
Configuring URPF on an Interface

Configure URPF on an interface to prevent source address spoofing attacks across the network.

Prerequisites

  • Configuring the link attributes of the interface

  • Configuring an IP address for the interface

  • Configuring an ACL rule

Context

The URPF check can be implemented in strict or loose mode, and it can additionally take ACLs and default routes into account.

The processing flow of the URPF check is as follows:

  1. If the source IP address of the packet exists in the FIB table of the router:

    • In strict mode, the URPF check performs a reverse search for the outgoing interface of the packet. If there is only one outgoing interface and it matches the incoming interface of the packet, the packet passes the URPF check. If more than one outgoing interface matches the incoming interface of the packet, you must use loose mode. Otherwise, the packet is denied. (A reverse search looks up the egress that would be used for a packet whose destination IP address is the source IP address of the checked packet.)
    • In loose mode, when the source IP address of the packet exists in the FIB table of the router and the route is not a blackhole route, the packet passes the URPF check regardless of whether the reverse-searched egress matches the ingress of the packet; otherwise, the packet is denied.
  2. If the source IP address of the packet does not exist in the FIB table of the router, check the default route and the allow-default-route parameter of URPF.

    • If the default route is configured, but the allow-default-route parameter is not specified:

      As the source IP address of the packet does not exist in the FIB table of the router, the packet is denied regardless of whether the URPF check is in strict or loose mode.

    • If the default route is configured, and the allow-default-route parameter is specified:

      • If the strict check is implemented, and the egress of the default route is consistent with the ingress of the packet, the packet passes the URPF check and is forwarded normally. If the egress of the default route is inconsistent with the ingress of the packet, the packet is denied.
      • If the loose check is implemented, the packet passes the URPF check and is forwarded normally.
  3. The ACL is matched only when the packet is denied. If the ACL allows the packet through, the packet is forwarded normally. If the ACL denies the packet, the packet is discarded.
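The following Python model is an added worked example, not Huawei code or part of this product documentation. It implements the three-step decision flow above (FIB match in strict or loose mode, default-route handling governed by allow-default-route, and an ACL consulted only for denied packets) against a small constructed FIB so the outcomes can be checked case by case. The interface names, prefixes, the Route type and the assumption that a multi-path route is not accepted in strict mode and that an ACL with no matching rule denies are all assumptions of this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    egresses: Tuple[str, ...]   # outgoing interfaces; an empty tuple models a blackhole route


def fib_lookup(fib: Sequence[Route], addr: ipaddress.IPv4Address) -> Optional[Route]:
    """Longest-prefix match for addr, ignoring the default route (0.0.0.0/0)."""
    best = None
    for route in fib:
        if route.prefix.prefixlen == 0 or addr not in route.prefix:
            continue
        if best is None or route.prefix.prefixlen > best.prefix.prefixlen:
            best = route
    return best


def default_route(fib: Sequence[Route]) -> Optional[Route]:
    """Return the 0.0.0.0/0 entry if one is configured."""
    return next((r for r in fib if r.prefix.prefixlen == 0), None)


def acl_permits(acl, addr: ipaddress.IPv4Address) -> bool:
    """First-match ACL; no matching rule, or no ACL configured, counts as deny (assumption)."""
    for action, network in acl or ():
        if addr in network:
            return action == "permit"
    return False


def urpf_check(src_ip, ingress, fib, mode, allow_default_route=False, acl=None) -> str:
    """Return 'forward' or 'discard' for a packet with source src_ip arriving on ingress."""
    if mode not in ("strict", "loose"):
        raise ValueError("mode must be 'strict' or 'loose'")
    addr = ipaddress.ip_address(src_ip)
    route = fib_lookup(fib, addr)

    if route is not None:
        # Step 1: the source prefix exists in the FIB.
        if mode == "strict":
            # Reverse search: the single egress toward the source must be the ingress.
            # A multi-path route is treated as failing strict mode (loose mode is required).
            passed = len(route.egresses) == 1 and route.egresses[0] == ingress
        else:
            passed = len(route.egresses) > 0   # any non-blackhole route passes in loose mode
    else:
        # Step 2: no specific route; only the default route can vouch for the source.
        dflt = default_route(fib)
        if dflt is None or not allow_default_route:
            passed = False
        elif mode == "strict":
            passed = ingress in dflt.egresses  # default-route egress must match the ingress
        else:
            passed = True

    if passed:
        return "forward"
    # Step 3: the ACL is consulted only for packets that failed the URPF check.
    return "forward" if acl_permits(acl, addr) else "discard"


# Constructed sample FIB: prefixes and interface names are made up for this example.
SAMPLE_FIB = (
    Route(ipaddress.ip_network("10.1.0.0/16"), ("GE0/0/1",)),
    Route(ipaddress.ip_network("10.2.0.0/16"), ("GE0/0/2",)),
    Route(ipaddress.ip_network("10.3.0.0/16"), ("GE0/0/1", "GE0/0/2")),  # multi-path
    Route(ipaddress.ip_network("192.0.2.0/24"), ()),                      # blackhole
    Route(ipaddress.ip_network("0.0.0.0/0"), ("GE0/0/3",)),               # default route
)

# Constructed ACL that rescues one prefix the FIB cannot vouch for.
SAMPLE_ACL = (("permit", ipaddress.ip_network("203.0.113.0/24")),)


if __name__ == "__main__":
    cases = [
        ("10.1.1.1", "GE0/0/1", "strict", False, None),   # reverse path matches ingress
        ("10.1.1.1", "GE0/0/2", "strict", False, None),   # arrives on the wrong interface
        ("10.1.1.1", "GE0/0/2", "loose", False, None),    # loose mode ignores the mismatch
        ("192.0.2.5", "GE0/0/1", "loose", False, None),   # blackhole route never passes
        ("203.0.113.7", "GE0/0/3", "loose", False, None), # default route, allow-default-route unset
        ("203.0.113.7", "GE0/0/3", "loose", True, None),  # default route, allow-default-route set
        ("203.0.113.7", "GE0/0/1", "strict", False, SAMPLE_ACL),  # denied by URPF, permitted by ACL
    ]
    for src, ifname, mode, allow, acl in cases:
        verdict = urpf_check(src, ifname, SAMPLE_FIB, mode, allow, acl)
        print(f"{src:>12} on {ifname} {mode:6} allow-default={allow!s:5} acl={'yes' if acl else 'no':3} -> {verdict}")
```

The model keeps the three steps in the same order as the documented flow, which is the property worth checking when reviewing a URPF deployment: a packet that fails the FIB or default-route test is only forwarded if an explicitly configured ACL permits it, so the ACL is the one place where an exception can silently widen what the interface accepts.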

URPF cannot be used together with the global routing policy or PBR intelligent uplink selection; otherwise, packet loss may occur.

Procedure

  1. Access the system view.

    system-view

  2. Access the interface view.

    interface interface-type interface-number

    You can enable the URPF check on GE interfaces, VLANIF interfaces, Eth-Trunk interfaces, Tunnel interfaces, or sub-interfaces.

  3. Enable URPF on the interface.

    ip urpf { loose | strict } [ allow-default-route ] [ acl acl-number ]

    Or

    ipv6 urpf { loose | strict } [ allow-default-route ] [ acl6 acl-number ]

Follow-up Procedure

For packets discarded due to URPF, run the display firewall statistics system discarded or display firewall ipv6 statistics system discarded command and check the URPF packets discarded field.
Copyright © Huawei Technologies Co., Ltd.