ip urpf

Function

The ip urpf command enables the URPF check on the specified interface.

The undo ip urpf command disables the URPF check on the specified interface.

Format

ip urpf { loose | strict } [ allow-default-route ] [ acl acl-number ]

undo ip urpf

Parameters

Parameter	Description	Value
loose	Indicates that URPF performs loose check.	-
strict	Indicates that URPF performs strict check.	-
allow-default-route	Indicates that default routes are allowed to be processed specially. That is, the default route is matched when the reverse route lookup is implemented based on the source IP address of the packet. The packet is processed as follows: If the strict check is implemented, and the next hop of the default route is the same as the incoming interface of the packet, the packet passes the URPF check and is forwarded normally. If the next hop of the default route is different from the incoming interface of the packet, the packet is denied. If the loose check is implemented, the packet passes the URPF check and is forwarded.	-
acl-number	Specifies the ACL number. If the URPF denies the packet, the FW continues to match the ACL. If the packet matches the permit rule of the ACL, the device forwards the packet.	You can specify either of the following ACLs: Basic ACL: ranges from 2000 to 3999. Advanced ACL: ranges from 3000 to 3999.

Views

Ethernet interface view, Ethernet sub-interface view, Eth-Trunk interface view, Eth-Trunk sub-interface view, VLANIF interface view, Tunnel interface view, Virtual-Template interface view

Default Level

2: Configuration level

Usage Guidelines

By default, the URPF check is disabled.

The URPF check is performed as follows:

If the source IP address of the packet exists in the FIB of the router:
- In strict mode, the URPF check reversely searches for the outgoing interface of the packet. If only one outgoing interface matches the ingoing interface of the packet, the packet passes the URPF check. If more than one outgoing interface matches the ingoing interface of the packet, you must use the loose mode. Otherwise, the packet is denied. (Reverse search indicates searching for the outgoing interface of another packet whose destination IP address is the source IP address of the packet.)
- In loose mode, when the source IP address of the packet exists in the FIB of the router, and the route is not a blackhole one (regardless of the consistency between the reversely-searched outgoing interface and the incoming interface of the packet), the packet passes the URPF check; otherwise, the packet is denied.
If the source IP address of the packet does not exist in the FIB of the router, check the default route and the allow-default-route parameter of URPF.
- If the default route is configured, but the allow-default-route parameter is not specified:
  
  As the source IP address of the packet does not exist in the FIB of the router, the packet is denied regardless of whether the URPF check is in strict or loose mode.
- If the default route is configured, and the allow-default-route parameter is specified:
  - If the strict check is implemented, and the next hop of the default route is the same as the incoming interface of the packet, the packet passes the URPF check and is forwarded. If the next hop of the default route is different from the incoming interface of the packet, the packet is denied.
  - If the loose check is implemented, the packet passes the URPF check and is forwarded.
The ACL is matched only when the packet is denied by URPF. If the ACL allows the packet through, the packet is forwarded. If the ACL denies the packet, the packet is discarded.

Example

# Enable the URPF strict check on GigabitEthernet 0/0/1 and allow processing default routes specially. Set the ACL number to 2999.

<sysname> system-view
[sysname] interface GigabitEthernet 0/0/1
[sysname-GigabitEthernet0/0/1] ip urpf strict allow-default-route acl 2999