ipv6 urpf

Function

The ipv6 urpf command enables the IPv6 URPF check on a specified interface.

The undo ipv6 urpf command disables the IPv6 URPF check on a specified interface.

Format

ipv6 urpf { loose | strict } [ allow-default-route ] [ acl6 acl-number ]

undo ipv6 urpf

Parameters

Parameter: loose
Description: Indicates that IPv6 URPF performs loose check.
Value: The value is a string of 1 to 20 characters.

Parameter: strict
Description: Indicates that IPv6 URPF performs strict check.
Value: -

Parameter: allow-default-route
Description: Indicates that default routes are allowed to be processed specially. That is, the default route is matched when the reverse route search is implemented based on the source IP address of the packet. The packet is processed as follows:
  • If the strict check is implemented, and the next hop of the default route is the same as the incoming interface of the packet, the packet passes the URPF check and is forwarded. If the next hop of the default route is different from the incoming interface of the packet, the packet is denied.
  • If the loose check is implemented, the packet passes the URPF check and is forwarded.
Value: -

Parameter: acl-number
Description: Specifies the IPv6 ACL number. If the IPv6 URPF denies the packet, the FW continues to match the IPv6 ACL. If the packet matches the permit rule of the IPv6 ACL, the device forwards the packet.
Value: You can specify either of the following IPv6 ACLs:
  • Basic ACL: ranges from 2000 to 3999.
  • Advanced ACL: ranges from 3000 to 3999.

Views

Ethernet interface view, Ethernet sub-interface view, VLANIF interface view, Eth-Trunk interface view, Eth-Trunk sub-interface view, Tunnel interface view

Default Level

2: Configuration level

Usage Guidelines

By default, the IPv6 URPF check is disabled.

The URPF check is processed as follows:

  1. If the source IP address of the packet exists in the FIB of the router:

    • In strict mode, the URPF check performs a reverse search for the outgoing interface of the packet. If only one outgoing interface matches the incoming interface of the packet, the packet passes the URPF check. If more than one outgoing interface matches the incoming interface of the packet, you must use the loose mode. Otherwise, the packet is denied. (A reverse search looks up the outgoing interface for a packet whose destination IP address is the source IP address of the packet being checked.)
    • In loose mode, the packet passes the URPF check when its source IP address exists in the FIB of the router and the route is not a blackhole route, regardless of whether the reverse-searched outgoing interface matches the incoming interface of the packet; otherwise, the packet is denied.
  2. If the source IP address of the packet does not exist in the FIB of the router, check the default route and the allow-default-route parameter of URPF.

    • If the default route is configured, but the allow-default-route parameter is not specified:

      As the source IP address of the packet does not exist in the FIB of the router, the packet is denied regardless of whether the URPF check is in strict or loose mode.

    • If the default route is configured, and the allow-default-route parameter is specified:

      • If the strict check is implemented, and the next hop of the default route is the same as the incoming interface of the packet, the packet passes the URPF check and is forwarded normally. If the next hop of the default route is different from the incoming interface of the packet, the packet is denied.
      • If the loose check is implemented, the packet passes the URPF check and is forwarded.
  3. The ACL is matched only when the packet is denied by URPF. If the ACL allows the packet through, the packet is forwarded. If the ACL denies the packet, the packet is discarded.
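
The three steps above, modeled in Python as an added example (not Huawei's code and not part of the original page). The function name, the FIB layout, the interface names and the prefix list standing in for the IPv6 ACL are assumptions; a source with more than one reverse-path interface is treated as a strict-mode deny, following the note that loose mode must be used in that case.

```python
import ipaddress

def urpf_verdict(src, in_if, fib, mode, allow_default=False, acl_permit=()):
    """Model of the three steps above; returns 'pass', 'acl-permit' or 'deny'.

    fib: (prefix, out_if) pairs; out_if None marks a blackhole route.
    acl_permit: source prefixes an acl6 permit rule would match (simplified).
    """
    addr = ipaddress.IPv6Address(src)
    hits = [(ipaddress.IPv6Network(p), oif) for p, oif in fib]
    hits = [(net, oif) for net, oif in hits if addr in net]
    specific = [h for h in hits if h[0].prefixlen > 0]
    default_ifs = {oif for net, oif in hits if net.prefixlen == 0}

    if specific:
        # Step 1: source found in the FIB; use the longest matching prefix.
        longest = max(net.prefixlen for net, _ in specific)
        out_ifs = {oif for net, oif in specific if net.prefixlen == longest}
        if mode == "strict":
            # Exactly one reverse-path interface, equal to the incoming one.
            passed = out_ifs == {in_if}
        else:
            # Loose: any non-blackhole route is enough.
            passed = None not in out_ifs
    elif default_ifs and allow_default:
        # Step 2: only the default route covers the source.
        passed = mode == "loose" or default_ifs == {in_if}
    else:
        # No route at all, or default route without allow-default-route.
        passed = False

    if passed:
        return "pass"
    # Step 3: the ACL is consulted only after a URPF deny.
    if any(addr in ipaddress.IPv6Network(p) for p in acl_permit):
        return "acl-permit"
    return "deny"

# Constructed FIB using the 2001:db8::/32 documentation prefix.
FIB = [
    ("2001:db8:a::/48", "GE0/0/1"),
    ("2001:db8:b::/48", "GE0/0/2"),
    ("2001:db8:dead::/48", None),  # blackhole route
    ("::/0", "GE0/0/2"),           # default route
]
```

Running the same source address through both modes shows where asymmetric routing makes strict mode drop traffic that loose mode accepts.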

Example

# Enable the IPv6 URPF strict check on GigabitEthernet 0/0/1 and allow processing default routes specially. Set the IPv6 ACL number to 2999.

<sysname> system-view
[sysname] interface GigabitEthernet 0/0/1
[sysname-GigabitEthernet0/0/1] ipv6 urpf strict allow-default-route acl6 2999
Copyright © Huawei Technologies Co., Ltd.