URPF configuration commands
ip urpf
Use ip urpf to enable URPF check on an interface to prevent source address spoofing attacks.
Use undo ip urpf to disable URPF check.
Syntax
ip urpf { loose | strict } [ allow-default-route ] [ acl acl-number ]
undo ip urpf
Default
URPF check is disabled.
Views
Interface view
Default command level
2: System level
Parameters
loose: Enables loose URPF check. For a packet to pass loose URPF check, the source address of the packet must match the destination address of a FIB entry.
strict: Enables strict URPF check. For a packet to pass strict URPF check, the source address and receiving interface of the packet must match the destination address and output interface of a FIB entry.
allow-default-route: Allows using the default route for URPF check.
acl acl-number: ACL number in the range of 2000 to 3999.
• For a basic ACL, the value range is 2000 to 2999.
• For an advanced ACL, the value range is 3000 to 3999.
Usage guidelines
URPF configured in interface view takes effect only on that interface.
You can use the display ip interface command to view statistics about packets discarded by URPF.
Examples
# Configure strict URPF check on interface GigabitEthernet 3/0/2, which allows using the default route and uses ACL 2999 to match packets.
<Sysname> system-view
[Sysname] interface gigabitethernet 3/0/2
[Sysname-GigabitEthernet 3/0/2] ip urpf strict allow-default-route acl 2999
# Enable loose URPF check on GigabitEthernet 3/0/1.
<Sysname> system-view
[Sysname] interface gigabitethernet 3/0/1
[Sysname-GigabitEthernet 3/0/1] ip urpf loose
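The loose and strict checks and the allow-default-route keyword described under Parameters can be modelled offline to predict which packets an interface would drop before the command is applied. The Python below is an added illustration, not device code or vendor software. It assumes longest-prefix matching with one output interface per prefix, treats allow-default-route as "a match on 0.0.0.0/0 counts", uses a constructed FIB, and leaves the acl option out.

```python
import ipaddress

# Constructed FIB for illustration: (destination prefix, output interface).
FIB = [
    ("0.0.0.0/0", "GigabitEthernet3/0/1"),
    ("10.1.0.0/16", "GigabitEthernet3/0/2"),
    ("10.1.5.0/24", "GigabitEthernet3/0/1"),
]


def lookup(fib, src):
    """Longest-prefix match of src against the FIB.

    Returns (network, output interface), or None if nothing covers src.
    """
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, out_if in fib:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, out_if)
    return best


def urpf_pass(fib, src, in_if, mode, allow_default_route=False):
    """Return True if a packet from src received on in_if passes URPF."""
    if mode not in ("loose", "strict"):
        raise ValueError("mode must be 'loose' or 'strict'")
    entry = lookup(fib, src)
    if entry is None:
        return False  # no FIB entry covers the source address
    net, out_if = entry
    if net.prefixlen == 0 and not allow_default_route:
        return False  # only the default route matched and it is not allowed
    if mode == "strict":
        # Strict: the receiving interface must be the entry's output interface.
        return out_if == in_if
    return True  # loose: any acceptable FIB match is enough
```

In this model, strict mode drops traffic from 10.1.5.0/24 arriving on GigabitEthernet3/0/2 even though the covering /16 points there, which is the asymmetric-routing case to check for before choosing strict over loose.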