Introduction To Urpf; Urpf Features Supported By The S9300; Figure 7-1 Networking Diagram Of Urpf - Huawei Quidway S9300 Configuration Manual

Terabit routing switch v100r001c03

Hide thumbs Also See for Quidway S9300:

Configuration manual - network management (630 pages)

Configuration manual (603 pages)

Configuration manual - multicast (262 pages)

Table Of Contents

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

172

173

174

175

176

177

178

page of 178

/ 178
Contents
Table of Contents
Bookmarks

Table of Contents

7 URPF Configuration

7.1 Introduction to URPF

This section describes the principle of URPF.

URPF is mainly used to prevent network attacks based on source address spoofing.

As shown in

address 2.1.1.1. S9300-B sends a response packet to S9300-C whose IP address is 2.1.1.1. In

this way, S9300-A attacks S9300-B and S9300-C by sending the invalid packet.

Figure 7-1 Networking diagram of URPF

1.1.1.1/24

S9300-A

When a packet is sent to a URPF-enabled interface, URPF obtains the source address and

incoming interface of the packet. URPF then takes the source address as the destination address

to query the corresponding incoming interface and compares the queried interface with the

incoming interface. If they are different, URPF considers the source address as spoofing and

discards the packet. In this way, URPF can effectively prevent malicious attacks that arise by

changing the source IP address.

7.2 URPF Features Supported by the S9300

This section describes the URPF features supported by the S9300.

URPF takes effect only on the incoming interface of the S9300. When URPF is enabled on an

interface, URPF checks the incoming packets of this interface.

The S9300 supports the following URPF check modes:

7-2

Figure

7-1, S9300-A sends a packet to S9300-B by using the pseudo source IP

2.1.1.1/24

Source address

NOTE

The IP address of the interface on the S9300 needs to be configured on the VLANIF interface, but URPF

needs to be configured on the physical interface. This is because URPF is implemented on the physical

interface.

URPF strict check: The packets can be forwarded only when the source address of packets

exists in the FIB table of the S9300 and the outgoing interface of a default route is the same

as the incoming interface of the packets. Otherwise, the packets fail to pass the check and

are discarded.

URPF loose check: When the source address of packets exists in the FIB table of the

S9300, the packets pass the check and are forwarded regardless of whether the outgoing

interface of a default route is the same as the incoming interface of the packets.

Huawei Proprietary and Confidential

Quidway S9300 Terabit Routing Switch

S9300-B

Configuration Guide - Security

2.1.1.1/24

S9300-C

Issue 01 (2009-07-28)

Table of Contents

Introduction To Urpf; Urpf Features Supported By The S9300; Figure 7-1 Networking Diagram Of Urpf - Huawei Quidway S9300 Configuration Manual

7.1 Introduction to URPF

Figure 7-1 Networking diagram of URPF

7.2 URPF Features Supported by the S9300

Related Manuals for Huawei Quidway S9300

Related Content for Huawei Quidway S9300

Table of Contents