H3C S9500 Series Operation Manual page 6

Operation Manual – URPF
H3C S9500 Series Routing Switches
Create two virtual interfaces, VLAN interface 1000 and VLAN interface 1001; enable
URPF on them and use the NAT service processor board in slot 5 to perform URPF
check.
Port Ethernet 6/1/1 is a trunk port, permitting packets of VLAN 1000 and VLAN 1001.
It is required that port Ethernet 6/1/1 performs URPF check on packets of VLAN 1000
and VLAN 1001.
II. Network diagram
VLAN 1000
SwitchA
Figure 1-3 Network diagram for URPF
III. Configuration procedure
# Configure VLAN information.
[H3C] vlan 1000
[H3C-vlan1000] vlan 1001
[H3C-vlan1001] quit
[H3C] interface ethernet 6/1/1
[H3C-Ethernet6/1/1]quit
[H3C] vlan 1001
[H3C-vlan1001] quit
[H3C] interface vlan-interface 1000
[H3C-Vlan-interface1000] ip address 10.10.10.1 24
[H3C-Vlan-interface1000] interface vlan-interface 1001
[H3C-Vlan-interface1001] ip address 11.11.11.1 24
# Enable URPF on the VLAN interfaces.
[H3C-Vlan-interface1000] urpf enable to slot 5
[H3C-Vlan-interface1000] interface vlan 1001
[H3C-Vlan-interface1001]urpf enable to slot 5
# Create a layer 2 ACL rule
<H3C> system-view
[H3C] acl number 4000
# Permit the IP packets going into VLAN 1000 and the DMAC must be the interface
MAC000f-e239-a9b8.
[H3C-acl-link-4000] rule 0 permit ip ingress 1000 egress 000f-e239-a9b8
0000-0000-0000
# Permit the IP packets going into VLAN 1001.
Ethernet6/1/1
VLAN1001
Trunk口
SwitchB
ISP
1-5
Chapter 1 URPF Configuration