F3726, F3211, F3174, R5135, R3816-HP Firewalls and UTM Devices Attack Protection Configuration Guide-6PW100
119
• ACL—To identify specific packets as valid packets, you can use an ACL to match these packets.
Even if the packets do not pass URPF check, they are still forwarded normally.
114BURPF work flow
URPF does not check multicast packets.
421HFigure 98 shows how URPF works.
Figure 98 URPF work flow
1. URPF checks source address validity:
{ Discards packets with a source broadcast address.
Check the received
packet
A broadcast
source address?
An all-zero
source address?
Does
the source
address match a
FIB entry?
A broadcast
destination address?
A default route?
Is
the default route
allowed for URPF
check?
Does
the receiving
interface match the
output interface of
the matching FIB
entry?
Loose URPF?
Check passed
Discard
Does the
ACL permit the
packet?
Yes
Yes
Yes
Yes
No
No
Yes
No
No
Yes
Yes
Yes
No
No
No
Yes
No
No