R2511-HP MSR Router Series Security Configuration Guide(V5)
461
Do not configure the allow-default-route keyword for loose URPF check. Otherwise, URPF might fail to
work.
After configuring the URPF check on an interface, you can use the display ip interface command to view
statistics about packets discarded by URPF (displayed as "Drops" and "Suppressed drops").
To enable URPF on an interface:
Ste
p
Command
Remarks
1. Enter system view.
system-view
N/A
2. Enter interface view.
interface interface-type interface-number N/A
3. Enable URPF check on the
interface.
ip urpf { loose | strict } [ allow-default-route ]
[ acl acl-number ]
Disabled by default.
URPF configuration example
Network requirements
As shown in Figure 147, enable strict URPF check on Ethernet 1/1 of Router B and permit packets from
n e t w o r k 10 .1.1. 0 / 2 4 .
Enable strict URPF check on Ethernet 1/1 of Router A to allow using the default route for URPF check.
Figure 147 Network diagram
Configuration procedure
1. Configure Router B:
# Define ACL 2010 to permit traffic from network 10.1.1.0/24 to pass.
<RouterB> system-view
[RouterB] acl number 2010
[RouterB-acl-basic-2010] rule permit source 10.1.1.0 0.0.0.255
[RouterB-acl-basic-2010] quit
# Specify the IP address of Ethernet 1/1.
[RouterB] interface ethernet 1/1
[RouterB-Ethernet1/1] ip address 1.1.1.2 255.255.255.0
# Enable strict URPF check on Ethernet 1/1.
[RouterB-Ethernet1/1] ip urpf strict acl 2010
2. Configure Router A:
# Specify the IP address of Ethernet 1/1.
<RouterA> system-view
[RouterA] interface ethernet 1/1
[RouterA-Ethernet1/1] ip address 1.1.1.1 255.255.255.0