HP VPN Firewall Appliances Attack Protection Configuration Guide
• ACL—To identify specific packets as valid packets, you can use an ACL to match these packets. Even if the packets do not pass the URPF check, they are still forwarded correctly.
URPF work flow
URPF does not check multicast packets.
Figure 98 shows how URPF works.
Figure 98 URPF work flow
1. URPF checks source address validity:
   ○ Discards packets with a source broadcast address.
[Figure 98 flowchart; Yes/No branch arrows not recoverable. Nodes: Check the received packet; A broadcast source address?; An all-zero source address?; Does the source address match a FIB entry?; A broadcast destination address?; A default route?; Is the default route allowed for URPF check?; Does the receiving interface match the output interface of the matching FIB entry?; Loose URPF?; Does the ACL permit the packet?; outcomes: Check passed, Discard.]
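The decision points named in Figure 98, modelled as an added Python example (not code from the guide or from HP). The order of the checks, the handling of an all-zero source address, the constructed FIB and interface names, and the `fib_lookup` and `urpf_check` functions are assumptions made for illustration.

```python
import ipaddress

# Constructed FIB: (prefix, output interface). 0.0.0.0/0 is the default route.
FIB = [
    (ipaddress.ip_network("10.1.0.0/16"), "ge0/1"),
    (ipaddress.ip_network("10.2.0.0/16"), "ge0/2"),
    (ipaddress.ip_network("0.0.0.0/0"), "ge0/0"),
]
BCAST = ipaddress.ip_address("255.255.255.255")
ZERO = ipaddress.ip_address("0.0.0.0")

def fib_lookup(addr, fib):
    """Longest-prefix match; returns (network, out_if) or None."""
    hits = [(net, oif) for net, oif in fib if addr in net]
    return max(hits, key=lambda h: h[0].prefixlen) if hits else None

def urpf_check(src, dst, in_if, fib=FIB, loose=False,
               allow_default=False, acl_permit=()):
    """Return 'pass' or 'discard' for one received packet."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if d.is_multicast:
        return "pass"              # URPF does not check multicast packets
    if s == BCAST:                 # simplification: limited broadcast only
        return "discard"
    if s == ZERO:
        # Assumption: an all-zero source is valid only toward a broadcast
        # destination (for example a DHCP or BOOTP request).
        return "pass" if d == BCAST else "discard"
    hit = fib_lookup(s, fib)
    ok = hit is not None
    if ok and hit[0].prefixlen == 0 and not allow_default:
        ok = False                 # matched only the default route
    if ok and not loose and hit[1] != in_if:
        ok = False                 # strict mode: wrong receiving interface
    if ok:
        return "pass"
    # ACL exception: packets the ACL permits are forwarded even though
    # they did not pass the URPF check.
    permitted = any(s in ipaddress.ip_network(n) for n in acl_permit)
    return "pass" if permitted else "discard"
```
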