Firewall URPF process


The URPF check proceeds as follows:

1. If the source address of the packet is in the FIB table of the firewall:

•In strict mode, the firewall performs a reverse search, that is, it looks up the outbound interface it would use for a packet whose destination address is the source address of the original packet. If the reverse route has exactly one outbound interface, the packet passes the check only when that interface is the interface on which the packet arrived; otherwise the packet is denied. If the reverse route has multiple outbound interfaces (equal-cost paths), a strict interface comparison is not possible and the loose check is applied instead.
•In loose mode, the packet passes the check as long as a route to the source address exists in the FIB and is not a black-hole route; whether the reversely searched outbound interface matches the inbound interface is not considered. If the only route to the source is a black-hole route, the packet is denied.
2. If the source address of the packet is not in the FIB table, the result depends on the default route and on the allow-default-route parameter of URPF:

•If a default route exists but allow-default-route is not configured, the default route is not used for the reverse search, so the packet is denied in both strict and loose mode.

•If a default route exists and allow-default-route is configured:

■In strict mode, the packet passes the check and is forwarded if the outbound interface of the default route is the interface on which the packet arrived; otherwise the packet is denied.
■In loose mode, the packet passes the check and is forwarded.
3. The ACL referenced in the URPF configuration is matched only after URPF has denied the packet. If the ACL permits the packet, the packet is forwarded despite the failed check; if the ACL denies the packet, the packet is discarded. Because a permit in this ACL overrides the URPF result, limit it to the specific source prefixes that are known to arrive asymmetrically, and enable strict mode only on interfaces where routing to and from the attached networks is symmetric.
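The three steps above as a runnable decision model. This is an added example written for this page, not Huawei's code: the FIB entries, the interface names (GE0/0/1 and so on) and the ACL are constructed for illustration, and the equal-cost case is implemented exactly as the text states it (a reverse route with several outbound interfaces falls back to the loose check).

```python
"""Model of the URPF decision procedure described above.

Added example, not Huawei code. The FIB, interface names (GE0/0/1 ...)
and ACL below are constructed for illustration and are assumptions.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    prefix: str
    out_ifaces: Tuple[str, ...]   # empty tuple models a black-hole route


class Fib:
    """Longest-prefix-match table; the 0.0.0.0/0 entry is the default route."""

    def __init__(self, routes: List[Route]) -> None:
        self.routes = [(ip_network(r.prefix), r) for r in routes]

    def lookup(self, addr: str) -> Optional[Route]:
        """Reverse search: the most specific non-default route covering addr."""
        a, best = ip_address(addr), None
        for net, route in self.routes:
            if net.prefixlen == 0 or a not in net:
                continue
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, route)
        return best[1] if best else None

    def default_route(self) -> Optional[Route]:
        return next((r for net, r in self.routes if net.prefixlen == 0), None)


def urpf_check(fib: Fib, src: str, in_iface: str, mode: str,
               allow_default_route: bool = False,
               acl: Optional[Callable[[str], str]] = None) -> Tuple[bool, str]:
    """Return (passed, reason) for a packet from src arriving on in_iface.

    mode is 'strict' or 'loose'. acl maps a source address to 'permit' or
    'deny' and is consulted only after the URPF check has denied the packet.
    """
    assert mode in ('strict', 'loose')

    def denied(reason: str) -> Tuple[bool, str]:   # step 3: ACL after denial
        if acl is None:
            return False, reason
        if acl(src) == 'permit':
            return True, reason + '; forwarded because the ACL permits it'
        return False, reason + '; discarded because the ACL denies it'

    route = fib.lookup(src)
    if route is not None:                           # step 1: source in FIB
        if not route.out_ifaces:
            return denied('route to source is a black-hole route')
        if mode == 'loose':
            return True, 'loose: route to source exists and is not black-hole'
        if len(route.out_ifaces) > 1:               # ECMP: fall back to loose
            return True, 'strict: several reverse outbound interfaces, loose check passes'
        if route.out_ifaces[0] == in_iface:
            return True, 'strict: reverse outbound interface matches inbound interface'
        return denied('strict: reverse path leaves via %s but packet arrived on %s'
                      % (route.out_ifaces[0], in_iface))

    default = fib.default_route()                   # step 2: source not in FIB
    if default is None or not allow_default_route:
        return denied('no route to source and default route not allowed for URPF')
    if mode == 'loose':
        return True, 'loose: default route allowed'
    if in_iface in default.out_ifaces:
        return True, 'strict: default route outbound interface matches inbound interface'
    return denied('strict: default route leaves via %s but packet arrived on %s'
                  % (','.join(default.out_ifaces), in_iface))


# Constructed FIB for the walkthrough (not taken from any real device)
FIB = Fib([
    Route('10.1.0.0/16', ('GE0/0/1',)),
    Route('10.2.0.0/16', ('GE0/0/2', 'GE0/0/3')),   # equal-cost paths
    Route('192.0.2.0/24', ()),                      # black-hole route
    Route('0.0.0.0/0', ('GE0/0/4',)),               # default route
])


def SAMPLE_ACL(src: str) -> str:
    """Constructed URPF ACL: permits one prefix that would otherwise be dropped."""
    return 'permit' if ip_address(src) in ip_network('203.0.113.0/24') else 'deny'


def run_cases() -> Dict[str, bool]:
    """Walk the cases of the three steps; returns case name -> passed."""
    cases = {
        'strict, legitimate path': ('10.1.5.5', 'GE0/0/1', 'strict', False, None),
        'strict, spoofed source on wrong interface': ('10.1.5.5', 'GE0/0/2', 'strict', False, None),
        'loose, same spoofed source': ('10.1.5.5', 'GE0/0/2', 'loose', False, None),
        'strict, ECMP source': ('10.2.9.9', 'GE0/0/3', 'strict', False, None),
        'loose, black-hole route': ('192.0.2.7', 'GE0/0/1', 'loose', False, None),
        'strict, default route not allowed': ('198.51.100.1', 'GE0/0/4', 'strict', False, None),
        'strict, default route allowed, matching interface': ('198.51.100.1', 'GE0/0/4', 'strict', True, None),
        'strict, default route allowed, wrong interface': ('198.51.100.1', 'GE0/0/1', 'strict', True, None),
        'loose, default route allowed': ('198.51.100.1', 'GE0/0/1', 'loose', True, None),
        'strict, denied but ACL permits': ('203.0.113.9', 'GE0/0/1', 'strict', False, SAMPLE_ACL),
    }
    return {name: urpf_check(FIB, *args)[0] for name, args in cases.items()}


if __name__ == '__main__':
    for name, passed in run_cases().items():
        print('%-52s %s' % (name, 'pass' if passed else 'deny'))
```

Running the block prints one verdict per case. Two points worth noticing: the same spoofed source (10.1.5.5 arriving on GE0/0/2) is dropped in strict mode but accepted in loose mode, which is why loose mode only filters addresses with no route at all; and the ACL is consulted only inside denied(), so a permit there lets a packet through after every URPF test has failed, which is the reason to keep that ACL narrow.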

Other related questions:
Firewall IPv6 URPF processing
The IPv6 URPF process follows the same three steps as the IPv4 process above: a reverse search in the IPv6 FIB (strict mode compares the reversely searched outbound interface with the inbound interface and falls back to the loose check when there are multiple outbound interfaces; loose mode only requires that a non-black-hole route to the source exists), the same handling of the default route and the allow-default-route parameter when the source is not in the FIB, and an IPv6 ACL that is matched only after the packet has been denied. If the IPv6 ACL permits the packet, the packet is forwarded; if it denies the packet, the packet is discarded.

Method used to change the license on USG firewalls
1. If functions controlled by the license need to be expanded or added, apply for a new license file by following the normal license application steps. The license center automatically merges the original license file with the license file for the new feature and generates a new license file.
2. If a license file currently used on device A is to be moved to device B, contact the license management center by sending the device ESN, the LAC, the contract number and a description of the change to license@huawei.com.

Method used to configure VLAN communications through L3 subinterfaces on USG firewalls
To allow different VLANs to communicate with each other, each VLAN can be connected to a separate interface of an L3 device, which then routes between them. This wastes the limited physical interfaces of the device. Ethernet subinterfaces address the issue: by configuring several subinterfaces on one physical interface, each associated with a different VLAN, a single physical interface can route between those VLANs. Subinterfaces can currently be configured on Ethernet interfaces and Eth-Trunk interfaces. Routing between VLANs through L3 subinterfaces applies only when the hosts in each VLAN are in different network segments; if hosts in the different VLANs share one network segment, configure L2 subinterfaces instead. To configure VLAN communication through L3 subinterfaces:
1. Run the system-view command to enter the system view.
2. Run the interface interface-type interface-number.subinterface-number command to create a subinterface and enter the subinterface view.
3. Run the vlan-type dot1q vlan-id command to set the 802.1Q encapsulation type and the associated VLAN ID of the subinterface.
4. Run the ip address ip-address { mask | mask-length } [ sub ] command to assign an IP address to the subinterface. The IP addresses of the subinterface and the main interface may be in the same network segment, but their subnet masks must be different.

Method used to configure static MAC address entries on USG firewalls
Static MAC address entries are added and deleted manually and are never aged out. They reduce broadcast traffic on the network, because frames to a statically bound MAC address are forwarded only to the configured interface instead of being flooded while the address is unknown, and they suit networks in which devices change rarely. To configure a static MAC address entry, run the mac-address static mac-address interface-type interface-number vlan vlan-id command in the system view or the interface view.
