Firewall IPv6 URPF processing


The IPv6 URPF process is as follows:

1. If the source address of a packet is in the FIB table of the router:

●In strict mode, search reversely for the packet outbound interface. If there is only one outbound interface and it matches the packet inbound interface, the packet passes the check; otherwise, the packet is denied. If the reverse search finds multiple outbound interfaces matching the packet inbound interface, the loose check is required. (Reverse search means searching for the outbound interface of a packet whose destination IP address is the source IP address of the original packet.)
●In loose mode, if the source IP address of the packet exists in the FIB table of the router and the route is not a black-hole route (regardless of whether the reversely searched outbound interface matches the inbound interface of the packet), the packet passes the URPF check; otherwise, the packet is denied.

2. If the source address of the packet is not in the FIB table of the router, check the default route and the URPF allow-default-route parameter.

●If the default route is configured but the allow-default-route parameter is not configured: because the source IP address of the packet is not in the FIB table of the router, the packet is denied regardless of whether the URPF check is in strict or loose mode.
●If both the default route and the allow-default-route parameter are configured:
■In strict mode, if the default route outbound interface and the packet inbound interface are consistent, the packet passes the URPF check and is forwarded. If they are inconsistent, the packet is denied.
■In loose mode, the packet passes the URPF check and is forwarded.

3. The IPv6 ACL is matched only after the packet is denied by the URPF check. If the IPv6 ACL permits the packet, the packet is forwarded. If the IPv6 ACL denies the packet, the packet is discarded.

Other related questions:
Firewall URPF process
The URPF process is as follows:

1. If the source address of a packet is in the FIB table of the router:

●In strict mode, search reversely for the packet outbound interface. If there is only one outbound interface and it matches the packet inbound interface, the packet passes the check; otherwise, the packet is denied. If the reverse search finds multiple outbound interfaces matching the packet inbound interface, the loose check is required. (Reverse search means searching for the outbound interface of a packet whose destination IP address is the source IP address of the original packet.)
●In loose mode, if the source IP address of the packet exists in the FIB table of the router and the route is not a black-hole route (regardless of whether the reversely searched outbound interface matches the inbound interface of the packet), the packet passes the URPF check; otherwise, the packet is denied.

2. If the source address of the packet is not in the FIB table of the router, check the default route and the URPF allow-default-route parameter.

●If the default route is configured but the allow-default-route parameter is not configured: because the source IP address of the packet is not in the FIB table of the router, the packet is denied regardless of whether the URPF check is in strict or loose mode.
●If both the default route and the allow-default-route parameter are configured:
■In strict mode, if the default route outbound interface and the packet inbound interface are consistent, the packet passes the URPF check and is forwarded. If they are inconsistent, the packet is denied.
■In loose mode, the packet passes the URPF check and is forwarded.

3. The ACL is matched only after the packet is denied by the URPF check. If the ACL permits the packet, the packet is forwarded. If the ACL denies the packet, the packet is discarded.
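The decision procedure is the same for the IPv6 URPF steps at the top of this page and for the IPv4 process in this related answer; only the address family differs. The following Python model is an added example written for this page, not Huawei code and not the USG implementation. The FIB entries, interface names, documentation prefixes and the ACL are constructed, and the handling of several reverse outbound interfaces in strict mode (fall back to the loose check) follows the description above.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Route:
    """One FIB entry (constructed model). out_iface is None for a black-hole route."""
    prefix: str                 # "2001:db8:1::/64", "10.0.0.0/24", "::/0" or "0.0.0.0/0"
    out_iface: Optional[str]

    @property
    def network(self):
        return ip_network(self.prefix)

    @property
    def is_default(self) -> bool:
        return self.network.prefixlen == 0

    @property
    def is_blackhole(self) -> bool:
        return self.out_iface is None


def lookup(fib, src):
    """Longest-prefix match for src; returns every route at the best length (equal-cost set)."""
    addr = ip_address(src)
    matches = [r for r in fib if r.network.version == addr.version and addr in r.network]
    if not matches:
        return []
    best = max(r.network.prefixlen for r in matches)
    return [r for r in matches if r.network.prefixlen == best]


def urpf_check(fib, src, in_iface, mode="strict", allow_default_route=False):
    """Steps 1 and 2: reverse lookup of the source address. Returns (passed, reason)."""
    routes = lookup(fib, src)
    specific = [r for r in routes if not r.is_default]
    if specific:                                  # step 1: source address is in the FIB
        out_ifaces = {r.out_iface for r in specific}
        if mode == "strict" and len(out_ifaces) == 1:
            (out,) = out_ifaces
            if out is None:
                return False, "strict: only route is a black hole"
            if out == in_iface:
                return True, "strict: reverse outbound interface matches inbound interface"
            return False, "strict: reverse outbound interface differs from inbound interface"
        # loose mode, or strict mode with several reverse outbound interfaces
        if any(not r.is_blackhole for r in specific):
            return True, "loose: source route exists and is not a black hole"
        return False, "loose: source route is a black hole"
    # step 2: source address not in the FIB; only a default route can match
    default = [r for r in routes if r.is_default]
    if not default:
        return False, "source not in FIB and no default route"
    if not allow_default_route:
        return False, "source not in FIB; default route present but allow-default-route not set"
    if mode == "strict":
        if default[0].out_iface == in_iface:
            return True, "strict: default route outbound interface matches inbound interface"
        return False, "strict: default route outbound interface differs from inbound interface"
    return True, "loose: default route accepted via allow-default-route"


def acl_permits(acl, src):
    """First-match ACL with an implicit deny at the end (constructed model)."""
    addr = ip_address(src)
    for action, prefix in acl:
        net = ip_network(prefix)
        if net.version == addr.version and addr in net:
            return action == "permit"
    return False


def forward_decision(fib, src, in_iface, mode="strict", allow_default_route=False, acl=()):
    """Full procedure: URPF check first; the ACL (step 3) is consulted only for a denied packet."""
    passed, reason = urpf_check(fib, src, in_iface, mode, allow_default_route)
    if passed:
        return "forward", reason
    if acl_permits(acl, src):
        return "forward", reason + "; ACL permits the denied packet"
    return "discard", reason + "; ACL denies the denied packet"


# Constructed sample FIB (documentation prefixes) and ACL; not from any real device.
FIB = [
    Route("2001:db8:1::/64", "GE1/0/1"),
    Route("2001:db8:2::/64", "GE1/0/2"),
    Route("2001:db8:2::/64", "GE1/0/3"),   # two reverse outbound interfaces for one prefix
    Route("2001:db8:dead::/64", None),     # black-hole route
    Route("::/0", "GE1/0/9"),              # IPv6 default route
    Route("10.0.0.0/24", "GE1/0/1"),
    Route("0.0.0.0/0", "GE1/0/9"),         # IPv4 default route
]
ACL = [("permit", "2001:db8:3::/64"), ("deny", "::/0")]

if __name__ == "__main__":
    for src, iface, mode, allow in [
        ("2001:db8:1::5", "GE1/0/2", "strict", False),   # denied, ACL deny  -> discard
        ("2001:db8:2::7", "GE1/0/5", "strict", False),   # two out ifaces -> loose -> forward
        ("2001:db8:3::1", "GE1/0/1", "strict", False),   # not in FIB, denied, ACL permit -> forward
        ("2001:db8:4::1", "GE1/0/9", "strict", True),    # default route, iface matches -> forward
    ]:
        action, why = forward_decision(FIB, src, iface, mode, allow, ACL)
        print(f"{src:16} in {iface} {mode:6} allow-default={allow!s:5} -> {action:7} ({why})")
```

Each call returns the forwarding action together with the reason string, so the same model can be used to explain why a given flow was dropped when an access problem is reported after URPF is enabled on an interface.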

Whether USG firewalls support IPv6 Neighbor Discovery
The USG firewalls support IPv6 Neighbor Discovery.

Method used to configure IPv6 over IPv4 manual tunnels on the USG2000 and USG5000 series
On the USG2000 and USG5000 series, configure the IPv6 over IPv4 manual tunnel as follows. USG_A and USG_B are boundary devices between the IPv6 and IPv4 networks. The IPv4 address of interface GigabitEthernet 1/0/1 connecting USG_A to the IPv4 network is 1.1.1.1/24, and the IPv6 address of the interface connecting USG_A to the IPv6 network is 2011::1/64. The IPv4 address of interface GigabitEthernet 1/0/1 connecting USG_B to the IPv4 network is 1.1.1.2/24, and the IPv6 address of the interface connecting USG_B to the IPv6 network is 3011::1/64. An IPv6 over IPv4 manual tunnel is established between USG_A and USG_B.

1. Configure the tunnel encapsulation type, source address, destination address, and IPv6 address of the tunnel interface of USG_A.

system-view
[USG] sysname USG_A
[USG_A] ipv6
[USG_A] interface tunnel 1
[USG_A-Tunnel1] tunnel-protocol ipv6-ipv4
[USG_A-Tunnel1] ipv6 enable
[USG_A-Tunnel1] source 1.1.1.1
[USG_A-Tunnel1] destination 1.1.1.2
[USG_A-Tunnel1] ipv6 address 3001::1 64

2. On USG_A, configure the static route to the IPv6 network connected to USG_B, pointing at the tunnel interface.

[USG_A] ipv6 route-static 3011:: 64 tunnel 1

3. Configure the tunnel encapsulation type, source address, destination address, and IPv6 address of the tunnel interface of USG_B.

system-view
[USG] sysname USG_B
[USG_B] ipv6
[USG_B] interface tunnel 1
[USG_B-Tunnel1] tunnel-protocol ipv6-ipv4
[USG_B-Tunnel1] ipv6 enable
[USG_B-Tunnel1] source 1.1.1.2
[USG_B-Tunnel1] destination 1.1.1.1
[USG_B-Tunnel1] ipv6 address 3001::2 64

4. On USG_B, configure the static route to the IPv6 network connected to USG_A, pointing at the tunnel interface.

[USG_B] ipv6 route-static 2011:: 64 tunnel 1

Method used to change the license on USG firewalls
1. If functions controlled by a license need to be expanded or added, you need to acquire a license file again. Perform the steps for applying for a license file. The license center automatically combines the original license file with the license file for the new feature and generates a new license file.

2. If the previous license file is used on device A and it will be used on device B, seek help from the license management center by sending the device ESN, LAC, contract No. and change information to license@huawei.com.

Method used to configure VLAN communications through L3 subinterfaces on USG firewalls
To enable different VLANs to communicate with each other, you can connect each VLAN to a different interface of an L3 device. In this way, a router can exchange data between the VLANs. However, this method wastes the limited physical interface resources of the device. Ethernet subinterfaces can be used to address this issue. Currently, Ethernet subinterfaces can be configured on Ethernet interfaces and Eth-Trunk interfaces. By configuring multiple subinterfaces, each corresponding to a different VLAN, on one physical interface, a single physical interface can enable different VLANs to communicate with each other.

The method of enabling VLANs to communicate through L3 subinterfaces is only applicable to the scenario in which the hosts in each VLAN are in different network segments. If hosts in different VLANs are in the same network segment, you can configure L2 subinterfaces to enable the VLANs to communicate with each other.

To configure VLAN communications through L3 subinterfaces, perform the following steps:

1. Run the system-view command to enter the system view.
2. Run the interface interface-type interface-number.subinterface-number command to create a subinterface and enter the subinterface view.
3. Run the vlan-type dot1q vlan-id command to configure the encapsulation type and the associated VLAN ID for the subinterface.
4. Run the ip address ip-address { mask | mask-length } [ sub ] command to configure the IP address of the subinterface. The IP addresses of the subinterface and the main interface can be in the same network segment, but the subnet masks of the subinterface and the main interface must be different.
