H3C S9500 Series Operating instructions

Type
Operating instructions

H3C S9500 Series: The Advanced Routing Switch for Enterprise Networks

The H3C S9500 Series Routing Switches are high-performance, scalable, and reliable switches designed for enterprise networks. With its advanced features, the H3C S9500 Series provides a comprehensive solution for various networking requirements.

Key capabilities include:

  • High Scalability: Supports up to 480 Gbps switching capacity and up to 144 10GE ports, allowing for flexible network expansion.

  • Comprehensive Security: Offers robust security features such as ACLs, QoS, and URPF to protect against threats and ensure data confidentiality.

Operation Manual – URPF
H3C S9500 Series Routing Switches

Table of Contents
Chapter 1 URPF Configuration ... 1-1
  1.1 URPF Overview ... 1-1
  1.2 Configuring URPF ... 1-2
  1.3 URPF Configuration Examples ... 1-3
    1.3.1 Example I ... 1-3
    1.3.2 Example II ... 1-4
Chapter 1 URPF Configuration
When configuring URPF, go to these sections for the information you need:
  • URPF Overview
  • Configuring URPF
  • URPF Configuration Examples
Note:
The service processor boards mentioned in the chapter refer to LSB1NAMB0 boards.
1.1 URPF Overview
Unicast reverse path forwarding (URPF) serves as a safeguard against source address spoofing attacks.
In general, a routing switch forwards packets according to their destination addresses: if it finds a route to the destination, it forwards the packet; otherwise it discards the packet.
After URPF is enabled, the switch records the source address and the incoming interface of each packet, then looks up a route to that source address in its routing table, treating the source as if it were a destination. If the outgoing interface of the matching route does not match the interface the packet arrived on, the switch assumes the source address is forged and discards the packet.
URPF therefore defeats attacks that rely on forged source addresses. The following figure shows the common attack mode.
Figure 1-1 Source address spoofing attacks
(Diagram: Switch A at 1.1.1.1, Switch B, and Switch C at 2.1.1.1; Switch A sends packets carrying the source address 2.1.1.1.)
An attacker on Switch A forges packets with source address 2.1.1.1 and sends a request to the server behind Switch B. If Switch B does not perform a URPF check, it answers the request and sends the reply packets to address 2.1.1.1. These illegal packets can thus attack both Switch B and Switch C.
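The check described above, as an added example that is not part of the manual: a longest-prefix lookup of the packet's source address, compared against the interface the packet arrived on, applied to the Figure 1-1 scenario. The routing table, interface names and packets are constructed for illustration.

```python
import ipaddress

# Constructed routing table for a switch in the position of Switch B in
# Figure 1-1: destination prefix -> outgoing interface (not from the manual).
ROUTES = {
    "1.1.1.0/24": "Vlan-interface1000",  # network of Switch A
    "2.1.1.0/24": "Vlan-interface1001",  # network of Switch C
}

# Constructed packets as (source address, incoming interface).
PACKETS = [
    ("1.1.1.1", "Vlan-interface1000"),  # genuine traffic from Switch A
    ("2.1.1.1", "Vlan-interface1000"),  # Switch A forging Switch C's address
    ("2.1.1.1", "Vlan-interface1001"),  # genuine traffic from Switch C
    ("9.9.9.9", "Vlan-interface1000"),  # source address with no route at all
]


def lookup(routes, address):
    """Longest-prefix match: return the outgoing interface for address, or None."""
    addr = ipaddress.ip_address(address)
    best_net, best_iface = None, None
    for prefix, iface in routes.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_iface = net, iface
    return best_iface


def urpf_check(routes, src, in_iface):
    """Look up the source address as if it were a destination and pass the
    packet only if that route's outgoing interface is the interface the
    packet actually arrived on. A source with no route fails the check."""
    return lookup(routes, src) == in_iface


def run_urpf(routes, packets):
    """Apply the check to a batch of packets and keep the received/rejected
    counters that 'display urpf' reports and 'reset urpf statistic' clears."""
    stats = {"received": 0, "rejected": 0}
    forwarded = []
    for src, in_iface in packets:
        stats["received"] += 1
        if urpf_check(routes, src, in_iface):
            forwarded.append((src, in_iface))
        else:
            stats["rejected"] += 1
    return forwarded, stats
```

Running `run_urpf(ROUTES, PACKETS)` forwards the two genuine packets and rejects the spoofed one together with the unroutable one, leaving counters of 4 received and 2 rejected.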
1.2 Configuring URPF
The following section describes the URPF configuration tasks:
  • Configure packet redirection
  • Enable URPF on ports
  • Display port configuration information
  • Clear URPF statistical counters to zero
Use the urpf enable command to enable URPF on a VLAN interface and to specify the service processor board that performs the check. In port view, configure packet redirection to that service processor board so that the data flow actually reaches it.
Caution:
URPF and virtual private LAN service (VPLS) are mutually exclusive, so you cannot enable both URPF and VPLS in the same VLAN interface view.
After enabling URPF on a VLAN interface, use the display urpf command to view the configuration. If the NAM service processor card specified when URPF was enabled is inserted in the slot, you can also view the URPF statistics for the port.
When a VLAN interface with URPF enabled has been running for a long time, the counters accumulate a large amount of statistical data, so you will need to clear the URPF statistics for the port. To clear the recorded counts of received and rejected packets, execute the reset urpf statistic command; this resets the URPF statistical counters to zero.
Follow these steps to enable URPF on a port and specify the corresponding LSB1NATB boards for handling:

Step 1: Enter system view.
  Command: system-view

Step 2: Enter Ethernet port view.
  Command: interface ethernet X/1/X

Step 3: Configure packet redirection (required).
  Command: traffic-redirect inbound ip-group { acl-number | acl-name } [ rule rule link-group { acl-number | acl-name } [ rule rule [ system-index index ] ] | link-group { acl-number | acl-name } rule rule ] slot slotnum designated-vlan vlanidex
  Remarks: The service processor board does not currently support multicast. Use an ACL to prohibit multicast packets from being redirected to the service processor board.

Step 4: Quit to system view.
  Command: quit

Step 5: Enter VLAN interface view.
  Command: interface vlan-interface vlan-id

Step 6: Enable URPF on a port (required).
  Command: urpf enable to slot slotid
  Remarks: Enable URPF in VLAN interface view and specify the slot of the service processor board that performs the URPF check. By default, URPF is disabled.

Step 7: Display configuration information.
  Command: display urpf

Step 8: Clear URPF statistical counters to zero.
  Command: reset urpf statistic
Note:
  • In access control lists, redirection configuration is valid only for rules with the permit action.
  • When you configure the traffic-redirect command to redirect packets, you must use an ACL to prohibit multicast packets from being redirected to the service processor board.
1.3 URPF Configuration Examples
1.3.1 Example I
I. Network requirements
Unlike routers, switches enable URPF on VLAN interfaces and configure only packet redirection on each port. Packets to be checked are redirected to the service processor board, which performs the URPF check and then forwards or discards them.
II. Network diagram
ISP
G6/1/2
SwitchA SwitchB
VLAN 1000
E3/1/30
Figure 1-2 Network diagram for URPF configuration
III. Configuration procedure
On Switch B, assume that the service processor board is installed in slot 5 and that normal access boards are installed in slot 3 and slot 6.
# Configure VLAN 1000, assign the two access ports to it, and give the VLAN interface an IP address.
[H3C] vlan 1000
[H3C-vlan1000] port Ethernet 3/1/30
[H3C-vlan1000] port GigabitEthernet 6/1/2
[H3C-vlan1000] quit
[H3C] interface vlan-interface 1000
[H3C-Vlan-interface1000] ip address 10.10.10.1 24
[H3C-Vlan-interface1000] quit
# Configure flow templates. Specify the flow template of the two access boards installed in slot 3 and slot 6 to extract the destination MAC address and Ethernet protocol fields of the packets.
[H3C] flow-template user-defined slot 3 dmac 00-00-00 ethernet-protocol
[H3C] flow-template user-defined slot 6 dmac 00-00-00 ethernet-protocol
# Create a Layer 2 ACL.
[H3C] acl number 4000
# Define a rule that permits IP packets whose destination MAC address is that of the interface (01-02-03).
[H3C-acl-link-4000] rule 0 permit ip egress 01-02-03 00-00-00
[H3C-acl-link-4000] quit
# Configure packet redirection on the corresponding Ethernet ports: matched packets go to the service processor board in slot 5 for VLAN 1000.
[H3C] interface Ethernet 3/1/30
[H3C-Ethernet3/1/30] flow-template user-defined
[H3C-Ethernet3/1/30] traffic-redirect inbound link-group 4000 slot 5 designated-vlan 1000
[H3C-Ethernet3/1/30] quit
[H3C] interface GigabitEthernet 6/1/2
[H3C-GigabitEthernet6/1/2] flow-template user-defined
[H3C-GigabitEthernet6/1/2] traffic-redirect inbound link-group 4000 slot 5 designated-vlan 1000
[H3C-GigabitEthernet6/1/2] quit
# Enable URPF on VLAN interface 1000, using the service processor board in slot 5.
[H3C] interface vlan-interface 1000
[H3C-Vlan-interface1000] urpf enable to slot 5
1.3.2 Example II
I. Network requirements
The NAM board is installed in slot 5.
Create two virtual interfaces, VLAN interface 1000 and VLAN interface 1001, enable URPF on both, and use the NAM service processor board in slot 5 to perform the URPF check.
Port Ethernet 6/1/1 is a trunk port that permits packets of VLAN 1000 and VLAN 1001. Port Ethernet 6/1/1 is required to perform the URPF check on packets of both VLAN 1000 and VLAN 1001.
II. Network diagram
Figure 1-3 Network diagram for URPF
(Diagram: ISP, Switch A and Switch B; trunk port Ethernet6/1/1 on Switch B carries VLAN 1000 and VLAN 1001.)
III. Configuration procedure
# Create VLAN 1000 and VLAN 1001, and configure Ethernet 6/1/1 as a trunk port that permits both VLANs.
[H3C] vlan 1000
[H3C-vlan1000] quit
[H3C] vlan 1001
[H3C-vlan1001] quit
[H3C] interface Ethernet 6/1/1
[H3C-Ethernet6/1/1] port link-type trunk
[H3C-Ethernet6/1/1] port trunk permit vlan 1000 1001
[H3C-Ethernet6/1/1] quit
# Assign IP addresses to the VLAN interfaces.
[H3C] interface vlan-interface 1000
[H3C-Vlan-interface1000] ip address 10.10.10.1 24
[H3C-Vlan-interface1000] interface vlan-interface 1001
[H3C-Vlan-interface1001] ip address 11.11.11.1 24
# Enable URPF on both VLAN interfaces, using the NAM board in slot 5.
[H3C-Vlan-interface1001] interface vlan-interface 1000
[H3C-Vlan-interface1000] urpf enable to slot 5
[H3C-Vlan-interface1000] interface vlan-interface 1001
[H3C-Vlan-interface1001] urpf enable to slot 5
[H3C-Vlan-interface1001] quit
# Create a Layer 2 ACL.
[H3C] acl number 4000
# Permit the IP packets entering VLAN 1000 whose destination MAC address is the interface MAC 000f-e239-a9b8.
[H3C-acl-link-4000] rule 0 permit ip ingress 1000 egress 000f-e239-a9b8 0000-0000-0000
# Permit the IP packets entering VLAN 1001 with the same destination MAC address.
[H3C-acl-link-4000] rule 1 permit ip ingress 1001 egress 000f-e239-a9b8 0000-0000-0000
[H3C-acl-link-4000] quit
# Configure a user-defined flow template for the board in slot 6 that extracts the VLAN ID, Ethernet protocol and destination MAC fields.
[H3C] flow-template user-defined slot 6 vlanid ethernet-protocol dmac 00-00-00
# Apply the flow template on port Ethernet 6/1/1 and configure traffic redirection, one statement per VLAN.
[H3C] interface Ethernet 6/1/1
[H3C-Ethernet6/1/1] flow-template user-defined
[H3C-Ethernet6/1/1] traffic-redirect inbound link-group 4000 rule 0 slot 5 designated-vlan 1000
[H3C-Ethernet6/1/1] traffic-redirect inbound link-group 4000 rule 1 slot 5 designated-vlan 1001
Note that the ingress VLAN IDs configured in the rules of ACL 4000 must match the VLAN IDs given with designated-vlan in the corresponding traffic-redirect commands, because on a trunk port the URPF check is performed per VLAN.
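A small consistency check for the two constraints this chapter states, added here as an example and not part of the manual: every traffic-redirect statement must reference a permit rule (the Note in 1.2), and that rule's ingress VLAN must equal the designated-vlan (the note above). The configuration excerpts are constructed, modelled on Example II.

```python
import re

# Constructed config excerpts modelled on Example II (not the manual's own text).
GOOD_CONFIG = """\
[H3C-acl-link-4000] rule 0 permit ip ingress 1000 egress 000f-e239-a9b8 0000-0000-0000
[H3C-acl-link-4000] rule 1 permit ip ingress 1001 egress 000f-e239-a9b8 0000-0000-0000
[H3C-Ethernet6/1/1] traffic-redirect inbound link-group 4000 rule 0 slot 5 designated-vlan 1000
[H3C-Ethernet6/1/1] traffic-redirect inbound link-group 4000 rule 1 slot 5 designated-vlan 1001
"""
# Three faults: rule 0 VLAN mismatch, rule 1 is a deny rule, rule 2 does not exist.
BAD_CONFIG = """\
[H3C-acl-link-4000] rule 0 permit ip ingress 1000 egress 000f-e239-a9b8 0000-0000-0000
[H3C-acl-link-4000] rule 1 deny ip ingress 1001 egress 000f-e239-a9b8 0000-0000-0000
[H3C-Ethernet6/1/1] traffic-redirect inbound link-group 4000 rule 0 slot 5 designated-vlan 1001
[H3C-Ethernet6/1/1] traffic-redirect inbound link-group 4000 rule 1 slot 5 designated-vlan 1001
[H3C-Ethernet6/1/1] traffic-redirect inbound link-group 4000 rule 2 slot 5 designated-vlan 1000
"""

RULE_RE = re.compile(r"\[H3C-acl-link-(\d+)\] rule (\d+) (permit|deny) ip ingress (\d+)")
REDIRECT_RE = re.compile(
    r"traffic-redirect inbound link-group (\d+) rule (\d+) slot (\d+) designated-vlan (\d+)")

def parse(config):
    """Return ACL rules as {(acl, rule): (action, ingress_vlan)} and redirect
    statements as a list of (acl, rule, slot, designated_vlan) tuples."""
    rules, redirects = {}, []
    for line in config.splitlines():
        if m := RULE_RE.search(line):
            acl, rule, action, vlan = m.groups()
            rules[(int(acl), int(rule))] = (action, int(vlan))
        elif m := REDIRECT_RE.search(line):
            redirects.append(tuple(int(g) for g in m.groups()))
    return rules, redirects

def find_problems(config):
    """One message per redirect statement that breaks a constraint the chapter states."""
    rules, redirects = parse(config)
    problems = []
    for acl, rule, _slot, dvlan in redirects:
        entry = rules.get((acl, rule))
        if entry is None:
            problems.append(f"acl {acl} rule {rule}: referenced rule does not exist")
            continue
        action, ivlan = entry
        if action != "permit":
            problems.append(f"acl {acl} rule {rule}: redirection is only valid for permit rules")
        if ivlan != dvlan:
            problems.append(f"acl {acl} rule {rule}: ingress {ivlan} != designated-vlan {dvlan}")
    return problems
```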