ASPF TCP application inspection configuration example - HP MSR2000 Configuration Manual


ASPF TCP application inspection configuration example

Network requirements
Local users on the internal network need to access the external network. To protect the internal network
against ICMP and SYN packet attacks from the external network, configure an ASPF policy on Router A
to drop faked ICMP error messages and non-SYN packets that are the first packets over TCP connections.
Figure 72 Network diagram
[Diagram not reproduced. Labels: Internal network; Host 192.168.1.2/24]
Configuration procedure
# Configure ACL 3111 to deny all IP packets.
<RouterA> system-view
[RouterA] acl number 3111
[RouterA-acl-adv-3111] rule deny ip
[RouterA-acl-adv-3111] quit
# Create ASPF policy 1.
[RouterA] aspf-policy 1
# Configure ASPF policy 1 to drop faked ICMP error messages.
[RouterA-aspf-policy-1] icmp-error drop
# Configure ASPF policy 1 to drop non-SYN packets that are the first packets over TCP connections.
[RouterA-aspf-policy-1] tcp syn-check
[RouterA-aspf-policy-1] quit
# Apply ACL 3111 to the inbound direction of interface Ethernet 1/0 to prohibit all IP packets from entering the internal network.
[RouterA] interface ethernet 1/0
[RouterA-Ethernet1/0] packet-filter 3111 inbound
# Apply ASPF policy 1 to the outbound direction of interface Ethernet 1/0.
[RouterA-Ethernet1/0] aspf policy 1 outbound
Verifying the configuration
# Display the configuration of ASPF policy 1.
<RouterA> display aspf policy 1
ASPF policy configuration:
Policy number: 1
Enable ICMP error message check
[Figure 72, remaining labels: Router A; Router B; Eth1/0 10.1.1.1/24; Eth1/1 192.168.1.1/24; External network; Server 2.2.2.11/24]
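An added example, not taken from the HP manual: an offline check that a saved configuration still contains every command from the procedure above for a given interface. The sample text is constructed, and its layout (view header followed by indented sub-commands) and the names parse_views, bound_number and audit are assumptions.

```python
import re

# Constructed sample built from the commands in the procedure above; the
# header-plus-indented-lines layout is an assumption, not device output.
GOOD = """\
acl number 3111
 rule deny ip
aspf-policy 1
 icmp-error drop
 tcp syn-check
interface Ethernet1/0
 packet-filter 3111 inbound
 aspf policy 1 outbound
"""
WEAK = GOOD.replace(" tcp syn-check\n", "")  # first-packet SYN check left out

def parse_views(text):
    """Group indented sub-commands under the unindented view header above them."""
    views, current = {}, None
    for line in filter(str.strip, text.splitlines()):
        if not line[0].isspace():
            current = line.strip()
            views.setdefault(current, [])
        elif current is not None:
            views[current].append(line.strip())
    return views

def bound_number(cmds, pattern):
    """Return the number captured by pattern from the first matching command."""
    return next((m.group(1) for c in cmds if (m := re.fullmatch(pattern, c))), None)

def audit(text, interface):
    """Return findings; an empty list means every protection in the example is present."""
    views = parse_views(text)
    iface = views.get(f"interface {interface}")
    if iface is None:
        return [f"interface {interface} not found"]
    findings = []
    acl = bound_number(iface, r"packet-filter (\d+) inbound")
    if acl is None or "rule deny ip" not in views.get(f"acl number {acl}", []):
        findings.append("no inbound packet-filter bound to an ACL with 'rule deny ip'")
    pol = bound_number(iface, r"aspf policy (\d+) outbound")
    if pol is None:
        findings.append("no outbound ASPF policy")
    for cmd in ("icmp-error drop", "tcp syn-check"):
        if pol is not None and cmd not in views.get(f"aspf-policy {pol}", []):
            findings.append(f"aspf-policy {pol} lacks '{cmd}'")
    return findings
```

Calling audit(WEAK, "Ethernet1/0") reports the missing tcp syn-check, while audit(GOOD, "Ethernet1/0") returns an empty list.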
This manual is also suitable for: MSR3000, MSR4000