H3C S9500 Series Operation Manual page 347


Operation Manual – ARP
H3C S9500 Series Routing Switches
Chapter 4 IP Packet Attack Prevention
When configuring IP packet attack prevention, go to these sections for information you
are interested in:
Introduction to IP Packet Attack Prevention
Configuring IP Packet Attack Prevention
4.1 Introduction to IP Packet Attack Prevention
With the expansion of the Internet and the increase of Internet users, network devices
are susceptible to attacks. You can configure the IP packet attack prevention function
on S9500 series switches to defend against IP packet attacks or unknown multicast
attacks.
An IP packet attack occurs when an S9500 switch receives excessive IP packets.
If the destination IP addresses of the packets and the IP address of a VLAN
interface are on the same network segment, these packets will be delivered to the
CPU for processing, which may affect normal packet forwarding due to high CPU
usage.
When an S9500 switch receives a large number of IP packets with the TTL field
being 1, a large number of ICMP time exceeded packets will be generated, thus
increasing the burden on the CPU.
4.2 Configuring IP Packet Attack Prevention
Follow these steps to configure IP packet attack prevention:
To do...                                      Use the command...                    Remarks
Enter system view                             system-view
Enable/disable IP packet attack prevention    anti-attack ip { disable | enable }   Required. Enabled by default.
Configure the switch not to process the       anti-attack ttl1 enable slot slotid   By default, the switch processes the
packets with the TTL field being 1                                                  packets with the TTL field being 1.
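The following added example (not part of the H3C manual) models the two conditions from section 4.1 over captured IP headers, so you can see how much ingress traffic would load the CPU and which sources send it before changing the anti-attack settings. The packet sample and the VLAN-interface addresses are constructed, and the function names are hypothetical.

```python
import ipaddress
from collections import Counter

# Constructed sample of ingress IP headers: (source, destination, TTL).
SAMPLE_PACKETS = [
    ("198.51.100.7", "10.1.1.20", 64),
    ("198.51.100.7", "10.1.1.21", 64),
    ("198.51.100.7", "10.1.1.22", 64),
    ("203.0.113.9", "192.0.2.50", 1),
    ("203.0.113.9", "192.0.2.51", 1),
    ("10.1.1.5", "192.0.2.80", 57),
]
# Hypothetical VLAN-interface addresses configured on the switch.
VLAN_INTERFACES = ["10.1.1.1/24", "10.1.2.1/24"]


def classify(packets, vlan_interfaces):
    """Count packets per CPU-load condition and per offending source."""
    segments = [ipaddress.ip_interface(i).network for i in vlan_interfaces]
    reasons, sources = Counter(), Counter()
    for src, dst, ttl in packets:
        if ttl == 1:
            # Expires at this hop: triggers an ICMP time exceeded reply.
            reason = "ttl1"
        elif any(ipaddress.ip_address(dst) in seg for seg in segments):
            # Destination shares a segment with a VLAN interface.
            reason = "vlan_segment"
        else:
            reason = "forwarded"
        reasons[reason] += 1
        if reason != "forwarded":
            sources[src] += 1
    return reasons, sources


def cpu_bound_ratio(reasons):
    """Fraction of packets that match either condition."""
    total = sum(reasons.values())
    return (total - reasons["forwarded"]) / total if total else 0.0


if __name__ == "__main__":
    reasons, sources = classify(SAMPLE_PACKETS, VLAN_INTERFACES)
    print(dict(reasons), f"cpu-bound ratio={cpu_bound_ratio(reasons):.2f}")
    for src, n in sources.most_common(3):
        print(f"{src}: {n} CPU-bound packets")
```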
