ASPF TCP Application Inspection Configuration Example - HP VSR1000 Security Configuration Manual

Virtual services router

ASPF TCP application inspection configuration example

Network requirements
Local users on the internal network need to access the external network. To protect the internal network
against ICMP and SYN packet attacks from the external network, configure an ASPF policy on Router A.
Router A can then drop faked ICMP error messages and non-SYN packets that are the first packets over
TCP connections.
Figure 85 Network diagram
Configuration procedure
# Configure ACL 3111 to deny all IP packets.
<RouterA> system-view
[RouterA] acl number 3111
[RouterA-acl-adv-3111] rule deny ip
[RouterA-acl-adv-3111] quit
# Create ASPF policy 1.
[RouterA] aspf-policy 1
# Enable ICMP error message check.
[RouterA-aspf-policy-1] icmp-error drop
# Enable TCP SYN check.
[RouterA-aspf-policy-1] tcp syn-check
[RouterA-aspf-policy-1] quit
# Apply ACL 3111 to deny all incoming IP packets on interface GigabitEthernet 1/0.
[RouterA] interface GigabitEthernet 1/0
[RouterA-GigabitEthernet1/0] packet-filter 3111 inbound
# Apply ASPF policy 1 to the outbound direction of interface GigabitEthernet 1/0.
[RouterA-GigabitEthernet1/0] aspf apply policy 1 outbound
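The two checks enabled above, modeled in Python as an added example (not taken from the HP manual and not Comware's implementation). It assumes ASPF keeps a session table keyed by endpoint pair and lets return traffic and ICMP error messages for a tracked session past ACL 3111; AspfModel, Pkt and all addresses are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Pkt:
    direction: str            # "out" leaves GigabitEthernet 1/0, "in" arrives on it
    proto: str                # "tcp" or "icmp-error"
    src: tuple                # (ip, port)
    dst: tuple
    flags: frozenset = frozenset()
    embedded: tuple = None    # ICMP error only: (src, dst) of the packet it reports on

class AspfModel:
    """Toy model of ACL 3111 inbound plus ASPF policy 1 outbound (assumed semantics)."""
    def __init__(self):
        self.sessions = set()             # {(inside endpoint, outside endpoint)}

    def handle(self, p):
        if p.proto == "tcp" and p.direction == "out":
            key = (p.src, p.dst)
            if key in self.sessions:
                return "permit"
            if p.flags == {"SYN"}:        # tcp syn-check: a new connection must open with SYN
                self.sessions.add(key)
                return "permit"
            return "drop: non-SYN first packet"
        if p.proto == "tcp" and p.direction == "in":
            # Return traffic of a tracked session bypasses the deny-all ACL.
            return "permit" if (p.dst, p.src) in self.sessions else "drop: ACL 3111"
        if p.proto == "icmp-error" and p.direction == "in":
            # icmp-error drop: the quoted header must belong to a tracked session.
            return "permit" if p.embedded in self.sessions else "drop: faked ICMP error"
        return "drop: ACL 3111"

def run_demo():
    host, web = ("192.0.2.10", 40000), ("198.51.100.5", 80)   # constructed addresses
    other = ("198.51.100.9", 443)
    fw = AspfModel()
    packets = [  # constructed sample traffic
        Pkt("out", "tcp", host, other, frozenset({"ACK"})),
        Pkt("out", "tcp", host, web, frozenset({"SYN"})),
        Pkt("in", "tcp", web, host, frozenset({"SYN", "ACK"})),
        Pkt("in", "tcp", other, host, frozenset({"SYN"})),
        Pkt("in", "icmp-error", ("203.0.113.1", 0), host, embedded=(host, web)),
        Pkt("in", "icmp-error", ("203.0.113.1", 0), host, embedded=(host, other)),
    ]
    return [fw.handle(p) for p in packets]

if __name__ == "__main__":
    print("\n".join(run_demo()))
```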
Verifying the configuration
# Display the configuration of ASPF policy 1.
<RouterA> display aspf policy 1