Configuring TCP attack protection ························································································································· 235

Enabling the SYN Cookie feature ······························································································································ 235

Displaying and maintaining TCP attack protection ·································································································· 235

Configuring IP source guard ·································································································································· 236

IP source guard overview ············································································································································ 236

Static IP source guard entries ····························································································································· 236

Dynamic IPv4 source guard entries ··················································································································· 237

Configuration task list ·················································································································································· 237

Configuring the IPv4 source guard function ·············································································································· 238

Enabling IPv4 source guard on a port ·············································································································· 238

Configuring a static IPv4 source guard entry ··································································································· 239

Setting the maximum number of IPv4 source guard entries allowed on a port ············································ 240

Configuring the IPv6 source guard function ·············································································································· 240

Enabling IPv6 source guard on a port ·············································································································· 240

Configuring a static IPv6 source guard entry ··································································································· 241

Setting the maximum number of IPv6 source guard entries allowed on a port ············································ 242

Displaying and maintaining IP source guard ············································································································ 242

IP source guard configuration examples ··················································································································· 243

Static IPv4 source guard entry configuration···································································································· 243

Dynamic IPv4 source guard using DHCP snooping ························································································ 245

Dynamic IPv4 source guard using DHCP relay ································································································ 246

Static IPv6 source guard entry configuration···································································································· 247

Global static IP source guard configuration ····································································································· 248

Troubleshooting IP source guard ································································································································ 250

Configuring ARP attack protection ························································································································· 251

ARP attack protection configuration task list ············································································································· 251

Configuring unresolvable IP attack protection ·········································································································· 252

Configuring ARP source suppression ················································································································ 252

Enabling ARP black hole routing ······················································································································· 252

Displaying and maintaining ARP source suppression ····················································································· 252

Unresolvable IP attack protection configuration example ··············································································· 253

Configuring ARP packet rate limit ······························································································································ 254

Configuring ARP packet rate limit ····················································································································· 254

Configuring source MAC-based ARP attack detection ···························································································· 254

Displaying and maintaining source MAC-based ARP attack detection ························································· 255

Source MAC-based ARP attack detection configuration example ································································· 255

Configuring ARP active acknowledgement ··············································································································· 256

Configuring ARP detection ·········································································································································· 257

Configuring user validity check ························································································································· 257

Configuring ARP packet validity check ············································································································· 258

Configuring ARP restricted forwarding ············································································································· 259

Displaying and maintaining ARP detection ······································································································ 259

User validity check configuration example ······································································································· 259

User validity check and ARP packet validity check configuration example ·················································· 261

ARP restricted forwarding configuration example ··························································································· 262

Configuring ARP automatic scanning and fixed ARP ······························································································· 264

Configuration guidelines ···································································································································· 264

Configuration procedure ···································································································································· 265

Configuring ND attack defense ····························································································································· 266

Overview ······································································································································································· 266

Enabling source MAC consistency check for ND packets ······················································································· 267