H3C S7500E-X Configuration Examples
  1. Manuals
  2. Brands
  3. H3C Manuals
  4. Network Hardware
  5. H3C S7500E-X
  6. Configuration examples

H3C S7500E-X Configuration Examples

Attack protection configuration examples
Hide thumbs Also See for S7500E-X:
Table of Contents

Advertisement

Quick Links

Download this manual
H3C S7500E-X Attack Protection
Configuration Examples
Copyright © 2015 Hangzhou H3C Technologies Co., Ltd. All rights reserved.
No part of this manual may be reproduced or transmitted in any form or by any means without
prior written consent of Hangzhou H3C Technologies Co., Ltd.
The information in this document is subject to change without notice.

Advertisement

Table of Contents
loading
Need help?

Need help?

Do you have a question about the S7500E-X and is the answer not in the manual?

Questions and answers

Subscribe to Our Youtube Channel

Related Manuals for H3C S7500E-X

Summary of Contents for H3C S7500E-X

  • Page 1 H3C S7500E-X Attack Protection Configuration Examples Copyright © 2015 Hangzhou H3C Technologies Co., Ltd. All rights reserved. No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of Hangzhou H3C Technologies Co., Ltd.

  • Page 2: Table Of Contents

    Contents Introduction ··································································································································································· 1 Prerequisites ·································································································································································· 1 Example: Configuring link layer attack protection ···································································································· 2 Network requirements ······················································································································································ 2 Requirements analysis ······················································································································································· 3 Software version used ······················································································································································ 3 Configuration restrictions and guidelines ······················································································································· 3 Configuration procedures ················································································································································ 4 Configuring Device B ··············································································································································· 4 Configuring Device A ··············································································································································...

  • Page 3: Introduction

    Introduction This document provides configuration examples of link layer attack protection, ARP attack protection, network layer attack protection, and transport layer attack protection, as defined in Table Table 1 Attack protection types Attack protection types Description Prevents the attack of packets with different source MAC address attack MAC addresses or VLANs by configuring the protection...

  • Page 4: Example: Configuring Link Layer Attack Protection

    Example: Configuring link layer attack protection Network requirements As shown in Figure 1, Device A, Device B, and Device C run MSTP. Device B acts as the root bridge, and GigabitEthernet 2/0/1 on Device C is blocked. Configure the following features to prevent link layer attacks: •...

  • Page 5: Requirements Analysis

    Figure 1 Network diagram Requirements analysis For the ports at the access side of Device A and Device C to rapidly transit to the forwarding state, use the stp edged-port command to configure these ports as edge ports. This example uses GigabitEthernet 2/0/3 to illustrate the configuration on the ports at the access side on Device A and Device C.

  • Page 6: Configuration Procedures

    Configuration procedures Configuring Device B # Specify IP addresses for interfaces. (Details not shown.) # Configure root guard on GigabitEthernet 2/0/1 and GigabitEthernet 2/0/2. <DeviceB> system-view [DeviceB] interface range GigabitEthernet 2/0/1 to GigabitEthernet 2/0/2 [DeviceB-if-range] stp root-protection [DeviceB-if-range] quit # Configure TC-BPDU guard. [DeviceB] stp tc-protection [DeviceB] stp tc-protection threshold 10 # Configure broadcast and multicast suppression on GigabitEthernet 2/0/1 and GigabitEthernet...

  • Page 7: Configuring Device C

    Configuring Device C # Specify IP addresses for interfaces. (Details not shown.) # Configure STP BPDU guard. <DeviceC> system-view [DeviceC] stp bpdu-protection # Configure GigabitEthernet 2/0/3 as an edge port. [DeviceC] interface GigabitEthernet 2/0/3 [DeviceC-GigabitEthernet2/0/3] stp edged-port [DeviceC-GigabitEthernet2/0/3] quit # Configure root guard on GigabitEthernet 2/0/1. [DeviceC] interface GigabitEthernet 2/0/1 [DeviceC-GigabitEthernet2/0/1] stp root-protection [DeviceC-GigabitEthernet2/0/1] quit...

  • Page 8: Configuration Files

    Configuration files Device A: • stp bpdu-protection stp tc-protection stp tc-protection threshold 10 interface GigabitEthernet 2/0/1 port link-mode bridge broadcast-suppression pps 6400 multicast-suppression pps 6400 interface GigabitEthernet 2/0/2 port link-mode bridge broadcast-suppression pps 6400 multicast-suppression pps 6400 interface GigabitEthernet 2/0/3 port link-mode bridge mac-address max-mac-count 1024 stp edged-port...

  • Page 9: Example: Configuring Arp Attack Protection

    stp bpdu-protection stp tc-protection stp tc-protection threshold 10 interface GigabitEthernet 2/0/1 port link-mode bridge stp root-protection broadcast-suppression pps 6400 multicast-suppression pps 6400 interface GigabitEthernet 2/0/2 port link-mode bridge stp loop-protection broadcast-suppression pps 6400 multicast-suppression pps 6400 interface GigabitEthernet 2/0/3 port link-mode bridge mac-address max-mac-count 1024 broadcast-suppression pps 6400 multicast-suppression pps 6400...

  • Page 10: Software Version Used

    Software version used This example was created and verified on S7500EX-CMW710-R7168. Configuration procedures # Specify IP addresses for interfaces. (Details not shown.) # Enable ARP source suppression. <Device> system-view [Device] arp source-suppression enable # Configure the device to accept a maximum of 8 unresolvable packets per source IP address in 5 seconds.

  • Page 11: Configuration Files

    Configuration files arp valid-check enable arp source-mac filter arp source-mac threshold 25 arp active-ack enable arp source-suppression enable arp source-suppression limit 8 Example: Configuring network layer attack protection Network requirements As shown in Figure 3, Device A is the gateway for the internal network. To protect Device A against IP packet attacks from internal and external networks, configure the following network layer attack protection features: Configure strict uRPF check to prevent source address spoofing attacks.

  • Page 12: Verifying The Configuration

    # Disable sending ICMP time exceeded messages. Sending ICMP time exceeded messages is disabled by default. [DeviceA] undo ip ttl-expires enable Verifying the configuration Verify that Device A can prevent source address spoofing attacks: # Verify that Device A can filter out packets with forged source IP addresses. (Details not shown.) # Verify the uRPF configuration.

  • Page 13: Software Version Used

    responds to a SYN packet with a SYN ACK packet without establishing a TCP semi-connection. The device establishes a TCP connection only when it receives an ACK packet from the sender. Figure 4 Network diagram Software version used This example was created and verified on S7500EX-CMW710-R7168. Configuration procedures # Specify IP addresses for interfaces.

  • Page 14: Related Documentation

    Related documentation H3C S7500E-X Switch Series Layer 2—LAN Switching Configuration Guide-Release 7168 • H3C S7500E-X Switch Series Layer 2—LAN Switching Command Reference-Release 7168 • H3C S7500E-X Switch Series Layer 3—IP Services Configuration Guide-Release 7168 • • H3C S7500E-X Switch Series Layer 3—IP Services Command Reference-Release 7168 H3C S7500E-X Switch Series Security Configuration Guide-Release 7168 •...

Table of Contents