H3C S12500R Series Configuration Examples


Switch router attack protection configuration examples

H3C S12500R Switch Router Series
Attack Protection Configuration Examples
Copyright © 2021 New H3C Technologies Co., Ltd. All rights reserved.
No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of New
H3C Technologies Co., Ltd.
Except for the trademarks of New H3C Technologies Co., Ltd., any trademarks that may be mentioned in this document are
the property of their respective owners.
The information in this document is subject to change without notice.


Summary of Contents for H3C S12500R Series

  • Page 2: Table of Contents

    Contents
    Introduction 1
    Prerequisites 1
    Example: Configuring link layer attack protection 2
      Network configuration 2
      Analysis 3
      Software versions used 3
      Restrictions and guidelines 3
      Procedures 3
        Configuring Device B 3
        Configuring Device A ...
  • Page 3: Introduction

    Introduction
    This document provides configuration examples of link layer attack protection, ARP attack protection, network layer attack protection, and transport layer attack protection, as defined in Table 1.

    Table 1 Attack protection types
    Attack protection type    Description
    MAC address attack        Prevents attacks that use packets with different source MAC addresses or VLANs by configuring the protection...
  • Page 4: Example: Configuring Link Layer Attack Protection

    Example: Configuring link layer attack protection Network configuration As shown in Figure 1, Device A, Device B, and Device C run MSTP. Device B acts as the root bridge, and HundredGigE 1/0/1 on Device C is blocked. Configure the following features to prevent link layer attacks: •...
  • Page 5: Analysis

    Analysis
    For the ports at the access side of Device A and Device C to rapidly transit to the forwarding state, use the stp edged-port command to configure these ports as edge ports. This example uses HundredGigE 1/0/3 to illustrate the configuration on the access-side ports of Device A and Device C.
  • Page 6: Configuring Device C

    [DeviceA] interface range hundredgige 1/0/1 to hundredgige 1/0/3
    [DeviceA-if-range] port link-mode bridge
    [DeviceA-if-range] quit
    # Configure STP BPDU guard.
    [DeviceA] stp bpdu-protection
    # Configure HundredGigE 1/0/3 as an edge port.
    [DeviceA] interface hundredgige 1/0/3
    [DeviceA-HundredGigE1/0/3] stp edged-port
    [DeviceA-HundredGigE1/0/3] quit
    # Configure TC-BPDU guard.
    [DeviceA] stp tc-protection
    [DeviceA] stp tc-protection threshold 10
    # Configure broadcast and multicast suppression on all ports.
  • Page 7: Verifying The Configuration

    Verifying the configuration
    # Verify that the edge ports go down after they receive STP BPDUs. (Details not shown.)
    # Bring the edge ports up by using the undo shutdown command. (Details not shown.)
    # Verify that the root bridge ID of Device B does not change and that the STP topology remains stable after STP BPDUs with a higher priority are sent to Device B.
  • Page 8: Example: Configuring Arp Attack Protection

    broadcast-suppression pps 6400
    multicast-suppression pps 6400
    • Device C:
    stp bpdu-protection
    stp tc-protection threshold 10
    interface HundredGigE 1/0/1
     port link-mode bridge
     broadcast-suppression pps 6400
     multicast-suppression pps 6400
    interface HundredGigE 1/0/2
     port link-mode bridge
     stp loop-protection
     broadcast-suppression pps 6400
     multicast-suppression pps 6400
    interface HundredGigE 1/0/3
     port link-mode bridge
     stp edged-port...
  • Page 9: Software Versions Used

    Figure 2 Network diagram (figure not reproduced: the device and the attached network)
    Software versions used
    This configuration example was created and verified on Release 3606.
    Procedures
    # Specify IP addresses for interfaces. (Details not shown.)
    # Enable ARP source suppression.
    <Device> system-view
    [Device] arp source-suppression enable
    # Configure the device to accept a maximum of 8 unresolvable packets per source IP address in 5 seconds.
  • Page 10: Configuration Files

    # Verify that the CPU usage does not surge. (Details not shown.)
    Verify that each ARP attack protection feature functions on the device (this example uses the ARP source suppression feature):
    # Send the device 20 forged packets with the same source IP address and unresolvable destination IP addresses.
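    To make the verification step concrete, the following is an added simulation (written for this page in Python, not H3C code) of what the 8-packets-per-5-seconds limit does to the 20 forged packets above. The fixed-window counter, the sample ARP table, the addresses and the packet stream are constructed assumptions; the device's actual timer semantics are not described on the page.

```python
from dataclasses import dataclass


@dataclass
class Packet:
    t: float   # arrival time in seconds
    src: str   # source IP address
    dst: str   # destination IP address


class ArpSourceSuppression:
    """Per-source counter of packets whose destination cannot be resolved.

    Mirrors "accept a maximum of `limit` unresolvable packets per source IP
    in `window` seconds". Fixed-window semantics are an assumption made for
    this example."""

    def __init__(self, limit=8, window=5.0):
        self.limit, self.window = limit, window
        self._state = {}   # src -> (window_start, count)

    def allow(self, src, t):
        start, count = self._state.get(src, (t, 0))
        if t - start >= self.window:   # window expired: counter restarts
            start, count = t, 0
        count += 1
        self._state[src] = (start, count)
        return count <= self.limit


def forward(packets, arp_table, limit=8, window=5.0):
    """Classify each packet the way the gateway would handle it."""
    guard = ArpSourceSuppression(limit, window)
    stats = {"forwarded": 0, "arp_requests": 0, "suppressed": 0}
    for p in packets:
        if p.dst in arp_table:
            stats["forwarded"] += 1          # next hop known, no CPU work
        elif guard.allow(p.src, p.t):
            stats["arp_requests"] += 1       # CPU has to resolve the address
        else:
            stats["suppressed"] += 1         # dropped, CPU untouched
    return stats


def demo():
    # Constructed ARP table and traffic (addresses are assumptions).
    arp_table = {"10.1.1.1": "0000-5e00-0101", "10.1.1.5": "0000-5e00-0105"}
    forged = [Packet(0.1 * i, "10.1.1.99", f"10.1.1.{200 + i}") for i in range(20)]
    legit = [Packet(0.1 * i + 0.05, "10.1.1.5", "10.1.1.1") for i in range(20)]
    late = [Packet(6.0, "10.1.1.99", "10.1.1.250")]   # after the window expires
    stream = sorted(forged + legit + late, key=lambda p: p.t)
    return forward(stream, arp_table)


if __name__ == "__main__":
    print(demo())
```

    Of the 20 forged packets only the first 8 reach the CPU as ARP resolution work; the remaining 12 are suppressed, legitimate traffic to resolved hosts is unaffected, and the attacker's next packet after the window expires is counted afresh. That is the behaviour the "CPU usage does not surge" check above is looking for.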
  • Page 11: Restrictions And Guidelines

    Restrictions and guidelines
    After you disable sending ICMP time exceeded messages, the tracert feature will not be available.
    Do not configure both uRPF in strict mode and ECMP routes. Otherwise, service packets forwarded over ECMP routes might be mistakenly dropped.
    By default, interfaces on the device are disabled (in ADM or Administratively Down state).
  • Page 12: Example: Configuring Transport Layer Attack Protection

    Example: Configuring transport layer attack protection Network configuration As shown in Figure 4, the device is the gateway for the internal network. Configure SYN Cookie protection on the device to protect against SYN flood attacks. With this feature enabled, the device responds to a SYN packet with a SYN ACK packet without establishing a TCP semi-connection.
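    The following is an added illustration (written for this page in Python, not H3C code) of the stateless handshake described above: the server encodes the connection parameters into the SYN ACK sequence number and keeps no semi-connection, then recovers them from the client's ACK. The secret key, the MSS table, the 5-bit tick layout and the addresses are constructed assumptions; the switch router's own cookie format is not described on the page.

```python
import hashlib
import hmac
import ipaddress
import struct

MSS_TABLE = (536, 1220, 1460, 4312)        # 2-bit MSS index (assumed values)
SECRET = b"per-boot secret, constructed"   # a real stack draws this at boot


def _mac24(src, sport, dst, dport, tick):
    """24-bit keyed hash over the 4-tuple and the 5-bit time tick."""
    msg = struct.pack("!4s4sHHB", ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed, sport, dport, tick)
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_cookie(src, sport, dst, dport, mss, counter):
    """ISN = tick (5 bits) | MSS index (2 bits) | keyed hash (24 bits)."""
    tick = counter & 0x1F
    idx = max((i for i, m in enumerate(MSS_TABLE) if m <= mss), default=0)
    return (tick << 27) | (idx << 24) | _mac24(src, sport, dst, dport, tick)


def check_cookie(src, sport, dst, dport, cookie, counter):
    """Return the MSS encoded in a valid cookie, or None.

    The current and the previous tick are accepted so that a slow but
    honest client is not rejected."""
    tick = (cookie >> 27) & 0x1F
    if tick not in {counter & 0x1F, (counter - 1) & 0x1F}:
        return None
    if (cookie & 0xFFFFFF) != _mac24(src, sport, dst, dport, tick):
        return None
    return MSS_TABLE[(cookie >> 24) & 0x3]


class SynCookieServer:
    def __init__(self, ip, port):
        self.ip, self.port = ip, port
        self.counter = 0        # advances every 64 s on classic stacks
        self.half_open = {}     # stays empty: no semi-connection is created
        self.established = []

    def on_syn(self, src, sport, seq, mss):
        cookie = make_cookie(src, sport, self.ip, self.port, mss, self.counter)
        # The SYN ACK alone carries the state; nothing is stored here.
        return {"flags": "SYN-ACK", "seq": cookie, "ack": (seq + 1) & 0xFFFFFFFF}

    def on_ack(self, src, sport, ack):
        cookie = (ack - 1) & 0xFFFFFFFF
        mss = check_cookie(src, sport, self.ip, self.port, cookie, self.counter)
        if mss is not None:
            self.established.append((src, sport, mss))
        return mss


def demo():
    srv = SynCookieServer("10.1.1.1", 80)
    # Constructed flood: 10000 SYNs from spoofed sources that never ACK.
    for i in range(10000):
        srv.on_syn(f"198.51.100.{i % 254 + 1}", 1024 + i, i, 1460)
    # A legitimate client completes the handshake normally.
    synack = srv.on_syn("10.1.1.5", 40000, 12345, 1460)
    good = srv.on_ack("10.1.1.5", 40000, synack["seq"] + 1)
    # A forged ACK with a guessed acknowledgment number is rejected.
    bad = srv.on_ack("10.1.1.5", 40001, 0xDEADBEEF)
    # A cookie from two ticks ago is rejected as stale.
    stale = srv.on_syn("10.1.1.6", 40002, 1, 1460)
    srv.counter += 2
    expired = srv.on_ack("10.1.1.6", 40002, stale["seq"] + 1)
    return {"half_open": len(srv.half_open), "established": len(srv.established),
            "good_mss": good, "bad": bad, "expired": expired}


if __name__ == "__main__":
    print(demo())
```

    The flood leaves the half-open table empty, which is the point of the feature; the cost is that TCP options not encoded in the cookie (here everything except a coarse MSS) are lost for connections completed this way, and the hash must be keyed so that an attacker cannot forge the final ACK.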
  • Page 13: Configuration Files

    Configuration files
    tcp syn-cookie enable
    Related documentation
    • H3C S12500R Switch Router Series Layer 2—LAN Switching Command Reference-R3606
    • H3C S12500R Switch Router Series Layer 2—LAN Switching Configuration Guide-R3606
    • H3C S12500R Switch Router Series Layer 3—IP Services Command Reference-R3606
    • ...
