No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of New H3C Technologies Co., Ltd. Except for the trademarks of New H3C Technologies Co., Ltd., any trademarks that may be mentioned in this document are the property of their respective owners.
Introduction

This document provides configuration examples of link layer attack protection, ARP attack protection, network layer attack protection, and transport layer attack protection, as defined in Table 1.

Table 1 Attack protection types

Attack protection types | Description
Different source MAC address attack | Prevents the attack of packets with different source MAC addresses or VLANs by configuring the protection...
Example: Configuring link layer attack protection

Network configuration

As shown in Figure 1, Device A, Device B, and Device C run MSTP. Device B acts as the root bridge, and HundredGigE 1/0/1 on Device C is blocked. Configure the following features to prevent link layer attacks:
•...
Analysis

For the ports at the access side of Device A and Device C to rapidly transit to the forwarding state, use the stp edged-port command to configure these ports as edge ports. This example uses HundredGigE 1/0/3 to illustrate the configuration on the access-side ports of Device A and Device C.
Verifying the configuration

# Verify that the edge ports go down after they receive STP BPDUs. (Details not shown.)
# Bring the edge ports up by using the undo shutdown command. (Details not shown.)
# Verify that the root bridge ID of Device B does not change and that the STP topology remains stable after STP BPDUs with a higher priority are sent to Device B.
Figure 2 Network diagram (Network, Device)

Software versions used

This configuration example was created and verified on Release 3606.

Procedures

# Specify IP addresses for interfaces. (Details not shown.)
# Enable ARP source suppression.
<Device> system-view
[Device] arp source-suppression enable
# Configure the device to accept a maximum of 8 unresolvable packets per source IP address in 5 seconds.
Verify that each ARP attack protection feature functions on the device (this example uses the ARP source suppression feature):
# Send the device 20 forged packets with the same source IP address and unresolvable destination IP addresses.
# Verify that the CPU usage does not surge. (Details not shown.)
Restrictions and guidelines

After you disable sending ICMP time exceeded messages, the tracert feature will not be available.
Do not configure both uRPF in strict mode and ECMP routes. Otherwise, service packets forwarded based on ECMP routes might be mistakenly dropped.
By default, interfaces on the device are disabled (in ADM or Administratively Down state).
Example: Configuring transport layer attack protection

Network configuration

As shown in Figure 4, the device is the gateway for the internal network. Configure SYN Cookie protection on the device to protect against SYN flood attacks. With this feature enabled, the device responds to a SYN packet with a SYN ACK packet without establishing a TCP semi-connection (half-open connection), so forged SYN packets do not consume connection state on the device.
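To illustrate the stateless handshake described above, the following is an added Python example (not H3C code and not the device's implementation) of how a SYN cookie can be generated for the SYN ACK and later validated from the client's final ACK without keeping any half-open connection state; the secret key, the MSS table, the 64-second time window and the cookie layout are assumptions.

```python
import hmac
import hashlib

# Placeholder secret (assumption): a real device rotates this regularly.
SECRET = b"example-secret-rotate-me"
# Assumed MSS table: the client's MSS is rounded down to one of these
# values so that it fits in 3 bits of the cookie.
MSS_TABLE = [536, 1300, 1440, 1460]
MASK32 = 0xFFFFFFFF
MAX_AGE = 2  # cookies older than this many 64-second windows are rejected


def _hash24(src_ip, src_port, dst_ip, dst_port, count):
    """Keyed 24-bit tag over the connection 4-tuple and time counter."""
    msg = f"{src_ip}:{src_port}>{dst_ip}:{dst_port}|{count}".encode()
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")


def make_syn_cookie(src_ip, src_port, dst_ip, dst_port, client_isn, mss, now):
    """Return the SYN ACK sequence number for a SYN; nothing is stored."""
    count = int(now) >> 6  # 64-second window
    mss_idx = 0
    for i, m in enumerate(MSS_TABLE):
        if m <= mss:
            mss_idx = i
    # Layout: 5 bits of counter | 3 bits of MSS index | 24-bit keyed tag
    cookie = ((count & 0x1F) << 27) | (mss_idx << 24)
    cookie |= _hash24(src_ip, src_port, dst_ip, dst_port, count)
    return (client_isn + cookie) & MASK32


def check_syn_cookie(src_ip, src_port, dst_ip, dst_port, client_isn, ack, now):
    """Validate the final ACK (client_isn is the ACK's seq minus 1).

    Returns the negotiated MSS on success, or None if the cookie is
    forged, belongs to another 4-tuple, or has expired."""
    cookie = (ack - 1 - client_isn) & MASK32
    stamp = cookie >> 27
    mss_idx = (cookie >> 24) & 0x7
    tag = cookie & 0xFFFFFF
    count = int(now) >> 6
    for age in range(MAX_AGE + 1):
        cand = count - age
        if (cand & 0x1F) == stamp and _hash24(
            src_ip, src_port, dst_ip, dst_port, cand
        ) == tag:
            return MSS_TABLE[mss_idx]
    return None
```

Because the only state is the secret key, a flood of SYN packets that never complete the handshake costs the device no per-connection memory, which is the property the SYN Cookie feature relies on.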