Configuration Files; Example: Configuring Network Layer Attack Protection; Network Configuration; Software Versions Used - H3C S12500R Series Configuration Examples

Switch router attack protection configuration examples

# Verify that the CPU usage does not surge. (Details not shown.)
2. Verify that each ARP attack protection feature functions on the device (this example uses the ARP source suppression feature):
# Send the device 20 forged packets with the same source IP address and unresolvable destination IP addresses. (Details not shown.)
# Verify that the device stops resolving the packets after receiving 8 forged packets within 5 seconds. (Details not shown.)
# Verify the ARP source suppression configuration.
[Device] display arp source-suppression
ARP source suppression is enabled
Current suppression limit: 8
Current cache length: 16
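
A simplified model of the ARP source suppression behaviour verified above, added here as an example; it is not H3C code and not part of the original document. It assumes a fixed 5-second window per source IP that resets once it elapses, and the class names, function names and sample addresses are hypothetical.

```python
from collections import defaultdict

SUPPRESSION_LIMIT = 8   # matches "Current suppression limit: 8" on the page
WINDOW_SECONDS = 5.0    # interval stated in the verification step


class ArpSourceSuppressionModel:
    """Toy model: per-source counter of unresolvable packets in a fixed window."""

    def __init__(self, limit=SUPPRESSION_LIMIT, window=WINDOW_SECONDS):
        self.limit = limit
        self.window = window
        self._state = {}  # src_ip -> (window_start, count)

    def handle_unresolvable(self, src_ip, now):
        """Return True if the device would still attempt ARP resolution."""
        start, count = self._state.get(src_ip, (now, 0))
        if now - start >= self.window:   # assumed: counter resets when window ends
            start, count = now, 0
        count += 1
        self._state[src_ip] = (start, count)
        return count <= self.limit


def replay(packets, model=None):
    """Replay (timestamp, src_ip, dst_ip) tuples; tally outcomes per source."""
    model = model or ArpSourceSuppressionModel()
    stats = defaultdict(lambda: {"resolved": 0, "suppressed": 0})
    for ts, src, _dst in sorted(packets):
        key = "resolved" if model.handle_unresolvable(src, ts) else "suppressed"
        stats[src][key] += 1
    return dict(stats)


def constructed_flood(src="192.0.2.10", count=20, spacing=0.1, start=0.0):
    """Constructed sample: one source, distinct unresolvable destinations."""
    return [(start + i * spacing, src, f"198.51.100.{i + 1}") for i in range(count)]


if __name__ == "__main__":
    # 20 packets from one source plus a single packet from an unrelated host.
    packets = constructed_flood() + [(0.5, "192.0.2.20", "198.51.100.200")]
    for src, tally in replay(packets).items():
        print(src, tally)
```

Because the counter is kept per source IP, the single packet from the second host is still resolved while the flooding source is suppressed.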

Configuration files

#
arp valid-check enable
arp source-mac filter
arp source-mac threshold 25
arp active-ack enable
arp source-suppression enable
arp source-suppression limit 8
#
Example: Configuring network layer attack protection

Network configuration

As shown in Figure 3, Device A is the gateway for the internal network. To protect Device A against IP packet attacks from internal and external networks, configure the following network layer attack protection features:
• Configure strict uRPF check to prevent source address spoofing attacks.
• Disable sending ICMP time exceeded messages. The device will not be flooded by ICMP time exceeded messages when receiving a large number of packets with TTL set to 1.
Figure 3 Network diagram (labels: Switch, Device A, Device B, IP network)

Software versions used

This configuration example was created and verified on Release 3606.
