Restrictions And Guidelines; Procedures; Verifying The Configuration; Configuration Files - H3C S12500R Series Configuration Examples

Switch router attack protection configuration examples

Restrictions and guidelines

After you disable sending ICMP time exceeded messages, the tracert feature will not be available.
Do not configure both uRPF in strict mode and ECMP routes. If both are configured, service packets forwarded over ECMP routes might be mistakenly dropped.
By default, interfaces on the device are disabled (in ADM or Administratively Down state). To have an interface operate, you must use the undo shutdown command to enable that interface.

Procedures

# Specify IP addresses for interfaces. (Details not shown.)
# Enable strict uRPF check.
[DeviceA] ip urpf strict
# Disable sending ICMP time exceeded messages. Sending ICMP time exceeded messages is disabled by default.
[DeviceA] undo ip ttl-expires enable

Verifying the configuration

1. Verify that Device A can prevent source address spoofing attacks:
# Verify that Device A can filter out packets with forged source IP addresses. (Details not shown.)
# Verify the uRPF configuration.
[DeviceA] display ip urpf
Global uRPF configuration information:
Check type: strict
2. Verify that TTL attack protection functions on Device A:
# Enable ICMP debugging by executing the debugging ip icmp command on Device A. (Details not shown.)
# Use a PC to send packets in which the TTL is 1 to Device A. (Details not shown.)
# Verify that Device A does not display any debugging information and that the PC does not receive any ICMP time exceeded messages. (Details not shown.)
# Enable sending ICMP time exceeded messages and send packets in which the TTL is 1 to Device A. (Details not shown.)
# Verify that Device A responds with ICMP time exceeded messages.
<DeviceA> *Aug 14 16:43:31:068 2016 NM-3 SOCKET/7/ICMP: Slot=2;
Time(s):1371221011
ICMP Output:
ICMP Packet: src = 6.0.0.1, dst = 202.101.0.2
  type = 11, code = 0 (ttl-exceeded)
Original IP: src = 202.101.0.2, dst = 192.168.0.2
  proto = 253, first 8 bytes = 00000000 00000000

Configuration files

#
 ip urpf strict
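The strict uRPF check enabled in the procedure, together with the ECMP restriction from the guidelines, modelled as an added Python example (this is not H3C code; the FIB, interface names and packet list are constructed, and the model assumes the strict check compares the ingress interface against the single next hop selected for the source prefix, which is how legitimate traffic on the other ECMP path gets dropped):

```python
import ipaddress

# Constructed FIB: prefix -> list of next-hop interfaces. The second entry is an
# ECMP route with two equal-cost paths, the case the guidelines warn about.
FIB = [
    ("10.1.0.0/16", ["GE1/0/1"]),
    ("10.2.0.0/16", ["GE1/0/2", "GE1/0/3"]),   # ECMP: two equal-cost paths
]


def lookup(src):
    """Longest-prefix match of a source address against the FIB.
    Returns the route's next-hop interface list, or None if no route exists."""
    addr = ipaddress.ip_address(src)
    best_net, best_ifaces = None, None
    for prefix, ifaces in FIB:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_ifaces = net, ifaces
    return best_ifaces


def urpf_check(src, in_iface, mode="strict"):
    """Return True if a packet from src arriving on in_iface passes uRPF.
    Loose mode only requires that some route back to src exists. Strict mode
    also requires arrival on the interface used to reach src; the model assumes
    a single selected next hop (ifaces[0]), so the second ECMP path is dropped."""
    ifaces = lookup(src)
    if ifaces is None:
        return False            # no route back to the source: treat as spoofed
    if mode == "loose":
        return True
    return in_iface == ifaces[0]


def dropped(packets, mode="strict"):
    """Apply uRPF to constructed (src, in_iface) packets; return those dropped."""
    return [p for p in packets if not urpf_check(p[0], p[1], mode)]


# Constructed sample traffic.
PACKETS = [
    ("10.1.5.9", "GE1/0/1"),      # legitimate: arrives on the route's interface
    ("10.1.5.9", "GE1/0/4"),      # forged source: arrives on the wrong interface
    ("203.0.113.7", "GE1/0/1"),   # no route back to the source at all
    ("10.2.8.1", "GE1/0/2"),      # ECMP path 1: passes the strict check
    ("10.2.8.1", "GE1/0/3"),      # ECMP path 2: mistakenly dropped in strict mode
]

if __name__ == "__main__":
    print({m: dropped(PACKETS, m) for m in ("strict", "loose")})
```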
