Introduction; Prerequisites - H3C S12500R Series Configuration Examples

Introduction

This document provides configuration examples of link layer attack protection, ARP attack protection,
network layer attack protection, and transport layer attack protection, as defined in
Table 1 Attack protection types
Attack protection types
Link layer attack
protection
ARP attack
protection
Network layer
attack protection
Transport layer
attack protection

Prerequisites

The configuration examples in this document were created and verified in a lab environment, and all
the devices were started with the factory default configuration. When you are working on a live
network, make sure you understand the potential impact of every command on your network.
This document assumes that you have basic knowledge of attack protection.
MAC address attack
protection
STP packet attack protection
ARP source suppression
ARP black hole routing
ARP active
acknowledgement
Source MAC-based ARP
attack detection
ARP packet source MAC
consistency check
uRPF check
TTL attack protection
SYN flood attack protection
Description
Prevents the attack of packets with different source
MAC addresses or VLANs by configuring the
maximum number of MAC addresses that an
interface can learn.
Provides protection measures such as BPDU guard,
root guard, loop guard, and TC-BPDU guard.
Prevents IP attack packets from fixed sources.
Prevents IP attack packets from sources that are not
fixed.
Prevents user spoofing.
Prevents ARP packet attacks from the same source
MAC.
Prevents attacks from ARP packets whose source
MAC address in the Ethernet header is different from
the sender MAC address in the message body.
Protects a network against source spoofing attacks.
Prevents an attack by disabling sending ICMP time
exceeded messages.
Enables the server to return a SYN ACK message
when it receives a TCP connection request, without
establishing a half-open TCP connection.
1
Table 1.