1
Introduction
This document provides configuration examples of link layer attack protection, ARP attack protection,
network layer attack protection, and transport layer attack protection, as defined in
Table 1 Attack protection types
Attack protection types
Description
Link layer attack
protection
MAC address attack
protection
Prevents the attack of packets with different source
MAC addresses or VLANs by configuring the
maximum number of MAC addresses that an
interface can learn.
STP packet attack protection
Provides protection measures such as BPDU guard,
root guard, loop guard, and TC-BPDU guard.
ARP attack
protection
ARP source suppression
Prevents IP attack packets from fixed sources.
ARP black hole routing
Prevents IP attack packets from sources that are not
fixed.
ARP active
acknowledgement
Prevents user spoofing.
Source MAC-based ARP
attack detection
Prevents ARP packet attacks from the same source
MAC.
ARP packet source MAC
consistency check
Prevents attacks from ARP packets whose source
MAC address in the Ethernet header is different from
the sender MAC address in the message body.
Network layer
attack protection
uRPF check
Protects a network against source spoofing attacks.
TTL attack protection
Prevents an attack by disabling sending ICMP time
exceeded messages.
Transport layer
attack protection
SYN flood attack protection
Enables the server to return a SYN ACK message
when it receives a TCP connection request, without
establishing a half-open TCP connection.
Prerequisites
The configuration examples in this document were created and verified in a lab environment, and all
the devices were started with the factory default configuration. When you are working on a live
network, make sure you understand the potential impact of every command on your network.
This document assumes that you have basic knowledge of attack protection.
