H3C S12500R Series Скачать руководство пользователя страница 12 | Manualshive

Страница: 12 / 13

H3C S12500R Series Скачать руководство пользователя страница 12

10

#

Example: Configuring transport layer
attack protection

Network configuration

As shown in

, the device is the gateway for the internal network. Configure SYN Cookie

protection on the device to protect against SYN flood attacks. With this feature enabled, the device
responds to a SYN packet with a SYN ACK packet without establishing a TCP semi-connection. The
device establishes a TCP connection only when it receives an ACK packet from the sender.

Figure 4 Network diagram

Software versions used

This configuration example was created and verified on Release 3606.

By default, interfaces on the device are disabled (in

ADM

or

Administratively Down

state). To have

an interface operate, you must use the

undo shutdown

command to enable that interface.

Procedures

# Specify IP addresses for interfaces. (Details not shown.)

# Enable SYN Cookie.

<Device> system-view

[Device] tcp syn-cookie enable

Verifying the configuration

# Verify that the device does not have any TCP semi-connections. The state "SYN_RECEIVED"
represents semi-connections.

[Device] display tcp

*: TCP connection with authentication

Local Addr:port Foreign Addr:port State Slot PCB

0.0.0.0:21 0.0.0.0:0 LISTEN 1 0xffffffffffffff9

d

0.0.0.0:23 0.0.0.0:0 LISTEN 1 0xffffffffffffff9

f

192.168.2.88:23 192.168.2.79:2197 ESTABLISHED 1 0xffffffffffffffa

3

192.168.2.88:23 192.168.2.89:2710 ESTABLISHED 1 0xffffffffffffffa

2

Network

Device

Switch

«
...
10
11
12
13
»

Содержание S12500R Series

Страница 1: ... manual may be reproduced or transmitted in any form or by any means without prior written consent of New H3C Technologies Co Ltd Except for the trademarks of New H3C Technologies Co Ltd any trademarks that may be mentioned in this document are the property of their respective owners The information in this document is subject to change without notice ...

Страница 2: ... ARP attack protection 6 Network configuration 6 Software versions used 7 Procedures 7 Verifying the configuration 7 Configuration files 8 Example Configuring network layer attack protection 8 Network configuration 8 Software versions used 8 Restrictions and guidelines 9 Procedures 9 Verifying the configuration 9 Configuration files 9 Example Configuring transport layer attack protection 10 Networ...

Страница 3: ...ng Source MAC based ARP attack detection Prevents ARP packet attacks from the same source MAC ARP packet source MAC consistency check Prevents attacks from ARP packets whose source MAC address in the Ethernet header is different from the sender MAC address in the message body Network layer attack protection uRPF check Protects a network against source spoofing attacks TTL attack protection Prevent...

Страница 4: ... at the access side of Device A and Device C The BPDU guard feature prevents the ports from performing spanning tree calculations when it receives forged BPDUs with a higher priority Enable TC BPDU guard on Device A Device B and Device C The TC BPDU guard feature prevents a large number of TC BPDUs from affecting the network in a short time Configure broadcast and multicast suppression on the desi...

Страница 5: ...dministratively Down state To have an interface operate you must use the undo shutdown command to enable that interface Procedures Configuring Device B Specify IP addresses for interfaces Details not shown Configure root guard on HundredGigE 1 0 1 and HundredGigE 1 0 2 DeviceB system view DeviceB interface range hundredgige 1 0 1 to hundredgige 1 0 2 DeviceB if range port link mode bridge DeviceB ...

Страница 6: ...terfaces Details not shown Configure each interface to operate in Later 2 mode DeviceC system view DeviceC interface range hundredgige 1 0 1 to hundredgige 1 0 3 DeviceC if range port link mode bridge DeviceC if range quit Configure STP BPDU guard DeviceC stp bpdu protection Configure HundredGigE 1 0 3 as an edge port DeviceC interface hundredgige 1 0 3 DeviceC HundredGigE1 0 3 stp edged port Devi...

Страница 7: ... flooded after a large number of broadcasts are sent to the edge ports on device A and Device C Details not shown Configuration files Device A stp bpdu protection stp tc protection threshold 10 interface HundredGigE 1 0 1 port link mode bridge broadcast suppression pps 6400 multicast suppression pps 6400 interface HundredGigE 1 0 2 port link mode bridge broadcast suppression pps 6400 multicast sup...

Страница 8: ...dredGigE 1 0 2 port link mode bridge stp loop protection broadcast suppression pps 6400 multicast suppression pps 6400 interface HundredGigE 1 0 3 port link mode bridge stp edged port broadcast suppression pps 6400 multicast suppression pps 6400 Example Configuring ARP attack protection Network configuration As shown in Figure 2 the device is the gateway for the internal network Configure ARP atta...

Страница 9: ... packet attacks Device arp resolving route enable Enable ARP active acknowledgment to prevent user spoofing Device arp active ack enable Configure source MAC based ARP attack detection to prevent ARP packet attacks from the same source MAC Device arp source mac filter Device arp source mac threshold 25 Enable ARP packet source MAC address consistency check to prevent attacks from ARP packets with ...

Страница 10: ...alid check enable arp source mac filter arp source mac threshold 25 arp active ack enable arp source suppression enable arp source suppression limit 8 Example Configuring network layer attack protection Network configuration As shown in Figure 3 Device A is the gateway for the internal network To protect Device A against IP packet attacks from internal and external networks configure the following...

Страница 11: ...Device A can filter out packets with forged source IP addresses Details not shown Verify the uRPF configuration DeviceA display ip urpf Global uRPF configuration information Check type strict 2 Verify that TTL attack protection functions on Device A Enable ICMP debugging by executing the debugging ip icmp command on Device A Details not shown Use a PC to send packets in which the TTL is 1 to Devic...

Страница 12: ... on the device are disabled in ADM or Administratively Down state To have an interface operate you must use the undo shutdown command to enable that interface Procedures Specify IP addresses for interfaces Details not shown Enable SYN Cookie Device system view Device tcp syn cookie enable Verifying the configuration Verify that the device does not have any TCP semi connections The state SYN_RECEIV...

Страница 13: ...Command Reference R3606 H3C S12500R Switch Router Series Layer 2 LAN Switching Configuration Guide R3606 H3C S12500R Switch Router Series Layer 3 IP Services Command Reference R3606 H3C S12500R Switch Router Series Layer 3 IP Services Configuration Guide R3606 H3C S12500R Switch Router Series Security Command Reference R3606 H3C S12500R Switch Router Series Security Configuration Guide R3606 ...

Отзывы:

Нет отзывов

Бренды по названию

0 1 2 3 4 5 6 7 8 9 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Популярные бренды

Загрузить еще бренды