Local Attack Defense Configuration

Local attack defense restricts the packets to be sent to the CPU through attack source tracing, TCP/IP attack defense, CAR, application layer association, and management/control plane protection to ensure the device security and normal service processing on the CPU.

Introduction to Local Attack Defense: Local attack defense can protect the CPUs of devices against various attacks.

Configuration Precautions for Local Attack Defense

Configuring Attack Source Tracing: After being configured with attack source tracing, the router saves received attack packets to its memory for attack analysis and defense.

Configuring the Alarm Function for Packet Discarding: You can set the interval for checking the number of discarded packets and the alarm threshold for the packet discarding rate.

Configuring TCP/IP Attack Defense: Defense against TCP/IP attacks protects the CPU of the router against malformed packets, fragmented packets, TCP SYN packets, and UDP packets, ensuring that normal services can be processed.

Configuring Invalid ND Packet Attack Defense

Configuring the CAR: This section describes how to configure the CAR.

Configuring VLAN CAR: When an access device is under attack, you can configure VLAN CAR to restrict the rate at which specific packets are sent to the CPU to protect the CPU against attacks.

Configuring ND VLAN CAR: ND VLAN CAR allows you to limit the rate of ND packets on the attacked interface without affecting other interfaces. This minimizes the impact of attacks on devices and services. After the alarm function is enabled for ND VLAN CAR and the number of ND packets to be sent to the CPU exceeds the threshold configured for ND VLAN CAR, an alarm is reported.

Configuring Interface-based CAR: When an access device is under attack, you can configure interface-based CAR to restrict the rate at which all or specific packets are sent to the CPU to protect the CPU against attacks.

Configuring Host CAR: You can configure host CAR to control the rate at which packets are sent to the CPU.

Configuring Dynamic Link Protection: You can configure dynamic link protection to allow protocol packets used to establish sessions to be preferentially sent to the CPU when the bandwidth is guaranteed.

Configuring the Management Protocol ACL Delivering Function

Configuring the Function of Receiving Broadcast ICMP Echo Request Packets

Configuring Application Layer Association: This section describes how to configure association between the application layer and lower layers.

Configuring Management and Service Plane Protection: This section describes how to configure management and service plane protection. This function allows only specified protocol packets to be sent to CPUs, and reduces malicious packet attacks on these CPUs to ensure that devices work properly.

Configuring Layer 2 Loop Detection: This section describes how to configure Layer 2 loop detection.

Configuring Layer 3 Loop Detection: Layer 3 loop detection reports traps when detecting a routing loop so that you can take rapid measures to ensure proper service running.

Maintaining Local Attack Defense: Before collecting attack defense statistics, delete the existing statistics.

Configuration Examples for Local Attack Defense: This section describes the typical application scenario of local attack defense, including networking requirements, configuration roadmap, and data preparation, and provides related configuration files.