R0106-HP MSR Router Series Security Configuration Guide(V7)
2. (Optional.) Specify an IP address to be protected by the TCP client verification function.
   Command: client-verify tcp protected { ip destination-ip-address | ipv6 destination-ipv6-address } [ vpn-instance vpn-instance-name ] [ port port-number ]
   Remarks: By default, the TCP client verification function does not protect any IP address.
3. Enter Layer 3 interface view.
   Command: interface interface-type interface-number
   Remarks: N/A
4. Enable TCP client verification on the interface.
   Command:
   • To set the safe reset mode: client-verify tcp enable mode safe-reset
   • To set the SYN cookie mode: client-verify tcp enable [ mode syn-cookie ]
   Remarks: By default, TCP client verification is disabled on the interface.
Configuring DNS client verification
Configure DNS client verification on the interface that connects to the external network. DNS client
verification protects internal DNS servers against DNS flood attacks.
IP addresses protected by DNS client verification can be manually added or automatically learned:
• You can manually add protected IP addresses. The device performs client verification when it
receives the first DNS query destined for a protected IP address.
• The DNS client verification can automatically add victims' IP addresses to the protected IP list when
collaborating with DNS flood attack detection. Make sure client-verify is specified as the DNS
flood attack prevention action. For more information, see "Configuring a DNS flood attack defense
policy."
If a DNS client is verified as legitimate, the device adds the client's IP address to the trusted IP list. The device
directly forwards DNS packets from trusted IP addresses.
To configure DNS client verification:
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. (Optional.) Specify an IP address to be protected by the DNS client verification function.
   Command: client-verify dns protected { ip destination-ip-address | ipv6 destination-ipv6-address } [ vpn-instance vpn-instance-name ] [ port port-number ]
   Remarks: By default, the DNS client verification function does not protect any IP address.
3. Enter Layer 3 interface view.
   Command: interface interface-type interface-number
   Remarks: N/A
4. Enable DNS client verification on the interface.
   Command: client-verify dns enable
   Remarks: By default, DNS client verification is disabled on the interface.
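The DNS procedure above as one CLI session, followed by a check of the resulting lists. This is an added example, not part of the original guide. The device name Sysname, the server addresses 192.0.2.53 and 2001:db8::53, port 53 and the interface GigabitEthernet 1/0/1 are constructed values, lines starting with # are annotations rather than commands, and the two display commands are Comware 7 commands that do not appear in this section.

```comware
# Assumed topology (constructed): internal DNS servers at 192.0.2.53 and
# 2001:db8::53, external network reached through GigabitEthernet 1/0/1.

# Step 1: enter system view.
<Sysname> system-view

# Step 2: manually add the DNS servers to the protected IP list.
# Restricting the entry to port 53 limits verification to DNS traffic.
[Sysname] client-verify dns protected ip 192.0.2.53 port 53
[Sysname] client-verify dns protected ipv6 2001:db8::53 port 53

# Step 3: enter the view of the Layer 3 interface that faces the
# external network (interface name is an assumption).
[Sysname] interface gigabitethernet 1/0/1

# Step 4: enable DNS client verification on that interface.
# Without this command the protected entries above have no effect,
# because verification is disabled on interfaces by default.
[Sysname-GigabitEthernet1/0/1] client-verify dns enable
[Sysname-GigabitEthernet1/0/1] quit

# Check: confirm both servers are in the protected IP list.
[Sysname] display client-verify dns protected ip
[Sysname] display client-verify dns protected ipv6

# Check: after real clients have queried the servers, verified clients
# should appear in the trusted IP list and be forwarded directly.
[Sysname] display client-verify dns trusted ip
```

If the protected list is to be populated automatically instead of by step 2, the DNS flood attack defense policy must use client-verify as its action, as the section states.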