Home » TP-Link Manuals » Hubs & Switches » TP-Link T1500-28TC TL-SL2428 » Manual Viewer

TP-Link T1500-28TC TL-SL2428 T1500-28TCUN V1 Configuration Guide - Page 442

An Operation System with bugs cannot process the URG Urgent Pointer of TCP

View all TP-Link T1500-28TC TL-SL2428 manuals

Add to My Manuals
Save this manual to your list of manuals

Page 442 highlights

Configuring Network Security DoS Defend Configuration Step 3 Step 4 ip dos-prevent type { land | scan-synfin | xma-scan | null-scan | port-less-1024 | blat | pingflood | syn-flood | win-nuke | smurf | ping-of-death } Configure one or more defend types according to your needs. The types of DoS attack are introduced as follows. land: The attacker sends a specific fake SYN (synchronous) packet to the destination host. Because both the source IP address and the destination IP address of the SYN packet are set to be the IP address of the host, the host will be trapped in an endless circle of building the initial connection. scan-synfin: The attacker sends the packet with its SYN field and the FIN field set to 1. The SYN field is used to request initial connection whereas the FIN field is used to request disconnection. Therefore, a packet of this type is illegal. xma-scan: The attacker sends the illegal packet with its TCP index, FIN, URG and PSH field set to 1. null-scan: The attacker sends the illegal packet with its TCP index and all the control fields set to 0. During the TCP connection and data transmission, the packets with all the control fields set to 0 are considered as the illegal packets. port-less-1024: The attacker sends the illegal packet with its TCP SYN field set to 1 and source port smaller than 1024. blat: The attacker sends the illegal packet with the same source port and destination port on Layer 4 and with its URG field set to 1. Similar to the Land Attack, the system performance of the attacked host is reduced because the Host circularly attempts to build a connection with the attacker. ping-flood: The attacker floods the destination system with Ping packets, creating a broadcast storm that makes it impossible for system to respond to legal communication. syn-flood: The attacker uses a fake IP address to send TCP request packets to the server. Upon receiving the request packets, the server responds with SYN-ACK packets. Since the IP address is fake, no response will be returned. The server will keep on sending SYN-ACK packets. If the attacker sends overflowing fake request packets, the network resource will be occupied maliciously and the requests of the legal clients will be denied. win-nuke: An Operation System with bugs cannot process the URG (Urgent Pointer) of TCP packets. If the attacker sends TCP packets to port139 (NetBIOS) of the host with Operation System bugs, it will cause blue screen. smurf: The Smurf attack is a distributed denial-of-service attack in which large numbers of Internet Control Message Protocol (ICMP) packets with the intended victim's spoofed source IP are broadcast to a computer network using an IP broadcast address. Most devices on a network will, by default, respond to this by sending a reply to the source IP address. As a result, the victim's computer will be flooded with traffic and cannot work normally. ping-of-death: The attacker sends abnormal ping packets larger than 65535 bytes to cause system crash on the target computer. show ip dos-prevent Verify the Dos Defend configuration. Configuration Guide 421

Section	Page
About This Guide	22
Intended Readers	22
Conventions	22
More Information	23
Accessing the Switch	24
Overview	25
Web Interface Access	26
Login	26
Save Config Function	27
Disable the Web Server	28
Configure the Switch's IP Address and Default Gateway	28
Command Line Interface Access	30
Console Login (only for switch with console port)	30
Telnet Login	32
SSH Login	33
Disable Telnet login	37
Disable SSH login	38
Copy running-config startup-config	38
Change the Switch's IP Address and Default Gateway	39
Managing System	40
System	41
Overview	41
Supported Features	41
System Info Configurations	43
Using the GUI	43
Viewing the System Summary	43
Specifying the Device Description	45
Setting the System Time	46
Setting the Daylight Saving Time	47
Specifying the System IP	48
Using the CLI	49
Viewing the System Summary	49
Specifying the Device Description	50
Setting the System Time	51
Setting the Daylight Saving Time	54
Specifying the System IP	56
User Management Configurations	59
Using the GUI	59
Creating Admin Accounts	59
Creating Accounts of Other Types	60
Using the CLI	62
Creating Admin Accounts	62
Creating Accounts of Other Types	63
System Tools Configurations	67
Using the GUI	67
Configuring the Boot File	67
Restoring the Configuration of the Switch	68
Backing up the Configuration File	69
Upgrading the Firmware	69
Rebooting the switch	70
Reseting the Switch	70
Using the CLI	71
Configuring the Boot File	71
Restoring the Configuration of the Switch	71
Backing up the Configuration File	72
Upgrading the firmware	73
Rebooting the switch	73
Reseting the Switch	73
Access Security Configurations	75
Using the GUI	75
Configuring the Access Control Feature	75
Configuring the HTTP Function	77
Configuring the HTTPS Function	78
Configuring the SSH Feature	80
Enabling the Telnet Function	81
Using the CLI	81
Configuring the Access Control	81
Configuring the HTTP Function	83
Configuring the HTTPS Function	84
Configuring the SSH Feature	87
Enabling the Telnet Function	89
Appendix: Default Parameters	90
Managing Physical Interfaces	93
Physical Interface	94
Overview	94
Supported Features	94
Basic Parameters Configurations	95
Using the GUI	95
Using the CLI	96
Port Mirror Configuration	99
Using the GUI	99
Using the CLI	101
Port Security Configuration	103
Using the GUI	103
Using the CLI	104
Port Isolation Configurations	106
Using the GUI	106
Using the CLI	107
Loopback Detection Configuration	109
Using the GUI	109
Using the CLI	110
Configuration Examples	113
Example for Port Mirror	113
Network Requirements	113
Configuration Scheme	113
Using the GUI	113
Using the CLI	115
Example for Port Isolation	115
Network Requirements	115
Configuration Scheme	116
Using the GUI	116
Using the CLI	117
Example for Loopback Detection	118
Network Requirements	118
Configuration Scheme	118
Using the GUI	118
Using the CLI	119
Appendix: Default Parameters	121
Configuring LAG	123
LAG	124
Overview	124
Supported Features	124
LAG Configuration	125
Using the GUI	126
Configuring Load-balancing Algorithm	126
Configuring Static LAG or LACP	127
Using the CLI	129
Configuring Load-balancing Algorithm	129
Configuring Static LAG or LACP	130
Configuration Example	134
Network Requirements	134
Configuration Scheme	134
Using the GUI	135
Using the CLI	136
Appendix: Default Parameters	138
Monitoring Traffic	139
Traffic Monitor	140
Using the GUI	140
Viewing the Traffic Summary	140
Viewing the Traffic Statistics in Detail	141
Using the CLI	143
Appendix: Default Parameters	144
Managing MAC Address Table	145
MAC Address Table	146
Overview	146
Supported Features	146
Address Configurations	147
Using the GUI	147
Adding Static MAC Address Entries	147
Modifying the Aging Time of Dynamic Address Entries	149
Adding MAC Filtering Address Entries	150
Viewing Address Table Entries	150
Using the CLI	151
Adding Static MAC Address Entries	151
Modifying the Aging Time of Dynamic Address Entries	152
Adding MAC Filtering Address Entries	153
Appendix: Default Parameters	155
Configuring 802.1Q VLAN	156
Overview	157
802.1Q VLAN Configuration	158
Using the GUI	158
Configuring the PVID of the Port	158
Configuring the VLAN	159
Using the CLI	160
Creating a VLAN	160
Configuring the PVID of the Port	161
Adding the Port to the Specified VLAN	162
Configuration Example	164
Network Requirements	164
Configuration Scheme	164
Network Topology	165
Using the GUI	165
Using the CLI	167
Appendix: Default Parameters	169
Configuring Spanning Tree	170
Spanning Tree	171
Overview	171
Basic Concepts	171
STP/RSTP Concepts	171
MSTP Concepts	175
STP Security	176
STP/RSTP Configurations	179
Using the GUI	179
Configuring STP/RSTP Parameters on Ports	179
Configuring STP/RSTP Globally	181
Verifying the STP/RSTP Configurations	183
Using the CLI	184
Configuring STP/RSTP Parameters on Ports	184
Configuring Global STP/RSTP Parameters	186
Enabling STP/RSTP Globally	187
MSTP Configurations	189
Using the GUI	189
Configuring Parameters on Ports in CIST	189
Configuring the MSTP Region	191
Configuring MSTP Globally	196
Verifying the MSTP Configurations	198
Using the CLI	199
Configuring Parameters on Ports in CIST	199
Configuring the MSTP Region	201
Configuring Global MSTP Parameters	204
Enabling Spanning Tree Globally	206
STP Security Configurations	209
Using the GUI	209
Configuring the STP Security	209
Using the CLI	210
Configuring the STP Security	210
Configuration Example for MSTP	213
Network Requirements	213
Configuration Scheme	213
Using the GUI	214
Using the CLI	225
Appendix: Default Parameters	232
Configuring Layer 2 Multicast	236
Layer 2 Multicast	237
Overview	237
Supported Layer 2 Multicast Protocols	238
IGMP Snooping Configurations	239
Using the GUI	239
Configuring IGMP Snooping Globally	239
Enabling IGMP Snooping Globally	239
(Optional) Configuring Unknown Multicast	239
(Optional) Configuring Report Message Suppression	240
Configuring Router Port Time and Member Port Time	240
Configuring IGMP Snooping Last Listener Query	240
Verifying IGMP Snooping Status	241
Configuring the Port’s Basic IGMP Snooping Features	242
Enabling IGMP Snooping on the Port	242
(Optional) Configuring Fast Leave	242
Configuring IGMP Snooping in the VLAN	243
Configuring IGMP Snooping Globally in the VLAN	243
(Optional) Configuring the Static Router Ports in the VLAN	244
(Optional) Configuring the Forbidden Router Ports in the VLAN	244
Configuring the Multicast VLAN	244
Creating Multicast VLAN and Configuring Basic Settings	245
(Optional) Creating Replace Source IP	246
Viewing Dynamic Router Ports in the Multicast VLAN	246
(Optional) Configuring the Static Router Ports	246
(Optional) Configuring the Forbidden Router Ports	246
(Optional) Configuring the Querier	247
Configuring the Querier	247
Viewing Settings of IGMP Querier	248
Configuring IGMP Profile	248
Creating Profile	248
Searching Profile	248
Editing IP Range of the Profile	249
Binding Profile and Member Ports	249
Binding Profile and Member Ports	250
Configuring Max Groups a Port Can Join	250
Viewing IGMP Statistics on Each Port	251
Configuring Auto Refresh	251
Viewing IGMP Statistics	252
Configuring Static Member Port	252
Configuring Static Member Port	252
Viewing IGMP Static Multicast Groups	253
Using the CLI	253
Enabling IGMP Snooping Globally	253
Enabling IGMP Snooping on the Port	253
Configuring IGMP Snooping Parameters Globally	255
Configuring Report Message Suppression	255
Configuring Unknown Multicast	256
Configuring IGMP Snooping Parameters on the Port	257
Configuring Router Port Time and Member Port Time	257
Configuring Fast Leave	258
Configuring Max Group and Overflow Action on the Port	259
Configuring IGMP Snooping Last Listener Query	260
Configuring IGMP Snooping Parameters in the VLAN	261
Configuring Router Port Time and Member Port Time	261
Configuring Static Router Port	262
Configuring Forbidden Router Port	263
Configuring Static Multicast (Multicast IP and Forward Port)	264
Configuring IGMP Snooping Parameters in the Multicast VLAN	265
Configuring Router Port Time and Member Port Time	265
Configuring Static Router Port	266
Configuring Forbidden Router Port	267
Configuring Replace Source IP	268
Configuring the Querier	269
Enabling IGMP Querier	269
Configuring Query Interval, Max Response Time and General Query Source IP	269
Configuring Multicast Filtering	271
Creating Profile	271
Binding Profile to the Port	272
Viewing Multicast Snooping Configurations	274
Using the GUI	274
Viewing IPv4 Multicast Snooping Configurations	274
Using the CLI	274
Viewing IPv4 Multicast Snooping Configurations	274
Configuration Examples	276
Example for Configuring Basic IGMP Snooping	276
Network Requirements	276
Configuration Scheme	276
Using the GUI	277
Using the CLI	280
Example for Configuring Multicast VLAN	282
Network Requirements	282
Configuration Scheme	282
Network Topology	282
Using the GUI	283
Using the CLI	286
Example for Configuring Unknown Multicast and Fast Leave	288
Network Requirement	288
Configuration Scheme	289
Using the GUI	289
Using the CLI	292
Example for Configuring Multicast Filtering	293
Network Requirements	293
Configuration Scheme	293
Network Topology	293
Using the GUI	294
Using the CLI	301
Appendix: Default Parameters	304
Default Parameters for IGMP Snooping	304
Configuring QoS	305
QoS	306
Overview	306
Supported Features	306
DiffServ Configuration	307
Using the GUI	308
Configuring Priority Mode	308
Configuring Schedule Mode	310
Using CLI	311
Configuring Priority Mode	311
Configuring Schedule Mode	315
Bandwidth Control Configuration	317
Using the GUI	317
Configuring Rate Limit	317
Configuring Storm Control	318
Using the CLI	319
Configuring Rate Limit on Port	319
Configuring Storm Control	320
Configuration Examples	322
Example for Configuring SP Mode	322
Network Requirements	322
Configuration Scheme	322
Using the GUI	323
Using the CLI	323
Example for Configuring WRR Mode	324
Network Requirements	324
Configuration Scheme	325
Using the GUI	325
Using the CLI	334
Appendix: Default Parameters	338
Configuring Voice VLAN	339
Overview	340
Voice VLAN Configuration	342
Using the GUI	343
(Optional) Configuring OUI Addresses	343
Configuring Voice VLAN Globally	344
Configuring Voice VLAN Mode on Ports	345
Using the CLI	346
Configuration Example	349
Network Requirements	349
Configuration Scheme	349
Network Topology	349
Using the GUI	350
Using the CLI	358
Appendix: Default Parameters	362
Configuring PoE	363
PoE	364
Overview	364
Supported Features	364
PoE Power Management Configurations	365
Using the GUI	365
Configuring the PoE Parameters Manually	365
Configuring the PoE Parameters Using the Profile	367
Using the CLI	369
Configuring the PoE Parameters Manually	369
Configuring the PoE Parameters Using the Profile	371
Time-Range Function Configurations	373
Using the GUI	373
Creating a Time-Range	373
Configuring the Holiday Parameters	375
Viewing the Time-Range Table	375
Using the CLI	376
Configuring a Time-Range	376
Configuring the Holiday Parameters	378
Viewing the Time-Range Table	379
Example for PoE Configurations	380
Network Requirements	380
Configuring Scheme	380
Using the GUI	380
Using the CLI	382
Appendix: Default Parameters	384
Configuring ACL	385
ACL	386
Overview	386
Supported Features	386
ACL Configurations	387
Using the GUI	387
Creating an ACL	387
Configuring ACL Rules	388
Configuring Policy	391
Configuring the ACL Binding and Policy Binding	392
Using the CLI	397
Configuring ACL	397
Configuring Policy	401
ACL Binding and Policy Binding	402
Configuration Example for ACL	405
Network Requirements	405
Network Topology	405
Configuration Scheme	405
Using the GUI	406
Using the CLI	410
Appendix: Default Parameters	412
Configuring Network Security	413
Network Security	414
Overview	414
Supported Features	414
IP-MAC Binding Configurations	418
Using the GUI	418
Binding Entries Manually	418
Binding Entries Dynamically	419
Viewing the Binding Entries	421
Using the CLI	422
Binding Entries Manually	422
Viewing Binding Entries	424
DHCP Snooping Configuration	425
Using the GUI	425
Enabling DHCP Snooping on VLAN	425
Configuring DHCP Snooping on Ports	426
(Optional) Configuring Option 82	427
Using the CLI	428
Enabling DHCP Snooping on VLAN	428
Configuring DHCP Snooping on Ports	429
(Optional) Configuring Option 82	431
ARP Inspection Configurations	433
Using the GUI	433
Configuring ARP Detection	433
Configuring ARP Defend	434
Viewing ARP Statistics	435
Using the CLI	437
Configuring ARP Detection	437
Configuring ARP Defend	438
Viewing ARP Statistics	439
DoS Defend Configuration	440
Using the GUI	440
Using the CLI	441
802.1X Configuration	444
Using the GUI	444
Configuring the RADIUS Server	444
Configuring 802.1X Globally	448
Configuring 802.1X on Ports	450
Using the CLI	451
Configuring the RADIUS Server	451
Configuring 802.1X Globally	453
Configuring 802.1X on Ports	455
AAA Configuration	458
Using the GUI	459
Globally Enabling AAA	459
Adding Servers	459
Configuring Server Groups	461
Configuring the Method List	462
Configuring the AAA Application List	463
Configuring Login Account and Enable Password	464
Using the CLI	465
Globally Enabling AAA	465
Adding Servers	465
Configuring Server Groups	468
Configuring the Method List	469
Configuring the AAA Application List	470
Configuring Login Account and Enable Password	475
Configuration Examples	477
Example for DHCP Snooping and ARP Detection	477
Network Requirements	477
Configuration Scheme	477
Using the GUI	478
Using the CLI	481
Example for 802.1X	483
Network Requirements	483
Configuration Scheme	483
Network Topology	484
Using the GUI	484
Using the CLI	487
Example for AAA	489
Network Requirements	489
Configuration Scheme	490
Using the GUI	490
Using the CLI	493
Appendix: Default Parameters	496
Configuring SNMP & RMON	503
SNMP Overview	504
SNMP Configurations	505
Using the GUI	506
Enabling SNMP	506
Creating an SNMP View	506
Creating an SNMP Group	507
Creating SNMP Users	509
Creating SNMP Communities	510
Using the CLI	511
Enabling SNMP	511
Creating an SNMP View	513
Creating an SNMP Group	514
Creating SNMP Users	516
Creating SNMP Communities	517
Notification Configurations	519
Using the GUI	519
Using the CLI	521
Configuring the Host	521
Enabling SNMP Notification	522
RMON Overview	526
RMON Configurations	527
Using the GUI	527
Configuring Statistics	527
Configuring History	528
Configuring Event	529
Configuring Alarm	530
Using the CLI	532
Configuring Statistics	532
Configuring History	533
Configuring Event	534
Configuring Alarm	536

Match case Limit results 1 per page

Configuration Guide

421

Configuring Network Security

DoS Defend Configuration

Step 3

ip dos-prevent type {

flood | syn-flood | win-nuke | smurf | ping-of-death

}

Configure one or more defend types according to your needs. The types of DoS attack are

introduced as follows.

land:

The attacker sends a speciﬁc fake SYN (synchronous) packet to the destination host.

Because both the source IP address and the destination IP address of the SYN packet are

set to be the IP address of the host, the host will be trapped in an endless circle of building

the initial connection.

scan-synfin:

The attacker sends the packet with its SYN field and the FIN field set to 1.

The SYN ﬁeld is used to request initial connection whereas the FIN ﬁeld is used to request

disconnection. Therefore, a packet of this type is illegal.

xma-scan:

The attacker sends the illegal packet with its TCP index, FIN, URG and PSH ﬁeld

set to 1.

null-scan:

The attacker sends the illegal packet with its TCP index and all the control ﬁelds

set to 0. During the TCP connection and data transmission, the packets with all the control

ﬁelds set to 0 are considered as the illegal packets.

port-less-1024:

The attacker sends the illegal packet with its TCP SYN field set to 1 and

source port smaller than 1024.

blat:

The attacker sends the illegal packet with the same source port and destination port on

Layer 4 and with its URG ﬁeld set to 1. Similar to the Land Attack, the system performance

of the attacked host is reduced because the Host circularly attempts to build a connection

with the attacker.

ping-flood:

The attacker floods the destination system with Ping packets, creating a

broadcast storm that makes it impossible for system to respond to legal communication.

syn-flood:

The attacker uses a fake IP address to send TCP request packets to the server.

Upon receiving the request packets, the server responds with SYN-ACK packets. Since the

IP address is fake, no response will be returned. The server will keep on sending SYN-ACK

packets. If the attacker sends overﬂowing fake request packets, the network resource will

be occupied maliciously and the requests of the legal clients will be denied.

win-nuke:

An Operation System with bugs cannot process the URG (Urgent Pointer) of TCP

packets. If the attacker sends TCP packets to port139 (NetBIOS) of the host with Operation

System bugs, it will cause blue screen.

smurf:

The Smurf attack is a distributed denial-of-service attack in which large numbers

of Internet Control Message Protocol (ICMP) packets with the intended victim’s spoofed

source IP are broadcast to a computer network using an IP broadcast address. Most

devices on a network will, by default, respond to this by sending a reply to the source IP

address. As a result, the victim’s computer will be flooded with traffic and cannot work

normally.

ping-of-death:

The attacker sends abnormal ping packets larger than 65535 bytes to cause

system crash on the target computer.

Step 4

show ip dos-prevent

Verify the Dos Defend configuration.