Home » TP-Link Manuals » Hubs & Switches » TP-Link T1600G-18TSTL-SG2216 » Manual Viewer

TP-Link T1600G-18TSTL-SG2216 T1600G-18TSUN V1 Configuration Guide - Page 592

An Operation System with bugs cannot process the URG Urgent Pointer of TCP

View all TP-Link T1600G-18TSTL-SG2216 manuals

Add to My Manuals
Save this manual to your list of manuals

Page 592 highlights

Configuring Network Security DoS Defend Configuration Step 3 Step 4 ip dos-prevent type { land | scan-synfin | xma-scan | null-scan | port-less-1024 | blat | pingflood | syn-flood | win-nuke | smurf | ping-of-death } Configure one or more defend types according to your needs. The types of DoS attack are introduced as follows. land: The attacker sends a specific fake SYN (synchronous) packet to the destination host. Because both the source IP address and the destination IP address of the SYN packet are set to be the IP address of the host, the host will be trapped in an endless circle of building the initial connection. scan-synfin: The attacker sends the packet with its SYN field and the FIN field set to 1. The SYN field is used to request initial connection whereas the FIN field is used to request disconnection. Therefore, a packet of this type is illegal. xma-scan: The attacker sends the illegal packet with its TCP index, FIN, URG and PSH field set to 1. null-scan: The attacker sends the illegal packet with its TCP index and all the control fields set to 0. During the TCP connection and data transmission, the packets with all the control fields set to 0 are considered as the illegal packets. port-less-1024: The attacker sends the illegal packet with its TCP SYN field set to 1 and source port smaller than 1024. blat: The attacker sends the illegal packet with the same source port and destination port on Layer 4 and with its URG field set to 1. Similar to the Land Attack, the system performance of the attacked host is reduced because the Host circularly attempts to build a connection with the attacker. ping-flood: The attacker floods the destination system with Ping packets, creating a broadcast storm that makes it impossible for system to respond to legal communication. syn-flood: The attacker uses a fake IP address to send TCP request packets to the server. Upon receiving the request packets, the server responds with SYN-ACK packets. Since the IP address is fake, no response will be returned. The server will keep on sending SYN-ACK packets. If the attacker sends overflowing fake request packets, the network resource will be occupied maliciously and the requests of the legal clients will be denied. win-nuke: An Operation System with bugs cannot process the URG (Urgent Pointer) of TCP packets. If the attacker sends TCP packets to port139 (NetBIOS) of the host with Operation System bugs, it will cause blue screen. smurf: The attacker broadcasts large numbers of Internet Control Message Protocol (ICMP) packets with the intended victim's spoofed source IP to a computer network using an IP broadcast address. Most devices on a network will respond to this by sending a reply to the source IP address. If the number of devices on the network that receive and respond to these packets is very large, the victim's host will be flooded with traffic, which can slow down the victim's host and cause the host impossible to work on. ping-of-death: The attacker sends an improperly large Internet Control Message Protocol (ICMP) echo request packet, or a ping packet, with the purpose of overflowing the input buffers of the destination host and causing the host to crash. show ip dos-prevent Verify the Dos Defend configuration. Configuration Guide 569

Section	Page
About This Guide	24
Intended Readers	24
Conventions	24
More Information	25
Accessing the Switch	26
Overview	27
Web Interface Access	28
Login	28
Save Config Function	29
Disable the Web Server	30
Configure the Switch's IP Address and Default Gateway	31
Command Line Interface Access	34
Console Login (only for switch with console port)	34
Telnet Login	36
SSH Login	37
Disable Telnet login	41
Disable SSH login	42
Copy running-config startup-config	42
Change the Switch's IP Address and Default Gateway	43
Managing System	44
System	45
Overview	45
Supported Features	45
System Info Configurations	47
Using the GUI	47
Viewing the System Summary	47
Specifying the Device Description	49
Setting the System Time	49
Setting the Daylight Saving Time	51
Using the CLI	52
Viewing the System Summary	52
Specifying the Device Description	53
Setting the System Time	54
Setting the Daylight Saving Time	57
User Management Configurations	60
Using the GUI	60
Creating Admin Accounts	60
Creating Accounts of Other Types	61
Using the CLI	63
Creating Admin Accounts	63
Creating Accounts of Other Types	64
System Tools Configurations	68
Using the GUI	68
Configuring the Boot File	68
Restoring the Configuration of the Switch	69
Backing up the Configuration File	70
Upgrading the Firmware	70
Rebooting the switch	71
Configuring the Reboot Schedule	71
Reseting the Switch	72
Using the CLI	72
Configuring the Boot File	72
Restoring the Configuration of the Switch	73
Backing up the Configuration File	74
Upgrading the firmware	74
Rebooting the switch	75
Configuring the Reboot Schedule	75
Reseting the Switch	77
Access Security Configurations	78
Using the GUI	78
Configuring the Access Control Feature	78
Configuring the HTTP Function	80
Configuring the HTTPS Function	81
Configuring the SSH Feature	83
Enabling the Telnet Function	84
Using the CLI	84
Configuring the Access Control	84
Configuring the HTTP Function	86
Configuring the HTTPS Function	87
Configuring the SSH Feature	89
Enabling the Telnet Function	92
SDM Template Configuration	93
Using the GUI	93
Using the CLI	94
Appendix: Default Parameters	96
Managing Physical Interfaces	99
Physical Interface	100
Overview	100
Supported Features	100
Basic Parameters Configurations	101
Using the GUI	101
Using the CLI	102
Port Mirror Configuration	105
Using the GUI	105
Using the CLI	107
Port Security Configuration	109
Using the GUI	109
Using the CLI	110
Port Isolation Configurations	113
Using the GUI	113
Using the CLI	114
Loopback Detection Configuration	116
Using the GUI	116
Using the CLI	117
Configuration Examples	120
Example for Port Mirror	120
Network Requirements	120
Configuration Scheme	120
Using the GUI	120
Using the CLI	122
Example for Port Isolation	122
Network Requirements	122
Configuration Scheme	123
Using the GUI	123
Using the CLI	124
Example for Loopback Detection	125
Network Requirements	125
Configuration Scheme	125
Using the GUI	125
Using the CLI	126
Appendix: Default Parameters	128
Configuring LAG	130
LAG	131
Overview	131
Supported Features	131
LAG Configuration	132
Using the GUI	133
Configuring Load-balancing Algorithm	133
Configuring Static LAG or LACP	134
Using the CLI	136
Configuring Load-balancing Algorithm	136
Configuring Static LAG or LACP	137
Configuration Example	141
Network Requirements	141
Configuration Scheme	141
Using the GUI	142
Using the CLI	143
Appendix: Default Parameters	146
Monitoring Traffic	147
Traffic Monitor	148
Using the GUI	148
Viewing the Traffic Summary	148
Viewing the Traffic Statistics in Detail	149
Using the CLI	151
Appendix: Default Parameters	152
Managing MAC Address Table	153
MAC Address Table	154
Overview	154
Supported Features	154
Address Configurations	156
Using the GUI	156
Adding Static MAC Address Entries	156
Modifying the Aging Time of Dynamic Address Entries	158
Adding MAC Filtering Address Entries	159
Viewing Address Table Entries	159
Using the CLI	160
Adding Static MAC Address Entries	160
Modifying the Aging Time of Dynamic Address Entries	161
Adding MAC Filtering Address Entries	162
Security Configurations	164
Using the GUI	164
Configuring MAC Notification Traps	164
Limiting the Number of MAC Addresses in VLANs	166
Using the CLI	167
Configuring MAC Notification Traps	167
Limiting the Number of MAC Addresses in VLANs	168
Example for Security Configurations	170
Network Requirements	170
Configuration Scheme	170
Using the GUI	171
Using the CLI	172
Appendix: Default Parameters	173
Configuring 802.1Q VLAN	174
Overview	175
802.1Q VLAN Configuration	176
Using the GUI	176
Configuring the PVID of the Port	176
Configuring the VLAN	177
Using the CLI	178
Creating a VLAN	178
Configuring the PVID of the Port	179
Adding the Port to the Specified VLAN	180
Configuration Example	182
Network Requirements	182
Configuration Scheme	182
Network Topology	183
Using the GUI	183
Using the CLI	185
Appendix: Default Parameters	187
Configuring MAC VLAN	188
Overview	189
MAC VLAN Configuration	190
Using the GUI	190
Configuring 802.1Q VLAN	190
Binding the MAC Address to the VLAN	191
Enabling MAC VLAN for the Port	191
Using the CLI	192
Configuring 802.1Q VLAN	192
Binding the MAC Address to the VLAN	192
Enabling MAC VLAN for the Port	193
Configuration Example	195
Network Requirements	195
Configuration Scheme	195
Using the GUI	196
Using the CLI	199
Appendix: Default Parameters	202
Configuring Protocol VLAN	203
Overview	204
Protocol VLAN Configuration	205
Using the GUI	205
Configuring 802.1Q VLAN	205
Creating Protocol Template	206
Configuring Protocol VLAN	207
Using the CLI	207
Configuring 802.1Q VLAN	207
Creating a Protocol Template	208
Configuring Protocol VLAN	209
Configuration Example	211
Network Requirements	211
Configuration Scheme	211
Using the GUI	212
Using the CLI	217
Appendix: Default Parameters	221
Configuring Spanning Tree	222
Spanning Tree	223
Overview	223
Basic Concepts	223
STP/RSTP Concepts	223
MSTP Concepts	227
STP Security	228
STP/RSTP Configurations	231
Using the GUI	231
Configuring STP/RSTP Parameters on Ports	231
Configuring STP/RSTP Globally	233
Verifying the STP/RSTP Configurations	235
Using the CLI	236
Configuring STP/RSTP Parameters on Ports	236
Configuring Global STP/RSTP Parameters	238
Enabling STP/RSTP Globally	239
MSTP Configurations	241
Using the GUI	241
Configuring Parameters on Ports in CIST	241
Configuring the MSTP Region	243
Configuring MSTP Globally	248
Verifying the MSTP Configurations	250
Using the CLI	251
Configuring Parameters on Ports in CIST	251
Configuring the MSTP Region	253
Configuring Global MSTP Parameters	256
Enabling Spanning Tree Globally	258
STP Security Configurations	261
Using the GUI	261
Configuring the STP Security	261
Configuring the Threshold and Cycle of TC Protect	262
Using the CLI	263
Configuring the STP Security	263
Configuring the TC Protect	265
Configuration Example for MSTP	267
Network Requirements	267
Configuration Scheme	267
Using the GUI	268
Using the CLI	279
Appendix: Default Parameters	286
Configuring Layer 2 Multicast	288
Layer 2 Multicast	289
Overview	289
Supported Layer 2 Multicast Protocols	290
IGMP Snooping Configurations	291
Using the GUI	291
Configuring IGMP Snooping Globally	291
Enabling IGMP Snooping Globally	291
(Optional) Configuring Unknown Multicast	291
(Optional) Configuring Report Message Suppression	292
Configuring Router Port Time and Member Port Time	292
Configuring IGMP Snooping Last Listener Query	293
Verifying IGMP Snooping Status	293
Configuring the Port’s Basic IGMP Snooping Features	294
Enabling IGMP Snooping on the Port	294
(Optional) Configuring Fast Leave	294
Configuring IGMP Snooping in the VLAN	295
Configuring IGMP Snooping Globally in the VLAN	295
(Optional) Configuring the Static Router Ports in the VLAN	296
(Optional) Configuring the Forbidden Router Ports in the VLAN	296
Configuring the Multicast VLAN	296
Creating Multicast VLAN and Configuring Basic Settings	297
(Optional) Creating Replace Source IP	298
Viewing Dynamic Router Ports in the Multicast VLAN	298
(Optional) Configuring the Static Router Ports	298
(Optional) Configuring the Forbidden Router Ports	298
(Optional) Configuring the Querier	299
Configuring the Querier	299
Viewing Settings of IGMP Querier	299
Configuring IGMP Profile	300
Creating Profile	300
Searching Profile	300
Editing IP Range of the Profile	301
Binding Profile and Member Ports	301
Binding Profile and Member Ports	302
Configuring Max Groups a Port Can Join	302
Viewing IGMP Statistics on Each Port	303
Configuring Auto Refresh	303
Viewing IGMP Statistics	304
Enabling IGMP Accounting and Authentication	304
Configuring IGMP Accounting Globally	305
Configuring IGMP Authentication on the Port	305
Configuring Static Member Port	305
Configuring Static Member Port	306
Viewing IGMP Static Multicast Groups	306
Using the CLI	307
Enabling IGMP Snooping Globally	307
Enabling IGMP Snooping on the Port	307
Configuring IGMP Snooping Parameters Globally	308
Configuring Report Message Suppression	308
Configuring Unknown Multicast	309
Configuring IGMP Snooping Parameters on the Port	310
Configuring Router Port Time and Member Port Time	310
Configuring Fast Leave	311
Configuring Max Group and Overflow Action on the Port	312
Configuring IGMP Snooping Last Listener Query	313
Configuring IGMP Snooping Parameters in the VLAN	315
Configuring Router Port Time and Member Port Time	315
Configuring Static Router Port	316
Configuring Forbidden Router Port	317
Configuring Static Multicast (Multicast IP and Forward Port)	318
Configuring IGMP Snooping Parameters in the Multicast VLAN	318
Configuring Router Port Time and Member Port Time	318
Configuring Static Router Port	319
Configuring Forbidden Router Port	320
Configuring Replace Source IP	321
Configuring the Querier	322
Enabling IGMP Querier	322
Configuring Query Interval, Max Response Time and General Query Source IP	323
Configuring Multicast Filtering	324
Creating Profile	324
Binding Profile to the Port	325
Enabling IGMP Accounting and Authentication	327
Enabling IGMP Authentication on the Port	327
Enabling IGMP Accounting Globally	328
Configuring MLD Snooping	329
Using the GUI	329
Configuring MLD Snooping Globally	329
Enabling MLD Snooping Globally	329
(Optional) Configuring Unknown Multicast	329
(Optional) Configuring Report Message Suppression	330
Configuring Router Port Time and Member Port Time	330
Configuring MLD Snooping Last Listener Query	331
Verifying MLD Snooping Status	331
Configuring the Port’s Basic MLD Snooping Features	332
Enabling MLD Snooping on the Port	332
(Optional) Configuring Fast Leave	332
Configuring MLD Snooping in the VLAN	333
Configuring MLD Snooping Globally in the VLAN	333
(Optional) Configuring the Static Router Ports in the VLAN	334
(Optional) Configuring the Forbidden Router Ports in the VLAN	334
Configuring the Multicast VLAN	334
Creating Multicast VLAN and Configuring Basic Settings	335
(Optional) Creating Replace Source IP	336
Viewing Dynamic Router Ports in the Multicast VLAN	336
(Optional) Configuring the Static Router Ports	336
(Optional) Configuring the Forbidden Router Ports	336
(Optional) Configuring the Querier	337
Configuring the Querier	337
Viewing Settings of MLD Querier	337
Configuring MLD Profile	338
Creating Profile	338
Searching Profile	338
Editing IP Range of the Profile	339
Binding Profile and Member Ports	340
Binding Profile and Member Ports	340
Configuring Max Groups a Port Can Join	341
Viewing MLD Statistics on Each Port	342
Configuring Auto Refresh	342
Viewing MLD Statistics	342
Configuring Static Member Port	343
Configuring Static Member Port	343
Viewing MLD Static Multicast Groups	343
Using the CLI	344
Enabling MLD Snooping Globally	344
Enabling MLD Snooping on the Port	344
Configuring MLD Snooping Parameters Globally	345
Configuring Report Message Suppression	345
Configuring Unknown Multicast	346
Configuring MLD Snooping Parameters on the Port	347
Configuring Router Port Time and Member Port Time	347
Configuring Fast Leave	348
Configuring Max Group and Overflow Action on the Port	349
Configuring MLD Snooping Last Listener Query	350
Configuring MLD Snooping Parameters in the VLAN	351
Configuring Router Port Time and Member Port Time	351
Configuring Static Router Port	352
Configuring Forbidden Router Port	353
Configuring Static Multicast (Multicast IP and Forward Port)	354
Configuring MLD Snooping Parameters in the Multicast VLAN	355
Configuring Router Port Time and Member Port Time	355
Configuring Static Router Port	356
Configuring Forbidden Router Port	357
Configuring Replace Source IP	358
Configuring the Querier	359
Enabling MLD Querier	359
Configuring Query Interval, Max Response Time and General Query Source IP	360
Configuring Multicast Filtering	361
Creating Profile	361
Binding Profile to the Port	362
Viewing Multicast Snooping Configurations	364
Using the GUI	364
Viewing IPv4 Multicast Snooping Configurations	364
Viewing IPv6 Multicast Snooping Configurations	365
Using the CLI	365
Viewing IPv4 Multicast Snooping Configurations	365
Viewing IPv6 Multicast Snooping Configurations	366
Configuration Examples	368
Example for Configuring Basic IGMP Snooping	368
Network Requirements	368
Configuration Scheme	368
Using the GUI	369
Using the CLI	372
Example for Configuring Multicast VLAN	374
Network Requirements	374
Configuration Scheme	374
Network Topology	374
Using the GUI	375
Using the CLI	378
Example for Configuring Unknown Multicast and Fast Leave	380
Network Requirement	380
Configuration Scheme	381
Using the GUI	381
Using the CLI	384
Example for Configuring Multicast Filtering	385
Network Requirements	385
Configuration Scheme	385
Network Topology	385
Using the GUI	386
Using the CLI	393
Appendix: Default Parameters	396
Default Parameters for IGMP Snooping	396
Default Parameters for MLD Snooping	397
Configuring Logical Interfaces	399
Overview	400
Logical Interfaces Configurations	401
Using the GUI	401
Creating a Layer 3 Interface	401
Configuring IPv4 Parameters of the Interface	402
Configuring IPv6 Parameters of the Interface	403
Viewing Detail Information of the Interface	406
Using the CLI	406
Creating a Layer 3 Interface	406
Configuring IPv4 Parameters of the Interface	408
Configuring IPv6 Parameters of the Interface	409
Appendix: Default Parameters	412
Configuring Static Routing	413
Overview	414
IPv4 Static Routing Configuration	415
Using the GUI	415
Using the CLI	416
IPv6 Static Routing Configuration	417
Using the GUI	417
Using the CLI	418
Viewing Routing Table	420
Using the GUI	420
Viewing IPv4 Routing Table	420
Viewing IPv6 Routing Table	421
Using the CLI	421
Viewing IPv4 Routing Table	421
Viewing IPv6 Routing Table	422
Example for Static Routing	423
Network Requirements	423
Configuration Scheme	423
Using the GUI	423
Using the CLI	424
Appendix: Default Parameter	427
Configuring DHCP	428
DHCP	429
Overview	429
Supported Features	429
DHCP Client Configuration	432
Using the GUI	432
Using the CLI	433
DHCP Relay Configuration	435
Using the GUI	435
Enabling DHCP Relay and Configuring Option 82	435
Specifying DHCP Server for the Interface or VLAN	436
Using the CLI	438
Enabling DHCP Relay	438
(Optional) Configuring Option 82	438
Specifying DHCP Server for Interface or VLAN	440
Configuration Examples	444
Example for DHCP Interface Relay	444
Network Requirements	444
Configuration Scheme	444
Using the GUI	445
Using the CLI	446
Appendix: Default Parameters	448
Configuring ARP	449
Overview	450
ARP Configurations	451
Using the GUI	451
Viewing the ARP Entries	451
Adding Static ARP Entries Manually	452
Using the CLI	452
Configuring ARP Function	452
Configuring QoS	456
QoS	457
Overview	457
Supported Features	457
DiffServ Configuration	458
Using the GUI	459
Configuring Priority Mode	459
Configuring Schedule Mode	462
Using CLI	464
Configuring Priority Mode	464

Match case Limit results 1 per page

Configuration Guide

569

Configuring Network Security

DoS Defend Configuration

Step 3

ip dos-prevent type {

flood | syn-flood | win-nuke | smurf | ping-of-death

}

Configure one or more defend types according to your needs. The types of DoS attack are

introduced as follows.

land:

The attacker sends a speciﬁc fake SYN (synchronous) packet to the destination host.

Because both the source IP address and the destination IP address of the SYN packet are

set to be the IP address of the host, the host will be trapped in an endless circle of building

the initial connection.

scan-synfin:

The attacker sends the packet with its SYN field and the FIN field set to 1.

The SYN ﬁeld is used to request initial connection whereas the FIN ﬁeld is used to request

disconnection. Therefore, a packet of this type is illegal.

xma-scan:

The attacker sends the illegal packet with its TCP index, FIN, URG and PSH ﬁeld

set to 1.

null-scan:

The attacker sends the illegal packet with its TCP index and all the control ﬁelds

set to 0. During the TCP connection and data transmission, the packets with all the control

ﬁelds set to 0 are considered as the illegal packets.

port-less-1024:

The attacker sends the illegal packet with its TCP SYN field set to 1 and

source port smaller than 1024.

blat:

The attacker sends the illegal packet with the same source port and destination port on

Layer 4 and with its URG ﬁeld set to 1. Similar to the Land Attack, the system performance

of the attacked host is reduced because the Host circularly attempts to build a connection

with the attacker.

ping-flood:

The attacker floods the destination system with Ping packets, creating a

broadcast storm that makes it impossible for system to respond to legal communication.

syn-flood:

The attacker uses a fake IP address to send TCP request packets to the server.

Upon receiving the request packets, the server responds with SYN-ACK packets. Since the

IP address is fake, no response will be returned. The server will keep on sending SYN-ACK

packets. If the attacker sends overﬂowing fake request packets, the network resource will

be occupied maliciously and the requests of the legal clients will be denied.

win-nuke:

An Operation System with bugs cannot process the URG (Urgent Pointer) of TCP

packets. If the attacker sends TCP packets to port139 (NetBIOS) of the host with Operation

System bugs, it will cause blue screen.

smurf:

The attacker broadcasts large numbers of Internet Control Message Protocol (ICMP)

packets with the intended victim’s spoofed source IP to a computer network using an IP

broadcast address. Most devices on a network will respond to this by sending a reply to

the source IP address. If the number of devices on the network that receive and respond

to these packets is very large, the victim’s host will be flooded with traffic, which can slow

down the victim’s host and cause the host impossible to work on.

ping-of-death:

The attacker sends an improperly large Internet Control Message Protocol

(ICMP) echo request packet, or a ping packet, with the purpose of overflowing the input

buffers of the destination host and causing the host to crash.

Step 4

show ip dos-prevent

Verify the Dos Defend configuration.