Home » TP-Link Manuals » Hubs & Switches » TP-Link T2500G-10MPS » Manual Viewer

TP-Link T2500G-10MPS T2500G-10MPSUN V1 Configuration Guide - Page 620

Click, Follow these steps to con DoS Defend, NULL Scan, SYN sPort less, Blat Attack

View all TP-Link T2500G-10MPS manuals

Add to My Manuals
Save this manual to your list of manuals

Page 620 highlights

Configuring Network Security DoS Defend Configuration NULL Scan SYN sPort less 1024 Blat Attack Ping Flooding SYN/SYN-ACK Flooding WinNuke Attack Smurf Attack Ping Of Death 3) Click Apply. The attacker sends the illegal packet with its TCP index and all the control fields set to 0. During the TCP connection and data transmission, the packets with all control fields set to 0 are considered illegal. The attacker sends the illegal packet with its TCP SYN field set to 1 and source port smaller than 1024. The attacker sends the illegal packet with the same source port and destination port on Layer 4 and with its URG field set to 1. Similar to the Land Attack, the system performance of the attacked host is reduced because the Host circularly attempts to build a connection with the attacker. The attacker floods the destination system with Ping packets, creating a broadcast storm that makes it impossible for the system to respond to legal communication. The attacker uses a fake IP address to send TCP request packets to the server. Upon receiving the request packets, the server responds with SYN-ACK packets. Since the IP address is fake, no response will be returned. The server will keep on sending SYN-ACK packets. If the attacker sends overflowing fake request packets, the network resource will be occupied maliciously and the requests of the legal clients will be denied. Because the Operation System with bugs cannot correctly process the URG (Urgent Pointer) of TCP packets, the attacker sends this type of packets to the TCP port139 (NetBIOS) of the host with the Operation System bugs, which will cause the host with a blue screen. The attacker broadcasts large numbers of Internet Control Message Protocol (ICMP) packets with the intended victim's spoofed source IP to a computer network using an IP broadcast address. Most devices on a network will respond to this by sending a reply to the source IP address. If the number of devices on the network that receive and respond to these packets is very large, the victim's host will be flooded with traffic, which can slow down the victim's host and cause the host impossible to work on. The attacker sends an improperly large Internet Control Message Protocol (ICMP) echo request packet, or a ping packet, with the purpose of overflowing the input buffers of the destination host and causing the host to crash. 5.2 Using the CLI Follow these steps to configure DoS Defend: Step 1 configure Enter global configuration mode. Step 2 ip dos-prevent Globally enable the DoS defend feature. Configuration Guide 593

Section	Page
About This Guide	28
Intended Readers	28
Conventions	28
More Information	29
Accessing the Switch	30
Overview	31
Web Interface Access	32
Login	32
Save Config Function	33
Disable the Web Server	34
Configure the Switch's IP Address and Default Gateway	35
Command Line Interface Access	36
Console Login (only for switch with console port)	36
Telnet Login	38
SSH Login	39
Disable Telnet login	43
Disable SSH login	44
Copy running-config startup-config	44
Change the Switch's IP Address and Default Gateway	45
Managing System	46
System	47
Overview	47
Supported Features	47
System Info Configurations	49
Using the GUI	49
Viewing the System Summary	49
Specifying the Device Description	51
Setting the System Time	52
Setting the Daylight Saving Time	53
Specifying the Serial Port Parameter	54
Using the CLI	55
Viewing the System Summary	55
Specifying the Device Description	56
Setting the System Time	57
Setting the Daylight Saving Time	59
Specifying the Serial Port Parameter	61
User Management Configurations	63
Using the GUI	63
Creating Admin Accounts	63
Creating Accounts of Other Types	64
Using the CLI	66
Creating Admin Accounts	66
Creating Accounts of Other Types	67
System Tools Configurations	71
Using the GUI	71
Configuring the Boot File	71
Restoring the Configuration of the Switch	72
Backing up the Configuration File	73
Upgrading the Firmware	73
Configuring Auto Install Function	74
Rebooting the switch	75
Configuring the Reboot Schedule	75
Reseting the Switch	76
Using the CLI	76
Configuring the Boot File	76
Restoring the Configuration of the Switch	77
Backing up the Configuration File	78
Upgrading the firmware	78
Configuring Auto Install Function	79
Rebooting the switch	80
Configuring the Reboot Schedule	81
Reseting the Switch	82
Access Security Configurations	83
Using the GUI	83
Configuring the Access Control Feature	83
Configuring the HTTP Function	85
Configuring the HTTPS Function	86
Configuring the SSH Feature	88
Enabling the Telnet Function	89
Using the CLI	89
Configuring the Access Control	89
Configuring the HTTP Function	91
Configuring the HTTPS Function	92
Configuring the SSH Feature	95
Enabling the Telnet Function	97
Appendix: Default Parameters	98
Managing Physical Interfaces	101
Physical Interface	102
Overview	102
Supported Features	102
Basic Parameters Configurations	103
Using the GUI	103
Using the CLI	104
Port Mirror Configuration	107
Using the GUI	107
Using the CLI	109
Port Security Configuration	111
Using the GUI	111
Using the CLI	112
Port Isolation Configurations	115
Using the GUI	115
Using the CLI	116
Loopback Detection Configuration	118
Using the GUI	118
Using the CLI	119
Configuration Examples	122
Example for Port Mirror	122
Network Requirements	122
Configuration Scheme	122
Using the GUI	122
Using the CLI	124
Example for Port Isolation	124
Network Requirements	124
Configuration Scheme	125
Using the GUI	125
Using the CLI	126
Example for Loopback Detection	127
Network Requirements	127
Configuration Scheme	127
Using the GUI	127
Using the CLI	128
Appendix: Default Parameters	130
Configuring LAG	132
LAG	133
Overview	133
Supported Features	133
LAG Configuration	134
Using the GUI	135
Configuring Load-balancing Algorithm	135
Configuring Static LAG or LACP	136
Using the CLI	138
Configuring Load-balancing Algorithm	138
Configuring Static LAG or LACP	139
Configuration Example	143
Network Requirements	143
Configuration Scheme	143
Using the GUI	144
Using the CLI	145
Appendix: Default Parameters	147
Monitoring Traffic	148
Traffic Monitor	149
Using the GUI	149
Viewing the Traffic Summary	149
Viewing the Traffic Statistics in Detail	150
Using the CLI	152
Appendix: Default Parameters	153
Managing MAC Address Table	154
MAC Address Table	155
Overview	155
Supported Features	155
Address Configurations	157
Using the GUI	157
Adding Static MAC Address Entries	157
Modifying the Aging Time of Dynamic Address Entries	159
Adding MAC Filtering Address Entries	160
Viewing Address Table Entries	160
Using the CLI	161
Adding Static MAC Address Entries	161
Modifying the Aging Time of Dynamic Address Entries	162
Adding MAC Filtering Address Entries	163
Security Configurations	165
Using the GUI	165
Configuring MAC Notification Traps	165
Limiting the Number of MAC Addresses in VLANs	166
Using the CLI	167
Configuring MAC Notification Traps	167
Limiting the Number of MAC Addresses in VLANs	169
Example for Security Configurations	171
Network Requirements	171
Configuration Scheme	171
Using the GUI	172
Using the CLI	173
Appendix: Default Parameters	174
Configuring DDM	175
Overview	176
DDM Configuration	177
Using the GUI	177
Configuring DDM Globally	177
Configuring the Temperature Threshold	178
Configuring the Voltage Threshold	178
Configuring the Bias Current Threshold	179
Configuring the Tx Power Threshold	180
Configuring the Rx Power Threshold	181
Viewing DDM Status	181
Using the CLI	182
Configuring DDM Globally	182
Configuring DDM Shutdown	183
Configuring Temperature Threshold	184
Configuring Voltage Threshold	185
Configuring Bias Current Threshold	186
Configuring Tx Power Threshold	188
Configuring Rx Power Threshold	189
Viewing DDM Configuration	190
Viewing DDM Status	191
Appendix: Default Parameters	192
Configuring L2PT	193
Overview	194
L2PT Configuration	196
Using the GUI	196
Using the CLI	197
Configuration Example	200
Network Requirements	200
Configuration Scheme	200
Using the GUI	200
Using the CLI	201
Appendix: Default Parameters	203
Configuring 802.1Q VLAN	204
Overview	205
802.1Q VLAN Configuration	206
Using the GUI	206
Configuring the PVID of the Port	206
Configuring the VLAN	208
Using the CLI	209
Creating a VLAN	209
Configuring the Port	210
Adding the Port to the Specified VLAN	211
Configuration Example	213
Network Requirements	213
Configuration Scheme	213
Network Topology	214
Using the GUI	214
Using the CLI	216
Appendix: Default Parameters	218
Configuring MAC VLAN	219
Overview	220
MAC VLAN Configuration	221
Using the GUI	221
Configuring 802.1Q VLAN	221
Binding the MAC Address to the VLAN	222
Enabling MAC VLAN for the Port	222
Using the CLI	223
Configuring 802.1Q VLAN	223
Binding the MAC Address to the VLAN	223
Enabling MAC VLAN for the Port	224
Configuration Example	226
Network Requirements	226
Configuration Scheme	226
Using the GUI	227
Using the CLI	232
Appendix: Default Parameters	236
Configuring Protocol VLAN	237
Overview	238
Protocol VLAN Configuration	239
Using the GUI	239
Configuring 802.1Q VLAN	239
Creating Protocol Template	240
Configuring Protocol VLAN	241
Using the CLI	241
Configuring 802.1Q VLAN	241
Creating a Protocol Template	242
Configuring Protocol VLAN	243
Configuration Example	245
Network Requirements	245
Configuration Scheme	245
Using the GUI	246
Using the CLI	253
Appendix: Default Parameters	258
Configuring VLAN-VPN	259
VLAN-VPN	260
Overview	260
Supported Features	261
Basic VLAN-VPN Configuration	262
Using the GUI	262
Configuring 802.1Q VLAN	262
Enabling VLAN-VPN Globally and Configuring Up-link Ports	262
Using the CLI	263
Configuring 802.1Q VLAN	263
Enabling VLAN-VPN Globally and Configuring Up-link Ports	263
Flexible VLAN-VPN Configuration	266
Using the GUI	266
Using the CLI	267
Configuration Example	269
Network Requirements	269
Configuration Scheme	269
Using the GUI	270
Using the CLI	273
Appendix: Default Parameters	276
Configuring GVRP	277
Overview	278
GVRP Configuration	279
Using the GUI	279
Using the CLI	281
Configuration Example	284
Network Requirements	284
Configuration Scheme	284
Using the GUI	285
Using the CLI	290
Appendix: Default Parameters	294
Configuring Spanning Tree	295
Spanning Tree	296
Overview	296
Basic Concepts	296
STP/RSTP Concepts	296
MSTP Concepts	300
STP Security	301
STP/RSTP Configurations	304
Using the GUI	304
Configuring STP/RSTP Parameters on Ports	304
Configuring STP/RSTP Globally	306
Verifying the STP/RSTP Configurations	308
Using the CLI	309
Configuring STP/RSTP Parameters on Ports	309
Configuring Global STP/RSTP Parameters	311
Enabling STP/RSTP Globally	312
MSTP Configurations	314
Using the GUI	314
Configuring Parameters on Ports in CIST	314
Configuring the MSTP Region	316
Configuring MSTP Globally	320
Verifying the MSTP Configurations	322
Using the CLI	323
Configuring Parameters on Ports in CIST	323
Configuring the MSTP Region	325
Configuring Global MSTP Parameters	328
Enabling Spanning Tree Globally	330
STP Security Configurations	333
Using the GUI	333
Configuring the STP Security	333
Using the CLI	334
Configuring the STP Security	334
Configuration Example for MSTP	337
Network Requirements	337
Configuration Scheme	337
Using the GUI	338
Using the CLI	346
Appendix: Default Parameters	353
Configuring Layer 2 Multicast	355
Layer 2 Multicast	356
Overview	356
Supported Layer 2 Multicast Protocols	357
IGMP Snooping Configurations	358
Using the GUI	358
Configuring IGMP Snooping Globally	358
Enabling IGMP Snooping Globally	358
(Optional) Configuring Unknown Multicast	358
(Optional) Configuring Report Message Suppression	359
Configuring Router Port Time and Member Port Time	359
Configuring IGMP Snooping Last Listener Query	360
Verifying IGMP Snooping Status	360
Configuring the Port’s Basic IGMP Snooping Features	361
Enabling IGMP Snooping on the Port	361
(Optional) Configuring Fast Leave	361
Configuring IGMP Snooping in the VLAN	362
Configuring IGMP Snooping Globally in the VLAN	362
(Optional) Configuring the Static Router Ports in the VLAN	363
(Optional) Configuring the Forbidden Router Ports in the VLAN	363
Configuring the Multicast VLAN	363
Creating Multicast VLAN and Configuring Basic Settings	364
(Optional) Creating Replace Source IP	365
Viewing Dynamic Router Ports in the Multicast VLAN	365
(Optional) Configuring the Static Router Ports	365
(Optional) Configuring the Forbidden Router Ports	365
(Optional) Configuring the Querier	366
Configuring the Querier	366
Viewing Settings of IGMP Querier	366
Configuring IGMP Profile	367
Creating Profile	367
Searching Profile	367
Editing IP Range of the Profile	368
Binding Profile and Member Ports	368
Binding Profile and Member Ports	369
Configuring Max Groups a Port Can Join	369
Viewing IGMP Statistics on Each Port	370
Configuring Auto Refresh	370
Viewing IGMP Statistics	371
Enabling IGMP Accounting and Authentication	371
Configuring IGMP Accounting Globally	371
Configuring IGMP Authentication on the Port	372
Configuring Static Member Port	372
Configuring Static Member Port	372
Viewing IGMP Static Multicast Groups	373
Using the CLI	373
Enabling IGMP Snooping Globally	373
Enabling IGMP Snooping on the Port	373
Configuring IGMP Snooping Parameters Globally	375
Configuring Report Message Suppression	375
Configuring Unknown Multicast	376
Configuring IGMP Snooping Parameters on the Port	377
Configuring Router Port Time and Member Port Time	377
Configuring Fast Leave	378
Configuring Max Group and Overflow Action on the Port	379
Configuring IGMP Snooping Last Listener Query	380
Configuring IGMP Snooping Parameters in the VLAN	381
Configuring Router Port Time and Member Port Time	381
Configuring Static Router Port	382
Configuring Forbidden Router Port	383
Configuring Static Multicast (Multicast IP and Forward Port)	384
Configuring IGMP Snooping Parameters in the Multicast VLAN	385
Configuring Router Port Time and Member Port Time	385
Configuring Static Router Port	386
Configuring Forbidden Router Port	387
Configuring Replace Source IP	388
Configuring the Querier	389
Enabling IGMP Querier	389
Configuring Query Interval, Max Response Time and General Query Source IP	389
Configuring Multicast Filtering	391
Creating Profile	391
Binding Profile to the Port	392
Enabling IGMP Accounting and Authentication	393
Enabling IGMP Authentication on the Port	393
Enabling IGMP Accounting Globally	394
Configuring MLD Snooping	395
Using the GUI	395
Configuring MLD Snooping Globally	395
Enabling MLD Snooping Globally	395
(Optional) Configuring Unknown Multicast	395
(Optional) Configuring Report Message Suppression	396
Configuring Router Port Time and Member Port Time	396
Configuring MLD Snooping Last Listener Query	396
Verifying MLD Snooping Status	397
Configuring the Port’s Basic MLD Snooping Features	397
Enabling MLD Snooping on the Port	398
(Optional) Configuring Fast Leave	398
Configuring MLD Snooping in the VLAN	398
Configuring MLD Snooping Globally in the VLAN	399
(Optional) Configuring the Static Router Ports in the VLAN	399
(Optional) Configuring the Forbidden Router Ports in the VLAN	399
Configuring the Multicast VLAN	400
Creating Multicast VLAN and Configuring Basic Settings	400
(Optional) Creating Replace Source IP	401
Viewing Dynamic Router Ports in the Multicast VLAN	401
(Optional) Configuring the Static Router Ports	401
(Optional) Configuring the Forbidden Router Ports	402
(Optional) Configuring the Querier	402
Configuring the Querier	402
Viewing Settings of MLD Querier	403
Configuring MLD Profile	403
Creating Profile	403
Searching Profile	404
Editing IP Range of the Profile	404
Binding Profile and Member Ports	405
Binding Profile and Member Ports	405
Configuring Max Groups a Port Can Join	405
Viewing MLD Statistics on Each Port	406
Configuring Auto Refresh	406
Viewing MLD Statistics	407
Configuring Static Member Port	407
Configuring Static Member Port	407
Viewing MLD Static Multicast Groups	408
Using the CLI	408
Enabling MLD Snooping Globally	408
Enabling MLD Snooping on the Port	408
Configuring MLD Snooping Parameters Globally	409
Configuring Report Message Suppression	409
Configuring Unknown Multicast	410
Configuring MLD Snooping Parameters on the Port	412
Configuring Router Port Time and Member Port Time	412
Configuring Fast Leave	413
Configuring Max Group and Overflow Action on the Port	414
Configuring MLD Snooping Last Listener Query	415
Configuring MLD Snooping Parameters in the VLAN	416
Configuring Router Port Time and Member Port Time	416
Configuring Static Router Port	417
Configuring Forbidden Router Port	418
Configuring Static Multicast (Multicast IP and Forward Port)	419
Configuring MLD Snooping Parameters in the Multicast VLAN	420
Configuring Router Port Time and Member Port Time	420
Configuring Static Router Port	421
Configuring Forbidden Router Port	422
Configuring Replace Source IP	423
Configuring the Querier	424
Enabling MLD Querier	424
Configuring Query Interval, Max Response Time and General Query Source IP	424
Configuring Multicast Filtering	426
Creating Profile	426
Binding Profile to the Port	427
Viewing Multicast Snooping Configurations	429
Using the GUI	429
Viewing IPv4 Multicast Snooping Configurations	429
Viewing IPv6 Multicast Snooping Configurations	430
Using the CLI	430
Viewing IPv4 Multicast Snooping Configurations	430
Viewing IPv6 Multicast Snooping Configurations	431
Configuration Examples	433
Example for Configuring Basic IGMP Snooping	433
Network Requirements	433
Configuration Scheme	433
Using the GUI	434
Using the CLI	436
Example for Configuring Multicast VLAN	438
Network Requirements	438
Configuration Scheme	438
Network Topology	438
Using the GUI	439
Using the CLI	442
Example for Configuring Unknown Multicast and Fast Leave	445
Network Requirement	445
Configuration Scheme	445
Using the GUI	446
Using the CLI	447
Example for Configuring Multicast Filtering	449
Network Requirements	449
Configuration Scheme	449
Network Topology	449
Using the GUI	450
Using the CLI	455
Appendix: Default Parameters	458
Default Parameters for IGMP Snooping	458
Default Parameters for MLD Snooping	459
Configuring DHCP VLAN Relay	461
DHCP VLAN Relay	462
Overview	462
DHCP VLAN Relay Configuration	463
Using the GUI	463
Enabling DHCP Relay and Configuring Option 82	463
Specifying DHCP Server for the VLAN	464
Using the CLI	465
Enabling DHCP Relay	465
(Optional) Configuring Option 82	466
Specifying DHCP Server for VLAN	467

Match case Limit results 1 per page

Configuration Guide

593

Configuring Network Security

DoS Defend Configuration

NULL Scan

The attacker sends the illegal packet with its TCP index and all the control fields

set to 0. During the TCP connection and data transmission, the packets with all

control fields set to 0 are considered illegal.

SYN sPort less

1024

The attacker sends the illegal packet with its TCP SYN field set to 1 and source

port smaller than 1024.

Blat Attack

The attacker sends the illegal packet with the same source port and destination

port on Layer 4 and with its URG field set to 1. Similar to the Land Attack, the

system performance of the attacked host is reduced because the Host circularly

attempts to build a connection with the attacker.

Ping Flooding

The attacker floods the destination system with Ping packets, creating a

broadcast storm that makes it impossible for the system to respond to legal

communication.

SYN/SYN-ACK

Flooding

The attacker uses a fake IP address to send TCP request packets to the server.

Upon receiving the request packets, the server responds with SYN-ACK packets.

Since the IP address is fake, no response will be returned. The server will keep

on sending SYN-ACK packets. If the attacker sends overflowing fake request

packets, the network resource will be occupied maliciously and the requests of

the legal clients will be denied.

WinNuke Attack

Because the Operation System with bugs cannot correctly process the URG

(Urgent Pointer) of TCP packets, the attacker sends this type of packets to the

TCP port139 (NetBIOS) of the host with the Operation System bugs, which will

cause the host with a blue screen.

Smurf Attack

The attacker broadcasts large numbers of Internet Control Message Protocol

(ICMP) packets with the intended victim’s spoofed source IP to a computer

network using an IP broadcast address. Most devices on a network will respond

to this by sending a reply to the source IP address. If the number of devices on

the network that receive and respond to these packets is very large, the victim’s

host will be flooded with traffic, which can slow down the victim’s host and cause

the host impossible to work on.

Ping Of Death

The attacker sends an improperly large Internet Control Message Protocol (ICMP)

echo request packet, or a ping packet, with the purpose of overflowing the input

buffers of the destination host and causing the host to crash.

3) Click

Apply

5.2

Using the CLI

Follow these steps to configure DoS Defend:

Step 1

configure

Enter global configuration mode.

Step 2

ip dos-prevent

Globally enable the DoS defend feature.