Home » TP-Link Manuals » Hubs & Switches » TP-Link T3700G-52TQ » Manual Viewer

TP-Link T3700G-52TQ T3700G-52TQUN V1 User Guide - Page 362

DoS Defend

View all TP-Link T3700G-52TQ manuals

Add to My Manuals
Save this manual to your list of manuals

Page 362 highlights

Entry Description: UNIT: Select: Port: Security Type: LAG: Select the unit ID of the desired member in the stack. Select your desired port for configuration. It is multi-optional. Displays the port number. Select Security Type for the port. • Disable: Select this option to disable the IP Source Guard feature for the port. • SIP: Only the packets with its source IP address and port number matched to the IP-MAC binding rules can be processed. • SIP+MAC: Only the packets with its source IP address, source MAC address and port number matched to the IP-MAC binding rules can be processed. Displays the LAG to which the port belongs to. 14.5 DoS Defend DoS (Denial of Service) Attack is to occupy the network bandwidth maliciously by the network attackers or the evil programs sending a lot of service requests to the Host, which incurs an abnormal service or even breakdown of the network. With DoS Defend function enabled, the switch can analyze the specific fields of the IP packets and distinguish the malicious DoS attack packets. Upon detecting the packets, the switch will discard the illegal packets directly and limit the transmission rate of the legal packets if the over legal packets may incur a breakdown of the network. The switch can defend several types of DoS attack listed in the following table. DoS Attack Type Land Attack Scan SYNFIN Xmascan Description The attacker sends a specific fake SYN packet to the destination Host. Since both the source IP address and the destination IP address of the SYN packet are set to be the IP address of the Host, the Host will be trapped in an endless circle for building the initial connection. The performance of the network will be reduced extremely. The attacker sends the packet with its SYN field and the FIN field set to 1. The SYN field is used to request initial connection whereas the FIN field is used to request disconnection. Therefore, the packet of this type is illegal. The switch can defend this type of illegal packet. The attacker sends the illegal packet with its TCP index, FIN, URG and PSH field set to 1. 349

Section	Page
Package Contents	14
Chapter 1 About This Guide	15
1.1 Intended Readers	15
1.2 Conventions	15
1.3 Overview of This Guide	16
Chapter 2 Introduction	21
2.1 Overview of the Switch	21
2.2 Appearance Description	21
2.2.1 Front Panel	21
2.2.2 Rear Panel	23
Chapter 3 Login to the Switch	25
3.1 Login	25
3.2 Configuration	25
Chapter 4 System	27
4.1 System Info	27
4.1.1 System Summary	27
4.1.2 Device Description	29
4.1.3 System Time	30
4.1.4 Daylight Saving Time	31
4.1.5 System IPv6	32
4.1.6 Management Port IPv4	35
4.1.7 Management Port IPv6	36
4.2 User Management	37
4.2.1 User Table	38
4.2.2 User Config	38
4.3 System Tools	39
4.3.1 Boot Config	39
4.3.2 Config Restore	40
4.3.3 Config Backup	41
4.3.4 Firmware Upgrade	42
4.3.5 System Reboot	42
4.3.6 System Reset	43
4.4 Access Security	43
4.4.1 Access Control	43
4.4.2 HTTP Config	44
4.4.3 HTTPS Config	45
4.4.4 SSH Config	48
4.4.5 Telnet Config	52
4.5 SDM Template	52
4.5.1 SDM Template Config	52
Chapter 5 Stack	54
5.1 Stack Management	60
5.1.1 Stack Info	61
5.1.2 Stack Config	62
5.1.3 Auto Copy Software	64
5.2 Application Example for Stack	65
Chapter 6 Switching	66
6.1 Port	66
6.1.1 Port Config	66
6.1.2 Port Mirror	67
6.1.3 Port Security	70
6.1.4 Protected Ports	71
6.1.5 Loopback Detection	72
6.1.6 Default Settings	75
6.2 LAG	75
6.2.1 LAG Table	76
6.2.2 Static LAG	78
6.2.3 LACP Config	79
6.2.4 Default Settings	80
6.3 Traffic Monitor	81
6.3.1 Traffic Summary	81
6.3.2 Traffic Statistics	82
6.4 MAC Address	84
6.4.1 Address Table	84
6.4.2 Static Address	86
6.4.3 Dynamic Address	87
6.4.4 Filtering Address	89
Chapter 7 VLAN	91
7.1 802.1Q VLAN	92
7.1.1 VLAN Config	94
7.1.2 Port Config	95
7.2 Application Example for 802.1Q VLAN	97
7.3 MAC VLAN	99
7.4 Application Example for MAC VLAN	100
7.5 Protocol VLAN	101
7.5.1 Protocol Group Table	102
7.5.2 Protocol Group	103
7.5.3 Protocol Template	103
7.6 Application Example for Protocol VLAN	104
7.7 VLAN VPN	106
7.7.1 VLAN-VPN Config	107
7.7.2 Default Settings	108
7.8 GVRP	108
7.8.1 GVRP Config	110
7.8.2 Default Settings	111
7.9 Private VLAN	111
7.9.1 PVLAN Config	113
7.9.2 Port Config	114
7.10 Application Example for Private VLAN	115
Chapter 8 Spanning Tree	118
8.1 STP Config	124
8.1.1 STP Config	124
8.1.2 STP Summary	126
8.2 Port Config	126
8.3 MSTP Instance	129
8.3.1 Region Config	130
8.3.2 Instance Config	130
8.3.3 Instance Port Config	131
8.4 STP Security	134
8.4.1 Port Protect	134
8.5 Application Example for MSTP Function	137
Chapter 9 Multicast	142
9.1 IGMP Snooping	144
9.1.1 Snooping Config	146
9.1.2 Port Config	147
9.1.3 VLAN Config	148
9.1.4 Querier Config	150
9.1.5 Profile Config	152
9.2 MLD Snooping	154
9.2.1 Snooping Config	155
9.2.2 Port Config	157
9.2.3 VLAN Config	158
9.2.4 Querier Config	159
9.2.5 Profile Config	161
9.3 MVR	163
9.3.1 MVR Config	163
9.3.2 Interface Config	164
9.3.3 Member Config	166
9.3.4 Traffic	167
9.4 Multicast Table	168
9.4.1 Summary	168
9.4.2 Static Config	169
9.4.3 IGMP Snooping	171
9.4.4 MLD Snooping	171
9.4.5 SSM Groups	172
9.4.6 SSM Entries	173
9.4.7 SSM Status	174
Chapter 10 Routing	176
10.1 Interface	176
10.2 Routing Table	179
10.3 Static Routing	180
10.3.1 Static Routing	180
10.3.2 Application Example for Static Routing	181
10.4 DHCP Server	182
10.4.1 DHCP Server	188
10.4.2 Pool Setting	190
10.4.3 DHCP Options Set	192
10.4.4 Binding Table	193
10.4.5 Packet Statistics	194
10.4.6 Application Example for DHCP Server and Relay	195
10.5 DHCP Relay	197
10.5.1 Global Config	199
10.5.2 DHCP Server	201
10.6 Proxy ARP	202
10.6.1 Proxy ARP	202
10.6.2 Local Proxy ARP	203
10.6.3 Application Example for Proxy ARP	204
10.7 ARP	204
10.7.1 ARP Table	204
10.7.2 Static ARP	205
10.8 RIP	206
10.8.1 Basic Config	210
10.8.2 Interface Config	212
10.8.3 Application Example for RIP	213
10.9 OSPF	214
10.9.1 Process	232
10.9.2 Basic	233
10.9.3 Network	235
10.9.4 Interface	236
10.9.5 Area	241
10.9.6 Area Aggregation	243
10.9.7 Virtual Link	244
10.9.8 Route Redistribution	246
10.9.9 Neighbor Table	247
10.9.10 Link State Database	249
10.9.11 Application Example for OSPF	250
10.10 VRRP	251
10.10.1 Basic Config	255
10.10.2 Advanced Config	258
10.10.3 Virtual IP Config	259
10.10.4 Track Config	261
10.10.5 Virtual Router Statistics	262
10.10.6 Application Example for VRRP	264
Chapter 11 Multicast Routing	266
11.1 Global Config	267
11.1.1 Global Config	267
11.1.2 Mroute Table	268
11.2 IGMP	269
11.2.1 Global Config	273
11.2.2 Interface Config	274
11.2.3 Interface State	275
11.2.4 Multicast Group Table	276
11.2.5 Application Example for IGMP	277
11.3 PIM DM	279
11.3.1 PIM DM Interface	284
11.3.2 PIM DM Neighbor	284
11.3.3 Application Example for PIM DM	286
11.4 PIM SM	287
11.4.1 PIM SM Interface	293
11.4.2 PIM SM Neighbor	294
11.4.3 BSR	294
11.4.4 RP	296
11.4.5 RP Mapping	298
11.4.6 RP Info	298
11.4.7 PIM SSM	299
11.4.8 Packet Statistics	300
11.4.9 Application Example for PIM SM	301
11.5 Static Mroute	303
11.5.1 Static Mroute Config	304
11.5.2 Application Example for Static Mroute	305
Chapter 12 QoS	308
12.1 Class of Service	311
12.1.1 Trust Mode	311
12.1.2 Port Priority	311
12.1.3 802.1P/CoS to Queue Mapping	313
12.1.4 DSCP to Queue Mapping	314
12.1.5 Schedule Mode	316
12.2 DiffServ	317
12.2.1 Global	317
12.2.2 Class Summary	319
12.2.3 Class Config	319
12.2.4 Policy Summary	322
12.2.5 Policy Config	323
12.2.6 Service Config	325
12.3 Bandwidth Control	326
12.3.1 Rate Limit	326
12.3.2 Storm Control	327
12.4 Voice VLAN	328
12.4.1 Global Config	329
12.4.2 Port Config	329
12.4.3 OUI Config	330
12.5 Auto VoIP	331
12.5.1 Auto VoIP Config	331
Chapter 13 ACL	334
13.1 Time-Range	334
13.1.1 Time-Range Summary	334
13.2 ACL Config	336
13.2.1 ACL Summary	336
13.2.2 ACL Create	337
13.2.3 MAC ACL	337
13.2.4 Standard-IP ACL	339
13.2.5 Extend-IP ACL	340
13.3 ACL Binding	342
13.3.1 Binding Table	343
13.3.2 Port Binding	344
13.3.3 VLAN Binding	345
Chapter 14 Network Security	347
14.1 IP-MAC Binding	347
14.1.1 Binding Table	347
14.1.2 Manual Binding	348
14.2 DHCP Snooping	349
14.2.1 Global Config	352
14.2.2 Port Config	354
14.3 ARP Inspection	355
14.3.1 ARP Detect	358
14.3.2 ARP Defend	359
14.3.3 ARP Statistics	360
14.4 IP Source Guard	361
14.5 DoS Defend	362
14.5.1 DoS Defend	363
14.6 802.1X	364
14.6.1 Global Config	368
14.6.2 Port Config	368
14.7 AAA	371
14.7.1 RADIUS Server Config	372
14.7.2 TACACS+ Server Config	372
14.7.3 Authentication Method List Config	373
14.7.4 Application Authentication List Config	375
14.7.5 802.1X Authentication Server Config	376
14.7.6 Default Settings	376
Chapter 15 SNMP	378
15.1 SNMP Config	380
15.1.1 Global Config	380
15.1.2 SNMP View	381
15.1.3 SNMP Group	382
15.1.4 SNMP User	384
15.1.5 SNMP Community	385
15.2 Notification	388
15.2.1 Notification Config	388
15.2.2 Traps Config	391
15.3 RMON	393
15.3.1 History	394
15.3.2 Event	395
15.3.3 Alarm	396
Chapter 16 LLDP	398
16.1 Basic Config	401
16.1.1 Global Config	401
16.1.2 Port Config	402
16.2 Device Info	404
16.2.1 Local Info	404
16.2.2 Neighbor Info	405
16.3 Device Statistics	406
16.4 LLDP-MED	408
16.4.1 Global Config	408
16.4.2 Port Config	409
16.4.3 Local Info	411
16.4.4 Neighbor Info	412
Chapter 17 Maintenance	414
17.1 System Monitor	414
17.1.1 CPU Monitor	414
17.1.2 Memory Monitor	415
17.2 Log	415
17.2.1 Log Table	416
17.2.2 Local Log	417
17.2.3 Remote Log	418
17.2.4 Backup Log	419
17.3 Device Diagnose	420
17.3.1 Cable Test	420
17.4 Network Diagnose	421
17.4.1 Ping	421
17.4.2 Tracert	422

Match case Limit results 1 per page

Entry Description:

UNIT:

Select the unit ID of the desired member in the stack.

Select:

Select your desired port for configuration. It is multi-optional.

Port:

Displays the port number.

Security Type:

Select Security Type for the port.

•

Disable:

Select this option to disable the IP Source Guard

feature for the port.

•

SIP:

Only the packets with its source IP address and port

number matched to the IP-MAC binding rules can be

processed.

•

SIP+MAC:

Only the packets with its source IP address,

source MAC address and port number matched to the

IP-MAC binding rules can be processed.

LAG:

Displays the LAG to which the port belongs to.

14.5

DoS Defend

DoS (Denial of Service) Attack is to occupy the network bandwidth maliciously by the network

attackers or the evil programs sending a lot of service requests to the Host, which incurs an

abnormal service or even breakdown of the network.

With DoS Defend function enabled, the switch can analyze the specific fields of the IP packets

and distinguish the malicious DoS attack packets. Upon detecting the packets, the switch will

discard the illegal packets directly and limit the transmission rate of the legal packets if the

over legal packets may incur a breakdown of the network. The switch can defend several types

of DoS attack listed in the following table.

DoS Attack Type

Description

Land Attack

The attacker sends a specific fake SYN packet to the destination

Host. Since both the source IP address and the destination IP

address of the SYN packet are set to be the IP address of the Host,

the Host will be trapped in an endless circle for building the initial

connection. The performance of the network will be reduced

extremely.

Scan SYNFIN

The attacker sends the packet with its SYN field and the FIN field set

to 1. The SYN field is used to request initial connection whereas the

FIN field is used to request disconnection. Therefore, the packet of

this type is illegal. The switch can defend this type of illegal packet.

Xmascan

The attacker sends the illegal packet with its TCP index, FIN, URG

and PSH field set to 1.

349