Home » ZyXEL Manuals » Networking » ZyXEL P-662HW-61 » Manual Viewer

ZyXEL P-662HW-61 User Guide - Page 440

ARP Behavior and the ARP ackGratuitous Commands

Get ZyXEL P-662HW-61 PDF manuals and user guides

Add to My Manuals
Save this manual to your list of manuals

Page 440 highlights

Appendix J Command Interpreter Figure 299 Routing Command Example ras> ip nat routing 2 0 Routing can work in NAT when no NAT rule match LAN: yes ARP Behavior and the ARP ackGratuitous Commands The ZyXEL Device does not accept ARP reply information if the ZyXEL Device did not send out a corresponding request. This helps prevent the ZyXEL Device from updating its ARP table with an incorrect IP address to MAC address mapping due to a spoofed ARP. An incorrect IP to MAC address mapping in the ZyXEL Device's ARP table could cause the ZyXEL Device to send packets to the wrong device. Commands for Using or Ignoring Gratuitous ARP Requests A host can send an ARP request to resolve its own IP address. This is called a gratuitous ARP request. The packet uses the host's own IP address as the source and destination IP address. The packet uses the Ethernet broadcast address (FF:FF:FF:FF:FF:FF) as the destination MAC address. This is used to determine if any other hosts on the network are using the same IP address as the sending host. The other hosts in the network can also update their ARP table IP address to MAC address mappings with this host's MAC address. The ip arp ackGratuitous commands set how the ZyXEL Device handles gratuitous ARP requests. • Use ip arp ackGratuitous active no to have the ZyXEL Device ignore gratuitous ARP requests. • Use ip arp ackGratuitous active yes to have the ZyXEL Device respond to gratuitous ARP requests. For example, say the regular gateway goes down and a backup gateway sends a gratuitous ARP request. If the request is for an IP address that is not already in the ZyXEL Device's ARP table, the ZyXEL Device sends an ARP request to ask which host is using the IP address. After the ZyXEL Device receives a reply from the backup gateway, it adds an ARP table entry. If the ZyXEL Device's ARP table already has an entry for the IP address, the ZyXEL Device's response depends on how you configure the ip arp ackGratuitous forceUpdate command. • Use ip arp ackGratuitous forceUpdate on to have the ZyXEL Device update the MAC address in the ARP entry. • Use ip arp ackGratuitous forceUpdate off to have the ZyXEL Device not update the MAC address in the ARP entry. A backup gateway (as in the following graphic) is an example of when you might want to turn on the forced update for gratuitous ARP requests. One day gateway A shuts down and the backup gateway (B) comes online using the same static IP address as gateway A. Gateway B broadcasts a gratuitous ARP request to ask which host is using its IP address. If ackGratuitous is on and set to force updates, the ZyXEL Device receives the gratuitous ARP request and 440 P-662H/HW-D Series User's Guide

Section	Page
User’s Guide	1
About This User's Guide	3
Document Conventions	4
Safety Warnings	6
Contents Overview	9
Table of Contents	11
List of Figures	23
List of Tables	31
Introduction and Wizards	37
Getting To Know Your ZyXEL Device	39
1.1 Introducing the ZyXEL Device	39
1.1.1 Applications of the ZyXEL Device	39
1.1.2 Firewall for Secure Broadband Internet Access	40
1.1.3 Front Panel LEDs	41
Introducing the Web Configurator	43
2.1 Web Configurator Overview	43
2.2 Accessing the Web Configurator	43
2.3 Resetting the ZyXEL Device	46
2.3.1 Using the Reset Button	46
2.4 Navigating the Web Configurator	47
2.4.1 Navigation Panel	47
2.4.2 Status Screen	50
2.4.3 Status: Any IP Table	53
2.4.4 Status: WLAN Status	53
2.4.5 Status: Bandwidth Status	54
2.4.6 Status: VPN Status	54
2.4.7 Status: Packet Statistics	55
2.4.8 Changing Login Password	57
Wizard Setup for Internet Access	59
3.1 Introduction	59
3.2 Internet Access Wizard Setup	59
3.2.1 Automatic Detection	61
3.2.2 Manual Configuration	61
3.3 Wireless Connection Wizard Setup	66
3.3.1 Automatically assign a WPA key	69
3.3.2 Manually assign a WPA-PSK key	69
3.3.3 Manually assign a WEP key	69
Bandwidth Management Wizard	73
4.1 Introduction	73
4.2 Predefined Media Bandwidth Management Services	73
4.3 Bandwidth Management Wizard Setup	74
Network	79
WAN Setup	81
5.1 WAN Overview	81
5.1.1 Encapsulation	81
5.1.2 Multiplexing	82
5.1.3 VPI and VCI	82
5.1.4 IP Address Assignment	82
5.1.5 Nailed-Up Connection (PPP)	83
5.1.6 NAT	83
5.2 Metric	83
5.3 Traffic Shaping	84
5.3.1 ATM Traffic Classes	85
5.4 Zero Configuration Internet Access	85
5.5 Internet Connection	86
5.5.1 Configuring Advanced Internet Connection	87
5.6 Configuring More Connections	89
5.6.1 More Connections Edit	90
5.6.2 Configuring More Connections Advanced Setup	92
5.7 Traffic Redirect	94
5.8 Configuring WAN Backup	94
5.9 WAN Backup Advanced Screen	96
5.10 Dial Backup Modem Setup	99
LAN Setup	101
6.1 LAN Overview	101
6.1.1 LANs, WANs and the ZyXEL Device	101
6.1.2 DHCP Setup	102
6.1.3 DNS Server Address	102
6.1.4 DNS Server Address Assignment	102
6.2 LAN TCP/IP	103
6.2.1 IP Address and Subnet Mask	103
6.2.2 RIP Setup	104
6.2.3 Multicast	104
6.2.4 Any IP	105
6.3 Configuring LAN IP	106
6.3.1 Configuring Advanced LAN Setup	107
6.4 DHCP Setup	108
6.5 LAN Client List	109
6.6 LAN IP Alias	110
Wireless LAN	113
7.1 Wireless Network Overview	113
7.2 Wireless Security Overview	114
7.2.1 SSID	114
7.2.2 MAC Address Filter	114
7.2.3 User Authentication	114
7.2.4 Encryption	115
7.2.5 One-Touch Intelligent Security Technology (OTIST)	116
7.3 Wireless Performance Overview	116
7.3.1 Quality of Service (QoS)	116
7.4 Additional Wireless Terms	116
7.5 General Wireless LAN Screen	117
7.5.1 No Security	118
7.5.2 WEP Encryption Screen	119
7.5.3 WPA(2)-PSK	120
7.5.4 WPA(2) Authentication Screen	122
7.5.5 Wireless LAN Advanced Setup	124
7.6 OTIST	125
7.6.1 Enabling OTIST	125
7.6.2 Starting OTIST	127
7.6.3 Notes on OTIST	128
7.7 MAC Filter	129
7.8 WMM QoS	130
7.8.1 WMM QoS Example	130
7.8.2 WMM QoS Priorities	130
7.8.3 Services	131
7.9 QoS Screen	131
7.9.1 ToS (Type of Service) and WMM QoS	131
7.9.2 Application Priority Configuration	132
7.10 Multiple SSID (P-662HW-D Models only)	133
7.10.1 Multiple SSID Commands	134
7.10.2 Multiple SSID Example	135
DMZ	137
8.1 Introduction	137
8.2 Configuring DMZ	137
8.3 DMZ Public IP Address Example	139
Network Address Translation (NAT) Screens	141
9.1 NAT Overview	141
9.1.1 NAT Definitions	141
9.1.2 What NAT Does	142
9.1.3 How NAT Works	142
9.1.4 NAT Application	142
9.1.5 NAT Mapping Types	143
9.2 SUA (Single User Account) Versus NAT	144
9.3 NAT General Setup	144
9.4 Port Forwarding	145
9.4.1 Default Server IP Address	146
9.4.2 Port Forwarding: Services and Port Numbers	146
9.4.3 Configuring Servers Behind Port Forwarding (Example)	146
9.5 Configuring Port Forwarding	147
9.5.1 Port Forwarding Rule Edit	148
9.6 Address Mapping	149
9.6.1 Address Mapping Rule Edit	150
9.7 Trigger Port	151
9.8 Edit Trigger Port	153
Security	155
Firewalls	157
10.1 Firewall Overview	157
10.2 Types of Firewalls	157
10.2.1 Packet Filtering Firewalls	157
10.2.2 Application-level Firewalls	158
10.2.3 Stateful Inspection Firewalls	158
10.3 Introduction to ZyXEL’s Firewall	158
10.3.1 Denial of Service Attacks	159
10.4 Denial of Service	159
10.4.1 Basics	159
10.4.2 Types of DoS Attacks	160
10.5 Stateful Inspection	162
10.5.1 Stateful Inspection Process	163
10.5.2 Stateful Inspection and the ZyXEL Device	164
10.5.3 TCP Security	164
10.5.4 UDP/ICMP Security	165
10.5.5 Upper Layer Protocols	165
10.6 Guidelines for Enhancing Security with Your Firewall	166
10.6.1 Security In General	166
10.7 Packet Filtering Vs Firewall	167
10.7.1 Packet Filtering:	167
10.7.2 Firewall	167
Firewall Configuration	169
11.1 Access Methods	169
11.2 Firewall Policies Overview	169
11.3 Rule Logic Overview	170
11.3.1 Security Ramifications	170
11.3.2 Key Fields For Configuring Rules	171
11.4 Connection Direction	171
11.4.1 LAN to WAN Rules	172
11.4.2 Alerts	172
11.5 General Firewall Policy	172
11.6 Firewall Rules Summary	173
11.6.1 Configuring Firewall Rules	175
11.6.2 Customized Services	178
11.6.3 Configuring A Customized Service	178
11.7 Example Firewall Rule	179
11.8 Predefined Services	183
11.9 Anti-Probing	185
11.10 DoS Thresholds	186
11.10.1 Threshold Values	186
11.10.2 Half-Open Sessions	187
11.10.3 Configuring Firewall Thresholds	187
Content Filtering	191
12.1 Content Filtering Overview	191
12.2 Configuring Keyword Blocking	191
12.3 Configuring the Schedule	192
12.4 Configuring Trusted Computers	193
Content Access Control	195
13.1 Content Access Control Overview	195
13.1.1 Content Access Control WLAN Application	195
13.1.2 Configuration Steps	195
13.2 Activating CAC and Creating User Groups	196
13.2.1 Configuring Time Schedule	197
13.2.2 Configuring Services	198
13.2.3 Configuring Web Site Filters	200
13.2.4 Testing Web Site Access Privileges	205
13.3 User Account Setup	206
13.4 User Online Status	207
13.5 Trusted Devices	208
13.6 Trusted-external Websites	208
13.7 Content Access Control Logins	209
13.7.1 User Login	209
13.7.2 Administrator Login	210
Register	211
14.1 myZyXEL.com overview	211
14.1.1 Subscription Services Available on the ZyXEL Device	211
14.2 Registration	212
14.3 Service	213
Introduction to IPSec	215
15.1 VPN Overview	215
15.1.1 IPSec	215
15.1.2 Security Association	215
15.1.3 Other Terminology	215
15.1.4 VPN Applications	216
15.2 IPSec Architecture	216
15.2.1 IPSec Algorithms	217
15.2.2 Key Management	217
15.3 Encapsulation	217
15.3.1 Transport Mode	218
15.3.2 Tunnel Mode	218
15.4 IPSec and NAT	218
VPN Screens	221
16.1 VPN/IPSec Overview	221
16.2 IPSec Algorithms	221
16.2.1 AH (Authentication Header) Protocol	221
16.2.2 ESP (Encapsulating Security Payload) Protocol	221
16.3 My IP Address	222
16.4 Secure Gateway Address	222
16.4.1 Dynamic Secure Gateway Address	223
16.5 VPN Setup Screen	223
16.6 Keep Alive	225
16.7 VPN, NAT, and NAT Traversal	225
16.8 Remote DNS Server	226
16.9 ID Type and Content	227
16.9.1 ID Type and Content Examples	228
16.10 Pre-Shared Key	229
16.11 Editing VPN Policies	229
16.12 IKE Phases	233
16.12.1 Negotiation Mode	234
16.12.2 Diffie-Hellman (DH) Key Groups	235
16.12.3 Perfect Forward Secrecy (PFS)	235
16.13 Configuring Advanced IKE Settings	235
16.14 Manual Key Setup	238
16.14.1 Security Parameter Index (SPI)	238
16.15 Configuring Manual Key	238
16.16 Viewing SA Monitor	241
16.17 Configuring Global Setting	242
16.18 Telecommuter VPN/IPSec Examples	243
16.18.1 Telecommuters Sharing One VPN Rule Example	243
16.18.2 Telecommuters Using Unique VPN Rules Example	244
16.19 VPN and Remote Management	245
Certificates	247
17.1 Certificates Overview	247
17.1.1 Advantages of Certificates	248
17.2 Self-signed Certificates	248
17.3 Configuration Summary	248
17.4 My Certificates	248
17.5 My Certificate Import	250
17.5.1 Certificate File Formats	251
17.6 My Certificate Create	252
17.7 My Certificate Details	254
17.8 Trusted CAs	257
17.9 Trusted CA Import	259
17.10 Trusted CA Details	260
17.11 Trusted Remote Hosts	262
17.12 Verifying a Trusted Remote Host’s Certificate	264
17.12.1 Trusted Remote Host Certificate Fingerprints	264
17.13 Trusted Remote Hosts Import	265
17.14 Trusted Remote Host Certificate Details	265
17.15 Directory Servers	268
17.16 Directory Server Add or Edit	269
Advanced	271
Static Route	273
18.1 Static Route Overview	273
18.2 Configuring Static Routes	274
18.2.1 Static Route Edit	275
Bandwidth Management	277
19.1 Bandwidth Management Overview	277
19.2 Application-based Bandwidth Management	277
19.3 Subnet-based Bandwidth Management	277
19.4 Application and Subnet-based Bandwidth Management	278
19.5 Scheduler	278
19.5.1 Priority-based Scheduler	278
19.5.2 Fairness-based Scheduler	279
19.6 Maximize Bandwidth Usage	279
19.6.1 Reserving Bandwidth for Non-Bandwidth Class Traffic	279
19.6.2 Maximize Bandwidth Usage Example	279
19.6.3 Bandwidth Management Priorities	281
19.7 Configuring Summary	281
19.8 Bandwidth Management Rule Setup	282
19.8.1 Rule Configuration	283
19.9 Bandwidth Monitor	286
Dynamic DNS Setup	287
20.1 Dynamic DNS Overview	287
20.1.1 DYNDNS Wildcard	287
20.2 Configuring Dynamic DNS	287
Remote Management Configuration	291
21.1 Remote Management Overview	291
21.1.1 Remote Management Limitations	292
21.1.2 Remote Management and NAT	292
21.1.3 System Timeout	292
21.2 WWW	292
21.3 Telnet	294
21.4 Configuring Telnet	294
21.5 Configuring FTP	295
21.6 SNMP	296
21.6.1 Supported MIBs	297
21.6.2 SNMP Traps	297
21.6.3 Configuring SNMP	297
21.7 Configuring DNS	299
21.8 Configuring ICMP	299
21.9 TR-069	300
Universal Plug-and-Play (UPnP)	303
22.1 Introducing Universal Plug and Play	303
22.1.1 How do I know if I'm using UPnP?	303
22.1.2 NAT Traversal	303
22.1.3 Cautions with UPnP	303
22.2 UPnP and ZyXEL	304
22.2.1 Configuring UPnP	304
22.3 Installing UPnP in Windows Example	305
22.4 Using UPnP in Windows XP Example	308
Maintenance, Troubleshooting and Specifications	315
System	317
23.1 General Setup and System Name	317
23.1.1 System Configuration	317
23.2 Time Setting	319
Logs	323
24.1 Logs Overview	323
24.1.1 Alerts and Logs	323
24.2 Viewing the Logs	323
24.3 Configuring Log Settings	324
24.4 SMTP Error Messages	326
24.4.1 Example E-mail Log	327
Tools	329
25.1 Firmware Upgrade	329
25.2 Configuration Screen	331
25.2.1 Backup Configuration	331
25.2.2 Restore Configuration	332
25.2.3 Back to Factory Defaults	333
25.3 Restart	333
Diagnostic	335
26.1 General Diagnostic	335
26.2 DSL Line Diagnostic	336
Troubleshooting	337
27.1 Problems Starting Up the ZyXEL Device	337
27.2 Problems with the LAN	337
27.3 Problems with the WAN	338
27.4 Problems Accessing the ZyXEL Device	338
27.4.1 Pop-up Windows, JavaScripts and Java Permissions	339
27.4.2 ActiveX Controls in Internet Explorer	344
Product Specifications	347
28.1 General ZyXEL Device Specifications	347
28.2 Wall-mounting Instructions	351
Appendices and Index	353
Setting up Your Computer’s IP Address	355
Pop-up Windows, JavaScripts and Java Permissions	377
IP Addresses and Subnetting	385
Wireless LANs	395
Management with Wireless Zero Configuration	409
Common Services	423
Virtual Circuit Topology	427
Importing Certificates	429
NetBIOS Filter Commands	435
Command Interpreter	437
Internal SPTGEN	443
Log Descriptions	459
Legal Information	475
Customer Support	479

Match case Limit results 1 per page

Appendix J Command Interpreter

P-662H/HW-D Series User’s Guide

440

Figure 299

Routing Command Example

ARP Behavior and the ARP ackGratuitous Commands

The ZyXEL Device does not accept ARP reply information if the ZyXEL Device did not send

out a corresponding request. This helps prevent the ZyXEL Device from updating its ARP

table with an incorrect IP address to MAC address mapping due to a spoofed ARP. An

incorrect IP to MAC address mapping in the ZyXEL Device’s ARP table could cause the

ZyXEL Device to send packets to the wrong device.

Commands for Using or Ignoring Gratuitous ARP Requests

A host can send an ARP request to resolve its own IP address. This is called a gratuitous ARP

request. The packet uses the host’s own IP address as the source and destination IP address.

The packet uses the Ethernet broadcast address (FF:FF:FF:FF:FF:FF) as the destination MAC

address. This is used to determine if any other hosts on the network are using the same IP

address as the sending host. The other hosts in the network can also update their ARP table IP

address to MAC address mappings with this host’s MAC address.

The

ip arp ackGratuitous

commands set how the ZyXEL Device handles gratuitous

ARP requests.

• Use

ip arp ackGratuitous active no

to have the ZyXEL Device ignore gratuitous

ARP requests.

• Use

ip arp ackGratuitous active yes

to have the ZyXEL Device respond to

gratuitous ARP requests.

For example, say the regular gateway goes down and a backup gateway sends a gratuitous

ARP request. If the request is for an IP address that is not already in the ZyXEL Device’s

ARP table, the ZyXEL Device sends an ARP request to ask which host is using the IP

address. After the ZyXEL Device receives a reply from the backup gateway, it adds an

ARP table entry.

If the ZyXEL Device’s ARP table already has an entry for the IP address, the ZyXEL

Device’s response depends on how you configure the

ip arp ackGratuitous

forceUpdate

command.

• Use

ip arp ackGratuitous forceUpdate on

to have the ZyXEL Device

update the MAC address in the ARP entry.

• Use

ip arp ackGratuitous forceUpdate off

to have the ZyXEL Device not

update the MAC address in the ARP entry.

A backup gateway (as in the following graphic) is an example of when you might want to turn

on the forced update for gratuitous ARP requests. One day gateway A shuts down and the

backup gateway (B) comes online using the same static IP address as gateway A. Gateway B

broadcasts a gratuitous ARP request to ask which host is using its IP address. If ackGratuitous

is on and set to force updates, the ZyXEL Device receives the gratuitous ARP request and

ras> ip nat routing 2 0

Routing can work in NAT when no NAT rule match.

-----------------------------------------------

LAN: yes