manualshive.com logo in svg

iTAS PAMSPAN501x, User Manual, Page: 79 / 109

Share
Download
iTAS PAMSPAN501x User Manual Download Page 79

PAMSPAN501x G.SHDSL.bis EFM Gateway 

-

78

 

The attacker floods the network with ICMP packets that are not Echo requests, 

stealing bandwidth needed for legitimate services. The device detects an attempted 

ICMP flood if it receives more than 100 ICMP packets per second from a single 

host. To modify this default threshold, enter:

 

 

security set IDS MaxICMP <max> 

 

Once this threshold is exceeded, traffic originating from the attacker is blocked for 

1800 seconds by default. To modify this default duration, enter: 

 

security set IDS DOSattackblock <duration>

 

 

 

 
 

 

Ping Flood 

 

The attacker floods the network with pings, using bandwidth needed for legitimate 

services. The device detects an attempted ping flood if it receives more than 15 

pings per second from a single host. To modify this default threshold, enter: 

 

security set IDS MaxPING <max> 

 

Once this threshold is exceeded, traffic originating from the attacker is blocked for 

1800 seconds by default. To modify this default duration, enter: 

 

security set IDS DOSattackblock <duration>

 

Summary of Contents for PAMSPAN501x

Page 1: ...PAMSPAN501x G SHDSL bis EFM Gateway User Manual Version 1 5 RECYCLABLE ...

Page 2: ...ion 10 2 6 3 Windows XP PCs 11 2 6 4 Windows 2000 PCs 11 2 6 5 Windows Me PCs 12 2 6 6 Windows 95 98 PCs 13 3 3 C Co on nf fi ig gu ur re e t th he e P PA AM MS SP PA AN N5 50 01 1x x v vi ia a E Em mW We eb b 15 3 1 Accessing EmWeb 15 3 2 About EmWeb pages 15 3 2 1 Status Pages 16 3 2 1 1 System Information 16 3 2 1 2 Physical Port 16 3 2 1 3 Routing Table 20 3 2 1 4 Network Interface 21 3 2 1 5 ...

Page 3: ...onfiguring NAT global addresses 62 3 2 4 1 7 Configuring NAT reserved mapping 64 3 2 4 1 8 Configuring Firewall policies 65 3 2 4 1 9 Configuring validators 67 3 2 4 1 10 Configuring triggers 68 3 2 4 1 11 Configuring Intrusion Detection Settings 69 3 2 4 2 IP Routes 82 3 2 4 3 Bridge 84 3 2 4 3 1 Spanning Bridge Configuration 87 3 2 4 3 2 Interface Configuration 87 3 2 4 4 VLAN 91 3 2 4 4 2 Edit ...

Page 4: ...PAMSPAN501x G SHDSL bis EFM Gateway 3 I IN NS ST TR RU UC CT TI IO ON N M MA AN NU UA AL L ...

Page 5: ...501x is a solution that enables enterprise users to enjoy long distance high bandwidth and symmetric data transmission Distance Rate relationship Table 26 AWG_ Without Noise _ EFM mode Line rate kbps 1 Pair Longest reach feet 2 Pairs Longest reach feet 3 Pairs Longest reach feet 4 Pairs Longest reach feet 192 18000 18000 18000 18000 256 18000 18000 18000 18000 384 18000 18000 18000 18000 768 16400...

Page 6: ... on 4 wire Transmission rate up to 17 07 Mbps on 6 wire Transmission rate up to 22 76 Mbps on 8 wire Support of Annex A Annex B Annex F and Annex G Auto load balancing with bonded pairs Support point to point configuration Manual or auto rate selectivity Comply IEEE 802 3ah 2004 ITU T G 994 1 Support EFM over G SHDSL bis and G SHDSL Support ATM over G SHDSL bis and G SHDSL MAC bridging IEEE 802 3a...

Page 7: ... 11 jack 8 wires two RJ 11 jacks Ethernet interface four RJ 45 jack 10 100BaseT auto sensing and crossover AC power adapter 100VAC 240VAC 50 60Hz One craft Interface for local console access CID Dimensions Weight Dimensions 35mm H 210mm W 193mm D Weight 914g Operating Requirements Password protection PAP and CHAP support Remote access management via telnet SNMPv1 SNMPV2 Firewall Security Packet Fi...

Page 8: ... front panel of 4 wire and 8 wire PAMSPAN501x respectively Figure 2 1 8 wire PAMSPAN501x Front Panel LED Figure 2 2 4 wire PAMSPAN501x Front Panel LED 1 PWR Power Indicator 2 DSL DSL loop On CO 3 CO Off CPE 4 ALM Alarm for error 5 LAN On Ethernet Link connected Figure 2 3 8 wire PAMSPAN501x rear view Figure 2 4 4 wire PAMSPAN501x rear view ...

Page 9: ...factory default settings the default configuration file will be uploaded If you forget your password or cannot access the device you will need to reset the device to the default settings The procedure is as follows 1 Power off the modem 2 Press the reset default button 3 Power on the Modem and check the front panel of the modem 4 When the CPE LED blinks rapidly release the reset button If you pres...

Page 10: ...end of the cable to your SHDSL signal source 2 Insert one end of the RJ45 Ethernet cable into one of the LAN ports on the back of the PAMSPAN501X Connect the other end of the cable to the Ethernet Network Interface Card NIC in your PC Up to four Ethernet devices can be connected to the PAMSPAN501X 3 Connect an earth ground to the grounding terminal marked FG 4 Connect the external AC adapter suppl...

Page 11: ... if You have obtained one or more public IP addresses that you want to always associate with specific computers for example if you are using a computer as a public web server suggest to delete You maintain different subnets on your LAN Before you begin be sure to have the following information on hand or contact your ISP if you do not know it The IP address and subnet mask to be assigned to each P...

Page 12: ... button labeled Obtain an IP address automatically Also click the radio button labeled Obtain DNS server address automatically 6 Click twice to confirm your changes and close the Control Panel 2 6 4 Windows 2000 PCs First check for the IP protocol and if necessary install it 1 In the Windows task bar click the Start button point to Settings and then click Control Panel 2 Double click the Network a...

Page 13: ...en close the Control Panel 2 6 5 Windows Me PCs 1 In the Windows task bar click the Start button point to Settings and then click Control Panel 2 Double click the Network and Dial up Connections icon 3 In the Network and Dial up Connections window right click the Network icon and then select Properties The Network Properties dialog box displays with a list of currently installed network components...

Page 14: ...twork icon The Network dialog box displays with a list of currently installed network components If the list includes TCP IP and then the protocol has already been enabled Skip to step 9 3 If TCP IP does not display as an installed component click The Select Network Component Type dialog box displays 4 Select Protocol and then click The Select Network Protocol dialog box displays 5 Click Microsoft...

Page 15: ...pter 10 In the TCP IP Properties dialog box click the IP Address tab 11 Click the radio button labeled Obtain an IP address automatically 12 Click the DNS Configuration tab and then click the radio button labeled Obtain an IP address automatically 13 Click twice to confirm and save your changes You will be prompted to restart Windows Click ...

Page 16: ...s EmWeb provides a series of web pages that you can use to setup and configure the PAMSPAN501x These pages are organized into three main topics You can select each of the following topics from the menu on the left hand side of the main window Status information about the current setup and status of the system System The System section lets you carry out system commands like Event Log Firmware Upda...

Page 17: ...ollowing sections 3 2 1 1 System Information Click System Information on Status menu and then System information page will be displayed as shown below 3 2 1 2 Physical Port This option allows you to configure the ports available on your PAMSPAN501X depending on the type of image that you intend to boot Configuring ports 1 From the Status menu click on Physical Port The physical ports available on ...

Page 18: ...age allows you to carry out advanced configuration of your SHDSL port attributes From the Shdsl Port Configuration page click View advanced attributes The Shdsl Port Configuration page will be displayed Shdsl is the default SHDSL port name created in the PAMSPAN501X You can configure the SHDSL parameters on this page ...

Page 19: ...PAMSPAN501x G SHDSL bis EFM Gateway 18 4 In the Unit Id drop down menu you can set the device as either CO or CPE and then click to save the settings ...

Page 20: ...er the Max and Min Line Rate values where the values range from 192000bps to 5696000bps and then click to save the settings Once the handshaking process between the STU R and STU C devices is complete the actual transmission rate will be displayed in the Current Tx Rate attribute 7 To configure a specific Ethernet port click the appropriate port number eth1 eth4 in the Physical Port Table and then...

Page 21: ... Ethernet port as either enabled or disabled via the Admin Status drop down list and then click to update the advanced configuration or to revert to the default advanced configuration settings Click Return to basic attributes to return to the Eth1 Port Configuration page 3 2 1 3 Routing Table Routing Table is a matrix with a network control protocol which gives the hierarchy of link routing at eac...

Page 22: ...Advanced menu 3 2 1 4 Network Interface If to view the statistics on Bridge Router Interfaces select a specified interface to invoke the Bridge Router Interface page Following figure shows the statistics on the interface rfc1483 0 Click to get the latest status information for this bridge interface ...

Page 23: ...uration errors experienced by your Router during a current session 3 types of logs can be selected via select a log drop down list All Events Shows all events occurred Configuration errors Shows error messages regarding configuration s which the system DOES NOT allow to change Syslog messages Shows all messages regarding system actions other then Configuration errors ...

Page 24: ...n and Authentication They will be introduced in the following sections 3 2 2 1 Save config To save your current configuration to Flash ROM 1 From the System menu click on Save configuration The following page is displayed 2 Click on to save your current configuration in the device After a short time the configuration is saved and the following confirmation message is displayed Saved information mo...

Page 25: ...he System menu The following page will be displayed To creating a new login account 1 Click Create a new user The following page will be displayed 2 Enter the desire information details for the new user into the username password and comment text fields 3 Click The Authentication page will be displayed The table now contains details for the user that has just been created ...

Page 26: ...account to be updated Modify the necessary text boxes then click A user account to be deleted Click the Delete this user button 2 Once a user account has been edited or deleted the Authentication page will be displayed and the table will reflect any changes that have been made on the Edit user page 3 2 2 3 Prompt This configuration allows user to configure the prompt name which will be shown in th...

Page 27: ...s and as a percentage has been written to the Flash ROM 4 Once the file has been written to flash the Firmware Update page is refreshed The page confirms completion of the update and requests that the PAMSPAN501X be restarted in order to use the new firmware Click Restart in the system menu Note Please do not power off the device while updating firmware or saving the configuration as this might ca...

Page 28: ...he Backup Configuration section click The File Download window will be displayed Click The Save As window will then be displayed Select a directory in which to save the backup configuration and click Restoring a configuration 1 In the Restore Configuration section as shown below click in the Configuration File text box and enter the network path of the file that is to be restored If the path detai...

Page 29: ...rom the System menu click Restart The following page will be displayed 2 Click to reset the PAMSPAN501X The Restart page also provides an option to restart and restor the factory default settings Check the Reset to factory default settings checkbox and then click Monitor the console status output to check the reset progress 3 After the login and password prompt is displayed login as usual with log...

Page 30: ... create edit and delete WAN services DHCP server allow you to enable disable and configure your DHCP server DHCP relay allow you to enable disable and configure your DHCP relay DNS client allow you to enable disable and configure DNS client DNS relay allow you to enable disable and configure DNS relay SNTP client allow you to configure Simple Network Time Protocol at Client side Please point to th...

Page 31: ...ete it The Creator column shows the method that the services are being created By default command all four ports will be created from CLI therefore it would show CLI under the Creator column To delete a service If users would like to delete a service simply click the specific port link such as eth3 under Descriptions column the port deletion page will be displayed as shown below Click to delete th...

Page 32: ...secondary LAN connections 1 The Default LAN Port section contains two subsections a IP address and subnet mask details for your primary LAN connection To edit these details click and enter the new primary address details b Secondary IP address details To create configure a secondary IP address click in the Secondary IP Address text box and enter the new address details 2 Once you have configured t...

Page 33: ...P Interface Field Definition Ipaddr The IP address for this IP Interface Mask Mask fort this IP Interface Dhcp DHCP is a protocol used to obtain IP addresses and other parameters such as the default gateway subnet mask and IP addresses of DNS servers from a DHCP server The DHCP server ensures that all IP addresses are unique which means that no IP address is assigned to a second client while the a...

Page 34: ...s errors and provides other information relevant to IP packet processing Real Interface The actual main interface Name The name of this Interface Enabled Enable or disable this interface 3 2 3 1 1 Supporting multi port router The device permit multi port router To configure this user must first delete the default services since all ports have already been created under bridged mode by default Then...

Page 35: ...dge interface to allow data to be bridged via the transport Only one transport can be attached to an interface If you use this command when there is already a transport attached to the interface the previous transport will be replaced by the new one ip add interface name 192 168 1 1 255 255 255 0 This command adds a named interface and optionally sets its IP address The IP address is not mandatory...

Page 36: ...n also create virtual interfaces on routed services Click on WAN connections via the Configuration menu The WAN connections page will be displayed Editing a WAN service 2 Click on the Edit link for a specific service The Edit page for that specific connection will be displayed From there the user will be able to modify two interfaces Bridge Interfaces and Spanning Bridge Interfaces 3 Bridge Interf...

Page 37: ...PAMSPAN501x G SHDSL bis EFM Gateway 36 ...

Page 38: ...ystem will only accept Tagged packets Port Default User Priority This command enables control over the priority of ports 0 means the highest priority 7 is the lowest Num Traffic Classes A Traffic Class specifies a mechanism that can be used to match incoming and or outgoing packets on a router s interface Regen Priority This command specifies the mapping of user priorities in the incoming frames t...

Page 39: ... the distance of the packets traveled Create a new service The device supports several types of services such as RFC 1483 MER IPoEoA PPPoA PPPoE and IPoA Click and the WAN connection service creating page will be displayed as shown below For example To create a PPP over AAL5 service choose PPPoA bridged and click on Configure to go to the MER service creating page as shown below Fill in the desire...

Page 40: ...ce Must match on CPE side LLC header mode Enable or disable the LLC header HDLC header mode Enable or disable the HDLC header Authentication Enter the username and passwords for access Another example To create a MER IPoEoA service Choose MER IPoEoA and click on Configure to go to the MER service creating page as shown below Fill in the desire data into the appropriate fields and click Apply to cr...

Page 41: ...xamples rfc1483 add transport name port vpi vci llc vcmux bridged routed This command creates a named RFC1483 transport and allows the following parameters to be specified The ATM port that will transport RFC1483 data VPI Virtual Path Identifier VCI Virtual Circuit Identifier LLC or VcMux encapsulation optional Bridged or Routed optional The port VPI VCI combination must be unique for each transpo...

Page 42: ... following page will be displayed Enabling disabling the DHCP server The DHCP server is enabled by default To disable the DHCP server click Note User may not enable both the DHCP relay and DHCP server at the same time because some interface is configured for DHCP server as well as for DHCP relay If DHCP relay is currently enabled User will not be able to set the DHCP server to enable The DHCP serv...

Page 43: ...f 20 addresses c Set the Primary and Secondary DNS Server addresses or set your System to give out its own IP address as the DNS Server address d Set your PAMSPAN501X to give out its own IP address as the default Gateway address 3 Once you have entered the new configuration details for your DHCP server click The DHCP Server page will be displayed containing details of your new subnet Editing a DHC...

Page 44: ...on name drop down list and select a name as shown below Type a value that matches the selected option name in the Option value text box Click 4 The Edit DHCP server subnet page will be displayed as shown below and details of your new option will be displayed under the Additional option information sub heading To delete an existing option check the Delete box for a specific option and click ...

Page 45: ...ease time make a new entry and click To delete a fixed mapping check the Delete box for a specific mapping and click 3 2 3 3 1 Command Line Interface for DHCP Server You can also use a command line interface CLI to configure the DHCP server Below are some examples Please add numbering for the CLI commands Enable DHCP server dhcpserver enable Create a DHCP server subnet configuration that already e...

Page 46: ...ssign a specific IP address to a specific DHCP client based on the client s MAC address Enter dhcpserver add fixedhost myhost 192 168 1 20 00 20 2b 01 02 03 This adds a fixed mapping of the IP address 192 168 1 20 to a host whose Ethernet MAC address is 00 20 2b 01 02 03 If your fixed IP mapping overlaps with an IP address in a dynamic address range then the fixed mapping will always supersede the...

Page 47: ...the following message if you have previously turned off the DHCP server Note the DHCP server is not currently enabled If you see this issue the following command dhcpserver enable The final step is to update the DHCP server with the new IP interface and configuration that has been defined To do this enter dhcpserver update 3 2 3 4 DHCP Relay This option allows you to Enable Disable a DHCP relay Ad...

Page 48: ...utton will display Disable which upon clicking it will disable the relay Note If the DHCP server is enabled the DHCP relay will be disabled by default You can t enable the DHCP relay unless you disable the DHCP server Adding a DHCP server to the DHCP relay list 1 In the Add new DHCP server section type an address in the New DHCP server IP address text box 2 Click The address will be displayed in t...

Page 49: ...add a DHCP server subnet to the DHCP relay s list of server IP addresses use the following command dhcprelay add server 192 168 1 0 You need to update the DHCP relay in order for this addition to take effect by entering dhcprelay update Simultaneous use of DHCP Relay and DHCP Server To configure this you must first disable both the DHCP server and the DHCP relay dhcprelay disable dhcpserver disabl...

Page 50: ... Type the IP address of the unknown domain name in the DNS servers text box 2 Click The IP address appears in the DNS servers table You can add a maximum of three server IP addresses Each IP address entry has a Delete button associated with it Click to remove an IP address from this list Configuring DNS search domains 1 Type a search string in the Domain search order text box 2 Click The search st...

Page 51: ...ch list when a user asks for the IP address list for an incomplete domain name To add to this list enter dnsclient add searchdomain searchstring You can add up to six domain searches To display them enter dnsclient list searchdomains To delete one or all of them enter dnsclient delete searchdomain number dnsclient clear searchdomains 3 2 3 6 DNS Relay This option allows you to create configure and...

Page 52: ...ddress is displayed in the Edit DHCP server list section as shown To edit an entry click on an IP address and enter the new details and then click To delete an entry check the Delete box for an IP address and then click DNS Relay LAN Database Click the DNS Relay LAN Database link on the top of the DNS Relay page The DNS Relay LAN Database page will be displayed as shown below ...

Page 53: ... at the bottom of the DNS relay local LAN database page to display the Create new DNS relay local LAN database entry page as shown below This page lets you enter the details of a new device on the local LAN You need to type in the name of the device and its IP address Once you type in the name and IP address in the appropriate fields click to save your settings Then the new host name and IP addres...

Page 54: ...nfig WAN givetodnsrelay enabled To set a DNS server that the DNS relay can use to obtain domain address information enter dnsrelay add server ip address The DNS server address should be supplied by your ISP To display servers enter dnsrelay list servers 3 2 3 7 SNTP Client This option allows you to Synchronize a Client with an NTP Server Configure the SNTP NTP Server Manually set the system clock ...

Page 55: ...ient to immediately synchronize the local time with the server located in the association list if unicast or if anycast is enabled initiate an anycast sequence on the network Note to synchronize a Client with an NTP Server the NTP server SNTP client mode and local time zone information should be pre configured ...

Page 56: ...n the sntpclient sync command is issued Disable the unicast server is removed from the association list b Broadcast mode Enable allows the SNTP client to accept time synchronization broadcast packets from an SNTP server located on the network and updates the local system time accordingly Disable stops synchronization via broadcast mode c Anycast Mode Enable the SNTP client sends time synchronized ...

Page 57: ... time zone Click on the local time zone drop down list and select a time zone and then click to validate your settings 3 Enter the SNTP transmit packet timeout value the SNTP transmit packet retries value and the SNTP automatic resynchronization polling value in their respective text boxes then click to validate your settings ...

Page 58: ...u can use the command line interface to configure the SNTP client Below are some examples To enable disable the SNTP client in a particular access mode use the command sntpclient set mode unicast broadcast anycast enable disable For example to enable broadcast mode enter sntpclient set mode broadcast enable To disable broadcast mode enter sntpclient set mode broadcast disable To add a server use t...

Page 59: ...rvers To display the current status of SNTP client enter sntpclient show status Clock Synchronized TRUE SNTP Standard Version Number 4 SNTP Mode s Configured Unicast Broadcast Local Time Tuesday 28 Aug 2001 14 39 25 Local Time Zone EDT Eastern Daylight Time Time Difference VTC 4 00 Precision 1 16384 of a second Root Dispersion 0 2342 second s Server Reference ID GPS Round Trip Delay 2 second s Loc...

Page 60: ...allows you to Enable NAT between interfaces Configure global addresses Configure reserved mappings Firewall EmWeb allows you to Enable Firewall and Firewall Intrusion Detection settings Set the Firewall security level Configure Firewall policies portfilters and validators Configure Intrusion Detection settings Click on Security in the Advanced menu and the following page will be displayed ...

Page 61: ...Enabled radio buttons 2 Click to update the Security State 3 2 4 1 3 Setting a default Security Level Both Security and Firewall must be enabled in order to set a default Security Level 1 In the Security Level section click on the Security Level drop down list 2 Select the level that you want to set which can be either none high medium or low 3 Click the button to save the changes 3 2 4 1 4 Config...

Page 62: ... service that the security interface is based on Type the type of network connection specified NAT settings contains hyperlinks that allow NAT to be configured Delete Interface hyperlink Click this to display the Security Delete Interface page Check the interface details and then click the Delete button 3 2 4 1 5 Configuring NAT To configure NAT 1 Enable Security 2 Create at least two different se...

Page 63: ...T is enabled To disable NAT between these interfaces click Once NAT between interfaces has been enabled you can Configure global addresses Configure reserved mappings 3 2 4 1 6 Configuring NAT global addresses Global address pools allow a pool of outside network addresses to be created that is visible outside your network Before global addresses can be configured NAT needs to be configured To set ...

Page 64: ...s either Use Subnet Mask specify the subnet mask address of the IP address or Use IP Address Range specify the first and last IP address in the range Click the drop down list and select a method Enter an IP Address that is visible outside the network Subnet Mask IP Address 2 the value specified here depends on the subnet configuration that is being used If Use Subnet Mask is chosen enter the subne...

Page 65: ...e the Configuring NAT Section To set up a reserved mapping on existing NAT enabled interfaces 1 From the NAT Security Interfaces table click the Advanced NAT Configuration hyperlink for the interface to which reserved mapping is to be added The Advanced NAT Configuration page will be displayed 2 Click the Add Reserved Mapping hyperlink The following page will be displayed 3 This page allows reserv...

Page 66: ...wn in the following figure The Security Policy Configuration table will then be displayed which contains details of each Firewall policy The policies can now be configured to include portfilters and validators A portfilter is an individual rule that determines what kind of traffic can pass between two interfaces specified in an existing policy To configure a portfilter 1 From the Current Security ...

Page 67: ...TCP UDP portfilter click Add Raw IP Filter The following page will be displayed Specify the protocol number in the Transport Type text box for example for IGMP enter protocol number 2 Then use the Direction drop down lists to specify whether inbound traffic and outbound traffic is to be allowed or blocked Click The Firewall Port Filters page will be displayed containing details of the IP portfilte...

Page 68: ...g page will be displayed 2 In the Host IP Address text box enter the IP address that is to be allowed blocked 3 In the Host Subnet Mask text box enter the IP mask address If a range of addresses is to be filtered the mask can be specified for example 255 255 255 0 If a single IP address is to be filtered use the specific IP mask address for example 255 255 255 255 4 Click on the Direction drop dow...

Page 69: ...g page will be displayed 2 Configure the trigger as follows a Transport Type select a transport type from the drop down list depending on whether a trigger for a TCP or a UDP application is to be added b Port Number Start enter the start of the trigger port range that the primary session uses c Port Number End enter the end of the trigger port range that the primary session uses d Allow Multiple H...

Page 70: ...age has a Delete hyperlink assigned to it To delete a trigger click this link and then click the Delete button on the confirmation page The Current Security Trigger page will be displayed and details of the deleted trigger s have been removed There are two hyperlinks on the page a To add a new trigger click New Trigger b To display the Security Interface Configuration page click Return to Interfac...

Page 71: ...PAMSPAN501x G SHDSL bis EFM Gateway 70 Displaying information about IDS console enable security list intrusion Configuring blacklisting ...

Page 72: ...ypes of attack Protocol Attack Name UDP Ascend Kill UDP Echo Scan Port scan attack TCP WinNuke Port scan attack TCP Xmas Tree Scan Port scan attack TCP IMAP SYN FIN Scan Port scan attack ICMP SMURF if victim protection is set SMURF Attack TCP SYN Flood if scanning threshold is exceeded SYN FIN RST Flood TCP Net Bus Scan Port scan attack UDP Back Orifice Scan Port scan attack If a DoS attack is det...

Page 73: ...SHDSL bis EFM Gateway 72 If a web spoofing SMURF attack is detected the host is blacklisted for 10 minutes by default Displaying blacklisting details console enable security list blacklist Basic Network Configuration ...

Page 74: ...nstalled on the victim s PC the attacker uses TCP port 12345 12346 or 20034 to remotely perform illicit activities Back Orifice scan Back Orifice and Back Orifice 2k are Trojan Horse attacks for Windows 95 98 NT Once installed on the victim s PC the attacker commonly listens on UDP ports 31337 31338 Back Orifice and 54320 54321 Back Orifice 2k The attacker can then remotely perform illicit activit...

Page 75: ...ypes of DoS attack Flood attack is when an attacker tries to overload your device by flooding it with packets Whilst your device tries to cope with this sudden influx of packets it causes delays to the transport of legitimate packets or prevents the network from transporting legitimate traffic altogether Logic or software attack is a small number of corrupt packets that are designed to exploit kno...

Page 76: ...eturn address which is the address of the intended victim and the replies cause the system to crash Protection from SMURF attacks is provided once victim protection is enabled Enter security enable IDS victimprotection To disable victim protection enter security disable IDS victimprotection If victim protection is enabled the device detects the broadcast packet and blocks the attacker from sending...

Page 77: ...oming SYN requests which may include legitimate traffic TCP packets with FIN and RST flags set also cause problems and constitute a preliminary survey to gain information about the victim s network The device detects an attempted SYN flood if it received more than 20 SYN packets per second from a single host To modify this default threshold enter security set IDS floodthreshold max The device also...

Page 78: ...ort flood threshold traffic originating from the attacker is blocked for 1800 seconds by default To modify this default duration enter security set IDS DOSattackblock duration The device detects an SYN ACK attack if it receives more than 100 unfinished TCP handshakes per second from a single host To modify this default threshold enter security set IDS MaxTCPopenhandshake max Once this threshold is...

Page 79: ...g from the attacker is blocked for 1800 seconds by default To modify this default duration enter security set IDS DOSattackblock duration Ping Flood The attacker floods the network with pings using bandwidth needed for legitimate services The device detects an attempted ping flood if it receives more than 15 pings per second from a single host To modify this default threshold enter security set ID...

Page 80: ...cker sends a UDP packet containing special data to port 9 the discard port causing your Ascend router to reboot and possibly crash continuously Traffic originating from the attacker is blocked for 1800 seconds by default To modify this default duration enter security set IDS DOSattackblock duration ...

Page 81: ...ld be lost NetBIOS is often used Traffic originating from the attacker is blocked for 1800 seconds by default To modify this default duration enter security set IDS DOSattackblock duration Echo Chargen A chargen attack exploits character generator chargen service UDP port 19 Sessions that appear to come from the local system s Echo service are spoofed and pointed at the chargen service to create a...

Page 82: ...indows NT machines to crash Traffic originating from the attacker is blocked by the router for 1800 seconds by default To modify this default duration enter security set IDS DOSattackblock duration Land Attack This attack targets Microsoft Windows machines An attacker sends a forged packet with the same source and destination IP address which confuses the victim s machine causing it to crash or re...

Page 83: ...800 seconds by default To modify this default duration enter security set IDS DOSattackblock duration 3 2 4 2 IP Routes This option allows you to create static IP routes to destination addresses via an IP interface name or a Gateway address Click on IP routes from the Configuration menu The Edit Routes page is displayed This page lists the following information about existing routes Whether the ro...

Page 84: ...leting a route 1 To delete an existing route check the Delete box for a specific route 2 Click on Creating an IP V4 Route 1 Click on the Create new Ip V4 Route hyperlink The following page is displayed 2 Complete the Create IP v4 Route form in order to configure the route 3 When you have typed the details click on The Edit Routes page is displayed The table now contains details of the route that y...

Page 85: ...Advanced menu click on Bridge and then the Bridge page is displayed This page lists the following information about bridge 1 Global bridge configuration 2 VLAN configuration 3 Spanning tree configuration The following shows the Global Bridge configuration settings ...

Page 86: ...o Hybrid i e VLAN learning and is both Independent as well as Shared depending on the association of the VLANs with the filtering databases 5 The Multicast Learning setting is non configurable and always set to HVM Hybrid VLAN Multicast Learning i e if two VLANs are associated with the same FDB The filtering information for a multicast MAC address in one VLAN will also be used in the forwarding de...

Page 87: ... The default value is 300 seconds To change the filter age value enter the required number of seconds in the filter age field and then click to save the settings 11 Traffic Class Mapping To set the traffic class select an option from the drop down list and click to save the settings The following table gives the range of values for each option that can be specified with this command and a default ...

Page 88: ...ows users to configure 1 Spanning spanning tree setting true or false 2 Priority spanning tree priority value 3 Forward Delay spanning tree forward delay time seconds 4 Hello time spanning tree hello time seconds 5 Maximum Age spanning tree maximum age seconds 3 2 4 3 2 Interface Configuration Click Interface configuration and then the Bridge Interfaces page will be displayed as shown in the follo...

Page 89: ... for a bridge interface 0 Transport Name of attached transport Priority Map The mapping of user priority in the incoming frames to the regenerated user priority that will be used for traffic class mapping as well as being set in the VLAN tag of the outgoing frame Configuration methods are introduced in section 5 1 4 3 2 4 3 3 Priority map configuration Click Priority Map for a specific Bridge Inte...

Page 90: ...hich the user priority with a value of 1 in the incoming frame should be mapped 1 Priority 2 The Regenerated User Priority to which the user priority with a value of 2 in the incoming frame should be mapped 2 Priority 3 The Regenerated User Priority to which the user priority with a value of 3 in the incoming frame should be mapped 3 Priority 4 The Regenerated User Priority to which the user prior...

Page 91: ...rity 1 The traffic class to which the Regenerated Priority with a value of 1 is mapped 1 Priority 2 The traffic class to which the Regenerated Priority with a value of 2 is mapped 2 Priority 3 The traffic class to which the Regenerated Priority with a value of 3 is mapped 3 Priority 4 The traffic class to which the Regenerated Priority with a value of 4 is mapped 4 Priority 5 The traffic class to ...

Page 92: ...e user wants to assign to the VLAN name The valid values for the VLAN ID range between 1 and 4094 1 FDB Name The name of an existing Filtering Database with which the user wants the VLAN Interface to be associated If the FDB already exists the VLAN Interface becomes associated with that FDB If the FDB does not exist it is created and the VLAN Interface becomes associated with it DefaultFdb Tagged ...

Page 93: ...k to save the settings to clear the settings or to return to the previous page Click Create a new VLAN and the Create a new VLAN page will be displayed as shown in the following figure On this page a new VLAN Interface can be created by configuring the VLAN name the VLAN ID and FDB Name respectively Click to save the settings to clear the settings or to return to the previous page ...

Page 94: ... to confirm 3 2 4 4 4 Destination Based Unicast Filtering Entry Configuration Unicast transmit the same but separate data to each computer that requesting the same data It might result in flooding the network To configure Static Unicast Entries click Destination Based Unicast Filtering Entry Configuration under Bridge Config Then Destination MAC Based Unicast Filtering Entries window will be displ...

Page 95: ...mic if it is being detected from the input port 3 2 4 4 5 Multicast Filtering Entry Configuration In contrast with Unicast Multicast acts like broadcast It transmits the data to all end stations on a LAN or VLAN Multicast filtering is the system by which end stations only receive multicast traffic if they register to join specific multicast groups With multicast filtering network devices only forw...

Page 96: ...iguration To configure Forward ALL Unregistered Entries click Forward ALL Unregistered Entries under Bridge Config and the following window will be displayed as shown below This option allows users to assign the Egress Ports that the system forward to FWDALLMCAST means forwarding all Multicast entries FWDUNREGMCAST means forwarding all unregistered Multicast entries As the below image shown FWDALL...

Page 97: ...rt name of SHDSL created in PAMSPAN501x where stands for ATM EFM port You can configure simple SHDSL parameters in this page The procedure is shown as follows 1 In the Role drop down list you can set the device as CPE or CO 2 If to set PAMSPAN501x s Wire mode click on Wire Pair drop down list to select the Wire Pair number needed Wire Mode DSL Pair to Use Illustration 2 WireMode 1 4 WireMode 1 2 6...

Page 98: ...n list to set PSD as symmetric or asymmetric 7 If to set the maximum and minimum line rate click on the Max Line Rate and Min Line Rate drop down list respectively range 192 kbps to 5696 kbps 8 If to set the target margin input the desired number in the target margin field range 1 to 21 dB 9 Click on to submit your setting or to clear your setting 10 To view the advanced status of SHDSL and Ethern...

Page 99: ... the profile and click Add to create a classifier profile Click the link Edit of the desired profile to modify the rule of that specific profile Enter name for the rule to add a new rule to the profile and then set the rule by enter the desired criteria into those fields and click OK to save the settings ...

Page 100: ...t rule r2 dscprange 16 31 This command sets the dscprange with the criteria from 16 to 31 for rule r2 classifier profile cdscp set rule r2 priority 2 This command tags the incoming packets that meet the r2 criteria to priority 2 classifier profile cdscp add rule r3 This command adds the rule r3 to the profile cdscp classifier profile cdscp set rule r3 dscprange 32 47 This command sets the dscprang...

Page 101: ...ueues Enter the name for the Scheduler Profile and click Add to create the new profile Upon clicking Add the following page will be displayed for user to choose the method for the QoS scheduler Priority or Weighted Queues Click for the priority type and for the weighted queue type After clicking on the desired scheduler profile type the profile will then be created and appear on the QoS main page ...

Page 102: ...ackets being sent scheduler add profile spriority priority This command adds a profile named spriority with priority queuing which provides prioritized treatment to higher priority traffic scheduler show profile spriority This command shows the profile spriority QoS with weighted queues When using this method scheduler for transporting will based on the weight of percentage Each queue will contain...

Page 103: ... 40 Queue 3 will contain 40 of the total transport bandwidth in every transmission Note The total weight is 100 and packets in other queues that are not being set will share rest bandwidth scheduler show profiles swf2q This command shows the profile swf2q scheduler show profile swf2q queues This command shows the profile swf2q queues information 3 2 4 6 3 To add a meter for QoS Enter the name for ...

Page 104: ...ll other packets are out of profile Red meter add profile name trtcm cir cbs pir pbs This command creates a meter profile that uses the trtcm algorithm for metering If a packet stream s average rate is within CIR and the burst size is within CBS then the packet is in profile Green If a packet stream s average rate is within PIR and the burst size is within PBS then the packet is partially in profi...

Page 105: ...ts depending on their metering result Note that if this command is not applied by default the green and yellow packets are passed and red packets are dropped 3 2 4 6 4 Attach a profile to a transport It is recommended that before attaching a profile to a transport you should set Bridge Config Global Config Traffic Class Mapping to Enabled or Priority Based by Web control or from a CLI command As t...

Page 106: ...ort will be scheduled according to the configuration of the scheduler profile It sets HSL scheduler to follow the rule in profile spriority transports show HSL This command shows the information on the HSL transport TOS DSCP QoS For this function you should set a scheduler to the HSL transport and a classifier to an ingress Ethernet transport Below are the examples transports set HSL scheduler pro...

Page 107: ...et on the HSL The scheduler is removed from the data path transports set HSL scheduler profile spriority This command sets an existing scheduler profile on an existing transport The outgoing traffic on the transport will be scheduled according to the configuration of the scheduler profile It sets HSL scheduler to follow the rule in profile spriority For the transport set using classifier transport...

Page 108: ...blished If your Ethernet LED no light make sure the RJ 45 you using is connected properly Please use the crossover Ethernet cable If the port is disabled then the Ethernet LED will not illuminate User has to connect to the peer port and enable the port via Web or console Note if all the other peer ports are also disabled then user will only be able to enable the ports using CLI via console DSL LED...

Page 109: ...O Central Office DHCP Dynamic Host Configuration Protocol DMZ Demilitarized Zone DNS Domain Name System DSL Digital Subscriber Line EFM Ethernet in the First Mile FDB Filtering Database IGMP Internet Group Management Protocol NAT Network Address Translation NTP Network Time Protocol PAP Password Authentication Protocol RSTP Rapid Spanning Tree Protocol SHDSL Symmetrical High Bitrate Digital Subscr...

Reviews:

No comments