Manual

ManualsBrandsAllied Telesis ManualsComputer HardwareAT-S62

211

212

213

214

215

216

217

218

219

220

Table Of Contents

Table of Contents
List of Figures
Preface
- How This Guide is Organized
- Document Conventions
- Where to Find Web-based Guides
- Contacting Allied Telesyn
- Management Software Updates
Chapter 1
Overview
- Management Overview
- Local Management Session
- Telnet Management Session
- Web Browser Management Session
- SNMP Management Session
- Management Access Levels
Section I
Basic Operations
- Chapter 2
- Starting a Local or Telnet Management Session
- Chapter 3
- Enhanced Stacking
- Chapter 4
- Basic Switch Parameters
- Chapter 5
- SNMPv1 and SNMPv2c Configuration
- Chapter 6
- Port Parameters
- Chapter 7
- MAC Address Table
- Chapter 8
- Port Trunking
- Chapter 9
- Port Mirroring
- Chapter 10
- Ethernet Statistics
  - Displaying Port Statistics
  - Clearing Port Counters
Section II
Advanced Operations
- Chapter 11
- File System
- Chapter 12
- File Downloads and Uploads
- Chapter 13
- Event Log
- Chapter 14
- Quality of Service
- Chapter 15
- IGMP Snooping
- Chapter 16
- Denial of Service Defense
  - Denial of Service Defense Overview
  - Enabling or Disabling Denial of Service Prevention
Section III
SNMPv3 Operations
- Chapter 17
- SNMPv3 Configuration
Section IV
Spanning Tree Protocols
- Chapter 18
- Spanning Tree and Rapid Spanning Tree Protocols
- Chapter 19
- Multiple Spanning Tree Protocol
Section V
Virtual LANs
- Chapter 20
- Tagged and Port-based Virtual LANs
- Chapter 21
- GARP VLAN Registration Protocol
- Chapter 22
- Multiple VLAN Modes
Section VI
Port Security
- Chapter 23
- MAC Address Security
- Chapter 24
- 802.1x Port-based Access Control
Section VII
Management Security
- Chapter 25
- Web Server
  - Web Server Overview
    - Supported Protocols
    - General Steps to Configuring the Web Server for Encryption
  - Configuring the Web Server
- Chapter 26
- Encryption Keys
- Chapter 27
- Public Key Infrastructure Certificates
- Chapter 28
- Secure Shell (SSH) Protocol
- Chapter 29
- RADIUS and TACACS+ Authentication Protocols
  - TACACS+ and RADIUS Overview
    - Guidelines
  - Configuring Authentication Protocol Settings
    - Displaying RADIUS Status and Settings
- Chapter 30
- Management Access Control List
Section VIII
Web Browser Management
- Chapter 31
- Starting a Web Browser Management Session
  - Starting a Web Browser Management Session
    - Browser Tools
  - Saving Your Parameter Changes
  - Quitting a Web Browser Management Session
- Chapter 32
- Enhanced Stacking
  - Setting a Switch’s Enhanced Stacking Status
  - Selecting a Switch in an Enhanced Stack
    - Returning to the Master Switch
  - Displaying the Enhanced Stacking Status
- Chapter 33
- Basic Switch Parameters
  - Configuring an IP Address and Switch Name
  - Activating the BOOTP and DHCP Client Software
  - Displaying System Information
  - Configuring the Manager and Operator Passwords
  - Rebooting a Switch
  - Pinging a Remote System
  - Returning the AT-S62 Software to the Factory Default Values
- Chapter 34
- SNMPv1 and SNMPv2c Community Strings
  - Enabling or Disabling SNMP Management
  - Creating a New SNMPv1 or SNMPv2c Community String
  - Modifying a Community String
  - Deleting a Community String
  - Displaying the SNMP Status and Community Strings
- Chapter 35
- Port Parameters
  - Configuring Port Parameters
  - Displaying Port Status and Statistics
- Chapter 36
- MAC Address Table
  - Displaying the MAC Address Table
  - Adding Static Unicast and Multicast MAC Addresses
  - Deleting Unicast and Multicast MAC Addresses
  - Changing the Aging Time
- Chapter 37
- Port Trunking
  - Creating a Port Trunk
  - Modifying a Port Trunk
  - Deleting a Port Trunk
  - Displaying the Port Trunks
- Chapter 38
- Port Mirroring
  - Creating a Port Mirror
  - Modifying or Disabling a Port Mirror
  - Deleting a Port Mirror
  - Displaying the Port Mirror
- Chapter 39
- File Downloads and Uploads
  - Downloading a File
  - Uploading a File
- Chapter 40
- Event Log
  - Enabling or Disabling the Event Log
  - Displaying Events
  - Saving the Event Log
  - Clearing the Event Log
- Chapter 41
- Quality of Service
  - Configuring CoS
  - Mapping CoS Priorities to Egress Queues
  - Configuring Egress Scheduling
  - Displaying the CoS Settings
  - Displaying QoS Scheduling
- Chapter 42
- IGMP Snooping
  - Configuring IGMP Snooping
  - Displaying a List of Host Nodes and Multicast Routers
- Chapter 43
- Denial of Service Defense
  - Configuring Denial of Service Attack Defense
  - Displaying the DoS Settings
- Chapter 44
- SNMPv3 Protocol
  - Configuring the SNMPv3 Protocol
  - Enabling the SNMP Protocol
  - Configuring the SNMPv3 User Table
  - Configuring the SNMPv3 View Table
  - Configuring the SNMPv3 Access Table
  - Configuring the SNMPv3 SecurityToGroup Table
  - Configuring the SNMPv3 Notify Table
  - Configuring the SNMPv3 Target Address Table
  - Configuring the SNMPv3 Target Parameters Table
  - Configuring the SNMPv3 Community Table
  - Displaying SNMPv3 Tables
- Chapter 45
- STP, RSTP, and MSTP
  - Enabling or Disabling Spanning Tree
  - Configuring STP
  - Configuring RSTP
  - Configuring MSTP
  - Displaying Spanning Tree Settings
- Chapter 46
- Virtual LANs
  - Creating a New Port-Based or Tagged VLAN
  - Modifying a Port-Based or Tagged VLAN
  - Deleting a Port-Based or Tagged VLAN
  - Displaying VLANs
  - Selecting a VLAN Mode
  - Specifying a Management VLAN
- Chapter 47
- GARP VLAN Registration Protocol
  - Configuring GVRP
  - Enabling or Disabling GVRP on a Port
  - Displaying the GVRP Settings
- Chapter 48
- MAC Address Security
  - Displaying MAC Address Security Levels
- Chapter 49
- 802.1x Port-based Access Control
  - Enabling and Disabling Port-based Access Control
  - Setting Port Roles
  - Configuring Authenticator Port Parameters
  - Configuring Supplicant Port Parameters
  - Displaying the Port-based Access Control Settings
- Chapter 50
- Secure Shell Protocol
  - Configuring the SSH Server
  - Displaying SSH Information
- Chapter 51
- Encryption Keys, PKI, and SSL
  - Displaying Encryption Keys
  - Displaying PKI Settings and Certificates
  - Displaying the SSL Settings
- Chapter 52
- RADIUS and TACACS+ Authentication Protocols
  - Configuring RADIUS and TACACS+
  - Displaying the RADIUS or TACSACS+ Settings
- Chapter 53
- Management Access Control List
  - Creating a Management ACL
  - Adding or Deleting an ACE
  - Displaying the Management ACL
Appendix A
- AT-S62 Default Settings
Appendix B
- SNMPv3 Configuration Examples
  - SNMPv3 Configuration Examples
Index
- Numerics
- A
- B
- C
- D
- E
- F
- G
- H
- I
- K
- L
- M
- N
- O
- P
- Q
- R
- S
- T
- U
- V
- W
- X

AT-S62 User’s Guide

Section II: Advanced Operations 213

Denial of Service Defense Overview

The AT-S62 management software can help protect your network

against the following types of Denial of Service attacks.

❑ SYN Flood Attack

❑ SMURF Attack

❑ Land Attack

❑ Teardrop Attack

❑ Ping of Death Attack

❑ IP Options Attack

The following subsections briefly describe each type of attack and the

mechanism employed by the AT-S62 management software to protect

your network.

Note

Be sure to read the following descriptions before implementing a

DoS defense on a switch. Some defense mechanisms are CPU

intensive and can impact switch behavior.

SYN Flood

Attack

In this type of attack, an attacker sends a large number of TCP

connection requests (TCP SYN packets) with bogus source addresses to

the victim. The victim responds with acknowledgements (SYN ACK

packets), but since the original source addresses are bogus, the victim

node does not receive any replies. If the attacker sends enough requests

in a short enough period, the victim may freeze operations when the

number of requests exceeds the capacity of its connections queue.

To defend against this form of attack, a switch port monitors the number

of ingress TCP connection requests it receives. If a port receives more

than 60 requests per second, the following occurs.

❑ The switch sends a SNMP trap to the management workstations

❑ The port discards all ingress TCP-SYN packets for one minute.

However, the port continues to allow existing TCP connections to

go through.

This defense mechanism does not involve the switch’s CPU. You can

activate it on as many ports as you want without it impacting switch

performance.