Alcatel 9000 Betriebsanweisung Seite 578
- Seite / 702
- Inhaltsverzeichnis
- LESEZEICHEN
Bewertet. / 5. Basierend auf Kundenbewertungen
Using ACL Security Features Configuring ACLs
page 27-14 OmniSwitch 6800/6850/9000 Network Configuration Guide June 2006
Using ACL Security Features
The following additional ACL features are available for improving network security and preventing mali-
cious activity on the network:
• UserPorts—A port group that identifies its members as user ports to prevent spoofed IP traffic. When
a port is configured as a member of this group, packets received on the port are dropped if they contain
a source IP network address that does not match the IP subnet for the port. It is also possible to config-
ure a UserPorts profile to specify other types of traffic to monitor on user ports. See “Configuring a
UserPorts Group” on page 27-14. Note that this group is not supported on the OmniSwitch 6800.
• DropServices—A service group that improves the performance of ACLs that are intended to deny
packets destined for specific TCP/UDP ports. This group only applies to ports that are members of the
UserPorts group. Using the DropServices group for this function minimizes processing overhead,
which otherwise could lead to a DoS condition for other applications trying to use the switch. See
“Configuring a DropServices Group” on page 27-15. Note that this group is not supported on the
OmniSwitch 6800.
• BPDUShutdownPorts—A port group that identifies its members as ports that should not receive
BPDUs. If a BPDU is received on one of these ports, the port is administratively disabled. Note that
this group is not supported on the OmniSwitch 6850 and 9000. See “Configuring a BPDUShutdown-
Ports Group” on page 27-16.
• ICMP drop rules—Allows condition combinations in policies that will prevent user pings, thus reduc-
ing DoS exposure from pings. Two condition parameters are also available to provide more granular
filtering of ICMP packets: icmptype and icmpcode. See “Configuring ICMP Drop Rules” on
page 27-17.
• TCP connection rules—Allows the determination of an established TCP connection by examining
TCP flags found in the TCP header of the packet. Two condition parameters are available for defining
a TCP connection ACL: established and tcpflags. See “Configuring TCP Connection Rules” on
page 27-17.
• Early ARP discard—ARP packets destined for other hosts are discarded to reduce processing over-
head and exposure to ARP DoS attacks. No configuration is required to use this feature, it is always
available and active on the switch. Note that ARPs intended for use by a local subnet, AVLAN, VRRP,
and Local Proxy ARP are not discarded.
Configuring a UserPorts Group
To prevent IP address spoofing and/or other types of traffic on specific ports, create a port group called
UserPorts and add the ports to that group. For example, the following policy port group command adds
ports 1/1-24, 2/1-24, 3/1, and 4/1 to the UserPorts group:
-> policy port group UserPorts 1/1-24 2/1-24 3/1 4/1
-> qos apply
Note that the UserPorts group applies to both bridged and routed traffic, and it is not necessary to include
the UserPorts group in a condition and/or rule for the group to take effect. Once ports are designated as
members of this group, IP spoofed traffic is blocked while normal traffic is still allowed on the port.
The UserPorts group is also used in conjunction with the DropServices group. If a flow received on a port
that is a member of the UserPorts group is destined for a TCP or UDP port (service) specified in the
DropServices group, the flow is dropped. See “Configuring a DropServices Group” on page 27-15 for
more information.
- OmniSwitch 6800 Series 1
- OmniSwitch 6850 Series 1
- OmniSwitch 9000 Series 1
- Network Configuration Guide 1
- Contents 3
- About This Guide 29
- Who Should Read this Manual? 30
- What is in this Manual? 30
- What is Not in this Manual? 31
- Documentation Roadmap 32
- Related Documentation 34
- • Release Notes 35
- User Manual CD 36
- Technical Support 36
- In This Chapter 37
- Ethernet Specifications 38
- Non Combo Port Defaults 39
- Combo Ethernet Port Defaults 39
- Ethernet Ports Overview 40
- Autonegotiation Guidelines 43
- Resetting Statistics Counters 45
- Flood Only Rate Limiting 46
- Multicast Flood Rate Limiting 47
- Configuring a Port Alias 48
- Setting Interface Line Speed 50
- Configuring Duplex Mode 51
- 2 Managing Source 63
- Learning 63
- Source Learning Defaults 64
- MAC Address Table Overview 66
- Using Static MAC Addresses 66
- 3 Using 802.1s Multiple 71
- Spanning Tree 71
- MST Specifications 72
- MST Region Defaults 73
- MST General Overview 74
- MST Configuration Overview 80
- -> bridge protocol mstp 81
- Switch A Switch B 86
- 4 Configuring Learned 91
- Port Security 91
- Understanding the LPS Table 96
- 5 Configuring VLANs 101
- VLAN Specifications 102
- VLAN Defaults 102
- Sample VLAN Configuration 103
- VLAN Management Overview 104
- Creating/Modifying VLANs 105
- -> vlan 255 stp disable 110
- -> vlan 755 stp enable 110
- OmniSwitch 9700 114
- 6 Configuring Spanning Tree 117
- Parameters 117
- Spanning Tree Specifications 118
- Spanning Tree Overview 120
- Topology Examples 123
- Spanning Tree Operating Modes 125
- Using 1x1 Spanning Tree Mode 126
- Configuring Port Priority 140
- Configuring Port Path Cost 141
- Configuring Port Mode 144
- Example Network Overview 147
- 7 Assigning Ports 151
- Port Assignment Defaults 152
- Sample VLAN Port Assignment 153
- Mobile Tag Enabled 156
- Default VLAN 156
- IP Network 130.0.0.0 157
- IP Network 138.0.0.0 157
- VLAN Rule Classification 158
- -> vlan port mobile 4/1 161
- What is a Secondary VLAN? 163
- OmniSwitch 164
- Enable/Disable Default VLAN 166
- Port Properties 169
- 8 Configuring Port Mapping 171
- Port Mapping Specifications 172
- Port Mapping Defaults 172
- Example Port Mapping Overview 175
- 9 Defining VLAN Rules 177
- VLAN Rules Specifications 178
- VLAN Rules Defaults 178
- VLAN Rules Overview 180
- DHCP Rules 181
- Binding Rules 182
- MAC Address Rules 182
- Network Address Rules 182
- Protocol Rules 182
- Port Rules 183
- Defining DHCP MAC Range Rules 189
- Defining DHCP Port Rules 189
- Defining DHCP Generic Rules 190
- Defining Binding Rules 190
- Defining MAC Address Rules 193
- Defining MAC Range Rules 194
- Defining Protocol Rules 196
- Defining Port Rules 197
- The VLANs 198
- DHCP Servers and Clients 198
- Servers 200
- Clients 200
- Configuration” on page 9-3 201
- 10 Using Interswitch 203
- Protocols 203
- AIP Specifications 204
- AMAP Defaults 204
- AMAP Overview 205
- Discovery 206
- Transmission State 206
- Configuring AMAP 207
- -> show amap 208
- -> amap common 600 208
- -> amap common time 600 208
- Displaying AMAP Information 209
- 11 Configuring 802.1Q 211
- 802.1Q Specifications 212
- 802.1Q Defaults Table 212
- 802.1Q Overview 213
- Configuring an 802.1Q VLAN 215
- Configuring the Frame Type 216
- Show 802.1Q Information 217
- Application Example 218
- 12 Configuring IP 221
- IP Specifications 222
- IP Defaults 222
- IP Overview 224
- Additional IP Protocols 225
- Configuring IP IP Forwarding 229
- Creating a Static Route 230
- Creating a Default Route 230
- Local Proxy ARP 232
- ARP Filtering 233
- IP Configuration 234
- Setting the Decay Value 238
- Enabling DoS Traps 238
- Managing IP 240
- Configuring IP Managing IP 241
- Enabling All ICMP Types 242
- Using the Ping Command 243
- Tracing an IP Route 244
- Displaying TCP Information 244
- Displaying UDP Information 244
- 13 Configuring Static Link 247
- Aggregation 247
- -> static linkagg 5 size 8 254
- -> no static linkagg 5 254
- 14 Configuring Dynamic Link 259
- -> lacp linkagg 2 size 8 269
- -> no lacp linkagg 2 269
- Aggregate Group 270
- Administrative Key 273
- Configuration and Statistics 291
- 15 Configuring IPv6 293
- IPv6 Specifications 294
- IPv6 Defaults 294
- IPv6 Overview 296
- IPv6 Addressing 297
- IPv6 Address Prefix Notation 298
- Tunneling IPv6 over IPv4 299
- 6to4 Site 300
- IPv4 Domain 300
- 6to4 Host 300
- IPv6 Domain 301
- IPv6 Site 301
- Configuring an IPv6 Interface 302
- Modifying an IPv6 Interface 303
- Removing an IPv6 Interface 303
- Assigning IPv6 Addresses 304
- Removing an IPv6 Address 305
- 16 Configuring RIP 309
- RIP Specifications 310
- RIP Defaults 310
- RIP Overview 312
- RIP Routing 313
- Loading RIP 314
- Enabling RIP 314
- Creating a RIP Interface 315
- Enabling a RIP Interface 315
- RIP Routing Configuring RIP 316
- -> ip rip route-tag 1 316
- RIP Options 317
- RIP Redistribution 318
- RIP Security 322
- 17 Configuring RDP 325
- RDP Specifications 326
- RDP Defaults 326
- Reference Guide 328
- RDP Interfaces 330
- Security Concerns 331
- Enabling/Disabling RDP 332
- Creating an RDP Interface 332
- 18 Configuring DHCP Relay 337
- DHCP Relay Specifications 338
- DHCP Relay Defaults 339
- DHCP Relay Overview 341
- DHCP and the OmniSwitch 342
- DHCP Relay and Authentication 342
- Internal DHCP Relay 344
- DHCP Relay Implementation 345
- Setting the Forward Delay 346
- Setting Maximum Hops 347
- Using DHCP Snooping 352
- Enabling DHCP Snooping 353
- VLAN-Level DHCP Snooping 354
- Configuring Rate Limiting 356
- 19 Configuring VRRP 359
- VRRP Specifications 360
- VRRP Defaults 360
- 4 Enable VRRP on each switch 361
- VRRP Overview 362
- Why Use VRRP? 363
- VRRP MAC Addresses 364
- VRRP Startup Delay 364
- VRRP Tracking 365
- Configuration Overview 366
- Setting VRRP Traps 370
- Setting VRRP Startup Delay 370
- Creating Tracking Policies 371
- Master 1 373
- Backup 2 373
- Backup 1 373
- Master 2 373
- 20 Configuring IPX 377
- IPX Specifications 378
- IPX Defaults 378
- IPX Overview 380
- Configuring IPX IPX Overview 381
- IPX Routing 382
- Configuring IPX IPX Routing 383
- -> ipx default-route 222 383
- Using the PING Command 386
- IPX RIP/SAP Filtering 387
- Configuring RIP Filters 388
- Configuring SAP Filters 388
- Configuring GNS Filters 389
- IPX RIP/SAP Filter Precedence 390
- 21 Managing Authentication 393
- Server Defaults 395
- Server Overview 397
- OmniSwitch 6648 398
- ACE/Server 400
- RADIUS Servers 401
- Configuring the RADIUS Client 406
- LDAP Servers 407
- LDAP Server Details 408
- Directory Entries 409
- Directory Searches 410
- Directory Modifications 410
- Directory Compare and Sort 411
- The LDAP URL 411
- LDAP Accounting Attributes 414
- AccountStopTime 415
- AccountFailTime 415
- Dynamic Logging 416
- 22 Configuring 421
- Authenticated VLANs 421
- AVLAN Configuration Overview 424
- Sample AVLAN Configuration 425
- Telnet Authentication Client 427
- -> aaa avlan http language 428
- SSL for Web Browser Clients 431
- Installing the AV-Client 432
- Windows 95 433
- Windows 2000 and Windows NT 433
- button. The software 435
- Windows 95 and Windows 98 436
- Selecting a Dialog Mode 439
- Viewing AV-Client Components 440
- Logging Off the AV-Client 442
- Delay for IP Address Request 443
- Releasing the IP Address 443
- • MAC-Port-IP address 448
- • MAC-Port 448
- Setting Up a DNS Path 449
- Setting Up the DHCP Server 449
- Before Authentication 450
- After Authentication 450
- Configuring Single Mode 452
- 23 Configuring 802.1X 457
- 802.1X Specifications 458
- 802.1X Defaults 458
- 802.1X Overview 462
- 802.1X Ports and DHCP 463
- Re-authentication 463
- 802.1X Accounting 464
- Policy Types 465
- Enabling 802.1X on Ports 467
- -> 802.1x 3/1 direction in 468
- Initializing an 802.1X Port 469
- Supplicant Policy Examples 472
- 24 Managing Policy 477
- Policy Server Specifications 478
- Policy Server Defaults 478
- Policy Server Overview 479
- Modifying Policy Servers 480
- Modifying the Port Number 481
- Modifying the Searchbase 481
- Interaction With CLI Policies 483
- 25 Using ACL Manager 485
- ACLMAN Defaults 486
- Quick Steps for Creating ACLs 487
- ACLMAN Overview 489
- ACL Text Files 490
- ACL Precedence 490
- Using the ACLMAN Shell 491
- ACLMAN Modes and Commands 492
- ACLMAN User Privileges 498
- Configuring ACLs 500
- Saving the ACL Configuration 503
- Importing ACL Text Files 504
- 26 Configuring QoS 507
- QoS Specifications 508
- QoS General Overview 509
- QoS Policy Overview 510
- Condition Combinations 512
- Action Combinations 514
- QoS Defaults 515
- QoS Port Defaults 516
- Policy Rule Defaults 516
- Policy Action Defaults 517
- Default (Built-in) Policies 517
- QoS Configuration Overview 518
- Enabling/Disabling QoS 519
- Using the QoS Log 520
- Log Detail Level 521
- Forwarding Log Events 521
- Displaying the QoS Log 522
- Clearing the QoS Log 523
- Verifying Global Settings 524
- QoS Ports and Queues 525
- Configuring Queuing Schemes 526
- Trusted and Untrusted Ports 528
- Configuring Trusted Ports 529
- Creating Policies 531
- ASCII-File-Only Syntax 532
- Creating Policy Conditions 533
- Creating Policy Actions 534
- Removing Action Parameters 535
- Deleting a Policy Action 535
- Creating Policy Rules 536
- Disabling Rules 537
- Rule Precedence 537
- Saving Rules 537
- Logging Rules 538
- Deleting Rules 538
- Testing Conditions 539
- Sample Group Configuration 542
- Creating Network Groups 543
- Creating Services 544
- Creating Service Groups 545
- Creating MAC Groups 546
- Creating Port Groups 547
- Egress Bandwidth Shaping 548
- Example 1: Source Port Group 549
- Using Map Groups 551
- How Map Groups Work 552
- Creating Map Groups 552
- Applying the Configuration 554
- Flushing the Configuration 555
- Policy Applications 557
- Network 1 558
- 10.10.4.0 558
- Redirection Policies 559
- ICMP Policy Example 560
- Network C 561
- Policy Based Routing 562
- 10.3.0.0 563
- 173.5.1.0 563
- 173.10.2.0 563
- 174.26.1.0 563
- 27 Configuring ACLs 565
- ACL Specifications 566
- ACL Defaults 567
- Valid Combinations 570
- ACL Configuration Overview 571
- Layer 2 ACLs 574
- Layer 3 ACLs 575
- Multicast Filtering ACLs 576
- Using ACL Security Features 578
- Configuring ICMP Drop Rules 581
- ACL Application Example 584
- 28 Configuring IP Multicast 585
- Switching 585
- IPMS Specifications 587
- IPMSv6 Specifications 587
- IPMS Default Values 588
- IPMSv6 Default Values 588
- IPMS Overview 589
- IP Multicast Routing 590
- IGMP Version 3 591
- Configuring IPMS on a Switch 592
- Configuring the IGMP Version 593
- Restoring the IGMP Version 593
- Removing an IGMP Static Group 595
- Modifying IPMS Parameters 596
- Last Member Query Interval 597
- Modifying the Source Timeout 599
- Enabling the IGMP Querying 600
- Disabling the IGMP Querying 600
- Enabling the IGMP Spoofing 601
- Disabling the IGMP Spoofing 601
- Enabling the IGMP Zapping 602
- Disabling the IGMP Zapping 602
- IPMSv6 Overview 603
- MLD version 2 604
- Configuring the MLD Version 2 606
- Restoring the MLD Version 1 606
- Removing an MLD Static Group 608
- Modifying IPMSv6 Parameters 609
- Restoring the Source Timeout 612
- Enabling the MLD Querying 612
- Disabling the MLD Querying 612
- Enabling the MLD Spoofing 614
- Disabling the MLD Spoofing 614
- Enabling the MLD Zapping 615
- Disabling the MLD Zapping 615
- IPMS Application Example 616
- IPMSv6 Application Example 618
- 29 Diagnosing Switch 623
- Problems 623
- Port Mirroring Overview 625
- Port Monitoring Overview 627
- RMON Specifications 632
- RMON Probe Defaults 633
- Switch Health Overview 634
- Switch Health Defaults 635
- Port Mirroring 636
- Creating a Mirroring Session 639
- Deleting A Mirroring Session 642
- Port Monitoring 643
- Receiver 648
- Configuring a sFlow Session 649
- Displaying a sFlow Receiver 650
- Displaying a sFlow Sampler 651
- Displaying a sFlow Poller 651
- Displaying a sFlow Agent 652
- Deleting a sFlow Session 652
- Ethernet Statistics 654
- Displaying RMON Tables 656
- • memory 662
- • temperature 662
- Viewing Sampling Intervals 663
- 30 Using Switch Logging 667
- Switch Logging Specifications 668
- Switch Logging Defaults 669
- Switch Logging Overview 671
- Enabling Switch Logging 672
- Specifying the Severity Level 674
- Removing the Severity Level 675
- -> swlog clear 677
- A Software License 679
- Alcatel License Agreement 680
- C. Linux 683
- E. University of California 688
- G.Random.c 688
- H. Apptitude, Inc 689
- I. Agranat 689
- J. RSA Security Inc 689
- K. Sun Microsystems, Inc 689
- L. Wind River Systems, Inc 690
- Numerics 691
Verwandte Produkte und Handbücher für Software Alcatel 9000
Software Alcatel 2.3) Betriebsanweisung
(96 Seiten)
(96 Seiten)
© 2020, manymanuals.de. Alle Rechte vorbehalten. | 0.062 s |
Manymanuals.com
Manymanuals.de
Manymanuals.fr
Manymanuals.it
Manymanuals.pl
Manymanuals.cz
Manymanuals.es
Manymanuals-pt.com
Kommentare zu diesen Handbüchern