Security, IP Protocol Type Filtering | Paradyne 6301, 6341, 6342

3. Configuring the DSL Router

Security

The router offers security via the following:

Filtering. A filter consists of a set of rules applied to a specific interface to indicate whether a packet received or sent on that interface is forwarded or discarded. Filters are applied to traffic in either the inbound (from the Ethernet port) or outbound (from the DSL port) direction on that interface:

—IP Protocol Type: TCP, UDP, or ICMP

—ICMP Message Type, Code

—TCP/UDP Ports

—Source/Destination IP Address

—Ethernet Type

Always enabled:

—Land Bug Prevention

—Smurf Attack Prevention

NOTE:

All Hotwire DSL Router filters are configured on the Hotwire DSL card. Some routing parameters that affect filtering, such as enabling bridging or routing, can only be configured on the DSL router.

IP Protocol Type Filtering

By default, IP Protocol Type (IP) filtering is disabled on the Hotwire DSL card for the DSL router. If enabled, filtering provides security advantages on LANs by restricting traffic on the network and hosts based on the source and/or destination IP addresses.

There is one filter per direction, with a maximum of 33 rules per filter. For IP filters, all filter access rules with a source host IP address are applied first, with all rules with a destination host IP address applied next. The remaining filters are applied in the order in which they were configured.

For additional information about IP filtering, refer to the Hotwire MVL, ReachDSL, RADSL, IDSL, and SDSL Cards, Models 8310, 8312/8314, 8510/8373/8374, 8303/8304, and 8343/8344, User’s Guide.

6300-A2-GB20-10

November 2003

3-11

Image 37

Paradyne 6301, 6341, 6342, 6371, 6351, 6302 manual Security, IP Protocol Type Filtering

Contents

Hotwire DSL Routers Copyright 2003 Paradyne Corporation All rights reserved Contents Monitoring the DSL Router DSL Router Configuration Examples Command Line Interface Diagnostics and Troubleshooting Traps and MIBs Configuration Defaults and Command Line ShortcutsDSL Router Terminal Emulation Index Firmware Upgrade Contents November Document Purpose and Intended Audience About This Guide New Features for this Release Section Description Document Summary Document Number Document Title Product-Related Documents Convention Translation Document Conventions Xii What is a Hotwire DSL Router? Introduction to Hotwire DSL RoutersDSL Technologies Supported Central Office CO Customer Premises CP Typical DSL Router SystemOptional IP routing with Hotwire DSL Router Features Management from an NMS using Snmp Service Subscriber Access Control to the DSL Router Accessing the DSL RouterLevels of Access Changing Access Session Levels Local Console AccessConsole disable save Exit Admin enable Invalid Characters Value Ascii Hex Translation Setting Up the New User’s Login Password admin new password save Telnet AccessLocal console disabled by conflict message Telnet enable save Determining the Available Commands Determining the Current Access LevelTelnet login enable save Help List config Using the List CommandChanging the System Identity List Exiting from the System If accessing the DSL router ThenManually Logging Out Exit Automatically Logging Out When autologout is DSL Router Configuration Overview Configuring the DSL RouterDSL Router’s Interfaces Interface Identifiers Service Domain IP Address Assignments Unnumbered DSL Interface Numbered DSL or Ethernet InterfaceSimplified Network Topology IP Options Processing IP Routing Network Considerations Address Resolution Protocol ARP Proxy ARP Basic NAT Network Address Translation NATNetwork Address Port Translation NAPT/PAT Applications Supported by NAT Simultaneous Basic NAT and Napt Dynamic Host Configuration Protocol Dhcp Server Dhcp Relay Agent IP Protocol Type Filtering Security Land Bug/Smurf Attack Prevention Ethernet Type Filtering Routed vs. Bridged PDUs If Using This Network Model Then These DSL Cards Can Be Used PPPoE Client Support Routed Network Model Standard mode When the negotiated IP Address is assigned to Then Configuring the DSL Router Configuration Examples DSL Router Configuration Examples IP, IPX Basic Bridging Configuration Example Basic Routing Configuration Example NAT Mapping Public IP Addresses Private IP Addresses Basic NAT Configuration Example Commands and syntax for this example are Napt Mapping Public IP Addresses Private IP Addresses Napt Configuration Example DSL Router Configuration Examples Simultaneous Basic NAT and Napt Configuration Example DSL Router Configuration Examples Core Router 155.1.3.1 Console Port Connection Dhcp Relay with Proxy ARP Configuration Example Dhcp Server with Basic NAT Configuration Example PPPoE Client with Napt and Dhcp Server Configuration Example Downstream Router Configuration Example Customer Premises CP IP Passthrough Configuration Example DSL Router Configuration Examples November Monitoring the Router Monitoring the DSL Router Front Panel LEDs LED StatusCondition Status Performance Statistics Interface StatusClearing Statistics Reasons for Ethernet Interface eth1 Discarded Frames Reasons for Discarded Data Reasons for DSL Interface dsl1 Discarded Frames Reasons for IP Processing Discarded Packets Reasons for PPPoE Discarded Frames Reasons for Bridge Discarded Frames Reasons for PPP Discarded Frames Diagnostics and Troubleshooting Overview Diagnostics and TroubleshootingAlarms Inquiry Device Restart Syslog enable disable Syslog Commands 1System Log Show syslog Syslog ip ip-addr mgt srvc Syslog Commands 2Syslog port port-number Syslog level level Syslog Messages Level Description Event Syslog Events Ping Ping CommandSyslog Message Display Ping dest-ipmgt -x source-ip-l bytes -w time -ieth1 dsl1 Ping reply from x.x.x.x bytes of data=nn Ping Test ResultsPing reply from x.x.x.x Request Timed OUT Ping reply from x.x.x.x Destination Unreachable TraceRoute TraceRoute CommandExample traceroute 135.300.41.8 -w 60 -i eth1 Tracing route to TraceRoute Test ResultsOver a max. of nn Hops, with nnn Byte packet X.x Command Line Interface Capability Command Line Interface Navigating the Router’s CLI Command RecallSyntax Conventions CLI Commands Table A-1. Configuration Commands Configuration CommandsConfigure terminal factory Save Ethernet Frame Format Command RFC 1483 Encapsulation CommandTable A-2. RFP 1483 Encapsulation Command Table A-3. Ethernet Frame Format Command Table A-4. Interface and Service Domain IP Address Commands Interface and Service Domain IP Address CommandsExamples ifn address dsl1 135.300.41.8 Ifn dsl1 primary Table A-5. IP Routing Commands 1 IP Routing Commands Table A-5. IP Routing Commands 2 Bridge CommandsTable A-6. Bridge Commands 1 Bridge enable disable Table A-6. Bridge Commands 2 ARP CommandsTable A-7. ARP Commands 1 Table A-7. ARP Commands 2 Proxy ARP CommandTable A-8. Proxy ARP Command Proxy arp eth1 dsl1 enable disable Table A-9. NAT Commands 1 NAT Commands Nat timeout time Table A-9. NAT Commands 2Nat napt purge Nat napt map udp tcp server-ip port Nat basic delete private-ip Table A-9. NAT Commands 3Nat napt delete udp tcp port Table A-9. NAT Commands 4 Dhcp Server CommandsTable A-10. Dhcp Server Commands 1 Dhcp server router ip-address Table A-10. Dhcp Server Commands 2Dhcp server name domain name Dhcp server nameserver ip-addressip-address2 Table A-11. Dhcp Relay Agent Commands Dhcp Relay Agent CommandsDhcp relay enable disable Dhcp relay address ip-address Table A-12. IP Packet Processing Commands IP Packet Processing CommandsIP multicast enable disable IP routing enable disable Table A-13. PPPoE Client Commands 1 PPPoE Client CommandsPppoe enable disable Ppp ip eth1 dsl1 passthrough mask no-dns Ppp authentication chap pap both none Table A-13. PPPoE Client Commands 2From previous Ppp username username Table A-13. PPPoE Client Commands 3 Table A-14. Telnet Commands 1 Telnet Commands Telnet timeout time Table A-14. Telnet Commands 2Telnet keep-alive enable disable Telnet keep-alive timeout time Clearing Statistics Command Traps CommandTable A-15. Traps Command Table A-16. Clearing Statistics Command Table A-17. Show Commands 1 Show CommandsShow alarms Show arp timeout Show config Table A-17. Show Commands 2Displays either console enabled or console disabled Show bridge Show dhcp relay Table A-17. Show Commands 3Show dhcp server Show interface eth1 dsl1 Table A-17. Show Commands 4Show ip route ip-address Show nat basic Table A-17. Show Commands 5Show nat napt Show pppoe Table A-17. Show Commands 6Show spanning-tree Show statistics eth1 dsl1 ip bridge pppoe tftp Table A-17. Show Commands 7Show statistics eth1 Show statistics dsl1 Table A-17. Show Commands 8Show statistics ip Show statistics bridge Show statistics pppoe Table A-17. Show Commands 9Show statistics tftp Show system Table A-17. Show Commands 10Show telnet Show traps Command Line Interface November Configuration Default Settings Configuration Defaults Command Line Shortcuts A-17 Table B-2. Command Line Shortcuts 1 Command Line ShortcutsArp create ip-addr mac-addr Arp delete ip-addr Table B-2. Command Line Shortcuts 2 Table B-2. Command Line Shortcuts 3 Show nat basic napt Show pppoe Table B-2. Command Line Shortcuts 4Show syslog Show system Show telnet Syslog ip ip-addrmgt srvc Snmp Overview Traps and MIBsTraps Overview Variable Binding DSL Router Traps Standard MIBs MIBs OverviewMIB II RFC System System Group Interfaces Interfaces Group RFCIfEntry IfType Identifies the interface type based Supported values IfXEntry Extension to Interfaces Table RFCMbps True1 IP Group RFC Table C-5. IP Group Objects Description Setting/Contents IpForward IP Cidr Route Group RFCIpCidrRouteEntry Snmp Group Transmission Group Ethernet-Like MIB RFC Paradyne Enterprise MIBs NoOp1 Device Control MIBActive1 Inactive2 Ping Test Device Diagnostics MIBTraceRoute InProgress2 Active test IcmpError TimeoutSystemError ApplpingTestEntry Traceroute ConfigureApplTracerouteResultsEntry AppTracerouteResultsEntry DevStatus1 Health and Status MIBDevStatus Factory1-to-active8 Configuration MIB PdnInetIpAddressTableEntry Interface Configuration MIBPrimary Secondary Dhcp MIB DSL Endpoint MIB DSL Router Terminal Emulation Accessing the List Command Output Terminal Emulation Programs Firmware Upgrade Commands Firmware UpgradeOverview Apply download Download dsl1ifn eth1ifn server-ip filename Firmware Upgrade ProceduresDownload ifn address eth1 155.1.3.254 Paradyne server Downloading will affect user data performance Are you sure? System is being reset At the CUSTOMER-CONFIG# prompt, type apply downloadNo new firmware to apply Firmware Upgrade November Index Symbols IN-2 IN-3 IN-4 IN-5 IN-6