Security management example – Nortel Networks WEB OS 212777 User Manual

Page 468

Web OS 10.0 Application Guide

Chapter 17: Bandwidth Management

212777-A, February 2002

Security Management Example

BWM can be used to prevent Denial of Service (DoS) attacks that flood the network with
“necessary evil” packets. It does this by limiting the rate of TCP SYN, ping, and other
disruptive packets, and by alerting the network manager (and logging the event) when soft
limits are exceeded.

In the following example, a filter is configured to match ping packets, and BWM is configured
to prevent DoS attacks by limiting the bandwidth policy rate of those packets:

1. Configure the switch as usual for SLB (see “Server Load Balancing” on page 117):

   - Assign an IP address to each of the real servers in the server pool.
   - Define an IP interface on the switch.
   - Define each real server.
   - Define a real server group.
   - Define a virtual server.
   - Define the port configuration.

NOTE – Ensure BWM is enabled on the switch (/cfg/bwm/on).

2. Select a bandwidth policy.

   Each policy must have a number from 1 to 64.

       >> # /cfg/bwm/pol 1                       (Select BWM policy 1)

3. Set the hard, soft, and reserved rate limits for this policy in Kilobytes.

       >> Policy 1# hard 250k                    (Set “never exceed” rate)
       >> Policy 1# soft 250k                    (Set desired bandwidth rate)
       >> Policy 1# resv 250k                    (Set committed information rate)

4. Set the buffer limit for the policy.

   Set a parameter between 8192 and 128000 bytes. The buffer depth for a BWM contract should
   be set to a multiple of the packet size.

       >> Policy 1# buffer 8192                  (Set policy buffer limit of 8192 bytes)

5. On the switch, select a BWM contract and name the contract.

   Each contract must have a unique number from 1 to 256.

       >> Bandwidth Management# /cfg/bwm/cont 1  (Select BWM contract 1)
       >> BWM Contract 1# name icmp              (Select contract name “icmp”)
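
As an added example (not part of the Nortel guide), this Python check runs a pasted BWM command list against the limits stated in steps 2 to 5: policy numbers 1 to 64, contract numbers 1 to 256, and a buffer of 8192 to 128000 bytes that is a multiple of the packet size. The function name `lint_bwm`, the 64-byte default packet size and the accepted rate suffixes are assumptions.

```python
import re

POLICIES, CONTRACTS = range(1, 65), range(1, 257)  # numbering limits from the page
BUF_MIN, BUF_MAX = 8192, 128000                    # buffer limits in bytes, from the page
RATE = re.compile(r"\d+[kKmM]?")  # page shows only "250k"; other forms are assumed

# Constructed input: the commands shown on this page, prompts included.
SAMPLE = """\
>> # /cfg/bwm/pol 1
>> Policy 1# hard 250k
>> Policy 1# soft 250k
>> Policy 1# resv 250k
>> Policy 1# buffer 8192
>> Bandwidth Management# /cfg/bwm/cont 1
>> BWM Contract 1# name icmp
"""

def lint_bwm(script, packet_size=64):
    """Return findings for a BWM command list; packet_size (bytes) is assumed."""
    findings, seen, pol = [], {}, None
    for n, raw in enumerate(script.splitlines(), 1):
        words = re.sub(r"^>>[^#]*#", "", raw.strip()).split()  # drop a pasted prompt
        if not words:
            continue
        cmd, arg = words[0], (words[1] if len(words) > 1 else "")
        menu = re.fullmatch(r"/cfg/bwm/(pol|cont)", cmd)
        if menu:
            kind, pol = menu.group(1), None  # leaving the policy menu ends its context
            valid = POLICIES if kind == "pol" else CONTRACTS
            if not arg.isdecimal() or int(arg) not in valid:
                findings.append(f"line {n}: {kind} number {arg!r} outside {valid.start}-{valid.stop - 1}")
            elif kind == "pol":
                pol = int(arg)
                seen.setdefault(pol, set())
        elif pol is not None and cmd in ("hard", "soft", "resv"):
            if RATE.fullmatch(arg):
                seen[pol].add(cmd)
            else:
                findings.append(f"line {n}: {cmd} rate {arg!r} is not a number with optional unit")
        elif pol is not None and cmd == "buffer":
            seen[pol].add(cmd)
            if not arg.isdecimal() or not BUF_MIN <= int(arg) <= BUF_MAX:
                findings.append(f"line {n}: buffer {arg!r} outside {BUF_MIN}-{BUF_MAX} bytes")
            elif int(arg) % packet_size:
                findings.append(f"line {n}: buffer {arg} is not a multiple of {packet_size}-byte packets")
    for p, have in sorted(seen.items()):  # steps 3 and 4: every policy needs all four values
        for missing in sorted({"hard", "soft", "resv", "buffer"} - have):
            findings.append(f"policy {p}: {missing} not set")
    return findings
```

Calling `lint_bwm(SAMPLE)` returns an empty list for the commands on this page; pass the real packet size of the limited traffic as `packet_size` to check the buffer-multiple rule.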