Nortel Networks 212777 User Manual

Web OS 10.0 Application Guide
Chapter 17: Bandwidth Management
212777-A, February 2002
Security Management Example
BWM can be used to prevent Denial of Service (DoS) attacks that flood the network with “necessary evil” 
packets, by limiting the rate of TCP SYN, ping, and other disruptive packets, and by alerting/logging 
the network manager when soft limits are exceeded.
In the following example, a filter is configured to match ping packets, and BWM is configured 
to prevent DoS attacks by limiting the bandwidth policy rate of those packets:
1. Configure the switch as usual for SLB (see ):
   - Assign an IP address to each of the real servers in the server pool.
   - Define an IP interface on the switch.
   - Define each real server.
   - Define a real server group.
   - Define a virtual server.
   - Define the port configuration.

NOTE – Ensure BWM is enabled on the switch (/cfg/bwm/on).
2. Select a bandwidth policy.
   Each policy must have a number from 1 to 64.

   >> # /cfg/bwm/pol 1                          (Select BWM policy 1)

3. Set the hard, soft, and reserved rate limits for this policy in Kilobytes.

   >> Policy 1# hard 250k                       (Set “never exceed” rate)
   >> Policy 1# soft 250k                       (Set desired bandwidth rate)
   >> Policy 1# resv 250k                       (Set committed information rate)

4. Set the buffer limit for the policy.
   Set a parameter between 8192 and 128000 bytes. The buffer depth for a BWM contract should 
   be set to a multiple of the packet size.

   >> Policy 1# buffer 8192                     (Set policy buffer limit of 8192 bytes)

5. On the switch, select a BWM contract and name the contract.
   Each contract must have a unique number from 1 to 256.

   >> Bandwidth Management# /cfg/bwm/cont 1     (Select BWM contract 1)
   >> BWM Contract 1# name icmp                 (Select contract name “icmp”)
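
An added example, not part of the Nortel manual: a Python check that reads a pasted BWM CLI session and flags values outside the ranges given in steps 2, 4 and 5. The function names, the constructed BAD_SESSION and the caller-supplied packet_size are assumptions, and the soft/resv-versus-hard check is inferred from the “never exceed” annotation rather than stated by the manual.

```python
import re

# Ranges stated in steps 2, 4 and 5 above.
ID_RANGES = {"/cfg/bwm/pol": ("policy", 1, 64), "/cfg/bwm/cont": ("contract", 1, 256)}
BUFFER_MIN, BUFFER_MAX = 8192, 128000
PROMPT = re.compile(r"^>>[^#]*#\s*(\S.*)$")  # drops the ">> Policy 1# " prompt
# Constructed session: soft rate, buffer and contract number are deliberately wrong.
BAD_SESSION = """>> # /cfg/bwm/pol 1
>> Policy 1# hard 250k
>> Policy 1# soft 300k
>> Policy 1# buffer 9000
>> Bandwidth Management# /cfg/bwm/cont 300"""

def _check_rates(rates, out):
    # hard is the "never exceed" rate; flagging soft/resv above it is inferred, not stated.
    for name in ("soft", "resv"):
        if name in rates and rates[name] > rates.get("hard", rates[name]):
            out.append(f"{name} {rates[name]}k exceeds hard {rates['hard']}k")

def lint_bwm_session(text, packet_size):
    """Return findings for a pasted BWM CLI session (empty list = clean).
    packet_size (bytes) is an assumption supplied by the caller."""
    out, rates = [], {}
    for line in text.splitlines():
        m = PROMPT.match(line.strip())
        if not m:
            continue  # annotation or blank line
        words = m.group(1).split()
        cmd, arg = words[0], (words[1] if len(words) > 1 else "")
        if cmd in ID_RANGES:
            kind, lo, hi = ID_RANGES[cmd]
            if not (arg.isdecimal() and lo <= int(arg) <= hi):
                out.append(f"{kind} number {arg!r} not in {lo}-{hi}")
            if kind == "policy":
                _check_rates(rates, out)  # close out the previous policy
                rates = {}
        elif cmd in ("hard", "soft", "resv"):
            if re.fullmatch(r"\d+k", arg):
                rates[cmd] = int(arg[:-1])
            else:
                out.append(f"{cmd} rate {arg!r} is not in the NNNk form")
        elif cmd == "buffer":
            if not (arg.isdecimal() and BUFFER_MIN <= int(arg) <= BUFFER_MAX):
                out.append(f"buffer {arg!r} not in {BUFFER_MIN}-{BUFFER_MAX}")
            elif int(arg) % packet_size:
                out.append(f"buffer {arg} is not a multiple of {packet_size}")
    _check_rates(rates, out)
    return out
if __name__ == "__main__":
    print(lint_bwm_session(BAD_SESSION, 1024))
```

Annotations in parentheses after a command are ignored, so a session copied with its comments can be checked as-is.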