151| IPv6 Support AOS-W 6.5.3.x| User Guide
Parameter Description
Enforce TCP Handshake
Before Allowing Data
Prevents data from passing between two clients until the three-way TCP handshake
has been performed. This option should be disabled when you have mobile clients
on the network, as enabling this option will cause mobility to fail. You can enable
this option if there are no mobile clients on the network.
Default: Disabled
Prohibit IP Spoofing Enables detection of IP spoofing (where an intruder sends messages using the IP
address of a trusted client). When you enable this option, IP and MAC addresses
are checked for each ARP request/response. Traffic from a second MAC address
using a specific IP address is denied, and the entry is not added to the user table.
Possible IP spoofing attacks are logged and an SNMP trap is sent.
Default: Disabled
Prohibit RST Replay Attack When enabled, closes a TCP connection in both directions if a TCP RST is received
from either direction. You should not enable this option unless instructed to do so
by an Alcatel-Lucent representative.
Default: Disabled
Session Mirror
Destination
Destination (IPv4 address or switch port) to which mirrored session packets are
sent. You can configure IPv6 flows to be mirrored with the session ACL “mirror”
option. This option is used only for troubleshooting or debugging.
Default: N/A
Session Idle Timeout Set the time, in seconds, that a non-TCP session can be idle before it is removed
from the session table. Specify a value in the range 16–259 seconds. You should
not set this option unless instructed to do so by an Alcatel-Lucent representative.
Default: 30 seconds
Per-packet Logging Enables logging of every packet if logging is enabled for the corresponding session
rule. Normally, one event is logged per session. If you enable this option, each
packet in the session is logged. You should not enable this option unless instructed
to do so by an Alcatel-Lucent representative, as doing so may create unnecessary
overhead on the switch.
Default: Disabled (per-session logging is performed)
IPv6 Enable Enables IPv6 globally.
Table 38: IPv6 Firewall Parameters
The following examples configure attack rates and the session timeout for IPv6 traffic.
To configure the firewall function via the WebUI:
1. Navigate to the Configuration > Advanced Services > Stateful Firewall > Global Setting page.
2. Under the IPv6 column, enter the following:
n For Monitor Ping Attack, enter 15
n For Monitor IP Session Attack, enter 25
n For Session Idle Timeout, enter 60
3. Click Apply.
To configure firewall functions using the command line interface, issue the following commands in config
mode:
ipv6 firewall attack-rate ping 15
ipv6 firewall attack-rate session 25
ipv6 firewall session-idle-timeout 60
To Next Page
Loading...