Jan 31

Bandwidth management is the process of measuring and controlling the communications (traffic, packets) on a network link, to avoid filling the link to capacity or overfilling the link, which would result in network congestion and poor performance.

Bandwidth Control is a feature that allows the Network Administrator to specify the allowed rate of incoming and outgoing traffic on a per port basis. All D-Link switches that support Bandwidth Control will allow you to limit the Tx and Rx rates to a minimum value (see the manual for the minimum granularity value for your switch).


Aug 25

When you use the Virtual Server, Port Forwarding, or Remote Administration features to open specific ports to traffic from the Internet, you could be increasing the exposure of your LAN to cyberattacks from the Internet.

In these cases, you can use Inbound Filters to limit that exposure by specifying the IP addresses of internet hosts that you trust to access your LAN through the ports that you have opened. You might, for example, only allow access to a game server on your home LAN from the computers of friends whom you have invited to play the games on that server.

Inbound Filters can be used to limit access to a server on your network to a system or group of systems. Filter rules can be used with the Virtual Server, Gaming, or Remote Administration features. Each filter can be used for several functions; for example, a “Game Clan” filter might allow all of the members of a particular gaming group to play several different games for which gaming entries have been created. At the same time, an “Admin” filter might only allow systems from your office network to access the WAN admin pages and an FTP server you use at home. If you add an IP address to a filter, the change takes effect in all of the places where the filter is used.

Add/Edit Inbound Filter Rule

Here you can add entries to the Inbound Filter Rules List below, or edit existing entries.

Name

Enter a name for the rule that is meaningful to you.

Action

The rule can either Allow or Deny messages.

Source IP Range

Define the ranges of Internet addresses this rule applies to. For a single IP address, enter the same address in both the Start and End boxes. Up to eight ranges can be entered. The Enable checkbox allows you to turn on or off specific entries in the list of ranges.

Save
Saves the new or edited Inbound Filter Rule in the following list. When finished updating the Inbound Filter Rules List, you must still click the Save Settings button at the top of the page to make the changes effective and permanent.

Inbound Filter Rules List

This section lists the current Inbound Filter Rules. An Inbound Filter Rule can be changed by clicking the Edit icon, or deleted by clicking the Delete icon. When you click the Edit icon, the item is highlighted, and the “Edit Inbound Filter Rule” section is activated for editing.

In addition to the filters listed here, two predefined filters are available wherever inbound filters can be applied:

Allow All

Permit any WAN user to access the related capability.

Deny All

Prevent all WAN users from accessing the related capability. (LAN users are not affected by Inbound Filter Rules.)
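The rule fields described above can be modelled in a few lines to check what a filter really admits before it is attached to an opened port. This is an added example, not D-Link code: the class and method names are hypothetical, the addresses are constructed documentation ranges, and it assumes that traffic not matching any enabled range gets the opposite of the rule's Action.

```python
import ipaddress
from dataclasses import dataclass

MAX_RANGES = 8  # "Up to eight ranges can be entered"

@dataclass
class SourceRange:
    start: str
    end: str                # same as start for a single IP address
    enabled: bool = True    # the per-entry Enable checkbox

    def bounds(self):
        lo, hi = ipaddress.IPv4Address(self.start), ipaddress.IPv4Address(self.end)
        if lo > hi:
            raise ValueError(f"range start {lo} is above end {hi}")
        return lo, hi

@dataclass
class InboundFilter:
    name: str
    action: str             # "Allow" or "Deny"
    ranges: list

    def __post_init__(self):
        if self.action not in ("Allow", "Deny"):
            raise ValueError("Action must be Allow or Deny")
        if len(self.ranges) > MAX_RANGES:
            raise ValueError("a rule holds at most eight ranges")
        self._active = [r.bounds() for r in self.ranges if r.enabled]

    def permits(self, source):
        # Assumption (not stated on the page): a WAN source that matches no
        # enabled range is denied by an Allow rule and allowed by a Deny rule.
        addr = ipaddress.IPv4Address(source)
        matched = any(lo <= addr <= hi for lo, hi in self._active)
        return matched if self.action == "Allow" else not matched

    def matched_address_count(self):
        # Size of the enabled ranges, overlaps counted once: for an Allow
        # rule this is how many Internet hosts can reach the opened port.
        nets = [n for lo, hi in self._active for n in ipaddress.summarize_address_range(lo, hi)]
        return sum(n.num_addresses for n in ipaddress.collapse_addresses(nets))

# Constructed sample rules (RFC 5737 documentation addresses).
ADMIN = InboundFilter("Admin", "Allow", [
    SourceRange("203.0.113.10", "203.0.113.20"),          # office network
    SourceRange("198.51.100.7", "198.51.100.7"),          # single host
    SourceRange("192.0.2.0", "192.0.2.255", enabled=False),
])
BLOCK = InboundFilter("Blocked net", "Deny", [SourceRange("203.0.113.0", "203.0.113.255")])
```

A large `matched_address_count()` on an Allow rule is a sign the range was entered more broadly than the trusted hosts require.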


Aug 13

A maximum transmission unit (MTU) is the largest size packet or frame, specified in octets (eight-bit bytes), that can be sent in a packet or frame-based network such as the Internet. The Internet's Transmission Control Protocol uses the MTU to determine the maximum size of each packet in any transmission. Too large an MTU size may mean retransmissions if the packet encounters a router that can't handle that large a packet. Too small an MTU size means relatively more header overhead and more acknowledgements that have to be sent and handled. Most computer operating systems provide a default MTU value that is suitable for most users. In general, Internet users should follow the advice of their Internet service provider (ISP) about whether to change the default value and what to change it to.

In Windows 95, the default MTU was 1500 octets (eight-bit bytes), partly because this is the Ethernet standard MTU. The Internet de facto standard MTU is 576, but ISPs often suggest using 1500. If you frequently access Web sites that encounter routers with an MTU size of 576, you may want to change to that size. (Apparently some users find that changing the setting to 576 improves performance and others do not find any improvement.) The minimum value that an MTU can be set to is 68.

For more recent Windows systems, the operating system is able to sense whether your connection should use 1500 or 576 and select the appropriate MTU for the connection.


Aug 13

The Domain Name System Security Extensions (DNSSEC) is a suite of Internet Engineering Task Force (IETF) specifications for securing certain kinds of information provided by the Domain Name System (DNS) as used on Internet Protocol (IP) networks. It is a set of extensions to DNS which provide to DNS clients (resolvers) origin authentication of DNS data, authenticated denial of existence, and data integrity, but not availability or confidentiality.

The original design of the Domain Name System (DNS) did not include security; instead it was designed to be a scalable distributed system. The Domain Name System Security Extensions (DNSSEC) attempts to add security, while maintaining backwards compatibility. RFC 3833 attempts to document some of the known threats to the DNS and how DNSSEC responds to those threats.

DNSSEC was designed to protect Internet resolvers (clients) from forged DNS data, such as that created by DNS cache poisoning. All answers in DNSSEC are digitally signed. By checking the digital signature, a DNS resolver is able to check if the information is identical (correct and complete) to the information on the authoritative DNS server. While protecting IP addresses is the immediate concern for many users, DNSSEC can protect other information such as general-purpose cryptographic certificates stored in CERT records in the DNS. RFC 4398 describes how to distribute these certificates, including those for email, making it possible to use DNSSEC as a worldwide public key infrastructure for email.

What is the vulnerability in the DNS?

A caching name server, usually operated by an ISP (Internet Service Provider), sits midway between an end user’s computer and an authoritative server and stores responses for efficiency. The DNS was designed to allow this caching server to accept the first response it receives. Without the verification provided by DNSSEC authentication, it is possible for a malicious user to flood this caching name server with a spoofed response that is, most often, intended to dupe the end user into providing personal and/or financial information to what appears to be his or her intended destination.

How does DNSSEC work?

DNSSEC works through a system of keys. At each stage in supplying a DNS query response through the chain that takes it back to the initiator’s machine, a known key and a private key must be matched. In this way, the response to the query is authenticated and the response validated.


Aug 11

PPPoE stands for Point-to-Point Protocol over Ethernet. It is a non-standard method of connecting to your ISP to gain an IP address. It relies upon a software client that is provided by the ISP. An IP address is required to gain a connection to the Internet. It is used mainly with DSL services, where individual users connect to the DSL modem over Ethernet, and in plain Metro Ethernet networks. It was developed by UUNET, Redback Networks and RouterWare and is available as an informational RFC 2516.

Ethernet networks are packet-based and have no concept of a connection or circuit; they also lack basic security features to protect against IP and MAC conflicts and rogue DHCP servers. By using PPPoE, users can virtually “dial” from one machine to another over an Ethernet network, establish a point-to-point connection between them and then securely transport data packets over the connection. It is mainly used by telephone companies, since PPPoE is easily integrated with the current dial-up AAA systems and fits perfectly into the current ATM backbones. The protocol also permits very easy unbundling of DSLAMs where required by regulators, since the user would simply use a different login into PPP, and the ATM circuit would then be routed to the user’s ISP. Pre-paid traffic bucket business models can also be created with PPPoE more easily than with DHCP, as can multiplexing multiple users with different speed tiers or QoS through one DSL modem, or creating a different login for each static IP purchased by customers.
