Allied Telesis Layer 3 Switches manual Introduction, Contents


How To Create A Secure Network With Allied Telesis Managed Layer 3 Switches

Introduction

Allied Telesis switches include a range of sophisticated security features at layer 2 and layer 3. This How To Note describes these features and includes brief examples of how to configure them.

The implementations shown in this How To Note should be thought of as industry-standard best practices.

Contents

Introduction ........................................................... 1
Which products and software versions does this information apply to? ... 2
Securing the device .................................................... 3
Protecting the network ................................................. 3
    Protecting against packet flooding ................................. 3
    Protecting against rapid MAC movement .............................. 6
    Controlling multicast traffic ...................................... 7
Managing the device securely ........................................... 9
    Using Secure Shell (SSH) ........................................... 9
    Using SSL for secure web access ................................... 10
    Using SNMPv3 ...................................................... 10
    Whitelisting telnet hosts ......................................... 12
Identifying the user .................................................. 14
    IP spoofing and tracking .......................................... 14
    Rejecting Gratuitous ARP (GARP) ................................... 15
    DHCP snooping ..................................................... 15
    Using 802.1x port authentication .................................. 17
Protecting the user ................................................... 18
    Using private VLANs ............................................... 18
    Using local proxy ARP and MAC-forced forwarding ................... 19
    Using IPsec to make VPNs .......................................... 24
Protecting against worms .............................................. 25

C613-16103-00 REV A

www.alliedtelesis.com

[Image 1: Contents. The image is a rendering of the document's full heading outline and of the network diagram labels (Edge switch, Access Router) used in its examples. Beyond the contents list above it shows these lower-level headings:
Protecting against packet flooding: Bandwidth limiting; Using storm protection; Using QoS policy-based storm protection (reboot after turning on enhanced mode).
Controlling multicast traffic: IGMP snooping; IGMP filtering; IGMP throttling.
Managing the device securely: Enable SNMP (under Using SNMPv3).
Whitelisting telnet hosts: Building a whitelist through layer 3 filters; Building a whitelist through QoS.
Identifying the user: Trouble with ARP; Using static binding for rigid control; Setting up DHCP snooping; Using DHCP snooping to track clients; Using ARP security.
Protecting the user: To remove ports from the VLAN; Local proxy ARP; Configuration of access router; MAC-Forced Forwarding (MACFF) switches.
Protecting against worms: Blocking worms through classifier-based filters; Blocking worms through QoS actions (example topology: edge switch 1 directly connected to the access router).]