Allied Telesis Layer 3 Switches manual Managing the device securely

Page 11

Managing the device securely

Examples

To allow the user “steve” full read, write and notify SNMP access to the switch:

enable snmp

add snmp view=full oid=1.3.6.1 type=include

add snmp group=super-users securitylevel=authPriv readview=full writeview=full notifyview=full

add snmp user=steve group=super-users authprotocol=md5 authpassword=cottonsox privprotocol=des privpassword=woollytop

Note: md5 and des are the weakest algorithms SNMPv3 defines; prefer SHA authentication and a stronger privacy protocol where the software release offers them. The passwords shown are examples only; SNMPv3 requires authentication and privacy passwords of at least eight characters, and they should be chosen like any other administrative credential.

To also give the user “jane” read and notify access to everything on the switch, add the following commands:

add snmp group=users securitylevel=authNoPriv readview=full notifyview=full

add snmp user=jane group=users authprotocol=md5 authpassword=redjeans

To also give the user “paul” unauthenticated read access to everything on the switch except BGP, add the following commands:

add snmp view=restricted oid=1.3.6.1 type=include

# exclude bgp by specifying either mib=bgp or oid=1.3.6.1.2.1.15:
add snmp view=restricted mib=bgp type=exclude

add snmp group=restricted-users securitylevel=noAuthNoPriv readview=restricted

add snmp user=paul group=restricted-users

Because the group's security level is noAuthNoPriv, requests from “paul” are neither authenticated nor encrypted: anyone who can reach the switch's SNMP agent and knows the user name can read everything in the restricted view, so give this kind of user access only to objects you are prepared to expose.

To also send traps securely to the PC with IP address 192.168.11.23 for user “steve” to see, add the following commands:

add snmp targetparams=netmonpc securitylevel=authPriv user=steve

add snmp targetaddress=nms ip=192.168.11.23 udp=162 params=netmonpc

The traps are sent in user “steve”'s authPriv context, so the receiving station must be configured with the same user name, authentication and privacy settings to verify and decrypt them; udp=162 is the standard SNMP notification port.
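The view, group and user commands above, and the trap target that sends notifications in steve's authPriv context, all resolve through SNMPv3's view-based access control model: a user belongs to a group, the group fixes a minimum security level and a read, write and notify view, and each view is a set of included and excluded OID subtrees. The following Python is an added example, not Allied Telesis code or output from the switch. It reproduces the full, users and restricted configuration as data and answers the questions a practitioner would ask of it (may jane write, may paul read under bgp, is a noAuthNoPriv request from jane refused). It simplifies the real model by ignoring view masks and context names and by treating an OID as belonging to a subtree when the subtree is a plain prefix of it; those are assumptions, as are the object identifiers used in the checks (sysName.0, bgpLocalAs.0 and the linkDown trap OID are standard MIB-II, BGP4-MIB and SNMPv2-MIB values, not taken from this page).

```python
"""Toy model of SNMPv3 view-based access control (VACM, RFC 3415).

Added example, not Allied Telesis code. Assumptions: view masks and context
names are ignored, and an OID is in a subtree if the subtree is a prefix of it.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Ordering used to compare a request's level with a group's minimum level.
LEVELS = {"noAuthNoPriv": 0, "authNoPriv": 1, "authPriv": 2}


def parse_oid(oid: str) -> Tuple[int, ...]:
    """'1.3.6.1.2.1.15' -> (1, 3, 6, 1, 2, 1, 15)."""
    return tuple(int(x) for x in oid.strip(".").split("."))


@dataclass
class View:
    # (subtree, included?) in the order the 'add snmp view' commands were given
    families: List[Tuple[Tuple[int, ...], bool]] = field(default_factory=list)

    def add(self, oid: str, include: bool) -> None:
        self.families.append((parse_oid(oid), include))

    def permits(self, oid: str) -> bool:
        """The most specific (longest) matching subtree decides; no match = excluded."""
        target = parse_oid(oid)
        best: Optional[Tuple[Tuple[int, ...], bool]] = None
        for subtree, include in self.families:
            if target[: len(subtree)] == subtree:
                if best is None or len(subtree) > len(best[0]):
                    best = (subtree, include)
        return best is not None and best[1]


@dataclass
class Group:
    min_level: str                   # securitylevel= on 'add snmp group'
    readview: Optional[str] = None
    writeview: Optional[str] = None
    notifyview: Optional[str] = None


class Vacm:
    def __init__(self) -> None:
        self.views: Dict[str, View] = {}
        self.groups: Dict[str, Group] = {}
        self.users: Dict[str, str] = {}   # user -> group name

    def add_view(self, name: str, oid: str, include: bool = True) -> None:
        self.views.setdefault(name, View()).add(oid, include)

    def add_group(self, name: str, securitylevel: str, readview: Optional[str] = None,
                  writeview: Optional[str] = None, notifyview: Optional[str] = None) -> None:
        self.groups[name] = Group(securitylevel, readview, writeview, notifyview)

    def add_user(self, name: str, group: str) -> None:
        self.users[name] = group

    def is_allowed(self, user: str, securitylevel: str, operation: str, oid: str) -> bool:
        """operation is 'read', 'write' or 'notify'."""
        group = self.groups.get(self.users.get(user, ""))
        if group is None:
            return False                      # unknown user or group
        # The group's level is a minimum: a weaker request is refused outright,
        # a stronger one (e.g. authPriv against an authNoPriv group) is accepted.
        if LEVELS[securitylevel] < LEVELS[group.min_level]:
            return False
        viewname = getattr(group, operation + "view")
        if viewname is None:
            return False                      # group has no view for this operation
        return self.views[viewname].permits(oid)


def build_example() -> Vacm:
    """The 'full', 'users' and 'restricted' configuration from the CLI examples."""
    v = Vacm()
    v.add_view("full", "1.3.6.1", include=True)
    v.add_group("super-users", "authPriv", readview="full", writeview="full", notifyview="full")
    v.add_user("steve", "super-users")
    v.add_group("users", "authNoPriv", readview="full", notifyview="full")
    v.add_user("jane", "users")
    v.add_view("restricted", "1.3.6.1", include=True)
    v.add_view("restricted", "1.3.6.1.2.1.15", include=False)   # mib=bgp type=exclude
    v.add_group("restricted-users", "noAuthNoPriv", readview="restricted")
    v.add_user("paul", "restricted-users")
    return v


# Object identifiers for the checks (standard MIB values, assumed; not from the page).
SYSNAME = "1.3.6.1.2.1.1.5.0"        # sysName.0
BGP_LOCAL_AS = "1.3.6.1.2.1.15.2.0"  # bgpLocalAs.0, inside the excluded bgp subtree
LINK_DOWN = "1.3.6.1.6.3.1.1.5.3"    # linkDown, as carried in a notification

if __name__ == "__main__":
    vacm = build_example()
    for who, level, op, oid in [
        ("steve", "authPriv", "write", SYSNAME),
        ("steve", "authNoPriv", "read", SYSNAME),   # weaker than the group's minimum
        ("jane", "authNoPriv", "write", SYSNAME),   # group has no writeview
        ("paul", "noAuthNoPriv", "read", SYSNAME),
        ("paul", "noAuthNoPriv", "read", BGP_LOCAL_AS),
        ("steve", "authPriv", "notify", LINK_DOWN),
    ]:
        print(f"{who:6} {level:12} {op:6} {oid:22} -> {vacm.is_allowed(who, level, op, oid)}")
```

Running the script prints one line per check; the two points worth noticing are that steve's own credentials are refused when a request arrives at authNoPriv, because the group's securitylevel is a floor rather than a label, and that paul can read sysName.0 but not bgpLocalAs.0, because the longer excluded bgp subtree beats the shorter included 1.3.6.1 subtree in the restricted view.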

For more information about the above examples, see How To Configure SNMPv3 On Allied Telesis Routers and Managed Layer 3 Switches, available from www.alliedtelesis.com/resources/literature/howto.aspx. This How To Note also explains SNMPv3 concepts in detail, including users, groups and views.

Create A Secure Network With Allied Telesis Managed Layer 3 Switches

C613-16103-00 REV A