Allied Telesis Layer 3 Switches manual Building a whitelist through QoS

Page 13

Managing the device securely

Building a whitelist through QoS

On AT-8948, AT-9900, AT-9900s, and x900 Series switches, use classifiers to build a whitelist and QoS to apply it.

Products

AT-8948
AT-9900 Series
AT-9924Ts
x900-48 Series
x900-24 Series

Software Versions

2.7.3 and later

Configuration

1. Create classifiers to match telnet traffic from permitted IP addresses to the switch's IP address.

2. Create a classifier to match all telnet traffic to the switch's IP address.

3. Create a flow group and add the classifiers for permitted traffic to it.

4. Create a second flow group with a higher ID number and add the classifier that matches all telnet traffic to it.

5. Create the rest of the QoS framework: the traffic class and the policy.

6. Apply the policy to all ports to stop telnet from all directions.

QoS is an incredibly versatile hardware-level packet filtering mechanism. For more information about setting up QoS on these switches, see How To Configure QoS On AT-8948, AT-9900, AT-9900s And x900 Series Switches. This How To Note is available from www.alliedtelesis.com/resources/literature/howto.aspx.

Example

To permit only the host with IP address 172.30.1.144 to telnet to the switch 172.28.40.70:

create classifier=1 ipsa=172.30.1.144/32 ipda=172.28.40.70/32 tcpd=23
create classifier=2 ipda=172.28.40.70/32 tcpd=23
create qos flowgroup=1 action=forward
create qos flowgroup=2 action=discard
create qos trafficclass=1
create qos policy=1
add qos flowgroup=1 classifier=1
add qos flowgroup=2 classifier=2
add qos trafficclass=1 flowgroup=1
add qos trafficclass=1 flowgroup=2
add qos policy=1 trafficclass=1
set qos port=all policy=1
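As an added example (not part of the How To Note and not Allied Telesis code), the script below generates the same command set for any number of permitted hosts and models why step 4 insists on the higher flow-group ID for the catch-all; the ascending-ID, first-match evaluation it uses is an assumption drawn from step 4, not something the note states explicitly.

```python
# Added example, not code from the Allied Telesis How To Note: generates the
# note's whitelist commands for any number of permitted hosts and models the
# flow-group matching order that step 4 depends on (assumed: ascending ID).
TELNET_PORT = 23

def build_whitelist(permitted_hosts, switch_ip):
    """Return (commands, flowgroups). Classifiers 1..n match each permitted
    host, classifier n+1 is the catch-all for telnet to the switch. The
    catch-all goes in flow group 2 so the permit group (ID 1) is checked first."""
    if not permitted_hosts:
        raise ValueError("empty whitelist would discard all telnet, including your own")
    n = len(permitted_hosts)
    permit = [{"ipsa": h, "ipda": switch_ip, "tcpd": TELNET_PORT} for h in permitted_hosts]
    catch_all = {"ipda": switch_ip, "tcpd": TELNET_PORT}   # no ipsa: matches any source
    cmds = [f"create classifier={i} ipsa={c['ipsa']}/32 ipda={c['ipda']}/32 tcpd={c['tcpd']}"
            for i, c in enumerate(permit, start=1)]
    cmds.append(f"create classifier={n + 1} ipda={switch_ip}/32 tcpd={TELNET_PORT}")
    cmds += ["create qos flowgroup=1 action=forward",
             "create qos flowgroup=2 action=discard",
             "create qos trafficclass=1",
             "create qos policy=1"]
    cmds += [f"add qos flowgroup=1 classifier={i}" for i in range(1, n + 1)]
    cmds.append(f"add qos flowgroup=2 classifier={n + 1}")
    cmds += ["add qos trafficclass=1 flowgroup=1",
             "add qos trafficclass=1 flowgroup=2",
             "add qos policy=1 trafficclass=1",
             "set qos port=all policy=1"]
    flowgroups = [(1, "forward", permit), (2, "discard", [catch_all])]
    return cmds, flowgroups

def telnet_verdict(flowgroups, packet):
    """Model of the policy: flow groups are tried in ascending ID order and the
    first classifier that matches decides the action (assumption taken from
    step 4); packets no classifier matches are left alone by this policy."""
    for _, action, classifiers in sorted(flowgroups, key=lambda fg: fg[0]):
        for clf in classifiers:
            if all(packet.get(field) == value for field, value in clf.items()):
                return action
    return "unmatched"

if __name__ == "__main__":
    cmds, fgs = build_whitelist(["172.30.1.144"], "172.28.40.70")
    print("\n".join(cmds))
    admin = {"ipsa": "172.30.1.144", "ipda": "172.28.40.70", "tcpd": 23}
    print(telnet_verdict(fgs, admin))                    # forward
    # Swapping the IDs (catch-all first) would discard the permitted host too.
    swapped = [(2, fgs[0][1], fgs[0][2]), (1, fgs[1][1], fgs[1][2])]
    print(telnet_verdict(swapped, admin))                # discard
```

With a single permitted host the generated commands are exactly the twelve lines of the note's example, so the script doubles as a check before pasting a longer whitelist into the switch.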

Create A Secure Network With Allied Telesis Managed Layer 3 Switches
