Protecting the user
This section describes the following methods of protecting users from other users on the network:
• “Using private VLANs” on page 18. This feature isolates switch ports in a VLAN from other switch ports in the same VLAN.
• “Using local proxy ARP and
• “Using IPsec to make VPNs” on page 24. This feature creates secure tunnels through an insecure network.
• “Protecting against worms” on page 25. These methods reduce the damage worms do to users of the network.
Using private VLANs
Private VLANs are an excellent way of preventing hosts on a subnet from attacking each other. Essentially, each switch port is isolated from other ports in the VLAN, but can access another network through an uplink port or uplink trunk group. All traffic between private ports is blocked, not just Layer 2 traffic.
[Figure: a switch with an uplink port; a hacker and a legitimate customer are attached to isolated private ports in the same VLAN]
Private VLANs are reasonably flexible. A private port can be a member of multiple private VLANs. However, a port cannot be a private port in some VLANs and a
On
switches that are connected in a ring topology. Also, you can group private ports together on these switches, which allows the ports in a group to communicate with each other but not with other ports in the VLAN.
Note that ports are only isolated from ports on the same physical switch, not from ports on other switches reached through an uplink port.
Configuration
1. Create the VLAN, specifying that it is private.
2. Add the uplink port, or the ports in the uplink trunk group, to the VLAN. For a trunk group, the ports must already be trunked together, and you must specify all the ports in the trunk group. Note that on Rapier 48i and
3. Add the private ports to the VLAN.
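The forwarding rules this section describes (uplink reaches everything, private ports are isolated from each other unless grouped, and a trunk must be added whole) are modelled below as an added Python example. It is not Allied Telesis code; the class and function names (PrivateVlan, can_forward, build_example) and the port numbering are assumptions made for illustration.

```python
# Added example: a model of private-VLAN forwarding rules, not switch code.
from dataclasses import dataclass, field


@dataclass
class PrivateVlan:
    vid: int
    uplink_ports: set = field(default_factory=set)
    private_ports: set = field(default_factory=set)
    groups: dict = field(default_factory=dict)  # private port -> group name

    def add_uplink_port(self, port):
        self.uplink_ports.add(port)

    def add_uplink_trunk(self, trunk_members, ports):
        """Add an uplink trunk group; every member of the trunk must be listed,
        mirroring the configuration note above."""
        if set(ports) != set(trunk_members):
            raise ValueError("all ports of the trunk group must be specified")
        self.uplink_ports.update(ports)

    def add_private_port(self, port, group=None):
        self.private_ports.add(port)
        if group is not None:
            self.groups[port] = group

    def can_forward(self, ingress, egress):
        """Decide whether traffic entering on `ingress` may reach `egress`.
        The rule covers all traffic between private ports, not only Layer 2."""
        members = self.uplink_ports | self.private_ports
        if ingress == egress or ingress not in members or egress not in members:
            return False
        # An uplink port may exchange traffic with any port in the VLAN.
        if ingress in self.uplink_ports or egress in self.uplink_ports:
            return True
        # Two private ports are isolated unless they share a group.
        g_in, g_out = self.groups.get(ingress), self.groups.get(egress)
        return g_in is not None and g_in == g_out


def build_example():
    """Constructed topology: port 1 is the uplink, ports 2 to 5 are private,
    and ports 4 and 5 are grouped so they may talk to each other."""
    vlan = PrivateVlan(vid=10)
    vlan.add_uplink_port(1)
    for port in (2, 3):
        vlan.add_private_port(port)
    vlan.add_private_port(4, group="shared")
    vlan.add_private_port(5, group="shared")
    return vlan
```

With this topology, `can_forward(2, 3)` is False (two isolated private ports) while `can_forward(3, 1)` and `can_forward(4, 5)` are True.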
Create A Secure Network With Allied Telesis Managed Layer 3 Switches | 18 |