Allied Telesis Layer 3 Switches manual Using local proxy ARP and MAC-forced forwarding

Page 19

Protecting the user

Example: To create a private VLAN with ports 2-6 in it, with an uplink trunk group of ports 24 and 25:

create vlan=example vid=2 private
add vlan=2 port=24-25 frame=tagged uplink
add vlan=2 port=2-6

To remove ports from the VLAN:

# remove port 4
delete vlan=2 port=4

# remove all private ports and the uplink ports
delete vlan=2 port=all

Using local proxy ARP and MAC-forced forwarding

Both these features ensure the integrity of ARP in your network and let you take granular control of IP traffic flows. They do this by forcing traffic that would have been dropped by private VLANs to go via an access router. Both features stop hosts from learning the MAC addresses of other hosts in their subnet—they learn the MAC address of the access router instead.

You can use these features, for example, to allow customers to use VoIP to telephone each other while blocking any video, data, or management traffic between customers.

MAC-forced forwarding (page 23) requires more configuration than local proxy ARP (page 20) but is more powerful. MAC-forced forwarding:

• ensures that all ARP replies are generated by the directly-connected switch (not the access router). This removes the ARP process from the access router, minimises the distance ARPs travel through the network, and protects against ARP Denial of Service attacks.

• dynamically determines the appropriate access router for a host by snooping DHCP packets.

• bypasses the access router for traffic between application servers and their clients.

With software versions 291-05 and later, you can use MAC-forced forwarding without configuring private VLANs. However, we recommend you use it with private VLANs for maximum security.
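The following is a constructed model of what the edge switch does under MAC-forced forwarding, added here to make the three behaviours above concrete; it is not Allied Telesis code and uses none of the switch CLI. It assumes the switch has already resolved the access router's MAC on its uplink, and it represents the application-server exception as a plain `servers` table (the real configuration knob is not shown on this page). All addresses and MACs are invented for the example; the 192.168.4.0/24 subnet is only borrowed from the local proxy ARP example on the following pages.

```python
"""Constructed model of MAC-forced forwarding (MACFF) on an edge switch.

Added for this page; not Allied Telesis code. It models what the text
describes: the edge switch snoops DHCP to learn each client's access router,
answers the client's ARP requests itself with the router's MAC, and forwards
the client's frames only towards that router (or a configured application
server, the one case MACFF lets bypass the router).
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import Dict, Optional


@dataclass
class ClientBinding:
    """What the switch learns about one client from its DHCP ACK."""
    ip: IPv4Address
    mac: str
    gateway_ip: IPv4Address
    gateway_mac: str


@dataclass
class MacffEdgeSwitch:
    # Application servers whose real MAC may be handed to clients.
    # Assumption: operator-configured; the real CLI knob is not on this page.
    servers: Dict[IPv4Address, str]
    # MACs the switch itself has resolved on the uplink (router, servers).
    uplink_arp: Dict[IPv4Address, str] = field(default_factory=dict)
    bindings: Dict[str, ClientBinding] = field(default_factory=dict)

    def snoop_dhcp_ack(self, client_mac: str, yiaddr: str, router_option: str) -> ClientBinding:
        """Create a client binding from a snooped DHCP ACK (yiaddr plus option 3, router)."""
        gateway_ip = IPv4Address(router_option)
        if gateway_ip not in self.uplink_arp:
            raise LookupError(f"router {gateway_ip} not resolved on uplink")
        binding = ClientBinding(IPv4Address(yiaddr), client_mac,
                                gateway_ip, self.uplink_arp[gateway_ip])
        self.bindings[client_mac] = binding
        return binding

    def arp_reply_for(self, sender_mac: str, target_ip: str) -> Optional[str]:
        """MAC the switch puts in the ARP reply it generates on the client's behalf.

        Returns None when the sender has no DHCP binding (the request is dropped).
        """
        binding = self.bindings.get(sender_mac)
        if binding is None:
            return None
        target = IPv4Address(target_ip)
        if target in self.servers:
            return self.servers[target]          # server traffic bypasses the router
        # Any other address, including another client in the same subnet,
        # resolves to the access router: the client never learns a peer's MAC.
        return binding.gateway_mac

    def forwards(self, src_mac: str, dst_mac: str) -> bool:
        """Forced forwarding: a client frame only goes to its router or a server."""
        binding = self.bindings.get(src_mac)
        if binding is None:
            return False
        return dst_mac == binding.gateway_mac or dst_mac in self.servers.values()


def demo() -> dict:
    """Two clients in 192.168.4.0/24; every address and MAC here is constructed."""
    router_ip, router_mac = IPv4Address("192.168.4.1"), "00:00:cd:00:00:01"
    server_ip, server_mac = IPv4Address("192.168.4.200"), "00:00:cd:00:00:c8"
    sw = MacffEdgeSwitch(servers={server_ip: server_mac})
    sw.uplink_arp[router_ip] = router_mac   # assumed: switch resolved the router itself
    a, b = "00:11:22:33:44:0a", "00:11:22:33:44:0b"
    sw.snoop_dhcp_ack(a, "192.168.4.10", "192.168.4.1")
    sw.snoop_dhcp_ack(b, "192.168.4.11", "192.168.4.1")
    return {
        "a_arps_b": sw.arp_reply_for(a, "192.168.4.11"),        # router MAC, not b's
        "a_arps_router": sw.arp_reply_for(a, "192.168.4.1"),
        "a_arps_server": sw.arp_reply_for(a, "192.168.4.200"),  # real server MAC
        "a_to_b_direct": sw.forwards(a, b),                     # dropped
        "a_to_router": sw.forwards(a, router_mac),              # forwarded
        "stranger": sw.arp_reply_for("de:ad:be:ef:00:00", "192.168.4.11"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Note what the model does and does not decide: client A's ARP for client B gets the router's MAC, and a frame A addresses straight to B is dropped, so all customer-to-customer traffic reaches the access router. Whether VoIP is then allowed while video, data and management traffic between customers is blocked is a filtering decision on the access router, not on the edge switch. A host with no DHCP binding gets no ARP reply and no forwarding at all, which is why the page recommends pairing the feature with private VLANs and DHCP snooping rather than relying on it alone.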

Create A Secure Network With Allied Telesis Managed Layer 3 Switches

