Allied Telesis Layer 3 Switches manual Local proxy ARP

Page 20

Protecting the user

The following figure shows a network that can use either local proxy ARP or MAC-forced forwarding. The examples in both of the following sections refer to this network.

[Figure macff.eps: a network with an access router that has an uplink to the Internet and a management PC, a SIP and multicast server, and an LACP link; the access router connects to Edge Switch 1, Edge Switch 2 and Edge Switch 3, each of which serves a residential gateway (Residential Gateway 1, 2 and 3) with a client behind it (Client 1, 2 and 3). Port numbers 1, 2, 5, 14, 15, 20, 24, 49 and 50 are labelled on the links.]

Local proxy ARP

In a network configuration like the previous figure, each edge switch uses private VLANs to stop clients from talking directly to each other. Private VLANs stop the edge switch from flooding broadcast traffic, including clients’ ARP requests. Instead, the switch sends ARP requests out its uplink port to the access router.

Products: All switches listed on page 2
Software Versions: 2.9.1 or later

If local proxy ARP is configured on the access router, then the access router responds to ARP requests with its own MAC address, instead of the destination device’s MAC address. This combination of private VLANs and local proxy ARP forces the clients to send all their traffic to the access router. When the access router sees traffic from a client, it checks a list of filters to determine whether to forward the traffic or drop it.

On each client residential gateway, you need to enable tagged VLANs on the connection to the edge switch for the VLANs that the client should be able to access.
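To make the interaction between private VLANs and local proxy ARP concrete, the model below walks a client's packet through an isolated edge-switch port, the router's ARP reply and the router's filter list. It is an added illustration written for this page, not Allied Telesis code or the switch's actual implementation; the IP addresses, MAC addresses, filter entries and the "drop unmatched traffic" default are constructed assumptions.

```python
"""Model of private VLANs plus local proxy ARP forcing client traffic through
the access router's filters.  Added illustration, not Allied Telesis code;
all addresses and the filter list below are constructed sample values."""
import ipaddress
from dataclasses import dataclass, field

# Constructed addressing for the figure's topology (assumption, not from the manual).
SUBNET = ipaddress.ip_network("192.168.4.0/24")
ROUTER_IP, ROUTER_MAC = "192.168.4.1", "00:00:cd:aa:00:01"
SERVER_IP, SERVER_MAC = "192.168.4.10", "00:00:cd:aa:00:10"   # SIP/multicast server
CLIENT1 = ("192.168.4.101", "00:00:cd:bb:00:01")
CLIENT2 = ("192.168.4.102", "00:00:cd:bb:00:02")
INTERNET_HOST = "203.0.113.5"                                  # off-subnet destination


@dataclass
class Client:
    ip: str
    mac: str
    arp_cache: dict = field(default_factory=dict)


@dataclass
class AccessRouter:
    ip: str
    mac: str
    local_proxy_arp: bool
    hosts: dict    # ip -> mac of devices on the subnet (e.g. learned via DHCP snooping)
    filters: list  # (src_ip, dst_ip, action) entries; first match wins

    def arp_reply(self, target_ip):
        """MAC the router puts in an ARP reply, or None if it stays silent."""
        if target_ip == self.ip:
            return self.mac
        if self.local_proxy_arp and target_ip in self.hosts:
            # Local proxy ARP: answer for a directly connected host with the
            # router's own MAC, so the sender's traffic arrives at the router.
            return self.mac
        return None

    def forward(self, src_ip, dst_ip):
        """Apply the filter list to traffic that reached the router."""
        for f_src, f_dst, action in self.filters:
            if f_src in (src_ip, "any") and f_dst in (dst_ip, "any"):
                return action
        return "drop"  # assumed policy: traffic matching no filter is dropped


class EdgeSwitch:
    """Edge switch with private VLANs: a client port exchanges frames only
    with the uplink port, never with another client port."""

    def __init__(self, router):
        self.router = router

    def resolve(self, client, target_ip):
        # The client's ARP broadcast is not flooded to other client ports, so
        # the only device that can answer is the router on the uplink.
        mac = self.router.arp_reply(target_ip)
        if mac is not None:
            client.arp_cache[target_ip] = mac
        return mac

    def send(self, client, dst_ip):
        """Outcome of the client sending an IP packet to dst_ip."""
        # On-subnet destinations are ARPed directly; others go via the gateway.
        hop = dst_ip if ipaddress.ip_address(dst_ip) in SUBNET else ROUTER_IP
        dst_mac = client.arp_cache.get(hop) or self.resolve(client, hop)
        if dst_mac is None:
            return "unresolved"  # ARP never answered; the packet cannot be sent
        # Any MAC the client learns is the router's, so the frame goes up the
        # uplink and the router's filter list decides its fate.
        return self.router.forward(client.ip, dst_ip)


def simulate(local_proxy_arp):
    """Run the same three flows with and without local proxy ARP on the router."""
    router = AccessRouter(
        ROUTER_IP, ROUTER_MAC, local_proxy_arp,
        hosts={SERVER_IP: SERVER_MAC, CLIENT1[0]: CLIENT1[1], CLIENT2[0]: CLIENT2[1]},
        filters=[
            (CLIENT1[0], CLIENT2[0], "drop"),  # clients must not talk to each other
            ("any", "any", "forward"),         # everything else is allowed
        ],
    )
    edge = EdgeSwitch(router)
    c1 = Client(*CLIENT1)
    return {
        "client1->server": edge.send(c1, SERVER_IP),
        "client1->client2": edge.send(c1, CLIENT2[0]),
        "client1->internet": edge.send(c1, INTERNET_HOST),
        "client1 resolves client2 to": c1.arp_cache.get(CLIENT2[0]),
    }


if __name__ == "__main__":
    for enabled in (True, False):
        print("local proxy ARP", "on " if enabled else "off", simulate(enabled))
```

With local proxy ARP enabled, Client 1 learns the router's MAC for Client 2 and for the server, so the client-to-client packet reaches the router and is dropped by the filter while the packet to the server is forwarded. With it disabled, the private VLAN alone leaves same-subnet ARP unanswered: only the off-subnet flow, which uses the router as its gateway anyway, still works.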

Create A Secure Network With Allied Telesis Managed Layer 3 Switches
