Allied Telesis Layer 3 Switches manual Configuration of access router Example

Page 21

Protecting the user

Configuration of edge switches

1. Create the VLANs, specifying that they are private. Make a different VLAN for each type of traffic that you want to control differently.

2. Add the uplink and private ports to the VLANs as tagged ports.

3. Configure any other requirements, such as a management IP address.

Configuration of access router

Example

1. Create the VLANs.

2. Add the ports to the VLANs as tagged ports.

3. Enable IP.

4. Give each VLAN an IP address and turn on local proxy ARP.

5. Create classifiers and filters to decide which traffic to block.

6. Configure any other required networking features.

To allow VoIP (voice) but no other traffic between clients in the above network, use the following configuration for edge switch 1 (an AT-8648 switch in this example):

ena stp=default
set stp=default mode=rapid
delete lacp port=3-50
enable lacp

create vlan="voice" vid=101 private
add vlan=101 port=1-2,49-50 uplink frame=tagged
add vlan=101 port=3-48 frame=tagged

create vlan="video" vid=102 private
add vlan=102 port=1-2,49-50 uplink frame=tagged
add vlan=102 port=3-48 frame=tagged

create vlan="data" vid=103 private
add vlan=103 port=1-2,49-50 uplink frame=tagged
add vlan=103 port=3-48 frame=tagged

create vlan="management" vid=104 private
add vlan=104 port=1-2,49-50 uplink frame=tagged
add vlan=104 port=3-48 frame=tagged

# Give the management VLAN an appropriate IP address
enable ip
add ip int=vlan104 ip=<address-in-192.168.4.0-subnet>
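As an added check that is not part of the manual, the following Python script parses AlliedWare-style "create vlan" and "add vlan" lines such as those above and reports any VLAN that is not private, has no uplink port, or uses a port as both uplink and client port (each of which would let clients forward to each other without passing through the access router). The embedded sample is constructed from the edge switch 1 commands on this page; the function and variable names are assumptions of this example.

```python
import re
# Constructed sample: the edge switch 1 VLAN commands from this page, one per line.
SAMPLE_CONFIG = """
create vlan="voice" vid=101 private
add vlan=101 port=1-2,49-50 uplink frame=tagged
add vlan=101 port=3-48 frame=tagged
#Give the management VLAN an appropriate IP address
create vlan="management" vid=104 private
add vlan=104 port=1-2,49-50 uplink frame=tagged
add vlan=104 port=3-48 frame=tagged
"""

def expand_ports(spec):
    """Expand a port list such as '1-2,49-50' into the set {1, 2, 49, 50}."""
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def parse_vlans(text):
    """Map each VID to its private flag and its uplink and client port sets."""
    vlans = {}
    for raw in text.splitlines():
        line = raw.strip().lower()
        if not line or line.startswith("#"):  # '#' starts a script comment
            continue
        m = re.match(r'create vlan=\S+ vid=(\d+)(.*)', line)
        if m:
            vlans[int(m.group(1))] = {"private": "private" in m.group(2),
                                      "uplink": set(), "client": set()}
            continue
        m = re.match(r'add vlan=(\d+) port=(\S+)(.*)', line)
        if m:
            vid, ports, rest = int(m.group(1)), expand_ports(m.group(2)), m.group(3)
            entry = vlans.setdefault(vid, {"private": False, "uplink": set(), "client": set()})  # no 'create' seen
            entry["uplink" if " uplink" in rest else "client"] |= ports
    return vlans

def isolation_issues(vlans):
    """Return findings that would let clients reach each other without the access router."""
    issues = []
    for vid, v in sorted(vlans.items()):
        if not v["private"]:
            issues.append(f"vlan {vid}: not private, client ports forward to each other")
        if not v["uplink"]:
            issues.append(f"vlan {vid}: no uplink port, clients cannot reach the router")
        if v["uplink"] & v["client"]:
            issues.append(f"vlan {vid}: ports {sorted(v['uplink'] & v['client'])} are uplink and client")
    return issues
```

Run it over a saved configuration script before deployment; an empty result from isolation_issues means every VLAN follows the three edge-switch steps above.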

Create A Secure Network With Allied Telesis Managed Layer 3 Switches
