Allied Telesis Layer 3 Switches manual Add ip int=vlan104 ip=address-in-192.168.4.0-subnet


Protecting the user

Use the following configuration for edge switches 2 and 3 (AT-8648 switches in this example):

ena stp=default
set stp=default mode=rapid

create vlan="voice" vid=101 private
add vlan=101 port=49-50 uplink frame=tagged
add vlan=101 port=1-48 frame=tagged

create vlan="video" vid=102 private
add vlan=102 port=49-50 uplink frame=tagged
add vlan=102 port=1-48 frame=tagged

create vlan="data" vid=103 private
add vlan=103 port=49-50 uplink frame=tagged
add vlan=103 port=1-48 frame=tagged

create vlan="management" vid=104 private
add vlan=104 port=49-50 uplink frame=tagged
add vlan=104 port=1-48 frame=tagged

#Give the management VLAN an appropriate IP address
enable ip
add ip int=vlan104 ip=<address-in-192.168.4.0-subnet>

Use the following configuration for the access router (a Rapier 24i switch in this example):

delete lacp port=3-24
enable lacp

create vlan="voice" vid=101
create vlan="video" vid=102
create vlan="data" vid=103
create vlan="management" vid=104

add vlan=101 port=1-2 frame=tagged
add vlan=102 port=1-2 frame=tagged
add vlan=103 port=1-2 frame=tagged
add vlan=104 port=1-2 frame=tagged

enable ip
add ip int=vlan101 ip=192.168.1.254 proxy=local
add ip int=vlan102 ip=192.168.2.254 proxy=local
add ip int=vlan103 ip=192.168.3.254 proxy=local
add ip int=vlan104 ip=192.168.4.254 proxy=local
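
The two configurations above depend on each other: each VLAN is private with uplink ports on the edge switches, and the access router has a matching interface with proxy=local. The following Python check is an added example, not part of the Allied Telesis manual, that audits a pair of saved configurations for that pairing. It assumes one command per line and numeric VIDs in `add vlan=`, as in the configurations above; the names `parse` and `audit` are illustrative.

```python
import re

def parse(config):
    """Yield (bare words, key=value params) for each non-comment command line."""
    for line in config.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        tokens = re.findall(r'[^\s"]+(?:"[^"]*")?', line)  # keeps vlan="voice" whole
        words = [t.lower() for t in tokens if "=" not in t]
        params = dict(t.split("=", 1) for t in tokens if "=" in t)
        if words:
            yield words, params

def audit(edge_cfg, router_cfg):
    """Return findings where the private-VLAN / local-proxy-ARP pairing is broken."""
    vids, private, uplinked = set(), set(), set()
    for words, p in parse(edge_cfg):
        if words[0] == "create" and "vid" in p:
            vids.add(p["vid"])
            if "private" in words:
                private.add(p["vid"])
        elif words[0] == "add" and "vlan" in p and "uplink" in words:
            uplinked.add(p["vlan"])
    proxied = {p.get("int", "").lower().removeprefix("vlan")
               for words, p in parse(router_cfg)
               if words[:2] == ["add", "ip"] and p.get("proxy", "").lower() == "local"}
    findings = []
    for vid in sorted(vids):
        if vid not in private:
            findings.append(f"vlan {vid}: not created as private on edge switch")
        elif vid not in uplinked:
            findings.append(f"vlan {vid}: private VLAN has no uplink port")
        if vid not in proxied:
            findings.append(f"vlan {vid}: router interface lacks proxy=local")
    return findings

# Sample input constructed to match the edge switch and access router configs above.
VLANS = [("voice", 101), ("video", 102), ("data", 103), ("management", 104)]
EDGE = "\n".join(f'create vlan="{n}" vid={v} private\n'
                 f"add vlan={v} port=49-50 uplink frame=tagged\n"
                 f"add vlan={v} port=1-48 frame=tagged" for n, v in VLANS)
ROUTER = "enable ip\n" + "\n".join(
    f"add ip int=vlan{v} ip=192.168.{v - 100}.254 proxy=local" for _, v in VLANS)

if __name__ == "__main__":
    print(audit(EDGE, ROUTER) or "edge and router configurations are consistent")
```
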

Create A Secure Network With Allied Telesis Managed Layer 3 Switches

C613-16103-00 REV a