Allied Telesis MAC Forced Forwarding (MACFF) Explained for Layer 3 Switches

Products: AT-8600 Series, AT-8700XL Series, Rapier Series, AT-8800 Series, AT-8948, x900-48 Series, AT-9900 Series
Software Versions: 2.9.1 or later

Protecting the user

#Create a classifier to match all traffic in VLANs 101-104
create class=10 ipsa=192.168.0.0/16 ipda=192.168.0.0/16

#Create a classifier to match voice traffic
create class=100 ipsa=192.168.1.0/24 ipda=192.168.1.0/24

#Create a classifier to match management traffic
#The management PC is 192.168.4.250
create class=401 ipsa=192.168.4.0/24 ipda=192.168.4.250/32
create class=402 ipsa=192.168.4.250/32 ipda=192.168.4.0/24

#Create a filter to drop traffic within and between VLANs 101-104
add switch hwfilter classifier=10 action=discard

#Create filters to allow the exceptions (voice and management)
add switch hwfilter classifier=100 action=nodrop
add switch hwfilter classifier=401 action=nodrop
add switch hwfilter classifier=402 action=nodrop

MAC-Forced Forwarding (MACFF)

MAC-forced forwarding works in conjunction with DHCP snooping to give you full control over IP flows in a layer 2 network.

Like local proxy ARP, MACFF replies to a client’s ARP request with the MAC address of an access router, instead of the real MAC address of the IP requested.

With MACFF, the edge switch generates the ARP reply. The edge switch works out which MAC address to reply with from information provided by DHCP snooping. DHCP snooping keeps a record of the client’s IP, MAC and port assignment. It also records the router information that the client has been given by DHCP. DHCP snooping passes this information to MACFF, so that MACFF knows which router’s MAC address to provide when it sees an ARP from that client.
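The following Python model illustrates the decision described above; it is an added example, not Allied Telesis code. It assumes the edge switch learns each client's IP, MAC, port and assigned router from DHCP ACKs, already knows the access router's MAC on its uplink, and (an assumption here, not stated on this page) checks the ARP sender against the snooped binding before answering.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:
    """One DHCP snooping entry: who holds this lease, on which port, with which router."""
    ip: str
    mac: str
    port: int
    router_ip: str


class MacffEdgeSwitch:
    """Simplified model of a MACFF edge switch (constructed for illustration)."""

    def __init__(self, router_macs):
        # Access router IP -> MAC, assumed learned on the trusted uplink port.
        self.router_macs = dict(router_macs)
        self.bindings = {}  # client IP -> Binding, filled by DHCP snooping

    def snoop_dhcp_ack(self, client_mac, port, yiaddr, router_option):
        """DHCP snooping: record the lease and the router (option 3) the client was given."""
        self.bindings[yiaddr] = Binding(yiaddr, client_mac, port, router_option)

    def arp_request(self, sender_ip, sender_mac, port, target_ip):
        """Return the MAC the edge switch puts in its ARP reply, or None to drop.

        Whatever target_ip the client asks for, even a neighbour in the same
        VLAN, the answer is the access router's MAC, so host-to-host traffic
        is forced through the router instead of flowing directly at layer 2.
        """
        binding = self.bindings.get(sender_ip)
        # Assumed check: sender must match the snooped IP/MAC/port triple.
        if binding is None or binding.mac != sender_mac or binding.port != port:
            return None
        # No router MAC known yet: drop rather than fall back to a real host MAC.
        return self.router_macs.get(binding.router_ip)


def build_demo_switch():
    """Constructed sample: one router, two clients on ports 5 and 6."""
    sw = MacffEdgeSwitch({"192.168.1.1": "00:00:cd:aa:aa:aa"})
    sw.snoop_dhcp_ack("00:00:cd:11:11:11", 5, "192.168.1.10", "192.168.1.1")
    sw.snoop_dhcp_ack("00:00:cd:22:22:22", 6, "192.168.1.11", "192.168.1.1")
    return sw
```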

For more information about how MACFF works, see How To Use MAC-Forced Forwarding with DHCP Snooping to Create Enhanced Private VLANs. This How To Note is available from www.alliedtelesis.com/resources/literature/howto.aspx.

Create A Secure Network With Allied Telesis Managed Layer 3 Switches

