Allied Telesis Layer 3 Switches manual Using IPsec to make VPNs, Edge, Access, Router

Page 24


Protecting the user

Configuration of edge switches

1. Create a VLAN for each type of service (for example, voice, video, and data). With software versions 291-04 and earlier, the VLANs must be private VLANs. With software versions 291-05 and later, you can use non-private VLANs. However, we recommend you use private VLANs for maximum security.

2. Add the uplink and private ports to the VLANs as tagged ports.

3. Enable DHCP snooping and ARP security. ARP security ensures that ARP packets received on untrusted (client) ports are forwarded only if their sender IP address matches a current, valid entry in the DHCP snooping binding database, so a client cannot claim another host's address in ARP.

4. Specify the trusted ports. Private VLAN uplink ports need to be trusted ports so that they can forward DHCP packets. Leave the client ports untrusted, so that DHCP server messages from a rogue server on a client port are discarded.

5. Configure other aspects of DHCP snooping, such as static IP address bindings and the maximum number of leases for ports.

6. On AT-8948, AT-9900, and x900-48 Series switches, create classifiers for DHCP snooping.

7. Enable MAC-forced forwarding.

8. Configure any other requirements, such as a management IP address, STP and LACP.
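The following model shows how steps 3, 4, 5 and 7 interact on a client port: DHCP snooping only accepts server messages on trusted uplink ports and caps leases per port, ARP security accepts an ARP only when the sender matches a binding on that port, and MAC-forced forwarding answers every client ARP with the gateway's MAC and drops client-to-client frames. This is an added illustration, not code from the guide or from AlliedWare; the gateway MAC, port numbers, addresses and the exact matching rules are assumptions.

```python
"""Model of the edge-switch policies from steps 3-5 and 7: DHCP snooping,
per-port lease limits, static bindings, ARP security and MAC-forced forwarding.
Added illustration, not AlliedWare code; the gateway MAC, port numbers,
addresses and the exact matching rules are assumptions."""
from dataclasses import dataclass, field

GATEWAY_MAC = "00:00:cd:00:00:01"   # assumed: the access router's MAC address


@dataclass
class Binding:
    ip: str
    mac: str
    port: int
    static: bool = False


@dataclass
class EdgeSwitch:
    trusted_ports: set                      # uplink ports (step 4)
    max_leases: dict                        # client port -> lease cap (step 5)
    macff: bool = True                      # MAC-forced forwarding on (step 7)
    bindings: dict = field(default_factory=dict)   # ip -> Binding

    def leases_on(self, port):
        return sum(1 for b in self.bindings.values()
                   if b.port == port and not b.static)

    def add_static_binding(self, ip, mac, port):
        """Static entry for a device that never uses DHCP (step 5)."""
        self.bindings[ip] = Binding(ip, mac, port, static=True)

    def dhcp_ack(self, ingress_port, client_ip, client_mac, client_port):
        """A DHCP ACK creates a binding only if it arrives on a trusted port;
        ACKs from a rogue server on a client port are dropped."""
        if ingress_port not in self.trusted_ports:
            return "drop: DHCP server message on untrusted port"
        if self.leases_on(client_port) >= self.max_leases.get(client_port, 1):
            return "drop: max leases reached on port %d" % client_port
        self.bindings[client_ip] = Binding(client_ip, client_mac, client_port)
        return "bound"

    def arp(self, ingress_port, sender_ip, sender_mac):
        """ARP security: an ARP from an untrusted port is accepted only if its
        sender IP/MAC match a current binding on that same port. With MACFF the
        switch answers every accepted request with the gateway MAC, so clients
        never learn each other's MAC addresses."""
        if ingress_port in self.trusted_ports:
            return ("forward", None)
        b = self.bindings.get(sender_ip)
        if b is None or b.mac != sender_mac or b.port != ingress_port:
            return ("drop", None)
        if self.macff:
            return ("proxy-reply", GATEWAY_MAC)
        return ("forward", None)

    def unicast(self, ingress_port, src_ip, dst_mac):
        """IP frames from a client port must carry a bound source IP and, under
        MACFF, be addressed to the gateway; client-to-client frames are dropped."""
        if ingress_port in self.trusted_ports:
            return "forward"
        b = self.bindings.get(src_ip)
        if b is None or b.port != ingress_port:
            return "drop: source IP not bound to this port"
        if self.macff and dst_mac != GATEWAY_MAC:
            return "drop: client-to-client frame must go via the router"
        return "forward to uplink"


def edge_scenario():
    """Constructed traffic on a switch with uplink port 49 and clients on 1-2."""
    sw = EdgeSwitch(trusted_ports={49}, max_leases={1: 1, 2: 1})
    sw.add_static_binding("192.168.4.50", "00:11:22:33:44:55", 2)
    return [
        sw.dhcp_ack(49, "192.168.4.10", "00:aa:bb:cc:dd:01", 1),   # real server
        sw.dhcp_ack(2, "192.168.4.66", "00:aa:bb:cc:dd:01", 1),    # rogue server
        sw.dhcp_ack(49, "192.168.4.11", "00:aa:bb:cc:dd:02", 1),   # over the cap
        sw.arp(1, "192.168.4.10", "00:aa:bb:cc:dd:01"),            # valid client
        sw.arp(2, "192.168.4.10", "00:aa:bb:cc:dd:01"),            # IP from other port
        sw.arp(1, "192.168.4.99", "00:aa:bb:cc:dd:01"),            # unbound IP
        sw.arp(2, "192.168.4.50", "00:11:22:33:44:55"),            # static binding
        sw.unicast(1, "192.168.4.10", GATEWAY_MAC),                # to the router
        sw.unicast(1, "192.168.4.10", "00:11:22:33:44:55"),        # to another client
    ]
```

The binding check keys on the ingress port as well as the IP and MAC, so a host on port 2 cannot reuse an address the DHCP server leased to port 1; whether the real switch also checks the port should be confirmed against the software reference for your version.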

Configuration of access router

1. Create the VLANs and add ports to them.

2. Enable IP and configure IP addresses on each VLAN.

3. Create classifiers to match the traffic that you need to control.

4. Create hardware filters to forward or drop the classified traffic.

5. Disable ICMP redirection. With MAC-forced forwarding, traffic between two clients on the same VLAN goes up to the router and back out of the same interface. A router would normally answer such traffic with an ICMP redirect telling the sender to reach the other client directly, which the clients cannot do, so the redirects must be turned off.

6. Configure any other required networking features.
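The model below shows what the access router does with a hairpinned packet: it looks up the egress interface, decides whether an ICMP redirect would be generated, and then applies the first matching classifier-based hardware filter. This is an added illustration, not code from the guide or from AlliedWare; the interface names, subnets, the sample policy and the first-match semantics are assumptions.

```python
"""Model of the access-router steps: hairpin routing between hosts on the same
VLAN, classifier/hardware-filter policy, and ICMP redirect suppression.
Added illustration with assumed interface names, subnets and policy; it is
not AlliedWare code."""
import ipaddress


class AccessRouter:
    def __init__(self, interfaces, filters, icmp_redirect=False):
        # interfaces: {"vlan101": "192.168.1.1/24", ...} (step 2, assumed addressing)
        self.ifaces = {n: ipaddress.ip_interface(a) for n, a in interfaces.items()}
        # filters: ordered (classifier, action); classifier = (src_net, dst_net, proto)
        self.filters = [((ipaddress.ip_network(s), ipaddress.ip_network(d), p), a)
                        for (s, d, p), a in filters]
        self.icmp_redirect = icmp_redirect   # step 5: should be False

    def egress_for(self, dst_ip):
        for name, iface in self.ifaces.items():
            if dst_ip in iface.network:
                return name
        return "uplink"   # assumed default route

    def hwfilter(self, src_ip, dst_ip, proto):
        """First matching classifier wins (steps 3-4); no match means forward."""
        for (src_net, dst_net, p), action in self.filters:
            if src_ip in src_net and dst_ip in dst_net and p in ("any", proto):
                return action
        return "forward"

    def route(self, ingress, src, dst, proto="ip"):
        """Return the list of things the router does with one packet."""
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        events = []
        egress = self.egress_for(dst_ip)
        if egress == ingress and self.icmp_redirect:
            # Hairpin: a classic router tells the sender the destination is on
            # its own link. Under MACFF the sender cannot use that shortcut, and
            # the redirect only advertises that the peer is on-link, so step 5
            # turns it off.
            events.append("icmp-redirect to %s" % src)
        action = self.hwfilter(src_ip, dst_ip, proto)
        events.append("%s via %s" % (action, egress) if action == "forward"
                      else "drop by hwfilter")
        return events


# Constructed policy: data clients may not reach each other, voice phones may.
POLICY = [
    (("192.168.1.0/24", "192.168.1.0/24", "udp"), "forward"),
    (("192.168.4.0/24", "192.168.4.0/24", "any"), "deny"),
]
IFACES = {"vlan101": "192.168.1.1/24", "vlan104": "192.168.4.1/24"}


def router_scenario(icmp_redirect=False):
    r = AccessRouter(IFACES, POLICY, icmp_redirect)
    return {
        "data_to_data": r.route("vlan104", "192.168.4.10", "192.168.4.20"),
        "voice_to_voice": r.route("vlan101", "192.168.1.10", "192.168.1.20", "udp"),
        "data_to_internet": r.route("vlan104", "192.168.4.10", "198.51.100.7"),
    }
```

Running `router_scenario(icmp_redirect=True)` shows the extra redirect event on every hairpinned flow; with the default of `False` only the filter decision remains, which is the state step 5 puts the router in.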

Example

How To Use MAC-Forced Forwarding with DHCP Snooping to Create Enhanced Private VLANs includes the full configuration for the network on page 19, including the three client residential gateways, the three edge switches, and the access router. For your convenience, we have reproduced the configuration scripts for the edge switches and the access router in "Appendix: Configuration scripts for MAC-forced forwarding example" on page 27.

Using IPsec to make VPNs

IPsec is a frequently-used secure remote access technology. It is particularly useful for connecting remote offices over long distances and for giving access to travelling employees. IPsec provides authentication of the peers, confidentiality and integrity for the traffic, and fine-grained control over which traffic is carried through the tunnel.

The AlliedWare IPsec implementation is RFC compliant and offers extensive options.

Products: Rapier i Series, Rapier Series, AT-8800 Series

Software Versions: All

Examples: For examples of the many ways to configure IPsec, see the following How To Notes:

- How To Configure VPNs In A Corporate Network, With Optional Prioritisation Of VoIP
- How To Configure Microsoft® Windows 2000 Virtual Private Network (VPN) client interoperability without NAT-T support
- How To Configure Microsoft® Windows 2000 Virtual Private Network (VPN) client interoperability with NAT-T support

Create A Secure Network With Allied Telesis Managed Layer 3 Switches

C613-16103-00 REV A