Allied Telesis Layer 3 Switches manual Edge switch

Page 27

Appendix: Configuration scripts for MAC-forced forwarding example

In this example (from page 23), the edge switches can be any of the following switches:

• Rapier 16fi and Rapier 24i (but not Rapier 48i)

• AT-8724XL (but not AT-8748XL)

• AT-8824 and AT-8848

• AT-8624T/2M, AT-8624PoE, and AT-8648T/2SP

The access router is a Rapier 24i switch.

Edge switch 1

Edge switch 1 is directly connected to the access router.

set system name="Edge Switch 1"
create vlan=Voice vid=100 private
create vlan=Video vid=200 private
create vlan=Data vid=300 private
create vlan=Management vid=400 private
create vlan=EAN_Management vid=500 private
enable stp=default
set stp=default mode=rapid
add vlan=100 port=1-2,49-50 uplink frame=tagged
add vlan=100 port=15 frame=tagged
add vlan=200 port=1-2,49-50 uplink frame=tagged
add vlan=200 port=15 frame=tagged
add vlan=300 port=1-2,49-50 uplink frame=tagged
add vlan=300 port=15 frame=tagged
add vlan=400 port=1-2,49-50 uplink frame=tagged
add vlan=400 port=15 frame=tagged
add vlan=500 port=1-2,49-50 uplink frame=tagged
set stp=default port=3-48 edgeport=yes
enable dhcpsnooping
enable dhcpsnooping arpsecurity
enable dhcpsnooping option82
set dhcpsnooping port=1 trusted=yes
set dhcpsnooping port=2 trusted=yes
set dhcpsnooping port=49 trusted=yes
set dhcpsnooping port=50 trusted=yes
set dhcpsnooping port=15 maxleases=4
#Specify the static IP of the residential gateway
add dhcpsnooping binding=00-0d-da-00-0b-11 ip=172.16.4.201 interface=vlan400 port=15 router=172.16.4.254
enable macff int=vlan100
enable macff int=vlan200
enable macff int=vlan300
enable macff int=vlan400
enable macff int=vlan500
enable ip
add ip int=vlan500 ip=172.16.5.101 mask=255.255.255.0
delete lacp port=3-50
enable lacp
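The following Python script is an added example and is not part of the Allied Telesis manual. It reads an Edge switch 1 script of the kind shown above (a copy is constructed inline, one command per line) and checks that the settings the MAC-forced forwarding design depends on agree with each other: every port added to a VLAN as an uplink is a trusted DHCP snooping port and no other port is, every user port has a maxleases limit, and every private VLAN has MACFF enabled. It understands only the subset of command syntax that appears on this page; the audit() function, expand_ports() and the wording of the findings are the example's own.

```python
import re

# Constructed copy of the "Edge switch 1" script from this appendix, one
# command per line, used as the sample input for the audit below.
EDGE_SWITCH_1 = """
set system name="Edge Switch 1"
create vlan=Voice vid=100 private
create vlan=Video vid=200 private
create vlan=Data vid=300 private
create vlan=Management vid=400 private
create vlan=EAN_Management vid=500 private
enable stp=default
set stp=default mode=rapid
add vlan=100 port=1-2,49-50 uplink frame=tagged
add vlan=100 port=15 frame=tagged
add vlan=200 port=1-2,49-50 uplink frame=tagged
add vlan=200 port=15 frame=tagged
add vlan=300 port=1-2,49-50 uplink frame=tagged
add vlan=300 port=15 frame=tagged
add vlan=400 port=1-2,49-50 uplink frame=tagged
add vlan=400 port=15 frame=tagged
add vlan=500 port=1-2,49-50 uplink frame=tagged
set stp=default port=3-48 edgeport=yes
enable dhcpsnooping
enable dhcpsnooping arpsecurity
enable dhcpsnooping option82
set dhcpsnooping port=1 trusted=yes
set dhcpsnooping port=2 trusted=yes
set dhcpsnooping port=49 trusted=yes
set dhcpsnooping port=50 trusted=yes
set dhcpsnooping port=15 maxleases=4
add dhcpsnooping binding=00-0d-da-00-0b-11 ip=172.16.4.201 interface=vlan400 port=15 router=172.16.4.254
enable macff int=vlan100
enable macff int=vlan200
enable macff int=vlan300
enable macff int=vlan400
enable macff int=vlan500
enable ip
add ip int=vlan500 ip=172.16.5.101 mask=255.255.255.0
"""


def expand_ports(spec: str) -> set[int]:
    """Expand a port list such as '1-2,49-50' into {1, 2, 49, 50}."""
    ports: set[int] = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports


def params(line: str) -> dict[str, str]:
    """Collect the key=value tokens of one command line into a dict."""
    return dict(re.findall(r'(\w+)=("[^"]*"|\S+)', line))


def audit(script: str) -> list[str]:
    """Cross-check uplink, DHCP snooping and MACFF settings; [] means no findings."""
    uplinks, user_ports, trusted = set(), set(), set()  # port numbers
    private_vlans, macff_vlans = set(), set()           # VLAN ids
    maxleases: dict[int, int] = {}
    snooping = arpsecurity = False

    for raw in script.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        words, p = line.split(), params(line)
        if words[0] == "create" and "vid" in p and "private" in words:
            private_vlans.add(int(p["vid"]))
        elif words[0] == "add" and words[1].startswith("vlan="):
            # 'uplink' is a bare keyword on the add vlan command
            (uplinks if "uplink" in words else user_ports).update(expand_ports(p["port"]))
        elif line == "enable dhcpsnooping":
            snooping = True
        elif line == "enable dhcpsnooping arpsecurity":
            arpsecurity = True
        elif words[:2] == ["set", "dhcpsnooping"] and "port" in p:
            port = int(p["port"])
            if p.get("trusted") == "yes":
                trusted.add(port)
            if "maxleases" in p:
                maxleases[port] = int(p["maxleases"])
        elif words[:2] == ["enable", "macff"]:
            macff_vlans.add(int(p["int"][len("vlan"):]))

    findings: list[str] = []
    if not snooping:
        findings.append("DHCP snooping is not enabled")
    if not arpsecurity:
        findings.append("DHCP snooping ARP security is not enabled")
    for port in sorted(uplinks - trusted):
        findings.append(f"uplink port {port} is not a trusted DHCP snooping port")
    for port in sorted(trusted - uplinks):
        findings.append(f"port {port} is trusted but is not an uplink")
    for port in sorted(user_ports - set(maxleases)):
        findings.append(f"user port {port} has no maxleases limit")
    for vid in sorted(private_vlans - macff_vlans):
        findings.append(f"private VLAN {vid} does not have MACFF enabled")
    return findings


if __name__ == "__main__":
    for finding in audit(EDGE_SWITCH_1) or ["no findings"]:
        print(finding)
```

Run against the script on this page the audit returns no findings; editing a single line (for example marking port 15 trusted instead of port 49) produces one finding per mismatch. The checks are worth running before a script is loaded because the DHCP snooping database is what records each client's router (the static binding line above shows the router field), so a trusted user port or an untrusted uplink silently changes what the switch learns about its clients.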

Create A Secure Network With Allied Telesis Managed Layer 3 Switches
