Allied Telesis Layer 3 Switches manual Edge switch

Page 28

Appendix: Configuration scripts for MAC-forced forwarding example

Edge switch 2

Edge switch 2 is connected to port 50 of edge switch 1. The configuration is similar to edge switch 1—differences are in bold:

# System configuration

set system name="Edge Switch 2"

#VLAN general configuration

create vlan=Voice vid=100 private

create vlan=Video vid=200 private

create vlan=Data vid=300 private

create vlan=Management vid=400 private

create vlan=EAN_Management vid=500 private

#STP general configuration

enable stp=default

set stp=default mode=rapid

#VLAN port configuration

#ports 1 and 2 are not in any VLANs

add vlan=100 port=49-50 uplink frame=tagged

add vlan=100 port=15 frame=tagged

add vlan=100 port=14 frame=tagged

add vlan=200 port=49-50 uplink frame=tagged

add vlan=200 port=15 frame=tagged

add vlan=200 port=14 frame=tagged

add vlan=300 port=49-50 uplink frame=tagged

add vlan=300 port=15 frame=tagged

add vlan=300 port=14 frame=tagged

add vlan=400 port=49-50 uplink frame=tagged

add vlan=400 port=15 frame=tagged

add vlan=400 port=14 frame=tagged

add vlan=500 port=49-50 uplink frame=tagged

# STP port configuration

set stp="default" port=1-48 edgeport=yes

#DHCP Snooping configuration

enable dhcpsnooping

enable dhcpsnooping arpsecurity

enable dhcpsnooping option82

set dhcpsnooping port=14 maxleases=4

set dhcpsnooping port=15 maxleases=4

set dhcpsnooping port=49 trusted=yes

set dhcpsnooping port=50 trusted=yes

add dhcpsnooping binding=00-0d-da-00-00-37 ip=172.16.4.202 interface=vlan400 port=14 router=172.16.4.254

add dhcpsnooping binding=00-0d-da-00-02-eb ip=172.16.4.203 interface=vlan400 port=15 router=172.16.4.254

#IP configuration

enable ip

add ip int=vlan500 ip=172.16.5.102 mask=255.255.255.0

#MACFF configuration

enable macff int=vlan100

enable macff int=vlan200

enable macff int=vlan300

enable macff int=vlan400

enable macff int=vlan500
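The script above relies on several settings agreeing with each other: DHCP snooping and ARP security enabled, only the two uplink ports trusted, every client port given a maxleases limit, the static bindings placed on untrusted ports, the uplinks left out of the STP edge-port range, and MACFF enabled on every VLAN. The following Python audit, added here and not part of the manual or any Allied Telesis tool, parses a configuration in the command form shown on this page and reports any of those invariants that fail. The embedded configuration is a copy of the edge switch 2 script; the parser's handling of the command syntax and the check wording are assumptions of this example.

```python
import re
import shlex
from typing import Dict, List, Set, Tuple

# Copy of the "Edge switch 2" script from this appendix, one command per line,
# embedded as the sample input the audit runs over (the system name line is omitted).
EDGE_SWITCH_2 = """\
create vlan=Voice vid=100 private
create vlan=Video vid=200 private
create vlan=Data vid=300 private
create vlan=Management vid=400 private
create vlan=EAN_Management vid=500 private
enable stp=default
set stp=default mode=rapid
add vlan=100 port=49-50 uplink frame=tagged
add vlan=100 port=15 frame=tagged
add vlan=100 port=14 frame=tagged
add vlan=200 port=49-50 uplink frame=tagged
add vlan=200 port=15 frame=tagged
add vlan=200 port=14 frame=tagged
add vlan=300 port=49-50 uplink frame=tagged
add vlan=300 port=15 frame=tagged
add vlan=300 port=14 frame=tagged
add vlan=400 port=49-50 uplink frame=tagged
add vlan=400 port=15 frame=tagged
add vlan=400 port=14 frame=tagged
add vlan=500 port=49-50 uplink frame=tagged
set stp="default" port=1-48 edgeport=yes
enable dhcpsnooping
enable dhcpsnooping arpsecurity
enable dhcpsnooping option82
set dhcpsnooping port=14 maxleases=4
set dhcpsnooping port=15 maxleases=4
set dhcpsnooping port=49 trusted=yes
set dhcpsnooping port=50 trusted=yes
add dhcpsnooping binding=00-0d-da-00-00-37 ip=172.16.4.202 interface=vlan400 port=14 router=172.16.4.254
add dhcpsnooping binding=00-0d-da-00-02-eb ip=172.16.4.203 interface=vlan400 port=15 router=172.16.4.254
enable ip
add ip int=vlan500 ip=172.16.5.102 mask=255.255.255.0
enable macff int=vlan100
enable macff int=vlan200
enable macff int=vlan300
enable macff int=vlan400
enable macff int=vlan500
"""


def parse_ports(spec: str) -> Set[int]:
    """Expand a port list such as '14', '49-50' or '1-5,8' into a set of port numbers."""
    ports: Set[int] = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports


def parse_command(line: str) -> Tuple[List[str], Dict[str, str]]:
    """Split one command into bare keywords and key=value parameters (quotes removed)."""
    words: List[str] = []
    params: Dict[str, str] = {}
    for tok in shlex.split(line):
        key, sep, val = tok.partition("=")
        if sep:
            params[key.lower()] = val
        else:
            words.append(key.lower())
    return words, params


def audit(config: str) -> List[str]:
    """Return the list of failed invariants; an empty list means the script passes."""
    vlans, uplinks, trusted, macff, edge, members = set(), set(), set(), set(), set(), set()
    maxleases: Dict[int, int] = {}
    bindings: List[Tuple[str, str, int]] = []
    snooping = arpsec = False
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        words, p = parse_command(line)
        if words[0] == "create" and "vid" in p:
            vlans.add(int(p["vid"]))
        elif words[0] == "add" and "vlan" in p and "port" in p:
            members |= parse_ports(p["port"])
            if "uplink" in words:
                uplinks |= parse_ports(p["port"])
        elif words[0] == "set" and "stp" in p and p.get("edgeport") == "yes":
            edge |= parse_ports(p["port"])
        elif words[0] == "enable" and "dhcpsnooping" in words:
            snooping = True
            arpsec = arpsec or "arpsecurity" in words
        elif words[0] == "set" and "dhcpsnooping" in words:
            ports = parse_ports(p["port"])
            if p.get("trusted") == "yes":
                trusted |= ports
            if "maxleases" in p:
                maxleases.update({n: int(p["maxleases"]) for n in ports})
        elif words[0] == "add" and "dhcpsnooping" in words and "binding" in p:
            bindings.append((p["binding"], p["ip"], int(p["port"])))
        elif words[:2] == ["enable", "macff"]:
            macff.add(int(re.sub(r"\D", "", p["int"])))

    findings: List[str] = []
    if not snooping:
        findings.append("DHCP snooping is not enabled")
    if not arpsec:
        findings.append("DHCP snooping ARP security is not enabled")
    findings += [f"port {n} is trusted but is not an uplink" for n in sorted(trusted - uplinks)]
    findings += [f"uplink port {n} is not trusted; DHCP server replies on it will be dropped"
                 for n in sorted(uplinks - trusted)]
    findings += [f"uplink port {n} is configured as an STP edge port" for n in sorted(edge & uplinks)]
    findings += [f"client port {n} has no maxleases limit"
                 for n in sorted(members - uplinks - set(maxleases))]
    findings += [f"static binding {mac}/{ip} is on trusted port {n}, where snooping does not filter"
                 for mac, ip, n in bindings if n in trusted]
    findings += [f"VLAN {v} has no MACFF enabled" for v in sorted(vlans - macff)]
    return findings


if __name__ == "__main__":
    print("edge switch 2:", audit(EDGE_SWITCH_2) or "no findings")
    # Constructed weakening: trusting a client port removes it from snooping enforcement.
    print("weakened copy:", audit(EDGE_SWITCH_2 + "set dhcpsnooping port=15 trusted=yes\n"))
```

Run against the script as printed, the audit returns no findings; appending a line that trusts client port 15 produces two, one for the non-uplink trusted port and one for the static binding that now sits behind it. The same checks can be pointed at the edge switch 1 script, since the two differ only in the values the audit reads out.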

Create A Secure Network With Allied Telesis Managed Layer 3 Switches
