Allied Telesis Layer 3 Switches manual Securing the device, Protecting the network


Securing the device

Products: All switches listed on page 2
Software Versions: All

The first step towards making a secure network is to secure the networking equipment itself.

There are two aspects to this. Firstly, physical security is vital—lock your networking equipment away.

Secondly, straight after powering up any new piece of networking equipment, change the default administrator user’s password. On an Allied Telesis managed layer 3 switch, the default user is “manager”. To change the password, use the following command:

set user=manager password=<new-password>

The default password is well-known. If you do not change it, anyone with physical or IP access could reconfigure the switch.

Protecting the network

This section describes layer 2 based methods for controlling the negative impact of misconfigured devices and misuse of the network. These solutions work at the Ethernet level of a packet and cause no degradation in the switch's throughput.

You can protect your network against the following:

• traffic storms (“Protecting against packet flooding” on page 3)

• excessive MAC address learning (“Protecting against rapid MAC movement” on page 6)

• unwanted multicast traffic (“Controlling multicast traffic” on page 7)

Protecting against packet flooding

Service providers are often vulnerable to traffic storms, primarily when incorrectly configured customer equipment is directly connected to the provider. Storms overwhelm a subnet, and all of the switches in that subnet, with traffic. Such misconfiguration can quickly lead to widespread outages and compromise guaranteed service levels.

Storms are a reality in any network. They can occur by accident, maliciously, or when a network device fails. They occur naturally in a network where switches are connected more than once to the same VLAN, so administrators must employ a method to prevent these switch loops.

Spanning Tree Protocol (STP) based solutions are the most common method of preventing loops. However, incorrect configuration or other network issues can cause STP to fail. For example, if a single switch in the VLAN does not have STP enabled, the STP tree will not converge properly. Spanning tree protocols can even fail if a broadcast storm drowns out STP messages.
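The following Python simulation is an added illustration and is not part of the Allied Telesis document or its CLI. It applies the ordinary layer 2 flooding rule (a broadcast goes out of every link except the one it arrived on) to a constructed four-switch VLAN that is wired with two redundant paths, then to the same VLAN pruned to a spanning tree. A breadth-first tree stands in for the forwarding topology a converged STP would leave; the switch names, links and tie-breaking by name are assumptions of the example, not real STP behaviour.

```python
# Added illustration (not Allied Telesis code): why a second link into the same
# VLAN turns one broadcast into a storm, and why pruning the topology to a
# spanning tree stops it. Switch names and links below are constructed.
from collections import deque


def adjacency(links):
    """Build a neighbour map from a set of undirected switch-to-switch links."""
    adj = {}
    for a, b in links:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    return adj


def flood_broadcast(links, origin, max_ticks=10):
    """Flood one broadcast frame from `origin` and return the number of frame
    copies in flight at each tick. A switch forwards a broadcast out of every
    link except the one it arrived on (the normal flooding rule); nothing here
    rate-limits, so a loop keeps the copies circulating and multiplying."""
    adj = adjacency(links)
    frames = [(nbr, origin) for nbr in sorted(adj.get(origin, ()))]
    history = []
    for _ in range(max_ticks):
        history.append(len(frames))
        if not frames:
            break
        frames = [(nbr, sw) for sw, came_from in frames
                  for nbr in sorted(adj[sw]) if nbr != came_from]
    return history


def spanning_tree(links, root):
    """Return the subset of links a loop-free topology keeps: a breadth-first
    tree rooted at `root`, standing in for what a converged STP leaves in the
    forwarding state (ties broken by name here; real STP uses bridge IDs and
    path cost)."""
    adj = adjacency(links)
    seen = {root}
    tree = set()
    queue = deque([root])
    while queue:
        sw = queue.popleft()
        for nbr in sorted(adj[sw]):
            if nbr not in seen:
                seen.add(nbr)
                tree.add((sw, nbr))
                queue.append(nbr)
    return tree


# Constructed topology: four switches in one VLAN with two redundant paths
# (A-B-C-A and A-B-D-A), i.e. a looped layer 2 network.
LOOPED = {("A", "B"), ("B", "C"), ("C", "A"), ("A", "D"), ("B", "D")}


def compare(links=LOOPED, origin="A", root="C", max_ticks=10):
    """Flood the same broadcast on the looped topology and on its spanning tree."""
    storm = flood_broadcast(links, origin, max_ticks)
    tree = spanning_tree(links, root)
    calm = flood_broadcast(tree, origin, max_ticks)
    return {"looped": storm, "tree": calm, "blocked_links": len(links) - len(tree)}


if __name__ == "__main__":
    result = compare()
    print("copies per tick with loops  :", result["looped"])
    print("copies per tick on the tree :", result["tree"])
    print("links STP would block       :", result["blocked_links"])
```

On the looped topology the count of in-flight copies never reaches zero and keeps growing tick after tick, which is the storm the text describes; on the tree the broadcast crosses each remaining link exactly once and dies out, and the two links the tree leaves out are the ones STP would put into a blocking state.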

Create A Secure Network With Allied Telesis Managed Layer 3 Switches
