Allied Telesis Layer 3 Switches manual Access Router

Page 30

Appendix: Configuration scripts for MAC-forced forwarding example

Access Router

set system name="Access Router"

#Create a VLAN for accessing the Internet, SIP server and multicast groups create vlan=CoreNetwork vid=28

#Create the other VLANs

create vlan=Voice vid=100 create vlan=Video vid=200 create vlan=Data vid=300 create vlan=Management vid=400 create vlan=EAN_Management vid=500

add vlan=28 port=20,24 add vlan=500 port=5

add vlan=100 port=1-2 frame=tagged add vlan=200 port=1-2 frame=tagged add vlan=300 port=1-2 frame=tagged add vlan=400 port=1-2 frame=tagged add vlan=500 port=1-2 frame=tagged

enable

stp=default

set stp=default mode=rapid

set stp=default port=3-23 edgeport=yes

enable

ip

add ip

int=vlan28 ip=172.28.40.60

add ip

int=vlan100 ip=172.16.1.254 mask=255.255.255.0

add ip

int=vlan200 ip=172.16.2.254 mask=255.255.255.0

add ip

int=vlan300 ip=172.16.3.254 mask=255.255.255.0

add ip

int=vlan400 ip=172.16.4.254 mask=255.255.255.0

add ip

int=vlan500 ip=172.16.5.254 mask=255.255.255.0

add ip

rou=0.0.0.0 mask=0.0.0.0 int=vlan28 next=172.28.0.1

disable ip icmp=redirect

#Create classifiers to match traffic in VLANs 100-500 create class=10 ipsa=172.16.0.0/16 ipda=172.16.0.0/16 create class=100 ipsa=172.16.1.0/24 ipda=172.16.1.0/24 create class=401 ipsa=172.16.4.0/24 ipda=172.16.5.250/32 create class=402 ipsa=172.16.5.250/32 ipda=172.16.4.0/24 create class=501 ipsa=172.16.5.0/24 ipda=172.16.5.250/32 create class=502 ipsa=172.16.5.250/32 ipda=172.16.5.0/24

#Create a filter to drop all traffic within and between VLANs 100-500 add switch hwfilter classifier=10 action=discard

#Create filters to allow the exceptions (voice traffic)

add switch hwfilter classifier=100 action=nodrop add switch hwfilter classifier=401 action=nodrop add switch hwfilter classifier=402 action=nodrop add switch hwfilter classifier=501 action=nodrop add switch hwfilter classifier=502 action=nodrop

#Configure IGMP for multicasting enable ip igmp

enable ip igmp int=vlan28 enable ip igmp int=vlan200 enable ip igmp int=vlan300

Create A Secure Network With Allied Telesis Managed Layer 3 Switches

30

Page 29 Page 31
Image 30
Page 29 Page 31
Contents
Contents IntroductionEdge switch Access Router Securing the device Protecting the networkProtecting against packet flooding Bandwidth limiting Using QoS policy-based storm protection Configuration To use storm protectionConfiguration on one or more ports Reboot after turning on enhanced modeRest of the QoS configuration is as normal, so Protecting against rapid MAC movementControlling multicast traffic Igmp snoopingConfiguration For each port Igmp filteringIgmp throttling Using Secure Shell SSH ConfigurationManaging the device securely Using SSL for secure web access Using SNMPv3Configuration 1. Enable Snmp Managing the device securely Whitelisting telnet hosts Building a whitelist through layer 3 filtersBuilding a whitelist through QoS Identifying the user IP spoofing and trackingTrouble with ARP Rejecting Gratuitous ARP Garp Dhcp snoopingSetting up Dhcp snooping Using static binding for rigid controlUsing 802.1x port authentication Using Dhcp snooping to track clientsUsing ARP security Using private VLANs Protecting the userUsing local proxy ARP and MAC-forced forwarding To remove ports from the VlanLocal proxy ARP Configuration of access router Example Add ip int=vlan104 ip=address-in-192.168.4.0-subnet MAC-Forced Forwarding Macff Access Using IPsec to make VPNsSwitches EdgeProtecting against worms Blocking worms through classifier-based filtersBlocking worms through QoS actions Edge switch Edge switch 1 is directly connected to the access routerEdge switch Add ip int=vlan500 ip=172.16.5.103 mask=255.255.255.0 Access Router C613-16103-00 REV a