
Protecting the network

2. Set the sensitivity of rapid MAC movement detection. The following command tells the switch how many times a MAC address may move between ports in one second before the switch treats it as thrashing:

set switch thrashlimit=5..255

Configuration on trunk groups

Rapid MAC movement protection also works with trunk groups. If one switch in a trunk fails, the switches can probably no longer negotiate STP, or any other trunks that they belong to, across that link. This immediately causes a broadcast storm. Rapid MAC movement protection on the other switch in the trunk group detects such a storm, because the same packet is flooded on every trunk port connected to the failed switch, so its source MAC address appears to move between those ports.

For a static trunk, to make use of rapid MAC movement protection, create the trunk and specify the optional thrashaction and thrashtimeout parameters:

create switch trunk=<name> port=<ports> thrashaction={learndisable|linkdown|none|portdisable|vlandisable} thrashtimeout={none|1..86400}

For a dynamic trunk using LACP, enable LACP, add ports, and set the optional thrashaction and thrashtimeout parameters:

enable lacp

add lacp port=<ports>

set lacp thrashaction={learndisable|linkdown|none|portdisable|vlandisable} thrashtimeout={none|1..86400}

Controlling multicast traffic

In a busy network, or one that has subscription-only access to multicast services, tight per-port control of multicast traffic is required. IGMP already makes multicasting fairly efficient, and the extra controls offered by AlliedWare improve both efficiency and security.

When multicasting, it is essential to avoid filling the network with unnecessary multicast data and to make sure that the clients who join a group are entitled to receive it. It is also important to minimise delays in joining a group and to efficiently handle those who leave a group.

The following sections outline some of the IGMP controls that are particularly relevant for security. For detailed information on how to control IGMP in the network, see How To Configure IGMP for Multicasting on Routers and Managed Layer 3 Switches. This How To Note is available from www.alliedtelesis.com/resources/literature/howto.aspx.

IGMP snooping

IGMP snooping is enabled by default on Allied Telesis managed layer 3 switches. IGMP snooping monitors the streams and clients involved in each multicast group, independently of IP routing, by inspecting the IGMP messages that pass through the switch. A snooping switch ensures that only ports with a client interested in a group receive that group's traffic. This basic level of management works in tandem with the subnetwork's IGMP querier and makes sure that the querier is notified of any client who wants to join a group.
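The mechanism described above, as an added illustration that is not Allied Telesis code and does not reproduce how AlliedWare implements snooping: a toy IGMPv2 snooping table that learns group membership from Membership Report and Leave messages, records the port on which a querier was seen, and then forwards a multicast data packet only to member ports and router ports instead of flooding it. The port numbers, group addresses and IGMP frames are constructed for the example, and a Leave removes the port immediately (real switches usually send a group-specific query first).

```python
"""Toy IGMPv2 snooping table (illustrative, constructed input only)."""
import struct
from ipaddress import IPv4Address

# IGMPv2 message types (RFC 2236)
IGMP_QUERY, IGMP_V2_REPORT, IGMP_LEAVE = 0x11, 0x16, 0x17


def igmp_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum; returns 0 for a valid message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_igmp(msg_type: int, group: str, max_resp: int = 0) -> bytes:
    """Construct an 8-byte IGMPv2 message with a correct checksum (test input)."""
    raw_group = IPv4Address(group).packed
    body = struct.pack("!BBH4s", msg_type, max_resp, 0, raw_group)
    return struct.pack("!BBH4s", msg_type, max_resp, igmp_checksum(body), raw_group)


class SnoopingSwitch:
    """Membership state a snooping switch keeps per group (constructed model)."""

    def __init__(self, ports):
        self.ports = set(ports)
        self.members = {}          # group address -> set of interested ports
        self.router_ports = set()  # ports on which an IGMP querier was seen

    def receive_igmp(self, in_port: int, payload: bytes) -> str:
        """Update the snooping table from one IGMP message seen on in_port."""
        if len(payload) < 8 or igmp_checksum(payload[:8]) != 0:
            return "dropped"       # malformed or bad checksum: never trust it
        msg_type, _, _, raw_group = struct.unpack("!BBH4s", payload[:8])
        group = str(IPv4Address(raw_group))
        if msg_type == IGMP_QUERY:
            self.router_ports.add(in_port)      # querier/router lives here
            return "querier"
        if msg_type == IGMP_V2_REPORT:
            self.members.setdefault(group, set()).add(in_port)
            return "joined"
        if msg_type == IGMP_LEAVE:              # immediate ("fast") leave
            ports = self.members.get(group, set())
            ports.discard(in_port)
            if not ports:
                self.members.pop(group, None)
            return "left"
        return "ignored"

    def forward_ports(self, in_port: int, group: str) -> list:
        """Ports that get a data packet for `group` arriving on in_port.
        Without snooping the answer would be every port except in_port."""
        wanted = self.members.get(group, set()) | self.router_ports
        return sorted(wanted - {in_port})

    def flood_ports(self, in_port: int) -> list:
        """What a non-snooping switch would do with the same packet."""
        return sorted(self.ports - {in_port})


def demo():
    """Join, leave and an unregistered group on a constructed 8-port switch."""
    sw = SnoopingSwitch(ports=range(1, 9))
    sw.receive_igmp(8, build_igmp(IGMP_QUERY, "0.0.0.0", max_resp=100))
    sw.receive_igmp(3, build_igmp(IGMP_V2_REPORT, "239.1.1.1"))
    sw.receive_igmp(5, build_igmp(IGMP_V2_REPORT, "239.1.1.1"))
    sw.receive_igmp(6, build_igmp(IGMP_V2_REPORT, "239.2.2.2"))
    before = sw.forward_ports(8, "239.1.1.1")   # members 3 and 5 only
    sw.receive_igmp(5, build_igmp(IGMP_LEAVE, "239.1.1.1"))
    after = sw.forward_ports(8, "239.1.1.1")    # port 5 gone
    unknown = sw.forward_ports(2, "239.9.9.9")  # nobody joined: router port only
    return before, after, unknown, sw.flood_ports(8)


if __name__ == "__main__":
    print(demo())
```

The security point is visible in the last value returned by `demo()`: a client on port 2 sending data to a group nobody has joined reaches only the router port, and a client that never sent a Report never receives a stream it did not ask for.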

Products: All switches listed on page 2

Software Versions: All

Create A Secure Network With Allied Telesis Managed Layer 3 Switches