Allied Telesis Layer 3 Switches: IGMP filtering, IGMP throttling, Configuration for each port


Protecting the network

IGMP filtering

IGMP filtering lets you dictate exactly which multicast groups a specific port can receive, by creating a filter list and applying it to the port. Different ports may have different filter lists applied to them.

If desired, you can select the type of message to filter. By default, filters apply to IGMP reports. You can create extra entries to also filter queries (type=query) and leave messages (type=leave).

Products: All switches listed on page 2 that support 2.7.5 or later

Software Versions: 2.7.5 or later

Configuration (for each port):

1. Work out which groups you want users on the port to be able to join.

2. Create an IGMP filter.

3. Create entries to allow the appropriate groups (action=include).

Note: The order of entries in a filter is important. When IGMP tries to match a message to a filter, it performs a linear search of the filter to find a matching entry. It tries each entry in turn, and stops processing the filter after the first match it finds.

4. Create an entry to block all groups (action=exclude). Give this entry a higher entry number than entries for the included groups.

5. Apply the filter to the port.

Example: To stop the user attached to port 1 from joining any group except 224.12.13.14:

create igmp filter=1

add igmp filter=1 entry=1 group=224.12.13.14 action=include

add igmp filter=1 entry=2 group=224.0.0.0-239.255.255.255 action=exclude

set switch port=1 igmpfilter=1
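
The ordering note above, as an added example (not Allied Telesis code): a Python check that parses `add igmp filter` lines in the syntax shown on this page, applies the first-match search, and flags entries that an earlier entry makes unreachable. The function names and the misordered sample are constructed for illustration; what the switch does when no entry matches is not stated on this page, so that case is reported as None.

```python
import ipaddress
import re

# Constructed sample configs in the page's command syntax; BAD puts the
# block-all entry first, which the page's note on ordering warns against.
GOOD = """create igmp filter=1
add igmp filter=1 entry=1 group=224.12.13.14 action=include
add igmp filter=1 entry=2 group=224.0.0.0-239.255.255.255 action=exclude
"""
BAD = """create igmp filter=1
add igmp filter=1 entry=1 group=224.0.0.0-239.255.255.255 action=exclude
add igmp filter=1 entry=2 group=224.12.13.14 action=include
"""

def parse_entries(config, filter_id):
    """Return (entry, low, high, type, action) tuples sorted by entry number."""
    entries = []
    for line in config.splitlines():
        if not line.lower().startswith("add igmp "):
            continue
        kv = dict(re.findall(r"(\w+)=(\S+)", line.lower()))
        if kv.get("filter") != str(filter_id):
            continue
        low, _, high = kv["group"].partition("-")
        low = int(ipaddress.IPv4Address(low))
        high = int(ipaddress.IPv4Address(high)) if high else low
        # Filters apply to reports unless a type is given (per the page).
        entries.append((int(kv["entry"]), low, high, kv.get("type", "report"), kv["action"]))
    return sorted(entries)

def decide(entries, group, msg_type="report"):
    """First-match search; None means no entry matched (outcome not stated on the page)."""
    addr = int(ipaddress.IPv4Address(group))
    for _, low, high, etype, action in entries:
        if etype == msg_type and low <= addr <= high:
            return action
    return None

def shadowed(entries):
    """Entry numbers that can never match because an earlier entry covers them."""
    dead = []
    for i, (num, low, high, etype, _) in enumerate(entries):
        if any(t == etype and l <= low and high <= h for _, l, h, t, _ in entries[:i]):
            dead.append(num)
    return dead
```

Running `shadowed()` over a saved switch configuration before applying a filter to a port catches an exclude-all entry that was given too low an entry number.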

IGMP throttling

Throttling limits the number of multicast groups that an individual port can join.

Example: To limit port 2 to a total of 6 groups:

set switch port=2 igmpmaxgroup=6 igmpaction=replace

Products: All switches listed on page 2 that support 2.7.5 or later

Software Versions: 2.7.5 or later

Create A Secure Network With Allied Telesis Managed Layer 3 Switches

C613-16103-00 REV a