Protecting the user

Example: To create a private VLAN with ports 2-6 in it, with an uplink trunk group of ports 24 and 25:

create vlan=example vid=2 private

add vlan=2 port=24-25 frame=tagged uplink

add vlan=2 port=2-6

To remove ports from the VLAN:

To remove port 4:

delete vlan=2 port=4

To remove all private ports and the uplink ports:

delete vlan=2 port=all
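The commands above can be replayed against a small model of the switch to confirm which ports end up isolated. This is an added example, not from the Allied Telesis manual; it assumes a 26-port switch, that add/delete address the VLAN by VID as on this page, and the private VLAN rule the text describes (frames between two private ports are dropped, frames to or from an uplink port are forwarded).

```python
def expand_ports(spec, max_port=26):
    """Expand a port spec such as '2-6', '24-25', '4' or 'all' into a set of port numbers."""
    if spec == "all":
        return set(range(1, max_port + 1))
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def apply_commands(lines, max_port=26):
    """Replay create/add/delete VLAN commands into a {vid: vlan-state} dict."""
    vlans = {}
    for line in lines:
        tokens = line.split()
        if not tokens:
            continue
        verb = tokens[0].lower()
        kv = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        flags = {t.lower() for t in tokens[1:] if "=" not in t}
        if verb == "create":
            vlans[int(kv["vid"])] = {"name": kv["vlan"], "private": "private" in flags,
                                     "private_ports": set(), "uplink_ports": set()}
            continue
        vid = int(kv["vlan"])  # assumption: add/delete name the VLAN by VID, as on this page
        ports = expand_ports(kv["port"], max_port)
        if verb == "add":
            role = "uplink_ports" if "uplink" in flags else "private_ports"
            vlans[vid][role] |= ports
        elif verb == "delete":
            # delete drops the ports whichever role they hold (port=all empties the VLAN)
            vlans[vid]["private_ports"] -= ports
            vlans[vid]["uplink_ports"] -= ports
    return vlans

def can_forward(vlans, vid, src, dst):
    """Private VLAN rule: two private ports never exchange frames; any path via an uplink does."""
    v = vlans[vid]
    members = v["private_ports"] | v["uplink_ports"]
    if src not in members or dst not in members or src == dst:
        return False
    if not v["private"]:
        return True
    return src in v["uplink_ports"] or dst in v["uplink_ports"]

# Constructed replay of the page's example commands, one command per line.
COMMANDS = [
    "create vlan=example vid=2 private",
    "add vlan=2 port=24-25 frame=tagged uplink",
    "add vlan=2 port=2-6",
]
STATE = apply_commands(COMMANDS)
```

Appending the page's delete commands to COMMANDS shows port 4 leaving the private set and port=all emptying the VLAN entirely.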

Using local proxy ARP and MAC-forced forwarding

Both these features ensure the integrity of ARP in your network and let you take granular control of IP traffic flows. They do this by forcing traffic that would have been dropped by private VLANs to go via an access router. Both features stop hosts from learning the MAC addresses of other hosts in their subnet—they learn the MAC address of the access router instead.

You can use these features, for example, to allow customers to use VoIP to telephone each other while blocking any video, data, or management traffic between customers.

MAC-forced forwarding (page 23) requires more configuration than local proxy ARP (page 20) but is more powerful. MAC-forced forwarding:

• ensures that all ARP replies are generated by the directly-connected switch (not the access router). This removes the ARP process from the access router, minimises the distance ARPs travel through the network, and protects against ARP Denial of Service attacks.

• dynamically determines the appropriate access router for a host by snooping DHCP packets.

• bypasses the access router for traffic between application servers and their clients.

With software versions 291-05 and later, you can use MAC-forced forwarding without configuring private VLANs. However, we recommend you use it with private VLANs for maximum security.

Create A Secure Network With Allied Telesis Managed Layer 3 Switches
