Protecting the user

Configuration of edge switches

1. Create a VLAN for each type of service (for example, voice, video, and data). With software versions 291-04 and earlier, the VLANs must be private VLANs. With software versions 291-05 and later, you can use non-private VLANs. However, we recommend you use private VLANs for maximum security.

2. Add the uplink and private ports to the VLANs as tagged ports.

3. Enable DHCP snooping and ARP security. ARP security ensures that an ARP packet received on an untrusted (client) port is only forwarded if its sender IP address matches a current valid entry in the DHCP snooping database.

4. Specify the trusted ports. DHCP snooping only accepts DHCP server messages (offers and acknowledgements) that arrive on trusted ports, so private VLAN uplink ports need to be trusted ports in order to forward the DHCP packets coming back from the server.

5. Configure other aspects of DHCP snooping, such as static IP address bindings and the maximum number of leases for ports.

6. On AT-8948, AT-9900, and x900-48 Series switches, create classifiers for DHCP snooping.

7. Enable MAC-forced forwarding.

8. Configure any other requirements, such as a management IP address, STP and LACP.
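As an added example (a simulation written for this page, not AlliedWare code or configuration syntax), the following Python models the decisions that steps 3 to 7 put in place on an edge switch: DHCP snooping builds its binding database only from exchanges whose server side arrives on a trusted port, the per-port lease cap of step 5 rejects extra devices behind a client port, ARP security checks ARP packets from client ports against the database, and MAC-forced forwarding answers every client ARP request with the access router's MAC and drops client frames addressed to anyone else. The router MAC, port numbers, IP addresses and client names are constructed for the scenario.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed sample values for the model: the access router's MAC address
# and the port number of the edge switch's uplink (assumptions, not from the page).
ROUTER_MAC = "00:00:5e:00:01:01"
UPLINK = 24


@dataclass
class Binding:
    """One entry of the DHCP snooping database."""
    mac: str
    ip: str
    port: int


@dataclass
class EdgeSwitch:
    """Simulation of an edge switch with DHCP snooping, ARP security and
    MAC-forced forwarding enabled. Only the forwarding decisions are modelled."""
    trusted_ports: Set[int]                                     # step 4
    max_leases: Dict[int, int] = field(default_factory=dict)   # step 5: per-port lease cap
    bindings: Dict[str, Binding] = field(default_factory=dict)  # snooping database, keyed by MAC
    pending: Dict[str, int] = field(default_factory=dict)       # client MAC -> port of its REQUEST
    log: List[str] = field(default_factory=list)

    def _drop(self, why: str) -> bool:
        self.log.append("drop: " + why)
        return False

    def leases_on(self, port: int) -> int:
        return sum(1 for b in self.bindings.values() if b.port == port)

    def add_static_binding(self, mac: str, ip: str, port: int) -> None:
        """Step 5: static entry for a device that never uses DHCP."""
        self.bindings[mac] = Binding(mac, ip, port)

    def dhcp(self, port: int, msg: str, mac: str, ip: Optional[str] = None) -> bool:
        """Steps 3-5: DHCP snooping. Returns True if the message is forwarded."""
        if msg in ("DISCOVER", "REQUEST"):
            if port in self.trusted_ports:
                return True                      # arrived from the network side; nothing to learn
            cap = self.max_leases.get(port)
            if cap is not None and mac not in self.bindings and self.leases_on(port) >= cap:
                return self._drop(f"port {port} already holds its maximum of {cap} leases")
            self.pending[mac] = port             # remember where the client is attached
            return True
        if msg in ("OFFER", "ACK"):
            if port not in self.trusted_ports:   # step 4: servers only accepted behind trusted ports
                return self._drop(f"DHCP {msg} from untrusted port {port} (rogue server)")
            if msg == "ACK" and mac in self.pending and ip is not None:
                self.bindings[mac] = Binding(mac, ip, self.pending.pop(mac))
            return True
        if msg == "RELEASE":
            b = self.bindings.get(mac)
            if b is None or b.port != port:      # a client cannot release someone else's lease
                return self._drop(f"RELEASE for {mac} from port {port} does not match its binding")
            del self.bindings[mac]
            return True
        return self._drop(f"unsupported DHCP message {msg}")

    def arp(self, port: int, sender_mac: str, sender_ip: str, op: str) -> Optional[str]:
        """Step 3 (ARP security) and step 7 (MACFF proxy ARP). Returns the MAC the
        switch answers a client's request with, "forward" for a packet passed on
        unchanged, or None when the packet is dropped."""
        if port not in self.trusted_ports:
            b = self.bindings.get(sender_mac)
            if b is None or b.ip != sender_ip or b.port != port:
                self._drop(f"ARP from {sender_mac}/{sender_ip} on port {port} has no valid snooping entry")
                return None
            if op == "request":
                # MACFF (RFC 4562): every address a client asks for resolves to the
                # access router, so client-to-client traffic is forced through it.
                return ROUTER_MAC
        return "forward"

    def forward(self, port: int, dst_mac: str) -> Optional[int]:
        """Step 7: unicast forwarding under MACFF. Returns the egress port or None."""
        if port not in self.trusted_ports:
            if dst_mac != ROUTER_MAC:            # clients may only talk to the access router
                self._drop(f"frame from port {port} to {dst_mac} is not addressed to the access router")
                return None
            return UPLINK
        b = self.bindings.get(dst_mac)           # traffic from the router side goes to the bound port
        return b.port if b else None


def demo() -> dict:
    """Constructed scenario: two legitimate clients and one attacker."""
    sw = EdgeSwitch(trusted_ports={UPLINK}, max_leases={1: 1})
    alice, bob, mallory = "00:11:22:33:44:01", "00:11:22:33:44:02", "00:11:22:33:44:03"
    for mac, port, ip in ((alice, 1, "10.0.0.11"), (bob, 2, "10.0.0.12")):
        sw.dhcp(port, "DISCOVER", mac)
        sw.dhcp(UPLINK, "OFFER", mac, ip)
        sw.dhcp(port, "REQUEST", mac)
        sw.dhcp(UPLINK, "ACK", mac, ip)
    return {
        "rogue_offer": sw.dhcp(2, "OFFER", mallory, "10.0.0.99"),  # rogue DHCP server on a client port
        "lease_cap": sw.dhcp(1, "DISCOVER", mallory),               # second device behind port 1
        "alice_arp": sw.arp(1, alice, "10.0.0.11", "request"),      # answered with the router's MAC
        "bob_arp_ok": sw.arp(2, bob, "10.0.0.12", "reply"),
        "spoofed_arp": sw.arp(2, bob, "10.0.0.11", "reply"),        # bob claims alice's address
        "bob_to_alice": sw.forward(2, alice),                       # direct client-to-client frame
        "bob_to_router": sw.forward(2, ROUTER_MAC),
        "router_to_alice": sw.forward(UPLINK, alice),
        "log": sw.log,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Running `demo()` shows the four drops a real switch would log in this scenario: the rogue OFFER on a client port, the second DISCOVER behind the capped port, the ARP reply in which bob claims alice's IP address, and bob's frame addressed directly to alice. Everything a client sends legitimately ends up at the access router, which is what lets the router's classifiers and filters in the next procedure see all client-to-client traffic.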

Configuration of access router

1. Create the VLANs and add ports to them.

2. Enable IP and configure IP addresses on each VLAN.

3. Create classifiers to match the traffic that you need to control.

4. Create hardware filters to forward or drop the classified traffic.

5. Disable ICMP redirection. With MAC-forced forwarding, traffic between two clients on the same subnet reaches the access router and is sent back out the same interface, which would normally make the router send an ICMP redirect inviting the client to bypass it. Disabling redirects keeps that traffic subject to the filters.

6. Configure any other required networking features.

Example

The How To Note How To Use MAC-Forced Forwarding with DHCP Snooping to Create Enhanced Private VLANs includes the full configuration for the network on page 19, including the three client residential gateways, the three edge switches, and the access router. For your convenience, we have reproduced the configuration scripts for the edge switches and the access router in “Appendix: Configuration scripts for MAC-forced forwarding example” on page 27.

Using IPsec to make VPNs

IPsec is a frequently-used secure remote access technology. It is particularly useful for connecting remote offices over long distances and for giving access to travelling employees. IPsec offers peer authentication, confidentiality and integrity protection for the tunnelled traffic, and fine-grained control over which traffic is protected and allowed through the tunnel.

The AlliedWare IPsec implementation is RFC compliant and offers extensive options.

Products
Rapier i Series
Rapier Series
AT-8800 Series

Software Versions
All

Examples
For examples of the many ways to configure IPsec, see the following How To Notes:

• How To Configure VPNs In A Corporate Network, With Optional Prioritisation Of VoIP
• How To Configure Microsoft® Windows 2000 Virtual Private Network (VPN) client interoperability without NAT-T support
• How To Configure Microsoft® Windows 2000 Virtual Private Network (VPN) client interoperability with NAT-T support

Create A Secure Network With Allied Telesis Managed Layer 3 Switches

Page 24