Protecting the network

2.Set the sensitivity in detecting rapid MAC movement, by using the following command to tell the switch how many times a MAC address can move ports in one second:

set switch thrashlimit=5..255

Configuration Rapid MAC movement protection also works with trunk groups. If one switch in a trunk fails, on trunk the switches probably cannot negotiate STP or any other trunks that they belong to. This

groups immediately causes a broadcast storm. Rapid MAC movement protection on the other switch in the trunk group detects such a storm because flooding of the same packet occurs on all trunk ports connected to the failed switch.

For a static trunk, to make use of rapid MAC movement protection, create the trunk and specify the optional thrashaction and thrashtimeout parameters:

create switch trunk=<name> port=<ports> thrashaction={learndisablelinkdownnoneportdisable vlandisable} thrashtimeout={none1..86400}

For a dynamic trunk using LACP, enable LACP, add ports, and set the optional thrashaction and thrashtimeout parameters:

enable lacp

add lacp port=<ports>

set lacp thrashaction={learndisablelinkdownnoneportdisable vlandisable} thrashtimeout={none1..86400}

Controlling multicast traffic

In a busy network, or one that has subscription-only access to multicast services, tight per-port control of multicast traffic is required. IGMP makes multicasting fairly efficient, but the extra control offered by AlliedWare helps increase efficiency.

When multicasting, it is essential to avoid filling the network with unnecessary multicast data and to make sure that the clients who join a group are entitled to receive it. It is also important to minimise delays in joining a group and to efficiently handle those who leave a group.

The following sections outline some of the IGMP controls that are particularly relevant for security. For detailed information on how to control IGMP in the network, see How To Configure IGMP for Multicasting on Routers and Managed Layer 3 Switches. This How To Note is available from www.alliedtelesis.com/resources/literature/howto.aspx.

IGMP snooping

IGMP snooping is enabled by default on Allied Telesis managed layer 3 switches. IGMP snooping monitors the streams and clients involved in each multicast group, independent from IP itself. A snooping switch ensures that only ports that are interested in a group are sent it. This basic level of management works in tandem with the subnetwork's IGMP querier and makes sure that the querier gets notified of any client who wants to join the group.

Products

All switches listed on page 2

Software Versions

All

Create A Secure Network With Allied Telesis Managed Layer 3 Switches

7

Page 6 Page 8
Page 7
Image 7
Allied Telesis Layer 3 Switches manual Controlling multicast traffic, Igmp snooping
Page 6 Page 8
Top Page Image Contents