Allied Telesis x900 Advanced Gigabit Layer 3+ Expandable Switches manual Configuration

Models: x900 x900 Advanced Gigabit Layer 3+ Expandable Switches

8600 Configuration

NETWORK RESILIENCY SOLUTIONS VCStack + Link aggregation

To enable secure HTTP management to use certificates, a distinguished name is required and system security must be enabled

Storm control is configured to prevent downstream loops from affecting the inner layers of the network

By default, all ports are put into VLAN 171

Spanning tree needs to be disabled on the edge-facing ports, as it cannot co-exist with 802.1x authentication

The two gigabit ports are aggregated together to create a resilient link to the network core

802.1x authentication is enabled on all the client-facing ports. Clients cannot access the network without being authenticated

DHCP snooping guards against rogue server attacks, server exhaustion attacks, ARP poisoning attacks and IP spoofing attacks. Any ARP poisoning attempt will be logged

Attach a management IP address to VLAN 171, and provide a default gateway address

The RADIUS server is used for authenticating management sessions and also for authenticating 802.1x clients.

Management access is ONLY possible via the core-connected aggregated link. Access via the insecure methods Telnet and HTTP is blocked

set system distinguished="cn=switch1, o=alliedtelesis, c=nz"

enable system security

set switch port=1-24 bclimit=3000 mclimit=3000 dlflimit=3000

create vlan="edge" vid=171

add vlan="171" port=1-26

enable stp="default"

set stp="default" mode=rapid

disable stp="default" port=1-24

create switch trunk=aggregation port=25-26 speed=1000m

enable portauth=8021x

enable portauth=8021x port=1-24 type=authenticator

enable dhcpsnooping

enable dhcpsnooping arpsecurity

enable dhcpsnooping log=arpsecurity

set dhcpsnooping port=25 trusted=yes

set dhcpsnooping port=26 trusted=yes

enable ip

add ip int=vlan171 ip=192.168.171.34

add ip route=0.0.0.0 interface=vlan171 nexthop=192.168.171.1

add radius server=192.168.10.34 secret="testing123-2" port=1812 accport=1813

add switch l3filter match=dipaddress dclass=host

add switch l3filter=1 entry dipaddress=192.168.171.34 action=deny

add switch l3filter match=none import=true

add switch l3filter=2 entry iport=26 action=nodrop

add switch l3filter=2 entry iport=25 action=nodrop

disable telnet server
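
The annotations above imply several invariants between these commands (802.1x ports must have spanning tree disabled, only the aggregated uplink ports are DHCP-snooping trusted, Telnet is off). The following Python audit is an added example, not part of the Allied Telesis manual; it checks a saved configuration for those invariants, and the rule set and the names `audit`, `ports` and `collect` are assumptions of this example.

```python
import re

# Subset of the commands shown on this page (AlliedWare syntax), one per line.
CONFIG = """\
enable system security
disable stp="default" port=1-24
create switch trunk=aggregation port=25-26 speed=1000m
enable portauth=8021x port=1-24 type=authenticator
enable dhcpsnooping
enable dhcpsnooping arpsecurity
set dhcpsnooping port=25 trusted=yes
set dhcpsnooping port=26 trusted=yes
disable telnet server
"""

def ports(spec):
    """Expand a port list such as '1-24' or '1,3,5-8' into a set of ints."""
    out = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out

def collect(lines, pattern):
    """Union of the port sets captured by `pattern` over all matching lines."""
    hits = (re.fullmatch(pattern, line) for line in lines)
    return set().union(*(ports(m.group(1)) for m in hits if m))

def audit(config):
    """Return a list of findings; an empty list means every check passed."""
    lines = [" ".join(l.split()).lower() for l in config.splitlines() if l.strip()]
    auth = collect(lines, r"enable portauth=8021x port=(\S+) type=authenticator")
    stp_off = collect(lines, r'disable stp="?default"? port=(\S+)')
    trunk = collect(lines, r"create switch trunk=\S+ port=(\S+).*")
    trusted = collect(lines, r"set dhcpsnooping port=(\S+) trusted=yes")
    findings = []
    for required in ("enable system security", "enable dhcpsnooping",
                     "enable dhcpsnooping arpsecurity", "disable telnet server"):
        if required not in lines:
            findings.append(f"missing: {required}")
    # Assumed rules, derived from the page's annotations.
    if auth - stp_off:
        findings.append(f"802.1x ports with STP still enabled: {sorted(auth - stp_off)}")
    if trusted - trunk:
        findings.append(f"DHCP-snooping trusted ports outside the trunk: {sorted(trusted - trunk)}")
    if trusted & auth:
        findings.append(f"client-facing ports trusted for DHCP: {sorted(trusted & auth)}")
    return findings
```

Calling `audit(CONFIG)` on the configuration from this page returns an empty list; each drifted or missing command adds one finding string.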

Allied Telesis

www.alliedtelesis.com
