Allied Telesis Layer 3 Switches Network Manual

Managed layer 3 switches


How To | Create A Secure Network With Allied Telesis Managed Layer 3 Switches

Introduction

Allied Telesis switches include a range of sophisticated security features at layer 2 and layer 3. This How To Note describes these features and includes brief examples of how to configure them. The implementations shown in this How To Note should be thought of as industry-standard best practices.
Contents

Introduction (page 1)
Securing the device (page 3)
Protecting the network (page 3)
  Protecting against packet flooding (page 3)
  Protecting against rapid MAC movement (page 6)
  Controlling multicast traffic (page 7)
Managing the device securely (page 9)
  Using Secure Shell (SSH) (page 9)
  Using SSL for secure web access (page 10)
  Using SNMPv3 (page 10)
  Whitelisting telnet hosts (page 12)
Identifying the user (page 14)
  IP spoofing and tracking (page 14)
  Rejecting Gratuitous ARP (GARP) (page 15)
  DHCP snooping (page 15)
  Using 802.1x port authentication (page 17)
Protecting the user (page 18)
  Using private VLANs (page 18)
  Using local proxy ARP and MAC-forced forwarding (page 19)
  Using IPsec to make VPNs (page 24)
  Protecting against worms (page 25)
C613-16103-00 REV A
www.alliedtelesis.com



Summary of Contents for Allied Telesis Layer 3 Switches

  • Page 1: Table Of Contents

    Introduction: Allied Telesis switches include a range of sophisticated security features at layer 2 and layer 3. This How To Note describes these features and includes brief examples of how to configure them.
  • Page 2: Which Products And Software Versions Does This Information Apply To

    How To Apply Firewall Policies And Rules How To Notes are available from www.alliedtelesis.com/resources/literature/howto.aspx. Which products and software versions does this information apply to? This How To Note applies to the following Allied Telesis switch series: AT-8600 AT-8700XL AT-8800 Rapier i...
  • Page 3: Securing The Device

    VLAN does not have STP enabled, the STP tree will not converge properly. Spanning tree protocols can even fail if a broadcast storm drowns out STP messages. (See “Protecting against packet flooding” on page 3, “Protecting against rapid MAC movement” on page 6, “Controlling multicast traffic”...
  • Page 4 (“Bandwidth limiting”, “Using QoS policy-based storm ...”) ... misconfigured flood of ARPs...
  • Page 5 To apply storm protection to unclassified traffic, configure storm protection on the default traffic class in the QoS policy settings. Use the parameters dtcstormwindow, dtcstormrate, dtcstormaction, and dtcstormtimeout. Products...
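The window/rate/action/timeout semantics behind the dtcstorm* parameters are easiest to see in a small model. The following is an added illustrative model in Python, not configuration or code from this How To Note: it counts packets of a traffic class per measurement window, declares a storm when the count exceeds rate x window, applies an action to the port for the timeout period, and re-enables the port afterwards. The action names ("portdisable", "vlandisable"), the exact counting rule and the meaning of timeout 0 are assumptions made for the model, and the traffic is constructed.

```python
"""Sliding-window storm protection model: window / rate / action / timeout.

Added illustrative model, not Allied Telesis code. The action names, the
counting rule and timeout 0 == "until cleared by hand" are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
import math


@dataclass
class StormPolicy:
    window_ms: int     # measurement window (models dtcstormwindow)
    rate_pps: int      # sustained packets/second tolerated (models dtcstormrate)
    action: str        # "portdisable" or "vlandisable" (assumed action names)
    timeout_s: int     # seconds the action stays applied; 0 = until cleared by hand

    @property
    def max_per_window(self) -> float:
        return self.rate_pps * self.window_ms / 1000.0


@dataclass
class PortState:
    window_start_ms: int
    count: int = 0
    blocked_until_ms: Optional[float] = None   # None = not under storm action


class StormProtector:
    def __init__(self, policy: StormPolicy):
        self.policy = policy
        self.ports: Dict[int, PortState] = {}
        self.events: List[Tuple[int, int, int, str]] = []   # (t_ms, port, vlan, action)

    def accept(self, port: int, vlan: int, t_ms: int) -> bool:
        """Return True if a packet arriving at t_ms on (port, vlan) is forwarded."""
        st = self.ports.setdefault(port, PortState(window_start_ms=t_ms))
        if st.blocked_until_ms is not None:
            if t_ms < st.blocked_until_ms:
                return False                          # action still in force: drop
            st.blocked_until_ms = None                # timeout expired: port re-enabled
            st.window_start_ms, st.count = t_ms, 0
        if t_ms - st.window_start_ms >= self.policy.window_ms:
            st.window_start_ms, st.count = t_ms, 0    # start a fresh window
        st.count += 1
        if st.count > self.policy.max_per_window:
            ttl = math.inf if self.policy.timeout_s == 0 else self.policy.timeout_s * 1000
            st.blocked_until_ms = t_ms + ttl
            self.events.append((t_ms, port, vlan, self.policy.action))
            return False
        return True


def simulate(policy: StormPolicy, packets):
    """packets: iterable of (t_ms, port, vlan). Returns ({port: forwarded}, events)."""
    sp = StormProtector(policy)
    forwarded: Dict[int, int] = {}
    for t_ms, port, vlan in sorted(packets):
        forwarded.setdefault(port, 0)
        if sp.accept(port, vlan, t_ms):
            forwarded[port] += 1
    return forwarded, sp.events


# Constructed traffic: port 5 floods 500 broadcasts in 100 ms (5000 pps),
# port 6 sends one frame every 100 ms, and port 5 tries again 6 s later.
STORM = [(i // 5, 5, 1) for i in range(500)]
NORMAL = [(i * 100, 6, 1) for i in range(10)]
LATE = [(6000, 5, 1)]

if __name__ == "__main__":
    pol = StormPolicy(window_ms=100, rate_pps=1000, action="portdisable", timeout_s=5)
    print(simulate(pol, STORM + NORMAL + LATE))
```

With a 100 ms window and 1000 pps, the 101st packet inside one window on port 5 triggers the action; everything further from that port is dropped for 5 s, while port 6 is untouched. A timeout of 0 keeps the port down until an operator intervenes, which is the safer choice when a storm usually means a loop or a misconfigured host rather than a burst.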
  • Page 6: Protecting Against Rapid Mac Movement

    VLAN on which the rapid learning occurred. Products...
  • Page 7: Controlling Multicast Traffic

    The following sections outline some of the IGMP controls that are particularly relevant for security. For detailed information on how to control IGMP in the network, see How To Configure IGMP for Multicasting on Routers and Managed Layer 3 Switches. This How To Note is available from www.alliedtelesis.com/resources/literature/howto.aspx.
  • Page 8: Igmp Filtering

    Example: to limit port 2 to a total of 6 groups:
    set switch port=2 igmpmaxgroup=6 igmpaction=replace
    Products: All switches listed on page 2 that support 2.7.5 or later. Software Versions: 2.7.5 or later...
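What a per-port group limit does to a host that keeps joining groups is shown by the following added model in Python; it is not code or configuration from this How To Note. It enforces at most N groups per port and handles an extra join either by evicting the oldest group ("replace") or by ignoring the join ("deny"). That "replace" evicts the least recently reported group, and the "deny" alternative, are assumptions made for the model; the group addresses are constructed.

```python
"""Per-port IGMP group limit with 'replace' or 'deny' handling.

Added illustrative model, not Allied Telesis code. Which group 'replace'
evicts (the least recently reported one here) is an assumption.
"""
from collections import OrderedDict
from typing import Dict, List


class IgmpGroupLimiter:
    def __init__(self, max_groups: int, action: str = "replace"):
        if action not in ("replace", "deny"):
            raise ValueError("action must be 'replace' or 'deny'")
        self.max_groups = max_groups
        self.action = action
        # group -> time of last membership report; insertion order = oldest first
        self.groups: "OrderedDict[str, int]" = OrderedDict()

    def report(self, group: str, t: int) -> str:
        """Process an IGMP membership report (join) for `group` at time t."""
        if group in self.groups:                    # a refresh keeps the group young
            self.groups.move_to_end(group)
            self.groups[group] = t
            return "refreshed"
        if len(self.groups) < self.max_groups:
            self.groups[group] = t
            return "joined"
        if self.action == "replace":
            oldest, _ = self.groups.popitem(last=False)
            self.groups[group] = t
            return f"replaced {oldest}"
        return "denied"

    def leave(self, group: str) -> bool:
        return self.groups.pop(group, None) is not None

    def members(self) -> List[str]:
        return list(self.groups)


def demo(action: str) -> Dict[str, object]:
    """Constructed join sequence: 7 groups against a limit of 6."""
    lim = IgmpGroupLimiter(max_groups=6, action=action)
    log = [lim.report(f"239.1.1.{n}", t=n) for n in range(1, 7)]   # fill the port
    log.append(lim.report("239.1.1.1", t=10))                      # refresh group 1
    log.append(lim.report("239.1.1.7", t=11))                      # one over the limit
    return {"log": log, "members": lim.members()}
```

The security point is the bound: whatever a host on port 2 does, the switch will never hold more than six group entries for it, so one client cannot exhaust the multicast tables or pull an unbounded number of streams onto a shared link.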
  • Page 9: Managing The Device Securely

    (“Whitelisting telnet hosts” on page 12). Products: All switches listed on page 2. Software Versions ...
  • Page 10: Using Ssl For Secure Web Access

    Set up a traphost profile so that trap messages are sent to a remote host. This is not compulsory, but we recommend it. Products: All switches listed on page 2,...
  • Page 11 Telesis Routers and Managed Layer 3 Switches, available from www.alliedtelesis.com/resources/literature/howto.aspx. This How To Note also explains SNMPv3 concepts in detail, including users, groups and views.
  • Page 12: Whitelisting Telnet Hosts

    For any remote management of a network device, Allied Telesis recommends you use SSH, Secure HTTP (SSL), or SNMPv3; telnet carries passwords and session contents in clear text. Therefore, we recommend you block all telnet access to the switch by disabling the telnet server. However, if you persist with telnet, you should make a whitelist of the hosts that are permitted to telnet to the switch.
  • Page 13 Products: AT-8948, x900-48 Series, AT-9900 Series...
  • Page 14: Identifying The User

    The techniques for protecting the network are the same for all these phoney announcements: reject gratuitous ARPs, and control access to ports with DHCP snooping and ARP security. The following sections describe these solutions in detail. Then...
  • Page 15: Rejecting Gratuitous Arp (Garp)

    GARP to penetrate the network by adding themselves to the switch’s ARP table. You can configure Allied Telesis switches and routers to ignore GARP packets. Ignoring GARPs does not completely prevent IP spoofing, but it does shut down one easy avenue for an attacker.
  • Page 16
    172.16.0.12 on port 12, use the following command in addition to the configuration given in “Setting up DHCP snooping”, above:
    add dhcpsnooping binding=00-00-00-00-00-12 ip=172.16.0.12 interface=vlan1 port=12
    ...
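The three controls named on page 14 (reject gratuitous ARP, DHCP snooping, ARP security) combine into one check per ARP frame. The following is an added illustrative model in Python of that check, not code or configuration from this How To Note: a binding table populated either statically (mirroring the add dhcpsnooping binding command above, with the page's own MAC/IP/port values) or dynamically from a DHCP ACK, and a validator that drops gratuitous ARPs, frames whose ARP sender MAC differs from the Ethernet source, and frames whose sender MAC, IP or ingress port do not match a binding. The check order, the trusted-port exemption and the extra sample hosts are assumptions; all packets are constructed.

```python
"""ARP security from a DHCP snooping binding table, with gratuitous ARP rejected.

Added illustrative model, not Allied Telesis code. The check order and the
trusted-port rule are assumptions; the packets are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


def norm_mac(mac: str) -> str:
    """Canonicalise 00-00-00-00-00-12 / 00:00:00:00:00:12 / 0000.0000.0012 to one form."""
    hexdigits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(hexdigits) != 12:
        raise ValueError(f"bad MAC: {mac}")
    return "-".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    vlan: str
    port: int


@dataclass(frozen=True)
class ArpPacket:
    in_port: int
    vlan: str
    eth_src: str      # Ethernet source address
    sender_mac: str   # ARP sender hardware address
    sender_ip: str    # ARP sender protocol address
    target_ip: str    # ARP target protocol address


class ArpSecurity:
    def __init__(self, reject_garp: bool = True):
        self.reject_garp = reject_garp
        self.trusted: Set[int] = set()                         # uplink/server ports, not checked
        self.bindings: Dict[Tuple[str, str], Binding] = {}     # (vlan, mac) -> binding

    def add_binding(self, mac: str, ip: str, vlan: str, port: int) -> None:
        """Static entry, like 'add dhcpsnooping binding=MAC ip=IP interface=VLAN port=N'."""
        self.bindings[(vlan, norm_mac(mac))] = Binding(norm_mac(mac), ip, vlan, port)

    def learn_from_dhcp_ack(self, client_mac: str, yiaddr: str, vlan: str, port: int) -> None:
        """Dynamic entry: what DHCP snooping records when it sees the server's ACK."""
        self.add_binding(client_mac, yiaddr, vlan, port)

    @staticmethod
    def is_gratuitous(p: ArpPacket) -> bool:
        return p.sender_ip == p.target_ip

    def check(self, p: ArpPacket) -> Tuple[bool, str]:
        if p.in_port in self.trusted:
            return True, "trusted port"
        if self.reject_garp and self.is_gratuitous(p):
            return False, "gratuitous ARP rejected"
        if norm_mac(p.sender_mac) != norm_mac(p.eth_src):
            return False, "ARP sender MAC differs from frame source MAC"
        b = self.bindings.get((p.vlan, norm_mac(p.sender_mac)))
        if b is None:
            return False, "no DHCP snooping binding for sender MAC"
        if b.ip != p.sender_ip:
            return False, f"sender IP {p.sender_ip} not bound to this MAC"
        if b.port != p.in_port:
            return False, f"MAC bound to port {b.port}, seen on port {p.in_port}"
        return True, "matches binding"


def demo() -> List[Tuple[bool, str]]:
    """Constructed packets against the page's binding (MAC ...-12, 172.16.0.12, vlan1, port 12)."""
    sec = ArpSecurity()
    sec.trusted.add(24)                                   # assumed uplink to DHCP server / router
    sec.add_binding("00-00-00-00-00-12", "172.16.0.12", "vlan1", 12)
    sec.learn_from_dhcp_ack("00-00-00-00-00-14", "172.16.0.14", "vlan1", 14)
    m12, m13, m14 = "00-00-00-00-00-12", "00-00-00-00-00-13", "00-00-00-00-00-14"
    packets = [
        ArpPacket(12, "vlan1", m12, m12, "172.16.0.12", "172.16.0.1"),   # legitimate request
        ArpPacket(12, "vlan1", m12, m12, "172.16.0.12", "172.16.0.12"),  # gratuitous ARP
        ArpPacket(13, "vlan1", m13, m13, "172.16.0.12", "172.16.0.1"),   # unbound host claims .12
        ArpPacket(13, "vlan1", m12, m12, "172.16.0.12", "172.16.0.1"),   # cloned MAC, wrong port
        ArpPacket(14, "vlan1", m14, m14, "172.16.0.14", "172.16.0.1"),   # learnt via DHCP ACK
        ArpPacket(24, "vlan1", m13, m13, "172.16.0.1", "172.16.0.12"),   # from trusted uplink
    ]
    return [sec.check(p) for p in packets]
```

Note why a static binding is needed for the host on port 12: a device that does not use DHCP never produces the ACK that the snooping table is built from, so without the static entry its legitimate ARPs would fail the "no binding" test just like a spoofer's.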
  • Page 17: Using 802.1X Port Authentication

    Xsupplicant. Most of the above Notes describe how to configure the authentication server and the host, as well as the switch. ...
  • Page 18: Protecting The User

    Reference for more information about switch instances. Add the private ports to the VLAN. “Using private VLANs” (page 18): This feature isolates switch ports in a VLAN from ... “Using local proxy ARP and MAC-forced forwarding” (page 19): These features force all ... “Using IPsec to make VPNs” (page 24).
  • Page 19: Using Local Proxy Arp And Mac-Forced Forwarding

    With software versions 291-05 and later, you can use MAC-forced forwarding without configuring private VLANs. However, we recommend you use it with private VLANs for maximum security. (page 23) requires more configuration than...
  • Page 20: Local Proxy Arp

    On each client residential gateway, you need to enable tagged VLANs on the connection to the edge switch for the VLANs that the client should be able to access. Internet...
  • Page 21
    # Give the management VLAN an appropriate IP address
    enable ip
    add ip int=vlan104 ip=<address-in-192.168.4.0-subnet>
    ...
  • Page 23 For more information about how MACFF works, see How To Use MAC-Forced Forwarding with DHCP Snooping to Create Enhanced Private VLANs. This How To Note is available from www.alliedtelesis.com/resources/literature/howto.aspx. Products...
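The mechanism behind "Using local proxy ARP and MAC-forced forwarding" is easier to reason about as a forwarding decision per frame. The following is an added illustrative model in Python, not code or configuration from this How To Note or from the MACFF How To Note it references: the edge switch learns client bindings from DHCP snooping, answers every client ARP request itself with the access router's MAC (local proxy ARP, so a client never learns a neighbour's MAC), and forwards client frames only towards that router (MACFF), so two clients on the same VLAN can only reach each other through the router, where filtering can be applied. Port roles, the handling of ARP from the uplink, the drop reasons and all addresses are assumptions; the topology is constructed.

```python
"""MAC-forced forwarding with local proxy ARP, driven by DHCP snooping bindings.

Added illustrative model, not Allied Telesis code. Port roles, uplink ARP
handling, drop reasons and all addresses are assumptions for the model.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Client:
    mac: str
    ip: str
    port: int


class MacffEdgeSwitch:
    def __init__(self, vlan: str, router_mac: str, uplink_port: int):
        self.vlan = vlan
        self.router_mac = router_mac.lower()
        self.uplink_port = uplink_port
        self.by_port: Dict[int, Client] = {}
        self.by_mac: Dict[str, Client] = {}

    def dhcp_snooping_learn(self, mac: str, ip: str, port: int) -> None:
        """Binding as DHCP snooping records it when the router's DHCP ACK passes through."""
        c = Client(mac.lower(), ip, port)
        self.by_port[port] = c
        self.by_mac[c.mac] = c

    def arp_request(self, in_port: int, sender_mac: str, target_ip: str) -> Optional[Tuple[str, str]]:
        """Local proxy ARP: return the (target_ip, mac) reply sent back, or None to drop."""
        if in_port == self.uplink_port:
            # the router resolving a client: answer from the binding table (assumed behaviour)
            hit = next((x for x in self.by_mac.values() if x.ip == target_ip), None)
            return (target_ip, hit.mac) if hit else None
        c = self.by_port.get(in_port)
        if c is None or c.mac != sender_mac.lower():
            return None                                   # unbound or spoofed client: no answer
        # every client lookup, even for a neighbour's IP, resolves to the router
        return (target_ip, self.router_mac)

    def forward(self, in_port: int, src_mac: str, dst_mac: str) -> str:
        src, dst = src_mac.lower(), dst_mac.lower()
        if in_port == self.uplink_port:
            c = self.by_mac.get(dst)
            return f"deliver to port {c.port}" if c else "drop: unknown destination"
        c = self.by_port.get(in_port)
        if c is None or c.mac != src:
            return "drop: source not in DHCP snooping binding table"
        if dst == self.router_mac:
            return f"forward to uplink port {self.uplink_port}"
        return "drop: MACFF permits client traffic only towards the router"


def demo() -> dict:
    """Constructed topology: two clients on vlan100 behind one edge switch, router on port 24."""
    sw = MacffEdgeSwitch("vlan100", "00-11-22-33-44-01", uplink_port=24)
    sw.dhcp_snooping_learn("00-00-00-00-00-0a", "172.16.1.10", port=1)   # client A
    sw.dhcp_snooping_learn("00-00-00-00-00-0b", "172.16.1.11", port=2)   # client B
    return {
        "a_arps_for_b": sw.arp_request(1, "00-00-00-00-00-0a", "172.16.1.11"),
        "a_to_router": sw.forward(1, "00-00-00-00-00-0a", "00-11-22-33-44-01"),
        "a_direct_to_b": sw.forward(1, "00-00-00-00-00-0a", "00-00-00-00-00-0b"),
        "router_to_b": sw.forward(24, "00-11-22-33-44-01", "00-00-00-00-00-0b"),
        "spoofer_on_port_3": sw.forward(3, "00-00-00-00-00-0a", "00-11-22-33-44-01"),
        "router_arps_for_a": sw.arp_request(24, "00-11-22-33-44-01", "172.16.1.10"),
    }
```

Client A asking for B's IP is told the router's MAC, so even a client that tries to bypass the router by addressing B's MAC directly is dropped at the edge; the only working path is client, router, client, which is what lets the router's filters see all inter-client traffic.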
  • Page 24: Using Ipsec To Make Vpns

    How To Configure Microsoft® Windows 2000 Virtual Private Network (VPN) client interoperability without NAT-T support; How To Configure Microsoft® Windows 2000 Virtual Private Network (VPN) client interoperability with NAT-T support. ... page 19, including the three client...
  • Page 25: Protecting Against Worms

    How To Configure IPsec VPN Between Microsoft ISA Server 2004 and an Allied Telesyn Router Client How To Create a VPN between an Allied Telesis and a SonicWALL router, with NAT-T How To Create a VPN between an Allied Telesis and a NetScreen router...
  • Page 26 Products: AT-8948, x900-48 Series, AT-9900 Series...
  • Page 27: Appendix: Configuration Scripts For Mac-Forced Forwarding Example

    In the example (page 23), the edge switches can be any of the following switches:...
  • Page 28: Edge Switch 2

    # MACFF configuration
    enable macff int=vlan100
    enable macff int=vlan200
    enable macff int=vlan300
    enable macff int=vlan400
    enable macff int=vlan500
    ...
  • Page 29: Edge Switch 3

    # IP configuration
    enable ip
    add ip int=vlan500 ip=172.16.5.103 mask=255.255.255.0
    # MACFF configuration
    enable macff int=vlan100
    enable macff int=vlan200
    enable macff int=vlan300
    enable macff int=vlan400
    enable macff int=vlan500
    ...
  • Page 30: Access Router

    # Configure IGMP for multicasting
    enable ip igmp
    enable ip igmp int=vlan28
    enable ip igmp int=vlan200
    enable ip igmp int=vlan300
    ...
  • Page 31 Singapore 534182 T: +65 6383 3832. Allied Telesis is a trademark or registered trademark of Allied Telesis, Inc. in the United States and other countries. T: +1 800 424 4284 F: +1 425 481 3895 F: +41 91 69769.11...
