Page 3 - Securing the device; You can protect your network against the following:; Protecting against packet flooding; Products; Software Versions
Create A Secure Network With Allied Telesis Managed Layer 3 Switches 3 Securing the device Securing the device The first step towards making a secure network is to secure the networking equipment itself. There are two aspects to this. Firstly, physical security is vital—lock your networking equipmen...
Page 4 - limiting broadcasts and multicasts on a port (; Bandwidth limiting; Configuration; To limit the bandwidth for ARPs:; Example; The following configuration limits ARP packets to
Protecting the network Create A Secure Network With Allied Telesis Managed Layer 3 Switches 4 Service providers need to prevent storms from disrupting services to customers. AlliedWare offers the following options for mitigating storms: z limiting broadcasts and multicasts on a port ( “Bandwidth lim...
Page 5 - Using QoS policy-based storm protection
Create A Secure Network With Allied Telesis Managed Layer 3 Switches 5 Protecting the network Using QoS policy-based storm protection Policy-based storm protection lets you specify one of a range of actions for the switch to take when it detects a broadcast storm. It is a part of the QoS functionali...
Page 6 - Protecting against rapid MAC movement; thrashaction
Protecting the network Create A Secure Network With Allied Telesis Managed Layer 3 Switches 6 Example The following example applies storm protection to classified broadcast traffic on port 1 . If there is a storm, it takes the link down for 60 seconds. set switch enhancedmode=qoscounters Reboot afte...
Page 7 - thrashtimeout; and; thrashtimeout; Controlling multicast traffic; How To; IGMP snooping
Create A Secure Network With Allied Telesis Managed Layer 3 Switches 7 Protecting the network 2. Set the sensitivity in detecting rapid MAC movement, by using the following command to tell the switch how many times a MAC address can move ports in one second: set switch thrashlimit=5..255 Configurati...
Page 8 - IGMP filtering; IGMP throttling
Protecting the network Create A Secure Network With Allied Telesis Managed Layer 3 Switches 8 IGMP filtering IGMP filtering lets you dictate exactly which multicast groups a specific port can receive, by creating a filter list and applying it to the port. Different ports may have different filter li...
Page 9 - Managing the device securely; “Using SSL for secure web access” on page 10
Create A Secure Network With Allied Telesis Managed Layer 3 Switches 9 Managing the device securely Managing the device securely In Ethernet and broadcast networks the privacy of traffic is not guaranteed. Hubs and networks outside the administrator's control may leak sensitive data to unwanted reci...
Page 10 - Using SSL for secure web access; Add a security officer to your switch’s list of users.; Using SNMPv3
Managing the device securely Create A Secure Network With Allied Telesis Managed Layer 3 Switches 10 Using SSL for secure web access If you prefer to configure the switch using the convenient web-based GUI, then this is unencrypted by default. SSL lets you use the GUI securely, by using HTTPS instea...
Page 11 - Examples; except; To also send traps securely to the PC with IP address
Create A Secure Network With Allied Telesis Managed Layer 3 Switches 11 Managing the device securely Examples To allow the user “steve” full read, write and notify SNMP access to the switch: enable snmp add snmp view=full oid=1.3.6.1 type=include add snmp group=super-users securitylevel=authPriv rea...
Page 12 - Whitelisting telnet hosts; all; telnet access to; Building a whitelist through layer 3 filters; deny; The first filter blocks (; To permit only the host with IP address
Managing the device securely Create A Secure Network With Allied Telesis Managed Layer 3 Switches 12 Whitelisting telnet hosts For any remote management of a network device, Allied Telesis recommends you use SSH, Secure HTTP (SSL), or SNMPv3. Therefore, we recommend you block all telnet access to th...
Page 13 - Building a whitelist through QoS; Create the rest of the QoS framework—traffic class and policy.
Create A Secure Network With Allied Telesis Managed Layer 3 Switches 13 Managing the device securely Building a whitelist through QoS On AT-8948, AT-9900, AT-9900s, and x900 Series switches, use classifiers to build a whitelist and QoS to apply it. 1. Create classifiers to match telnet traffic from ...
Page 14 - Identifying the user; IP spoofing and tracking; The trouble with ARP
Identifying the user Create A Secure Network With Allied Telesis Managed Layer 3 Switches 14 Identifying the user This section describes methods for authorising and tracking users and preventing them from changing their identity on the network. IP spoofing and tracking Unknown users who attempt to c...
Page 15 - To ignore GARPs on VLAN; DHCP snooping; track the physical location of hosts
Create A Secure Network With Allied Telesis Managed Layer 3 Switches 15 Identifying the user Rejecting Gratuitous ARP (GARP) Hosts can use GARP to announce their presence on a subnet. It is a helpful mechanism, particularly when there is a chance of duplicate addresses. However, attackers can use GA...
Page 16 - How To Use DHCP Snooping,; Setting up DHCP snooping; Using static binding for rigid control; “Setting up DHCP snooping”
Identifying the user Create A Secure Network With Allied Telesis Managed Layer 3 Switches 16 For more information about setting up DHCP snooping, see How To Use DHCP Snooping, Option 82 and Filtering on Rapier, AT-8800 and AT-8600 Series Switches or How To Use DHCP Snooping, Option 82 and Filtering ...
Page 17 - Using DHCP snooping to track clients; “Setting up DHCP; Using ARP security; x port authentication; How to Configure A Secure School Network Based On 802.
Create A Secure Network With Allied Telesis Managed Layer 3 Switches 17 Identifying the user Using DHCP snooping to track clients If your DHCP server supports it, you can use “option 82” to record more information about DHCP clients. This enhances your ability to track users. The switch can pass opt...
Page 18 - Protecting the user; “Using private VLANs” on page 18; Using private VLANs; Switching
Protecting the user Create A Secure Network With Allied Telesis Managed Layer 3 Switches 18 Protecting the user This section describes the following methods of protecting users from other users on the network: z “Using private VLANs” on page 18 . This feature isolates switch ports in a VLAN from oth...
Page 19 - To remove ports from the VLAN:; Using local proxy ARP and MAC-forced forwarding; access router
Create A Secure Network With Allied Telesis Managed Layer 3 Switches 19 Protecting the user Example To create a private VLAN with ports 2-6 in it, with an uplink trunk group of ports 24 and 25: create vlan=example vid=2 private add vlan=2 port=24-25 frame=tagged uplink add vlan=2 port=2-6 To remove ...
Page 20 - Local proxy ARP
Protecting the user Create A Secure Network With Allied Telesis Managed Layer 3 Switches 20 The following figure shows a network that can use either local proxy ARP or MAC-forced forwarding—the examples in both the following sections refer to this network. Local proxy ARP In a network configuration ...
Page 21 - edge switch
Create A Secure Network With Allied Telesis Managed Layer 3 Switches 21 Protecting the user Configuration of edge switches 1. Create the VLANs, specifying that they are private. Make a different VLAN for each type of traffic that you want to control differently. 2. Add the uplink and private ports t...
Page 22 - Use the following configuration for; edge switches 2 and 3; Use the following configuration for the
Protecting the user Create A Secure Network With Allied Telesis Managed Layer 3 Switches 22 Use the following configuration for edge switches 2 and 3 (AT-8648 switches in this example): ena stp=default set stp=default mode=rapid create vlan="voice" vid=101 private add vlan=101 port=49-50 upl...
Page 23 - For more information about how MACFF works, see
Create A Secure Network With Allied Telesis Managed Layer 3 Switches 23 Protecting the user # Create a classifier to match all traffic in VLANs 101-104 create class=10 ipsa=192.168.0.0/16 ipda=192.168.0.0/16 # Create a classifier to match voice traffic create class=100 ipsa=192.168.1.0/24 ipda=192.1...
Page 24 - Using IPsec to make VPNs
Protecting the user Create A Secure Network With Allied Telesis Managed Layer 3 Switches 24 Configuration of edge switches 1. Create a VLAN for each type of service (for example, voice, video, and data). With software versions 291-04 and earlier, the VLANs must be private VLANs. With software versio...
Page 25 - How To Troubleshoot A Virtual Private Network (VPN); Protecting against worms; Blocking worms through classifier-based filters; Find out which UDP or TCP port the worm attacks.
Create A Secure Network With Allied Telesis Managed Layer 3 Switches 25 Protecting the user z How To Configure Microsoft® Windows XP Virtual Private Network (VPN) client interoperability without NAT-T support z How To Configure Microsoft® Windows XP Virtual Private Network (VPN) client interoperabil...
Page 26 - To block the W32.Slammer worm on port; Blocking worms through QoS
Protecting the user Create A Secure Network With Allied Telesis Managed Layer 3 Switches 26 To block the W32.Slammer worm on port 1 , which does not have an SQL client or server attached to it: create classifier=1 udpdport=1434 protocol=ip iport=1 add switch hwfilter classifier=1 action=discard Bloc...
Page 27 - Edge switch
Create A Secure Network With Allied Telesis Managed Layer 3 Switches 27 Appendix: Configuration scripts for MAC-forced forwarding example Appendix: Configuration scripts for MAC-forced forwarding example In this example (from page 23 ), the edge switches can be any of the following switches: z Rapie...
Page 28 - Edge switch 2; Edge switch 2 is connected to port 50 of edge switch; bold
Appendix: Configuration scripts for MAC-forced forwarding example Create A Secure Network With Allied Telesis Managed Layer 3 Switches 28 Edge switch 2 Edge switch 2 is connected to port 50 of edge switch 1 . The configuration is similar to edge switch 1 —differences are in bold : # System configura...
Page 29 - Edge switch 3; Edge switch 3 is connected to port 49 of edge switch
Create A Secure Network With Allied Telesis Managed Layer 3 Switches 29 Appendix: Configuration scripts for MAC-forced forwarding example Edge switch 3 Edge switch 3 is connected to port 49 of edge switch 1 . The configuration is similar to edge switch 1 —differences are in bold : # System configura...
Page 30 - Access Router
Appendix: Configuration scripts for MAC-forced forwarding example Create A Secure Network With Allied Telesis Managed Layer 3 Switches 30 Access Router set system name="Access Router" # Create a VLAN for accessing the Internet, SIP server and multicast groups create vlan=CoreNetwork vid=28 #...
