Allied Telesis Layer 3 es user manual

User manual for the device Allied Telesis Layer 3 es

Device: Allied Telesis Layer 3 es
Category: Switch
Manufacturer: Allied Telesis
Size: 0.31 MB
Added : 3/12/2013
Number of pages: 31
Print the manual

Download

How to use this site?

Our goal is to provide you with a quick access to the content of the user manual for Allied Telesis Layer 3 es. Using the online preview, you can quickly view the contents and go to the page where you will find the solution to your problem with Allied Telesis Layer 3 es.

For your convenience

If looking through the Allied Telesis Layer 3 es user manual directly on this website is not convenient for you, there are two possible solutions:

  • Full Screen Viewing - to easily view the user manual (without downloading it to your computer), you can use full-screen viewing mode. To start viewing the user manual Allied Telesis Layer 3 es on full screen, use the button Fullscreen.
  • Downloading to your computer - You can also download the user manual Allied Telesis Layer 3 es to your computer and keep it in your files. However, if you do not want to take up too much of your disk space, you can always download it in the future from ManualsBase.
Allied Telesis Layer 3 es User manual - Online PDF
Advertisement
« Page 1 of 31 »
Advertisement
Print version

Many people prefer to read the documents not on the screen, but in the printed version. The option to print the manual has also been provided, and you can use it by clicking the link above - Print the manual. You do not have to print the entire manual Allied Telesis Layer 3 es but the selected pages only. paper.

Summaries

Below you will find previews of the content of the user manuals presented on the following pages to Allied Telesis Layer 3 es. If you want to quickly view the content of pages found on the following pages of the manual, you can use them.

Abstracts of contents
Summary of the content on the page No. 1

How To | Create A Secure Network With Allied Telesis
Managed Layer 3 Switches
Introduction
Allied Telesis switches include a range of sophisticated security features at layer 2 and layer 3.
This How To Note describes these features and includes brief examples of how to configure
them.
The implementations shown in this How To Note should be thought of as industry-standard
best practices.
Contents
Introduction ...................................................................................

Summary of the content on the page No. 2

Which products and software versions does this information apply to? Appendix: Configuration scripts for MAC-forced forwarding example ................................... 27 Edge switch 1 .................................................................................................................. 27 Edge switch 2 .................................................................................................................................. 28 Edge switch 3 ................................

Summary of the content on the page No. 3

Securing the device Securing the device The first step towards making a secure network is to secure Products the networking equipment itself. All switches listed on page 2 Software Versions There are two aspects to this. Firstly, physical security is vital—lock your networking equipment away. All Secondly, straight after powering up any new piece of networking equipment, change the default administrator user’s password. On an Allied Telesis managed layer 3 switch, the default user is “manager

Summary of the content on the page No. 4

Protecting the network Service providers need to prevent storms from disrupting services to customers. AlliedWare offers the following options for mitigating storms: limiting broadcasts and multicasts on a port (“Bandwidth limiting” on page 4) detecting a storm and disabling that port or VLAN (“Using QoS policy-based storm protection” on page 5) Bandwidth limiting ARP packets are the most frequent trigger for broadcast Products storms. One ARP packet is flooded around and around a All swit

Summary of the content on the page No. 5

Protecting the network Using QoS policy-based storm protection Policy-based storm protection lets you specify one of a Products range of actions for the switch to take when it detects a AT-8948 broadcast storm. It is a part of the QoS functionality. x900-48 Series AT-9900 Series Policy-based storm protection is more powerful than simple AT-9924Ts bandwidth limiting. It lets you restrict storm damage to x900-24 Series within the storming VLAN, and it gives you the flexibility to define what t

Summary of the content on the page No. 6

Protecting the network Example The following example applies storm protection to classified broadcast traffic on port 1. If there is a storm, it takes the link down for 60 seconds. set switch enhancedmode=qoscounters Reboot after turning on enhanced mode. create classifier=1 macdaddr=ff-ff-ff-ff-ff-ff create qos trafficclass=1 stormstatus=enable stormwindow=100 stormrate=100 stormaction=linkdown stormtimeout=60 The rest of the QoS configuration is as normal, so: create qos flowgroup=1 add qos

Summary of the content on the page No. 7

Protecting the network 2. Set the sensitivity in detecting rapid MAC movement, by using the following command to tell the switch how many times a MAC address can move ports in one second: set switch thrashlimit=5..255 Configuration Rapid MAC movement protection also works with trunk groups. If one switch in a trunk fails, on trunk the switches probably cannot negotiate STP or any other trunks that they belong to. This groups immediately causes a broadcast storm. Rapid MAC movement protection

Summary of the content on the page No. 8

Protecting the network IGMP filtering IGMP filtering lets you dictate exactly which multicast Products groups a specific port can receive, by creating a filter list and All switches listed on page 2 applying it to the port. Different ports may have different that support 2.7.5 or later filter lists applied to them. Software Versions If desired, you can select the type of message to filter. By 2.7.5 or later default, filters apply to IGMP reports. You can create extra entries to also filter

Summary of the content on the page No. 9

Managing the device securely Managing the device securely In Ethernet and broadcast networks the privacy of traffic is not guaranteed. Hubs and networks outside the administrator's control may leak sensitive data to unwanted recipients. A hacker may even be able to force a switch to flood unicast traffic. Because you cannot guarantee traffic privacy, you cannot be certain that management sessions are private. Therefore, you should always use encrypted sessions when remotely administering n

Summary of the content on the page No. 10

Managing the device securely Using SSL for secure web access Products If you prefer to configure the switch using the convenient All switches listed on page 2, web-based GUI, then this is unencrypted by default. SSL lets except AT-8948 and x900-48 you use the GUI securely, by using HTTPS instead of HTTP. Series which have no Configuration 1. Add a security officer to your switch’s list of users. graphical user interface 2. Create an encryption key for SSL to use. Software Versions 3. Create

Summary of the content on the page No. 11

Managing the device securely Examples To allow the user “steve” full read, write and notify SNMP access to the switch: enable snmp add snmp view=full oid=1.3.6.1 type=include add snmp group=super-users securitylevel=authPriv readview=full writeview=full notifyview=full add snmp user=steve group=super-users authprotocol=md5 authpassword=cottonsox privprotocol=des privpassword=woollytop To also give the user “jane” read and notify access to everything on the switch, add the following commands:

Summary of the content on the page No. 12

Managing the device securely Whitelisting telnet hosts For any remote management of a network device, Allied Telesis recommends you use SSH, Secure HTTP (SSL), or SNMPv3. Therefore, we recommend you block all telnet access to the switch by disabling the telnet server. However, if you persist with telnet, you should make a whitelist of the hosts that are permitted to telnet to the switch. This does not make telnet secure, but it does reduce the associated risks. Building a whitelist through

Summary of the content on the page No. 13

Managing the device securely Building a whitelist through QoS On AT-8948, AT-9900, AT-9900s, and x900 Series switches, Products use classifiers to build a whitelist and QoS to apply it. AT-8948 x900-48 Series Configuration 1. Create classifiers to match telnet traffic from permitted IP addresses to the switch’s IP address. AT-9900 Series AT-9924Ts 2. Create a classifier to match all telnet traffic to the x900-24 Series switch’s IP address. 3. Create a flow group and add the classifiers for per

Summary of the content on the page No. 14

Identifying the user Identifying the user This section describes methods for authorising and tracking users and preventing them from changing their identity on the network. IP spoofing and tracking Unknown users who attempt to change IP address—to circumvent billing or to hide their identity—can be a problem for administrators. Changing IP address for malicious reasons is most commonly called IP spoofing, and is also known as ARP spoofing, ARP poisoning, and ARP poison routing (APR). The net

Summary of the content on the page No. 15

Identifying the user Rejecting Gratuitous ARP (GARP) Products Hosts can use GARP to announce their presence on a All switches listed on page 2 subnet. It is a helpful mechanism, particularly when there is a chance of duplicate addresses. However, attackers can use Software Versions GARP to penetrate the network by adding themselves to 2.5.1 and later the switch’s ARP table. You can configure Allied Telesis switches and routers to ignore GARP packets. Ignoring GARPs does not completely preve

Summary of the content on the page No. 16

Identifying the user For more information about setting up DHCP snooping, see How To Use DHCP Snooping, Option 82 and Filtering on Rapier, AT-8800 and AT-8600 Series Switches or How To Use DHCP Snooping, Option 82 and Filtering on x900 Series Switches. These How To Notes are available from www.alliedtelesis.com/resources/literature/howto.aspx. Setting up DHCP snooping This section describes a minimal configuration for DHCP snooping. With this configuration, the switch snoops DHCP packets to

Summary of the content on the page No. 17

Identifying the user Using DHCP snooping to track clients If your DHCP server supports it, you can use “option 82” to record more information about DHCP clients. This enhances your ability to track users. The switch can pass option 82 information to the DHCP server so that the server can record the switch MAC, switch port, VLAN number and subscriber-ID that the client is a member of. Example To pass option 82 information to the server, including the information that port 1 is room 101, use t

Summary of the content on the page No. 18

Protecting the user Protecting the user This section describes the following methods of protecting users from other users on the network: “Using private VLANs” on page 18. This feature isolates switch ports in a VLAN from other switch ports in the same VLAN. “Using local proxy ARP and MAC-forced forwarding” on page 19. These features force all traffic in a network to go via an access router. “Using IPsec to make VPNs” on page 24. This feature creates secure tunnels through an insecure net

Summary of the content on the page No. 19

Protecting the user Example To create a private VLAN with ports 2-6 in it, with an uplink trunk group of ports 24 and 25: create vlan=example vid=2 private add vlan=2 port=24-25 frame=tagged uplink add vlan=2 port=2-6 To remove ports from the VLAN: # remove port 4: delete vlan=2 port=4 # remove all private ports and the uplink ports: delete vlan=2 port=all Using local proxy ARP and MAC-forced forwarding Both these features ensure the integrity of ARP in your network and let you take granular co

Summary of the content on the page No. 20

Protecting the user The following figure shows a network that can use either local proxy ARP or MAC-forced forwarding—the examples in both the following sections refer to this network. Internet Management PC 24 Access 5 Router 20 12 SIP and Multicast server LACP Residential 12 Gateway 1 Edge 15 Switch 1 49 50 Client 1 50 Edge Switch 3 49 Residential Gateway 2 49 50 Edge Client 2 14 Switch 2 15 Residential Gateway 3 Client 3 macff.eps Local proxy ARP In a network configuration like the previo


Alternative user manuals
# User manual Category Download
1 Allied Telesis 24i User manual Switch 24
2 Allied Telesis AT -8000S/24 User manual Switch 182
3 Allied Telesis 8100S User manual Switch 28
4 Allied Telesis 4000 Series User manual Switch 9
5 Allied Telesis 48W User manual Switch 5
6 Allied Telesis AT -8000S/48 User manual Switch 33
7 Allied Telesis 86241-06 User manual Switch 0
8 Allied Telesis 613-001480 User manual Switch 4
9 Allied Telesis 8PS User manual Switch 1
10 Allied Telesis AT-8100L/8POE User manual Switch 3
11 Allied Telesis AT-8100S/24F-LC User manual Switch 0
12 Allied Telesis AT-8000GS/48 User manual Switch 34
13 Allied Telesis AT-8100S/16F8-SC User manual Switch 3
14 Allied Telesis AT-8100S/16F8-LC User manual Switch 0
15 Allied Telesis AT-8100S/48 User manual Switch 6
16 Sony 4-296-436-11 (2) User manual Switch 0
17 3Com 10/100BASE-TX User manual Switch 61
18 3Com 2226-SFP User manual Switch 688
19 3Com 16985ua.bk User manual Switch 10
20 3Com 10BASE-T User manual Switch 4