Introduction
Below are several recommendations and associated features available on AlliedWare Plus devices that can help protect your network from unauthorized access or performance loss due to misconfiguration.
Turning off unused ports
The simplest way to protect your network from unauthorized access is to turn off the ports that are not in use. When a port is shut down, it cannot be used to access the network until an administrator turns it back on with no shutdown.
Example:
awplus# configure terminal
awplus(config)# interface port1.0.1
awplus(config-if)# shutdown
Using port-security
Port-security helps secure the network by discarding packets from devices whose MAC addresses are not in the port's learned list.
The port-security maximum command sets the maximum number of MAC addresses that each port can learn.
The port-security violation command sets the action taken on a switch port when the port exceeds its learning limit. The action can be shutdown, restrict or protect.
- If shutdown is set, the physical link is disabled, "shutdown" is shown in the config, and the port stays down until an administrator re-enables it.
- If restrict is set, packets from the unauthorized MAC address are discarded and an SNMP trap is generated to alert management.
- If protect is set, packets from the unauthorized MAC address are silently discarded by the packet processor.
The learned MAC list is saved and is still present after a restart.
Example:
awplus# configure terminal
awplus(config)# interface port1.0.2
awplus(config-if)# switchport port-security
awplus(config-if)# switchport port-security maximum 3
awplus(config-if)# switchport port-security violation shutdown
Spanning tree portfast/bpdu guard
Allied Telesis switches run RSTP by default to prevent loops. This usually results in a brief delay before a port starts to pass traffic once a device is plugged in. The delay can be avoided by running the spanning-tree edgeport command on selected ports. This command skips the RSTP convergence phase so that the port passes traffic immediately. It is intended for an access port that connects to an end point; the convergence phase is necessary on new inter-switch connections to determine whether a loop exists.
Example:
awplus(config)# interface port1.0.8
awplus(config-if)# spanning-tree edgeport
Allied Telesis recommends enabling spanning-tree portfast bpdu-guard in global configuration mode. With BPDU guard on, an edge port that receives a BPDU (which means a switch, not an end point, has been plugged into it) is disabled instead of being allowed to form a loop.
Example:
awplus# configure terminal
awplus(config)# spanning-tree portfast bpdu-guard
Loop protection
In addition to STP, AlliedWare Plus devices can detect and prevent loops by sending a special loop-detection frame out of each port and listening for the same frame to come back in, which indicates a loop. This is most appropriate for access ports, where there is no control over the equipment at the other end.
The example below enables loop detection globally and, on the port, sets the action to disable the port for 30 seconds (the default behavior is to disable the VLAN indefinitely).
Example:
awplus# configure terminal
awplus(config)# loop-protection loop-detect
awplus(config)# interface port1.0.1
awplus(config-if)# loop-protection action port-disable
awplus(config-if)# loop-protection timeout 30
Storm prevention
A packet storm is a flood of broadcast, multicast, or flooded DLF (destination lookup failure) packets being forwarded around a loop. The severity of a storm is reduced by limiting how many broadcast, multicast and DLF packets are forwarded per second. The maximum forwarding rates for broadcast, multicast, and DLF can be set on a per-port basis.
Example:
awplus# configure terminal
awplus(config)# interface port1.0.1
awplus(config-if)# storm-control broadcast level <level>
awplus(config-if)# storm-control multicast level <level>
awplus(config-if)# storm-control dlf level <level>
Where "level" is the maximum forwarding rate of the specified traffic type, as a percentage of the port bandwidth.
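As an added check (example code written for this page, not Allied Telesis tooling), the Python script below reads saved show running-config output and reports every port that is up but is missing any of the protections described in the sections above: no description on a port that is not shut down, no port-security, no edgeport/portfast with BPDU guard, no loop-protection action, and no storm-control. The config text embedded in it is constructed for the demonstration; the command spellings it matches are the ones used in the examples on this page, and defaults that the running-config omits are not inferred.

```python
import re

# Constructed sample of AlliedWare Plus 'show running-config' output, written
# for this example only. Port roles and values are invented.
SAMPLE_CONFIG = """\
!
spanning-tree mode rstp
spanning-tree portfast bpdu-guard
!
loop-protection loop-detect
!
interface port1.0.1
 description uplink-to-core
 switchport
 switchport mode trunk
!
interface port1.0.2
 description user-desk-12
 switchport
 switchport mode access
 switchport port-security
 switchport port-security maximum 3
 switchport port-security violation shutdown
 spanning-tree portfast
 loop-protection action port-disable
 loop-protection timeout 30
 storm-control broadcast level 5
 storm-control multicast level 5
 storm-control dlf level 5
!
interface port1.0.3
 description user-desk-13
 switchport
 switchport mode access
 spanning-tree portfast
!
interface port1.0.4
 switchport
 shutdown
!
interface port1.0.5
 switchport
!
"""

TRAFFIC_TYPES = ("broadcast", "multicast", "dlf")


def parse_config(text):
    """Split running-config text into global commands and one command list
    per 'interface <name>' block. Lines under an interface are indented;
    '!' ends a block. A range such as 'interface port1.0.1-1.0.24' is kept
    as a single block name, not expanded."""
    global_cmds, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("!"):
            current = None
            continue
        m = re.match(r"^interface\s+(\S+)$", line)
        if m:
            current = m.group(1)
            interfaces[current] = []
        elif current is not None and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None
            global_cmds.append(line.strip())
    return global_cmds, interfaces


def has(cmds, prefix):
    """True if a command equals prefix or starts with 'prefix ' (so
    'storm-control dlf level' matches 'storm-control dlf level 5')."""
    return any(c == prefix or c.startswith(prefix + " ") for c in cmds)


def audit_interface(cmds, global_cmds):
    """Return the findings for one switch port. Ports that are shut down
    and trunk (inter-switch) ports are outside the edge-port checks."""
    findings = []
    if "shutdown" in cmds:
        return findings
    if has(cmds, "switchport mode trunk"):
        return findings
    if not has(cmds, "description"):
        findings.append("up with no description: confirm it is in use, else shut it down")
    if "switchport port-security" not in cmds:
        findings.append("port-security not enabled")
    is_edge = has(cmds, "spanning-tree portfast") or has(cmds, "spanning-tree edgeport")
    if not is_edge:
        findings.append("not configured as an edge port (no portfast/edgeport)")
    elif not (has(global_cmds, "spanning-tree portfast bpdu-guard")
              or has(cmds, "spanning-tree portfast bpdu-guard")):
        findings.append("edge port without BPDU guard")
    if not has(cmds, "loop-protection action"):
        findings.append("no loop-protection action set")
    missing = [t for t in TRAFFIC_TYPES if not has(cmds, f"storm-control {t} level")]
    if missing:
        findings.append("storm-control not set for " + ", ".join(missing))
    return findings


def audit(text):
    """Audit a whole running-config; returns {interface_or_'global': [findings]}."""
    global_cmds, interfaces = parse_config(text)
    report = {}
    if not has(global_cmds, "loop-protection loop-detect"):
        report["global"] = ["loop-protection loop-detect not enabled globally"]
    for name, cmds in interfaces.items():
        report[name] = audit_interface(cmds, global_cmds)
    return report


if __name__ == "__main__":
    for target, findings in audit(SAMPLE_CONFIG).items():
        print(f"{target}: {'OK' if not findings else '; '.join(findings)}")
```

Run it against the output of show running-config copied to a file (replace SAMPLE_CONFIG with the file contents). Trunk ports are skipped because the edge-port features do not apply to inter-switch links; a port flagged as both undescribed and unhardened is the first candidate for shutdown, and a port that is described but unhardened (port1.0.3 in the sample) is the one to bring up to the port1.0.2 baseline.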
DHCP snooping
DHCP snooping provides an extra layer of security at the network edge via dynamic IP source filtering. DHCP snooping inspects DHCP packets to build a database of which IP addresses have been allocated to clients downstream of each port. Using this database, it can determine whether the source IP addresses of packets arriving from clients are valid, i.e. match the addresses that were allocated to those clients. Additionally, DHCP snooping can prevent rogue DHCP activity in the network by filtering out DHCP packets that arrive on the wrong ports or with incorrect contents.
To utilize DHCP snooping, please follow the steps in the article below:
https://www.alliedtelesis.com/en/documents/dhcp-snooping-feature-overview-and-configuration-guide
Using 802.1x security
802.1X is an IEEE standard providing a mechanism for authenticating devices attached to a LAN port or wireless device. Devices wishing to access services behind a port must authenticate themselves before any Ethernet packets are allowed to pass through.
To use 802.1X, which requires a RADIUS server, please follow the steps in the article below:
https://www.alliedtelesis.com/en/documents/aaa-and-port-authentication-feature-overview-and-configuration-guide
Using ACL to block unwanted traffic from the switch
An Access Control List is one filter, or a sequence of filters, that are applied to an interface to either block or pass (or when using QoS, apply priority to) packets that match the filter definitions. ACLs are used to restrict network access by hosts and devices and to control network traffic.
To utilize access control list, please follow the steps in the article below:
https://www.alliedtelesis.com/en/documents/acl-feature-overview-and-configuration-guide