Allied Telesis Layer 3 Switches Switch User Manual
Create A Secure Network With Allied Telesis Managed Layer 3 Switches 15
Identifying the user
Rejecting Gratuitous ARP (GARP)
Hosts can use GARP to announce their presence on a subnet. It is a helpful mechanism, particularly when there is a chance of duplicate addresses. However, attackers can use GARP to penetrate the network by adding themselves to the switch’s ARP table.
You can configure Allied Telesis switches and routers to ignore GARP packets. Ignoring GARPs does not completely prevent IP spoofing, but it does shut down one easy avenue for an attacker.
Example
To ignore GARPs on VLAN 1:
set ip interface=vlan1 gratuitousarp=off
Note: We do not recommend disabling GARP reception if a server with teamed network cards is attached to the switch. In a teamed-NIC redundancy set-up, another card takes over if a card fails. In many implementations, the NIC that takes over sends a GARP to inform the switch of the port and MAC address change.
DHCP snooping
The AlliedWare DHCP snooping feature is a series of layer 2 techniques. It works with information from a DHCP server to:
• track the physical location of hosts
• ensure that hosts only use the IP addresses assigned to them
• ensure that only authorised DHCP servers are accessible.
In short, DHCP snooping ensures IP integrity on an L2-switched domain.
With DHCP snooping, only a whitelist of IP addresses may access the network. You configure this whitelist at the switch port level, and the DHCP server manages the access control. Only specific IP addresses with specific MAC addresses on specific ports may access the IP network.
DHCP snooping also stops attackers from adding their own DHCP servers to the network. An attacker could set up a server to wreak havoc in the network or even control it.
There are a number of options for DHCP snooping. You can:
• let the switch snoop DHCP packets and decide who is authorised to access the IP network. See “Setting up DHCP snooping” on page 16.
• statically bind IP address and MAC combinations to switch ports. See “Using static binding for rigid control” on page 16.
• use option 82 to track users. See “Using DHCP snooping to track clients” on page 17.
• use ARP security to reject ARP messages unless they come from an IP address in the DHCP snooping database. See “Using ARP security” on page 17.
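The following is an added illustration, not code from this manual or from AlliedWare: a small Python model of the two mechanisms described above (GARP rejection, and a DHCP snooping binding table with ARP security), showing which constructed packets a switch with these features would forward or drop. Port numbers, MAC addresses and IP addresses are made up.

```python
from dataclasses import dataclass, field


@dataclass
class SnoopingSwitch:
    """Switch state: server-facing (trusted) ports, the GARP policy, the
    binding table, and client MACs that have sent DISCOVER/REQUEST."""
    trusted_ports: set
    reject_garp: bool = True                      # like gratuitousarp=off
    bindings: set = field(default_factory=set)    # {(ip, mac, port)}
    pending: dict = field(default_factory=dict)   # client mac -> port

    def handle_dhcp(self, pkt):
        """Client messages may arrive on any port and are remembered.
        Server messages are dropped unless they arrive on a trusted port;
        an accepted ACK creates an (ip, mac, port) binding for the client."""
        if pkt["msg"] in ("DISCOVER", "REQUEST"):
            self.pending[pkt["chaddr"]] = pkt["port"]
            return "forward"
        if pkt["port"] not in self.trusted_ports:
            return "drop: DHCP server message on untrusted port"
        if pkt["msg"] == "ACK" and pkt["chaddr"] in self.pending:
            port = self.pending.pop(pkt["chaddr"])
            self.bindings.add((pkt["yiaddr"], pkt["chaddr"], port))
        return "forward"

    def handle_arp(self, pkt):
        """ARP security: drop GARP (sender IP == target IP) when configured,
        then drop any ARP whose sender IP/MAC/port is not a known binding."""
        if self.reject_garp and pkt["spa"] == pkt["tpa"]:
            return "drop: gratuitous ARP"
        if (pkt["spa"], pkt["sha"], pkt["port"]) not in self.bindings:
            return "drop: sender not in DHCP snooping database"
        return "forward"


def run_demo():
    """Constructed traffic: a real server on port 24, a client on port 1,
    a rogue DHCP server on port 2, then ARP from the client and a spoofer."""
    sw = SnoopingSwitch(trusted_ports={24})
    mac = "00:11:22:33:44:55"                     # constructed client MAC
    return [
        sw.handle_dhcp({"msg": "DISCOVER", "chaddr": mac, "port": 1}),
        sw.handle_dhcp({"msg": "OFFER", "chaddr": mac, "yiaddr": "10.0.0.9", "port": 2}),
        sw.handle_dhcp({"msg": "ACK", "chaddr": mac, "yiaddr": "10.0.0.50", "port": 24}),
        sw.handle_arp({"spa": "10.0.0.50", "tpa": "10.0.0.1", "sha": mac, "port": 1}),
        sw.handle_arp({"spa": "10.0.0.50", "tpa": "10.0.0.50", "sha": mac, "port": 1}),
        sw.handle_arp({"spa": "10.0.0.50", "tpa": "10.0.0.1", "sha": "de:ad:be:ef:00:01", "port": 2}),
    ]
```

The last three verdicts show the teamed-NIC caveat from the note above in miniature: with reject_garp set, even the legitimately bound client's GARP is dropped, so the switch would not learn a failover announcement.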
Products: All switches listed on page 2
Software Versions: 2.5.1 and later
Products: AT-8600 Series, AT-8700XL Series, Rapier i Series, Rapier Series, AT-8800 Series, AT-8948, x900-48 Series, AT-9900 Series
Software Versions: 2.7.6 and later