Allied Telesis x900 Advanced Gigabit Layer 3+ Expandable Switches Computer Hardware User Manual


 
Allied Telesis www.alliedtelesis.com
NETWORK RESILIENCY SOLUTIONS: VCStack + Link aggregation
8600 Configuration
set system distinguished="cn=switch1, o=alliedtelesis, c=nz"
enable system security
set switch port=1-24 bclimit=3000 mclimit=3000 dlflimit=3000
create vlan="edge" vid=171
add vlan="171" port=1-26
enable stp="default"
set stp="default" mode=rapid
disable stp="default" port=1-24
create switch trunk=aggregation port=25-26 speed=1000m
enable portauth=8021x
enable portauth=8021x port=1-24 type=authenticator
enable dhcpsnooping
enable dhcpsnooping arpsecurity
enable dhcpsnooping log=arpsecurity
set dhcpsnooping port=25 trusted=yes
set dhcpsnooping port=26 trusted=yes
enable ip
add ip int=vlan171 ip=192.168.171.34
add ip route=0.0.0.0 interface=vlan171 nexthop=192.168.171.1
add radius server=192.168.10.34 secret="testing123-2" port=1812 accport=1813
add switch l3filter match=dipaddress dclass=host
add switch l3filter=1 entry dipaddress=192.168.171.34 action=deny
add switch l3filter match=none import=true
add switch l3filter=2 entry iport=26 action=nodrop
add switch l3filter=2 entry iport=25 action=nodrop
disable telnet server
Notes on the configuration

Storm control (set switch port=1-24 bclimit=3000 mclimit=3000 dlflimit=3000) caps broadcast, multicast and destination-lookup-failure (unknown unicast) flooding on the edge ports, so a loop downstream of the switch cannot flood the inner layers of the network.

To enable secure HTTP (HTTPS) management using certificates, a distinguished name is required (set system distinguished=...) and system security must be enabled (enable system security).

The two gigabit ports, 25 and 26, are aggregated (create switch trunk=aggregation port=25-26) to create a resilient link to the network core.

Spanning tree is disabled on the edge-facing ports 1-24 because, on this platform, it cannot co-exist with 802.1x authentication on the same port. It stays enabled in rapid mode on the core-facing ports 25 and 26.

DHCP snooping guards against rogue DHCP server attacks, DHCP address-pool exhaustion attacks, ARP poisoning attacks and IP spoofing attacks. Only the core-facing ports 25 and 26 are marked trusted, so DHCP server replies are accepted from the core but not from client ports. ARP security validates ARP packets against the snooping database, and any ARP poisoning attempt is logged (enable dhcpsnooping log=arpsecurity).

The RADIUS server (192.168.10.34, authentication port 1812, accounting port 1813) is used for authenticating management sessions and also for authenticating 802.1x clients. The shared secret shown is a sample value and must be replaced in a real deployment.

802.1x authentication is enabled on all client-facing ports (1-24) in the authenticator role. Clients cannot access the network without being authenticated.

A management IP address, 192.168.171.34, is attached to VLAN 171, and a default route via the gateway 192.168.171.1 is provided.

All 26 ports are placed in VLAN 171 (named "edge").

Management access is ONLY possible via the core-connected aggregated link: layer 3 filter 1 denies every packet addressed to the management IP 192.168.171.34, and filter 2 exempts (action=nodrop) packets entering on ports 25 and 26, so hosts on the edge ports cannot reach the switch's management address at all. The Telnet server is disabled (disable telnet server); access via the insecure methods Telnet and HTTP is blocked.
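The notes above describe the policy the configuration is meant to enforce (802.1x and storm control on every edge port, STP off on those ports, only the core-facing ports trusted for DHCP snooping and exempted from the management-address filter, Telnet off). The following script is an added example, not part of the Allied Telesis manual or of any Allied Telesis tool: it parses a constructed copy of the configuration above and audits it against that policy, and it models the intended reachability of the management address. The edge port set (1-24) and uplink set (25-26) are taken from the configuration; the reachability model is an assumption about the intended effect of the two layer 3 filters, not an emulation of the switch's filter engine.

```python
import re

# Constructed copy of the page's 8600 configuration; the commands the manual
# wrapped across two lines (radius, l3filter entry) are joined back together.
CONFIG = """
set system distinguished="cn=switch1, o=alliedtelesis, c=nz"
enable system security
set switch port=1-24 bclimit=3000 mclimit=3000 dlflimit=3000
create vlan="edge" vid=171
add vlan="171" port=1-26
enable stp="default"
set stp="default" mode=rapid
disable stp="default" port=1-24
create switch trunk=aggregation port=25-26 speed=1000m
enable portauth=8021x
enable portauth=8021x port=1-24 type=authenticator
enable dhcpsnooping
enable dhcpsnooping arpsecurity
enable dhcpsnooping log=arpsecurity
set dhcpsnooping port=25 trusted=yes
set dhcpsnooping port=26 trusted=yes
enable ip
add ip int=vlan171 ip=192.168.171.34
add ip route=0.0.0.0 interface=vlan171 nexthop=192.168.171.1
add radius server=192.168.10.34 secret="testing123-2" port=1812 accport=1813
add switch l3filter match=dipaddress dclass=host
add switch l3filter=1 entry dipaddress=192.168.171.34 action=deny
add switch l3filter match=none import=true
add switch l3filter=2 entry iport=26 action=nodrop
add switch l3filter=2 entry iport=25 action=nodrop
disable telnet server
"""

EDGE_PORTS = set(range(1, 25))   # client-facing ports, from the config
UPLINK_PORTS = {25, 26}          # aggregated core-facing ports, from the config


def expand_ports(spec):
    """Expand a port list such as "1-24", "25" or "1,3-5" into a set of ints."""
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports


def parse_config(text):
    """Pull the security-relevant facts out of the configuration lines."""
    facts = {"storm_ports": set(), "stp_disabled": set(), "auth_ports": set(),
             "trusted_ports": set(), "trunk_ports": set(), "nodrop_ports": set(),
             "mgmt_ips": set(), "denied_ips": set(),
             "dhcpsnooping": False, "arpsecurity": False, "telnet_disabled": False}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        words = line.split()
        head = " ".join(words[:2])
        # key=value pairs; quoted values may contain spaces and '=' characters
        params = {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}
        if head == "set switch" and {"bclimit", "mclimit", "dlflimit"}.issubset(params):
            facts["storm_ports"] |= expand_ports(params["port"])
        elif words[0] == "disable" and words[1].startswith("stp=") and "port" in params:
            facts["stp_disabled"] |= expand_ports(params["port"])
        elif words[0] == "enable" and "portauth" in params and params.get("type") == "authenticator":
            facts["auth_ports"] |= expand_ports(params["port"])
        elif head == "set dhcpsnooping" and params.get("trusted") == "yes":
            facts["trusted_ports"] |= expand_ports(params["port"])
        elif head == "create switch" and "trunk" in params:
            facts["trunk_ports"] |= expand_ports(params["port"])
        elif head == "add switch" and "l3filter" in params and "entry" in words:
            if params.get("action") == "nodrop" and "iport" in params:
                facts["nodrop_ports"] |= expand_ports(params["iport"])
            if params.get("action") == "deny" and "dipaddress" in params:
                facts["denied_ips"].add(params["dipaddress"])
        elif head == "add ip" and "int" in params and "ip" in params:
            facts["mgmt_ips"].add(params["ip"])
        elif line == "enable dhcpsnooping":
            facts["dhcpsnooping"] = True
        elif line == "enable dhcpsnooping arpsecurity":
            facts["arpsecurity"] = True
        elif line == "disable telnet server":
            facts["telnet_disabled"] = True
    return facts


def audit(facts, edge_ports, uplink_ports):
    """Return findings where the config departs from the policy the manual describes."""
    findings = []

    def require(key, ports, what):
        gap = sorted(ports - facts[key])
        if gap:
            findings.append(f"{what} missing on ports {gap}")

    require("auth_ports", edge_ports, "802.1X authenticator")
    require("stp_disabled", edge_ports, "STP disable (needed alongside 802.1X here)")
    require("storm_ports", edge_ports, "storm control limits")
    require("trunk_ports", uplink_ports, "link aggregation")
    require("trusted_ports", uplink_ports, "DHCP snooping trust")
    require("nodrop_ports", uplink_ports, "l3filter nodrop exemption")
    if not (facts["dhcpsnooping"] and facts["arpsecurity"]):
        findings.append("DHCP snooping or ARP security not enabled")
    if facts["trusted_ports"] & edge_ports:
        findings.append(f"edge ports trusted for DHCP snooping: {sorted(facts['trusted_ports'] & edge_ports)}")
    if facts["nodrop_ports"] & edge_ports:
        findings.append(f"edge ports exempted from management filter: {sorted(facts['nodrop_ports'] & edge_ports)}")
    if facts["mgmt_ips"] - facts["denied_ips"]:
        findings.append(f"management address reachable from edge ports: {sorted(facts['mgmt_ips'] - facts['denied_ips'])}")
    if not facts["telnet_disabled"]:
        findings.append("telnet server still enabled")
    return findings


def mgmt_reachable(facts, ingress_port, dst_ip):
    """Model of the intended filter policy (an assumption, not the switch engine):
    packets to a denied address pass only if they entered on a nodrop port."""
    return not (dst_ip in facts["denied_ips"] and ingress_port not in facts["nodrop_ports"])


if __name__ == "__main__":
    facts = parse_config(CONFIG)
    print("findings:", audit(facts, EDGE_PORTS, UPLINK_PORTS) or "none")
    print("edge port 7 -> mgmt:", mgmt_reachable(facts, 7, "192.168.171.34"))
    print("uplink 25  -> mgmt:", mgmt_reachable(facts, 25, "192.168.171.34"))
```

Run the script as-is to confirm the page's configuration produces no findings, then edit CONFIG (for example, trust an edge port for DHCP snooping or drop the disable telnet server line) to see the corresponding finding appear. The parser only recognises the command forms used in this configuration; extend the branches in parse_config before pointing it at a larger AlliedWare config.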