Allied Telesis, Inc Switch Specification Manual

Create A Secure Network With Allied Telesis Managed Layer 3 Switches 19
Protecting the user
Example
To create a private VLAN with ports 2-6 in it, with an uplink trunk group of ports 24 and 25:
create vlan=example vid=2 private
add vlan=2 port=24-25 frame=tagged uplink
add vlan=2 port=2-6
To remove ports from the VLAN:
# remove port 4:
delete vlan=2 port=4
# remove all private ports and the uplink ports:
delete vlan=2 port=all
Using local proxy ARP and MAC-forced forwarding
Both of these features preserve the integrity of ARP in your network and let you take granular
control of IP traffic flows. They do this by forcing traffic that a private VLAN would have
dropped to go via an access router instead. Both features stop hosts from learning the MAC
addresses of other hosts in their subnet—they learn the MAC address of the access router
instead.
You can use these features, for example, to allow customers to use VoIP to telephone each
other while blocking any video, data, or management traffic between customers.
MAC-forced forwarding (page 23) requires more configuration than local proxy ARP
(page 20) but is more powerful. MAC-forced forwarding:
• ensures that all ARP replies are generated by the directly-connected switch (not the access
router). This removes the ARP process from the access router, minimises the distance
ARPs travel through the network, and protects against ARP Denial of Service attacks.
• dynamically determines the appropriate access router for a host by snooping DHCP
packets.
• bypasses the access router for traffic between application servers and their clients.
With software versions 291-05 and later, you can use MAC-forced forwarding without
configuring private VLANs. However, we recommend you use it with private VLANs for
maximum security.
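The following model compares, in code, the three ARP behaviours this section describes on a private-VLAN access switch: private VLAN alone (a host's ARP request for a peer goes unanswered), local proxy ARP (the access router answers for the peer with its own MAC), and MAC-forced forwarding (the switch answers itself, learns each host's gateway from snooped DHCP ACKs, and hands out a configured application server's MAC directly). It is an added illustration, not Allied Telesis code and not the switch's configuration syntax (that is on pages 20 and 23 of the manual); the class and method names, the port layout (private ports 2-6, uplink ports 24-25, matching the example above), the addresses and the MACs are all invented, and the way the switch learns the gateway's own MAC is assumed to be a lookup over the uplink.

```python
"""Toy model of ARP handling on a private-VLAN access switch under three modes:
"pvlan" (private VLAN only), "proxy-arp" (local proxy ARP on the access router)
and "macff" (MAC-forced forwarding).  Added illustration only; every name,
address and MAC below is constructed for the example."""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional, Tuple

# Constructed sample topology (mirrors the private VLAN example on this page).
PRIVATE_PORTS = {2, 3, 4, 5, 6}
UPLINK_PORTS = {24, 25}
SUBNET = "10.0.0.0/24"
GW_IP, GW_MAC = "10.0.0.1", "00:00:5e:00:01:01"          # access router
SERVER_IP, SERVER_MAC = "10.0.0.50", "02:00:00:00:00:50"  # application server


@dataclass
class Host:
    mac: str
    ip: str
    gateway_ip: str  # DHCP option 3 (router) taken from the snooped ACK


@dataclass
class AccessSwitch:
    mode: str
    private_ports: set
    uplink_ports: set
    subnet: str = SUBNET
    router_macs: dict = field(default_factory=dict)  # gateway ip -> MAC
    hosts: dict = field(default_factory=dict)        # private port -> Host
    app_servers: dict = field(default_factory=dict)  # server ip -> MAC (macff only)
    arp_seen_by_router: int = 0  # ARP requests that reached the access router

    def learn_router(self, ip: str, mac: str) -> None:
        # Assumed: the switch resolves the gateway MAC itself over an uplink port.
        self.router_macs[ip] = mac

    def snoop_dhcp_ack(self, port: int, client_mac: str, client_ip: str, router_ip: str) -> None:
        """Record the host and its gateway when a DHCP ACK leaves towards a private port."""
        if port in self.private_ports:
            self.hosts[port] = Host(client_mac, client_ip, router_ip)

    def arp_request(self, port: int, target_ip: str) -> Optional[Tuple[str, str]]:
        """Return (who answered, MAC the requesting host learns), or None if unanswered."""
        host = self.hosts.get(port)
        if port not in self.private_ports or host is None:
            return None  # only downstream (private) ports are modelled
        gw_mac = self.router_macs.get(host.gateway_ip)
        if self.mode == "macff":
            # The switch generates every reply; the access router never sees the request.
            if gw_mac is None:
                return None
            if target_ip in self.app_servers:
                return ("switch", self.app_servers[target_ip])  # router bypass
            return ("switch", gw_mac)  # peers and the gateway both resolve to the router
        # Private VLAN isolation: the request is flooded to uplink ports only.
        self.arp_seen_by_router += 1
        if target_ip == host.gateway_ip:
            return ("router", gw_mac)
        in_subnet = ipaddress.ip_address(target_ip) in ipaddress.ip_network(self.subnet)
        if self.mode == "proxy-arp" and in_subnet:
            return ("router", gw_mac)  # local proxy ARP: router answers on the peer's behalf
        return None  # plain private VLAN: the peer never hears the request


def build(mode: str) -> AccessSwitch:
    """Construct the sample switch with two hosts on private ports 2 and 3."""
    sw = AccessSwitch(mode, PRIVATE_PORTS, UPLINK_PORTS)
    sw.learn_router(GW_IP, GW_MAC)
    sw.snoop_dhcp_ack(2, "02:00:00:00:00:02", "10.0.0.12", GW_IP)
    sw.snoop_dhcp_ack(3, "02:00:00:00:00:03", "10.0.0.13", GW_IP)
    sw.app_servers[SERVER_IP] = SERVER_MAC
    return sw


def compare_modes() -> dict:
    """For each mode: what host 10.0.0.12 learns for peer 10.0.0.13, and router ARP load."""
    result = {}
    for mode in ("pvlan", "proxy-arp", "macff"):
        sw = build(mode)
        result[mode] = (sw.arp_request(2, "10.0.0.13"), sw.arp_seen_by_router)
    return result


if __name__ == "__main__":
    for mode, (answer, load) in compare_modes().items():
        print(f"{mode:10s} peer ARP -> {answer}, requests reaching router: {load}")
    print("macff, application server ->", build("macff").arp_request(2, SERVER_IP))
```

The `arp_seen_by_router` counter is the point of the first bullet above: under `pvlan` and `proxy-arp` every request from a private port still travels to the access router, while under `macff` the count stays at zero because the directly-connected switch answers. The application-server case shows the third bullet: a client on a private port learns the server's real MAC rather than the router's.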