Install guide
4 Software Reference
Configuring an Ethernet Access Node
To implement MAC-Forced Forwarding, configure the EAN to:
■ isolate clients within a subnet from one another.
  See “Isolating clients using VLANs”.
■ gather the details of any clients, ARs and ASs on the network.
  See “Using the DHCP Snooping Database”.
■ proxy ARP on behalf of ARs and ASs.
  See “Enabling MAC-Forced Forwarding”.
■ prevent malicious spoofing or traffic from clients.
  See “Using DHCP filtering and ARP security”.
For an example of how to configure the switch to perform MAC-Forced
Forwarding, see How to Use MAC-Forced Forwarding with DHCP Snooping to
Create Enhanced Private VLANs. This How To Note is available from
www.alliedtelesis.co.uk/site/solutions/techdocs.asp?area=howto.
Isolating clients using VLANs
To isolate the clients attached to the EAN, you must configure private VLANs.
A private VLAN contains switch ports that are isolated from other ports in the
VLAN, but can access another network through an uplink port or uplink trunk
group. These ports are called private ports. Each private VLAN contains private
and uplink ports.
When you have configured a private VLAN, the EAN forwards traffic from a
client only to the upstream network, regardless of the original destination
details. This blocks all direct traffic between private ports.

To create private VLANs, follow these steps:
1. Create the private VLAN.
   Use the command:
       create vlan=vlan-name vid=2..4094 private
2. Add the uplink port to the private VLAN.
   Use the command:
       add vlan={vlan-name|2..4094} port=port-list [frame={untagged|tagged}] uplink
3. Add the private ports to the private VLAN.
   Use the command:
       add vlan={vlan-name|2..4094} port={port-list|all} [frame={untagged|tagged}] [group]
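The three steps above can be checked mechanically before a script is loaded onto the EAN. The following is an added example, not part of the original guide or any vendor tool: a small Python audit that reads a command script in the syntax shown above and reports VLANs that would leave clients unisolated. It assumes unabbreviated commands and that every VLAN in the script is client-facing; the VLAN names, VIDs and port numbers in the samples are constructed.

```python
def parse_ports(spec):
    """Expand a port list such as '1-3,24' (or 'all') into a set."""
    if spec == "all":
        return {"all"}
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def audit(config):
    """Return a list of findings for a private-VLAN command script."""
    vlans, names, findings = {}, {}, []
    for n, line in enumerate(config.splitlines(), 1):
        words = line.lower().split()  # assumption: commands are unabbreviated
        if len(words) < 3 or not words[1].startswith("vlan="):
            continue
        kv = dict(w.split("=", 1) for w in words if "=" in w)
        flags = {w for w in words if "=" not in w}
        if words[0] == "create":
            vid = int(kv["vid"])
            names[kv["vlan"]] = vid
            vlans[vid] = {"private": "private" in flags, "uplink": set(), "ports": set()}
        elif words[0] == "add":
            ref = kv["vlan"]
            vid = names.get(ref, int(ref) if ref.isdigit() else None)
            if vid not in vlans:
                findings.append(f"line {n}: VLAN {ref} was never created")
            elif "uplink" in flags:
                vlans[vid]["uplink"] |= parse_ports(kv["port"])
            else:
                if vlans[vid]["private"] and not vlans[vid]["uplink"]:
                    findings.append(f"line {n}: private ports added before an uplink (step 3 before step 2)")
                vlans[vid]["ports"] |= parse_ports(kv["port"])
    for vid, v in sorted(vlans.items()):
        if v["ports"] and not v["private"]:
            findings.append(f"VLAN {vid}: created without 'private', client ports are not isolated")
        if v["private"] and not v["uplink"]:
            findings.append(f"VLAN {vid}: private VLAN has no uplink port")
        if v["uplink"] & v["ports"]:
            findings.append(f"VLAN {vid}: a port is both uplink and private")
    return findings

# Constructed sample scripts (not from the page).
GOOD = "create vlan=clients vid=10 private\nadd vlan=10 port=24 uplink\nadd vlan=clients port=1-23 frame=untagged\n"
BAD = "create vlan=clients vid=10\nadd vlan=10 port=1-23\ncreate vlan=voice vid=20 private\nadd vlan=20 port=5-8\n"

if __name__ == "__main__":
    for finding in audit(BAD):
        print(finding)
```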
For further information about the behaviour of private VLANs and how to
configure them on the EAN, see the Switching chapter in your Software
Reference.