GVRP and network security – Allied Telesis AT-S62 User Manual
Page 585

AT-S62 Management Software Menus Interface User’s Guide
Section V: VLANs
switches can result in GVRP incompatibility problems.
- You can convert dynamic GVRP VLANs and dynamic GVRP port
  assignments to static VLANs and static port assignments. The
  procedure for this is found in “Modifying a VLAN” on page 565.
- The default GVRP setting for the ports on the switch is active, meaning
  that the ports participate in GVRP. Allied Telesyn recommends
  disabling GVRP on those ports that are connected to GVRP-inactive
  devices, which are nodes that do not feature GVRP.
- PDUs are transmitted only from those switch ports where GVRP is
  enabled.

GVRP and Network Security

GVRP should be used with caution because it can expose your network to
unauthorized access. A network intruder could access restricted parts of
the network by connecting to a switch port running GVRP and transmitting
a bogus GVRP PDU containing VIDs of restricted VLANs. GVRP would
make the switch port a member of the VLANs and that could give the
intruder access to restricted areas of your network.
To protect against this type of network intrusion, you should consider the
following:
- Activating GVRP only on those switch ports that are connected to
  other devices that support GVRP. Do not activate GVRP on ports
  connected to GVRP-inactive devices, or on ports that are not being
  used.
- Converting all dynamic GVRP VLANs and dynamic GVRP ports to
  static assignments, and then turning off GVRP on all switches. This
  preserves the new VLAN assignments while protecting against
  network intrusion. The procedure for converting dynamic VLANs to
  static VLANs is found in “Converting a Dynamic GVRP VLAN” on
  page 596.
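
A way to monitor for the bogus PDUs described above, as an added example that is not part of the Allied Telesis manual or the AT-S62 software: this Python code parses GVRP PDUs from frames captured on a mirror port and reports Join requests that arrive on ports with no GVRP neighbour, or that name restricted VLANs. The port names, the VID sets and the sample frame are constructed assumptions, and frames are assumed to be untagged 802.3/LLC.

```python
import struct

GVRP_DST = bytes.fromhex("0180c2000021")    # GVRP group MAC address
JOIN_EVENTS = {1: "JoinEmpty", 2: "JoinIn"}  # GARP events that request membership
VID_ATTRIBUTE = 1                            # GVRP attribute type carrying a VLAN ID

def gvrp_joins(frame):
    """Return [(event, vid)] for each Join in an untagged 802.3/LLC GVRP frame."""
    # 14-byte MAC header, then LLC 42-42-03, then GARP protocol ID 0x0001
    if frame[:6] != GVRP_DST or frame[14:19] != b"\x42\x42\x03\x00\x01":
        return []
    joins, i = [], 19
    while i < len(frame) and frame[i] != 0:          # 0x00 ends the PDU
        attr_type, i = frame[i], i + 1
        while i < len(frame) and frame[i] != 0:      # 0x00 ends the attribute list
            length = frame[i]                        # counts length, event and value
            if length < 2 or i + length > len(frame):
                return joins                         # malformed or truncated: stop
            event, value = frame[i + 1], frame[i + 2:i + length]
            if attr_type == VID_ATTRIBUTE and event in JOIN_EVENTS and len(value) == 2:
                joins.append((JOIN_EVENTS[event], struct.unpack("!H", value)[0]))
            i += length
        i += 1                                       # step over the list end mark
    return joins

def audit(port, frame, gvrp_ports, restricted_vids):
    """Flag Joins on ports with no GVRP neighbour, or Joins for restricted VLANs."""
    alerts = []
    for event, vid in gvrp_joins(frame):
        if port not in gvrp_ports:
            alerts.append((port, vid, "GVRP PDU on port without GVRP neighbour"))
        elif vid in restricted_vids:
            alerts.append((port, vid, "Join for restricted VLAN"))
    return alerts

# Constructed sample frame: JoinIn for VID 100, JoinEmpty for VID 300.
SAMPLE = bytes.fromhex("0180c2000021" "020000000001" "0010" "424203" "0001"
                       "01" "04020064" "0401012c" "00" "00")
GVRP_PORTS = {"port25"}   # assumed: uplink to another GVRP-capable switch
RESTRICTED = {300}        # assumed: VLAN that must not be joined dynamically

if __name__ == "__main__":
    for port in ("port7", "port25"):
        for alert in audit(port, SAMPLE, GVRP_PORTS, RESTRICTED):
            print(alert)
```

An alert on a port outside `GVRP_PORTS` indicates that GVRP is still active on a port where the first recommendation above says it should be disabled.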