Gvrp and network security – Allied Telesis AT-S62 User Manual

Chapter 26: GARP VLAN Registration Protocol

Section V: Virtual LANs

❑ Resetting a switch erases all dynamic GVRP VLANs and dynamic
GVRP port assignments. The switch relearns the dynamic
assignments as it receives PDUs from the other switches.

❑ GVRP has three timers that you can set: join timer, leave timer, and
leave all timer. The values for these timers must be set the same
on all switches running GVRP. Timers with different values on
different switches can result in GVRP incompatibility problems.

❑ You can convert dynamic GVRP VLANs and dynamic GVRP port
assignments to static VLANs and static port assignments. The
procedure for this is found in Modifying a VLAN on page 534.

❑ The default port setting on the switch for GVRP is active, meaning
that the ports participate in GVRP. Allied Telesyn recommends
disabling GVRP on those ports that are connected to GVRP-inactive
devices, which are nodes that do not feature GVRP.

❑ PDUs are transmitted only from those switch ports where GVRP is
enabled.

GVRP and Network Security

GVRP should be used with caution because it can expose your network
to unauthorized access. A network intruder could access restricted parts
of the network by connecting to a switch port running GVRP and
transmitting a bogus GVRP PDU containing VIDs of restricted VLANs.
GVRP would make the switch port a member of the VLANs and that
could give the intruder access to restricted areas of your network.

To protect against this type of network intrusion, you should consider
the following:

❑ Activating GVRP only on those switch ports that are connected to
other devices that support GVRP. Do not activate GVRP on ports
connected to GVRP-inactive devices, or on ports that are not
being used.

❑ Converting all dynamic GVRP VLANs and dynamic GVRP ports to
static assignments, and then turning off GVRP on all switches. This
preserves the new VLAN assignments while protecting against
network intrusion. The procedure for converting dynamic VLANs
to static VLANs is found in Converting a Dynamic GVRP VLAN on
page 563.
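
The two recommendations above can be checked against a port inventory before GVRP is turned off. The following is an added example, not part of the AT-S62 manual or software: the Port fields, finding names and sample inventory are assumptions constructed for illustration, and the split between "convert" and "review" is a choice made here so that a membership learned on a port with no GVRP-capable neighbor is examined before it is made static.

```python
from dataclasses import dataclass, field

@dataclass
class Port:
    number: int
    gvrp_enabled: bool
    in_use: bool          # a device is connected to the port
    neighbor_gvrp: bool   # the connected device supports GVRP
    dynamic_vids: set = field(default_factory=set)  # VIDs learned through GVRP

def audit(ports, restricted_vids):
    """Return (port, finding) pairs for ports that violate the guidance."""
    findings = []
    for p in ports:
        if p.gvrp_enabled and not p.in_use:
            findings.append((p.number, "GVRP_ON_UNUSED_PORT"))
        elif p.gvrp_enabled and not p.neighbor_gvrp:
            findings.append((p.number, "GVRP_ON_GVRP_INACTIVE_PORT"))
        # A restricted VID learned from a device that should not speak GVRP
        # is what a bogus PDU would leave behind.
        exposed = sorted(p.dynamic_vids & restricted_vids)
        if exposed and not p.neighbor_gvrp:
            vids = ",".join(str(v) for v in exposed)
            findings.append((p.number, "RESTRICTED_VLAN_LEARNED:" + vids))
    return findings

def conversion_plan(ports):
    """Split dynamic assignments into those to convert to static and those
    to review first, so a suspect membership is not made permanent."""
    convert, review = [], []
    for p in ports:
        target = convert if p.neighbor_gvrp else review
        target.extend((p.number, vid) for vid in sorted(p.dynamic_vids))
    return convert, review

# Constructed sample inventory (not from a real switch).
SAMPLE_PORTS = [
    Port(1, True, True, True, {10, 20}),   # uplink to a GVRP switch
    Port(2, True, True, False),            # workstation, GVRP left at default
    Port(3, True, False, False),           # unused port
    Port(4, True, True, False, {99}),      # workstation port that joined VLAN 99
    Port(5, False, True, False),           # workstation, GVRP disabled
]
RESTRICTED_VIDS = {99}

if __name__ == "__main__":
    for port, finding in audit(SAMPLE_PORTS, RESTRICTED_VIDS):
        print(f"port {port}: {finding}")
    print(conversion_plan(SAMPLE_PORTS))
```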