Specifications
Alcatel-Lucent Page 20
OmniSwitch 6850 Series
Embedded Security
Alcatel's AOS OmniSwitch product family gives organizations straightforward and robust ways to control access to individual infrastructure components
and to the individual resources on the network, both internally and externally. Information security for Internet, intranet and extranet applications
is therefore supported through an advanced security feature set. The OmniSwitch 6850 supports a distributed security approach and emerging security
technologies, and helps secure the LAN edge using both proactive and reactive strategies.
The following is only a highlight of the advanced security features supported by the OmniSwitch 6850 Series:
Support for Microsoft Network Access Protection (NAP)
IEEE 802.1X industry-standard port-based authentication, which challenges users for credentials before allowing network access
o 802.1X multi-client, multi-VLAN support for per-client authentication and VLAN assignment
o IEEE 802.1X with group mobility
o IEEE 802.1X with MAC-based authentication, group mobility or "guest" VLAN support
o MAC-based authentication for non-802.1X hosts
o Alcatel Access Guardian support
Port Mapping (Private VLANs)
Authenticated VLAN, which challenges users with a username and password and supports dynamic VLAN assignment based on the authenticated user
Support for host integrity check and remediation VLAN
Security through the implementation of OmniVista Quarantine Manager (OV2770-QM) with OneTouch Security automation
PKI authentication for SSH access
Learned Port Security (LPS), or MAC address lockdown, which allows only known devices onto the network and so prevents unauthorized devices from connecting
RADIUS and LDAP administrator authentication, preventing unauthorized switch management
Secure Shell (SSH), Secure Sockets Layer (SSL) and SNMPv3 for encrypted remote management communication
Access Control Lists (ACLs) to filter out unwanted traffic, including denial-of-service attacks; ACLs are applied per port and match on MAC SA/DA,
IP SA/DA and TCP/UDP port, with flow-based filtering performed in hardware (Layer 1 to Layer 4)
Support for Access Control List Manager (ACLMAN)
Switch protocol security
o MD5 for RIPv2, OSPFv2 and SNMPv3
o SSH for secure CLI session with PKI support
o SSL for secure HTTP session
Security servers supported: LDAP, RADIUS and ACE Server
Learned Port Security (LPS)
Learned Port Security (LPS) provides a mechanism for authorizing source learning of MAC addresses on 10/100 and Gigabit Ethernet ports. The only types of Ethernet ports that LPS does not support are link aggregate and tagged (trunked) link aggregate ports. Using LPS to control source MAC address learning provides the following benefits:
• A configurable source learning time limit that applies to all LPS ports.
• A configurable limit on the number of MAC addresses allowed on an LPS port.
• Dynamic configuration of a list of authorized source MAC addresses.
• Static configuration of a list of authorized source MAC addresses.
• Two methods for handling unauthorized traffic: stopping all traffic on the port, or blocking only the traffic that violates the LPS criteria.
Configurable LPS parameters allow the user to restrict the source learning of host MAC addresses to:
• A specific amount of time in which the switch allows source learning to occur on all LPS ports.
• A maximum number of learned MAC addresses allowed on the port.
• A list of configured authorized source MAC addresses allowed on the port.
Additional LPS functionality allows the user to specify how the LPS port handles unauthorized traffic. The following two options are available for this purpose:
• Block only traffic that violates LPS port restrictions; authorized traffic is forwarded on the port.
• Disable the LPS port when unauthorized traffic is received; all traffic is stopped and a port reset is required to return the port to normal operation.
LPS functionality is supported on the following 10/100 and Gigabit Ethernet port types:
• Fixed (non-mobile)
• Mobile
• 802.1Q tagged
• Authenticated
LPS has the following limitations:
• You cannot configure 802.1X and LPS on the same ports.
• You cannot configure LPS on 10 Gigabit ports.
• You cannot configure LPS on link aggregate and 802.1Q tagged link aggregate ports.
Learned Port Security Specifications:
Ports eligible for LPS: 10/100 and Gigabit Ethernet ports (fixed, mobile, 802.1Q tagged, and authenticated ports)
Ports not eligible for LPS: Link aggregated ports and 802.1Q (trunked) link aggregated ports
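The LPS behaviour described above (a learning time window, a per-port MAC limit, a static authorized list, and the two violation modes, restrict and shutdown) can be reasoned about with a small model. The following is an added example written for this page; it is not Alcatel-Lucent AOS code and does not use the AOS CLI. The frames it processes are constructed, the MAC addresses are made up, and it assumes that statically configured addresses count toward the per-port maximum and that an administrative port reset flushes dynamically learned entries.

```python
"""Model of an LPS port's source-MAC learning decision (illustrative, not AOS code)."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class Violation(Enum):
    RESTRICT = "restrict"    # block only traffic that violates the LPS criteria
    SHUTDOWN = "shutdown"    # disable the port; an administrative reset is required


class Verdict(Enum):
    FORWARD = "forward"              # source MAC is already authorized
    LEARNED = "learned"              # source MAC dynamically authorized, frame forwarded
    DROPPED = "dropped"              # violating frame discarded (restrict mode)
    PORT_DISABLED = "port-disabled"  # port shut down (shutdown mode) or already down


def _norm(mac: str) -> str:
    """Canonical lower-case colon form so '00-20-DA-..' and '00:20:da:..' compare equal."""
    digits = mac.replace("-", "").replace(":", "").replace(".", "").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"bad MAC: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


@dataclass
class LpsPort:
    max_macs: int                          # limit on authorized MACs (static + learned; assumption)
    violation: Violation
    learn_window: Optional[float] = None   # seconds after enable_time in which learning is allowed
    static_macs: set = field(default_factory=set)
    enable_time: float = 0.0
    learned: set = field(default_factory=set, init=False)
    is_up: bool = field(default=True, init=False)

    def __post_init__(self) -> None:
        self.static_macs = {_norm(m) for m in self.static_macs}
        if len(self.static_macs) > self.max_macs:
            raise ValueError("static list exceeds the per-port maximum")

    def authorized_count(self) -> int:
        return len(self.static_macs) + len(self.learned)

    def ingress(self, src_mac: str, now: float) -> Verdict:
        """Decide what happens to a frame with source MAC src_mac arriving at time now."""
        if not self.is_up:
            return Verdict.PORT_DISABLED
        mac = _norm(src_mac)
        if mac in self.static_macs or mac in self.learned:
            return Verdict.FORWARD
        window_open = self.learn_window is None or (now - self.enable_time) <= self.learn_window
        if window_open and self.authorized_count() < self.max_macs:
            self.learned.add(mac)
            return Verdict.LEARNED
        # Unauthorized source: window closed or limit reached.
        if self.violation is Violation.SHUTDOWN:
            self.is_up = False
            return Verdict.PORT_DISABLED
        return Verdict.DROPPED

    def reset(self, now: float) -> None:
        """Administrative port reset: bring the port up, restart the learning window,
        and flush dynamically learned entries (assumption of this model)."""
        self.is_up = True
        self.learned.clear()
        self.enable_time = now


def demo() -> dict:
    """Run one constructed frame sequence through a restrict-mode and a shutdown-mode port."""
    static = {"00:20:da:00:00:01"}                  # constructed, one pre-authorized device
    frames = [("00-20-DA-00-00-01", 1.0),           # known static MAC
              ("00:20:da:00:00:02", 2.0),           # first unknown MAC, fits under the limit
              ("00:20:da:00:00:03", 3.0),           # second unknown MAC, exceeds max_macs=2
              ("00:20:da:00:00:01", 4.0)]           # known static MAC again
    restrict = LpsPort(max_macs=2, violation=Violation.RESTRICT, learn_window=60.0, static_macs=static)
    shutdown = LpsPort(max_macs=2, violation=Violation.SHUTDOWN, learn_window=60.0, static_macs=static)
    out = {
        "restrict": [restrict.ingress(m, t).value for m, t in frames],
        "shutdown": [shutdown.ingress(m, t).value for m, t in frames],
    }
    shutdown.reset(now=5.0)
    out["after_reset"] = shutdown.ingress("00:20:da:00:00:01", 6.0).value
    return out


if __name__ == "__main__":
    for mode, verdicts in demo().items():
        print(f"{mode}: {verdicts}")
```

The point the model makes visible is the operational difference between the two violation modes: in restrict mode the authorized device on the port keeps working while the offending frames are dropped, whereas in shutdown mode the first violation takes the port down for every device behind it until an administrator resets it, which is the safer default against a rogue device but also a denial-of-service lever if an attacker can reach the port.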