Datasheet
BlackDiamond 10808—Page 2
Extreme Networks Data Sheet
Security
Threat Detection and Response
CLEAR-Flow Security Rules Engine
The CLEAR-Flow Security Rules Engine provides first-order threat detection and mitigation and mirrors traffic to security resources for further analysis of suspicious traffic in the network. Security resources are virtually available across the entire multi-gigabit network, thus enabling cost-effective scalability of the security solution.
The Sentriant® security appliance can add or modify the BlackDiamond 10808 switch’s CLEAR-Flow rules and Access Control Lists (ACLs) to inspect additional traffic or change inspection thresholds, thereby allowing an automated system to fine-tune inspection rules in real time.
Port Mirroring
To support intrusion detection and prevention, BlackDiamond 10808 supports many-to-one and cross-module port mirroring. This can be used to mirror traffic to an external network appliance, such as an intrusion detection device, for trend analysis, or be used by a network administrator as a diagnostic tool when fending off a network attack.
Line-Rate Access Control Lists
ACLs are one of the most powerful tools to control network resource utilization and to secure and protect the network. BlackDiamond 10808 supports up to 128K ACLs based on Layer 2, 3 or 4 header information such as the MAC address or IP source/destination address.
Virtual Router
With Layer 3 Virtual Switching, BlackDiamond brings the concept of virtualization to multi-layer switching. Layer 3 Virtual Switching allows partitioning of a single switch into many virtual routers. A virtual router has the same capabilities and properties as a physical router does. It inherits all the same routing mechanisms for configuration, operation and troubleshooting. As a result, each virtual switch domain can be separately managed and isolated for security safety measures (refer to Figure 1: Layer 3 Virtual Switching).
Network traffic can also be secluded into separate virtual domains to minimize security threats. The design of virtual switch domains enables logical separation of route tables. Multiple route tables enable route isolation, which allows the operator to make use of overlapping IP address spaces. Overlapping IP address spaces allow multiple communities of interest to share a single physical networking infrastructure.
Hardened Network Infrastructure
Denial of Service Protection
BlackDiamond 10808 handles Denial of Service (DoS) attacks gracefully. If the switch detects an unusually large number of packets in the CPU input queue, it will assemble ACLs that automatically stop these packets from reaching the CPU. After a period of time, the ACLs are removed. If the attack continues, they are reinstalled.
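To make the install, age-out and reinstall cycle described above concrete, the following is an added Python model written for this page; it is not Extreme's code. It assumes arrivals at the CPU queue are counted per source address (the datasheet only says ACLs are built to match the offending packets), and the traffic it processes is constructed.

```python
from collections import deque
from dataclasses import dataclass, field

@dataclass
class CpuProtector:
    """Constructed model of the datasheet's CPU-queue protection, not Extreme's firmware.
    Arrivals are counted per source address (an assumption; the datasheet only says ACLs
    are built to match the offending packets). More than `threshold` arrivals within
    `window` seconds installs a deny ACL for that source; the ACL is removed after
    `acl_lifetime` seconds and reinstalled if the flood is still running."""
    threshold: int
    window: float
    acl_lifetime: float
    arrivals: dict = field(default_factory=dict)  # src -> deque of arrival times
    acls: dict = field(default_factory=dict)      # src -> ACL expiry time
    installs: int = 0

    def handle(self, now, src):
        """Process one packet destined for the CPU; return 'dropped' or 'cpu'."""
        for s in [s for s, exp in self.acls.items() if now >= exp]:
            del self.acls[s]                      # age out the auto-installed ACL
        if src in self.acls:
            return 'dropped'                      # stopped in hardware, never queued
        q = self.arrivals.setdefault(src, deque())
        q.append(now)
        while now - q[0] > self.window:           # slide the counting window
            q.popleft()
        if len(q) > self.threshold:               # "unusually large" -> assemble ACL
            self.acls[src] = now + self.acl_lifetime
            self.installs += 1
            q.clear()
        return 'cpu'                              # this packet had already been queued

def simulate(protector, packets):
    """Feed (time, src) arrivals in time order; tally where each packet ended up."""
    counts = {'cpu': 0, 'dropped': 0}
    for t, src in sorted(packets):
        counts[protector.handle(t, src)] += 1
    counts['acl_installs'] = protector.installs
    return counts

def constructed_traffic():
    """Constructed sample: two 100-packet floods from one host with a pause between,
    plus a legitimate host at 1 packet/s that must never be blocked."""
    flood1 = [(i / 1000, '10.0.0.9') for i in range(100)]        # 0.000 .. 0.099 s
    probe = [(5.6, '10.0.0.9')]                                   # after the ACL aged out
    flood2 = [(7.0 + i / 1000, '10.0.0.9') for i in range(100)]  # the attack resumes
    legit = [(0.5 + k, '10.0.0.2') for k in range(10)]
    return flood1 + probe + flood2 + legit
```

With threshold=50, window=1.0 and acl_lifetime=5.0, each flood gets 51 packets into the CPU queue before the ACL is assembled, the single probe after the age-out reaches the CPU, and the second flood triggers a reinstall, while the legitimate host is never affected. The cost of the aging approach is visible in those 51 packets per cycle; the benefit is that a source which stops flooding is not blocked forever.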
ASIC-based Longest Prefix Match
Longest Prefix Match (LPM) routing eliminates the need for control plane software to learn new flows and allows the network to be resilient under a DoS attack. With LPM the CPU is not burdened with forwarding the “first packet” to any unrecognized destination, freeing the CPU for critical tasks.
Secure Management
Protocols such as SSH2, SCP and SNMPv3, supported by a BlackDiamond 10808 series switch, prevent the interception of management communications and man-in-the-middle attacks.
MD5 Authentication of Routing Protocols
MD5 authentication of routing protocols prevents attackers from tampering with valid messages and attacking routing sessions.
BlackDiamond 10808 delivers a new level of security to Ethernet core networking. BlackDiamond 10808 complements the perimeter firewalls by protecting the “soft interior” of the network that currently goes unprotected. Utilizing the industry’s most advanced CLEAR-Flow Security Rules Engine, BlackDiamond 10808 can be programmed to automatically detect and mitigate security threats in seconds.
© 2010 Extreme Networks, Inc. All rights reserved.
[Figure 1: Layer 3 Virtual Switching. Diagram of Layer 3 Virtual Switch #1 and Layer 3 Virtual Switch #2, each carrying Subnet 1 and Subnet 2, with VLAN 1 and VLAN 2 beneath.]