Design Reference
High Secure mode
To ensure that VSP 4000 does not route packets with an illegal source address of 255.255.255.255
(RFC1812 Section 4.2.2.11 and RFC971 Section 3.2), you can enable High Secure mode.
By default, this feature is disabled. After you enable this flag, the feature applies to all ports.
For more information about High Secure mode, see Security for Avaya Virtual Services Platform
4000 Series, NN46251-601.
Data plane security
Data plane security mechanisms include VLANs, filters, routing policies, and routing protocol
protection.
VLANs and traffic isolation
You can use Avaya Virtual Services Platform 4000 Series to build secure VLANs. If you configure
port-based VLANs, each VLAN is completely separate from the others. VSP 4000 supports the
IEEE 802.1Q specification for tagging frames and coordinating VLANs across multiple switches.
VSP 4000 analyzes each packet independently of preceding packets. This mode, as opposed to the
cache mode that other vendors use, allows complete traffic isolation.
For more information about VLANs, see Configuring VLANs and Spanning Tree on Avaya Virtual
Services Platform 4000 Series, NN46251-500.
Management of access policies
At Layer 2, VSP 4000 provides the following security mechanisms:
• Access policies
If you enable access policies globally, the system creates a default policy (1) that allows File
Transfer Protocol (FTP), Hypertext Transfer Protocol (HTTP), Telnet, and Secure Shell (SSH).
If you enable access policies globally but disable the default policy, the system denies FTP,
HTTP, rlogin, SSH, Simple Network Management Protocol (SNMP), Telnet, and Trivial FTP
(TFTP).
The access-strict parameter is tied to the accesslevel parameter. If you enable
access-strict, the access policy looks at the accesslevel parameter and applies only to
that access level. Use the following configuration as an example:
VSP-9012:1(config)#show access-policy
AccessPolicyEnable: off
Id: 1
Name: default
PolicyEnable: false
Mode: allow
Service: ftp|http|telnet|ssh
Precedence: 128
NetAddrType: any
NetAddr: N/A
NetMask: N/A
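The following audit of the output above is an added example, not part of the Avaya documentation. It parses the fields shown and flags a disabled global switch and allow-mode policies that permit cleartext services. The function names, the "on" and "true" values, and the assumption that each policy block starts with Id are illustrative.

```python
import re

# Cleartext services, using the tokens that appear in the Service field above.
CLEARTEXT = {"ftp", "http", "telnet"}

# Constructed sample: the prompt and fields shown in the output above.
SAMPLE = """\
VSP-9012:1(config)#show access-policy
AccessPolicyEnable: off
Id: 1
Name: default
PolicyEnable: false
Mode: allow
Service: ftp|http|telnet|ssh
Precedence: 128
NetAddrType: any
NetAddr: N/A
NetMask: N/A
"""

def parse_access_policy(text):
    """Return (global_enabled, policies) parsed from 'Key: value' lines."""
    global_enabled, policies, current = None, [], None
    for line in text.splitlines():
        m = re.match(r"\s*(\w+)\s*:\s*(.*?)\s*$", line)
        if not m:
            continue  # prompt line, blank line or separator
        key, value = m.groups()
        if key == "AccessPolicyEnable":
            global_enabled = value.lower() == "on"  # "on" is an assumed value
        elif key == "Id":  # assumption: each policy block starts with Id
            current = {"Id": value}
            policies.append(current)
        elif current is not None:
            current[key] = value
    return global_enabled, policies

def audit(text):
    """List findings: global switch off, allow policies with cleartext services."""
    enabled, policies = parse_access_policy(text)
    findings = []
    if not enabled:
        findings.append("AccessPolicyEnable is off")
    for p in policies:
        weak = sorted(set(p.get("Service", "").lower().split("|")) & CLEARTEXT)
        if p.get("Mode") == "allow" and weak:  # "true" is an assumed value
            state = "enabled" if p.get("PolicyEnable") == "true" else "disabled"
            findings.append(f"policy {p['Id']} ({state}) allows cleartext: {', '.join(weak)}")
    return findings
```

Calling audit(SAMPLE) returns two findings for the configuration shown: the global switch is off, and policy 1 allows FTP, HTTP, and Telnet alongside SSH.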
December 2014 Network Design Reference for Avaya VSP 4000 Series 117