Design Reference
policy to provide access. A lower precedence takes higher priority if you use multiple policies.
Preference 120 has priority over preference 128.
RADIUS authentication
You can enforce access control by using Remote Authentication Dial-in User Service (RADIUS).
RADIUS provides a high degree of security against unauthorized access and centralizes the
knowledge of security access based on a client and server architecture. The database within the
RADIUS server stores pertinent information about clients, users, passwords, and access privileges
including the use of the shared secret.
When the switch acts as a Network Access Server, it operates as a RADIUS client. The switch is
responsible for passing user information to the designated RADIUS servers. Because the switch
operates in a LAN environment, it allows user access through Telnet, rlogin, and console logon.
You can configure a list of up to 10 RADIUS servers on the switch. If the first server is unavailable,
VSP 4000 tries the second, and so on, until it establishes a successful connection.
RADIUS authentication supports WEB, CLI, and SNMP access. You can configure a list of up to 10 RADIUS
servers for all three methods combined. If you configure six servers for SNMP, you can configure
four servers for the other methods.
You can use the RADIUS server as a proxy for stronger authentication (see the following figure),
such as:
• SecurID cards
• Kerberos
• other systems like Terminal Access Controller Access-Control System Plus (TACACS+)
Figure 57: RADIUS server as proxy for stronger authentication
You must configure each RADIUS client to contact the RADIUS server. When you configure a client
to work with a RADIUS server, complete the following configurations:
• Enable RADIUS.
• Provide the IP address of the RADIUS server.
• Ensure that the shared secret matches what is defined in the RADIUS server.
• Provide the attribute value.
• Provide the use-by value.
The use-by value can be CLI, SNMP, IGMP, or EAPoL.
• Indicate the order of priority in which the RADIUS server is used. (Order is essential when
more than one RADIUS server exists in the network.)
• Specify the User Datagram Protocol (UDP) port that the client and server use during the
authentication process. The UDP port between the client and the server must have the same or
System and network stability and security
122 Network Design Reference for Avaya VSP 4000 Series December 2014