Design Reference
Chapter 13: System and network stability and security
Use the information in this chapter to design and implement a secure network.
You must provide security mechanisms to protect your network from attack. If links become
congested due to attacks, you can immediately halt end-user services. During the design phase,
study availability issues for each layer.
To provide additional network security, you can use the Avaya Virtual Services Platform 9000 or
your own high-performance stateful firewalls.
DoS protection mechanisms
Several internal mechanisms and features protect Avaya Virtual Services Platform 4000 Series
against Denial-of-Service (DoS) attacks.
Broadcast and multicast rate limiting
To protect the switch and other devices from excessive broadcast traffic, you can use broadcast and
multicast rate limiting on an individual-port basis.
For more information about how to configure the rate limits for broadcast or multicast packets on a
port, see Configuration - QoS and ACL-Based Traffic Filtering Avaya Virtual Services Platform 4000
Series, NN46251-502.
Directed broadcast suppression
You can enable or disable forwarding for directed broadcast traffic on an IP-interface basis. A
directed broadcast is a frame sent to the subnet broadcast address on a remote IP subnet. By
disabling or suppressing directed broadcasts on an interface, you cause all frames sent to the
subnet broadcast address for a local router interface to be dropped. Directed broadcast suppression
protects hosts from possible DoS attacks.
To prevent the flooding of other networks with DoS attacks, such as the Smurf attack, VSP 4000 is
protected by directed broadcast suppression. This feature is enabled by default. Avaya recommends
that you not disable it.
For more information about directed broadcast suppression, see Security for Avaya Virtual Services
Platform 4000 Series, NN46251-601.
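The forwarding decision that directed broadcast suppression changes, modeled in Python as an added example (not Avaya code and not the switch's implementation). The interface names, subnets and the `classify` function are constructed for illustration; the model also covers /31 and /32 subnets, which have no broadcast address.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Interface:
    name: str
    network: ipaddress.IPv4Network
    suppress_directed_broadcast: bool = True  # the page says suppression is on by default


def subnet_broadcast(net):
    """Subnet broadcast address, or None for /31 and /32, which have none."""
    return None if net.prefixlen >= 31 else net.broadcast_address


def classify(dst, ingress, interfaces):
    """Decide what a router does with a packet for dst arriving on ingress."""
    dst = ipaddress.IPv4Address(dst)
    for iface in interfaces:
        if subnet_broadcast(iface.network) != dst:
            continue
        if iface.name == ingress:
            return "local-broadcast"  # sender is on that subnet; nothing is routed
        if iface.suppress_directed_broadcast:
            return "drop"  # directed broadcast, suppressed on the target interface
        return "flood:" + iface.name  # one routed packet reaches every host on the subnet
    return "route"  # ordinary unicast, or a broadcast address of a subnet not attached here


# Constructed sample topology (hypothetical names and subnets).
INTERFACES = [
    Interface("vlan10", ipaddress.IPv4Network("10.1.10.0/24")),
    Interface("vlan20", ipaddress.IPv4Network("10.1.20.0/24")),
    Interface("p2p", ipaddress.IPv4Network("10.1.255.0/31")),
]

if __name__ == "__main__":
    for dst in ("10.1.20.255", "10.1.10.255", "10.1.20.7", "10.1.255.1"):
        print(dst, "->", classify(dst, "vlan10", INTERFACES))
```

The `flood:` result is the case the default setting prevents: a single routed packet fanned out to every host on the target subnet.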
116 Network Design Reference for Avaya VSP 4000 Series January 2015










