4. Prevent unknown devices from influencing the spanning tree topology.
Packet spoofing
You can stop spoofed IP packets by configuring the switch to forward only IP packets that carry
a source IP address that is valid for your network. By denying all invalid source IP addresses, you
minimize the chance that your network becomes the source of a spoofed DoS attack.
A spoofed packet is one that arrives from the Internet with a source address equal to one of the
subnet addresses on your network; that is, the source address belongs to one of the address blocks
or subnets that you own. To provide spoofing protection, use a filter that examines the source
address of every packet arriving from outside. If that address belongs to an internal network or to
a firewall, the packet is dropped.
To prevent DoS attack packets that leave your network with valid source addresses, you need
to know the IP network blocks in use. You can create a generic filter that:
• Permits valid source addresses
• Denies all other source addresses
For the inbound direction, configure an ingress filter on the outside-facing interface that drops all
traffic whose source address belongs to your network.
If you do not know the address space completely, it is important that you at least deny private (see
RFC1918) and reserved source IP addresses. The following table lists the source addresses to
filter.
Table 19: Source addresses to filter

Address             Description
0.0.0.0/8           Historical broadcast. High Secure mode blocks addresses 0.0.0.0/8 and
                    255.255.255.255/16. If you enable this mode, you do not need to filter
                    these addresses.
10.0.0.0/8          RFC1918 private network
127.0.0.0/8         Loopback
169.254.0.0/16      Link-local networks
172.16.0.0/12       RFC1918 private network
192.0.2.0/24        TEST-NET
192.168.0.0/16      RFC1918 private network
224.0.0.0/4         Class D multicast
240.0.0.0/5         Class E reserved
248.0.0.0/5         Unallocated
255.255.255.255/32  Broadcast¹
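The following is an added example, not part of the Avaya design reference and not the VSP 4000 filter syntax. It models the two filters described above in Python: an ingress check that drops packets from outside whose source claims an internal block or falls in a Table 19 range, and an egress check that permits only sources belonging to the network. The internal prefixes (198.51.100.0/24 and 203.0.113.0/24) and the sample packets are constructed for the example.

```python
"""Added example: ingress and egress anti-spoofing source-address checks.

Illustrative Python only; it is not the switch's filter configuration.
The internal address blocks and sample traffic below are constructed.
"""
import ipaddress

# Constructed: the address blocks this network owns (assumption for the example).
INTERNAL_BLOCKS = [ipaddress.ip_network(p) for p in ("198.51.100.0/24", "203.0.113.0/24")]

# Private and reserved source ranges, as listed in Table 19 of the design reference.
BOGON_SOURCES = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.2.0/24", "192.168.0.0/16",
    "224.0.0.0/4", "240.0.0.0/5", "248.0.0.0/5", "255.255.255.255/32",
)]


def in_any(addr, networks):
    """True if addr falls inside any of the given networks."""
    return any(addr in net for net in networks)


def ingress_verdict(src):
    """Filter for packets arriving from the outside.

    Drop when the source claims one of our own blocks (a spoofed packet),
    or when it lies in a private/reserved range that should never appear as
    a source address coming from the Internet. Everything else is permitted.
    """
    addr = ipaddress.ip_address(src)
    if in_any(addr, INTERNAL_BLOCKS):
        return "drop-spoofed-internal"
    if in_any(addr, BOGON_SOURCES):
        return "drop-bogon"
    return "permit"


def egress_verdict(src):
    """Filter for packets leaving toward the Internet.

    Permit only sources that belong to our own blocks; deny all others so
    this network cannot originate traffic with a forged source address.
    """
    addr = ipaddress.ip_address(src)
    return "permit" if in_any(addr, INTERNAL_BLOCKS) else "drop-not-ours"


# Constructed sample traffic: (direction, source address).
SAMPLE = [
    ("in", "8.8.8.8"),            # ordinary external source: permitted
    ("in", "198.51.100.7"),       # claims to be inside our network: spoofed
    ("in", "10.1.2.3"),           # RFC1918 source from the Internet: bogon
    ("in", "240.1.1.1"),          # Class E reserved: bogon
    ("out", "198.51.100.7"),      # our own address leaving: permitted
    ("out", "192.168.1.1"),       # private source leaking out: dropped
    ("out", "8.8.8.8"),           # forged external source leaving: dropped
]


def evaluate(samples=SAMPLE):
    """Apply the matching filter to each sample and return the verdicts."""
    return [
        (direction, src, ingress_verdict(src) if direction == "in" else egress_verdict(src))
        for direction, src in samples
    ]


if __name__ == "__main__":
    for direction, src, verdict in evaluate():
        print(f"{direction:>3} src={src:<16} {verdict}")
```

Because the ingress check tests the internal blocks before the Table 19 ranges, a packet from outside that carries one of your own addresses is always reported as spoofed even if that address also happened to fall in a reserved range; the egress check needs only the internal list, since everything else is denied by default.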
You can also enable the spoof-detect feature on a port.
For more information about the spoof-detect feature, see Configuring VLANs and Spanning Tree on
Avaya Virtual Services Platform 4000 Series, NN46251-500.
System and network stability and security
118 Network Design Reference for Avaya VSP 4000 Series January 2015
Comments? infodev@avaya.com