Design Reference

High Secure mode
To ensure that VSP 4000 does not route packets with an illegal source address of 255.255.255.255
(RFC1812 Section 4.2.2.11 and RFC971 Section 3.2), you can enable High Secure mode.
By default, this feature is disabled. After you enable this flag, the feature applies to all ports.
For more information about High Secure mode, see Security for Avaya Virtual Services Platform
4000 Series, NN46251-601.
Data plane security
Data plane security mechanisms include VLANs, filters, routing policies, and routing protocol
protection.
VLANs and traffic isolation
You can use Avaya Virtual Services Platform 4000 Series to build secure VLANs. If you configure
port-based VLANs, each VLAN is completely separate from the others. VSP 4000 supports the
IEEE 802.1Q specification for tagging frames and coordinating VLANs across multiple switches.
VSP 4000 analyzes each packet independently of preceding packets. This mode, as opposed to the
cache mode that other vendors use, allows complete traffic isolation.
For more information about VLANs, see Configuring VLANs and Spanning Tree on Avaya Virtual
Services Platform 4000 Series, NN46251-500.
Management of access policies
At Layer 2, VSP 4000 provides the following security mechanisms:
Access policies
If you enable access policies globally, the system creates a default policy (1) that allows File
Transfer Protocol (FTP), Hypertext Transfer Protocol (HTTP), Telnet, and Secure Shell (SSH).
If you enable access policies globally but disable the default policy, the system denies FTP,
HTTP, rlogin, SSH, Simple Network Management Protocol (SNMP), Telnet, and Trivial FTP
(TFTP).
The access-strict parameter ties to the accesslevel parameter. If you enable
access-strict, the access policy looks at the accesslevel parameter, and only
applies to that access level. Use the following configuration as an example:
VSP-9012:1(config)#show access-policy
AccessPolicyEnable: off
Id: 1
Name: default
PolicyEnable: false
Mode: allow
Service: ftp|http|telnet|ssh
Precedence: 128
NetAddrType: any
NetAddr: N/A
NetMask: N/A
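
The following is an added example, not part of the Avaya documentation: a Python audit that parses show access-policy output in the field layout shown above and reports enabled allow-policies that admit cleartext management services from any source address. The sample input is constructed, and the choice of FTP, HTTP, Telnet, rlogin and TFTP as the services to flag is this example's assumption.

```python
import re

# Constructed input: the page's fields, with both enable flags switched on.
SAMPLE = """\
AccessPolicyEnable: on
Id: 1
Name: default
PolicyEnable: true
Mode: allow
Service: ftp|http|telnet|ssh
Precedence: 128
NetAddrType: any
"""

# Services that send credentials unencrypted. Only ftp, http and telnet appear
# as tokens on the page; the rlogin and tftp spellings are assumptions.
CLEARTEXT = {"ftp", "http", "telnet", "rlogin", "tftp"}

def parse_access_policy(text):
    """Return (global_enabled, policies) parsed from 'show access-policy' text."""
    global_enabled, policies = False, []
    for line in text.splitlines():
        m = re.match(r"\s*(\w+)\s*:\s*(.*?)\s*$", line)
        if not m:
            continue  # prompt line, blank line or page furniture
        key, value = m.groups()
        if key == "AccessPolicyEnable":
            global_enabled = value.lower() == "on"
        elif key == "Id":
            policies.append({"Id": value})  # each Id starts a new policy record
        elif policies:
            policies[-1][key] = value
    return global_enabled, policies

def audit(text):
    """Report enabled allow-policies that admit cleartext services from anywhere."""
    global_enabled, policies = parse_access_policy(text)
    if not global_enabled:
        return ["AccessPolicyEnable is off"]
    findings = []
    for p in policies:
        if p.get("PolicyEnable", "").lower() != "true" or p.get("Mode") != "allow":
            continue
        services = set(p.get("Service", "").lower().split("|"))
        risky = sorted(services & CLEARTEXT)
        if risky and p.get("NetAddrType") == "any":
            findings.append(f"policy {p['Id']} ({p.get('Name')}): "
                            f"{', '.join(risky)} allowed from any address")
    return findings
```

Calling audit(SAMPLE) returns one finding for policy 1; run against the output shown above, it returns only the note that AccessPolicyEnable is off.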
January 2015 Network Design Reference for Avaya VSP 4000 Series 119