Design Reference
Avaya recommends that you use access policies for in-band management to secure access to the
switch. By default, all services are denied. You must enable the default policy or enable a custom
policy to provide access. If you use multiple policies, the policy with the lower precedence value
takes priority: preference 120 has priority over preference 128.
RADIUS authentication
You can enforce access control by using Remote Authentication Dial-in User Service (RADIUS).
RADIUS provides a high degree of security against unauthorized access and centralizes the
knowledge of security access based on a client and server architecture. The database within the
RADIUS server stores pertinent information about clients, users, passwords, and access privileges
including the use of the shared secret.
When the switch acts as a Network Access Server, it operates as a RADIUS client. The switch is
responsible for passing user information to the designated RADIUS servers. Because the switch
operates in a LAN environment, it allows user access through Telnet, rlogin, and console logon.
You can configure a list of up to 10 RADIUS servers on the switch. If the first server is unavailable,
VSP 4000 tries the second, and so on, until it establishes a successful connection.
RADIUS authentication supports WEB, CLI, or SNMP. You can configure a list of up to 10 RADIUS
servers for all three methods combined. If you configure six servers for SNMP, you can configure
four servers for the other methods.
You can use the RADIUS server as a proxy for stronger authentication (see the following figure),
such as:
• SecurID cards
• Kerberos
• other systems like Terminal Access Controller Access-Control System Plus (TACACS+)
Figure 58: RADIUS server as proxy for stronger authentication
You must configure each RADIUS client to contact the RADIUS server. When you configure a client
to work with a RADIUS server, complete the following configurations:
• Enable RADIUS.
• Provide the IP address of the RADIUS server.
• Ensure that the shared secret matches what is defined in the RADIUS server.
• Provide the attribute value.
• Provide the use-by value.
The use-by value can be CLI, SNMP, IGMP, or EAPoL.
• Indicate the order of priority in which the RADIUS server is used. (Order is essential when
more than one RADIUS server exists in the network.)
System and network stability and security
124 Network Design Reference for Avaya VSP 4000 Series January 2015










