Design Reference
Table Of Contents
- Contents
- Chapter 1: Introduction
- Chapter 2: New in this release
- Chapter 3: Network design fundamentals
- Chapter 4: Hardware fundamentals and guidelines
- Chapter 5: Optical routing design
- Chapter 6: Platform redundancy
- Chapter 7: Link redundancy
- Chapter 8: Layer 2 loop prevention
- Chapter 9: Layer 2 switch clustering and SMLT
- Chapter 10: Layer 3 switch clustering and RSMLT
- Chapter 11: Layer 3 switch clustering and multicast SMLT
- Chapter 12: Spanning tree
- Chapter 13: Layer 3 network design
- Chapter 14: SPBM design guidelines
- Chapter 15: IP multicast network design
- Multicast and VRF-Lite
- Multicast and MultiLink Trunking considerations
- Multicast scalability design rules
- IP multicast address range restrictions
- Multicast MAC address mapping considerations
- Dynamic multicast configuration changes
- IGMPv3 backward compatibility
- IGMP Layer 2 Querier
- TTL in IP multicast packets
- Multicast MAC filtering
- Guidelines for multicast access policies
- Split-subnet and multicast
- Protocol Independent Multicast-Sparse Mode guidelines
- Protocol Independent Multicast-Source Specific Multicast guidelines
- Multicast for multimedia
- Chapter 16: System and network stability and security
- Chapter 17: QoS design guidelines
- Chapter 18: Layer 1, 2, and 3 design examples
- Glossary
High Secure mode
To ensure that VSP 4000 does not route packets with an illegal source address of 255.255.255.255
(RFC1812 Section 4.2.2.11 and RFC971 Section 3.2), you can enable High Secure mode.
By default, this feature is disabled. After you enable this flag, the feature applies to all ports.
For more information about High Secure mode, see Security for Avaya Virtual Services Platform
4000 Series, NN46251-601.
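The High Secure mode behaviour described above, modelled as an added Python example (this is not Avaya code and does not reflect the switch's internal implementation): a global flag that defaults to off, and, when on, refuses to route a packet whose source address is 255.255.255.255 regardless of the ingress port. The packet and configuration types and the sample traffic are constructed for the illustration.

```python
import ipaddress
from dataclasses import dataclass

# Illegal source address named by the page: the limited broadcast address.
LIMITED_BROADCAST = ipaddress.IPv4Address("255.255.255.255")


@dataclass
class RouterConfig:
    # Models the High Secure mode flag: disabled by default, and when set it
    # applies to every port (there is no per-port exception).
    high_secure: bool = False


@dataclass
class Packet:
    src: str
    dst: str
    ingress_port: int


def forwarding_decision(pkt: Packet, cfg: RouterConfig) -> tuple[bool, str]:
    """Return (forward?, reason) for one routed packet.

    Only the check the page describes is modelled: with High Secure mode on,
    a packet whose source is 255.255.255.255 is not routed, whatever port it
    arrived on. With the flag off (the default) the packet is forwarded.
    """
    src = ipaddress.IPv4Address(pkt.src)
    if cfg.high_secure and src == LIMITED_BROADCAST:
        return False, (f"port {pkt.ingress_port}: dropped, illegal source "
                       f"{src} (RFC 1812 section 4.2.2.11)")
    return True, f"port {pkt.ingress_port}: forwarded {src} -> {pkt.dst}"


def audit(packets, cfg):
    """Apply the decision to a batch and return (forwarded, dropped) counts."""
    forwarded = dropped = 0
    for pkt in packets:
        ok, _ = forwarding_decision(pkt, cfg)
        if ok:
            forwarded += 1
        else:
            dropped += 1
    return forwarded, dropped


# Constructed sample traffic: one legitimate packet and the same bogus packet
# arriving on two different ports, to show the flag is global.
SAMPLE_PACKETS = [
    Packet("10.1.1.5", "10.2.2.9", ingress_port=1),
    Packet("255.255.255.255", "10.2.2.9", ingress_port=1),
    Packet("255.255.255.255", "10.2.2.9", ingress_port=24),
]

if __name__ == "__main__":
    for cfg in (RouterConfig(), RouterConfig(high_secure=True)):
        print(f"high_secure={cfg.high_secure}")
        for pkt in SAMPLE_PACKETS:
            print("  ", forwarding_decision(pkt, cfg)[1])
        print("   forwarded/dropped:", audit(SAMPLE_PACKETS, cfg))
```

Running the sample batch with the default configuration forwards all three packets; with the flag enabled the two bogus packets are dropped on port 1 and port 24 alike, which is the point to verify when the mode is turned on: it is not a per-port setting.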
Data plane security
Data plane security mechanisms include the Extensible Authentication Protocol (EAP) 802.1x,
VLANs, filters, routing policies, and routing protocol protection.
To protect the network from inside threats, the switch supports the 802.1x standard.
EAP separates user authentication from device authentication.
If you enable EAP, end-users must securely log on to the network before they can obtain access to
a resource.
Interaction between 802.1x and Optivity Policy Server v4.0
User-based networking links EAP authorization to individual user-based security policies. As a
result, network managers can define corporate policies and configure them on an individual port
basis. This configuration provides additional security based on a logon and password.
The Avaya Optivity Policy Server supports 802.1x EAP authentication against Remote
Authentication Dial-in User Service (RADIUS) and other authentication, authorization, and
accounting (AAA) repositories. This support authenticates the user, grants access to specific
applications, and provides real-time policy provisioning capabilities to mitigate the penetration of
unsecured devices.
The following figure shows the interaction between 802.1x and Optivity Policy Server. First, the user
initiates a logon from a user access point and receives an EAP Request/Identity from the switch
(the EAP access point). The user then receives a network logon prompt. Before Dynamic Host
Configuration Protocol (DHCP) can run, the user has no network access because the EAP access
point port is in EAP blocking mode. The user provides logon credentials to the EAP access point
using Extensible Authentication Protocol over LAN (EAPoL). The client PC is both a RADIUS peer
user and an EAP supplicant.
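The exchange described above and in the "Data plane security" section, as an added Python model that is not part of this document or of any Avaya product: a switch port in EAP blocking mode accepts only EAPoL frames and drops everything else (the DHCP Discover included) until a RADIUS Access-Accept moves it to the authorized state. The `RadiusServer` class, the message names used for the challenge step, and the sample identity and credential are constructed stand-ins; a real deployment runs an EAP method such as EAP-TLS or PEAP inside that step rather than comparing a credential directly.

```python
from enum import Enum

ETHERTYPE_EAPOL = 0x888E   # EAP over LAN frames
ETHERTYPE_IPV4 = 0x0800    # everything else the client might send (DHCP, etc.)


class PortState(Enum):
    UNAUTHORIZED = "unauthorized"   # EAP blocking mode: only EAPoL is accepted
    AUTHORIZED = "authorized"       # user authenticated: normal forwarding


class RadiusServer:
    """Constructed stand-in for the RADIUS/AAA repository (hypothetical)."""

    def __init__(self, users):
        self._users = users  # identity -> credential

    def access_request(self, identity, credential):
        if self._users.get(identity) == credential:
            return "Access-Accept"
        return "Access-Reject"


class AuthenticatorPort:
    """One switch port acting as the 802.1x authenticator (EAP access point)."""

    def __init__(self, port_id, radius):
        self.port_id = port_id
        self.radius = radius
        self.state = PortState.UNAUTHORIZED
        self._pending_identity = None
        self.trace = []   # EAP messages the port sent back toward the supplicant

    def ingress(self, frame):
        """Data-plane decision for one frame: {'ethertype': int, 'payload': dict}."""
        if frame["ethertype"] == ETHERTYPE_EAPOL:
            reply = self._handle_eapol(frame["payload"])
            self.trace.append(reply)
            return reply
        # Non-EAPoL traffic (DHCP included) is dropped until the port is authorized.
        return "forwarded" if self.state is PortState.AUTHORIZED else "dropped"

    def _handle_eapol(self, payload):
        kind = payload.get("type")
        if kind == "EAPOL-Start":
            return "EAP Request/Identity"
        if kind == "EAP Response/Identity":
            self._pending_identity = payload["identity"]
            return "EAP Request/Challenge"
        if kind == "EAP Response/Challenge":
            if self._pending_identity is None:
                return "EAP Failure"   # credentials without an identity phase
            result = self.radius.access_request(self._pending_identity,
                                                payload["credential"])
            self._pending_identity = None
            if result == "Access-Accept":
                self.state = PortState.AUTHORIZED
                return "EAP Success"
            return "EAP Failure"
        return "dropped"


def eapol(ptype, **fields):
    """Build a constructed EAPoL frame of the given message type."""
    return {"ethertype": ETHERTYPE_EAPOL, "payload": {"type": ptype, **fields}}


def run_logon(port, identity, credential):
    """Drive the supplicant side of the exchange; return the resulting port state."""
    port.ingress(eapol("EAPOL-Start"))
    port.ingress(eapol("EAP Response/Identity", identity=identity))
    port.ingress(eapol("EAP Response/Challenge", credential=credential))
    return port.state


# Constructed sample: the DHCP Discover a client sends before and after logon.
DHCP_DISCOVER = {"ethertype": ETHERTYPE_IPV4, "payload": {"proto": "DHCP Discover"}}

if __name__ == "__main__":
    port = AuthenticatorPort(1, RadiusServer({"alice": "correct-credential"}))
    print("before logon:", port.ingress(DHCP_DISCOVER))
    print("bad logon   :", run_logon(port, "alice", "wrong").value)
    print("good logon  :", run_logon(port, "alice", "correct-credential").value)
    print("after logon :", port.ingress(DHCP_DISCOVER))
    print("trace:", port.trace)
```

The part worth checking in a design review is the `ingress` branch: the only frames a blocked port ever processes are EAPoL, so a failed or absent logon leaves DHCP and all other client traffic dropped, and the port only starts forwarding after the AAA repository returns Access-Accept.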
June 2015 Network Design Reference for Avaya VSP 4000 Series 151
Comments on this document? infodev@avaya.com