Design Reference

ManualsBrandsExtreme Networks ManualsComputers & AccessoriesFabric-enabled multi-service edge switches

151

152

153

154

155

156

157

158

159

160

Table Of Contents

Contents
Chapter 1: Introduction
- Purpose
- Related resources
- Support
Chapter 2: New in this release
- VOSS 4.2.1
  - Features
  - Other changes
- VOSS 4.2
  - Features
  - Other changes
Chapter 3: Network design fundamentals
Chapter 4: Hardware fundamentals and guidelines
- Supported hardware
- Platform considerations
- Hardware compatibility for VSP 4000
- Supported optical devices
- Dispersion considerations for long reach
- 10/100BASE-X and 1000BASE-TX reach
- 10/100/1000BASE-TX Auto-Negotiation recommendations
- Auto MDIX
- CANA
Chapter 5: Optical routing design
- Optical routing system components
Chapter 6: Platform redundancy
- Power redundancy
- Input/output port redundancy
- Configuration redundancy
- Link redundancy
Chapter 7: Link redundancy
- Physical layer redundancy
- MultiLink Trunking
- 802.3ad-based link aggregation
Chapter 8: Layer 2 loop prevention
- Loop prevention and detection
- SLPP example scenarios
Chapter 9: Layer 2 switch clustering and SMLT
- Split MultiLink Trunk configuration
Chapter 10: Layer 3 switch clustering and RSMLT
- Routed SMLT
- Switch clustering topologies and interoperability with other products
Chapter 11: Layer 3 switch clustering and multicast SMLT
- General guidelines
- Multicast triangle topology
- Square and full-mesh topology multicast guidelines
- SMLT and multicast traffic issues
Chapter 12: Spanning tree
- Spanning tree and protection against isolated VLANs
- MSTP and RSTP considerations
Chapter 13: Layer 3 network design
- VRF Lite
- Virtual Router Redundancy Protocol
- Open Shortest Path First
- Border Gateway Protocol
- IP routed interface scaling
- IPv6
Chapter 14: SPBM design guidelines
- 802.1aq standard
- VLANs without member ports
- Provisioning
- Implementation options
- Reference architectures
- Solution-specific reference architectures
- Best practices
- SPBM restrictions and limitations
- IP multicast over Fabric Connect restrictions
Chapter 15: IP multicast network design
- Multicast and VRF-Lite
- Multicast and MultiLink Trunking considerations
- Multicast scalability design rules
- IP multicast address range restrictions
- Multicast MAC address mapping considerations
- Dynamic multicast configuration changes
- IGMPv3 backward compatibility
- IGMP Layer 2 Querier
- TTL in IP multicast packets
- Multicast MAC filtering
- Guidelines for multicast access policies
- Split-subnet and multicast
- Protocol Independent Multicast-Sparse Mode guidelines
- Protocol Independent Multicast-Source Specific Multicast guidelines
- Multicast for multimedia
Chapter 16: System and network stability and security
- DoS protection mechanisms
- Damage prevention
- Data plane security
- Control plane security
- Additional information
Chapter 17: QoS design guidelines
- QoS mechanisms
- QoS interface considerations
- Network congestion and QoS design
- QoS examples and recommendations
Chapter 18: Layer 1, 2, and 3 design examples
- Layer 1 example
- Layer 2 example
- Layer 3 example
Glossary

Enhanced secure mode

If you enable enhanced secure mode, the system can provide role-based access levels, strong

password requirements, and strong rules on password length, password complexity, password

change intervals, password reuse, and password maximum age use. For more information, see

Administration for Avaya Virtual Services Platform 4000 Series, NN46251-600.

Security and access policies

Access policies permit secure switch access by specifying a list of IP addresses or subnets that can

manage the switch for a specific daemon, such as Telnet, SNMP, HTTP, SSHv2, TFTP, FTP, RSH,

and rlogin. Rather than using a management VLAN that is spread out among all of the switches in

the network, you can build a full Layer 3 routed network and securely manage the switch with one of

the in-band IP addresses attached to one of the VLANs (see the following figure).

Figure 77: Access levels

Avaya recommends that you use access policies for in-band management to secure access to the

switch. By default, all services are denied. You must enable the default policy or enable a custom

policy to provide access. A lower precedence takes higher priority if you use multiple policies.

Preference 120 has priority over preference 128.

RADIUS authentication

You can enforce access control by using Remote Authentication Dial-in User Service (RADIUS).

RADIUS provides a high degree of security against unauthorized access and centralizes the

knowledge of security access based on a client and server architecture. The database within the

RADIUS server stores pertinent information about clients, users, passwords, and access privileges

including the use of the shared secret.

When the switch acts as a Network Access Server, it operates as a RADIUS client. The switch is

responsible for passing user information to the designated RADIUS servers. Because the switch

operates in a LAN environment, it allows user access through Telnet, rlogin, and console logon.

You can configure a list of up to 10 RADIUS servers on the switch. If the first server is unavailable,

VSP 4000 tries the second, and so on, until it establishes a successful connection.

Control plane security

June 2015 Network Design Reference for Avaya VSP 4000 Series 157

Comments on this document? infodev@avaya.com