Design Reference
Table Of Contents
- Contents
- Chapter 1: Introduction
- Chapter 2: New in this release
- Chapter 3: Network design fundamentals
- Chapter 4: Hardware fundamentals and guidelines
- Chapter 5: Optical routing design
- Chapter 6: Platform redundancy
- Chapter 7: Link redundancy
- Chapter 8: Layer 2 loop prevention
- Chapter 9: Layer 2 switch clustering and SMLT
- Chapter 10: Layer 3 switch clustering and RSMLT
- Chapter 11: Layer 3 switch clustering and multicast SMLT
- Chapter 12: Spanning tree
- Chapter 13: Layer 3 network design
- Chapter 14: SPBM design guidelines
- Chapter 15: IP multicast network design
- Multicast and VRF-Lite
- Multicast and MultiLink Trunking considerations
- Multicast scalability design rules
- IP multicast address range restrictions
- Multicast MAC address mapping considerations
- Dynamic multicast configuration changes
- IGMPv3 backward compatibility
- IGMP Layer 2 Querier
- TTL in IP multicast packets
- Multicast MAC filtering
- Guidelines for multicast access policies
- Split-subnet and multicast
- Protocol Independent Multicast-Sparse Mode guidelines
- Protocol Independent Multicast-Source Specific Multicast guidelines
- Multicast for multimedia
- Chapter 16: System and network stability and security
- Chapter 17: QoS design guidelines
- Chapter 18: Layer 1, 2, and 3 design examples
- Glossary
Encryption of control plane traffic
Control-plane traffic encryption involves Secure Shell (SSHv2), SFTP, and Simple Network Management Protocol (SNMPv3).
Use SSH to conduct secure communications over a network between a server and a client. The switch supports only the server mode, so you must supply an external SSH client to establish communication. The server mode supports SSHv2 only; SSHv1 is not supported.
The SSH protocol offers:
• Authentication—SSHv2 establishes identities. During the logon process, the user must supply digital proof of identity before access is granted.
• Encryption—SSHv2 encrypts the session so that the data is unintelligible to anyone except the intended receiver.
• Integrity—SSHv2 verifies that data arrives at the receiver exactly as the sender transmitted it. If a third party captures and modifies the traffic, SSH detects the alteration.
VSP 4000 supports:
• SSH version 2 with password and Digital Signature Algorithm (DSA) authentication. SSH version 1 is not supported.
• Data Encryption Standard (DES). DES is a legacy cipher; prefer AES where the client supports it.
• Advanced Encryption Standard (AES)
SNMP header network address
You can direct the IP header of self-generated UDP packets to carry the management virtual IP address as its source address. If you configure a management virtual IP address and enable the udpsrc-by-vip flag, the network address in the SNMP header is always the management virtual IP address. This applies to all traps, whether routed out on the I/O ports or on the out-of-band management Ethernet port.
SNMPv3 support
SNMP version 1 and version 2 are not secure because community strings are sent in cleartext; anyone who can capture the traffic can read them. Avaya strongly recommends that you use SNMP version 3. SNMPv3 provides stronger authentication services and encryption of data traffic for network management.
If you enable enhanced secure mode, the VSP switch does not support the default SNMPv1 and SNMPv2 community strings or the default SNMPv3 user name. A user in the administrator access level role can configure non-default community strings, after which the VSP switch continues to support SNMPv1 and SNMPv2. The same role can also configure a non-default SNMPv3 user name, after which the VSP switch continues to support SNMPv3.
If you disable enhanced secure mode, SNMPv1 and SNMPv2 support for community strings remains the same, and the default SNMPv3 user name remains the same. Enhanced secure mode is disabled by default.
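The cleartext community problem above can be checked directly on the wire. The following is an added example, not code from the Avaya document: a small BER walker that reads the SNMP message header from captured UDP payloads and reports which datagrams expose a community string (SNMPv1/v2c) and whether it is a well-known default. The sample packets are constructed for this example, with empty security parameters and PDU bodies, and the parser assumes well-formed BER input.

```python
# Added example (not from the Avaya document). Parses only the SNMP message
# header: SEQUENCE { INTEGER version, <community OCTET STRING | msgGlobalData SEQUENCE>, ... }

def _read_tlv(buf, pos):
    """Return (tag, value_bytes, next_pos) for the BER TLV starting at buf[pos]."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def snmp_header(payload):
    """Return {'version': 'v1'|'v2c'|'v3'|'unknown', 'community': str|None} for one datagram."""
    tag, body, _ = _read_tlv(payload, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message (outer SEQUENCE missing)")
    tag, ver, pos = _read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("version INTEGER missing")
    version = {0: "v1", 1: "v2c", 3: "v3"}.get(int.from_bytes(ver, "big"), "unknown")
    tag, second, _ = _read_tlv(body, pos)
    # v1/v2c: second element is the OCTET STRING community, readable by anyone on the path.
    # v3: second element is the msgGlobalData SEQUENCE; no community travels on the wire.
    community = second.decode("ascii", "replace") if tag == 0x04 else None
    return {"version": version, "community": community}

WEAK_COMMUNITIES = {"public", "private"}   # vendor defaults that should never be in use

def audit(payloads):
    """Classify each datagram: default community, other cleartext community, or SNMPv3."""
    findings = []
    for p in payloads:
        h = snmp_header(p)
        if h["community"] is None:
            findings.append((h["version"], "ok: no community on the wire"))
        elif h["community"] in WEAK_COMMUNITIES:
            findings.append((h["version"], f"default community '{h['community']}' in cleartext"))
        else:
            findings.append((h["version"], f"community '{h['community']}' in cleartext"))
    return findings

# Constructed sample datagrams (get-request PDUs with empty varbind lists).
SAMPLE_V1  = bytes.fromhex("30 19 02 01 00 04 07 70 72 69 76 61 74 65 a0 0b 02 01 01 02 01 00 02 01 00 30 00")
SAMPLE_V2C = bytes.fromhex("30 18 02 01 01 04 06 70 75 62 6c 69 63 a0 0b 02 01 01 02 01 00 02 01 00 30 00")
SAMPLE_V3  = bytes.fromhex("30 16 02 01 03 30 0d 02 01 01 02 02 ff ff 04 01 04 02 01 03 04 00 30 00")

if __name__ == "__main__":
    for version, note in audit([SAMPLE_V1, SAMPLE_V2C, SAMPLE_V3]):
        print(f"SNMP{version}: {note}")
```

Feeding this the UDP payloads of a capture taken on the management segment shows at a glance which managers are still polling the switch with v1/v2c, and which of those still use a default community.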
Other security equipment
Avaya offers other devices that increase the security of your network.
For sophisticated state-aware packet filtering (real stateful inspection), you can add an external firewall to the architecture. State-aware firewalls can recognize and track application flows that use
Control plane security
June 2015 Network Design Reference for Avaya VSP 4000 Series 159
Comments on this document? infodev@avaya.com