Chapter 13: System and network stability and security
Use the information in this section to design and implement a secure network.
You must provide security mechanisms to protect your network from attack. If links become congested because of an attack, end-user services can halt immediately. During the design phase, study availability issues for each layer.
To provide additional network security, you can use the Avaya VSP 9000 or your own high-performance
stateful firewalls.
DoS protection mechanisms
Several internal mechanisms and features protect Virtual Services Platform 4000 against Denial-of-Service (DoS) attacks.
Broadcast and multicast rate limiting
To protect the switch and other devices from excessive broadcast traffic, you can use broadcast and multicast rate limiting on an individual port basis.
For more information about how to configure the rate limits for broadcast or multicast packets on a port, see Avaya Virtual Services Platform 4000 Configuration — QoS and IP Filtering, NN46251-502.
Directed broadcast suppression
You can enable or disable forwarding for directed broadcast traffic on an IP-interface basis. A directed broadcast is a frame sent to the subnet broadcast address of a remote IP subnet. By disabling or suppressing directed broadcasts on an interface, you cause all frames sent to the subnet broadcast address of a local router interface to be dropped. Directed broadcast suppression protects hosts from possible DoS attacks.
To prevent the flooding of other networks with DoS attacks, such as the Smurf attack, Virtual Services Platform 4000 is protected by directed broadcast suppression. This feature is enabled by default. Avaya recommends that you not disable it.
For more information about directed broadcast suppression, see Avaya Virtual Services Platform 4000 Security, NN46251-601.
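The forwarding decision described above, written out as an added Python model so the distinction between a local subnet broadcast and a directed broadcast arriving from another interface is explicit. This is illustrative code, not Avaya's implementation; the interface names and addresses are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, Optional

LIMITED_BROADCAST = ipaddress.IPv4Address("255.255.255.255")


@dataclass(frozen=True)
class Interface:
    name: str
    prefix: ipaddress.IPv4Network  # subnet directly connected to this router interface


def make_interface(name: str, cidr: str) -> Interface:
    return Interface(name, ipaddress.IPv4Network(cidr, strict=False))


def directed_broadcast_target(dst: str, interfaces: Iterable[Interface]) -> Optional[Interface]:
    """Return the local interface whose subnet broadcast address equals dst, else None.
    /31 and /32 prefixes have no broadcast address (RFC 3021), so they never match."""
    addr = ipaddress.IPv4Address(dst)
    for ifc in interfaces:
        if ifc.prefix.prefixlen < 31 and addr == ifc.prefix.broadcast_address:
            return ifc
    return None


def forward_decision(dst: str, ingress: str, interfaces: Iterable[Interface],
                     suppress: bool = True) -> str:
    """Classify a packet the way a router with directed-broadcast suppression would.
    ingress is the name of the interface the packet arrived on."""
    addr = ipaddress.IPv4Address(dst)
    if addr == LIMITED_BROADCAST:
        return "local-broadcast"  # limited broadcast is never routed off its segment
    target = directed_broadcast_target(dst, interfaces)
    if target is None:
        return "forward"  # unicast or a broadcast for some non-local subnet: normal routing
    if ingress == target.name:
        return "local-broadcast"  # a host on that subnet broadcasting to its own subnet
    # Arrived on another interface, aimed at a local subnet's broadcast address:
    # this is the directed broadcast a Smurf-style amplification relies on.
    return "drop-directed-broadcast" if suppress else "forward"


# Constructed sample topology: two VLAN interfaces on one router.
SAMPLE_INTERFACES = [
    make_interface("vlan10", "192.168.10.0/24"),
    make_interface("vlan20", "192.168.20.0/24"),
    make_interface("p2p1", "10.0.0.0/31"),  # point-to-point link, no broadcast address
]
```

With suppression disabled (`suppress=False`) the same packet is forwarded, which is exactly why the document recommends leaving the feature on.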
Prioritization of control traffic
Virtual Services Platform 4000 uses a sophisticated prioritization scheme to schedule control
packets on physical ports. This scheme involves two levels with both hardware and software
Network Design Reference for Avaya VSP 4000 February 2014 119