Design Reference

For more information, see Avaya Virtual Services Platform 4000 Security,
NN46251-601.
4. Prevent unknown devices from influencing the spanning tree topology.
Packet spoofing
You can stop spoofed IP packets by configuring the switch to only forward IP packets that
contain the correct source IP address of your network. By denying all invalid source IP
addresses, you minimize the chance that your network is the source of a spoofed DoS
attack.
A spoofed packet is one that comes from the Internet into your network with a source address
that belongs to one of the address blocks or subnets on your network. To provide spoofing
protection, you can use a filter that examines the source address of all outside packets. If
that address belongs to an internal network or a firewall, the packet is dropped.
To prevent DoS attack packets that come from your network with valid source addresses, you
need to know the IP network blocks in use. You can create a generic filter that:
• permits valid source addresses
• denies all other source addresses
To do so, configure an ingress filter that drops all traffic based on the source address that
belongs to your network.
If you do not know the address space completely, it is important that you at least deny private
(see RFC1918) and reserved source IP addresses. The following table lists the source
addresses to filter.
Table 12: Source addresses to filter

Address               Description
0.0.0.0/8             Historical broadcast. High Secure mode blocks addresses
                      0.0.0.0/8 and 255.255.255.255/16. If you enable this mode,
                      you do not need to filter these addresses.
10.0.0.0/8            RFC1918 private network
127.0.0.0/8           Loopback
169.254.0.0/16        Link local networks
172.16.0.0/12         RFC1918 private network
192.0.2.0/24          TEST-NET
192.168.0.0/16        RFC1918 private network
224.0.0.0/4           Class D multicast
240.0.0.0/5           Class E reserved
248.0.0.0/5           Unallocated
255.255.255.255/32    Broadcast
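
The filter decisions described in this section, modelled in Python as an added example (it is not Avaya code or switch configuration). The INTERNAL blocks and the sample source addresses are constructed assumptions; the deny list is the set of prefixes from Table 12.

```python
import ipaddress

# Source prefixes listed in Table 12.
TABLE_12 = [
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.2.0/24", "192.168.0.0/16", "224.0.0.0/4",
    "240.0.0.0/5", "248.0.0.0/5", "255.255.255.255/32",
]
DENY = [ipaddress.ip_network(p) for p in TABLE_12]

# Assumption: constructed address blocks standing in for "your network".
INTERNAL = [ipaddress.ip_network(p) for p in ("198.51.100.0/24", "10.20.0.0/16")]


def first_match(addr, nets):
    """Return the first network in nets that contains addr, or None."""
    return next((n for n in nets if addr in n), None)


def check_inbound(src):
    """Packet from outside: drop internal-looking and Table 12 sources."""
    addr = ipaddress.ip_address(src)
    hit = first_match(addr, INTERNAL)
    if hit is not None:
        return ("drop", f"spoofed internal source {hit}")
    hit = first_match(addr, DENY)
    if hit is not None:
        return ("drop", f"Table 12 source {hit}")
    return ("permit", "external source")


def check_outbound(src):
    """Packet leaving the network: permit valid sources, deny all others."""
    addr = ipaddress.ip_address(src)
    hit = first_match(addr, INTERNAL)
    if hit is not None:
        return ("permit", f"valid internal source {hit}")
    return ("drop", "source not in an internal block")


def redundant_entries():
    """Table 12 prefixes that fall inside another, wider Table 12 prefix."""
    return [str(n) for n in DENY
            if any(n != o and n.subnet_of(o) for o in DENY)]


if __name__ == "__main__":
    for src in ("198.51.100.7", "192.168.1.5", "203.0.113.9"):  # constructed
        print("inbound ", src, check_inbound(src))
        print("outbound", src, check_outbound(src))
    print("covered by a wider entry:", redundant_entries())
```

`redundant_entries()` shows that 255.255.255.255/32 already falls inside 248.0.0.0/5, so a filter built from the table matches the broadcast address on either row.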
Damage prevention
Network Design Reference for Avaya VSP 4000 February 2014 121