Design Reference

Routing protocol security
You can protect OSPF and BGP updates with a Message Digest 5 (MD5) key on each interface.
At most, you can configure two MD5 keys for each interface. You can also use multiple MD5
key configurations for MD5 transitions without bringing down an interface.
For more information, see Avaya Virtual Services Platform 4000 Configuration — OSPF and
RIP, NN46251-506 and Avaya Virtual Services Platform 4000 Configuration — BGP
Services, NN46251-507.

Control plane security
The control plane physically separates management traffic using the in-band interface. The
control plane facilitates High Secure mode, access policies, authentication, SSH and Secure
Copy, and SNMP.

High Secure mode
Use High Secure mode to disable all unsecured applications and daemons, for example, FTP, TFTP,
and rlogin. Avaya strongly recommends that you do not use unsecured protocols. See also
High Secure mode on page 122.
Use Secure Copy (SCP) rather than FTP or TFTP.

Security and access policies
Access policies permit secure switch access by specifying a list of IP addresses or subnets
that can manage the switch for a specific daemon, such as Telnet, SNMP, HTTP, SSH, TFTP,
FTP, RSH, and rlogin. Rather than using a management VLAN that is spread out among all
of the switches in the network, you can build a full Layer 3 routed network and securely manage
the switch with one of the in-band IP addresses attached to one of the VLANs (see the following
figure).
You can use route policies to selectively accept or announce some networks and to block the
propagation of some routes. Route policies enhance the security in a network by hiding the
visibility of some networks (subnets) from other parts of the network.
You can apply one policy for one purpose. For example, you can apply a RIP announce policy
on a given RIP interface. In such cases, all sequence numbers under the given policy apply
to that filter. A sequence number also acts as an implicit preference (that is, a lower sequence
number is preferred).
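
The following Python model is an added example, not Avaya code or switch configuration syntax. It illustrates how sequence order decides which networks a route policy announces or hides. The names (Seq, evaluate, announced, shadowed), the match rule (a route matches when it falls inside the entry's prefix), the default action for unmatched routes, and all addresses are assumptions constructed for the illustration.

```python
import ipaddress
from typing import NamedTuple

class Seq(NamedTuple):
    seq: int      # sequence number; lower is preferred (evaluated first)
    prefix: str   # hypothetical match rule: route must fall inside this network
    action: str   # "permit" (announce) or "deny" (hide)

def evaluate(policy, route, default="deny"):
    """Return (action, seq) of the lowest-numbered sequence that matches route.

    default is an assumption of this model for routes that match no sequence.
    """
    net = ipaddress.ip_network(route)
    for entry in sorted(policy, key=lambda e: e.seq):
        if net.subnet_of(ipaddress.ip_network(entry.prefix)):
            return entry.action, entry.seq
    return default, None

def announced(policy, routes):
    """Routes that the policy lets through to neighbors."""
    return [r for r in routes if evaluate(policy, r)[0] == "permit"]

def shadowed(policy):
    """(later_seq, earlier_seq) pairs where the later sequence can never match
    because an earlier, equal or broader prefix already covers it."""
    ordered = sorted(policy, key=lambda e: e.seq)
    pairs = []
    for i, later in enumerate(ordered):
        later_net = ipaddress.ip_network(later.prefix)
        for earlier in ordered[:i]:
            if later_net.subnet_of(ipaddress.ip_network(earlier.prefix)):
                pairs.append((later.seq, earlier.seq))
                break
    return pairs

# Constructed sample data: 10.1.50.0/24 stands for a subnet that must stay hidden.
ROUTES = ["10.1.0.0/24", "10.1.50.0/24", "10.2.0.0/24"]
HIDE_SUBNET = [Seq(10, "10.1.50.0/24", "deny"), Seq(20, "10.1.0.0/16", "permit")]
MISORDERED = [Seq(10, "10.1.0.0/16", "permit"), Seq(20, "10.1.50.0/24", "deny")]

if __name__ == "__main__":
    print("correct order announces:", announced(HIDE_SUBNET, ROUTES))
    print("misordered announces:   ", announced(MISORDERED, ROUTES))
    print("shadowed sequences:     ", shadowed(MISORDERED))
```

With the deny entry at the lower sequence number the hidden subnet is never announced. With the two entries swapped, the broader permit wins first and the subnet becomes visible, which the shadowed() check reports.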
System and network stability and security
124 Network Design Reference for Avaya VSP 4000 February 2014