Design Reference
Table Of Contents
- Contents
- Chapter 1: Introduction
- Chapter 2: New in this release
- Chapter 3: Network design fundamentals
- Chapter 4: Hardware fundamentals and guidelines
- Chapter 5: Optical routing design
- Chapter 6: Platform redundancy
- Chapter 7: Link redundancy
- Chapter 8: Layer 2 loop prevention
- Chapter 9: Spanning tree
- Chapter 10: Layer 3 network design
- Chapter 11: SPBM design guidelines
- Chapter 12: IP multicast network design
- Multicast and VRF-lite
- Multicast and MultiLink Trunking considerations
- Multicast scalability design rules
- IP multicast address range restrictions
- Multicast MAC address mapping considerations
- Dynamic multicast configuration changes
- IGMPv3 backward compatibility
- IGMP Layer 2 Querier
- TTL in IP multicast packets
- Multicast MAC filtering
- Guidelines for multicast access policies
- Multicast for multimedia
- Chapter 13: System and network stability and security
- Chapter 14: QoS design guidelines
- Chapter 15: Layer 1, 2, and 3 design examples
- Chapter 16: Software scaling capabilities
- Chapter 17: Supported standards, RFCs, and MIBs
- Glossary
Figure 54: Access levels
Avaya recommends that you use access policies for in-band management to secure access to the switch. By default, all services are denied: you must enable the default policy or a custom policy before any management access is permitted. If more than one policy applies, the policy with the lower precedence value takes priority; for example, a policy with precedence 120 takes priority over a policy with precedence 128.
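The precedence rule above is easy to get backwards when several overlapping policies are in force. The following evaluator is an added illustration, not Avaya code and not the switch's own matching algorithm: it assumes a policy matches on source prefix and service, that a disabled policy is ignored, that the lowest precedence value wins, and that nothing matching means deny (the default-deny behaviour the text describes). Policy IDs, prefixes and service names are constructed sample data.

```python
"""Illustrative access-policy evaluation: default deny, lowest precedence value wins."""
import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class AccessPolicy:
    policy_id: int
    precedence: int                      # assumed range 1..128; a lower value wins
    mode: str                            # "allow" or "deny"
    network: ipaddress.IPv4Network       # source prefix the policy applies to (assumed match key)
    services: frozenset = field(default_factory=frozenset)  # empty set = all services
    enabled: bool = True


def matching_policies(policies, src_ip, service):
    """Enabled policies whose prefix and service set cover this management request."""
    ip = ipaddress.ip_address(src_ip)
    return [p for p in policies
            if p.enabled and ip in p.network and (not p.services or service in p.services)]


def decide(policies, src_ip, service):
    """Return (allowed, winning_policy_id); no match at all means the request is denied."""
    matches = matching_policies(policies, src_ip, service)
    if not matches:
        return False, None                       # default deny
    # Lower precedence value takes priority; the policy-id tie-break is an assumption.
    winner = min(matches, key=lambda p: (p.precedence, p.policy_id))
    return winner.mode == "allow", winner.policy_id


# Constructed sample policy set: a broad allow at 128, a narrower deny at 120.
SAMPLE_POLICIES = [
    AccessPolicy(1, 128, "allow", ipaddress.ip_network("10.0.0.0/8"), frozenset({"telnet", "ssh"})),
    AccessPolicy(2, 120, "deny", ipaddress.ip_network("10.1.0.0/16"), frozenset({"telnet"})),
    AccessPolicy(3, 100, "allow", ipaddress.ip_network("192.168.5.0/24"), enabled=False),
]

if __name__ == "__main__":
    for ip, svc in [("10.1.2.3", "telnet"), ("10.1.2.3", "ssh"), ("10.2.2.3", "telnet"), ("192.168.5.9", "ssh")]:
        print(ip, svc, decide(SAMPLE_POLICIES, ip, svc))
```

Note that the deny at precedence 120 beats the allow at 128 for Telnet from 10.1.0.0/16, while SSH from the same host is still allowed because policy 2 does not cover it, and the disabled policy 3 never matches.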
RADIUS authentication
You can enforce access control by using RADIUS. RADIUS provides a high degree of security against unauthorized access and centralizes access-control information in a client and server architecture. The RADIUS server database stores the pertinent information about each client, its users, their passwords and access privileges, and the shared secret used with that client.
When the switch acts as a Network Access Server (NAS), it operates as a RADIUS client: it passes user credentials to the designated RADIUS servers and enforces the result. Because the switch operates in a LAN environment, it applies RADIUS to user access through Telnet, rlogin, and console logon.
You can configure a list of up to 10 RADIUS servers on the switch. If the first server is unavailable, the Virtual Services Platform 4000 tries the second, and so on, until it establishes a successful connection.
RADIUS authentication supports four access methods: Web, CLI, SNMP, and Extensible Authentication Protocol over LAN (EAPoL). The limit of 10 RADIUS servers applies to all four methods combined: if you configure six servers for EAPoL, only four remain for the other methods.
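The paragraphs above describe the shared secret and the server-list failover without showing what the secret is actually used for. The following is an added example, not Avaya code and not the VSP 4000 implementation: a minimal RFC 2865 exchange in which the client (the switch in its NAS role) hides the User-Password with MD5 keyed by the shared secret, the server reveals it and answers Access-Accept or Access-Reject, and the client checks the Response Authenticator so that a reply from a server that does not hold the same secret is discarded. The shared secret, user database, NAS-Identifier and the in-process `send` callables that stand in for the UDP transport are all constructed for the example.

```python
"""RFC 2865 Access-Request / Access-Accept exchange with shared-secret checks and server failover."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IDENTIFIER = 1, 2, 32        # RFC 2865 attribute types
HEADER = struct.Struct("!BBH")                              # Code, Identifier, Length; 16-byte Authenticator follows


def _xor_chain(data, secret, request_auth, hiding):
    """RFC 2865 5.2: each 16-byte block is XORed with MD5(secret + previous ciphertext block)."""
    out, prev = bytearray(), request_auth
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        pad = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(block, pad))
        prev = bytes(out[i:i + 16]) if hiding else block     # chain on the ciphertext in both directions
    return bytes(out)


def hide_password(password, secret, request_auth):
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)      # zero-pad to a multiple of 16
    return _xor_chain(padded, secret, request_auth, hiding=True)


def reveal_password(hidden, secret, request_auth):
    return _xor_chain(hidden, secret, request_auth, hiding=False).rstrip(b"\x00")


def attr(type_code, value):
    return struct.pack("!BB", type_code, len(value) + 2) + value


def parse_attrs(blob):
    attrs, i = {}, 0
    while i + 2 <= len(blob):
        t, length = blob[i], blob[i + 1]
        if length < 2 or i + length > len(blob):
            raise ValueError("malformed attribute")
        attrs[t] = blob[i + 2:i + length]
        i += length
    return attrs


def build_access_request(ident, username, password, secret, nas_id, request_auth=None):
    request_auth = request_auth or os.urandom(16)            # fresh, unpredictable per request
    attrs = (attr(USER_NAME, username)
             + attr(USER_PASSWORD, hide_password(password, secret, request_auth))
             + attr(NAS_IDENTIFIER, nas_id))
    return HEADER.pack(ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs, request_auth


def response_authenticator(code, ident, attrs, request_auth, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret): proves the server holds the secret."""
    return hashlib.md5(HEADER.pack(code, ident, 20 + len(attrs)) + request_auth + attrs + secret).digest()


def build_response(code, ident, request_auth, secret, attrs=b""):
    return HEADER.pack(code, ident, 20 + len(attrs)) + response_authenticator(code, ident, attrs, request_auth, secret) + attrs


def verify_response(packet, ident, request_auth, secret):
    """Return the reply Code, or None if the packet is malformed, mismatched, or not signed with our secret."""
    if len(packet) < 20:
        return None
    code, pkt_ident, length = HEADER.unpack(packet[:4])
    if pkt_ident != ident or length != len(packet):
        return None
    expected = response_authenticator(code, ident, packet[20:], request_auth, secret)
    return code if hmac.compare_digest(packet[4:20], expected) else None


class RadiusServer:
    """In-process server holding a shared secret and a constructed user database."""
    def __init__(self, secret, users):
        self.secret, self.users = secret, users

    def handle(self, packet):
        if len(packet) < 20:
            return None
        code, ident, length = HEADER.unpack(packet[:4])
        if code != ACCESS_REQUEST or length != len(packet):
            return None                                       # RFC 2865: silently discard
        request_auth, attrs = packet[4:20], parse_attrs(packet[20:])
        stored = self.users.get(attrs.get(USER_NAME, b""))
        given = reveal_password(attrs[USER_PASSWORD], self.secret, request_auth)
        ok = stored is not None and hmac.compare_digest(stored, given)
        return build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, request_auth, self.secret)


def authenticate(servers, username, password, secret, nas_id=b"vsp4000-1"):
    """Try each (name, send) server in order, as the switch walks its list; fail closed if none answers."""
    for ident, (name, send) in enumerate(servers[:10]):       # the switch allows up to 10 servers
        packet, request_auth = build_access_request(ident & 0xFF, username, password, secret, nas_id)
        reply = send(packet)                                  # stands in for the UDP socket; None = timeout
        if reply is None:
            continue
        code = verify_response(reply, ident & 0xFF, request_auth, secret)
        if code is None:
            continue                                          # wrong secret or forgery: discard, try the next
        return code == ACCESS_ACCEPT, name
    return False, None
```

In a real deployment `send` would write the datagram to the server's UDP port (1812 is the IANA-assigned RADIUS authentication port) with a timeout and read the reply. The point to take from the exchange is that the shared secret never crosses the wire: it keys the password hiding on the way out and the Response Authenticator on the way back, so a server configured with a different secret, or an attacker injecting replies, cannot produce an Access-Accept the client will honour.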
You can use the RADIUS server as a proxy for stronger authentication (see the following
figure), such as:
• SecurID cards
• Kerberos
Control plane security
Network Design Reference for Avaya VSP 4000 February 2014 125