Data Sheet
Advanced OSPF implementation for large routing domains
• OSPF NSSA feature supports RFC 3101, The OSPF Not-So-Stubby Area (NSSA) Option
• Forwarding of OSPF Opaque LSAs is enabled by default
• Passive interface feature can disable sending OSPF routing updates on an interface
• Static Area Range Costs feature allows configuring a fixed OSPF cost that is always advertised when an area range is active
• OSPF Equal Cost Multipath (ECMP) feature allows forwarding traffic through multiple paths, taking advantage of more bandwidth
• ECMP routes can be learned dynamically, or configured statically with multiple static routes to the same destination but with different next hops
• OSPF Max Metric feature allows overriding the metric in summary type 3 and type 4 LSAs while in stub router mode
• Automatic Exiting of Stub Router Mode feature allows exiting stub router mode, reoriginating the router LSA with proper metric values on transit links
OSPF LSA Pacing feature improves the efficiency of LSA flooding, reducing or eliminating the packet drops caused by bursts in OSPF control packets
• LSA transmit pacing limits the rate of LS Update packets that OSPF can send
• With LSA refresh groups, OSPF efficiently bundles LSAs into LS Update packets when periodically refreshing self-originated LSAs
OSPF Flood Blocking feature allows disabling LSA flooding on an interface with area or AS (domain-wide) scope
• In that case, OSPF does not advertise any LSAs with area or AS scope in its database description packets sent
to neighbors
OSPF Transit-Only Network Hiding is supported based on RFC 6860, with a transit-only network defined as a network connecting only routers
• Transit-only networks are usually configured with routable IP addresses which are advertised in LSAs but are not needed for data traffic
• If router-to-router subnets are advertised, remote attacks can be launched against routers by sending
packets to these transit-only networks
• Hiding transit-only networks speeds up network convergence and reduces vulnerability to remote attacks
• ‘Hiding’ implies that the prefixes are not installed in the routing tables on OSPFv2 and OSPFv3 routers
IP Multinetting allows configuring more than one IP address on a network interface (other vendors may call it IP Aliasing or Secondary Addressing)
ICMP Throttling feature adds configuration options for the transmission of various types of ICMP messages
• ICMP Redirects can be used by a malicious sender to perform man-in-the-middle attacks, or divert
packets to a malicious monitor, or to cause Denial of Service (DoS) by blackholing the packets
• ICMP Echo Requests and other messages can be used to probe for vulnerable hosts or routers
• Rate limiting ICMP error messages protects the local router and the network from sending a large number of
messages that take CPU and bandwidth
The Policy Based Routing feature (PBR) overrides the routing decision taken by the router and makes the packet follow different actions based on a policy
• It provides freedom over packet routing/forwarding instead of leaving the control to standard routing protocols based on L3
• For instance, some organizations would like to dictate paths instead of following the paths shown by routing protocols
• Network Managers/Administrators can set up policies such as:
– My network will not carry traffic from the Engineering department
– Traffic originating within my network with the following characteristics will take path A, while other traffic will take path B
– When load sharing needs to be done for the incoming traffic across multiple paths based on packet entities in the incoming traffic
Enterprise security
Traffic control MAC Filter and Port Security help restrict the traffic allowed into and out of specified ports or interfaces in the system in order to increase overall security and block MAC address flooding issues
DHCP Snooping monitors DHCP traffic between DHCP clients and DHCP servers to filter harmful DHCP messages and builds a bindings database of (MAC address, IP address, VLAN ID, port) tuples that are considered authorized in order to prevent DHCP server spoofing attacks
IP source guard and Dynamic ARP Inspection use the DHCP snooping bindings database per port and per VLAN to drop incoming packets that do not match any binding and to enforce source IP/MAC addresses, eliminating traffic from malicious users
Time-based Layer 2 / Layer 3-v4 / Layer 3-v6 / Layer 4 Access Control Lists (ACLs) can be bound to ports, Layer 2 interfaces, VLANs and LAGs (Link Aggregation Groups or Port channel) for fast prevention of unauthorized data at the right granularity
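How the DHCP snooping bindings database drives IP source guard and Dynamic ARP Inspection, as an added Python model that is not NETGEAR code or switch configuration. The class and function names, the port names, and all MAC/IP/VLAN values are assumptions constructed for illustration.

```python
# Added illustration: simplified DHCP snooping model, not vendor code.
# All MACs, IPs, VLANs and port names are constructed sample values.
SERVER_MSGS = {"OFFER", "ACK", "NAK"}
MAC_A = "00:00:5e:00:53:0a"

class SnoopingSwitch:
    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)  # ports facing the real DHCP server
        self.pending = {}                  # (mac, vlan) -> port a REQUEST came in on
        self.bindings = set()              # authorized (mac, ip, vlan, port) tuples

    def dhcp(self, port, vlan, msg, client_mac, ip=None):
        """Return True if the DHCP message is forwarded, False if filtered."""
        if msg in SERVER_MSGS:
            if port not in self.trusted:
                return False               # server reply on an untrusted port
            if msg == "ACK":
                client_port = self.pending.pop((client_mac, vlan), None)
                if client_port is not None:
                    self.bindings.add((client_mac, ip, vlan, client_port))
            return True
        if msg == "REQUEST":
            self.pending[(client_mac, vlan)] = port
        elif msg == "RELEASE":
            held = {b for b in self.bindings
                    if (b[0], b[2], b[3]) == (client_mac, vlan, port)}
            if not held:
                return False               # release for a lease this port does not hold
            self.bindings -= held
        return True

    def permits(self, port, vlan, src_mac, src_ip):
        """IP source guard / ARP inspection: match packet fields against bindings."""
        if port in self.trusted:
            return True
        return (src_mac, src_ip, vlan, port) in self.bindings

def demo():
    sw = SnoopingSwitch(trusted_ports={"uplink"})
    return [
        sw.dhcp("p1", 10, "REQUEST", MAC_A),                # client asks for a lease
        sw.dhcp("p2", 10, "OFFER", MAC_A, "192.0.2.66"),    # reply on untrusted port: filtered
        sw.dhcp("uplink", 10, "ACK", MAC_A, "192.0.2.10"),  # trusted server: binding learned
        sw.permits("p1", 10, MAC_A, "192.0.2.10"),          # matches the binding
        sw.permits("p1", 10, MAC_A, "192.0.2.1"),           # different source IP: dropped
        sw.permits("p2", 10, MAC_A, "192.0.2.10"),          # right pair, wrong port: dropped
        sw.dhcp("p2", 10, "RELEASE", MAC_A),                # release from wrong port: filtered
    ]

if __name__ == "__main__":
    print(demo())
```

The model omits lease expiry and persistence of the bindings database, which a real switch also has to handle.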
Intelligent Edge Managed Switches
Data Sheet | M4300 series