Security At Layer 3: Filtering - Avaya 8800 Planning And Engineering, Network Design


The Avaya Ethernet Routing Switch 8800/8600 provides Layer 2 filtering based on the MAC
destination and source addresses. This is available per-VLAN.
• Global MAC filters
This feature eliminates the need for you to configure multiple per-VLAN filter records for the
same MAC address. By using a Global MAC filter, you can discard ingress MAC addresses
that match a global list stored in the switch. You can also apply global MAC filtering to any
multicast MAC address. However, you cannot apply it to Local, Broadcast, BPDU MAC, TDP
MAC, or All-Zeroes MAC addresses. Once a MAC address is added to this Global list, it cannot
be configured statically or learned on any VLAN. In addition, no bridging or routing is performed
on packets to or from this MAC address on any VLAN.
For more information and configuration examples, see Release Notes for the Ethernet Routing
Switch 8800/8600 Release 3.5.2.
For more information about the Layer 2 MAC filter, see Avaya Ethernet Routing Switch
8800/8600 Configuration — IP Multicast Routing Protocols, NN46205-501.
• Unknown MAC Discard
Unknown MAC Discard secures the network by learning allowed MAC addresses during a
certain time interval. The switch locks these learned MAC addresses in the forwarding
database (FDB) and does not accept any new MAC addresses on the port.
• Limited MAC learning
This feature limits the number of FDB-entries learned on a particular port to a user-specified
value. After the number of learned FDB-entries reaches the maximum limit, packets with
unknown source MAC addresses are dropped by the switch. If the count drops below a
configured minimum value due to FDB aging, learning is reenabled on the port.
You can configure actions such as logging, sending traps, and disabling the port to take effect
when the number of FDB entries reaches the configured maximum limit.
For more information and configuration examples, see the Release Notes for the Ethernet
Routing Switch 8800/8600 Release 3.5.2.
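
The following Python model illustrates the limited MAC learning behaviour described above: learning stops at the maximum limit and resumes only after aging brings the count below the minimum. It is an added example, not Avaya code or switch configuration; the class and parameter names, the tick-based aging, and the sample frames are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Port:
    max_entries: int   # configured maximum limit (hypothetical parameter name)
    min_entries: int   # configured minimum value (hypothetical parameter name)
    age_out: int       # FDB aging time in ticks (assumed unit)
    fdb: dict = field(default_factory=dict)     # source MAC -> last-seen tick
    learning: bool = True
    events: list = field(default_factory=list)  # stands in for the log/trap action

    def age(self, now):
        """Expire idle entries; re-enable learning once the count is below the minimum."""
        for mac in [m for m, seen in self.fdb.items() if now - seen >= self.age_out]:
            del self.fdb[mac]
        if not self.learning and len(self.fdb) < self.min_entries:
            self.learning = True
            self.events.append((now, "learning re-enabled"))

    def ingress(self, now, src_mac):
        """Return 'forward' or 'drop' for a frame with this source MAC."""
        self.age(now)
        if src_mac in self.fdb:          # known source: refresh its age timer
            self.fdb[src_mac] = now
            return "forward"
        if not self.learning:            # unknown source while the port is locked
            return "drop"
        self.fdb[src_mac] = now          # learn the new source
        if len(self.fdb) >= self.max_entries:
            self.learning = False
            self.events.append((now, "max reached: learning disabled"))
        return "forward"

def run_demo():
    port = Port(max_entries=3, min_entries=2, age_out=10)
    a, b, c, d = (f"00:00:5e:00:53:0{i}" for i in range(1, 5))  # constructed MACs
    # Constructed frames as (tick, source MAC). At tick 11 the count has fallen
    # to 2, which is below the maximum but not below the minimum, so d is still dropped.
    frames = [(0, a), (1, b), (2, c), (3, d), (9, a), (11, d), (12, d)]
    verdicts = [port.ingress(t, mac) for t, mac in frames]
    return verdicts, port.events

if __name__ == "__main__":
    verdicts, events = run_demo()
    print(verdicts)
    print(events)
```
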

Security at Layer 3: filtering

At Layer 3 and above, the Avaya Ethernet Routing Switch 8800/8600 provides enhanced filtering
capabilities as part of its security strategy to protect the network from different attacks.
You can configure two types of Classic filters on the Avaya Ethernet Routing Switch 8800/8600:
global filters and source/destination address filters.
R and RS modules support advanced filters based on Access Control Templates (ACT). You can
use predefined ACTs designed to prevent, for example, ARP Spoofing, or you can design custom
ACTs.
Customer Support Bulletins (CSBs) are available on the Avaya Technical Support Web site to
provide information and configuration examples about how to block some attacks.
June 2016
Planning and Engineering — Network Design
Comments on this document? infodev@avaya.com
Data plane security