avaya数据产品.ppt

0,Ethernet Routing Switch 8300v4.2 Product Knowledge Transfer,January 12,2009,1,Non-Disclosure Agreement,NORTEL CONFIDENTIALThe information contained herein is the property of Nortel and is strictly confidential.Except as expressly authorized in writing by Nortel,the holder shall keep all information contained herein confidential,shall disclose it only to its employees with a need to know,and shall protect it,in whole or in part,from disclosure and dissemination to third parties with the same degree of care it uses to protect its own confidential information,but with no less than reasonable care.Except as expressly authorized in writing by Nortel,the holder is granted no rights to use the information contained herein.The information contained herein is forward-lookingand may be subject to change.,2,8300 v4.2 Feature Overview,Richard McGovern8300 Product Brand Manager,3,ERS 8300 v4.2 Software Features,iBGP-Lite,IPFIX,IGMPv3 Snoop,DHCP-snooping,IP Source Guard,Dynamic ARP Inspection,BPDU-Filtering,IP Spoofing Detection,VLACP Enhancement,In Release v4.2,only BGP-Lite need Advance license,others are Basic license,Notes:For DHCP-snooping/IPSG/DAI,often called Security Features,4,ERS 8300 v4.2 Software Overview-iBGP-Lite,Feature IntroduceBGP is an inter-domain routing protocol that provides loop-free routing information.Based on TCP,two peer routers form BGP neighbor and exchange routing information.BGP uses this information to construct a graph of network connectivityBGP exchange inter-domain routing information between autonomous systems(ASs)or within an AS.Routers that are members of the same AS and exchange BGP updates run internal BGP(iBGP),and routers that are members of different ASs and exchange BGP updates run external BGP(eBGP)ERS8300 v4.2 will not fully support all BGP functions.Instead,only iBGP and the following related BGP functions will be implemented in this release iBGPBGP Route Reflector BGP AggregationBGP RedistributionBGP ECMP,5,ERS 8300 v4.2 Software Overview-iBGP-Lite,Feature LimitationOnly supports on 256M Memory CP cards8393SF 256M8394SF 256MOnly supports in GRT(VRF0)All I/O cards can support BGP functionFeature Scaling ability4 BGP neighbors8K BGP routers,6,AS10,ERS 8300 v4.2 Software Overview-BGP-Lite,Feature Application,IBGP,IBGP,IBGP,IBGP,iBGP,iBGP,AS200,AS100,7,ERS 8300 v4.2 Software Overview-iBGP-Lite,Feature ConfigurationCommand Line:#config ip bgp local-as#config ip bgp enable#config ip bgp neighbor create#config ip bgp neighbor remote-as#config ip bgp neighbor admin-state#config ip bgp restart#show ip bgp summary#show ip bgp neighbor infoJDM:(Menu:IP-BGP),8,ERS 8300 v4.2 Software Overview-IPFix,Feature IntroduceIPFix-IP Flow Information eXportIt allows monitoring of IP flows.An IP flow is defined as a set of packets over a period of time that has some common properties.IPFix capture and meter the traffic flow according fields followed:Source IP address,Destination IP address,Protocol Type,Source protocol Port,Destination protocol Port,ingress VLAN ID and ingress PortThe flow information can also be exported periodically to any third party IPFix compliant Collector(s)Support is for Netflow tracker version 9 onlyAll CP and I/O cards can support this featureOperation documented as part of Performance Management user manualFeature LimitationAny IPFix enabled slot(CP or IO)will not support port mirroring;if port mirroring is already enabled for any port on any slot,IPFix will not be able to be enabled for that same slot.As well,if IPFix is enabled for an IO slot or slave/standby CP slot,port mirroring on Master CP slot is not supportedDoes not support local collectorDoes not support MD5 encryption between exporters and collectorsSupport for only UDP protocol between ERS8300 and collectors,IPFIX will be automatically disabled if CPU utility great than 90%or if Memory is less than 2M.IPFix will automatically enabled again if CPU utility returns to less than 50%or Memory more than 5M;this behavior will not affect any configuration for IPFix,9,ERS 8300 v4.2 Software Overview-IPFIX,Feature Application,ERS8600,ERS8600,SMLT Square,ERSxxxx,ERS8300,ERS8300,ERS8300,ERS8300,IPFIX,IPFIX,IPFIX,IPFIX,IPFIX,IPFIX,10,ERS 8300 v4.2 Software Overview-IPFix,Feature ConfigurationCommand Line:#config ip ipfix state#config ip ipfix port all-traffic#show ip ipfix flowsJDM:(Menu:Serviceability-IPFIX),11,ERS 8300 v4.2 Software Overview-IGMPv3,Feature IntroduceFor ERS8300,upon receiving IS_IN or ALLOW,a L2 MAC forwarding entry will be created for that port,then the multicast traffic will be forwarded only to those ports that are interested in the group.IGMPv3 Snoop is working on the condition that SSM Snoop is enabled on the interface,and only processes the group in SSM range.SSM Snoop will be enabled by default when the version of IGMP Snoop Interface is set to 3 Support the backward compatibility for IGMPv1/v2 packet processing on IGMPv3 Snoop Interface.Thats to say IGMPv1/v2 host and IGMPv3 host can coexist in the same IGMPv3 Snoop InterfacePeriodical generic v3 query will be sent out when L2 Querier is enabled,and group-and-source specific query will be sent out upon receiving BLOCK reportFeature LimitationFor IGMPv3 packet,only group in SSM range is processed by IGMPv3 Snoop.Only IS_IN,ALLOW and BLOCK is processed on switch,other report types are just forwarded to multicast router.One group can be mapped to only one source,but one source can be mapped to multiple groupsIn compatible mode,if IGMPv1/v2 host wants to join a group in SSM range,this group must be a static entry in SSM channel tableThe maximum number of IGMP groups is 2000All CP and I/O cards can support this feature,12,ERS 8300 v4.2 Software Overview-IGMPv3,Feature Application,13,ERS 8300 v4.2 Software Overview-IGMPv3,Feature ConfigurationCommand Line:#config vlan ip igmp snoop#config vlan ip igmp version#config vlan ip igmp compatibility-mode enable JDM:(Menu:VLAN-VLANs-IP),14,ERS 8300 v4.2 Software Overview-Security Features,Feature IntroduceDHCP(Dynamic Host Configuration Protocol)snooping is a security feature that provides network security by filtering un-trusted DHCP messages to eliminate the attackers ability to respond to DHCP requests with bogus IP information.By building and maintaining a DHCP binding table and dropping un-matched DHCP request packet,DHCP snooping also provides the security against the Denial-Of-Service(DoS)attacks that are launched using the DHCP request messagesIP Source Guard is a per port feature and is used to prevent IP spoofing by only allowing IP addresses obtained through DHCP Snooping.When a connecting client receives a valid IP from the DHCP server,a filter is installed on the port to only allow traffic from the assigned IP addressDynamic ARP inspection determines the validity of an ARP packet based on valid IP-to-MAC address bindings stored in the DHCP snooping binding table.This table was built by DHCP snooping when it is enabled on the VLANs and on the switch.If the ARP packet is received on a trusted interface,the switch forwards the packet without any checks.If the ARP packet is received on un-trusted interfaces,the switch forwards the packet only if it is valid.By default,Vlans are arp-inspection disable and all ports in vlan are arp-inspection un-trusted,15,Feature LimitationDHCP-SnoopingNSNA and DHCP Snooping can not be enabled on the same portDHCP Snooping can not be enabled on any port for which a filter has been configured;any port with a filter configured,can not be enabled for DHCP SnoopingSaving of DHCP binding table across reboots is not supportAddition of static DHCP snooping entries into binding table is not supportedThe size of DHCP Snooping Binding Table is 512All CP and I/O cards can support this featureDynamic ARP InspectionCan not be enabled when NSNA has been enabled on the same portPort has a filter loaded on can not be enabled ARP InspectionAll CP and I/O cards can support this feature IP Source GuardRequires DHCP-Snooping enabled,Global and VLAN,and Dynamic ARP Inspection enabled,at VLAN,to function and port setting must be set to untrust IP Source Guard can not be enabled if NSNA has been enabled on the same portIP Source Guard can not be enabled if the port has any filter configuredOnly 10 IP entries can be applied per un-trusted portAll CP and I/O cards can support this feature,ERS 8300 v4.2 Software Overview-Security Features,16,Feature Application,ERS 8300 v4.2 Software Overview-Security Features,SecurityFeatures,SecurityFeatures,17,ERS 8300 v4.2 Software Overview-Security Features,Feature ConfigurationCommand Line:DHCP-snooping#config ip dhcp-snooping#config ip dhcp-snooping vlan#config ip dhcp-snooping port#show ip dhcp-snooping bindingIP Source Guard#config ip source-guard port#show ip source-guard binding ports Dynamic ARP Inspection#config ip arp-inspection vlan#config ip arp-inspection port#show ip arp-inspection vlan#show ip arp-inspection ports,18,ERS 8300 v4.2 Software Overview-Security Features,Feature Configuration(Cont.)JDM:(Menu:IP-DHCP),19,ERS 8300 v4.2 Software Overview-BPDU-Filtering,Feature IntroduceBPDU-Filtering is an enhancement for STP.This feature allows to achieve the following objectives:Block the unwanted Root selection process when an edge device,such as a laptop running Linux with STP on,is added to the network.This would prevent unknown devices from influencing an existing Spanning Tree TopologyBlock the BPDU flooding of the switch from an unknown deviceBPDU filtering is a feature that when enabled at a port level,will either shutdown a port for a specific time period or forever when it receives a Spanning Tree BPDU.For all user access ports,it is recommended to enable Spanning Tree Fast Start in addition to BPDU filtering.If you select to shut down the port forever,manual intervention is required to bring the port back up by disabling and then re-enabling the port stateFeature LimitationNot supported on MLT/LACP portsAll CP and I/O cards can support this feature,20,ERS 8300 v4.2 Software Overview-BPDU-Filtering,Feature Application,BPDU-FilteringFastStart,BPDU-FilteringFastStart,21,ERS 8300 v4.2 Software Overview-BPDU-Filtering,Feature ConfigurationCommand Line:#config ether bpdu-filter|#show bpdu-filter JDM:,22,ERS 8300 v4.2 Software Overview-IP Spoofing Detection,Feature IntroduceIP-Spoof Detection is an enhancement to the IP security in VLAN area.With this enhancement,users are now able to prevent VLAN logical IP spoofing by defining the physical ports blocking the usage of this IP address.A configurable option is provided on a port basis which will detect a duplicate IP address and block any packet to/from that MAC addressIf an ARP packet is received having the same source IP address as the logical VLAN IP address,all the traffic coming to any port of the switch in that VLAN with this MAC address as source/destination address will be silently discarded in hardware.After detecting a duplicate IP address,the switch will send a gratuitous ARP to let other devices on the VLAN know about the correct MAC address for that IP address.A configurable global timer can be specified by the user after which the MAC discard record will be deleted and once again the switch will start accepting packets from that MAC addressFeature LimitationOnly triggered by broadcast ARP requests for the duplicate IP addressThis feature can detect spoofing of VRRP virtual IP addresses as well as physical IP address assigned to a VLANAll CP and I/O cards can support this feature,23,ERS 8300 v4.2 Software Overview-IP Spoofing Detection,Feature Application,IPSD,IPSD,24,ERS 8300 v4.2 Software Overview-IP Spoofing Detection,Feature ConfigurationCommand Line:#config ether spoof-detect|#config auto-recovery-delay#config ethernet auto-recover-port#show spoof-detect JDM:,25,ERS 8300 v4.2 Software Overview-VLACP Enhancement,Feature IntroduceVLACP is a Nortel Proprietary feature,it provides an end-to-end failure detection mechanism,which notifies the uni-directional or bi-directional link failures.Based on the v4.1 VLACP implementation,the v4.2 VLACP Enhancement supports the global multicast Mac address configuration and VLACP port ether type configuration per port based Feature LimitationMac address:Only can configure it on the global VLACP disabledRange:01:80:c2:00:00:00 01:80:c2:00:ff:ffSome reserved MAC can not be configuredEther type:Range:0 x05f3 0 xffffSome reserved ether type can not be configured,26,ERS 8300 v4.2 Software Overview-VLACP Enhancement,Feature Application,VLACP,VLACP,27,ERS 8300 v4.2 Software Overview-VLACP Enhancement,Feature ConfigurationCommand Line:#config vlacp macaddress#config ethernet vlacp ethertype JDM:(Menu:VLAN-MLT/LACP-VLACP),28,ERS 8300 v4.2 Software Image,SoftwareRuntime Image-p83a4200.imgBoot Monitor Image-p83b4200.imgI/O Image-p83r4200.dldDevice Manager-jdm_6170.exe,29,Q&A,30,Thanks!,