avaya数据产品.ppt

上传人：牧羊曲112

文档编号：5416230

上传时间：2023-07-05

格式：PPT

页数：31

大小：2.90MB

《avaya数据产品.ppt》由会员分享，可在线阅读，更多相关《avaya数据产品.ppt（31页珍藏版）》请在三一办公上搜索。

1、0,Ethernet Routing Switch 8300v4.2 Product Knowledge Transfer,January 12,2009,1,Non-Disclosure Agreement,NORTEL CONFIDENTIALThe information contained herein is the property of Nortel and is strictly confidential.Except as expressly authorized in writing by Nortel,the holder shall keep all informatio

2、n contained herein confidential,shall disclose it only to its employees with a need to know,and shall protect it,in whole or in part,from disclosure and dissemination to third parties with the same degree of care it uses to protect its own confidential information,but with no less than reasonable ca

3、re.Except as expressly authorized in writing by Nortel,the holder is granted no rights to use the information contained herein.The information contained herein is forward-lookingand may be subject to change.,2,8300 v4.2 Feature Overview,Richard McGovern8300 Product Brand Manager,3,ERS 8300 v4.2 Soft

4、ware Features,iBGP-Lite,IPFIX,IGMPv3 Snoop,DHCP-snooping,IP Source Guard,Dynamic ARP Inspection,BPDU-Filtering,IP Spoofing Detection,VLACP Enhancement,In Release v4.2,only BGP-Lite need Advance license,others are Basic license,Notes:For DHCP-snooping/IPSG/DAI,often called Security Features,4,ERS 830

5、0 v4.2 Software Overview-iBGP-Lite,Feature IntroduceBGP is an inter-domain routing protocol that provides loop-free routing information.Based on TCP,two peer routers form BGP neighbor and exchange routing information.BGP uses this information to construct a graph of network connectivityBGP exchange

6、inter-domain routing information between autonomous systems(ASs)or within an AS.Routers that are members of the same AS and exchange BGP updates run internal BGP(iBGP),and routers that are members of different ASs and exchange BGP updates run external BGP(eBGP)ERS8300 v4.2 will not fully support all

7、 BGP functions.Instead,only iBGP and the following related BGP functions will be implemented in this release iBGPBGP Route Reflector BGP AggregationBGP RedistributionBGP ECMP,5,ERS 8300 v4.2 Software Overview-iBGP-Lite,Feature LimitationOnly supports on 256M Memory CP cards8393SF 256M8394SF 256MOnly

8、 supports in GRT(VRF0)All I/O cards can support BGP functionFeature Scaling ability4 BGP neighbors8K BGP routers,6,AS10,ERS 8300 v4.2 Software Overview-BGP-Lite,Feature Application,IBGP,IBGP,IBGP,IBGP,iBGP,iBGP,AS200,AS100,7,ERS 8300 v4.2 Software Overview-iBGP-Lite,Feature ConfigurationCommand Line

9、:#config ip bgp local-as#config ip bgp enable#config ip bgp neighbor create#config ip bgp neighbor remote-as#config ip bgp neighbor admin-state#config ip bgp restart#show ip bgp summary#show ip bgp neighbor infoJDM:(Menu:IP-BGP),8,ERS 8300 v4.2 Software Overview-IPFix,Feature IntroduceIPFix-IP Flow

10、Information eXportIt allows monitoring of IP flows.An IP flow is defined as a set of packets over a period of time that has some common properties.IPFix capture and meter the traffic flow according fields followed:Source IP address,Destination IP address,Protocol Type,Source protocol Port,Destinatio

11、n protocol Port,ingress VLAN ID and ingress PortThe flow information can also be exported periodically to any third party IPFix compliant Collector(s)Support is for Netflow tracker version 9 onlyAll CP and I/O cards can support this featureOperation documented as part of Performance Management user

12、manualFeature LimitationAny IPFix enabled slot(CP or IO)will not support port mirroring;if port mirroring is already enabled for any port on any slot,IPFix will not be able to be enabled for that same slot.As well,if IPFix is enabled for an IO slot or slave/standby CP slot,port mirroring on Master C

13、P slot is not supportedDoes not support local collectorDoes not support MD5 encryption between exporters and collectorsSupport for only UDP protocol between ERS8300 and collectors,IPFIX will be automatically disabled if CPU utility great than 90%or if Memory is less than 2M.IPFix will automatically

14、enabled again if CPU utility returns to less than 50%or Memory more than 5M;this behavior will not affect any configuration for IPFix,9,ERS 8300 v4.2 Software Overview-IPFIX,Feature Application,ERS8600,ERS8600,SMLT Square,ERSxxxx,ERS8300,ERS8300,ERS8300,ERS8300,IPFIX,IPFIX,IPFIX,IPFIX,IPFIX,IPFIX,10

15、,ERS 8300 v4.2 Software Overview-IPFix,Feature ConfigurationCommand Line:#config ip ipfix state#config ip ipfix port all-traffic#show ip ipfix flowsJDM:(Menu:Serviceability-IPFIX),11,ERS 8300 v4.2 Software Overview-IGMPv3,Feature IntroduceFor ERS8300,upon receiving IS_IN or ALLOW,a L2 MAC forwarding

16、 entry will be created for that port,then the multicast traffic will be forwarded only to those ports that are interested in the group.IGMPv3 Snoop is working on the condition that SSM Snoop is enabled on the interface,and only processes the group in SSM range.SSM Snoop will be enabled by default wh

17、en the version of IGMP Snoop Interface is set to 3 Support the backward compatibility for IGMPv1/v2 packet processing on IGMPv3 Snoop Interface.Thats to say IGMPv1/v2 host and IGMPv3 host can coexist in the same IGMPv3 Snoop InterfacePeriodical generic v3 query will be sent out when L2 Querier is en

18、abled,and group-and-source specific query will be sent out upon receiving BLOCK reportFeature LimitationFor IGMPv3 packet,only group in SSM range is processed by IGMPv3 Snoop.Only IS_IN,ALLOW and BLOCK is processed on switch,other report types are just forwarded to multicast router.One group can be

19、mapped to only one source,but one source can be mapped to multiple groupsIn compatible mode,if IGMPv1/v2 host wants to join a group in SSM range,this group must be a static entry in SSM channel tableThe maximum number of IGMP groups is 2000All CP and I/O cards can support this feature,12,ERS 8300 v4

20、.2 Software Overview-IGMPv3,Feature Application,13,ERS 8300 v4.2 Software Overview-IGMPv3,Feature ConfigurationCommand Line:#config vlan ip igmp snoop#config vlan ip igmp version#config vlan ip igmp compatibility-mode enable JDM:(Menu:VLAN-VLANs-IP),14,ERS 8300 v4.2 Software Overview-Security Featur

21、es,Feature IntroduceDHCP(Dynamic Host Configuration Protocol)snooping is a security feature that provides network security by filtering un-trusted DHCP messages to eliminate the attackers ability to respond to DHCP requests with bogus IP information.By building and maintaining a DHCP binding table a

22、nd dropping un-matched DHCP request packet,DHCP snooping also provides the security against the Denial-Of-Service(DoS)attacks that are launched using the DHCP request messagesIP Source Guard is a per port feature and is used to prevent IP spoofing by only allowing IP addresses obtained through DHCP

23、Snooping.When a connecting client receives a valid IP from the DHCP server,a filter is installed on the port to only allow traffic from the assigned IP addressDynamic ARP inspection determines the validity of an ARP packet based on valid IP-to-MAC address bindings stored in the DHCP snooping binding

24、 table.This table was built by DHCP snooping when it is enabled on the VLANs and on the switch.If the ARP packet is received on a trusted interface,the switch forwards the packet without any checks.If the ARP packet is received on un-trusted interfaces,the switch forwards the packet only if it is va

25、lid.By default,Vlans are arp-inspection disable and all ports in vlan are arp-inspection un-trusted,15,Feature LimitationDHCP-SnoopingNSNA and DHCP Snooping can not be enabled on the same portDHCP Snooping can not be enabled on any port for which a filter has been configured;any port with a filter c

26、onfigured,can not be enabled for DHCP SnoopingSaving of DHCP binding table across reboots is not supportAddition of static DHCP snooping entries into binding table is not supportedThe size of DHCP Snooping Binding Table is 512All CP and I/O cards can support this featureDynamic ARP InspectionCan not

27、 be enabled when NSNA has been enabled on the same portPort has a filter loaded on can not be enabled ARP InspectionAll CP and I/O cards can support this feature IP Source GuardRequires DHCP-Snooping enabled,Global and VLAN,and Dynamic ARP Inspection enabled,at VLAN,to function and port setting must

28、 be set to untrust IP Source Guard can not be enabled if NSNA has been enabled on the same portIP Source Guard can not be enabled if the port has any filter configuredOnly 10 IP entries can be applied per un-trusted portAll CP and I/O cards can support this feature,ERS 8300 v4.2 Software Overview-Se

29、curity Features,16,Feature Application,ERS 8300 v4.2 Software Overview-Security Features,SecurityFeatures,SecurityFeatures,17,ERS 8300 v4.2 Software Overview-Security Features,Feature ConfigurationCommand Line:DHCP-snooping#config ip dhcp-snooping#config ip dhcp-snooping vlan#config ip dhcp-snooping

30、 port#show ip dhcp-snooping bindingIP Source Guard#config ip source-guard port#show ip source-guard binding ports Dynamic ARP Inspection#config ip arp-inspection vlan#config ip arp-inspection port#show ip arp-inspection vlan#show ip arp-inspection ports,18,ERS 8300 v4.2 Software Overview-Security Fe

31、atures,Feature Configuration(Cont.)JDM:(Menu:IP-DHCP),19,ERS 8300 v4.2 Software Overview-BPDU-Filtering,Feature IntroduceBPDU-Filtering is an enhancement for STP.This feature allows to achieve the following objectives:Block the unwanted Root selection process when an edge device,such as a laptop run

32、ning Linux with STP on,is added to the network.This would prevent unknown devices from influencing an existing Spanning Tree TopologyBlock the BPDU flooding of the switch from an unknown deviceBPDU filtering is a feature that when enabled at a port level,will either shutdown a port for a specific ti

33、me period or forever when it receives a Spanning Tree BPDU.For all user access ports,it is recommended to enable Spanning Tree Fast Start in addition to BPDU filtering.If you select to shut down the port forever,manual intervention is required to bring the port back up by disabling and then re-enabl

34、ing the port stateFeature LimitationNot supported on MLT/LACP portsAll CP and I/O cards can support this feature,20,ERS 8300 v4.2 Software Overview-BPDU-Filtering,Feature Application,BPDU-FilteringFastStart,BPDU-FilteringFastStart,21,ERS 8300 v4.2 Software Overview-BPDU-Filtering,Feature Configurati

35、onCommand Line:#config ether bpdu-filter|#show bpdu-filter JDM:,22,ERS 8300 v4.2 Software Overview-IP Spoofing Detection,Feature IntroduceIP-Spoof Detection is an enhancement to the IP security in VLAN area.With this enhancement,users are now able to prevent VLAN logical IP spoofing by defining the

36、physical ports blocking the usage of this IP address.A configurable option is provided on a port basis which will detect a duplicate IP address and block any packet to/from that MAC addressIf an ARP packet is received having the same source IP address as the logical VLAN IP address,all the traffic c

37、oming to any port of the switch in that VLAN with this MAC address as source/destination address will be silently discarded in hardware.After detecting a duplicate IP address,the switch will send a gratuitous ARP to let other devices on the VLAN know about the correct MAC address for that IP address

38、.A configurable global timer can be specified by the user after which the MAC discard record will be deleted and once again the switch will start accepting packets from that MAC addressFeature LimitationOnly triggered by broadcast ARP requests for the duplicate IP addressThis feature can detect spoo

39、fing of VRRP virtual IP addresses as well as physical IP address assigned to a VLANAll CP and I/O cards can support this feature,23,ERS 8300 v4.2 Software Overview-IP Spoofing Detection,Feature Application,IPSD,IPSD,24,ERS 8300 v4.2 Software Overview-IP Spoofing Detection,Feature ConfigurationComman

40、d Line:#config ether spoof-detect|#config auto-recovery-delay#config ethernet auto-recover-port#show spoof-detect JDM:,25,ERS 8300 v4.2 Software Overview-VLACP Enhancement,Feature IntroduceVLACP is a Nortel Proprietary feature,it provides an end-to-end failure detection mechanism,which notifies the

41、uni-directional or bi-directional link failures.Based on the v4.1 VLACP implementation,the v4.2 VLACP Enhancement supports the global multicast Mac address configuration and VLACP port ether type configuration per port based Feature LimitationMac address:Only can configure it on the global VLACP dis

42、abledRange:01:80:c2:00:00:00 01:80:c2:00:ff:ffSome reserved MAC can not be configuredEther type:Range:0 x05f3 0 xffffSome reserved ether type can not be configured,26,ERS 8300 v4.2 Software Overview-VLACP Enhancement,Feature Application,VLACP,VLACP,27,ERS 8300 v4.2 Software Overview-VLACP Enhancement,Feature ConfigurationCommand Line:#config vlacp macaddress#config ethernet vlacp ethertype JDM:(Menu:VLAN-MLT/LACP-VLACP),28,ERS 8300 v4.2 Software Image,SoftwareRuntime Image-p83a4200.imgBoot Monitor Image-p83b4200.imgI/O Image-p83r4200.dldDevice Manager-jdm_6170.exe,29,Q&A,30,Thanks!,