
AOS Release 6.3.1.R01 OmniSwitch 9000, 6850, 6800




Presentation Transcript


  1. AOS Release 6.3.1.R01 OmniSwitch 9000, 6850, 6800
     Minka Nikolova, November 2007

  2. AOS 6.3.1.R01 Overview
     • Products covered
       • OmniSwitch 9000, OmniSwitch 6850, OmniSwitch 6800
     • Release focus
       • Enhanced security features
       • Improved manageability
       • Network configuration installation, diagnostics
       • Customer driven enhancements and commitments
       • L2 and L3 enhancements
     • Program status
       • Currently involved in beta/field trials
       • DR4 date planned for mid December 2007
       • Corporate network in Calabasas running this build for the last 3 weeks

  3. AOS 6.3.1 - Hardware

  4. 6.3.1.R01 - SFP support
     • Bi-directional Gig SFP
       • SFP-DUAL-MM and SFP-DUAL-SM15 – to be supported on combo ports of OS6850 copper models

  5. AOS 6.3.1 - Software

  6. Software
     Porting of 6.2.1 features for support on OS9000
     • GVRP – scalable VLAN management for extra-large networks
     • Ethernet OAM (802.1ag) – for connectivity monitoring
     • Ring Rapid STP – for optimized re-convergence in ring topologies
     • IP Multicast TV VLAN – for optimized use of bandwidth resources
     • IS-IS for IPv4
     Features from 6.1.5
     • DHCP enhancement – redesigning the L2 DHCP for Option 82 / snooping (without an IP interface or relay)
     • LPS enhancement – redesigning the LPS feature to withstand a new attack scenario (MAC flood)
     • 128 link aggregates
     • ECMP on RIP

  7. AOS 6.3.1 – New Features

  8. Account and password policy
     • Password policy settings
       • Complexity – require a minimum number of upper-case letters, lower-case letters, numbers and non-alphanumeric characters; the password must not contain the user name, etc.
       • History – retain 0 to 24 passwords
       • Minimum password length – 0 to 14 characters
       • Minimum and maximum password age – 0 to 999 days
     • Account lockout settings – global to all accounts
       • Failed attempts count – configurable
       • Observation window – period of time after which the failed attempt count is reset
       • Lockout
         • Threshold – number of attempts before the account is locked out
         • Duration – minutes to elapse before the user is allowed to try again
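The interaction between the failed-attempt count, the observation window and the lockout threshold/duration is easy to get wrong, so here is an added example (not AOS code) that models those three settings; the numeric values and the use of seconds instead of minutes are constructed for testing.

```python
class LockoutPolicy:
    """Account lockout settings from the slide, global to all accounts (values are constructed)."""
    def __init__(self, threshold=3, observation_window=60, duration=300):
        self.threshold = threshold                    # failed attempts before the account is locked
        self.observation_window = observation_window  # seconds after which the failed count resets
        self.duration = duration                      # seconds (the slide uses minutes) before retry


class AccountLockout:
    """Tracks failed logins per account; times are seconds as floats for easy testing."""
    def __init__(self, policy):
        self.policy = policy
        self.state = {}   # user -> {"failures": n, "first_failure": t, "locked_until": t or None}

    def _get(self, user):
        return self.state.setdefault(user, {"failures": 0, "first_failure": None, "locked_until": None})

    def is_locked(self, user, now):
        st = self._get(user)
        if st["locked_until"] is None:
            return False
        if now < st["locked_until"]:
            return True
        # Lockout duration elapsed: the user may try again with a clean counter.
        self.state[user] = {"failures": 0, "first_failure": None, "locked_until": None}
        return False

    def record_failure(self, user, now):
        """Register a failed attempt; returns True if the account is (now) locked."""
        if self.is_locked(user, now):
            return True
        st = self._get(user)
        window_expired = (st["first_failure"] is None
                          or now - st["first_failure"] > self.policy.observation_window)
        if window_expired:
            # Observation window: the failed attempt count is reset and a new window starts.
            st["failures"], st["first_failure"] = 0, now
        st["failures"] += 1
        if st["failures"] >= self.policy.threshold:
            st["locked_until"] = now + self.policy.duration   # lockout threshold reached
            return True
        return False

    def record_success(self, user, now):
        """A correct password is still rejected while locked; otherwise the counters clear."""
        if self.is_locked(user, now):
            return False
        self.state.pop(user, None)
        return True
```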

  9. Enhancements to Access Guardian – MAC based authentication only
     [Figure: RADIUS MAC addresses. Devices on an authenticated port, some that speak 802.1X and some that do not; the switch sends a RADIUS request with the MAC of the device]
     What?
     • For all devices that come on an authenticated port, their MAC address is always used for RADIUS authentication
     How?
     • Setting the polling retry to 0 (zero) will force the switch to use the MAC address
     Benefits
     • Easy inventory of the network devices – based on their MAC
     • Avoids maintaining numerous DBs – one for users, a second for devices

  10. Traffic Anomaly Detection
     • What is it?
       • A network security component, part of the AOS, that detects network traffic anomalies and distinguishes malware traffic by
         • Real time network traffic monitoring
         • Dynamic anomaly detection and reporting
         • Dynamic quarantining of anomalous ports, at low computational and deployment cost
       • Reduces the impact of new worms and other malicious code by implementing
         • Traffic anomaly detection and prevention as near as possible to the end-systems

  11. Traffic Anomaly Detection – cont.
     How?
     • Not based on worm signatures, no need for “updates”
     • Behavioral based
       • Simple counting of packets to detect traffic anomalies
       • No tracking of connection states
       • No deep packet inspection
       • Clever analysis of counters to detect worms
     • Minimal code space needed – not a CPU intensive task
       • Based on HW counters
       • Can also use configurable polling intervals to minimize processing power
     • This feature is configured per port
     • When an anomaly is detected the following actions can take place:
       • send an SNMP trap to the NMS station,
       • log, or
       • shut down the offending port

  12. Traffic Anomaly Detection – cont.
     Examples
     • Anomalies
       • ARP based address scan, ARP flood, ARP poisoning, ARP failure
       • TCP port scan, TCP based address scan
       • SYN flood, SYN failure, SYN-ACK scan, FIN scan, FIN-ACK, RST count, etc.
       • ICMP based address scan, ICMP flood, ICMP unreachable
     • Detectable worms – examples
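Slides 10 to 12 describe counter-based, per-port detection with no connection tracking and no payload inspection, followed by a trap/log/shutdown action. The added example below (not AOS code) shows that shape: absolute-rate rules for floods and request/answer ratio rules for scans and failures, run over constructed counter snapshots for one polling interval; the counter names, thresholds and sample values are all assumptions.

```python
# Constructed thresholds for one polling interval; real deployments tune these per port.
# Absolute-rate rules: (counter name, max packets per interval).
RATE_RULES = {
    "arp_flood": ("arp_request", 500),
    "syn_flood": ("tcp_syn", 1000),
    "icmp_flood": ("icmp_echo_request", 800),
}
# Ratio rules: many requests with few answers indicate scanning or failures.
# (numerator counter, denominator counter, ratio, minimum numerator to evaluate)
RATIO_RULES = {
    "arp_failure": ("arp_request", "arp_reply", 10.0, 50),
    "syn_failure": ("tcp_syn", "tcp_synack", 10.0, 50),
    "icmp_unreachable": ("icmp_unreachable", "icmp_echo_request", 2.0, 50),
}

def detect_anomalies(counters):
    """Compare one interval's per-port hardware-style counters against the rules.
    No connection state and no payload inspection: only counts are used."""
    findings = []
    for name, (key, limit) in RATE_RULES.items():
        if counters.get(key, 0) > limit:
            findings.append(name)
    for name, (num, den, ratio, minimum) in RATIO_RULES.items():
        n, d = counters.get(num, 0), counters.get(den, 0)
        if n >= minimum and n > ratio * max(d, 1):
            findings.append(name)
    return findings

def respond(port, findings, action):
    """Per-port action from the slide: SNMP trap, log, or shut down the offending port."""
    if not findings:
        return None
    summary = "%s anomalies=%s" % (port, ",".join(findings))
    if action == "trap":
        return "SNMP-TRAP " + summary
    if action == "shutdown":
        return "PORT-DISABLED " + summary
    return "LOG " + summary

def poll_interval(samples, action="log"):
    """samples: {port: counters for the interval}. Returns {port: action record} for anomalous ports."""
    results = {}
    for port, counters in samples.items():
        record = respond(port, detect_anomalies(counters), action)
        if record:
            results[port] = record
    return results

# Constructed counter snapshots for one polling interval (not real switch output).
SAMPLE_INTERVAL = {
    "1/1": {"arp_request": 40, "arp_reply": 38, "tcp_syn": 120, "tcp_synack": 110, "icmp_echo_request": 5},
    "1/2": {"arp_request": 2400, "arp_reply": 12, "tcp_syn": 30, "tcp_synack": 28},
    "1/3": {"arp_request": 20, "arp_reply": 19, "tcp_syn": 3000, "tcp_synack": 15},
}
```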

  13. Traffic Anomaly Detection – cont.
     Benefits
     • Prevents network melt-down
       • When worms get in, the network stays up
       • Side benefit – slows down the infection rate
     • Really easy to deploy
       • No need to visit each machine/server
       • No re-configuration of anything (DHCP, VLAN, firewalls, …)
       • No changes to any hardware (desktop, server, router, switch, …) or wiring
       • Can be deployed in existing 6850/9000 switches – only the 6.3.1 software upgrade is needed
     • For organizations without full-time security groups
       • Small to medium business
       • Residential type of services

  14. Detecting ARP poisoning
     • What?
       • This feature detects the presence of an ARP-poisoning host on the network by identifying unsolicited ARP replies from an attacker and false ARP requests
     • How?
       • Using configured restricted IP addresses, for which the switch, on sending an ARP request, should not get back an ARP response.
       • By keeping track of the ARP requests that were sent, the switch only learns from an ARP reply if it had sent a matching ARP request – discarding unsolicited ARP replies from an attacker
     Benefits
     • Stops an attacker from poisoning the ARP information of the switch
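The two checks on this slide, restricted-IP probes and learning only from solicited replies, are combined in the added example below (not AOS code). The pending-request timeout, the handling of a "false request" as a request whose sender IP is already bound to a different MAC, and all addresses are constructed assumptions.

```python
class ArpGuard:
    """Learns IP/MAC bindings only from solicited replies and probes restricted IPs.

    restricted_ips: addresses the switch deliberately ARPs for; no legitimate host
    owns them, so any reply is treated as a poisoning attempt (constructed example)."""

    def __init__(self, restricted_ips, pending_timeout=2.0):
        self.restricted = set(restricted_ips)
        self.pending = {}          # ip -> time at which the switch sent its own ARP request
        self.arp_table = {}        # ip -> mac, populated only from solicited replies
        self.alerts = []           # (reason, ip, mac, port)
        self.pending_timeout = pending_timeout

    def send_request(self, ip, now):
        """Record an ARP request originated by the switch (real resolution or restricted-IP probe)."""
        self.pending[ip] = now

    def handle_reply(self, ip, mac, port, now):
        """Process a received ARP reply; returns True only if the binding is learned."""
        if ip in self.restricted:
            # Nobody should own a restricted IP: whoever answered is poisoning.
            self.alerts.append(("restricted_ip_answered", ip, mac, port))
            return False
        sent = self.pending.get(ip)
        if sent is None or now - sent > self.pending_timeout:
            # No matching outstanding request: unsolicited reply, never learned.
            self.alerts.append(("unsolicited_reply", ip, mac, port))
            return False
        del self.pending[ip]
        self.arp_table[ip] = mac
        return True

    def handle_request(self, sender_ip, sender_mac, port):
        """A request whose sender IP is already bound to another MAC is a false request."""
        known = self.arp_table.get(sender_ip)
        if known is not None and known != sender_mac:
            self.alerts.append(("false_request", sender_ip, sender_mac, port))
            return False
        return True
```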

  15. ARP Defense mechanism
     • What?
       • This feature protects the CPU while a next-hop is unresolved, when traffic is sent to the CPU for ARP resolution
     • How?
       • It accomplishes this by configuring a drop-entry in the hardware as soon as it attempts to resolve an ARP for the purpose of forwarding traffic.
       • This entry is removed either when the ARP is resolved or after 12 attempts have been made, once every 5 secs, whichever happens first.
       • Any subsequent traffic to this next-hop will come to the CPU, starting the cycle all over again.
     Benefits
     • Avoids CPU utilization climbing and destabilizing the switch while the next-hop is being resolved.
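The drop-entry lifecycle described above (install on first punt, retry every 5 s, remove after 12 attempts or on resolution) is modelled in this added example, which is not AOS code; the data structures and the 'hw'/'drop'/'cpu' outcomes are constructed for illustration.

```python
MAX_ATTEMPTS = 12        # ARP attempts before the drop-entry is removed (from the slide)
RETRY_INTERVAL = 5.0     # seconds between attempts (from the slide)


class NextHopResolver:
    """Models the hardware drop-entry that shields the CPU while a next-hop is unresolved."""

    def __init__(self):
        self.arp_table = {}      # next_hop ip -> mac (resolved adjacency)
        self.drop_entries = {}   # next_hop ip -> {"attempts": n, "next_retry": t}
        self.cpu_punts = 0       # packets that actually reached the CPU
        self.requests_sent = 0   # ARP requests issued

    def forward(self, next_hop, now):
        """Data-plane decision for one packet: 'hw' (forwarded), 'drop' or 'cpu' (punted)."""
        if next_hop in self.arp_table:
            return "hw"
        if next_hop in self.drop_entries:
            return "drop"    # drop-entry installed: later packets never reach the CPU
        # First packet for an unresolved next-hop: punt, start resolving, install drop-entry.
        self.cpu_punts += 1
        self.requests_sent += 1
        self.drop_entries[next_hop] = {"attempts": 1, "next_retry": now + RETRY_INTERVAL}
        return "cpu"

    def tick(self, now):
        """Timer: retry unanswered ARPs; after MAX_ATTEMPTS remove the entry so the cycle can restart."""
        for nh, st in list(self.drop_entries.items()):
            if now < st["next_retry"]:
                continue
            if st["attempts"] >= MAX_ATTEMPTS:
                del self.drop_entries[nh]
            else:
                st["attempts"] += 1
                st["next_retry"] = now + RETRY_INTERVAL
                self.requests_sent += 1

    def arp_resolved(self, next_hop, mac):
        """ARP reply arrived: program the adjacency and clear the drop-entry."""
        self.arp_table[next_hop] = mac
        self.drop_entries.pop(next_hop, None)
```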

  16. Auto QoS on Alcatel-Lucent voice applications
     What?
     • Trust and prioritize the traffic from Alcatel-Lucent phones based on the priority in the packet
     How?
     • When enabled, the switch detects that the traffic comes from ALU phones (based on the MAC)
     • An additional MAC group can be configured that will be treated the same way
     • The administrator has the option to prioritize the phone traffic instead of merely trusting it
     • When enabled, QoS policies specifying priority will not take effect on the phone traffic. The user can still apply other policies such as ACLs and rate limiting policies
     Benefits
     • Allows for easy configuration and management in a converged environment.
     [Figure: if you see an Alcatel-Lucent phone, place it in priority queue 7; treat the rest as needed]

  17. Auto QoS on NMS applications
     What?
     • Prioritize NMS traffic to the switch, aiming to alleviate access problems to a switch that is under attack
     How?
     • Enable the feature on the switch
     • It is only supported on the first 8 interfaces in order of creation
     • NMS traffic is identified by the port number:
       • SSH (TCP port 22)
       • telnet (TCP port 23)
       • WebView (HTTP port 80)
       • SNMP (TCP port 161)
     Benefits
     • Allows management access to the switch even under heavy load conditions
     • Avoids the possibility of the switch being put into a DoS condition by rate limiting the high priority NMS traffic to 512 pps.

  18. Link Layer Discovery Protocol (LLDP) – 802.1AB based adjacency protocol
     [Figure: two switches advertising “I’m a switch”, “I’m an IP-Phone”, “I’m an IP-PBX”, “I’m a PC” to their neighbors and building per-port neighbor tables (port, device, info): 2/22 Switch, 2/1 IP-Phone, 2/12 IP-Phone, 2/13 IP-PBX on one switch; 1/1 IP-phone, 1/2 PC, 1/3 Switch on the other; LLDPDU frame layout]
     What?
     • L2 discovery protocol used to exchange information with neighboring devices to build a database of adjacent devices.
     How?
     • LLDP PDUs are transmitted periodically containing some mandatory and some optional fields: chassis ID, port ID and description, system name, system description, system capabilities, management address
     • Extensions
       • 802.1: VLAN name, port VLAN
       • 802.3: MAC/PHY
       • MED: power and capability
     • LLDP frames are sent out/received even on STP blocked ports
     Benefits
     • Simplified network management in a multi-vendor environment
     • Enables discovery of physical network topologies
       • Even with multiple VLANs where all subnets may not be known
       • Even on STP blocked ports
     • Ensures proper aging so only valid network device data is presented
     • Facilitates network inventory and troubleshooting
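To make the LLDPDU structure and the aging benefit concrete, here is an added example (not AOS code) that builds and parses the mandatory chassis ID, port ID and TTL TLVs plus the system name and system capabilities TLVs from 802.1AB, then ages a per-port neighbor table by TTL. The MAC address, port names and TTL are constructed sample values.

```python
import struct

# 802.1AB system-capability bits (the "I'm a switch / phone" in the figure); constructed example.
CAP_BITS = {0x02: "repeater", 0x04: "bridge", 0x08: "wlan_ap", 0x10: "router", 0x20: "telephone"}

def tlv(tlv_type, value):
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value  # 7-bit type, 9-bit length

def build_lldpdu(chassis_mac, port_name, ttl, system_name, caps):
    """Mandatory chassis ID (subtype 4 = MAC), port ID (subtype 5 = name), TTL; optional TLVs; End."""
    return (tlv(1, b"\x04" + chassis_mac) + tlv(2, b"\x05" + port_name.encode())
            + tlv(3, struct.pack("!H", ttl)) + tlv(5, system_name.encode())
            + tlv(7, struct.pack("!HH", caps, caps)) + tlv(0, b""))

def parse_lldpdu(data):
    """Walk the TLV chain into a dict; reject truncated TLVs and missing mandatory ones."""
    info, offset = {}, 0
    while offset + 2 <= len(data):
        (hdr,) = struct.unpack_from("!H", data, offset)
        tlv_type, length = hdr >> 9, hdr & 0x1FF
        value = data[offset + 2:offset + 2 + length]
        if len(value) != length:
            raise ValueError("truncated TLV type %d" % tlv_type)
        offset += 2 + length
        if tlv_type == 0:            # End of LLDPDU
            break
        if tlv_type == 1:
            info["chassis_id"] = value[1:].hex(":") if value[0] == 4 else value[1:].decode("utf-8", "replace")
        elif tlv_type == 2:
            info["port_id"] = value[1:].decode("utf-8", "replace")
        elif tlv_type == 3:
            (info["ttl"],) = struct.unpack("!H", value)
        elif tlv_type == 5:
            info["system_name"] = value.decode("utf-8", "replace")
        elif tlv_type == 7:          # supported capabilities, enabled capabilities
            enabled = struct.unpack("!HH", value)[1]
            info["capabilities"] = sorted(n for bit, n in CAP_BITS.items() if enabled & bit)
    missing = [k for k in ("chassis_id", "port_id", "ttl") if k not in info]
    if missing:
        raise ValueError("missing mandatory TLV(s): " + ", ".join(missing))
    return info

def learn_neighbor(table, local_port, lldpdu, now):
    info = parse_lldpdu(lldpdu)
    info["expires"] = now + info["ttl"]   # the neighbor stays valid for TTL seconds
    table[local_port] = info

def age_neighbors(table, now):
    """Drop stale entries so only valid device data is presented; returns the aged-out ports."""
    expired = [p for p, e in table.items() if now >= e["expires"]]
    for p in expired:
        del table[p]
    return expired
```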

  19. UDLD (Unidirectional Link Discovery) Protocol
     What?
     • UDLD is a protocol that can be used to detect and disable unidirectional Ethernet fiber or copper links caused by mis-wiring of fiber strands, interface malfunctions, media converter faults, etc.
     How?
     • UDLD can be enabled on a per port basis and it advertises a port’s identity to its neighbors.
     • UDLD maintains the identities of neighbors in a session in a cache table and makes sure that bi-directional traffic flows between the correct neighbors
     • There are 2 modes of operation: aggressive and normal
     • Based on message exchange between neighbors: probe, echo and flush
     • The implementation is based on the IETF UDLD draft
     Limitations
     • UDLD is not supported on aggregates, only on physical ports
     • Not interoperable with other vendors’ implementations
     Benefits
     • Detects and disables one-way connections before they create dangerous situations such as Spanning Tree loops or other protocol malfunctions

  20. Policy Based Mirroring (PBM)
     What?
     • Allows selecting the type of traffic to mirror by using QoS policies
     How?
     • While configuring QoS policies the mirroring attribute is specified as part of the action.
     • Mirroring can be done on ingress packets, egress packets or both
     • Mirroring policies supported
       • Traffic between 2 ports
       • Traffic from a source address
       • Traffic to a destination address
       • Traffic to/from an address
       • Traffic between 2 addresses
       • Traffic with a classification criterion based on packet contents other than addresses (for example, based on protocol or priority)
       • VLAN-based mirroring – mirroring of packets entering a VLAN
     Benefits
     • Selectively pick the traffic of interest and only monitor it

  21. Remote Port Mirroring (RPM)
     What?
     • Allows mirrored traffic to be carried over the network to a remote switch
     How?
     • This is achieved by using a dedicated remote port mirroring VLAN
     • The RPM VLAN has to be configured on the source, destination and intermediate switches
     • No other traffic is allowed on that VLAN; a dedicated VLAN has to be created
     Limitations/Restrictions
     • Spanning Tree must be disabled for the Remote Port Mirroring VLAN on all switches
     • There must not be any physical loop present in the Remote Port Mirroring VLAN
     • Source learning must be disabled or overridden on the ports belonging to the Remote Port Mirroring VLAN
       • The QoS redirect feature can be used to override source learning on an OmniSwitch
     • The following types of traffic will not be mirrored: Link Aggregation Control Packets (LACP), 802.1AB (LLDP), 802.1x port authentication, 802.3ag (OAM), Layer 3 control packets, Generic Attribute Registration Protocol (GARP), BPDUs

  22. Generic Routing Encapsulation (GRE) and IP/IP tunnels
     GRE
     • Configuration of IPv4 over IPv4 GRE tunnel interfaces as described in IETF RFC 2784
     • No hardware support exists on any AOS hardware platform for GRE tunnels
       • Software forwarding of packets routed over these interfaces
       • To minimize the impact of these tunneled packets on system resources:
         - egress rate limiting for packets destined to a GRE tunnel
         - ingress rate limiting of the packets ingressing from a tunnel
     IP/IP Tunnels
     • The BCM chipset supports IP over IP tunnels in HW
     • As per IETF RFC 2003, IP Encapsulation within IP
     • Limited to 127 total usable entries – shared between IP in IP, IPv6 in IP, and 6to4 tunnels

  23. DHCP Option 82 enhancements
     What?
     Based on customer requests we have added
     • The capability to configure the Agent ID information format as a string, the system name or the base MAC address (globally, no per port support).
     • A changed slot/port format: a 2-byte value for slot and port instead of the IfIndex
     How?
     • New CLI is introduced that allows the administrator to pick what goes in the Agent ID field
     [Figure: Agent ID]

  24. Ethernet OAM enhancements
     What changed?
     • The first release of ETH OAM, with 6.2.1.R01, was limited to the OS6850 – version 5.2 draft standard
     • Drafts supported in 6.3.1.R01
       • IEEE 802.1ag Draft 7.0
       • IEEE8021-CFM-MIB (entirely different in terms of MIB and CLI)
     • Multi-NI support added for OS6850 and OS9000
     • Enabled by default – as soon as a management domain is created
     • Support added for the MIP CCM database
     • MA (Management association) creation: the end point list for this MA is created and distributed across the network
     • Support for displaying all stored linktrace transaction IDs and linktrace reply records
     Limitations
     • The 6.3.1 implementation is not compatible with 6.2.1
     • Default CC interval is 10 s (if reduced to 1 s we would have to scale down the number of MEPs as well, to 64)

  25. 6.3.1.R01 Software – Overview 1
     • Layer 2
       • VLAN Stacking enhancements – service oriented architecture, inner tag QoS, bandwidth management on a per port or port + CVLAN basis, control protocol BPDU handling on UNI ports, etc.
       • DHCP Snooping over VLAN stacking
       • IP Mcast VLAN enhancements – multiple sender ports
       • VLAN stacking interoperability with RRSTP
       • PVST+ support – interop with Cisco, extension of our 1x1 STP
     • Layer 3
       • 128 OSPF neighbors – scale to 128 neighbors per area
       • Support for 31-bit network masks – for point-to-point connections between routers

  26. 6.3.1.R01 Software – Overview 2
     • IPv6 suite enhancements
       • IPv6 Multicast Routing protocol (PIM-SM/DM)
       • IPv6 management: ftp, telnet/ssh client, http/https, SNMP
       • L4 ACL over IPv6
     • Miscellaneous
       • User profiles
       • IE7 support for AVLAN
       • Windows Vista support for AVLAN
       • AOS Alcatel-Lucent re-branding
       • Global commands to admin up/down all VRRP instances and set up default values
       • DSCP condition enhancements – adding range

  27. OmniSwitch 6850 – activities on the roadmap
     • Adding native support of 6850 within 5620 SAM from IPD
       • Development underway
       • Release 6 of SAM scheduled for Q2 2008
     • Metro Ethernet Forum certifications
       • MEF 9 and MEF 14
       • Tests performed with a third party certification company
       • Expecting the certificates to be received in the coming week

  28. 6.3.1 Additional resources
     • Draft versions of the user guide, network configuration guide and CLI guide are available on the Intranet
       • http://uscals-sp1.ind.alcatel.com/sites/TechPub/visitor_homepage/631%20CLI%20Draft%20Documents/Forms/AllItems.aspx
     • 6.3.1 Release notes
       • Under review
     • Performance guideline document
       • Under development
     • A complete list of PERs will be posted on the Intranet
       • http://aww.ind.alcatel.com/pre_dr4.cfm?view=631

  29. Thank you!
