Netgear APS1000W Product Data Sheet - Page 11

ProSAFE® LAN Access and Aggregation Chassis Switches Data Sheet
M6100 series
Page 11 of 48


ICMP Throttling feature adds configuration options for the transmission of various types of ICMP messages
• ICMP Redirects can be used by a malicious sender to perform man-in-the-middle attacks, to divert packets to a malicious monitor, or to cause Denial of Service (DoS) by blackholing the packets
• ICMP Echo Requests and other messages can be used to probe for vulnerable hosts or routers
• Rate limiting ICMP error messages protects the local router and the network from sending a large number of messages that consume CPU and bandwidth
Border Gateway Protocol version 4 (BGP4) is supported for typical routed data center topologies (IPv4 and IPv6) up to the maximum L3 route table size (12K routes)
• BGP is an inter-Autonomous System (AS) routing protocol as described in RFC 4271 section 3
• The primary function of a BGP speaking system is to exchange network reachability information with other BGP systems
• This network reachability information includes the list of Autonomous Systems (ASes) that the reachability information traverses
BGP Route Reflection feature, as described in RFC 4456, allows a router to reflect a route received from an internal peer to another internal peer
• Under conventional BGP rules, a router can only send an internal peer routes learned from an external peer or routes locally originated
• Route reflection eliminates the need to configure a full mesh of iBGP peering sessions
• The administrator can configure an internal BGP peer to be a route reflector client
• Alternatively, the administrator can configure a peer template to make any inheriting peers route reflector clients
• The client status of a peer can be configured independently for IPv4 and IPv6
• A cluster may have multiple route reflectors
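The propagation rules above (conventional iBGP versus route reflection, per-address-family client status, and the RFC 4456 loop checks that make multiple reflectors per cluster safe) are compact enough to model in code. The following is an added example written for this page, not Netgear firmware or any vendor's BGP implementation; the peer names, router IDs and prefixes are constructed, and the per-AFI client flag is this example's own way of representing the independent IPv4/IPv6 client status the data sheet describes.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Peer:
    name: str
    router_id: str
    external: bool                                  # True for an eBGP peer (different AS)
    client_afis: Set[str] = field(default_factory=set)  # AFIs ("ipv4"/"ipv6") for which this peer is an RR client


@dataclass
class Route:
    prefix: str
    afi: str                                        # "ipv4" or "ipv6"
    learned_from: Optional[str]                     # peer name, or None when locally originated
    originator_id: Optional[str] = None             # RFC 4456 ORIGINATOR_ID
    cluster_list: List[str] = field(default_factory=list)  # RFC 4456 CLUSTER_LIST


@dataclass
class Speaker:
    router_id: str
    peers: Dict[str, Peer]
    route_reflector: bool = False
    cluster_id: Optional[str] = None                # defaults to the router ID

    def _cluster(self) -> str:
        return self.cluster_id or self.router_id

    def accept(self, route: Route) -> bool:
        """RFC 4456 loop checks, applied only to routes received from internal peers."""
        src = self.peers.get(route.learned_from) if route.learned_from else None
        if src is None or src.external:
            return True
        if route.originator_id == self.router_id:
            return False                            # our own route reflected back to us
        if self._cluster() in route.cluster_list:
            return False                            # the route already crossed this cluster
        return True

    def advertise_to(self, route: Route) -> List[str]:
        """Sorted names of the peers this speaker sends `route` to."""
        if not self.accept(route):
            return []
        src = self.peers.get(route.learned_from) if route.learned_from else None
        targets = []
        for name, peer in self.peers.items():
            if name == route.learned_from:
                continue                            # never send a route back to the peer it came from
            if src is None or src.external or peer.external:
                targets.append(name)                # local or eBGP-learned routes go to every peer,
                continue                            # and any route may go to an eBGP peer
            if not self.route_reflector:
                continue                            # conventional iBGP: no iBGP-to-iBGP re-advertisement
            if route.afi in src.client_afis or route.afi in peer.client_afis:
                targets.append(name)                # from a client: to other clients and non-clients;
                                                    # from a non-client: to clients only
        return sorted(targets)

    def reflected_copy(self, route: Route) -> Route:
        """Attributes a reflector adds when re-advertising an iBGP route (RFC 4456 section 8)."""
        src = self.peers[route.learned_from]
        return Route(route.prefix, route.afi, route.learned_from,
                     originator_id=route.originator_id or src.router_id,
                     cluster_list=[self._cluster()] + route.cluster_list)


def demo_reflector(reflect: bool = True) -> Speaker:
    """Constructed topology: two clients (one IPv4-only), one non-client iBGP peer, one eBGP peer."""
    peers = {
        "c1": Peer("c1", "10.0.0.11", external=False, client_afis={"ipv4"}),
        "c2": Peer("c2", "10.0.0.12", external=False, client_afis={"ipv4", "ipv6"}),
        "nc": Peer("nc", "10.0.0.13", external=False),
        "ext": Peer("ext", "192.0.2.1", external=True),
    }
    return Speaker("10.0.0.1", peers, route_reflector=reflect)
```

With `demo_reflector()`, an IPv4 route from `c1` reaches `c2`, `nc` and `ext`, while the same peer's IPv6 route reaches only `c2` and `ext` because `c1` is not an IPv6 client; with `demo_reflector(reflect=False)` a route from `nc` is sent to `ext` alone, which is the full-mesh behaviour route reflection removes.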
The Policy Based Routing (PBR) feature overrides the routing decision taken by the router and makes the packet follow different actions based on a policy
• It provides freedom over packet routing/forwarding instead of leaving the control to standard L3 routing protocols
• For instance, some organizations would like to dictate paths instead of following the paths chosen by routing protocols
• Network Managers/Administrators can set up policies such as:
-- My network will not carry traffic from the Engineering department
-- Traffic originating within my network with the following characteristics will take path A, while other traffic will take path B
-- Load sharing of incoming traffic across multiple paths, based on packet fields in the incoming traffic
Enterprise security
Traffic control
MAC Filter and Port Security help restrict the traffic allowed into and out of specified ports or interfaces in the system, in order to increase overall security and block MAC address flooding attacks
DHCP Snooping monitors DHCP traffic between DHCP clients and DHCP servers to filter harmful DHCP messages and builds a bindings database of (MAC address, IP address, VLAN ID, port) tuples that are considered authorized, in order to prevent DHCP server spoofing attacks
IP Source Guard and Dynamic ARP Inspection use the DHCP snooping bindings database, per port and per VLAN, to drop incoming packets that do not match any binding and to enforce source IP/MAC addresses, eliminating traffic from malicious users
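The DHCP Snooping, IP Source Guard and Dynamic ARP Inspection paragraphs describe one pipeline: server messages are accepted only on trusted ports, client leases build the (MAC, IP, VLAN, port) bindings table, and IP and ARP traffic on untrusted ports is checked against that table. The following added example models that pipeline in Python; it is not Netgear code, the frame representation and port names are constructed, and the chaddr-versus-source-MAC check on client messages is one common snooping validation that the data sheet does not spell out and is included here as an assumption.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

Binding = Tuple[str, str, int, str]       # (MAC address, IP address, VLAN ID, port)

SERVER_MSGS = {"dhcp_offer", "dhcp_ack", "dhcp_nak"}        # only a DHCP server sends these
CLIENT_MSGS = {"dhcp_discover", "dhcp_request", "dhcp_release"}


@dataclass
class Frame:
    """Simplified frame: only the fields the three features look at (constructed format)."""
    port: str
    vlan: int
    src_mac: str
    kind: str              # a DHCP message type above, or "ip" / "arp"
    sender_ip: str = ""    # "ip": source address; "arp": sender protocol address
    client_mac: str = ""   # DHCP chaddr field
    yiaddr: str = ""       # DHCP "your IP address" field, set in offers/ACKs


class SnoopingSwitch:
    def __init__(self, trusted_ports: Set[str]):
        self.trusted = trusted_ports
        self.bindings: Set[Binding] = set()
        self.pending: Dict[Tuple[str, int], str] = {}   # (chaddr, vlan) -> port the client asked on

    def process(self, f: Frame) -> str:
        """Returns 'forward' or 'drop:<reason>' for one frame."""
        if f.kind in SERVER_MSGS or f.kind in CLIENT_MSGS:
            return self._dhcp(f)
        if f.port in self.trusted:
            return "forward"                  # IP Source Guard and DAI are enforced on untrusted ports only
        if f.kind == "ip":
            return self._match(f, "isg")
        if f.kind == "arp":
            return self._match(f, "dai")
        return "forward"

    def _dhcp(self, f: Frame) -> str:
        if f.kind in SERVER_MSGS:
            if f.port not in self.trusted:
                return "drop:dhcp-server-on-untrusted-port"   # rogue / spoofed DHCP server
            if f.kind == "dhcp_ack":
                port = self.pending.pop((f.client_mac, f.vlan), None)
                if port:                                      # lease confirmed: record the authorized tuple
                    self.bindings.add((f.client_mac, f.yiaddr, f.vlan, port))
            return "forward"
        if f.port not in self.trusted and f.client_mac != f.src_mac:
            return "drop:dhcp-chaddr-mismatch"                # assumed MAC-verify check on client messages
        if f.kind == "dhcp_release":
            self.bindings = {b for b in self.bindings
                             if not (b[0] == f.client_mac and b[2] == f.vlan and b[3] == f.port)}
            return "forward"
        self.pending[(f.client_mac, f.vlan)] = f.port         # remember where the client is attached
        return "forward"

    def _match(self, f: Frame, feature: str) -> str:
        """Both features require the exact (MAC, IP, VLAN, port) tuple to exist in the table."""
        if (f.src_mac, f.sender_ip, f.vlan, f.port) in self.bindings:
            return "forward"
        return f"drop:{feature}-no-binding"


def demo() -> Tuple[List[str], Set[Binding]]:
    """Constructed frame sequence: a legitimate lease, then a rogue server, a spoofed source and a bad ARP."""
    sw = SnoopingSwitch(trusted_ports={"1/0/1"})      # 1/0/1 is the uplink towards the real DHCP server
    client, server, other = "00:11:22:33:44:01", "00:11:22:33:44:ff", "00:11:22:33:44:02"
    frames = [
        Frame("1/0/5", 10, client, "dhcp_discover", client_mac=client),
        Frame("1/0/1", 10, server, "dhcp_offer", client_mac=client, yiaddr="10.1.10.20"),
        Frame("1/0/1", 10, server, "dhcp_ack", client_mac=client, yiaddr="10.1.10.20"),
        Frame("1/0/7", 10, other, "dhcp_offer", client_mac=client, yiaddr="10.1.10.99"),  # server on an untrusted port
        Frame("1/0/5", 10, client, "ip", sender_ip="10.1.10.20"),                         # matches its binding
        Frame("1/0/5", 10, client, "ip", sender_ip="10.1.10.1"),                          # source address not leased to it
        Frame("1/0/7", 10, other, "arp", sender_ip="10.1.10.20"),                         # claims another host's address
        Frame("1/0/5", 10, client, "arp", sender_ip="10.1.10.20"),
    ]
    return [sw.process(f) for f in frames], sw.bindings
```

Running `demo()` shows the three drops the data sheet promises: the DHCP offer arriving on an untrusted port, the IP packet whose source address has no binding on that port and VLAN, and the ARP reply asserting an address that is bound to a different MAC and port.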
Time-based Layer 2 / Layer 3-v4 / Layer 3-v6 / Layer 4 Access Control Lists (ACLs) can be bound to ports, Layer 2 interfaces, VLANs and LAGs (Link Aggregation Groups or Port channels) for fast prevention of unauthorized data and the right granularity
For in-band switch management, management ACLs on the CPU interface (Control Plane ACLs) are used to define the IP/MAC addresses or protocols through which management access is allowed, for increased HTTP/HTTPS or Telnet/SSH management security
Out-of-band management is available via a dedicated service port (1G RJ45 OOB), while in-band management can be prohibited via management ACLs
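Two points in the ACL paragraphs are easy to get wrong in practice: an entry outside its time range must behave as if it were absent (so the implicit deny at the end takes over), and a control-plane ACL bound to the CPU interface is evaluated like any other ACL, only against traffic addressed to the switch itself. The following is an added example, not Netgear's ACL engine or CLI; the ACL names, interface names, addresses and the business-hours time range are constructed, and IPv4 and IPv6 entries are kept in one list for brevity even though a switch configures them as separate ACL types.

```python
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set


@dataclass
class TimeRange:
    days: Set[int]                   # weekday numbers, Monday = 0
    start: time
    end: time

    def active(self, now: datetime) -> bool:
        return now.weekday() in self.days and self.start <= now.time() < self.end


@dataclass
class Ace:
    """One access control entry; fields left as None match anything."""
    action: str                      # "permit" or "deny"
    src: object                      # an ip_network(), IPv4 or IPv6
    protocol: Optional[str] = None   # "tcp", "udp", "icmp"
    dport: Optional[int] = None
    time_range: Optional[TimeRange] = None


@dataclass
class Packet:
    src_ip: str
    protocol: str
    dport: Optional[int] = None


BUSINESS_HOURS = TimeRange(days={0, 1, 2, 3, 4}, start=time(8, 0), end=time(18, 0))

# Constructed ACLs: "eng-to-servers" is a time-based L3/L4 list for data-plane interfaces,
# "mgmt-cpu" is a control-plane list for traffic addressed to the switch's own management IP.
ACLS: Dict[str, List[Ace]] = {
    "eng-to-servers": [
        Ace("permit", ip_network("10.20.0.0/24"), "tcp", 3389, BUSINESS_HOURS),
        Ace("permit", ip_network("2001:db8:20::/64"), "tcp", 3389, BUSINESS_HOURS),
        Ace("permit", ip_network("0.0.0.0/0"), "udp", 53),
        Ace("permit", ip_network("::/0"), "udp", 53),
    ],
    "mgmt-cpu": [
        Ace("permit", ip_network("10.0.0.0/24"), "tcp", 22),    # SSH only from the management subnet
        Ace("permit", ip_network("10.0.0.0/24"), "tcp", 443),   # HTTPS only from the management subnet
    ],                                                          # Telnet/HTTP and other sources hit the implicit deny
}

# One list can be bound to a port, a VLAN, a LAG or the CPU interface.
BINDINGS: Dict[str, str] = {
    "1/0/12": "eng-to-servers", "vlan20": "eng-to-servers", "lag1": "eng-to-servers",
    "cpu": "mgmt-cpu",
}


def matches(ace: Ace, pkt: Packet, now: datetime) -> bool:
    if ace.time_range is not None and not ace.time_range.active(now):
        return False                 # inactive entry: skipped as if it were not configured
    addr = ip_address(pkt.src_ip)
    if addr.version != ace.src.version or addr not in ace.src:
        return False
    if ace.protocol is not None and ace.protocol != pkt.protocol:
        return False
    if ace.dport is not None and ace.dport != pkt.dport:
        return False
    return True


def decide(interface: str, pkt: Packet, now: datetime) -> str:
    """First matching entry wins; every ACL ends with an implicit deny."""
    for ace in ACLS[BINDINGS[interface]]:
        if matches(ace, pkt, now):
            return ace.action
    return "deny"
```

Evaluating the same RDP packet from `10.20.0.5` on `vlan20` at 10:00 on a weekday returns `permit`, while at 22:00 or on a Saturday it returns `deny` without any explicit deny entry; on `cpu`, SSH from the management subnet is permitted but SSH from the engineering subnet and Telnet from anywhere are denied.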
Bridge Protocol Data Unit (BPDU) Guard allows the network administrator to enforce the Spanning Tree (STP) domain borders and keep the active topology consistent and predictable: unauthorized devices or switches behind edge ports that have BPDU Guard enabled will not be able to influence the overall STP by creating loops
Spanning Tree Root Guard (STRG) enforces the Layer 2 network topology by preventing the potential issues caused by rogue root bridges, for instance when unauthorized or unexpected new equipment in the network accidentally becomes the root bridge for a given VLAN
Dynamic 802.1x VLAN assignment mode, including Dynamic VLAN creation mode and Guest VLAN/Unauthenticated VLAN, are supported for rigorous user
• Up to 48 clients (802.1x) per port are supported, including the authentication of the users domain, in order to facilitate convergent deployment. For instance, when IP phones connect PCs on their bridge, IP phones and PCs can authenticate on the same switch port but under different VLAN assignment policies (Voice VLAN versus other Production VLANs)