Netgear CSM4532 Product Data Sheet - Page 8




Remote Switched Port Analyzer (RSPAN)
Along with the physical source ports, the network traffic received/transmitted on a VLAN can be
monitored. A port mirroring session is operationally active if and only if both a destination (probe) port
and at least one source port or VLAN are configured; otherwise the session is inactive. The switch
supports remote port mirroring. The switch also supports VLAN mirroring: traffic from/to all the physical
ports that are members of that particular VLAN is mirrored (the source for a port mirroring session can
be either physical ports or a VLAN). For flow-based mirroring, ACLs are attached to the mirroring session,
and only the network traffic that matches the ACL is sent to the destination port. This feature is also
supported for remote monitoring. An IP/MAC access list can be attached to the mirroring session. Up to
four RSPAN sessions can be configured on the switch and up to four RSPAN VLANs are supported. An RSPAN
VLAN cannot be configured as a source for more than one session at the same time. To configure four
RSPAN mirroring sessions, four RSPAN VLANs must be configured.
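The session rules above decide whether a probe port (typically the feed to an IDS or packet capture host) actually receives traffic. The following added example, which is not Netgear's code and models the rules in Python with assumed names (MirrorSession, validate_mirroring, inactive_sessions) and constructed port names, checks a set of sessions against those rules and reports sessions that would be silently inactive:

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set

MAX_MIRROR_SESSIONS = 4   # limits stated on the data sheet
MAX_RSPAN_VLANS = 4


@dataclass
class MirrorSession:
    """One port mirroring session (hypothetical model of the switch configuration)."""
    session_id: int
    destination_port: Optional[str] = None          # the probe port
    source_ports: Set[str] = field(default_factory=set)
    source_vlans: Set[int] = field(default_factory=set)
    source_rspan_vlan: Optional[int] = None         # RSPAN VLAN used as the session source
    acl: Optional[str] = None                       # flow-based mirroring: only ACL matches reach the probe

    def is_active(self) -> bool:
        """Active iff a destination port and at least one source (port, VLAN or RSPAN VLAN) exist."""
        has_source = bool(self.source_ports or self.source_vlans or self.source_rspan_vlan is not None)
        return self.destination_port is not None and has_source


def validate_mirroring(sessions: List[MirrorSession], rspan_vlans: Set[int]) -> List[str]:
    """Return configuration errors; an empty list means the sessions respect the stated limits."""
    errors = []
    if len(sessions) > MAX_MIRROR_SESSIONS:
        errors.append(f"{len(sessions)} sessions configured, maximum is {MAX_MIRROR_SESSIONS}")
    if len(rspan_vlans) > MAX_RSPAN_VLANS:
        errors.append(f"{len(rspan_vlans)} RSPAN VLANs configured, maximum is {MAX_RSPAN_VLANS}")
    owner_of_vlan = {}  # RSPAN VLAN -> session that already uses it as a source
    for s in sessions:
        if s.source_rspan_vlan is None:
            continue
        if s.source_rspan_vlan not in rspan_vlans:
            errors.append(f"session {s.session_id}: VLAN {s.source_rspan_vlan} is not an RSPAN VLAN")
        owner = owner_of_vlan.setdefault(s.source_rspan_vlan, s.session_id)
        if owner != s.session_id:
            errors.append(f"session {s.session_id}: RSPAN VLAN {s.source_rspan_vlan} "
                          f"is already the source of session {owner}")
    return errors


def inactive_sessions(sessions: List[MirrorSession]) -> List[int]:
    """Session ids that are configured but operationally inactive (the probe sees nothing)."""
    return [s.session_id for s in sessions if not s.is_active()]


if __name__ == "__main__":
    # Constructed sample: session 2 has a probe port but no source, sessions 3 and 4 share VLAN 100.
    sessions = [
        MirrorSession(1, "0/24", source_ports={"0/1", "0/2"}, acl="mon-http"),
        MirrorSession(2, "0/25"),
        MirrorSession(3, "0/26", source_rspan_vlan=100),
        MirrorSession(4, "0/27", source_rspan_vlan=100),
    ]
    for line in validate_mirroring(sessions, {100}):
        print("error:", line)
    print("inactive sessions:", inactive_sessions(sessions))
```

Running the sample reports the shared RSPAN VLAN as an error and lists session 2 as inactive; in practice the inactive case is the one worth alerting on, because the monitoring tool behind the probe port receives no traffic and no error is raised by the switch itself.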
Link Dependency
The Link Dependency feature supports enabling/disabling ports based on the link state of other ports (i.e.,
making the link state of some ports dependent on the link state of others). In the simplest form, if port
A is dependent on port B and the switch detects link loss on B, the switch automatically brings down the
link on port A. When the link is restored to port B, the switch automatically restores the link to port A. The
link action command option determines whether link A comes up or goes down depending on the state of link B.
IPv6 Router Advertisement Guard
M4500 supports IPv6 Router Advertisement Guard (RA-Guard) to protect against attacks via rogue
Router Advertisements in accordance with RFC 6105. RA-Guard supports Stateless RA-Guard, for which
you can configure the interface to allow received router advertisements and router redirect messages to
be processed/forwarded or dropped. By default, RA-Guard is not enabled on any interface. RA-Guard is
enabled/disabled on physical interfaces or port-channels. RA-Guard does not require IPv6 routing to be
enabled.
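To make the stateless policy concrete, here is an added Python example (not the switch's firmware) that parses a constructed Ethernet/IPv6/ICMPv6 frame, classifies it as a Router Advertisement or Redirect, and applies a per-interface forward/drop policy with the data sheet's default of "not enabled". The class and function names (StatelessRaGuard, build_icmpv6_frame, icmpv6_type) and the interface names are assumptions for the example:

```python
import struct
from collections import Counter

ETHERTYPE_IPV6 = 0x86DD
IPPROTO_ICMPV6 = 58
ICMPV6_ROUTER_SOLICIT = 133
ICMPV6_ROUTER_ADVERT = 134
ICMPV6_REDIRECT = 137


def build_icmpv6_frame(icmp_type, src_mac=bytes.fromhex("020000000001")):
    """Constructed sample frame: Ethernet / IPv6 (fe80::1 -> ff02::1) / ICMPv6 of the given type.
    The checksum is left at zero; the guard only inspects headers."""
    icmp = struct.pack("!BBH", icmp_type, 0, 0) + b"\x00" * 12
    ipv6 = struct.pack("!IHBB", 0x60000000, len(icmp), IPPROTO_ICMPV6, 255)
    src = bytes.fromhex("fe800000000000000000000000000001")
    dst = bytes.fromhex("ff020000000000000000000000000001")
    eth = bytes.fromhex("333300000001") + src_mac + struct.pack("!H", ETHERTYPE_IPV6)
    return eth + ipv6 + src + dst + icmp


def icmpv6_type(frame):
    """ICMPv6 type of an Ethernet frame, or None if it is not plain IPv6 carrying ICMPv6.
    IPv6 extension headers are not walked here (see the note after the code)."""
    if len(frame) < 14 + 40 + 4:
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV6:
        return None
    ip = frame[14:54]
    if ip[0] >> 4 != 6 or ip[6] != IPPROTO_ICMPV6:
        return None
    return frame[54]


class StatelessRaGuard:
    """Per-interface stateless RA-Guard policy (hypothetical model).
    An interface without a policy behaves as if RA-Guard were disabled: everything is forwarded."""

    def __init__(self):
        self.policy = {}          # interface -> {"ra": action, "redirect": action}
        self.drops = Counter()    # interface -> dropped frames, useful as a monitoring signal

    def enable(self, interface, ra="drop", redirect="drop"):
        for action in (ra, redirect):
            if action not in ("drop", "forward"):
                raise ValueError(f"unknown action {action!r}")
        self.policy[interface] = {"ra": ra, "redirect": redirect}

    def disable(self, interface):
        self.policy.pop(interface, None)

    def decide(self, interface, frame):
        """Return 'forward' or 'drop' for a frame received on the given interface."""
        rule = self.policy.get(interface)
        if rule is None:
            return "forward"
        kind = icmpv6_type(frame)
        if kind == ICMPV6_ROUTER_ADVERT:
            action = rule["ra"]
        elif kind == ICMPV6_REDIRECT:
            action = rule["redirect"]
        else:
            action = "forward"   # solicitations, neighbor discovery and non-ICMPv6 traffic pass
        if action == "drop":
            self.drops[interface] += 1
        return action


if __name__ == "__main__":
    guard = StatelessRaGuard()
    guard.enable("0/1")                          # host-facing port: drop RAs and redirects
    guard.enable("po1", ra="forward")            # uplink port-channel: legitimate router lives here
    for name, frame in [("RA", build_icmpv6_frame(ICMPV6_ROUTER_ADVERT)),
                        ("RS", build_icmpv6_frame(ICMPV6_ROUTER_SOLICIT))]:
        print(name, "on 0/1:", guard.decide("0/1", frame), "| on po1:", guard.decide("po1", frame))
    print("drops:", dict(guard.drops))
```

A rising drop counter on a host-facing port is the signal to watch: it means something on that port is sending Router Advertisements. The parser above deliberately stops at the fixed IPv6 header; a production guard has to walk extension headers as well (RFC 7113 gives implementation advice for RA-Guard), otherwise an RA hidden behind extension headers is not classified.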
FIP Snooping
The FCoE Initialization Protocol (FIP) is used to perform the functions of FC_BB_E device discovery,
initialization, and maintenance. FIP uses a separate EtherType from FCoE to distinguish discovery,
initialization, and maintenance traffic from other FCoE traffic. FIP frames are standard Ethernet size (1518
Byte 802.1q frame), whereas FCoE frames are a maximum of 2240 bytes. FIP snooping is a frame
inspection method used by FIP Snooping Bridges to monitor FIP frames and apply policies based upon the
L2 header information in those frames. FIP snooping provides:
• Auto-configuration of Ethernet ACLs based on information in the Ethernet headers of FIP frames.
• Emulation of FC point-to-point links within the DCB Ethernet network.
• Enhanced FCoE security/robustness by preventing FCoE MAC spoofing.
The role of FIP snooping-enabled ports on the switch falls under one of the following types:
• Perimeter or Edge port (connected directly to a Fiber Channel end node or ENode).
• Fiber Channel forwarder (FCF) facing port (that receives traffic from FCFs targeted to the ENodes).
Note: The FIP Snooping Bridge feature supports the configuration of the perimeter port role and
FCF-facing port roles and is intended for use only at the edge of the switched network. The default port
role in an FCoE-enabled VLAN is as a perimeter port. FCF-facing ports are configured by the user.
ECN Support
Explicit Congestion Notification (ECN) is defined in RFC 3168. Conventional TCP networks signal
congestion by dropping packets. A Random Early Discard scheme provides earlier notification than tail drop
by dropping packets already queued for transmission. ECN marks congested packets that would otherwise
have been dropped and expects an ECN-capable receiver to signal congestion back to the transmitter
without the need to retransmit the packet that would have been dropped. For TCP, this means that the
TCP receiver signals a reduced window size to the transmitter but does not request retransmission of the
CE-marked packet. M4500 implements ECN capability as part of the WRED configuration process. It is
configured as a parameter of the random-detect command. Eligible packets are marked by hardware based
upon the WRED configuration. You can configure any CoS queue to operate in ECN marking mode and can
configure different discard thresholds for each color.
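The interaction between WRED thresholds, packet color and the ECN field is easier to see in code. The following added example (not the switch's implementation; WredEcnQueue, ColorThreshold and the threshold values are assumptions) extracts the two-bit ECN field from an IPv4 TOS byte or an IPv6 header word and decides, per packet, whether WRED enqueues, CE-marks or drops it. Mark-or-drop depends on whether the packet was sent as ECT(0)/ECT(1) and whether the queue is in ECN marking mode; above the maximum threshold the example drops regardless, which is an assumption about this particular model:

```python
from dataclasses import dataclass

# ECN field: low two bits of the IPv4 TOS byte / IPv6 traffic class (RFC 3168)
NOT_ECT, ECT1, ECT0, CE = 0b00, 0b01, 0b10, 0b11


def ecn_bits(tos_or_traffic_class):
    """ECN field from an IPv4 TOS byte or an IPv6 traffic class byte."""
    return tos_or_traffic_class & 0b11


def ipv6_ecn_field(first_word):
    """ECN field from the first 32-bit word of an IPv6 header (version:4, traffic class:8, flow:20)."""
    traffic_class = (first_word >> 20) & 0xFF
    return ecn_bits(traffic_class)


@dataclass
class ColorThreshold:
    """WRED parameters for one packet color (green/yellow/red) on one queue."""
    min_th: int     # below this average depth nothing is dropped or marked
    max_th: int     # at or above this average depth every packet of this color is dropped (assumption)
    max_p: float    # drop/mark probability reached just below max_th


class WredEcnQueue:
    def __init__(self, ecn_mode, thresholds):
        self.ecn_mode = ecn_mode          # the queue's "ECN marking mode" from the WRED configuration
        self.thresholds = thresholds      # color -> ColorThreshold
        self.stats = {"enqueue": 0, "mark": 0, "drop": 0}

    def decide(self, color, ecn, avg_depth, u):
        """Decide for one packet. u is a uniform sample in [0, 1); it is passed in so the
        logic is deterministic and testable. Returns (action, ecn_field_after)."""
        th = self.thresholds[color]
        if avg_depth < th.min_th:
            action = ("enqueue", ecn)
        elif avg_depth >= th.max_th:
            action = ("drop", ecn)
        else:
            # linear ramp between min_th and max_th, as in classic RED/WRED
            p = th.max_p * (avg_depth - th.min_th) / (th.max_th - th.min_th)
            if u >= p:
                action = ("enqueue", ecn)
            elif self.ecn_mode and ecn in (ECT0, ECT1):
                action = ("mark", CE)       # congestion signalled without losing the packet
            else:
                action = ("drop", ecn)      # Not-ECT sender, or queue not in ECN mode
        self.stats[action[0]] += 1
        return action


if __name__ == "__main__":
    import random
    rng = random.Random(1)
    queue = WredEcnQueue(ecn_mode=True,
                         thresholds={"green": ColorThreshold(10, 40, 0.1),
                                     "yellow": ColorThreshold(5, 20, 0.5)})
    # Constructed burst: queue depth climbing from 0 to 44, half the packets ECN-capable
    for depth in range(45):
        queue.decide("green", ECT0 if depth % 2 else NOT_ECT, depth, rng.random())
    print(queue.stats)
```

Reading the stats from a run like this shows the operational point: with ECN mode on, the ECT packets that fall into the ramp are marked rather than lost, while Not-ECT packets at the same depth are still dropped, so the two flows see different loss rates on the same queue.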
Configurable Access and Authentication Profiles
You can configure rules to limit access to the switch management interface based on criteria such
as access type and source IP address of the management host. You can also require the user to be
authenticated locally or by an external server, such as a RADIUS server.
AAA Command Authorization
This feature enables AAA Command Authorization on the switch.
Password-protected Management Access
Access to the CLI and SNMP management interfaces is password protected, and there are no default users
on the system.
Strong Password Enforcement
The Strong Password feature enforces a baseline password strength for all locally administered users.
Password strength is a measure of the effectiveness of a password in resisting guessing and brute-force
attacks. The strength of a password is a function of length, complexity and randomness. Using strong
passwords lowers overall risk of a security breach.
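The three factors named above (length, complexity and randomness) can be turned into a concrete check. The following added Python example is not the switch's password validator; its thresholds (minimum 8 characters, 3 character classes, 24 bits of estimated entropy, no run longer than 3) and the function names (check_password, entropy_bits, longest_run) are assumptions chosen to illustrate a baseline policy:

```python
import math
import string
from collections import Counter

CHAR_CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation),
}


def classes_used(password):
    """Which character classes the password draws from (complexity)."""
    return {name for name, chars in CHAR_CLASSES.items() if any(c in chars for c in password)}


def entropy_bits(password):
    """Shannon entropy of the observed character distribution times length: a crude randomness
    estimate that punishes repetition ('aaaaaaaa' scores 0, eight distinct characters score 24)."""
    n = len(password)
    if n == 0:
        return 0.0
    per_char = -sum(c / n * math.log2(c / n) for c in Counter(password).values())
    return per_char * n


def longest_run(password):
    """Length of the longest run of one repeated character."""
    best = run = 0
    prev = None
    for c in password:
        run = run + 1 if c == prev else 1
        best = max(best, run)
        prev = c
    return best


def check_password(password, min_length=8, min_classes=3, min_entropy_bits=24, max_run=3):
    """Return the policy rules the password violates; an empty list means it is accepted.
    Threshold defaults are assumptions for this example."""
    problems = []
    if len(password) < min_length:
        problems.append("length")
    if len(classes_used(password)) < min_classes:
        problems.append("classes")
    if entropy_bits(password) < min_entropy_bits:
        problems.append("entropy")
    if longest_run(password) > max_run:
        problems.append("repeat")
    return problems


if __name__ == "__main__":
    # Constructed samples, weakest to strongest
    for candidate in ["password", "aaaaaaaaaaaaaa", "Xk7#pQ2!vB9m"]:
        print(f"{candidate!r:20} entropy={entropy_bits(candidate):5.1f} problems={check_password(candidate)}")
```

Note that the entropy estimate only measures repetition inside the string; a dictionary word such as "password" still passes the entropy bar if it is long enough, which is why the character-class rule and, in practice, a denylist of known-breached passwords are applied alongside it.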
100GE-Enabled Managed Switches
Data Sheet
M4500 series
Page 8 of 29