Netgear GSM4248P Product Datasheet - Page 13



Loopback interfaces are available as dynamic, stable IP addresses for other devices on the network, and for routing protocols
Support of Routing Information Protocol (RIPv2) as a distance vector protocol specified in RFC 2453 for IPv4
• Each route is characterized by the number of gateways, or hops, a packet must traverse to reach its intended destination
• Categorized as an interior gateway protocol, RIP operates within the scope of an autonomous system
IP Multinetting allows configuring more than one IP address on a network interface (other vendors may call it IP Aliasing or Secondary Addressing)
ICMP Throttling feature adds configuration options for the transmission of various types of ICMP messages
• ICMP Redirects can be used by a malicious sender to perform man-in-the-middle attacks, to divert packets to a malicious monitor, or to cause Denial of Service (DoS) by blackholing the packets
• ICMP Echo Requests and other messages can be used to probe for vulnerable hosts or routers
• Rate limiting ICMP error messages protects the local router and the network from sending a large number of messages that consume CPU and bandwidth
The Policy Based Routing (PBR) feature overrides the routing decision taken by the router and makes the packet follow different actions based on a policy
• It provides freedom over packet routing/forwarding instead of leaving the control to standard routing protocols based on L3
• For instance, some organizations would like to dictate paths instead of following the paths chosen by routing protocols
• Network Managers/Administrators can set up policies such as:
-- My network will not carry traffic from the Engineering department
-- Traffic originating within my network with the following characteristics will take path A, while other traffic will take path B
-- Load sharing of incoming traffic across multiple paths based on packet attributes in the incoming traffic
Enterprise security
Traffic control
MAC Filter and Port Security help restrict the traffic allowed into and out of specified ports or interfaces in the system in order to increase overall security and block MAC address flooding issues
DHCP Snooping monitors DHCP traffic between DHCP clients and DHCP servers to filter harmful DHCP messages and builds a bindings database of (MAC address, IP address, VLAN ID, port) tuples that are considered authorized, in order to prevent DHCP server spoofing attacks
IP Source Guard and Dynamic ARP Inspection use the DHCP snooping bindings database per port and per VLAN to drop incoming packets that do not match any binding, enforcing authorized source IP/MAC addresses and eliminating traffic from malicious users
Time-based Layer 2 / Layer 3-v4 / Layer 3-v6 / Layer 4 Access Control Lists (ACLs) can be bound to ports, Layer 2 interfaces, VLANs and LAGs (Link Aggregation Groups or Port channel) for fast prevention of unauthorized data flows with the right granularity
For in-band switch management, management ACLs on the CPU interface (Control Plane ACLs) are used to define the IP/MAC addresses or protocols through which management access is allowed, for increased HTTP/HTTPS or Telnet/SSH management security
Out-of-band management is available via a dedicated service port (1G RJ45 OOB) when in-band management is prohibited via management ACLs
Bridge protocol data unit (BPDU) Guard allows the network administrator to enforce the Spanning Tree (STP) domain borders and keep the active topology consistent and predictable - unauthorized devices or switches behind edge ports that have BPDU Guard enabled will not be able to influence the overall STP by creating loops
Spanning Tree Root Guard (STRG) enforces the Layer 2 network topology by preventing potential issues from rogue root bridges, for instance when unauthorized or unexpected new equipment in the network accidentally becomes the root bridge for a given VLAN
Dynamic 802.1x VLAN assignment mode, including Dynamic VLAN creation mode and Guest VLAN / Unauthenticated VLAN, is supported for rigorous RADIUS policy server enforcement on users and equipment
• Up to 48 clients (802.1x) per port are supported, including authentication of the user's domain, in order to facilitate convergent deployments. For instance, when IP phones connect PCs through their bridge, IP phones and PCs can authenticate on the same switch port under different VLAN assignment policies (Voice VLAN versus other Production VLANs)
802.1x MAC Address Authentication Bypass (MAB) is a supplemental authentication mechanism that lets non-802.1x devices bypass the traditional 802.1x process altogether, letting them authenticate to the network using their client MAC address as an identifier
• A list of authorized MAC addresses of client NICs is maintained on the RADIUS server for MAB purposes
• MAB can be configured on a per-port basis on the switch
• MAB initiates after an unsuccessful dot1x authentication process (configurable timeout), when clients don't respond to any of the EAPOL packets
• When 802.1X-unaware clients try to connect, the switch sends the MAC address of each client to the authentication server
• The RADIUS server checks the MAC address of the client NIC against the list of authorized addresses
• The RADIUS server returns the access policy and VLAN assignment to the switch for each client
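How the DHCP snooping bindings database drives IP Source Guard and Dynamic ARP Inspection, as an added Python model written for this page (it is not Netgear firmware or configuration; port names, MAC addresses and IP addresses are constructed):

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Frame:
    kind: str             # "dhcp_request" | "dhcp_ack" | "ip" | "arp"
    port: str             # ingress port
    vlan: int
    src_mac: str          # Ethernet source (for ARP: sender MAC)
    src_ip: str = ""      # IP source (for ARP: sender IP)
    client_mac: str = ""  # DHCP ACK only: chaddr, the lease owner
    client_ip: str = ""   # DHCP ACK only: yiaddr, the leased address

class SnoopingSwitch:
    """Toy model of DHCP Snooping feeding IP Source Guard and Dynamic ARP Inspection."""
    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)  # uplinks towards the legitimate DHCP servers
        self.pending = {}                  # (client_mac, vlan) -> port the request arrived on
        self.bindings = set()              # authorized (mac, ip, vlan, port) tuples

    def process(self, f: Frame) -> str:
        if f.kind == "dhcp_request":
            # Note the client's ingress port; the server's ACK completes the binding.
            self.pending[(f.src_mac, f.vlan)] = f.port
            return "forward"
        if f.kind == "dhcp_ack":
            # Server messages are only legitimate on trusted ports (stops DHCP server spoofing).
            if f.port not in self.trusted:
                return "drop: server message on untrusted port"
            port = self.pending.pop((f.client_mac, f.vlan), None)
            if port is not None:
                self.bindings.add((f.client_mac, f.client_ip, f.vlan, port))
            return "forward"
        if f.port in self.trusted:
            return "forward"  # IPSG and DAI are enforced on untrusted ports only
        # IP Source Guard (IP) and DAI (ARP): (src MAC, src IP, VLAN, port) must match a binding.
        if (f.src_mac, f.src_ip, f.vlan, f.port) in self.bindings:
            return "forward"
        return f"drop: {f.kind} source not in bindings"

def demo():
    # Constructed traffic: one legitimate lease on port g5, then three spoofing attempts.
    sw = SnoopingSwitch(trusted_ports={"g1"})
    events = [
        Frame("dhcp_request", "g5", 10, "aa:01"),
        Frame("dhcp_ack", "g1", 10, "srv:01", client_mac="aa:01", client_ip="10.0.10.20"),
        Frame("ip", "g5", 10, "aa:01", "10.0.10.20"),    # matches the learned binding
        Frame("arp", "g5", 10, "aa:01", "10.0.10.1"),    # ARP claiming the gateway's IP
        Frame("ip", "g6", 10, "aa:01", "10.0.10.20"),    # same MAC/IP, but wrong port
        Frame("dhcp_ack", "g7", 10, "bad:01", client_mac="aa:01", client_ip="10.0.10.99"),
    ]
    return [sw.process(e) for e in events]
```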
Datasheet | M4250 series AV Line Managed Switches | PAGE 13 of 63