Link Layer Discovery Protocol and Auto Detection/Auto Configuration
The ERS 5500 series combines the functionality of the Link Layer Discovery Protocol (LLDP) and Auto Detection/Auto Configuration (ADAC) to further satisfy enterprises' needs for converged applications and simplified deployment. Currently supported with Nortel IP Phones that implement 802.1AB, the Ethernet Routing Switch uses LLDP for auto discovery of 802.1AB-supporting devices. Through LLDP, the identification, configuration and capabilities of neighboring devices are stored and shared with other 802.1AB-supporting products in order to build a topology map. Through the linkage of these two features, once the device is identified, the ADAC feature automatically configures the port with settings such as VLAN membership and prioritization information.
Security for safeguarding the network
Protecting the network against both external and increasingly prevalent internal attacks is a critical part of every IT manager's job. Doing so requires simple-to-manage yet intelligent security solutions that look not only at the identity of the person logging in, but also at the device connecting to the network. This network access control approach ensures that only authorized individuals and properly scanned and secured devices are allowed onto the network, thereby providing enhanced levels of security.

Nortel's Ethernet Routing Switch 5500 Series delivers various features to assist in securing the network.
Nortel Secure Network Access solution
Secure Network Access (SNA), Nortel's endpoint security and policy compliance solution, inspects and assesses endpoints, ensures compliance to policy, and remediates at the network endpoint source, prior to network access. Nortel SNA dramatically simplifies the complexity of enterprise network access architectures with a solution that assures endpoint security compliance. Nortel SNA provides this security through seamless device quarantine and containment, remediation and repair for LAN users and remote users (IPSec/SSL), with both fixed and mobile connectivity devices.

Running Nortel SNA with Nortel VPN Gateways and Routers and the ERS 5500 enables a highly integrated endpoint security solution that is easy to use and manage. If an end station is already known to the network manager as a trusted device, its MAC address can be entered into the ERS 5500 switch. This simplified and centralized manner of managing access ensures that trusted devices are granted quick access to the network.
Network Access Control through 802.1X-based authentication
The ERS 5500 series supports IEEE 802.1X-based security, which limits access to the network based on user credentials. Through support for any device with an 802.1X supplicant, as well as for machines that do not have a supplicant but have a known MAC address that can be entered into the switch or RADIUS server, 802.1X delivers a standards-based approach to authentication. Additionally, for Voice over IP (VoIP) deployments where the PC connects to the network through a VoIP handset, the PC authenticates via EAP while the handset is authenticated using its DHCP signature, allowing for a simplified solution when more than one device requires authentication on a single switch port.
Dynamic Host Configuration Protocol Snooping
Dynamic Host Configuration Protocol (DHCP) Snooping provides network security to a device by eliminating an attacker's ability to respond to DHCP requests with false IP information (DHCP spoofing). It is based on trusted versus untrusted ports: DHCP Snooping drops DHCP replies received on untrusted ports and verifies the source of DHCP packets by building a binding table of DHCP clients. DHCP Snooping is used in conjunction with the ARP Inspection feature.
Dynamic Address Resolution Protocol Inspection
Dynamic Address Resolution Protocol (ARP) Inspection provides network security to a device by eliminating an attacker's ability to poison the ARP caches of systems connected to the subnet. This feature also prevents attackers from intercepting traffic intended for other hosts on the subnet (i.e., man-in-the-middle). Based on the DHCP binding table maintained by the DHCP Snooping application, the function intercepts all ARP requests and responses on untrusted ports. It then verifies that each intercepted packet has a valid IP-to-MAC address binding before updating the local ARP cache or forwarding the packet to its destination.
IP Source Guard
IP Source Guard is a Layer 2, per-port security feature that prevents IP spoofing by only allowing IP addresses obtained through DHCP Snooping. When a connecting client receives a valid IP address from the DHCP server, a filter is installed on the port to allow traffic only from the assigned IP address. IP Source Guard supports up to 10 IP addresses per port and is dynamically configured from the IP information stored in the corresponding DHCP Snooping binding entry.
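The following model, added here as an illustration and not code from Nortel or the ERS 5500, shows how the three features described above (DHCP Snooping, Dynamic ARP Inspection and IP Source Guard) share one binding table: DHCP replies on untrusted ports are dropped, trusted replies create bindings, and ARP and IP traffic on untrusted ports is then forwarded only when it matches a binding. Port names, MAC addresses and IP addresses are constructed sample values.

```python
from dataclasses import dataclass, field


@dataclass
class SnoopingSwitch:
    """Simplified model of DHCP Snooping, ARP Inspection and IP Source Guard."""
    trusted_ports: set
    bindings: dict = field(default_factory=dict)  # port -> {client MAC: assigned IP}
    ipsg_limit: int = 10  # the page states up to 10 IP addresses per port

    def dhcp_reply(self, server_port, client_port, client_mac, ip):
        """A DHCP OFFER/ACK seen on server_port for a client on client_port."""
        if server_port not in self.trusted_ports:
            return "dropped"  # DHCP spoofing: replies only accepted from trusted ports
        port_bindings = self.bindings.setdefault(client_port, {})
        if client_mac not in port_bindings and len(port_bindings) >= self.ipsg_limit:
            return "limit"  # no IP Source Guard filter slot left on this port
        port_bindings[client_mac] = ip  # binding table entry installs the port filter
        return "bound"

    def arp_packet(self, port, sender_mac, sender_ip):
        """ARP Inspection: on untrusted ports the sender must match a binding."""
        if port in self.trusted_ports:
            return "forwarded"
        if self.bindings.get(port, {}).get(sender_mac) == sender_ip:
            return "forwarded"
        return "dropped"  # mismatched binding would poison neighbours' ARP caches

    def ip_packet(self, port, src_ip):
        """IP Source Guard: untrusted ports pass only DHCP-assigned source IPs."""
        if port in self.trusted_ports or src_ip in self.bindings.get(port, {}).values():
            return "forwarded"
        return "dropped"


def demo():
    """Run a constructed scenario: one trusted uplink, clients on untrusted ports."""
    sw = SnoopingSwitch(trusted_ports={"uplink"})
    mac = "aa:bb:cc:00:00:01"  # constructed client MAC on port1
    return {
        "rogue_offer": sw.dhcp_reply("port3", "port1", mac, "10.0.0.200"),  # dropped
        "valid_ack": sw.dhcp_reply("uplink", "port1", mac, "10.0.0.11"),    # bound
        "arp_ok": sw.arp_packet("port1", mac, "10.0.0.11"),                 # forwarded
        "arp_spoof": sw.arp_packet("port1", mac, "10.0.0.1"),               # dropped
        "ip_ok": sw.ip_packet("port1", "10.0.0.11"),                        # forwarded
        "ip_spoof": sw.ip_packet("port1", "10.0.0.99"),                     # dropped
        "arp_uplink": sw.arp_packet("uplink", "00:11:22:33:44:55", "10.0.0.1"),
    }
```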