With the development of the routing industry, routing switches are widely deployed and play an increasingly important role. This article focuses on how a layer-3 routing switch helps defend against DoS attacks; this section describes layer-independent line-rate quality of service (QoS) and access control, customizable filtering and "trusted neighbor" mechanisms, and network login.
Although security experts around the world are developing methods to defend against DoS attacks, such attacks remain hard to stop because they exploit weaknesses in the TCP protocol. Configuring the routing switch properly and installing a dedicated DoS identification and prevention tool can minimize the loss a DoS attack causes. A comprehensive network security system built on layer-3 routing switches must rest on an intelligent, routing-centric network and on sound security policy management tools at layer 3 and above. At the same time, these measures should be planned for during the network design stage.
LAN Layer
On the LAN layer, network administrators can take many preventive measures. For example, although it is almost impossible to eliminate IP packet spoofing completely, the administrator can build a filter: if inbound data carries a source address belonging to the Intranet, dropping it at the ingress effectively reduces spoofed-IP attacks from inside. Filters can also restrict outbound IP packet flows so that the network cannot be used as an intermediate system for DoS attacks launched with forged source addresses. Another method is to disable or restrict specific services, for example limiting UDP to network diagnosis purposes on the Intranet. Unfortunately, such restrictions may negatively affect legitimate applications such as RealAudio, which use UDP as their transport. If attackers can force victims to give up IP services or other legitimate applications, the attackers have achieved a denial of service anyway.
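The two filters described above (drop inbound packets that claim an internal source, and drop outbound packets whose source is not internal, plus a UDP restriction) can be expressed as a small rule set. The following is an added example written for this section, not code from the article or from any vendor; the interface names, address prefixes, allowed UDP ports and sample packets are constructed for illustration.

```python
# Added example: anti-spoofing ingress/egress filter with a UDP restriction,
# of the kind the text describes. Prefixes, ports and packets are constructed.
import ipaddress
from dataclasses import dataclass

# Constructed: address space the organization uses internally.
INTERNAL_PREFIXES = [ipaddress.ip_network("10.0.0.0/8"),
                     ipaddress.ip_network("192.168.0.0/16")]

# Constructed: UDP services still reachable from outside (DNS, NTP).
ALLOWED_EXTERNAL_UDP_PORTS = frozenset({53, 123})


@dataclass
class Packet:
    iface: str    # "inside" or "outside": the side of the switch it arrived on
    src: str
    dst: str
    proto: str    # "tcp", "udp" or "icmp"
    dport: int = 0


def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_PREFIXES)


def filter_packet(pkt: Packet) -> tuple[str, str]:
    """Return ("pass"|"drop", reason) for one packet."""
    src_internal = is_internal(pkt.src)
    # Ingress filter: an internal source address cannot legitimately
    # arrive on the outside interface.
    if pkt.iface == "outside" and src_internal:
        return "drop", "spoofed internal source arriving from outside"
    # Egress filter: internal hosts may only send with internal sources,
    # so the site cannot be used to launch forged-source floods.
    if pkt.iface == "inside" and not src_internal:
        return "drop", "non-internal source leaving the intranet"
    # Service restriction: UDP from outside only to the listed services.
    if pkt.iface == "outside" and pkt.proto == "udp" \
            and pkt.dport not in ALLOWED_EXTERNAL_UDP_PORTS:
        return "drop", "UDP restricted to listed services"
    return "pass", "ok"


def summarize(packets) -> dict:
    """Count verdicts over a list of packets."""
    counts = {"pass": 0, "drop": 0}
    for pkt in packets:
        counts[filter_packet(pkt)[0]] += 1
    return counts


# Constructed sample traffic (documentation ranges used for external hosts).
SAMPLE_PACKETS = [
    Packet("outside", "10.1.2.3", "192.168.1.10", "tcp", 80),        # spoofed
    Packet("inside", "203.0.113.5", "198.51.100.1", "tcp", 80),      # spoofed
    Packet("outside", "203.0.113.5", "192.168.1.10", "udp", 9999),   # UDP blocked
    Packet("outside", "203.0.113.5", "192.168.1.10", "udp", 53),     # DNS ok
    Packet("inside", "10.1.2.3", "203.0.113.5", "tcp", 443),         # normal
]

if __name__ == "__main__":
    for pkt in SAMPLE_PACKETS:
        print(pkt.iface, pkt.src, "->", pkt.dst, filter_packet(pkt))
    print(summarize(SAMPLE_PACKETS))
```

The two spoofing rules are direction-aware, which is the point the text makes: the same source prefix is legitimate on one interface and a forgery on the other.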
Network Transmission Layer
1. Layer-independent line-rate quality of service (QoS) and access control
The emergence of line-rate multi-layer routing switches with configurable smart software, layer-independent QoS, and access control functions improves the ability of network transmission devices to protect data flow integrity. In traditional routers, authentication mechanisms such as filtering out spoofed packets that carry internal addresses require traffic to reach the router edge and be matched against a specific access control list. Maintaining such access control lists is not only time-consuming but also greatly increases router overhead. In contrast, a multi-layer routing switch can flexibly implement policy-based access control of many kinds.
This layer-independent access control capability completely separates security decisions from network structure decisions, so that network administrators do not have to adopt a sub-optimal routing or switching topology in order to deploy DoS prevention measures effectively. As a result, administrators and service providers can seamlessly integrate policy-based control standards across an entire metropolitan area network, data center, or enterprise network, whether the device in question is a complex router-based core or a relatively simple layer-2 switch. In addition, line-rate data authentication is performed in the background without adding latency.
2. Customizable filtering and "trusted neighbor" mechanisms
Another advantage of smart multi-layer access control is that it can easily implement custom filtering operations, such as tailoring the granularity of the system's response to specific criteria. Rather than making a simple "pass" or "discard" decision for packets that may belong to a DoS attack, a multi-layer routing switch can direct them into a specific QoS profile with a stated maximum bandwidth limit. This method contains the DoS attack while reducing the risk of dropping valid packets. A further advantage is the ability to customize routing access policies and to support "trusted neighbor" relationships between specific systems, preventing unauthorized use of internal routes.
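Policing suspect traffic into a bandwidth-limited profile rather than dropping it outright can be modelled with a token bucket. The example below is added for this section and is not code from the article or from any switch vendor; the profile names, the SYN-rate heuristic used to classify a flow, and the packet burst are constructed for illustration.

```python
# Added example: direct a suspected-DoS flow into a rate-limited QoS profile
# (token bucket) instead of a plain pass/drop decision. All names and
# thresholds are constructed.
from dataclasses import dataclass, field


@dataclass
class QoSProfile:
    name: str
    rate_bps: float      # sustained bytes per second the profile allows
    burst_bytes: float   # bucket depth: how much may pass in one burst


@dataclass
class TokenBucket:
    profile: QoSProfile
    last: float = 0.0
    tokens: float = field(init=False)

    def __post_init__(self):
        self.tokens = self.profile.burst_bytes   # start with a full bucket

    def allow(self, size: float, now: float) -> bool:
        """Refill for elapsed time, then admit the packet if tokens remain."""
        elapsed = now - self.last
        self.last = now
        self.tokens = min(self.profile.burst_bytes,
                          self.tokens + elapsed * self.profile.rate_bps)
        if size <= self.tokens:
            self.tokens -= size
            return True
        return False


# Constructed profiles: "normal" is effectively unlimited, "suspect" is
# capped at 1000 B/s with a 2000 B burst.
PROFILES = {
    "normal": QoSProfile("normal", rate_bps=1e9, burst_bytes=1e9),
    "suspect": QoSProfile("suspect", rate_bps=1000.0, burst_bytes=2000.0),
}


def classify_flow(syn_rate: float, established_ratio: float) -> str:
    """Constructed heuristic: many SYNs with few completed handshakes
    looks like a SYN flood, so the flow is moved to the 'suspect' profile."""
    if syn_rate > 100 and established_ratio < 0.1:
        return "suspect"
    return "normal"


def police(profile_name: str, packets) -> tuple[int, int]:
    """Run (size, timestamp) packets through the profile's bucket;
    return (passed, dropped)."""
    bucket = TokenBucket(PROFILES[profile_name])
    passed = dropped = 0
    for size, t in packets:
        if bucket.allow(size, t):
            passed += 1
        else:
            dropped += 1
    return passed, dropped


# Constructed burst: ten 500-byte packets at t=0, three more at t=1.
SAMPLE_BURST = [(500, 0.0)] * 10 + [(500, 1.0)] * 3

if __name__ == "__main__":
    profile = classify_flow(syn_rate=500, established_ratio=0.02)
    print("profile:", profile, "passed/dropped:", police(profile, SAMPLE_BURST))
    print("same burst under normal:", police("normal", SAMPLE_BURST))
```

With the constructed limits, the suspect profile admits the first 2000 bytes of the burst, then one second's worth of refill, so the flow keeps a trickle of service while the rest is shed; the same burst passes untouched under the normal profile.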
Taking the ExtremeWare package from Extreme Networks as an example, it maps and overrides 802.1p and DiffServ markings, and every routing switch can ignore, observe, or process any DiffServ mark received from an "untrusted neighbor". These mechanisms let the system administrator adjust internal routing policies according to the traffic received from specific neighbors.
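The ignore/observe/process choice for DiffServ marks can be written as a per-neighbor trust table. The following is an added example for this section, not ExtremeWare code or any vendor's implementation; the neighbor names, the meaning given to the three actions, and the DSCP-to-802.1p mapping (the DSCP class-selector bits) are assumptions made here.

```python
# Added example: handling DiffServ (DSCP) marks by neighbor trust level.
# Neighbor names and the exact semantics of the three actions are constructed.
from collections import Counter

# Constructed trust table. Unknown neighbors are treated as untrusted.
NEIGHBOR_POLICY = {
    "core-router-1": "process",   # honor the mark and map it to a queue
    "partner-link": "observe",    # keep the mark on the wire, record it,
                                  # but do not let it choose our queue
    "customer-edge": "ignore",    # strip the mark: best effort
}
DEFAULT_POLICY = "ignore"


def dscp_to_dot1p(dscp: int) -> int:
    """Assumed mapping: the DSCP class-selector (top three) bits become
    the 802.1p priority, so EF (46) lands in priority 5."""
    return (dscp >> 3) & 0x7


class DiffServIngress:
    def __init__(self, policy=None):
        self.policy = dict(NEIGHBOR_POLICY if policy is None else policy)
        self.observed = Counter()   # (neighbor, dscp) -> packets seen

    def handle(self, neighbor: str, dscp: int) -> tuple[str, int, int]:
        """Return (action, dscp written on egress, 802.1p queue priority)."""
        if not 0 <= dscp <= 63:
            raise ValueError("DSCP is a 6-bit field")
        action = self.policy.get(neighbor, DEFAULT_POLICY)
        if action == "ignore":
            return action, 0, 0
        if action == "observe":
            self.observed[(neighbor, dscp)] += 1
            return action, dscp, 0
        return action, dscp, dscp_to_dot1p(dscp)


if __name__ == "__main__":
    ingress = DiffServIngress()
    for nb in ("core-router-1", "partner-link", "customer-edge", "unknown-peer"):
        print(nb, ingress.handle(nb, 46))
    print("observed:", dict(ingress.observed))
```

The practical point is that the queue priority inside the switch is only derived from a mark when the neighbor is trusted; a mark arriving from elsewhere cannot buy its sender a better queue.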
3. Custom network login configuration
Network login authenticates a user's identity with a unique user name and password before the user is authorized to enter the network. In network login, the user's client first obtains an address from the routing switch through the Dynamic Host Configuration Protocol (DHCP); the switch then captures the user's identity and sends an authentication request to the RADIUS server, and only after successful authentication does it allow the user's packet traffic to flow through the network. The draft specification stipulates that the network login mechanism can control users' access to the routing switch, minimizing the risk of direct DoS attacks on it. Network login also provides a robust mechanism for managing and tracking internal users.