Layer-4 switching, Security, Layer-4 switching security – Enterasys Networks X-Pedition 2000 User Manual


Features

6

Enterasys X-Pedition 2000 Getting Started Guide

IPX SAP – the Service Advertisement Protocol, which allows hosts attached to an IPX network
to reach printers, file servers, and other services

By default, IPX routing is enabled on the XP-2000 when an IPX interface is created.

Layer-4 Switching

In addition to Layer-2 bridging and Layer-3 routing, the XP-2000 performs Layer-4 switching.
Layer-4 switching is based on applications and flows.

Layer-4 applications – The XP-2000 understands the application for which an IP or IPX packet
contains data and therefore enables you to manage and control traffic on an application basis.
For IP traffic, the XP-2000 looks at the packet’s TCP or UDP port number to determine the
application. For IPX packets, the XP-2000 looks at the destination socket to determine the
application.

Layer-4 flows – The XP-2000 can store Layer-4 flows in each expansion module. A Layer-4
flow consists of the source and destination addresses in the IP or IPX packet combined with the
TCP or UDP source and destination port number (for IP) or the source and destination socket
(for IPX). You can therefore manage and control individual flows between hosts on an
individual application basis.

A single host can have many individual Layer-4 entries in the XP-2000. For example, an IP host
might have separate Layer-4 application entries for email, FTP, HTTP, and so on, or separate
Layer-4 flow entries for specific email destinations and for specific FTP and Web connections.

Security

The bridging, routing, and application (Layer-2, Layer-3, and Layer-4) support described in
previous sections enables you to implement security filters that meet the specific needs of your
organization. You can implement the following types of filters to secure traffic on the XP-2000:

Layer-2 source filters (block bridge traffic based on source MAC address)

Layer-2 destination filters (block bridge traffic based on destination MAC address)

Layer-2 flow filters (block bridge traffic based on specific source-destination pairs)

Layer-3 source filters (block IP or IPX traffic based on source IP or IPX address)

Layer-3 destination filters (block IP or IPX traffic based on destination IP or IPX address)

Layer-3 flow filters (block IP or IPX traffic based on specific source-destination pairs)

Layer-4 application filters (block traffic based on UDP or TCP source and destination ports for
IP or source and destination sockets for IPX)
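The filter categories above, worked through as a small deny-list classifier in Python. This is an added example, not code from the X-Pedition guide or the device's CLI: the packet fields, the Filter class and the sample filter set are assumptions, and it covers IP with TCP/UDP ports only, not IPX sockets.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed packet model: Layer-2 MACs, Layer-3 IPs, Layer-4 protocol/ports.
# Field names are assumptions for this example, not XP-2000 syntax.
@dataclass(frozen=True)
class Packet:
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    proto: str       # "tcp" or "udp"
    src_port: int
    dst_port: int

FIELDS = ("src_mac", "dst_mac", "src_ip", "dst_ip", "proto", "src_port", "dst_port")

@dataclass(frozen=True)
class Filter:
    """One blocking rule; a None field is a wildcard. Setting only MAC fields
    gives a Layer-2 filter, only IP fields a Layer-3 filter, and proto/ports a
    Layer-4 application filter; source+destination together make a flow filter."""
    src_mac: Optional[str] = None
    dst_mac: Optional[str] = None
    src_ip: Optional[str] = None
    dst_ip: Optional[str] = None
    proto: Optional[str] = None
    src_port: Optional[int] = None
    dst_port: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        # Every non-wildcard field must equal the packet's field.
        return all(getattr(self, f) is None or getattr(self, f) == getattr(pkt, f)
                   for f in FIELDS)

def flow_key(pkt: Packet) -> tuple:
    """Layer-4 flow as the guide defines it: addresses plus TCP/UDP ports."""
    return (pkt.src_ip, pkt.dst_ip, pkt.proto, pkt.src_port, pkt.dst_port)

def forward(pkt: Packet, filters) -> bool:
    """Return True when no deny filter matches, i.e. the packet is forwarded."""
    return not any(f.matches(pkt) for f in filters)

# Constructed filter set, one entry per category from the guide.
FILTERS = [
    Filter(src_mac="00:11:22:33:44:55"),                 # Layer-2 source filter
    Filter(src_ip="10.0.0.9", dst_ip="10.0.1.5"),       # Layer-3 flow filter
    Filter(proto="tcp", dst_port=23),                    # Layer-4 application filter (telnet)
]
```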
