User and maintenance manual for the X-Pedition™ product from the manufacturer Enterasys Networks
X-Pedition™ Security Router XSR User's Guide, Version 7.6, P/N 9033837-09.
i Notice: Enterasys Networks reserves the right to make changes in specifications and other information contained in this document and its web site without prior notice.
ii Regulatory Compliance Information. Federal Communications Commission (FCC) Notice: The XSR complies with Title 47, Part 15, Class A of FCC rules.
iii Industry Canada Notices: This digital apparatus does not exceed the Class A limits for radio noise emissions from digital apparatus set out in the Radio Interference Regulations of the Canadian Department of Communications.
iv Electromagnetic Compatibility (EMC): This product complies with the following: 47 CFR Parts 2 and 15, CSA C108.8, 89/336/EEC, EN 55022, EN 55024, EN 61000-3-2, EN 61000-3-3, AS/NZS CISPR 22, and VCCI V-3.
v Declaration of Conformity. Application of Council Directive(s): 89/336/EEC, 73/23/EEC. Manufacturer's Name: Enterasys Networks, Inc. Manufacturer's Address: 50 Minuteman Road, Andover, MA 01810, USA. European Representative Address: Enterasys Networks, Ltd.
vi Independent Communications Authority of South Africa: This product complies with the terms of the provisions of section 54(1) of the Telecom.
vii Enterasys Networks, Inc. Firmware License Agreement. BEFORE OPENING OR UTILIZING THE ENCLOSED PRODUCT, CAREFULLY READ THIS LICENSE AGREEMENT. This document is an agreement ("Agreement") between the end user ("You") and Enterasys Networks, Inc.
viii 4. EXPORT RESTRICTIONS. You understand that Enterasys and its Affiliates are subject to regulation by agencies of the U.
ix 10. ENFORCEMENT. You acknowledge and agree that any breach of Sections 2, 4, or 9 of this Agreement by You may cause.
xi Contents. Preface: Contents of the Guide xxvii; Conventions Used in This Guide
xii Configuring an Interface 2-22; Displaying Interface Attributes
xiii Chapter 3: Managing LAN/WAN Interfaces. Overview of LAN Interfaces 3-1; LAN Features
xiv Secondary IP 5-7; Interface & Secondary IP
xv Load Balancing 5-31; ARP Process on a VRRP Router
xvi Filter Lists 6-12; Community Lists
xvii Describing the XSR's PIM-SM v2 Features 7-7; Phase 1: Building a Shared Tree
xviii Chapter 9: Configuring Frame Relay. Overview 9-1; Virtual Circuits
xix Configuring ISDN Callback 10-12; Point-to-Point with Matched Calling/Called Numbers
xx Backup Using ISDN 10-37; Node A (Backed-up Node) Configuration
xxi Measuring Bandwidth Utilization 12-5; Describing Priority Queues
xxii ADSL Hardware 13-5; NIM Card
xxiii Server 1 14-17; Server 2
xxiv DHCP Client Services 15-6; Router Option
xxv Application Level Commands 16-13; Application Level Gateway
xxvi DOS Attacks Blocked Counters B-12; DOS Attacks Blocked Table
xxvii Preface. This guide provides a general overview of the XSR hardware and software features. It describes how to configure and maintain the router. Refer to the XSR CLI Reference Guide and the XSR Getting Started Guide for information not contained in this document.
xxviii Conventions Used in This Guide. • Chapter 11, Configuring ISDN, outlines how to set up the Integrated Services Digital Network protocol on the XSR for BRI, PRI and leased line applications. ISDN protocol tracing and partial decoding of Q921 and Q931 frames is also described.
xxix Warning: Warns against an action that could result in personal injury or death. Advertencia: Warns against an action that could result in bodily injury or death.
xxx Getting Help. For additional support related to the XSR, contact Enterasys Networks by one of these methods. Before contacting Enterasys Networks for technical support, have.
1-1 Chapter 1: Overview. This chapter briefly describes the functionality of the XSR. Refer to the following chapters in this manual for details on how to configure this functionality and to the XSR CLI Reference Guide for a description of associated CLI commands and examples.
1-2 and data-compression negotiation. Also supported: PPPoE client and sub-interface monitoring, and Multilink PPP protocols as well as Dial on Demand (DoD), Bandwidth on Demand (BoD), Multi-Class MLPPP. • IP Protocol - IP supports interconnected systems of packet-switched computer communication networks.
1-3 • Quality of Service - The XSR provides traffic classification using IP Precedence and DSCP bits, bandwidth control via metered, policed and prioritized traffic queues, and queue management utilizing Tail Drop, Random and Weighted Early Detection (RED, WRED).
2-1 Chapter 2: Managing the XSR. The XSR can be managed via three interfaces with varying levels of control: the Command Line Interface (CLI) for full configuration, performance and fault.
2-2 Utilizing the Command Line Interface. Using the Console Port to Remotely Control the XSR: The XSR's Console port can also be connected to a modem for the purpose of remote console control.
2-3 Terminal Commands: If you want to display identification information about the current terminal connection, issue the show whoami command. Refer to the XSR Getting Started Guide and XSR CLI Reference Guide for more information on commands.
2-4 PuTTY and other shareware programs are compatible with the XSR's SSH server. Refer to the XSR Getting Started and CLI Reference guides for more details. Accessing the Initial Prompt: The CLI is protected by security.
2-5 Managing the Session: A first-time CLI session is set up with default attributes; e.g., the session is set to time out after 1800 seconds of idle time. You can reconfigure session values such as creating users, passwords, and login banners, and setting Telnet and Web access.
2-6 • Backwardly compatible/transparent to those not requiring RAI. • Console display of RAI progress. • Console interrupt of the RAI process at any time. • CLI configurable RAI loading: persistent, 5-minute try, and none (disable).
2-7 DHCP client over the LAN: • Operational over an Ethernet interface only, on the lowest slot/card/port only. • Uses the options field for TFTP server, IP address, host name and config file.
2-8 RAI checks each DLCI, up to 30, on a given interface for a Bootp response, an rDNS server and a TFTP server with a configuration file. The first DLCI that accomplishes this will be chosen.
2-9 With bootp enabled, DHCP relay and server functionality is disabled on this DLCI for broadcast packets entering from this DLCI. Unicast bootp requests are still forwarded to the server.
2-10 PPP RAI over a Leased Line: PPP over a leased line performs similarly to Frame Relay RAI over a serial link via a leased Telco line. When PPP negotiation is successful, a point-to-point connection is established from the remote XSR to the central router.
2-11 The first phase establishes a physical connection (training) on the ADSL line. RAI ADSL attempts a physical connection on the first port of the ADSL card, waiting one minute for training to succeed.
2-12 • Command Recall: Non-help commands are stored in the command history list buffer, up to the last 32 commands.
2-13 Refer to Figure 2-1 for a graphic example of configuration modes. Figure 2-1 Partial Configuration Mode Tree. The footnotes below refer to command options cited in the illustration.
2-14 4. Some attributes can be set at this level without acquiring other modes. For example: access-list access-list-num [deny | permit] [parameter [parameter…]] 5. Show commands can all be entered at EXEC, Privileged EXEC or higher modes.
2-15 Mode Examples: Consider the following examples to change configuration mode: XSR>enable + Acquires Privileged EXEC mode; XSR#config terminal + Acquires Global configuration mode; XSR(config)#interface fastethernet 1 + Acquires Interface mode; XSR(config-if<F1>)#ip address 192.
2-16 CLI Command Limits: CLI commands on the XSR are bounded by the following: • Total number of characters in a command line/help message: 2.
2-17 Supported Ports: The XSR supports the following port types: • Single-channel ports: Fast- and GigabitEthernet, Sync/Async serial, ATM.
2-18 • Virtual Interfaces: – Loopback - Range 0 to 15. Interface type: Internal Loopback. – Dialer - Range: 0 to 255. Interface type: Dialer. – VPN - Range: 0 to 255. Interface type: VPN tunnel/Dialer.
2-19 • BRI-Dialer (ISDN) Example: interface dialer 0 + Configures dialer interface 0; ip address 2.
2-20 – Switched: When configuring a switched BRI connection, three serial sub-interfaces are automatically created when you enter: interfac.
2-21 Deleting Table Entries: There are two ways to delete an entry from a table, depending on the table type. Type (e.g.): XSR(config)#no arp 1.1.1.1 e45e.ffe5.ffee + removes the arp entry related to row 1.
2-22 Ports can be enabled or disabled, and configured for default settings, associated tables, clock rate, priority group, and encapsulation, for example. Refer to the XSR CLI Reference Guide for more details on Interface mode commands.
2-23 Managing Message Logs: Messages produced by the XSR, whether alarms or events, as well as link state changes for critical ports and a management authentication log, can be routed to various destinations with the logging command.
2-24 • Contents of stacks (task stacks, interrupt stack) • Status of one special task (packet processor by default) • Code around the crash.
2-25 Using the Real-Time Clock: The XSR's Real-Time Clock (RTC) is employed by other system software modules to time-stamp events and alarms, and is useful when no network clock source is accessible.
2-26 Resetting the Configuration to Factory Default: In situations where the XSR has invalid software or a problem booting up, you can reset the router and return it to its factory default settings by accessing Bootrom Monitor Mode.
2-27 Configuration Save Options: There are several options available regarding configuration: • If you want to make your running configuration the new startup configuration, you can save it to Flash memory with the copy running-config startup-config command.
2-28 For more command details, refer to the XSR CLI Reference Guide. Uploading the Configuration/Crash Report: An upload copies the XSR startup-configuration file (partial) to a system in a CLI script format using TFTP.
2-29 Managing the Software Image: The XSR can store more than one software image in Flash. Creating Alternate Software Image Files: The XSR can create multiple software images, a useful option if you want to quickly select an alternate image.
2-30 • Optionally, if you have CompactFlash installed, you can download the firmware file to cflash: then perform Step 1 (see below) followed by the bu (lower-case u) command.
2-31 4. Using TFTP, transfer updateBootrom.fls from the network: XSR-1805# copy tftp://192.168.27.95/C:/tftpDir/updateBootrom.fls flash:updateBootrom.fls Copy 'tftpDir/updateBootrom.fls' from server as 'updateBootrom.
2-32 Local Bootrom Upgrade: Due to the change in the format of the Bootrom file between version 1.x and version 2.01, a transitional step is required when updating across these versions only.
2-33 – DOS-style full path (without the file name) of the site of the Bootrom file on the host PC. – The username and password to use when connecting to your FTP server on the host PC. 6.
2-34 Programming 131072(0x20000) bytes at address 0xfffa0000 Programming 48299(0xbcab) bytes at address 0xfffc0000 Verifying Bootrom flash sectors Locking 3 Bootrom flash sectors Locking 8 Bootrom flash sectors ***** Bootrom update completed.
2-35 • If the power to the XSR fails, try another reload. • If a syntax error is indicated, examine your configuration for errors. • If the XSR crashes, do not retry reloading; contact Technical Support. EOS fallback is configurable from the CLI or via SNMP.
2-36 5. Set the operation to imageSetSelected: set 1.1.1.1 .1.3.6.1.4.1.5624.1.2.16.2.7.1.3.1 0100 6. Set the row to active: set 1.1.1.1 .1.3.6.1.4.1.5624.1.2.16.2.7.1.11.1 1 7. Reboot the XSR to load the new image by configuring the following: • Create a row: set 1.
2-37 Memory Management: When the XSR boots up, the checksum of these files is calculated and stored in volatile memory. From then on, any time the content of those files is changed, the hash is recalculated and stored.
2-38 Network Management through SNMP. When the memory governor is asked to allow or deny a new resource, the decision is based on: • memory low watermark • extreme limit. You can push the extreme limit of individual resources as long as the memory low watermark is not met.
2-39 SNMP Informs: SNMP Informs were first introduced in SNMPv2. An Inform is essentially nothing more than an acknowledged trap. That is, when a remote application receives an Inform it sends back an "I got it" message.
2-40 Alarm Management (Traps): The following events are supported by SNMP traps: snmpTrapColdStart, snmpTrapWarmStart, snmpTrapLinkDown, snmpTrapL.
2-41 Latency (network delay) is measured with the formula D(i) = (Ri - Si), which is the round-trip interval between sending and receiving the ICMP packet triggered by the initiator and echoed back by the target.
2-42 Via SNMP: The following example creates a row in the aggregate measure table with owner userA. If the entry is created with owner monitor, replace 5.117.115.101.114.65 with 7.109.111.110.
2-43 Query a Measurement: Now that you have performed the previous actions, you can query the measurement result. Via CLI: The following command displays rtr output: XSR#show rtr history. Via SNMP: 1.
2-44 Software Image Download using NetSight: The NetSight Remote Administrator application can download an image to the XSR using TFTP. The software image download is initiated through NetSight using an SNMP set command, which triggers a TFTP download session initiated from the XSR.
2-45 Accessing the XSR Through the Web. 1. Write a plain ASCII file containing the CLI commands you want entered. For example: interface FastEthernet2 ip address 192.168.19.1 255.255.255.0 no shutdown 2. Save and move the file to the root directory of the TFTP server on your PC.
2-46 Network Management Tools. Using the CLI for Downloads: TFTP can be used to transfer system firmware to the XSR remotely. A TFTP server must be running on the remote machine, and the firmware image file must reside in the TFTP root directory of the server when using the copy tftp filename command.
3-1 Chapter 3: Managing LAN/WAN Interfaces. Overview of LAN Interfaces: The XSR supports two 10/100 Base-T FastEthernet ports on the XSR 1800 Series branch routers and three 10/100/1000 Base-T GigabitEthernet ports on the XSR 3000 Series regional routers.
3-2 Configuring the LAN. • Maximum Transmission Unit (MTU) - all frames less than or equal to 1518 bytes are accepted.
3-3 Overview of WAN Interfaces: The XSR supports as many as six serial cards (in an XSR-3250), each of which can support four ports, for a maximum of 24 serial ports. Each port is individually configurable regarding speed, media-type, and protocol.
3-4 Configuring the WAN. • Clocking speed - For Sync interfaces, an external clock must be provided. Acceptable clock values range from 2400 Hz to 10 MHz.
3-5 The following example configures the asynchronous serial interface on NIM 2, port 0 with the following non-default values: PPP encapsulation, RS422 cabling, 57600 bps clock rate, MTU size of 1200 bytes, no parity, 7 databits and 2 stopbits.
4-1 Chapter 4: Configuring T1/E1 & T3/E3 Interfaces. Overview: The XSR provides Frame Relay and PPP service via T1/E1 and T3/E3 functionality as well as Drop and Insert features. T1/E1 Functionality: The XSR provides a T1/E1 subsystem on a single NIM-based I/O card with a maximum of two installed NIMs.
4-2 Features. • Support for local and remote loopback • Support for an IP interface as a loopback (refer to the CLI Reference Guide for an example) •.
4-3 • Line rate - 34.368 Mbps • Full rate - 34.0995 Mbps (G751) • Sub-rate - approximately 3 Mbps increments up to 33 Mbps • Compatible DSUs supported – Cisco or Quick Eagle (formerly Digital Link) DL3100 E3-300-33.
4-4 • Clear Channel service is similar to the full rate service except that the data stream rate is slightly higher because the framing overhead bits are also used to deliver data. – T3 - Not Available – E3 - 34.
4-5 Configuring Channelized T1/E1 Interfaces. • The D & I NIM supports different framing and line coding on the CO T1 and PBX T1 po.
4-6 Configuring Un-channelized T3/E3 Interfaces. 9. Add any additional configuration commands required to enable IP- or PPP-related protocols. 10. Use the no shutdown and exit commands to enable the interface and return to configuration mode.
4-7 Troubleshooting T1/E1 & T3/E3 Links: This section describes general procedures for troubleshooting T1/E1 lines on the XSR.
4-8 Figure 4-3 T1/E1 & T3/E3 Physical Layer (Layer 1) Troubleshooting Flowchart. The show controller command displays current controller parameters, status and statistics data.
4-9 2. Restart the controller: XSR(config-controller<T1/0>)#no shutdown. If the T1/E1 or T3/E3 controller and line are not up, check t.
4-10 Receive Remote Alarm Indication (RAI - Yellow Alarm): 1. Insert an external loopback cable into the T1/E1 or T3/E3 port. 2. Use the show controller command to check for alarms.
4-11 Figure 4-5 T1/E1 & T3/E3 Alarm Analysis Troubleshooting Actions Flow (Part 2). T1/E1 & T3/E3 Error Events Analysis: This section describes various error events that can occur on controller lines and provides troubleshooting information to fix some of these errors.
4-12 Figure 4-6 T1/E1 & T3/E3 Error Events Analysis Troubleshooting Flowchart. Slip Seconds Counter Increasing: If slip seconds are present on the T1/E1 or T3/E3 line, usually there is a clocking problem.
4-13 Framing Loss Seconds Increasing: If framing loss seconds are present on the T1/E1 line, usually there is a framing problem. Perform the following steps to correct this problem: 1. Ensure the framing format configured on the controller port matches the framing format of the line.
5-1 Chapter 5: Configuring IP. Overview: This document describes the XSR's IP protocol suite functionality including: • General IP features (ARP, ICMP, TCP, UDP, TFTP, Telnet, SSH, NAT, VRRP, Proxy DNS, et al.
5-2 General IP Features. • The Router ID can be configured with the ip router-id command or, if not configured, automatically generated from the existing configuration.
5-3 • Troubleshooting Tools – Ping – Traceroute • IP Routing – RIP – Triggered-on-Demand RIP updates – OSPF including Database.
5-4 • Virtual Router Redundancy Protocol (VRRP): RFC-2338 and Definitions of Managed Objects for the Virtual Router Redundancy Protocol: RFC-2787 • Equal-Cos.
5-5 When a BOOTP/DHCP response is received, the packet is sent to the requester as a unicast IP packet, according to RFC-951, with clarifications in RFC-1532. The source addresses of the relayed BOOTP/DHCP packets can be selected using the ip dhcp relay-source gateway command.
5-6 does not actually examine or store full routing tables sent by routing devices; it merely keeps track of which systems are sending such data. Using IRDP, the XSR can specify both a priority and the time after which a device should be assumed down if no further packets are received.
5-7 hostkey.dat file unless none have been generated or the content of the file is corrupted, in which case default keys are used to secure the connection. A number of SSH clients are commercially available. Enterasys recommends the PuTTY client freeware as compatible and easy to configure.
5-8 An XSR interface can support one primary IP address and multiple secondary IP addresses. Including all XSR interfaces, the total of supported secondary IP ad.
5-9 Routing Table Manager & Secondary IP: If the interface is up, each primary and secondary IP address will have an entry in the routing table as a directly connected route.
5-10 IP Routing Protocols. VRRP & Secondary IP: Multiple virtual IP addresses per Virtual Router (VR) are available to support multiple logical IP subnets on a single LAN segment.
5-11 • Static routes • Route redistribution • Default network • CIDR (classless IP) • Configurable Router ID • Route Preference. When you run multiple routing protocols, the XSR assigns a weight to each of them.
5-12 • Offset metric parameters - route metrics via RIP. Adding an offset to an interface might force a route through that interface to become a backup route.
5-13 • The latest changes are sent when: – The routing database is modified by new data. The latest changes are sent through all interfaces running triggered-on-demand RIP.
5-14 • Dial-on-demand connections. Retransmissions are governed by the following conditions, among others: • The retransmission timer is a periodic timer set to 5 seconds.
5-15 • Incremental SPF is always enabled. SPF calculation can be changed with timers spf • Hello wait intervals with ip ospf dead-interval and ip ospf hel.
5-16 Each LSA type configurable for database overflow can generate a log to reflect pending overflow, overflow entered and exited logs in this format: – Date an.
IP Routing Protocols XSR User’s Guide 5-17 OSPF T roubleshooting XSR commands provide debugging of OSPF V ersion 2 control information including: • Monitoring specific OSPF events fr om the CLI wi.
IP Routing Protocols 5-18 Configuring IP –S t a t i c r o u t e s : 1 – BGP external routes: 20 –O S P F i n t r a - a r e a r o u t e s : 108 – OSPF inter-ar ea routes: 11 0 – OSPF external.
IP Routing Protocols XSR User’s Guide 5-19 Figure 5-1 802.1Q VLAN T ag The rese rved T ag T ype denotes the associated Ethernet frame type of the VLAN T ag while the remaining 16 tag bits comprise t.
IP Routing Protocols 5-20 Configuring IP Figure 5-3 T opology of Ethern et/PPPoE/VLAN/PPPoE over VLAN VLAN Processing Over the XS R’ s Ethernet Interfaces The VLAN routing pr ocess, shown in Figur e 5-4 , works as follows on the XSR. The following steps are r eflected in the graphic below .
IP Routing Protocols XSR User’s Guide 5-21 Figure 5-5 VLAN Ethernet to Fast/GigabitEthernet T opology VLAN Processing: VLAN-enabled Ethernet to W AN Interfaces In this scenario, shown in Figure 5- 6 , the XSR does not insert a VLAN tag in Ethernet frames because no VLAN is linked with the outgoing port (Serial 1).
IP Routing Protocols 5-22 Configuring IP Figure 5-7 W AN Interface to VLAN Ethernet T opology For sample configurations, refer to “Configuring VLAN Examples” on page 5-46. QoS with VLAN The XSR’s support for Quality of Service (QoS ) with VLAN is described in the chapter “Configuring Quality of Service” on page 12-1.
IP Routing Protocols XSR User’s Guide 5-23 2. When a policy entry is found for a packet, the table search ends and the packet is processed accordi ng to that entry . 3. Each entry has a gr oup of match and set clauses. All match clause s must matc h in orde r to process the packet accor ding to the ent ry .
IP Routing Protocols 5-24 Configuring IP Default Network The default network is used to specify candidates for the default r oute when a default route is not specified or learne d.
IP Routing Protocols XSR User’s Guide 5-25 Leaving the Router ID unconfigured or allowing it to be assigned by default to a physical IP interface can be risky because physical interfaces are impermanent and their IP addresses can be re-configure d.
IP Routing Protocols 5-26 Configuring IP R TP_compression TX r eached maximum allowed connections, R TP compression r eceived un-expected 8 bit CID R TP compression r eceived un-expected 16 bit CID Received CID (mmm) exceeds the negotiated max CID nnn.
IP Routing Protocols XSR User’s Guide 5-27 • Application Level Gat eway (ALG) for F TP , ICMP , Netbios over TCP and UDP – PPTP/GRE ALG for NAP T - allows PP TP traffic to be NA Tted • Multiple ISP - NAP T based on the egress interface. • W ith NAPT , routing is not automaticall y filtered out.
Figure 5-8 Simple VRRP Topology
Because the VR uses the IP address of the physical Ethernet interface of XSR1, XSR1 becomes the master VR, also known as the IP address owner. XSR1, as the master VR, assumes the IP address of the VR and is responsible for forwarding packets sent to this IP address.
• Virtual Router - An abstract object managed by VRRP that acts as a default router for hosts on a shared LAN. It consists of a VR Identifier and a set of associated IP address(es) across a common LAN.
• Broadcasts a gratuitous ARP message carrying the VR's MAC address for each IP address associated with the VR,
• Starts the advertisement timer,
• Transitions to the master state.
Load Balancing
The XSR provides load balancing according to the following rules:
• Load balancing depends on how your network is designed.
• Master VR - all traffic, including locally generated and forwarded traffic, uses one of the virtual MAC addresses as the source MAC address, except VRRP protocol packets, which use the virtual MAC address of the VR they belong to as the source MAC address.
When the actual IP address owner of the Virtual IP address releases the master state of the VR, it will no longer be able to receive any IP packet destined for that address, even though the physical interface is still up.
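The election and master-transition behaviour described on these pages, as an added Python example that is not Enterasys code. It applies the VRRP rules the text relies on (the address owner runs at priority 255 and always preempts; otherwise the highest priority wins, with ties broken by the higher primary address; priority 0 releases the VR) and derives the virtual MAC 00-00-5E-00-01-VRID. The router names, addresses and priorities are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

VRRP_MAC_PREFIX = "00-00-5E-00-01"   # IANA-assigned VRRP block (RFC 3768 section 7.3)


def virtual_mac(vrid: int) -> str:
    """Virtual MAC for a VRID: 00-00-5E-00-01-{VRID}; VRID is 1..255."""
    if not 1 <= vrid <= 255:
        raise ValueError("VRID must be 1..255")
    return f"{VRRP_MAC_PREFIX}-{vrid:02X}"


@dataclass
class VrrpRouter:
    name: str
    ip: str                 # primary IP of the interface running VRRP
    priority: int = 100     # configured 1..254; 0 means "I am releasing the VR"


def effective_priority(r: VrrpRouter, vr_ip: str) -> int:
    """The router whose interface address IS the VR address is the owner and
    runs at priority 255; nobody else may use 255."""
    return 255 if r.ip == vr_ip else r.priority


def elect_master(routers: List[VrrpRouter], vr_ip: str) -> Optional[VrrpRouter]:
    """Highest effective priority wins; ties go to the higher primary IP.
    Returns None when every router has released the VR (priority 0)."""
    live = [r for r in routers if effective_priority(r, vr_ip) > 0]
    if not live:
        return None
    return max(live, key=lambda r: (effective_priority(r, vr_ip),
                                    int(ipaddress.ip_address(r.ip))))


def should_preempt(master: VrrpRouter, challenger: VrrpRouter, vr_ip: str, preempt: bool) -> bool:
    """A backup displaces a running master only if preemption is enabled and its
    priority is strictly higher; the address owner always preempts."""
    cp = effective_priority(challenger, vr_ip)
    if cp == 255:
        return True
    return preempt and cp > effective_priority(master, vr_ip)


def master_transition_actions(vrid: int, vr_ips: List[str]) -> List[str]:
    """What a router does on entering the master state: one gratuitous ARP per
    VR address carrying the virtual MAC, then start the advertisement timer."""
    mac = virtual_mac(vrid)
    return [f"gratuitous-arp {ip} is-at {mac}" for ip in vr_ips] + ["start-advertisement-timer"]


if __name__ == "__main__":
    xsr1 = VrrpRouter("XSR1", "10.10.10.1", 100)
    xsr2 = VrrpRouter("XSR2", "10.10.10.2", 200)
    print("owner wins:", elect_master([xsr1, xsr2], "10.10.10.1").name)
    print("no owner  :", elect_master([xsr1, xsr2], "10.10.10.50").name)
```

The first print shows the point made under Figure 5-8: XSR1 becomes master because it owns the address, even though XSR2 carries the higher configured priority; with a VR address owned by neither router, priority decides.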
Equal-Cost Multi-Path (ECMP)
Equal-Cost Multi-Path (ECMP) is a technique that forwards packets along multiple paths of equal cost, aggregating multiple physical links into one virtual link to increase the total bandwidth of a connection.
Figure 5-10 ECMP VPN Load Balancing Topology
Configuring RIP Examples
The following example enables RIP on both FastEthernet interfaces and a serial link of the XSR. The FastEthernet 2 interface is configured to be totally passive (updates neither sent nor received).
XSR(config-if<F1>)#ip address 192.168.1.100 255.255.255.0
XSR(config-if<F1>)#ip access-group 1 in
XSR(config-if<F1>)#ip access-group 1 o…
Configuring Unnumbered IP Serial Interface Example
The following example configures an X.21-type serial interface 1/0 as an unnumbered serial interface. Serial 1/0 is directed to use the IP address of FastEthernet port 1.
Configuring NAT Examples
Basic One-to-One Static NAT
The following example illustrates inside source address translation on the XSR, as shown in Figure 5-11 below.
Figure 5-11 NAT Inside Source Translation
1. …
Dynamic Pool Configuration
The following example illustrates dynamic pool translation on the XSR, as shown in Figure 5-12.
3. Optional. Add an ACL to permit NAT traffic from the 10.1.1.0 network. All other traffic is implicitly denied.
XSR(config)#access-list 57 permit 10.1.1.0 0.0.0.255
4. Optional. Reset the default NAT timeout interval to 5 minutes:
XSR(config)#ip nat translation timeout timeout 300
5. …
3. Host 172.20.2.1 receives the packet and responds to address 200.2.2.1.
4. When the XSR receives the packet, it searches the NAPT table using the protocol, global address and port, and translates the address to the inside local address 10…
2. The first packet the XSR receives from 10.1.1.1 is checked against its ACLs. ACL 101 matches, and pool NatPool is used. A check is made for an existing mapping; if one is found it is used, otherwise a new one is created.
Figure 5-15 Static NAT within Interface
As shown in Figure 5-15, packets from the PC at 10.1.1.1 are statically NATted to 203.2.2.1, through neither of the pools. This occurs because static NAT takes precedence over other NAT forms.
+ The above optional NAPT commands use ACL 101 for the 200.2.2.0 network and ACL 102 for the 201.2.2.0 network.
XSR(config-if<F2>)#ip nat source intf-static 10.1.1.1 203.2.2.1
+ The above optional command statically NATs packets from 10…
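An added Python model of the NAPT behaviour in the examples above: ACL-selected pools, reuse of an existing mapping, static NAT taking precedence over the pools, and the inbound lookup by protocol, global address and port (step 4). It is not XSR code; the addresses echo those in the figures, but the ACL contents and the port allocation order are assumptions.

```python
import ipaddress
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


class Napt:
    def __init__(self, static: Dict[str, str], pools: List[Tuple[str, str]],
                 acls: Dict[str, List[str]], first_port: int = 1024):
        self.static = dict(static)                          # inside local -> inside global
        self.static_rev = {g: l for l, g in static.items()}
        self.pools = pools                                  # (acl name, global address), in order
        self.acls = acls                                    # acl name -> permitted source prefixes
        self.next_port = first_port
        self.out_table: Dict[Tuple[str, str, int], Tuple[str, int]] = {}
        self.in_table: Dict[Tuple[str, str, int], Tuple[str, int]] = {}

    def _permitted(self, acl: str, ip: str) -> bool:
        a = ipaddress.ip_address(ip)
        return any(a in ipaddress.ip_network(n) for n in self.acls[acl])

    def translate_out(self, f: Flow) -> Flow:
        """Inside -> outside. Static one-to-one wins over any pool and keeps the
        port; otherwise the first pool whose ACL permits the source is used,
        reusing an existing mapping when one exists. Sources no ACL permits are
        returned untouched (routed without translation)."""
        if f.src in self.static:
            return replace(f, src=self.static[f.src])
        key = (f.proto, f.src, f.sport)
        if key not in self.out_table:
            for acl, gip in self.pools:
                if self._permitted(acl, f.src):
                    gport = self.next_port
                    self.next_port += 1
                    self.out_table[key] = (gip, gport)
                    self.in_table[(f.proto, gip, gport)] = (f.src, f.sport)
                    break
            else:
                return f
        gip, gport = self.out_table[key]
        return replace(f, src=gip, sport=gport)

    def translate_in(self, f: Flow) -> Optional[Flow]:
        """Outside -> inside. Static targets map by address alone; NAPT targets
        are looked up by (protocol, global address, global port). An inbound
        packet with no entry is dropped (None), which is why NAPT hides hosts."""
        if f.dst in self.static_rev:
            return replace(f, dst=self.static_rev[f.dst])
        hit = self.in_table.get((f.proto, f.dst, f.dport))
        if hit is None:
            return None
        lip, lport = hit
        return replace(f, dst=lip, dport=lport)


def demo() -> Napt:
    """Constructed topology echoing the page's addresses: static 10.1.1.1 -> 203.2.2.1,
    pool 200.2.2.1 for ACL 101 (10.1.1.0/24), pool 201.2.2.1 for ACL 102 (10.1.2.0/24)."""
    return Napt(static={"10.1.1.1": "203.2.2.1"},
                pools=[("101", "200.2.2.1"), ("102", "201.2.2.1")],
                acls={"101": ["10.1.1.0/24"], "102": ["10.1.2.0/24"]})


if __name__ == "__main__":
    n = demo()
    print(n.translate_out(Flow("tcp", "10.1.1.1", 40000, "172.20.2.1", 80)))   # static, port kept
    out = n.translate_out(Flow("tcp", "10.1.1.7", 40000, "172.20.2.1", 80))     # pool 200.2.2.1
    print(out, n.translate_in(Flow("tcp", "172.20.2.1", 80, out.src, out.sport)))
```

Note that 10.1.1.1 is also covered by ACL 101, yet it never touches the pool: the static entry is consulted first, which is the precedence rule stated for Figure 5-15.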
XSR(config-if<G1>)#ip policy
These commands create the PBR route map, map it to ACL 101, and set the forwarding router to 192.168.5.2:
XSR(config)#route-map pbr 101
XSR(config-pbr-map)#match ip address 101
XSR(config-pbr-map)#set ip next-hop 192…
XSRb(config-if<F1>)#vrrp 5 priority 200
XSRb(config-if<F1>)#vrrp 5 adver-int 30
XSRb(config-if<F1>)#vrrp 5 ip 10.10.10.50
XSRb(config-if<F1>)#vrrp 5 preempt delay 2
XSRb(config-if<F1>)#vrrp 5 track serial 2/0
XSRb(config-if<F1>)#vrrp 100 ip 10…
6 Configuring the Border Gateway Protocol
Features
The XSR supports the following Border Gateway Protocol (BGP-4) features:
• Full mandatory BGP v4 protocol support (RFC-1…
Figure 6-1 Differentiating EBGP from IBGP
BGP can be categorized as a path vector routing protocol, which defines a route as a pairing between a destination and the qualities of the path to that destination.
• Hold time: Number of seconds that the sender proposes for the value of the Hold Timer. The hold time defines the interval that can elapse without receipt of an Update or KeepAlive message before the peer is assumed to be disabled.
AS Path
The AS_PATH attribute, as shown in Figure 6-2, is the sequence of AS numbers a route has traversed to reach a destination. The AS that originates the route adds its own AS number when sending the route to its EBGP peers.
BGP considers the ORIGIN attribute in its decision-making process to set a preference ranking among multiple routes. Namely, BGP prefers the path with the lowest origin type, where IGP is lower than EGP, and EGP is lower than INCOMPLETE.
Figure 6-3 Local Preference Applied to Direct Egress Traffic from AS…
Weight
Weight, as shown in Figure 6-4, and LOCAL_PREF are similar attributes, except that weight is not exchanged between routers; it is significant only locally. Higher preference is accorded the route with the higher weight.
Aggregator
The AGGREGATOR attribute, as shown in Figure 6-5, is added by the BGP speaker that formed the aggregate route. It includes the AS and router ID of the BGP speaker that originated the aggregate prefix.
Figure 6-6 MED Applied to Direct Ingress Traffic Flow to an AS
Community
A BGP community, as shown in Figure 6-7, is defined as a group of destinations that share some common property and is not limited to one network or AS.
learn, advertise, or redistribute routes. When routes are aggregated, the resulting aggregate has a COMMUNITIES attribute that contains all communities from all the initial routes. Community lists form groups of communities for use in a route map's match clause.
BGP Path Selection Process
BGP routers usually consider multiple paths to a destination. The BGP best path selection process decides the optimal path to install in the IP routing table and use for forwarding traffic.
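The decision order summarised on these pages (weight, LOCAL_PREF, AS_PATH length, ORIGIN with IGP < EGP < INCOMPLETE, MED, EBGP before IBGP, lowest router ID), as an added Python example rather than XSR code. The candidate paths are constructed. Comparing MED only between routes from the same neighbouring AS unless always_compare_med is set is the standard behaviour and an assumption about the XSR.

```python
from dataclasses import dataclass
from typing import List, Optional

ORIGIN_RANK = {"igp": 0, "egp": 1, "incomplete": 2}     # lower is preferred


@dataclass
class BgpPath:
    next_hop: str
    as_path: List[int]
    origin: str = "igp"
    med: int = 0
    local_pref: int = 100
    weight: int = 0
    ebgp: bool = True
    router_id: str = "0.0.0.0"     # BGP identifier of the advertising peer

    @property
    def neighbor_as(self) -> Optional[int]:
        return self.as_path[0] if self.as_path else None


def _rid(p: BgpPath):
    return tuple(int(x) for x in p.router_id.split("."))


def prefer(a: BgpPath, b: BgpPath, always_compare_med: bool = False) -> bool:
    """True when a beats b. Steps in the order the text lists them: higher
    weight, higher LOCAL_PREF, shorter AS_PATH, lower ORIGIN, lower MED (only
    between routes from the same neighbouring AS unless always_compare_med),
    EBGP over IBGP, and finally the lowest router ID."""
    if a.weight != b.weight:
        return a.weight > b.weight
    if a.local_pref != b.local_pref:
        return a.local_pref > b.local_pref
    if len(a.as_path) != len(b.as_path):
        return len(a.as_path) < len(b.as_path)
    if ORIGIN_RANK[a.origin] != ORIGIN_RANK[b.origin]:
        return ORIGIN_RANK[a.origin] < ORIGIN_RANK[b.origin]
    if (always_compare_med or a.neighbor_as == b.neighbor_as) and a.med != b.med:
        return a.med < b.med
    if a.ebgp != b.ebgp:
        return a.ebgp
    return _rid(a) < _rid(b)


def best_path(paths: List[BgpPath], always_compare_med: bool = False) -> BgpPath:
    """Tournament over the candidates; the survivor is installed in the routing table."""
    if not paths:
        raise ValueError("no candidate paths")
    winner = paths[0]
    for p in paths[1:]:
        if prefer(p, winner, always_compare_med):
            winner = p
    return winner


if __name__ == "__main__":
    # Constructed candidates: a shorter path via AS 200 and a heavier-weighted longer one via AS 100.
    short = BgpPath("192.168.57.4", [200, 300], router_id="192.168.57.4")
    heavy = BgpPath("192.168.57.69", [100, 400, 300], weight=50, router_id="192.168.57.69")
    print("without weight:", best_path([BgpPath("192.168.57.69", [100, 400, 300]), short]).next_hop)
    print("with weight   :", best_path([short, heavy]).next_hop)
```

Because weight is evaluated first, a locally configured weight overrides every attribute the neighbours sent, which is what makes it a purely local lever: the same prefix may win on this router and lose on the next.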
Access Control Lists
Access Control Lists (ACLs) are filters that permit or deny access to one or more IP addresses. ACLs generally apply to both route updates and packet filtering, but with BGP, route update filtering is emphasized.
• Set community attributes for a specific route with set community
• Set the origin for a specific route with set origin
• Set the MED of a specific route with …
• Display all routes with any AS path:
– show ip bgp ".*"
• Display all routes having at least two AS numbers in the AS path:
– show ip bgp ". . +"
• Display all routes that traversed AS number 600:
– show ip bgp "…
• Permit a local BGP speaker to send the default route 0.0.0.0 to a neighbor as the default route: neighbor default-originate
• Configure the COMMUNITIES attribu…
Synchronization
When an AS provides transit service to other ASs and there are non-BGP routers in the AS, transit traffic might be dropped if the intermediate non-BGP routers have not learned routes for that traffic via an IGP.
prefix is suppressed for a calculated period: a penalty that is further incremented with every subsequent flap. The penalty then decays, halving with each half-life interval, until it falls below a reuse threshold.
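The penalty arithmetic described above, as an added Python example; it is not XSR code. The numeric parameters (1000 points per flap, 15-minute half-life, reuse threshold 750, suppress limit 2000, 60-minute maximum suppression) are common values assumed for illustration, not necessarily the XSR's defaults.

```python
import math


class FlapDampener:
    """Per-prefix dampening state with exponential decay of the penalty."""

    def __init__(self, half_life=900.0, reuse=750.0, suppress=2000.0,
                 max_suppress=3600.0, flap_penalty=1000.0):
        self.half_life = half_life
        self.reuse = reuse
        self.suppress = suppress
        self.flap_penalty = flap_penalty
        # Largest penalty that still decays below `reuse` within max_suppress
        # seconds; capping at it guarantees no prefix is suppressed longer.
        self.ceiling = reuse * 2 ** (max_suppress / half_life)
        self.penalty = 0.0
        self.last = 0.0
        self.suppressed = False

    def _decay_to(self, now: float) -> None:
        """The penalty halves every half_life seconds."""
        self.penalty *= 0.5 ** ((now - self.last) / self.half_life)
        self.last = now

    def flap(self, now: float) -> bool:
        """Prefix withdrawn: add the penalty; suppress once it exceeds the limit."""
        self._decay_to(now)
        self.penalty = min(self.penalty + self.flap_penalty, self.ceiling)
        if self.penalty > self.suppress:
            self.suppressed = True
        return self.suppressed

    def is_suppressed(self, now: float) -> bool:
        """Re-evaluate at time now; the prefix is reused once penalty < reuse."""
        self._decay_to(now)
        if self.suppressed and self.penalty < self.reuse:
            self.suppressed = False
        return self.suppressed

    def seconds_until_reuse(self, now: float) -> float:
        """How long the prefix stays suppressed if it does not flap again."""
        self._decay_to(now)
        if self.penalty <= self.reuse:
            return 0.0
        return self.half_life * math.log2(self.penalty / self.reuse)


if __name__ == "__main__":
    d = FlapDampener()
    for _ in range(3):
        d.flap(0)                      # three flaps at t=0: penalty 3000 > 2000
    print("suppressed:", d.suppressed, "reuse in", d.seconds_until_reuse(0), "s")
```

Three flaps reach a penalty of 3000; with a 15-minute half-life that takes two half-lives (1800 s) to fall below 750. The ceiling matters for a prefix flapping continuously: without it the penalty, and therefore the suppression, would grow without bound.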
Scaling BGP
BGP requires that all BGP speakers within a single AS (IBGP) be fully meshed, as shown in Figure 6-10. The result is that for n BGP speakers within an AS, the number of unique BGP sessions required is n x (n-1)/2.
Route Reflectors
Route reflectors are an alternative to the requirement of a fully meshed network within an AS, as illustrated in Figure 6-11. This approach allows a BGP speaker (known as a route reflector) to advertise IBGP-learned routes to certain IBGP peers.
It is typical for a client cluster to have one route reflector and to be identified by the reflector's router ID. If you want greater redundancy and wish to avoid a single point of failure, you can add more than one reflector to a cluster.
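The mesh formula and the route-reflector rules, as an added Python example; not XSR code. The peer addresses are taken from the BGP configuration examples later in this chapter, but their roles as clients, non-clients and EBGP peers are assumptions for the example. The reflection and loop-prevention rules are those of RFC 4456: a route from a client is reflected to all other clients and all non-clients, a route from a non-client goes to clients only, reflected updates carry ORIGINATOR_ID and the reflector's CLUSTER_ID, and an update already bearing this cluster's ID is discarded.

```python
from typing import Dict, List, Optional, Tuple


def full_mesh_sessions(n: int) -> int:
    """IBGP sessions for n fully meshed speakers: n(n-1)/2."""
    return n * (n - 1) // 2


def reflector_sessions(clients: int, reflectors: int = 1) -> int:
    """Each client peers with every reflector in its cluster; only the reflectors
    still need a mesh among themselves."""
    return clients * reflectors + full_mesh_sessions(reflectors)


class RouteReflector:
    def __init__(self, router_id: str, cluster_id: str, peers: Dict[str, str]):
        self.router_id = router_id
        self.cluster_id = cluster_id
        self.peers = peers      # peer router-id -> "client" | "non-client" | "ebgp"

    def reflect(self, update: dict, sender: str) -> Tuple[List[str], Optional[dict]]:
        """Return (recipients, update as sent) or ([], None) if discarded."""
        cluster_list = list(update.get("cluster_list", []))
        if self.cluster_id in cluster_list:
            return [], None     # our own cluster ID is already in the list: a loop
        kind = self.peers[sender]
        out = dict(update)
        if kind == "ebgp":
            # Not a reflection: an EBGP-learned route is simply advertised to every IBGP peer.
            targets = {"client", "non-client"}
        else:
            targets = {"client", "non-client"} if kind == "client" else {"client"}
            out.setdefault("originator_id", sender)
            out["cluster_list"] = [self.cluster_id] + cluster_list
        recipients = sorted(p for p, k in self.peers.items()
                            if k in targets and p != sender and p != out.get("originator_id"))
        return recipients, out


if __name__ == "__main__":
    print("10 speakers, full mesh:", full_mesh_sessions(10), "sessions")
    print("9 clients + 1 reflector:", reflector_sessions(9), "sessions")
    rr = RouteReflector("192.168.57.1", "192.168.57.1",
                        {"192.168.57.3": "client", "192.168.57.4": "client",
                         "192.168.57.5": "non-client", "130.32.32.1": "ebgp"})
    print(rr.reflect({"prefix": "10.0.0.0/8"}, "192.168.57.3"))
```

The CLUSTER_LIST check is what keeps a redundant cluster (two reflectors, as the text suggests) from bouncing a route between the reflectors indefinitely: the second reflector sees its own cluster ID in the list and drops the update.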
Figure 6-12 Use of Confederations to Reduce IBGP Mesh
Displaying System and Network Statistics
The XSR supports BGP statistical displays such as routing table entries, caches, and databases. The XSR can also show data about node accessibility and the path packets take through the network.
• Show BGP peer group data: show ip bgp peer-group
• Show routes matching regular AS path expressions: show ip bgp regex …
XSR(config-router)#neighbor 192.168.57.4 remote-as 200
XSR(config-router)#neighbor 192.168.57.4 route-map 77 out
XSR(config-router)#route-map 77 5 …
XSR(config-router)#neighbor 192.168.57.69 filter-list 3 out
XSR(config-router)#neighbor 192…
XSR(config-router)#neighbor 130.32.32.1 remote-as 37
In a BGP speaker in AS 2, configure the peers from ASs 1 and 3 as special EBGP peers. Node 191.169.57.1 is a standard IBGP peer and 131.21.12…
XSR(config-router)#neighbor IBGP filter-list 1 out
XSR(config-router)#neighbor IBGP filter-list 2 in
XSR(config-router)#neighbor 192.168.57.3 peer-group IBGP
XSR(config-router)#neighbor 192…
XSR(config-router)#neighbor 192.168.57.90 send-community
XSR(config-router)#neighbor 192.168.57.90 route-map 111 out
XSR(config-router)#neighbor ro…
XSR(config-router)#bgp confederation identifier 100
XSR(config-router)#bgp confederation peer 10 20 30
XSR(config-router)#neighbor 192.168.57.50 remote-as 15
XSR(config-router)#neighbor 192…
7 Configuring PIM-SM and IGMP
This chapter describes Protocol Independent Multicast - Sparse Mode (PIM-SM) and Internet Group Management Protocol (IGMP) configuration.
calculates the checksum over the whole Register packet, including the data portion. When the XSR receives a Register packet, it accepts both partial and whole checksum methods.
• Addresses between 239.0.0.0 and 239.255.255.255 should not be forwarded beyond an organization's intranet.
• Addresses between 232.0.0.0 and 232.255.255.255 are set aside especially for Source-Specific Multicast (SSM) service.
Two basic types of MDTs are source and shared trees, described as follows:
• A source tree is a distribution network with its root at the source and branches forming a spanning tree through the network to its receivers.
IGMP is an asymmetric protocol, so there are separate behaviors for group members (hosts or routers that wish to receive multicast packets) and multicast routers (routers that can forward multicast packets).
Receiving a Query
When a LAN contains multiple multicast routers, IGMPv3 chooses a single querier per subnet using the same querier election mechanism as IGMPv2, namely by IP address: the router with the lowest IP address becomes the querier.
Behavior of Group Members Among Older Version Group Members
An IGMPv3 host may be situated in a network where hosts have not yet been upgraded to IGMPv3.
Phase 1: Building a Shared Tree
During phase one, PIM-SM builds a shared tree rooted at a special router called the Rendezvous Point (RP), as shown in Figure 7-2.
interconnects with a router that is already on the shortest path tree from S to the same multicast group, the Join message can end at that router, yielding a short-cut path.
Figure 7-4 Phase 3 Topology: Shortest Path Tree Between Sender and Receiver
Neighbor Discovery and DR Election
PIM-SM neighbor discovery and DR election are performed via Hello messages, which are sent periodically through each PIM-enabled interface.
PIM Register Message
By the end of PIM-SM phase one, the DR for the sender encapsulates packets from the sender in a Register message and sends it to the RP for the multicast group.
Assert messages are used to negotiate which router will forward the multicast packets. The assert winner is the router with the lower preference (usually a unicast routing protocol preference) and, if preferences are equal, the lower metric learned from that protocol; a remaining tie goes to the higher IP address.
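Both elections mentioned on these pages, the PIM assert winner and the IGMP querier, in one added Python example that is not XSR code. The assert ordering follows RFC 4601 (an (S,G) metric beats a shared-tree metric, then lower preference, lower metric, higher address) and the querier election follows RFC 3376 (lowest address wins, with an Other-Querier-Present timer of 255 s from the RFC defaults). Router addresses, preferences and metrics are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


def _ip(a: str) -> int:
    return int(ipaddress.ip_address(a))


@dataclass(frozen=True)
class AssertMetric:
    rpt_bit: bool        # True when the metric is for the shared (RP) tree, False for (S,G)
    preference: int      # unicast routing protocol preference (administrative distance)
    metric: int          # route metric learned from that protocol
    ip: str              # address of the router sending the Assert


def _assert_key(m: AssertMetric):
    # Smaller tuple wins; the IP is negated because the HIGHER address wins ties.
    return (m.rpt_bit, m.preference, m.metric, -_ip(m.ip))


def assert_better(a: AssertMetric, b: AssertMetric) -> bool:
    """RFC 4601 section 4.6.3 ordering."""
    return _assert_key(a) < _assert_key(b)


def assert_winner(candidates: List[AssertMetric]) -> AssertMetric:
    return min(candidates, key=_assert_key)


def on_assert_received(mine: AssertMetric, received: AssertMetric) -> str:
    """A router forwarding onto the LAN hears another router's Assert. It either
    keeps forwarding and answers with its own Assert ('win') or prunes its
    interface for this group ('lose')."""
    return "win" if assert_better(mine, received) else "lose"


class IgmpQuerierState:
    """Every router starts as querier; hearing a Query from a LOWER address
    demotes it until the Other-Querier-Present timer expires
    (robustness * query interval + query response interval / 2 = 2*125 + 10/2)."""

    def __init__(self, my_ip: str, other_querier_interval: float = 255.0):
        self.my_ip = my_ip
        self.interval = other_querier_interval
        self.querier = True
        self.other_expires: Optional[float] = None

    def on_query(self, src_ip: str, now: float) -> bool:
        if _ip(src_ip) < _ip(self.my_ip):
            self.querier = False
            self.other_expires = now + self.interval
        return self.querier

    def tick(self, now: float) -> bool:
        if not self.querier and self.other_expires is not None and now >= self.other_expires:
            self.querier = True          # the lower-address querier went silent
            self.other_expires = None
        return self.querier


if __name__ == "__main__":
    a = AssertMetric(False, 110, 20, "10.1.1.2")
    d = AssertMetric(False, 110, 20, "10.1.1.9")
    print("assert tie goes to", assert_winner([a, d]).ip)
    q = IgmpQuerierState("10.1.1.9")
    print("querier after hearing 10.1.1.2:", q.on_query("10.1.1.2", 0))
```

The two tie-break directions are opposite (assert: higher address; querier: lower address), which is a common source of confusion when reading a multicast trace.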
PIM Configuration Examples
The following is a simple PIM configuration using the virtual Loopback interface 0 and physical interface FastEthernet 1.
8 Configuring PPP
Overview
The Point-to-Point Protocol (PPP), specified in RFC-1661, is a standard method for transporting multi-protocol datagrams over point-to-point links.
– Challenge Handshake Authentication Protocol (CHAP)
– Microsoft Challenge Handshake Authentication Protocol (MS-CHAP)
• Link Quality Monitoring (LQM) proce…
Authentication
Authentication protocols, as referenced in RFC-1334, are used primarily by hosts and routers to connect to a PPP network server via switched circuits or dialup lines, but might be applied to dedicated links as well.
The MS-CHAP challenge, response and success packet formats are identical to the standard CHAP challenge, response and success packets, respectively. MS-CHAP defines a set of reason-for-failure codes returned in the Failure packet's Message field.
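The CHAP exchange referred to on these pages, as an added Python example that is not XSR code: the packet layout and MD5 hash of RFC 1994, an authenticator that issues one-time random challenges, and the peer's response. Peer names and the secret are constructed.

```python
import hashlib
import hmac
import os
import struct
from typing import Dict, Tuple

CHAP_CHALLENGE, CHAP_RESPONSE, CHAP_SUCCESS, CHAP_FAILURE = 1, 2, 3, 4


def chap_hash(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP with MD5 (RFC 1994 section 4.1): MD5(Identifier || secret || challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def encode(code: int, identifier: int, value: bytes, name: bytes) -> bytes:
    """Challenge/Response packet: Code, Identifier, Length (whole packet), Value-Size, Value, Name."""
    length = 4 + 1 + len(value) + len(name)
    return struct.pack("!BBHB", code, identifier, length, len(value)) + value + name


def decode(pkt: bytes) -> Tuple[int, int, bytes, bytes]:
    """Parse a Challenge/Response packet into (code, identifier, value, name)."""
    if len(pkt) < 5:
        raise ValueError("short CHAP packet")
    code, identifier, length, vsize = struct.unpack("!BBHB", pkt[:5])
    if length != len(pkt) or 5 + vsize > length:
        raise ValueError("bad CHAP length fields")
    return code, identifier, pkt[5:5 + vsize], pkt[5 + vsize:length]


class Authenticator:
    """Router side. Secrets are per peer name and must be kept in clear, because
    CHAP needs the plaintext secret on both ends."""

    def __init__(self, secrets: Dict[bytes, bytes], name: bytes = b"XSR"):
        self.secrets = secrets
        self.name = name
        self.identifier = 0
        self.pending: Dict[int, bytes] = {}      # identifier -> outstanding challenge

    def challenge(self) -> bytes:
        self.identifier = (self.identifier + 1) & 0xFF
        chal = os.urandom(16)                     # unpredictable and never reused
        self.pending[self.identifier] = chal
        return encode(CHAP_CHALLENGE, self.identifier, chal, self.name)

    def verify(self, response_pkt: bytes) -> bool:
        code, identifier, value, name = decode(response_pkt)
        chal = self.pending.pop(identifier, None)  # one shot: a replayed Response finds no challenge
        if code != CHAP_RESPONSE or chal is None or name not in self.secrets:
            return False
        expected = chap_hash(identifier, self.secrets[name], chal)
        return hmac.compare_digest(expected, value)


def peer_respond(challenge_pkt: bytes, my_name: bytes, secret: bytes) -> bytes:
    """Peer side: hash the secret with the received identifier and challenge."""
    code, identifier, chal, _authenticator_name = decode(challenge_pkt)
    if code != CHAP_CHALLENGE:
        raise ValueError("not a Challenge")
    return encode(CHAP_RESPONSE, identifier, chap_hash(identifier, secret, chal), my_name)


if __name__ == "__main__":
    auth = Authenticator({b"XSR-Boston": b"constructed-secret"})
    ch = auth.challenge()
    resp = peer_respond(ch, b"XSR-Boston", b"constructed-secret")
    print("first response accepted:", auth.verify(resp))
    print("replayed response accepted:", auth.verify(resp))
```

Two properties worth noting: the secret never crosses the link, but the authenticator must store it recoverably, and a captured Challenge/Response pair can be attacked offline by guessing the secret, so the secret must be long and random. MS-CHAP, which shares this packet format, does not change either property.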
• Fragmentation/reassembly
• Detection of fragment loss
• Optimal buffer usage
• MTU size determination
• Management of MLPPP bundles
• MIB support f…
MLPPP Packet Fragmentation and Serialization Transmission Latency
MLPPP transports packets over multiple member links by fragmenting each packet after balancing the load across the member links, so that the members' aggregate bandwidth is fully utilized.
The overall serialization latency for a fragment over a synchronous/asynchronous Serial or T1 link should be multiplied by the size of the transmission queue. To control latency, both the transmission queue size and the fragment size must be controlled.
The class number defaults to five for both short and long sequence numbers. That includes four suspendable levels from 0 to 4, with the highest level at 5. The current limits on memory and throughput set the optimized number of classes to 4 for the XSR.
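The fragmentation and latency relationships above, as an added Python example rather than XSR code. Fragment headers use the RFC 1990 begin/end flags and 12-bit (short) or 24-bit (long) sequence numbers; the reassembler reports the sequence numbers missing from a gap, which is the "detection of fragment loss" listed among the features. Link speed, target latency, queue depth and the 300-byte packet are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

SHORT_SEQ_MOD = 1 << 12     # 12-bit sequence numbers
LONG_SEQ_MOD = 1 << 24      # 24-bit sequence numbers


@dataclass(frozen=True)
class Fragment:
    seq: int
    begin: bool      # B bit: first fragment of a packet
    end: bool        # E bit: last fragment of a packet
    payload: bytes


def serialization_ms(size_bytes: int, link_bps: int) -> float:
    """Time to clock size_bytes onto a link of link_bps."""
    return size_bytes * 8 * 1000.0 / link_bps


def fragment_size_for(target_ms: float, link_bps: int) -> int:
    """Largest fragment whose serialization delay on link_bps stays within target_ms."""
    return int(target_ms * link_bps / 8000.0)


def worst_case_latency_ms(fragment_bytes: int, link_bps: int, tx_queue_depth: int) -> float:
    """As the text states: one fragment's serialization latency multiplied by the
    transmission queue size, since a fragment may wait behind a full queue."""
    return serialization_ms(fragment_bytes, link_bps) * tx_queue_depth


def fragment(packet: bytes, frag_size: int, first_seq: int, short_seq: bool = True) -> List[Fragment]:
    mod = SHORT_SEQ_MOD if short_seq else LONG_SEQ_MOD
    chunks = [packet[i:i + frag_size] for i in range(0, len(packet), frag_size)] or [b""]
    return [Fragment((first_seq + n) % mod, n == 0, n == len(chunks) - 1, c)
            for n, c in enumerate(chunks)]


def reassemble(frags: List[Fragment], short_seq: bool = True) -> Tuple[Optional[bytes], List[int]]:
    """Rebuild a packet from fragments received in order. Returns (packet, missing
    sequence numbers); packet is None when a gap or a missing B/E flag shows loss."""
    mod = SHORT_SEQ_MOD if short_seq else LONG_SEQ_MOD
    if not frags or not frags[0].begin or not frags[-1].end:
        return None, []
    missing: List[int] = []
    for prev, cur in zip(frags, frags[1:]):
        expected = (prev.seq + 1) % mod
        gap = (cur.seq - expected) % mod
        missing.extend((expected + k) % mod for k in range(gap))
    if missing:
        return None, missing
    return b"".join(f.payload for f in frags), []


if __name__ == "__main__":
    print("1500 B on 64 kbit/s:", serialization_ms(1500, 64000), "ms")
    print("fragment for 10 ms on 64 kbit/s:", fragment_size_for(10, 64000), "bytes")
    print("8-deep queue of those fragments:", worst_case_latency_ms(80, 64000, 8), "ms")
    pkt = bytes(range(256)) + b"x" * 44          # constructed 300-byte payload
    frs = fragment(pkt, 128, 4094)                # sequence wraps 4094, 4095, 0
    print([f.seq for f in frs], reassemble([frs[0], frs[2]]))
```

The numbers show why fragment size alone is not enough: an 80-byte fragment meets a 10 ms per-fragment budget on a 64 kbit/s link, but with eight such fragments queued ahead of it the wait is 80 ms, which is the multiplication the text describes.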
IP Address Assignment
In PPP, IPCP configuration option type 3 corresponds to IP address negotiation. This configuration option provides a way to negotiate the IP address to be used on the local end of the link.
Configuring PPP with a Dialed Backup Line
You can configure PPP on the following types of physical interfaces:
• Asynchronous serial …
5. Enter no shutdown to enable this interface.
XSR(config-if<S1/0>)#no shutdown
Configuring a Dialed Backup Line
The following tasks mus…
Configuring the Interface as the Backup Dialer Interface
1. Enter interface serial card/port to specify the interface to back up.
2. Enter ip address ip-address mask to specify the IP address and subnet mask of the interface.
Configuring MLPPP on a Multilink/Dialer interface
Multilink Example
The following example enables Multi-Class MLPPP on inter…
XSR(config-if<D255>)#multilink min-links 37
XSR(config-if<D255>)#ppp multilink bap
XSR(config-if<D255>)#ppp bap number default 1200
XSR(config-…
XSR1(config-controller<T1-1/0>)#isdn bchan-number-order ascending
XSR1(config-controller<T1-1/0>)#no shutdown
XSR1(config-controller<T1-1/0>)#dialer pool-member 1 priority 0
2. …
3. Configure the Dialer 1 interface with a dialer pool:
XSR2(config)#interface Dialer1
XSR2(config-if<D1>)#no shutdown
XSR2(config-if<D1>)#dialer pool 1
XSR2(config-if<D1>)#encapsulation ppp
4. Set up BAP on Dialer 1 by enabling BAP and adding BAP phone numbers for XSR1 to call.
XSR1(config-if<D1>)#dialer pool 1
XSR1(config-if<D1>)#encapsulation ppp
XSR1(config-if<D1>)#ppp multilink bap
XSR1(config-if<D1>)#ppp …
9 Configuring Frame Relay
Overview
Frame Relay (FR) is a simple, bit-oriented protocol that offers fast-packet switching for wide-area networking. It combines the statistical multiplexing and port-sharing features of an X…
Figure 9-1 Frame Relay Network Topology
From the perspective of the OSI reference model, Frame Relay is a high-performance WAN protocol suite operating at the physical and data link layers (1 and 2).
Frame Relay Features
The XSR supports the following FR features:
• The XSR acts as a DTE/DCE device on the UNI (User Network Interface), suppor…
Address Resolution
The XSR supports dynamic resolution via Inverse ARP to map virtual circuits (DLCIs) to remote protocol addresses, as defined in RFC-2390.
Several other parameters work hand-in-hand with CIR in controlling traffic flow. Committed burst (Bc) is the peak number of bits that the network attempts to deliver during a given period.
Using BECN bits to control the outbound data flow is known as adaptive shaping.
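CIR, Bc, Be and BECN-driven adaptive shaping as an added Python model; it is not XSR code. Per interval Tc = Bc/CIR the circuit may send Bc committed bits and then up to Be excess bits (marked discard-eligible); anything beyond that waits for the next interval. The size of the rate cut on BECN, the recovery step and the MinCIR floor are assumptions made for the example, not XSR defaults.

```python
class FrameRelayShaper:
    """Token-bucket view of CIR/Bc/Be with BECN-driven rate adaptation."""

    def __init__(self, cir: int, bc: int, be: int, mincir: int):
        if not 0 < mincir <= cir:
            raise ValueError("need 0 < mincir <= cir")
        self.cir, self.bc, self.be, self.mincir = cir, bc, be, mincir
        self.tc = bc / cir                 # seconds per measurement interval
        self.rate = cir                    # current shaped rate, adjusted by BECN
        self.new_interval()

    def new_interval(self) -> None:
        """Refill the buckets at the start of each Tc; the committed allowance
        scales with the current adaptive rate, the excess allowance is fixed."""
        self.committed_left = int(self.rate * self.tc)
        self.excess_left = self.be

    def admit(self, frame_bits: int) -> str:
        """'commit' -> send; 'excess' -> send with DE set; 'hold' -> queue for next Tc."""
        if frame_bits <= self.committed_left:
            self.committed_left -= frame_bits
            return "commit"
        if frame_bits <= self.excess_left:
            self.excess_left -= frame_bits
            return "excess"
        return "hold"

    def end_interval(self, becn_seen: bool) -> int:
        """Adaptive shaping: a BECN in this interval cuts the rate by 25% (assumed
        step) down to MinCIR; a quiet interval restores 1/16 of CIR, never above CIR."""
        if becn_seen:
            self.rate = max(self.mincir, int(self.rate * 0.75))
        else:
            self.rate = min(self.cir, self.rate + self.cir // 16)
        self.new_interval()
        return self.rate


if __name__ == "__main__":
    # Constructed PVC: CIR 64 kbit/s, Bc 8000 bits, Be 8000 bits, MinCIR 32 kbit/s.
    s = FrameRelayShaper(cir=64000, bc=8000, be=8000, mincir=32000)
    print("Tc =", s.tc, "s")
    print([s.admit(b) for b in (8000, 4000, 5000)])        # commit, excess (DE), hold
    print("rate after 3 BECN intervals:", [s.end_interval(True) for _ in range(3)])
    print("rate after 1 quiet interval:", s.end_interval(False))
```

Frames admitted as "excess" are the ones the network may drop first under congestion (DE set); frames that are "held" never enter the network at all, which is the behaviour that prevents the circuit from being the cause of the BECNs it later reacts to.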
Link Management Information (LMI)
A FR UNI-DCE device communicates with an attached FR DTE device (e.g., the XSR) about the status of the PVC connections through the Link Management Information protocol (LMI).
FRF.12 Fragmentation
Generally speaking, it is difficult to deliver good end-to-end quality of service for time-sensitive packets (voice and video…
until you enter the copy running config startup config command to copy the running configuration into the startup configuration file within Flash.
Interconnecting via Frame Relay Network
The following typical application uses FR to link remote branches to the corporate network at the central sites via a FR network, as shown in Figure 9-3.
Configuring Frame Relay
Multi-point to Point-to-Point Example
The following example configures the XSR in New York to connect with XSRs in Andover and Montreal using Frame Relay, as shown in Figure 9-4.
NewYork(config-map-class<frf12>)#frame-relay bc out 4000
NewYork(config-map-class<frf12>)#frame-relay be out 5000
NewYork(config-map…
Andover(config-if<S2/0>)#frame-relay lmi-type ANSI
Andover(config-if<S2/0>)#frame-relay traffic-shaping
Andover(config-if<S2/0>)#frame-relay class frf12
Andover(config-if<S2/0>)#no shutdown
Configure Serial sub-interface 2/0…
10 Configuring Dialer Services
This chapter details information about the XSR's suite of dialer functionality:
• Dial
• Ethernet Failover
• Backup Dialer
• Dial on…
Asynchronous and Synchronous Support
Synchronous and asynchronous interfaces can be configured for dialed connections to one or more destination networks. When requested, the XSR uses dialing commands to send the phone number of the destination network to a modem.
Table 10-1 lists V.25bis options. By default, the synchronous port uses V.25bis. The functions of these options are nation-specific, and they may have different implementations. Refer to your modem documentation for a list of supported commands and options.
Implementing Dial Services
Dial services are provided by dialer interfaces, which are defined as any XSR interface capable of placing or receiving a call. You can implement Dial Services by creating a dialer profile.
to support point-to-point or point-to-multipoint connections, and can be non-spoofed for backup purposes.
Configuring Encapsulation
When a clear data link is established between two peers, traffic must be encapsulated and framed for transport across the Dialer media.
Figure 10-3 Logical View of Dialer Profiles
Figure 10-4 on page 10-8 illustrates three Dialer Interfaces with three associated Dialer Pools. Dialer Pool 6 supports two Serial interfaces of different priority "weighting".
Figure 10-4 Sample Dialer Topology
As illustrated in Figure 10-5 on page 10-9 and Figure 10-6 on page 10-10, the Toronto and Andover Dialer Profiles share similar parameters except for phone numbers and the values specifying the interval to wait for a dial signal.
Figure 10-5 Dialer Profile of Destination (416) 123-4456
Interface dialer 0
ip address 10.1.1.1 255…
Figure 10-6 Dialer Profile of Destination (987) 231-2345
Configuring the Dialer Interface
The following tasks need to be performed to co…
Configuring the Map Class
1. Enter map-class dialer classname to create a map-class identifier. This value must match the classname value you specified in the dialer string command.
2. Enter dialer wait-for-carrier-time seconds to set the interval the local modem waits to answer the call.
Configuring ISDN Callback
The following CLI commands configure point-to-point and point-to-multipoint applications with single or multiple neighbors.
XSR(config-if<D1>)#dialer idle-timer 0
XSR(config-if<D1>)#dialer map ip 10.10.10.2 9053617921
XSR(config-if<D1>)#dialer map ip 10.10.10.3 9053617363
XSR(config-if<D1>)#encapsulation ppp
XSR(config-if<D1>)#ip address 10…
8. The backup link comes up, triggering the next action.
9. Static backup route configured - the routing process searches its configured static routing entries and installs the routes that can be reached through the backup interface.
Configuring the Physical Interface for the Dialer Interface
Perform the following steps to set up the physical port for the dialer interface:
1. Enter interface serial card/port to specify the interface.
Sample Configuration
Figure 10-8 on page 10-16 shows an example of two dialer interfaces used to back up two separate serial lines using only one dial-out line (serial interface 1).
XSR(config-if<D2>)#encapsulation ppp
XSR(config-if<D2>)#dialer pool 5
XSR(config-if<D2>)#no shutdown
Configur…
For more information on ISDN fundamentals, refer to "Configuring Integrated Services Digital Network" on page 1 and the XSR CLI Reference Guide.
Dialer Interface Spoofing
Spoofing on a dialer interface is defined as the line "pretending" to be up when it is not.
A watch group can also be specified for use by the Virtual Router Redundancy Protocol (VRRP) with the vrrp <number> track watch-group command. For more information, refer to "Configuring IP" on page 1.
Caveat
The following caveat applies to Dialer Watch functionality: the dialer will not disconnect the secondary backup switched link if this connection has a better cost to the watched route than the primary link.
Incoming Call Mapping Example
This example, as shown in Figure 10-10, configures a node capable of handling multiple call setup requests coming from different remote peers and maps each incoming call to the correct IP interface (Dialer interface).
Node B (Called Node) Configuration
The following commands add two users to validate calls made from Node A. This configuration employs the username/authentication method of mapping incoming calls.
XSR(config-if<BRI-1/0>)#dialer pool-member 2
XSR(config-if<BRI-1/0>)#no shutdown
The following commands define a dialer group, add a dialer pool, set a 20-second idle timeout, and map BRI interface 1/0 to Dialer port 1.
Figure 10-11 Dial on Demand Topology
PPP Point-to-Multipoint Configuration
In this configuration, only one of the peer nodes can initiate the setup of a switched link, when data traffic defined by an access list is sent to the remote peer.
!
XSR(config-if<D2>)#dialer map ip 20.20.20.2 2401
!
XSR(config-if<D2>)#ip address 20.20.20…
XSR(config)#interface dialer 1
XSR(config-if<D1>)#no shutdown
XSR(config-if<D1>)#dialer pool 25
XSR(config-if<D1>)#encapsulation ppp
XSR(config-if<D1>)#dialer idle-timeout 35
XSR(config-if<D1>)#dialer-group 3
XSR(config-if<D1>)#dialer map ip 10…
Figure 10-12 Point-to-Point Topology
Dial-in Routing for Dial on Demand Example
The following commands configure dialer interface 1:
XSR(config)#interface dialer 1
XSR(config-if<D1>)#encapsulation ppp
XSR(config-if<D1>)#ip address 172…
XSR(config)#interface dialer 1
XSR(config-if<D1>)#encapsulation ppp
XSR(config-if<D1>)#ip address 172…
Dial-out Router Example
The following commands add a dialer pool and dialer group, specify a secret password to be sent to the peer for PAP authentication, and specify three MLPPP call destinations - XSR-Andover, XSR-Boston and XSR-Buffalo - on XSR-Toronto's Dialer interface 1.
XSR(config-if<D2>)#no shutdown
XSR(config-if<D2>)#dialer remote-name XSR-Boston
The following commands add a dialer pool member and …
Node B (Called Node) Configuration
The following commands add a dialer pool member with the Central Office switch type to BRI interface 1/0:
XSR(config)#…
XSR(config-if<D1>)#dialer pool 1
XSR(config-if<D1>)#no shutdown
The following commands add a dialer pool member and specify the prim…
Figure 10-15 MLPPP Point-to-Multipoint Topology
Dial-out Router Example
The following commands add a dialer pool and dialer group, and specify three MLPPP call destinations - XSR-Andover, XSR-Boston and XSR-Buffalo - on XSR-Toronto's Dialer interface 1.
The following command defines interesting packets for the dial-out trigger by configuring ACL 101 to pass all ICMP Type 8 (echo request) packets from any source to any destination…
XSR(config)#access-list 101 permit icmp any any 8
The following command maps ACL 101 to dialer group 3:
XSR(config)#dialer-list 3 protoc…
Node A (Calling Node) Configuration
The following commands add a dialer pool member and set the Central Office switch type on B…
Backup Configuration
Backup Using ISDN
This example configures ISDN NIM cards (either BRI, or T1/E1 configured for PRI) to be used for backing up other interfaces, as shown in Figure 10-17.
XSR(config-if<D2>)#dialer pool 22
XSR(config-if<D2>)#dialer string 2501
XSR(config-if<D2>)#ip address 20…
XSR(config-if<D2>)#no shutdown
XSR(config-if<D2>)#dialer pool 28
XSR(config-if<D2>)#encapsulation ppp
XSR(config-if<D2>)#dialer called 2501
XSR(config-if<D2>)#ip address 20.20…
XSR(config-if<S2/0:0>)#backup interface dialer1
XSR(config-if<S2/0:0>)#encapsulation ppp
XSR(config-if<S2/0:0>)#ip address 30…
Configuration for Frame Relay Encapsulation
This backup dial-out example configures FR encapsulation and typical call parameters (dial pool, dial string, dial class) on parent Dialer interface 20 while setting the DLCI and IP address on Dialer sub-interface 20…
11 Configuring Integrated Services Digital Network
This chapter outlines how to configure the Integrated Services Digital Network (ISDN) protocol on the XSR in the following s.
Understanding ISDN
BRI Features
• Circuit Mode Data (CMD): Channels (DS0s or B's) are switched by the CO to the destination user for the duration of the call.
– Outgoing calls supported for Backup, DoD/BoD.
which provides access to 23 B-channels in North America and Japan and 30 B-channels in Europe and most of Asia, and a 64 Kbps D-channel in both.
Basic Rate Interface
The XSR's BRI NIM provides two BRI ports.
D-Channel Standards
The XSR supports several D-channel standards, which are enabled with the isdn switch-type command.
reference point represents the customer premises' wiring. S/T is a point-to-multipoint wiring configuration; that is, the NT1 can be connected to as many as eight TEs that contend for the two B channels.
Call Monitoring
Call monitoring is also a vital element of the XSR's ISDN service.
Rx ISDN-BRI 1/0 03:13:47:676 Q921 UI p 0 sapi 63 tei 127 c/r 1
• + 2nd line: info:0F 00 00 06 FF
Tx ISDN-BRI 1/0 03:13:52:601 Q921 INFO p 0 nr 0 ns 0 sapi.
– + Next line: 04 Bearer capability 8890 18 Channel Id. 81 6C Calling number N0:2800 70 Called number N0:2500
The succeeding section lists all message types and IEs the XSR displays.
ISDN Configuration
Decoded IEs
Only IEs referring to data calls are supported and decoded by the XSR, as shown in the following examples.
• The channel-group command for point-to-point connections.
The above commands are mutually exclusive: you can enter one or the other per PRI interface, not both. On the E1 NIM, 30 channels are controlled by ISDN, and 23 channels on the T1 NIM.
Figure 11-1 Switched BRI Configuration Model
The following example adds a dialer pool and group, and two phone numbers to the called node's Dialer 0 port. It also configures a second dialer pool and group, a Multilink PPP line to four B channels on the Dialer 1 interface, and maps the 192.
XSR(config)#interface dialer 1
XSR(config-if<D1>)#ip address 2.2.2.2 255.255.255.0
XSR(config-if<D0>)#encapsulation ppp
XSR(config-if<D0>)#ppp multilink
XSR(config-if<D0>)#dialer map ip 192.
Figure 11-2 PRI Configuration Model
The following T1 example configures the interface for ISDN PRI operation, adds a dialer pool and group, and one dialer string to the node's Dialer 1 port. The ISDN PRI interface belongs to two prioritized pool members.
Be aware that the isdn bchan-number-order command forces the PRI interface to make outgoing calls in ascending or descending order. The command is recommended only if your service provider requests it to lessen the chance of call collisions.
More Configuration Examples
XSR(config-if<BRI-1/1:2>)#ip address 1.1.1.3 255.255.255.0
XSR(config-if<BRI-1/1:2>)#encapsulation frame relay
The following commands add a third, bundled B1/B2 line on BRI interface 0/1/1 and another leased line on BRI channel 0/1/2:1 with Frame Relay encapsulation.
ISDN (ITU Standard Q.931) Call Status Cause Codes
XSR(config-if<BRI-1/1>)#no shutdown
XSR(config-if<BRI-1/1>)#dialer pool-member 1 p.
7 Call awarded and being delivered in an established channel
8 Prefix 0 dialed but not allowed
9 Prefix 1 dialed but not al.
54 Incoming calls barred
55 Incoming calls barred within CUG
56 Call waiting not subscribed
57.
12 Configuring Quality of Service
Overview
In a typical network, there are often many users and applications competing for limited system and network resources.
Mechanisms Providing QoS
• QoS on the dialer interfaces is applied directly to the dialer interface and inherited by the dial pool members (Serial or ISDN).
• QoS on MLPPP interfaces.
• QoS on point-to-point and point-to-multipoint VPN interfaces.
features in the traffic policy determine how to treat the classified traffic. A traffic policy cannot be applied to multilink PPP interfaces at this time. You must perform three steps to configure a class-based classifier: 1.
• The priority command assigns traffic from this class a Priority Queue (PQ) and sets the parameter for the queue. Priority queues provide guaranteed bandwidth: they always receive the bandwidth requested.
Configuring CBWFQ
CBWFQ is configured using the bandwidth command. It provides a minimum bandwidth guarantee during congestion. For example, policy-map keyser guarantees 30 percent of the bandwidth to class sosay and 60 percent of the bandwidth to class intrigue.
excess bandwidth may be used by CBWFQ. A rule of thumb for configuring PQs is to assign time-sensitive traffic (voice and video) to PQs and other types (e.g., Telnet) to fair queues. Any traffic you do not specially assign (e.
This is how the policer works. It maintains two token buckets, one holding tokens for the normal burst and the other for the excess burst. The policing algorithm handles token refilling and burst checking. Token buckets are refilled every time a new packet arrives, so no timer runs between packets; the tokens earned since the previous arrival are credited on the next one.
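The following Python model is an added illustration of the two-bucket policer described above; it is not XSR code. It credits tokens lazily on each packet arrival, fills the normal-burst bucket first and lets overflow spill into the excess-burst bucket (the usual single-rate, two-bucket behaviour, assumed here since the text does not spell out the spill rule), and classifies each packet as conform, exceed or violate. The rate, burst sizes and packet trace are constructed values.

```python
"""Two-bucket (normal burst / excess burst) traffic policer model.

Added example, not the XSR's own code. The rate/burst values and the
sample packet trace are assumptions chosen for illustration.
"""
from dataclasses import dataclass, field


@dataclass
class TwoBucketPolicer:
    rate_bps: int          # committed rate, bits per second
    normal_burst: int      # Bc: capacity of the conform bucket, bytes
    excess_burst: int      # Be: capacity of the exceed bucket, bytes
    last_time: float = 0.0
    normal_tokens: int = field(init=False)
    excess_tokens: int = field(init=False)

    def __post_init__(self):
        # Both buckets start full.
        self.normal_tokens = self.normal_burst
        self.excess_tokens = self.excess_burst

    def _refill(self, now: float) -> None:
        # Refill happens only on packet arrival: tokens earned since the last
        # packet go to the normal bucket first; overflow spills into excess
        # (assumed spill rule, see lead-in).
        elapsed = max(0.0, now - self.last_time)
        self.last_time = now
        earned = int(elapsed * self.rate_bps / 8)          # bytes of credit
        to_normal = min(earned, self.normal_burst - self.normal_tokens)
        self.normal_tokens += to_normal
        self.excess_tokens = min(self.excess_burst,
                                 self.excess_tokens + (earned - to_normal))

    def police(self, now: float, size: int) -> str:
        """Classify one packet of `size` bytes arriving at time `now`."""
        self._refill(now)
        if size <= self.normal_tokens:
            self.normal_tokens -= size
            return "conform"
        if size <= self.excess_tokens:
            self.excess_tokens -= size
            return "exceed"
        return "violate"                                   # drop or re-mark


def run_trace(policer: TwoBucketPolicer, trace) -> list:
    """Apply the policer to a list of (arrival_time_s, size_bytes) packets."""
    return [policer.police(t, s) for t, s in trace]


# Constructed sample trace: a 5-packet burst at t=0, then one packet every 0.5 s.
SAMPLE_TRACE = [(0.0, 1000), (0.0, 1000), (0.0, 1000), (0.0, 1000), (0.0, 1000),
                (0.5, 1000), (1.0, 1000)]

if __name__ == "__main__":
    p = TwoBucketPolicer(rate_bps=8000, normal_burst=2000, excess_burst=2000)
    for (t, s), verdict in zip(SAMPLE_TRACE, run_trace(p, SAMPLE_TRACE)):
        print(f"t={t:4.1f}s size={s} -> {verdict}")
```

With an 8 kbit/s rate (1000 bytes/s) and 2000-byte buckets, the burst drains the normal bucket after two packets and the excess bucket after two more; the fifth packet violates, the packet at 0.5 s still violates because only 500 bytes of credit have accrued, and the packet at 1.0 s conforms again.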
Class-based traffic shaping can be configured on any class and applied to any data path (interface or DLCI) with the shape command. To do so, you must define a traffic policy and, within that policy, apply traffic shaping to a class.
XSR(config-pmap-c<d32>)#exit
XSR(config-pmap<cbts>)#class foo
XSR(config-pmap-c<foo>)#shape 38400 15440
XSR(config-pmap-c<foo>).
queue-limit value for the queue size. Be aware that if you set the queue size smaller than the shaper burst, the shaper will not be able to achieve the configured average rate. When the queue-limit command is not invoked, the queue size is determined only by the shaper burst.
Figure 12-1 RED Drop Probability Calculation
In the following example, class bus has a minimum threshold of 460. RED will start to randomly (with a probability between 0 and 1/10) discard packets when its queue grows over 460 packets.
WRED. Traffic marked with a lower drop precedence is assigned a higher MaxP (the mark-probability denominator, so a smaller maximum drop probability) and larger MinTh and MaxTh thresholds than traffic marked with DSCP values having a higher drop level.
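The following Python code is an added worked example of the RED/WRED drop-probability curve described above; it is not XSR code. It implements no drops below MinTh, a linear ramp up to 1/MaxP at MaxTh and tail drop beyond, plus the per-DSCP profile table that WRED uses. The text gives only MinTh=460 and MaxP=10 for class bus; the MaxTh value, the DSCP profile table and the queue sizes used below are assumptions.

```python
"""RED / WRED drop-probability calculation.

Added example, not the XSR's own code. MaxTh, the WRED profile table and
the sample queue sizes are assumptions; the text gives MinTh=460, MaxP=10.
"""
from fractions import Fraction
import random


def red_drop_probability(avg_queue: float, min_th: int, max_th: int, max_p: int) -> Fraction:
    """Drop probability for the current average queue size.

    max_p is the mark-probability denominator: the probability reaches
    1/max_p at max_th, above which every packet is dropped (tail drop).
    """
    if avg_queue <= min_th:
        return Fraction(0)
    if avg_queue >= max_th:
        return Fraction(1)
    ramp = Fraction(int(avg_queue) - min_th, max_th - min_th)   # 0..1 across the band
    return ramp / max_p


def update_average(avg: float, current: int, weight: float = 1 / 512) -> float:
    """Exponentially weighted moving average of the queue size (classic RED)."""
    return (1 - weight) * avg + weight * current


# WRED profile: DSCP -> (MinTh, MaxTh, MaxP). Lower drop precedence gets larger
# thresholds and a larger MaxP, i.e. a smaller maximum drop probability.
WRED_PROFILES = {
    "AF11": (460, 920, 10),   # low drop precedence (the text's class bus values)
    "AF12": (300, 600, 5),
    "AF13": (200, 400, 2),    # high drop precedence
}


def wred_drop_probability(dscp: str, avg_queue: float) -> Fraction:
    min_th, max_th, max_p = WRED_PROFILES[dscp]
    return red_drop_probability(avg_queue, min_th, max_th, max_p)


def should_drop(dscp: str, avg_queue: float, rng=random) -> bool:
    """Random early-drop decision for one arriving packet."""
    return rng.random() < float(wred_drop_probability(dscp, avg_queue))


if __name__ == "__main__":
    for q in (400, 460, 690, 920):
        print(q, red_drop_probability(q, 460, 920, 10))
```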
QoS and Link Fragmentation and Interleaving (LFI)
the dialer interface is pushed to the bound serial port and, when the call is disconnected, is removed from the serial port.
QoS with VLAN
QoS with MLPPP multi-class regulates the output queue in such a way that, ideally, there is at most one non-priority packet in front of the priority packet, so the greatest latency that latency-sensitive packets experience is never larger than the fragment delay.
Describing VLAN QoS Packet Flow
The following scenarios illustrate how prioritized VLAN and non-VLAN packets behave across XSR interfaces with VLAN and QoS configured, and include minimal CLI commands.
Figure 12-4 LAN/QoS Serial Scenario
Non-VLAN IP Packet Routed Out a Fast/GigabitEthernet Interface
In this scenario, shown in Figure 12-5, the policy map setCos4 is applied to the output interface FastEthernet 1.
QoS on Input
Priority levels range from 0 (lowest) to 7.
6. Create a traffic policy: policy-map <policy-map-name>
7. Optional. Mark the IEEE 802.1 priority in the output VLAN header: set cos <0 - 7>
8. Attach the service policy to the input or output interface.
QoS on VPN
The XSR offers you two choices in applying a QoS service policy:
• before encryption, on the VPN tunnel (virtual VPN) interface, or
• after encryption, on the underlying physical interface.
Copying the ToS byte brings into play security concerns you must address: the copied value travels in clear text in the outer header, so it reveals the traffic class of the protected payload to anyone on the path, and it is not protected by the tunnel's integrity check, so it can be altered in transit.
outer header. In this scenario, all QoS-related parameters are attached to the VPN interface. Note that the VPN interface is a virtual interface without any bandwidth attached to it, so certain QoS operations, namely scheduling packets, cannot be applied here.
Figure 12-6 QoS on a Virtual Interface Example
The following commands configure the Ser and Vpn policy maps on XSR Remote 1 as shown in Figure 12-7.
XSR(config)#policy-map Ser
XSR(config-pmap<Ser>)#class RTP1
XSR(config-pmap-c<RTP1>)#priority high 100
XSR(config-pmap-c<RTP1>)#exit
XSR(config-pmap.
XSR(config)#interface vpn 1
XSR(config-int-vpn)#ip address 20.20.20.1/24
XSR(config-int-vpn)#copy-tos
XSR(config-int-vpn)#service-policy output vpn
XSR(config-tms-tunnel)#tunnel t1
XSR(config-tms-tunnel)#set protocol gre
XSR(config-tms-tunnel)#set peer 10.
This situation can cause unexpected results when QoS is applied to VPN interfaces. If the rate of traffic traversing the VPN interface is higher than the physical interface bandwidth, packets are dropped after they have left the VPN interface, that is, after the QoS policy on the VPN interface has already made its decisions.
QoS Policy Configuration Examples
As an example, tunnels using ESP with 3DES will add 44 bytes (or more) of overhead per packet, which must be accounted for when sizing the policy on the physical interface.
XSR(config-pmap-c<class1>)#queue-limit 40
XSR(config-pmap-c<class1>)#exit
XSR(config-pmap<policy1>)#class class2
XSR(conf.
Create a policy map consisting of one or more traffic classes and specify QoS characteristics for each traffic class:
XSR(conf.
XSR(config-pmap<QoS-Policy>)#class VoIP-RTP
XSR(config-pmap-c<class VoIP-RTP>)#priority high 100
XSR(config-pmap-c<class VoI.
XSR(config)#map-class frame-relay VoIP
XSR(config-map-class<VoIP>)#frame-relay cir out 256000
XSR(config-map-class<Vo.
XSR(config)#interface multilink 1
XSR(config-if<M1>)#service-policy input InOut
XSR(config-if<M1>)#exit
XSR(config)#interface fa.
XSR(config)#interface fastethernet 2
XSR(config-if<F2>)#service-policy input Eth.
13 Configuring ADSL
This chapter details the background, features, implementation and configuration of Asymmetric Digital Subscriber Line (ADSL) on the XSR.
Overview
ADSL (Asymmetric Digital Subscriber Line) is a technology for transmitting digital information at high bandwidth over existing phone lines.
Features
Figure 13-1 RFC Encapsulation Layers
PDU Encapsulation Choices
The XSR's Protocol Data Unit (PDU) encapsulation choices are described and illustrated as follows.
PPP over ATM
The XSR's PPPoA option, as defined by RFC 2364, supports the following features.
Figure 13-2 PPPoA Network Diagram
This implementation is restricted as follows:
• Maximum MTU of 1500 bytes
• ATM SVCs are not supported
• Frame Relay/ATM internetworking (per FRF.
Figure 13-3 PPPoE Network Diagram
The limitations of this configuration are as follows:
• Maximum MTU of 1492 bytes
• ARP is not supported
• Other received bridged PDU types are silently discarded (802.4, 802.5, 802.
Figure 13-4 IP over ATM Network Diagram
Restrictions of this implementation are as follows:
• Maximum MTU of 1500 bytes
• NLPID-formatted routed IP version 4 PDUs over ATM PVCs are not supported
• LLC-encapsulated bridge PDUs are not supported.
ADSL on the Motherboard
Two versions of ADSL are provided by the XSR Series 1200 routers:
• Annex A over POTS on the XSR-1220
• Annex B over ISDN on the XSR-1235.
OAM Cells
OAM cells are messages used to operate, administer, and maintain ATM networks. They provide in-band control functions for virtual circuits, including hop-by-hop and end-to-end functions such as path connectivity and delay measurement.
Configuration Examples
Inverse ARP
The XSR employs Inverse ARP as defined in RFC 1293 with modifications specified by RFC 2225 (Classical IP over ATM). Inverse ARP is supported for PVCs which are configured as routed IPv4 circuits (per RFC 1483), using LLC/SNAP encapsulation.
VCI values to those requested by the DSL provider. Notice that the Maximum Segment Size (MSS) is set to 1400 bytes for TCP SYN (synchronize) packets; this keeps TCP segments below the reduced PPPoE MTU so that hosts whose path-MTU discovery is blocked do not see stalled connections.
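The following Python code is an added example of the MSS rewrite described above, not XSR code. It walks the TCP options of a SYN (or SYN/ACK) segment and lowers an MSS larger than the clamp value (1400 in the text's example) while leaving non-SYN segments and smaller values untouched. The sample segments are constructed in the block, and the TCP checksum is deliberately not recomputed here.

```python
"""TCP MSS clamping on SYN segments, as used on PPPoE/ADSL links.

Added example, not the XSR's code. Sample segments are constructed; the
TCP checksum is not recomputed.
"""
import struct

OPT_EOL, OPT_NOP, OPT_MSS = 0, 1, 2
FLAG_SYN, FLAG_ACK = 0x02, 0x10


def _mss_offset(opts: bytes):
    """Index of the MSS option (its kind byte) within the option bytes, or None."""
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == OPT_EOL:
            return None
        if kind == OPT_NOP:
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2:
            return None                      # malformed length: stop parsing
        if kind == OPT_MSS and opts[i + 1] == 4 and i + 4 <= len(opts):
            return i
        i += opts[i + 1]
    return None


def read_mss(tcp: bytes):
    """Return the MSS option value of a segment, or None if absent."""
    data_offset = (tcp[12] >> 4) * 4
    opts = tcp[20:data_offset]
    i = _mss_offset(opts)
    return None if i is None else struct.unpack("!H", opts[i + 2:i + 4])[0]


def clamp_mss(tcp: bytes, clamp: int = 1400) -> bytes:
    """Return the segment with its MSS option reduced to at most `clamp`."""
    if len(tcp) < 20:
        raise ValueError("short TCP header")
    data_offset = (tcp[12] >> 4) * 4
    flags = tcp[13]
    if not flags & FLAG_SYN or data_offset > len(tcp):
        return tcp                           # MSS is only announced on SYNs
    opts = bytearray(tcp[20:data_offset])
    i = _mss_offset(opts)
    if i is not None and struct.unpack("!H", opts[i + 2:i + 4])[0] > clamp:
        opts[i + 2:i + 4] = struct.pack("!H", clamp)
    return tcp[:20] + bytes(opts) + tcp[data_offset:]


def build_syn(mss: int, flags: int = FLAG_SYN) -> bytes:
    """Constructed 24-byte TCP header: fixed part plus a 4-byte MSS option."""
    opts = struct.pack("!BBH", OPT_MSS, 4, mss)
    data_offset = (20 + len(opts)) // 4      # header length in 32-bit words
    return struct.pack("!HHIIBBHHH", 1234, 80, 1, 0, data_offset << 4, flags,
                       65535, 0, 0) + opts


if __name__ == "__main__":
    print(read_mss(build_syn(1460)), "->", read_mss(clamp_mss(build_syn(1460))))
```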
The following optional command configures a universal default route:
XSR(config)#ip route 0.0.0.0 0.0.0.0 atm 1/0.1
IPoA
Enter the following commands to configure an IPoA topology:
XSR(config)#interface ATM 1/0
XSR(config-if<ATM1/0>)#no shutdown
XSR(config-if<ATM1/0>)#interface ATM 1/0.
14 Configuring the Virtual Private Network
VPN Overview
As it is most commonly defined, a Virtual Private Network (VPN) allows two or more private networks to be connected over a publicly accessed network.
Ensuring VPN Security with IPSec/IKE/GRE
• Encryption and decryption promote confidentiality by allowing two communicating parties to disguise information they share. The sender encrypts, or scrambles, data before sending it.
Since IPSec is the standard security protocol, the XSR can establish IPSec connections with third-party devices, including routers as well as PCs.
Figure 14-2 Tunnel Mode Processing
As shown above, AH authenticates the entire packet transmitted on the netw.
Describing Public-Key Infrastructure (PKI)
Defining VPN Encryption
To ensure that the VPN is secure, limiting user access is only one piece of the puzzle; once the user is authenticated, the data itself needs to be protected as well.
data. Instead of encrypting the data itself, the signing software creates a one-way hash of the data, then uses your private key to encrypt the hash. (Strictly, the hash is signed rather than encrypted; with RSA the signing operation is a private-key exponentiation, which is why it is commonly described this way. Anyone holding the public key can recover the hash from the signature and compare it with a hash they compute themselves.)
CRL checking is not optional. CRLs are collected automatically by the XSR using information available in the IPSec and CA certificates it has already collected (typically the CRL distribution point carried in the certificate). A peer whose certificate, or whose issuing CA's certificate, appears on a current CRL is rejected even though its signature chain is otherwise valid.
Figure 14-4 Certificate Chain Example
A certificate chain traces a path of certificates from a branch in the hierarchy to the root of the hierarchy.
DF Bit Functionality
Pending Mode
Once you have authenticated against the parent CA in your XSR certificate chain, you then enroll the XSR's IPSec client certificate against the CA using the SCEP enroll command.
VPN Applications
This feature specifies whether the router can clear, set, or copy the DF bit in the encapsulating header. It is available only for IPSec tunnel mode; transport mode is not affected because it does not add an encapsulating IP header.
Site-to-Site Networks
Site-to-site tunnels run as point-to-point links. They are useful when connecting geographically dispersed network segments where each segment contains servers and hosts. VPN tunnels play the role of point-to-point links and are transparent from a routing perspective.
If you filter traffic with ACLs, you will need to write an ACL similar to this example: access-list 101 permit udp any host 192.168.57.4 eq 4500. UDP port 4500 carries IPSec NAT-Traversal (NAT-T); when no NAT sits between the peers, IKE on UDP port 500 and ESP (IP protocol 50) must be permitted instead. If you enable the XSR firewall, refer to "Configuring Security on the XSR" on page 16-1 for more information.
the hosts on the private LAN. The XSR's internal NAT operates only on Layer 4 protocols such as TCP and UDP. NAT also employs a set of modules, Application Level Gateways (ALGs), to process non-UDP/TCP protocols such as ICMP and H.323.
behind the XSR. After a tunnel has been built, the XSR may advertise routing information about the corporate network to the client. Authentication can be performed in several ways depending on the protocol used.
From the server's point of view, connected tunnels are point-to-multipoint links. The VPN interface serving as the server's tunnel endpoint must be a point-to-multipoint interface.
Client
• Fast/GigabitEthernet 1 interface: This is a private, non-routable segment, usually 192.168.1.0/24. OSPF must be disabled on F1. If OSPF is enabled on this interface, the segment will be advertised to the server.
The VPN interface on the server may terminate a mix of connections, some of which may be Client-type connections and others Network Extension connections. The following OSPF settings should be applied in this scenario:
Server
Apply the same settings as in the Client Mode scenario.
XSR VPN Features
Server 2 Interfaces: Fast/GigabitEthernet 1 and VPN 1
Client Interfaces: Fast/GigabitEthernet 1, VPN 1 and VPN 2.
Figure 14-10 OSPF Used with Failover
Limitations
Peer-to-Peer IPSec tunnels are configured without the VPN interface by applying crypto maps to physical interfaces.
- Client mode
• Remote Access application
– Clients: Windows XP, 2000 (L2TP); NT 4.0, 98, 98 SE, ME, and CE.
VPN Configuration Overview
• Authentication, Authorization, and Accounting (AAA) support including AAA per interface (for clients), AAA for PPP, and A.
• Enter crypto key master generate in Global configuration mode.
ACL Configuration Rules
Consider a few general rules when configuring ACLs.
XSR(config-if<F2>)#ip address 141.154.196.87 255.255.255.192
If an XSR is configured as a VPN gateway, the external interface (FastEthernet 2, e.
More than one IKE proposal can be specified on each node. When IKE negotiation begins, it seeks a proposal present on both peers with identical parameters; if the peers share no such proposal, Phase 1 fails and no tunnel is built. IKE policy is configured using the crypto isakmp peer command.
Configure IKE policy for the remote peer, assuming that two other IKE proposals (try2 and try3) have been configured:
XSR(config)#crypto isakmp peer 192.
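The following Python code is an added model of the proposal lookup described above (a proposal matches only when every parameter is identical, searched in the initiator's priority order); it is not the XSR's IKE implementation. The proposal names try1..try3 on one side and p10/p20 on the other, the attribute values and both peer lists are constructed for illustration. Real IKE lets a responder accept a shorter lifetime than offered; the strict rule implemented here is the one the text states.

```python
"""IKE phase-1 proposal selection: the first proposal both peers share.

Added example, not the XSR's IKE code. Proposal names, attribute values
and peer lists are assumptions.
"""
from dataclasses import dataclass, astuple
from typing import Optional


@dataclass(frozen=True)
class IkeProposal:
    name: str
    encryption: str     # e.g. "3des", "aes-128"
    hash_alg: str       # "sha1" or "md5"
    auth: str           # "pre-share" or "rsa-sig"
    dh_group: int       # MODP group number
    lifetime: int       # SA lifetime in seconds

    def attributes(self) -> tuple:
        return astuple(self)[1:]          # everything except the local name


def select_proposal(initiator: list, responder: list) -> Optional[IkeProposal]:
    """Return the responder's proposal matching the initiator's most preferred one."""
    by_attrs = {p.attributes(): p for p in responder}
    for offered in initiator:             # initiator's list is in priority order
        chosen = by_attrs.get(offered.attributes())
        if chosen is not None:
            return chosen
    return None                           # nothing in common: Phase 1 fails


def unmatched(initiator: list, responder: list) -> list:
    """Names of initiator proposals the responder can never accept (troubleshooting aid)."""
    accepted = {p.attributes() for p in responder}
    return [p.name for p in initiator if p.attributes() not in accepted]


# Constructed peer configurations.
LOCAL = [
    IkeProposal("try1", "aes-128", "sha1", "pre-share", 5, 28800),
    IkeProposal("try2", "3des", "sha1", "pre-share", 2, 28800),
    IkeProposal("try3", "3des", "md5", "pre-share", 1, 86400),
]
REMOTE = [
    IkeProposal("p10", "3des", "md5", "pre-share", 1, 86400),
    IkeProposal("p20", "3des", "sha1", "pre-share", 2, 28800),
]

if __name__ == "__main__":
    chosen = select_proposal(LOCAL, REMOTE)
    print("agreed:", chosen.name if chosen else None, "unmatched:", unmatched(LOCAL, REMOTE))
```

Because the initiator's order decides, the same two configurations agree on 3DES/SHA-1/group 2 when the local XSR initiates (try2 is its first proposal the remote also has) but on the weaker 3DES/MD5/group 1 set when the remote initiates, since p10 is the remote's first choice. Ordering the strongest proposals first on both peers avoids that asymmetry.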
Authentication, Authorization and Accounting Configuration
The XSR's AAA implementation handles all authentication, authorization and accounting of users (Remote Access) and peer gateways (Site-to-Site).
AAA Commands
The following XSR AAA commands are useful for VPN configuration:
• Configure users and groups with aaa us.
XSR(aaa-user)#aaa password ThISisMYShaREDsecRET
The following sample configuration creates user Jeremiah in the PromisedLand user group, with DNS.
– crypto ca certificate chain
– no certificate - The serial number can be found in: show crypto ca certificates
• Remove CA identities and all associated CA and IPSec client certificates by entering no crypto ca identity <ca name>.
Certificate has the following attributes:
Fingerprint: D423E129 81904CE0 1E6D0FE0 A123A302
Do you accept this certificate? [yes/no] y
Before answering yes, compare the displayed fingerprint with the value obtained from the CA administrator over a separate channel; accepting an unverified fingerprint would let an attacker who can intercept the enrollment traffic substitute their own CA.
4. Display your CA certificates to verify all root and associated certificates are present.
XSR(config)#ip domain acme.com
8. Enroll in an end-entity certificate from a CA for which you have previously authenticated; e.
Issuer: C=US, O=sml, CN=ldapca
Valid From: 2002 Aug 5th, 12:40:46 GMT
Valid To: 2004 Aug 5th, 12:48:15 GMT
Subject: C=US, O=sml, CN=ldapca
Finge.
Configuring a Simple VPN Site-to-Site Application
VPN Interface Sub-Commands
The following sub-commands are available at VPN Interface mode: ip firewall.
configuration, permit means protect (encrypt) and deny means do not encrypt but allow the traffic as is. Note that a deny entry in a crypto ACL therefore does not block traffic; it sends it in clear text outside the tunnel.
XSR(config)#access-list 120 permit ip 141.154.196.64 0.0.0.63 63.81.66.0 0.
Configuring the VPN Using EZ-IPSec
XSR(config-crypto-m)#match address 140 + Applies the map to ACL 140 and renders the ACL bi-directional
XSR(config-crypto-m)#set peer 1.
EZ-IPSec is invoked using the crypto ezipsec command in Interface mode to create a set of standard IPSec policies, relieving you of the complex manual process.
Configuration Examples
XSR(config-tms-tunnel)#set peer 200.10.20.30 + Specifies the IP address of the remote peer
XSR(config-tms-tunnel)#set protocol i.
Figure 14-12 EZ-IPSec Client, XP Client and Gateway Topology
Begin by setting the XSR system time via SNTP. This configuration is critical for XSRs which use time-sensitive certificates: with a wrong clock, otherwise valid certificates are rejected as expired or not yet valid.
XSR(config)#sntp-client server 10.
XSR(config)#crypto ipsec transform-set esp-3des-sha esp-3des esp-sha-hmac
XSR(cfg-crypto-tran)#set security-association lifetime k.
Clear the DF bit globally:
XSR(config)#crypto ipsec df-bit clear
Enable the OSPF engine, VPN and FastEthernet 1 interfaces for routing:
XSR(config)#router ospf 1
XSR(config-router)#network 10.120.70.
XSR(config-if)#encapsulation ppp
XSR(config-if)#ip address negotiated
XSR(config-if)#ip mtu 1492
XSR(config-if)#ip nat source assig.
XSR(config-isakmp-peer)#proposal shared
4. Configure a set of three IPSec quick mode security parameters that the XSR-3000 is willing to negotiate to.
XSR(config-tms-tunnel)#ip ospf dead-interval 4
XSR(config-tms-tunnel)#ip ospf hello-interval 1
XSR(config-tms-tunnel)#ip ospf cost 100
9. Configure a default static route to the next-hop Internet router:
XSR(config)#ip route 0.
XSR(config-if<F2>)#ip address 63.81.64.200 255.255.255.0
XSR(config-if<F2>)#no shutdown
7. Add a VPN point-to-point GRE interface with a heartbeat of nine seconds, enable XSR3250A to initiate an outbound tunnel (set active command), set the IP address of the remote VPN gateway (63.
XSR/Cisco Site-to-Site Example
The following Site-to-Site configuration connects a Cisco 2600 router with internal/external IP addresses of 192.168.3.5/192.168.2.5 to an XSR with internal/external IP addresses of 192.
interface FastEthernet0/0
 ip address 192.168.3.5 255.255.255.0
 speed auto
 half-duplex
 no cdp enable
interface FastEthernet0/1
 ip address 192.168.2.5 255.255.255.0
 duplex auto
 speed auto
 no cdp enable
 crypto map regular
ip classless
ip route 0.
Interoperability Profile for the XSR
XSR(config)#crypto ipsec transform-set esp-des-md5 esp-des esp-md5-hmac
XSR(cfg-crypto-tran)#set pfs group2
XSR(cfg-.
Note that single DES and HMAC-MD5 are shown here only for interoperability testing; both are considered weak, and 3DES or AES with SHA-1 (or stronger) should be used for production tunnels.
• Main mode
• Triple DES
• SHA-1
• MODP group 2 (1024 bits)
• Pre-shared secret of "hr5xb84l6aa9r6"
• SA li.
XSR(config-isakmp-peer)#config-mode gateway
XSR(config-isakmp-peer)#exchange-mode main
7.
Scenario 2: Gateway-to-Gateway with Certificates
The following is a typical gateway-to-gateway VPN that uses certificates for authentication, as illustrated in Figure 14-14.
Figure 14-14 Gateway-to-Gateway with Certificates Topology
Gateway A connects the internal LAN 10.
1. Begin by asking your CA administrator for your CA name and URL. The CA's URL defines its IP address, path and default port (80). You can check that the CA server address is reachable by pinging its IP address.
State: CA-AUTHENTICATED
Version: V3
Serial Number: 458128729515158954573993
Issuer: C=US, O=sml, CN=hightest
Valid From: 2002 Jul 24th, 20:45:13 GMT
Valid To: 2003 Jul 24th, 20:55:13 GMT
Subject: C=US, O=sml.
Valid To: 2003 Aug 29th, 16:01:58 GMT
Subject: unstructuredName=corp
Fingerprint: ABF37B67 7200CCDA 604CB10C D5AC7.
15 Configuring DHCP
Overview of DHCP
The Dynamic Host Configuration Protocol (DHCP) allocates and delivers configuration values, including IP addresses, to Internet hosts.
How DHCP Works
• Provisioning of differentiated network values by Client Class.
• Persistent and user-controllable conflict avoidance to prevent duplicate IP addresses, including configurable ping checking.
DHCP Services
client used a client ID when it got the lease, it will use the same identifier in the message. Alternately, when a lease is near expiration, the client tries to renew it.
control data are carried in tagged data items which are stored in the options field of the DHCP message. The data items themselves, also called options, are enabled on the XSR by the option command specifying IP address, hex or ASCII string values.
When the DHCP Server surveys its clients using the manual bindings of a client-identifier or hardware address and host address, it generally inherits attributes from an outer scope down to an inner scope. But the DHCP Server will override outer-scope attributes when the same attribute is found first at the Host scope.
DHCP Client Services
4. Optionally, specify the client name using any standard ASCII character. Enter client-name <name>. The client name should not include the domain name. For example, the name acme should not be specified as acme.
Primary and secondary IP addresses on the same interface are not permitted within the same subnet, nor are they allowed within subnets already occupied by other interfaces. Also, the primary IP address must be configured before any secondary address is configured.
DHCP CLI Commands
The XSR offers CLI commands to provide the following functionality:
• DHCP Server address pool(s) with related parameters and DHCP options/vendor extensions. You can configure a DHCP address pool with a name that is a symbolic string (e.
DHCP Set Up Overview
addresses are offered to the client. show ip dhcp server statistics is a useful catch-all command. show ip local pool shows a list of active IP local pools, and excluded and in-use IP addresses.
Configuration Steps
1. Add global pool local_clients, including the starting IP address of the range and addresses that are unreachable to network clients:
XSR(config)#ip local pool local_clients 1.1.1.0/24
XSR(ip-local-pool)#exclude 1.
DHCP Server Configuration Examples
8. Add to the host scope by specifying the NetBIOS node type for this particular host:
XSR(config-dhcp-host)#netbios-node-type h-node
9.
The domain name for this host is specified as indusriver.com (this will override enterasys.com specified for this pool, and ent.com specified for the class).
XSR(config)#ip local pool dpool 1.
16 Configuring Security on the XSR
This chapter describes the security options available on the XSR, including the firewall feature set and methods to protect against hacker attacks.
Features
To configure ACLs, you define them by number only, then apply them to an interface. Any number of entries can be defined in a single ACL and they may actually conflict, but they are analyzed in the order in which they appear in the show access-lists command, so the position of an entry, not just its contents, determines whether it takes effect. Place the more specific entries before the general ones.
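The following Python code is an added example, not the XSR's ACL engine, illustrating two points from this chapter and from the crypto-ACL discussion in the VPN chapter: entries are evaluated in listed order, so a conflicting later entry never fires for traffic an earlier one already matched; and in a crypto ACL a permit means protect (encrypt) while a deny means send as is. Wildcard masks follow the 0-bits-must-match convention used in the text's access-list commands. The ACL numbers, networks and sample packets are assumptions, loosely modelled on the addresses that appear in the examples.

```python
"""Ordered ACL evaluation with wildcard masks, and the crypto-ACL reading of it.

Added example, not the XSR's ACL code. ACL contents and packets are constructed.
"""
import ipaddress
from typing import NamedTuple, Optional


class AclEntry(NamedTuple):
    action: str            # "permit" or "deny"
    proto: str             # "ip" (any), "udp", "tcp", "icmp"
    src: int               # address as int
    src_wild: int          # wildcard mask: 1 bits are "don't care"
    dst: int
    dst_wild: int
    dport: Optional[int] = None


def addr(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


def entry(action, proto, src, src_wild, dst, dst_wild, dport=None) -> AclEntry:
    return AclEntry(action, proto, addr(src), addr(src_wild), addr(dst), addr(dst_wild), dport)


def packet(proto, src, dst, dport=None) -> dict:
    return {"proto": proto, "src": addr(src), "dst": addr(dst), "dport": dport}


def _matches(e: AclEntry, pkt: dict) -> bool:
    if e.proto != "ip" and e.proto != pkt["proto"]:
        return False
    if (pkt["src"] ^ e.src) & ~e.src_wild & 0xFFFFFFFF:   # differ in a "must match" bit
        return False
    if (pkt["dst"] ^ e.dst) & ~e.dst_wild & 0xFFFFFFFF:
        return False
    return e.dport is None or e.dport == pkt["dport"]


def evaluate(acl: list, pkt: dict):
    """First-match evaluation: returns (action, index) or ('deny', None) when nothing matches."""
    for i, e in enumerate(acl):
        if _matches(e, pkt):
            return e.action, i
    return "deny", None


def crypto_decision(acl: list, pkt: dict) -> str:
    """Crypto ACL semantics: permit = protect, deny = send in the clear."""
    action, _ = evaluate(acl, pkt)
    return "protect" if action == "permit" else "bypass"


# Constructed crypto ACL modelled on the text: protect 141.154.196.64/26 -> 63.81.66.0/24.
ACL_120 = [
    entry("permit", "ip", "141.154.196.64", "0.0.0.63", "63.81.66.0", "0.0.0.255"),
]

# Constructed filter ACL with a deliberate conflict: entry 0 permits NAT-T (UDP 4500)
# to the gateway, entry 1 denies all UDP to it. Order decides: NAT-T still passes.
ACL_101 = [
    entry("permit", "udp", "0.0.0.0", "255.255.255.255", "192.168.57.4", "0.0.0.0", dport=4500),
    entry("deny", "udp", "0.0.0.0", "255.255.255.255", "192.168.57.4", "0.0.0.0"),
    entry("permit", "ip", "0.0.0.0", "255.255.255.255", "0.0.0.0", "255.255.255.255"),
]

if __name__ == "__main__":
    natt = packet("udp", "1.2.3.4", "192.168.57.4", 4500)
    print(evaluate(ACL_101, natt), evaluate(ACL_101[1:], natt))
    print(crypto_decision(ACL_120, packet("tcp", "141.154.196.70", "63.81.66.9", 80)))
```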
Smurf Attack
A "smurf" attack involves an attacker sending ICMP echo requests from a falsified source (a spoofed address) to a directed broadcast address, causing all hosts on the target subnet to reply to the falsified source. The spoofed source is the real victim, which receives one reply per responding host for each request sent; the subnet that answers acts as an amplifier.
General Security Precautions
Large ICMP Packets
This protection is triggered for ICMP packets larger than a size you can configure. Such packets are dropped by the XSR if the protection is enabled with the HostDoS command.
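The following Python code is an added model of the two ICMP protections just described; it is not the XSR firmware. It parses an IPv4/ICMP header, drops echo requests addressed to a directed broadcast address of a locally attached subnet (the reflector half of a smurf attack, which the XSR's exact rule is not spelled out for on this page, so that check is an assumption), and drops ICMP packets larger than a configurable size. The subnet list, the size limit and the sample packets are constructed.

```python
"""Host-DoS style ICMP checks: directed-broadcast echo requests and oversize ICMP.

Added example, not the XSR firmware. Subnets, size limit and sample
packets are constructed; checksums in the samples are left at zero.
"""
import ipaddress
import struct

ICMP_ECHO_REQUEST = 8
LOCAL_SUBNETS = [ipaddress.IPv4Network("10.1.1.0/24"),
                 ipaddress.IPv4Network("192.168.57.0/24")]
MAX_ICMP_LEN = 1024          # configurable threshold on the whole IP packet, bytes


def parse_ipv4(pkt: bytes) -> dict:
    """Minimal IPv4 (+ICMP type/code) parse; raises ValueError on a truncated header."""
    if len(pkt) < 20:
        raise ValueError("short IPv4 header")
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    info = {"proto": proto, "len": total_len,
            "src": ipaddress.IPv4Address(src), "dst": ipaddress.IPv4Address(dst)}
    if proto == 1 and len(pkt) >= ihl + 2:
        info["icmp_type"], info["icmp_code"] = pkt[ihl], pkt[ihl + 1]
    return info


def is_directed_broadcast(dst, subnets) -> bool:
    return any(dst == net.broadcast_address for net in subnets)


def host_dos_verdict(pkt: bytes, subnets=LOCAL_SUBNETS, max_len=MAX_ICMP_LEN) -> str:
    """Return 'pass' or a 'drop: <reason>' string for one packet."""
    info = parse_ipv4(pkt)
    if info["proto"] != 1:
        return "pass"                       # only ICMP is inspected here
    if info["len"] > max_len:
        return "drop: large icmp"
    if info.get("icmp_type") == ICMP_ECHO_REQUEST and is_directed_broadcast(info["dst"], subnets):
        return "drop: smurf"
    return "pass"


def build_icmp(src: str, dst: str, icmp_type: int, payload_len: int) -> bytes:
    """Constructed IPv4+ICMP packet for testing (checksums zero)."""
    total = 20 + 8 + payload_len
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, 1, 0,
                         ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    icmp_hdr = struct.pack("!BBHHH", icmp_type, 0, 0, 1, 1)
    return ip_hdr + icmp_hdr + b"\x00" * payload_len


def build_tcp_stub(src: str, dst: str) -> bytes:
    """Constructed bare IPv4 header with protocol 6, to show non-ICMP passes untouched."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)


if __name__ == "__main__":
    for name, pkt in [("broadcast echo", build_icmp("203.0.113.7", "10.1.1.255", 8, 56)),
                      ("unicast echo", build_icmp("203.0.113.7", "10.1.1.20", 8, 56)),
                      ("oversize echo", build_icmp("203.0.113.7", "10.1.1.20", 8, 2000))]:
        print(name, "->", host_dos_verdict(pkt))
```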
AAA Services
• If you must enable PPP on the WAN, use CHAP authentication (PAP sends the password in clear text; CHAP sends only a hash of it with a challenge)
• Disable all unnecessary router services (e.g., HTTP, if not used)
• Write strict ACLs to li.
The method to perform AAA is configured globally by the aaa method command, which provides additional acct-port, address, attempts, auth-port, backup, client, enable, group, hash enable, key, qtimeout, retransmit, and timeout sub-commands.
AAA Services XSR User’s Guide 16-7 2. Enter crypto key master generate to cr eate a master key . 3. Enter crypto key dsa generate to create a host key pair on the XSR. When successful, this message will di splay: Keys are generated, new connections will use these keys for authentication 4.
AAA Services 16-8 Configuring Security on the XSR Figure 16-8 PuTTY Alert Message 7. The SSH login screen will appear as shown in Figure 16-9 . Login with Admin and no password unless you cr eated both values earlier . Figure 16-9 PuTTY Login Screen 8.
Firewall Feature Set Overview XSR User’s Guide 16-9 18. Optionally , if you want to tigh ten security on the XSR, enter ip ssh server disable to deactivate SSH. 19. Enter policy teln et to enable T elnet access for the new user . 20. Enter exit to quit AA A user m ode.
Firewall Feature Set Overview 16-10 Configuring Security on the XSR Figure 16-10 XSR Firewall T opology There ar e many possible network configurations fo r a fir ewall. The figur e above shows a scenar io with the firewall connected to the trusted networ k (internal) and servers that can be acces sed externally (via the DMZ).
Firewall Feature Set Overview XSR User’s Guide 16-11 and port numbers. These fir ewalls ar e scalable, easy to implement and widel y deployed f or simple Network layer filtering , but they suffer the following disadvantages: • Do not maintain st ates for an individual sessi on nor track a session establishment protocol.
XSR Firewall Feature Set Functionality 16-12 Configuring Security on the XSR St ateful Inspection Firewalls A stateful inspection f irewall combine s the aspe cts of other fir ewalls to filter packets at the network layer , determine whether session packet s are legitimate and evaluate th e payload of packets at the application layer .
XSR Firewall Feature Set Functionality XSR User’s Guide 16-13 Application Level Commands A special action option - Command Level Security (CLS) - to filter inter-pr otocol actions within several pr otocols. The CLS examines the mes sage type produce d by the application being filtered and either passes or dr ops specific application commands.
XSR Firewall Feature Set Functionality 16-14 Configuring Security on the XSR On Board URL Filtering This feature lets you block access to a list of Uniform Resource Locators (URLs) or limit access to certain approved sites.
XSR Firewall Feature Set Functionality XSR User's Guide 16-15 Figure 16-11 Blocked Web Site Screen You must include the re-direct URL in the white URL list when redirect URL is used with a white l.
XSR Firewall Feature Set Functionality 16-16 Configuring Security on the XSR against the routing table. If a packet is received from an interface with a source IP address that is not routable through this interface, it is considered spoofed and dropped.
XSR Firewall Feature Set Functionality XSR User's Guide 16-17 • Flooding attacks (TCP, UDP, ICMP) logs • Firewall start and restart • Failures (out of memory) A sample Web access (port 80) permit alarm, which logs at level 4, displays: FW: Permit: Port-2, Out TCP Con_Req, 10.
XSR Firewall Feature Set Functionality 16-18 Configuring Security on the XSR Figure 16-12 illustrates the process by which a user accesses a server after authentication by the XSR firewall, as explained below: 1. A user Telnets to the firewall presenting a name and password.
Firewall CLI Commands XSR User's Guide 16-19 Firewall CLI Commands The XSR provides configuration objects which, used in policy rules, can be specified at the CLI. These and other firewall commands are, as follows: • Network - Identifies a network or host.
Firewall CLI Commands 16-20 Configuring Security on the XSR – Non-Unicast packet handling - Packets with broadcast or multicast destination addresses are not allowed to pass in either direction - they must be allowed explicitly.
Firewall CLI Commands XSR User's Guide 16-21 • Event Logging - Defines the event threshold for firewall values logged to the Console or Syslog with ip firewall logging.
Firewall Limitations 16-22 Configuring Security on the XSR Firewall Limitations Consider the following caveats regarding firewall operations: • Gating Rules - Internal XSR gating rules, which order traffic filtering, are stored in a temporary file in Flash.
Pre-configuring the Firewall XSR User's Guide 16-23 cache will not automatically switch over. If the firewall is enabled on a slave router, then all sessions would have to be re-established. You would have to re-authenticate users for access to authentication-protected servers.
Configuration Examples 16-24 Configuring Security on the XSR – Multicast or broadcast filtering for routing and communications protocol filtering • Perform a trial or delayed load to check for.
Configuration Examples XSR User's Guide 16-25 Figure 16-14 XSR with Firewall Topology Begin by configuring network objects for private, dmz and Mgmt networks: XSR(config)#ip firewall network dmz 220.150.2.16 mask 255.255.255.240 internal XSR(config)#ip firewall network private 220.
Configuration Examples 16-26 Configuring Security on the XSR XSR(config)#interface fastethernet 2 XSR(config-if<F2>)#ip address 220.150.2.17 255.255.255.0 XSR(config-if<F1>)#no shutdown XSR(config)#interface serial 1/0:0 XSR(config-if<S1/0:0>)#ip address 206.
Configuration Examples XSR User's Guide 16-27 XSR(config-if)#ip address negotiated XSR(config-if)#ip mtu 1492 XSR(config-if)#ip nat source assigned overload XSR(config-if)#ppp pap sent-username b1j.
Configuration Examples 16-28 Configuring Security on the XSR – Terminate Network Extension Mode (NEM) and Client mode tunnels – Terminate remote access L2TP/IPSec tunnels – Terminate PPTP re.
Configuration Examples XSR User's Guide 16-29 XSR(config-isakmp-peer)#proposal xp soho p2p XSR(config-isakmp-peer)#config-mode gateway XSR(config-isakmp-peer)#nat-traversal automatic Configure the.
Configuration Examples 16-30 Configuring Security on the XSR XSR(config)#ip route 0.0.0.0 0.0.0.0 141.154.196.93 Define an IP pool for distribution of tunnel addresses to all client types: XSR(config)#ip local pool test 10.
Configuration Examples XSR User's Guide 16-31 XSR(aaa-group)#l2tp compression XSR(aaa-group)#policy vpn Configure the local AAA method for shared secret tunnels (NEM and client mode tunnels): XSR.
Configuration Examples 16-32 Configuring Security on the XSR Define service to support IPSec NAT traversal (Release 7.0 or later): XSR(config)#ip firewall service ietf NatT eq 4500 gt 1023 udp Defin.
Configuration Examples XSR User's Guide 16-33 Load the firewall configuration: XSR(config)#ip firewall load Globally enable the firewall. Even though you have configured and loaded the firewall, only invoking the following command "turns on" the firewall.
Configuration Examples 16-34 Configuring Security on the XSR XSR(config)#ip firewall policy radius internal internal Radius allow bidirectional XSR(config)#ip firewall policy RADacct internal internal Radius_ACCT allow bidirectional Configuring Simple Security This configuration offers simple protection for the XSR.
Configuration Examples XSR User's Guide 16-35 RPC Policy Configuration The following configuration creates policies which permit TCP RPC-based applications to flow from a Branch to Corporate network. You can use the keyword bidirectional if you expect the branch network to also have RPC-based services.
Configuration Examples 16-36 Configuring Security on the XSR.
XSR User's Guide A-1 A Alarms/Events, System Limits, and Standard ASCII Table This appendix describes the configuration and memory limits of the XSR as well as system High, Medium and Low severity, firewall and NAT (separately described on page A-14) alarms and events captured by the router.
Recommended System Limits A-2 Alarms/Events, System Limits, and Standard ASCII Table SNMP read-only communities 20 20 20 SNMP read-write communities 20 20 20 SNMP trap servers 20 20 25 SNMP users 25 2.
System Alarms and Events XSR User's Guide A-3 System Alarms and Events The XSR exhibits the following logging behavior for all except firewall and NAT alarms: Refer to the following table for all High severity alarms and events reported by the XSR.
System Alarms and Events A-4 Alarms/Events, System Limits, and Standard ASCII Table T1E1 Receiver has Loss of Frame (Yellow Alarm). T1/E1 physical port is detecting an OOF alarm. T1E1 LOF alarm on receiver cleared. T1/E1 physical port is not detecting an OOF alarm.
System Alarms and Events XSR User's Guide A-5 ISDN Incoming Call <BRI | Serial card / port:channel> Connected to <calling no.> Unknown Call An incoming call connected for test purposes will be disconnected within 30 seconds. ISDN North American BRI Interface %d requires SPID configuration Configuration error.
System Alarms and Events A-6 Alarms/Events, System Limits, and Standard ASCII Table ETH1_DRIV The ISR could not be connected This internal configuration alarm occurs because the interrupt service routine (ISR) cannot be connected to the FastEthernet 2 interface/driver, rendering FastEthernet port 2 unavailable.
System Alarms and Events XSR User's Guide A-7 CLI User: <username> logged in from address <IP address> Login process failure due to invalid user ID or password through telnet session in CheckLogin().
System Alarms and Events A-8 Alarms/Events, System Limits, and Standard ASCII Table Refer to the table below for all Medium severity alarms and events reported by the XSR. All of the following messages are USER_LEVEL facility except for those in bold text which are SECURITY_LEVEL.
System Alarms and Events XSR User's Guide A-9 T1 ERROR: Shared memory allocation failed for Receive Descriptors. Error in allocating memory for T1E1 HW card. T1 T1E1 PCI Init Failed. Error in initializing T1E1 HW card. T1 ERROR: Shared memory allocation failed for Transmit Pending Queue.
System Alarms and Events A-10 Alarms/Events, System Limits, and Standard ASCII Table PPP PPP MS-CHAP authentication failed while being authenticated by remote peer PPP MS-CHAP authentication has failed while being authenticated by the remote peer.
System Alarms and Events XSR User's Guide A-11 Refer to the table below for all Low severity alarms and events reported by the XSR. All of the following messages are USER_LEVEL facility except for those in bold text which are SECURITY_LEVEL.
System Alarms and Events A-12 Alarms/Events, System Limits, and Standard ASCII Table T1E1 Receive Remote Alarm Indication (Yellow Alarm). Indicates that T1/E1 physical port is detecting RAI Alarm. T1E1 Receive RAI alarm cleared. Indicates that T1/E1 physical port is not detecting RAI Alarm.
System Alarms and Events XSR User's Guide A-13 SYNC_DRIV Packets lost > 255 (RX overrun) Sum of packets lost due to RX FIFO overrun exceeded 255. PP Out of memory - frame dropped at port <port number> Frame is dropped at the specified port from depleted memory.
Firewall and NAT Alarms and Reports A-14 Alarms/Events, System Limits, and Standard ASCII Table Firewall and NAT Alarms and Reports The XSR reports logging messages for firewall and NAT functionality as listed below. Low system-level logging messages are classified at Levels 4 or 6 while Medium system-level alarms are classified at Level 3.
Firewall and NAT Alarms and Reports XSR User's Guide A-15 3 - ERROR NAT: No NAT entry found, %IP_P2 3 - ERROR NAT: TCP reset, NAT port %d, %IP_P2 3 - ERROR UDP: NAT unable to forward packet,.
Firewall and NAT Alarms and Reports A-16 Alarms/Events, System Limits, and Standard ASCII Table 1 - ALERT UDP: Detected UDP Flood attack %IP_P2 1 - ALERT UDP: Duplicated external host %IP_P2 2 - CRI.
Firewall and NAT Alarms and Reports XSR User's Guide A-17 3 - ERROR Deny: ICMP unsupported packet %IP2_ICMP 3 - ERROR Deny: java applet %CMD, %IP_P2 3 - ERROR Deny: No filter for %s, %IP_2 3 - E.
Firewall and NAT Alarms and Reports A-18 Alarms/Events, System Limits, and Standard ASCII Table 3 - ERROR TCP: Non-empty ACK packet in TCP three-way handshake sequence %IP_P2 3 - ERROR TCP: RST pac.
Standard ASCII Character Table XSR User's Guide A-19 Standard ASCII Character Table The following table displays standard ASCII characters for referencing SNMP conventions found in "Configuration Examples" on page 2-41.
Standard ASCII Character Table A-20 Alarms/Events, System Limits, and Standard ASCII Table 107: k 108: l 109: m 110: n 112: p 113: q 114: r 115: s 116: t 117: u 118: v 120: x 121: y 122: z.
XSR User's Guide B-1 B XSR SNMP Proprietary and Associated Standard MIBs This appendix lists and describes XSR-supported SNMP tables and objects for the following standard (partial listing) and p.
Service Level Reporting MIB Tables B-2 XSR SNMP Proprietary and Associated Standard MIBs etsysSrvcLvlOwnerTable A management entity interested in creating and activating remote SLA measurements must previously be registered in the Service Level Owners Table which contains owner's contact information.
Service Level Reporting MIB Tables XSR User's Guide B-3 etsysSrvcLvlNetMeasureTable Entries in the Service Level Network Measurement Table display several metric measurements per packet exchange. Each measurement step produces a single result per metric with measurement intervals and metrics saved in the Table.
Service Level Reporting MIB Tables B-4 XSR SNMP Proprietary and Associated Standard MIBs etsysSrvcLvlAggrMeasureTable Entries in the Service Level Aggregate Measurement Table display several metric measurements per packet exchange.
BGP v4 MIB Tables XSR User's Guide B-5 BGP v4 MIB Tables The XSR supports the following BGP v4 tables, whose fields are described in the following pages: • General Variables • Peer Table.
BGP v4 MIB Tables B-6 XSR SNMP Proprietary and Associated Standard MIBs bgpPeerAdminStatus The desired state of the BGP connection. A transition from stop to start will cause the BGP Start Event to be generated. A transition from start to stop will cause the BGP Stop Event to be generated.
BGP v4 MIB Tables XSR User's Guide B-7 BGP-4 Received Path Attribute Table bgpPeerKeepAlive Interval for the KeepAlive timer established with the peer, range: 1-21845 seconds.
BGP v4 MIB Tables B-8 XSR SNMP Proprietary and Associated Standard MIBs BGP-4 Traps bgp4PathAttrASPathSegment The sequence of AS path segments. Each AS path segment is represented by a triple <type, length, value>.
Firewall MIB Tables XSR User's Guide B-9 Firewall MIB Tables The firewall MIB contains the following tables, most of which are detailed in this section: Firewall on Interface Group, Interface t.
Firewall MIB Tables B-10 XSR SNMP Proprietary and Associated Standard MIBs Monitoring Objects This section describes counters and statistics that are available to SNMP from the firewall. All fields are read-only and cannot be modified. The XSR supports SNMP gets only for these objects.
Firewall MIB Tables XSR User's Guide B-11 IP Session Counters These counters track the activities of IP sessions. IP Session Table This table contains information about each active IP session. Authenticated Address Counters This table provides a summary of the authentication activity.
VPN MIB Tables B-12 XSR SNMP Proprietary and Associated Standard MIBs DOS Attacks Blocked Counters These elements reflect the DOS attack summaries stored in the firewall. DOS Attacks Blocked Table These elements reflect the hits against DOS attack types recognized by the firewall.
VPN MIB Tables XSR User's Guide B-13 • etsysVpnIpsecProposalTable • etsysVpnIpsecPropTransformsTable • etsysVpnAhTransformTable • etsysVpnEspTransformTable • etsysVpnIpcompTransfo.
VPN MIB Tables B-14 XSR SNMP Proprietary and Associated Standard MIBs etsysVpnIkeProposalTable This table contains the IKE proposals used during IKE negotiation.
VPN MIB Tables XSR User's Guide B-15 etsysVpnIpsecPolicyRuleTable This table defines the IPSec policy rules. The table index is { etsysVpnIpsecPolicyName, etsysVpnPolRulePriority }.
VPN MIB Tables B-16 XSR SNMP Proprietary and Associated Standard MIBs etsysVpnIpsecProposalTable This table contains the IPSec proposals. The table index is { etsysVpnIpsecPropName }.
VPN MIB Tables XSR User's Guide B-17 etsysVpnEspTransformTable This table lists all the ESP transforms created by adding ESP rows to the etsysVpnIpsecPropTransformsTable. The table also contains read-only rows for XSR EZ-IPSec transforms. The table index is { etsysVpnEspTranName }.
ipCidrRouteTable for Static Routes B-18 XSR SNMP Proprietary and Associated Standard MIBs ipCidrRouteTable for Static Routes VPN configuration on the XSR may require a default route to the next-hop Internet gateway. Static routes can be added with the IP Forwarding MIB (RFC-2096).
Enterasys Configuration Management MIB XSR User's Guide B-19 Enterasys Configuration Management MIB The Enterasys Configuration Management MIB supports parameters for an SNMP management entity to r.
Enterasys Configuration Change MIB B-20 XSR SNMP Proprietary and Associated Standard MIBs Enterasys Configuration Change MIB The Enterasys Configuration Change MIB supports parameters for SNMP management entities to determine if and when configuration changes have occurred.
Enterasys SNMP Persistence MIB XSR User's Guide B-21 Enterasys SNMP Persistence MIB This MIB permits management applications to commit persistent SNMP configuration information to persistent storage. etsysConfigChangeFirmwareGroup A collection of objects providing firmware change data.
Enterasys Syslog Client MIB B-22 XSR SNMP Proprietary and Associated Standard MIBs Enterasys Syslog Client MIB This Enterasys MIB module defines a portion of the SNMP Enterprise MIBs under the Enterasys Enterprise OID pertaining to configuration of Syslog-compatible diagnostic messages generated for the XSR.
Enterasys Syslog Client MIB XSR User's Guide B-23 • etsysSyslogServerAddressType The type of Internet address by which the Syslog server is specified in etsysSyslogServerAddress. • etsysSyslogServerAddress The Internet address for the Syslog message server.
Enterasys Syslog Client MIB B-24 XSR SNMP Proprietary and Associated Standard MIBs etsysSyslogServerGroup A collection of objects providing descriptions of syslog servers for sending system message.