Enterasys Networks X-Pedition™ User Manual


The proper user manual

Regulations oblige the seller to hand over the user manual for the Enterasys Networks X-Pedition™ to the buyer together with the goods. A missing manual or incorrect information given to the consumer is grounds for a complaint on the basis of non-conformity of the device with the contract. The law permits the manual to be supplied in a form other than paper, which has recently been used very often by attaching a graphical or electronic manual for the Enterasys Networks X-Pedition™ as well as instructional videos for users. The condition is that its form is legible and understandable.

What is a user manual?

The word comes from the Latin "instructio", i.e. to arrange. Accordingly, the Enterasys Networks X-Pedition™ manual contains a description of the stages of the procedures. The aim of the manual is to instruct, to simplify starting up and using the device, or to carry out certain tasks. The manual is a collection of information about an object or service, a guide.

Unfortunately, few users devote their time to the Enterasys Networks X-Pedition™ user manual. A good user manual not only lets you get to know a number of additional functions of the purchased device, but also helps you avoid many mistakes.

So what should an ideal user manual contain?

The Enterasys Networks X-Pedition™ user manual should above all contain:
- Information about the technical data of the Enterasys Networks X-Pedition™ device
- The name of the manufacturer and the year of manufacture of the Enterasys Networks X-Pedition™ device
- Principles of operation, adjustment and maintenance of the Enterasys Networks X-Pedition™ device
- Safety marks and certificates confirming compliance with the relevant standards

Why don't we read user manuals?

The reason is a lack of time and confidence regarding the specific functions of the purchased devices. Unfortunately, merely connecting and starting the Enterasys Networks X-Pedition™ is not enough. A manual contains a number of instructions regarding specific functions, safety principles, types of maintenance (even which agents to use), possible faults of the Enterasys Networks X-Pedition™ and ways of solving problems that might occur during use. After all, the manual also contains the contact number of the Enterasys Networks service department in case the suggested solutions are not effective. Currently, manuals in the form of interesting animations or video guides are gaining popularity, since they appeal to the user better than a brochure. This type of manual guarantees that the user watches the whole video without skipping the specific and complicated technical descriptions of the Enterasys Networks X-Pedition™, as happens with the paper form.

Why should we read user manuals?

In the user manual we find above all the answers about the construction and capabilities of the Enterasys Networks X-Pedition™ device, the use of specific accessories and a range of information that allows you to use all of its functions and conveniences.

After a successful purchase of the device, one should devote some time to getting to know every part of the Enterasys Networks X-Pedition™ manual. Currently they are carefully prepared or translated so that they are not only understandable to users but also fulfil their basic help and information function.

Table of contents of the user manual

  • Seite 1

    X-Pedition ™ Security Router XSR User’ s Guide Ve r s i o n 7 . 6 P/N 9033837-09[...]

  • Seite 2

    [...]

  • Seite 3

    i Notice Enterasys Networks  reserves  the  right  to  make  changes  in  specif ications  and  other  information  contained  in  this  do cument  and  its  web  si te  without  prior  notice.  The  reader  should  in  all  cases  consult  Enterasys Netw orks[...]

  • Seite 4

    ii Regulatory Compliance Information Federal Communications Commission (F CC) Notice The  XSR  complies  with  Title  47,  Pa r t  15,  Class  A  of  FCC  rules.  Operation  is  subject  to  the  following  tw o  conditions: •T h i s  device  may  not  cause  harmful  i[...]

  • Seite 5

    iii Industry Canada Notices This  digital  apparatus  does  not  exceed  the  class  A  limits  for  radio  noise  emissions  from  digital  apparatus  set  out  in  the  Radio  Interference  Regulations  of  the  Canadian  Department  of  Communications. Le  [...]

  • Seite 6

    iv Electromagnetic Compatibility (EMC) This  product  complies  with  the  following:  47 CFR  Par t s  2  and  15,  CSA C108.8,  89/336/EEC,  EN 55022,  EN  55024,  EN 61000 ‐ 3 ‐ 2,  EN 61000 ‐ 3 ‐ 3,  AS/NZS  CISPR  22,  and  VCCI  V ‐ 3. Compatibilidad Electromágnet[...]

  • Seite 7

    v Declaration of Conformity Application  of  Co uncil  Directiv e(s): 89/336/EEC 73/23/EEC Manufacturer’s  Na me: Enterasys Networks, Inc. Manufacturer ’ s  A ddress: 50  Minuteman  Road Andover,  MA  01810 USA European  Representative  Addre ss: Enterasys Networks,  Ltd. Nexus  House,  Newbury  Busi[...]

  • Seite 8

    vi Independent Communications Authority of South Africa This  product  complies  with  the  terms  of  th e  provisions  of  section  54(1)  of  the  T elecommu nications  Act  (Act  103  of  1996)  and  the  T elecommunications  Regulation  prescribed  under  the  Pos[...]

  • Seite 9

    vii Enterasys Networks, Inc. Firmware License Agreement BEFORE  OPENING  OR  UTILIZING  THE  ENCLOSED  PRODUCT , CAREFULL Y  READ  THIS  LICENSE  AGREEMENT . This  document  is  an  agreement  (“ Agreement”)  betw een  the  end  user  (“Y ou”)  and  Enterasys Networks, Inc. ?[...]

  • Seite 10

    viii 4. EXPORT  RESTRICTIONS. You  understand  that  Enterasys  and  its  Affiliates  are  subject  to  regu lation  by  agencies  of  the  U.S.  Government,  including  the  U.S.  Department  of  Commerce,  which  prohibit  export  or  diversion  of  certain [...]

  • Seite 11

    ix 10. ENFORCEMENT. You  acknowledge  and  agree  that  any  breach  of  Sections  2,  4,  or  9  of  this  Agreement  by  You  may  cause  Enterasys  irreparable  damage  for  which  recovery  of  money  damages  would  be  inadequate,  and  tha t ?[...]

  • Seite 12

    x[...]

  • Seite 13

    xi Contents Preface Contents of the Guide .. ............. ................ ............. ................ ............. ................ ............. ... ................. ......... xxvii Conventions Used in This G uid e ........ ............. ............. ................ ............. ............. ................ .... .................. xxvi[...]

  • Seite 14

    xii Configuring an Interface ......... ............. ................ ............. ................ ............. ................ ....... ............ 2-22 Displaying Interface Attributes ............. ................ ............. ................ ................ ............. ......... .......... 2-22 Managing Message Logs ............. .....[...]

  • Seite 15

    xiii Chapter 3: Managing LAN/WAN Interfaces Overview of LAN Interfaces ...... ................ ............. ................ ............. ................ ................. ... ................ ........ 3-1 LAN Features ..................... ................ ............. ............. ................ ............. ................ ...... ......[...]

  • Seite 16

    xiv Secondary IP ...... ................ ............. ................ ............. ............. ................ ............. ........ .................. ........ 5-7 Interface & Secondary IP ........... ................ ................ ............. ................ ............. ................ .. ............. 5-7 ARP & Secondary [...]

  • Seite 17

    xv Load Balancing ....... ................ ............. ................ ............. ............. ................ ............. ...... ................ 5-31 ARP Process on a VRRP Router ........... ............. ................ ................ ............. ................ .............. .. 5-31 Host ARP ......... ............. ............[...]

  • Seite 18

    xvi Filter Lists ............... ............. ............. ................ ............. ............. ................ ............. ... ................... ... 6-12 Community Lists . ................. ............. ................ ............. ............. ................ ............. .......... ............... 6-12 Route Maps ...........[...]

  • Seite 19

    xvii Describing the XSR’s PIM-SM v2 Features .. ............ ................. ................ ................ ............. ........... ........ ..... 7-7 Phase 1: Building a Shared Tree .... ............. ................ ................ ............. ................ ................ . .............. 7-8 Phase 2: Building Shortest Path Tr e[...]

  • Seite 20

    xviii Chapter 9: Configuring Frame Relay Overview ............. ............ ............. ................. ............ ............. ................. ............ ......... ................. ............. ..... 9-1 Virtual Circuits ................. ............. ................ ............. ................. ............ ............. ......[...]

  • Seite 21

    xix Configuring ISDN Callback ............................. ............. ................ ............. ................ ............. . ............. 10-12 Point-to-Point with Matched Callin g/Called Numbers ....... ................ ................ ............. ................ . 10-12 Point-to-Point with Different Ca lling/Called Numbers .....[...]

  • Seite 22

    xx Backup Using ISDN ..... ............. ............. ................ ............. ................ ............. ............. ....... ................ 1 0-37 Node A (Backed-up Node) Configur ation ............... ................ ............. ................ ............. ............. . 1 0- 37 Node C (Called Node) Configurat ion ... ......[...]

  • Seite 23

    xxi Measuring Bandwidth Utilization .................. ................. ................ ............. ................ ............. ... ...... 12-5 Describing Priority Queues .. ................ ................ ............. ................ ................ ............. ......... .......... 12-5 Configuring Priority Queues ......... .........[...]

  • Seite 24

    xxii ADSL Hardware ........... ............. ................ ............. ............. ................ ............. ................ .. .................... 13-5 NIM Card ............ ................. ............. ............ ................. ............. ................ ............. ...... ................... 13-5 ADSL on the Motherboa[...]

  • Seite 25

    xxiii Server 1 ........... ............. ............. ................ ............. ............. ................ ............. ........... ............... .... 14-17 Server 2 ........... ............. ............. ................ ............. ............. ................ ............. ........... ............... .... 14-18 Client .........[...]

  • Seite 26

    xxiv DHCP Client Services ..................... ............. ................ ............. ................ ............. .............. ........ ................ 15-6 Router Option .................. ................ ............. ............. ................ ............. ............. ........... ............... ......... 15-6 Parameter Requ[...]

  • Seite 27

    xxv Application Level Commands ....... ............. ................ ................. ............ ................. ................ ... .... 16-13 Application Level Gateway ..... ................ ............. ................ ............. ................ ............. .......... ....... 16-13 On Board URL Filtering ... ............. ........[...]

  • Seite 28

    xxvi DOS Attacks Bloc ked Counters .............. ............. ................ ............. ................ ............. .............. ..... B-12 DOS Attacks Bloc ked Table ......... ................ ............. ............. ................ ............. ................ ...... ....... B-12 VPN MIB Tables . ................ ............. [...]

  • Seite 29

    XSR User’s Guide xxvii Preface This guide provides a general overview of the XSR hardwar e and software features. It describes how to configure and maintain the router . R efer to the XSR CLI Reference Guide and the XSR Getting Started Guide for information not contained in this document. This guide is written for administrators who want to confi[...]

  • Seite 30

    Conventions Used in This Guide xxviii Preface • Chapter 1 1, Config uring ISDN, outlines how to set up the Integrated Services Digital Network protocol on the XSR for BRI, PRI and leased line applications. ISDN protocol tracing and partial decoding of Q921 and Q9 31 frames is also described. • Chapter 12, Configuring Quali ty of Service , descr[...]

  • Seite 31

    Conventions Used in This Guide XSR User’s Guide xxix Wa r n i n g : Warns against an action that could result in person al injury or death. Advertencia: Ad vierte contra una acción que pud iera resultar en lesión corporal o la muerte. W arnhinwe is: W arnung vor Handlungen, die zu V erletzung von Personen oder gar T odesfällen führen können![...]

  • Seite 32

    Getting Help xxx Preface Getting Help For additional support related to the XSR, cont act Enterasys Networks by one of these methods: Before contacting Enterasys Ne tworks for technical s upport, have the following infor mation rea d y: • Y our Enterasys Networks service contract number • A description of the failure • A description of any ac[...]

  • Seite 33

    XSR User’s Guide 1-1 1 Overview This chapter briefly describes the functionality of the XSR. Refer to the following chapters in this manual for details on how to configur e this functiona lity and the XSR CLI Refer ence Guide for a description of associated CLI commands and examples. The following functionality is support ed on the XSR: • Syste[...]

  • Seite 34

    1-2 Overview and data-compre ssion negotiation. Also supporte d: PPPoE client and sub-i nterface monitoring, and Multilink PPP pr otocols as well as Dial on Demand (DoD), Bandwidth on Demand (BoD), Multi-Class MLPPP . • IP Protocol - IP supports interconnected systems of packet-switched computer communication networks. It uses a 32-bit addres sin[...]

  • Seite 35

    XSR User’s Guide 1-3 • Quality of Service - The XSR provides traf fi c classification us ing IP Precedence and DSCP bits, bandwidth control via meter ed, policed an d prioritized traf fic queues, and queue management utilizing T ail Drop, Random and W eighted Ea rly Detection (RED, WRED) . Also, QoS on Input including classi fication based on c[...]

  • Seite 36

    1-4 Overview[...]

  • Seite 37

    XSR User’s Guide 2-1 2 Managing the XSR The XSR can be managed via thr ee interfaces with varying levels of contr ol: the Command Line Interface (CLI) for full configuration, perfor mance and fault management; the Simple Network Management Protocol (SNMP) for r emote monito ring and firmwar e upgrades, and the W eb for gathering version informa t[...]

  • Seite 38

    Utilizing the Command Line Interface 2-2 Managing the XSR Using the Console Port to Remotely Control the XSR The XSR’s Console port can also be c onnected to a modem for the purpose of r emote console control. Make the connection with a straight-through cable and enter the following XSR commands: XSR(config)#interface serial 0 XSR(config-if<S0[...]

  • Seite 39

    Utilizing the Command Line Interface XSR User’s Guide 2-3 T erminal Commands If you want to display identi fication informatio n about the current terminal connection, issue the show whoami command. Refer to the XSR Getting Started Guide and XSR CLI Refer ence Guide for more information on commands. Connecting via T elnet Once the XSR is pr operl[...]

  • Seite 40

    Utilizing the Command Line Interface 2-4 Managing the XSR PuTTY and other sharewar e programs are compatible with the XSR’s SSH server . Refer to the XSR Getting Started and CLI Refe renc e guides for more details. Accessing the Initial Prompt The CLI is pr otected by security . Before you can access EXEC mode, you must enter a valid password. Th[...]

  • Seite 41

    Utilizing the Command Line Interface XSR User’s Guide 2-5 Managing the Session A first-ti me CLI session is s et up with default attributes; e.g., the session is set to time out after 1800 seconds of idle time. Y ou can reconfigur e session values such as cr eate users, passwor ds, and login banners, and set T elnet and W eb access. Refer to the [...]

  • Seite 42

    Utilizing the Command Line Interface 2-6 Managing the XSR • Backwardly compatible/transparent to those not r equiring RAI. • Console display of RAI progr ess. • Console interrupt of RAI pr ocess at any time. • CLI configurabl e RAI loading. Persiste nt, 5-minute try , and none (dis able). • No r ebooting re quired to activate configuratio[...]

  • Seite 43

    Utilizing the Command Line Interface XSR User’s Guide 2-7 DHCP client over the LAN: • Operational over an Ethernet interface only on the lowest slot/card/port only . • Uses the options field for TF TP server , IP address, hos t name and config file. • Optionally uses Reverse DNS if options are not populated. At a branch site, the XSR suppor[...]

  • Seite 44

    Utilizing the Command Line Interface 2-8 Managing the XSR RAI checks each DLCI, up to 30, on a given in terface for a Bootp r esponse , an rDNS server and a TF TP server with a configuration file. The fi rst DLCI that accomplishes this will be chosen. If the connection fails, RAI will reset itself an d restart at Phase 1, next media-type. If the DL[...]

  • Seite 45

    Utilizing the Command Line Interface XSR User’s Guide 2-9 W ith bootp enabled , DHCP relay and server functi onality is disabled on thi s DLCI for br oadcast packets entering from this DLCI. Unicast bootp reques ts are still forwar ded to the server . Configuration on a DLCI by DLCI basis is supported for a bootp response, r equiring that a stati[...]

  • Seite 46

    Utilizing the Command Line Interface 2-10 Managing the XSR PPP RAI over a Leased Line PPP over a leased line performs similarly to Fram e Relay RA I over a serial link via a leased T elco line. When PPP negotiation is su ccessful, a poin t-to-p oint connection is established from the remote XSR to the central r ou ter . Then the remote XSR can obta[...]

  • Seite 47

    Utilizing the Command Line Interface XSR User’s Guide 2-11 The first phase establishes a physical connection (training) on the ADLS line. RAI ADSL attempts a physical connection on the first port of the ADSL card, waiting one minute fo r training to succeed. If it fails, RAI abandons ADSL RAI and moves to the next available RAI method. After trai[...]

  • Seite 48

    Utilizing the Command Line Interface 2-12 Managing the XSR • Command Recall : Non-help commands ar e stored in the command history list buf fer up to the last 32 command s. Y ou can recall and edit previous commands using shortcut ke ys. For example: Ctrl + p/Ctrl + n will list the previous/next co mmand respectively and can be applied r epeatedl[...]

  • Seite 49

    Utilizing the Command Line Interface XSR User’s Guide 2-13 Refer to Figure 2-1 for a graphic example of configuration modes. Figure 2-1 Partial Configuration Mode T ree The footnotes below refer to command options cited in the illustration. 1. The interface type can be one of the followin g: Serial, F astEth ernet , GigabitEthernet, BRI, loopback[...]

  • Seite 50

    Utilizing the Command Line Interface 2-14 Managing the XSR 4. Some attributes can be set at this level without acquiring other modes. For example: acces s- list access-list-num [deny | permit] [parameter [parameter…]] 5. Show commands can all be entered at EXE C, Privileged EXEC or hig her modes. User EXEC Mode Y ou enter User EXEC (or s imply EX[...]

  • Seite 51

    Utilizing the Command Line Interface XSR User’s Guide 2-15 Mode Examples Consider the followi ng examples to chan ge configuration mode: XSR>enable + Acquires Privileged EXEC mode XSR#config terminal + Acquires Global configuration mode XSR(config)#interface fastethernet 1 + Acquires Interface mode XSR(config-if<F1>)#ip address 192.16 8.[...]

  • Seite 52

    Utilizing the Command Line Interface 2-16 Managing the XSR CLI Command Limit s CLI commands on the XSR ar e bounded by the following: • T otal number of characters in a command l ine/help message: 29 9 • T otal number of words in a command line: 127 • Number of command history entries recalled: 31 • T otal number of characters in a prompt: [...]

  • Seite 53

    Utilizing the Command Line Interface XSR User’s Guide 2-17 Supported Port s The XSR supports the following port types: • Single-channel ports: Fast- and Gi gabitEthernet, Sync/A sync serial, A TM • Multiple-channel ty pe ports: BRI, T1/E1 Numbering XSR Slot s, Cards, and Port s The syntax for XSR slot, card, and port numbering on the CLI, ill[...]

  • Seite 54

    Utilizing the Command Line Interface 2-18 Managing the XSR • V irtual Inte rfaces: – Loopback - Range 0 to 15. Interface type: Internal Loopback. – Dialer - Range: 0 to 255, Interface type: Dialer . – VPN - Range: 0 to 255, Interface type: VPN tunnel/Dialer . – Multilink - Range: 1 to 32767, In terface type: VPN tu nnel. – Frame Relay D[...]

  • Seite 55

    Utilizing the Command Line Interface XSR User’s Guide 2-19 • BRI-Dialer (IDSN) Exampl e interface dialer 0 + Configures dialer interface 0 ip address 2.2.2.2 255.255.255.0 + S ets IP address/subnet on port encapsulation + Interface/Sub-interface Behavior XSR interfaces and sub-interf aces, channels and channel-gr oups are added and deleted dif [...]

  • Seite 56

    Utilizing the Command Line Interface 2-20 Managing the XSR – Switched : When configuring a switched BRI connect ion, thr ee serial sub-interfaces ar e automatically cr eated when you enter: interface bri 2/1 isdn switch-type basic-ni1 – The following sub -interfaces are added: interface serial 2/1:0 interface serial 2/1:1 interface serial 2/1:2[...]

  • Seite 57

    Utilizing the Command Line Interface XSR User’s Guide 2-21 Deleting T able Entries There ar e two ways to delete an entry from a table depending on the table type. T ype (e.g.): XSR(config)#no arp 1.1.1.1 e45e.ffe5 .ffee + removes the arp entry related to row 1.1.1.1. where no is the command that negates the previous operation an d arp is the ass[...]

  • Seite 58

    Utilizing the Command Line Interface 2-22 Managing the XSR Ports can be enabled or disabled, configur ed for default settings, associated tables, clock rate, priority group, and encapsulatio n, for example. Refer to the XSR CLI Refer ence Guide for mor e details on Interface mode command s. Enabling an Interface The following command enables an int[...]

  • Seite 59

    Utilizing the Command Line Interface XSR User’s Guide 2-23 Managing Message Logs Messages produced by the XS R, whether alar ms or ev ents, as well as link state changes for critical ports and a manag ement authenticati on log, can be r outed to variou s destinations wit h the logging command. And by iss uing the no logging command, you can block[...]

  • Seite 60

    Utilizing the Command Line Interface 2-24 Managing the XSR • Contents of stacks (task stacks, interrupt stack) • Status of one special task (packet processor by default) • Code around the cr ash program counter • T ask message queues • Memory management statistics • T ask stack traces for all tasks The router can s tore one Fault Report[...]

  • Seite 61

    Utilizing the Command Line Interface XSR User’s Guide 2-25 Using the Real-Time Clock The XSR’s Real-T i me Clock (R TC) is employed by other syst em software modules to time-stamp events, alarms and is us eful when no network clock source is accessible. It is normally synchronized with a master clock source over the network using the Simple Net[...]

  • Seite 62

    Utilizing the Command Line Interface 2-26 Managing the XSR Resetting the Configurati on to Factory Default In situations wher e the XSR has invalid softwar e or a pr oblem booting up, you can r eset the router and return it to its factory default se ttings by accessing Bootr om Monitor Mode. T ake these steps: 1. Power up with a serial Com connecti[...]

  • Seite 63

    Utilizing the Command Line Interface XSR User’s Guide 2-27 Configuration Save Options There ar e several options avai lable regar d ing configuration : • If you want to make your running configurat ion the new startup configuration, you can save it to Flash memory with the copy runnin g-config startup-config command. • If you want to convert [...]

  • Seite 64

    Utilizing the Command Line Interface 2-28 Managing the XSR For more comman d details, refer to the XSR CLI Refer ence Guide . Uploading the Confi guration/Crash Report An upload copies the XSR s tartup-configuration file (partial) to a system in a CLI script format using TF TP . Y ou can later retrieve the file with TF TP . T o p er f or m th e ta [...]

  • Seite 65

    Utilizing the Command Line Interface XSR User’s Guide 2-29 Managing the Sof tware Image The XSR can stor e more than one software image in Flash. Creating Alternate Soft ware Image Files The XSR can cr eate multiple softwar e images, a useful option if you want to quickly select an alternate image. For example, you can create two s oftware image [...]

  • Seite 66

    Utilizing the Command Line Interface 2-30 Managing the XSR • Optionall y , if you have CompactFlash installed, you can download the firmwar e file to cflash: then perform Step 1 (s ee below) followed by the bu (lower -case u ) command. • If you use the Cabletr on TF TP/BOOTP Services application, which does not recognize long file names, first [...]

  • Seite 67

    Utilizing the Command Line Interface XSR User’s Guide 2-31 4. Using TF TP , transfer updateBootrom.fls from the networ k: XSR-1805# copy tftp://192.168.27.95/C:/tftpDir/ updateBootrom.fls flash:updateBootrom.fls Copy 'tftpDir/updateBootrom.fls' fro m server as 'updateBootrom.fls' into Flash( y/n) ? y !!!!!!!!!!!!!!!!!!!!!!!!!![...]

  • Seite 68

    Utilizing the Command Line Interface 2-32 Managing the XSR Local Bootrom Upgrade Due to the change in the format of the Bootr o m file between version 1. x and vers ion 2.01, a transitional step is r equired when updating acr o ss these versions only . This transitional step can be avoided by using the Bootrom Update uti lity described above. When [...]

  • Seite 69

    Utilizing the Command Line Interface XSR User’s Guide 2-33 – DOS-style full path (without the file name) of the site of the Bootr o m file on the host PC. – The username and password to use when conne cting to your F TP server on the host PC. 6. V erify the netw ork boot values using the sn command. For example: XSR: sn Local IP address : 192[...]

  • Seite 70

    Utilizing the Command Line Interface 2-34 Managing the XSR Programming 131072(0x20000) bytes at address 0xfffa0000 Programming 48299(0xbcab) bytes at a ddress 0xfffc0000 Verifying Bootrom flash sectors Locking 3 Bootrom flash sectors Locking 8 Bootrom flash sectors ***** Bootrom update completed. ***** Do you want to remove the bootrom fi le bootro[...]

  • Seite 71

    Utilizing the Command Line Interface XSR User’s Guide 2-35 • If the power to XSR fails, try another reload • If a syntax error is indicated, ex amine your configuration for err ors • If XSR crashes, do not r etry reloading. Contact T echnical Support EOS fallback is configu rable from the CLI or via SNMP . Refer to the following section to [...]

  • Seite 72

    Utilizing the Command Line Interface 2-36 Managing the XSR 5. Set the operation to imageSetSelected : set 1.1.1.1 .1.3.6.1.4.1.5624.1.2.16 .2.7.1.3.1 0100 6. Set the row to active : set 1.1.1.1 .1.3.6.1.4.1.5624.1.2.16 .2.7.1.11.1 1 7. Reboot the XSR to load the new image by configuring the follow ing: • Create a r ow: set 1.1.1.1 .1.3.6.1.4.1.56[...]

  • Seite 73

    Memory Management XSR User’s Guide 2-37 When the XSR boots up, the checksum of these file s is calcu lated and stored in volatile memory . From then on any time the content o f those files is changed the hash is r ecalculated and stor ed. Y ou can access the hash value in the etsysConfigMgmtPersistentStorageChSum SNMP object and compare it with p[...]

  • Seite 74

    Network Management through SNMP 2-38 Managing the XSR When the memory governor is asked to allow or deny a new r esource, the de cision is based on: • memory low watermark •e x t r e m e l i m i t Y ou can push the extreme limit of individual resources as long as the memory low watermark is not met. Once the low watermark is me t and you wish t[...]

  • Seite 75

    Network Management through SNMP XSR User’s Guide 2-39 SNMP Informs SNMP Informs were first intr oduced in SNMPv2. An Inform is essentially nothing mor e than an acknowledged trap . That is, when a remote application r eceives an Inform it sends back an “I got it” message. When you send an Inform you use the re mote engineID with the message a[...]

  • Seite 76

    Network Management through SNMP 2-40 Managing the XSR Alarm Management (T raps) The following events ar e supported by SNMP traps: snmpT rapColdStart, snmpT rapWarmStart, snmpT rapLinkDown, snmpT rapLinkUp, snmpT r apAuthFailure, entityT rapC onfigChange, frameRelayT rapfrDLCIStatusChange, ospfT rapIf StateChange, ospfT rapV irtIfStateChange, ospfT[...]

  • Page 77 (guide page 2-41, Network Management through SNMP)

    Latency (network delay) is measured with the formula D(i) = (Ri - Si), which is the round-trip interval between sending and receiving the ICMP packet triggered by the initiator and echoed back by the target. Jitter (network delay variation) is the value between packets i and j as figured by [...]
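    The following is an added example of the arithmetic behind these two measurements, not code from the guide. The latency formula D(i) = Ri - Si is the guide's; the page truncates its jitter definition, so the example uses the RFC 3550 form, D(i,j) = (Rj - Ri) - (Sj - Si) with the running estimate J = J + (|D| - J)/16, as an assumption about what the SLA agent computes. The timestamps and the SLA limits are constructed.

```python
from typing import Dict, List, Sequence

# Constructed probe timestamps in milliseconds: S(i) when the ICMP echo was
# sent, R(i) when the reply came back. Not measured data.
SAMPLE_SENT: List[float] = [0.0, 100.0, 200.0, 300.0]
SAMPLE_RECEIVED: List[float] = [20.0, 125.0, 218.0, 340.0]


def round_trip_delays(sent: Sequence[float], received: Sequence[float]) -> List[float]:
    """Latency per probe, the guide's D(i) = R(i) - S(i)."""
    if len(sent) != len(received):
        raise ValueError("one receive timestamp is needed per send timestamp")
    delays = []
    for s, r in zip(sent, received):
        if r < s:
            raise ValueError("reply timestamped before its request; the probe clock is inconsistent")
        delays.append(r - s)
    return delays


def delay_variation(sent: Sequence[float], received: Sequence[float], i: int, j: int) -> float:
    """Difference in transit delay between probes i and j,
    D(i,j) = (R(j) - R(i)) - (S(j) - S(i)). This is the RFC 3550 section 6.4.1
    form, assumed here because the guide's own definition is cut off."""
    return (received[j] - received[i]) - (sent[j] - sent[i])


def interarrival_jitter(sent: Sequence[float], received: Sequence[float]) -> float:
    """RFC 3550 running jitter estimate, J = J + (|D(i-1,i)| - J) / 16, over all probes."""
    jitter = 0.0
    for i in range(1, len(sent)):
        jitter += (abs(delay_variation(sent, received, i - 1, i)) - jitter) / 16.0
    return jitter


def summarize(sent: Sequence[float], received: Sequence[float]) -> Dict[str, float]:
    """The figures a history query would report for one measurement run."""
    delays = round_trip_delays(sent, received)
    return {
        "samples": float(len(delays)),
        "min": min(delays),
        "max": max(delays),
        "mean": sum(delays) / len(delays),
        "jitter": interarrival_jitter(sent, received),
    }


def breaches(summary: Dict[str, float], max_mean_ms: float, max_jitter_ms: float) -> List[str]:
    """Names of the (hypothetical) SLA limits a measurement exceeds."""
    exceeded = []
    if summary["mean"] > max_mean_ms:
        exceeded.append("latency")
    if summary["jitter"] > max_jitter_ms:
        exceeded.append("jitter")
    return exceeded
```

    With the constructed samples the per-probe delays are 20, 25, 18 and 40 ms; the jitter estimate stays small because each new variation only moves it by one sixteenth, which is why a single late reply does not trip a jitter threshold on its own.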

  • Page 78 (guide page 2-42, Network Management through SNMP / Managing the XSR)

    Via SNMP
    The following example creates a row in the aggregate measure table with owner userA. If the entry is created with owner monitor, replace 5.117.115.101.114.65 with 7.109.111.110.105.116.111.114.
    1. Create a row (etsysSrvcLvlAggrMeasureStatus): 1.3.6.1.4.1.5624.1.2.[...]

  • Page 79 (guide page 2-43, Network Management through SNMP)

    Query a Measurement
    Now that you have performed the previous actions, you can query the measurement result.
    Via CLI
    The following command displays rtr output:
    XSR#show rtr history
    Via SNMP
    1. Query the etsysSrvcLvlHistoryTable (1.3.6.1.4.1.5624.1.2.39.1.3.1).
    Using the SLA Agent in SN[...]
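    The SNMP procedures on pages 2-36 and 2-42 share two mechanics that are easy to get wrong by hand: the owner string is an SNMP table index encoded as its length followed by one sub-identifier per ASCII byte (5.117.115.101.114.65 is "userA"), and a conceptual row is created, filled in, and then switched to RowStatus active. The following is an added example that builds those values, not code from the guide or from Enterasys. The RowStatus numbers are the RFC 2579 values; the image-table status column is read off step 6 on page 2-36; the aggregate-measure status OID is truncated on the page, so only its prefix appears here and the use of createAndWait before the column sets is an assumption. Because writes to these tables select the boot image and start TFTP transfers, they should only be reachable with SNMPv3 authPriv credentials held by the management station.

```python
from typing import Dict, List, Tuple, Union

# RowStatus values from RFC 2579; the guide's "set the row to active ... 1" on
# page 2-36 uses active = 1.
ROW_STATUS: Dict[str, int] = {
    "active": 1, "notInService": 2, "notReady": 3,
    "createAndGo": 4, "createAndWait": 5, "destroy": 6,
}

# RowStatus column of the image table, taken from step 6 on page 2-36
# (".1.3.6.1.4.1.5624.1.2.16.2.7.1.11.1" is column .11 with row index 1).
IMAGE_ROW_STATUS_COLUMN = "1.3.6.1.4.1.5624.1.2.16.2.7.1.11"

# Page 2-42 truncates etsysSrvcLvlAggrMeasureStatus after this prefix;
# complete it from the Enterasys SLA MIB before use.
AGGR_MEASURE_STATUS_PREFIX = "1.3.6.1.4.1.5624.1.2"

SetValue = Union[int, str]


def encode_string_index(owner: str) -> str:
    """Variable-length string index: the length, then one sub-identifier per ASCII byte.
    'userA' -> '5.117.115.101.114.65', as shown on page 2-42."""
    data = owner.encode("ascii")        # non-ASCII owners raise UnicodeEncodeError
    return ".".join(str(n) for n in (len(data), *data))


def decode_string_index(suffix: str) -> str:
    """Inverse of encode_string_index, with the length prefix checked."""
    parts = [int(p) for p in suffix.split(".")]
    length, chars = parts[0], parts[1:]
    if len(chars) != length:
        raise ValueError("length prefix %d does not match %d sub-identifiers" % (length, len(chars)))
    if any(not 0 <= c <= 127 for c in chars):
        raise ValueError("index contains a non-ASCII sub-identifier")
    return bytes(chars).decode("ascii")


def instance_oid(column_oid: str, *index_parts: str) -> str:
    """Column OID followed by the already-encoded index components."""
    return ".".join((column_oid.lstrip("."), *index_parts))


def row_create_sets(status_column: str, index: str,
                    columns: List[Tuple[str, SetValue]]) -> List[Tuple[str, SetValue]]:
    """The ordered SNMP SETs that create one conceptual row the way pages 2-36
    and 2-42 do: createAndWait, fill in the columns, then activate.
    Each tuple is (instance OID, value) for one SET."""
    status_oid = instance_oid(status_column, index)
    sets: List[Tuple[str, SetValue]] = [(status_oid, ROW_STATUS["createAndWait"])]
    for column_oid, value in columns:
        sets.append((instance_oid(column_oid, index), value))
    sets.append((status_oid, ROW_STATUS["active"]))
    return sets


if __name__ == "__main__":
    print(encode_string_index("userA"), "->", decode_string_index("5.117.115.101.114.65"))
    for oid, value in row_create_sets(IMAGE_ROW_STATUS_COLUMN, "1",
                                      [("1.3.6.1.4.1.5624.1.2.16.2.7.1.3", "0100")]):
        print("set", oid, value)
```

    The owner index for the aggregate-measure row is instance_oid(AGGR_MEASURE_STATUS_PREFIX + "<rest of OID>", encode_string_index("userA")), with any further index components the MIB defines appended after the owner.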

  • Page 80 (guide page 2-44, Network Management through SNMP / Managing the XSR)

    Software Image Download using NetSight
    The NetSight Remote Administrator application can download an image to the XSR using TFTP. The software image download is initiated through NetSight using an SNMP set command, which triggers a TFTP download session initiated from the XSR.
    SNMP Downl[...]

  • Page 81 (guide page 2-45, Accessing the XSR Through the Web)

    1. Write a plain ASCII file containing the CLI commands you want entered. For example:
       interface FastEthernet2
       ip address 192.168.19.1 255.255.255.0
       no shutdown
    2. Save and move the file to the root directory of the TFTP server on your PC.
    3. Use SNMPv3 to create a row in the Configurat[...]

  • Page 82 (guide page 2-46, Network Management Tools / Managing the XSR)

    Using the CLI for Downloads
    TFTP can be used to transfer system firmware to the XSR remotely. A TFTP server must be running on the remote machine and the firmware image file must reside in the TFTP root directory of the server when using the copy tftp filename command. TFTP itself carries no authentication or integrity protection, so the server and the path to the XSR belong on a trusted management network.
    Using SNMP for Downloads
    Y[...]

  • Page 83 (guide page 3-1)

    Chapter 3: Managing LAN/WAN Interfaces
    Overview of LAN Interfaces
    The XSR supports two 10/100 Base-T FastEthernet ports on the XSR 1800 Series branch routers and three 10/100/1000 Base-T GigabitEthernet ports on the XSR 3000 Series regional routers. All ports are capable of running in half- and full-duplex modes, and are ANSI/IEEE [...]

  • Page 84 (guide page 3-2, Configuring the LAN / Managing LAN/WAN Interfaces)

    • Maximum Transmission Unit (MTU) - all frames less than or equal to 1518 bytes are accepted. MTU size is set using the ip mtu command.
    • Speed is enabled using the speed command with the following options:
      – 10 - 10 Mbps
      – 100 - 100 Mbps
      – 1000 - 1000 Mbps
      – Auto - Auto-negotiate[...]

  • Page 85 (guide page 3-3, Overview of WAN Interfaces)

    Overview of WAN Interfaces
    The XSR supports as many as six serial cards (in an XSR-3250), each of which can support four ports for a maximum of 24 serial ports. Each port is individually configurable regarding speed, media-type, and protocol. The Serial WAN interface performs the following fu[...]

  • Page 86 (guide page 3-4, Configuring the WAN / Managing LAN/WAN Interfaces)

    • Clocking speed - For Sync interfaces, an external clock must be provided. Acceptable clock values range from 2400 Hz to 10 MHz. For Async interfaces, the clock is internally generated and can be set to the following values using clock rate:
      – 2400 Kbps
      – 4800 Kbps
      – 7200 Kbps
      – 96[...]

  • Page 87 (guide page 3-5, Configuring the WAN)

    The following example configures the asynchronous serial interface on NIM 2, port 0 with the following non-default values: PPP encapsulation, RS422 cabling, 57600 bps clock rate, MTU size of 1200 bytes, no parity, 7 databits and 2 stopbits. It also assigns the local IP address 192.168.1.1 to the inte[...]

  • Page 88 (guide page 3-6, Configuring the WAN / Managing LAN/WAN Interfaces)

    [...]

  • Page 89 (guide page 4-1)

    Chapter 4: Configuring T1/E1 & T3/E3 Interfaces
    Overview
    The XSR provides Frame Relay and PPP service via T1/E1 and T3/E3 functionality as well as Drop and Insert features.
    T1/E1 Functionality
    The XSR provides a T1/E1 subsystem on a single NIM-based I/O card with a maximum of two installed NIMs. Depending on the card type and[...]

  • Page 90 (guide page 4-2, Features / Configuring T1/E1 & T3/E3 Interfaces)

    • Support for local and remote loopback
    • Support for an IP interface as a loopback (refer to the CLI Reference Guide for an example)
    • Timing - line and internal
    • Framing - T1: SF, ESF; E1: CRC4, NO-CRC4
    • Line encoding - T1: AMI, B8ZS; E1: AMI, HDB3
    • Data inversion
    • Loop[...]

  • Page 91 (guide page 4-3, Features)

    • Line rate - 34.368 Mbps
    • Full rate - 34.0995 Mbps (G751)
    • Sub-rate - approximately 3 Mbps increments up to 33 Mbps
    • Compatible DSUs supported
      – Cisco or Quick Eagle (formerly Digital Link) DL3100 E3-300-33.920 Kbps
      – ADC Kentrox T3/E3 IDSU
    • Scrambling - Cisco mode only
    • Performance Monitori[...]

  • Page 92 (guide page 4-4, Features / Configuring T1/E1 & T3/E3 Interfaces)

    • Clear Channel service is similar to the full rate service except that the data stream rate is slightly higher because the framing overhead bits are also used to deliver data.
      – T3 - Not Available
      – E3 - 34.368 Mbps payload
    T1 Drop & Insert One-to-One DS0 Bypassing
    The XSR's 2-[...]

  • Page 93 (guide page 4-5, Configuring Channelized T1/E1 Interfaces)

    • The D&I NIM supports different framing and line coding on the CO T1 and PBX T1 ports (ESF versus D4, B8ZS versus AMI), but if the ports are not identically configured, the bypass relays will not restore the voice link in th[...]

  • Page 94 (guide page 4-6, Configuring Un-channelized T3/E3 Interfaces / Configuring T1/E1 & T3/E3 Interfaces)

    9. Add any additional configuration commands required to enable IP- or PPP-related protocols.
    10. Use the no shutdown and exit commands to enable the interface and return to configuration mode.
    Repeat the previous steps to configure more channel groups[...]

  • Page 95 (guide page 4-7, Troubleshooting T1/E1 & T3/E3 Links)

    Troubleshooting T1/E1 & T3/E3 Links
    This section describes general procedures for troubleshooting T1/E1 lines on the XSR. The following flow diagram shows basic steps to perform.
    Figure 4-2 General T1/E1 & T3/E3 Troubleshooting Flowchart
    As shown in Figure 4-2, three tr[...]

  • Page 96 (guide page 4-8, Troubleshooting T1/E1 & T3/E3 Links / Configuring T1/E1 & T3/E3 Interfaces)

    Figure 4-3 T1/E1 & T3/E3 Physical Layer (Layer 1) Troubleshooting Flowchart
    The show controller command displays current controller parameters, status and statistics data. Most controller errors are caused by incorrectly configured lines including line [...]

  • Page 97 (guide page 4-9, Troubleshooting T1/E1 & T3/E3 Links)

    2. Restart the controller:
       XSR(config-controller<T1/0>)#no shutdown
    If the T1/E1 or T3/E3 controller and line are not up, check that either the T3/E3 NIM LOS or LOF LEDs are shining or one of the following messages displays in the show controller output:
    • Receiver has loss[...]

  • Page 98 (guide page 4-10, Troubleshooting T1/E1 & T3/E3 Links / Configuring T1/E1 & T3/E3 Interfaces)

    Receive Remote Alarm Indication (RAI - Yellow Alarm)
    1. Insert an external loopback cable into the T1/E1 or T3/E3 port.
    2. Use the show controller command to check for alarms. To identify the type of the alarm, analyze the log report of the XSR. If alarms a[...]

  • Page 99 (guide page 4-11, Troubleshooting T1/E1 & T3/E3 Links)

    Figure 4-5 T1/E1 & T3/E3 Alarm Analysis Troubleshooting Actions Flow (Part 2)
    T1/E1 & T3/E3 Error Events Analysis
    This section describes various error events that can occur on controller lines and provides troubleshooting information to fix some of these errors. The show c[...]

  • Page 100 (guide page 4-12, Troubleshooting T1/E1 & T3/E3 Links / Configuring T1/E1 & T3/E3 Interfaces)

    Figure 4-6 T1/E1 & T3/E3 Error Events Analysis Troubleshooting Flowchart
    Slip Seconds Counter Increasing
    If slip seconds are present on the T1/E1 or T3/E3 line, usually there is a clocking problem. Complete the following steps to correct this problem:[...]

  • Page 101 (guide page 4-13, Troubleshooting T1/E1 & T3/E3 Links)

    Framing Loss Seconds Increasing
    If framing loss seconds are present on the T1/E1 line, usually there is a framing problem. Perform the following steps to correct this problem:
    1. Ensure the framing format configured on the controller port matches the framing format of the line.
    2.[...]

  • Page 102 (guide page 4-14, Troubleshooting T1/E1 & T3/E3 Links / Configuring T1/E1 & T3/E3 Interfaces)

    [...]

  • Page 103 (guide page 5-1)

    Chapter 5: Configuring IP
    Overview
    This document describes the XSR's IP protocol suite functionality including:
    • General IP features (ARP, ICMP, TCP, UDP, TFTP, Telnet, SSH, NAT, VRRP, Proxy DNS, et al.)
    • IP routing (RIP, OSPF, static routing, triggered-on-demand RIP updates)
    • VLAN routing
    • A[...]

  • Page 104 (guide page 5-2, General IP Features / Configuring IP)

    • The Router ID can be configured with the ip router-id command or, if not configured, automatically generated from the existing configuration. Alternately, the Router ID is automatically generated as the highest non-zero IP address among all loopback interfaces or, if no loopback interface is conf[...]

  • Page 105 (guide page 5-3, General IP Features)

    • Troubleshooting Tools
      – Ping
      – Traceroute
    • IP Routing
      – RIP
      – Triggered-on-Demand RIP updates
      – OSPF including Database Overflow (RFC-1765) and Passive Interfaces
      – OSPF debugging
      – Static routes
      – Default network
      – CIDR (IP classless)
      [...]

  • Page 106 (guide page 5-4, General IP Features / Configuring IP)

    • Virtual Router Redundancy Protocol (VRRP): RFC-2338 and Definitions of Managed Objects for the Virtual Router Redundancy Protocol: RFC-2787
    • Equal-Cost Multi-Path (ECMP) per packet and per flow (round robin) for OSPF, BGP and static routes (RIP excluded)
      – Unequal cost multi-path, redistributio[...]

  • Page 107 (guide page 5-5, General IP Features)

    When a BOOTP/DHCP response is received, the packet is sent to the requester as a unicast IP packet, according to RFC-951, with clarifications in RFC-1532. The source addresses of the relayed BOOTP/DHCP packets can be selected using the ip dhcp relay-source gateway command. By default, the IP stack selects t[...]

  • Page 108 (guide page 5-6, General IP Features / Configuring IP)

    [...] does not actually examine or store full routing tables sent by routing devices, it merely keeps track of which systems are sending such data. Using IRDP, the XSR can specify both a priority and the time after which a device should be assumed down if no further packets are received. The XSR enables rout[...]

  • Page 109 (guide page 5-7, General IP Features)

    [...] hostkey.dat file unless none have been generated or the content of the file is corrupted, in which case default keys are used to secure the connection. A default key was not generated on this router and so cannot uniquely identify it to a client; generate a host key and verify its fingerprint on the first connection. A number of SSH clients are commercially available. Enterasys recommends the PuTTY client freeware as compatible and easy to configure. For step-by-[...]

  • Page 110 (guide page 5-8, General IP Features / Configuring IP)

    An XSR interface can support one primary IP address and multiple secondary IP addresses. Including all XSR interfaces, the total of supported secondary IP addresses allowed depends on the amount of the installed memory, although at present ten secondary IP addresses are supported despite the memory siz[...]

  • Page 111 (guide page 5-9, General IP Features)

    Routing Table Manager & Secondary IP
    If the interface is up, each primary and secondary IP address will have an entry in the routing table as a directly connected route. If the interface is rejected or the IP addresses configured on it are removed, the Routing Table Manager (RTM) will dele[...]

  • Page 112 (guide page 5-10, IP Routing Protocols / Configuring IP)

    VRRP & Secondary IP
    Multiple virtual IP addresses per Virtual Router (VR) are available to support multiple logical IP subnets on a single LAN segment. Secondary IP interacts with the XSR's implementation of the Virtual Router Redundancy Protocol (VRRP) as follows:
    • The primary physical IP addre[...]

  • Page 113 (guide page 5-11, IP Routing Protocols)

    • Static routes
    • Route redistribution
    • Default network
    • CIDR (classless IP)
    • Configurable Router ID
    • Route Preference
    When you run multiple routing protocols, the XSR assigns a weight to each of them. For more information, refer to "Route Preference" on[...]

  • Page 114 (guide page 5-12, IP Routing Protocols / Configuring IP)

    • Offset metric parameters - route metrics via RIP. Adding an offset to an interface might force a route through that interface to become a backup route
    • Route filtering, in association with access lists, is enabled by the distribute-list command
    • RIP timers can be set for update, invalid and [...]

  • Page 115 (guide page 5-13, IP Routing Protocols)

    • The latest changes are sent when:
      – The routing database is modified by new data. The latest changes are sent through all interfaces running triggered-on-demand RIP.
    RFC-2091 also specifies how packet types are handled in the following manner:
    • An update request is defined as a request to a[...]

  • Page 116 (guide page 5-14, IP Routing Protocols / Configuring IP)

    • Dial-on-demand connections.
    Retransmissions are governed by the following conditions, among others:
    • The retransmission timer is a periodic timer set to 5 seconds.
    • A limit in the number of retransmissions will be set, after which the routes learned through the specified circuit are marked as [...]

  • Page 117 (guide page 5-15, IP Routing Protocols)

    • Incremental SPF is always enabled. SPF calculation can be changed with timers spf
    • Hello wait intervals with ip ospf dead-interval and ip ospf hello-interval as well as the poll timer to set up adjacencies as quickly as possible with ip ospf poll-timer
    • Retransmission and link-state update in[...]

  • Page 118 (guide page 5-16, IP Routing Protocols / Configuring IP)

    Each LSA type configurable for database overflow can generate a log to reflect pending overflow, overflow entered and exited logs in this format:
      – Date and time stamp
      – Router ID (IP address)
      – Module (OSPF)
      – Log Description
      – LSA Type
      – Current LSA count
    The following[...]

  • Page 119 (guide page 5-17, IP Routing Protocols)

    OSPF Troubleshooting
    XSR commands provide debugging of OSPF Version 2 control information including:
    • Monitoring specific OSPF events from the CLI with show ip ospf (with debugging enabled)
    • Control Packets with debug ip ospf packet
    • LSA transmissions/receptions with debug ip ospf lsas
    •[...]

  • Page 120 (guide page 5-18, IP Routing Protocols / Configuring IP)

      – Static routes: 1
      – BGP external routes: 20
      – OSPF intra-area routes: 108
      – OSPF inter-area routes: 110
      – OSPF external routes: 112
      – RIP routes: 120
      – BGP internal routes: 200
      – Values between 241 and 255 are reserved for internal use
    • The s[...]

  • Page 121 (guide page 5-19, IP Routing Protocols)

    Figure 5-1 802.1Q VLAN Tag
    The reserved Tag Type denotes the associated Ethernet frame type of the VLAN Tag while the remaining 16 tag bits comprise this control data:
    • a 3-bit value indicating the user priority of the Ethernet frame for QoS purposes
    • a 1-bit Canonical Format Indicator (CFI) d[...]

  • Page 122 (guide page 5-20, IP Routing Protocols / Configuring IP)

    Figure 5-3 Topology of Ethernet/PPPoE/VLAN/PPPoE over VLAN
    VLAN Processing Over the XSR's Ethernet Interfaces
    The VLAN routing process, shown in Figure 5-4, works as follows on the XSR. The following steps are reflected in the graphic below.
    Figure 5-4 XSR's VLAN Processing
    1. When a VLAN-tagge[...]

  • Page 123 (guide page 5-21, IP Routing Protocols)

    Figure 5-5 VLAN Ethernet to Fast/GigabitEthernet Topology
    VLAN Processing: VLAN-enabled Ethernet to WAN Interfaces
    In this scenario, shown in Figure 5-6, the XSR does not insert a VLAN tag in Ethernet frames because no VLAN is linked with the outgoing port (Serial 1).
    Figure 5-6 VLAN Ethernet to WAN[...]
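    The following is an added example covering the tag layout of Figure 5-1 (page 5-19) and the strip-route-reinsert step of pages 5-20 and 5-21; it is not code from the guide. It parses and builds 802.1Q frames with the field widths the page gives (16-bit Tag Type 0x8100, 3-bit priority, 1-bit CFI, 12-bit VLAN ID) and models the forwarding decision where the egress tag depends on whether the outgoing port is linked to a VLAN. The MAC addresses are constructed, and carrying the priority bits from the ingress tag to the egress tag is an assumption, not something the page states.

```python
import struct
from typing import Any, Dict, Optional

TPID_8021Q = 0x8100        # the reserved Tag Type of Figure 5-1
ETHERTYPE_IPV4 = 0x0800

# Constructed addresses for the sample frames (not from the guide).
HOST_MAC = bytes.fromhex("66778899aabb")
ROUTER_MAC = bytes.fromhex("001122334455")
NEXT_HOP_MAC = bytes.fromhex("ccddeeff0011")


def parse_frame(frame: bytes) -> Dict[str, Any]:
    """Split an Ethernet frame into addresses, the optional 802.1Q tag, EtherType and payload."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    tag: Optional[Dict[str, int]] = None
    offset = 14
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("802.1Q tag truncated")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        # the 16 control bits: 3-bit priority, 1-bit CFI, 12-bit VLAN ID
        tag = {"pcp": tci >> 13, "cfi": (tci >> 12) & 1, "vid": tci & 0x0FFF}
        offset = 18
    return {"dst": dst, "src": src, "tag": tag, "ethertype": ethertype, "payload": frame[offset:]}


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes,
                vid: Optional[int] = None, pcp: int = 0, cfi: int = 0) -> bytes:
    """Build an untagged frame (vid=None) or a tagged one; values the fields cannot hold are rejected."""
    if len(dst) != 6 or len(src) != 6:
        raise ValueError("MAC addresses are 6 bytes")
    header = dst + src
    if vid is not None:
        if not 0 <= vid <= 4094:       # 4095 is reserved; 0 means priority-tagged with no VLAN
            raise ValueError("VLAN ID out of range")
        if not 0 <= pcp <= 7 or cfi not in (0, 1):
            raise ValueError("priority is 3 bits and CFI is 1 bit")
        header += struct.pack("!HH", TPID_8021Q, (pcp << 13) | (cfi << 12) | vid)
    return header + struct.pack("!H", ethertype) + payload


def route_frame(frame: bytes, egress_vid: Optional[int], egress_src: bytes, next_hop: bytes) -> bytes:
    """The forwarding step of pages 5-20 and 5-21: the ingress tag is removed, the MAC
    addresses are rewritten for the next hop, and a tag is inserted only when the outgoing
    port is linked to a VLAN (egress_vid=None is the untagged WAN case of Figure 5-6).
    Keeping the ingress priority on the egress tag is an assumption."""
    parsed = parse_frame(frame)
    pcp = parsed["tag"]["pcp"] if parsed["tag"] else 0
    return build_frame(next_hop, egress_src, parsed["ethertype"], parsed["payload"],
                       vid=egress_vid, pcp=pcp)
```

    parse_frame reads only the outermost tag; a frame carrying a second 0x8100 tag shows up with the inner tag still at the front of the payload, which is the case to check for when a port is meant to accept exactly one VLAN.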

  • Page 124 (guide page 5-22, IP Routing Protocols / Configuring IP)

    Figure 5-7 WAN Interface to VLAN Ethernet Topology
    For sample configurations, refer to "Configuring VLAN Examples" on page 5-46.
    QoS with VLAN
    The XSR's support for Quality of Service (QoS) with VLAN is described in the chapter "Configuring Quality of Service" on page 12-1.
    Policy Based Routing [...]

  • Page 125 (guide page 5-23, IP Routing Protocols)

    2. When a policy entry is found for a packet, the table search ends and the packet is processed according to that entry.
    3. Each entry has a group of match and set clauses. All match clauses must match in order to process the packet according to the entry. When a match is found, one of the set c[...]

  • Page 126 (guide page 5-24, IP Routing Protocols / Configuring IP)

    Default Network
    The default network is used to specify candidates for the default route when a default route is not specified or learned. If the network specified by the ip default-network command appears in the routing table from any source (dynamic or static), it is flagged as a candidate default r[...]

  • Page 127 (guide page 5-25, IP Routing Protocols)

    Leaving the Router ID unconfigured or allowing it to be assigned by default to a physical IP interface can be risky because physical interfaces are impermanent and their IP addresses can be re-configured. A change in an IP address or the state of a physical interface that has been selected as the Route[...]

  • Page 128 (guide page 5-26, IP Routing Protocols / Configuring IP)

    RTP_compression TX reached maximum allowed connections
    RTP compression received un-expected 8 bit CID
    RTP compression received un-expected 16 bit CID
    Received CID (mmm) exceeds the negotiated max CID nnn.
    Network Address Translation
    Network Address Translation (NAT) maps IP addresses from one addr[...]

  • Page 129 (guide page 5-27, IP Routing Protocols)

    • Application Level Gateway (ALG) for FTP, ICMP, Netbios over TCP and UDP
      – PPTP/GRE ALG for NAPT - allows PPTP traffic to be NATted
    • Multiple ISP - NAPT based on the egress interface.
    • With NAPT, routing is not automatically filtered out. Use distribution lists to ensure global net[...]

  • Page 130 (guide page 5-28, IP Routing Protocols / Configuring IP)

    Figure 5-8 Simple VRRP Topology
    Because the VR uses the IP address of the physical Ethernet interface of XSR1, XSR1 becomes the master VR, also known as the IP address owner. XSR1, as the master VR, assumes the IP address of the VR and is responsible for forwarding packets sent to this IP address.[...]

  • Page 131 (guide page 5-29, IP Routing Protocols)

    • Virtual Router - An abstract object managed by VRRP that acts as a default router for hosts on a shared LAN. It consists of a VR Identifier and a set of associated IP address(es) across a common LAN. A VRRP router may back up one or more VRs.
    • IP Address Owner - The VRRP router that has the [...]

  • Page 132 (guide page 5-30, IP Routing Protocols / Configuring IP)

    • Broadcasts a gratuitous ARP message carrying the VR's MAC address for each IP address associated with the VR,
    • Starts the advertisement timer,
    • And transitions to the master state.
    • If an advertisement is received that has a higher priority, or a higher IP address (if the priority [...]

  • Page 133 (guide page 5-31, IP Routing Protocols)

    Load Balancing
    The XSR provides load balancing according to the following rules:
    • Load balancing depends on how your network is designed.
    • Load balancing is supported by separate physical VRRP routers and not supported on the same physical router which has two LAN ports on the same LAN segment wi[...]

  • Page 134 (guide page 5-32, IP Routing Protocols / Configuring IP)

    • Master VR - all traffic, including locally generated or forwarding traffic, uses one of the virtual MAC addresses as the source MAC address except VRRP protocol packets, which use the corresponding virtual MAC address as the source MAC address. For example, if four VRs occupy one interface, two ar[...]

  • Page 135 (guide page 5-33, IP Routing Protocols)

    When the actual IP address owner of the Virtual IP address releases the master state of the VR, it will no longer be able to receive any IP packet destined for that address even though the actual interface is still up. This may cause routing packets to not reach this interface and cause this interf[...]
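    The master election described on pages 5-28 to 5-30 (owner wins outright, otherwise the highest priority, ties broken by the higher primary IP) is easy to reason about for two routers and harder once interface tracking and preempt settings are involved. The following is an added example that models those decisions, not code from the guide or from Enterasys. The owner priority 255 and the priority-0 release advertisement are RFC 2338 values; the router IP addresses are constructed, the priority 200 matches the page 5-46 example, and the amount that "vrrp 5 track serial 2/0" subtracts from the priority is an assumption because the page does not show it.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Tuple

OWNER_PRIORITY = 255       # RFC 2338: the IP address owner always runs at 255
RELEASE_PRIORITY = 0       # a master advertises priority 0 to hand the VR over


@dataclass
class VrrpRouter:
    name: str
    ip: str                       # primary IP on the shared LAN interface
    priority: int = 100           # 1..254 for backups
    owner: bool = False           # True when the VR's IP is this interface's own address
    preempt: bool = True          # "vrrp N preempt"
    tracked_up: bool = True       # state of the "vrrp N track" interface
    track_decrement: int = 10     # assumption; the guide shows the command but not the amount

    def effective_priority(self) -> int:
        """Priority as advertised: 255 for the owner, otherwise the configured value
        reduced when the tracked interface is down, never below 1."""
        if self.owner:
            return OWNER_PRIORITY
        if not 1 <= self.priority <= 254:
            raise ValueError("backup priority must be 1..254")
        p = self.priority if self.tracked_up else self.priority - self.track_decrement
        return max(1, p)


def election_key(priority: int, ip: str) -> Tuple[int, int]:
    """Higher priority wins; on a tie the higher primary IP address wins (page 5-30)."""
    return (priority, int(IPv4Address(ip)))


def elect_master(routers: List[VrrpRouter]) -> str:
    """Name of the router that wins an election among all candidates for one VR."""
    return max(routers, key=lambda r: election_key(r.effective_priority(), r.ip)).name


def master_yields(master: VrrpRouter, adv_priority: int, adv_ip: str) -> bool:
    """A master hears another router's advertisement: it steps down only if the
    sender outranks it. The owner never yields; a priority-0 advertisement is a
    release, not a claim."""
    if master.owner or adv_priority == RELEASE_PRIORITY:
        return False
    return election_key(adv_priority, adv_ip) > election_key(master.effective_priority(), master.ip)


def backup_takes_over(backup: VrrpRouter, adv_priority: int, adv_ip: str) -> bool:
    """A backup hears the master's advertisement: a release (priority 0) always
    starts a takeover; otherwise the backup preempts only if configured to (or
    it is the owner) and it would win the election."""
    if adv_priority == RELEASE_PRIORITY:
        return True
    if not (backup.preempt or backup.owner):
        return False
    return election_key(backup.effective_priority(), backup.ip) > election_key(adv_priority, adv_ip)
```

    The track decrement is what turns a WAN failure into a LAN failover: XSRb keeps the VR only while 200 minus the decrement still beats the other router, so the decrement has to be chosen against the peer's priority, not in isolation.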

  • Page 136 (guide page 5-34, IP Routing Protocols / Configuring IP)

    Equal-Cost Multi-Path (ECMP)
    Equal-Cost Multi-Path (ECMP) is a technique to forward packets along multiple paths of equal cost, aggregating multiple physical links into one virtual link to effectively increase the total bandwidth of a connection. Internally, the XSR decides which next hop to use in the e[...]

  • Page 137 (guide page 5-35, Configuring RIP Examples)

    Figure 5-10 ECMP VPN Load Balancing Topology
    Configuring RIP Examples
    The following example enables RIP on both FastEthernet interfaces and a serial link of the XSR. The FastEthernet 2 interface is configured to be totally passive (updates not sent or received). The serial interface uses split h[...]

  • Page 138 (guide page 5-36, Configuring RIP Examples / Configuring IP)

    XSR(config-if<F1>)#ip address 192.168.1.100 255.255.255.0
    XSR(config-if<F1>)#ip access-group 1 in
    XSR(config-if<F1>)#ip access-group 1 out
    XSR(config)#interface serial 1/0
    XSR(config-if<S1/0>)#no shutdown
    XSR(config-if<S1/0>)#media-type V35
    XSR(config-if<S1/0>)#encaps[...]

  • Page 139 (guide page 5-37, Configuring Unnumbered IP Serial Interface Example)

    Configuring Unnumbered IP Serial Interface Example
    The following example configures an X.21-type serial interface 1/0 as an unnumbered serial interface. Serial 1/0 is directed to use the IP address of FastEthernet port 1.
    XSR(config)#interface fastethernet 1
    XSR(config-i[...]

  • Page 140 (guide page 5-38, Configuring NAT Examples / Configuring IP)

    Configuring NAT Examples
    Basic One-to-One Static NAT
    The following example illustrates inside source address translation on the XSR, as shown in Figure 5-11 below.
    Figure 5-11 NAT Inside Source Translation
    1. The user at 10.1.1.1 opens a connection to host 172.20.2.1.
    2. The first packet the X[...]

  • Page 141 (guide page 5-39, Configuring NAT Examples)

    Dynamic Pool Configuration
    The following example illustrates dynamic pool translation on the XSR, as shown in Figure 5-12.
    Figure 5-12 Dynamic Pool Translation
    Configuring Dynamic Pool Translation
    Dynamic pool translation, as shown in Figure 5-12, is performed through the following process: [...]

  • Page 142 (guide page 5-40, Configuring NAT Examples / Configuring IP)

    3. Optional. Add an ACL to permit NAT traffic from the 10.1.1.0 network. All other traffic is implicitly denied.
       XSR(config)#access-list 57 permit 10.1.1.0 0.0.0.255
    4. Optional. Reset the default NAT timeout interval to 5 minutes:
       XSR(config)#ip nat translation timeout timeout 300
    5. Enabl[...]

  • Page 143 (guide page 5-41, Configuring NAT Examples)

    3. Host 172.20.2.1 receives the packet and responds to address 200.2.2.1.
    4. When the XSR receives the packet, it searches the NAPT table, using the protocol, global address and port, and translates the address to the inside local address 10.1.1.1 and destination port 1789, then forwards it [...]

  • Page 144 (guide page 5-42, Configuring NAT Examples / Configuring IP)

    2. The first packet the XSR receives from 10.1.1.1 is checked against its ACLs. ACL 101 matches and pool NatPool is used. A check is made for an existing mapping; if one is found it is used, otherwise a new one is created. The global address is 200.2.2.1.
    3. Packets are marked as originating from 200.2.2.1 to[...]

  • Page 145 (guide page 5-43, Configuring NAT Examples)

    Figure 5-15 Static NAT within Interface
    As shown in Figure 5-15, packets from the PC at 10.1.1.1 are statically NATted to the PC at 203.2.2.1 but through neither of the pools. This occurs because static NAT takes precedence over other NAT forms. Also, this static NAT would be used only when [...]

  • Page 146 (guide page 5-44, Configuring Policy Based Routing Example / Configuring IP)

    + The above optional NAPT commands use ACL 101 for the 200.2.2.0 network and ACL 102 for the 201.2.2.0 network
    XSR(config-if<F2>)#ip nat source intf-static 10.1.1.1 203.2.2.1
    + The above optional command statically NATs packets from 10.1.1.1 to 203.2.2.1
    NAT Port Forwarding
    Th[...]
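    The NAT walk-throughs on pages 5-38 to 5-44 describe one state machine from several angles: an ACL decides what is eligible, a static entry wins over any pool, an outbound packet either reuses or creates a (protocol, global address, port) mapping, and an inbound packet is translated by looking that triple up, so an inbound packet with no mapping has nowhere to go and is dropped. The following is an added example that models that table, not code from the guide or from Enterasys. It uses the page's addresses (10.1.1.1:1789 behind 200.2.2.1, the static 10.1.1.1 to 203.2.2.1 entry, the 300-second timeout); the single-address pool, the port allocation starting at 1024 and the exact CLI the model corresponds to are assumptions.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Key = Tuple[str, str, int]       # (protocol, inside global address, inside global port)
Entry = Tuple[str, int, float]   # (inside local address, inside local port, last use)


@dataclass
class Napt:
    """Model of the XSR's inside-source NAPT behaviour on pages 5-38 to 5-44."""
    pool: List[str]                          # inside global addresses of the pool
    permitted: List[str]                     # ACL-style networks allowed to be translated
    static: Dict[str, str] = field(default_factory=dict)   # inside local -> inside global
    timeout: float = 300.0                   # "ip nat translation timeout ... 300" on page 5-40
    first_port: int = 1024                   # assumption: where dynamic port allocation starts
    table: Dict[Key, Entry] = field(default_factory=dict)

    def _permitted(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return any(addr in ipaddress.ip_network(net) for net in self.permitted)

    def _expire(self, now: float) -> None:
        """Drop mappings idle for longer than the translation timeout."""
        for key in [k for k, (_, _, last) in self.table.items() if now - last > self.timeout]:
            del self.table[key]

    def _allocate_port(self, proto: str, gip: str) -> int:
        for port in range(self.first_port, 65536):
            if (proto, gip, port) not in self.table:
                return port
        raise RuntimeError("NAPT port space for %s/%s exhausted" % (gip, proto))

    def outbound(self, proto: str, src_ip: str, src_port: int, now: float) -> Optional[Tuple[str, int]]:
        """Translate an inside-to-outside packet's source; None means the packet is not
        translated because no ACL permits it (the implicit deny on page 5-40)."""
        if src_ip in self.static:            # static NAT takes precedence over the pools (page 5-43)
            return self.static[src_ip], src_port
        if not self._permitted(src_ip):
            return None
        self._expire(now)
        for (p, gip, gport), (lip, lport, _) in self.table.items():
            if p == proto and (lip, lport) == (src_ip, src_port):   # existing mapping is reused
                self.table[(p, gip, gport)] = (lip, lport, now)
                return gip, gport
        gip = self.pool[0]                   # assumption: one-address pool, as in the page's example
        gport = self._allocate_port(proto, gip)
        self.table[(proto, gip, gport)] = (src_ip, src_port, now)
        return gip, gport

    def inbound(self, proto: str, dst_ip: str, dst_port: int, now: float) -> Optional[Tuple[str, int]]:
        """Translate an outside-to-inside packet's destination by protocol, global address
        and port (page 5-41). No mapping means the packet is dropped: NAPT admits no
        unsolicited inbound connection."""
        for lip, gip in self.static.items():
            if gip == dst_ip:
                return lip, dst_port
        self._expire(now)
        entry = self.table.get((proto, dst_ip, dst_port))
        if entry is None:
            return None
        lip, lport, _ = entry
        self.table[(proto, dst_ip, dst_port)] = (lip, lport, now)
        return lip, lport
```

    The static entry is the part to review when auditing such a configuration: unlike a dynamic mapping it also answers inbound lookups for every port, so 203.2.2.1 exposes 10.1.1.1 completely, not just the flows it opened.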

  • Page 147 (guide page 5-45, Configuring VRRP Example)

    XSR(config-if<G1>)#ip policy
    These commands create the PBR, map it to ACL 101, and set the forwarding router as 192.168.5.2:
    XSR(config)#route-map pbr 101
    XSR(config-pbr-map)#match ip address 101
    XSR(config-pbr-map)#set ip next-hop 192.168.5.2
    Configuring VRRP Example
    The following example co[...]

  • Page 148 (guide page 5-46, Configuring VLAN Examples / Configuring IP)

    XSRb(config-if<F1>)#vrrp 5 priority 200
    XSRb(config-if<F1>)#vrrp 5 adver-int 30
    XSRb(config-if<F1>)#vrrp 5 ip 10.10.10.50
    XSRb(config-if<F1>)#vrrp 5 preempt delay 2
    XSRb(config-if<F1>)#vrrp 5 track serial 2/0
    XSRb(config-if<F1>)#vrrp 100 ip 10.10.10.100
    XSRb(confi[...]

  • Page 149 (guide page 6-1)

    Chapter 6: Configuring the Border Gateway Protocol
    Features
    The XSR supports the following Border Gateway Protocol (BGP-4) features:
    • Full mandatory BGP v4 protocol support (RFC-1771)
    • Support for all BGP v4 MIB tables defined in RFC-1657 including BGP SNMP traps
    • Protection of BGP Sessions: TCP MD5 Signature Option (RFC[...]

  • Page 150 (guide page 6-2, Overview / Configuring the Border Gateway Protocol)

    Figure 6-1 Differentiating EBGP from IBGP
    BGP can be categorized as a path vector routing protocol which defines a route as a pairing between a destination and the qualities of the path to that destination. The main role of a BGP-speaking node is to trade network reachability data with adjac[...]

  • Page 151 (guide page 6-3, Overview)

    • Hold time: Number of seconds that the sender proposes for the value of the Hold Timer. The hold time defines the interval that can elapse without the receipt of an Update or KeepAlive message before the peer is assumed to be disabled.
    • BGP identifier: IP address of the BGP node (Router ID).
    • Param[...]

  • Page 152 (guide page 6-4, Overview / Configuring the Border Gateway Protocol)

    AS Path
    The AS_PATH attribute, as shown in Figure 6-2, is the sequence of AS numbers a route has traversed to reach a destination. The AS that originates the route adds its own AS number when sending the route to its EBGP peers. Subsequently, each AS that receives the route and passes i[...]

  • Page 153 (guide page 6-5, Overview)

    BGP considers the ORIGIN attribute in its decision-making process to set a preference ranking among multiple routes. Namely, BGP prefers the path with the lowest origin type, where IGP is lower than EGP, and EGP is lower than INCOMPLETE. The attribute is configured with the set origin command.
    Next Hop
    The [...]

  • Page 154 (guide page 6-6, Overview / Configuring the Border Gateway Protocol)

    Figure 6-3 Local Preference Applied to Direct Egress Traffic from AS.[...]

  • Page 155 (guide page 6-7, Overview)

    Weight
    Weight, as shown in Figure 6-4, and LOCAL_PREF attributes are similar except that weight is not exchanged between routers. It is significant only locally. Higher preference is accorded the route with a higher weight. Weight can be used to influence routes coming from different providers to the sam[...]

  • Page 156 (guide page 6-8, Overview / Configuring the Border Gateway Protocol)

    Aggregator
    The AGGREGATOR attribute, as shown in Figure 6-5, is added by the BGP speaker that formed the aggregate route. It includes the AS and router ID of the BGP speaker that originated the aggregate prefix. It is commonly used for debugging purposes.
    Figure 6-5 Aggregate and Aggrega[...]

  • Page 157 (guide page 6-9, Overview)

    Figure 6-6 MED Applied to Direct Ingress Traffic Flow to an AS
    Community
    A BGP community, as shown in Figure 6-7, is defined as a group of destinations that share some common property and is not limited to one network or AS. Communities simplify routing policies by identifying routes based on a logical property[...]

  • Page 158 (guide page 6-10, Overview / Configuring the Border Gateway Protocol)

    [...] learn, advertise, or redistribute routes. When routes are aggregated, the resulting aggregate has a COMMUNITIES attribute that contains all communities from all the initial routes. Community lists form groups of communities for use in a route map's match clause. Similar to ACLs, you can[...]

  • Page 159 (guide page 6-11, Overview)

    BGP Path Selection Process
    BGP routers usually consider multiple paths to a destination. The BGP best path selection process decides the optimal path to install in the IP routing table and use for forwarding traffic. Only routes that are synchronized, are free of AS loops and have a valid next-hop are considered [...]

  • Page 160 (guide page 6-12, Overview / Configuring the Border Gateway Protocol)

    Access Control Lists
    Access Control Lists (ACLs) are filters which permit or deny access to one or more IP addresses. ACLs generally apply to both route updates and packet filtering but with BGP, route update filtering is emphasized. Prefix-based ACLs control access by specifying which IP [...]

  • Page 161 (guide page 6-13, Overview)

    • Set community attributes for a specific route with set community
    • Set the origin for a specific route with set origin
    • Set the MED of a specific route with set metric
    • Set the local preference for a specific route with set local-preference
    • Set the AS-Path list for a specific route with set as-pa[...]

  • Page 162 (guide page 6-14, Overview / Configuring the Border Gateway Protocol)

    • Display all routes with any AS path:
      – show ip bgp ".*"
    • Display all routes having at least two AS numbers in the AS path:
      – show ip bgp ". . +"
    • Display all routes that traversed AS number 600:
      – show ip bgp ".* 600 .*"
    • Display all routes beginning with A[...]

  • Page 163 (guide page 6-15, Overview)

    • Permit a local BGP speaker to send the default route 0.0.0.0 to a neighbor as the default route: neighbor default-originate
    • Configure the COMMUNITIES attribute to be sent to the neighbor at this IP address: neighbor send-community
    • Permit interior BGP sessions to use any working interface for TCP lin[...]

  • Page 164 (guide page 6-16, Overview / Configuring the Border Gateway Protocol)

    Synchronization
    When an AS provides transit service to other ASs and if there are non-BGP routers in the AS, transit traffic might be dropped if the intermediate non-BGP routers have not learned routes for that traffic via an IGP. BGP synchronization, which is enabled on the XSR by de[...]

  • Page 165 (guide page 6-17, Overview)

    [...] prefix is suppressed for a calculated period (a penalty) which is further incremented with every subsequent flap. The penalty is then decremented by a half-life value until the penalty is below a reuse threshold. So, if stable for a certain period, the hold-down is released from the prefix a[...]
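    The penalty arithmetic behind this paragraph is a half-life decay: a fixed amount is added per flap, the total halves every half-life, the prefix is suppressed once the total reaches a suppress limit and released once it decays below the reuse threshold. The following is an added example of that calculation, not code from the guide or from Enterasys. The page gives no numbers, so the half-life of 900 seconds, the 1000-point flap penalty, the 2000-point suppress limit and the 750-point reuse threshold are assumptions (they are the values commonly used as defaults); the timestamps in the usage are constructed.

```python
import math
from dataclasses import dataclass


@dataclass
class DampeningParams:
    """Commonly used defaults, an assumption: the guide page gives no values."""
    half_life: float = 900.0        # seconds for the penalty to halve
    reuse: float = 750.0            # below this a suppressed prefix is released
    suppress: float = 2000.0        # at or above this the prefix is suppressed
    flap_penalty: float = 1000.0    # added on every flap


def decayed_penalty(penalty: float, elapsed: float, half_life: float) -> float:
    """Exponential decay by half-life: the penalty halves every half_life seconds."""
    return penalty * 2.0 ** (-elapsed / half_life)


@dataclass
class DampenedPrefix:
    params: DampeningParams
    penalty: float = 0.0
    last_update: float = 0.0
    suppressed: bool = False

    def _decay_to(self, now: float) -> None:
        if now < self.last_update:
            raise ValueError("time moved backwards")
        self.penalty = decayed_penalty(self.penalty, now - self.last_update, self.params.half_life)
        self.last_update = now

    def flap(self, now: float) -> bool:
        """Record one flap at time now; returns whether the prefix is suppressed afterwards."""
        self._decay_to(now)
        self.penalty += self.params.flap_penalty
        if self.penalty >= self.params.suppress:
            self.suppressed = True
        return self.suppressed

    def is_suppressed(self, now: float) -> bool:
        """Apply decay and release the hold-down once the penalty is below the reuse threshold."""
        self._decay_to(now)
        if self.suppressed and self.penalty < self.params.reuse:
            self.suppressed = False
        return self.suppressed

    def seconds_until_reuse(self, now: float) -> float:
        """How long the prefix stays suppressed if it is stable from now on."""
        self._decay_to(now)
        if not self.suppressed or self.penalty < self.params.reuse:
            return 0.0
        return self.params.half_life * math.log2(self.penalty / self.params.reuse)


if __name__ == "__main__":
    prefix = DampenedPrefix(DampeningParams())
    for t in (0.0, 60.0, 120.0):             # constructed flap times, one per minute
        print("flap at %4.0fs -> penalty %.0f suppressed=%s" % (t, prefix.penalty, prefix.flap(t)))
    print("released after a further %.0f s" % prefix.seconds_until_reuse(120.0))
```

    Three flaps a minute apart are enough to cross the limit with these numbers, and the prefix then stays down for roughly 29 minutes; a longer half-life or a lower reuse threshold lengthens that tail, which is why the parameters deserve the same review as the limits themselves.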

  • Page 166

    Overview 6-18 Configuring the Border Gateway Protocol Scaling BGP BGP requires that all BGP speakers within a single AS (IBGP) be fully meshed, as shown in Figure 6-10. The result is that for any BGP speakers within an AS, the number of unique BGP sessions required is determined by the following formula: n x (n-1)/2. Be aware that this full[...]

  • Page 167

    Overview XSR User’s Guide 6-19 Route Reflectors Route reflectors are an alternative to the requirement of a fully meshed network within an AS, as illustrated in Figure 6-11. This approach allows a BGP speaker (known as a route reflector) to advertise IBGP learned routes to certain IBGP peers. This is a variation from the standard IBGP b[...]

  • Page 168

    Overview 6-20 Configuring the Border Gateway Protocol It is typical for a client cluster to have one route reflector and be identified by the reflector’s router ID. If you want greater redundancy and wish to avoid a single point of failure, you can add more than one reflector to a cluster. This is accomplished by configuring all cluste[...]

  • Page 169

    Overview XSR User’s Guide 6-21 Figure 6-12 Use of Confederations to Reduce IBGP Mesh Displaying System and Network Statistics The XSR supports BGP statistical displays such as routing table entries, caches, and databases. The XSR can also show data about node accessibility and the path packets take through the network. The XSR off[...]

  • Page 170

    Configuring BGP Route Maps 6-22 Configuring the Border Gateway Protocol • Show BGP peer group data: show ip bgp peer-group • Show routes matching regular AS path expressions: show ip bgp regexp • Show summary BGP neighbor status: show ip bgp summary Configuring BGP Route Maps The following example illustrates the use of a route map [...]

  • Page 171

    Configuring BGP Route Maps XSR User’s Guide 6-23 XSR(config-router)#neighbor 192.168.57.4 remote-as 200 XSR(config-router)#neighbor 192.168.57.4 route-map 77 out XSR(config-router)#route-map 77 5 permit XSR(config-route-map)#set as-path prepend 100 XSR(config-route-map)#match ip address 12 XSR(config-route-map)#route-map 77 15 permit XSR(co[...]

  • Page 172

    Configuring BGP Route Maps 6-24 Configuring the Border Gateway Protocol XSR(config-router)#neighbor 192.168.57.69 filter-list 3 out XSR(config-router)#neighbor 192.168.57.69 filter-list 2 in XSR(config-router)#exit XSR(config)#ip as-path access-list 1 permit _102_ XSR(config)#ip as-path access-list 2 permit _200$ XSR(config)#ip as-path access-li[...]

  • Page 173

    Configuring BGP Peer Groups XSR User’s Guide 6-25 XSR(config-router)#neighbor 130.32.32.1 remote-as 37 In a BGP speaker in AS 2, configure the peers from ASs 1 and 3 as special EBGP peers. Node 191.169.57.1 is a standard IBGP peer and 131.21.12.2 is a standard EBGP peer from AS 30. XSR(config)#router bgp 2 XSR(config-router)#bgp confederat[...]

  • Page 174

    Configuring BGP Peer Groups 6-26 Configuring the Border Gateway Protocol XSR(config-router)#neighbor IBGP filter-list 1 out XSR(config-router)#neighbor IBGP filter-list 2 in XSR(config-router)#neighbor 192.168.57.3 peer-group IBGP XSR(config-router)#neighbor 192.168.57.4 peer-group IBGP XSR(config-router)#neighbor 192.168.57.5 peer-group IBGP XS[...]

  • Page 175

    Configuring BGP Peer Groups XSR User’s Guide 6-27 XSR(config-router)#neighbor 192.168.57.90 send-community XSR(config-router)#neighbor 192.168.57.90 route-map 111 out XSR(config-router)#neighbor route-map 111 10 permit XSR(config-route-map)#match as-path 1 XSR(config-route-map)#set community 50 50 additive XSR(config-route-map)#route-map 111 20[...]

  • Page 176

    Configuring BGP Peer Groups 6-28 Configuring the Border Gateway Protocol XSR(config-router)#bgp confederation identifier 100 XSR(config-router)#bgp confederation peer 10 20 30 XSR(config-router)#neighbor 192.168.57.50 remote-as 15 XSR(config-router)#neighbor 192.168.57.50 route-map 55 out XSR(config-router)#neighbor 192.168.58.2 remote-as 10 XSR([...]

  • Page 177

    XSR User’s Guide 7-1 7 Configuring PIM-SM and IGMP This chapter describes Protocol Independent Multicast - Sparse Mode (PIM-SM) and Internet Group Management Protocol (IGMP) configuration. Features The XSR supports the following IGMP/PIM features: • IGMP versions 1, 2 and 3 (on LAN interface only) • PIM-SM version 2 • Static IG[...]

  • Page 178

    IP Multicast Overview 7-2 Configuring PIM-SM and IGMP calculates the checksum based on the whole Register packet including the data portion. When the XSR receives a Register packet, it accepts both partial and whole checksum methods. • The XSR permits configuration of the CRP value and sets the default priority value to 192, as required by t[...]

  • Page 179

    IP Multicast Overview XSR User’s Guide 7-3 • Addresses between 239.0.0.0 and 239.255.255.255 should not be forwarded beyond an organization's intranet. • Addresses between 232.0.0.0 and 232.255.255.255 are set aside especially for a Source-Specific Multicast service (SSM). IP multicast enables multiple hosts to receive packets wrapp[...]

  • Page 180

    Describing the XSR’s IP Multicast Features 7-4 Configuring PIM-SM and IGMP Two basic types of MDTs are source and shared trees, described as follows: • A source tree is a distribution network with its root at the source and branches forming a spanning tree through the network to its receivers. Because this tree uses the shortest path th[...]

  • Page 181

    Describing the XSR’s IP Multicast Features XSR User’s Guide 7-5 IGMP is an asymmetric protocol, so there are separate behaviors for group members (hosts or routers that wish to receive multicast packets) and multicast routers (routers that can forward multicast packets). Group Membership Actions Group members transmit Report messages to[...]

  • Page 182

    Describing the XSR’s IP Multicast Features 7-6 Configuring PIM-SM and IGMP Receiving a Query When a LAN contains multiple multicast routers, IGMPv3 chooses a single querier per subnet using the same querier election mechanism as IGMPv2, namely by IP address. When a router receives a query with a lower IP address, it sets the Other-Querier-Pr[...]

  • Page 183

    Describing the XSR’s PIM-SM v2 Features XSR User’s Guide 7-7 Behavior of Group Members Among Older Version Group Members An IGMPv3 host may be situated in a network where hosts have not yet been upgraded to IGMPv3. A host may allow its IGMPv3 Membership Record to be suppressed by either a Version 1 or Version 2 [...]

  • Page 184

    Describing the XSR’s PIM-SM v2 Features 7-8 Configuring PIM-SM and IGMP Phase 1: Building a Shared Tree During phase one, PIM-SM builds a shared tree rooted at a special router called Rendezvous Point (RP), as shown in Figure 7-2. Each multicast group is mapped to a specific RP to which all Designated Routers (DR) of the receivers of the gr[...]

  • Page 185

    Describing the XSR’s PIM-SM v2 Features XSR User’s Guide 7-9 interconnects with a router which is already on the shortest path tree from S to the same multicast group, the Join message can end on that router to get a short-cut path. After the path is established, both the native packet along the SPT tree and Register encapsulated packet w[...]

  • Page 186

    Describing the XSR’s PIM-SM v2 Features 7-10 Configuring PIM-SM and IGMP Figure 7-4 Phase 3 Topology: Shortest Path Tree Between Sender and Receiver Neighbor Discovery and DR Election PIM-SM neighbor discovery and DR election are performed via Hello messages which are sent periodically through each PIM-enabled interface. A Hello Timer is ke[...]

  • Page 187

    Describing the XSR’s PIM-SM v2 Features XSR User’s Guide 7-11 PIM Register Message By the end of PIM-SM phase one, the DR for the sender will encapsulate packets from the sender in a Register message and send it to RP for the multicast group. When the DR receives a RegisterStop message from RP, the RegisterStop timer will begin to maintain[...]

  • Page 188

    Describing the XSR’s PIM-SM v2 Features 7-12 Configuring PIM-SM and IGMP Assert messages are used to negotiate which router will forward the multicast packets. The rule for the assert winner is the router with the lower preference (usually a unicast routing protocol preference) and a metric learned from that protocol. If the preference[...]

  • Page 189

    PIM Configuration Examples XSR User’s Guide 7-13 PIM Configuration Examples The following is a simple PIM configuration using the virtual Loopback interface 0 and physical interface FastEthernet 1. Configuring a Loopback interface is a safer way to ensure PIM routers discover each other since specifying a physical IP address could result in [...]

  • Page 190

    PIM Configuration Examples 7-14 Configuring PIM-SM and IGMP[...]

  • Page 191

    XSR User’s Guide 8-1 8 Configuring PPP Overview The Point-to-Point Protocol (PPP), referenced in RFC-1616, is a standard method for transporting multi-protocol datagrams over point-to-point links. PPP defines procedures to assign and manage network addresses, asynchronous and synchronous encapsulation, link configuration, link quality te[...]

  • Page 192

    PPP Features 8-2 Configuring PPP – Challenge Handshake Authentication Protocol (CHAP) – Microsoft Challenge Handshake Authentication Protocol (MS-CHAP) • Link Quality Monitoring (LQM) procedures as defined by RFC-1989 • VJ/IP header compression • No restriction on frame size; default is 1500 octets for the information field - as de[...]

  • Page 193

    PPP Features XSR User’s Guide 8-3 Authentication Authentication protocols, as referenced in RFC-1334, are used primarily by hosts and routers to connect to a PPP network server via switched circuits or dialup lines, but might be applied to dedicated links as well. The server can use identification of the connecting host or router to select [...]

  • Page 194

    PPP Features 8-4 Configuring PPP The MS-CHAP challenge, response and success packet formats are identical in format to the standard CHAP challenge, response and success packets, respectively. MS-CHAP defines a set of reason for failure codes returned in the Failure packet Message Field. It also defines a new packet called Change Password [...]

  • Page 195

    PPP Features XSR User’s Guide 8-5 • Fragmentation/reassembly • Detection of fragment loss • Optimal buffer usage • MTU size determination • Management of MLPPP bundles • MIB support for network management • Up to four T1/E1 lines can be aggregated running MLPPP • Multi-class MLPPP for up to five multiple sequence number stream[...]

  • Page 196

    PPP Features 8-6 Configuring PPP MLPPP Packet Fragmentation and Serialization Transmission Latency MLPPP’s packet transport method over multiple member links is made possible by fragmenting the packet after balancing the load bandwidth to fully utilize the member links’ bandwidth. When sent over a MLPPP link, each fragment carries a sequenc[...]

  • Page 197

    PPP Features XSR User’s Guide 8-7 The overall serialization latency for a fragment over a synchronous/asynchronous Serial or T1 link should be multiplied by the size of the transmission queue. To control latency, both the transmission queue size and fragment size must be controlled. Fragment Interleaving Over the Link Transmitting a highe[...]

  • Page 198

    PPP Features 8-8 Configuring PPP The class number is defaulted to five for both short and the long sequence numbers. That includes four suspendable levels from 0 to 4 with the highest level at 5. The current limits on memory and throughput set the optimized number of class to 4 for the XSR. The result of the number of suspendable classes after[...]

  • Page 199

    PPP Features XSR User’s Guide 8-9 IP Address Assignment In PPP, IPCP configuration option type 3 corresponds to IP address negotiation. This configuration option provides a way to negotiate the IP address to be used on the local end of the link. It allows the sender of the Configure-Request to state which IP address is desired, or to re[...]

  • Page 200

    Configuring PPP with a Dialed Backup Line 8-10 Configuring PPP Configuring PPP with a Dialed Backup Line You can configure PPP on the following types of physical interfaces: • Asynchronous serial • Synchronous serial • T1/E1 By enabling PPP encapsulation on physical interfaces, PPP can also be used on calls placed by the d[...]

  • Page 201

    Configuring a Dialed Backup Line XSR User’s Guide 8-11 5. Enter no shutdown to enable this interface. XSR(config-if<S1/0>)#no shutdown Configuring a Dialed Backup Line The following tasks must be performed to configure a Dialed Backup line: • Configure the dialer interface • Configure a physical interface to function as backup • Con[...]

  • Page 202

    Configuring a Dialed Backup Line 8-12 Configuring PPP Configuring the Interface as the Backup Dialer Interface 1. Enter interface serial card / port to specify the interface to back up. 2. Enter ip address ip-address mask to specify the IP address and subnet mask of the interface. 3. Enter backup interface dialer number as the backup interface. 4.[...]

  • Page 203

    Configuring MLPPP on a Multilink/Dialer interface XSR User’s Guide 8-13 Configuring MLPPP on a Multilink/Dialer interface Multilink Example The following example enables Multi-Class MLPPP on interfaces 71, 72 and 73 with different fragmentation delay intervals but permits multicast traffic in and out of the firewall on each multilink interf[...]

  • Page 204

    Configuring BAP 8-14 Configuring PPP XSR(config-if<D255>)#multilink min-links 37 XSR(config-if<D255>)#ppp multilink bap XSR(config-if<D255>)#ppp bap number default 1200 XSR(config-if<D255>)#ppp bap number default 1400 XSR(config-if<D255>)#ppp bap call request XSR(config-if<D255>)#ppp multilink fragment-delay [...]

  • Page 205

    Configuring BAP XSR User’s Guide 8-15 XSR1(config-controller<T1-1/0>)#isdn bchan-number-order ascending XSR1(config-controller<T1-1/0>)#no shutdown XSR1(config-controller<T1-1/0>)#dialer pool-member 1 priority 0 2. Configure BRI interface 2/0 with the basic-ni1 switch type and two SPIDs: XSR1(config)#interface bri 2/0 XSR1(co[...]

  • Page 206

    Configuring BAP 8-16 Configuring PPP 3. Configure the Dialer 1 interface with a dialer pool: XSR2(config)#interface Dialer1 XSR2(config-if<D1>)#no shutdown XSR2(config-if<D1>)#dialer pool 1 XSR2(config-if<D1>)#encapsulation ppp 4. Set up BAP on Dialer 1 by enabling BAP and adding BAP phone numbers for XSR1 to call. XSR2(config-if[...]

  • Page 207

    Configuring BAP XSR User’s Guide 8-17 XSR1(config-if<D1>)#dialer pool 1 XSR1(config-if<D1>)#encapsulation ppp XSR1(config-if<D1>)#ppp multilink bap XSR1(config-if<D1>)#ppp bap number default 1301 XSR1(config-if<D1>)#ppp bap number default 1300 XSR1(config-if<D1>)#ppp bap call request XSR1(config-if<D1&g[...]

  • Page 208

    Configuring BAP 8-18 Configuring PPP[...]

  • Page 209

    XSR User’s Guide 9-1 9 Configuring Frame Relay Overview Frame Relay (FR) is a simple, bit-oriented protocol that offers fast-packet switching for wide-area networking. It combines the statistical multiplexing and port-sharing features of an X.25 connection with fast speed and low delay for high performance and less overhead. Frame Relay o[...]

  • Page 210

    Overview 9-2 Configuring Frame Relay Figure 9-1 Frame Relay Network Topology From the perspective of the OSI reference model, Frame Relay is a high-performance WAN protocol suite operating at the physical and data link layers (1 and 2). Starting from a source site, variable-length packets are switched between various network segments un[...]

  • Page 211

    Frame Relay Features XSR User’s Guide 9-3 Frame Relay Features The XSR supports the following FR features: • The XSR acts as a DTE/DCE device in the UNI (User Network Interface) interface, supporting FR PVC connections (NNI functionality is not supported) • 10-bit DLCI addressing using a 2-byte DLCI header (3- and 4-byte headers are not su[...]

  • Page 212

    Controlling Congestion in Frame Relay Networks 9-4 Configuring Frame Relay Address Resolution The XSR supports dynamic resolution via Inverse ARP to map virtual circuits (DLCI) to remote protocol addresses, as defined in RFC-2390. Dynamic Resolution Using Inverse ARP Inverse ARP lets a network node request a next hop IP address correspondi[...]

  • Page 213

    Controlling Congestion in Frame Relay Networks XSR User’s Guide 9-5 Several other parameters work hand-in-hand with CIR in controlling traffic flow. Committed burst (Bc) is the peak number of bits that the network attempts to deliver during a given period. Bc differs from CIR - it is a number, not a rate. CIR is equal to the committed burst d[...]

  • Page 214

    Controlling Congestion in Frame Relay Networks 9-6 Configuring Frame Relay Using BECN bits to control the outbound dataflow is known as adaptive shaping. It is disabled by default on the XSR. To activate it, you must first enable traffic shaping on the port then associate a map class with this interface, sub-interface or DLCI which has the a[...]

  • Page 215

    Link Management Information (LMI) XSR User’s Guide 9-7 Link Management Information (LMI) A FR UNI-DCE device communicates with an attached FR DTE device (e.g., the XSR) about the status of the PVC connections through Link Management Information protocol (LMI). LMI monitors the status of the connection and provides the following data: • Activ[...]

  • Page 216

    FRF.12 Fragmentation 9-8 Configuring Frame Relay FRF.12 Fragmentation Generally speaking, it is difficult to deliver good end-to-end quality of service for time-sensitive packets (voice and video) when operating over low speed FR lines (64 kbps or lower), especially when the link is also used to transport large packets (1500-byte FTP traf[...]

  • Page 217

    FRF.12 Fragmentation XSR User’s Guide 9-9 until you enter the copy running config startup config command to copy the running configuration into the startup configuration file within Flash. Map-Class Configuration The Map Class configures a common profile (characteristics) that can be applied to PVCs, eliminating the need to configure parameter[...]

  • Page 218

    Interconnecting via Frame Relay Network 9-10 Configuring Frame Relay Interconnecting via Frame Relay Network The following typical application uses FR to link remote branches to the corporate network at the central sites via a FR network, as shown in Figure 9-3. Figure 9-3 Branch/Central Frame Relay Topology New York Minneapolis Frame Relay[...]

  • Page 219

    Configuring Frame Relay XSR User’s Guide 9-11 Configuring Frame Relay Multi-point to Point-to-Point Example The following example configures the XSR in New York to connect with XSRs in Andover and Montreal using Frame Relay, as shown in Figure 9-4. Figure 9-4 Frame Relay Multipoint to Point-to-Point Topology The following CLI commands enab[...]

  • Page 220

    Configuring Frame Relay 9-12 Configuring Frame Relay NewYork(config-map-class<frf12>)#frame-relay bc out 4000 NewYork(config-map-class<frf12>)#frame-relay be out 5000 NewYork(config-map-class<frf12>)#frame-relay fragment 53 NewYork(config-map-class<frf12>)#service-policy out Voice Configure Serial interface 2/0 with FR [...]

  • Page 221

    Configuring Frame Relay XSR User’s Guide 9-13 Andover(config-if<S2/0>)#frame-relay lmi-type ANSI Andover(config-if<S2/0>)#frame-relay traffic-shaping Andover(config-if<S2/0>)#frame-relay class frf12 Andover(config-if<S2/0>)#no shutdown Configure Serial sub-interface 2/0.1 for a point-to-point connection with DLCI 980: Ando[...]

  • Page 222

    Configuring Frame Relay 9-14 Configuring Frame Relay[...]

  • Page 223

    XSR User’s Guide 10-1 10 Configuring Dialer Services This chapter details information about the XSR’s suite of dialer functionality: • Dial • Ethernet Failover • Backup Dialer • Dial on Demand (DoD) • Bandwidth on Demand (BoD) • Multilink PPP (MLPPP) • Dialer Interface Spoofing • Dialer Watch Overview of Dial Services Dial S[...]

  • Page 224

    Asynchronous and Synchronous Support 10-2 Configuring Dialer Services Asynchronous and Synchronous Support Synchronous and asynchronous interfaces can be configured for dialed connections to one or more destination networks. When requested, the XSR uses dialing commands to send the phone number of the destination network to a modem. The modem t[...]

  • Page 225

    Asynchronous and Synchronous Support XSR User’s Guide 10-3 Table 10-1 lists V.25bis options. By default, the synchronous port will use V25bis. The functions of these options are nation-specific, and they may have different implementations. Refer to your modem documentation for a list of supported commands and options. DTR Dialing for Sync[...]

  • Page 226

    Implementing Dial Services 10-4 Configuring Dialer Services Implementing Dial Services Dial services are provided by dialer interfaces, which are defined as any XSR interface capable of placing or receiving a call. You can implement Dial Services by creating a dialer profile. Refer to Figure 10-2 for a network perspective and Figure 10-3 for[...]

  • Page 227

    Implementing Dial Services XSR User’s Guide 10-5 to support point-to-point or point-to-multi-point connections and can be non-spoofed for backup purposes. Refer to “Dialer Interface Spoofing” on page 10-18 for more information. • Dialer map class defines all line characteristics of calls to the destination including the interval to wait [...]

  • Page 228

    Implementing Dial Services 10-6 Configuring Dialer Services Configuring Encapsulation When a clear data link is established between two peers, traffic must be encapsulated and framed for transport across the Dialer media. PPP is the encapsulation method of choice for Dialer Services because it supports multiple protocols and is used for synch[...]

  • Page 229

    Implementing Dial Services XSR User’s Guide 10-7 Figure 10-3 Logical View of Dialer Profiles Figure 10-4 on page 10-8 illustrates three Dialer Interfaces with three associated Dialer Pools. Dialer Pool 6 supports two Serial interfaces of different priority “weighting”. Dialer Pools 3 and 9 support three Serial interfaces with one interf[...]

  • Page 230

    Implementing Dial Services 10-8 Configuring Dialer Services Figure 10-4 Sample Dialer Topology As illustrated in Figure 10-5 on page 10-9 and Figure 10-6 on page 10-10, Toronto and Andover Dialer Profiles share similar parameters except phone numbers and values specifying the interval to wait for a dial signal. Interface dialer 0 ip addre[...]

  • Page 231

    Implementing Dial Services XSR User’s Guide 10-9 Figure 10-5 Dialer Profile of Destination (416) 123-4456 Interface dialer 0 ip address 10.1.1.1 255.0.0.0 encapsulation ppp dialer string 4161234456 class Toronto dialer string 9872312345 class Andover dialer pool 6 map class dialer Toronto wait for carrier 20 Dialer Pool 6 contains two ports: Se[...]

  • Page 232

    Implementing Dial Services 10-10 Configuring Dialer Services Figure 10-6 Dialer Profile of Destination (987) 231-2345 Configuring the Dialer Interface The following tasks need to be performed to configure a dialer profile: • Create and configure the dialer interface • Configure a map class (optional but distinguishes dialer profiles) • Co[...]

  • Page 233

    Implementing Dial Services XSR User’s Guide 10-11 Configuring the Map Class 1. Enter map-class dialer classname to create a map-class identifier. This value must match the classname value you specified in the dialer string command. 2. Enter dialer wait-for-carrier-time seconds to set the interval the local modem waits to answer the call. Configu[...]

  • Page 234

    Implementing Dial Services 10-12 Configuring Dialer Services Configuring ISDN Callback The following CLI commands configure point-to-point and point-to-multipoint applications with single or multiple neighbors. Point-to-Point with Matched Calling/Called Numbers The following commands configure the called XSR with matched calling and called phon[...]

  • Page 235

    Overview of Dial Backup XSR User’s Guide 10-13 XSR(config-if<D1>)#dialer idle-timer 0 XSR(config-if<D1>)#dialer map ip 10.10.10.2 9053617921 XSR(config-if<D1>)#dialer map ip 10.10.10.3 9053617363 XSR(config-if<D1>)#encapsulation ppp XSR(config-if<D1>)#ip address 10.10.10.1 255.255.255.0 XSR(config-if<D1>)#no[...]

  • Page 236

    Link Failure Backup Example 10-14 Configuring Dialer Services 8. Backup link is up, triggering the next action. 9. Static Backup route configured - the routing process searches its configured Static Routing entries and installs the routes that can be reached through the backup interface. 10. Dynamic route - the routing protocol (RIP) learns[...]

  • Page 237

    Configuring a Dialed Backup Line XSR User’s Guide 10-15 Configuring the Physical Interface for the Dialer Interface Perform the following steps to set up the physical port for the dialer interface: 1. Enter interface serial card / port to specify the interface. 2. Enter encapsulation ppp to set PPP encapsulation. 3. Enter dialer pool-member p[...]

  • Page 238

    Configuring a Dialed Backup Line 10-16 Configuring Dialer Services Sample Configuration Figure 10-8 on page 10-16 shows an example of two dialer interfaces used to back up two separate serial lines using only one dial out line (serial interface 1). Figure 10-8 Backup Dial Example The CLI commands shown below are those used to configu[...]

  • Page 239

    Overview of Dial on Demand/Bandwidth on Demand XSR User’s Guide 10-17 XSR(config-if<D2>)#encapsulation ppp XSR(config-if<D2>)#dialer pool 5 XSR(config-if<D2>)#no shutdown Configure backup serial port for dial purposes to belong to dial pool 5: XSR(config)#interface serial 1/0 XSR(config-if<S1/0>)#dialer pool-member 5 XSR([...]

  • Page 240

    Dialer Interface Spoofing 10-18 Configuring Dialer Services For more information on ISDN fundamentals, refer to “Configuring Integrated Services Digital Network” on page 1 and the XSR CLI Reference Guide. Dialer Interface Spoofing Spoofing on a dialer interface is defined as the line “pretending” to be up when it is not. That is, the lin[...]

  • Page 241

    Dialer Watch XSR User’s Guide 10-19 A watch group can also be specified for use by the Virtual Router Redundancy Protocol (VRRP) with the vrrp <number> track watch-group command. For more information, refer to “Configuring IP” on page 1. At the outset, the XSR’s Routing Table Manager (RTM) notifies the Dialer subsystem when a[...]

  • Page 242

    Answering Incoming ISDN Calls 10-20 Configuring Dialer Services Caveat The following caveat applies to Dialer Watch functionality: The dialer will not disconnect the secondary backup switched link if this connection has a better cost to the watched route than the primary link. But, you can remedy this situation by entering the ip rip offset [...]

  • Page 243

    Answering Incoming ISDN Calls XSR User’s Guide 10-21 Incoming Call Mapping Example This example, as shown in Figure 10-10, configures a node capable of handling multiple call setup requests coming from different remote peers and maps each incoming call to the correct IP interface (Dialer interface). Figure 10-10 Incoming Call Mapping Topolo[...]

  • Page 244

    Answering Incoming ISDN Calls 10-22 Configuring Dialer Services Node B (Called Node) Configuration The following commands add two users to validate calls made from Node A. This configuration employs the username/authentication method of mapping incoming calls. XSR(config)#username toronto privilege 0 password cleartext z XSR(config)#username bos[...]

  • Page 245

    Configuring DoD/BoD XSR User’s Guide 10-23 XSR(config-if<BRI-1/0>)#dialer pool-member 2 XSR(config-if<BRI-1/0>)#no shutdown The following commands define a dialer group, add a dialer pool, set a 20-second idle timeout, and map BRI interface 1/0 to Dialer port 1. The dialer map command directs Node D to call Node B, specifying Node[...]

  • Page 246

    Configuring DoD/BoD 10-24 Configuring Dialer Services Figure 10-11 Dial on Demand Topology PPP Point-to-Multipoint Configuration In this configuration, only one of the peer nodes can initiate the setup of a switched link when access-list defined data traffic is sent to the remote peer. Node A (Calling Node) Configuration The following command[...]

  • Page 247

    Configuring DoD/BoD XSR User’s Guide 10-25 ! XSR(config-if<D2>)#dialer map ip 20.20.20.2 2401 ! XSR(config-if<D2>)#ip address 20.20.20.1 255.255.255.0 The following command defines interesting packets for the dial out trigger by configuring access list 101 to pass all Type 8 source and destination ICMP traffic up to 20 idle se[...]

  • Page 248

    Configuring DoD/BoD 10-26 Configuring Dialer Services XSR(config)#interface dialer 1 XSR(config-if<D1>)#no shutdown XSR(config-if<D1>)#dialer pool 25 XSR(config-if<D1>)#encapsulation ppp XSR(config-if<D1>)#dialer idle-timeout 35 XSR(config-if<D1>)#dialer-group 3 XSR(config-if<D1>)#dialer map ip 10.10.10.2 2400[...]

  • Page 249

    Configuring DoD/BoD XSR User’s Guide 10-27 Figure 10-12 Point-to-Point Topology Dial-in Routing for Dial on Demand Example The following commands configure dialer interface 1: XSR(config)#interface dialer 1 XSR(config-if<D1>)#encapsulation ppp XSR(config-if<D1>)#ip address 172.22.85.1 XSR(config-if<D1>)#ppp authenticat[...]

  • Page 250

    Configuring DoD/BoD 10-28 Configuring Dialer Services XSR(config)#interface dialer 1 XSR(config-if<D1>)#encapsulation ppp XSR(config-if<D1>)#ip address 172.22.85.2 XSR(config-if<D1>)#ppp pap sent-username XSR-andover password secret 0 dolly XSR(config-if<D1>)#dialer pool 1 XSR(config-if<D1>)#dialer string 47410 XSR[...]

  • Page 251

    Configuring DoD/BoD XSR User’s Guide 10-29 Dial-out Router Example The following commands add a dialer pool and dialer group, specify a secret password to be sent to the peer for PAP authentication, and specify three MLPPP call destinations - XSR-Andover, XSR-Boston and XSR-Buffalo - on XSR-Toronto’s Dialer interface 1. Spoofing is e[...]

  • Page 252

    Configuring DoD/BoD 10-30 Configuring Dialer Services XSR(config-if<D2>)#no shutdown XSR(config-if<D2>)#dialer remote-name XSR-Boston The following commands add a dialer pool member and set the Central Office switch type on BRI port 1/0: XSR(config)#interface bri 1/0 XSR(config-if<BRI-1/0>)#isdn switch-type basic-net3 XSR(conf[...]

  • Page 253

    Configuring DoD/BoD XSR User’s Guide 10-31 Node B (Called Node) Configuration The following commands add a dialer pool member with the Central Office switch type to BRI interface 1/0: XSR(config)#interface bri 1/0 XSR(config-if<BRI-1/0>)#isdn switch-type basic-net3 XSR(config-if<BRI-1/0>)#dialer pool-member 22 XSR(config-if<BRI[...]

  • Page 254

    Configuring DoD/BoD 10-32 Configuring Dialer Services XSR(config-if<D1>)#dialer pool 1 XSR(config-if<D1>)#no shutdown The following commands add a dialer pool member and specify the primary-ni switch on XSR-Toronto’s T1 interface 2/3: XSR(config)#controller t1 2/3 XSR(config-controller<T1-1/1>)#switch-type primary-ni [...]

  • Page 255

    Configuring DoD/BoD XSR User’s Guide 10-33 Figure 10-15 MLPPP Point-to-Multipoint Topology Dial-out Router Example The following commands add a dialer pool and dialer group, and specify three MLPPP call destinations - XSR-Andover, XSR-Boston and XSR-Buffalo - on XSR-Toronto’s Dialer interface 1. Spoofing also is enabled by the dialer ma[...]

  • Seite 256

    Configuring DoD/BoD 10-34 Configuring Dialer Ser vices The following command d efines interesting packets for the dial out trigger by configuring A CL 101 to pass all T ype 8 source and destination ICMP pack ets: XSR(config)#access-list 101 permit i cmp any any 8 Dial-in Router Example The following commands add a diale r pool and configure PPP Mul[...]

  • Seite 257

    Switched PPP Multilink Configuration XSR User’s Guide 10-35 XSR(config)#access-list 101 permit i cmp any any 8 The following command maps AC L 101 to dialer group 3: XSR(config)#dialer-list 3 protocol i p list 101 Node B Configuration The following commands add a dialer pool member and set the Central Of fice switch type on BRI port 1/0: XSR(conf[...]

  • Seite 258

    Switched PPP Multilink Configuration 10-36 Configuring Dialer Ser vices Node A (Calling Node) Configuration The following commands add a dialer pool member and set the Central Of fice switch type on BRI port 1/0: XSR(config)#interface bri 1/0 XSR(config-if<BRI-1/0>)#isdn switch- type basic-net3 XSR(config-if<BRI-1/0>)#dialer pool- membe[...]

  • Seite 259

    Backup Configuration XSR User’s Guide 10-37 Backup Configuration Backup Using ISDN This example configur es ISDN NIM cards (e ither BRI or T1/E1 configur ed for PRI) to be used for backing-up other interfaces, as shown in Figure 10-17 . Figure 10-17 Backup T opology Using ISDN Node A (Backed-up Node) Configuration The following command s set inte[...]

  • Seite 260

    Backup Configuration 10-38 Configuring Dialer Ser vices XSR(config-if<D2>)#dialer pool 22 XSR(config-if<D2>)#dialer string 250 1 XSR(config-if<D2>)#ip address 20.20. 20.1 255.255.255.0 The following command configures backup Dialer int erface 1 on Serial sub-interface 2/0:0: XSR(config)#interface serial 2/0:0 XSR(config-if<S2/0[...]

  • Seite 261

    Backup Configuration XSR User’s Guide 10-39 XSR(config-if<D2>)#no shutdown XSR(config-if<D2>)#dialer pool 28 XSR(config-if<D2>)#encapsulation ppp XSR(config-if<D2>)#dialer called 250 1 XSR(config-if<D2>)#ip address 20.20. 20.3 255.255.255.0 The following command configures Serial sub-interfac e 2/0:0: XSR(config)#int[...]

  • Seite 262

    Backup Configuration 10-40 Configuring Dialer Ser vices XSR(config-if<S2/0:0>)#backup interf ace dialer1 XSR(config-if<S2/0:0>)#encapsulation ppp XSR(config-if<S2/0:0>)#ip address 30 .30.30.1 255.255.255.0 Node C (Called No de) Configuration The following commands configure two channel gr ou ps with three tot al timeslots on T1 su[...]

  • Seite 263

    Backup Configuration XSR User’s Guide 10-41 Configuration for Fram e Relay Encap sulation This backup dial-out example configures FR enca psulation and typical call parameters (dial pool, dial string, dial class) on parent Dialer interface 20 while setting the DLCI and IP address on Dialer sub-interface 20.1: XSR(config)#interface dialer 20 XSR(c[...]

  • Seite 264

    Backup Configuration 10-42 Configuring Dialer Ser vices[...]

  • Seite 265

    XSR User’s Guide 11-1 11 Configuring Integrated Services Digital Network This chapter outlines how to configure the Integrated Services Digital Network (ISDN) Protocol on the XSR in the following sections: • XSR ISDN features • Understanding ISDN • ISDN configuration topology – BRI – PRI – Leased line • ISDN co[...]

  • Page 266

    Understanding ISDN 11-2 Configuring Integrated Services Digital Network BRI Features • Circuit Mode Data (CMD): Channels (DS0s or B’s) are switched by the CO to the destination user for the duration of the call. – Outgoing calls supported for Backup, DoD/BoD. – Incoming calls routed to the correct protocol stack based on called number/su[...]

  • Page 267

    Understanding ISDN XSR User’s Guide 11-3 which provides access to 23 B-channels in North America and Japan and 30 B-channels in Europe and most of Asia, and a 64 Kbps D-channel in both. Basic Rate Interface The XSR’s BRI NIM provides two BRI ports. Each port has two 64 Kbps B-channels and one 16 Kbps D-channel. BRI is configured on the XSR[...]

  • Page 268

    Understanding ISDN 11-4 Configuring Integrated Services Digital Network D-Channel Standards The XSR supports several D-channel standards, which are enabled with the isdn switch-type command. The accepted standards and some associated switches are: • Europe/International: basic-net3 for BRI and primary-net5 for PRI • Japan: basic-ntt for B[...]

  • Page 269

    Understanding ISDN XSR User’s Guide 11-5 reference point represents the customer premises’ wiring. S/T is a point-to-multipoint wiring configuration, that is, the NTI can be connected to as many as eight TEs that contend for the two B channels. Most XSR applications are critical and require point-to-point connections with the ISDN service [...]

  • Page 270

    Understanding ISDN 11-6 Configuring Integrated Services Digital Network Call Monitoring Call monitoring is also a vital element of the XSR’s ISDN service. Call monitoring features are useful in terms of security, but also enable tracking of call volume and logging of all connections so that administrators can optimize the number of ISDN [...]

  • Page 271

    Understanding ISDN XSR User’s Guide 11-7 Rx ISDN-BRI 1/0 03:13:47:676 Q921 UI p 0 sapi 63 tei 127 c/r 1 • + 2nd line: info:0F 00 00 06 FF Tx ISDN-BRI 1/0 03:13:52:601 Q921 INFO p 0 nr 0 ns 0 sapi 0 tei 64 c/r0 info:08 00 7B 3A 07 32 38 30 30 35 35 35 Tx ISDN-BRI 1/0 03:13:52:556 Q921 SABME p 1 sapi 0 tei 64 c/r 0 Rx ISDN-BRI 1/0 03:13:52:661[...]

  • Page 272

    Understanding ISDN 11-8 Configuring Integrated Services Digital Network – + Next line: 04 Bearer capability 8890 18 Channel Id. 81 6C Calling number N0:2800 70 Called number N0:2500 The succeeding section lists all message types and IEs the XSR displays. All unsupported message types and IEs are marked UNKNOWN or IE not Found. Table 11-1[...]

  • Page 273

    ISDN Configuration XSR User’s Guide 11-9 Decoded IEs Only IEs referring to data calls are supported and decoded by the XSR, as shown in the following examples. Those IEs used for voice calls and supplementary services are not applicable. • Called party number: 70 Called number N0:2500 • Calling party number: 6C Calling number N0:2800 • Ca[...]

  • Page 274

    ISDN Configuration 11-10 Configuring Integrated Services Digital Network • The channel-group command for point-to-point connections. The above commands are mutually exclusive: you can enter one or the other per PRI interface, not both. On the E1 NIM, 30 channels are controlled by ISDN, and 23 channels on the T1 NIM. Other PRI commands include:[...]

  • Page 275

    ISDN Configuration XSR User’s Guide 11-11 Figure 11-1. Switched BRI Configuration Model The following example adds a dialer pool and group, and two phone numbers to the called node’s Dialer 0 port. It also configures a second dialer pool and group, a Multilink PPP line to four B channels on the Dialer 1 interface, and maps the 192.168.1.1[...]

  • Page 276

    ISDN Configuration 11-12 Configuring Integrated Services Digital Network XSR(config)#interface dialer 1 XSR(config-if<D1>)#ip address 2.2.2.2 255.255.255.0 XSR(config-if<D0>)#encapsulation ppp XSR(config-if<D0>)#ppp multilink XSR(config-if<D0>)#dialer map ip 192.168.1.10 name HOME 212555756 XSR(config-if<D0>)#dialer[...]

  • Page 277

    ISDN Configuration XSR User’s Guide 11-13 Figure 11-2. PRI Configuration Model The following T1 example configures the interface for ISDN PRI operation, adds a dialer pool and group, and one dialer string to the node’s Dialer 1 port. The ISDN PRI interface belongs to two prioritized pool members. You can add map class, dialer list and ACL [...]

  • Page 278

    ISDN Configuration 11-14 Configuring Integrated Services Digital Network Be aware that the isdn bchan-number-order command forces the PRI interface to make outgoing calls in ascending or descending order. The command is recommended only if your service provider requests it to lessen the chance of call collisions. Leased-Line Configuration Mod[...]

  • Page 279

    More Configuration Examples XSR User’s Guide 11-15 XSR(config-if<BRI-1/1:2>)#ip address 1.1.1.3 255.255.255.0 XSR(config-if<BRI-1/1:2>)#encapsulation frame relay The following commands add a third, bundled B1/B2 line on BRI interface 0/1/1 and another lease line on BRI channel 0/1/2:1 with Frame Relay encapsulation. You can add ot[...]

  • Page 280

    ISDN (ITU Standard Q.931) Call Status Cause Codes 11-16 Configuring Integrated Services Digital Network XSR(config-if<BRI-1/1>)#no shutdown XSR(config-if<BRI-1/1>)#dialer pool-member 1 priority 1 BRI Leased Line The following example configures a leased-line BRI connection: XSR(config)#interface bri 1/0 XSR(config-if<BRI-1/0>)#l[...]

  • Page 281

    ISDN (ITU Standard Q.931) Call Status Cause Codes XSR User’s Guide 11-17 7 Call awarded and being delivered in an established channel 8 Prefix 0 dialed but not allowed 9 Prefix 1 dialed but not allowed 10 Prefix 1 dialed but not required 11 More digits received than allowed, call is proceeding 16* Normal call clearing 17* User busy 18* No u[...]

  • Page 282

    ISDN (ITU Standard Q.931) Call Status Cause Codes 11-18 Configuring Integrated Services Digital Network 54 Incoming calls barred 55 Incoming calls barred within CUG 56 Call waiting not subscribed 57 Bearer capability not authorized 58 Bearer capability not presently available 63 Service or option not available, unspecified 65 Bearer service [...]

  • Page 283

    XSR User’s Guide 12-1 12 Configuring Quality of Service Overview In a typical network, there are often many users and applications competing for limited system and network resources. While resource sharing on a first-come, first-serve basis may suffice when your network load is light, access can freeze quickly when the network gets cong[...]

  • Page 284

    Mechanisms Providing QoS 12-2 Configuring Quality of Service • QoS on the dialer interfaces is directly applied to the dialer interface and inherited by the dial pool members (Serial or ISDN). • QoS on MLPPP interfaces. • QoS on point-to-point and point-to-multi-point VPN interfaces. • Control over copy of the ToS byte from/to outer head[...]

  • Page 285

    Mechanisms Providing QoS XSR User’s Guide 12-3 features in the traffic policy determine how to treat the classified traffic. Traffic policy cannot be applied to multilink PPP interfaces at this time. You must perform three steps to configure a class-based classifier: 1. Define a traffic class with the class-map command. 2. Create a tra[...]

  • Page 286

    Mechanisms Providing QoS 12-4 Configuring Quality of Service • The priority command assigns traffic from this class a Priority Queue (PQ) and sets the parameter for the queue. Priority queues provide guaranteed bandwidth - they always receive the bandwidth requested. Priority class is not allowed to send more than its guaranteed bandwidt[...]

  • Page 287

    Mechanisms Providing QoS XSR User’s Guide 12-5 Configuring CBWFQ CBWFQ is configured using the bandwidth command. It provides a minimum bandwidth guarantee during congestion. For example, policy-map keyser guarantees 30 percent of the bandwidth to class sosay and 60 percent of the bandwidth to class intrigue. If one class uses less of the re[...]

  • Page 288

    Mechanisms Providing QoS 12-6 Configuring Quality of Service excess bandwidth may be used by CBWFQ. A rule of thumb for configuring PQs is to assign time-sensitive traffic (voice and video) to PQs and other types (e.g., Telnet) to fair queues. Any traffic you do not specially assign (e.g., Email) is automatically directed to the class-defa[...]

  • Page 289

    Mechanisms Providing QoS XSR User’s Guide 12-7 This is how the policer works. It maintains two token buckets, one holding tokens for normal burst and the other for excess burst. The policing algorithm handles token refilling and burst checking. Token buckets are refilled every time a new packet arrives. The specified bandwidth and the inte[...]

  • Page 290

    Mechanisms Providing QoS 12-8 Configuring Quality of Service Class-based traffic shaping can be configured on any class and applied to any data path (interface or DLCI) with the shape command. In order to do so, you must define a traffic policy and within that policy apply traffic shaping to a class. In the following example, class ring is shape[...]

  • Page 291

    Mechanisms Providing QoS XSR User’s Guide 12-9 XSR(config-pmap-c<d32>)#exit XSR(config-pmap<cbts>)#class foo XSR(config-pmap-c<foo>)#shape 38400 15440 XSR(config-pmap-c<foo>)#bandwidth per 30 XSR(config-pmap-c<foo>)#exit XSR(config-pmap<cbts>)#class class-default XSR(config-pmap-c<class-default>)#set i[...]

  • Page 292

    Mechanisms Providing QoS 12-10 Configuring Quality of Service queue-limit value for the queue size. Be aware that by setting the queue size smaller than the shaper burst, shape will not be able to achieve the configured average rate. When the queue-limit command is not invoked, queue size is determined only by the shaper burst. Congestion Con[...]

  • Page 293

    Mechanisms Providing QoS XSR User’s Guide 12-11 Figure 12-1 RED Drop Probability Calculation In the following example, class bus has a minimum threshold of 460. RED will start to randomly (with a probability between 0 and 1/10) discard packets when its queue grows over 460 packets. It will start to discard each packet when the queue holds more[...]

  • Page 294

    Mechanisms Providing QoS 12-12 Configuring Quality of Service WRED. Traffic marked with a lower drop probability is assigned a higher MaxP, and bigger thresholds for MinTh and MaxTh than traffic marked with DSCP values having a higher drop level. Because higher drop DSCPs have a lower MinTh, as the queue grows, the XSR starts discarding th[...]

  • Page 295

    QoS and Link Fragmentation and Interleaving (LFI) XSR User’s Guide 12-13 the dialer interface is pushed to the bound serial and, when disconnected, is removed from the serial port. Refer to “Configuring PPP” on page 8-1. Suggestions for Using QoS on the XSR The XSR supports QoS on all interfaces but you should enable QoS only on the data pat[...]

  • Page 296

    QoS with VLAN 12-14 Configuring Quality of Service QoS with MLPPP multi-class regulates the output queue in such a way that, ideally, there is at most one non-priority packet in front of the priority packet so the greatest latency that latency-sensitive packets experience is never bigger than the fragment delay. Practically speaking, latenc[...]

  • Page 297

    QoS with VLAN XSR User’s Guide 12-15 Describing VLAN QoS Packet Flow The following scenarios illustrate how prioritized VLAN and non-VLAN packets behave across XSR interfaces with VLAN and QoS configured and include minimal CLI commands. VLAN Packet with Priority Routed out a Fast/GigabitEthernet Interface The following scenario is illustrated [...]

  • Page 298

    QoS with VLAN 12-16 Configuring Quality of Service Figure 12-4 LAN/QoS Serial Scenario Non-VLAN IP Packet Routed Out a Fast/GigabitEthernet Interface In this scenario, shown in Figure 12-5, the policy map setCos4 is applied to the output interface FastEthernet 1.1. Since the input IP DSCP was 46 it will match the class matchDscp. The output [...]

  • Page 299

    QoS on Input XSR User’s Guide 12-17 Priority levels range from 0 (lowest) to 7. 6. Create a traffic policy. policy-map <policy-map-name> 7. Optional. Mark the IEEE 802.1 priority in the output VLAN header. set cos <0 - 7> 8. Attach the service policy to the input or output interface. interface <Interface name> <slot/card/[...]

  • Page 300

    QoS on VPN 12-18 Configuring Quality of Service The XSR offers you two choices in applying QoS service policy: • before encryption on the VPN tunnel (virtual VPN) interface or, • after encryption on the underlying physical interface. Copying of the ToS byte brings into play security concerns you must address. As described in RFCs 2475 an[...]

  • Page 301

    QoS on VPN XSR User’s Guide 12-19 outer header. In this scenario, all QoS-related parameters are attached to the VPN interface. Note that the VPN interface is a virtual interface without any bandwidth attached to it so certain QoS operations may not be applied here, namely, scheduling packets. But, other QoS parameters which can be appl[...]

  • Page 302

    QoS on VPN 12-20 Configuring Quality of Service Figure 12-6 QoS on a Virtual Interface Example The following commands configure Ser and Vpn policy maps on the XSR Remote 1 as shown in Figure 12-7. XSR Central configuration is not described. Configure the QoS Class Maps RTP and FTP matched to ACLs 110 and 15: XSR(config)#class-map RTP XSR[...]

  • Page 303

    QoS on VPN XSR User’s Guide 12-21 XSR(config)#policy-map Ser XSR(config-pmap-Ser>)#class RTP1 XSR(config-pmap-c<RTP1>)#priority high 100 XSR(config-pmap-c<RTP1>)#exit XSR(config-pmap-Ser>)#class FTP1 XSR(config-pmap-c<FTP1>)#bandwidth percent 20 XSR(config-pmap-c<FTP1>)#exit XSR(config-pmap-Ser>)#class class-def[...]

  • Page 304

    QoS on VPN 12-22 Configuring Quality of Service XSR(config)#interface vpn 1 XSR(config-int-vpn)#ip address 20.20.20.1/24 XSR(config-int-vpn)#copy-tos XSR(config-int-vpn)#service-policy output vpn XSR(config-tms-tunnel)#tunnel t1 XSR(config-tms-tunnel)#set protocol gre XSR(config-tms-tunnel)#set peer 10.10.10.2 XSR(config-tms-tunnel)#set active [...]

  • Page 305

    QoS on VPN XSR User’s Guide 12-23 This situation can cause unexpected results when QoS is applied to VPN interfaces. If the rate of traffic traversing the VPN interface is higher than the physical interface bandwidth, packets are dropped after they are sent from the VPN interface. Due to this, QoS statistics may show higher available band[...]

  • Page 306

    QoS Policy Configuration Examples 12-24 Configuring Quality of Service As an example, tunnels with ESP and 3DES encoding will add 44 bytes (or more) overhead. Padding for 3DES may add eight more bytes. Calculate the shaper rate with this formula: ShaperRate = LineRate * (1 - OverHead/(OverHead + AvgPktSize)) The table below summarizes the sh[...]

  • Page 307

    QoS Policy Configuration Examples XSR User’s Guide 12-25 XSR(config-pmap-c<class1>)#queue-limit 40 XSR(config-pmap-c<class1>)#exit XSR(config-pmap<policy1>)#class class2 XSR(config-pmap-c<class2>)#bandwidth 300 XSR(config-pmap-c<class2>)#random-detect 34 56 3 XSR(config-pmap-c<class2>)#exit XSR(config-pmap&l[...]

  • Page 308

    QoS Policy Configuration Examples 12-26 Configuring Quality of Service Create a policy map consisting of one or more traffic classes and specify QoS characteristics for each traffic class: XSR(config)#policy-map frame1 XSR(config-pmap<frame1>)#class voice XSR(config-pmap-c<voice>)#priority high 20 2500 XSR(config-pmap-c<voice>[...]

  • Page 309

    QoS Policy Configuration Examples XSR User’s Guide 12-27 XSR(config-pmap<QoS-Policy>)#class VoIP-RTP XSR(config-pmap-c<class VoIP-RTP>)#priority high 100 XSR(config-pmap-c<class VoIP-RTP>)#class FTP XSR(config-pmap-c<class VoIP-RTP>)#bandwidth per 30 XSR(config)#access-list 101 permit udp any any range 16384 32767 XSR[...]

  • Page 310

    QoS Policy Configuration Examples 12-28 Configuring Quality of Service XSR(config)#map-class frame-relay VoIP XSR(config-map-class<VoIP>)#frame-relay cir out 256000 XSR(config-map-class<VoIP>)#frame-relay bc out 25600 XSR(config-map-class<VoIP>)#frame-relay be out 0 XSR(config-map-class<VoIP>)#service-policy output QoS[...]

  • Page 311

    QoS Policy Configuration Examples XSR User’s Guide 12-29 XSR(config)#interface multilink 1 XSR(config-if<M1>)#service-policy input InOut XSR(config-if<M1>)#exit XSR(config)#interface fastethernet 1 XSR(config-if<F1>)#service-policy output InOut Input QoS on Ingress to the Diffserv Domain Policy If the XSR is positioned on the [...]

  • Page 312

    QoS Policy Configuration Examples 12-30 Configuring Quality of Service XSR(config)#interface fastethernet 2 XSR(config-if<F2>)#service-policy input Eth[...]

  • Page 313

    XSR User’s Guide 13-1 13 Configuring ADSL This chapter details the background, features, implementation and configuration of Asymmetric Digital Subscriber Line (ADSL) on the XSR. Overview ADSL (Asymmetric Digital Subscriber Line) is a technology for transmitting digital information at a high bandwidth over existing phone lines. Unlike regular [...]

  • Page 314

    Features 13-2 Configuring ADSL Figure 13-1 RFC Encapsulation Layers PDU Encapsulation Choices The XSR’s Protocol Data Unit (PDU) encapsulation choices are described and illustrated as follows. PPP over ATM The XSR’s PPPoA option, as defined by RFC-2364, supports the following features. The router includes an integrated PPPoA client whic[...]

  • Page 315

    Features XSR User’s Guide 13-3 Figure 13-2 PPPoA Network Diagram This implementation is restricted as follows: • Maximum MTU of 1500 bytes • ATM SVCs are not supported • Frame Relay/ATM internetworking (per FRF.8) is not supported • PPP coding transitions - switching the method (VC-multiplexed PPP to LLC-encapsulated PPP and back) - [...]

  • Page 316

    Features 13-4 Configuring ADSL Figure 13-3 PPPoE Network Diagram The limitations of this configuration are as follows: • Maximum MTU of 1492 bytes • ARP is not supported • Other received bridged PDU types are silently discarded (802.4, 802.5, 802.6, FDDI) • Does not send (PID type 0x00-01) and ignores received (PID type 0x00-01) LAN[...]

  • Page 317

    Features XSR User’s Guide 13-5 Figure 13-4 IP over ATM Network Diagram Restrictions of this implementation are as follows: • Maximum MTU of 1500 bytes • NLPID-formatted routed IP version 4 PDUs over ATM PVCs are not supported • LLC-encapsulated bridge PDUs are not supported. Any bridged PDUs received and PDUs received which specify a[...]

  • Page 318

    Features 13-6 Configuring ADSL ADSL on the Motherboard Two versions of ADSL are provided by the XSR Series 1200 routers: • Annex A over POTS on the XSR-1220 • Annex B over ISDN on the XSR-1235 DSP Firmware Digital Signal Processing (DSP) firmware, which the XSR’s onboard ADSL modem uses to communicate with your provider’s Digital S[...]

  • Page 319

    Features XSR User’s Guide 13-7 OAM Cells OAM cells are messages used to operate, administer, and maintain ATM networks. They provide in-band control functions for virtual circuits, including hop-by-hop and end-to-end functions such as path connectivity and delay measurement. Two distinct varieties exist, types 4 and 5, which usually comp[...]

  • Page 320

    Configuration Examples 13-8 Configuring ADSL Inverse ARP The XSR employs Inverse ARP as defined in RFC-1293 with modifications specified by RFC-2225 (Classical IP over ATM). Inverse ARP is supported for PVCs which are configured as Routed IPv4 circuits (per RFC-1483), using LLC/SNAP encapsulation. This implementation will not send an [...]

  • Page 321

    Configuration Examples XSR User’s Guide 13-9 VCI values to those requested by the DSL provider. Notice that the Maximum Segment Size (MSS) is set to 1400 bytes for TCP SYN (synchronize) packets. Because a PC connected to a Fast/GigabitEthernet port may be unable to access Web sites if its MSS setting is too high, subtracting for the PPPo[...]

  • Page 322

    Configuration Examples 13-10 Configuring ADSL The following optional command configures a universal default route: XSR(config)#ip route 0.0.0.0 0.0.0.0 atm 1/0.1 IPoA Enter the following commands to configure an IPoA topology: XSR(config)#interface ATM 1/0 XSR(config-if<ATM1/0>)#no shutdown XSR(config-if<ATM1/0>)#interface ATM 1/0.1 XSR[...]

  • Page 323

    XSR User’s Guide 14-1 14 Configuring the Virtual Private Network VPN Overview As it is most commonly defined, a Virtual Private Network (VPN) allows two or more private networks to be connected over a publicly accessed network. VPNs share some similarities with Wide Area Networks (WAN), but the key feature of VPNs is their use of the In[...]

  • Page 324

    Ensuring VPN Security with IPSec/IKE/GRE 14-2 Configuring the Virtual Private Network • Encryption and decryption promote confidentiality by allowing two communicating parties to disguise information they share. The sender encrypts, or scrambles, data before sending it. The receiver decrypts, or unscrambles, the data after receiving it. [...]

  • Page 325

    Ensuring VPN Security with IPSec/IKE/GRE XSR User’s Guide 14-3 Since IPSec is the standard security protocol, the XSR can establish IPSec connections with third-node devices including routers as well as PCs. An IPSec tunnel basically acts as the network layer protecting all data packets that pass through, regardless of the applica[...]

  • Page 326

    Ensuring VPN Security with IPSec/IKE/GRE 14-4 Configuring the Virtual Private Network Figure 14-2 Tunnel Mode Processing As shown above, AH authenticates the entire packet transmitted on the network whereas ESP only covers a portion of the packet transmitted (the higher layer data in transport mode and the entire original packet in tunnel mo[...]

  • Page 327

    Describing Public-Key Infrastructure (PKI) XSR User’s Guide 14-5 Defining VPN Encryption To ensure that the VPN is secure, limiting user access is only one piece of the puzzle; once the user is authenticated, the data itself needs to be protected as well. Without a mechanism to provide data privacy, information flowing through the channe[...]

  • Page 328

    Describing Public-Key Infrastructure (PKI) 14-6 Configuring the Virtual Private Network data. Instead of encrypting the data itself, the signing software creates a one-way hash of the data, then uses your private key to encrypt the hash. The encrypted hash, along with other information, such as the hashing algorithm, is known as a digital signa[...]

  • Page 329

    Describing Public-Key Infrastructure (PKI) XSR User’s Guide 14-7 CRL checking is not optional. CRLs are collected automatically by the XSR using information available in the IPSec and CA certificates it has already collected. Two methods are available to perform this collection: • HTTP Get issues an HTTP-based request to collect the certif[...]

  • Page 330

    Describing Public-Key Infrastructure (PKI) 14-8 Configuring the Virtual Private Network Figure 14-4 Certificate Chain Example A certificate chain traces a path of certificates from a branch in the hierarchy to the root of the hierarchy. In a certificate chain, the following occurs: • Each certificate is followed by the certificate of its iss[...]

  • Page 331

    DF Bit Functionality XSR User’s Guide 14-9 Pending Mode Once you have authenticated against the parent CA in your XSR certificate chain, you then enroll the XSR's IPSec client certificate against the CA using the SCEP enroll command. Depending on how your CA administrator has configured the CA, you may or may not immediately receive yo[...]

  • Page 332

    VPN Applications 14-10 Configuring the Virtual Private Network This feature specifies whether the router can clear, set, or copy the DF bit in the encapsulating header. It is available only for IPSec tunnel mode - transport mode is not affected because it does not have an encapsulating IP header. Typical enterprise DF bit settings include[...]

  • Page 333

    VPN Applications XSR User’s Guide 14-11 Site-to-Site Networks Site-to-site tunnels run as point-to-point links. They are useful when connecting geographically dispersed network segments where each segment contains servers and hosts. VPN tunnels play the role of point-to-point links and are transparent from a routing perspective. Figure 14-5[...]

  • Page 334

    VPN Applications 14-12 Configuring the Virtual Private Network If you filter traffic with ACLs, you will need to write an ACL similar to this example: access-list 101 permit udp any host 192.168.57.4 eq 4500. If you enable the XSR firewall, refer to “Configuring Security on the XSR” on page 16-1 for more information. You can verify traffic[...]

  • Page 335

    VPN Applications XSR User’s Guide 14-13 the hosts on the private LAN. The XSR's internal NAT operates only on Layer-4 protocols such as TCP and UDP. NAT also employs a set of modules - Application Level Gateway (ALG) - processing non-UDP/TCP protocols such as ICMP and H323. Routing updates are unidirectional - the Central site adver[...]

  • Page 336

    VPN Applications 14-14 Configuring the Virtual Private Network behind the XSR. After a tunnel has been built, the XSR may advertise routing information about the corporate network to the client. Authentication can be performed in several ways depending on the protocol used. For PPTP, authentication is achieved by means of PPP-based method[...]

  • Page 337

    VPN Applications XSR User’s Guide 14-15 From the server’s point of view, connected tunnels are point-to-multipoint links. The VPN interface serving as the server’s tunnel endpoint must be a point-to-multipoint interface. Additionally, the server does not see segments behind the clients because in Client Mode, NAT is employed inside th[...]

  • Page 338

    VPN Applications 14-16 Configuring the Virtual Private Network Client • Fast/GigabitEthernet 1 interface: This is a private, non-routable segment, usually 192.168.1.0/24. OSPF must be disabled on F1. If OSPF is enabled on this interface it will be advertised to the server. The server's IP routing table will learn a route to this segment v[...]

  • Page 339

    VPN Applications XSR User’s Guide 14-17 The VPN interface on the server may terminate a mix of connections - some of which may be Client-type connections and others ma y be Network Extension connections. The following OSP F settings should be applied in this scenari o: Server Apply the same settings as in the Client Mode scenario. OSPF is enabl e[...]

  • Seite 340

    XSR VPN Features 14-18 Configuring the Virtual Private Network Server 2 Interfaces Fast/GigabitEthernet 1 and VPN 1 Client Interfaces Fast/G igabitEthe rnet 1, VPN 1 and VPN 2. Figure 14-10 OSPF Used with Failover Limit ations Peer-to-Peer IPSec tunnels ar e co nfigured without the VPN interface by applying crypto maps to physical interfaces. In th[...]

  • Seite 341

    XSR VPN Features XSR User’s Guide 14-19 - Client mode • Remote Access application –C l i e n t s - W indows XP , 2000 (L2TP); NT 4.0, 98, 98 SE, ME, and CE. PPTP available on all clients – L 2TP/IPSec protocols SCEP: Certificate and PKI environme nt - MS-CHAP v2, EA P user authenti cation: - Username/Password (local database and RADIUS) - S[...]

  • Seite 342

    VPN Configuration Overview 14-20 Configuring the Virtual Private Network • Authentication, Authorization, and Accounti ng (AAA) support including AAA per interface (for clients), AAA for PPP , and AAA debugging • Dynamic Host Configuration Protocol (DHCP) support –D H C P S e r v e r •O S P F o v e r V P N • DF Bit override on IPSec tunne[...]

  • Seite 343

    VPN Configuration Overview XSR User’s Guide 14-21 •E n t e r crypto key master generat e in Global configuration mode. ACL Configuration Rules Consider a few general r ules when configuri ng ACLs on the XSR: • T ypically , two ACL set s are written, one to filt er IPSec/IKE traffic (defined in crypto maps), and a simple set to filter non-IPSe[...]

  • Page 344

    VPN Configuration Overview 14-22 Configuring the Virtual Private Network XSR(config-if<F2>)#ip address 141.154.196.87 255.255.255.192 If an XSR is configured as a VPN gateway, the external interface (FastEthernet 2, e.g.), can be made more restrictive by only allowing VPN protocols to pass through[...]

  • Page 345

    VPN Configuration Overview XSR User’s Guide 14-23 More than one IKE proposal can be specified on each node. When IKE negotiation begins, it seeks a common proposal on both peers with identical parameters. IKE policy is configured using the crypto isakmp peer command. Specified parameters are effective when a peer address/subnet matches the IP[...]

  • Page 346

    VPN Configuration Overview 14-24 Configuring the Virtual Private Network Configure IKE policy for the remote peer, assuming that two other IKE proposals (try2 and try3) have been configured: XSR(config)#crypto isakmp peer 192.168.57.33/32 XSR(config-isakmp-peer)#proposal try1 try2 try3 XSR(config-isakmp-peer)#config-mode gateway XSR(config-is[...]

  • Page 347

    VPN Configuration Overview XSR User’s Guide 14-25 Authentication, Authorization and Accounting Configuration The XSR’s AAA implementation handles all authentication, authorization and accounting of users (Remote Access) and peer gateways (Site-to-Site). The components include: • Usernames and passwords for authentication • Associated gr[...]

  • Page 348

    VPN Configuration Overview 14-26 Configuring the Virtual Private Network AAA Commands The following XSR AAA commands useful for VPN configuration include: • Configure users and groups with aaa user and aaa group commands as well as the following sub-commands: – policy specifies SSH, Telnet, Firewall or VPN service for users – dns[...]

  • Page 349

    VPN Configuration Overview XSR User’s Guide 14-27 XSR(aaa-user)#aaa password ThISisMYShaREDsecRET The following sample configuration creates user Jeremiah in the PromisedLand user group, with DNS, WINS and MPPE encryption, and assigns IP local pool remote_users for remote access: XSR(config)#aaa group PromisedLand XSR(aaa-group)#dns server p[...]

  • Page 350

    VPN Configuration Overview 14-28 Configuring the Virtual Private Network – crypto ca certificate chain – no certificate - The serial number can be found in: show crypto ca certificates • Remove CA identities and all associated CA and IPSec client certificates by entering no crypto ca identity <ca name>. Configuring PKI The main steps [...]

  • Page 351

    VPN Configuration Overview XSR User’s Guide 14-29 Certificate has the following attributes: Fingerprint: D423E129 81904CE0 1E6D0FE0 A123A302 Do you accept this certificate? [yes/no] y 4. Display your CA certificates to verify all root and associated certificates are present. In the RA Mode example below, ldapca is the root CA of three certi[...]

  • Page 352

    VPN Configuration Overview 14-30 Configuring the Virtual Private Network XSR(config)#ip domain acme.com 8. Enroll in an end-entity certificate from a CA for which you have previously authenticated; e.g., ldapca. The CLI script will prompt you to enter and re-enter a challenge password you create or is given to you by your CA administrator[...]

  • Page 353

    VPN Configuration Overview XSR User’s Guide 14-31 Issuer: C=US, O=sml, CN=ldapca Valid From: 2002 Aug 5th, 12:40:46 GMT Valid To: 2004 Aug 5th, 12:48:15 GMT Subject: C=US, O=sml, CN=ldapca Fingerprint: D423E129 81904CE0 1E6D0FE0 A123A302 Certificate Size: 1157 bytes RA KeyEncipher Certificate - ldapca-rae State: CA-AUTHENTICATED Version: V3[...]

  • Page 354

    Configuring a Simple VPN Site-to-Site Application 14-32 Configuring the Virtual Private Network VPN Interface Sub-Commands The following sub-commands are available at VPN Interface mode: ip firewall + Set of commands to configure the firewall ip address-negotiated + Sets the VPN interface’s IP address to be negotiated ip address + Specifies an[...]

  • Page 355

    Configuring a Simple VPN Site-to-Site Application XSR User’s Guide 14-33 configuration, permit means protect or encrypt, and deny indicates don’t encrypt or allow as is. XSR(config)#access-list 120 permit ip 141.154.196.64 0.0.0.63 63.81.66.0 0.0.0.255 XSR(config)#access-list 130 permit ip 63.81.64.0 0.0.0.255 63.81.66.0 0.0.0.255 XSR[...]

  • Page 356

    Configuring the VPN Using EZ-IPSec 14-34 Configuring the Virtual Private Network XSR(config-crypto-m)#match address 140 + Applies map to ACL 140 and renders the ACL bi-directional XSR(config-crypto-m)#set peer 1.1.1.2 + Attaches map to peer XSR(config-crypto-m)#mode [tunnel | transport] + Selects IPSec mode for XSR-to-XSR (tunnel) or host to X[...]

  • Page 357

    Configuring the VPN Using EZ-IPSec XSR User’s Guide 14-35 EZ-IPSec is invoked using the crypto ezipsec command in Interface mode to create a set of standard IPSec policies, relieving you of the complex manual process. It enables dynamic routing over an IPSec tunnel: • Via Client or Network Extension Mode • Supporting RIPv2 and OSPF thro[...]

  • Page 358

    Configuration Examples 14-36 Configuring the Virtual Private Network XSR(config-tms-tunnel)#set peer 200.10.20.30 + Specifies the IP address of the remote peer XSR(config-tms-tunnel)#set protocol ipsec network-extension-mode + Selects IPSec to initiate a NEM tunnel connection Most of the parameters shown below have been automatically entered[...]

  • Page 359

    Configuration Examples XSR User’s Guide 14-37 Figure 14-12 EZ-IPSec Client, XP Client and Gateway Topology Begin by setting the XSR system time via SNTP. This configuration is critical for XSRs which use time-sensitive certificates. XSR(config)#sntp-client server 10.120.84.3 XSR(config)#sntp-client poll-interval 60 Add ACLs to permit IP a[...]

  • Page 360

    Configuration Examples 14-38 Configuring the Virtual Private Network XSR(config)#crypto ipsec transform-set esp-3des-sha esp-3des esp-sha-hmac XSR(cfg-crypto-tran)#set security-association lifetime kilobytes 10000 Configure the following four crypto maps to match ACLs 150, 140, 120, and 110: XSR(config)#crypto map test 50 XSR(config-crypto-m)#s[...]

  • Page 361

    Configuration Examples XSR User’s Guide 14-39 Clear the DF bit globally: XSR(config)#crypto ipsec df-bit clear Enable the OSPF engine, VPN and FastEthernet 1 interfaces for routing: XSR(config)#router ospf 1 XSR(config-router)#network 10.120.70.0 0.0.0.255 area 5.5.5.5 XSR(config-router)#network 10.120.112.0 0.0.0.255 area 5.5.5.5 Create a g[...]

  • Page 362

    Configuration Examples 14-40 Configuring the Virtual Private Network XSR(config-if)#encapsulation ppp XSR(config-if)#ip address negotiated XSR(config-if)#ip mtu 1492 XSR(config-if)#ip nat source assigned overload XSR(config-if)#ppp pap sent-username pezhmon password pezhmon Configure the Network Extension Mode, site-to-site IPSec tunnel to the ce[...]

  • Page 363

    Configuration Examples XSR User’s Guide 14-41 XSR(config-isakmp-peer)#proposal shared 4. Configure a set of three IPSec quick mode security parameters that the XSR-3000 is willing to negotiate to within the IKE conversation: XSR(config)#crypto ipsec transform-set aes-md5 esp-aes esp-md5-hmac XSR(cfg-crypto-tran)#set security-association life[...]

  • Page 364

    Configuration Examples 14-42 Configuring the Virtual Private Network XSR(config-tms-tunnel)#ip ospf dead-interval 4 XSR(config-tms-tunnel)#ip ospf hello-interval 1 XSR(config-tms-tunnel)#ip ospf cost 100 9. Configure a default static route to the next hop Internet router: XSR(config)#ip route 0.0.0.0 0.0.0.0 63.81.64.1 10. Enable OSPF on the trus[...]

  • Page 365

    Configuration Examples XSR User’s Guide 14-43 XSR(config-if<F2>)#ip address 63.81.64.200 255.255.255.0 XSR(config-if<F2>)#no shutdown 7. Add a VPN point-to-point GRE interface with a heartbeat of nine seconds, enable XSR3250A to initiate an outbound tunnel (set active command), set the IP address of the remote VPN gateway (63.81.[...]

  • Page 366

    Configuration Examples 14-44 Configuring the Virtual Private Network XSR/Cisco Site-to-Site Example The following Site-to-Site configuration connects a Cisco 2600 router with internal/external IP addresses of 192.168.3.5/192.168.2.5 to an XSR with internal/external IP addresses of 192.168.1.2/192.168.2.2. The commands are displayed as they would [...]

  • Page 367

    Configuration Examples XSR User’s Guide 14-45 interface FastEthernet0/0 ip address 192.168.3.5 255.255.255.0 speed auto half-duplex no cdp enable interface FastEthernet0/1 ip address 192.168.2.5 255.255.255.0 duplex auto speed auto no cdp enable crypto map regular ip classless ip route 0.0.0.0 0.0.0.0 192.168.2.1 ip route 192.168.1.0 255.255.255.[...]

  • Page 368

    Interoperability Profile for the XSR 14-46 Configuring the Virtual Private Network XSR(config)#crypto ipsec transform-set esp-des-md5 esp-des esp-md5-hmac XSR(cfg-crypto-tran)#set pfs group2 XSR(cfg-crypto-tran)#no set security-association life kilo XSR(cfg-crypto-tran)#set security-association life secon 700 XSR(config)#crypto map test 20 XSR(c[...]

  • Page 369

    Interoperability Profile for the XSR XSR User’s Guide 14-47 • Main mode • Triple DES • SHA-1 • MODP group 2 (1024 bits) • Pre-shared secret of “hr5xb84l6aa9r6” • SA lifetime of 28800 seconds (eight hours) with no Kbytes rekeying The IKE Phase 2 parameters used in Scenario 1 are: • Triple DES • SHA-1 [...]

  • Page 370

    Interoperability Profile for the XSR 14-48 Configuring the Virtual Private Network XSR(config-isakmp-peer)#config-mode gateway XSR(config-isakmp-peer)#exchange-mode main 7. Configure IKE Phase 2 settings by creating the transform-set Secure: XSR(config)#crypto ipsec transform-set Secure esp-3des esp-sha1-hmac XSR(cfg-crypto-tran)#set pfs group2[...]

  • Page 371

    Interoperability Profile for the XSR XSR User’s Guide 14-49 Scenario 2: Gateway-to-Gateway with Certificates The following is a typical gateway-to-gateway VPN that uses certificates for authentication, as illustrated in Figure 14-14. Figure 14-14 Gateway-to-Gateway with Certificates Topology Gateway A connects the internal LAN 10.5.6.0/24[...]

  • Page 372

    Interoperability Profile for the XSR 14-50 Configuring the Virtual Private Network 1. Begin by asking your CA administrator for your CA name and URL. The CA’s URL defines its IP address, path and default port (80). You can resolve the CA server address manually by pinging its IP address. 2. Be sure that the XSR time setting is correct acc[...]

  • Page 373

    Interoperability Profile for the XSR XSR User’s Guide 14-51 State: CA-AUTHENTICATED Version: V3 Serial Number: 458128729515158954573993 Issuer: C=US, O=sml, CN=hightest Valid From: 2002 Jul 24th, 20:45:13 GMT Valid To: 2003 Jul 24th, 20:55:13 GMT Subject: C=US, O=sml.com, CN=sml_requestor Fingerprint: 91EB5A77 B5CA535A 077B65C5 65035615 Cert[...]

  • Page 374

    Interoperability Profile for the XSR 14-52 Configuring the Virtual Private Network Valid To: 2003 Aug 29th, 16:01:58 GMT Subject: unstructuredName=corp Fingerprint: ABF37B67 7200CCDA 604CB10C D5AC7F49 Certificate Size: 1590 bytes CA Certificate - PKItestca1 State: CA-AUTHENTICATED Version: V3 Serial Number: 6083684655030387331394927502614112809[...]

  • Page 375

    XSR User’s Guide 15-1 15 Configuring DHCP Overview of DHCP The Dynamic Host Configuration Protocol (DHCP) allocates and delivers configuration values, including IP addresses, to Internet hosts. Consisting of two components, DHCP provides host-specific configuration parameters from a DHCP Server to a host, and allocates network addresses[...]

  • Page 376

    How DHCP Works 15-2 Configuring DHCP XSR User’s Guide • Provisioning of differentiated network values by Client Class. • Persistent and user-controllable conflict avoidance to prevent duplicate IP address including configurable ping checking. • Visibility of DHCP network activity and leases through operator reports statistics and l[...]

  • Page 377

    DHCP Services XSR User’s Guide 15-3 client used a client ID when it got the lease, it will use the same identifier in the message. Alternately, when a lease is near expiration, the client tries to renew it. If unsuccessful in renewing by a certain period, the client enters a rebinding state and sends a DISCOVER message to restart the proces[...]

  • Page 378

    DHCP Services 15-4 Configuring DHCP XSR User’s Guide control data are carried in tagged data items which are stored in the options field of the DHCP message. The data items themselves, also called options, are enabled on the XSR by the options command specifying IP address, hex or ASCII string values. Supported options are defined in the [...]

  • Page 379

    DHCP Services XSR User’s Guide 15-5 When DHCP Server surveys its clients using the manual bindings of a client-identifier or hardware-address, and host address, it generally inherits attributes from an outer down to an inner scope. But, the DHCP Server will override outermost attributes when they are found first at the Host scope. For instanc[...]

  • Page 380

    DHCP Client Services 15-6 Configuring DHCP XSR User’s Guide 4. Optionally, specify the client name using any standard ASCII character. Enter client-name <name>. The client name should not include the domain name. For example, the name acme should not be specified as acme.enterasys.com. DHCP Client Services Router Option The XSR’s DH[...]

  • Page 381

    DHCP Client Services XSR User’s Guide 15-7 Primary and secondary IP addresses on the same interface are not permitted within the same subnet nor are they allowed within the same subnets already occupied by other interfaces. Also, the primary IP address must be configured before any secondary address is configured. If the primary address is[...]

  • Page 382

    DHCP CLI Commands 15-8 Configuring DHCP XSR User’s Guide DHCP CLI Commands The XSR offers CLI commands to provide the following functionality: • DHCP Server address pool(s) with related parameters and DHCP options/vendor extensions. You can configure a DHCP address pool with a name that is a symbolic string (e.g., Accounting) with i[...]

  • Page 383

    DHCP Set Up Overview XSR User’s Guide 15-9 addresses are offered to the client. Show ip dhcp server statistics is a useful catch-all command. Show ip local pool shows a list of active IP local pools, excluded and in use IP addresses. DHCP Set Up Overview Configuring DHCP Address Pools The DHCP Server is configured by performing the followi[...]

  • Page 384

    Configuration Steps 15-10 Configuring DHCP XSR User’s Guide 1. Add global pool local_clients including the starting IP address of the range and addresses that are unreachable to network clients: XSR(config)#ip local pool local_clients 1.1.1.0/24 XSR(ip-local-pool)#exclude 1.1.1.249 6 Create a Corresponding DHCP Pool 2. Map this local pool t[...]

  • Page 385

    DHCP Server Configuration Examples XSR User’s Guide 15-11 8. Add to the host scope by specifying the NetBIOS-node-type for this particular host: XSR(config-dhcp-host)#netbios-node-type h-node 9. Specify any numbered options. For example, setting DHCP option 28 specifies the broadcast address in use on the client's subnet: XSR(config)#ip d[...]

  • Page 386

    DHCP Server Configuration Examples 15-12 Configuring DHCP XSR User’s Guide The domain name for this host is specified as indusriver.com (this will override enterasys.com specified for this pool, and ent.com specified for the class). XSR(config)#ip local pool dpool 1.1.1.0/24 XSR(config)#ip dhcp pool dpool XSR(config-dhcp-pool)#domain-name e[...]

  • Page 387

    XSR User’s Guide 16-1 16 Configuring Security on the XSR This chapter describes the security options available on the XSR including the firewall feature set and methods to protect against hacker attacks. Features The following security features are supported on the XSR: • Standard and Extended Access Control Lists (ACLs) • Protection ag[...]

  • Page 388

    Features 16-2 Configuring Security on the XSR To configure ACLs, you define them by number only then apply them to an interface. Any number of entries can be defined in a single ACL and may actually conflict, but they are analyzed in the order in which they appear in the show access-lists command. Input and output filters are applied separate[...]

  • Page 389

    Features XSR User’s Guide 16-3 Smurf Attack A “smurf” attack involves an attacker sending ICMP echo requests from a falsified source (a spoofed address) to a directed broadcast address, causing all hosts on the target subnet to reply to the falsified source. By sending a continuous stream of such requests, the attacker can creat[...]

  • Page 390

    General Security Precautions 16-4 Configuring Security on the XSR Large ICMP Packets This protection is triggered for ICMP packets larger than a size you can configure. Such packets are dropped by the XSR if the protection is enabled with the HostDoS command. Ping of Death Attack This protection is triggered when an ICMP packet is r[...]

  • Page 391

    AAA Services XSR User’s Guide 16-5 • If you must enable PPP on the WAN, use CHAP authentication • Disable all unnecessary router services (e.g., HTTP, if not used) • Write strict ACLs to limit HTTP, Telnet and SNMP access • Write ACLs to limit the type of ICMP messages • Create ACLs to direct services to appropriate servers only [...]

  • Page 392

    AAA Services 16-6 Configuring Security on the XSR The method to perform AAA is configured globally by the aaa method command, which provides additional acct-port, address, attempts, auth-port, backup, client, enable, group, hash enable, key, qtimeout, retransmit, and timeout sub-commands. Although the default AAA service is local, yo[...]

  • Page 393

    AAA Services XSR User’s Guide 16-7 2. Enter crypto key master generate to create a master key. 3. Enter crypto key dsa generate to create a host key pair on the XSR. When successful, this message will display: Keys are generated, new connections will use these keys for authentication 4. If you wish to connect using SSH, perform the following[...]

  • Page 394

    AAA Services 16-8 Configuring Security on the XSR Figure 16-8 PuTTY Alert Message 7. The SSH login screen will appear as shown in Figure 16-9. Login with Admin and no password unless you created both values earlier. Figure 16-9 PuTTY Login Screen 8. Back on the CLI, enter session-timeout ssh <15-35000> to set the idle timeout period. 9. Op[...]

  • Page 395

    Firewall Feature Set Overview XSR User’s Guide 16-9 18. Optionally, if you want to tighten security on the XSR, enter ip ssh server disable to deactivate SSH. 19. Enter policy telnet to enable Telnet access for the new user. 20. Enter exit to quit AAA user mode. 21. Enter aaa client telnet to permit the new user to employ Telnet. The XSR [...]

  • Page 396

    Firewall Feature Set Overview 16-10 Configuring Security on the XSR Figure 16-10 XSR Firewall Topology There are many possible network configurations for a firewall. The figure above shows a scenario with the firewall connected to the trusted network (internal) and servers that can be accessed externally (via the DMZ). The XSR firewall feat[...]

  • Page 397

    Firewall Feature Set Overview XSR User’s Guide 16-11 and port numbers. These firewalls are scalable, easy to implement and widely deployed for simple Network layer filtering, but they suffer the following disadvantages: • Do not maintain states for an individual session nor track a session establishment protocol. Ports are usually alway[...]

  • Page 398

    XSR Firewall Feature Set Functionality 16-12 Configuring Security on the XSR Stateful Inspection Firewalls A stateful inspection firewall combines the aspects of other firewalls to filter packets at the network layer, determine whether session packets are legitimate and evaluate the payload of packets at the application layer. It allows a [...]

  • Page 399

    XSR Firewall Feature Set Functionality XSR User’s Guide 16-13 Application Level Commands A special action option - Command Level Security (CLS) - to filter inter-protocol actions within several protocols. The CLS examines the message type produced by the application being filtered and either passes or drops specific application commands. For[...]

  • Page 400

    XSR Firewall Feature Set Functionality 16-14 Configuring Security on the XSR On Board URL Filtering This feature lets you block access to a list of Uniform Resource Locators (URLs) or limit access to certain approved sites. The XSR extracts the absolute URL from the Get and Host headers of the http Request packet sent by web browser, and matc[...]

  • Page 401

    XSR Firewall Feature Set Functionality XSR User’s Guide 16-15 Figure 16-11 Blocked Web Site Screen You must include the re-direct URL in the white URL list when redirect URL is used with a white list, otherwise the XSR will enter an endless loop with the Web browser, performing re-direction to the same re-directed URL because it is not in the[...]

  • Page 402

    XSR Firewall Feature Set Functionality 16-16 Configuring Security on the XSR against the routing table. If a packet is received from an interface with a source IP address that is not routable through this interface, it is considered spoofed and dropped. A high priority log is generated when DoS attacks are detected. These DoS attacks are c[...]

  • Page 403

    XSR Firewall Feature Set Functionality XSR User’s Guide 16-17 • Flooding attacks (TCP, UDP, ICMP) logs • Firewall start and restart • Failures (out of memory) A sample Web access (port 80) permit alarm, which logs at level 4, displays: FW: Permit: Port-2, Out TCP Con_Req, 10.10.10.10(1042) -> 192.168.1.200(80) FW: TCP new session re[...]

  • Page 404

    XSR Firewall Feature Set Functionality 16-18 Configuring Security on the XSR Figure 16-12 illustrates the process by which a user accesses a server after authentication by the XSR firewall, as explained below: 1. A user Telnets to the firewall presenting a name and password. 2. The XSR’s AAA functionality talks to an authentication server[...]

  • Page 405

    Firewall CLI Commands XSR User’s Guide 16-19 Firewall CLI Commands The XSR provides configuration objects which, used in policy rules, can be specified at the CLI. These and other firewall commands are, as follows: • Network - Identifies a network or host. A network with a subnet address or a host with an address and 32-bit mask is specified[...]

  • Page 406

    Firewall CLI Commands 16-20 Configuring Security on the XSR – Non-Unicast packet handling - Packets with broadcast or multicast destination addresses are not allowed to pass in either direction - they must be allowed explicitly. – This rule makes it easy to deny access to IP broadcast/multicast packets through the firewall but to allow a[...]

  • Page 407

    Firewall CLI Commands XSR User’s Guide 16-21 • Event Logging - Defines the event threshold for firewall values logged to the Console or Syslog with ip firewall logging. You can set eight severity levels ranging from 0 for emergency alarms down to 7 which cumulatively logs all firewall messages through 0, as follows: – Level 0: Emergency[...]

  • Page 408

    Firewall Limitations 16-22 Configuring Security on the XSR Firewall Limitations Consider the following caveats regarding firewall operations: • Gating Rules - Internal XSR gating rules, which order traffic filtering, are stored in a temporary file in Flash. Because one gating rule exists for each network source/destination expansion, a [...]

  • Page 409

    Pre-configuring the Firewall XSR User’s Guide 16-23 cache will not automatically switch over. If the firewall is enabled on a slave router, then all sessions would have to be re-established. You would have to re-authenticate users for access to authentication-protected servers. • Load Sharing - If two or more firewall-enabled XSRs are li[...]

  • Page 410

    Configuration Examples 16-24 Configuring Security on the XSR – Multicast or broadcast filtering for routing and communications protocol filtering • Perform a trial or delayed load to check for configuration errors • Load the configuration in the firewall engine • Enable or disable the firewall: – System wide, or on – Individual in[...]

  • Page 411

    Configuration Examples XSR User’s Guide 16-25 Figure 16-14 XSR with Firewall Topology Begin by configuring network objects for private, dmz and Mgmt networks: XSR(config)#ip firewall network dmz 220.150.2.16 mask 255.255.255.240 internal XSR(config)#ip firewall network private 220.150.2.32 mask 255.255.255.240 internal XSR(config)#ip firewall[...]

  • Page 412

    Configuration Examples 16-26 Configuring Security on the XSR XSR(config)#interface fastethernet 2 XSR(config-if<F2>)#ip address 220.150.2.17 255.255.255.0 XSR(config-if<F2>)#no shutdown XSR(config)#interface serial 1/0:0 XSR(config-if<S1/0:0>)#ip address 206.12.44.16/24 XSR(config-if<S1/0:0>)#no shutdown Globally enable th[...]

  • Page 413

    Configuration Examples XSR User’s Guide 16-27 XSR(config-if)#ip address negotiated XSR(config-if)#ip mtu 1492 XSR(config-if)#ip nat source assigned overload XSR(config-if)#ppp pap sent-username b1jsSW23 “password is not displayed” XSR(config-if)#no shutdown Attach a static route to the PPPoE interface and add a local IP pool: XSR(config)#ip [...]

  • Page 414

    Configuration Examples 16-28 Configuring Security on the XSR – Terminate Network Extension Mode (NEM) and Client mode tunnels – Terminate remote access L2TP/IPSec tunnels – Terminate PPTP remote access tunnels – Firewall inspection on the public VPN interface (the crypto map interface) – Firewall inspection on the trusted VPN inter[...]

  • Page 415

    Configuration Examples XSR User’s Guide 16-29 XSR(config-isakmp-peer)#proposal xp soho p2p XSR(config-isakmp-peer)#config-mode gateway XSR(config-isakmp-peer)#nat-traversal automatic Configure the following IPSec SAs: XSR(config)#crypto ipsec transform-set esp-3des-md5 esp-3des esp-md5-hmac XSR(cfg-crypto-tran)#no set security-association life[...]

  • Page 416

    Configuration Examples 16-30 Configuring Security on the XSR XSR(config)#ip route 0.0.0.0 0.0.0.0 141.154.196.93 Define an IP pool for distribution of tunnel addresses to all client types: XSR(config)#ip local pool test 10.120.70.0 255.255.255.0 Create hosts to resolve hostnames for the certificate servers for CRL retrieval: XSR(config)#ip host[...]

  • Page 417

    Configuration Examples XSR User’s Guide 16-31 XSR(aaa-group)#l2tp compression XSR(aaa-group)#policy vpn Configure the local AAA method for shared secret tunnels (NEM and client mode tunnels): XSR(config)#aaa method local XSR(aaa-method-radius)#group DEFAULT XSR(aaa-method-radius)#qtimeout 0 Configure the RADIUS AAA method to authenticate remo[...]

  • Page 418

    Configuration Examples 16-32 Configuring Security on the XSR Define service to support IPSec NAT traversal (Release 7.0 or later): XSR(config)#ip firewall service ietfNatT eq 4500 gt 1023 udp Define service for ISAKMP: XSR(config)#ip firewall service ike eq 500 gt 499 udp Define service for L2TP tunnels: XSR(config)#ip firewall service l2tp eq 1[...]

  • Page 419

    Configuration Examples XSR User’s Guide 16-33 Load the firewall configuration: XSR(config)#ip firewall load Globally enable the firewall. Even though you have configured and loaded the firewall, only invoking the following command “turns on” the firewall. Once enabled, if you are remotely connected, the firewall will close your sessio[...]

  • Page 420

    Configuration Examples 16-34 Configuring Security on the XSR XSR(config)#ip firewall policy radius internal internal Radius allow bidirectional XSR(config)#ip firewall policy RADacct internal internal Radius_ACCT allow bidirectional Configuring Simple Security This configuration offers simple protection for the XSR. The firewall feature set is n[...]

  • Page 421

    Configuration Examples XSR User’s Guide 16-35 RPC Policy Configuration The following configuration creates policies which permit TCP RPC-based applications to flow from a Branch to Corporate network. You can use the keyword bidirectional if you expect the branch network to also have RPC-based services. XSR(config)#ip firewall network Branch 1[...]

  • Page 422

    Configuration Examples 16-36 Configuring Security on the XSR[...]

  • Page 423

    XSR User’s Guide A-1 A Alarms/Events, System Limits, and Standard ASCII Table This appendix describes the configuration and memory limits of the XSR as well as system High, Medium and Low severity, firewall and NAT (separately described on page A-14) alarms and events captured by the router. Recommended System Limits The XSR suggests l[...]

  • Page 424

    Recommended System Limits A-2 Alarms/Events, System Limits, and Standard ASCII Table SNMP read-only communities 20 20 20 SNMP read-write communities 20 20 20 SNMP trap servers 20 20 25 SNMP users 25 25 25 SNMP groups 100 100 100 SNMP views 50 50 10000 Interfaces 136 136 800 RIP networks 300 300 900 Dialer map classes 192 192 192 Dialer pool size 4[...]

  • Page 425

    System Alarms and Events XSR User’s Guide A-3 System Alarms and Events The XSR exhibits the following logging behavior for all except firewall and NAT alarms: Refer to the following table for all High severity alarms and events reported by the XSR. All of the following messages are USER_LEVEL facility except for those in bold and red text whi[...]

  • Page 426

    System Alarms and Events A-4 Alarms/Events, System Limits, and Standard ASCII Table T1E1 Receiver has Loss of Frame (Yellow Alarm). T1/E1 physical port is detecting an OOF alarm. T1E1 LOF alarm on receiver cleared. T1/E1 physical port is not detecting an OOF alarm. T1E1 Transmitting Remote Alarm (Yellow Alarm). T1/E1 physical port is transmitt[...]

  • Page 427

    System Alarms and Events XSR User’s Guide A-5 ISDN Incoming Call <BRI | Serial card / port:channel> Connected to <calling no.> Unknown Call An incoming call connected for test purposes will be disconnected within 30 seconds. ISDN North American BRI Interface %d requires SPID configuration Configuration error. ISDN Call <BRI | Se[...]

  • Page 428

    System Alarms and Events A-6 Alarms/Events, System Limits, and Standard ASCII Table ETH1_DRIV The ISR could not be connected This internal configuration alarm occurs because the interrupt service routine (ISR) cannot be connected to the FastEthernet 2 interface/driver, rendering FastEthernet port 2 unavailable. ETH1_DRIV Init string parse[...]

  • Page 429

    System Alarms and Events XSR User’s Guide A-7 CLI User: <username> logged in from address <IP address> Login process failure due to invalid user ID or password through telnet session in CheckLogin(). CLI User: <username> logged in from console Login process failure due to invalid user ID or password through console sessi[...]

  • Page 430

    System Alarms and Events A-8 Alarms/Events, System Limits, and Standard ASCII Table Refer to the table below for all Medium severity alarms and events reported by the XSR. All of the following messages are USER_LEVEL facility except for those in bold text which are SECURITY_LEVEL. ASYNC_IDRIV Unrecoverable error The XSR has an un-recoverable [...]

  • Page 431

    System Alarms and Events XSR User’s Guide A-9 T1 ERROR: Shared memory allocation failed for Receive Descriptors. Error in allocating memory for T1E1 HW card. T1 T1E1 PCI Init Failed. Error in initializing T1E1 HW card. T1 ERROR: Shared memory allocation failed for Transmit Pending Queue. Error in allocating memory for T1E1 HW card. T1 ERROR: Sh[...]

  • Page 432

    System Alarms and Events A-10 Alarms/Events, System Limits, and Standard ASCII Table PPP PPP MS-CHAP authentication failed while being authenticated by remote peer PPP MS-CHAP authentication has failed while being authenticated by the remote peer. PPP PPP MS-CHAP authentication success while authenticating remote peer's response PPP MS-[...]

  • Page 433

    System Alarms and Events XSR User’s Guide A-11 Refer to the table below for all Low severity alarms and events reported by the XSR. All of the following messages are USER_LEVEL facility except for those in bold text which are SECURITY_LEVEL. ETH0_DRIV PHY write operation unsuccessful The PHY chip on the Fast Ethernet 1 interface has had an[...]

  • Page 434

    System Alarms and Events A-12 Alarms/Events, System Limits, and Standard ASCII Table T1E1 Receive Remote Alarm Indication (Yellow Alarm). Indicates that T1/E1 physical port is detecting RAI Alarm. T1E1 Receive RAI alarm cleared. Indicates that T1/E1 physical port is not detecting RAI Alarm. T1E1 Receive Alarm Indication Signal (Blue Alarm).[...]

  • Page 435

    System Alarms and Events XSR User’s Guide A-13 SYNC_DRIV Packets lost > 255 (RX overrun) Sum of packets lost due to RX FIFO overrun exceeded 255. PP Out of memory - frame dropped at port <port number> Frame is dropped at the specified port from depleted memory. PLATF Need 'snmp-server system-shutdown' for SNMP reboot SNMP [...]

  • Page 436

    Firewall and NAT Alarms and Reports A-14 Alarms/Events, System Limits, and Standard ASCII Table Firewall and NAT Alarms and Reports The XSR reports logging messages for firewall and NAT functionality as listed below. Low system-level logging messages are classified at Levels 4 or 6 while Medium system-level alarms are classified at Level 3. [...]

  • Page 437

    Firewall and NAT Alarms and Reports XSR User’s Guide A-15 3 - ERROR NAT: No NAT entry found, %IP_P2 3 - ERROR NAT: TCP reset, NAT port %d, %IP_P2 3 - ERROR UDP: NAT unable to forward packet, %IP_P2 4 - WARNING NAT table is full 4 - WARNING NAT: TCP connection closed, freeing NAT port %d 4 - WARNING Purging NAT Entry for port %d 5[...]

  • Page 438

    Firewall and NAT Alarms and Reports A-16 Alarms/Events, System Limits, and Standard ASCII Table 1 - ALERT UDP: Detected UDP Flood attack %IP_P2 1 - ALERT UDP: Duplicated external host %IP_P2 2 - CRIT Init: Error reading A TE SR entries 2 - CRIT Init: Error reading java filter 2 - CRIT Init: Error reading selective IP ranges for ActiveX filterin[...]

  • Page 439

    Firewall and NAT Alarms and Reports XSR User’s Guide A-17 3 - ERROR Deny: ICMP unsupported packet %IP2_ICMP 3 - ERROR Deny: java applet %CMD, %IP_P2 3 - ERROR Deny: No filter for %s, %IP_2 3 - ERROR Deny: No filter for ICMP, %IP_2 3 - ERROR Deny: no matching filter, %IP2_ICMP 3 - ERROR Deny: OSPF packet, %IP2 3 - ERROR Deny: TCP Christma[...]

  • Page 440

    Firewall and NAT Alarms and Reports A-18 Alarms/Events, System Limits, and Standard ASCII Table 3 - ERROR TCP: Non-empty ACK packet in TCP three-way handshake sequence %IP_P2 3 - ERROR TCP: RST packet indicating non-existing service was blocked %IP_P2 3 - ERROR UDP: Maximum allowed inbound connections exceeded from host %IP_P2 3 - ERROR UDP:[...]

  • Page 441

    Standard ASCII Character Table XSR User’s Guide A-19 Standard ASCII Character Table The following table displays standard ASCII characters for referencing SNMP conventions found in “Configuration Examples” on page 2-41. Figure A-17 Standard ASCII Character Table 4 - WARNING TCP connection closed %IP_P2 4 - WAR[...]

  • Page 442

    Standard ASCII Character Table A-20 Alarms/Events, System Limits, and Standard ASCII Table 107: k 108: l 109: m 110: n 112: p 113: q 114: r 115: s 116: t 117: u 118: v 120: x 121: y 122: z 123: { 124: | 125: } 126: ~[...]

  • Page 443

    XSR User’s Guide B-1 B XSR SNMP Proprietary and Associated Standard MIBs This appendix lists and describes XSR-supported SNMP tables and objects for the following standard (partial listing) and proprietary MIBs: • “Service Level Reporting MIB Tables” (page B-1) • “BGP v4 MIB Tables” (page B-5) • “Firewall MIB Tables” (pa [...]

  • Page 444

    Service Level Reporting MIB Tables B-2 XSR SNMP Proprietary and Associated Standard MIBs etsysSrvcLvlOwnerTable A management entity interested in creating and activating remote SLA measurements must previously be registered in the Service Level Owners Table which contains owner's contact information. The MIB indicates that there should be[...]

  • Page 445

    Service Level Reporting MIB Tables XSR User’s Guide B-3 etsysSrvcLvlNetMeasureTable Entries in the Service Level Network Measurement Table display several metric measurements per packet exchange. Each measurement step produces a single result per metric with measurement intervals and metrics saved in the Table. Once the etsysSrvcLvlAggrM[...]

  • Page 446

    Service Level Reporting MIB Tables B-4 XSR SNMP Proprietary and Associated Standard MIBs etsysSrvcLvlAggrMeasureTable Entries in the Service Level Aggregate Measurement Table display several metric measurements per packet exchange. Each step of the measurement produces a single result with the interval and metric saved in the etsysSrvcLvlH[...]

  • Page 447

    BGP v4 MIB Tables XSR User’s Guide B-5 BGP v4 MIB Tables The XSR supports the following BGP v4 tables, whose fields are described in the following pages: • General Variables • Peer Table • Received Path Attribute Table • Traps General Variables Table BGP v4 Peer Table etsysSrvcLvlAggrMeasureHistoryOwnerIndex 1 (Whatever is [...]

  • Page 448

    BGP v4 MIB Tables B-6 XSR SNMP Proprietary and Associated Standard MIBs bgpPeerAdminStatus The desired state of the BGP connection. A transition from stop to start will cause the BGP Start Event to be generated. A transition from start to stop will cause the BGP Stop Event to be generated. This value can be used to restart BGP peer connectio[...]

  • Page 449

    BGP v4 MIB Tables XSR User’s Guide B-7 BGP-4 Received Path Attribute Table bgpPeerKeepAlive Interval for the KeepAlive timer established with the peer, range: 1-21845 seconds. The value is calculated by this BGP speaker such that, when compared with bgpPeerHoldTime, it has the same proportion as bgpPeerKeepAliveConfigured has when compa[...]

  • Page 450

    BGP v4 MIB Tables B-8 XSR SNMP Proprietary and Associated Standard MIBs BGP-4 Traps bgp4PathAttrASPathSegment The sequence of AS path segments. Each AS path segment is represented by a triple <type, length, value>. The type is a 1-octet field which has two possible values: • AS_SET: unordered set of ASs a route in the UPDATE message[...]

  • Page 451

    Firewall MIB Tables XSR User’s Guide B-9 Firewall MIB Tables The firewall MIB contains the following tables, most of which are detailed in this section: Firewall on Interface Group, Interface to Policy Group, Group Policy, Policy Rule Definition, Authentication Group, Network in Network Group, Network Group, Network, Compound Filter, [...]

  • Page 452

    Firewall MIB Tables B-10 XSR SNMP Proprietary and Associated Standard MIBs Monitoring Objects This section describes counters and statistics that are available to SNMP from the firewall. All fields are read-only and cannot be modified. The XSR supports SNMP gets only for these objects. Policy Rule Table Totals Counters These counters track[...]

  • Page 453

    Firewall MIB Tables XSR User’s Guide B-11 IP Session Counters These counters track the activities of IP sessions. IP Session Table This table contains information about each active IP session. Authenticated Address Counters This table provides a summary of the authentication activity. Authenticated Addresses Table This table provides detaile[...]

  • Page 454

    VPN MIB Tables B-12 XSR SNMP Proprietary and Associated Standard MIBs DOS Attacks Blocked Counters These elements reflect the DOS attack summaries stored in the firewall. DOS Attacks Blocked Table These elements reflect the hits against DOS attack types recognized by the firewall. VPN MIB Tables The XSR supports the following VPN tables, whose[...]

  • Page 455

    VPN MIB Tables XSR User’s Guide B-13 • etsysVpnIpsecProposalTable • etsysVpnIpsecPropTransformsTable • etsysVpnAhTransformTable • etsysVpnEspTransformTable • etsysVpnIpcompTransformTable • ospfIfTable • rip2IfConfTable • ipCidrRouteTable for Static Routes etsysVpnIkePeerTable This table is used to configure an IKE[...]

  • Page 456

    VPN MIB Tables B-14 XSR SNMP Proprietary and Associated Standard MIBs etsysVpnIkeProposalTable This table contains the IKE proposals used during IKE negotiation. The named row is equivalent to the crypto isakmp proposal CLI command. The table index is { etsysVpnIkePropName }, which is the name referenced in the etsysVpnIkePeerProposalsTabl[...]

  • Page 457

    VPN MIB Tables XSR User’s Guide B-15 etsysVpnIpsecPolicyRuleTable This table defines the IPSec policy rules. The table index is { etsysVpnIpsecPolicyName, etsysVpnPolRulePriority }. etsysVpnIpsecPolProposalsTable This table links IPSec proposals in the etsysVpnIpsecProposalTable with IPSec policy rules in the etsysVpnIpsecPolRuleTabl[...]

  • Page 458

    VPN MIB Tables B-16 XSR SNMP Proprietary and Associated Standard MIBs etsysVpnIpsecProposalTable This table contains the IPSec proposals. The table index is { etsysVpnIpsecPropName }. etsysVpnIpsecPropTransformsTable This table aggregates transforms from the ipspAhTransformTable, ipspEspTransformTable, and ipspIpcompTransformT[...]

  • Page 459

    VPN MIB Tables XSR User’s Guide B-17 etsysVpnEspTransformTable This table lists all the ESP transforms created by adding ESP rows to the etsysVpnIpsecPropTransformsTable. The table also contains read-only rows for XSR EZ-IPSec transforms. The table index is { etsysVpnEspTranName }. etsysVpnIpcompTransformTable Only hardware compres[...]

  • Page 460

    ipCidrRouteTable for Static Routes B-18 XSR SNMP Proprietary and Associated Standard MIBs ipCidrRouteTable for Static Routes VPN configuration on the XSR may require a default route to the next-hop Internet gateway. Static routes can be added with the IP Forwarding MIB (RFC-2096). This MIB is not currently implemented on the XSR, although it i[...]

  • Page 461

    Enterasys Configuration Management MIB XSR User’s Guide B-19 Enterasys Configuration Management MIB The Enterasys Configuration Management MIB supports parameters for an SNMP management entity to reset the managed entity, upload and download executable images and configuration files, and identify the active executable image and configuration f[...]

  • Page 462

    Enterasys Configuration Change MIB B-20 XSR SNMP Proprietary and Associated Standard MIBs Enterasys Configuration Change MIB The Enterasys Configuration Change MIB supports parameters for SNMP management entities to determine if and when configuration changes have occurred. Refer to the supported fields in the following table. etsysConfigMgmtChang[...]

  • Page 463

    Enterasys SNMP Persistence MIB XSR User’s Guide B-21 Enterasys SNMP Persistence MIB This MIB permits management applications to commit persistent SNMP configuration information to persistent storage. etsysConfigChangeFirmwareGroup A collection of objects providing firmware change data. etsysConfigChangeCompliance The compliance statement for c[...]

  • Page 464

    Enterasys Syslog Client MIB B-22 XSR SNMP Proprietary and Associated Standard MIBs Enterasys Syslog Client MIB This Enterasys MIB module defines a portion of the SNMP Enterprise MIBs under the Enterasys Enterprise OID pertaining to configuration of Syslog-compatible diagnostic messages generated for the XSR. etsysSnmpPersistenceGroup A collection[...]

  • Page 465

    Enterasys Syslog Client MIB XSR User’s Guide B-23 • etsysSyslogServerAddressType The type of Internet address by which the Syslog server is specified in etsysSyslogServerAddress. • etsysSyslogServerAddress The Internet address for the Syslog message server. • etsysSyslogServerUdpPort The UDP port number the client is using to send re[...]

  • Page 466

    Enterasys Syslog Client MIB B-24 XSR SNMP Proprietary and Associated Standard MIBs etsysSyslogServerGroup A collection of objects providing descriptions of syslog servers for sending system messages to: • estetsysSyslogServerMaxEntries • etsysSyslogServerNumEntries • etsysSyslogServerTableNextAvailableIndex • etsysSyslogServerDescr[...]