Summary of Contents for Cabletron Systems GIGAswitch GSR-16
DIGITAL GIGAswitch/Router User Reference Manual Part Number: 9032684-03 December 1999 This manual describes how to use the DIGITAL GIGAswitch/Router (GSR). Revision/Update Information: This is a revised document.
Changes Cabletron Systems reserves the right to make changes in specifications and other information contained in this document without prior notice. The reader should in all cases consult Cabletron Systems to determine whether any such changes have been made. The hardware, firmware, or software described in this manual is subject to change without notice. Disclaimer IN NO EVENT SHALL CABLETRON SYSTEMS BE LIABLE FOR ANY INCIDENTAL, INDIRECT, SPECIAL, OR CONSEQUENTIAL DAMAGES WHATSOEVER (INCLUDING BUT NOT LIMITED...
FCC Notice — Class A Computing Device
This equipment generates, uses, and may emit radio frequency energy. The equipment has been type tested and found to comply with the limits for a Class A digital device pursuant to Part 15 of FCC rules, which are designed to provide reasonable protection against such radio frequency interference.
VCCI Notice — Class A Computing Device
This equipment is a Class A product (information equipment to be used in commercial and/or industrial areas) and conforms to the standards set by the Voluntary Control Council for Interference by Data Processing Equipment and Electronic Office Machines aimed at preventing radio interference in commercial and/or industrial areas.
Cabletron Systems, Inc. Program License Agreement IMPORTANT: Before utilizing this product, carefully read this License Agreement. This document is an agreement between you, the end user, and Cabletron Systems, Inc. (“Cabletron”) that sets forth your rights and obligations with respect to the Cabletron software program (the “Program”) contained in this package.
SAFETY INFORMATION United States Government Restricted Rights The enclosed product (a) was developed solely at private expense; (b) contains “restricted computer software” submitted with restricted rights in accordance with Section 52227-19 (a) through (d) of the Commercial Computer Software - Restricted Rights Clause and its successors, and (c) in all respects is proprietary data belonging to Cabletron and/or its suppliers.
DECLARATION OF CONFORMITY Application of Council Directive(s): Manufacturer’s Name: Manufacturer’s Address: European Representative Name: European Representative Address: Conformance to Directive(s)/Product Standards: Equipment Type/Environment: We the undersigned, hereby declare, under our sole responsibility, that the equipment packaged with this notice conforms to the above directives. Manufacturer Mr.
Contents
• Preface
• About This Manual
• Who Should Read This Manual?
• How to Use This Manual
• Related Documentation
• Correspondence
• Documentation Comments
• Online Services
• Getting Help
• Chapter 1: DIGITAL GIGAswitch/Router Product Overview
• Supported Media (Encapsulation Type)
• Supported Routing Protocols
• Configuring the DIGITAL GIGAswitch/Router
...
• Managing the GSR
• Setting the GSR Name
• Setting GSR Date and Time
• Configuring NTP
• Configuring the GSR CLI
• Configuring SNMP Services
• Configuring DNS
• Connecting Between the GSR and Other Systems
• Configuring Logging
...
• Configuring GSR Bridging Functions
• Configuring Address-based or Flow-based Bridging
• Configuring Spanning Tree
• Adjusting Spanning-Tree Parameters
• Setting the Bridge Priority
• Setting a Port Priority
• Assigning Port Costs
• Adjusting Bridge Protocol Data Unit (BPDU) Intervals
• Adjusting the Interval between Hello Times
• Defining the Forward Delay Interval
• Defining the Maximum Age
• Configuring a Port or Protocol based VLAN
...
• Chapter 6: IP Routing Configuration Guide
• IP Routing Overview
• IP Routing Protocols
• Unicast Routing Protocols
• Multicast Routing Protocols
• Configuring IP Interfaces and Parameters
• Configuring IP Addresses to Ports
• Configuring IP Interfaces for a VLAN
...
• Local_Pref Attribute Example
• Notes on Using the Local_Pref Attribute
• Multi-Exit Discriminator Attribute Example
• EBGP Aggregation Example
• Route Reflection Example
• Notes on Using Route Reflection
• Chapter 11: Routing Policy Configuration Guide
• Route Import and Export Policy Overview
...
• Creating an Aggregate Source
• Examples of Import Policies
• Example 1: Importing from RIP
• Importing a Selected Subset of Routes from One RIP Trusted Gateway
• Importing a Selected Subset of Routes from All RIP Peers Accessible Over
• Example 2: Importing from OSPF
• Importing a Selected Subset of OSPF-ASE Routes
• Examples of Export Policies
• Example 1: Exporting to RIP
...
• Applying an IP Policy to an Interface
• Applying an IP Policy to Locally Generated Packets
• IP Policy Configuration Examples
• Routing Traffic to Different ISPs
• Prioritizing Service to Customers
• Authenticating Users Through a Firewall
• Firewall Load Balancing
...
• Web Caching
• Configuring Web Caching
• Creating the Cache Group
• Specifying the Client(s) for the Cache Group (Optional)
• Redirecting HTTP Traffic on an Interface
• Configuration Example
• Other Configurations
• Bypassing Cache Servers
• Proxy Server Redundancy
• Distributing Frequently-Accessed Sites Across Cache Servers
• Monitoring Web-Caching
• Chapter 16: IPX Routing Configuration Guide
...
• Applying ACLs to Interfaces
• Applying ACLs to Services
• Using ACLs as Profiles
• Using Profile ACLs with the IP Policy Facility
• Using Profile ACLs with the Traffic Rate Limiting Facility
• Using Profile ACLs with Dynamic NAT
• Using Profile ACLs with the Port Mirroring Facility
...
• Configuring IPX QoS Policies
• Setting an IPX QoS Policy
• Specifying Precedence for an IPX QoS Policy
• Configuring GSR Queueing Policy
• Allocating Bandwidth for a Weighted-Fair Queuing Policy
• ToS Rewrite
• Configuring ToS Rewrite for IP Packets
• Monitoring QoS
• Limiting Traffic Rate
• Example Configuration
• Displaying Rate Limit Information
...
• Packet Compression
• Average Packet Size
• Nature of the Data
• Link Integrity
• Latency Requirements
• Example Configurations
• Packet Encryption
• WAN Quality of Service
• Source Filtering and ACLs
• Weighted-Fair Queueing
• Congestion Management
...
About This Manual This manual provides detailed information and procedures for configuring the DIGITAL ™ GIGAswitch /Router software. If you have not yet installed the GSR, use the instructions in the DIGITAL GIGAswitch/Router Getting Started Guide to install the chassis and perform basic setup tasks, then return to this manual for more detailed configuration information.
Preface
If You Want To:
• Configure OSPF routing
• Configure BGP routing
• Configure routing policies
• Configure IP multicast routing
• Configure IP policy-based forwarding
• Configure Network Address Translation
• Configure web hosting
• Configure IPX routing
• Configure Access Control Lists
• Configure security
• Configure QoS (Quality of Service) parameters
• Monitor performance
• Configure RMON
...
Related Documentation
The DIGITAL GIGAswitch/Router documentation set includes the following items. Refer to these other documents to learn more about your product.
For Information About:
• Installing and setting up the GSR
• Managing the GSR using DIGITAL’s element management application
• The complete syntax for all CLI commands
• System messages and SNMP traps
Correspondence...
• Detailed description of the issue (including history, what you’ve tried, and conditions under which you see this occur)
• Hardware module number, software version, and switch configuration (that is, what part types are in what slots)
GIGAswitch/Router The DIGITAL GIGAswitch/Router provides non-blocking, wire-speed Layer-2 (switching), Layer-3 (routing) and Layer-4 (application) switching. The hardware provides wire-speed performance regardless of the performance monitoring, filtering, and Quality of Service (QoS) features enabled by the software. You do not need to accept performance compromises to run QoS or access control lists (ACLs).
Chapter 1: DIGITAL GIGAswitch/Router Product Overview
Table 1. GSR Hardware and software specifications (Continued)
Feature column: Capacity; Routing protocols; Bridging and VLAN protocols; Media Interface protocols; Quality of Service (QoS); RMON
Specification column:
• 4,096 Virtual LANs (VLANs)
• 3 MB input/output buffering per Gigabit port
•...
Table 1. GSR Hardware and software specifications (Continued)
Feature column: Management; Port mirroring; Hot swapping; Load balancing/sharing; Redundancy
Supported Media (Encapsulation Type)
The GSR supports the following industry-standard networking media:
• IP: IEEE 802.3 SNAP and Ethernet Type II
• IPX: IEEE 802.3 SNAP, Ethernet Type II, IPX 802.3, 802.2
•...
• Novell IPX routing protocols:
  – Routing Information Protocol (RIP)
  – Service Advertising Protocol (SAP)
Chapter 16, “IPX Routing Configuration Guide,” describes these protocols in detail.
Configuring the DIGITAL GIGAswitch/Router
The GSR provides a command line interface (CLI) that allows you to configure and manage the GSR.
Table 2. Common CLI key commands (Continued)
Key Sequence: Ctrl+E, Ctrl+F, Ctrl+N, Ctrl+P, Ctrl+U, Ctrl+X, Ctrl+Z
Access Modes
The GSR CLI has four access modes.
• User – Allows you to display basic information and use basic utilities such as ping but does not allow you to display SNMP, filter, and access control list information or make other configuration changes.
When you are in Configure or Enable mode, enter the exit command or press Ctrl+Z to exit to the previous access mode.
Note: When you exit Configure mode, the CLI will ask you whether you want to activate the configuration commands you have issued.
To list the commands available in User mode, enter a question mark (?) as shown in the following example:
gs/r> ?
aging dvmrp enable exit file help igmp ip-redundancy l2-tables logout multicast ping pvst statistics telnet traceroute vlan
Enable Mode
Enable mode provides more facilities than User mode.
To list the commands available in Enable mode, enter a question mark (?) as shown in the following example:
gs/r# ?
aging configure copy dhcp dvmrp enable exit file filters frame-relay help http igmp interface ip-policy ip-redundancy...
smarttrunk snmp statistics system tacacs tacacs-plus telnet traceroute vlan web-cache
To exit Enable mode and return to User mode, use one of the following commands:
Exit Enable mode.
Configure Mode
Configure mode provides the capabilities to configure all features and functions on the GSR.
filters frame-relay help igmp interface ip-policy ip-redundancy ip-router lfap load-balance ospf port pvst radius rate-limit rdisc rmon smarttrunk snmp system tacacs tacacs-plus vlan web-cache
Special configuration mode commands: clear diff erase negate save search show
Command descriptions (column as extracted):
- Configure L2 security filters
- Configure wan interface parameters...
To exit Configure mode and return to Enable mode, use one of the following commands:
Exit Configure mode.
Boot PROM Mode
If your GSR does not find a valid system image on the external PCMCIA flash, the system might enter programmable read-only memory (PROM) mode. You should then reboot the GSR at the boot PROM to restart the system.
Configuration Files
The GSR uses three special configuration files:
• Active – The commands from the Startup configuration file and any configuration commands that you have made active from the scratchpad (see below).
Caution: The active configuration remains in effect only during the current power cycle. If you power down or reboot the GSR without saving the active configuration changes to the Startup configuration file, the changes are lost.
Images currently available: img2100
Use the system image choose command to select the image file the GSR will use the next time you reboot the switch. Here is an example:
gs/r# system image choose img2100
Making image img2100 the active image for next reboot
Enter the system image list command to verify the change.
Loading Boot PROM Software
The GSR boots using the boot PROM software installed on the Control Module’s internal memory. To upgrade the boot PROM software and boot using the upgraded image, use the following procedure.
Display the current boot settings by entering the system show version command. Here is an example:
gs/r# system show version...
If you have not already done so, enter the configure command to enter Configure mode in the CLI.
Enter the following command:
save active
The CLI displays the following message:
Do you want to make the changes Active? [y]
Enter yes or y to activate the changes.
Note: If you exit Configure mode (by entering the exit command or pressing Ctrl+Z), the CLI will ask you whether you want to make the changes in the scratchpad...
Displaying Configuration Changes
While in Configure mode, you can display the configuration of the running system as well as non-activated changes that are in the Scratchpad by entering the following command:
Display running system configuration and non-activated changes in scratchpad.
Managing the GSR The GSR contains numerous system facilities for system management. You can perform configuration management tasks on the GSR including: • Setting the GSR name • Setting the GSR date and time • Configuring NTP • Configuring the CLI •...
Configuring NTP
You can use the ntp set server command to instruct the GSR’s NTP client to periodically synchronize its clock. By default, the GSR specifies an NTPv3 client that sends a synchronization packet to the server every 60 minutes. This means the GSR will attempt to set its own clock against the server once every hour.
Configuring DNS
The GSR allows you to configure up to three Domain Name Service (DNS) servers. To configure the DNS, enter the following command in Configure mode:
Configure DNS.
Connecting Between the GSR and Other Systems
To test a connection between the GSR and an IP host, enter the following command in User or Enable mode:
Test connection between the GSR...
Configuring Logging
During operation, the GSR system software sends messages to the management console. These messages include informational, warning, error, and fatal messages. Console messages can also be sent to a syslog server. To configure a Syslog server, enter the following command in Configure mode:
Configure a Syslog server.
• Show the most recent Syslog messages kept in the local syslog message buffer.
• Show usage information about various system resources.
• Show the contact information (administrator name, phone number, and so on).
• Shows the percentage of the CPU that is currently being used.
• Show the GSR date and time.
Task: Show GSR uptime. Command: system show uptime
Task: Show the current Telnet connections to the GSR. Command: system show users
Task: Show the software version running on the GSR. Command: system show version
Hot Swapping Overview This chapter describes the hot swapping functionality of the GSR. Hot swapping is the ability to replace a line card or Control Module while the GSR is operating. Hot swapping allows you to remove or install line cards without switching off or rebooting the GSR. Swapped-in line cards are recognized by the GSR and begin functioning immediately after they are installed.
Chapter 2: Hot Swapping Line Cards and Control Modules Hot Swapping Line Cards The procedure for hot swapping a line card consists of deactivating the line card, removing it from its slot in the GSR chassis, and installing a new line card in the slot. Deactivating the Line Card To deactivate the line card, do one of the following: •...
Removing the Line Card
To remove a line card from the GSR:
Make sure the Offline LED on the line card is lit.
Warning: Do not remove the line card unless the Offline LED is lit. Doing so can cause the GSR to crash.
Hot Swapping a Secondary Control Module
If you have a secondary control module installed on the GSR, you can hot swap it with another Control Module or line card.
Warning: You can only hot swap an inactive Control Module. You should never remove the active Control Module from the GSR.
Removing the Control Module To remove a Control Module from the GSR: Make sure that none of the LEDs on the Control Module are lit. Loosen the captive screws on each side of the Control Module. Carefully remove the Control Module from its slot in the GSR chassis. Installing the Control Module To install a new Control Module or line card into the slot: Note:...
The procedure for hot swapping a Switching Fabric Module is similar to the procedure for hot swapping a line card or Control Module. You deactivate the Switching Fabric Module, remove it from the GSR, and insert another Switching Fabric Module in the slot.
Note: You cannot deactivate the Switching Fabric Module with the system hotswap command.
Bridging Overview The DIGITAL GIGAswitch/Router provides the following bridging functions: • Compliance with the IEEE 802.1d standard • Compliance with the IGMP multicast bridging standard • Wire-speed address-based bridging or flow-based bridging • Ability to logically segment a transparently bridged network into virtual local-area networks (VLANs), based on physical ports or protocol (IP or IPX or bridged protocols ®...
VLAN to each port of a switching device. Then, any traffic received on a given port of a switch belongs to the VLAN associated with that port. VLANs are primarily used for broadcast containment. A layer-2 (L2) broadcast frame is normally transmitted all over a bridged network.
1 is transmitted on ports 2 and 3. It is not transmitted on any other port. MAC-address-based VLANs In this type of VLAN, each switch (or a central VLAN information server) keeps track of all MAC addresses in a network and maps them to VLANs based on information configured by the network administrator.
Subnet-based VLANs are a subset of protocol based VLANs and determine the VLAN of a frame based on the subnet to which the frame belongs. To do this, the switch must look into the network layer header of the incoming frame. This type of VLAN behaves similar to a router by segregating different subnets into different broadcast domains.
The GSR can be used purely as an L2 switch. Frames arriving at any port are bridged and not routed. In this case, setting up VLANs and associating ports with VLANs is all that is required. You can set up the GSR switching router to use port-based VLANs, protocol-based VLANs, or a mixture of the two types.
VLAN OTHER_VLAN for any other protocol, then an IP frame received by port 1 is classified as belonging to VLAN IP_VLAN. Trunk ports (802.1Q) are usually used to connect one VLAN-aware switch to another. They carry traffic belonging to several VLANs. For example, suppose that GSR A and B are both configured with VLANs V1 and V2.
Configuring GSR Bridging Functions
Configuring Address-based or Flow-based Bridging
The GSR ports perform address-based bridging by default but can be configured to perform flow-based bridging instead of address-based bridging, on a per-port basis. A port cannot be configured to perform both types of bridging at the same time. The GSR performance is equivalent when performing flow-based bridging or address-based bridging.
Chapter 3: Bridging Configuration Guide
To change a port from flow-based bridging to address-based bridging, enter the following command in Configure mode:
Change a port from flow-based bridging to address-based bridging.
Configuring Spanning Tree
Note: Some commands in this facility require updated GSR hardware. Please refer to the Release Notes for details.
You can adjust spanning-tree parameters by performing any of the tasks in the following sections: • Set the Bridge Priority • Set an Interface Priority Note: Only network administrators with a good understanding of how bridges and the Spanning-Tree Protocol work should make adjustments to spanning-tree parameters.
Assigning Port Costs
Each interface has a port cost associated with it. By convention, the port cost is 1000/data rate of the attached LAN, in Mbps. You can set different port costs. To assign port costs, enter the following command in Configure mode:
Set a different port cost other than the defaults for default spanning tree.
To change the default interval setting, enter the following command in Configure mode: Set the default of the forward delay interval for default spanning tree. Set the default of the forward delay interval for a particular instance of spanning tree. Defining the Maximum Age If a bridge does not hear BPDUs from the root bridge within a specified interval, it assumes that the network has changed and recomputes the spanning-tree topology.
Configuring VLAN Trunk Ports
The GSR supports standards-based VLAN trunking between multiple GSRs as defined by IEEE 802.1Q. 802.1Q adds a header to a standard Ethernet frame which includes a unique VLAN ID per trunk between two GSRs. These VLAN IDs extend the VLAN broadcast domain to more than one GSR.
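An added example, not taken from the manual: a Python model of the frame classification described in the VLAN sections above, covering the encapsulations listed under Supported Media, the protocol-based VLANs on port 1 (IP_VLAN, OTHER_VLAN) and an 802.1Q trunk carrying V1 and V2. The port tables, the name IPX_VLAN, VLAN IDs 10 and 20, treating ARP as IP, and dropping unexpected or unknown tags are assumptions of the example, not documented GSR behaviour.

```python
import struct

TPID_8021Q = 0x8100                      # EtherType value that marks an 802.1Q tag
ETH_IP, ETH_ARP, ETH_IPX = 0x0800, 0x0806, 0x8137

# Constructed tables for the example (assumptions, not GSR configuration syntax).
ACCESS_PORTS = {1: {"ip": "IP_VLAN", "ipx": "IPX_VLAN", "other": "OTHER_VLAN"}}
TRUNK_PORTS = {2: {10: "V1", 20: "V2"}}  # trunk port -> {VLAN ID: VLAN name}


def protocol_family(type_len, payload):
    """Map the type/length field and payload start to 'ip', 'ipx' or 'other'."""
    if type_len >= 0x0600:                                      # Ethernet Type II
        ethertype = type_len
    elif payload[:3] == b"\xaa\xaa\x03" and len(payload) >= 8:  # 802.3 + LLC/SNAP
        (ethertype,) = struct.unpack_from("!H", payload, 6)
    elif payload[:2] == b"\xff\xff":                            # "IPX 802.3" (raw)
        return "ipx"
    elif payload[:2] == b"\xe0\xe0":                            # IPX over 802.2 LLC
        return "ipx"
    else:
        return "other"
    if ethertype in (ETH_IP, ETH_ARP):   # assumption: ARP travels with IP
        return "ip"
    if ethertype == ETH_IPX:
        return "ipx"
    return "other"


def parse_frame(frame):
    """Return (vlan_id or None, protocol family) for a raw frame without FCS."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    (type_len,) = struct.unpack_from("!H", frame, 12)
    vid, offset = None, 14
    if type_len == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, type_len = struct.unpack_from("!HH", frame, 14)
        vid = tci & 0x0FFF               # low 12 bits of the tag are the VLAN ID
        offset = 18
    return vid, protocol_family(type_len, frame[offset:])


def classify(port, frame):
    """Return the VLAN name for a frame received on port, or None to drop it."""
    vid, family = parse_frame(frame)
    if port in TRUNK_PORTS:
        # Trunk: the tag decides. Untagged frames and VLAN IDs not carried on
        # this trunk are dropped in this model.
        return TRUNK_PORTS[port].get(vid) if vid is not None else None
    if port in ACCESS_PORTS:
        # Access port: the protocol decides. A tag is not expected here, so a
        # tagged frame is dropped rather than trusted.
        return None if vid is not None else ACCESS_PORTS[port][family]
    raise KeyError(f"port {port} is not configured")


def build_frame(type_len, payload, tci=None):
    """Construct a sample frame (zeroed MAC addresses) for the demonstration."""
    tag = struct.pack("!HH", TPID_8021Q, tci) if tci is not None else b""
    return bytes(12) + tag + struct.pack("!H", type_len) + payload


if __name__ == "__main__":
    ip_payload = b"\x45" + bytes(19)
    samples = [
        ("Ethernet II IP on port 1", 1, build_frame(ETH_IP, ip_payload)),
        ("802.3 SNAP IP on port 1", 1,
         build_frame(28, b"\xaa\xaa\x03\x00\x00\x00\x08\x00" + ip_payload)),
        ("raw 802.3 IPX on port 1", 1, build_frame(30, b"\xff\xff" + bytes(28))),
        ("DECnet on port 1", 1, build_frame(0x6003, bytes(20))),
        ("tagged VLAN 20 on trunk port 2", 2, build_frame(ETH_IP, ip_payload, tci=20)),
        ("tagged VLAN 30 on trunk port 2", 2, build_frame(ETH_IP, ip_payload, tci=30)),
        ("tagged frame on access port 1", 1, build_frame(ETH_IP, ip_payload, tci=20)),
    ]
    for label, port, frame in samples:
        print(f"{label}: {classify(port, frame)}")
```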
• Secure port filters A secure filter shuts down access to the GSR based on MAC addresses. All packets received by a port are dropped. When combined with static entries, however, these filters can be used to drop all received traffic but allow some frames to go through. Monitoring Bridging The GSR provides display of bridging statistics and configurations contained in the GSR.
Configuration Examples
VLANs are used to associate physical ports on the GSR with connected hosts that may be physically separated but need to participate in the same broadcast domain. To associate ports to a VLAN, you must first create a VLAN and then assign ports to the VLAN. This section shows examples of creating an IP or IPX VLAN and a DECnet, SNA, and AppleTalk VLAN.
Overview This chapter explains how to configure and monitor SmartTRUNKs on the GSR. A SmartTRUNK is DIGITAL Equipment Corporation’s technology for load balancing and load sharing. For a description of the SmartTRUNK commands, see the “smarttrunk commands” section of the DIGITAL GIGAswitch/Router Command Line Interface Reference Manual.
Chapter 4: SmartTRUNK Configuration Guide SmartTRUNKs are compatible with all GSR features, including VLANs, STP, VRRP, etc. SmartTRUNK operation is supported over different media types and a variety of technologies including 10/100/1000 Mbps Ethernet. Configuring SmartTRUNKs To create a SmartTRUNK: Create a SmartTRUNK and specify a control protocol for it.
Add Physical Ports to the SmartTRUNK You can add any number of ports to a SmartTRUNK. The limit is the number of ports on the GSR. Any port on any module can be part of a SmartTRUNK. If one module should go down, the remaining ports on other modules will remain operational.
Monitoring SmartTRUNKs
Statistics are gathered for data flowing through a SmartTRUNK and each port in the SmartTRUNK. To display SmartTRUNK statistics, enter one of the following commands in Enable mode:
Display information about all SmartTRUNKs and the control protocol used.
1
ip address 10.1.1.1 255.255.255.0
ip route-cache distributed
interface fasteth 0/0
no ip address
channel-group 1
The following is the configuration for the Cisco Catalyst 5K switch:
set port channel 3/1-2 on
[Figure labels: st.2; Router; 11.1.1.2/24; to-s1; 12.1.1.2/24...]
The following is the SmartTRUNK configuration for the GSR labeled ‘R1’ in the diagram:
smarttrunk create st.1 protocol no-protocol
smarttrunk create st.2 protocol huntgroup
smarttrunk create st.3 protocol huntgroup
smarttrunk add ports et.1(1-2) to st.1
smarttrunk add ports et.2(1-2) to st.2
smarttrunk add ports et.3(1-2) to st.3
interface create ip to-cisco address-netmask 10.1.1.2/24 port st.1...
DHCP Overview The Dynamic Host Configuration Protocol (DHCP) server on the GSR provides dynamic address assignment and configuration to DHCP capable end-user systems, such as ® Microsoft Windows You can configure the server to provide a dynamic IP address from a pre-allocated pool of IP addresses or a static IP address.
Chapter 5: DHCP Configuration Guide Configuring DHCP By default, the DHCP server is not enabled on the GSR. You can selectively enable DHCP service on particular interfaces and not others. To enable DHCP service on an interface, you must first define a DHCP scope. A scope consists of a pool of IP addresses and a set of parameters for a DHCP client.
Table 3. Client Parameters Parameter netbios-name-server netbios-node-type netbios-scope To define the parameters that the DHCP server gives the clients, enter the following command in Configure mode: Define client parameters. Configuring a Static IP Address To define a static IP address that the DHCP server can assign to a client with a specific MAC address, enter the following command in Configure mode: Define static IP address for a particular MAC address.
Chapter 5: DHCP Configuration Guide Configuring DHCP Server Parameters You can configure several “global” parameters that affect the behavior of the DHCP server itself. To configure global DHCP server parameters, enter the following commands in Configure mode: Specify a remote location to back up the lease database.
DHCP Configuration Examples
The following configuration describes DHCP configuration for a simple network with just one interface on which DHCP service is enabled to provide both dynamic and static IP addresses.
Create an IP VLAN called ‘client_vlan’.
vlan create client_vlan ip
Add all Fast Ethernet ports in the GSR to the VLAN ‘client_vlan’....
Specify a remote lease database on the TFTP server 10.1.89.88.
dhcp global set lease-database tftp://10.1.89.88/lease.db
10. Specify a database update interval of every 15 minutes.
dhcp global set commit-interval 15
Configuring Secondary Subnets
In some network environments, multiple logical subnets can be imposed on a single physical segment.
Include ‘scope2’ in the superscope ‘super1’.
dhcp scope2 attach superscope super1
Since there are multiple pools of IP addresses, the pool associated with ‘scope1’ is used first since ‘scope1’ is applied to the interface before ‘scope2’. Clients that are given an address from ‘scope1’...
Define the address pool for ‘scope2’.
dhcp scope2 define pool 10.2.1.40-10.2.1.50
Create a superscope ‘super1’ that includes ‘scope1’.
dhcp scope1 attach superscope super1
Include ‘scope2’ in the superscope ‘super1’.
dhcp scope2 attach superscope super1
For clients on the secondary subnet, the default gateway is 10.2.1.1, which is also the secondary address for the interface ‘clients’.
DHCP Configuration Examples
Define the address pool for ‘scope1’.
dhcp scope1 define pool 10.5.1.10-10.5.1.20
This chapter describes how to configure IP interfaces and general non-protocol-specific routing parameters. IP Routing Overview Internet Protocol (IP) is a packet-based protocol used to exchange data over computer networks. IP handles addressing, routing, fragmentation, reassembly, and protocol demultiplexing. In addition, IP specifies how hosts and routers should process packets, handle errors and discard packets.
Chapter 6: IP Routing Configuration Guide TCP and UDP also specify “ports,” which identify the application which is using TCP/UDP. For example, a web server would typically use TCP/UDP port 80, which specifies HTTP-type traffic. The GSR supports standards-based TCP, UDP, and IP. IP Routing Protocols The GSR supports standards-based unicast and multicast routing.
The GSR supports the following multicast routing protocols: • Distance Vector Multicast Routing Protocol (DVMRP) RFC 1075 • Internet Group Management Protocol (IGMP) as described in RFC 2236 The GSR also supports the latest DVMRP Version 3.0 draft specification, which includes mtrace, Generation ID and Pruning/Grafting.
Specifying Ethernet Encapsulation Method
The DIGITAL GIGAswitch/Router supports two encapsulation types for IP. You can configure encapsulation type on a per-interface basis.
• Ethernet II: The standard ARPA Ethernet Version 2.0 encapsulation, which uses a 16-bit protocol type code (the default encapsulation method)
•...
To disable proxy ARP, enter the following command in Configure mode:
Disable Proxy ARP on an interface.
Configuring Reverse Address Resolution Protocol (RARP)
Reverse Address Resolution Protocol (RARP) works exactly the opposite of ARP. Taking a MAC address as input, RARP determines the associated IP address. RARP is useful for X-terminals and diskless workstations that may not have an IP address when they boot.
Chapter 6: IP Routing Configuration Guide Then place the text file on a TFTP server that the GSR can access and enter the following command in Enable mode: gs/r# copy tftp-server to ethers <IPaddr-of-TFTP-server> TFTP server? Source filename? Monitoring RARP You can use the following commands to obtain information about the GSR’s RARP configuration: Display the interfaces to which the...
Configuring IP Services (ICMP) The GSR provides ICMP message capabilities including ping and traceroute. Ping allows you to determine the reachability of a certain IP host. Traceroute allows you to trace the IP gateways to an IP host. To access ping or traceroute on the GSR, enter the following commands in Enable mode: Specify ping.
Chapter 6: IP Routing Configuration Guide Configuring Direct Broadcast You can configure the GSR to forward all directed broadcast traffic from the local subnet to a specified IP address or all associated IP addresses. This is a more efficient method than defining only one local interface and remote IP address destination at a time with the ip-helper command when you are forwarding traffic from more than one interface in the local subnet to a remote destination IP address.
To display IP information, enter the following command in Enable mode: Show ARP table entries. Show IP interface configuration. Show all TCP/UDP connections and services. Show configuration of IP interfaces. Show IP routing table information. Show ARP entries in routing table. Show DNS parameters.
Chapter 6: IP Routing Configuration Guide To configure router advertisement, enter the following commands in Configure mode: Define IP address to be included in router advertisements. Enable router advertisement on an interface. Configure router advertisement for a specific address. Configure router advertisement for an interface or all interfaces.
VRRP Overview This chapter explains how to set up and monitor the Virtual Router Redundancy Protocol (VRRP) on the GSR. VRRP is defined in RFC 2338. End host systems on a LAN are often configured to send packets to a statically configured default router.
Chapter 7: VRRP Configuration Guide Configuring VRRP This section presents three sample VRRP configurations: • A basic VRRP configuration with one virtual router • A symmetrical VRRP configuration with two virtual routers • A multi-backup VRRP configuration with three virtual routers Basic VRRP Configuration Figure 4 shows a basic VRRP configuration with a single virtual router.
Configuration of Router R1 The following is the configuration file for Router R1 in
1: interface create ip test address-netmask 10.0.0.1/16 port et.1.1
2: ip-redundancy create vrrp 1 interface test
3: ip-redundancy associate vrrp 1 interface test address 10.0.0.1/16
4: ip-redundancy start vrrp 1 interface test
Line 1 adds IP address 10.0.0.1/16 to interface test, making Router R1 the owner of this IP address.
Page 96
Chapter 7: VRRP Configuration Guide This configuration allows you to load-balance traffic coming from the hosts on the 10.0.0.0/16 subnet and provides a redundant path to either virtual router. Note: This is the recommended configuration on a network using VRRP. Master for VRID=1 Backup for VRID=2 Interface Addr.
Configuration of Router R1 The following is the configuration file for Router R1 in
1: interface create ip test address-netmask 10.0.0.1/16 port et.1.1
2: ip-redundancy create vrrp 1 interface test
3: ip-redundancy create vrrp 2 interface test
4: ip-redundancy associate vrrp 1 interface test address 10.0.0.1/16
5: ip-redundancy associate vrrp 2 interface test address 10.0.0.2/16
6: ip-redundancy start vrrp 1 interface test
7: ip-redundancy start vrrp 2 interface test...
Chapter 7: VRRP Configuration Guide Multi-Backup Configuration Figure 6 shows a VRRP configuration with three routers and three virtual routers. Each router serves as a Master for one virtual router and as a Backup for each of the others. When a Master router goes down, one of the Backups takes over the IP addresses of its virtual router.
Router R3 is the secondary Backup for virtual routers become a Master router only if both Routers R1 and R2 should fail. In such a case, Router R3 would become the Master for all three virtual routers. Configuration of Router R1 The following is the configuration file for Router R1 in
1: interface create ip test address-netmask 10.0.0.1/16 port et.1.1
2: ip-redundancy create vrrp 1 interface test...
Chapter 7: VRRP Configuration Guide Since Router R1 is the owner of the IP address associated with virtual router a priority of 255 (the highest) for virtual router priority for virtual routers configuration have a higher priority, Router R1 will take over as Master for virtual routers VRID=2 VRID=3 The following table shows the priorities for each virtual router configured on Router R1.
The following table shows the priorities for each virtual router configured on Router R2. Virtual Router – IP address=10.0.0.1/16 VRID=1 – IP address=10.0.0.2/16 VRID=2 – IP address=10.0.0.3/16 VRID=3 Note: Since 100 is the default priority, line 9, which sets the priority to 100, is actually unnecessary.
Chapter 7: VRRP Configuration Guide The following table shows the priorities for each virtual router configured on Router R3. Virtual Router – IP address=10.0.0.1/16 VRID=1 – IP address=10.0.0.2/16 VRID=2 – IP address=10.0.0.3/16 VRID=3 Note: Since 100 is the default priority, lines 8 and 9, which set the priority to 100, are actually unnecessary.
Setting Pre-empt Mode When a Master router goes down, the Backup with the highest priority takes over the IP addresses associated with the Master. By default, when the original Master comes back up again, it takes over from the Backup router that assumed its role as Master. When a VRRP router does this, it is said to be in pre-empt mode.
Chapter 7: VRRP Configuration Guide Monitoring VRRP The GSR provides two commands for monitoring a VRRP configuration: ip-redundancy trace, which displays messages when VRRP events occur, and ip-redundancy show, which reports statistics about virtual routers. ip-redundancy trace The ip-redundancy trace command is used for troubleshooting purposes. This command causes messages to be displayed when certain VRRP events occur on the GSR.
VRRP Configuration Notes • The Master router sends keep-alive advertisements. The frequency of these keep-alive advertisements is determined by setting the Advertisement interval parameter. The default value is 1 second. • If a Backup router doesn’t receive a keep-alive advertisement from the current Master within a certain period of time, it will transition to the Master state and start sending advertisements itself.
Page 106
Chapter 7: VRRP Configuration Guide • As specified in RFC 2338, a Backup router that has transitioned to Master will not respond to pings, accept telnet sessions, or field SNMP requests directed at the virtual router's IP address. Not responding allows network management to notice that the original Master router (i.e., the IP address owner) is down.
RIP Overview This chapter describes how to configure the Routing Information Protocol (RIP) on the DIGITAL GIGAswitch/Router. RIP is a distance-vector routing protocol for use in small networks. RIP is described in RFC 1723. A router running RIP broadcasts updates at set intervals.
Chapter 8: RIP Configuration Guide Enabling and Disabling RIP To enable or disable RIP, enter one of the following commands in Configure mode. Enable RIP. Disable RIP. Configuring RIP Interfaces To configure RIP in the GSR, you must first add interfaces to inform RIP about attached interfaces.
Configuring RIP Parameters No further configuration is required, and the system default parameters will be used by RIP to exchange routing information. These default parameters may be modified to suit your needs by using the rip set interface command. RIP Parameter Version number Check-zero for RIP reserved parameters Whether RIP packets should be broadcast...
Chapter 8: RIP Configuration Guide Specify the metric to be used when advertising routes that were learned from other protocols. Enable automatic summarization and redistribution of RIP routes. Specify broadcast of RIP packets regardless of number of interfaces present. Check that reserved fields in incoming RIP V1 packets are zero.
Monitoring RIP The rip trace command can be used to trace all rip request and response packets. To monitor RIP information, enter the following commands in Enable mode. Show all RIP information. Show RIP export policies. Show RIP global information. Show RIP import policies.
Chapter 8: RIP Configuration Guide Configuration Example
! Example configuration
! Create interface GSR1-if1 with ip address 1.1.1.1/16 on port et.1.1 on GSR-1
interface create ip GSR1-if1 address-netmask 1.1.1.1/16 port et.1.1
! Configure rip on GSR-1
rip add interface GSR1-if1
rip set interface GSR1-if1 version 2
rip start
! Set authentication method to md5...
OSPF Overview Open Shortest Path First (OSPF) is a link-state routing protocol that supports IP subnetting and authentication. The GSR supports OSPF Version 2.0 as defined in RFC 1583. Each link-state message contains all the links connected to the router with a specified cost associated with the link.
Chapter 9: OSPF Configuration Guide OSPF Multipath The GSR also supports OSPF and static Multi-path. If multiple equal-cost OSPF or static routes have been defined for any destination, then the GSR “discovers” and uses all of them. The GSR will automatically learn up to four equal-cost OSPF or static routes and retain them in its forwarding information base (FIB).
Chapter 9: OSPF Configuration Guide Specify the number of seconds required to transmit a link state update on an OSPF interface. Specify the time a neighbor router will listen for OSPF hello packets before declaring the router down. Disable IP multicast for sending OSPF packets to neighbors on an OSPF interface.
To create areas and assign interfaces, enter the following commands in the Configure mode. Create an OSPF area. Add an interface to an OSPF area. Add a stub host to an OSPF area. Add a network to an OSPF area for summarization.
Chapter 9: OSPF Configuration Guide Creating Virtual Links In OSPF, virtual links can be established: • To connect an area via a transit area to the backbone • To create a redundant backbone connection via another area Each Area Border Router must be configured with the same virtual link. Note that virtual links cannot be configured through a stub area.
Configuring OSPF over Non-Broadcast Multiple Access You can configure OSPF over NBMA circuits to limit the number of Link State Advertisements (LSAs). LSAs are limited to initial advertisements and any subsequent changes. Periodic LSAs over NBMA circuits are suppressed. To configure OSPF over WAN circuits, enter the following command in Configure mode: Configure OSPF over a WAN circuit.
Page 120
Chapter 9: OSPF Configuration Guide Show all OSPF areas. Show OSPF errors. Show information about OSPF export policies. Shows routes redistributed into OSPF. Show all OSPF global parameters. Show information about OSPF import policies. Show OSPF interfaces. Shows information about all valid next hops mostly derived from the SPF calculation.
OSPF Configuration Examples For all examples in this section, refer to the configuration shown in The following configuration commands for router R1: • Determine the IP address for each interface • Specify the static routes configured on the router • Determine its OSPF configuration !++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ! Create the various IP interfaces.
Chapter 9: OSPF Configuration Guide Create an OSPF export destination for type-2 routes since we would like to redistribute certain routes into OSPF as type 2 OSPF-ASE routes.
ip-router policy create ospf-export-destination ospfExpDstType2 type 2 metric 4
Create a Static export source since we would like to export static routes.
ip-router policy create static-export-source statExpSrc
Create a Direct export source since we would like to export interface/direct routes.
Page 123
Create an OSPF export destination for type-2 routes.
ip-router policy create ospf-export-destination ospfExpDstType2 type 2 metric 4
Create an OSPF export destination for type-2 routes with a tag of 100.
ip-router policy create ospf-export-destination ospfExpDstType2t100 type 2 tag 100 metric 4
Create a RIP export source.
Page 124
Chapter 9: OSPF Configuration Guide 12. Create the Export-Policy for redistributing all interface, RIP, static, OSPF and OSPF- ASE routes into RIP. ip-router policy export destination ripExpDst source statExpSrc network all ip-router policy export destination ripExpDst source ripExpSrc network all ip-router policy export destination ripExpDst source directExpSrc network all ip-router policy export destination ripExpDst source ospfExpSrc...
Page 125
Figure 7. Exporting to OSPF
BGP Overview The Border Gateway Protocol (BGP) is an exterior gateway protocol that allows IP routers to exchange network reachability information. BGP became an internet standard in 1989 (RFC 1105) and the current version, BGP-4, was published in 1994 (RFC 1771). BGP is typically run between Internet Service Providers.
Chapter 10: BGP Configuration Guide The GSR BGP Implementation The GSR routing protocol implementation is based on GateD 4.0.3 code (http://www.gated.org). GateD is a modular software program consisting of core services, a routing database, and protocol modules supporting multiple routing protocols (RIP versions 1 and 2, OSPF version 2, BGP version 2 through 4, and Integrated IS-IS).
Setting the Autonomous System Number An autonomous system number identifies your autonomous system to other routers. To set the GSR’s autonomous system number, enter the following command in Configure mode. Set the GSR’s autonomous system number. The autonomous-system <num1> parameter sets the AS number for the router. Specify a number from 1–65534.
Chapter 10: BGP Configuration Guide Configuring a BGP Peer Group A BGP peer group is a group of neighbor routers that have the same update policies. To configure a BGP peer group, enter the following command in Configure mode: Configure a BGP peer group. where: peer-group <number-or-string>...
proto Specifies the interior protocol to be used to resolve BGP next hops. Specify one of the following: Use any igp to resolve BGP next hops. Use RIP to resolve BGP next hops. Use OSPF to resolve BGP next hops. ospf static Use static to resolve BGP next hops.
Chapter 10: BGP Configuration Guide Using AS-Path Regular Expressions An AS-path regular expression is a regular expression where the alphabet is the set of AS numbers. An AS-path regular expression is composed of one or more AS-path expressions. An AS-path expression is composed of AS path terms and AS-path operators. An AS path term is one of the following three objects: autonomous_system Is any valid autonomous system number, from one through 65534 inclusive.
For example:
(4250 .*) Means anything beginning with 4250.
(.* 6301 .*) Means anything with 6301.
(.* 4250) Means anything ending with 4250.
(.* 1104|1125|1888|1135 .*) Means anything containing 1104 or 1125 or 1888 or 1135.
AS-path regular expressions are used as one of the parameters for determining which routes are accepted and which routes are advertised.
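The following added example (not code from the manual or from GateD) shows why these expressions have to be evaluated per AS number rather than per character, which matters when they gate which routes are accepted. It supports only AS numbers, `.`, `*`, `|` and parentheses, treats `|` as joining adjacent terms as the fourth expression's stated meaning implies, and uses hypothetical function names and constructed AS paths.

```python
import re

AS_MIN, AS_MAX = 1, 65534      # valid AS range stated in the manual text
ANY_AS = r"(?:\d+ )"           # "." matches exactly one AS number (one token)


def compile_as_path(expr):
    """Translate an AS-path expression into a Python regex that runs over a
    path rendered as 'ASN ' tokens, so a match is per AS number, not per digit.
    Assumed grammar: sequence := alternation*; alternation := term ('|' term)*;
    term := atom ['*']; atom := ASN | '.' | '(' sequence ')'."""
    if re.sub(r"\d+|[.*|()]|\s", "", expr):
        raise ValueError(f"unsupported character in {expr!r}")
    tokens = re.findall(r"\d+|[.*|()]", expr)
    pos = 0

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def atom():
        nonlocal pos
        tok = peek()
        if tok is None:
            raise ValueError("expression ends where a term is expected")
        pos += 1
        if tok == ".":
            return ANY_AS
        if tok == "(":
            inner = sequence()
            if peek() != ")":
                raise ValueError("missing ')'")
            pos += 1
            return f"(?:{inner})"
        if tok.isdigit():
            if not AS_MIN <= int(tok) <= AS_MAX:
                raise ValueError(f"AS number {tok} out of range")
            return f"(?:{int(tok)} )"
        raise ValueError(f"unexpected {tok!r}")

    def term():
        nonlocal pos
        out = atom()
        if peek() == "*":
            pos += 1
            out = f"(?:{out})*"
        return out

    def alternation():
        nonlocal pos
        parts = [term()]
        while peek() == "|":
            pos += 1
            parts.append(term())
        return parts[0] if len(parts) == 1 else "(?:" + "|".join(parts) + ")"

    def sequence():
        parts = []
        while peek() not in (None, ")"):
            parts.append(alternation())
        return "".join(parts)

    body = sequence()
    if pos != len(tokens):
        raise ValueError("unbalanced ')'")
    return re.compile(body)


def matches(expr, as_path):
    """True if the whole AS path (a list of AS numbers) matches the expression."""
    text = "".join(f"{int(asn)} " for asn in as_path)
    return compile_as_path(expr).fullmatch(text) is not None


def naive_contains(asn, as_path):
    """Character-level substring test, shown only to contrast with matches()."""
    return str(asn) in " ".join(str(a) for a in as_path)


if __name__ == "__main__":
    # Constructed AS paths, not taken from the manual.
    paths = [[4250, 701, 6301], [701, 16301], [701, 14250], [701, 1888, 3]]
    exprs = ["(4250 .*)", "(.* 6301 .*)", "(.* 4250)",
             "(.* 1104|1125|1888|1135 .*)"]
    for expr in exprs:
        for path in paths:
            print(f"{expr:32} {str(path):22} {matches(expr, path)}")
    # AS 16301 is not AS 6301, but a substring test says it is.
    print("naive substring test on [701, 16301]:", naive_contains(6301, [701, 16301]))
```
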
Chapter 10: BGP Configuration Guide Using the AS Path Prepend Feature When BGP compares two advertisements of the same prefix that have differing AS paths, the default action is to prefer the path with the lowest number of transit AS hops; in other words, the preference is for the shorter AS path length.
Add the peer-host back to the peer-group. If the as-count option is part of the startup configuration, the above steps are unnecessary. BGP Configuration Examples This section presents sample configurations illustrating BGP features. The following features are demonstrated: • BGP peering •...
Page 136
Chapter 10: BGP Configuration Guide Figure 8 illustrates a sample BGP peering session. The CLI configuration for router GSR1 is as follows:
interface create ip et.1.1 address-netmask 10.0.0.1/16 port et.1.1
# Set the AS of the router
ip-router global set autonomous-system 1
# Set the router ID
ip-router global set router-id 10.0.0.1...
The gated.conf file for router GSR1 is as follows: autonomoussystem 1 ; routerid 10.0.0.1 ; bgp yes { The CLI configuration for router GSR2 is as follows: interface create ip et.1.1 address-netmask 10.0.0.2/16 port et.1.1 ip-router global set autonomous-system 2 ip-router global set router-id 10.0.0.2 bgp create peer-group pg2w1 type external autonomous-system 1 bgp add peer-host 10.0.0.1 group pg2w1...
Chapter 10: BGP Configuration Guide An IGP, like OSPF, could possibly be used instead of IBGP to exchange routing information between EBGP speakers within an AS. However, injecting full Internet routes (50,000+ routes) into an IGP puts an expensive burden on the IGP routers. Additionally, IGPs cannot communicate all of the BGP attributes for a given route.
Page 139
BGP Configuration Examples Figure 9 shows a sample BGP configuration that uses the Routing group type.
Figure 9. Sample IBGP Configuration (Routing Group Type)
Page 140
Chapter 10: BGP Configuration Guide In this example, OSPF is configured as the IGP in the autonomous system. The following lines in the router GSR6 configuration file configure OSPF: # Create a secondary address for the loopback interface interface add ip lo0 address-netmask 172.23.1.26/30 ospf create area backbone ospf add interface to- ospf add interface to-...
The following lines on the Cisco router set up IBGP peering with router GSR6.
router bgp 64801
! Disable synchronization between BGP and IGP
no synchronization
neighbor 172.23.1.26 remote-as 64801
! Allow internal BGP sessions to use any operational interface for TCP
! connections
neighbor 172.23.1.26 update-source Loopback0
IBGP Internal Group Example...
Page 142
Chapter 10: BGP Configuration Guide Figure 10 illustrates a sample IBGP Internal group configuration. 16.122.128.8/24 AS-1 16.122.128.1/24 GSR1 17.122.128.1/24 Figure 10. Sample IBGP Configuration (Internal Group Type) The CLI configuration for router GSR1 is as follows: ip-router global set autonomous-system 1 bgp create peer-group int-ibgp-1 type internal autonomous-system 1 bgp add peer-host 16.122.128.2 group int-ibgp-1 bgp add peer-host 16.122.128.8 group int-ibgp-1...
Page 143
The gated.conf file for router GSR1 is as follows: autonomoussystem 1 ; routerid 16.122.128.1 ; bgp yes { traceoptions aspath detail packets detail open detail update ; group type internal peeras 1 The CLI configuration for router GSR2 is as follows: ip-router global set autonomous-system 1 bgp create peer-group int-ibgp-1 type internal autonomous-system 1 bgp add peer-host 16.122.128.1 group int-ibgp-1...
Chapter 10: BGP Configuration Guide The configuration for router C1 (a Cisco router) is as follows:
router bgp 1
no synchronization
network 16.122.128.0 mask 255.255.255.0
network 17.122.128.0 mask 255.255.255.0
neighbor 16.122.128.1 remote-as 1
neighbor 16.122.128.1 next-hop-self
neighbor 16.122.128.1 soft-reconfiguration inbound
neighbor 16.122.128.2 remote-as 1
neighbor 16.122.128.2 next-hop-self
neighbor 16.122.128.2 soft-reconfiguration inbound...
Page 145
This sample configuration shows External BGP peers, GSR1 and GSR4, which are not connected to the same subnet. AS-64800 GSR1 16.122.128.1/16 Legend: The CLI configuration for router GSR1 is as follows: bgp create peer-group ebgp_multihop autonomous-system 64801 type external bgp add peer-host 18.122.128.2 group ebgp_multihop ! Specify the gateway option, which indicates EBGP multihop.
Page 146
Chapter 10: BGP Configuration Guide The gated.conf file for router GSR1 is as follows: autonomoussystem 64800 ; routerid 0.0.0.1 ; bgp yes { traceoptions state ; group type external peeras 64801 static { 18.122.0.0 masklen 16 The CLI configuration for router GSR2 is as follows: interface create ip to-R1 address-netmask 16.122.128.3/16 port et.1.1 interface create ip to-R3 address-netmask 17.122.128.3/16 port et.1.2 # Static route needed to reach 18.122.0.0/16...
The gated.conf file for router GSR3 is as follows: static { 16.122.0.0 masklen 16 The CLI configuration for router GSR4 is as follows: bgp create peer-group ebgp_multihop autonomous-system 64801 type external bgp add peer-host 18.122.128.2 group ebgp_multihop ! Specify the gateway option, which indicates EBGP multihop. Set the ! gateway option to the address of the router that has a route to the ! peer.
Page 149
Figure 12. Sample BGP Configuration (Well-Known Community)
The Community attribute can be used in three ways: In a BGP Group statement: Any packets sent to this group of BGP peers will have the communities attribute in the BGP packet modified to be this communities attribute value from this AS.
Page 150
Chapter 10: BGP Configuration Guide Figure 12, router GSR11 has the following configuration: # Create an optional attribute list with identifier color1 for a community # attribute (community-id 160 AS 64901) ip-router policy create optional-attributes-list color1 community-id 160 autonomous-system 64901 # Create an optional attribute list with identifier color2 for a community # attribute (community-id 155 AS 64901) ip-router policy create optional-attributes-list color2 community-id 155...
Page 152
Chapter 10: BGP Configuration Guide Figure 12, router GSR10 has the following configuration: # Create an optional attribute list with identifier color1 for a community # attribute (community-id 160 AS 64902) ip-router policy create optional-attributes-list color1 community-id 160 autonomous-system 64902 # Create an optional attribute list with identifier color2 for a community # attribute (community-id 155 AS 64902) ip-router policy create optional-attributes-list color2 community-id 155...
Page 153
The community attribute may be a single community or a set of communities. A maximum of 10 communities may be specified. The community attribute can take any of the following forms: • Specific community The specific community consists of the combination of the AS-value and community •...
Chapter 10: BGP Configuration Guide Notes on Using Communities When originating BGP communities, the set of communities that is actually sent is the union of the communities received with the route (if any), those specified in group policy (if any), and those specified in export policy (if any). When receiving BGP communities, the update is only matched if all communities specified in the optional-attributes-list option of the ip-router policy create command are present in the BGP update.
Page 155
In the sample network in Figure 13, all the traffic exits Autonomous System 64901 through the link between router GSR13 and router GSR11. This is accomplished by setting the Local_Pref attribute.
Figure 13. Sample BGP Configuration (Local_Pref Attribute)
Chapter 10: BGP Configuration Guide In router 12’s CLI configuration file, the import preference is set to 160:
# Set the set-pref metric for the IBGP peer group
bgp set peer-group as901 set-pref 100
ip-router policy create bgp-import-source as900 autonomous-system 64900 preference 160
Using the formula for local preference [Local_Pref = 254 - (global protocol preference for this route) + metric], the Local_Pref value put out by router...
Page 157
Figure 14. Sample BGP Configuration (MED Attribute)
Routers GSR4 and GSR6 inform router C1 about network 172.16.200.0/24 through External BGP (EBGP). Router GSR6 announces the route with a MED of 10, whereas router GSR4 announces the route with a MED of 20. Of the two EBGP routes, router C1 chooses the one with a smaller MED.
Chapter 10: BGP Configuration Guide EBGP Aggregation Example Figure 15 shows a simple EBGP configuration in which one peer is exporting an aggregated route to its upstream peer and restricting the advertisement of contributing routes to the same peer. The aggregated route is 212.19.192.0/19. AS-64900 212.19.199.62/24 212.19.198.1/24...
Router GSR9 has the following CLI configuration: bgp create peer-group rtr8 type external autonomous system 64900 bgp add peer-host 194.109.86.6 group rtr8 Route Reflection Example In some ISP networks, the internal BGP mesh becomes quite large, and the IBGP full mesh does not scale well.
Page 160
Chapter 10: BGP Configuration Guide Figure 16 shows a sample configuration that uses route reflection.
Figure 16. Sample BGP Configuration (Route Reflection)
In this example, there are two clusters. Router GSR10 is the route reflector for the first cluster and router GSR11 is the route reflector for the second cluster.
Page 161
Router 11 has router client peer. The following line in router reflector bgp set peer-group rtr11 reflector-client Even though the IBGP Peers are not fully meshed in AS 64901, the direct routes of router GSR14, that is, 192.68.222.0/24 in AS 64902 (which are redistributed in BGP) do show up in the route table of router GSR8 in AS64900, as shown below: ********************************************* * Route Table (FIB) of Router 8...
Chapter 10: BGP Configuration Guide Notes on Using Route Reflection • Two types of route reflection are supported: – By default, all routes received by the route reflector from a client are sent to all internal peers (including the client’s group, but not the client itself). –...
Route Import and Export Policy Overview The GSR family of routers supports extremely flexible routing policies. The GSR allows the network administrator to control import and export of routing information based on criteria including: • Individual protocol • Source and destination autonomous system •...
Chapter 11: Routing Policy Configuration Guide Preference Preference is the value the GSR routing process uses to order preference of routes from one protocol or peer over another. Preference can be set using several different configuration commands. Preference can be set based on one network interface over another, from one protocol over another, or from one remote gateway over another.
Import Policies Import policies control the importation of routes from routing protocols and their installation in the routing databases (Routing Information Base and Forwarding Information Base). Import Policies determine which routes received from other systems are used by the GSR routing process. Every import policy can have up to two components: •...
Chapter 11: Routing Policy Configuration Guide It is only possible to restrict the importation of OSPF ASE routes when functioning as an AS border router. Like the other interior protocols, preference cannot be used to choose between OSPF ASE routes. That is done by the OSPF costs. Route-Filter This component specifies the individual routes which are to be imported or restricted.
Export-Source This component specifies the source of the exported routes. It can also specify the metric to be associated with the routes exported from this source. The routes to be exported can be identified by their associated attributes: • Their protocol type (RIP, OSPF, BGP, Static, Direct, Aggregate). •...
Chapter 11: Routing Policy Configuration Guide Specifying a Route Filter Routes are filtered by specifying a route-filter that will match a certain set of routes by destination, or by destination and mask. Among other places, route filters are used with martians and in import and export policies.
Aggregates and Generates Route aggregation is a method of generating a more general route, given the presence of a specific route. It is used, for example, at an autonomous system border to generate a route to a network to be advertised via BGP given the presence of one or more subnets of that network learned via OSPF.
Chapter 11: Routing Policy Configuration Guide The routes contributing to an aggregate can be identified by their associated attributes: • Protocol type (RIP, OSPF, BGP, Static, Direct, Aggregate). • Autonomous system from which the route was learned. • AS path associated with a route. When BGP is configured, all routes are assigned an AS path when they are added to the routing table.
Authentication Methods There are mainly two authentication methods: Simple Password: In this method, an authentication key of up to 8 characters is included in the packet. If this does not match what is expected, the packet is discarded. This method provides little security, as it is possible to learn the authentication key by watching the protocol packets.
Chapter 11: Routing Policy Configuration Guide Configuring Simple Routing Policies Simple routing policies provide an efficient way for routing information to be exchanged between routing protocols. The redistribute command can be used to redistribute routes from one routing domain into another routing domain. Redistribution of routes between routing domains is based on route policies.
Redistributing Directly Attached Networks Routes to directly attached networks are redistributed to another routing protocol such as RIP or OSPF by the following command. The network parameter specifies a set of routes that will be redistributed by this command. If all direct routes are to be redistributed set the network parameter to all.
Chapter 11: Routing Policy Configuration Guide Redistributing OSPF to RIP For the purposes of route redistribution and import-export policies, OSPF intra- and inter- area routes are referred to as ospf routes, and external routes redistributed into OSPF are referred to as ospf-ase routes. Examples of ospf-ase routes include static routes, rip routes, direct routes, bgp routes, or aggregate routes, which are redistributed into an OSPF domain.
• Determine its RIP configuration !++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ! Create the various IP interfaces. !++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ interface create ip to-r2 interface create ip to-r3 interface create ip to-r41 address-netmask interface create ip to-r42 address-netmask interface create ip to-r6 interface create ip to-r7 !++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ! Configure a default route through 170.1.1.7 !++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ip add route default gateway 170.1.1.7...
Chapter 11: Routing Policy Configuration Guide Exporting All Static Routes to All RIP Interfaces Router R1 has several static routes. We would export these routes over all RIP interfaces. ip-router policy redistribute from-proto static to-proto rip network all Exporting All Static Routes Except the Default Route to All RIP Interfaces Router R1 has several static routes.
• Determine its OSPF configuration !++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ! Create the various IP interfaces. !++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ interface create ip to-r2 et.1.2 interface create ip to-r3 interface create ip to-r41 address-netmask interface create ip to-r42 address-netmask interface create ip to-r6 !+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ! Configure default routes to the other subnets reachable through R2. !+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ip add route 202.1.0.0/16 gateway 120.1.1.2 ip add route 160.1.5.0/24 gateway 120.1.1.2...
Chapter 11: Routing Policy Configuration Guide Router R1 would like to export all RIP, interface, and static routes to OSPF. ip-router policy redistribute from-proto rip to-proto ospf ip-router policy redistribute from-proto direct to-proto ospf ip-router policy redistribute from-proto static to-proto ospf Router R1 would also like to export interface, static, RIP, OSPF, and OSPF-ASE routes into RIP.
Page 179
• Route Filter - This component provides the means to define a filter for the routes to be distributed. Routes that match a filter are considered as eligible for redistribution. This can be done using one of two methods: – Creating a route-filter and associating an identifier with it.
Chapter 11: Routing Policy Configuration Guide Creating an Export Destination To create an export destination, enter one of the following commands in Configure mode: Create a RIP export destination. Create an OSPF export destination. Creating an Export Source To create an export source, enter one of the following commands in Configure mode: Create a RIP export source.
To create route import policies, enter the following command in Configure mode: Create an import policy. The <imp-src-id> is the identifier of the import-source that determines the source of the imported routes. If no routes from a particular source are to be imported, then no additional parameters are required.
Chapter 11: Routing Policy Configuration Guide Creating an Aggregate Route Route aggregation is a method of generating a more general route, given the presence of a specific route. The routing process does not perform any aggregation unless explicitly requested. Aggregate-routes can be constructed from one or more of the following building blocks: •...
The <filter-id> is the identifier of the route-filter associated with this aggregate. If there is more than one route-filter for any aggregate-destination and aggregate-source combination, then the ip-router policy aggr-gen destination <aggr-dest-id> source <aggr-src-id> command should be repeated for each <filter-id>.
Creating an Aggregate Destination
To create an aggregate destination, enter the following command in Configure mode: Create an aggregate...
The following configuration commands for router R1:
• Determine the IP address for each interface.
• Specify the static routes configured on the router.
• Determine its RIP configuration.
!++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
! Create the various IP interfaces.
!++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
interface create ip to-r2
interface create ip to-r3
interface create ip to-r41 address-netmask
interface create ip to-r42 address-netmask...
Chapter 11: Routing Policy Configuration Guide Importing a Selected Subset of Routes from One RIP Trusted Gateway Router R1 has several RIP peers. Router R41 has an interface on the network 10.51.0.0. By default, router R41 advertises network 10.51.0.0/16 in its RIP updates. Router R1 would like to import all routes except the 10.51.0.0/16 route from its peer R41.
Example 2: Importing from OSPF
Due to the nature of OSPF, only the importation of ASE routes may be controlled. OSPF intra- and inter-area routes are always imported into the GSR routing table with a preference of 10. If a tag is specified, the import clause will only apply to routes with the specified tag.
Figure 18. Exporting to OSPF (network diagram; areas shown: Area 140.1.0.0, Area Backbone, Area 150.20.0.0)
The following configuration commands for router R1:
• Determine the IP address for each interface
• Specify the static routes configured on the router
• Determine its OSPF configuration
!++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
! Create the various IP interfaces.
!++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
interface create ip to-r2
interface create ip to-r3
interface create ip to-r41 address-netmask
interface create ip to-r42 address-netmask...
Chapter 11: Routing Policy Configuration Guide Examples of Export Policies Example 1: Exporting to RIP Exporting to RIP is controlled by any of protocol, interface or gateway. If more than one is specified, they are processed from most general (protocol) to most specific (gateway). It is not possible to set metrics for exporting RIP routes into RIP.
• Determine its RIP configuration
!++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
! Create the various IP interfaces.
!++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
interface create ip to-r2
interface create ip to-r3
interface create ip to-r41 address-netmask
interface create ip to-r42 address-netmask
interface create ip to-r6
interface create ip to-r7
!++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
! Configure a default route through 170.1.1.7
!++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
ip add route default gateway 170.1.1.7...
Chapter 11: Routing Policy Configuration Guide
Exporting a Given Static Route to All RIP Interfaces
Router R1 has several static routes, of which one is the default route. We would export this default route over all RIP interfaces.
Create a RIP export destination since we would like to export routes into RIP.
ip-router policy create rip-export-destination ripExpDst
Create a Static export source since we would like to export static routes.
Create a static export source since we would like to export static routes.
ip-router policy create static-export-source statExpSrc
Create a RIP export source since we would like to export RIP routes.
ip-router policy create rip-export-source ripExpSrc
Create a Direct export source since we would like to export direct/interface routes.
ip-router policy create direct-export-source directExpSrc
Create the Export-Policy redistributing the statically created default route, and all (RIP, Direct) routes into RIP.
Create an Aggregate export source since we would like to export/redistribute an aggregate/summarized route.
ip-router policy create aggr-export-source aggrExpSrc
Create a RIP export source since we would like to export RIP routes.
ip-router policy create rip-export-source ripExpSrc
Create a Direct export source since we would like to export Direct routes.
ip-router policy create direct-export-source directExpSrc
Create the Export-Policy redistributing all (RIP, Direct) routes and the aggregate route 140.1.0.0/16 into RIP.
Chapter 11: Routing Policy Configuration Guide
The following configuration commands for router R1:
• Determine the IP address for each interface
• Specify the static routes configured on the router
• Determine its OSPF configuration
!++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
! Create the various IP interfaces.
!++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
interface create ip to-r2
interface create ip to-r3...
Create an OSPF export destination for type-2 routes since we would like to redistribute certain routes into OSPF as type 2 OSPF-ASE routes.
ip-router policy create ospf-export-destination ospfExpDstType2 type 2 metric 4
Create a Static export source since we would like to export static routes.
ip-router policy create static-export-source statExpSrc
Create a Direct export source since we would like to export interface/direct routes.
Chapter 11: Routing Policy Configuration Guide
Create an OSPF export destination for type-2 routes.
ip-router policy create ospf-export-destination ospfExpDstType2 type 2 metric 4
Create an OSPF export destination for type-2 routes with a tag of 100.
ip-router policy create ospf-export-destination ospfExpDstType2t100 type 2 tag 100 metric 4
Create a RIP export source.
12. Create the Export-Policy for redistributing all interface, RIP, static, OSPF and OSPF-ASE routes into RIP.
ip-router policy export destination ripExpDst source statExpSrc network all
ip-router policy export destination ripExpDst source ripExpSrc network all
ip-router policy export destination ripExpDst source directExpSrc network all
ip-router policy export destination ripExpDst source ospfExpSrc network all...
IP Multicast Overview Multicast routing on the GSR is supported through DVMRP and IGMP. IGMP is used to determine host membership on directly attached subnets. DVMRP is used to determine forwarding of multicast traffic between GSRs. This chapter: • Provides an overview of the GSR’s implementation of the Internet Group Management Protocol (IGMP) •...
Chapter 12: Multicast Routing Configuration Guide The GSR allows per-interface control of the host query interval and response time. Query interval defines the time between IGMP queries. Response time defines the time the GSR will wait for host responses to IGMP queries. The GSR can be configured to deny or accept group membership filters.
Configuring IGMP You configure IGMP on the GSR by performing the following configuration tasks: • Creating IP interfaces • Setting global parameters that will be used for all the interfaces on which DVMRP is enabled • Configuring IGMP on individual interfaces. You do so by enabling and disabling IGMP on interfaces and then setting IGMP parameters on the interfaces on which IGMP is enabled •...
Chapter 12: Multicast Routing Configuration Guide Configuring IGMP Response Wait Time You can configure the GSR with a wait time for IGMP Host Membership responses which is different from the default. The wait time you set then applies to all ports on the GSR. The default response time is 10 seconds.
Starting and Stopping DVMRP DVMRP is disabled by default on the GSR. To start or stop DVMRP, enter one of the following commands in Configure mode: Start DVMRP. Stop DVMRP. Configuring DVMRP on an Interface DVMRP can be controlled/configured on per-interface basis. An interface does not have to run both DVMRP and IGMP together.
Chapter 12: Multicast Routing Configuration Guide Configuring the DVMRP Routing Metric You can configure the DVMRP routing metric associated with a set of destinations for DVMRP reports. The default metric is 1. To configure the DVMRP routing metric, enter the following command in Configure mode: Configure the DVMRP routing metric.
To prevent the GSR from forwarding any data destined to a scoped group on an interface, enter the following command in the Configure mode: Configure the DVMRP scope. Configuring a DVMRP Tunnel The GSR supports DVMRP tunnels to the MBONE (the multicast backbone of the Internet).
Chapter 12: Multicast Routing Configuration Guide Monitoring IGMP & DVMRP You can monitor IGMP and DVMRP information on the GSR. To display IGMP and DVMRP information, enter the following commands in the Enable mode. Show all interfaces running DVMRP. Also shows the neighbors on each interface.
Configuration Examples The following is a sample GSR configuration for DVMRP and IGMP. Seven subnets are created. IGMP is enabled on 4 IP interfaces. The IGMP query interval is set to 30 seconds. DVMRP is enabled on 5 IP interfaces. IGMP is not running on “downstream” interfaces. ! Create VLANS.
Overview
You can configure the GSR to route IP packets according to policies that you define. IP policy-based routing allows network managers to engineer traffic to make the most efficient use of their network resources. IP policies forward packets based on layer-3 or layer-4 IP header information. You can define IP policies to route packets to a set of next-hop IP addresses based on any combination of the following IP header fields: •...
Chapter 13: IP Policy-Based Forwarding Configuration Guide For example, you can set up an IP policy to send packets originating from a certain network through a firewall, while letting other packets bypass the firewall. Using IP policies, sites that have multiple Internet service providers can cause user groups to use different ISPs.
Associating the Profile with an IP Policy Once you have defined a profile with the acl command, you associate the profile with an IP policy by entering one or more ip-policy statements. An ip-policy statement specifies the next-hop gateway (or gateways) where packets matching a profile are forwarded. To cause packets matching a defined profile to be forwarded to a next-hop gateway, enter the following command in Configure mode: Forward packets matching a...
Chapter 13: IP Policy-Based Forwarding Configuration Guide For example, the following commands create an IP policy called “p3”, which consists of two IP policy statements. The ip policy permit statement has a sequence number of 1, which means it is evaluated before the ip policy deny statement, which has a sequence number of 900.
To set the IP policy action with respect to dynamic or statically configured routes, enter one of the following commands in Configure mode: Cause packets matching the profile to use the IP policy route first. If the next-hop gateway is not reachable, use the dynamic route instead.
Chapter 13: IP Policy-Based Forwarding Configuration Guide Applying an IP Policy to an Interface After you define the IP policy, it must be applied to an inbound IP interface. Once the IP policy is applied to the interface, packets start being forwarded according to the IP policy. To apply an IP policy to an interface, enter one of the following commands in Configure mode: Apply a defined IP policy to...
In the sample configuration in originating within the corporate network between different ISPs (100.1.1.1 and 200.1.1.1).
Figure 19. Using an IP policy to route traffic to two different ISPs (diagram labels: Group user-a 10.50.*.*, Group user-b 11.50.*.*)
HTTP traffic originating from network 10.50.0.0 for destination 207.31.0.0/16 is forwarded to 100.1.1.1.
Chapter 13: IP Policy-Based Forwarding Configuration Guide Prioritizing Service to Customers An ISP can use policy-based routing on an access router to supply different customers with different levels of service. The sample configuration in an IP policy to classify customers and route traffic to different networks based on customer type.
The following is the IP policy configuration for the Policy Router in
interface create ip premium-customer address-netmask 10.50.1.1/16 port et.1.1
interface create ip standard-customer address-netmask 11.50.1.1/16 port et.1.2
acl premium-customer permit ip 10.50.0.0/16 any any any 0
acl standard-customer
ip-policy p1 permit acl premium-customer next-hop-list "100.1.1.1 100.1.1.2"...
Chapter 13: IP Policy-Based Forwarding Configuration Guide
The following is the IP policy configuration for the Policy Router in
interface create ip mls0 address-netmask 10.50.1.1/16 port et.1.1
acl contractors permit ip 10.50.1.0/24 any any any 0
acl full-timers permit ip 10.50.2.0/24 any any any 0
ip-policy access permit acl contractors next-hop-list 11.1.1.1 action policy-only
ip-policy access permit acl full-timers next-hop-list 12.1.1.1 action...
The following is the configuration for Policy Router 1 in
vlan create firewall
vlan add ports et.1.(1-5) to firewall
interface create ip firewall address-netmask 1.1.1.5/16 vlan firewall
acl firewall permit ip any any any 0
ip-policy p1 permit acl firewall next-hop-list "1.1.1.1 1.1.1.2 1.1.1.3 1.1.1.4"...
Chapter 13: IP Policy-Based Forwarding Configuration Guide To display IP policy information, enter the following commands in Enable mode. Display information about all IP policies. Display statistics about a specific IP policy. Display information about all IP policies on a specified interface.
Legend:
The name of the IP policy.
The interface where the IP policy was applied.
The load distribution setting for IP-policy statements that have more than one next-hop gateway; either first available (the default) or round-robin.
The names of the profiles (created with an acl statement) associated with this IP policy.
Overview Note: Some commands in this facility require updated GSR hardware. Please refer to the Release Notes for details. Network Address Translation (NAT) allows an IP address used within one network to be translated into a different IP address used within another network. NAT is often used to map addresses used in a private, local intranet to one or more addresses used in the public, global Internet.
Chapter 14: Network Address Translation Configuration Guide The GSR allows you to create the following NAT address bindings: • Static, one-to-one binding of inside, local address or address pool to outside, global address or address pool. A static address binding does not expire until the command that defines the binding is negated.
Setting NAT Rules
Static
You create NAT static bindings by entering the following command in Configure mode. Enable NAT with static address binding.
Dynamic
You create NAT dynamic bindings by entering the following command in Configure mode: Enable NAT with dynamic address binding.
Chapter 14: Network Address Translation Configuration Guide NAT and FTP File Transfer Protocol (FTP) packets require special handling with NAT, because the FTP PORT command packets contain IP address information within the data portion of the packet. It is therefore important for NAT to know which control port is used for FTP (the default is port 21) and the timeout for the FTP session (the default is 30 minutes).
The first step is to create the interfaces:
interface create ip 10-net address-netmask 10.1.1.1/24 port et.2.1
interface create ip 192-net address-netmask 192.50.20.1/24 port et.2.2
Next, define the interfaces to be NAT “inside” or “outside”:
nat set interface 10-net inside
nat set interface 192-net outside
Then, define the NAT static rules:
nat create static protocol ip local-ip 10.1.1.2 global-ip 192.50.20.2
Using Static NAT...
Chapter 14: Network Address Translation Configuration Guide
Dynamic Configuration
The following example configures a dynamic address binding for inside addresses 10.1.1.0/24 to outside address 192.50.20.0/24:
(Figure: IP network 10.1.1.0/24 with hosts 10.1.1.2, 10.1.1.3 and 10.1.1.4. Outbound: Translate source pool 10.1.1.0/24 to global pool 192.50.20.0/24)
The first step is to create the interfaces:
interface create ip 10-net address-netmask 10.1.1.1/24 port et.2.1
interface create ip 192-net address-netmask 192.50.20.1/24 port et.2.2...
Dynamic bindings are removed when the flow count for that binding goes to zero or the timeout has been reached. The free globals are used again for the next packet. A typical problem is that if there are more local IP addresses than global IP addresses in the pools, then packets will be dropped if all the globals are used.
Chapter 14: Network Address Translation Configuration Guide Using Dynamic NAT with IP Overload Dynamic NAT with IP overload can be used when the local network (inside network) will be initializing the connections using TCP or UDP protocols. It creates a binding at run time when the packet comes from a local network defined in the NAT dynamic local ACL pool.
Next, define the interfaces to be NAT “inside” or “outside”:
nat set interface 10-net inside
nat set interface 192-net outside
nat set interface 201-net outside
Then, define the NAT dynamic rules by first creating the source ACL pool and then configuring the dynamic bindings:
acl lcl permit ip 10.1.1.0/24
nat create dynamic local-acl-pool lcl global-pool 192.50.20.0/24 matching-...
Overview
Accessing information on Web sites for both work and personal purposes is becoming a normal practice for an increasing number of people. For many companies, fast and efficient Web access is important for both external customers who need to access the company Web sites, as well as for users on the corporate intranet who need to access Internet Web sites.
Chapter 15: Web Hosting Configuration Guide Load Balancing Note: Some commands in this facility require updated GSR hardware. Please refer to the Release Notes for details. You can use the load balancing feature on the GSR to distribute session load across a group of servers.
Specifying Load Balancing Policy (Optional)
The default policy for distributing workload among the load balancing servers is “round-robin,” where the GSR selects the server on a rotating basis without regard to the load on individual servers. Other policies can be chosen for the group, including least loaded, where the server with the fewest number of sessions bound to it is selected to service a new session.
Chapter 15: Web Hosting Configuration Guide To set the status of a load balancing server, enter the following command in Enable mode. Set status of load balancing server. Load Balancing and FTP File Transfer Protocol (FTP) packets require special handling with load balancing, because the FTP PORT command packets contain IP address information within the data portion of the packet.
Setting Timeouts for Load Balancing Mappings A mapping between a host (source) and a load-balancing server (destination) times out after a certain period. You can specify the timeout for source-destination load balancing mappings. To specify the timeout for load balancing mappings, enter the following command in Configure mode.
Chapter 15: Web Hosting Configuration Guide Configuration Examples This section shows examples of load balancing configurations. Web Hosting with One Virtual Group and Multiple Destination Servers In the following example, a company web site is established with a URL of www.GoodCompany.com.
Web Hosting with Multiple Virtual Groups and Multiple Destination Servers
In the following example, two different servers are used to provide different services for a site.
(Figure labels: 10.1.1.1 www.quick.com; 10.1.1.2 ftp.quick.com. Table column: Domain Name: www.quick.com, ftp.quick.com)
The network shown above can be created with the following load-balance commands:
load-balance create group-name quick-www virtual-ip 207.135.89.16 virtual-port 80 protocol tcp
load-balance create group-name quick-ftp virtual-ip 207.135.89.16 virtual-port 21...
Chapter 15: Web Hosting Configuration Guide
Virtual IP Address Ranges
ISPs who provide web hosting services for their clients require a large number of virtual IP addresses (VIPs). The load-balance create vip-range-name and load-balance add host-to-vip-range commands were created specifically for this. An ISP can create a range of VIPs for up to an entire class C network with the load-balance create vip-range-name command.
The network shown in the previous example can be created with the following load-balance commands:
load-balance create vip-range-name mywwwrange 207.135.89.16-207.135.89.50 virtual-port 80 protocol tcp
load-balance add host-to-vip-range 10.1.1.16-10.1.1.50 vip-range-name mywwwrange port 80
load-balance add host-to-vip-range 10.1.2.16-10.1.2.50 vip-range-name mywwwrange port 80
Web Caching
Web caching provides a way to store frequently accessed Web objects on a cache of local servers.
Chapter 15: Web Hosting Configuration Guide To create the cache group, enter the following command in Configure mode: Create the cache group. Specifying the Client(s) for the Cache Group (Optional) You can explicitly specify the hosts whose HTTP requests are or are not redirected to the cache servers.
Configuration Example
In the following example, a cache group of seven local servers is configured to store Web objects for users in the local network:
(Figure labels: Cache1. s2 Servers: 186.89.10.51, 186.89.10.55. s1 Servers: 176.89.10.50, 176.89.10.51, 176.89.10.52, 176.89.10.53, 176.89.10.54)
The following commands configure the cache group ‘cache1’ that contains the servers shown in the figure above and applies the caching policy to the interface ‘ip1’:
gs/r(config)# web-cache cache1 create server-list s1 range "176.89.10.50 176.89.10.54"...
Chapter 15: Web Hosting Configuration Guide Bypassing Cache Servers Some Web sites require source IP address authentication for user access, therefore HTTP requests for these sites cannot be redirected to the cache servers. To specify the sites for which HTTP requests are not redirected to the cache servers, enter the following command in Configure mode: Define destination sites to which HTTP requests are sent directly.
Monitoring Web-Caching
To display Web-caching information, enter the following commands in Enable mode.
Show information for all caching policies and all server lists: web-cache show all
Show caching policy information: web-cache show cache-name
Show cache server information: web-cache show servers cache |all
IPX Routing Overview
The Internetwork Packet Exchange (IPX) is a connectionless datagram protocol for the Novell NetWare environment. You can configure the GSR for IPX routing and SAP. Routers interconnect different network segments and by definition are network layer devices. Thus routers receive their instructions for forwarding a packet from one segment to another from a network layer protocol.
Chapter 16: IPX Routing Configuration Guide RIP (Routing Information Protocol) IPX routers use RIP to create and dynamically maintain a database of internetwork routing information. RIP allows a router to exchange routing information with a neighboring router. As a router becomes aware of any change in the internetwork layout, this information is immediately broadcast to any neighboring routers.
• Routers make periodic broadcasts to make sure all other routers are aware of the internetwork configuration • Routers perform broadcasting whenever they detect a change in the internetwork configurations Configuring IPX RIP & SAP This section provides an overview of configuring various IPX parameters and setting up IPX interfaces.
Chapter 16: IPX Routing Configuration Guide IPX Addresses The IPX address is a 12-byte number divided into three parts. The first part is the 4-byte (8-character) IPX external network number. The second part is the 6-byte (12-character) node number. The third part is the 2-byte (4-character) socket number. Configuring IPX Interfaces and Parameters This section provides an overview of configuring various IPX parameters and setting up IPX interfaces.
• 802.3: 802.3 encapsulation method used within Novell IPX environments • 802.2: 802.2 encapsulation method used within Novell IPX environments Configure Ethernet II encapsulation. Configure 802.3 SNAP encapsulation. Configure 802.3 IPX encapsulation. Configure 802.2 IPX encapsulation. Configuring IPX Routing By default, IPX routing is enabled on the GSR. Enabling IPX RIP IPX RIP is enabled by default on the GSR.
Chapter 16: IPX Routing Configuration Guide Configuring Static SAP Table Entries Servers in an IPX network use SAP to advertise services via broadcast packets. Services from servers are stored in the Server Information Table. If you want to have a service explicitly advertised with different hops, you will need to configure a static entry.
Creating an IPX Type 20 Access Control List IPX type 20 access control lists control the forwarding of IPX type 20 packets. To create an IPX type 20 access control list, enter the following command in Configure mode: Create an IPX type 20 access control list.
Chapter 16: IPX Routing Configuration Guide Creating an IPX RIP Access Control List IPX RIP access control lists control which RIP updates are allowed. To create an IPX RIP access control list, perform the following task in the Configure mode: Create an IPX RIP access control list.
Configuration Examples
This example performs the following configuration:
• Creates IPX interfaces
• Adds static RIP routes
• Adds static SAP entries
• Adds a RIP access list
• Adds a SAP access list
• Adds a GNS access list
! Create interface ipx1 with ipx address AAAAAAAA
interface create ipx ipx1 address AAAAAAAA port et.1.1 output-mac-encapsulation ethernet_802.2_IPX...
Note: Some commands in this facility require updated GSR hardware. Please refer to the Release Notes for details. This chapter explains how to configure and use Access Control Lists (ACLs) on the GSR. ACLs are lists of selection criteria for specific types of packets. When used in conjunction with certain GSR functions, ACLs allow you to restrict Layer-3/4 traffic going through the router.
Chapter 17: Access Control List Configuration Guide ACL Basics An ACL consists of one or more rules describing a particular type of IP or IPX traffic. ACLs can be simple, consisting of only one rule, or complicated with many rules. Each rule tells the GSR to either permit or deny packets that match selection criteria specified in the rule.
These selection criteria are specified as fields of an ACL rule. The following syntax description shows the fields of an IP ACL rule: <name> permit|deny ip Note: The acl permit|deny ip command restricts traffic for all IP-based protocols, such as TCP, UDP, ICMP, and IGMP. Variants of the acl permit|deny ip command exist that allow you to restrict traffic for a specific IP-based protocol;...
Chapter 17: Access Control List Configuration Guide How ACL Rules are Evaluated For an ACL with multiple rules, the ordering of the rules is important. When the GSR checks a packet against an ACL, it goes through each rule in the ACL sequentially. If a packet matches a rule, it is forwarded or dropped based on the permit or deny keyword in the rule.
With the implicit deny rule, this ACL actually has three rules:
acl 101 permit ip 1.2.3.4/24 any any any
acl 101 permit ip 4.3.2.1/24 any nntp any
acl 101 deny any any any any any
If a packet comes in and doesn't match the first two rules, the packet is dropped. This is because the third rule (the implicit deny rule) matches all packets....
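The rule ordering and implicit deny described above, as an added example (not from the manual and not GSR code): a small Python model that evaluates packets first-match-wins and flags rules that can never fire because an earlier rule already covers them. The field order (source, destination, source port, destination port) is an assumption read off the sample rules on this page; the deny rule for host 1.2.3.77 and the test packets are constructed.

```python
import ipaddress

# 'nntp' is the port keyword in the manual's sample rule (NNTP is TCP port 119).
PORT_NAMES = {"nntp": 119}
# The rule the manual says implicitly ends every ACL.
IMPLICIT_DENY = "acl 101 deny any any any any any"

# The two explicit rules shown in the manual.
ACL_101 = [
    "acl 101 permit ip 1.2.3.4/24 any any any",
    "acl 101 permit ip 4.3.2.1/24 any nntp any",
]
# Constructed variant: a host-specific deny placed AFTER a broader permit.
ACL_SHADOWED = [
    "acl 101 permit ip 1.2.3.4/24 any any any",
    "acl 101 deny ip 1.2.3.77 any any any",
    "acl 101 permit ip 4.3.2.1/24 any nntp any",
]


def _net(field):
    # strict=False accepts host bits in the prefix, as in 1.2.3.4/24.
    return None if field == "any" else ipaddress.ip_network(field, strict=False)


def _port(field):
    if field == "any":
        return None
    return PORT_NAMES[field] if field in PORT_NAMES else int(field)


def parse_rule(text):
    """Parse 'acl <name> permit|deny [ip] <src> <dst> <sport> <dport>' (assumed order)."""
    fields = text.split()
    if fields[0] == "acl":
        fields = fields[2:]                      # drop 'acl <name>'
    action, rest = fields[0], fields[1:]
    if rest and rest[0] == "ip":
        rest = rest[1:]
    rest = rest + ["any"] * (4 - len(rest))      # omitted trailing fields match anything
    src, dst, sport, dport = rest[:4]
    return {"action": action, "src": _net(src), "dst": _net(dst),
            "sport": _port(sport), "dport": _port(dport)}


def packet(src, sport, dst="192.0.2.10", dport=40000):
    """Constructed test packet; only the fields the model inspects."""
    return {"src": src, "dst": dst, "sport": sport, "dport": dport}


def matches(rule, pkt):
    return ((rule["src"] is None or ipaddress.ip_address(pkt["src"]) in rule["src"])
            and (rule["dst"] is None or ipaddress.ip_address(pkt["dst"]) in rule["dst"])
            and rule["sport"] in (None, pkt["sport"])
            and rule["dport"] in (None, pkt["dport"]))


def evaluate(acl, pkt):
    """Return (action, rule_number) of the first matching rule, implicit deny last."""
    rules = [parse_rule(r) for r in acl] + [parse_rule(IMPLICIT_DENY)]
    for number, rule in enumerate(rules, start=1):
        if matches(rule, pkt):
            return rule["action"], number


def _covers(earlier, later):
    """True if every packet matched by 'later' is already matched by 'earlier'."""
    def net_ok(a, b):
        return a is None or (b is not None and b.subnet_of(a))

    def port_ok(a, b):
        return a is None or a == b

    return (net_ok(earlier["src"], later["src"]) and net_ok(earlier["dst"], later["dst"])
            and port_ok(earlier["sport"], later["sport"])
            and port_ok(earlier["dport"], later["dport"]))


def shadowed_rules(acl):
    """Return (rule_number, covering_rule_number) for rules that can never be reached."""
    rules = [parse_rule(r) for r in acl]
    found = []
    for j, later in enumerate(rules):
        for i, earlier in enumerate(rules[:j]):
            if _covers(earlier, later):
                found.append((j + 1, i + 1))
                break
    return found


if __name__ == "__main__":
    print(evaluate(ACL_101, packet("4.3.2.9", 80)))        # falls through to implicit deny
    print(evaluate(ACL_SHADOWED, packet("1.2.3.77", 40000)))
    print(shadowed_rules(ACL_SHADOWED))
```

Running the shadow check over an ACL file before uploading it catches a deny that was meant to carve an exception out of a permit but was placed too late to take effect.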
Chapter 17: Access Control List Configuration Guide Allowing External Responses to Established TCP Connections Typically organizations that are connected to the outside world implement ACLs to deny access to the internal network. If an internal user wishes to connect to the outside world, the request is sent;...
Editing ACLs Offline You can create and edit ACLs on a remote host and then upload them to the GSR with TFTP or RCP. With this method, you use a text editor on a remote host to edit, delete, replace, or reorder ACL rules in a file. Once the changes are made, you can then upload the ACLs to the GSR using TFTP or RCP and make them take effect on the running system.
Chapter 17: Access Control List Configuration Guide Maintaining ACLs Using the ACL Editor In addition to the traditional method of maintaining ACLs using TFTP or RCP, the GSR provides a simpler and more user-friendly mechanism to maintain ACLs: the ACL Editor. The ACL Editor can only be accessed within Configure mode using the acl-edit command.
restriction does not prevent you from specifying many rules in an ACL. You just have to put all of these rules into one ACL and apply it to an interface. When a packet comes into the GSR at an interface where an inbound ACL is applied, the GSR compares the packet to the rules specified by that ACL.
Chapter 17: Access Control List Configuration Guide To apply an ACL to a service, enter the following command in Configure mode: Apply ACL to a service. Using ACLs as Profiles You can use the acl command to define a profile. A profile specifies the criteria that addresses, flows, hosts, or packets must meet to be relevant to certain GSR features.
• Only certain ACL rule parameters are relevant for each configuration command. For example, the configuration command to create NAT address pools for dynamic bindings (the nat create dynamic command) only looks at the source IP address in the specified ACL rule. The destination IP address, ports, and TOS parameters, if specified, are ignored.
Chapter 17: Access Control List Configuration Guide Using Profile ACLs with the Traffic Rate Limiting Facility Traffic rate limiting is a mechanism that allows you to control bandwidth usage of incoming traffic on a per-flow basis. A flow meeting certain criteria can have its packets re-prioritized or dropped if its bandwidth usage exceeds a specified limit.
The following command creates a Profile ACL called local. The local profile specifies as its selection criteria the range of IP addresses in network 10.1.1.0/24.
gs/r(config)# acl local permit ip 10.1.1.0/24
Note: When a Profile ACL is defined for dynamic NAT, only the source IP address field in the acl statement is evaluated.
Chapter 17: Access Control List Configuration Guide Using Profile ACLs with the Web Caching Facility Web caching is the GSR’s ability to direct HTTP requests for frequently accessed Web objects to local cache servers, rather than to the Internet. Since the HTTP requests are handled locally, response time is faster than if the Web objects were retrieved from the Internet.
This command creates a Profile ACL called prof5 that uses as its selection criteria all packets with a source address of 1.2.3.4 and a destination address of 10.10.10.10:
gs/r(config)# acl prof5 permit ip 1.2.3.4 10.10.10.10
To have packets matching Profile ACL prof5’s selection criteria bypass the cache servers, use the following command:
gs/r(config)# web-cache policy1 create bypass-list profile prof5
When the Web caching policy is applied to an interface, information in packets originating...
Chapter 17: Access Control List Configuration Guide Monitoring ACLs The GSR provides a display of ACL configurations active in the system. To display ACL information, enter the following commands in Enable mode. Show all ACLs. Show a specific ACL. Show an ACL on a specific interface. Show ACLs on all IP interfaces.
Security Overview The GSR provides security features that help control access to the GSR and filter traffic going through the GSR. Access to the GSR can be controlled by: • Enabling RADIUS • Enabling TACACS • Enabling TACACS Plus • Password authentication Traffic filtering on the GSR enables: •...
Chapter 18: Security Configuration Guide Configuring GSR Access Security This section describes the following methods of controlling access to the GSR: • RADIUS • TACACS • TACACS Plus • Passwords Configuring RADIUS You can secure login or Enable mode access to the GSR by enabling a Remote Authentication Dial-In Service (RADIUS) client.
Monitoring RADIUS You can monitor RADIUS configuration and statistics within the GSR. To monitor RADIUS, enter the following commands in Enable mode: Show RADIUS server statistics. Show all RADIUS parameters. Configuring TACACS In addition, Enable mode access to the GSR can be made secure by enabling a Terminal Access Controller Access Control System (TACACS) client.
Chapter 18: Security Configuration Guide Configuring TACACS Plus You can secure login or Enable mode access to the GSR by enabling a TACACS Plus client. A TACACS Plus server responds to the GSR TACACS Plus client to provide authentication. You can configure up to five TACACS Plus server targets on the GSR. A timeout is set to tell the GSR how long to wait for a response from TACACS Plus servers.
Monitoring TACACS Plus You can monitor TACACS Plus configuration and statistics within the GSR. To monitor TACACS Plus, enter the following commands in Enable mode: Show TACACS Plus server statistics. Show all TACACS Plus parameters. Configuring Passwords The GSR provides password authentication for accessing the User and Enable modes. If TACACS is not enabled on the GSR, only local password authentication is performed.
Chapter 18: Security Configuration Guide • Secure port filters A secure filter shuts down access to the GSR based on MAC addresses. All packets received by a port are dropped. When combined with static entries, however, these filters can be used to drop all received traffic but allow some frames to go through. Configuring Layer-2 Address Filters If you want to control access to a source or destination on a per-MAC address basis, you can configure an address filter.
To configure Layer-2 port address lock filters, enter the following commands in Configure mode: Configure a port address lock filter. Configuring Layer-2 Static Entry Filters Static entry filters allow or force traffic to go to a set of destination ports based on a frame's source MAC address, destination MAC address, or both source and destination MAC addresses in flow bridging mode.
Chapter 18: Security Configuration Guide You can combine secure port filters with static entries in the following ways: • Combine a source secure port filter with a source static entry to drop all received traffic but allow any frame coming from specific source MAC address to go through •...
Layer-2 Filter Examples Example 1: Address Filters Source filter: The consultant is not allowed to access any file servers. The consultant is only allowed to interact with the engineers on the same Ethernet segment – port et.1.1. All traffic coming from the consultant’s MAC address will be dropped. filters add address-filter name consultant source-mac 001122:334455 vlan 1 in-port-list et.1.1 Destination filter: No one from the engineering group (port et.1.1) should be allowed to...
Destination secure port: To block access to all file servers on all ports from port et.1.1 use the following command: filters add secure-port name engineers direction dest vlan 1 in-port-list et.1.1 To allow all engineers access to the engineering servers, you must “punch” a hole through the secure-port wall.
QoS Configuration QoS & Layer-2/Layer-3/Layer-4 Flow Overview The GSR allows network managers to identify traffic and set Quality of Service (QoS) policies without compromising wire speed performance. The GSR can guarantee bandwidth on an application by application basis, thus accommodating high-priority traffic even during peak periods of usage.
Chapter 19: QoS Configuration Guide Within the GSR, QoS policies are used to classify Layer-2, Layer-3, and Layer-4 traffic into the following priorities: • Control • High • Medium • Low By assigning priorities to network traffic, you can ensure that critical traffic will reach its destination even if the exit ports for the traffic are experiencing greater-than-maximum utilization.
GSR Queuing Policies You can use one of two queuing policies on the GSR: • Strict priority: Assures the higher priorities of throughput but at the expense of lower priorities. For example, during heavy loads, low-priority traffic can be dropped to preserve throughput of control-priority traffic, and so on.
• The frame gets assigned a priority within the switch, AND if the exit ports are trunk ports, the frame is assigned an 802.1Q priority. Select a number from 0 to 7. The mapping of 802.1Q to internal priorities is the following: (0 = low) (1,2,3 =medium) (4,5,6 = high) (7 = control).
Setting an IP QoS Policy To set a QoS policy on an IP traffic flow, enter the following command in Configure mode: Set an IP QoS policy. For example, the following command assigns control priority to any traffic coming from the 10.10.11.0 network: gs/r(config)# qos set ip xyz control 10.10.11.0/24 Specifying Precedence for an IP QoS Policy...
Chapter 19: QoS Configuration Guide Specifying Precedence for an IPX QoS Policy To specify the precedence for an IPX QoS policy, enter the following command in Configure mode: Specify precedence for an IPX QoS policy. Configuring GSR Queueing Policy The GSR queuing policy is set on a system-wide basis. The GSR default queuing policy is strict priority.
The ToS octet part of the IP specification, however, has not been widely employed in the past. The IETF is looking into using the ToS octet to help resolve IP quality problems. Some newer routing protocols, like OSPF and IS-IS, are designed to be able to examine the ToS octet and calculate routes based on the type of service.
Chapter 19: QoS Configuration Guide The <tos> and <tos-mask> parameters use values ranging from 0 to 255. They are used in conjunction with each other to define which bit in the <tos> field of the packet is significant. The <tos-precedence-rewrite> value ranges from 0 to 7 and is the value that is rewritten in the ToS Precedence field (the first three bits of the ToS octet).
The following example will rewrite the ToS Precedence and the ToS fields to 5 and 30 if the incoming packet is from the 10.10.10.0/24 network with the ToS Precedence field set to 2 and the ToS field set to 7. (In this example, the MBZ bit is included in the ToS field.) The figure below shows how the parameter values are derived.
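The derivation this example describes, worked through as an added Python illustration (not code from the manual and not GSR CLI syntax). It assumes the standard ToS octet layout with the precedence in the top three bits, treats `<tos>` and `<tos-mask>` as an ordinary value-and-mask comparison, and uses constructed packets; the function names are hypothetical.

```python
import ipaddress

PRECEDENCE_SHIFT = 5   # ToS Precedence: first three bits of the octet
TOS_FIELD_MAX = 0x1F   # ToS field with the MBZ bit included: low five bits

# Values taken from the manual's example.
SOURCE_NET = ipaddress.ip_network("10.10.10.0/24")
MATCH_PRECEDENCE, MATCH_TOS_FIELD = 2, 7
REWRITE_PRECEDENCE, REWRITE_TOS_FIELD = 5, 30


def compose_octet(precedence, tos_field):
    """Build the 8-bit ToS octet from precedence (0-7) and ToS+MBZ (0-31)."""
    if not 0 <= precedence <= 7:
        raise ValueError("precedence must be 0-7")
    if not 0 <= tos_field <= TOS_FIELD_MAX:
        raise ValueError("ToS field (MBZ included) must be 0-31")
    return (precedence << PRECEDENCE_SHIFT) | tos_field


def matches(packet_octet, tos, tos_mask):
    """Assumed semantics: only the bits set in tos_mask are compared."""
    for value in (packet_octet, tos, tos_mask):
        if not 0 <= value <= 255:
            raise ValueError("octet values must be 0-255")
    return (packet_octet & tos_mask) == (tos & tos_mask)


def apply_policy(src_ip, packet_octet, tos_mask=0xFF):
    """Return the ToS octet after the policy; unchanged when nothing matches."""
    if ipaddress.ip_address(src_ip) not in SOURCE_NET:
        return packet_octet
    tos = compose_octet(MATCH_PRECEDENCE, MATCH_TOS_FIELD)
    if not matches(packet_octet, tos, tos_mask):
        return packet_octet
    return compose_octet(REWRITE_PRECEDENCE, REWRITE_TOS_FIELD)


if __name__ == "__main__":
    # Constructed sample packets: (source address, incoming ToS octet).
    packets = [
        ("10.10.10.25", 0b01000111),  # precedence 2, ToS 7: rewritten
        ("10.10.10.25", 0b01000110),  # precedence 2, ToS 6: left alone
        ("10.10.11.25", 0b01000111),  # wrong source network: left alone
    ]
    for src, octet in packets:
        out = apply_policy(src, octet)
        print(f"{src:<12} in={octet:08b} ({octet:3d})  out={out:08b} ({out:3d})")
    # A mask covering only the precedence bits makes the ToS bits irrelevant.
    print("precedence-only mask:", apply_policy("10.10.10.25", 0b01000110, 0xE0))
```

With all eight bits significant the match value is 71 and the rewritten octet is 190; narrowing the mask to 0xE0 makes any precedence-2 packet from the network match.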
Chapter 19: QoS Configuration Guide Limiting Traffic Rate Note: Some commands in this facility require updated GSR hardware. Please refer to the Release Notes for details. Traffic rate limiting provides the ability to control the usage of a fundamental network resource, bandwidth.
Traffic from two interfaces, ‘ipclient1’ with IP address 1.2.2.2 and ‘ipclient2’ with IP address 3.1.1.1, is restricted to 10 Mbps for each flow with the following configuration: vlan create client1 ip vlan create backbone ip vlan create client2 ip vlan add ports et.1.1 to client1 vlan add ports et.1.2 to client2 vlan add ports et.1.8 to backbone interface create ip ipclient1 vlan client1 address-netmask 1.1.1.1/8...
Performance Monitoring Overview The GSR is a full wire-speed layer-2, 3 and 4 switching router. As packets enter the GSR, layer-2, 3, and 4 flow tables are populated on each line card. The flow tables contain information on performance statistics and traffic forwarding. Thus the GSR provides the capability to monitor performance at Layer 2, 3, and 4.
Chapter 20: Performance Monitoring Guide Show all L2 flows (for ports in flow-bridging mode). Show information about the master MAC table. Show information about a particular MAC address. Show info about multicasts registered by IGMP. Show whether IGMP is on or off on a VLAN.
Configuring the GSR for Port Mirroring The GSR allows you to monitor activity with port mirroring. Port mirroring allows you to monitor the performance and activities of one or more ports on the GSR or for traffic defined by an ACL through just a single, separate port. While in Configure mode, you can configure your GSR for port mirroring with a simple command line like the following: Configure Port Mirroring.
RMON Overview You can employ Remote Network Monitoring (RMON) in your network to help monitor traffic at remote points on the network. With RMON, data collection and processing is done with a remote probe, namely the GSR. The GSR also includes RMON agent software that communicates with a network management station via SNMP.
Chapter 21: RMON Configuration Guide Configuring and Enabling RMON By default, RMON is disabled on the GSR. To configure and enable RMON on the GSR, follow these steps: Turn on the Lite, Standard, or Professional RMON groups by entering the rmon set lite|standard|professional command.
The next sections describe Lite, Standard, and Professional RMON groups and control tables. RMON Groups The RMON MIB groups are defined in RFCs 1757 (RMON 1) and 2021 (RMON 2). On the GSR, you can configure one or more levels of RMON support for a set of ports. Each level—Lite, Standard, or Professional—enables different sets of RMON groups (described later in this section).
Chapter 21: RMON Configuration Guide Lite RMON Groups This section describes the RMON groups that are enabled when you specify the Lite support level. The Lite RMON groups are shown in the table below. Table 6. Lite RMON Groups Group EtherStats Event Alarm...
The Professional RMON groups are shown in the table below. Table 8. Professional RMON Groups Group Protocol Directory Protocol Distribution Application Layer Host Network Layer Host Application Layer Matrix (and Top N) Network Layer Matrix (and Top N) Address Map User History Control Tables Many RMON groups contain both control and data tables.
Chapter 21: RMON Configuration Guide If you choose to create default control tables, entries are created in the control tables for each port on the GSR for the following groups: Lite groups: Standard groups: Professional groups: A row in the control table is created for each port on the GSR, with the owner set to “monitor”.
For example, use the rmon show protocol-distribution command to see the kinds of traffic received on a given port: gs/r# rmon show protocol-distribution et.5.5 RMON II Protocol Distribution Table Index: 506, Port: et.1.7, Owner: monitor Pkts ---- In the example output above, only HTTP and ICMP traffic is being received on this port. To find out which host or user is using these applications/protocols on this port, use the following command: gs/r# rmon show al-matrix et.5.5...
Chapter 21: RMON Configuration Guide The following table shows the rmon command that you use to configure each RMON group: To configure the Address Map group. To configure the Application Layer Matrix top n entries. To configure the Alarm group. To configure the Packet Capture group.
To configure the Application Layer and Network Layer Host groups. To configure the Application Layer and Network Layer Matrix groups. To configure the Host group. To configure the Host Top N entries. To configure the Matrix group. To configure the Network Layer Matrix top n entries.
Chapter 21: RMON Configuration Guide The following examples configure the GSR to create an event when a module is hot swapped into the chassis or any new IP interface is configured. The managed object ifTableLastChanged (from RFC 2233) has an object identifier (OID) of 1.3.6.1.2.1.31.1.5.0 and the GSR will poll this OID every 5 minutes (300 seconds).
Displaying RMON Information The CLI rmon show commands allow you to display the same RMON statistics that can be viewed from a management station. To display RMON statistics for the GSR, use the following CLI command lines in Enable mode: To show Ethernet statistics.
Chapter 21: RMON Configuration Guide To show all user history logs. To show probe configuration. To display Ethernet statistics and related statistics for WAN ports, RMON has to be activated on that port. To activate RMON on a port, use the frame-relay define service or ppp define service command, and the frame-relay apply service or ppp apply service command.
The following shows the same rmon show hosts command with a filter applied so that only hosts with inpkts greater than 500 are displayed: gs/r# rmon apply cli-filter 4 gs/r# rmon show hosts et.5.4 RMON I Host Table Filter: inpkts > 500 Address Port -------...
Chapter 21: RMON Configuration Guide Troubleshooting RMON If you are not seeing the information you expected with an rmon show command, or if the network management station is not collecting the desired statistics, first check that the port is up. Then, use the rmon show status command to check the RMON configuration on the GSR.
If you or your application are unable to create a control table row, check the snmp show status output for errors. Make sure that there is a read-write community string. Verify that you can ping the GSR and that no ACLs prevent you from using SNMP to access the GSR.
Chapter 21: RMON Configuration Guide Any memory allocation failures are reported. The following is an example of the information shown with the rmon show status command: gs/r# rmon show status RMON Status ----------- * RMON is ENABLED * RMON initialization successful. +--------------------------+ | RMON Group Status | +-------+--------+---------+...
This chapter provides an overview of Wide Area Network (WAN) applications as well as an overview of both Frame Relay and PPP configuration for the GSR. In addition, you can view an example of a multi-router WAN configuration complete with diagram and configuration files in WAN Overview On the DIGITAL GIGAswitch/Router, Wide Area Network (WAN) routing is performed...
Chapter 22: WAN Configuration Guide For example, you would specify a frame relay serial WAN port located at router slot 4, port 1, on VC 100 as “se.4.1.100”. Using the same approach, a PPP high-speed serial interface (HSSI) WAN port located at router slot 3, port 2 would be identified as “hs.3.2”.
The following command line displays an example for a port: interface create ip IPWAN address-netmask 10.50.1.1/16 peer-address 10.50.1.2 port hs.3.1 The following command line displays an example for a VLAN: interface create ip IPWAN address-netmask 10.50.1.1/16 peer-address 10.50.1.2 vlan BLUE Mapped Addresses Mapped peer IP/IPX addresses are very similar to static addresses in that InArp is disabled for Frame Relay and the address negotiated in IPCP/IPXCP is ignored for PPP.
Chapter 22: WAN Configuration Guide The following command lines display examples for a port and a VC: interface create ip IPWAN address-netmask 10.50.1.1/16 port hs.3.1 interface create ip IPWAN address-netmask 10.50.1.1/16 port hs.5.2.19 The following command line displays an example for a VLAN: interface create ip IPWAN address-netmask 10.50.1.1/16 vlan BLUE Forcing Bridged Encapsulation WAN for the GSR has the ability to force bridged packet encapsulation.
the “no history” option. If the compression statistics do not improve or show a ratio of less than 1, then compression should be disabled altogether. Average Packet Size In most cases, the larger the packet size, the better the potential compression ratio. This is due to the overhead involved with compression, as well as the compression algorithm.
Chapter 22: WAN Configuration Guide Example Configurations The following command line displays an example for Frame Relay: frame-relay set payload-compress ports se.3.1.300 The following command line displays an example for PPP: ppp set payload-compress port se.4.2 Packet Encryption Packet encryption allows data to travel through unsecured networks. You can enable packet encryption for PPP ports, however, both ends of a link must be configured to use packet encryption.
of the following sorts of attributes to interfaces on your network, you can begin to shape your network’s QoS configuration to use existing bandwidth more effectively. Source Filtering and ACLs Source filtering and ACLs can be applied to a WAN interface; however, they affect the entire module, not an individual port.
The advantage that Frame Relay offers to this type of geographic layout is the ability to switch packet data across the interfaces of different types of devices like switch-routers and bridges, for example.
Virtual Circuits You can think of a Virtual Circuit (VC) as a “virtual interface” (sometimes referred to as “sub-interfaces”) over which Frame Relay traffic travels. Frame Relay interfaces on the GSR use one or more VCs to establish bidirectional, end-to-end connections with remote end points throughout the WAN.
Chapter 22: WAN Configuration Guide Then, you must set up a frame relay virtual circuit (VC). The following command line displays a simplified example of a VC definition: Define the type and location of a frame relay VC. Setting up a Frame Relay Service Profile Once you have defined the type and location of your Frame Relay WAN interface(s), you can configure your GSR to more efficiently utilize available bandwidth for Frame Relay communications.
Monitoring Frame Relay WAN Ports Once you have configured your frame relay WAN interface(s), you can use the CLI to monitor status and statistics for your WAN ports. The following table describes the monitoring commands for WAN interfaces, designed to be used in Enable mode: Display a particular frame relay service profile Display all available frame relay...
Chapter 22: WAN Configuration Guide Suppose you wish to set up a service profile called “profile1” that includes the following characteristics: • Committed burst value of 2 million and excessive burst value of 1 million • BECN active shaping at 65 frames •...
Point-to-Point Protocol (PPP) Overview Because of its ability to quickly and easily accommodate IP and IPX protocol traffic, Point-to-Point Protocol (PPP) routing has become a very important aspect of WAN configuration. Using PPP, you can set up router-to-router, host-to-router, and host-to-host connections.
Chapter 22: WAN Configuration Guide Configuring PPP Interfaces This section provides an overview of configuring a host of WAN parameters and setting up WAN interfaces. When working in the PPP environment, you must first define the type and location of your WAN interfaces. Having established the type and location of your WAN interfaces, you need to (optionally) define one or more service profiles for your WAN interfaces, then apply a service profile to the desired interface(s).
PPP traffic. The following command line displays all of the possible attributes used to define a PPP service profile: Define a PPP service profile. Note: If it is necessary to specify a value for Bridging, IP, and/or IPX, you must specify all three of these values at the same time.
Chapter 22: WAN Configuration Guide Configuring Multilink PPP Bundles The Multilink PPP (MLP) standard defines a method for grouping multiple physical PPP links into a logical pipe, called an “MLP bundle”. Large packets are fragmented and transmitted over each physical link in an MLP bundle. At the destination, MLP reassembles the packets and places them in their correct sequence.
Monitoring PPP WAN Ports Once you have configured your PPP WAN interface(s), you can use the CLI to monitor status and statistics for your WAN ports. The following table describes the monitoring commands for WAN interfaces, designed to be used in Enable mode: Display a particular PPP service profile.
Chapter 22: WAN Configuration Guide Suppose you wish to set up a service profile called “profile2” that includes the following characteristics: • Bridging enabled • Leave high-, low-, and medium-priority queue depths set to factory defaults • IP and IPX enabled •...
WAN Configuration Examples Simple Configuration File The following is an example of a simple configuration file used to test frame relay and PPP WAN ports: port set hs.5.1 wan-encapsulation frame-relay speed 45000000 port set hs.5.2 wan-encapsulation ppp speed 45000000 interface create ip fr1 address-netmask 10.1.1.1/16 port hs.5.1.100 interface create ip ppp2 address-netmask 10.2.1.1/16 port hs.5.2 interface create ip lan1 address-netmask 10.20.1.1/16 port et.1.1 interface create ip lan2 address-netmask 10.30.1.1/16 port et.1.2...
Chapter 22: WAN Configuration Guide Multi-Router WAN Configuration The following is a diagram of a multi-router WAN configuration encompassing three subnets. From the diagram, you can see that R1 is part of both Subnets 1 and 2; R2 is part of both Subnets 2 and 3;...
Router R1 Configuration File The following configuration file applies to Router R1. ---------------------------------------------------------------------- Configuration for ROUTER R1 ---------------------------------------------------------------------- port set hs.7.1 wan-encapsulation frame-relay speed 45000000 port set hs.3.1 wan-encapsulation frame-relay speed 45000000 port set hs.3.2 wan-encapsulation ppp speed 45000000 port set et.1.* duplex full frame-relay create vc port hs.7.1.106 frame-relay create vc port hs.3.1.103 frame-relay define service CIRforR1toR6 cir 45000000 bc 450000...
Chapter 22: WAN Configuration Guide Router R2 Configuration File The following configuration file applies to Router R2. ---------------------------------------------------------------------- Configuration for ROUTER R2 ---------------------------------------------------------------------- port set hs.7.1 wan-encapsulation ppp speed 45000000 port set hs.7.2 wan-encapsulation ppp speed 45000000 port set et.1.* duplex full vlan create s2 id 300 interface create ip PPPforR2toR3 address-netmask 130.130.130.2/16 peer-address 130.130.130.3 port hs.7.2...
Router R3 Configuration File The following configuration file applies to Router R3. ---------------------------------------------------------------------- Configuration for ROUTER R3 ---------------------------------------------------------------------- port set se.2.1 wan-encapsulation frame-relay speed 1500000 port set et.1.* duplex full port set hs.4.1 wan-encapsulation frame-relay speed 45000000 port set hs.4.2 wan-encapsulation ppp speed 45000000 frame-relay create vc port se.2.1.304 frame-relay create vc port hs.4.1.103 vlan create s1 id 200...
Chapter 22: WAN Configuration Guide Router R4 Configuration File The following configuration file applies to Router R4. ---------------------------------------------------------------------- Configuration for ROUTER R4 ---------------------------------------------------------------------- port set se.6.1 wan-encapsulation frame-relay speed 1500000 port set se.6.3 wan-encapsulation ppp speed 1500000 port set et.1.* duplex full frame-relay create vc port se.6.1.304 vlan create s1 id 200 vlan add ports se.6.1.304,se.6.3 to s1...
Router R6 Configuration File The following configuration file applies to Router R6. ---------------------------------------------------------------------- Configuration for ROUTER R6 ---------------------------------------------------------------------- port set et.15.* duplex full port set hs.3.1 wan-encapsulation frame-relay speed 45000000 frame-relay create vc port hs.3.1.106 frame-relay define service CIRforR1toR6 cir 45000000 bc 450000 frame-relay apply service CIRforR1toR6 ports hs.3.1.106 vlan create BridgeforR1toR6 port-based id 106 interface create ip FRforR1toR6 address-netmask 100.100.100.6/16 vlan...