Cabletron Systems IA1100 User's Reference Manual

Internet appliance

Internet Appliance
User Reference Manual
9033371


Summary of Contents for Cabletron Systems IA1100

  • Page 1 Internet Appliance User Reference Manual 9033371...
  • Page 2 Changes Cabletron Systems, Inc., reserves the right to make changes in specifications and other information contained in this document without prior notice. The reader should in all cases consult Cabletron Systems, Inc., to determine whether any such changes have been made. The hardware, firmware, or software described in this manual is subject to change without notice.
  • Page 3: Regulatory Compliance Information

    Regulatory Compliance Information This product complies with the following: Safety: UL 1950; CSA C22.2, No. 950; 73/23/EEC; EN 60950; IEC 950. Electromagnetic Compatibility (EMC): FCC Part 15; CSA C108.8; 89/336/EEC; EN 55022; EN 61000-3-2; EN 61000-3-3; EN 50082-1; AS/NZS 3548; VCCI V-3. Regulatory Compliance Statements FCC Compliance Statement This device complies with Part 15 of the FCC rules.
  • Page 4 Regulatory Compliance Statements NOTICE: The Industry Canada label identifies certified equipment. This certification means that the equipment meets telecommunications network protective, operational, and safety requirements as prescribed in the appropriate Terminal Equipment Technical Requirements document(s). The department does not guarantee the equipment will operate to the user’s satisfaction. Before installing this equipment, users should ensure that it is permissible to be connected to the facilities of the local telecommunications company.
  • Page 5 Safety Information: Class 1 Laser Transceivers This product may use Class 1 laser transceivers. Read the following safety information before installing or operating this product. The Class 1 laser transceivers use an optical feedback loop to maintain Class 1 operation limits. This control loop eliminates the need for maintenance checks or adjustments.
  • Page 6 Cabletron Systems, Inc. Program License Agreement IMPORTANT: THIS LICENSE APPLIES FOR USE OF PRODUCT IN THE FOLLOWING GEOGRAPHICAL REGIONS: CANADA MEXICO CENTRAL AMERICA SOUTH AMERICA BEFORE OPENING OR UTILIZING THE ENCLOSED PRODUCT, CAREFULLY READ THIS LICENSE AGREEMENT.
  • Page 7 Sections 1 or 2 of this Agreement, You agree not to (i) reexport or release the Program, the source code for the Program or technology to a national of a country in Country Groups D:1 or E:2 (Albania, Armenia, Azerbaijan, Belarus, Bulgaria, Cambodia, Cuba, Estonia, Georgia, Iraq, Kazakhstan, Kyrgyzstan, Laos, Latvia, Libya, Lithuania, Moldova, North Korea, the People’s Republic of China, Romania, Russia, Rwanda, Tajikistan, Turkmenistan, Ukraine, Uzbekistan, Vietnam, or such other countries as may be designated by the United States Government), (ii)
  • Page 8 Cabletron Systems Sales and Service, Inc. Program License Agreement IMPORTANT: THIS LICENSE APPLIES FOR USE OF PRODUCT IN THE UNITED STATES OF AMERICA AND BY UNITED STATES OF AMERICA GOVERNMENT END USERS. BEFORE OPENING OR UTILIZING THE ENCLOSED PRODUCT, CAREFULLY READ THIS LICENSE AGREEMENT.
  • Page 9 Republic of China, Romania, Russia, Rwanda, Tajikistan, Turkmenistan, Ukraine, Uzbekistan, Vietnam, or such other countries as may be designated by the United States Government), (ii) export to Country Groups D:1 or E:2 (as defined herein) the direct product of the Program or the technology, if such foreign produced direct product is subject to national security controls as identified on the U.S.
  • Page 10 Cabletron Systems Limited Program License Agreement IMPORTANT: THIS LICENSE APPLIES FOR THE USE OF THE PRODUCT IN THE FOLLOWING GEOGRAPHICAL REGIONS: EUROPE MIDDLE EAST AFRICA ASIA AUSTRALIA PACIFIC RIM BEFORE OPENING OR UTILIZING THE ENCLOSED PRODUCT, CAREFULLY READ THIS LICENSE AGREEMENT.
  • Page 11 If the Program is exported from the United States pursuant to the License Exception TSR under the U.S. Export Administration Regulations, in addition to the restriction on transfer set forth in Sections 1 or 2 of this Agreement, You agree not to (i) reexport or release the Program, the source code for the Program or technology to a national of a country in Country Groups D:1 or E:2 (Albania, Armenia, Azerbaijan, Belarus, Bulgaria, Cambodia, Cuba, Estonia, Georgia, Iraq, Kazakhstan, Kyrgyzstan, Laos, Latvia, Libya, Lithuania, Moldova, North Korea, the People’s...
  • Page 12 Declaration of Conformity Addendum Declaration of Conformity Application of Council Directive(s) Manufacturer’s Name Manufacturer’s Address European Representative’s Name European Representative’s Address Conformance to Directive(s)/Product Standards Equipment Type/Environment We the undersigned, hereby declare, under our sole responsibility, that the equipment packaged with this notice conforms to the above directives.
  • Page 13: Table Of Contents

    Preface ... xxiii About This Manual ... xxiii Who Should Read This Manual? ... xxiii Related Documentation... xxiii Chapter 1: Introduction ... 25 Reviewing Configuration Files ...25 Using the Command Line Interface ...26 Command Modes...26 User Mode...26 Enable Mode...27 Configure Mode ...27 Boot PROM Mode...27 Getting Help with CLI Commands ...28...
  • Page 14 Contents Configuring IA Bridging Functions... 40 Configuring Address-Based or Flow-Based Bridging ... 40 Configuring Spanning Tree ... 42 Adjusting Spanning-Tree Parameters ... 42 Setting the Bridge Priority ... 43 Setting a Port Priority ... 43 Assigning Port Costs ... 43 Adjusting Bridge Protocol Data Unit (BPDU) Intervals...
  • Page 15 Chapter 5: VRRP Configuration Guide... 63 VRRP Overview ...63 Configuring VRRP ...64 Basic VRRP Configuration...64 Configuration of Router R1 ...65 Configuration for Router R2 ...65 Symmetrical Configuration ...65 Configuration of Router R1 ...67 Configuration of Router R2 ...67 Multi-Backup Configuration ...68 Configuration of Router R1 ...69 Configuration of Router R2 ...70 Configuration of Router R3 ...71...
  • Page 16 Contents Chapter 8: BGP Configuration Guide ... 97 BGP Overview ..97 The Internet Appliance (IA) BGP Implementation ... 98 Basic BGP Tasks..98 Setting the Autonomous System Number... 99 Setting the Router ID ... 99 Configuring a BGP Peer Group... 100 Adding and Removing a BGP Peer ...
  • Page 17 Configuring Simple Routing Policies...142 Redistributing Static Routes ...142 Redistributing Directly Attached Networks...143 Redistributing RIP into RIP ...143 Redistributing RIP into OSPF...143 Redistributing OSPF to RIP ...144 Redistributing Aggregate Routes ...144 Simple Route Redistribution Examples ...144 Example 1: Redistribution into RIP...144 Exporting a Given Static Route to All RIP Interfaces ...146 Exporting All Static Routes to All RIP Interfaces...146 Exporting All Static Routes Except the Default Route to All RIP...
  • Page 18 Contents Chapter 10: IP Policy-Based Forwarding Configuration Guide ... 171 Overview ... 171 Configuring IP Policies... 172 Defining an ACL Profile... 172 Associating the Profile with an IP Policy... 173 Creating Multi-statement IP Policies ... 173 Setting Load Distribution for Next-Hop Gateways ... 174 Setting the IP Policy Action ...
  • Page 19 Setting Server Status ...200 Load Balancing and FTP ...201 Allowing Access to Load Balancing Servers...201 Setting Timeouts for Load Balancing Mappings...201 Specifying the VPN Port Number ...202 Displaying Load Balancing Information ...202 Configuration Examples ...203 Web Hosting with One Virtual Group and Multiple Destination Servers...203 Web Hosting with Multiple Virtual Groups and Multiple Destination Servers ...204 Virtual IP Address Ranges ...205...
  • Page 20 Contents Chapter 14: Security Configuration Guide ... 227 Security Overview... 227 Configuring IA Access Security ... 228 Configuring RADIUS ... 228 Monitoring RADIUS... 229 Configuring TACACS ... 229 Monitoring TACACS... 229 Configuring TACACS Plus... 230 Monitoring TACACS Plus ... 231 Configuring Passwords...
  • Page 21 Configuring RMON Groups...254 Configuration Examples ...256 Displaying RMON Information ...257 RMON CLI Filters...258 Creating RMON CLI Filters ...259 Using RMON CLI Filters ...259 Troubleshooting RMON ...260 Allocating Memory to RMON...261...
  • Page 23: Preface

    About This Manual This manual provides detailed information and procedures for configuring the Internet Appliance software. If you have not yet installed the IA, follow the instructions in the Internet Appliance 1100/1200 Getting Started Guide to install the chassis and perform basic setup tasks. Then return to this manual for more detailed configuration information.
  • Page 25: Chapter 1: Introduction

    This chapter provides information that you need to know before configuring the Internet Appliance (IA) software. If you have not yet installed the IA, follow the instructions in the Internet Appliance 1100/1200 Getting Started Guide to install the chassis and perform basic setup tasks.
  • Page 26: Using The Command Line Interface

    Using the Command Line Interface The CLI allows you to enter and execute commands from the IA Console or from Telnet sessions. Up to four simultaneous Telnet sessions are allowed. CLI commands are grouped by subsystems. For example, the set of commands that let you configure and display IP routing table information all start with ip.
  • Page 27: Enable Mode

    Enable Mode Enable mode provides more facilities than User mode. You can display critical features within Enable mode including router configuration, access control lists, and SNMP statistics. To enter Enable mode from the User mode, enter the command enable (or en), and then supply the password when prompted.
  • Page 28: Getting Help With Cli Commands

    Getting Help with CLI Commands Interactive help is available from the CLI by entering the question mark (?) character at any time. The help is context-sensitive; the help provided is based on where in the command you are. For example, if you are at the User mode prompt, enter a question mark (?), as shown in the following example, to list the commands available in User mode: ia>...
  • Page 29: Line Editing Commands

    If you are entering several commands for the same subsystem, you can enter the subsystem name from the CLI. Then, execute individual commands for the subsystem without typing the subsystem name each time. For example, if you are configuring several entries for the IP routing table, you can simply enter ip at the CLI Configure prompt.
  • Page 30 Command / Resulting Action: Ctrl-k, kill line from cursor to end of line; Ctrl-l, refresh current line; Ctrl-m, carriage return (executes command); Ctrl-n, next command from history buffer; Ctrl-o, none; Ctrl-p, previous command from history buffer; Ctrl-q, none; Ctrl-r, refresh current line; ...
  • Page 31: Displaying And Changing Configuration Information

    Command Resulting Action Recall a specific history command. # is the number of the history command to be recalled as shown via the !* command. “<string>” Opaque strings may be specified using double quotes. This prevents interpretation of otherwise special CLI characters. Displaying and Changing Configuration Information The IA provides many commands for displaying and changing configuration information.
  • Page 32 Task: Save scratchpad to the active configuration. Save the active configuration to startup. The following figure illustrates the configuration files and the commands you can use to save your configuration: Scratchpad (temporary location; contents lost at reboot); Active (in effect until reboot)...
  • Page 33: Identifying Ports On The Ia-1100 And Ia-1200

    Identifying Ports on the IA-1100 and IA-1200 The term port refers to a physical connector installed in the IA-1100 and IA-1200. Each port in the IA is referred to by the type of connector (Ethernet or Gigabit Ethernet) and its location.
  • Page 35: Chapter 2: Bridging Configuration Guide

    Bridging Overview The Internet Appliance (IA) provides the following bridging functions: • Compliance with the IEEE 802.1d standard • Wire-speed address-based bridging or flow-based bridging • Ability to logically segment a transparently bridged network into virtual local-area networks (VLANs) based on physical ports or protocol (IP or bridged protocols such ®...
  • Page 36: Bridging Modes (Flow-Based And Address-Based)

    VLAN. Port-based VLANs divide a network into a number of VLANs by assigning a VLAN to each port of a switching device. Then, any traffic received on a given port of a switch belongs to the VLAN associated with that port. VLANs are primarily used for broadcast containment. A Layer-2 broadcast frame is normally transmitted all over a bridged network.
  • Page 37: Port-Based Vlans

    1 is transmitted on ports 2 and 3. It is not transmitted on any other port. MAC Address-Based VLANs In this type of VLAN, each switch (or a central VLAN information server) keeps track of all MAC addresses in a network and maps them to VLANs based on information configured by the network administrator.
  • Page 38: Subnet-Based Vlans

    Subnet-based VLANs are a subset of protocol-based VLANs and determine the VLAN of a frame based on the subnet to which the frame belongs. To do this, the switch must look into the network layer header of the incoming frame. This type of VLAN behaves similarly to a router by segregating different subnets into different broadcast domains.
  • Page 39: Ports, Vlans, And Layer-3 Interfaces

    The implicit VLANs created by the IA are subnet-based VLANs. Most commonly, an IA is used as a combined switch and router. For example, it may be connected to two subnets: S1 and S2. Ports 1 through 8 belong to S1, and ports 9 through 16 belong to S2.
  • Page 40: Explicit And Implicit Vlans

    IP frame received by port 1 is classified as belonging to VLAN IP_VLAN. Trunk ports (802.1Q) are usually used to connect one VLAN-aware switch to another. They carry traffic belonging to several VLANs. For example, suppose that IA A and B are both configured with VLANs V1 and V2.
  • Page 41 For example, the following illustration shows an IA with traffic being sent from port A to port B, port B to port A, port B to port C, and port A to port C. The corresponding bridge tables for address-based and flow-based bridging are shown in the following table.
  • Page 42: Configuring Spanning Tree

    Configuring Spanning Tree The IA supports per VLAN spanning tree. By default, all the VLANs defined belong to the default spanning tree. You can create a separate instance of spanning tree using the following command: Create spanning tree for a VLAN.
  • Page 43: Setting The Bridge Priority

    Setting the Bridge Priority You can globally configure the priority of an individual bridge when two bridges tie for position as the root bridge, or you can configure the likelihood that a bridge will be selected as the root bridge. The lower the bridge's priority, the more likely the bridge will be selected as the root bridge.
  • Page 44: Adjusting Bridge Protocol Data Unit (Bpdu) Intervals

    Adjusting Bridge Protocol Data Unit (BPDU) Intervals You can adjust BPDU intervals as described in the next three sections: • “Adjusting the Interval between Hello Times” • “Defining the Forward Delay Interval” • “Defining the Maximum Age” Adjusting the Interval between Hello Times You can specify the interval between hello time.
  • Page 45: Defining The Maximum Age

    Defining the Maximum Age If a bridge does not hear BPDUs from the root bridge within a specified interval, it assumes that the network has changed and recomputes the spanning-tree topology. To change the default interval setting, enter the following command in Configure mode: Change the amount of time a bridge will wait to hear BPDUs from the root bridge for default spanning tree.
  • Page 46: Configuring Vlan Trunk Ports

    Configuring VLAN Trunk Ports The IA supports standards-based VLAN trunking between multiple IAs as defined by IEEE 802.1Q. 802.1Q adds a header to a standard Ethernet frame that includes a unique VLAN ID per trunk between two IAs. These VLAN IDs extend the VLAN broadcast domain to more than one IA.
  • Page 47: Configuration Examples

    Configuration Examples VLANs are used to associate physical ports on the IA with connected hosts that may be physically separated but need to participate in the same broadcast domain. To associate ports to a VLAN, you must first create a VLAN and then assign ports to the VLAN. This section shows examples of creating an IP VLAN and a DECnet, SNA, and AppleTalk VLAN.
  • Page 49: Chapter 3: Smarttrunk Configuration Guide

    Overview This chapter explains how to configure and monitor SmartTRUNKs on the Internet Appliance (IA). A SmartTRUNK is Cabletron’s technology for load balancing and load sharing. For a description of the SmartTRUNK commands, see the “smarttrunk Command” section of the Internet Appliance Command Line Interface Reference. On the IA, a SmartTRUNK is a group of two or more ports that have been logically combined into a single port.
  • Page 50: Configuring Smarttrunks

    Configuring SmartTRUNKs To create a SmartTRUNK Create a SmartTRUNK, and specify a control protocol for it. Add physical ports to the SmartTRUNK. Specify the policy for distributing traffic across SmartTRUNK ports. This step is optional; by default, the IA distributes traffic to ports in a round-robin (sequential) manner.
  • Page 51: Add Physical Ports To The Smarttrunk

    Add Physical Ports to the SmartTRUNK You can add any number of ports to a SmartTRUNK. The limit is the number of ports on the IA. Any port on any module can be part of a SmartTRUNK. If one module fails, the remaining ports on other modules remain operational.
  • Page 52: Monitoring Smarttrunks

    Monitoring SmartTRUNKs Statistics are gathered for data flowing through a SmartTRUNK and each port in the SmartTRUNK. To display SmartTRUNK statistics, enter one of the following commands in Enable mode: Display information about all SmartTRUNKS and the control protocol used.
  • Page 53: Example Configurations

    10.1.1.1 255.255.255.0
    ip route-cache distributed
    interface fasteth 0/0
    no ip address
    channel-group 1
    The following is the configuration for the Cisco Catalyst 5K switch:
    set port channel 3/1-2 on
    (figure labels: st.2, Router 11.1.1.2/24...)
  • Page 54 The following is the SmartTRUNK configuration for the IA labeled R1 in the diagram:
    smarttrunk create st.1 protocol no-protocol
    smarttrunk create st.2 protocol huntgroup
    smarttrunk create st.3 protocol huntgroup
    smarttrunk add ports et.1(1-2) to st.1
    smarttrunk add ports et.2(1-2) to st.2
    smarttrunk add ports et.3(1-2) to st.3
    interface create ip to-cisco address-netmask 10.1.1.2/24 port st.1...
  • Page 55: Chapter 4: Ip Routing Configuration Guide

    This chapter describes how to configure IP interfaces and general non-protocol-specific routing parameters. IP Routing Overview Internet Protocol (IP) is a packet-based protocol used to exchange data over computer networks. IP handles addressing, routing, fragmentation, reassembly, and protocol demultiplexing. In addition, IP specifies how hosts and routers should process packets, handle errors, and discard packets.
  • Page 56: Ip Routing Protocols

    TCP and UDP also specify ports that identify the application that is using TCP/UDP. For example, a web server would typically use TCP/UDP port 80, which specifies HTTP-type traffic. The IA supports standards-based TCP, UDP, and IP. IP Routing Protocols The Internet Appliance (IA) supports standards-based unicast routing.
  • Page 57: Configuring Ip Interfaces For A Vlan

    Configuring IP Interfaces for a VLAN You can configure one IP interface per VLAN. Once an IP interface has been assigned to a VLAN, you can add secondary IP addresses to the VLAN. To configure a VLAN with an IP interface, enter the following command in Configure mode: Create an IP interface for a VLAN.
  • Page 58: Configuring Arp Cache Entries

    Configuring ARP Cache Entries You can add and delete entries in the ARP cache. To add or delete static ARP entries, enter one of the following commands in Configure mode: Add a static ARP entry. Clear a static ARP entry.
  • Page 59: Configuring Ip Services (Icmp)

    Configuring IP Services (ICMP) The IA provides ICMP message capabilities, including ping and traceroute. Ping allows you to determine the reachability of a certain IP host. Traceroute allows you to trace the IP gateways to an IP host. To access ping or traceroute on the IA, enter the following commands in Enable mode: Specify ping.
  • Page 60: Configuring Direct Broadcast

    Configuring Direct Broadcast You can configure the IA to forward all directed broadcast traffic from the local subnet to a specified IP address or all associated IP addresses. This is a more efficient method than defining only one local interface and remote IP address destination at a time with the ip-helper command when you are forwarding traffic from more than one interface in the local subnet to a remote destination IP address.
  • Page 61: Monitoring Ip Parameters

    Monitoring IP Parameters The IA provides display of IP statistics and configurations contained in the routing table. Information displayed provides routing and performance information. To display IP information, enter the following commands in Enable mode: Show ARP table entries. Show IP interface configuration. Show all TCP/UDP connections and services.
  • Page 63: Chapter 5: Vrrp Configuration Guide

    VRRP Overview This chapter explains how to set up and monitor the Virtual Router Redundancy Protocol (VRRP) on the Internet Appliance (IA). VRRP is defined in RFC 2338. End-host systems on a LAN are often configured to send packets to a statically configured default router.
  • Page 64: Configuring Vrrp

    Configuring VRRP This section presents three sample VRRP configurations: • A basic VRRP configuration with one virtual router • A symmetrical VRRP configuration with two virtual routers • A multi-backup VRRP configuration with three virtual routers Basic VRRP Configuration Figure 4 shows a basic VRRP configuration with a single virtual router.
  • Page 65: Configuration Of Router R1

    Configuration of Router R1 The following is the configuration file for Router R1 in Figure 4:
    1: interface create ip test address-netmask 10.0.0.1/16 port et.1.1
    2: ip-redundancy create vrrp 1 interface test
    3: ip-redundancy associate vrrp 1 interface test address 10.0.0.1/16
    4: ip-redundancy start vrrp 1 interface test
    Line 1 adds IP address 10.0.0.1/16 to interface test, making Router R1 the owner of this IP address.
  • Page 66 This configuration allows you to load-balance traffic coming from the hosts on the 10.0.0.0/16 subnet and provides a redundant path to either virtual router. Note: This is the recommended configuration on a network using VRRP. (table columns: Master for VRID=1, Backup for VRID=2, Interface Addr. ...)
  • Page 67: Configuration Of Router R1

    Configuration of Router R1 The following is the configuration file for Router R1 in the symmetrical configuration:
    1: interface create ip test address-netmask 10.0.0.1/16 port et.1.1
    2: ip-redundancy create vrrp 1 interface test
    3: ip-redundancy create vrrp 2 interface test
    4: ip-redundancy associate vrrp 1 interface test address 10.0.0.1/16
    5: ip-redundancy associate vrrp 2 interface test address 10.0.0.2/16
    6: ip-redundancy start vrrp 1 interface test
    7: ip-redundancy start vrrp 2 interface test...
  • Page 68: Multi-Backup Configuration

    Multi-Backup Configuration Figure 6 shows a VRRP configuration with three routers and three virtual routers. Each router serves as a Master for one virtual router and as a Backup for each of the others. When a Master router goes down, one of the Backups takes over the IP addresses of its virtual router.
  • Page 69: Configuration Of Router R1

    Configuration of Router R1 The following is the configuration file for Router R1 in Figure 6:
    1: interface create ip test address-netmask 10.0.0.1/16 port et.1.1
    2: ip-redundancy create vrrp 1 interface test
    3: ip-redundancy create vrrp 2 interface test
    4: ip-redundancy create vrrp 3 interface test
    5: ip-redundancy associate vrrp 1 interface test address 10.0.0.1/16
    6: ip-redundancy associate vrrp 2 interface test address 10.0.0.2/16
    7: ip-redundancy associate vrrp 3 interface test address 10.0.0.3/16...
  • Page 70: Configuration Of Router R2

    The following table shows the priorities for each virtual router configured on Router R1: Virtual Router: IP address=10.0.0.1/16 (VRID=1); IP address=10.0.0.2/16 (VRID=2); IP address=10.0.0.3/16 (VRID=3). Configuration of Router R2 The following is the configuration file for Router R2 in Figure 6:
    1: interface create ip test address-netmask 10.0.0.2/16 port et.1.1
    2: ip-redundancy create vrrp 1 interface test
    3: ip-redundancy create vrrp 2 interface test...
  • Page 71: Configuration Of Router R3

    The following table shows the priorities for each virtual router configured on Router R2: Virtual Router: IP address=10.0.0.1/16 (VRID=1); IP address=10.0.0.2/16 (VRID=2); IP address=10.0.0.3/16 (VRID=3). Note: Since 100 is the default priority, line 9, which sets the priority to 100, is actually unnecessary.
  • Page 72: Additional Configuration

    The following table shows the priorities for each virtual router configured on Router R3: Virtual Router: IP address=10.0.0.1/16 (VRID=1); IP address=10.0.0.2/16 (VRID=2); IP address=10.0.0.3/16 (VRID=3). Note: Since 100 is the default priority, lines 8 and 9, which set the priority to 100, are actually unnecessary.
  • Page 73: Setting Pre-Empt Mode

    Setting Pre-empt Mode When a Master router goes down, the Backup with the highest priority takes over the IP addresses associated with the Master. By default, when the original Master comes back up, it takes over from the Backup router that assumed its role as Master. When a VRRP router does this, it is said to be in pre-empt mode.
  • Page 74: Monitoring Vrrp

    Monitoring VRRP The IA provides two commands for monitoring a VRRP configuration: ip-redundancy trace, which displays messages when VRRP events occur, and ip-redundancy show, which reports statistics about virtual routers. ip-redundancy trace The ip-redundancy trace command is used for troubleshooting purposes. This command causes messages to be displayed when certain VRRP events occur on the IA.
  • Page 75: Vrrp Configuration Notes

    VRRP Configuration Notes • The Master router sends keep-alive advertisements. The frequency of these keep-alive advertisements is determined by setting the Advertisement interval parameter. The default value is 1 second. • If a Backup router doesn’t receive a keep-alive advertisement from the current Master within a certain period of time, it will transition to the Master state and start sending advertisements itself.
  • Page 76 • As specified in RFC 2338, a Backup router that has transitioned to Master will not respond to pings, accept telnet sessions, or field SNMP requests directed at the virtual router's IP address. Not responding allows network management to notice that the original Master router (i.e., the IP address owner) is down.
  • Page 77: Chapter 6: Rip Configuration Guide

    RIP Overview This chapter describes how to configure the Routing Information Protocol (RIP) on the Internet Appliance (IA). RIP is a distance-vector routing protocol for use in small networks. RIP is described in RFC 1723. A router running RIP broadcasts updates at set intervals.
  • Page 78: Configuring Rip

    Configuring RIP By default, RIP is disabled on the IA and on each of the attached interfaces. To configure RIP on the IA, follow these steps: Start the RIP process by entering the rip start command. Use the rip add interface command to inform RIP about the attached interfaces.
  • Page 79: Configuring Rip Parameters

    Configuring RIP Parameters No further configuration is required, and the system default parameters will be used by RIP to exchange routing information. These default parameters may be modified to suit your needs by using the rip set interface command. RIP parameters: version number; check-zero for RIP reserved parameters; whether RIP packets should be broadcast...
  • Page 80: Configuring Rip Route Preference

    Specify the metric to be used when advertising routes that were learned from other protocols. Enable automatic summarization and redistribution of RIP routes. Specify broadcast of RIP packets regardless of number of interfaces present. Check that reserved fields in incoming RIP V1 packets are zero.
  • Page 81: Monitoring Rip

    Monitoring RIP The rip trace command can be used to trace all rip request and response packets. To monitor RIP information, enter the following commands in Enable mode: Show all RIP information. Show RIP export policies. Show RIP global information. Show RIP import policies.
  • Page 82: Configuration Example

    Configuration Example
    ! Example configuration
    ! Create interface
    interface create ip
    ! Configure rip on
    rip add interface
    rip set interface
    rip start
    ! Set authentication method to md5
    rip set interface
    ! Change default metric-in
    rip set interface
    ! Change default metric-out
    rip set interface...
  • Page 83: Chapter 7: Ospf Configuration Guide

    OSPF Overview Open Shortest Path First (OSPF) is a link-state routing protocol that supports IP subnetting and authentication. The Internet Appliance (IA) supports OSPF Version 2.0 as defined in RFC 1583. Each link-state message contains all the links connected to the router with a specified cost associated with the link.
  • Page 84: Ospf Multipath

    OSPF Multipath The IA also supports OSPF and static Multi-path. If multiple equal-cost OSPF or static routes have been defined for any destination, then the IA discovers and uses all of them. The IA will automatically learn up to four equal-cost OSPF or static routes and retain them in its forwarding information base (FIB).
  • Page 85: Configuring Ospf Interface Parameters

    Configuring OSPF Interface Parameters You can configure the OSPF interface parameters shown in Table 1. OSPF Interface Parameters: Interface; OSPF State (Enable/Disable); Cost; No multicast; Retransmit interval; Transit delay; Priority; Hello interval; Router dead interval; Poll Interval; Key chain; Authentication Method. To configure OSPF interface parameters, enter one of the following commands in Configure mode:...
  • Page 86: Configuring An Ospf Area

    Specify the number of seconds required to transmit a link state update on an OSPF interface. Specify the time a neighbor router will listen for OSPF hello packets before declaring the router down. Disable IP multicast for sending OSPF packets to neighbors on an OSPF interface.
  • Page 87: Configuring Ospf Area Parameters

    To create areas and assign interfaces, enter the following commands in the Configure mode: Create an OSPF area. Add an interface to an OSPF area. Add a stub host to an OSPF area. Add a network to an OSPF area for summarization.
  • Page 88: Creating Virtual Links

    Chapter 7: OSPF Configuration Guide Creating Virtual Links In OSPF, virtual links can be established: • To connect an area via a transit area to the backbone • To create a redundant backbone connection via another area Each Area Border Router must be configured with the same virtual link. Note that virtual links cannot be configured through a stub area.
  • Page 89: Configuring Ospf Over Non-Broadcast Multiple Access

    Configuring OSPF over Non-Broadcast Multiple Access You can configure OSPF over NBMA circuits to limit the number of Link State Advertisements (LSAs). LSAs are limited to initial advertisements and any subsequent changes. Periodic LSAs over NBMA circuits are suppressed. To configure OSPF over WAN circuits, enter the following command in Configure mode: Configure OSPF over a WAN circuit.
  • Page 90: Ospf Configuration Examples

    Chapter 7: OSPF Configuration Guide Show all OSPF areas. Show OSPF errors. Show information about OSPF export policies. Show routes redistributed into OSPF. Show all OSPF global parameters. Show information about OSPF import policies. Show OSPF interfaces. Show information about all valid next hops, mostly derived from the SPF calculation.
  • Page 91: Exporting All Interface And Static Routes To Ospf

    • Determine its OSPF configuration !++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ! Create the various IP interfaces. !++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ interface create ip to-r2 interface create ip to-r3 interface create ip to-r41 address-netmask interface create ip to-r42 address-netmask interface create ip to-r6 !+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ! Configure default routes to the other subnets reachable through R2. !+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ip add route 202.1.0.0/16 gateway 120.1.1.2 ip add route 160.1.5.0/24 gateway 120.1.1.2...
  • Page 92: Exporting All Rip, Interface, And Static Routes To Ospf

    Chapter 7: OSPF Configuration Guide Create a Static export source since we would like to export static routes. ip-router policy create static-export-source statExpSrc Create a Direct export source since we would like to export interface/direct routes. ip-router policy create direct-export-source directExpSrc Create the Export-Policy for redistributing all interface routes and static routes into OSPF.
  • Page 93 Create a OSPF export destination for type-2 routes with a tag of 100. ip-router policy create ospf-export-destination ospfExpDstType2t100 type 2 tag 100 metric 4 Create a RIP export source. ip-router policy export destination ripExpDst source ripExpSrc network all Create a Static export source. ip-router policy create static-export-source statExpSrc Create a Direct export source.
  • Page 94 Chapter 7: OSPF Configuration Guide 12. Create the Export-Policy for redistributing all interface, RIP, static, OSPF and OSPF-ASE routes into RIP. ip-router policy export destination ripExpDst source statExpSrc network all ip-router policy export destination ripExpDst source ripExpSrc network all ip-router policy export destination ripExpDst source directExpSrc network all ip-router policy export destination ripExpDst source ospfExpSrc network all...
  • Page 95 Figure 7. Exporting to OSPF [network diagram: Area 140.1.0.0, Area Backbone, Area 150.20.0.0; interface addresses omitted]...
  • Page 97: Chapter 8: Bgp Configuration Guide

    BGP Overview The Border Gateway Protocol (BGP) is an exterior gateway protocol that allows IP routers to exchange network reachability information. BGP became an internet standard in 1989 (RFC 1105) and the current version, BGP-4, was published in 1994 (RFC 1771). BGP is typically run between Internet Service Providers.
  • Page 98: The Internet Appliance (Ia) Bgp Implementation

    Chapter 8: BGP Configuration Guide The Internet Appliance (IA) BGP Implementation The Internet Appliance (IA) routing protocol implementation is based on GateD 4.0.3 code (http://www.gated.org). GateD is a modular software program consisting of core services, a routing database, and protocol modules supporting multiple routing protocols (RIP versions 1 and 2, OSPF version 2, BGP version 2 through 4, and Integrated IS-IS).
  • Page 99: Setting The Autonomous System Number

    Setting the Autonomous System Number An autonomous system number identifies your autonomous system to other routers. To set the IA’s autonomous system number, enter the following command in Configure mode: Set the IA’s autonomous system number. The autonomous-system <num1> parameter sets the AS number for the router. Specify a number from 1 to 65534.
  • Page 100: Configuring A Bgp Peer Group

    Chapter 8: BGP Configuration Guide Configuring a BGP Peer Group A BGP peer group is a group of neighbor routers that have the same update policies. To configure a BGP peer group, enter the following command in Configure mode: Configure a BGP peer group. where: peer-group <number-or-string>...
  • Page 101: Adding And Removing A Bgp Peer

    proto Specifies the interior protocol to be used to resolve BGP next hops. Specify one of the following: use any IGP to resolve BGP next hops; use RIP to resolve BGP next hops; ospf: use OSPF to resolve BGP next hops; static: use static routes to resolve BGP next hops.
  • Page 102: Using As-Path Regular Expressions

    Chapter 8: BGP Configuration Guide Using AS-Path Regular Expressions An AS-path regular expression is a regular expression where the alphabet is the set of AS numbers. An AS-path regular expression is composed of one or more AS-path expressions. An AS-path expression is composed of AS path terms and AS-path operators. An AS path term is one of the following three objects: autonomous_system Is any valid autonomous system number, from one through 65534 inclusive.
  • Page 103: As-Path Regular Expression Examples

    For example: (4250 .*) means anything beginning with 4250; (.* 6301 .*) means anything containing 6301; (.* 4250) means anything ending with 4250; (.* 1104|1125|1888|1135 .*) means anything containing 1104 or 1125 or 1888 or 1135. AS-path regular expressions are used as one of the parameters for determining which routes are accepted and which routes are advertised.
  • Page 104: Using The As Path Prepend Feature

    Chapter 8: BGP Configuration Guide Using the AS Path Prepend Feature When BGP compares two advertisements of the same prefix that have differing AS paths, the default action is to prefer the path with the lowest number of transit AS hops; in other words, the preference is for the shorter AS path length.
  • Page 105: Bgp Configuration Examples

    d. Re-enter Configure mode. Add the peer-host back to the peer-group. If the as-count option is part of the startup configuration, the above steps are unnecessary. BGP Configuration Examples This section presents sample configurations illustrating BGP features. The following features are demonstrated: •...
  • Page 106 Chapter 8: BGP Configuration Guide BGP keepalive messages are sent between peers periodically to ensure that the peers stay connected. If one of the routers encounters a fatal error condition, a BGP notification message is sent to its BGP peer, and the TCP connection is closed. Figure 8 illustrates a sample BGP peering session.
  • Page 107: Ibgp Configuration Example

    The gated.conf file for router IA1 is as follows: autonomoussystem 1 ; routerid 10.0.0.1 ; bgp yes { The CLI configuration for router IA2 is as follows: interface create ip et.1.1 address-netmask 10.0.0.2/16 port et.1.1 ip-router global set autonomous-system 2 ip-router global set router-id 10.0.0.2 bgp create peer-group pg2w1 type external autonomous-system 1 bgp add peer-host 10.0.0.1 group pg2w1...
  • Page 108: Ibgp Routing Group Example

    Chapter 8: BGP Configuration Guide An IGP, like OSPF, could possibly be used instead of IBGP to exchange routing information between EBGP speakers within an AS. However, injecting full Internet routes (50,000+ routes) into an IGP puts an expensive burden on the IGP routers. Additionally, IGPs cannot communicate all of the BGP attributes for a given route.
  • Page 109 Chapter 8: BGP Configuration Guide Figure 9 shows a sample BGP configuration that uses the Routing group type. Figure 9. Sample IBGP Configuration (Routing Group Type) [network diagram: AS-64801 with a Cisco router; OSPF and IBGP sessions between loopback (lo0) addresses 172.23.1.25/30 and 172.23.1.26/30; link addresses omitted]...
  • Page 110 Chapter 8: BGP Configuration Guide In this example, OSPF is configured as the IGP in the autonomous system. The following lines in the router IA6 configuration file configure OSPF: # Create a secondary address for the loopback interface interface add ip lo0 address-netmask 172.23.1.26/30 ospf create area backbone ospf add interface to-IA4 to-area backbone ospf add interface to-IA1 to-area backbone...
  • Page 111: Ibgp Internal Group Example

    The following lines on the Cisco router set up IBGP peering with router IA6. router bgp 64801 ! Disable synchronization between BGP and IGP no synchronization neighbor 172.23.1.26 remote-as 64801 ! Allow internal BGP sessions to use any operational interface for TCP ! connections neighbor 172.23.1.26 update-source Loopback0 IBGP Internal Group Example...
  • Page 112 Chapter 8: BGP Configuration Guide Figure 10 illustrates a sample IBGP Internal group configuration. Figure 10. Sample IBGP Configuration (Internal Group Type) [network diagram: AS-1; addresses 16.122.128.1/24, 16.122.128.8/24, 17.122.128.1/24] The CLI configuration for router IA1 is as follows: ip-router global set autonomous-system 1 bgp create peer-group int-ibgp-1 type internal autonomous-system 1 bgp add peer-host 16.122.128.2 group int-ibgp-1 bgp add peer-host 16.122.128.8 group int-ibgp-1...
  • Page 113 The gated.conf file for router IA1 is as follows: autonomoussystem 1 ; routerid 16.122.128.1 ; bgp yes { traceoptions aspath detail packets detail open detail update ; group type internal peeras 1 The CLI configuration for router IA2 is as follows: ip-router global set autonomous-system 1 bgp create peer-group int-ibgp-1 type internal autonomous-system 1 bgp add peer-host 16.122.128.1 group int-ibgp-1...
  • Page 114: Ebgp Multihop Configuration Example

    Chapter 8: BGP Configuration Guide The configuration for router C1 (a Cisco router) is as follows: router bgp 1 no synchronization network 16.122.128.0 mask 255.255.255.0 network 17.122.128.0 mask 255.255.255.0 neighbor 16.122.128.1 remote-as 1 neighbor 16.122.128.1 next-hop-self neighbor 16.122.128.1 soft-reconfiguration inbound neighbor 16.122.128.2 remote-as 1 neighbor 16.122.128.2 next-hop-self neighbor 16.122.128.2 soft-reconfiguration inbound...
  • Page 115 The sample configuration in not connected to the same subnet. [network diagram: AS-64800, 16.122.128.1/16; legend omitted] The CLI configuration for router IA1 is as follows: bgp create peer-group ebgp_multihop autonomous-system 64801 type external bgp add peer-host 18.122.128.2 group ebgp_multihop ! Specify the gateway option, which indicates EBGP multihop. Set the ! gateway option to the address of the router that has a route to the ! peer.
  • Page 116 Chapter 8: BGP Configuration Guide The gated.conf file for router IA1 is as follows: autonomoussystem 64800 ; routerid 0.0.0.1 ; bgp yes { traceoptions state ; group type external peeras 64801 static { 18.122.0.0 masklen 16 The CLI configuration for router IA2 is as follows: interface create ip to-R1 address-netmask 16.122.128.3/16 port et.1.1 interface create ip to-R3 address-netmask 17.122.128.3/16 port et.1.2 # Static route needed to reach 18.122.0.0/16...
  • Page 117: Community Attribute Example

    The gated.conf file for router IA3 is as follows: static { 16.122.0.0 masklen 16 The CLI configuration for router IA4 is as follows: bgp create peer-group ebgp_multihop autonomous-system 64801 type external bgp add peer-host 18.122.128.2 group ebgp_multihop ! Specify the gateway option, which indicates EBGP multihop. Set the ! gateway option to the address of the router that has a route to the ! peer.
  • Page 118 Chapter 8: BGP Configuration Guide Figure 12. Sample BGP Configuration (Specific Community) [network diagram: ISP1, ISP2, AS-64899, AS-64900, AS-64901, AS-64902; legend: Physical Link, Peering Relationship, Information Flow; interface addresses omitted]...
  • Page 119 Figure 13. Sample BGP Configuration (Well-Known Community) [network diagram: AS-64900, AS-64901; addresses 100.200.12.20/24, 100.200.13.1/24] The Community attribute can be used in three ways: In a BGP Group Statement: Any packets sent to this group of BGP peers will have the communities attribute in the BGP packet modified to be this communities attribute value from this AS.
  • Page 120 Chapter 8: BGP Configuration Guide Figure 13, router IA11 has the following configuration: # Create an optional attribute list with identifier color1 for a community # attribute (community-id 160 AS 64901) ip-router policy create optional-attributes-list color1 community-id 160 autonomous-system 64901 # Create an optional attribute list with identifier color2 for a community # attribute (community-id 155 AS 64901) ip-router policy create optional-attributes-list color2 community-id 155...
  • Page 121 Figure 13 on page ip-router policy create optional-attributes-list color1 community-id 160 autonomous-system 64902 ip-router policy create optional-attributes-list color2 community-id 155 autonomous-system 64902 ip-router policy create bgp-import-source 902color1 optional-attributes-list color1 autonomous-system 64899 sequence-number 1 ip-router policy create bgp-import-source 902color2 optional-attributes-list color2 autonomous-system 64899 sequence-number 2 ip-router policy create bgp-import-source 902color3 optional-attributes-list color1 autonomous-system 64901 sequence-number 3 ip-router policy create bgp-import-source 902color4 optional-attributes-list...
  • Page 122 Chapter 8: BGP Configuration Guide Figure 13 on page # Create an optional attribute list with identifier color1 for a community # attribute (community-id 160 AS 64902) ip-router policy create optional-attributes-list color1 community-id 160 autonomous-system 64902 # Create an optional attribute list with identifier color2 for a community # attribute (community-id 155 AS 64902) ip-router policy create optional-attributes-list color2 community-id 155 autonomous-system 64902...
  • Page 123 The community attribute may be a single community or a set of communities. A maximum of 10 communities may be specified. The community attribute can take any of the following forms: • Specific community The specific community consists of the combination of the AS-value and community •...
  • Page 124: Notes On Using Communities

    Chapter 8: BGP Configuration Guide Notes on Using Communities When originating BGP communities, the set of communities that is actually sent is the union of the communities received with the route (if any), those specified in group policy (if any), and those specified in export policy (if any). When receiving BGP communities, the update is only matched if all communities specified in the optional-attributes-list option of the ip-router policy create command are present in the BGP update.
  • Page 125 In the sample network in Figure 14, all the traffic exits Autonomous System 64901 through the link between router IA13 and router IA11. This is accomplished by setting the Local_Pref attribute. Figure 14. Sample BGP Configuration (Local_Pref Attribute) [network diagram: routers IA10 and IA12; addresses 10.200.12.1/24, 10.200.13.1/24, 10.200.14.1/24, 192.169.20.1/16]...
  • Page 126: Notes On Using The Local_Pref Attribute

    Chapter 8: BGP Configuration Guide In router IA12’s CLI configuration file, the import preference is set to 160: # Set the set-pref metric for the IBGP peer group bgp set peer-group as901 set-pref 100 ip-router policy create bgp-import-source as900 autonomous-system 64900 preference 160 Using the formula for local preference [Local_Pref = 254 - (global protocol preference for this route) + metric], the Local_Pref value put out by router IA12 is 254 - 160+100 = 194.
  • Page 127 Figure 15. Sample BGP Configuration (MED Attribute) [network diagram: AS 64752; addresses 172.16.200.4/24, 172.16.200.6/24; legend omitted] Routers IA4 and IA6 inform router C1 about network 172.16.200.0/24 through External BGP (EBGP). Router IA6 announces the route with a MED of 10, whereas router IA4 announces the route with a MED of 20. Of the two EBGP routes, router C1 chooses the one with the smaller MED.
  • Page 128: Ebgp Aggregation Example

    Chapter 8: BGP Configuration Guide EBGP Aggregation Example Figure 16 shows a simple EBGP configuration in which one peer is exporting an aggregated route to its upstream peer and restricting the advertisement of contributing routes to the same peer. The aggregated route is 212.19.192.0/19. [Figure 16: network diagram, AS-64900; addresses 212.19.199.62/24, 212.19.198.1/24]...
  • Page 129: Route Reflection Example

    Router IA9 has the following CLI configuration: bgp create peer-group rtr8 type external autonomous-system 64900 bgp add peer-host 194.109.86.6 group rtr8 Route Reflection Example In some ISP networks, the internal BGP mesh becomes quite large, and the IBGP full mesh does not scale well.
  • Page 130 Chapter 8: BGP Configuration Guide Figure 17 shows a sample configuration that uses route reflection. Figure 17. Sample BGP Configuration (Route Reflection) [network diagram: EBGP peer in AS-64900; IBGP clusters in AS-64901 with route reflector IA10 and its clients] In this example, there are two clusters. Router IA10 is the route reflector for the first cluster and router IA11 is the route reflector for the second cluster.
  • Page 131 Router IA11 has router IA12 and router IA13 as client peers and router IA10 as a non-client peer. The following line in router IA11’s configuration file specifies it to be a route reflector: bgp set peer-group rtr11 reflector-client Even though the IBGP peers are not fully meshed in AS 64901, the direct routes of router IA14, that is, 192.68.222.0/24 in AS 64902 (which are redistributed in BGP), do show up in the route table of router IA8 in AS 64900, as shown below: *********************************************...
  • Page 132: Notes On Using Route Reflection

    Chapter 8: BGP Configuration Guide Notes on Using Route Reflection • Two types of route reflection are supported: – By default, all routes received by the route reflector from a client are sent to all internal peers (including the client’s group, but not the client itself). –...
  • Page 133: Chapter 9: Routing Policy Configuration Guide

    Route Import and Export Policy Overview The Internet Appliance (IA) family of routers supports extremely flexible routing policies. The IA allows the network administrator to control import and export of routing information based on criteria including: • Individual protocol • Source and destination autonomous system •...
  • Page 134: Preference

    Chapter 9: Routing Policy Configuration Guide Preference Preference is the value the IA routing process uses to order preference of routes from one protocol or peer over another. Preference can be set using several different configuration commands. Preference can be set based on one network interface over another, from one protocol over another, or from one remote gateway over another.
  • Page 135: Import Policies

    Import Policies Import policies control the importation of routes from routing protocols and their installation in the routing databases (Routing Information Base and Forwarding Information Base). Import Policies determine which routes received from other systems are used by the IA routing process. Every import policy can have up to two components: •...
  • Page 136: Route-Filter

    Chapter 9: Routing Policy Configuration Guide It is only possible to restrict the importation of OSPF ASE routes when functioning as an AS border router. Like the other interior protocols, preference cannot be used to choose between OSPF ASE routes. That is done by the OSPF costs. Route-Filter This component specifies the individual routes which are to be imported or restricted.
  • Page 137: Export-Source

    Export-Source This component specifies the source of the exported routes. It can also specify the metric to be associated with the routes exported from this source. The routes to be exported can be identified by their associated attributes: • Their protocol type (RIP, OSPF, BGP, Static, Direct, Aggregate). •...
  • Page 138: Specifying A Route Filter

    Chapter 9: Routing Policy Configuration Guide Specifying a Route Filter Routes are filtered by specifying a route-filter that will match a certain set of routes by destination, or by destination and mask. Among other places, route filters are used with martians and in import and export policies.
  • Page 139: Aggregates And Generates

    Aggregates and Generates Route aggregation is a method of generating a more general route, given the presence of a specific route. It is used, for example, at an autonomous system border to generate a route to a network to be advertised via BGP given the presence of one or more subnets of that network learned via OSPF.
  • Page 140: Route-Filter

    Chapter 9: Routing Policy Configuration Guide The routes contributing to an aggregate can be identified by their associated attributes: • Protocol type (RIP, OSPF, BGP, Static, Direct, Aggregate). • Autonomous system from which the route was learned. • AS path associated with a route. When BGP is configured, all routes are assigned an AS path when they are added to the routing table.
  • Page 141: Authentication Methods

    Authentication Methods There are mainly two authentication methods: Simple Password: In this method, an authentication key of up to 8 characters is included in the packet. If this does not match what is expected, the packet is discarded. This method provides little security, as it is possible to learn the authentication key by watching the protocol packets.
  • Page 142: Configuring Simple Routing Policies

    Chapter 9: Routing Policy Configuration Guide Configuring Simple Routing Policies Simple routing policies provide an efficient way for routing information to be exchanged between routing protocols. The redistribute command can be used to redistribute routes from one routing domain into another routing domain. Redistribution of routes between routing domains is based on route policies.
  • Page 143: Redistributing Directly Attached Networks

    Redistributing Directly Attached Networks Routes to directly attached networks are redistributed to another routing protocol such as RIP or OSPF by the following command. The network parameter specifies a set of routes that will be redistributed by this command. If all direct routes are to be redistributed set the network parameter to all.
  • Page 144: Redistributing Ospf To Rip

    Chapter 9: Routing Policy Configuration Guide Redistributing OSPF to RIP For the purposes of route redistribution and import-export policies, OSPF intra- and inter-area routes are referred to as ospf routes, and external routes redistributed into OSPF are referred to as ospf-ase routes. Examples of ospf-ase routes include static routes, rip routes, direct routes, bgp routes, or aggregate routes, which are redistributed into an OSPF domain.
  • Page 145 • Determine its RIP configuration !++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ! Create the various IP interfaces. !++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ interface create ip to-r2 interface create ip to-r3 interface create ip to-r41 address-netmask interface create ip to-r42 address-netmask interface create ip to-r6 interface create ip to-r7 !++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ! Configure a default route through 170.1.1.7 !++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ip add route default gateway 170.1.1.7...
  • Page 146: Exporting A Given Static Route To All Rip Interfaces

    Chapter 9: Routing Policy Configuration Guide Exporting a Given Static Route to All RIP Interfaces Router R1 has several static routes, of which one is the default route. We would like to export this default route over all RIP interfaces. ip-router policy redistribute from-proto static to-proto rip network default Exporting All Static Routes to All RIP Interfaces Router R1 has several static routes.
  • Page 147: Exporting All Interface & Static Routes To Ospf

    • Determine its OSPF configuration !++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ! Create the various IP interfaces. !++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ interface create ip to-r2 et.1.2 interface create ip to-r3 interface create ip to-r41 address-netmask interface create ip to-r42 address-netmask interface create ip to-r6 !+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ! Configure default routes to the other subnets reachable through R2. !+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ip add route 202.1.0.0/16 gateway 120.1.1.2 ip add route 160.1.5.0/24 gateway 120.1.1.2...
  • Page 148: Exporting All Rip, Interface & Static Routes To Ospf

    Chapter 9: Routing Policy Configuration Guide Exporting All RIP, Interface & Static Routes to OSPF Note: Also export interface, static, RIP, OSPF, and OSPF-ASE routes into RIP. In the configuration shown in Version 2 on network 120.190.0.0/16, connecting routers R1 and R2. Router R1 would like to export all RIP, interface, and static routes to OSPF.
  • Page 149: Export Policies

    Export Policies Advanced export policies can be constructed from one or more of the following building blocks: • Export Destinations - This component specifies the destination where the routes are to be exported. It also specifies the attributes associated with the exported routes. The interface, gateway or the autonomous system to which the routes are to be redistributed are a few examples of export-destinations.
  • Page 150: Creating An Export Destination

    Chapter 9: Routing Policy Configuration Guide The <filter-id>, if specified, is the identifier of the route-filter associated with this export-policy. If there is more than one route-filter for any export-destination and export-source combination, then the ip-router policy export destination <exp-dest-id> source <exp-src-id> command should be repeated for each <filter-id>.
  • Page 151: Creating An Import Source

    If you want to create a complex route-filter, and you intend to use that route-filter in several import policies, then the first method is recommended. If you do not have complex filter requirements, then use the second method. After you create one or more building blocks, they are tied together by the ip-router policy import command.
  • Page 152: Creating An Aggregate Route

    Chapter 9: Routing Policy Configuration Guide Creating an Aggregate Route Route aggregation is a method of generating a more general route, given the presence of a specific route. The routing process does not perform any aggregation unless explicitly requested. Aggregate-routes can be constructed from one or more of the following building blocks: •...
  • Page 153: Creating An Aggregate Destination

    The <filter-id> is the identifier of the route-filter associated with this aggregate. If there is more than one route-filter for any aggregate-destination and aggregate-source combination, then the ip-router policy aggr-gen destination <aggr-dest-id> source <aggr-src-id> command should be repeated for each <filter-id>. Creating an Aggregate Destination To create an aggregate destination, enter the following command in Configure mode: Create an aggregate...
  • Page 154 Chapter 9: Routing Policy Configuration Guide The following configuration commands for router R1 • Determine the IP address for each interface. • Specify the static routes configured on the router. • Determine its RIP configuration. [figure label: RIP V2]...
  • Page 155: Importing A Selected Subset Of Routes From One Rip Trusted Gateway

    !++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ! Create the various IP interfaces. !++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ interface create ip to-r2 interface create ip to-r3 interface create ip to-r41 address-netmask interface create ip to-r42 address-netmask interface create ip to-r6 interface create ip to-r7 !++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ! Configure a default route through 170.1.1.7 !++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ip add route default gateway 170.1.1.7 !+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++...
  • Page 156: Importing A Selected Subset Of Routes From All Rip Peers Accessible Over A Certain Interface

    Chapter 9: Routing Policy Configuration Guide Add the peer 140.1.1.41 to the list of trusted and source gateways. rip add source-gateways 140.1.1.41 rip add trusted-gateways 140.1.1.41 Create a RIP import source with the gateway as 140.1.1.4 since we would like to import all routes except the 10.51.0.0/16 route from this gateway.
  • Page 157: Example 2: Importing From Ospf

    Example 2: Importing from OSPF Due to the nature of OSPF, only the importation of ASE routes may be controlled. OSPF intra- and inter-area routes are always imported into the IA routing table with a preference of 10. If a tag is specified, the import clause will only apply to routes with the specified tag.
  • Page 158 Figure 19. Exporting to OSPF [network diagram: Area 140.1.0.0, Area Backbone, Area 150.20.0.0; interface addresses omitted]...
  • Page 159: Importing A Selected Subset Of Ospf-Ase Routes

    The following configuration commands for router R1: • Determine the IP address for each interface • Specify the static routes configured on the router • Determine its OSPF configuration !++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ! Create the various IP interfaces. !++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ interface create ip to-r2 interface create ip to-r3 interface create ip to-r41 address-netmask interface create ip to-r42 address-netmask...
  • Page 160: Examples Of Export Policies

    Chapter 9: Routing Policy Configuration Guide Examples of Export Policies Example 1: Exporting to RIP Exporting to RIP is controlled by any of protocol, interface or gateway. If more than one is specified, they are processed from most general (protocol) to most specific (gateway). It is not possible to set metrics for exporting RIP routes into RIP.
  • Page 161: Exporting A Given Static Route To All Rip Interfaces

    • Determine its RIP configuration !++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ! Create the various IP interfaces. !++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ interface create ip to-r2 interface create ip to-r3 interface create ip to-r41 address-netmask interface create ip to-r42 address-netmask interface create ip to-r6 interface create ip to-r7 !++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ! Configure a default route through 170.1.1.7 !++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ip add route default gateway 170.1.1.7...
  • Page 162: Exporting A Given Static Route To A Specific Rip Interface

    Create a Static export source since we would like to export static routes. ip-router policy create static-export-source statExpSrc As mentioned above, if no export policy is specified, RIP and interface routes are exported into RIP. If any policy is specified, the defaults are overridden; it is necessary to explicitly specify everything that should be exported.
  • Page 163: Exporting All Static Routes Reachable Over A Given Interface To A Specific Rip-Interface

    Create a Direct export source since we would like to export direct/interface routes. ip-router policy create direct-export-source directExpSrc Create the Export-Policy redistributing the statically created default route, and all (RIP, Direct) routes into RIP. ip-router policy export destination ripExpDst141 source statExpSrc network default ip-router policy export destination ripExpDst141 source ripExpSrc network all...
  • Page 164: Exporting Aggregate-Routes Into Rip

    Create the Export-Policy, redistributing all static routes reachable over interface 130.1.1.1 and all (RIP, Direct) routes into RIP. ip-router policy export destination ripExpDst141 source statExpSrc130 network all ip-router policy export destination ripExpDst141 source ripExpSrc network all ip-router policy export destination ripExpDst141 source directExpSrc network all...
  • Page 165: Example 2: Exporting To Ospf

    Create an Aggregate export source since we would like to export/redistribute an aggregate/summarized route. ip-router policy create aggr-export-source aggrExpSrc Create a RIP export source since we would like to export RIP routes. ip-router policy create rip-export-source ripExpSrc Create a Direct export source since we would like to export Direct routes. ip-router policy create direct-export-source directExpSrc Create the Export-Policy redistributing all (RIP, Direct) routes and the aggregate route 140.1.0.0/16 into RIP.
  • Page 166: Exporting All Interface & Static Routes To Ospf

    • Determine its OSPF configuration !++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ! Create the various IP interfaces. !++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ interface create ip to-r2 interface create ip to-r3 interface create ip to-r41 address-netmask interface create ip to-r42 address-netmask interface create ip to-r6 !+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ! Configure default routes to the other subnets reachable through R2.
  • Page 167: Exporting All Rip, Interface & Static Routes To Ospf

    Create a Direct export source since we would like to export interface/direct routes. ip-router policy create direct-export-source directExpSrc Create the Export-Policy for redistributing all interface routes and static routes into OSPF. ip-router policy export destination ospfExpDstType1 source directExpSrc network all ip-router policy export destination ospfExpDstType2 source statExpSrc network all Exporting All RIP, Interface &...
  • Page 168 Create a RIP export source. ip-router policy create rip-export-source ripExpSrc Create a Static export source. ip-router policy create static-export-source statExpSrc Create a Direct export source. ip-router policy create direct-export-source directExpSrc Create the Export-Policy for redistributing all interface, RIP and static routes into OSPF.
  • Page 169 12. Create the Export-Policy for redistributing all interface, RIP, static, OSPF and OSPF- ASE routes into RIP. ip-router policy export destination ripExpDst source statExpSrc network all ip-router policy export destination ripExpDst source ripExpSrc network all ip-router policy export destination ripExpDst source directExpSrc network all ip-router policy export destination ripExpDst source ospfExpSrc network all...
  • Page 171: Chapter 10: Ip Policy-Based Forwarding Configuration Guide

    Overview You can configure the Internet Appliance (IA) to route IP packets according to policies that you define. IP-policy-based routing allows network managers to engineer traffic to make the most efficient use of their network resources. IP policies forward packets based on Layer-3 or Layer-4 IP header information. You can define IP policies to route packets to a set of next-hop IP addresses based on any combination of the following IP header fields: •...
  • Page 172: Configuring Ip Policies

    Chapter 10: IP Policy-Based Forwarding Configuration Guide For example, you can set up an IP policy to send packets originating from a certain network through a firewall, while letting other packets bypass the firewall. Using IP policies, sites that have multiple Internet service providers can cause user groups to use different ISPs.
  • Page 173: Associating The Profile With An Ip Policy

    Associating the Profile with an IP Policy Once you have defined a profile with the acl command, you associate the profile with an IP policy by entering one or more ip-policy statements. An ip-policy statement specifies the next-hop gateway (or gateways) where packets matching a profile are forwarded. To cause packets matching a defined profile to be forwarded to a next-hop gateway, enter the following command in Configure mode: Forward packets matching a...
  • Page 174: Setting Load Distribution For Next-Hop Gateways

    For example, the following commands create an IP policy called p3, which consists of two IP policy statements. The ip policy permit statement has a sequence number of 1, which means it is evaluated before the ip policy deny statement, which has a sequence number of 900.
  • Page 175: Checking The Availability Of Next-Hop Gateways

    To set the IP policy action with respect to dynamic or statically configured routes, enter one of the following commands in Configure mode: Cause packets matching the profile to use the IP policy route first. If the next-hop gateway is not reachable, use the dynamic route instead.
  • Page 176: Applying An Ip Policy To An Interface

    Applying an IP Policy to an Interface After you define the IP policy, it must be applied to an inbound IP interface. Once the IP policy is applied to the interface, packets start being forwarded according to the IP policy. To apply an IP policy to an interface, enter one of the following commands in Configure mode: Apply a defined IP policy to...
  • Page 177 In the sample configuration in originating within the corporate network between different ISPs (100.1.1.1 and 200.1.1.1). Group user-a 10.50.*.* Group user-b 11.50.*.* Figure 20. Using an IP Policy To Route Traffic To Two Different ISPs HTTP traffic originating from network 10.50.0.0 for destination 207.31.0.0/16 is forwarded to 100.1.1.1.
  • Page 178: Prioritizing Service To Customers

    Prioritizing Service to Customers An ISP can use policy-based routing on an access router to supply different customers with different levels of service. The sample configuration in an IP policy to classify customers and route traffic to different networks based on customer type.
  • Page 179: Authenticating Users Through A Firewall

    The following is the IP policy configuration for the Policy Router in interface create ip premium-customer address-netmask 10.50.1.1/16 port et.1.1 interface create ip standard-customer address-netmask 11.50.1.1/16 port et.1.2 acl premium-customer permit ip 10.50.0.0/16 any any any 0 acl standard-customer ip-policy p1 permit acl premium-customer next-hop-list "100.1.1.1 100.1.1.2"...
  • Page 180: Firewall Load Balancing

    The following is the IP policy configuration for the Policy Router in interface create ip mls0 address-netmask 10.50.1.1/16 port et.1.1 acl contractors permit ip 10.50.1.0/24 any any any 0 acl full-timers permit ip 10.50.2.0/24 any any any 0 ip-policy access permit acl contractors next-hop-list 11.1.1.1 action policy-only ip-policy access permit acl full-timers next-hop-list 12.1.1.1 action...
  • Page 181: Monitoring Ip Policies

    The following is the configuration for Policy Router 1 in vlan create firewall vlan add ports et.1.(1-5) to firewall interface create ip firewall address-netmask 1.1.1.5/16 vlan firewall acl firewall permit ip any any any 0 ip-policy p1 permit acl firewall next-hop-list “1.1.1.1 1.1.1.2 1.1.1.3 1.1.1.4”...
  • Page 182 Display information about all IP policies on a specified interface. Display information about IP policies that have been applied to all interfaces. Clear statistics gathered for IP policies. For example, to display information about an active IP policy named p1, enter the following command in Enable mode: ia# ip-policy show policy-name p1 --------------------------------------------------------------------------------...
  • Page 183 The source address and filtering mask of this flow. The destination address and filtering mask of this flow. For TCP or UDP, the number of the source TCP or UDP port. For TCP or UDP, the number of the destination TCP or UDP port. The TOS value in the packet.
  • Page 185: Chapter 11: Network Address Translation Configuration Guide

    Overview Network Address Translation (NAT) allows an IP address used within one network to be translated into a different IP address used within another network. NAT is often used to map addresses used in a private, local intranet to one or more addresses used in the public, global Internet.
  • Page 186: Configuring Nat

    Chapter 11: Network Address Translation Configuration Guide The IA allows you to create the following NAT address bindings: • Static, one-to-one binding of inside, local address or address pool to outside, global address or address pool. A static address binding does not expire until the command that defines the binding is negated.
  • Page 187: Setting Nat Rules

    Setting NAT Rules Static You create NAT static bindings by entering the following command in Configure mode: Enable NAT with static address binding. Dynamic You create NAT dynamic bindings by entering the following command in Configure mode: Enable NAT with dynamic address binding.
  • Page 188: Nat And Ftp

    NAT and FTP File Transfer Protocol (FTP) packets require special handling with NAT, because the FTP PORT command packets contain IP address information within the data portion of the packet. It is therefore important for NAT to know which control port is used for FTP (the default is port 21) and the timeout for the FTP session (the default is 30 minutes).
  • Page 189: Configuration Examples

    Configuration Examples This section shows examples of NAT configurations. Static Configuration The example in Figure 24 binds inside address 10.1.1.2 to outside address 192.50.20.2: Outbound: Translate source 10.1.1.2 to 192.50.20.2 Inbound: Translate destination 192.50.20.2 to 10.1.1.2 [Figure 24 diagram: IP network 10.1.1.0/24, host 10.1.1.2, router interface 10.1.1.1/24] The first step is to create the interfaces: interface create ip 10-net address-netmask 10.1.1.1/24 port et.2.1 interface create ip 192-net address-netmask 192.50.20.1/24 port et.2.2 Next, define the interfaces to be NAT inside or outside:...
  • Page 190: Using Static Nat

    Using Static NAT Static NAT can be used when the local and global IP addresses are to be bound in a fixed manner. These bindings never get removed nor time out until the static NAT command itself is negated.
  • Page 191: Using Dynamic Nat

    Next, define the interfaces to be NAT inside or outside: nat set interface 10-net inside nat set interface 192-net outside Then, define the NAT dynamic rules by first creating the source ACL pool and then configuring the dynamic bindings: acl lcl permit ip 10.1.1.0/24 nat create dynamic local-acl-pool lcl global-pool 192.50.20.0/24 Using Dynamic NAT Dynamic NAT can be used when the local network (inside network) is going to initialize...
  • Page 192: Dynamic Nat With Ip Overload (Pat) Configuration

    Dynamic NAT with IP Overload (PAT) Configuration The example in Figure 26 translates inside network 10.1.1.0/24 to outside address 192.50.20.0/24: Outbound: Translate source pool 10.1.1.0/24 to global pool 192.50.20.1-192.50.20.3 [Figure 26 diagram: IP network 10.1.1.0/24 with hosts 10.1.1.2, 10.1.1.3 and 10.1.1.4] Figure 26. Dynamic NAT with IP Overload (PAT) Configuration Example The first step is to create the interfaces: interface create ip 10-net address-netmask 10.1.1.1/24 port et.2.1 interface create ip 192-net address-netmask 192.50.20.1/24 port et.2.2...
  • Page 193: Using Dynamic Nat With Ip Overload

    Using Dynamic NAT with IP Overload Dynamic NAT with IP overload can be used when the local network (inside network) will be initializing the connections using TCP or UDP protocols. It creates a binding at run time when the packet comes from a local network defined in the NAT dynamic local ACL pool.
  • Page 194: Using Dynamic Nat With Matching Interface Redundancy

    The first step is to create the interfaces: interface create ip 10-net address-netmask 10.1.1.1/24 port et.2.1 interface create ip 192-net address-netmask 192.50.20.0/24 port et.2.2 interface create ip 201-net address-netmask 201.50.20.0/24 port et.2.3 Next, define the interfaces to be NAT inside or outside: nat set interface 10-net inside nat set interface 192-net outside nat set interface 201-net outside...
  • Page 195: Chapter 12: Web Hosting Configuration Guide

    Overview Accessing information on Web sites for work or personal purposes is becoming a normal practice for an increasing number of people. For many companies, fast and efficient Web access is important both for external customers who need to access the company Web sites and for users on the corporate intranet who need to access Internet Web sites.
  • Page 196: Load Balancing

    Chapter 12: Web Hosting Configuration Guide Load Balancing You can use the load balancing feature on the IA to distribute session load across a group of servers. If you configure the IA to provide load balancing, client requests that go through the IA can be redirected to any one of several predefined hosts.
  • Page 197: Adding Servers To The Load Balancing Group

    Adding Servers to the Load Balancing Group Once a logical server group is created, you specify the servers that can handle client requests. When the IA receives a client request directed to the virtual server address, it redirects the request to the actual server address and port. Server selection is done according to the specified policy.
  • Page 198: Specifying A Connection Threshold

    Specifying a Connection Threshold By default, there is no limit on the number of sessions that a load balancing server can service. You can configure a maximum number of connections that each server in a group can service.
  • Page 199: Verifying Extended Content

    You can change the handshake intervals and the number of retries by entering the following Configure-mode commands: Set handshake interval for all servers in specified group. Set handshake interval for specific server. Set number of handshake retries for all servers in specified group. Set number of verification retries for specified server.
  • Page 200: Setting Server Status

    Application verification, whether a simple TCP handshake or a user-defined action-response check, involves opening and closing a connection to a load-balancing server. Some applications require specific commands for proper closure of the connection. For example, a connection to an SMTP server application should be closed with the quit command.
  • Page 201: Load Balancing And Ftp

    Load Balancing and FTP File Transfer Protocol (FTP) packets require special handling with load balancing, because the FTP PORT command packets contain IP address information within the data portion of the packet. If the FTP control port used is not port 21, it is important for the IA to know the port number that is used for FTP.
  • Page 202: Specifying The Vpn Port Number

    Specifying the VPN Port Number You can specify the port number to be used for secure key transfer in Virtual Private Networks (VPN). The default port number for this usage is 500. To specify a VPN port number, enter the following command in Configure mode: Specify the port number for secure key transfer in VPNs.
  • Page 203: Configuration Examples

    Configuration Examples This section shows examples of load balancing configurations. Web Hosting with One Virtual Group and Multiple Destination Servers Figure 28, a company Web site is established with a URL of www.ctron.com. The system administrator configures the networks so that the IA forwards Web requests among four separate servers, as shown below.
  • Page 204: Web Hosting With Multiple Virtual Groups And Multiple Destination Servers

    The following is an example of how to configure a simple verification check where the IA will issue an HTTP command to retrieve an HTML page and check for the string “OK”: load-balance set group-options ctron-www acv-command “GET /test.html” acv-reply “OK”...
  • Page 205: Virtual Ip Address Ranges

    The network shown above can be created with the following load-balance commands: load-balance create group-name quick-www virtual-ip 207.135.89.16 virtual-port 80 protocol tcp load-balance create group-name quick-ftp virtual-ip 207.135.89.16 virtual-port 21 protocol tcp load-balance create group-name quick-smtp virtual-ip 207.135.89.16 virtual-port 25 protocol tcp load-balance add host-to-group 10.1.1.1 group-name quick-www port 80 load-balance add host-to-group 10.1.1.2 group-name quick-ftp port 21 load-balance add host-to-group 10.1.1.3 group-name quick-smtp port 25...
  • Page 206: Web Caching

    Group Name www.computers.com www.dvd.com www.vcr.com www.toys.com The network shown in the previous example can be created with the following load-balance commands: load-balance create vip-range-name mywwwrange 207.135.89.16-207.135.89.50 virtual-port 80 protocol tcp load-balance add host-to-vip-range 10.1.1.16-10.1.1.50 vip-range-name mywwwrange port 80 load-balance add host-to-vip-range 10.1.2.16-10.1.2.50 vip-range-name mywwwrange port 80...
  • Page 207: Configuring Web Caching

    Configuring Web Caching The following are the steps in configuring web caching on the IA: Create the cache group (a list of cache servers) to cache Web objects. Specify the hosts whose HTTP requests will be redirected to the cache servers. This step is optional;...
  • Page 208: Redirecting Http Traffic On An Interface

    Redirecting HTTP Traffic on an Interface To start the redirection of HTTP requests to the cache servers, you need to apply a caching policy to a specific outbound interface. This interface is typically an interface that connects to the Internet.
  • Page 209: Other Configurations

    The following commands configure the cache group cache1 that contains the servers shown in the figure above and applies the caching policy to the interface ip1: ia(config)# web-cache cache1 create server-list s1 range “176.89.10.50 176.89.10.54” ia(config)# web-cache cache1 create server-list s2 list “186.89.10.51 186.89.10.55”...
  • Page 210: Distributing Frequently-Accessed Sites Across Cache Servers

    Distributing Frequently-Accessed Sites Across Cache Servers The IA uses the destination IP address of the HTTP request to determine which cache server to send the request to. However, if there is a Web site that is being accessed very frequently, the cache server serving requests for this destination address may become overloaded with user requests.
  • Page 211: Chapter 13: Access Control List Configuration Guide

    This chapter explains how to configure and use Access Control Lists (ACLs) on the IA. ACLs are lists of selection criteria for specific types of packets. When used in conjunction with certain IA functions, ACLs allow you to restrict Layer-3/4 traffic going through the router.
  • Page 212: Acl Basics

    Chapter 13: Access Control List Configuration Guide ACL Basics An ACL consists of one or more rules describing a particular type of IP traffic. ACLs can be simple, consisting of only one rule, or complicated with many rules. Each rule tells the IA to either permit or deny packets that match selection criteria specified in the rule.
  • Page 213: How Acl Rules Are Evaluated

    Not all fields of an ACL rule need to be specified. If a particular field is not specified, it is treated as a wildcard or don't-care condition. However, if a field is specified, that particular field will be matched against the packet. Each protocol can have a number of different fields to match.
  • Page 214: Implicit Deny Rule

    If you were to reverse the order of the two rules: acl 101 permit tcp any any any any acl 101 deny tcp 10.2.0.0/16 any any any all TCP packets would be allowed to go through, including traffic from subnet 10.2.0.0/16. This is because TCP traffic coming from 10.2.0.0/16 would match the first rule and be allowed to go through.
  • Page 215: Allowing External Responses To Established Tcp Connections

    If a packet comes in from a network other than 10.1.20.0/24, you might expect the packet to go through because it doesn’t match the first rule. However, that is not the case because of the implicit deny rule. With the implicit deny rule attached, the rule looks like this: acl 102 deny ip 10.1.20.0/24 any any any acl 102 deny any any any any any A packet coming from 10.1.20.0/24 would not match the first rule, but would match the...
  • Page 216: Creating And Modifying Acls

    The following ACL illustrates this feature: acl 101 permit tcp established acl 101 apply interface int1 input Any incoming TCP packet on interface int1 is examined, and if the packet is in response to an internal request, it is permitted;...
  • Page 217: Maintaining Acls Using The Acl Editor

    If the changes are accessible from a TFTP server, you can upload and make the changes take effect by issuing commands like the following: ia# copy tftp://10.1.1.12/config/acl.changes to scratchpad ia# copy scratchpad to active The first copy command uploads the file acl.changes from a TFTP server and puts the commands into the temporary configuration area, the scratchpad.
  • Page 218: Using Acls

    Using ACLs It is important to understand that an ACL is simply a definition of packet characteristics specified in a set of rules. An ACL must be enabled in one of the following ways: •...
  • Page 219: Applying Acls To Services

    To apply an ACL to an interface, enter the following command in Configure mode: Apply ACL to an interface. Applying ACLs to Services ACLs can also be created to permit or deny access to system services provided by the IA; for example, HTTP or Telnet servers.
  • Page 220: Using Profile Acls With The Ip Policy Facility

    Table 3 lists the IA features that use ACL profiles: Table 3. IA Features and ACL Profile Usage. IA Features: IP policy; Dynamic NAT; Port mirroring; Rate limiting; Web caching. Note the following about using Profile ACLs: •...
  • Page 221: Using Profile Acls With The Traffic Rate Limiting Facility

    For example, you can define an IP policy that causes all telnet packets travelling from source network 9.1.1.0/24 to destination network 15.1.1.0/24 to be forwarded to destination address 10.10.10.10. You use a Profile ACL to define the selection criteria (in this case, telnet packets travelling from source network 9.1.1.0/24 to destination network 15.1.1.0/24).
  • Page 222: Using Profile Acls With Dynamic Nat

    When the rate limit definition is applied to an interface (with the rate-limit apply interface command), packets in flows originating from source address 1.2.2.2 are dropped if their bandwidth usage exceeds 10 Mbps. “Limiting Traffic Rate”...
  • Page 223: Using Profile Acls With The Web Caching Facility

    For example, you can mirror all IGMP traffic on the IA. You use a Profile ACL to define the selection criteria (in this example, all IGMP traffic). Then you use a port mirroring command to copy packets that match the selection criteria to a specified mirror port. The following commands illustrate this example.
  • Page 224: Preventing Web Objects From Being Cached

    The following command creates a Web caching policy that prevents packets matching Profile ACL prof4’s selection criteria (that is, packets with a source address of 10.10.10.10 and a destination address of 1.2.3.4) from being redirected to a cache server. Packets that match the profile’s selection criteria are sent to the Internet instead.
  • Page 225: Enabling Acl Logging

    Enabling ACL Logging To see whether incoming packets are permitted or denied because of an ACL, you can enable ACL Logging when applying the ACL. When ACL Logging is turned on, the router prints out a message on the console about whether a packet is forwarded or dropped.
  • Page 227: Chapter 14: Security Configuration Guide

    Security Overview The Internet Appliance (IA) provides security features that help control access to the IA. Access to the IA can be controlled by: • Enabling RADIUS • Enabling TACACS • Enabling TACACS Plus • Password authentication
  • Page 228: Configuring Ia Access Security

    Chapter 14: Security Configuration Guide Configuring IA Access Security This section describes the following methods of controlling access to the IA: • RADIUS • TACACS • TACACS Plus • Passwords Configuring RADIUS You can secure login or Enable mode access to the IA by enabling a Remote Authentication Dial-In Service (RADIUS) client.
  • Page 229: Monitoring Radius

    Monitoring RADIUS You can monitor RADIUS configuration and statistics within the IA. To monitor RADIUS, enter the following commands in Enable mode: Show RADIUS server statistics. Show all RADIUS parameters. Configuring TACACS In addition, Enable mode access to the IA can be made secure by enabling a Terminal Access Controller Access Control System (TACACS) client.
  • Page 230: Configuring Tacacs Plus

    Configuring TACACS Plus You can secure login or Enable mode access to the IA by enabling a TACACS Plus client. A TACACS Plus server responds to the IA TACACS Plus client to provide authentication. You can configure up to five TACACS Plus server targets on the IA. A timeout is set to tell the IA how long to wait for a response from TACACS Plus servers.
  • Page 231: Monitoring Tacacs Plus

    Monitoring TACACS Plus You can monitor TACACS Plus configuration and statistics within the IA. To monitor TACACS Plus, enter the following commands in Enable mode: Show TACACS Plus server statistics. Show all TACACS Plus parameters. Configuring Passwords The IA provides password authentication for accessing the User and Enable modes. If TACACS is not enabled on the IA, only local password authentication is performed.
  • Page 233: Chapter 15: Qos Configuration Guide

    QoS Configuration QoS & Layer-2, -3, and -4 Flow Overview The Internet Appliance (IA) allows network managers to identify traffic and set Quality of Service (QoS) policies without compromising wire speed performance. The IA can guarantee bandwidth on an application-by-application basis, thus accommodating high-priority traffic even during peak periods of usage.
  • Page 234: Layer-2, -3, And -4 Flow Specification

    Chapter 15: QoS Configuration Guide Within the IA, QoS policies are used to classify Layer-2, -3, and -4 traffic into the following priorities: • Control • High • Medium • Low By assigning priorities to network traffic, you can ensure that critical traffic will reach its destination even if the exit ports for the traffic are experiencing greater-than-maximum utilization.
  • Page 235: Ia Queuing Policies

    IA Queuing Policies You can use one of two queuing policies on the IA: • Strict priority: Assures throughput for the higher priorities, but at the expense of the lower priorities. For example, during heavy loads, low-priority traffic can be dropped to preserve throughput of control-priority traffic, and so on.
  • Page 236: Configuring Layer-2 Qos

    • The frame gets assigned a priority within the switch, AND if the exit ports are trunk ports, the frame is assigned an 802.1Q priority. Select a number from 0 to 7. The mapping of 802.1Q to internal priorities is the following: (0 = low) (1,2,3 =medium) (4,5,6 = high) (7 = control).
  • Page 237: Setting An Ip Qos Policy

    Setting an IP QoS Policy To set a QoS policy on an IP traffic flow, enter the following command in Configure mode: Set an IP QoS policy. For example, the following command assigns control priority to any traffic coming from the 10.10.11.0 network: ia(config)# qos set ip xyz control 10.10.11.0/24 Specifying Precedence for an IP QoS Policy...
  • Page 238: Allocating Bandwidth For A Weighted-Fair Queuing Policy

    Allocating Bandwidth for a Weighted-Fair Queuing Policy If you enable the weighted-fair queuing policy on the IA, you can allocate bandwidth for the queues on the IA. To allocate bandwidth for each IA queue, enter the following command in Configure mode: Allocate bandwidth for a weighted-fair queuing policy.
  • Page 239: Configuring Tos Rewrite For Ip Packets

    With the ToS rewrite command, you can access the value in the ToS octet (which includes both the Precedence and ToS fields) in each packet. The upper-layer application can then decide how to handle the packet, based on either the Precedence or the ToS field or both fields.
  • Page 240 For example, the following command will rewrite the ToS Precedence field to 7 if the ToS Precedence field of the incoming packet is 6: ia(config)# qos set ip tosp6to7 low any any any any 222 any any 224 7 In the above example, the <tos>...
  • Page 241: Monitoring Qos

    Monitoring QoS The IA provides display of QoS statistics and configurations contained in the IA. To display QoS information, enter the following commands in Enable mode: Show all IP QoS flows. Show all Layer-2 QoS flows. Limiting Traffic Rate Traffic rate limiting provides the ability to control the usage of a fundamental network resource, bandwidth.
  • Page 242: Example Configuration

    Example Configuration Figure 32 presents an example of configuring rate limiting on the IA. [Figure 32 diagram: backbone on port et.1.8, address 2.2.2.2/8] Traffic from two interfaces, ipclient1 with IP address 1.2.2.2 and ipclient2 with IP address 3.1.1.1, is restricted to 10 Mbps for each flow with the following configuration: vlan create client1 ip vlan create backbone ip vlan create client2 ip...
  • Page 243: Chapter 16: Performance Monitoring Guide

    Performance Monitoring Overview The Internet Appliance (IA) is a full wire-speed Layer-2, -3 and -4 switching router. As packets enter the IA, Layer-2, -3, and -4 flow tables are populated on each line card. The flow tables contain information on performance statistics and traffic forwarding. Thus the IA provides the capability to monitor performance at Layer 2, 3, and 4.
  • Page 244 Chapter 16: Performance Monitoring Guide Show information about the master MAC table. Show information about a particular MAC address. Show info about multicasts registered by IGMP. Show whether IGMP is on or off on a VLAN. Show info about MACs registered by the system.
  • Page 245: Configuring The Ia For Port Mirroring

    Configuring the IA for Port Mirroring The IA allows you to monitor activity with port mirroring. Port mirroring allows you to monitor the performance and activities of one or more ports on the IA or for traffic defined by an ACL through just a single, separate port. While in Configure mode, you can configure your IA for port mirroring with a simple command line like the following: Configure Port Mirroring.
  • Page 247: Chapter 17: Rmon Configuration Guide

    RMON Overview You can employ Remote Network Monitoring (RMON) in your network to help monitor traffic at remote points on the network. With RMON, data collection and processing are done by a remote probe, namely the Internet Appliance (IA). The IA also includes RMON agent software that communicates with a network management station via SNMP.
  • Page 248: Configuring And Enabling Rmon

    Chapter 17: RMON Configuration Guide Configuring and Enabling RMON By default, RMON is disabled on the IA. To configure and enable RMON on the IA, follow these steps: Turn on the Lite, Standard, or Professional RMON groups by entering the rmon set lite|standard|professional command.
  • Page 249: Rmon Groups

    The next sections describe Lite, Standard, and Professional RMON groups and control tables. RMON Groups The RMON MIB groups are defined in RFCs 1757 (RMON 1) and 2021 (RMON 2). On the IA, you can configure one or more levels of RMON support for a set of ports. Each level—Lite, Standard, or Professional—enables different sets of RMON groups (described later in this section).
  • Page 250: Lite Rmon Groups

    Chapter 17: RMON Configuration Guide Lite RMON Groups This section describes the RMON groups that are enabled when you specify the Lite support level. The Lite RMON groups are shown in Table 4. Table 4, Lite RMON Groups (Group): EtherStats; Event; Alarm; History. Standard RMON Groups This section describes the RMON groups that are enabled when you specify the Standard...
  • Page 251: Control Tables

    The Professional RMON groups are shown in Table 6. Table 6, Professional RMON Groups (Group): Protocol Directory; Protocol Distribution; Application Layer Host; Network Layer Host; Application Layer Matrix (and Top N); Network Layer Matrix (and Top N); Address Map; User History. Control Tables Many RMON groups contain both control and data tables.
  • Page 252: Using Rmon

    Chapter 17: RMON Configuration Guide If you choose to create default control tables, entries are created in the control tables for each port on the IA for the following groups: Lite groups: Standard groups: Professional groups: A row in the control table is created for each port on the IA, with the owner set to monitor. If you want, you can change the owner by using the appropriate rmon command.
  • Page 253 For example, use the rmon show protocol-distribution command to see the kinds of traffic received on a given port: ia# rmon show protocol-distribution et.5.5 RMON II Protocol Distribution Table Index: 506, Port: et.1.7, Owner: monitor Pkts ---- In the example output above, only HTTP and ICMP traffic is being received on this port. To find out which host or user is using these applications/protocols on this port, use the following command: ia# rmon show al-matrix et.5.5...
  • Page 254: Configuring Rmon Groups

    Chapter 17: RMON Configuration Guide Configuring RMON Groups As mentioned previously, control tables in many RMON groups specify the data that is to be collected for the particular RMON group. If the information you want to collect is in the default control tables, then you only need to turn on the default tables when you specify the RMON groups (Lite, Standard, or Professional);...
  • Page 255 To configure the Event group. To configure the History group. To configure the Application Layer and Network Layer Host groups. To configure the Application Layer and Network Layer Matrix groups. To configure the Host group. To configure the Host Top N entries.
  • Page 256: Configuration Examples

    Chapter 17: RMON Configuration Guide Configuration Examples This section shows examples of configuration commands that specify an event that generates an SNMP trap and the alarm condition that triggers the event. The RMON Alarm group allows the IA to poll itself at user-defined intervals. Alarms that constitute an event are logged into the Event table that can then be polled by the management station.
  • Page 257: Displaying Rmon Information

    • Rising and falling event index values are 15, which will trigger the previously configured Event. ia#(config) rmon alarm index 20 variable 1.3.6.1.2.1.31.1.5.0 interval 300 startup both type absolute-value rising-threshold 1 falling-threshold 1 rising-event-index 15 falling-event-index 15 owner "help desk"...
  • Page 258: Rmon Cli Filters

    Chapter 17: RMON Configuration Guide To show Network Layer Matrix logs. To show Application Layer Matrix logs. To show all Network Layer Matrix Top N. To show all Application Layer Matrix Top N. To show all user history logs. To show probe configuration. RMON CLI Filters Because a large number of statistics can be collected for certain RMON groups, you can define and use CLI filters to limit the amount of information displayed with the rmon...
  • Page 259: Creating Rmon Cli Filters

    The following shows the same rmon show hosts command with a filter applied so that only hosts with inpkts greater than 500 are displayed: rmon apply cli-filter 4 ia# rmon show hosts et.5.4 RMON I Host Table Filter: inpkts > 500 Address Port -------...
  • Page 260: Troubleshooting Rmon

    Chapter 17: RMON Configuration Guide Troubleshooting RMON If you are not seeing the information you expected with an rmon show command, or if the network management station is not collecting the desired statistics, first check that the port is up. Then, use the rmon show status command to check the RMON configuration on the IA.
  • Page 261: Allocating Memory To Rmon

    Make sure that the control table is configured for the report that you want. Depending upon the RMON group, default control tables may be created for all ports on the IA. Or, if the RMON group is not one for which default control tables can be created, you will need to configure control table entries using the appropriate rmon command.
  • Page 262 Chapter 17: RMON Configuration Guide Any memory allocation failures are reported. The following is an example of the information shown with the rmon show status command: ia# rmon show status RMON Status ----------- * RMON is ENABLED * RMON initialization successful. +--------------------------+ | RMON Group Status | +-------+--------+---------+...

This manual is also suitable for:

Ia1200