Enterasys Security Router X-Pedition™ User Manual

Enterasys security router user's guide
X-Pedition
Security Router
XSR User's Guide
Version 7.6
P/N 9033837-09


Summary of Contents for Enterasys Security Router X-Pedition™

  • Page 1 X-Pedition Security Router ™ XSR User’s Guide Version 7.6 P/N 9033837-09...
  • Page 3 Electrical hazard notice: Installations should only be carried out by trained and qualified personnel.

    Enterasys Networks reserves the right to make changes in specifications and other information contained in this document and its web site without prior notice. The reader should in all cases consult Enterasys Networks to determine whether any such changes have been made. The hardware, firmware, or software described in this document is subject to change without notice.

    IN NO EVENT SHALL ENTERASYS NETWORKS BE LIABLE FOR ANY INCIDENTAL, INDIRECT, SPECIAL, OR CONSEQUENTIAL DAMAGES WHATSOEVER (INCLUDING BUT NOT LIMITED TO LOST PROFITS) ARISING OUT OF OR RELATED TO THIS DOCUMENT, WEB SITE, OR THE INFORMATION CONTAINED IN THEM, EVEN IF ENTERASYS NETWORKS HAS BEEN ADVISED OF, KNEW OF, OR SHOULD HAVE KNOWN OF, THE POSSIBILITY OF SUCH DAMAGES.

    Enterasys Networks, Inc., 50 Minuteman Road, Andover, MA 01810. © 2005 Enterasys Networks, Inc. All rights reserved. Part Number: 9033837-09, September 2005.

    ENTERASYS NETWORKS, ENTERASYS XSR, and any logos associated therewith, are trademarks or registered trademarks of Enterasys Networks, Inc. in the United States and other countries. All other product names mentioned in this manual may be trademarks or registered trademarks of their respective owners.

    Documentation URL: http://www.enterasys.com/support/manuals
    Documentation URL (Spanish): http://www.enterasys.com/support/manuals
    Documentation URL (German): http://www.enterasys.com/support/manuals...
  • Page 4: Regulatory Compliance Information

    Federal Communications Commission (FCC) Notice

    The XSR complies with Title 47, Part 15, Class A of FCC rules. Operation is subject to the following two conditions:
    • This device may not cause harmful interference.
    • This device must accept any interference received, including interference that may cause undesired operation.

    NOTE: The XSR has been tested and found to comply with the limits for a class A digital device, pursuant to Part 15 of the FCC rules. These limits are designed to provide reasonable protection against harmful interference when the XSR is operated in a commercial environment. This XSR uses, generates, and can radiate radio frequency energy and if not installed in accordance with the operator’s manual, may cause harmful interference to radio communications. Operation of the XSR in a residential area is likely to cause interference in which case you will be required to correct the interference at your own expense.

    WARNING: Modifications or changes made to the XSR, and not approved by Enterasys Networks may void the authority granted by the FCC or other such agency to operate the XSR.

    The XSR complies with Part 68 of the FCC rules and the requirements adopted by the Administrative Council for Terminal Attachments (ACTA). A label on the circuit board of the Network Interface Module contains, among other information, a product identifier in the format listed in the following table. If requested, this number must be provided to the telephone company. A plug and jack used to connect the XSR to the premises wiring and telephone network must comply with the applicable FCC Part 68 rules and requirements adopted by ACTA. Refer to the following table and installation instructions for details.

    Codes applicable to this equipment: Product NIM-T1/E1-xx, NIM-CT1E1/PRI-xx, NIM-DIRELAY-xx, NIM-TE1-xx, NIM-CTE1-PRI-xx, NIM-BRI-U-xx, NIM-ADSL-AC-xx

    If the XSR harms the telephone network, the telephone company will notify you in advance that it may need to temporarily discontinue service. But if advance notice is not practical, the telephone company will notify you as soon as possible. Also, you will be advised of your right to file a complaint with the FCC if you believe it is necessary.

    The telephone company may make changes in its facilities, equipment, operations, or procedures that could affect the operation of the XSR. If this happens, the telephone company will provide advance notice for you to make necessary modifications and maintain uninterrupted service.

    If you experience trouble with the XSR, for repair or warranty information, please contact Enterasys Networks, Inc., at 978-684-1000. If the XSR is causing harm to the telephone network, the telephone company may request that you disconnect the equipment until the problem is solved. The XSR is not intended to be repaired by the customer.
  • Page 5: Product Safety

    Industry Canada Notices

    This digital apparatus does not exceed the class A limits for radio noise emissions from digital apparatus set out in the Radio Interference Regulations of the Canadian Department of Communications.

    This digital apparatus does not emit radio noise exceeding the limits applicable to Class A digital apparatus prescribed in the Radio Interference Regulations issued by the Canadian Department of Communications.

    Equipment Attachments Limitations

    “NOTICE: The Industry Canada label identifies certified equipment. This certification means that the equipment meets telecommunications network protective, operational and safety requirements as prescribed in the appropriate Terminal Equipment Technical Requirements document(s). The department does not guarantee the equipment will operate to the user's satisfaction.

    Before installing this equipment, users should ensure that it is permissible to be connected to the facilities of the local telecommunications company. The equipment must also be installed using an acceptable method of connection. The customer should be aware that compliance with the above conditions may not prevent degradation of service in some situations.

    Repairs to certified equipment should be coordinated by a representative designated by the supplier. Any repairs or alterations made by the user to this equipment, or equipment malfunctions, may give the telecommunications company cause to request the user to disconnect the equipment.

    Users should ensure for their own protection that the electrical ground connections of the power utility, telephone lines and internal metallic water pipe system, if present, are connected together. This precaution may be particularly important in rural areas.

    Caution: Users should not attempt to make such connections themselves, but should contact the appropriate electric inspection authority, or electrician, as appropriate.”

    “NOTICE: The Ringer Equivalence Number (REN) assigned to each terminal device provides an indication of the maximum number of terminals allowed to be connected to a telephone interface. The termination on an interface may consist of any combination of devices subject only to the requirement that the sum of the ringer equivalence Numbers of all the devices does not exceed 5.”

    R & TTE Directive Declaration

    Hereby, Enterasys Networks, Inc. declares that this XSR-1850 X-Pedition Security Router is compliant with essential requirements and other relevant provisions of Directive 1999/5/EC.

    Class A ITE Notice

    WARNING: This is a Class A product. In a domestic environment this product may cause radio interference in which case the ...
  • Page 6 This product complies with the following: 47 CFR Parts 2 and 15, CSA C108.8, 89/336/EEC, EN 55022, EN 55024, EN 61000-3-2, EN 61000-3-3, AS/NZS CISPR 22, and VCCI V-3.

    This Enterasys product complies with the following: 47 CFR Parts 2 and 15, CSA C108.8, 89/336/EEC, EN 55022, EN 55024, EN 61000-3-2, EN 61000-3-3, AS/NZS CISPR 22, VCCI V-3.

    This product complies with the following directives: 47 CFR Parts 2 and 15, CSA C108.8, 89/336/EEC, EN 55022, EN 55024, EN 61000-3-2, EN 61000-3-3, AS/NZS CISPR 22, VCCI V-3.

    European Waste Electrical and Electronic Equipment (WEEE) Notice

    In accordance with Directive 2002/96/EC of the European Parliament on waste electrical and electronic equipment (WEEE): The symbol above indicates that separate collection of electrical and electronic equipment is required and that this product was placed on the European market after August 13, 2005, the date of enforcement for Directive 2002/96/EC. When this product has reached the end of its serviceable life, it cannot be disposed of as unsorted municipal waste. It must be collected and treated separately.

    It has been determined by the European Parliament that there are potential negative effects on the environment and human health as a result of the presence of hazardous substances in electrical and electronic equipment. It is the users’ responsibility to utilize the available collection system to ensure WEEE is properly treated. For information about the available collection system, please go to http://www.enterasys.com/support/ or contact Enterasys Customer Support at 353 61 705586 (Ireland).

    This is a class A product based on the standard of the Voluntary Control Council for Interference by Information Technology Equipment (VCCI) V-3. If this equipment is used in a domestic environment, radio disturbance may arise. When such trouble occurs, the user may be required to take corrective actions.

    This is a class A product. In a domestic environment this product may cause radio interference in which case the user may be required to take adequate measures.
  • Page 7: Declaration Of Conformity

    Enterasys Networks, Inc. declares that the equipment packaged with this notice conforms to the above directives.

    WARNING: Do not install phone line connections during an electrical storm.

    WARNING: Do not connect phone line until the interface has been configured through local management. The service provider may shut off service if an un-configured interface is connected to the phone lines.

    WARNING: The NIM-BRI-ST cannot be connected directly to outside lines. An approved channel service unit (CSU) must be used for connection to the ISDN network. In some areas this CSU is supplied by the network provider and in others it must be supplied by the user. Contact your service provider for details.

    Federal Information Processing Standard (FIPS) Certification

    The XSR has been submitted to the National Institute of Standards and Technology (NIST) for FIPS 140-2 certification and is now officially listed on the NIST pre-validation list. For more information about the FIPS validation program, go to http://csrc.nist.gov/cryptval/preval.htm. For the FIPS 140-1 and 140-2 Pre-Validation List, click on the [PDF] link at the top of the page.

    Declaration of Conformity 73/23/EEC
    Manufacturer’s Name: Enterasys Networks, Inc.
    Manufacturer’s Address: 50 Minuteman Road, Andover, MA 01810; Nexus House, Newbury Business Park, London Road, Newbury, Berkshire RG14 2PZ, England
    EN 55022, EN 61000-3-2, EN 61000-3-3, EN 55024
    EC Directive 73/23/EEC: EN 60950, EN 60825 or Light Industrial Environment.
  • Page 8 Independent Communications Authority of South Africa This product complies with the terms of the provisions of section 54(1) of the Telecommunications Act (Act 103 of 1996) and the  Telecommunications Regulation prescribed under the Post Office Act (Act 44 of 1958). VPN Consortium Interoperability The VPN Consortium’s (VPNC) testing program is an important source for certification of conformance to IPSec standards.  With rigorous interoperability testing, the VPNC logo program provides IPSec users even more assurance that the XSR will  interoperate in typical business environments. VPNC is the only major IPSec testing organization that shows both proof of  interoperability as well as the steps taken so that you can reproduce the tests.
  • Page 9 BEFORE OPENING OR UTILIZING THE ENCLOSED PRODUCT,

    This document is an agreement (“Agreement”) between the end user (“You”) and Enterasys Networks, Inc. on behalf of itself and its Affiliates (as hereinafter defined) (“Enterasys”) that sets forth Your rights and obligations with respect to the Enterasys software program/firmware installed on the Enterasys product (including any accompanying documentation, hardware or media) (“Program”) in the package and prevails over any additional, conflicting or inconsistent terms and conditions appearing on any purchase order or other document submitted by You. “Affiliate” means any person, partnership, corporation, limited liability company, or other form of enterprise that directly or indirectly through one or more intermediaries, controls, or is controlled by, or is under common control with the party specified. This Agreement constitutes the entire understanding between the parties, and supersedes all prior discussions, representations, understandings or agreements, whether oral or in writing, between the parties with respect to the subject matter of this Agreement. The Program may be contained in firmware, chips or other media.

    BY INSTALLING OR OTHERWISE USING THE PROGRAM, YOU REPRESENT THAT YOU ARE AUTHORIZED TO ACCEPT THESE TERMS ON BEHALF OF THE END USER (IF THE END USER IS AN ENTITY ON WHOSE BEHALF YOU ARE AUTHORIZED TO ACT, “YOU” AND “YOUR” SHALL BE DEEMED TO REFER TO SUCH ENTITY) AND THAT YOU AGREE THAT YOU ARE BOUND BY THE TERMS OF THIS AGREEMENT, WHICH INCLUDES, AMONG OTHER PROVISIONS, THE LICENSE, THE DISCLAIMER OF WARRANTY AND THE LIMITATION OF LIABILITY. IF YOU DO NOT AGREE TO THE TERMS OF THIS AGREEMENT OR ARE NOT AUTHORIZED TO ENTER INTO THIS AGREEMENT, ENTERASYS IS UNWILLING TO LICENSE THE PROGRAM TO YOU AND YOU AGREE TO RETURN THE UNOPENED PRODUCT TO ENTERASYS OR YOUR DEALER, IF ANY, WITHIN TEN (10) DAYS FOLLOWING THE DATE OF RECEIPT FOR A FULL REFUND. IF YOU HAVE ANY QUESTIONS ABOUT THIS AGREEMENT, CONTACT ENTERASYS NETWORKS, LEGAL DEPARTMENT AT (978) 684-1000.

    You and Enterasys agree as follows:

    LICENSE. You have the non-exclusive and non-transferable right to use only the one (1) copy of the Program provided in this package subject to the terms and conditions of this Agreement.

    RESTRICTIONS. Except as otherwise authorized in writing by Enterasys, You may not, nor may You permit any third party to:
    (i) Reverse engineer, decompile, disassemble or modify the Program, in whole or in part, including for reasons of error correction or interoperability, except to the extent expressly permitted by applicable law and to the extent the parties shall not be permitted by that applicable law, such rights are expressly excluded. Information necessary to achieve interoperability or correct errors is available from Enterasys upon request and upon payment of Enterasys’ applicable fee.
    (ii) Incorporate the Program, in whole or in part, in any other product or create derivative works based on the Program, in ...
  • Page 10 EXPORT RESTRICTIONS. You understand that Enterasys and its Affiliates are subject to regulation by agencies of the U.S. Government, including the U.S. Department of Commerce, which prohibit export or diversion of certain technical products to certain countries, unless a license to export the Program is obtained from the U.S. Government or an exception from obtaining such license may be relied upon by the exporting party.

    If the Program is exported from the United States pursuant to the License Exception CIV under the U.S. Export Administration Regulations, You agree that You are a civil end user of the Program and agree that You will use the Program for civil end uses only and not for military purposes.

    If the Program is exported from the United States pursuant to the License Exception TSR under the U.S. Export Administration Regulations, in addition to the restriction on transfer set forth in Sections 1 or 2 of this Agreement, You agree not to (i) reexport or release the Program, the source code for the Program or technology to a national of a country in Country Groups D:1 or E:2 (Albania, Armenia, Azerbaijan, Belarus, Bulgaria, Cambodia, Cuba, Estonia, Georgia, Iraq, Kazakhstan, Kyrgyzstan, Laos, Latvia, Libya, Lithuania, Moldova, North Korea, the People’s Republic of China, Romania, Russia, Rwanda, Tajikistan, Turkmenistan, Ukraine, Uzbekistan, Vietnam, or such other countries as may be designated by the United States Government), (ii) export to Country Groups D:1 or E:2 (as defined herein) the direct product of the Program or the technology, if such foreign produced direct product is subject to national security controls as identified on the U.S. Commerce Control List, or (iii) if the direct product of the technology is a complete plant or any major component of a plant, export to Country Groups D:1 or E:2 the direct product of the plant or a major component thereof, if such foreign produced direct product is subject to national security controls as identified on the U.S. Commerce Control List or is subject to State Department controls under the U.S. Munitions List.

    UNITED STATES GOVERNMENT RESTRICTED RIGHTS. The enclosed Program (i) was developed solely at private expense; (ii) contains “restricted computer software” submitted with restricted rights in accordance with section 52.227-19 (a) through (d) of the Commercial Computer Software-Restricted Rights Clause and its successors, and (iii) in all respects is proprietary data belonging to Enterasys and/or its suppliers. For Department of Defense units, the Program is considered commercial computer software in accordance with DFARS section 227.7202-3 and its successors, and use, duplication, or disclosure by the Government is subject to restrictions set forth herein.

    DISCLAIMER OF WARRANTY. EXCEPT FOR THOSE WARRANTIES EXPRESSLY PROVIDED TO YOU IN WRITING BY Enterasys, Enterasys DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO IMPLIED WARRANTIES OF MERCHANTABILITY, SATISFACTORY QUALITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE AND NON-INFRINGEMENT WITH RESPECT TO THE PROGRAM. IF IMPLIED WARRANTIES MAY NOT BE DISCLAIMED BY APPLICABLE LAW, THEN ANY IMPLIED WARRANTIES ARE LIMITED IN DURATION TO THIRTY (30) DAYS AFTER DELIVERY OF THE PROGRAM TO YOU.

    LIMITATION OF LIABILITY. IN NO EVENT SHALL ENTERASYS OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF BUSINESS, PROFITS, BUSINESS INTERRUPTION, LOSS OF BUSINESS INFORMATION, SPECIAL, INCIDENTAL, CONSEQUENTIAL, OR RELIANCE DAMAGES, OR OTHER LOSS) ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM, EVEN IF ENTERASYS HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. THIS FOREGOING LIMITATION SHALL APPLY REGARDLESS OF THE CAUSE OF ACTION UNDER WHICH DAMAGES ARE SOUGHT.
  • Page 11 10. ENFORCEMENT. You acknowledge and agree that any breach of Sections 2, 4, or 9 of this Agreement by You may cause Enterasys irreparable damage for which recovery of money damages would be inadequate, and that Enterasys may be entitled to seek timely injunctive relief to protect Enterasys’ rights under this Agreement in addition to any and all remedies available at law.

    11. ASSIGNMENT. You may not assign, transfer or sublicense this Agreement or any of Your rights or obligations under this Agreement, except that You may assign this Agreement to any person or entity which acquires substantially all of Your stock or assets. Enterasys may assign this Agreement in its sole discretion. This Agreement shall be binding upon and inure to the benefit of the parties, their legal representatives, permitted transferees, successors and assigns as permitted by this Agreement. Any attempted assignment, transfer or sublicense in violation of the terms of this Agreement shall be void and a breach of this Agreement.

    12. WAIVER. A waiver by Enterasys of a breach of any of the terms and conditions of this Agreement must be in writing and will not be construed as a waiver of any subsequent breach of such term or condition. Enterasys’ failure to enforce a term upon Your breach of such term shall not be construed as a waiver of Your breach or prevent enforcement on any other occasion.

    13. SEVERABILITY. In the event any provision of this Agreement is found to be invalid, illegal or unenforceable, the validity, legality and enforceability of any of the remaining provisions shall not in any way be affected or impaired thereby, and that provision shall be reformed, construed and enforced to the maximum extent permissible. Any such invalidity, illegality or unenforceability in any jurisdiction shall not invalidate or render illegal or unenforceable such provision in any other jurisdiction.

    14. TERMINATION. Enterasys may terminate this Agreement immediately upon Your breach of any of the terms and conditions of this Agreement. Upon any such termination, You shall immediately cease all use of the Program and shall return to Enterasys the Program and all copies of the Program.
  • Page 13: Table Of Contents

    Preface Contents of the Guide ... xxvii Conventions Used in This Guide ...xxviii Getting Help ... xxx Chapter 1: Overview Chapter 2: Managing the XSR Utilizing the Command Line Interface ... 2-1 Connecting via the Console Port on XSR Series ... 2-1 Using the Console Port for Dial Backup on the XSR 1800 Series...
  • Page 14 Configuring an Interface ... 2-22 Displaying Interface Attributes ... 2-22 Managing Message Logs ... 2-23 Logging Commands ... 2-23 Performing Fault Management ... 2-23 Fault Report Commands ... 2-24 Capturing Fault Report Data... 2-24 Using the Real-Time Clock ... 2-25 RTC/Network Clock Options...
  • Page 15 Chapter 3: Managing LAN/WAN Interfaces Overview of LAN Interfaces ... 3-1 LAN Features ... 3-1 Configuring the LAN ... 3-2 MIB Statistics ... 3-2 Overview of WAN Interfaces ... 3-3 WAN Features ... 3-3 Configuring the WAN ... 3-4 Chapter 4: Configuring T1/E1 & T3/E3 Interfaces Overview ...
  • Page 16 Secondary IP ... 5-7 Interface & Secondary IP... 5-7 ARP & Secondary IP ... 5-8 ICMP & Secondary IP... 5-8 Routing Table Manager & Secondary IP ... 5-9 OSPF & Secondary IP... 5-9 RIP & Secondary IP... 5-9 Unnumbered Interface & Secondary IP... 5-9 NAT &...
  • Page 17 Load Balancing ... 5-31 ARP Process on a VRRP Router ... 5-31 Host ARP... 5-31 Proxy ARP ... 5-31 Gratuitous ARP... 5-31 Traffic Process on a VRRP Router ... 5-31 ICMP Ping ... 5-32 Interface Monitoring ... 5-32 Watch Group Monitoring... 5-33 Physical Interface and Physical IP Address Change on a VRRP Router ...
  • Page 18 Filter Lists ... 6-12 Community Lists ... 6-12 Route Maps ... 6-12 Regular Expressions ... 6-13 Regular Expression Characters... 6-13 Regular Expression Examples ... 6-13 Peer Groups ... 6-14 Initial BGP Configuration ... 6-15 Adding BGP Neighbors ... 6-15 Resetting BGP Connections ... 6-15 Synchronization ...
  • Page 19 Describing the XSR’s PIM-SM v2 Features ... 7-7 Phase 1: Building a Shared Tree ... 7-8 Phase 2: Building Shortest Path Tree Between Sender & RP ... 7-8 Phase 3: Building Shortest Path Tree Between Sender & Receiver ... 7-9 Neighbor Discovery and DR Election ...
  • Page 20 Chapter 9: Configuring Frame Relay Overview ... 9-1 Virtual Circuits ... 9-1 DLCIs... 9-1 DTEs... 9-2 DCEs ... 9-2 Frame Relay Features ... 9-3 Multi-Protocol Encapsulation ... 9-3 Address Resolution ... 9-4 Dynamic Resolution Using Inverse ARP ... 9-4 Controlling Congestion in Frame Relay Networks ... 9-4 Rate Enforcement (CIR) - Generic Traffic Shaping ...
  • Page 21 Configuring ISDN Callback ... 10-12 Point-to-Point with Matched Calling/Called Numbers ... 10-12 Point-to-Point with Different Calling/Called Numbers ... 10-12 Point-to-Multipoint with One Neighbor ... 10-12 Point-to-Multipoint with Multiple Neighbors ... 10-12 Overview of Dial Backup ... 10-13 Dial Backup Features ... 10-13 Sequence of Backup Events ...
  • Page 22 Backup Using ISDN ... 10-37 Node A (Backed-up Node) Configuration ... 10-37 Node C (Called Node) Configuration ... 10-38 Configuration for Backup with MLPPP Bundle ... 10-39 Node A (Backed-up Node) Configuration ... 10-39 Node C (Called Node) Configuration ... 10-40 Configuration for Ethernet Failover ...
  • Page 23 Measuring Bandwidth Utilization ... 12-5 Describing Priority Queues... 12-5 Configuring Priority Queues ... 12-5 Describing Traffic Policing ... 12-6 Configuring Traffic Policing... 12-6 Class-based Traffic Shaping ... 12-7 Traffic Shaping per Policy-Map ... 12-8 Differences Between Traffic Policing and Traffic Shaping ... 12-9 Traffic Shaping and Queue Limit ...
  • Page 24 ADSL Hardware ... 13-5 NIM Card ... 13-5 ADSL on the Motherboard ... 13-6 DSP Firmware ... 13-6 ADSL Data Framing ... 13-6 ATM Support ... 13-6 Virtual Circuits ... 13-6 OAM Cells ... 13-7 Performance Monitoring ... 13-7 Class of Service... 13-7 DSLAM Compatibility ...
  • Page 25 Server 1 ... 14-17 Server 2 ... 14-18 Client ... 14-18 Limitations ... 14-18 XSR VPN Features ... 14-18 VPN Configuration Overview ... 14-20 Master Encryption Key Generation ... 14-20 ACL Configuration Rules ... 14-21 Configuring ACLs ... 14-21 Selecting Policies: IKE/IPSec Transform-Sets ... 14-22 Security Policy Considerations ...
  • Page 26 DHCP Client Services ... 15-6 Router Option ... 15-6 Parameter Request List Option ... 15-6 DHCP Client Interaction ... 15-6 Secondary Address Caveats ... 15-6 Interaction with Remote Auto Install (RAI)... 15-7 DHCP Client Timeouts ... 15-7 DHCP CLI Commands ... 15-8 DHCP Set Up Overview ...
  • Page 27 Application Level Commands ... 16-13 Application Level Gateway ... 16-13 On Board URL Filtering ... 16-14 Denial of Service (DoS) Attack Protection ... 16-15 Alarm Logging ... 16-16 Alarms ... 16-16 Authentication... 16-17 Firewall and NAT ... 16-18 Firewall and VPN ... 16-18 ACLs and Firewall ...
  • Page 28 DOS Attacks Blocked Counters...B-12 DOS Attacks Blocked Table ...B-12 VPN MIB Tables ...B-12 etsysVpnIkePeer Table ...B-13 etsysVpnIkePeerProposals Table ...B-13 etsysVpnIkeProposal Table ...B-14 etsysVpnIpsecPolicy Table...B-14 etsysVpnIntfPolicy Table ...B-14 etsysVpnIpsecPolicyRule Table ...B-15 etsysVpnIpsecPolProposals Table ...B-15 etsysVpnIpsecProposal Table ...B-16 etsysVpnIpsecPropTransforms Table ...B-16 etsysVpnAhTransform Table ...B-16 etsysVpnEspTransform Table ...B-17 etsysVpnIpcompTransform Table...B-17 ipCidrRouteTable for Static Routes ...B-18...
  • Page 29: Contents Of The Guide

    This guide provides a general overview of the XSR hardware and software features. It describes how to configure and maintain the router. Refer to the XSR CLI Reference Guide and the XSR Getting Started Guide for information not contained in this document. This guide is written for administrators who want to configure the XSR or experienced users who are knowledgeable of basic networking principles.
  • Page 30: Conventions Used In This Guide

    • Chapter 11, Configuring ISDN, outlines how to set up the Integrated Services Digital Network protocol on the XSR for BRI, PRI and leased line applications. ISDN protocol tracing and partial decoding of Q921 and Q931 frames is also described.
    •...
  • Page 31 Warning: Warns against an action that could result in personal injury or death. Warning (Spanish): Warns against an action that could result in bodily injury or death. Warning (German): Warns against actions that can lead to injury of persons or even death! Bold (Spanish: En negrilla): Text in boldface indicates values you type using the keyboard or select using the mouse (for example, a:\setup).
  • Page 32: Getting Help

    For additional support related to the XSR, contact Enterasys Networks by one of these methods:
    • World Wide Web
    • Phone
    • Internet mail
    • Login
    • Password
    • Acquire the latest image and Release Notes
    • Additional documentation
    • Forward comments or suggestions...
  • Page 33: Chapter 1: Overview

    This chapter briefly describes the functionality of the XSR. Refer to the following chapters in this manual for details on how to configure this functionality and the XSR CLI Reference Guide for a description of associated CLI commands and examples. The following functionality is supported on the XSR: •...
  • Page 34 and data-compression negotiation. Also supported: PPPoE client and sub-interface monitoring, and Multilink PPP protocols as well as Dial on Demand (DoD), Bandwidth on Demand (BoD), Multi-Class MLPPP.
    • IP Protocol - IP supports interconnected systems of packet-switched computer communication networks. It uses a 32-bit addressing scheme where an IP address is represented by four fields, each containing 8-bit numbers.
  • Page 35 • Quality of Service - The XSR provides traffic classification using IP Precedence and DSCP bits, bandwidth control via metered, policed and prioritized traffic queues, and queue management utilizing Tail Drop, Random and Weighted Early Detection (RED, WRED). Also, QoS on Input including classification based on class maps (similar to QoS on Output), marking per traffic flow (DSCP and IP precedence fields), and policing per traffic class, and QoS over VPN.
  • Page 37: Chapter 2: Managing The Xsr

    The XSR can be managed via three interfaces with varying levels of control: the Command Line Interface (CLI) for full configuration, performance and fault management; the Simple Network Management Protocol (SNMP) for remote monitoring and firmware upgrades, and the Web for gathering version information.
  • Page 38: Using The Console Port To Remotely Control The Xsr

    The XSR’s Console port can also be connected to a modem for the purpose of remote console control. Make the connection with a straight-through cable and enter the following XSR commands:
      XSR(config)#interface serial 0
      XSR(config-if<S0>)#physical-layer async
      XSR(config-if<S0>)#clock rate 9600...
  • Page 39: Terminal Commands

    If you want to display identification information about the current terminal connection, issue the show whoami command. Refer to the XSR Getting Started Guide and XSR CLI Reference Guide for more information on commands.

    Connecting via Telnet

    Once the XSR is properly configured with a valid IP address, you can remotely connect to the CLI via Telnet using the default user admin with no password.
  • Page 40: Accessing The Initial Prompt

    PuTTY and other shareware programs are compatible with the XSR’s SSH server. Refer to the XSR Getting Started and CLI Reference guides for more details.

    Accessing the Initial Prompt

    The CLI is password-protected: before you can access EXEC mode, you must enter a valid password.
  • Page 41: Managing The Session

    A first-time CLI session is set up with default attributes; e.g., the session is set to time out after 1800 seconds of idle time. You can reconfigure session values: create users, passwords, and login banners, and set Telnet and Web access. Refer to the XSR CLI Reference Guide for details about these commands.
  • Page 42
    • Backwardly compatible/transparent to those not requiring RAI.
    • Console display of RAI progress.
    • Console interrupt of RAI process at any time.
    • CLI configurable RAI loading: Persistent, 5-minute try, and none (disable).
    • No rebooting required to activate configuration.
    •...
  • Page 43: Rai Requirements On The Xsr

    DHCP client over the LAN:
    • Operational over an Ethernet interface on the lowest slot/card/port only.
    • Uses the options field for TFTP server, IP address, host name and config file.
    • Optionally uses Reverse DNS if options are not populated.
    At a branch site, the XSR supports the following features over a PPP IETF serial interface:
    •...
  • Page 44 Utilizing the Command Line Interface RAI checks each DLCI, up to 30, on a given interface for a Bootp response, an rDNS server and a TFTP server with a configuration file. The first DLCI that accomplishes this will be chosen. If the connection fails, RAI will reset itself and restart at Phase 1, next media-type.
  • Page 45 With bootp enabled, DHCP relay and server functionality is disabled on this DLCI for broadcast packets entering from this DLCI. Unicast bootp requests are still forwarded to the server. Configuration on a DLCI by DLCI basis is supported for a bootp response, requiring that a statically-mapped DLCI number be configured with a corresponding IP address.
  • Page 46 Utilizing the Command Line Interface PPP RAI over a Leased Line PPP over a leased line performs similarly to Frame Relay RAI over a serial link via a leased Telco line. When PPP negotiation is successful, a point-to-point connection is established from the remote XSR to the central router.
  • Page 47: Cli Editing Rules

    The first phase establishes a physical connection (training) on the ADSL line. RAI ADSL attempts a physical connection on the first port of the ADSL card, waiting one minute for training to succeed. If it fails, RAI abandons ADSL RAI and moves to the next available RAI method. After training with the DSLAM, RAI must configure a proper PVC channel on the ADSL line.
  • Page 48: Setting Cli Configuration Modes

    Utilizing the Command Line Interface • Command Recall: Non-help commands are stored in the command history list buffer up to the last 32 commands. You can recall and edit previous commands using shortcut keys. For Ctrl example: applied repeatedly. The up-arrow or down-arrow keys provide the same feature if your terminal supports these keys.
  • Page 49 Table 2-3 CLI Configuration Modes
    Mode: User EXEC. Function: Password-protected mode: changes terminal settings; performs basic tests; displays system information.
    Mode: Privileged EXEC. Function: This mode sets system operating values; shows configuration parameters; saves/copies configurations.
    Mode: Global. Function: Sets system-wide values. Save changes after a reboot by copying the running-configuration to the startup-configuration.
    Mode: Interface. Function: Modifies/assigns port parameters on a...
  • Page 50: User Exec Mode

    Utilizing the Command Line Interface Some attributes can be set at this level without acquiring other modes. For example: list access-list-num [deny | permit] [parameter [parameter…]] Show commands can all be entered at EXEC, Privileged EXEC or higher modes. User EXEC Mode You enter User EXEC (or simply EXEC) mode after logging in.
  • Page 51: Mode Examples

    Mode Examples Consider the following examples to change configuration mode: XSR>enable Acquires Privileged EXEC mode XSR#config terminal XSR(config)#interface fastethernet 1 XSR(config-if<F1>)#ip address 192.168.2.2 255.255.255.0 Sets up the IP address and subnet mask for this FastEthernet port XSR(config-if<F1>)#exit XSR(config)#exit XSR#disable Quits Privileged EXEC mode XSR>...
  • Page 52: Cli Command Limits

    Utilizing the Command Line Interface CLI Command Limits CLI commands on the XSR are bounded by the following: • Total number of characters in a command line/help message: 299 • Total number of words in a command line: 127 • Number of command history entries recalled: 31 •...
  • Page 53: Supported Ports

    Supported Ports The XSR supports the following port types: • Single-channel ports: Fast- and GigabitEthernet, Sync/Async serial, ATM • Multiple-channel type ports: BRI, T1/E1 Numbering XSR Slots, Cards, and Ports The syntax for XSR slot, card, and port numbering on the CLI, illustrated in slot#/card#/port# These parameters indicate: •...
  • Page 54: Configuration Examples

    Utilizing the Command Line Interface • Virtual Interfaces: – Loopback - Range 0 to 15. Interface type: Internal Loopback. – Dialer - Range: 0 to 255, Interface type: Dialer. – VPN - Range: 0 to 255, Interface type: VPN tunnel/Dialer. –...
  • Page 55 • BRI-Dialer (ISDN) Example interface dialer 0 Configures dialer interface 0 ip address 2.2.2.2 255.255.255.0 encapsulation Interface/Sub-interface Behavior XSR interfaces and sub-interfaces, channels and channel-groups are added and deleted differently depending on the particular interface. Interface characteristics are as follows: •...
  • Page 56: Entering Commands That Control Tables

    Utilizing the Command Line Interface – Switched: When configuring a switched BRI connection, three serial sub-interfaces are automatically created when you enter: interface bri 2/1 isdn switch-type basic-ni1 – The following sub-interfaces are added: interface serial 2/1:0 interface serial 2/1:1 interface serial 2/1:2 –...
  • Page 57: Deleting Table Entries

    Deleting Table Entries There are two ways to delete an entry from a table, depending on the table type. Type (e.g.): XSR(config)#no arp 1.1.1.1 e45e.ffe5.ffee This removes the ARP entry related to row 1.1.1.1, where no is the command that negates the previous operation and arp is the associated table type.
  • Page 58: Enabling An Interface

    Utilizing the Command Line Interface Ports can be enabled or disabled, configured for default settings, associated tables, clock rate, priority group, and encapsulation, for example. Refer to the XSR CLI Reference Guide for more details on Interface mode commands. Note: All interfaces are disabled by default. Enabling an Interface The following command enables an interface.
  • Page 59: Managing Message Logs

    Managing Message Logs Messages produced by the XSR, whether alarms or events, as well as link state changes for critical ports and a management authentication log, can be routed to various destinations with the logging command. And by issuing the while permitting transmission to others.
  • Page 60: Fault Report Commands

    XSR to capture a new one. Capturing Fault Report Data Enterasys Networks recommends that you enter the following commands from privileged EXEC mode during capture to assist in analysis and simplify the capture process. The report command should only be executed once you are sure that the text has been completely captured since the data is not recoverable afterwards.
  • Page 61: Using The Real-Time Clock

    Using the Real-Time Clock The XSR’s Real-Time Clock (RTC) is employed by other system software modules to time-stamp events and alarms, and is useful when no network clock source is accessible. It is normally synchronized with a master clock source over the network using the Simple Network Time Protocol (SNTP) but can also synchronize with the battery-supported RTC chip.
  • Page 62: Resetting The Configuration To Factory Default

    Utilizing the Command Line Interface Resetting the Configuration to Factory Default In situations where the XSR has invalid software or a problem booting up, you can reset the router and return it to its factory default settings by accessing Bootrom Monitor Mode. Take these steps: Power up with a serial Com connection.
  • Page 63: Configuration Save Options

    Configuration Save Options There are several options available regarding configuration: • If you want to make your running configuration the new startup configuration, you can save it to Flash memory with the • If you want to convert your startup configuration into the running configuration, you can reload issue the •...
  • Page 64: Uploading The Configuration/Crash Report

    Utilizing the Command Line Interface Note: If you have inadvertently added errors to the CLI script file, the restoration of startup- config will be stopped at the error line. So, any commands after that line in startup-config are not executed. For more command details, refer to the XSR CLI Reference Guide.
  • Page 65: Managing The Software Image

    Managing the Software Image The XSR can store more than one software image in Flash. Creating Alternate Software Image Files The XSR can create multiple software images, a useful option if you want to quickly select an alternate image. For example, you can create two software image files: xsr1805_b.fls Begin the process by issuing the the name of your software file.
  • Page 66 Utilizing the Command Line Interface • Optionally, if you have CompactFlash installed, you can download the firmware file to cflash: then perform Step 1 (see below) followed by the • If you use the Cabletron TFTP/BOOTP Services application, which does not recognize long file names, first shorten the Bootrom file name to 8 characters or less with an extension, before beginning the download (i.e.: •...
  • Page 67 Using TFTP, transfer updateBootrom.fls copy tftp://192.168.27.95/C:/tftpDir/ updateBootrom.fls XSR-1805# flash:updateBootrom.fls Copy 'tftpDir/updateBootrom.fls' from server as 'updateBootrom.fls' into Flash(y/n) ? !!!!!!!!!!!!!!!!!!!!!!!!!! Download from server done File size: 667172 bytes Copy boot-config restore-boot-config XSR-1805# copy flash:boot-config flash:restore-boot-config Copy 'boot-config' from flash: device as 'restore-boot-config' into flash: device(y/n) ? copying file flash:boot-config ->...
  • Page 68 VPN, console, NIM1 and NIM2 LEDs turn off, immediately enter <Ctrl-C> on the terminal. If you miss this time window, power off and try again. The Bootrom monitor menu should appear as follows: Copyright 2003 Enterasys Networks Inc. HW Version: 9002854-02 REV0A Serial Number: 2854019876543210 CPU: IBM PowerPC 405GP Rev. D VxWorks version: 5.4...
  • Page 69 – DOS-style full path (without the file name) of the site of the Bootrom file on the host PC. – The username and password to use when connecting to your FTP server on the host PC. Verify the network boot values using the XSR: Local IP address : 192.168.1.1...
  • Page 70: Loading Software Images

    Utilizing the Command Line Interface Programming 131072(0x20000) bytes at address 0xfffa0000 Programming 48299(0xbcab) bytes at address 0xfffc0000 Verifying Bootrom flash sectors Locking 3 Bootrom flash sectors Locking 8 Bootrom flash sectors ***** Bootrom update completed. Do you want to remove the bootrom file bootrom_uncmp.fls? (y/n) Using default Bootrom password.
  • Page 71 • If the power to the XSR fails, try another reload • If a syntax error is indicated, examine your configuration for errors • If the XSR crashes, do not retry reloading. Contact Technical Support EOS fallback is configurable from the CLI or via SNMP. Refer to the following section to configure the feature on the CLI or “Configuring EOS Fallback via SNMP”...
  • Page 72: Downloading With Fips Security

    Utilizing the Command Line Interface Set the operation to imageSetSelected: set 1.1.1.1 .1.3.6.1.4.1.5624.1.2.16.2.7.1.3.1 0100 Set the row to active: set 1.1.1.1 .1.3.6.1.4.1.5624.1.2.16.2.7.1.11.1 1 Note: The primary image cflash:xsr3004.fls must already exist in the XSR, otherwise the configuration will fail at this point. Reboot the XSR to load the new image by configuring the following: •...
  • Page 73: Displaying System Status And Statistics

    When the XSR boots up, the checksum of these files is calculated and stored in volatile memory. From then on any time the content of those files is changed the hash is recalculated and stored. You can access the hash value in the etsysConfigMgmtPersistentStorageChSum SNMP object and compare it with previous queries to detect configuration changes to the managed entity.
  • Page 74: Network Management Through Snmp

    Network Management through SNMP When the memory governor is asked to allow or deny a new resource, the decision is based on: • memory low watermark • extreme limit You can push the extreme limit of individual resources as long as the memory low watermark is not met.
  • Page 75: Snmp Informs

    SNMP Informs SNMP Informs were first introduced in SNMPv2. An Inform is essentially nothing more than an acknowledged trap. That is, when a remote application receives an Inform, it sends back an “I got it” message. When you send an Inform, you use the remote engineID with the message, and the securityName and engineID exist as a pair in the Remote User table.
  • Page 76: Alarm Management (Traps)

    Network Management through SNMP Alarm Management (Traps) The following events are supported by SNMP traps: snmpTrapColdStart, snmpTrapWarmStart, snmpTrapLinkDown, snmpTrapLinkUp, snmpTrapAuthFailure, entityTrapConfigChange, frameRelayTrapfrDLCIStatusChange, ospfTrapIfStateChange, ospfTrapVirtIfStateChange, ospfTrapNbrStateChange, ospfTrapVirtNbrStateChange, ospfTrapIfConfigError, ospfTrapVirtIfConfigError, ospfTrapIfAuthFailure, ospfTrapVirtIfAuthFailure, ospfTrapIfRxBadPacket, ospfTrapVirtIfRxBadPacket, ospfTrapTxRetransmit, ospfTrapVirtIfTxRetransmit, ospfTrapOriginateLsa, ospfTrapMaxAgeLsa, ospfTrapLsdbOverflow, ospfTrapLsdbApproachingOverflow, bgpTrapEstablished, and bgpTrapBackwardTransition. SNMP alarms are listed in Appendix A: Table”...
  • Page 77: Configuration Examples

    Latency (network delay) is measured with the formula: D(i)=(Ri-Si), which is the round-trip interval between sending and receiving the ICMP packet triggered by the initiator and echoed back by the target. Jitter (network delay variation) is the value between packets i and j as figured by the formula: D(i,j)=(Rj-Ri)-(Sj-Si).
  • Page 78 Network Management through SNMP Via SNMP The following example creates a row in the aggregate measure table with owner userA. If the entry is created with owner monitor, replace 5.117.115.101.114.65 with 7.109.111.110.105.116.111.114. Create a row (etsysSrvcLvlAggrMeasureStatus): 1.3.6.1.4.1.5624.1.2.39.1.4.2.1.18.5.117.115.101.114.65.1 = 5 (createAndWait) Configure the destination address (etsysSrvcLvlNetMeasureDst) in the network measure table: 1.3.6.1.4.1.5624.1.2.39.1.4.1.1.14.5.117.115.101.114.65.1 = 1.1.1.1 Schedule a measurement...
  • Page 79: Using The Sla Agent In Snmp

    Query a Measurement Now that you have performed the previous actions, you can query the measurement result. Via CLI The following command displays rtr output: XSR#show rtr history Via SNMP Query the etsysSrvcLvlHistoryTable (1.3.6.1.4.1.5624.1.2.39.1.3.1). Using the SLA Agent in SNMP The XSR’s SLA agent implements the Enterasys Service Level Reporting MIB and supported metrics as detailed in the following tables, which may cross-reference each other.
  • Page 80: Software Image Download Using Netsight

    Network Management through SNMP Software Image Download using NetSight The NetSight Remote Administrator application can download an image to the XSR using TFTP. The software image download is initiated through NetSight using an SNMP triggers a TFTP download session initiated from the XSR. Note: The XSR does not support an off-line download triggered by SNMP.
  • Page 81: Accessing The Xsr Through The Web

    Write a plain ASCII file containing the CLI commands you want entered. For example: interface FastEthernet2 ip address 192.168.19.1 255.255.255.0 no shutdown Save and move the file to the root directory of the TFTP server on your PC. Use SNMPv3 to create a row in the Configuration Management MIB. For example, CreateAndWait: 1.3.6.1.4.1.5624.1.2.16.2.7.1.11.1 = 5 If you read the table, one row should be added.
  • Page 82: Using The Cli For Downloads

    Network Management Tools Using the CLI for Downloads TFTP can be used to transfer system firmware to the XSR remotely. A TFTP server must be running on the remote machine and the firmware image file must reside in the TFTP root directory of the server when using the Using SNMP for Downloads You can use an SNMP manager to download or upload firmware from a remote server, and copy...
  • Page 83: Chapter 3: Managing Lan/Wan Interfaces

    Overview of LAN Interfaces The XSR supports two 10/100 Base-T FastEthernet ports on the XSR 1800 Series branch routers and three 10/100/1000 Base-T GigabitEthernet ports on the XSR 3000 Series regional routers. All ports are capable of running in half- and full-duplex modes, and are ANSI/IEEE 802.3 and ANSI/IEEE 802.3u compliant.
  • Page 84: Configuring The Lan

    Configuring the LAN • Maximum Transmission Unit (MTU) - all frames less than or equal to 1518 bytes are accepted. MTU size is set using the • Speed is enabled using the – 10 - 10 Mbps – 100 - 100 Mbps –...
  • Page 85: Overview Of Wan Interfaces

    Table 3-1 MIB-II Interface Statistics (continued) Variable ifInNUcastPkts IfInDiscards IfInErrors IfOutOctets ifOutUcastPkts ifOutNUcastPkts IfOutErrors IfOutDiscards Overview of WAN Interfaces The XSR supports as many as six serial cards (in an XSR-3250), each of which can support four ports for a maximum of 24 serial ports. Each port is individually configurable regarding speed, media-type, and protocol.
  • Page 86: Configuring The Wan

    Configuring the WAN • Clocking speed - For Sync interfaces, an external clock must be provided. Acceptable clock values range from 2400 Hz to 10 MHz. For Async interfaces, the clock is internally generated and can be set to the following values using –...
  • Page 87 Configuring the WAN The following example configures the asynchronous serial interface on NIM 2, port 0 with the following non-default values: PPP encapsulation, RS422 cabling, 57600 bps clock rate, MTU size of 1200 bytes, no parity, 7 databits and 2 stopbits. It also assigns the local IP address 192.168.1.1 to the interface.
  • Page 89: Chapter 4: Configuring T1/E1 & T3/E3 Interfaces

    Overview The XSR provides Frame Relay and PPP service via T1/E1 and T3/E3 functionality as well as Drop and Insert features. T1/E1 Functionality The XSR provides a T1/E1 subsystem on a single NIM-based I/O card with a maximum of two installed NIMs.
  • Page 90: T3 Mode

    Features • Support for local and remote loopback • Support for an IP interface as a loopback (refer to the CLI Reference Guide for an example) • Timing - line and internal • Framing - T1: SF, ESF; E1: CRC4, NO-CRC4 •...
  • Page 91: T1/E1 Subsystem Configuration

    • Line rate - 34.368 Mbps • Full rate - 34.0995 Mbps (G751) • Sub-rate - approximately 3 Mbps increments up to 33 Mbps • Compatible DSUs supported – Cisco or Quick Eagle (formerly Digital Link) DL3100 E3 -300-33.920 Kbps –...
  • Page 92: T1 Drop & Insert One-To-One Ds0 Bypassing

    Features • Clear Channel service is similar to the full rate service except that the data stream rate is slightly higher because the framing overhead bits are also used to deliver data. – T3 - Not Available – E3 - 34.368 Mbps payload T1 Drop &...
  • Page 93: Configuring Channelized T1/E1 Interfaces

    • The D&I NIM supports different framing and line coding on the CO T1 and PBX T1 ports (ESF versus D4, B8ZS versus AMI), but if the ports are not identically configured, the bypass relays will not restore the voice link in the case of an XSR failure or power outage. •...
  • Page 94: Configuring Un-Channelized T3/E3 Interfaces

    Configuring Un-channelized T3/E3 Interfaces Add any additional configuration commands required to enable IP- or PPP-related protocols. 10. Use the no shutdown and exit commands to enable the interface and return to configuration mode. Repeat the previous steps to configure more channel groups. XSR(config-if<S1/0:0>)#no shutdown Configuring Un-channelized T3/E3 Interfaces Perform the following steps to set up an un-channelized T3 or E3 port.
  • Page 95: Troubleshooting T1/E1 & T3/E3 Links

    Troubleshooting T1/E1 & T3/E3 Links This section describes general procedures for troubleshooting T1/E1 lines on the XSR. The following flow diagram shows basic steps to perform. As shown in Figure • T1/E1 & T3/E3 Physical Layer (Layer 1) troubleshooting (loss of signal/frame) •...
  • Page 96 Troubleshooting T1/E1 & T3/E3 Links Figure 4-3 (troubleshooting flow; labels: Are the cables and connectors ...; show controller) Most controller errors are caused by incorrectly configured lines including line coding, framing, and clock source parameters. When a T1/E1 or T3/E3 controller (port) is created with an associated channel or channel group, it can exist in three states: •...
  • Page 97: T1/E1 & T3/E3 Alarm Analysis

    Restart the controller: XSR(config-controller<T1/0>)#no shutdown If the T1/E1 or T3/E3 controller and line are not up, check whether either the T3/E3 NIM LOS or LOF LEDs are lit or one of the following messages displays in the • Receiver has loss of frame (LOF), or •...
  • Page 98: Receive Remote Alarm Indication (Rai - Yellow Alarm)

    Troubleshooting T1/E1 & T3/E3 Links Receive Remote Alarm Indication (RAI - Yellow Alarm) Insert an external loopback cable into the T1/E1 or T3/E3 port. Use the show controller command to analyze the log report of the XSR. If alarms are reported, contact your service provider. Remove the external loopback cable and reconnect the line.
  • Page 99: T1/E1 & T3/E3 Error Events Analysis

    Figure 4-5 T1/E1 & T3/E3 Alarm Analysis Troubleshooting Actions Flow (Part 2) (flow steps: Receive Remote Alarm Indication (Yellow alarm) - see Figure 1-2; Insert external loopback cable in the port; Are there any alarms?; Check the cabling; Power cycle the ...; Connect line to a different port...)
  • Page 100: Slip Seconds Counter Increasing

    Troubleshooting T1/E1 & T3/E3 Links Figure 4-6 Error Events Analysis (flow decisions: Is the slip seconds counter increasing?; Is the framing loss seconds counter increasing?; Is the line code violations counter increasing?; If your controller still does not function as desired, contact your service/network provider) Note: Statistics displayed with the show controllers command are reset every 24 hours.
  • Page 101: Framing Loss Seconds Increasing

    Framing Loss Seconds Increasing If framing loss seconds are present on the T1/E1 line, usually there is a framing problem. Perform the following steps to correct this problem: Ensure the framing format configured on the controller port matches the framing format of the line.
  • Page 103: Chapter 5: Configuring Ip

    Overview This document describes the XSR’s IP protocol suite functionality including: • General IP features (ARP, ICMP, TCP, UDP, TFTP, Telnet, SSH, NAT, VRRP, Proxy DNS, et al.) • IP routing (RIP, OSPF, static routing, triggered-on-demand RIP updates) • VLAN routing •...
  • Page 104 General IP Features • The Router ID can be configured with the automatically generated from the existing configuration. Alternately, the Router ID is automatically generated as the highest non-zero IP address among all loopback interfaces or, if no loopback interface is configured, the highest non-zero IP address among standard configured interfaces.
  • Page 105 • Troubleshooting Tools – Ping – Traceroute • IP Routing – – Triggered-on-Demand RIP updates – OSPF including Database Overflow (RFC-1765) and Passive Interfaces – OSPF debugging – Static routes – Default network – CIDR (IP classless) – Router ID configuration RFC-1850 –...
  • Page 106: Arp And Proxy Arp

    General IP Features • Virtual Router Redundancy Protocol (VRRP): RFC-2338 and Definitions of Managed Objects for the Virtual Router Redundancy Protocol: RFC-2787 • Equal-Cost Multi-Path (ECMP) per packet and per flow (round robin) for OSPF, BGP and static routes (RIP excluded) –...
  • Page 107: Broadcast

    When a BOOTP/DHCP response is received, the packet is sent to the requester as a unicast IP packet, according to RFC-951, with clarifications in RFC-1532. The source addresses of the relayed BOOTP/DHCP packets can be selected using the ip dhcp relay-source gateway command.
  • Page 108: Tcp

    General IP Features does not actually examine or store full routing tables sent by routing devices, it merely keeps track of which systems are sending such data. Using IRDP, the XSR can specify both a priority and the time after which a device should be assumed down if no further packets are received. The XSR enables router discovery and associated values with the also supports the redirection of packets routed through the same port they were received on with ip redirect...
  • Page 109: Trivial File Transfer Protocol (Tftp)

    hostkey.dat file unless none have been generated or the content of the file is corrupted in which case default keys are used to secure the connection. Note: SSH is enabled by default on port 22. Be aware that with SSH enabled, traditional facilities such as FTP, TFTP, and Telnet are not disabled so to ensure system security, you must disable other communication services.
  • Page 110: Arp & Secondary Ip

    General IP Features An XSR interface can support one primary IP address and multiple secondary IP addresses. Across all XSR interfaces, the total number of supported secondary IP addresses depends on the amount of installed memory, although at present ten secondary IP addresses are supported regardless of memory size.
  • Page 111: Routing Table Manager & Secondary Ip

    Routing Table Manager & Secondary IP If the interface is up, each primary and secondary IP address will have an entry in the routing table as a directly connected route. If the interface is rejected or the IP addresses configured on it are removed, the Routing Table Manager (RTM) will delete corresponding table route entries.
  • Page 112: Vrrp & Secondary Ip

    IP Routing Protocols VRRP & Secondary IP Multiple virtual IP addresses per Virtual Router (VR) are available to support multiple logical IP subnets on a single LAN segment. Secondary IP interacts with the XSR’s implementation of the Virtual Router Redundancy Protocol (VRRP) as follows: •...
  • Page 113: Ripv1 And V2

    • Static routes • Route redistribution • Default network • CIDR (classless IP) • Configurable Router ID • Route Preference When you run multiple routing protocols, the XSR assigns a weight to each of them. For more information, refer to RIPv1 and v2 The Routing Information Protocol (RIP) is a distance-vector protocol based on the Bellman-Ford algorithm to learn the shortest path between two points in a network.
  • Page 114: Triggered-On-Demand Rip

    IP Routing Protocols • Offset metric parameters - route metrics via RIP. Adding an offset to an interface might force a route through that interface to become a backup route • Route filtering, in association with access lists, is enabled by the •...
  • Page 115 • The latest changes are sent when: – The routing database is modified by new data. The latest changes are sent through all interfaces running triggered-on-demand RIP. RFC-2091 also specifies how packet types are handled in the following manner: • An update request is defined as a request to a peer to send its entire routing database.
  • Page 116: Ospf

    IP Routing Protocols • Dial-on-demand connections. Retransmissions are governed by the following conditions, among others: • The retransmission timer is a periodic timer set to 5 seconds. • A limit in the number of retransmissions will be set, after which the routes learned through the specified circuit are marked as unreachable.
  • Page 117: Lsa Type 3 And 5 Summarization

    • Incremental SPF is always enabled. SPF calculation can be changed with • Hello wait intervals with the poll timer to set up adjacencies as quickly as possible with • Retransmission and link-state update intervals with ospf transmit-delay • A host of statistical display commands including: ospf database show ip ospf interface links...
  • Page 118: Ospf Passive Interfaces

    IP Routing Protocols Each LSA type configurable for database overflow can generate a log to reflect pending overflow, overflow entered and exited logs in this format: – Date and time stamp – Router ID (IP address) – Module (OSPF) – Log Description –...
  • Page 119: Ospf Troubleshooting

    OSPF Troubleshooting XSR commands provide debugging of OSPF Version 2 control information including: • Monitoring specific OSPF events from the CLI with • Control Packets with • LSA transmissions/receptions with • Neighbor Events with • Designated Router Events with Be aware that only one CLI debug session is permitted at a time. Null Interface The XSR provides a non-configurable null interface ( installed for OSPF LSA Type 3 and 5 route summarization.
  • Page 120: Static Routes

    IP Routing Protocols – Static routes: 1 – BGP external routes: 20 – OSPF intra-area routes: 108 – OSPF inter-area routes: 110 – OSPF external routes: 112 – RIP routes: 120 – BGP internal routes: 200 – Values between 241 and 255 are reserved for internal use •...
  • Page 121: Forwarding Vlan, Pppoe Over Vlan

    The reserved Tag Type denotes the associated Ethernet frame type of the VLAN Tag while the remaining 16 tag bits comprise this control data: • a 3-bit value indicating the user priority of the Ethernet frame for QoS purposes • a 1-bit Canonical Format Indicator (CFI) denoting the presence of a Routing Information Field •...
  • Page 122: Vlan Processing Over The Xsr's Ethernet Interfaces

    IP Routing Protocols Figure 5-3 VLAN Processing Over the XSR’s Ethernet Interfaces (figure labels: Ethernet VLAN Tag, IP: 9.9.9.1, Priority, CFI, Incoming VLAN tagged frame) The VLAN routing process, shown in the graphic below, is as follows. When a VLAN-tagged Ethernet frame is received, it is stripped and the tag’s VLAN ID used to map the frame to a sub-interface of the Ethernet port.
  • Page 123: Vlan Processing: Vlan-Enabled Ethernet To Wan Interfaces

    Figure 5-5 (figure labels: Ethernet VLAN Tag, IP: 9.9.9.1, Priority, CFI, VLAN: 1300, Incoming VLAN tagged frame) VLAN Processing: VLAN-enabled Ethernet to WAN Interfaces In this scenario, shown in because no VLAN is linked with the outgoing port (Serial 1). Note: VLAN tags cannot be assigned to a WAN interface - they are relevant only for XSR FastEthernet and GigabitEthernet interfaces.
  • Page 124: Qos With Vlan

    IP Routing Protocols (figure label: Incoming Serial frame) For sample configurations, refer to QoS with VLAN The XSR’s support for Quality of Service (QoS) with VLAN is described in the chapter “Configuring Quality of Service” Policy Based Routing IP packets typically are forwarded according to the route chosen by traditional routing protocols RIP, OSPF, BGP or static routes.
  • Page 125: Match Clauses

    When a policy entry is found for a packet, the table search ends and the packet is processed according to that entry. Each entry has a group of match and set clauses. All match clauses must match in order to process the packet according to the entry.
  • Page 126: Default Network

    IP Routing Protocols Default Network The default network is used to specify candidates for the default route when a default route is not specified or learned. If the network specified by the the routing table from any source (dynamic or static), it is flagged as a candidate default route and is subject to being chosen as the default route for the XSR.
  • Page 127: Real Time Protocol (Rtp) Header Compression

    Leaving the Router ID unconfigured or allowing it to be assigned by default to a physical IP interface can be risky because physical interfaces are impermanent and their IP addresses can be re-configured. A change in an IP address or the state of a physical interface that has been selected as the Router ID will cause the XSR to drop and recreate its neighbor adjacencies, leading to unnecessary instability.
  • Page 128: Network Address Translation

    IP Routing Protocols RTP_compression TX reached maximum allowed connections, RTP compression received un-expected 8 bit CID RTP compression received un-expected 16 bit CID Received CID (mmm) exceeds the negotiated max CID nnn. Network Address Translation Network Address Translation (NAT) maps IP addresses from one address realm to another, providing transparent routing to end hosts.
  • Page 129: Virtual Router Redundancy Protocol

    • Application Level Gateway (ALG) for FTP, ICMP, Netbios over TCP and UDP – PPTP/GRE ALG for NAPT - allows PPTP traffic to be NATted • Multiple ISP - NAPT based on the egress interface. • With NAPT, routing is not automatically filtered out. Use distribution lists to ensure global networks are advertised out of external ports.
  • Page 130: Vrrp Definitions

    IP Routing Protocols Because the VR uses the IP address of the physical Ethernet interface of XSR1, XSR1 becomes the master VR, also known as the IP address owner. XSR1, as the master VR, assumes the IP address of the VR and is responsible for forwarding packets sent to this IP address. Clients A, B, and C are configured with the default gateway IP address of 10.10.10.1.
  • Page 131: How The Vrrp Works

    • Virtual Router - An abstract object managed by VRRP that acts as a default router for hosts on a shared LAN. It consists of a VR Identifier and a set of associated IP address(es) across a common LAN. A VRRP router may back up one or more VRs. •...
  • Page 132: Vrrp Features

    IP Routing Protocols • Broadcasts an ARP message with the VR’s MAC address to all the IP addresses associated with the VR’s IP address, • Starts the advertisement timer, • And transitions to the master state. • If an advertisement is received that has a higher priority, or a higher IP address (if the priority is the same), then the VRRP router discards the advertisement and remains as the master VR.
  • Page 133: Load Balancing

    Load Balancing The XSR provides load balancing according to the following rules: • Load balancing depends on how your network is designed. • Load balancing is supported by separate physical VRRP routers and not supported on the same physical router which has two LAN ports on the same LAN segment with the same subnet.
  • Page 134: Icmp Ping

    IP Routing Protocols • Master VR - all traffic, including locally generated or forwarding traffic, uses one of the virtual MAC addresses as the source MAC address except VRRP protocol packets, which use the corresponding virtual MAC address as the source MAC address. For example, if four VRs occupy one interface, two are in the master state and the others are in the backup state.
  • Page 135: Watch Group Monitoring

    When the actual IP address owner of the Virtual IP address releases the master state of the VR, it will no longer be able to receive any IP packet destined for that address even though the actual interface is still up. This may cause routing packets to not reach this interface and cause this interface to be considered down by other routers.
  • Page 136: Equal-Cost Multi-Path (Ecmp)

    IP Routing Protocols Equal-Cost Multi-Path (ECMP) Equal-Cost Multi-Path (ECMP) is a technique to forward packets along multiple paths of equal cost, aggregating multiple physical links into one virtual link to effectively increase the total bandwidth of a connection. Internally, the XSR decides which next hop to use when more than one choice is available in the forwarding table; by searching this table, the forwarding engine identifies paths by their next hop.
  • Page 137: Configuring Rip Examples

    Central XSR VPN1: 1.1.1.1 Routes O N2 next hop 1.1.1.2 O N2 next hop 1.1.1.3 S Peer1 next hop nh1 S peer2 next hop nh2 Configuring RIP Examples The following example enables RIP on both FastEthernet interfaces and a serial link of the XSR. The FastEthernet 2 interface is configured to be totally passive (updates not sent or received).
  • Page 138 Configuring RIP Examples XSR(config-if<F1>)#ip address 192.168.1.100 255.255.255.0 XSR(config-if<F1>)#ip access-group 1 in XSR(config-if<F1>)#ip access-group 1 out XSR(config)#interface serial 1/0 XSR(config-if<S1/0>)#no shutdown XSR(config-if<S1/0>)#media-type V35 XSR(config-if<S1/0>)#encapsulate ppp XSR(config-if<S1/0>)#ip address 154.68.1.47 255.255.255.0 XSR(config)#router rip XSR(config-router)#network 154.68.1.0 XSR(config-router)#network 192.168.1.100 XSR(config)#access-list 1 permit 192.168.1.0 0.0.0.255 XSR(config)#access-list 1 permit 154.68.1.0 0.0.0.255 XSR#copy running-config startup-config The following configuration sets up RIPv1 with Dynamic Host Configuration Protocol (DHCP) Relay enabled.
  • Page 139: Configuring Unnumbered Ip Serial Interface Example

    Configuring Unnumbered IP Serial Interface Example The following example configures an X.21-type, serial interface 1/0 as an unnumbered serial interface. Serial 1/0 is directed to use the IP address of FastEthernet port 1. XSR(config)#interface fastethernet 1 XSR(config-if<F1>)#ip address 192.168.1.1 255.255.255.0 XSR(config-if<F1>)#no shutdown XSR(config)#interface serial 1/0 XSR(config-if<S1/0>)#media-type x21...
  • Page 140: Configuring Nat Examples

    Configuring NAT Examples Configuring NAT Examples Basic One-to-One Static NAT The following example illustrates inside source address translation on the XSR, as shown in Figure 5-11 below. Inside 10.1.1.1 Reply after reverse lookup SA: 172.20.2.1 DA: 10.1.1.1 The user at 10.1.1.1 opens a connection to host 172.20.2.1. The first packet the XSR receives from host 10.1.1.1 causes the router to check its NAT table.
  • Page 141: Dynamic Pool Configuration

    Dynamic Pool Configuration The following example illustrates dynamic pool translation on the XSR, as shown in Inside SA: 10.1.1.1 DA: 172.21.2.1 10.1.1.1 Reply after reverse lookup SA: 172.21.2.1 DA: 10.1.1.1 Request packet 2 SA: 10.1.1.2 DA: 172.21.2.2 10.1.1.2 reverse lookup SA: 172.21.2.1 DA: 10.1.1.1 Configuring Dynamic Pool Translation...
  • Page 142: Network Address And Port Translation

    Configuring NAT Examples Optional. Add an ACL to permit NAT traffic from the 10.1.1.0 network. All other traffic is implicitly denied. XSR(config)#access-list 57 permit 10.1.1.0 0.0.0.255 Optional. Reset the default NAT timeout interval to 5 minutes: XSR(config)#ip nat translation timeout timeout 300 Enable an interface;...
  • Page 143: Configuring Napt

    Host 172.20.2.1 receives the packet and responds to address 200.2.2.1. When the XSR receives the packet, it searches the NAPT table, using the protocol, global address and port, and translates the address to the inside local address 10.1.1.1 and destination port 1789, then forwards it to address 10.1.1.1. Configuring NAPT Enter the following commands to configure overloading of inside global addresses.
  • Page 144: Static Nat Within An Interface

    Configuring NAT Examples The first packet the XSR receives from 10.1.1.1 is checked against its ACLs. ACL 101 matches and pool NatPool is used. A check is made for an existing mapping; if one is found it is used, otherwise a new one is created. The global address is 200.2.2.1. Packets are marked as originating from 200.2.2.1 to 172.20.2.1.
  • Page 145 Figure 5-15 Inside Request SA: 10.1.1.1 DA: 172.20.2.1 10.1.1.1 Internal interface 10.1.1.2 Inside local IP Address Request SA: 10.1.1.2 10.1.1.1 DA: 164.17.2.1 10.1.1.2 As shown in Figure 5-15, packets from the PC at 10.1.1.1 are statically NATted to the PC at 203.2.2.1 but through neither of the pools.
  • Page 146: Nat Port Forwarding

    Configuring Policy Based Routing Example The above optional NAPT commands use ACL 101 for the 200.2.2.0 network and ACL 102 for the 201.2.2.0 network XSR(config-if<F2>)#ip nat source intf-static 10.1.1.1 203.2.2.1 The above optional command statically NATs packets from 10.1.1.1 to 203.2.2.1 NAT Port Forwarding This scenario, as shown in initiated by the PC at 172.20.2.1 to port 4003 on 200.2.2.1.
  • Page 147: Configuring Vrrp Example

    XSR(config-if<G1>)#ip policy These commands create the PBR, map it to ACL 101, and set the forwarding router as 192.168.5.2: XSR(config)#route-map pbr 101 XSR(config-pbr-map)#match ip address 101 XSR(config-pbr-map)#set ip next-hop 192.168.5.2 Configuring VRRP Example The following example configures three VRRP groups to provide forwarding redundancy and load balancing on VRRP routers XSRa and XSRb as follows: •...
  • Page 148: Configuring Vlan Examples

    Configuring VLAN Examples XSRb(config-if<F1>)#vrrp 5 priority 200 XSRb(config-if<F1>)#vrrp 5 adver-int 30 XSRb(config-if<F1>)#vrrp 5 ip 10.10.10.50 XSRb(config-if<F1>)#vrrp 5 preempt delay 2 XSRb(config-if<F1>)#vrrp 5 track serial 2/0 XSRb(config-if<F1>)#vrrp 100 ip 10.10.10.100 XSRb(config-if<F1>)#vrrp 100 priority 65 XSRb(config-if<F1>)#no vrrp 100 preempt XSRb(config-if<F1>)#no shutdown Configuring VLAN Examples The following example configures a VLAN interface on FastEthernet sub-interfaces 2.1 and 2.2: XSR(config)#interface FastEthernet 2.1 XSR(config-if<F1.2>)#vlan 1200...
  • Page 149: Chapter 6: Configuring The Border Gateway Protocol

    Configuring the Border Gateway Protocol Features The XSR supports the following the Border Gateway Protocol (BGP-4) features: • Full mandatory BGP v4 protocol support (RFC-1771) • Support for all BGP v4 MIB tables defined in RFC-1657 including BGP SNMP traps •...
  • Page 150: Describing Bgp Messages

    Overview BGP can be categorized as a path vector routing protocol which defines a route as a pairing between a destination and the qualities of the path to that destination. The main role of a BGP- speaking node is to trade network reachability data with adjacent BGP nodes known as neighbors or peers.
  • Page 151: Update

    • Hold time: Number of seconds that the sender proposes for the value of the Hold Timer. The hold time defines the interval that can elapse without the receipt of an Update or KeepAlive message before the peer is assumed to be disabled. •...
  • Page 152: As Path

    Overview AS Path The AS_PATH attribute, as shown in traversed to reach a destination. The AS that originates the route adds its own AS number when sending the route to its EBGP peers. Subsequently, each AS that receives the route and passes it on to other BGP peers will prepend its own AS number to the list.
  • Page 153: Next Hop

    BGP considers the ORIGIN attribute in its decision-making process to set a preference ranking among multiple routes. Namely, BGP prefers the path with the lowest origin type, where IGP is lower than EGP, and EGP is lower than INCOMPLETE. The attribute is configured with the Next Hop The NEXT_HOP attribute is the next IP address used to reach a destination.
  • Page 154 Overview Figure 6-3 Local Preference Applied to Direct Egress Traffic from AS.
  • Page 155: Weight

    Weight Weight, as shown in Figure exchanged between routers. It is significant only locally. Higher preference is accorded the route with a higher weight. Weight can be used to influence routes coming from different providers to the same router (one router with multiple connections to two or more providers). The attribute is configured with the Figure 6-4 Weight Applied to Differentiate Between Routes from Multiple Sources...
  • Page 156: Aggregator

    Overview Aggregator The AGGREGATOR attribute, as shown in the aggregate route. It includes the AS and router ID of the BGP speaker that originated the aggregate prefix. It is commonly used for debugging purposes. Multi-Exit Discriminator The MULTI_EXIT_DISC (MED) attribute, as shown in links to discriminate among multiple exit or entry points into the same neighboring AS (influencing ingress traffic).
  • Page 157: Community

    Figure 6-6 Community A BGP community, as shown in common property and is not limited to one network or AS. Communities simplify routing policies by identifying routes based on a logical property rather than an IP prefix or AS number. A BGP speaker can then use this attribute along with others to control which routes to accept, prefer, and relay to other BGP neighbors.
  • Page 158 Overview learn, advertise, or redistribute routes. When routes are aggregated, the resulting aggregate has a COMMUNITIES attribute that contains all communities from all the initial routes. Community lists form groups of communities for use in a route map’s match clause. Similar to ACLs, you can create a series of community lists where statements are checked until a match is found and when one statement is satisfied, the test is finished with the community-list-number {permit | deny} community-number...
  • Page 159: Bgp Path Selection Process

    BGP Path Selection Process BGP routers usually consider multiple paths to a destination. The BGP best path selection process decides the optimal path to install in the IP routing table and use for forwarding traffic. Only routes that are synchronized, are free of AS loops and have a valid next-hop are considered in the selection process, as illustrated in BGP Routing Policy The XSR employs Access Control Lists (ACLs), filter lists, community lists, route maps, regular...
  • Page 160: Access Control Lists

    Overview Access Control Lists Access Control Lists (ACLs) are filters which permit or deny access to one or more IP addresses. ACLs generally apply to both route updates and packet filtering but with BGP, route update filtering is emphasized. Prefix-based ACLs control access by specifying which IP addresses are permitted or denied via the network prefix number.
  • Page 161: Regular Expressions

    • Set community attributes for a specific route with • Set the origin for a specific route with • Set the MED of a specific route with • Set the local preference for a specific route with • Set the AS-Path list for a specific route with •...
  • Page 162: Peer Groups

    Overview • Display all routes with any AS path: show ip bgp “.*” – • Display all routes having at least two AS numbers in the AS path: – show ip bgp “. . • Display all routes that traversed AS number 600: show ip bgp “.* 600 .*”...
  • Page 163: Initial Bgp Configuration

    • Permit a local BGP speaker to send the default route 0.0.0.0 to a neighbor as the default route: neighbor default-originate • Configure the COMMUNITIES attribute to be sent to the neighbor at this IP address: neighbor send-community • Permit interior BGP sessions to use any working interface for TCP links: source interface •...
  • Page 164: Synchronization

    Overview Synchronization When an AS provides transit service to other ASs and if there are non-BGP routers in the AS, transit traffic might be dropped if the intermediate non-BGP routers have not learned routes for that traffic via an IGP. BGP synchronization, which is enabled on the XSR by default, stipulates that a BGP router should not advertise to external neighbors destinations learned from IBGP neighbors unless those destinations are also known via an IGP.
  • Page 165: Recommendations For Route Flap Dampening

    prefix is suppressed for a calculated period (a penalty) which is further incremented with every subsequent flap. The penalty is then decremented by a half-life value until the penalty is below a reuse threshold. So, if stable for a certain period, the hold-down is released from the prefix and the route is reused and re-advertised.
  • Page 166: Scaling Bgp

    Overview Scaling BGP BGP requires that all BGP speakers within a single AS (IBGP) be fully meshed, as shown in 10. The result is that for any BGP speakers within an AS, the number of unique BGP sessions required is determined by the following formula: n x (n-1)/2. Be aware that this fully meshed requirement does not scale when a large number of IBGP speakers occupy the AS.
  • Page 167: Route Reflectors

    Overview Route Reflectors Route reflectors are an alternative to the requirement of a fully meshed network within an AS, as illustrated in Figure 6-11. This approach allows a BGP speaker (known as a route reflector) to advertise IBGP learned routes to certain IBGP peers. This is a variation from the standard IBGP behavior of not re-advertising IBGP-learned routes to other IBGP speakers.
  • Page 168: Confederations

    Overview It is typical for a client cluster to have one route reflector and be identified by the reflector’s router ID. If you want greater redundancy and wish to avoid a single point of failure, you can add more than one reflector to a cluster. This is accomplished by configuring all cluster route reflectors with the 4-byte cluster ID so that a reflector can recognize updates from other reflectors within that cluster.
  • Page 169: Displaying System And Network Statistics

    Figure 6-12 Displaying System and Network Statistics The XSR supports BGP statistical displays such as routing table entries, caches, and databases. The XSR can also show data about node accessibility and the path packets take through the network. The XSR offers the following BGP •...
  • Page 170: Configuring Bgp Route Maps

    Configuring BGP Route Maps • Show BGP peer group data: • Show routes matching regular AS path expressions: • Show summary BGP neighbor status: Configuring BGP Route Maps The following example illustrates the use of a route map to modify inbound data from a neighbor. Any route received from 192.168.10.1 matching the filter values set in AS ACL 110 will be permitted with its weight set to 55 and its local preference set to 60.
  • Page 171: Configuring Bgp Neighbors

    XSR(config-router)#neighbor 192.168.57.4 remote-as 200 XSR(config-router)#neighbor 192.168.57.4 route-map 77 out XSR(config-router)#route-map 77 5 permit XSR(config-route-map)#set as-path prepend 100 XSR(config-route-map)#match ip address 12 XSR(config-route-map)#route-map 77 15 permit XSR(config-route-map)#match ip address 2 XSR(config-route-map)#access-list 2 permit any XSR(config-route-map)#access-list 12 permit 230.57.10.0 0.255.255.255 XSR(config-route-map)#access-list 12 permit 231.57.10.0 0.255.255.255 XSR(config-route-map)#access-list 12 permit 0.0.0.0 255.255.255.255 Incoming route-maps can perform prefix-based matching and set various update values.
  • Page 172: Bgp Aggregate Route Examples

    Configuring BGP Route Maps XSR(config-router)#neighbor 192.168.57.69 filter-list 3 out XSR(config-router)#neighbor 192.168.57.69 filter-list 2 in XSR(config-router)#exit XSR(config)#ip as-path access-list 1 permit _102_ XSR(config)#ip as-path access-list 2 permit _200$ XSR(config)#ip as-path access-list 2 permit ^100$ XSR(config)#ip as-path access-list 3 deny _440$ XSR(config)#ip as-path access-list 3 permit .* BGP Aggregate Route Examples The following examples describe how to use aggregate routes in BGP either by redistributing an aggregate route into BGP or by using the conditional aggregate routing feature.
  • Page 173: Tcp Md5 Authentication For Bgp Example

    XSR(config-router)#neighbor 130.32.32.1 remote-as 37 In a BGP speaker in AS 2, configure the peers from AS’s 1 and 3 as special EBGP peers. Node 191.169.57.1 is a standard IBGP peer and 131.21.12.2 is a standard EBGP peer from AS 30. XSR(config)#router bgp 2 XSR(config-router)#bgp confederation identifier 20 XSR(config-router)#bgp confederation peers 1 3...
  • Page 174: Ebgp Peer Group Example

    Configuring BGP Peer Groups XSR(config-router)#neighbor IBGP filter-list 1 out XSR(config-router)#neighbor IBGP filter-list 2 in XSR(config-router)#neighbor 192.168.57.3 peer-group IBGP XSR(config-router)#neighbor 192.168.57.4 peer-group IBGP XSR(config-router)#neighbor 192.168.57.5 peer-group IBGP XSR(config-router)#neighbor 192.168.57.5 filter-list 3 in EBGP Peer Group Example Peer group EBGP in this example is defined not using the rendering it an EBGP peer group by definition.
  • Page 175 Configuring BGP Peer Groups XSR(config-router)#neighbor 192.168.57.90 send-community XSR(config-router)#neighbor 192.168.57.90 route-map 111 out XSR(config-router)#neighbor route-map 111 10 permit XSR(config-route-map)#match as-path 1 XSR(config-route-map)#set community 50 50 additive XSR(config-route-map)#route-map 111 20 permit XSR(config-route-map)#match as-path 2 XSR(config-route-map)#ip as-path access-list 1 permit 7$ XSR(config-route-map)#ip as-path access-list 2 permit .* Thirdly, community-based matching selectively sets MED and local-preference values for neighbor 192.168.57.55’s routes.
  • Page 176 Configuring BGP Peer Groups XSR(config-router)#bgp confederation identifier 100 XSR(config-router)#bgp confederation peer 10 20 30 XSR(config-router)#neighbor 192.168.57.50 remote-as 15 XSR(config-router)#neighbor 192.168.57.50 route-map 55 out XSR(config-router)#neighbor 192.168.58.2 remote-as 10 XSR(config-router)#route-map 55 permit 10 XSR(config-route-map)#match ip address 1 XSR(config-route-map)#set community local-as In the final example, confederation 100 holds three AS’s: 10, 20, and 30. For network 2.0.0.0, the route map set-no-export command attribute “no-export.”...
  • Page 177: Chapter 7: Configuring Pim-Sm And Igmp

    This chapter describes Protocol Independent Multicast - Sparse Mode (PIM-SM) and Internet Group Management Protocol (IGMP) configuration. Features The XSR supports the following IGMP/PIM features: • IGMP versions 1, 2 and 3 (on LAN interface only) • PIM-SM version 2 •...
  • Page 178: Ip Multicast Overview

    IP Multicast Overview calculates the checksum based on the whole Register packet including the data portion. When the XSR receives a Register packet, it accepts both partial and whole checksum methods. • The XSR permits configuration of the CRP value and sets the default priority value to 192, as required by the RFC.
  • Page 179: Outlining Igmp Versions

    • Addresses between 239.0.0.0 and 239.255.255.255 should not be forwarded beyond an organization's intranet. • Addresses between 232.0.0.0 and 232.255.255.255 are set aside especially for a Source-Specific Multicast service (SSM). IP multicast enables multiple hosts to receive packets wrapped with the same MAC address: the IP multicast addresses are mapped directly into MAC addresses.
  • Page 180: Forwarding Multicast Traffic

    Describing the XSR’s IP Multicast Features Two basic types of MDTs are source and shared trees, described as follows: • A source tree is a distribution network with its root at the source and branches forming a spanning tree through the network to its receivers. Because this tree uses the shortest path through the network, it is also referred to as a Shortest Path Tree (SPT).
  • Page 181: Group Membership Actions

    IGMP is an asymmetric protocol, so there are separate behaviors for group members (hosts or routers that wish to receive multicast packets) and multicast routers (routers that can forward multicast packets). Group Membership Actions Group members transmit Report messages to inform neighboring multicast routers of their multicast group states.
  • Page 182: Receiving A Query

    Describing the XSR’s IP Multicast Features Receiving a Query When a LAN contains multiple multicast routers, IGMPv3 chooses a single querier per subnet using the same querier election mechanism as IGMPv2, namely by IP address. When a router receives a query with a lower IP address, it sets the Other-Querier-Present timer to Other Querier Present Interval and stops sending queries on the network if it was the previously elected querier.
  • Page 183: Behavior Of Group Members Among Older Version Group Members

    Behavior of Group Members Among Older Version Group Members An IGMPv3 host may be situated in a network where hosts have not yet been upgraded to IGMPv3. A host may allow its IGMPv3 Membership Record to be suppressed by either a Version 1 or Version 2 Membership Report Behavior of Multicast Routers Among Older Version Queriers IGMPv3 routers may be sited on a network where at least one router on the network has not yet...
  • Page 184: Phase 1: Building A Shared Tree

    Describing the XSR’s PIM-SM v2 Features Phase 1: Building a Shared Tree During phase one, PIM-SM builds a shared tree rooted at a special router called Rendezvous Point (RP), as shown in Designated Routers (DR) of the receivers of the group send their join requests. All PIM-SM enabled routers within the PIM domain share uniform mapping between the multicast group and RP.
  • Page 185: Phase 3: Building Shortest Path Tree Between Sender & Receiver

    Describing the XSR’s PIM-SM v2 Features interconnects with a router which is already on the shortest path tree from S to the same multicast group, the Join message can end on that router to get a short-cut path. After the path is established, both the native packet along the SPT tree and Register encapsulated packet will be received by RP.
  • Page 186: Neighbor Discovery And Dr Election

    Describing the XSR’s PIM-SM v2 Features Figure 7-4 Neighbor Discovery and DR Election PIM-SM neighbor discovery and DR election are performed via Hello messages which are sent periodically through each PIM-enabled interface. A Hello Timer is kept for each interface whose timeout event will trigger sending a Hello message.
  • Page 187: Pim Register Message

    PIM Register Message By the end of PIM-SM phase one, the DR for the sender will encapsulate packets from the sender in a Register message and send it to RP for the multicast group. When the DR receives a RegisterStop message from RP, the RegisterStop timer will begin to maintain the state. Before the RegisterStop timer expires, the DR should send an empty Register message to RP so that RP will respond with another RegisterStop message.
  • Page 188: Source-Specific Multicast

    Describing the XSR’s PIM-SM v2 Features Assert messages are used to negotiate which router will forward the multicast packets. The rule for the assert winner is the router with the lower preference (usually a unicast routing protocol preference) and a metric learned from that protocol. If the preference is the same between the two parallel routers, then whichever router has the lower metric toward the source of the data packet will win out.
  • Page 189: Pim Configuration Examples

    PIM Configuration Examples PIM Configuration Examples The following is a simple PIM configuration using the virtual Loopback interface 0 and physical interface FastEthernet 1. Configuring a Loopback interface is a safer way to ensure PIM routers discover each other since specifying a physical IP address could result in a router being ignored if the network connection through that interface is down.
  • Page 190 PIM Configuration Examples
  • Page 191: Chapter 8: Configuring Ppp

    Overview The Point-to-Point Protocol (PPP), referenced in RFC-1616, is a standard method for transporting multi-protocol datagrams over point-to-point links. PPP defines procedures to assign and manage network addresses, asynchronous and synchronous encapsulation, link configuration, link quality testing, network protocol multiplexing, error detection, and option negotiation for network-layer address and data-compression negotiation.
  • Page 192: Link Control Protocol (Lcp)

    PPP Features – Challenge Handshake Authentication Protocol (CHAP) – Microsoft Challenge Handshake Authentication Protocol (MS-CHAP) • Link Quality Monitoring (LQM) procedures as defined by RFC-1989 • VJ/IP header compression • No restriction on frame size; default is 1500 octets for the information field - as defined by RFC-1661 •...
  • Page 193: Authentication

    Authentication Authentication protocols, as referenced in RFC-1334, are used primarily by hosts and routers to connect to a PPP network server via switched circuits or dialup lines, but might be applied to dedicated links as well. The server can use identification of the connecting host or router to select options for network layer negotiations.
  • Page 194: Link Quality Monitoring (Lqm)

    PPP Features The MS-CHAP challenge, response and success packet formats are identical in format to the standard CHAP challenge, response and success packets, respectively. MS-CHAP defines a set of reason-for-failure codes returned in the Failure packet Message Field. It also defines a new packet called Change Password Packet, which enables a client to send a response packet based on a new password.
  • Page 195: Multi-Class Mlppp

    • Fragmentation/reassembly • Detection of fragment loss • Optimal buffer usage • MTU size determination • Management of MLPPP bundles • MIB support for network management • Up to four T1/E1 lines can be aggregated running MLPPP • Multi-class MLPPP for up to five multiple sequence number streams over one MLPPP bundle Multi-Class MLPPP The Multi-Class extension to Multi-link PPP, as defined by RFC-2686, provides a means of transmitting multiple sequence traffic streams over one Multi-link PPP bundle on a Multilink or...
  • Page 196: Mlppp Packet Fragmentation And Serialization Transmission Latency

    PPP Features MLPPP Packet Fragmentation and Serialization Transmission Latency MLPPP’s packet transport method over multiple member links is made possible by fragmenting the packet after balancing the load bandwidth to fully utilize the member links’ bandwidth. When sent over a MLPPP link, each fragment carries a sequence number within the Multilink header, as shown in Figure applications in the same order.
  • Page 197: Fragment Interleaving Over The Link

    Table 8-1 Serialization Latency for Different Fragment Size/Link Speed (continued) 1536 kbps 5 us 2024 kbps 4 us The overall serialization latency for a fragment over a synchronous/asynchronous Serial or T1 link should be multiplied by the size of the transmission queue. To control latency, both the transmission queue size and the fragment size must be controlled.
  • Page 198: Events And Alarms

    PPP Features Table 8-2 Multi-Class MLPPP Negotiation (continued) present present present The class number is defaulted to five for both the short and the long sequence numbers. That includes four suspendable levels from 0 to 4 with the highest level at 5. The current limits on memory and throughput set the optimized number of classes to 4 for the XSR.
  • Page 199: Ip Address Assignment

    IP Address Assignment In PPP, IPCP configuration option type 3 corresponds to IP address negotiation. This configuration option provides a way to negotiate the IP address to be used on the local end of the link. It allows the sender of the Configure-Request to state which IP address is desired, or to request that the peer provide the information.
  • Page 200: Configuring Ppp With A Dialed Backup Line

    Configuring PPP with a Dialed Backup Line Configuring PPP with a Dialed Backup Line You can configure PPP on the following types of physical interfaces: • Asynchronous serial • Synchronous serial • T1/E1 By enabling PPP encapsulation on physical interfaces, PPP can also be used on calls placed by the dialer interfaces that use the physical interfaces.
  • Page 201: Configuring A Dialed Backup Line

    Enter no shutdown to enable this interface. XSR(config-if<S1/0>)#no shutdown Configuring a Dialed Backup Line The following tasks must be performed to configure a Dialed Backup line: • Configure the dialer interface • Configure a physical interface to function as backup •...
  • Page 202: Configuring The Interface As The Backup Dialer Interface

    Configuring a Dialed Backup Line Configuring the Interface as the Backup Dialer Interface Enter interface serial card/port to specify the interface to back up. Enter ip address ip-address mask to specify the IP address and subnet mask of the interface. Enter backup interface dialer number as the backup interface.
  • Page 203: Configuring Mlppp On A Multilink/Dialer Interface

    Configuring MLPPP on a Multilink/Dialer interface Multilink Example The following example enables Multi-Class MLPPP on interfaces 71, 72 and 73 with different fragmentation delay intervals but permits multicast traffic in and out of the firewall on each multilink interface. Additionally, Multilink interface 73 is configured to receive and transmit IP RIP v2 update packets.
  • Page 204: Configuring Bap

    Configuring BAP XSR(config-if<D255>)#multilink min-links 37 XSR(config-if<D255>)#ppp multilink bap XSR(config-if<D255>)#ppp bap number default 1200 XSR(config-if<D255>)#ppp bap number default 1400 XSR(config-if<D255>)#ppp bap call request XSR(config-if<D255>)#ppp multilink fragment-delay 80 XSR(config-if<D255>)#ppp multilink multi-class XSR(config-if<D255>)#dialer called 1200 XSR(config-if<D255>)#dialer called 1400 XSR(config-if<D255>)#dialer idle-timeout 1000000 XSR(config-if<D255>)#dialer watch-group 2 XSR(config-if<D255>)#ip address 200.3.8.21 255.255.255.0 XSR(config-if<D255>)#ip firewall ip-multicast in XSR(config-if<D255>)#ip firewall ip-multicast out...
  • Page 205: Xsr2 Configuration

    XSR1(config-controller<T1-1/0>)#isdn bchan-number-order ascending XSR1(config-controller<T1-1/0>)#no shutdown XSR1(config-controller<T1-1/0>)#dialer pool-member 1 priority 0 Configure BRI interface 2/0 with the basic-ni1 switch type and two SPIDs: XSR1(config)#interface bri 2/0 XSR1(config-if<BRI-2/0>)#isdn switch-type basic-ni1 XSR1(config-if<BRI-2/0>)#isdn spid1 0337250001 XSR1(config-if<BRI-2/0>)#isdn spid2 0337250101 XSR1(config-if<BRI-2/0>)#no shutdown XSR1(config-if<BRI-2/0>)#dialer pool-member 1 priority 0 Configure the Dialer 1 interface with a dialer pool: XSR1(config)#interface Dialer1 XSR1(config-if<D1>)#no shutdown...
  • Page 206: Dual Xsrs: Bap Using Call/Callback Request

    Configuring BAP Configure the Dialer 1 interface with a dialer pool: XSR2(config)#interface Dialer1 XSR2(config-if<D1>)#no shutdown XSR2(config-if<D1>)#dialer pool 1 XSR2(config-if<D1>)#encapsulation ppp Set up BAP on Dialer 1 by enabling BAP and adding BAP phone numbers for XSR1 to call. XSR2(config-if<D1>)#ppp multilink bap XSR2(config-if<D1>)#ppp bap number default 3101 XSR2(config-if<D1>)#ppp bap number default 3102 XSR2(config-if<D1>)#ppp bap number default 3103...
  • Page 207 Configuring BAP XSR1(config-if<D1>)#dialer pool 1 XSR1(config-if<D1>)#encapsulation ppp XSR1(config-if<D1>)#ppp multilink bap XSR1(config-if<D1>)#ppp bap number default 1301 XSR1(config-if<D1>)#ppp bap number default 1300 XSR1(config-if<D1>)#ppp bap call request XSR1(config-if<D1>)#dialer-group 2 XSR1(config-if<D1>)#dialer map ip 10.10.10.1 3200 XSR1(config-if<D1>)#ip address 10.10.10.2 255.255.255.0 XSR1(config)#access-list 102 permit icmp any any 8 XSR1(config)#dialer-list 2 protocol ip list 102 Further description of MLPPP and configuration of its various applications on the XSR can be found in...
  • Page 209: Chapter 9: Configuring Frame Relay

    Overview Frame Relay (FR) is a simple, bit-oriented protocol that offers fast-packet switching for wide-area networking. It combines the statistical multiplexing and port-sharing features of an X.25 connection with fast speed and low delay for high performance and less overhead. Frame Relay organizes data into variable-length, individually addressed units known as frames rather than placing them in fixed time slots for delivery over a packet-switched network where the data channel is occupied only for the duration of the transmission.
  • Page 210: Dtes

    Overview From the perspective of the OSI reference model, Frame Relay is a high-performance WAN protocol suite operating at the physical and data link layers (1 and 2). Starting from a source site, variable-length packets are switched between various network segments until the destination is reached.
  • Page 211: Frame Relay Features

    Frame Relay Features The XSR supports the following FR features: • The XSR acts as a DTE/DCE device in the UNI (User Network Interface) interface, supporting FR PVC connections (NNI functionality is not supported) • 10-bit DLCI addressing using a 2-byte DLCI header (3- and 4-byte headers are not supported) •...
  • Page 212: Address Resolution

    Controlling Congestion in Frame Relay Networks Address Resolution The XSR supports dynamic resolution via Inverse ARP to map virtual circuits (DLCI) to remote protocol addresses, as defined in RFC-2390. Dynamic Resolution Using Inverse ARP Inverse ARP lets a network node request a next hop IP address corresponding to a given hardware address.
  • Page 213: Discard Eligibility (De) Bit

    Several other parameters work hand-in-hand with CIR in controlling traffic flow. Committed burst (Bc) is the peak number of bits that the network attempts to deliver during a given period. Bc differs from CIR - it is a number, not a rate. CIR is equal to the committed burst divided by time interval Tc, expressed in the formula: CIR = Bc/Tc.
  • Page 214 Controlling Congestion in Frame Relay Networks Using BECN bits to control the outbound dataflow is known as adaptive shaping. It is disabled by default on the XSR. To activate it, you must first enable traffic shaping on the port then associate a map class with this interface, sub-interface or DLCI which has the adaptive shaping value set.
  • Page 215: Link Management Information (Lmi)

    Link Management Information (LMI) A FR UNI-DCE device communicates with an attached FR DTE device (e.g., the XSR) about the status of the PVC connections through Link Management Information protocol (LMI). LMI monitors the status of the connection and provides the following data: •...
  • Page 216: Frf.12 Fragmentation

    FRF.12 Fragmentation Generally speaking, it is difficult to deliver good end-to-end quality of service for time-sensitive packets (voice and video) when operating over low speed FR lines (64 kbps or lower), especially when the link is also used to transport large packets (1500-byte FTP traffic). This is due to the fact that it takes 214 milliseconds to send a 1500-byte packet over a 56 kbps link.
  • Page 217: Map-Class Configuration

    until you enter the copy running config startup config configuration into the startup configuration file within Flash. Map-Class Configuration The Map Class configures a common profile (characteristics) that can be applied to PVCs, eliminating the need to configure parameters on all individual PVCs. The configures a FR map class.
  • Page 218: Interconnecting Via Frame Relay Network

    Interconnecting via Frame Relay Network The following typical application uses FR to link remote branches to the corporate network at the central sites via a FR network, as shown in the figure (sites: Minneapolis, Houston, Memphis, Toronto) • Medium speed FR links (32 - 128 kbps) •...
  • Page 219 Configuring Frame Relay Multi-point to Point-to-Point Example The following example configures the XSR in New York to connect with XSRs in Andover and Montreal using Frame Relay, as shown in the figure (10.10.10.1 to remote sites Andover, DLCI 980, CIR 32 Kbps, and Montreal, DLCI 960, CIR 32 Kbps; line rate 128 Kbps). The following CLI commands enable the sample multipoint to point-to-point configuration...
  • Page 220 Configuring Frame Relay NewYork(config-map-class<frf12>)#frame-relay bc out 4000 NewYork(config-map-class<frf12>)#frame-relay be out 5000 NewYork(config-map-class<frf12>)#frame-relay fragment 53 NewYork(config-map-class<frf12>)#service-policy out Voice Configure Serial interface 2/0 with FR parameters including traffic shaping: NewYork(config)#interface Serial 2/0 NewYork(config-if<S2/0>)#media-type V35 NewYork(config-if<S2/0>)#encapsulation frame-relay NewYork(config-if<S2/0>)#frame-relay lmi-type ANSI NewYork(config-if<S2/0>)#frame-relay traffic-shaping NewYork(config-if<S2/0>)#frame-relay class frf12 NewYork(config-if<S2/0>)#no shutdown Configure Serial sub-interface 2/0.1 for a multi-point connection with DLCIs 980 and 960: NewYork(config)#interface Serial 2/0.1 multi-point...
  • Page 221 Andover(config-if<S2/0>)#frame-relay lmi-type ANSI Andover(config-if<S2/0>)#frame-relay traffic-shaping Andover(config-if<S2/0>)#frame-relay class frf12 Andover(config-if<S2/0>)#no shutdown Configure Serial sub-interface 2/0.1 for a point-to-point connection with DLCI 980: Andover(config)#interface Serial 2/0.1 point-to-point Andover(config-subif<S2/0.1>)#ip address 10.10.10.2 255.255.255.0 Andover(config-subif<S2/0.1>)#no shutdown Andover(config-subif<S2/0.1>)#frame-relay interface-dlci 980 On the Montreal XSR, create the QoS class maps similar to those on the New York XSR: Montreal(config)#class-map Tos4 Montreal(config-cmap<Tos4>)#match ip precedence 4 Montreal(config-cmap<Tos4>)#class-map EF...
  • Page 223: Chapter 10: Configuring Dialer Services

    This chapter details information about the XSR’s suite of dialer functionality: • Dial • Ethernet Failover • Backup Dialer • Dial on Demand (DoD) • Bandwidth on Demand (BoD) • Multilink PPP (MLPPP) • Dialer Interface Spoofing • Dialer Watch Overview of Dial Services Dial Services provide network connections across the Public Switched Telephone Network (PSTN).
  • Page 224: Asynchronous And Synchronous Support

    Asynchronous and Synchronous Support Synchronous and asynchronous interfaces can be configured for dialed connections to one or more destination networks. When requested, the XSR uses dialing commands to send the phone number of the destination network to a modem. The modem then dials the destination modem and establishes a connection.
  • Page 225: Dtr Dialing For Synchronous Interfaces

    Table 10-1 lists V.25bis options. By default, the synchronous port will use V25bis. The functions of these options are nation-specific, and they may have different implementations. Refer to your modem documentation for a list of supported commands and options. Table 10-1 ITU-T V.25bis Options Option Description Wait tone...
  • Page 226: Implementing Dial Services

    Implementing Dial Services Dial services are provided by dialer interfaces, which are defined as any XSR interface capable of placing or receiving a call. You can implement Dial Services by creating a dialer profile. Refer to Figure 10-2 Figure 10-2 illustrates a sample Dialer Profile which defines interface dialers in five corporate locations served by the XSR.
  • Page 227: Dialer Interface

    to support point-to-point or point-to-multi-point connections and can be non-spoofed for backup purposes. Refer to • Dialer map class defines all line characteristics of calls to the destination including the interval to wait for a dial signal. It is specified with the •...
  • Page 228: Configuring Encapsulation

    Implementing Dial Services Configuring Encapsulation When a clear data link is established between two peers, traffic must be encapsulated and framed for transport across the Dialer media. PPP is the encapsulation method of choice for Dialer Services because it supports multiple protocols and is used for synchronous or asynchronous connections.
  • Page 229 Figure 10-3 (Interface Dialer0 with a map class and Dialer pool0 over Serial0, Serial1 and Serial 3; 10.1.1.1/24 to Boston 10.1.1.2/24). Figure 10-4 on page 10-8 illustrates three Dialer Interfaces with three associated Dialer Pools. Dialer Pool 6 supports two Serial interfaces of different priority “weighting”. Dialer Pools 3 and 9 support three Serial interfaces with one interface –...
  • Page 230 Implementing Dial Services Interface dialer 0 ip address 10.1.1.1 255.0.0.0 encapsulation ppp dialer string 4161234456 class Toronto dialer string 9872312345 class Andover dialer pool 6 Serial 1/1 dialer pool member 6 priority 200 Serial 1/2 dialer pool member 6 priority 140 As illustrated in Dialer Profiles share similar parameters except phone numbers and values specifying the interval to wait for a dial signal.
  • Page 231 Figure 10-5 Dialer Profile of Destination (416) 123-4456 Network 10.1.1.1/8 Interface dialer 0 ip address 10.1.1.1 255.0.0.0 encapsulation ppp dialer string 4161234456 class Toronto dialer string 9872312345 class Andover dialer pool 6 map class dialer Toronto wait for carrier 20 Dialer Pool 6 contains two ports: Serial 1/1 and Serial 1/2...
  • Page 232: Configuring The Dialer Interface

    Implementing Dial Services Configuring the Dialer Interface The following tasks need to be performed to configure a dialer profile: • Create and configure the dialer interface • Configure a map class (optional but distinguishes dialer profiles) • Configure a physical interface for the dialer interface Creating and Configuring the Dialer Interface Enter interface dialer number to create the dialer interface.
  • Page 233: Configuring The Map Class

    Configuring the Map Class Enter map-class dialer classname to create a map-class identifier. This value must match the classname value you specified in the Enter dialer wait-for-carrier-time seconds to set the interval the local modem waits to answer the call. Configuring the Physical Interface for the Dialer Interface Enter interface serial card/port to specify the interface.
  • Page 234: Configuring Isdn Callback

    Implementing Dial Services Configuring ISDN Callback The following CLI commands configure point-to-point and point-to-multipoint applications with single or multiple neighbors. Point-to-Point with Matched Calling/Called Numbers The following commands configure the called XSR with matched calling and called phone numbers: XSR(config)#interface dialer 1 XSR(config-if<D1>)#dialer pool 1 XSR(config-if<D1>)#dialer caller 921 callback XSR(config-if<D1>)#dialer string 6032217921...
  • Page 235: Overview Of Dial Backup

    XSR(config-if<D1>)#dialer idle-timer 0 XSR(config-if<D1>)#dialer map ip 10.10.10.2 9053617921 XSR(config-if<D1>)#dialer map ip 10.10.10.3 9053617363 XSR(config-if<D1>)#encapsulation ppp XSR(config-if<D1>)#ip address 10.10.10.1 255.255.255.0 XSR(config-if<D1>)#no shutdown Overview of Dial Backup The dialed backup feature provides a backup link over a dial line. The backup link is brought up when failure occurs in a primary link, and is brought down when the primary link is restored.
  • Page 236: Link Failure Backup Example

    Link Failure Backup Example Backup link is up, triggering the next action. Static Backup route configured - the routing process searches its configured Static Routing entries and installs the routes that can be reached through the backup interface. 10. Dynamic route - the routing protocol (RIP) learns of new available routes through the backup (dialer) interface and adds them to the IP Routing and Forwarding Table.
  • Page 237: Configuring The Physical Interface For The Dialer Interface

    Configuring the Physical Interface for the Dialer Interface Perform the following steps to set up the physical port for the dialer interface: Enter interface serial card / port to specify the interface. Enter encapsulation ppp to set PPP encapsulation. Enter dialer pool-member pool-number priority priority to assign the interface as a member of the pool that the dialer interface will use.
  • Page 238: Sample Configuration

    Configuring a Dialed Backup Line Sample Configuration Figure 10-8 on page 10-16 shows an example of two dialer interfaces used to back up two separate serial lines using only one dial out line (serial interface 1). Dialer Interface 1 The CLI commands shown below are those used to configure the example shown in Configure interface dialer 1 to use dial pool 5: XSR(config)#interface dialer1 XSR(config-if<D1>)#encapsulation ppp...
  • Page 239: Overview Of Dial On Demand/Bandwidth On Demand

    XSR(config-if<D2>)#encapsulation ppp XSR(config-if<D2>)#dialer pool 5 XSR(config-if<D2>)#no shutdown Configure backup serial port for dial purposes to belong to dial pool 5: XSR(config)#interface serial 1/0 XSR(config-if<S1/0>)#dialer pool-member 5 XSR(config-if<S1/0>)#no shutdown Configure primary serial port to use dialer 1 as its backup interface: XSR(config)#interface serial 1/1 XSR(config-if<S1/1>)#backup interface dialer1 XSR(config-if<S1/1>)#backup delay 110...
  • Page 240: Dialer Interface Spoofing

    Dialer Interface Spoofing For more information on ISDN fundamentals, refer Network” on page 1 Note: Optional commands shown in sample configurations are preceded by an exclamation point. Dialer Interface Spoofing Spoofing on a dialer interface is defined as the line “pretending” to be up when it is not. That is, the line is physically disconnected but the route entry is maintained in the routing table so that when a call is initiated, it is processed promptly, preserving the on-demand nature of the line.
  • Page 241: Dialer Watch Behavior

    A watch group can also be specified for use by the Virtual Router Redundancy Protocol (VRRP) vrrp <number> track watch-group with the “Configuring IP” on page At the outset, the XSR’s Routing Table Manager (RTM) notifies the Dialer subsystem when a route is added or deleted from the routing table.
  • Page 242: Caveat

    Answering Incoming ISDN Calls Caveat The following caveat applies to Dialer Watch functionality: The dialer will not disconnect the secondary backup switched link if this connection has a better cost to the watched route than the primary link. But, you can remedy this situation by entering the ip rip offset Answering Incoming ISDN Calls The XSR handles incoming ISDN calls as follows:...
  • Page 243: Incoming Call Mapping Example

    Incoming Call Mapping Example This example, as shown in requests coming from different remote peers and maps each incoming call to the correct IP interface (Dialer interface). Node A (Calling Node) Configuration The following commands add a dialer pool member and set the Central Office switch type on BRI port 1/0: XSR(config)#interface bri 1/0 XSR(config-if<BRI-1/0>)#isdn switch-type basic-net3...
  • Page 244: Node B (Called Node) Configuration

    Answering Incoming ISDN Calls Node B (Called Node) Configuration The following commands add two users to validate calls made from Node A. This configuration employs the username/authentication method of mapping incoming calls. XSR(config)#username toronto privilege 0 password cleartext z XSR(config)#username boston privilege 0 password cleartext y These commands add a dialer pool member and set the Central Office switch type on BRI port 1/ XSR(config)#interface bri 1/0 XSR(config-if<BRI-1/0>)#isdn switch-type basic-net3...
  • Page 245: Configuring Dod/Bod

    XSR(config-if<BRI-1/0>)#dialer pool-member 2 XSR(config-if<BRI-1/0>)#no shutdown The following commands define a dialer group, add a dialer pool, set a 20-second idle timeout, and map BRI interface 1/0 to Dialer port 1. The Node B, specifying Node B’s IP address and phone number as well as enables spoofing on the network.
  • Page 246: Ppp Point-To-Multipoint Configuration

    Configuring DoD/BoD (figure: Node A, IP address 10.10.10.1, phone# 2300) Note: Configuration commands preceded by exclamation points are optional. PPP Point-to-Multipoint Configuration In this configuration, only one of the peer nodes can initiate the setup of a switched link when access-list defined data traffic is sent to the remote peer. Node A (Calling Node) Configuration The following commands add a dialer pool and dialer group, and set the Central Office switch type on BRI port 1/0.
  • Page 247: Node B (Called Node) Configuration

    ! XSR(config-if<D2>)#dialer map ip 20.20.20.2 2401 ! XSR(config-if<D2>)#ip address 20.20.20.1 255.255.255.0 The following command defines interesting packets for the dial out trigger by configuring access list 101 to pass all Type 8 source and destination ICMP traffic up to 20 idle seconds: XSR(config)#access-list 101 permit icmp any any 8 The following command maps ACL 101 to dialer group 3: XSR(config)#dialer-list 3 protocol ip list 101...
  • Page 248: Node B Configuration

    Configuring DoD/BoD XSR(config)#interface dialer 1 XSR(config-if<D1>)#no shutdown XSR(config-if<D1>)#dialer pool 25 XSR(config-if<D1>)#encapsulation ppp XSR(config-if<D1>)#dialer idle-timeout 35 XSR(config-if<D1>)#dialer-group 3 XSR(config-if<D1>)#dialer map ip 10.10.10.2 2400 XSR(config-if<D1>)#ip address 10.10.10.1 255.255.255.0 The following command defines interesting packets for the dial out trigger by configuring access list 101 to pass all Type 8 source and destination ICMP traffic up to 35 idle seconds: XSR(config)#access-list 101 permit icmp any any 8 The following command maps ACL 101 to dialer group 3:...
  • Page 249: Dial-In Routing For Dial On Demand Example

    Dial-in Routing for Dial on Demand Example The following commands configure dialer interface 1: XSR(config)#interface dialer 1 XSR(config-if<D1>)#encapsulation ppp XSR(config-if<D1>)#ip address 172.22.85.1 XSR(config-if<D1>)#ppp authentication pap Enforces authentication username XSR-Andover to map incoming calls on XSR Toronto XSR(config-if<D1>)#dialer pool 1 XSR(config-if<D1>)#dialer remote-name XSR-andover Specifies the authenticated username XSR(config-if<D1>)#no shutdown The following command configures authentication of the remote user:...
  • Page 250: Ppp Point-To-Multipoint Configurations

    Configuring DoD/BoD XSR(config)#interface dialer 1 XSR(config-if<D1>)#encapsulation ppp XSR(config-if<D1>)#ip address 172.22.85.2 XSR(config-if<D1>)#ppp pap sent-username XSR-andover password secret 0 dolly XSR(config-if<D1>)#dialer pool 1 XSR(config-if<D1>)#dialer string 47410 XSR(config-if<D1>)#dialer-group 1 Defines interesting packets to trigger dial out XSR(config-if<D1>)#dialer idle-timeout 20 Terminates call to Toronto if the line is idle for 20 seconds XSR(config-if<D1>)#no shutdown The following commands add a dial pool member and set the Central Office switch type on BRI interface 1/0:...
  • Page 251: Dial-Out Router Example

    Dial-out Router Example The following commands add a dialer pool and dialer group, specify a secret password to be sent to the peer for PAP authentication, and specify three MLPPP call destinations - XSR-Andover, XSR-Boston and XSR-Buffalo - on XSR-Toronto’s Dialer interface 1. Spoofing is enabled by the dialer map command.
  • Page 252: Mlppp Point-To-Multipoint Configuration

    Configuring DoD/BoD XSR(config-if<D2>)#no shutdown XSR(config-if<D2>)#dialer remote-name XSR-Boston The following commands add a dialer pool member and set the Central Office switch type on BRI port 1/0: XSR(config)#interface bri 1/0 XSR(config-if<BRI-1/0>)#isdn switch-type basic-net3 XSR(config-if<BRI-1/0>)#dialer pool-member 1 XSR(config-if<BRI-1/0>)#no shutdown The following command sets remote user authentication: XSR(config)#username XSR-toronto password secret 0 code MLPPP Point-to-Multipoint Configuration The following configuration, as illustrated in...
  • Page 253: Node B (Called Node) Configuration

    Node B (Called Node) Configuration The following commands add a dialer pool member with the Central Office switch type to BRI interface 1/0: XSR(config)#interface bri 1/0 XSR(config-if<BRI-1/0>)#isdn switch-type basic-net3 XSR(config-if<BRI-1/0>)#dialer pool-member 22 XSR(config-if<BRI-1/0>)#no shutdown The commands below add a dialer pool and enable MLPPP on Dialer port 1: XSR(config)#interface dialer 1 XSR(config-if<D1>)#no shutdown XSR(config-if<D1>)#dialer pool 22...
  • Page 254: Dial-Out Router Example

    Configuring DoD/BoD XSR(config-if<D1>)#dialer pool 1 XSR(config-if<D1>)#no shutdown The following commands add a dialer pool member and specify the primary-ni switch on XSR-Toronto’s T1 interface 2/3: XSR(config)#controller t1 2/3 XSR(config-controller<T1-1/1>)#switch-type primary-ni XSR(config-controller<T1-1/1>)#dialer pool-member 1 XSR(config-controller<T1-1/1>)#no shutdown Dial-out Router Example The following commands add a dialer pool and dialer group and specify the call destination - XSR-Toronto on XSR-Andover’s Dialer interface 1.
  • Page 255: Dial-Out Router Example

    Figure 10-15 (MLPPP switched lines; XSR-Andover; 172.22.85.2, 172.22.95.2) Dial-out Router Example The following commands add a dialer pool and dialer group, and specify three MLPPP call destinations - XSR-Andover, XSR-Boston and XSR-Buffalo - on XSR-Toronto’s Dialer interface 1. Spoofing also is enabled by the XSR(config)#interface dialer 1 multi-point XSR(config-if<D1>)#encapsulation ppp XSR(config-if<D1>)#ip address 172.22.85.1...
  • Page 256: Dial-In Router Example

    Configuring DoD/BoD The following command defines interesting packets for the dial out trigger by configuring ACL 101 to pass all Type 8 source and destination ICMP packets: XSR(config)#access-list 101 permit icmp any any 8 Dial-in Router Example The following commands add a dialer pool and configure PPP Multilink on XSR-Andover’s Dialer interface 1: XSR(config)#interface dialer 1 XSR(config-if<D1>)#encapsulation ppp...
  • Page 257: Node B Configuration

    Switched PPP Multilink Configuration XSR(config)#access-list 101 permit icmp any any 8 The following command maps ACL 101 to dialer group 3: XSR(config)#dialer-list 3 protocol ip list 101 Node B Configuration The following commands add a dialer pool member and set the Central Office switch type on BRI port 1/0: XSR(config)#interface bri 1/0 XSR(config-if<BRI-1/0>)#isdn switch-type basic-net3...
  • Page 258: Node A (Calling Node) Configuration

    Switched PPP Multilink Configuration Node A (Calling Node) Configuration The following commands add a dialer pool member and set the Central Office switch type on BRI port 1/0: XSR(config)#interface bri 1/0 XSR(config-if<BRI-1/0>)#isdn switch-type basic-net3 XSR(config-if<BRI-1/0>)#dialer pool-member 23 XSR(config-if<BRI-1/0>)#no shutdown The following commands define a dialer group, add a dialer pool, enable MLPPP, set a load threshold of 3 links, and map BRI interface 1/0 to Dialer interface 1.
  • Page 259: Backup Configuration

    Backup Configuration Backup Using ISDN This example configures ISDN NIM cards (either BRI or T1/E1 configured for PRI) to be used for backing-up other interfaces, as shown in the figure (Node A [XSR]). Node A (Backed-up Node) Configuration The following commands set internal clocking and configure two channel groups with three total timeslots on T1 sub-interface 1/2:0: XSR(config)#controller t1 1/2/0 XSR(config-controller<T1-1/2:0>)#...
  • Page 260: Node C (Called Node) Configuration

    Backup Configuration XSR(config-if<D2>)#dialer pool 22 XSR(config-if<D2>)#dialer string 2501 XSR(config-if<D2>)#ip address 20.20.20.1 255.255.255.0 The following command configures backup Dialer interface 1 on Serial sub-interface 2/0:0: XSR(config)#interface serial 2/0:0 XSR(config-if<S2/0:0>)#no shutdown XSR(config-if<S2/0:0>)#backup interface dialer1 XSR(config-if<S2/0:0>)#encapsulation ppp XSR(config-if<S2/0:0>)#ip address 30.30.30.1 255.255.255.0 The following command configures backup Dialer interface 2 on Serial sub-interface 2/0:1: XSR(config)#interface serial 2/0:1 XSR(config-if<S2/0:1>)#no shutdown XSR(config-if<S2/0:1>)#backup interface dialer 2...
  • Page 261: Configuration For Backup With Mlppp Bundle

    Backup Configuration XSR(config-if<D2>)#no shutdown XSR(config-if<D2>)#dialer pool 28 XSR(config-if<D2>)#encapsulation ppp XSR(config-if<D2>)#dialer called 2501 XSR(config-if<D2>)#ip address 20.20.20.3 255.255.255.0 The following command configures Serial sub-interface 2/0:0: XSR(config)#interface serial 2/0:0 XSR(config-if<S2/0:0>)#no shutdown XSR(config-if<S2/0:0>)#encapsulation ppp XSR(config-if<S2/0:0>)#ip address 30.30.30.3 255.255.255.0 The following command configures Serial sub-interface 2/0:1: XSR(config)#interface serial 2/0:1 XSR(config-if<S2/0:1>)#no shutdown XSR(config-if<S2/0:1>)#encapsulation ppp...
  • Page 262: Node C (Called Node) Configuration

    Backup Configuration XSR(config-if<S2/0:0>)#backup interface dialer1 XSR(config-if<S2/0:0>)#encapsulation ppp XSR(config-if<S2/0:0>)#ip address 30.30.30.1 255.255.255.0 Node C (Called Node) Configuration The following commands configure two channel groups with three total timeslots on T1 sub-interface 0/2:0: XSR(config)#controller t1 0/2/0 XSR(config-controller<T1-0/2:0>)#channel-group 1 timeslots 2 XSR(config-controller<T1-0/2:0>)#channel-group 0 timeslots 1 XSR(config-controller<T1-0/2:0>)#no shutdown The following commands add a dialer pool member and set the Central Office switch type on BRI port 1/0:...
  • Page 263: Configuration For Frame Relay Encapsulation

    Backup Configuration Configuration for Frame Relay Encapsulation This backup dial-out example configures FR encapsulation and typical call parameters (dial pool, dial string, dial class) on parent Dialer interface 20 while setting the DLCI and IP address on Dialer sub-interface 20.1: XSR(config)#interface dialer 20 XSR(config-if<D20>)#dial pool 3 XSR(config-if<D20>)#dial string 9053617921 class ISDN...
  • Page 265: Chapter 11: Configuring Integrated Services Digital Network

    Configuring Integrated Services Digital Network This chapter outlines how to configure the Integrated Services Digital Network (ISDN) Protocol on the XSR in the following sections: • XSR ISDN features • Understanding ISDN • ISDN configuration topology – – – Leased line •...
  • Page 266: Bri Features

    Understanding ISDN BRI Features • Circuit Mode Data (CMD): Channels (DS0s or B’s) are switched by the CO to the destination user for the duration of the call. – Outgoing calls supported for Backup, DoD/BoD. – Incoming calls routed to the correct protocol stack based on called number/sub-address and calling number/sub-address.
  • Page 267: Basic Rate Interface

    which provides access to 23 B-channels in North America and Japan and 30 B-channels in Europe and most of Asia, and a 64 Kbps D-channel in both. Basic Rate Interface The XSR’s BRI NIM provides two BRI ports. Each port has two 64 Kbps B-channels and one 16 Kbps D-channel.
  • Page 268: D-Channel Standards

    Understanding ISDN D-Channel Standards The XSR supports several D-channel standards, which are enabled with the command. The accepted standards and some associated switches are: • Europe/ International: basic-net3 for BRI and primary-net5 for PRI • Japan: basic-ntt for BRI and primary-ntt for PRI •...
  • Page 269: Bandwidth Optimization

    reference point represents the customer premises’ wiring. S/T is a point-to-multipoint wiring configuration, that is, the NT1 can be connected to as many as eight TEs that contend for the two B channels. Most XSR applications are critical and require point-to-point connections with the ISDN service to ensure that the B channels are available in a timely fashion.
  • Page 270: Call Monitoring

    Understanding ISDN Call Monitoring Call monitoring is also a vital element of the XSR’s ISDN service. Call monitoring features are useful in terms of security, but also enable tracking of call volume and logging of all connections so that administrators can optimize the number of ISDN lines ordered. Given that ISDN costs are often usage-related, this checking and recording also can prevent nasty surprises that users might receive with the monthly phone bill.
  • Page 271: Q931 Decoding

    Rx ISDN-BRI 1/0 03:13:47:676 Q921 UI p 0 sapi 63 tei 127 c/r 1 • 2nd line: info:0F 00 00 06 FF Tx ISDN-BRI 1/0 03:13:52:601 Q921 INFO p 0 nr 0 ns 0 sapi 0 tei 64 c/r0 info:08 00 7B 3A 07 32 38 30 30 35 35 35 Tx ISDN-BRI 1/0 03:13:52:556 Q921 SABME p 1 sapi 0 tei 64 c/r 0 Rx ISDN-BRI 1/0 03:13:52:661 Q921 RR p/f 0 nr 1 sapi 0 tei 64 c/r 0 Reference Parameters...
  • Page 272 Understanding ISDN – Next line: 18 Channel Id. 81 6C Calling number N0:2800 70 Called number N0:2500 The succeeding section lists all message types and IEs the XSR displays. All unsupported message types and IEs are marked UNKNOWN or IE not Found. Table 11-1 Q931 Decoding Message # 0x00...
  • Page 273: Decoded Ies

    Table 11-1 Q931 Decoding Message # 0x75 0xFF Decoded IEs Only IEs referring to data calls are supported and decoded by the XSR, as shown in the following examples. Those IEs used for voice calls and supplementary services are not applicable. •...
  • Page 274: Bri (Switched) Configuration Model

    ISDN Configuration • channel-group The above commands are mutually exclusive: you can enter one or the other per PRI interface, not both. On the E1 NIM, 30 channels are controlled by ISDN, and 23 channels on the T1 NIM. Other PRI commands include: •...
  • Page 275 Figure 11-1 (dialer configuration model): interface dialer 0 / ip address 1.1.1.1 255.255.255.0 / encapsulation ppp and other protocol commands / dialer string 5551000 class remNode1 / dialer string 5551000 class remNode2 / dialer pool 1 / dialer-group 1 / map-class dialer; Access Lists and Dialer List 1 describe interesting packets; interface dialer 1...
  • Page 276: Pri Configuration Model

    ISDN Configuration XSR(config)#interface dialer 1 XSR(config-if<D1>)#ip address 2.2.2.2 255.255.255.0 XSR(config-if<D0>)#encapsulation ppp XSR(config-if<D0>)#ppp multilink XSR(config-if<D0>)#dialer map ip 192.168.1.10 name HOME 212555756 XSR(config-if<D0>)#dialer pool M XSR(config-if<D0>)#dialer-group 10 XSR(config-if<D0>)#no shutdown XSR(config)#interface bri 1/0 XSR(config-if<BRI-1/0>)#isdn switch-type basic-ni1 XSR(config-if<BRI-1/0>)#isdn spid1 0555100001 5551000 XSR(config-if<BRI-1/0>)#isdn spid2 0555300001 5553000 XSR(config-if<BRI-1/0>)#dialer pool-member 1 priority 100 XSR(config-if<BRI-1/0>)#no shutdown XSR(config)#interface bri 1/1...
  • Page 277 Figure 11-2 interface dialer 0 ip address 111... encapsulation ppp and other protocol commands dialer string 5551000 class remNode1 dialer string 5551000 class remNode2 dialer pool 1 dialer-group 1 map-class dialer Access List Access List Dialer List 1 describes interesting packets Access List Access List...
  • Page 278: Leased-Line Configuration Model

    ISDN Configuration Be aware that the calls in ascending or descending order. The command is recommended only if your service provider requests it to lessen the chance of call collisions. Leased-Line Configuration Model The BRI Leased Line application supports two basic modes: each B channel is routed to a different destination, or both B channels are bonded.
  • Page 279: T1 Pri

    XSR(config-if<BRI-1/1:2>)#ip address 1.1.1.3 255.255.255.0 XSR(config-if<BRI-1/1:2>)#encapsulation frame relay The following commands add a third, bundled B1/B2 line on BRI interface 0/1/1 and another lease line on BRI channel 0/1/2:1 with Frame Relay encapsulation. You can add other serial interface commands as needed. XSR(config)#interface bri 0/1/1 XSR(config-if<BRI-1/1>)#leased-line bri 0/1/1 144 XSR(config-if<BRI-1/1>)#no shutdown...
  • Page 280: Bri Leased Line

    ISDN (ITU Standard Q.931) Call Status Cause Codes XSR(config-if<BRI-1/1>)#no shutdown XSR(config-if<BRI-1/1>)#dialer pool-member 1 priority 1 BRI Leased Line The following example configures a leased-line BRI connection: XSR(config)#interface bri 1/0 XSR(config-if<BRI-1/0>)#leased-line 64 XSR(config-if<BRI-1/0>)#leased-line 64 XSR(config-if<BRI-1/0>)#no shutdown BRI Leased PPP The following example configures a leased PPP connection on a BRI link: XSR(config)#interface bri 1/0:2 XSR(config-if<BRI-1/0:2>)#no shutdown XSR(config-if<BRI-1/0:2>)#encapsulation ppp...
  • Page 281 Table 11-2 Call Status Cause Codes (continued) Code Cause Call awarded and being delivered in an established channel Prefix 0 dialed but not allowed Prefix 1 dialed but not allowed Prefix 1 dialed but not required More digits received than allowed, call is proceeding Normal call clearing User busy No user responding...
  • Page 282 ISDN (ITU Standard Q.931) Call Status Cause Codes Table 11-2 Call Status Cause Codes (continued) Code Cause Incoming calls barred Incoming calls barred within CUG Call waiting not subscribed Bearer capability not authorized Bearer capability not presently available Service or option not available, unspecified Bearer service not implemented Channel type not implemented Transit network selection not implemented...
  • Page 283: Chapter 12: Configuring Quality Of Service

    Overview In a typical network, there are often many users and applications competing for limited system and network resources. While resource sharing on a first-come, first-served basis may suffice when your network load is light, access can freeze quickly when the network gets congested. Under these conditions, a bandwidth-hungry application (large file transfers, email) may devour most of the network bandwidth, depriving applications that send small-sized packets (voice, telnet and other interactive applications) of their fair share of bandwidth, and result in long delays...
  • Page 284: Mechanisms Providing Qos

    Mechanisms Providing QoS • QoS on the dialer interfaces is directly applied to the dialer interface and inherited by the dial pool members (Serial or ISDN). • QoS on MLPPP interfaces. • QoS on point-to-point and point-to-multi-point VPN interfaces. • Control over copy of the ToS byte from/to outer header for VPN tunnels.
  • Page 285: Describing The Class Map

    features in the traffic policy determine how to treat the classified traffic. Traffic policy cannot be applied to multilink PPP interfaces at this time. Note: A Dialer interface is similar to a virtual interface in that only after it dials on a resource from a dialer pool is it able to receive and send data.
  • Page 286: Queuing And Services

    Mechanisms Providing QoS • priority parameter for the queue. Priority queues provide guaranteed bandwidth - they always receive the bandwidth requested. Priority class is not allowed to send more than its guaranteed bandwidth and excess traffic is discarded. Unused priority bandwidth is picked up by the class-default class.
  • Page 287: Configuring Cbwfq

    Configuring CBWFQ CBWFQ is configured using the guarantee during congestion. For example, policy-map keyser guarantees 30 percent of the bandwidth to class sosay and 60 percent of the bandwidth to class intrigue. If one class uses less of the requested share of bandwidth, the excess bandwidth may be used by the other class. XSR(config)#policy-map keyser XSR(config-pmap<keyser>)#class sosay XSR(config-pmap-c<sosay>)#bandwidth percent 30...
  • Page 288: Describing Traffic Policing

    Mechanisms Providing QoS excess bandwidth may be used by CBWFQ. A rule of thumb for configuring PQs is to assign time-sensitive traffic (voice and video) to PQs and other types (e.g., Telnet) to fair queues. Any traffic you do not specifically assign (e.g., Email) is automatically directed to the class-default queue. Not all (100%) of your traffic should be assigned to PQs; a smaller percentage of lower priority traffic should be designated for fair queues or left unassigned for the default queue.
  • Page 289: Class-Based Traffic Shaping

    Mechanisms Providing QoS This is how the policer works. It maintains two token buckets, one holding tokens for normal burst and the other for excess burst. The policing algorithm handles token refilling and burst checking. Token buckets are refilled every time a new packet arrives. The specified bandwidth and the interval between the arrival time of the new packet and that of the previous packet are used to calculate the number of tokens to refill the buckets.
  • Page 290: Traffic Shaping Per Policy-Map

    Mechanisms Providing QoS Class-based traffic shaping can be configured on any class and applied to any data path (interface or DLCI) with the that policy apply traffic shaping to a class. In the following example, class ring is shaped to 38.4 kbps, with a normal burst size of 15440 bytes.
  • Page 291: Differences Between Traffic Policing And Traffic Shaping

    XSR(config-pmap-c<d32>)#exit XSR(config-pmap<cbts>)#class foo XSR(config-pmap-c<foo>)#shape 38400 15440 XSR(config-pmap-c<foo>)#bandwidth per 30 XSR(config-pmap-c<foo>)#exit XSR(config-pmap<cbts>)#class class-default XSR(config-pmap-c<class-default>)#set ip dscp 33 Differences Between Traffic Policing and Traffic Shaping Traffic shaping and traffic policing may appear identical at first glance, but are marked by the following differences: •...
  • Page 292: Congestion Control & Avoidance

    Mechanisms Providing QoS queue-limit value for the queue size. Be aware that by setting the queue size smaller than the shaper burst, shape will not be able to achieve the configured average rate. When the queue-limit command is not invoked, queue size is determined only by the shaper burst. Congestion Control &...
  • Page 293: Describing Weighted Random Early Detection

    Figure 12-1 MaxP In the following example, class bus has a minimum threshold of 460. RED will start to randomly (with a probability between 0 and 1/10) discard packets when its queue grows over 460 packets. It will start to discard each packet when the queue holds more than 550 packets. Note: Drop Tail and RED cannot be used on the same queue at the same time.
  • Page 294: Configuration Per Interface

    Mechanisms Providing QoS WRED. Traffic marked with a lower drop probability is assigned a higher MaxP, and bigger thresholds for MinTh and MaxTh than traffic marked with DSCP values having a higher drop level. Because higher drop DSCPs have a lower MinTh, as the queue grows, the XSR starts discarding them earlier than low drop DSCPs.
  • Page 295: Suggestions For Using Qos On The Xsr

    the dialer interface is pushed to the bound serial interface and, when disconnected, is removed from the serial port. Refer to “Configuring PPP” Suggestions for Using QoS on the XSR The XSR supports QoS on all interfaces, but you should enable QoS only on the data path that actually requires it (generally on lower speed Frame Relay and PPP interfaces) because QoS is fairly processor intensive and may adversely impact router performance.
  • Page 296: Configuring Qos With Frf.12

    QoS with VLAN QoS with MLPPP multi-class regulates the output queue in such a way that, ideally, there is at most one non-priority packet in front of the priority packet, so the greatest latency that latency-sensitive packets experience is never bigger than the fragment delay. Practically speaking, latency for priority packets may be in the range of one to three fragment delays, depending on the traffic, link speed and type of interface used.
  • Page 297: Describing Vlan Qos Packet Flow

    Describing VLAN QoS Packet Flow The following scenarios illustrate how prioritized VLAN and non-VLAN packets behave across XSR interfaces with VLAN and QoS configured and include minimal CLI commands. VLAN Packet with Priority Routed out a Fast/GigabitEthernet Interface The following scenario is illustrated in After the XSR accepts a VLAN-tagged Ethernet frame, the tag is stripped and the VLAN ID within the tag is used in the process of mapping the frame to a sub-interface of the Fast/GigabitEthernet interface.
  • Page 298: Non-Vlan Ip Packet Routed Out A Fast/Gigabitethernet Interface

    QoS with VLAN Ethernet VLAN Tag IP: 9.9.9.1 Priority CFI Incoming VLAN tagged frame Non-VLAN IP Packet Routed Out a Fast/GigabitEthernet Interface In this scenario, shown in FastEthernet 1.1. Since the input IP DSCP was 46 it will match the class matchDscp. The output VLAN frame will be marked with a priority of 4.
  • Page 299: Qos On Input

    Priority levels range from 0 (lowest) to 7. Create a traffic policy. policy-map <policy-map-name> Optional. Mark the IEEE 802.1 priority in the output VLAN header. set cos <0 - 7> Attach the service policy to the input or output interface. interface <Interface name>...
  • Page 300: Qos Over Vpn Features

    QoS on VPN The XSR offers you two choices in applying QoS service policy: • before encryption on the VPN tunnel (virtual VPN) interface or, • after encryption on the underlying physical interface. Copying of the ToS byte brings into play security concerns you must address. As described in RFCs 2475 and 2983, copying of ToS bits may not always be desirable.
  • Page 301: Qos On A Virtual Interface Example

    outer header. In this scenario, all QoS-related parameters are attached to the VPN interface. Note that the VPN interface is a virtual interface without any bandwidth attached to it so certain QoS operations may not be applied here, namely, scheduling packets. But, other QoS parameters which can be applied include: •...
  • Page 302 QoS on VPN The following commands configure Ser and Vpn policy maps on the XSR Remote 1 as shown in Figure 12-7. XSR Central configuration is not described. Configure the QoS Class Maps RTP and FTP matched to ACLs 110 and 15: XSR(config)#class-map RTP XSR(config-cmap<RTP)#match access-group 110 XSR(config-cmap<RTP)#exit...
  • Page 303 QoS on VPN XSR(config)#policy-map Ser XSR(config-pmap-Ser>)#class RTP1 XSR(config-pmap-c<RTP1>)#priority high 100 XSR(config-pmap-c<RTP1>)#exit XSR(config-pmap-Ser>)#class FTP1 XSR(config-pmap-c<FTP1>)#bandwidth percent 20 XSR(config-pmap-c<FTP1>)#exit XSR(config-pmap-Ser>)#class class-default XSR(config-pmap-c<class-default>)#set ip dscp 8 Configure ACLs: XSR(config)#access-list 100 permit ip 101.0.0.0 0.0.0.255 102.0.0.0 0.0.0.255 XSR(config)#access-list 110 permit udp any 102.0.0.0 0.0.0.255 eq 3020 XSR(config)#access-list 115 permit tcp any 102.0.0.0 0.0.0.255 range 20 21 Configure the IKE policy foo for pre-share keys: XSR(config)#crypto isakmp proposal foo...
  • Page 304: Qos And Vpn Interaction

    QoS on VPN XSR(config)#interface vpn 1 XSR(config-int-vpn)#ip address 20.20.20.1/24 XSR(config-int-vpn)#copy-tos XSR(config-int-vpn)#service-policy output vpn XSR(config-tms-tunnel)#tunnel t1 XSR(config-tms-tunnel)#set protocol gre XSR(config-tms-tunnel)#set peer 10.10.10.2 XSR(config-tms-tunnel)#set active XSR(config-tms-tunnel)#no shutdown Figure 12-7 QoS and VPN Interaction The mechanism underlying the VPN interface requires that packets be routed twice in the packet processor.
  • Page 305: Configuring The Shaper On The Vpn Interface

    This situation can cause unexpected results when QoS is applied to VPN interfaces. If the rate of traffic traversing the VPN interface is higher than the physical interface bandwidth, packets are dropped after they are sent from the VPN interface. Due to this, QoS statistics may show higher available bandwidth on the VPN interface than the actual output rate on the physical line.
  • Page 306: Qos Policy Configuration Examples

    QoS Policy Configuration Examples Table 12-3 Overhead on IPSec Tunnels Tunnel Type Mode Tunnel ESP Tunnel AH Tunnel ESP As an example, tunnels with ESP and 3DES encoding will add 44 bytes (or more) of overhead. Padding for 3DES may add eight more bytes. Calculate the shaper rate with this formula: ShaperRate = LineRate * (1 - OverHead/(OverHead + AvgPktSize)) The table below summarizes the shaper rate as a percentage of the line rate for different average packet sizes and tunnel modes.
  • Page 307: Qos For Frame Relay Policy

    QoS Policy Configuration Examples XSR(config-pmap-c<class1>)#queue-limit 40 XSR(config-pmap-c<class1>)#exit XSR(config-pmap<policy1>)#class class2 XSR(config-pmap-c<class2>)#bandwidth 300 XSR(config-pmap-c<class2>)#random-detect 34 56 3 XSR(config-pmap-c<class2>)#exit XSR(config-pmap<policy1>)#class class-default XSR(config-pmap-c<class-default>)#queue-limit 20 XSR(config-pmap-c<class-default>)#exit XSR(config-pmap<policy1>)#exit Apply the configuration to the interface: XSR(config)#interface serial 1/1 XSR(config-if<S1/1>)#service-policy output policy1 QoS for Frame Relay Policy The following example sets Serial interface 1/1 for Frame Relay with one DLCI (100) which will support three types of traffic: voice that is assigned to a priority queue with a bandwidth of 20 kbps, FTP that is assigned to fair queue with 50 percent of the remaining bandwidth, and Class1 that is assigned to class-default (and gets the other 50 percent).
  • Page 308: Qos With Mlppp Multi-Class Policy

    QoS Policy Configuration Examples Create a policy map consisting of one or more traffic classes and specify QoS characteristics for each traffic class: XSR(config)#policy-map frame1 XSR(config-pmap<frame1>)#class voice XSR(config-pmap-c<voice>)#priority high 20 2500 XSR(config-pmap-c<voice>)#queue-limit 32 XSR(config-pmap-c<voice>)#set ip dscp 46 XSR(config-pmap-c<voice>)#exit XSR(config-pmap<frame1>)#class ftp XSR(config-pmap-c<ftp>)#bandwidth percent 50 XSR(config-pmap-c<ftp>)#police 30000 3000 6000 conform-action set-dscp-transmit 10 exceed-action set-dscp-transmit 12 violate-action set-dscp-transmit 14...
  • Page 309: Qos With Frf.12 Policy

    QoS Policy Configuration Examples XSR(config-pmap<QoS-Policy>)#class VoIP-RTP XSR(config-pmap-c<class VoIP-RTP>)#priority high 100 XSR(config-pmap-c<class VoIP-RTP>)#class FTP XSR(config-pmap-c<class VoIP-RTP>)#bandwidth per 30 XSR(config)#access-list 101 permit udp any any range 16384 32767 XSR(config)#access-list 102 permit udp any any range 20 21 XSR(config)#interface multilink 1 XSR(config-if<M1>)#ip address 10.1.61.1 255.255.255.0 XSR(config-if<M1>)#service-policy output QoS-Policy XSR(config-if<M1>)#ppp multilink XSR(config-if<M1>)#ppp multilink fragment-delay 10...
  • Page 310: Qos With Vlan Policy

    QoS Policy Configuration Examples XSR(config)#map-class frame-relay VoIP XSR(config-map-class<VoIP>)#frame-relay cir out 256000 XSR(config-map-class<VoIP>)#frame-relay bc out 25600 XSR(config-map-class<VoIP>)#frame-relay be out 0 XSR(config-map-class<VoIP>)#service-policy output QoS-Policy XSR(config-map-class<VoIP>)#frame-relay fragment 300 QoS with VLAN Policy The following example configures QoS on a VLAN interface. First, add the class map cos5To7 with the matching CoS criterion 5 6 7.
  • Page 311: Input Qos On Ingress To The Diffserv Domain Policy

    QoS Policy Configuration Examples XSR(config)#interface multilink 1 XSR(config-if<M1>)#service-policy input InOut XSR(config-if<M1>)#exit XSR(config)#interface fastethernet 1 XSR(config-if<F1>)#service-policy output InOut Input QoS on Ingress to the Diffserv Domain Policy If the XSR is positioned on the edge of the diffserv (DS) domain, it must perform edge traffic conditioning required by the diffserv domain for traffic entering from outside the domain.
  • Page 312 QoS Policy Configuration Examples XSR(config)#interface fastethernet 2 XSR(config-if<F2>)#service-policy input Eth 12-30 Configuring Quality of Service...
  • Page 313: Chapter 13: Configuring Adsl

    This chapter details the background, features, implementation and configuration of Asymmetric Digital Subscriber Line (ADSL) on the XSR. Overview ADSL (Asymmetric Digital Subscriber Line) is a technology for transmitting digital information at a high bandwidth over existing phone lines. Unlike regular dialup phone service, ADSL provides continuously available, “always on”...
  • Page 314: Pdu Encapsulation Choices

    Features PPPoE (RFC-2516) PPPoE Ethernet MAC VC Multiplexing (RFC-1483/RFC-2684) PDU Encapsulation Choices The XSR’s Protocol Data Unit (PDU) encapsulation choices are described and illustrated as follows. PPP over ATM The XSR’s PPPoA option, as defined by RFC-2364, supports the following features. The router includes an integrated PPPoA client which adds LLC/SNAP encapsulation to packets headed to the DSLAM, and strips the same from packets headed to its interior networks.
  • Page 315: Ppp Over Ethernet Over Atm (Routed)

    Frwd Router / Modem with integrated PPPoA client Local ethernet frames 802.3 This implementation is restricted as follows: • Maximum MTU of 1500 bytes • ATM SVCs are not supported • Frame Relay/ATM internetworking (per FRF.8) is not supported • PPP coding transitions - switching the method (VC-multiplexed PPP to LLC-encapsulated PPP and back) - are not supported •...
  • Page 316: Routed Ip Over Atm

    Features 802.3 The limitations of this configuration are as follows: • Maximum MTU of 1492 bytes • ARP is not supported • Other received bridged PDU types are silently discarded (802.4, 802.5, 802.6, FDDI) • Does not send (PID type 0x00-01) and ignores received (PID type 0x00-01) LAN FCSs •...
  • Page 317: Adsl Limitations

    802.3 Restrictions of this implementation are as follows: • Maximum MTU of 1500 bytes • NLPID-formatted routed IP version 4 PDUs over ATM PVCs are not supported • LLC-encapsulated bridge PDUs are not supported. Any bridged PDUs received and PDUs received which specify a foreign MAC address (not the XSR’s) are silently discarded.
  • Page 318: Adsl On The Motherboard

    Features ADSL on the Motherboard Two versions of ADSL are provided by the XSR Series 1200 routers: • Annex A over POTS on the XSR-1220 • Annex B over ISDN on the XSR-1235 DSP Firmware Digital Signal Processing (DSP) firmware, which the XSR’s onboard ADSL modem uses to communicate with your provider’s Digital Subscriber Line Access Multiplexer (DSLAM), is stored in the adsl.fls...
  • Page 319: Oam Cells

    Note: This circuit can not be used for any other purpose when operating in FUNI mode. OAM Cells OAM cells are messages used to operate, administer, and maintain ATM networks. They provide in-band control functions for virtual circuits, including hop-by-hop and end-to-end functions such as path connectivity and delay measurement.
  • Page 320: Inverse Arp

    Configuration Examples Inverse ARP The XSR employs Inverse ARP as defined in RFC-1293 with modifications specified by RFC-2225 (Classical IP over ATM). Inverse ARP is supported for PVCs which are configured as Routed IPv4 circuits (per RFC-1483), using LLC/SNAP encapsulation. This implementation will not send an ATM hardware address and addresses received will be discarded.
  • Page 321: Pppoa

    VCI values to those requested by the DSL provider. Notice that the Maximum Segment Size (MSS) is set to 1400 bytes for TCP SYN (synchronize) packets. Because a PC connected to a Fast/GigabitEthernet port may be unable to access Web sites if its MSS setting is too high, subtracting for the PPPoE, IP, TCP, and GRE headers (6, 20, 20, and 24 bytes, respectively) and the PPP Protocol ID should avoid that problem.
  • Page 322: Ipoa

    Configuration Examples The following optional command configures a universal default route: XSR(config)#ip route 0.0.0.0 0.0.0.0 atm 1/0.1 IPoA Enter the following commands to configure an IPoA topology: XSR(config)#interface ATM 1/0 XSR(config-if<ATM1/0>)#no shutdown XSR(config-if<ATM1/0>)#interface ATM 1/0.1 XSR(config-if<ATM0/1/0.1>)#encapsulation snap ipoa XSR(config-if<ATM0/1/0.1>)#ip address 192.168.1.1 255.255.255.0 XSR(config-if<ATM0/1/0.1>)#ip mtu 1492 XSR(config)#ip route 0.0.0.0 0.0.0.0 30.0.0.10 XSR(config)#ip route 30.0.0.10 255.255.255.255 ATM 1/0.1...
  • Page 323: Chapter 14: Configuring The Virtual Private Network

    Configuring the Virtual Private Network VPN Overview As it is most commonly defined, a Virtual Private Network (VPN) allows two or more private networks to be connected over a publicly accessed network. VPNs share some similarities with Wide Area Networks (WAN), but the key feature of VPNs is their use of the Internet rather than reliance on expensive, private leased lines.
  • Page 324: How A Virtual Private Network Works

    Ensuring VPN Security with IPSec/IKE/GRE • Encryption and decryption promote confidentiality by allowing two communicating parties to disguise information they share. The sender encrypts, or scrambles, data before sending it. The receiver decrypts, or unscrambles, the data after receiving it. While in transit, the encrypted information is unintelligible to an intruder.
  • Page 325 Since IPSec is the standard security protocol, the XSR can establish IPSec connections with third-node devices including routers as well as PCs. An IPSec tunnel basically acts as the network layer protecting all data packets that pass through, regardless of the application or device. The XSR makes it possible to control the type of traffic sent over a VPN by allowing you to define group-based filters (Access Control Lists) which control the IP addresses and protocol/port services allowed through the tunnel.
  • Page 326: Gre Over Ipsec

    Ensuring VPN Security with IPSec/IKE/GRE Original packet After processing As shown above, AH authenticates the entire packet transmitted on the network whereas ESP only covers a portion of the packet transmitted (the higher layer data in transport mode and the entire original packet in tunnel mode).
  • Page 327: Defining Vpn Encryption

    Defining VPN Encryption To ensure that the VPN is secure, limiting user access is only one piece of the puzzle; once the user is authenticated, the data itself needs to be protected as well. Without a mechanism to provide data privacy, information flowing through the channel will be transmitted in clear text, which can easily be viewed or stolen with a packet sniffer.
  • Page 328: Certificates

    Describing Public-Key Infrastructure (PKI) data. Instead of encrypting the data itself, the signing software creates a one-way hash of the data, then uses your private key to encrypt the hash. The encrypted hash, along with other information, such as the hashing algorithm, is known as a digital signature. Certificates A certificate is an electronic document to identify an individual, server, company, or other entity and associate that identity with a public key.
  • Page 329: Ca Hierarchies

    CRL checking is not optional. CRLs are collected automatically by the XSR using information available in the IPSec and CA certificates it has already collected. Two methods are available to perform this collection: • HTTP Get issues an HTTP-based request to collect the certificate. •...
  • Page 330: Ra Mode

    Describing Public-Key Infrastructure (PKI) Asia CA Sales CA A certificate chain traces a path of certificates from a branch in the hierarchy to the root of the hierarchy. In a certificate chain, the following occurs: • Each certificate is followed by the certificate of its issuer. •...
  • Page 331: Pending Mode

    Pending Mode Once you have authenticated against the parent CA in your XSR certificate chain, you then enroll the XSR's IPSec client certificate against the CA using the SCEP enroll command. Depending on how your CA administrator has configured the CA, you may or may not immediately receive your IPSec client certificate when you first enroll.
  • Page 332: Vpn Applications

    VPN Applications This feature specifies whether the router can clear, set, or copy the DF bit in the encapsulating header. It is available only for IPSec tunnel mode - transport mode is not affected because it does not have an encapsulating IP header. Typical enterprise DF bit settings include hosts which perform these roles: •...
  • Page 333: Site-To-Site Networks

    Site-to-Site Networks Site-to-site tunnels run as point-to-point links. They are useful when connecting geographically dispersed network segments where each segment contains servers and hosts. VPN tunnels play the role of point-to-point links and are transparent from a routing perspective. Figure 14-5 shows a link between two XSR sites, but this architecture can be extended to link many sites by creating a mesh topology.
  • Page 334: Client Mode

    VPN Applications If you filter traffic with ACLs, you will need to write an ACL similar to this example: access-list 101 permit udp any host 192.168.57.4 eq 4500. If you enable the XSR firewall, refer to “Configuring Security on the XSR” traffic is passing the NAT device by entering the show crypto ipsec sa command.
  • Page 335: Remote Access Networks

    the hosts on the private LAN. The XSR's internal NAT operates only on Layer-4 protocols such as TCP and UDP. NAT also employs a set of modules, Application Level Gateways (ALGs), for processing non-UDP/TCP protocols such as ICMP and H.323. Routing updates are unidirectional: the Central site advertises segments reachable in the corporate network, but the client XSR does not advertise the private LAN.
  • Page 336: Using Ospf Over A Vpn Network

    VPN Applications behind the XSR. After a tunnel has been built, the XSR may advertise routing information about the corporate network to the client. Authentication can be performed in several ways depending on the protocol used. For PPTP, authentication is achieved by means of PPP-based methods such as MS-CHAP, EAP, and PAP. It should be noted that some of these methods are not secure because password and user IDs traverse the Internet in clear-text.
  • Page 337 From the server’s point of view, connected tunnels are point-to-multipoint links. The VPN interface serving as the server’s tunnel endpoint must be a point-to-multipoint interface. Additionally, the server does not see segments behind the clients because in Client Mode, NAT is employed inside the tunnel and all traffic originating from trusted segments is NAT-ed with the IP address assigned by the server, as shown in Figure 14-8...
  • Page 338: Configuring Ospf Over Site-To-Central Site In Network Extension Mode

    VPN Applications Client • Fast/GigabitEthernet 1 interface: This is a private, non-routable segment, usually 192.168.1.0/24. OSPF must be disabled on F1. If OSPF is enabled on this interface, it will be advertised to the server. The server's IP routing table will learn a route to this segment via the VPN interface connected to the client.
  • Page 339: Server 1

    The VPN interface on the server may terminate a mix of connections - some of which may be Client-type connections and others may be Network Extension connections. The following OSPF settings should be applied in this scenario: Server Apply the same settings as in the Client Mode scenario. OSPF is enabled on Fast/GigabitEthernet 1 and VPN 1 interfaces and is disabled on Fast/GigabitEthernet 2.
  • Page 340: Server 1

    XSR VPN Features Server 2 Interfaces Fast/GigabitEthernet 1 and VPN 1 Client Interfaces Fast/GigabitEthernet 1, VPN 1 and VPN 2. VPN 1 Limitations Peer-to-Peer IPSec tunnels are configured without the VPN interface by applying crypto maps to physical interfaces. In this application, IPSec is treated as a side effect of data transmission through the interface.
  • Page 341 - Client mode • Remote Access application – Clients - Windows XP, 2000 (L2TP); NT 4.0, 98, 98 SE, ME, and CE. PPTP available on all clients – L2TP/IPSec protocols SCEP: Certificate and PKI environment - MS-CHAP v2, EAP user authentication: - Username/Password (local database and RADIUS) - SecurID (third-node plug-in) - Certificates (embedded/smart cards) –...
  • Page 342: Vpn Configuration Overview

    VPN Configuration Overview • Authentication, Authorization, and Accounting (AAA) support including AAA per interface (for clients), AAA for PPP, and AAA debugging • Dynamic Host Configuration Protocol (DHCP) support – DHCP Server • OSPF over VPN • DF Bit override on IPSec tunnels •...
  • Page 343: Acl Configuration Rules

    • Enter crypto key master generate in Global configuration mode. Caution: The master encryption key is stored in hardware, not Flash, and you cannot read the key - only overwrite the old key by writing a new one. To ensure router security, it is critical not to compromise the key.
  • Page 344: Selecting Policies: Ike/Ipsec Transform-Sets

    VPN Configuration Overview XSR(config-if<F2>)#ip address 141.154.196.87 255.255.255.192 If an XSR is configured as a VPN gateway, the external interface (FastEthernet 2, e.g.), can be made more restrictive by only allowing VPN protocols to pass through and barring all other traffic: XSR(config)#access-list 100 permit esp any host 192.168.57.7 XSR(config)#access-list 100 permit ah any host 192.168.57.7 XSR(config)#access-list 100 per udp any eq 500 host 192.168.57.7 eq 500...
  • Page 345: Security Policy Considerations

    More than one IKE proposal can be specified on each node. When IKE negotiation begins, it seeks a common proposal on both peers with identical parameters. IKE policy is configured using the crypto isakmp peer command. Specified parameters are effective when a peer address/subnet matches the IP address of the peer.
  • Page 346: Creating Crypto Maps

    VPN Configuration Overview Configure IKE policy for the remote peer, assuming that two other IKE proposals (try2 and try3) have been configured: XSR(config)#crypto isakmp peer 192.168.57.33/32 XSR(config-isakmp-peer)#proposal try1 try2 try3 XSR(config-isakmp-peer)#config-mode gateway XSR(config-isakmp-peer)#nat auto Configure the IPSec transform set. You can specify both kilobyte and seconds SA lifetime values or just one.
  • Page 347: Authentication, Authorization And Accounting Configuration

    Authentication, Authorization and Accounting Configuration The XSR’s AAA implementation handles all authentication, authorization and accounting of users (Remote Access) and peer gateways (Site-to-Site). The components include: • Usernames and passwords for authentication • Associated group name for authorization of network services •...
  • Page 348: Aaa Commands

    VPN Configuration Overview AAA Commands The following XSR AAA commands are useful for VPN configuration: • Configure users and groups with the following sub-commands: – policy dns-server – and WINS servers to distribute to remote access users and connecting XSRs. – ip pool user group.
  • Page 349: Pki Configuration Options

    XSR(aaa-user)#aaa password ThISisMYShaREDsecRET The following sample configuration creates user Jeremiah in the PromisedLand usergroup, with DNS, WINS and MPPE encryption, and assigns IP local pool remote_users for remote access: XSR(config)#aaa group PromisedLand XSR(aaa-group)#dns server primary 112.16.1.16 XSR(aaa-group)#dns server secondary 112.30.30.20 XSR(aaa-group)#wins server primary 112.16.1.16 XSR(aaa-group)#wins server secondary 112.16.1.13 XSR(aaa-group)#ip pool remote_users...
  • Page 350: Configuring Pki

    VPN Configuration Overview – crypto ca certificate chain no certificate – • Remove CA identities and all associated CA and IPSec client certificates by entering crypto ca identity <ca name> Configuring PKI The main steps to configure PKI are as follows: •...
  • Page 351 Certificate has the following attributes: Fingerprint: D423E129 81904CE0 1E6D0FE0 A123A302 Do you accept this certificate? [yes/no] Display your CA certificates to verify all root and associated certificates are present. In the RA Mode example below, ldapca is the root CA of three certificates. Non-RA Mode CAs return one certificate only.
  • Page 352 VPN Configuration Overview XSR(config)#ip domain acme.com Enroll in an end-entity certificate from a CA for which you have previously authenticated; e.g., ldapca. The CLI script will prompt you to enter and re-enter a challenge password you create or is given to you by your CA administrator. Remember that if you create a password, save it so it can be used later in case you need to revoke the certificate.
  • Page 353: Interface Vpn Options

    Issuer: Valid From: Valid To: Subject: Fingerprint: Certificate Size: RA KeyEncipher Certificate - ldapca-rae State: Version: Serial Number: Issuer: Valid From: Valid To: Subject: Fingerprint: Certificate Size: RA Signature Certificate - ldapca-ras State: Version: Serial Number: Issuer: Valid From: Valid To: Subject: Fingerprint: Certificate Size:...
  • Page 354: Vpn Interface Sub-Commands

    Configuring a Simple VPN Site-to-Site Application VPN Interface Sub-Commands The following sub-commands are available at VPN Interface mode: ip firewall ip address-negotiated ip address ip multicast-redirect ip nat Specifies NAT rules on the VPN interface ip rip Configures RIP routing on the VPN port ip unnumbered ip split-horizon ip ospf...
  • Page 355 configuration, permit means protect or encrypt, and deny indicates don’t encrypt or allow as is. XSR(config)#access-list 120 permit ip 141.154.196.64 0.0.0.63 63.81.66.0 0.0.0.255 XSR(config)#access-list 130 permit ip 63.81.64.0 0.0.0.255 63.81.66.0 0.0.0.255 XSR(config)#access-list 140 permit ip 63.81.68.0 0.0.0.255 63.81.66.0 0.0.0.255 Set up IKE Phase 1 protection by entering the following commands: XSR(config)#crypto isakmp proposal Test Designates ISAKMP proposal Test and acquires ISAKMP mode XSR(config-isakmp)#authentication [pre-share | rsa]...
  • Page 356: Configuring The Vpn Using Ez-Ipsec

    Configuring the VPN Using EZ-IPSec XSR(config-crypto-m)#match address 140 Applies map to ACL 140 and renders the ACL bi-directional XSR(config-crypto-m)#set peer 1.1.1.2 Attaches map to peer XSR(config-crypto-m)#mode [tunnel | transport] Selects IPSec mode for XSR-to-XSR (tunnel) or host to XSR (transport) XSR(config-crypto-m)#set security-association level per-host Sets a separate SA for every traffic flow XSR(config)#crypto map Test 20...
  • Page 357: Ez-Ipsec Configuration

    EZ-IPSec is invoked using the standard IPSec policies, relieving you of the complex manual process. It enables dynamic routing over an IPSec tunnel: • Via Client or Network Extension Mode • Supporting RIPv2 and OSPF through the tunnel The security policy is created automatically using ESP with 3DES and AES encryption and SHA-1 and MD5 integrity algorithms.
  • Page 358: Configuration Examples

    Configuration Examples XSR(config-tms-tunnel)#set peer 200.10.20.30 Specifies the IP address of the remote peer XSR(config-tms-tunnel)#set protocol ipsec network-extension-mode NEM tunnel connection Note: Pre-shared key proposals are used if a user name is supplied with a tunnel. If no user name is supplied, EZ-IPSec verifies the XSR has one or more valid certificates and it uses RSA signature authentication.
  • Page 359: Remote Access

    Figure 14-12 EZ-IPSec Client, XP Client and Gateway Topology Branch Office EZ-IPSec client FastEthernet 1 RoboPez 172.16.1.1 Begin by setting the XSR system time via SNTP. This configuration is critical for XSRs which use time-sensitive certificates. XSR(config)#sntp-client server 10.120.84.3 XSR(config)#sntp-client poll-interval 60 Add ACLs to permit IP and UDP traffic: XSR(config)#access-list 130 permit udp any any eq 500 XSR(config)#access-list 130 permit gre any any...
  • Page 360 Configuration Examples XSR(config)#crypto ipsec transform-set esp-3des-sha esp-3des esp-sha-hmac XSR(cfg-crypto-tran)set security-association lifetime kilobytes 10000 Configure the following four crypto maps to match ACLs 150, 140, 120, and 110: XSR(config)#crypto map test 50 XSR(config-crypto-m)#set transform-set esp-3des-sha XSR(config-crypto-m)#match address 150 XSR(config)#crypto map test 40 XSR(config-crypto-m)#set transform-set esp-3des-sha XSR(config-crypto-m)#match address 140 XSR(config)#crypto map test 20...
  • Page 361 Configuration Examples Clear the DF bit globally: XSR(config)#crypto ipsec df-bit clear Enable the OSPF engine, VPN and FastEthernet 1 interfaces for routing: XSR(config)#router ospf 1 XSR(config-router)#network 10.120.70.0 0.0.0.255 area 5.5.5.5 XSR(config-router)#network 10.120.112.0 0.0.0.255 area 5.5.5.5 Create a group for NEM and Client mode users: XSR(config)#aaa group sohoclient XSR(aaa-group)#dns server primary 10.120.112.220 XSR(aaa-group)#dns server secondary 0.0.0.0...
  • Page 362: Gre Tunnel For Ospf

    Configuration Examples XSR(config-if)#encapsulation ppp XSR(config-if)#ip address negotiated XSR(config-if)#ip mtu 1492 XSR(config-if)#ip nat source assigned overload XSR(config-if)#ppp pap sent-username pezhmon password pezhmon Configure the Network Extension Mode, site-to-site IPSec tunnel to the central site XSR (Robo6). XSR(config)#interface vpn 1 point-to-point XSR(config-int-vpn)#ip address neg XSR(config-int-vpn)#tunnel Pipe XSR(config-tms-tunnel)#set user certificate XSR(config-tms-tunnel)#set protocol ipsec network...
  • Page 363 XSR(config-isakmp-peer)#proposal shared Configure a set of three IPSec quick mode security parameters that the XSR-3000 is willing to negotiate to within the IKE conversation: XSR(config)#crypto ipsec transform-set aes-md5 esp-aes esp-md5-hmac XSR(cfg-crypto-tran)#set security-association lifetime kilobytes 25000 XSR(cfg-crypto-tran)#set security-association lifetime seconds 7200 XSR(config)#crypto ipsec transform-set 3des-md5 esp-3des esp-md5-hmac XSR(cfg-crypto-tran)#set security-association lifetime kilobytes 25000 XSR(cfg-crypto-tran)#set security-association lifetime seconds 7200...
  • Page 364: Tunnel B: Xsr-1805 Vpn Gre Site-To-Site Tunnel

    Configuration Examples XSR(config-tms-tunnel)#ip ospf dead-interval 4 XSR(config-tms-tunnel)#ip ospf hello-interval 1 XSR(config-tms-tunnel)#ip ospf cost 100 Configure a default static route to the next hop Internet router: XSR(config)#ip route 0.0.0.0 0.0.0.0 63.81.64.1 10. Enable OSPF on the trusted and VPN interfaces: XSR(config)#router ospf 1 XSR(config-router)#network 10.120.84.0 0.0.0.255 area 0.0.0.0 XSR(config-router)#network 192.168.1.0 0.0.0.255 area 0.0.0.0 Tunnel B: XSR-1805 VPN GRE Site-to-Site Tunnel...
  • Page 365 XSR(config-if<F2>)#ip address 63.81.64.200 255.255.255.0 XSR(config-if<F2>)#no shutdown Add a VPN point-to-point GRE interface with a heartbeat of nine seconds, enable XSR3250A to initiate an outbound tunnel ( gateway (63.81.64.100), and redirect all multicast packets to a unicast address: XSR(config)#interface vpn1 point-to-point XSR(config-int-vpn)#ip multicast-redirect 192.168.1.2 XSR(config-int-vpn)#tunnel “XSR3000A”...
  • Page 366: Xsr/Cisco Site-To-Site Example

    Configuration Examples XSR/Cisco Site-to-Site Example The following Site-to-Site configuration connects a Cisco 2600 router with internal/external IP addresses of 192.168.3.5/192.168.2.5 to an XSR with internal/external IP addresses of 192.168.1.2/192.168.2.2. The commands are shown as they would appear in the configuration file.
  • Page 367: Xsr Configuration

    Configuration Examples interface FastEthernet0/0 ip address 192.168.3.5 255.255.255.0 speed auto half-duplex no cdp enable interface FastEthernet0/1 ip address 192.168.2.5 255.255.255.0 duplex auto speed auto no cdp enable crypto map regular ip classless ip route 0.0.0.0 0.0.0.0 192.168.2.1 ip route 192.168.1.0 255.255.255.0 192.168.2.2 ip http server ip pim bidir-enable access-list 110 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255...
  • Page 368: Interoperability Profile For The Xsr

    Interoperability Profile for the XSR XSR(config)#crypto ipsec transform-set esp-des-md5 esp-des esp-md5-hmac XSR(cfg-crypto-tran)#set pfs group2 XSR(cfg-crypto-tran)#no set security-association life kilo XSR(cfg-crypto-tran)#set security-association life secon 700 XSR(config)#crypto map test 20 XSR(config-crypto-m)#set transform-set esp-des-md5 XSR(config-crypto-m)#match address 120 XSR(config-crypto-m)#set peer 192.168.2.5 XSR(config-crypto-m)#mode tunnel XSR(config)#interface fastethernet 1 XSR(config-if<F1>)#no shutdown XSR(config-if<F1>)#ip address 192.168.1.2 255.255.255.0 XSR(config)#interface fastethernet 2...
  • Page 369 • Main mode • Triple DES • SHA-1 • MODP group 2 (1024 bits) • Pre-shared secret of “hr5xb84l6aa9r6” • SA lifetime of 28800 seconds (eight hours) with no Kbytes rekeying The IKE Phase 2 parameters used in Scenario 1 are: •...
  • Page 370 Interoperability Profile for the XSR XSR(config-isakmp-peer)#config-mode gateway XSR(config-isakmp-peer)#exchange-mode main Configure IKE Phase 2 settings by creating the transform-set Secure: XSR(config)#crypto ipsec transform-set Secure esp-3des esp-sha1-hmac XSR(cfg-crypto-tran)#set pfs group2 XSR(cfg-crypto-tran)#set security-association lifetime seconds 3600 Configure the crypto map Highflow which correlates with transform-set Secure and access list 101, and attach the map to the remote peer.
  • Page 371: Scenario 2: Gateway-To-Gateway With Certificates

    Scenario 2: Gateway-to-Gateway with Certificates The following is a typical gateway-to-gateway VPN that uses certificates for authentication, as illustrated in Figure Figure 14-14 10.5.6.0/24 Gateway A connects the internal LAN 10.5.6.0/24 to the Internet. Gateway A's LAN interface has the address 10.5.6.1, and its WAN (Internet) interface has the address 14.15.16.17. Gateway B connects the internal LAN 172.23.9.0/24 to the Internet.
  • Page 372 Interoperability Profile for the XSR Begin by asking your CA administrator for your CA name and URL. The CA’s URL defines its IP address, path and default port (80). You can resolve the CA server address manually by pinging its IP address. Be sure that the XSR time setting is correct according to the UTC time zone so that it is synchronized with the CA’s time.
  • Page 373 State: CA-AUTHENTICATED Version: Serial Number: 458128729515158954573993 Issuer: C=US, O=sml, CN=hightest Valid From: 2002 Jul 24th, 20:45:13 GMT Valid To: 2003 Jul 24th, 20:55:13 GMT Subject: C=US, O=sml.com, CN=sml_requestor Fingerprint: 91EB5A77 B5CA535A 077B65C5 65035615 Certificate Size: 1695 bytes Enroll in an end-entity certificate from a CA for which you have previously authenticated; e.g., hightest.
  • Page 374 Interoperability Profile for the XSR Valid To: Subject: Fingerprint: Certificate Size: CA Certificate - PKItestca1 State: Version: Serial Number: Issuer: Valid From: Valid To: Subject: Fingerprint: Certificate Size: RA KeyEncipher Certificate - Hightest-rae State: Version: Serial Number: Issuer: Valid From: Valid To: Subject: Fingerprint:...
  • Page 375: Chapter 15: Configuring Dhcp

    Overview of DHCP The Dynamic Host Configuration Protocol (DHCP) allocates and delivers configuration values, including IP addresses, to Internet hosts. Consisting of two components, DHCP provides host- specific configuration parameters from a DHCP Server to a host, and allocates network addresses to hosts.
  • Page 376: Dhcp Server Standards

    How DHCP Works • Provisioning of differentiated network values by Client Class. • Persistent and user-controllable conflict avoidance to prevent duplicate IP address including configurable ping checking. • Visibility of DHCP network activity and leases through operator reports statistics and logs. •...
  • Page 377: Dhcp Services

    client used a client ID when it got the lease, it will use the same identifier in the message. Alternately, when a lease is near expiration, the client tries to renew it. If unsuccessful in renewing by a certain period, the client enters a rebinding state and sends a DISCOVER message to restart the process.
  • Page 378: Provisioning Differentiated Network Values By Client Class

    DHCP Services control data are carried in tagged data items which are stored in the options field of the DHCP message. The data items themselves, also called options, are enabled on the XSR by the command specifying IP address, hex or ASCII string values. Supported options are defined in the “Dynamic Host Configuration Protocol Commands”...
  • Page 379: Scope Caveat

    When DHCP Server surveys its clients using the manual bindings of a client-identifier or hardware-address, and host address, it generally inherits attributes from an outer down to an inner scope. But, the DHCP Server will override outermost attributes when they are found first at the Host scope. For instance, if a domain-name is set in the Pool scope for all clients on the 192.168.57.0 network, DHCP Server always selects the...
  • Page 380: Dhcp Client Services

    DHCP Client Services Note: Manual bindings can be added by performing steps 2 and 3 in any order. But, when deleting a binding, enter the no form of the command ( host , hardware-address or client-identifier ) entered first when created. Optionally, specify the client name using any standard ASCII character.
  • Page 381: Interaction With Remote Auto Install (Rai)

    Primary and secondary IP addresses on the same interface are not permitted within the same subnet nor are they allowed within the same subnets already occupied by other interfaces. Also, the primary IP address must be configured before any secondary address is configured. If the primary address is DHCP negotiated, its address and mask are unknown until a DHCP server supplies such addresses.
  • Page 382: Dhcp Cli Commands

    DHCP CLI Commands The XSR offers CLI commands to provide the following functionality: • DHCP Server address pool(s) with related parameters and DHCP options/vendor extensions. You can configure a DHCP address pool with a name that is a symbolic string (e.g., Accounting) with pool mode - XSR supports adding 1000 network addresses per pool and one DHCP pool per network.
  • Page 383: Dhcp Set Up Overview

    DHCP Set Up Overview Configuring DHCP Address Pools The DHCP Server is configured by performing the following: • Allocate one or more address pools for DHCP clients. These pools can specify addresses on the local subnets of the router or external subnets whose clients reach the DHCP Server using BOOTP Relay.
  • Page 384: Create A Corresponding Dhcp Pool

    Configuration Steps Add global pool local_clients including the starting IP address of the range and addresses that are unreachable to network clients: XSR(config)#ip local pool local_clients 1.1.1.0/24 XSR(ip-local-pool)#exclude 1.1.1.249 6 Create a Corresponding DHCP Pool Map this local pool to a DHCP pool by specifying the correct name: XSR(config)#ip dhcp pool local_clients Configure DHCP Network Parameters On the pool just supplied to DHCP, define some attributes for network clients.
  • Page 385: Dhcp Server Configuration Examples

    Add to the host scope by specifying the NetBIOS-node-type for this particular host: XSR(config-dhcp-host)#netbios-node-type h-node Specify any numbered options. For example, setting DHCP option 28 specifies the broadcast address in use on the client's subnet: XSR(config)#ip dhcp pool local_clients XSR(config-dhcp-pool)#option 28 ip 255.255.255.255 DHCP Server Configuration Examples The following examples configure DHCP with different options.
  • Page 386: Bootp Client Support Example

    DHCP Server Configuration Examples The domain name for this host is specified as indusriver.com (this will override enterasys.com specified for this pool, and ent.com specified for the class). XSR(config)#ip local pool dpool 1.1.1.0/24 XSR(config)#ip dhcp pool dpool XSR(config-dhcp-pool)#domain-name enterasys.com XSR(config-dhcp-pool)#client-class engineering XSR(config-dhcp-class)#domain-name ent.com XSR(config-dhcp-class)#hardware-address 00f0.1211.22a1 XSR(config-dhcp-host)#host 1.1.1.20 255.255.255.0...
  • Page 387: Chapter 16: Configuring Security On The Xsr

    This chapter describes the security options available on the XSR including the firewall feature set and methods to protect against hacker attacks. Features The following security features are supported on the XSR: • Standard and Extended Access Control Lists (ACLs) •...
  • Page 388: Acl Violations Alarm Example

    Features To configure ACLs, you define them by number only then apply them to an interface. Any number of entries can be defined in a single ACL and may actually conflict, but they are analyzed in the order in which they appear in the Input and output filters are applied separately and an interface can have only one ACL applied to its input side, and one to its output side.
  • Page 389: Smurf Attack

    Smurf Attack A “smurf” attack involves an attacker sending ICMP echo requests from a falsified source (a spoofed address) to a directed broadcast address, causing all hosts on the target subnet to reply to the falsified source. By sending a continuous stream of such requests, the attacker can create a much larger stream of replies, inundating the host whose address is being falsified.
  • Page 390: Large Icmp Packets

    General Security Precautions Large ICMP Packets This protection is triggered for ICMP packets larger than a size you can configure. Such packets are dropped by the XSR if the protection is enabled with the Ping of Death Attack This protection is triggered when an ICMP packet is received with the “more fragments” bit set to 0, and ((IP offset * 8) + IP data length) greater than 65535.
  • Page 391: Aaa Services

    • If you must enable PPP on the WAN, use CHAP authentication • Disable all unnecessary router services (e.g., HTTP, if not used) • Write strict ACLs to limit HTTP, Telnet and SNMP access • Write ACLs to limit the type of ICMP messages •...
  • Page 392: Connecting Remotely Via Ssh Or Telnet With Aaa Service

    AAA Services The method to perform AAA is configured globally by the additional acct-port enable qtimeout service is local, you can authenticate to a RADIUS server or PKI database. Alternately, you can set the AAA method per interface with originating from different interfaces by different methods and overrides the global (invoked by client ) or default AAA method.
  • Page 393 crypto key master generate Enter crypto key dsa generate Enter When successful, this message will display: use these keys for authentication If you wish to connect using SSH, perform the following steps, otherwise skip to Step for Telnet configuration. Install a freeware program such as PuTTY on your client device. If you load PuTTY, enable these options for maximum ease of use: –...
  • Page 394 AAA Services Figure 16-8 The SSH login screen will appear as shown in password unless you created both values earlier. Figure 16-9 Back on the CLI, enter session-timeout ssh <15-35000> to set the idle timeout period. Optionally, if you want to tighten security on the XSR, enter ip telnet server disable to deactivate Telnet.
  • Page 395: Firewall Feature Set Overview

    18. Optionally, if you want to tighten security on the XSR, enter ip ssh server disable to deactivate SSH. 19. Enter policy telnet to enable Telnet access for the new user. 20. Enter exit to quit AAA user mode. 21. Enter aaa client telnet to permit the new user to employ Telnet. The XSR is now ready to connect remote login users.
  • Page 396: Types Of Firewalls

    Firewall Feature Set Overview Figure 16-10 There are many possible network configurations for a firewall. The figure above shows a scenario with the firewall connected to the trusted network (internal) and servers that can be accessed externally (via the DMZ). The XSR firewall feature set inspects packets coming in from open ports and either passes them on to the router or drops them based on policies defined in the policy database which is configured using the XSR’s CLI.
  • Page 397: Alg And Proxy Firewalls

    and port numbers. These firewalls are scalable, easy to implement and widely deployed for simple Network layer filtering, but they suffer the following disadvantages: • Do not maintain states for an individual session nor track a session establishment protocol. Ports are usually always open or blocked •...
  • Page 398: Stateful Inspection Firewalls

    XSR Firewall Feature Set Functionality Stateful Inspection Firewalls A stateful inspection firewall combines the aspects of other firewalls to filter packets at the network layer, determine whether session packets are legitimate and evaluate the payload of packets at the application layer. It allows a direct connection between client and host, alleviating the lack of transparency of ALGs.
  • Page 399: Application Level Commands

    Application Level Commands A special action option, Command Level Security (CLS), filters inter-protocol actions within several protocols. The CLS examines the message type produced by the application being filtered and either passes or drops specific application commands. For example, FTP GETs can be allowed but PUTs denied.
  • Page 400: On Board Url Filtering

    XSR Firewall Feature Set Functionality On Board URL Filtering This feature lets you block access to a list of Uniform Resource Locators (URLs) or limit access to certain approved sites. The XSR extracts the absolute URL from the Get and Host headers of the HTTP Request packet sent by the web browser, and matches it against a list of approved (white list) or banned (black list) URLs.
  • Page 401: Denial Of Service (Dos) Attack Protection

    Figure 16-11 Blocked Web Site Screen You must include the re-direct URL in the white URL list when redirect URL is used with a white list, otherwise the XSR will enter an endless loop with the Web browser, performing re-direction to the same re-directed URL because it is not in the list.
  • Page 402: Alarm Logging

    XSR Firewall Feature Set Functionality against the routing table. If a packet is received from an interface with a source IP address that is not routable through this interface, it is considered spoofed and dropped. A high priority log is generated when DoS attacks are detected. These DoS attacks are covered: •...
  • Page 403: Authentication

    • Flooding attacks (TCP, UDP, ICMP) logs • Firewall start and restart • Failures (out of memory) A sample Web access (port 80) permit alarm, which logs at level 4, displays: FW: Permit: Port-2, Out TCP Con_Req, 10.10.10.10(1042) -> 192.168.1.200(80) FW: TCP new session request.
  • Page 404: Firewall And Nat

    XSR Firewall Feature Set Functionality Figure 16-12 illustrates the process by which a user accesses a server after authentication by the XSR firewall, as explained below: A user Telnets to the firewall presenting a name and password. The XSR’s AAA functionality talks to an authentication server or consults a local database based on the user’s credentials.
  • Page 405: Firewall Cli Commands

    Firewall CLI Commands The XSR provides configuration objects which, used in policy rules, can be specified at the CLI. These and other firewall commands are, as follows: • Network - Identifies a network or host. A network with a subnet address or a host with an address and 32-bit mask is specified with configures a network or host residing on the trusted/internal or un-trusted/ external network.
  • Page 406 Firewall CLI Commands – Non-Unicast packet handling - Packets with broadcast or multicast destination addresses are not allowed to pass in either direction - they must be allowed explicitly. – This rule makes it easy to deny access to IP broadcast/multicast packets through the firewall but to allow access, you must issue the firewall ip-multicast –...
  • Page 407 • Event Logging - Defines the event threshold for firewall values logged to the Console or Syslog ip firewall logging with alarms down to 7 which cumulatively logs all firewall messages through 0, as follows: – Level 0: Emergency – Level 1: Alert –...
  • Page 408: Firewall Limitations

    Firewall Limitations Consider the following caveats regarding firewall operations: • Gating Rules - Internal XSR gating rules, which order traffic filtering, are stored in a temporary file in Flash. Because one gating rule exists for each network source/destination expansion, a potentially enormous number of rules can be generated by just a single firewall policy.
  • Page 409: Pre-Configuring The Firewall

    cache will not automatically switch over. If the firewall is enabled on a slave router, then all sessions would have to be re-established. You would have to re-authenticate users for access to authentication-protected servers. • Load Sharing - If two or more firewall-enabled XSRs are linked, load sharing is not supported. Each XSR would act as a discrete firewall and monitor sessions that pass through it.
  • Page 410: Configuration Examples

    Configuration Examples – Multicast or broadcast filtering for routing and communications protocol filtering • Perform a trial or delayed load to check for configuration errors • Load the configuration in the firewall engine • Enable or disable the firewall: – System wide, or on –...
  • Page 411 Configuration Examples Figure 16-14 XSR with Firewall Topology 220.150.2.32/28 Frame Relay 220.150.2.35 206.12.44.16/28 Internet 220.150.2.37 220.150.2.17 Internal 220.150.2.36 220.150.2.16/28 Mail server Web server (SMTP) (HTTP) 220.150.2.19 220.150.2.18 Begin by configuring network objects for private, dmz and Mgmt networks: XSR(config)#ip firewall network dmz 220.150.2.16 mask 255.255.255.240 internal XSR(config)#ip firewall network private 220.150.2.32 mask 255.255.255.240 internal XSR(config)#ip firewall network Mgmt 220.150.2.35 mask 255.255.255.255 internal...
  • Page 412: Xsr With Firewall, Pppoe And Dhcp

    Configuration Examples XSR(config)#interface fastethernet 2 XSR(config-if<F2>)#ip address 220.150.2.17 255.255.255.0 XSR(config-if<F2>)#no shutdown XSR(config)#interface serial 1/0:0 XSR(config-if<S1/0:0>)#ip address 206.12.44.16/24 XSR(config-if<S1/0:0>)#no shutdown Globally enable the firewall. Even though you have configured and loaded the firewall, only invoking the following command “turns on” the firewall. Once enabled, if you are remotely connected, the firewall will close your session.
  • Page 413: Xsr With Firewall And Vpn

    Configuration Examples XSR(config-if)#ip address negotiated XSR(config-if)#ip mtu 1492 XSR(config-if)#ip nat source assigned overload XSR(config-if)#ppp pap sent-username b1jsSW23 “password is not displayed” XSR(config-if)#no shutdown Attach a static route to the PPPoE interface and add a local IP pool: XSR(config)#ip route 0.0.0.0 0.0.0.0 FastEthernet2.1 XSR(config)#ip local pool myDhcpPool 10.10.10.0 255.255.255.0 Specify network objects including Mgmt and Ten for SSH and DHCP service: XSR(config)#ip firewall network INT_NETS 10.10.10.0 mask 10.10.10.255 internal...
  • Page 414 Configuration Examples – Terminate Network Extension Mode (NEM) and Client mode tunnels – Terminate remote access L2TP/IPSec tunnels – Terminate PPTP remote access tunnels – Firewall inspection on the public VPN interface (the crypto map interface) – Firewall inspection on the trusted VPN interface (the connection to the corporate network) –...
  • Page 415 Configuration Examples XSR(config-isakmp-peer)#proposal xp soho p2p XSR(config-isakmp-peer)#config-mode gateway XSR(config-isakmp-peer)#nat-traversal automatic Configure the following IPSec SAs: XSR(config)#crypto ipsec transform-set esp-3des-md5 esp-3des esp-md5-hmac XSR(cfg-crypto-tran)no set security-association lifetime kilobytes XSR(config)#crypto ipsec transform-set esp-3des-sha esp-3des esp-sha-hmac XSR(cfg-crypto-tran)set security-association lifetime kilobytes 10000 Configure the following four crypto maps to match ACLs 150, 140, 120, and 110: XSR(config)#crypto map test 50 XSR(config-crypto-m)#set transform-set esp-3des-sha XSR(config-crypto-m)#match address 150...
  • Page 416 Configuration Examples XSR(config)#ip route 0.0.0.0 0.0.0.0 141.154.196.93 Define an IP pool for distribution of tunnel addresses to all client types: XSR(config)#ip local pool test 10.120.70.0 255.255.255.0 Create hosts to resolve hostnames for the certificate servers for CRL retrieval: XSR(config)#ip host parentca 141.154.196.89 XSR(config)#ip host childca2 141.154.196.81 XSR(config)#ip host childca1 141.154.196.83 Clear the DF bit globally:...
  • Page 417 Configuration Examples XSR(aaa-group)#l2tp compression XSR(aaa-group)#policy vpn Configure the local AAA method for shared secret tunnels (NEM and client mode tunnels): XSR(config)#aaa method local XSR(aaa-method-radius)#group DEFAULT XSR(aaa-method-radius)#qtimeout 0 Configure the RADIUS AAA method to authenticate remote access users: XSR(config)#aaa method radius msradius default XSR(aaa-method-radius)#backup test XSR(aaa-method-radius)#enable XSR(aaa-method-radius)#group DEFAULT...
  • Page 418 Configuration Examples Define service to support IPSec NAT traversal (Release 7.0 or later): XSR(config)#ip firewall service ietfNatT eq 4500 gt 1023 udp Define service for ISAKMP: XSR(config)#ip firewall service ike eq 500 gt 499 udp Define service for L2TP tunnels: XSR(config)#ip firewall service l2tp eq 1701 eq 1701 udp Define service for RADIUS authentication: XSR(config)#ip firewall service radiusauth gt 1023 eq 1645 udp...
  • Page 419: Firewall Configuration For Vrrp

    Load the firewall configuration: XSR(config)#ip firewall load Globally enable the firewall. Even though you have configured and loaded the firewall, only invoking the following command “turns on” the firewall. Once enabled, if you are remotely connected, the firewall will close your session. Simply log in again. XSR(config)#ip firewall enable Firewall Configuration for VRRP This example briefly configures VRRP advertisements to be sent and received on a FastEthernet...
  • Page 420: Configuring Simple Security

    Configuration Examples XSR(config)#ip firewall policy radius internal internal Radius allow bidirectional XSR(config)#ip firewall policy RADacct internal internal Radius_ACCT allow bidirectional Configuring Simple Security This configuration offers simple protection for the XSR. The firewall feature set is not used. First, perform standard port configuration: XSR(config)#interface FastEthernet 1 XSR(config-if<F1>)#ip address 192.168.10.1 255.255.255.0 XSR(config-if<F1>)#no shutdown...
  • Page 421: Rpc Policy Configuration

    Configuration Examples
    RPC Policy Configuration
    The following configuration creates policies which permit TCP RPC-based applications to flow from a Branch to Corporate network. You can use the keyword bidirectional if you expect the branch network to also have RPC-based services.
    XSR(config)#ip firewall network Branch 192.168.1.1 192.168.1.10 internal
    XSR(config)#ip firewall network Corporate 134.141.97.1 134.141.97.200 internal
    XSR(config)#ip firewall service-group TCPRPC SunRPCTCP MsftRPCTCP...
  • Page 422 Configuration Examples 16-36 Configuring Security on the XSR...
  • Page 423: Recommended System Limits

    This appendix describes the configuration and memory limits of the XSR as well as the system events captured by the router: High, Medium and Low severity events, and firewall and NAT events (separately described on
    Recommended System Limits
    The XSR suggests limits on the following configurable functions. These recommended limits are not hard-coded, nor are they the Extreme Limits referenced in, but should serve as a guideline for purposes of memory carving.
  • Page 424 Recommended System Limits
    Table A-4 XSR Limits (continued). Functions listed: SNMP read-only communities, SNMP read-write communities, SNMP trap servers, SNMP users, SNMP groups, SNMP views, Interfaces, RIP networks, Dialer map classes, Dialer pool size, Frame Relay map classes, Sub-interfaces, DLCIs, PBR cache entries, Route Map entries, ADSL channel entries, AAA sessions...
  • Page 425: System Alarms And Events

    Table A-4 XSR Limits (continued). Functions listed: Firewall external hosts, Firewall authentication entries, Firewall fragmentation entries, Firewall FTP request entries, Firewall UDP request entries, Firewall Timer, Dynamic NAT sessions, NAT static one-to-one mappings, AAA users, Certificates.
    System Alarms and Events
    The XSR exhibits the following logging behavior for all except firewall and NAT alarms:
    Table A-5 Alarm Behavior. When alarm logging is set to: HIGH...
  • Page 426 System Alarms and Events
    Table A-6 High Severity Alarms/Events (continued), Module: Message
    T1E1: Receiver has Loss of Frame (Yellow Alarm).
    T1E1: LOF alarm on receiver cleared.
    T1E1: Transmitting Remote Alarm (Yellow Alarm).
    T1E1: Transmit Remote Alarm cleared.
    SYNC_DRIV: The ISR could not be connected
    SYNC_DRIV: Init string parse failure...
  • Page 427
    Table A-6 High Severity Alarms/Events (continued), Module: Message
    ISDN: Incoming Call <BRI | Serial card/port:channel> Connected to <calling no.> Unknown Call
    ISDN: North American BRI Interface %d requires SPID configuration
    ISDN: Call <BRI | Serial card/port:channel> Connected to <called_no.> Outgoing test CALL
    ISDN: Call <BRI | Serial card/port:channel>...
  • Page 428 System Alarms and Events
    Table A-6 High Severity Alarms/Events (continued), Module: Message
    ETH1_DRIV: The ISR could not be connected
    ETH1_DRIV: Init string parse failure
    ETH1_DRIV: Unrecoverable error
    ETH1_DRIV: OS initialization failure
    ETH1_DRIV: Device not found
    ETH0_DRIV: The device is stuck in reset...
  • Page 429
    Table A-6 High Severity Alarms/Events (continued), Message
    User: <username> logged in from address <IP address>
    User: <username> logged in from console
    Failed to create CLI session
    User: <username> failed to log in from address <IP address>
    Cannot open startup.cfg file! It may have not been generated yet.
  • Page 430 System Alarms and Events
    Table A-6 High Severity Alarms/Events (continued), Module: Message
    ASYNC_IDRIV: Unrecoverable error
    ASYNC_IDRIV: OS initialization failure
    ASYNC_IDRIV: Device not found
    Serial 1/0, incompatible LMI detected [ANSI | ITU | ILMI]
    Serial a/b:d, cannot establish LMI, port is down
    Refer to the table below for all Medium severity alarms and events reported by the XSR.
  • Page 431
    Table A-7 Medium Severity Alarms/Events (continued), Module: Message
    ERROR: Shared memory allocation failed for Receive Descriptors.
    T1E1: PCI Init Failed.
    ERROR: Shared memory allocation failed for Transmit Pending Queue.
    ERROR: Shared memory allocation failed for Transmit Done Queue.
    ERROR: Shared memory allocation failed for Transmit Descriptors.
  • Page 432 System Alarms and Events
    Table A-7 Medium Severity Alarms/Events (continued), Module: Message
    PPP: MS-CHAP authentication failed while being authenticated by remote peer
    PPP: MS-CHAP authentication success while authenticating remote peer's response
    PPP: MS-CHAP authentication success while being authenticated by remote peer
    PPP: PAP authentication failed while authenticating remote peer
    PPP: PAP authentication failed while being...
  • Page 433: Shutdown Command

    Table A-7 Medium Severity Alarms/Events (continued), Module: Message
    ETH0_DRIV: PHY write operation unsuccessful
    DIAL: Dial muxIoctl call fail
    DIAL: Modem on intf # is not responding
    DIAL: Invalid init string for modem on intf #
    DIAL: Number busy for modem on intf #
    DIAL: No dial tone for modem on intf #
    DIAL: ...
  • Page 434 System Alarms and Events
    Table A-8 Low Severity Alarms/Events (continued), Module: Message
    T1E1: Receive Remote Alarm Indication (Yellow Alarm).
    T1E1: Receive RAI alarm cleared.
    T1E1: Receive Alarm Indication Signal (Blue Alarm).
    T1E1: Receive AIS cleared.
    Cablelength long failed for slot/card/port.
    Cablelength short failed for slot/card/port.
  • Page 435
    Table A-8 Low Severity Alarms/Events (continued), Module: Message
    SYNC_DRIV: Packets lost > 255 (RX overrun)
    Out of memory - frame dropped at port <port number>
    PLATF: Need 'snmp-server system-shutdown' for SNMP reboot
    Serial a/b:d.e, packet arrived on unconfigured DLCI nnnn
    ETH1_DRIV: Recoverable error...
  • Page 436: Firewall And Nat Alarms And Reports

    Firewall and NAT Alarms and Reports
    Table A-8 Low Severity Alarms/Events (continued), Module: Message
    SERIAL: Serial a/b - DSR Up CTS Down (MUX_UP)
    SERIAL: Serial a/b - DSR/CTS Down (MUX_UP)
    serial a/b:d, un-configured DLCI nnn reported active by LMI
    serial a/b:d, packet arrived on unconfigured DLCI nnn
    Firewall and NAT Alarms and Reports
    The XSR reports logging messages for firewall and NAT functionality as listed below.
  • Page 437
    Table A-9 Firewall and NAT Alarms (continued), Severity: Report Text
    3 - ERROR: NAT: No NAT entry found, %IP_P2
    3 - ERROR: NAT: TCP reset, NAT port %d, %IP_P2
    3 - ERROR: UDP: NAT unable to forward packet, %IP_P2
    4 - WARNING: NAT table is full
    4 - WARNING: NAT: TCP connection closed, freeing NAT port %d...
  • Page 438 Firewall and NAT Alarms and Reports
    Table A-9 Firewall and NAT Alarms (continued): severity column only (1 - ALERT and 2 - CRIT entries)...
  • Page 439
    Table A-9 Firewall and NAT Alarms (continued), Severity: Report Text
    3 - ERROR: Deny: ICMP unsupported packet %IP2_ICMP
    3 - ERROR: Deny: java applet %CMD, %IP_P2
    3 - ERROR: Deny: No filter for %s, %IP_2
    3 - ERROR: Deny: No filter for ICMP, %IP_2
    3 - ERROR: Deny: no matching filter, %IP2_ICMP
    3 - ERROR: ...
  • Page 440 Firewall and NAT Alarms and Reports
    Table A-9 Firewall and NAT Alarms (continued): severity column only (3 - ERROR and 4 - WARNING entries)...
  • Page 441: Standard Ascii Character Table

    Table A-9 Firewall and NAT Alarms (continued): severity column only (4 - WARNING entries)...
  • Page 442 Standard ASCII Character Table
    107: k  108: l  109: m  110: n  112: p  113: q  114: r  115: s  116: t  117: u  118: v  120: x  121: y  122: z  123: {  124: |  125: }  126: ~...
    A-20 Alarms/Events, System Limits, and Standard ASCII Table
  • Page 443: Appendix B: Xsr Snmp Proprietary And Associated Standard Mibs

    This appendix lists and describes XSR-supported SNMP tables and objects for the following standard (partial listing) and proprietary MIBS:
    • “Service Level Reporting MIB Tables”
    • “BGP v4 MIB Tables”
    • “Firewall MIB Tables”
    • “VPN MIB Tables”
    • “ipCidrRouteTable for Static Routes”
    • ...
  • Page 444: Etsyssrvclvlownertable

    Service Level Reporting MIB Tables
    Table B-10 etsysSrvcLvlMetricTable. etsysSrvcLvlMetric values: RoundTripPacketLost, RoundTripPacketLossAverage, RoundTripDelay, RoundTripDelayAverage, RoundTripIpdv.
    etsysSrvcLvlOwnerTable
    A management entity interested in creating and activating remote SLA measurements must previously be registered in the Service Level Owners Table, which contains the owner's contact information.
  • Page 445: Etsyssrvclvlnetmeasuretable

    Table B-12 etsysSrvcLvlHistoryTable. Fields: etsysSrvcLvlHistoryTimestamp, etsysSrvcLvlHistoryValue.
    etsysSrvcLvlNetMeasureTable
    Entries in the Service Level Network Measurement Table display several metric measurements per packet exchange. Each measurement step produces a single result per metric, with measurement intervals and metrics saved in the Table. Once the etsysSrvcLvlAggrMeasureTable becomes active, you cannot modify any fields in this table, but, by setting the etsysSrvcLvlAggrMeasureStatus back to notInService, you can modify the etsysSrvcLvlNetMeasureBeginTime and etsysSrvcLvlNetMeasureDuration, and then set the etsysSrvcLvlAggrMeasureStatus back to active.
  • Page 446: Etsyssrvclvlaggrmeasuretable

    Service Level Reporting MIB Tables
    Table B-13 etsysSrvcLvlNetMeasureTable (continued). Fields: etsysSrvcLvlNetMeasureMap, etsysSrvcLvlNetMeasureSingletons, etsysSrvcLvlNetMeasureOperState.
    etsysSrvcLvlAggrMeasureTable
    Entries in the Service Level Aggregate Measurement Table display several metric measurements per packet exchange. Each step of the measurement produces a single result, with the interval and metric saved in the etsysSrvcLvlHistoryTable.
  • Page 447: Bgp V4 Mib Tables

    Table B-14 etsysSrvcLvlAggrMeasureTable (continued). Fields: etsysSrvcLvlAggrMeasureHistoryOwnerIndex, etsysSrvcLvlAggrMeasureHistoryMetric, etsysSrvcLvlAggrMeasureAdminState, etsysSrvcLvlAggrMeasureMap, etsysSrvcLvlAggrMeasureStatus.
    BGP v4 MIB Tables
    The XSR supports the following BGP v4 tables, whose fields are described in the following pages:
    • General Variables
    • Peer Table
    • Received Path Attribute Table
    • ...
  • Page 448 BGP v4 MIB Tables
    Table B-16 BGP v4 Peer Table (continued). Fields: bgpPeerAdminStatus, bgpPeerNegotiatedVersion, bgpPeerLocalAddr, bgpPeerLocalPort, bgpPeerRemoteAddr, bgpPeerRemotePort, bgpPeerRemoteAs, bgpPeerInUpdates, bgpPeerOutUpdates, bgpPeerInTotalMessages, bgpPeerOutTotalMessages, bgpPeerLastError, bgpPeerFsmEstablishedTransitions, bgpPeerFsmEstablishedTime, bgpPeerConnectRetryInterval, bgpPeerHoldTime.
    Description (bgpPeerAdminStatus): The desired state of the BGP connection. A transition from stop to start will cause the BGP Start Event to be generated.
    B-6 XSR SNMP Proprietary and Associated Standard MIBs
  • Page 449: Bgp-4 Received Path Attribute Table

    Table B-16 BGP v4 Peer Table (continued). Fields: bgpPeerKeepAlive, bgpPeerHoldTimeConfigured, bgpPeerKeepAliveConfigured, bgpPeerMinASOriginationInterval, bgpPeerMinRouteAdvertisementInterval, bgpPeerInUpdateElapsedTime.
    Description (bgpPeerKeepAlive): Interval for the KeepAlive timer established with the peer, range: 1-21845 seconds.
    BGP-4 Received Path Attribute Table
    Table B-17 BGP-4 Received Path Attribute Table. Fields: bgp4PathAttrPeer, bgp4PathAttrIpAddrPrefixLen, bgp4PathAttrIpAddrPrefix, bgp4PathAttrOrigin.
  • Page 450: Bgp-4 Traps

    BGP v4 MIB Tables
    Table B-17 BGP-4 Received Path Attribute Table (continued). Fields: bgp4PathAttrASPathSegment, bgp4PathAttrNextHop, bgp4PathAttrMultiExitDisc, bgp4PathAttrLocalPref, bgp4PathAttrAtomicAggregate, bgp4PathAttrAggregatorAS, bgp4PathAttrAggregatorAddr, bgp4PathAttrCalcLocalPref, bgp4PathAttrBest, bgp4PathAttrUnknown.
    BGP-4 Traps
    Table B-18 BGP-4 Traps, Field: Description
    bgpEstablished: The BGP Established event is generated when the BGP FSM enters the ESTABLISHED state.
    bgpBackwardTransition: The BGPBackwardTransition Event is generated when the BGP FSM moves from a higher numbered state to a lower numbered state.
  • Page 451: Firewall Mib Tables

    Firewall MIB Tables The firewall MIB contains the following tables, most of which are detailed in this section: Firewall on Interface Group, Interface to Policy Group, Group Policy, Policy Rule Definition, Authentication Group, Network in Network Group, Network Group, Network, Compound Filter, Sub Filter, IP Header Filter, Offset Filter, IP Options Header Filter, Data Filter, Policy Rule True, Session Totals, IP Session, Auth Address Group, and DOS Blocked Group.
  • Page 452: Monitoring Objects

    Firewall MIB Tables Monitoring Objects This section describes counters and statistics that are available to SNMP from the firewall. All fields are read-only and cannot be modified. The XSR supports SNMP gets only for these objects. Policy Rule Table Totals Counters These counters track the number of policy hit totals.
  • Page 453: Ip Session Counters

    IP Session Counters
    These counters track the activities of IP sessions.
    Table B-24 IP Sessions. Fields: etsysFWIpSessionNumEntries, etsysFWIpSessionLastChange.
    IP Session Table
    This table contains information about each active IP session.
    Table B-25 IP Session Table. Fields: etsysFWIpSessionIndex, etsysFWIpSessionIPVersion, etsysFWIpSessionSrcAddress, etsysFWIpSessionDstAddress, etsysFWIpSessionSrcPort, etsysFWIpSessionDstPort, etsysFWIpSessionProtocolID...
  • Page 454: Dos Attacks Blocked Counters

    VPN MIB Tables
    Table B-27 Authenticated Addresses Table (continued). Fields: etsysFWAuthAddressIPVersion, etsysFWAuthAddressIPAddress, etsysFWAuthAddressGroupName, etsysFWAuthAddressIdleTime.
    DOS Attacks Blocked Counters
    These elements reflect the DOS attack summaries stored in the firewall.
    Table B-28 DOS Attacks Blocked. Fields: etsysFWDoSBlockedNumEntries, etsysFWDoSBlockedLastChange.
    DOS Attacks Blocked Table
    These elements reflect the hits against DOS attack types recognized by the firewall.
  • Page 455: Etsysvpnikepeer Table

    • etsysVpnIpsecProposalTable
    • etsysVpnIpsecPropTransformsTable
    • etsysVpnAhTransformTable
    • etsysVpnEspTransformTable
    • etsysVpnIpcompTransformTable
    • ospfIfTable
    • rip2IfConfTable
    • ipCidrRouteTable for Static Routes
    etsysVpnIkePeer Table
    This table is used to configure an IKE peer and the associated parameters of that peer. The table index is {etsysVpnIkePeerAddrType, etsysVpnIkePeerAddress}.
    Table B-30 etsysVpnIkePeerTable. Fields: etsysVpnIkePeerAddrType...
  • Page 456: Etsysvpnikeproposal Table

    VPN MIB Tables
    Table B-31 etsysVpnIkePeerProposalsTable (continued). Fields: etsysVpnIkePeerPropName, etsysVpnIkePeerPropRowStatus.
    etsysVpnIkeProposal Table
    This table contains the IKE proposals used during IKE negotiation. The named row is equivalent to the crypto isakmp proposal and is the name referenced in the etsysVpnIkePeerProposalsTable.
    Table B-32 etsysVpnIkeProposalTable. Fields: etsysVpnIkePropName, etsysVpnIkePropEncryptAlgorithm...
  • Page 457: Etsysvpnipsecpolicyrule Table

    Table B-34 etsysVpnIntfPolicyTable. Fields: etsysVpnIntfPolicyName, etsysVpnIntfPolicyDFHandling, etsysVpnIntfPolicyRowStatus.
    etsysVpnIpsecPolicyRule Table
    This table defines the IPSec policy rules. The table index is {etsysVpnIpsecPolicyName, etsysVpnPolRulePriority}.
    Table B-35 etsysVpnIpsecPolicyRuleTable. Fields: etsysVpnIpsecPolRulePriority, etsysVpnIpsecPolRulePeerAddrType, etsysVpnIpsecPolRulePeerAddress, etsysVpnIpsecPolRuleCommonSA, etsysVpnIpsecPolRuleMode, etsysVpnIpsecPolRuleSelectorId, etsysVpnIpsecPolRuleRowStatus.
    etsysVpnIpsecPolProposals Table
    This table links IPSec proposals in the etsysVpnIpsecProposalTable with IPSec policy rules in the etsysVpnIpsecPolRuleTable.
  • Page 458: Etsysvpnipsecproposal Table

    VPN MIB Tables
    etsysVpnIpsecProposal Table
    This table contains the IPSec proposals. The table index is {etsysVpnIpsecPropName}.
    Table B-37 etsysVpnIpsecProposalTable. Fields: etsysVpnIpsecPropName, etsysVpnIpsecPropMaxLifetimeSec, etsysVpnIpsecPropMaxLifetimeKB, etsysVpnIpsecPropUsePfs, etsysVpnIpsecPropGroupId, etsysVpnIpsecPropRowStatus.
    etsysVpnIpsecPropTransforms Table
    This table aggregates transforms from the ipspAhTransformTable, ipspEspTransformTable, and ipspIpcompTransformTable into transform sets. The table index is {etsysVpnIpsecPropName, etsysVpnIpsecPropTranType}.
  • Page 459: Etsysvpnesptransform Table

    Table B-39 etsysVpnAhTransformTable (continued). Fields: etsysVpnAhTranMaxLifetimeKB, etsysVpnAhTranRowStatus.
    etsysVpnEspTransform Table
    This table lists all the ESP transforms created by adding ESP rows to the etsysVpnIpsecPropTransformsTable. The table also contains read-only rows for XSR EZ-IPSec transforms. The table index is {etsysVpnEspTranName}.
    Table B-40 etsysVpnEspTransformTable. Fields: etsysVpnEspTranName, etsysVpnEspTranCipherTransformId...
  • Page 460: Ipcidrroutetable For Static Routes

    ipCidrRouteTable for Static Routes
    VPN configuration on the XSR may require a default route to the next-hop Internet gateway. Static routes can be added with the IP Forwarding MIB (RFC-2096). This MIB is not currently implemented on the XSR, although it is one of the core recommended MIBs for all Enterasys devices. The MIB updates and obsoletes the MIB-II ipRouteTable.
  • Page 461: Enterasys Configuration Management Mib

    Enterasys Configuration Management MIB The Enterasys Configuration Management MIB supports parameters for an SNMP management entity to reset the managed entity, upload and download executable images and configuration files, and identify the active executable image and configuration files. Be aware that only one operation can be specified at a time.
  • Page 462: Enterasys Configuration Change Mib

    Enterasys Configuration Change MIB
    Table B-43 etsysConfigurationManagement (continued). Fields: etsysConfigMgmtChangeNextAvailableIndex, sysConfigMgmtPersistentStorageChSum.
    Enterasys Configuration Change MIB
    The Enterasys Configuration Change MIB supports parameters for SNMP management entities to determine if and when configuration changes have occurred. Refer to the supported fields in the following table.
  • Page 463: Enterasys Snmp Persistence Mib

    Table B-44 etsysConfigurationChange MIB (continued), Field: Description
    etsysConfigChangeFirmwareGroup: A collection of objects providing firmware change data.
    etsysConfigChangeCompliance: The compliance statement for configurable devices.
    Enterasys SNMP Persistence MIB
    This MIB permits management applications to commit persistent SNMP configuration information to persistent storage.
    Table B-45 etsysSnmpPersistenceMIB. Fields: etsysSnmpPersistenceMode, etsysSnmpPersistenceSave, etsysSnmpPersistenceStatus, etsysSnmpPersistenceStatusTime, etsysSnmpPersistenceError, etsysSnmpPersistenceErrorTime.
  • Page 464: Enterasys Syslog Client Mib

    Enterasys Syslog Client MIB
    Table B-45 etsysSnmpPersistenceMIB (continued). Fields: etsysSnmpPersistenceGroup, etsysSnmpPersistenceCompliance.
    Enterasys Syslog Client MIB
    This Enterasys MIB module defines a portion of the SNMP Enterprise MIBs under the Enterasys Enterprise OID pertaining to configuration of Syslog-compatible diagnostic messages generated for the XSR.
    Table B-46 Enterasys Syslog Client MIB. Fields: etsysSyslogClient Group...
  • Page 465
    Table B-46 Enterasys Syslog Client MIB (continued). Fields:
    • etsysSyslogServerAddressType
    • etsysSyslogServerAddress
    • etsysSyslogServerUdpPort
    • etsysSyslogServerFacility
    • etsysSyslogServerSeverity
    • etsysSyslogServerMessagesIgnored
    • etsysSyslogServerRowStatus
    Syslog Server Defaults: etsysSyslogServerDefaultUdpPort, etsysSyslogServerDefaultFacility, etsysSyslogServerDefaultSeverity.
    Units of Conformance: etsysSyslogClientGroup.
    Description (etsysSyslogServerAddressType): The type of Internet address by which the Syslog server is specified in etsysSyslogServerAddress.
  • Page 466 Enterasys Syslog Client MIB
    Table B-46 Enterasys Syslog Client MIB (continued). Fields: etsysSyslogServerGroup, etsysSyslogServerDefaultsGroup.
    Compliance Statements: etsysSyslogClientCompliance, etsysSyslogClientControl, etsysSyslogServerUdpPort, etsysSyslogServerFacility, etsysSyslogServerSeverity, etsysSyslogServerDefaultUdpPort, etsysSyslogServerDefaultFacility, etsysSyslogServerDefaultSeverity, etsysSyslogApplicationAllowedServers.
    Description (etsysSyslogServerGroup): A collection of objects providing descriptions of syslog servers for sending system messages to: •...
