Page 1 X-Pedition Security Router ™ XSR CLI Reference Guide Version 7.6 P/N 9033842-07...
Page 3 Enterasys Networks reserves the right to make changes in specifications and other information contained in this document and its Web site without prior notice. The reader should in all cases consult Enterasys Networks to determine whether any such changes have been made.
Page 4 ENTERASYS IS UNWILLING TO LICENSE THE PROGRAM TO YOU AND YOU AGREE TO RETURN THE UNOPENED PRODUCT TO ENTERASYS OR YOUR DEALER, IF ANY, WITHIN TEN (10) DAYS FOLLOWING THE DATE OF RECEIPT FOR A FULL REFUND. IF YOU HAVE ANY QUESTIONS ABOUT THIS AGREEMENT, CONTACT ENTERASYS NETWORKS, LEGAL DEPARTMENT AT (978) 684‐1000. You and Enterasys agree as follows: LICENSE. You have the non‐exclusive and non‐transferable right to use only the one (1) copy of the Program provided in this package subject to the terms and conditions of this Agreement. RESTRICTIONS. Except as otherwise authorized in writing by Enterasys, You may not, nor may You permit any third party to: (i) Reverse engineer, decompile, disassemble or modify the Program, in whole or in part, including for reasons of error correction or interoperability, except to the extent expressly permitted by applicable law and to the extent the parties shall not be permitted by that applicable law, such rights are expressly excluded. Information necessary to achieve interoperability or correct errors is available from Enterasys upon request and upon payment of Enterasys’ applicable fee. (ii) Incorporate the Program, in whole or in part, in any other product or create derivative works based on the Program, in whole or in part. (iii) Publish, disclose, copy, reproduce or transmit the Program, in whole or in part. (iv) Assign, sell, license, sublicense, rent, lease, encumber by way of security interest, pledge or otherwise transfer the Program, in whole or in part. (v) Remove any copyright, trademark, proprietary rights, disclaimer or warning notice included on or embedded in any part of the Program. APPLICABLE LAW. This Agreement shall be interpreted and governed under the laws and in the state and federal courts of the Commonwealth of Massachusetts without regard to its conflicts of laws provisions. You accept the personal jurisdiction and venue of the Commonwealth of Massachusetts courts. None of the 1980 United Nations Convention on Contracts for the International Sale of Goods, the United Nations Convention on the Limitation Period in the International Sale of Goods, and the Uniform Computer Information Transactions Act shall apply to this Agreement. Enterasys Networks, Inc. FIRMWARE LICENSE AGREEMENT CAREFULLY READ THIS LICENSE AGREEMENT.
Page 5 EXPORT RESTRICTIONS. You understand that Enterasys and its Affiliates are subject to regulation by agencies of the U.S. Government, including the U.S. Department of Commerce, which prohibit export or diversion of certain technical products to certain countries, unless a license to export the Program is obtained from the U.S. Government or an exception from obtaining such license may be relied upon by the exporting party. If the Program is exported from the United States pursuant to the License Exception CIV under the U.S. Export Administration Regulations, You agree that You are a civil end user of the Program and agree that You will use the Program for civil end uses only and not for military purposes. If the Program is exported from the United States pursuant to the License Exception TSR under the U.S. Export Administration Regulations, in addition to the restriction on transfer set forth in Sections 1 or 2 of this Agreement, You agree not to (i) reexport or release the Program, the source code for the Program or technology to a national of a country in Country Groups D:1 or E:2 (Albania, Armenia, Azerbaijan, Belarus, Bulgaria, Cambodia, Cuba, Estonia, Georgia, Iraq, Kazakhstan, Kyrgyzstan, Laos, Latvia, Libya, Lithuania, Moldova, North Korea, the People’s Republic of China, Romania, Russia, Rwanda, Tajikistan, Turkmenistan, Ukraine, Uzbekistan, Vietnam, or such other countries as may be designated by the United States Government), (ii) export to Country Groups D:1 or E:2 (as defined herein) the direct product of the Program or the technology, if such foreign produced direct product is subject to national security controls as identified on the U.S. Commerce Control List, or (iii) if the direct product of the technology is a complete plant o r any major component of a plant, export to Country Groups D:1 or E:2 the direct product of the plant or a major component thereof, if such foreign produced direct product is subject to national security controls as identified on the U.S. Commerce Control List or is subject to State Department controls under the U.S. Munitions List. UNITED STATES GOVERNMENT RESTRICTED RIGHTS. The enclosed Program (i) was developed solely at private expense; (ii) contains “restricted computer software” submitted with restricted rights in accordance with section 52.227‐ 19 (a) through (d) of the Commercial Computer Software‐Restricted Rights Clause and its successors, and (iii) in all respects is proprietary data belonging to Enterasys and/or its suppliers. For Department of Defense units, the Program is considered commercial computer software in accordance with DFARS section 227.7202‐3 and its successors, and use, duplication, or disclosure by the Government is subject to restrictions set forth herein. DISCLAIMER OF WARRANTY. EXCEPT FOR THOSE WARRANTIES EXPRESSLY PROVIDED TO YOU IN WRITING BY ENTERASYS, ENTERASYS DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO IMPLIED WARRANTIES OF MERCHANTABILITY, SATISFACTORY QUALITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE AND NON‐INFRINGEMENT WITH RESPECT TO THE PROGRAM. IF IMPLIED WARRANTIES MAY NOT BE DISCLAIMED BY APPLICABLE LAW, THEN ANY IMPLIED WARRANTIES ARE LIMITED IN DURATION TO THIRTY (30) DAYS AFTER DELIVERY OF THE PROGRAM TO YOU. LIMITATION OF LIABILITY. IN NO EVENT SHALL ENTERASYS OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF BUSINESS, PROFITS, BUSINESS INTERRUPTION, LOSS OF BUSINESS INFORMATION, SPECIAL, INCIDENTAL, CONSEQUENTIAL, OR RELIANCE DAMAGES, OR OTHER LOSS) ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM, EVEN IF ENTERASYS HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. THIS FOREGOING LIMITATION SHALL APPLY REGARDLESS OF THE CAUSE OF ACTION UNDER WHICH DAMAGES ARE SOUGHT.
Page 6 OWNERSHIP. This is a license agreement and not an agreement for sale. You acknowledge and agree that the Program constitutes trade secrets and/or copyrighted material of Enterasys and/or its suppliers. You agree to implement reasonable security measures to protect such trade secrets and copyrighted material. All right, title and interest in and to the Program shall remain with Enterasys and/or its suppliers. All rights not specifically granted to You shall be reserved to Enterasys. ENFORCEMENT. You acknowledge and agree that any breach of Sections 2, 4, or 9 of this Agreement by You may cause Enterasys irreparable damage for which recovery of money damages would be inadequate, and that Enterasys may be entitled to seek timely injunctive relief to protect Enterasys’ rights under this Agreement in addition to any and all remedies available at law. ASSIGNMENT. You may not assign, transfer or sublicense this Agreement or any of Your rights or obligations under this Agreement, except that You may assign this Agreement to any person or entity which acquires substantially all of Your stock or assets. Enterasys may assign this Agreement in its sole discretion. This Agreement shall be binding upon and inure to the benefit of the parties, their legal representatives, permitted transferees, successors and assigns as permitted by this Agreement. Any attempted assignment, transfer or sublicense in violation of the terms of this Agreement shall be void and a breach of this Agreement. WAIVER. A waiver by Enterasys of a breach of any of the terms and conditions of this Agreement must be in writing and will not be construed as a waiver of any subsequent breach of such term or condition. Enterasys’ failure to enforce a term upon Your breach of such term shall not be construed as a waiver of Your breach or prevent enforcement on any other occasion. SEVERABILITY. In the event any provision of this Agreement is found to be invalid, illegal or unenforceable, the validity, legality and enforceability of any of the remaining provisions shall not in any way be affected or impaired thereby, and that provision shall be reformed, construed and enforced to the maximum extent permissible. Any such invalidity, illegality or unenforceability in any jurisdiction shall not invalidate or render illegal or unenforceable such provision in any other jurisdiction. TERMINATION. Enterasys may terminate this Agreement immediately upon Your breach of any of the terms and conditions of this Agreement. Upon any such termination, You shall immediately cease all use of the Program and shall return to Enterasys the Program and all copies of the Program.
Page 7: Table Of Contents
Preface Chapter 1: Network Management Observing Syntax and Conventions ... 1-1 Network Management Commands ... 1-1 General Network Management Commands ...1-2 General Show Commands ... 1-14 snmp-server Commands ... 1-16 SNMP Show Commands ... 1-34 SLA Agent Commands ... 1-37 RTR-mode Commands ...
Page 8 Other IP Commands ... 5-151 IP Clear and Show Commands ... 5-168 Network Address Translation Commands ... 5-182 Virtual Router Redundancy Protocol Commands ... 5-191 VRRP Clear and Show Commands ...5-197 Chapter 6: Configuring the Border Gateway Protocol Observing Syntax and Conventions ... 6-83 BGP Configuration Commands ...
Page 9 QoS Show Commands ... 12-105 Chapter 13: Configuring ADSL Observing Syntax and Conventions ... 13-83 ADSL Configuration Commands ... 13-83 CMV Commands ... 13-83 Other ADSL Commands ... 13-87 PPP Configuration Commands ... 13-99 ATM Clear and Show Commands ... 13-103 Chapter 14: Configuring the VPN Observing Syntax and Conventions ...
Page 10 viii...
Page 11: Preface
This guide describes the Command Line Interface (CLI) commands needed to mount, connect, power‐up, and maintain an XSR from Enterasys Networks. This guide is written for administrators who want to configure the XSR or experienced users who are knowledgeable in basic networking principles. Contents of the Guide Information in this guide is arranged as follows: • Chapter 1, Network Management, describes fundamental network control commands. • Chapter 2, Configuring the T1/E1 & T3/E3 Subsystems, details commands for T1/E1 and T3/E3 NIM cards. • Chapter 3, Configuring the XSR Platform, describes platform subsystem commands. • Chapter 4, Configuring Hardware Controllers, describes commands to configure the hardware controllers over serial lines. • Chapter 5, Configuring the Internet Protocol, describes IP commands. • Chapter 6, Configuring the Border Gateway Protocol, details BGP commands. • Chapter 7 Configuring IP Multicast, defines XSR commands for Protocol Independent Multicast ‐ Sparse Mode (PIM‐SM) and the Internet Group Management Protocol (IGMP). • Chapter 8, Configuring the Point‐to‐Point Protocol, describes PPP setup. • Chapter 9, Configuring Frame Relay, details commands to configure Frame Relay. • Chapter 10, Configuring the Dialer Interface, describes commands to set up network connections over the Public Switch Telephone Network, provide a backup link over a dial line, and configure BoD/DoD. • Chapter 11, ISDN BRI and PRI Commands, details commands to set up ISDN. • Chapter 12, Configuring Quality of Service, outlines QoS setup commands. • Chapter 13, Configuring ADSL, describes configuration commands for ADSL including CMV, ATM and associated PPP commands.
Page 12: Conventions Used In This Guide
Las referencias a los terminos FastEthernet y GigabitEthernet son generalmente intercambiables en el contenido de esta guia. http://www.enterasys.com (603) 332-9400 1-800-872-8440 (toll-free in U.S. and Canada) For the Enterasys Networks Support toll-free number in your country: http://www.enterasys.com/support/gtac-all.html support@enterasys.com To expedite your message, please type [xsr] in the subject line.
Page 13 Login Password Acquire the latest image and Release Notes Additional documentation Forward comments or suggestions Before contacting Enterasys Networks for technical support, have the following information ready: • Your Enterasys Networks service contract number • A description of the failure • A description of any action(s) already taken to resolve the problem (e.g., rebooting the unit, reconfiguring modules, etc.) • The serial and revision numbers of any relevant Enterasys Networks products in the network • A description of your network environment (layout, cable type, etc.) • Network load and frame size at the time of the problem • The XSR’s history (i.e., have you returned the device before, is this a recurring problem, etc.) • Any previous Return Material Authorization (RMA) numbers. ftp://ftp.enterasys.com anonymous your Email address http://www.enterasys.com/download http://www.enterasys.com/support/manuals techwriting@enterasys.com To expedite your message, type [techwriting] in the subject line, and...
Page 15: Chapter 1: Network Management
Observing Syntax and Conventions The CLI Syntax and conventions use the notation described in the following table. Convention [x | y | z] {x | y | z} [x {y | z} ] (config‐if<xx>) Next Mode entries display the CLI prompt after a command is entered. Sub‐command headings are displayed in red text. soho.enterasys.com Network Management Commands This chapter includes the following subsets of network management commands: • “General Network Management Commands” on page 1‐2 • “General Show Commands” on page 1‐14 • “snmp‐server Commands” on page 1‐16 • “SNMP Show Commands” on page 1‐34 • “SLA Agent Commands” on page 1‐37 • “RTR‐mode Commands” on page 1‐43 • “RTR Show Commands” on page 1‐45 Network Management Description Key word or mandatory parameters (bold) [ ] Square brackets indicate an optional parameter (italic)
Page 16: General Network Management Commands
General Network Management Commands General Network Management Commands banner This command creates a login banner at the XSR’s CLI prompt. Text is entered one line at time and should not exceed 80 characters per line. Each successive entry adds a line to the banner, as shown in the example. Syntax banner login bannerLine bannerLine Syntax of the “no” Form Use the no form of this command to remove all banners: XSR(config)#no banner login Mode Global configuration: Example The following example configures a login banner: XSR(config)#banner login “Welcome Larry” XSR(config)#banner login “You’re in the office now” XSR(config)#banner login “Start working!”...
Page 17 crypto key dsa This command generates the Digital Signature Algorithm (DSA) type host key pair (private and public) as well as displays the public key. A unique set of host keys are created each time the XSR reboots but we recommend you generate a new pair of host keys when you believe security may be compromised. The master encryption key is used to encrypt the keys before being saved in the hostkey.dat file in Flash. Access to this file is restricted and it cannot be read or copied. All SSH connection requests use the host keys stored in the hostkey.dat file unless none have been generated or the content of the file is corrupted. In those circumstances, default keys are used to secure the connection. Additional host key behavior is described as follows: • If you have not generated a master encryption key before using SSH, the XSR will prompt you with the crypto key master generate • One to three minutes will elapse while host keys are generated by depending on the device load at the time. • SSH accepts no new connections during host key generation. • The command is ignored if stored in the startup‐config file. • If the master key is changed, you are not required to generate a new DSA key pair. • If you remove the master key, the DSA key pair is removed as well (hostkey.dat is deleted). Syntax crypto key dsa {generate | remove | show} generate remove show Mode...
Page 18 General Network Management Commands Example XSR#disable enable This command jumps to Privileged EXEC mode. Syntax enable Mode EXEC: XSR> Example XSR>enable This command terminates configuration mode. Syntax Mode Any configuration Example XSR(config)#end exit This command quits the current mode to a higher level. If you are in EXEC mode, it terminates the Telnet, SSH, or Console session. Syntax exit Mode Example XSR(config)#exit 1-4 Network Management...
Page 19: Ip Http Port
Note: If you try to set the port-number but it is already in use (Telnet, e.g.) , it will be reset to the default value automatically. Mode Global configuration: Default Port number: 80 Example XSR(config)#ip http port 1234 ip http server This command enables/disables HTTP (Web) service to the router. If the optional parameter is not supplied, the HTTP server will be enabled. Since the HTTP server is disabled at boot‐up, you must either manually enable it using the CLI or enable it in the Incoming HTTP server port number from 1024 to 65535. Sets the HTTP port to default. XSR(config)# General Network Management Commands startup-config file.
Page 20: Ip Ssh Server
General Network Management Commands Syntax ip http server [enable | disable] enable disable Syntax of the “no” Form The no form of this command disables the HTTP server: no ip http server Mode Global configuration: Default Disable Examples XSR(config)#ip http server enable XSR(config)#no ip http server ip ssh server This command enables/disables Secure Shell (SSH) service to the client. Because the SSH server is enabled at boot‐up, you can either manually disable the SSH server using CLI, or disable the SSH ...
Page 21: Ip Telnet Server
• Port number 22 Example XSR(config)#ip ssh server enable ip telnet port This command changes the Telnet port where incoming Telnet sessions connect to. Syntax ip telnet port {port_number | default} port_number default Note: If you try to set the port-number but it is already in use (the Web, e.g.) , it will be reset to the default value automatically.
Page 22: Sample Output
Type escape sequence to abort Timeout Timeout Timeout Timeout Timeout Packets: Sent = 5, Received = 0, Lost = 5 The following example shows a successful ping: XSR#ping 134.141.235.165 Type escape sequence to abort Reply from 192.168.27.165: 20ms 1-8 Network Management XSR(config)# Destination address to be pinged. Source address for the ping packet. If not configured, the Router ID is used. Payload size, ranging from 1 to 65000. XSR#...
Page 23 • interface-fastEthernet • interface-loopback • interface-serial • map-class-dialer • map-class-frame-relay • policy-map • policy-map-class • router-ospf • router-rip • subinterface This command is used in conjunction with the show running-config user. The Syntax privilege operationMode {level value | reset} {command | commandgroup} privilege operationMode username command displays user information. Associates privilege level with a command. Configuration mode associated with privilege level.
Page 24 Privilege for special user admin: 15 • Only administrators can add, delete, or change user rights. • Only administrators can change privilege levels for commands. • Users can change their own passwords but not their privilege levels. Examples This example sets the privilege level for the XSR(config)#privilege configure level 6 username This example resets the privilege level for the XSR(config)#privilege configure reset username This example sets the privilege level for the XSR(config)#privilege router-rip level 13 neighbor 1-10 Network Management Privilege level associated with the mode of operation ranging from 0 to 15 (highest). Resets the privilege level to the default. Command within that mode to set a privilege for. Set of commands to associate with a privilege. For example, T1 Controller group commands. XSR(config)# show ) commands with low‐level security such as , etc. show ) commands with higher level security such as ...
Page 25 session-timeout This command sets the interval for closing a connection when there is no input. If the keyword console, ssh, or Telnet is used, the timeout becomes the default value for the next session of the specified type, otherwise, the timeout applies to the current session. When the console session times out, it will sit idle and prompt you for your user ID and password again. Syntax session-timeout {timeout | console timeout | ssh timeout | telnet timeout} timeout console telnet Mode Global configuration: Defaults • Timeout: 1,800 seconds • If neither Console, SSH, nor Telnet is specified, the timeout value will be set for the current session. Example This example sets the current Console timeout session to 15 seconds: XSR(config)#session-timeout console 15 terminal This command changes the terminal screen width and length. Syntax terminal {width | length} size width length size...
Page 26 XSR>traceroute 140.252.13.65 172.15.57.99 traceroute to 140.252.13.65,30 hops max,40 bytes packets 1. 140.252.13. 2. 140.252.13. Parameters in the Response A probe timeout is signaled by an asterisk ” *”. Abnormal Termination Signs !P ‐ Protocol Unreachable !N ‐ Network Unreachable !H ‐ Host Unreachable 1-12 Network Management traceroute Network address of the destination. Source address for the ping packet. If this is not set, the Router ID is used. 3520 ms 10 ms 10 ms 65120ms 120ms 120ms utility uses UDP as the transport layer. It ...
Page 27 username This command adds a user, privilege level, password, and encryption type for those accessing the XSR. Assigning privilege levels lets you control which users can manage selective resources. The username command can also be used in conjunction with the usernames with particular configuration modes. For example, if configuring T1/E1 requires that a user have a privilege level of 6 or higher, any user with a privilege of 5 or lower would be prohibited from configuring the T1/E1 controller. Caution: We recommend that you add no more than 3000 users due to a size limit for the the user.dat file. Also, we suggest keeping usernames and passwords as short as possible to avoid breaching the 200 Kbyte limit.
Page 28: General Show Commands
General Show Commands Note: No user can be deleted if you presently logged in as that user and admin or other level 15 users can not be deleted unless at least one such administrator remains configured. Mode Global configuration: Defaults • Username: admin •...
Page 29: Show Ip Http
Sample Output The following output displays public key: XSR(config)#crypto key dsa show ---- BEGIN SSH2 PUBLIC KEY ---- Subject: root Comment: "1024-bit dsa, administrator@Robo1, Mon Mar 03 2003 05:06:16" AAAAB3NzaC1kc3MAAACBAIgwEkVM26GpC9L+cu9HnXps8S6Qlrhp7mwGudUYDMETdWj53j u6umHQPwekw0AsTH256mbFedfilcr+W207db+YKunWh59nan/kHGg1iZpwfeaE2kNO4om2 PqXGqdJd7tEI6Ut0cCV7R9roVUDkhmkWWcxaLL5r+YkIV7II6b33AAAAFQCO4IaKlgIhPg W3oRkNWe3mq9iDrwAAAIBKHSIUIf/KkYd9r5bi7Ec8OHTbkCAcZqwH4gJIh8EryaMWAm7c zjWtSlLNYhz+q5J2uoPKjct4gqxRv4RLo5yKxsSIcgD6WauvANO7yzQ1CRFBAXL9iZZMEa AhJQbAE1WVXjD61kBmKvrcR2ZDEnpRaueAaojF4Rslo66Y6pn77gAAAIAKjfSPLGIXe0gF JqsEIPkrY+0sMwltOV+zd8NPp/NqkIOxg9kZVASQCn/huAv6Sc3WN/WSQU/BpYu2jI8C1S 1S9BEezin8bNE8YWVLwaG1Fx+GOTEugbgflhgMfNHtzaaHEMfmLq80EJ3jRv+zjwaWYPzT wuo+3CNydBZSwe7fmA== ---- END SSH2 PUBLIC KEY ---- show ip http This command information about the HTTP (Web) session.
Page 30: Snmp-Server Commands
snmp-server Commands Sample Output The following is output from the XSR#show ip telnet TELNET Information: Telnet Server: Enabled Telnet Port: 23 Active Telnet Sessions: 1 snmp-server Commands This command set configures the SNMP agent on the XSR. Currently, SNMP v1/v2 and v3 are supported. All commands are invoked in Global configuration mode. If the SNMP server is disabled, executing any SNMP configuration command except for automatically turn the SNMP server on after it successfully executes. By default, the SNMP server is disabled at boot‐up. All SNMP Global configuration‐level commands have a privilege level of 15 and all commands have a level of 10. The MIBs listed in Table 1‐1 can be accessed on the XSR. Table 1-1 Supported Proprietary and Standard MIB Objects ctron‐chassis‐mib Enterasys’ Download PPP LCP PPP IP...
Page 31 Table 1-1 Supported Proprietary and Standard MIB Objects (continued) Description Enterasys This MIB allows an SNMP management entity to upload and download Configuration executable images and configuration files to the XSR and identify the Management active executable image and configuration files. Using this MIB to reset the XSR will succeed only if SNMP system shutdown is enabled with the snmp-server system-shutdown command (see page 1‐27). Enterasys Syslog The XSR allows read‐only access to the Syslog server configuration. Client Enterasys SNMP This MIB lets SNMP save configuration changes to the startup‐config file. Persistence When reconfiguration occurs via SNMP or the CLI, changes remain volatile until running‐config is saved to startup‐config. By setting etsysSnmp PersistenceSave to save (2), running‐config is saved to startup‐config. The only etsysSnmpPersistenceMode supported is pushButtonSave (2). Enterasys Firewall This MIB implements SNMP‐based Firewall monitoring of the XSR. Host Resource RFC‐2790. This MIB provides monitoring of CPU load and memory. Entity MIB V2 RFC‐2737. This MIB contains tables for physical and logical entities managed by the SNMP agent. SNMPv3 MIBs The SNMPv3 MIBs implemented on the XSR’s are: RFC‐3411 Framework, RFC‐3412 MPD, RFC‐3414 USM, RFC‐3415 VACM MIB‐II RFC‐1213. All objects except the EGP and AT groups. Address ...
Page 32 snmp-server Commands snmp-server community This command allows a community string to access MIBs in the XSR. Syntax snmp-server community community-string [view view-name][ro | rw] [access-list- num] community-string view-name access-list-num Notes: You can configure up to 20 read-only and read-write community strings. Community-based write access is available for the ct-download MIB only. For write access to other MIBs, use SNMPv3.
Page 33 Syntax of the “no” Form The no form of this command offers no contact information: no snmp-server contact Mode Global configuration: Default Null string Example XSR(config)#snmp-server contact LarryCurtis@enterasys.com XSR(config)#snmp-server contact “Larry Curtis 508 767-2536” snmp-server enable/disable This command enables or disables the SNMP server. If the server is disabled, using any snmp CLI command will turn it back on. Syntax snmp-server {enable | disable} enable disable Mode Global configuration: Default Disable snmp-server enable traps This command enables traps and informs to be sent. SNMPv1 traps and v3 informs are supported, ...
Page 34 snmp-server Commands Syntax of the “no” Form The no form of this command disables the sending of specified traps: no snmp-server enable traps [[snmp [authentication]] entity | frame-relay] Mode Global configuration: Default Disabled Examples To enable all SNMP traps, enter the following command: XSR(config)#snmp-server enable traps snmp To enable authentication SNMP traps only, enter the following command: XSR(config)#snmp-server enable traps snmp authentication snmp-server engineID This command specifies a value for the SNMP engine on the XSR. Within SNMP v3, users are localized to the device by this Engine ID. A textual convention for SnmpEngineID is specified by RFC‐3411. Using this textual convention, the Engine ID is created with the MAC address and enterprise number for Enterasys. In order to transmit v3 informs, the XSR requires the engineIDs of remote SNMP entities which this command allows you to configure. The command also lets you configure the XSR local engineID.
Page 35 Mode Global configuration: Example The following example specifies the Engine ID: XSR(config)#snmp-server engineID local 00020AF100 results in an engine ID of 0x800015F80500020AF100 snmp-server group This command configures a new SNMP group to associate SNMP users with views. Syntax snmp-server group group-name {v1 | v2c | v3 {auth | noauth | priv}} [read readview] [write writeview][access access-list] group group-name auth noauth priv read readview write writeview access access-list Syntax of the “no”...
Page 36 snmp-server Commands snmp-server host This command specifies host parameters of the SNMP server; it adds a new management station to send traps to. If the address already exists, the command will update the server’s configuration which is stored in the snmpTarget MIB defined by RFC‐2573. Syntax snmp-server host ip-addr {traps | informs version {2c | 3 [{auth | noauth | priv}]] community-stringOrUser [udp-port port][notification-type] ip-addr traps informs version auth noauth priv community- stringOrUser udp-port port notification- type Note: You can configure up to 20 hosts. Syntax of the “no”...
Page 37 Example The following examples illustrate an SNMP host with trap on and off: XSR(config)#snmp-server host 192.168.1.10 traps trapsOn XSR(config)#no snmp-server host 192.168.2.11 Sample Output The following are three sample outputs from the command: Notification host: 192.168.2.10 udp-port: 162 user: v3user Notification host: 192.168.10.2 udp-port: 162 user: public Notification host: 192.168.1.5 user: testuser snmp-server informs This command specifies inform request options. Syntax snmp-server informs [retries retries] [timeout seconds] [pending pending] Syntax of the “no”...
Page 38 snmp-server Commands Example This example shows an inform with 1 retry, a 5‐second timeout and a 10 pending value: XSR(config)#snmp-server informs retries 1 timeout 5 pending 10 snmp-server location This command specifies the location of the SNMP server. Syntax snmp-server location location-string location-string Syntax of the “no” Form The no form of this command deletes a location for the SNMP server: no snmp-server location Mode Global configuration: Default Null string Example The following example describes the SNMP server location. Note the quotation marks: XSR(config)#snmp-server location “Beacon Street Branch” snmp-server max-traps-per-window This command specifies the number of traps allowed in the time window.
Page 39 Default 0 traps (unlimited) Example The following example sets the traps permitted to 1000: XSR(config)#snmp-server max-traps-per-window 1000 snmp-server min-trap-spacing This command sets the interval between successive SNMP traps. Trap spacing is only guaranteed to occur at least every spacing ‐ it might occur more often. The command implementation can exhibit a jitter of +0 to +200 milliseconds and is linked to the XSR’s fast timer tick interval. Syntax snmp-server min-trap-spacing spacing spacing Syntax of the “no” Form The no formsets the minimum interval between successive traps to the default value: no snmp-server min-trap-spacing Mode Global configuration: Default 200 milliseconds Example The following example limits the minimum trap interval to 1 minute: XSR#snmp-server min-trap-spacing 60000 snmp-server packetsize This command sets the maximum allowable incoming and outgoing packet size in bytes. Packets larger than this value are dropped. Syntax snmp-server packetsize size size Minimum interval between successive traps, ranging from 0 to 3,600,000 ...
Page 40 snmp-server Commands Syntax of the “no” Form The no form sets the maximum allowed incoming and outgoing packetsize to the default: no snmp-server packetsize Mode Global configuration: Default 1,500 bytes Example The following example specifies the peak packet size as 1000 bytes: XSR#snmp-server packetsize 1000 snmp-server queue-length This command sets the retransmission queue length. Traps which have no route to the host are put into the retransmission queue for resending later. Syntax snmp-server queue-length length length Syntax of the “no” Form The no command resets the retransmission queue length to the default: no snmp-server queue-length Mode Global configuration: Default Example The following example sets the retransmission queue length to 50:...
Page 41 Syntax snmp-server set entityMIB {entPhysicalAlias | entPhysicalAssetID} host <string> entPhysicalAlias entPhysicalAssetID string Syntax of the “no” Form The no command sets the PhysicalAlias or PhysicalAssetID in the Entity MIB as an empty string: no snmp-server set entityMIB {entPhysicalAlias | entPhysicalAssetID} host Mode Global configuration: Example The following example provides an alias for the host: XSR(config)#snmp-server set entityMIB entPhysicalAlias host aliasSalesServer snmp-server system-shutdown This command allows the SNMP server to reboot the XSR (usually after a software download). Syntax snmp-server system-shutdown Syntax of the “no”...
Page 42 snmp-server Commands snmp-server tftp-server-list This command specifies an Access Control List (ACL) to limit TFTP servers’ access during SNMP downloads. Syntax snmp-server tftp-server-list access-list-num access-list-num Syntax of the “no” Form The no form removes any ACL limiting other TFTP servers’ access during SNMP downloads: no snmp-server tftp-server-list Mode Global configuration: Example The following example limits TFTP servers to ACL #57: XSR#snmp-server tftp-server-list 57 snmp-server trap-source This command sets the interface serving as the source for all traps and informs. Use the address of the interface from which the trap/inform goes out as the source address for the trap/inform. Syntax snmp-server trap-source {interface} interface Note: If the interface does not have an IP address or if the interface is deleted afterwards, it will use the address of the interface from which the trap/inform goes out as the source address for the trap/ inform.
Page 43 snmp-server trap-timeout This command specifies the interval traps in the retransmission queue are retried if no route exists to the host that SNMP traps will to be sent to. Syntax snmp-server trap-timeout timeout timeout Syntax of the “no” Form The no form of this command sets the trap‐timeout to the default value: no snmp-server trap-timeout Mode Global configuration: Default 30 seconds snmp-server user This command configures local or remote users in an SNMP group with security models, authentication, passwords, privacy settings, and ACLs, and adding users to the USM user table. Note: Be aware that the engineID of the remote SNMP entity must be configured before you add a user since passwords are hashed with the engineID to create a localized key.
Page 44 snmp-server Commands auth-password priv des56 priv-password access access-list Syntax of the “no” Form Use the no form of this command to remove a user: snmp-server user username groupname {v1 | v2c | v3} Mode Global configuration: Example The example below configures ljc of the v3authgrp SNMP group with strong v3 level security, MD5 authentication, and the password acorntree: XSR(config)#snmp-server user ljc v3 auth v3authgrp md5 acorntree snmp-server view This command creates or updates a view entry. The XSR provides one default view which is used for all community commands which do not specify a view parameter. The v1default view includes ...
Page 45 Mode XSR(config)# Global configuration: Examples The following example creates a view of all objects on the XSR: XSR(config)#snmp-server view v3view internet included The following example creates a view of all objects in the MIB‐II subtree: XSR(config)#snmp-server view mib2 mib-2 included The following example creates a view for TCP: XSR(config)#snmp-server view TCPview tcp included The following example creates a view of all objects in the MIB‐II subtree excluding 1.3.6.1: XSR(config)#snmp-server view MIBIIview 1.3.6.1 excluded The following example removes a view of MIN‐II subtree 1.3.6.1: XSR(config)#no snmp-server view 1.3.6.1 The following example creates a view of all objects in private Enterasys and Cabletron MIBs except for the etsysConfigurationChange MIB: XSR(config)#snmp-server view Enterasys private included XSR(config)#snmp-server view Enterasys etsysConfigurationChangeMIB excluded Sample Output The following is sample output from the command:...
Page 46 snmp-server Commands Table 1-2 MIB Names for SNMP View Commands (continued) SNMP Term atEntry ipAddrEntry ipRouteEntry ipNetToMediaEntry icmp tcpConnEntry udpEntry transmission pppLcp pppIp frameRelayDTE tunnelMIB snmp ospf rip2 ifMIB entityMIB cabletron chassis ctTimedResetMIB ctDownload enterasys etsysConfigurationChangeMIB etsysSyslogClientMIB etsysSnmpPersistenceMIB etsysFirewallMIB etsysServiceLevelReportingMIB snmpFrameworkMIB 1-32 Network Management SNMP Numerical ID...
Page 47 Table 1-2 MIB Names for SNMP View Commands (continued) SNMP Term snmpMPDMIB snmpUsmMIB snmpVacmMIB snmpEngine snmpMPDStats usmStats usmUser usmUserTable vacmContextTable vacmSecurityToGroupTable vacmAccessTable vacmMIBViews vacmViewTreeFamilyTable snmp-server window-time This command specifies the length, in seconds, of the moving window used to count the number of traps sent. Syntax snmp-server window-time time time Syntax of the “no” Form The no form of this command sets the length of the moving window used to count the number of traps sent in recently to default: no snmp-server window-time Mode Global configuration: ...
Page 48: Snmp Show Commands
SNMP Show Commands SNMP Show Commands show snmp This command information about the SNMP server. Syntax show snmp [location] location Mode Privileged EXEC: Sample Output The following is sample output from the command: XSRtop(config)#show snmp Chassis serial#: 0000019876543210 In counters: 0 Bad SNMP version errors 0 Unknown community names 0 Illegal operations for name supplied 0 Encoding errors 0 Packets too big 0 No such names...
Page 49: Show Snmp Engineid
0 Silent drops 0 Proxy drops The example below shows output with the location option entered: XSR#show snmp location Haverhill Mass. show snmp engineID This command displays the identification of the local SNMP engine. Syntax show snmp engineID Mode Privileged EXEC: XSR# Sample Output The following is sample output from the command: XSR#show snmp engineID Local SNMP engineID: 800015F8030001F423E691 IP-addr 10.10.1.48 show snmp group This command displays the names of groups on the XSR with their security model and views. Syntax show snmp group Mode...
Page 50: Show Snmp User
SNMP Show Commands grouname: nm readview: v1default notifyview: nmMIBIIview The following is sample output from the command: XSR#show snmp group groupname: v3RWGroup readview: v3view notifyview: <no notifyview specified> groupname: v3ROGroup readview: v3view notifyview: <no notifyview specified> show snmp host This command displays information from the SNMP Host table. Syntax show snmp host Sample Output The following is sample output from the command: Notification host: 192.168.2.10 udp-port: 162 user: v3user Notification host: 192.168.10.2 udp-port: 162...
Page 51: Sla Agent Commands
User name: authprivUser Engine ID: 800015f8030001f423e691 storage-type: nonvolatile Parameter Description storage-type show snmp view This command displays information on each SNMP view in the group username table. Syntax show snmp view Mode Privileged EXEC: XSR# Sample Output The following is sample output from the command: XSR#show snmp view viewname: included: excluded: viewname: included: excluded: viewname: included: excluded: SLA Agent Commands aggregate period This command specifies the period between two aggregate measurement action intervals by the ...
Page 52 SLA Agent Commands Syntax aggregate-period period period Syntax of the “no” Form The no form of this command returns to the default value: aggregate-period period Mode RTR Echo configuration: Default 600 seconds Example The following example sets a one‐minute aggregate period: XSR(config-rtr-echo-1)#aggregate-period 60 buckets-of-history-kept This command specifies how many history entries will be maintained by the Response Time Reporter (RTR). Syntax buckets-of-history-kept size size Syntax of the “no” Form The no form of this command returns to the default value: no buckets-of-history-kept Mode RTR Echo configuration: Default •...
Page 53 Example This example sets the buckets‐of‐history value to 5 records: XSR(config-rtr-echo-1)#buckets-of-history-kept 5 frequency This command specifies how frequently to send a Response Time Reporter (RTR) probe. The value you configure for frequency must be larger than your configured timeout value so that a user cannot have a frequency of 1 second and a timeout of 1001 milliseconds. Syntax frequency {frequency-interval} frequency-interval Syntax of the “no” Form The no form of this command returns to the default value: no frequency Mode RTR Echo configuration: Default Frequency: 60 seconds Example The following example sets the RTR frequency to 2 seconds: XSR(config-rtr-echo-57)#frequency 2 This command associates a Response Time Reporter (RTR) with a map ‐ an administratively assigned name. Syntax map {map-name} map-name Syntax of the “no” Form The no form of this command returns to the default value: no map How often to send a probe, ranging from 1 to 604,800 seconds.
Page 54 SLA Agent Commands Mode RTR Echo configuration: Example The following example creates an RTR map: XSR(config-rtr-echo-57)#map "network in Peoria" owner This command binds a Response Time Reporter (RTR) owner (administrator) to a measurement entry. Note: Because the Enterasys service level reporting MIB requires an owner to be created before an entry, an owner must be added first. Syntax owner {owner-name} owner-name Syntax of the “no”...
Page 55 Mode RTR Echo configuration: Default Payload size: 12 bytes Example The following example limits the RTR payload size to 32 bytes: XSR(config-rtr-echo-57)#request-data-size 32 This command specifies an identifier (name) for this Response Time Reporter (RTR) measurement. Syntax tag {name-tag} name-tag Syntax of the “no” Form The no form of this command removes any configured tag: no tag Mode RTR Echo configuration: Example The following example specifies the RTR name: XSR(config-rtr-echo-57)#tag "one-way packet loss" timeout This command specifies a timeout for the Response Time Reporter (RTR). Be aware that the timeout value must be smaller than the frequency value. So, a user cannot have a frequency of 1 second and a timeout of 1001 milliseconds. Syntax timeout {timeout-value} timeout-value XSR(config-rtr-echo-xx)# Name assigned to this measurement. XSR(config-rtr-echo-xx)# Timeout, ranging from 1 to 604800000 milliseconds.
Page 56 SLA Agent Commands Syntax of the “no” Form The no form of this command returns to the default value: no timeout Mode RTR Echo configuration: Default 5000 milliseconds Example The following example resets the RTR timeout to 500 milliseconds: XSR(config-rtr-echo-57)#timeout 500 type This command specifies the type of Response Time Reporter (RTR) measurement to be performed ‐ ICMP Echo ‐ as well as the destination and source host IP addresses. Syntax type {echo} protocol {ipIcmpEcho} dst [source-ipaddr src] Mode RTR configuration: Next Mode RTR Echo configuration: Example The following example sets the RTR type and acquires RTR Echo mode: XSR(config-rtr-57)#type echo protocol ipIcmpEcho 192.168.57.3 XSR(config-rtr-echo-57) 1-42 Network Management XSR(config-rtr-echo-xx)#...
Page 57: Rtr-Mode Commands
RTR-mode Commands This command creates a Response Time Reporter (RTR) entry. The following are sub‐commands: • rtr owner • rtr schedule description. Syntax rtr operation-id operation-id Mode Global configuration: Next Mode RTR configuration: Example The following command configures RTR entry 1 and acquires RTR mode: XSR(config)#rtr 1 XSR(config-rtr-1)# rtr owner This command registers the Response Time Reporter (RTR) administrator (owner). Syntax rtr owner {owner-name}[ipAddress][quota quota][email email][sms sms] owner-name: ipAddress quota email Mode Global configuration: registers the RTR administrator. Go to page 1‐43 for the command description.
Page 58 RTR-mode Commands Default Quota: 700 Example The following example registers the RTR owner: XSR(config)#rtr owner operator1 192.168.57.5 email larrycurtis@enterays.com quota 1000 rtr schedule This command schedules an Response Time Reporter (RTR) entry. Syntax rtr schedule operation-id [[life {forever | lifetime}] start-time {hh:mm:[ss][month day | day month] | pending | now | after hh:mm:ss}] operation-id lifetime hh:mm:ss month pending...
Page 59: Rtr Show Commands
RTR Show Commands show rtr operation-state This command displays the current operational state of the Response Time Reporter (RTR). Syntax show rtr operation-state [operation-id] operation-id Mode EXEC configuration: Sample Output The following is sample output from the command: XSR>show rtr operation-state 57 RTR Entry Number: 1 Number of Operations Attempted: 84 Timeout Occurred: FALSE Operational State of Entry: INACTIVE show rtr configuration This command displays your configuration of the Response Time Reporter (RTR).
Page 60 RTR Show Commands Status of Entry (SNMP RowStatus): active Protocol Type: ipIcmpEcho Target Address: 192.168.57.3 Source Address: 192.168.57.43 Request Size (data portion): 12 Life (seconds): 5000 Next Scheduled Start Time: Start Time already passed Number of History Buckets kept: 15 show rtr history This command displays the measurement history of the Response Time Reporter (RTR).
Page 61: Chapter 2: Configuring T1/E1 And T3/E3 Subsystems
Configuring T1/E1 and T3/E3 Subsystems Observing Syntax and Conventions The CLI Syntax and conventions use the notation described in the following table. Convention [x | y | z] {x | y | z} [x {y | z} ] (config-if<xx>) Next Mode entries display the CLI prompt after a command is entered soho.enterasys.com T1/E1 &...
Page 62 T1/E1 & T3/E3 Commands cablelength For T3 controllers only This command specifies the distance of cabling from the XSR to the network equipment for a T3 NIM card only. Note: Although you can specify cable length from 0 to 450 feet, the XSR recognizes only two ranges: 0 to 224 and 225 to 450. For example, entering 35 feet selects the 0 to 224 range. If you later change the cable length to 40 feet, there is no change because 40 falls within the 0 to 224 range.
Page 63 the received signals. This feature is provided by placing a transmit attenuator in the data path. This attenuation is selectable from 0, ‐7.5, ‐15, or ‐22.5 dB. Note: Long haul line build-out (LBO) compensates for the loss in decibels based on the distance from the device to the first repeater in the circuit. A longer distance from the device to the repeater requires that the signal strength on the circuit be boosted to compensate for loss over that distance. The ideal signal strength should be between -15 dB and -22 dB, which is calculated by adding the Telecom/PTT company loss + cable length loss + line build out.
Page 64 T1/E1 & T3/E3 Commands Syntax cablelength short Syntax of the “no” form The no form of this command returns the value to the default setting: no cablelength short Defaults 133 feet Mode Controller configuration: Example The following example sets the short haul LBO to 266 feet: XSR(config)#controller t1 1/0 XSR(config-controller<T1-1/0>)#cablelength short 266 channel-group For T1/E1 controllers only This command specifies timeslots that map to channel‐groups for T1/E1/ISDN‐PRI data lines (for channelized/fractional T1/E1/ISDN‐PRI services). Timeslots and fractional/channelized T1/E1 groups allow multiple logical WAN interfaces to be created out of a single channelized T1 or E1 controller port. The logical interfaces created can have different encapsulation types – PPP, Frame Relay, etc. For each channel group (a fraction of a T1/ E1/ISDN‐PRI line), the following values must be set: The channel group must be identified by a channel group number. One or more timeslots of the T1/E1/ISDN‐PRI line must be assigned to a particular channel ...
Page 65: Clock Source
range speed Syntax of the “no” Form Use the no form of the command to remove a channel group: no channel-group number Defaults Speed: 64 kbps for both T1 and E1 controllers. Mode Controller configuration: Example The following example issues the channels are created – the first creates group number 0 with timeslots 1 to 10; the second creates group number 1 with timeslots 11 to 20, both with default speeds of 64 kbps. XSR(config)#controller t1 1/0 XSR(config-controller<T1-1/0>)#description T1 for Acme XSR(config-controller<T1-1/0>)#framing esf XSR(config-controller<T1-1/0>)#linecode b8zs XSR(config-controller<T1-1/0>)#channel-group 0 timeslot 1-10 XSR(config-controller<T1-1/0>)#channel-group 1 timeslot 11-20 clock source This command defines the clock source for a T1/E1 or T3/E3 line. It is needed because of ...
Page 66 T1/E1 & T3/E3 Commands Default Line Mode Controller configuration: Examples The following example configures the T1 controller on NIM 1, port 0 (first port), with ESF framing, B8ZS line encoding and line source clocking: XSR(config-controller<T1-1/0>)#framing esf XSR(config-controller<T1-1/0>)#linecode b8zs XSR(config-controller<T1-1/0>)#clock source line This example set the E3 controller in with line source clocking and a national reserved bit of 0: XSR(config-controller<E3-1/2/0>)#clock source line XSR(config-controller<E3-1/2/0>)#national bit 0 controller This command configures a T1/E1 or T3/E3 controller. You can invoke or T3/E3 NIM card is present on the XSR. This command automatically provides a full‐rate channel group on port 0, by default, and acquires Controller mode in which additional commands defining clock source, framing, line encoding, and others must be executed to configure the controller. For T1/E1 controllers only, if you prefer to configure a channel other than 0, you can manually create a channel group using all timeslots and proceed with port configuration. If no additional commands are specified in this mode, a default non‐channelized port is created with default values. Syntax controller {t1 | e1 | t3 | e3}{slot/card/port} controller {t1 | e1 | t3 | e3}{card/port} A T1 controller.
Page 67 Syntax of the “no” Form The no form of this command deletes the defined controller: no controller {t1 | e1| t3 | e3}{slot/card/port} no controller {t1 | e1| t3 | e3}{card/port} Mode Global configuration: Next Mode Controller configuration: Default Full rate Examples The following example sets the T1 NIM on board 1, port 0 (first port) and maps timeslots to the channel group. Also, it assigns an IP interface, sets PPP encoding and enables Serial port 1/0: XSR(config-controller)#controller t1 1/0 XSR(config-controller<T1-1/0>)#clock source line XSR(config-controller<T1-1/0>)#framing esf XSR(config-controller<T1-1/0>)#channel-group 0 timeslots 1,3-5,8 XSR(config-controller<T1-1/0>)#no shutdown XSR(config)#interface serial 1/0:0...
Page 68 T1/E1 & T3/E3 Commands Syntax crc {16 | 32} 16 or 32 Syntax of the “‘no” Form The no form of this command returns to the default setting: no crc Default Mode Interface configuration: Example This example enables the 32‐bit CRC on the T1 interface: XSR(config)#interface serial 1/0:2 XSR(config-if<S1/0:2)#crc 32 description This command identifies the T1/E1 or T3/E3 controller. The description string provides a more descriptive name/comment for a particular T1/E1 or T3/E3 line. This parameter can be a string value of arbitrary length (max 80 characters). In all statistics reporting, this value identifies the T1/ E1 or T3/E3 line in a more descriptive way. This command is functional for all serial interfaces. Syntax description “string” “string” Syntax of the “no” Form The no form of the command deletes the description: no description Mode...
Page 69: Dsu Mode
XSR(config)#controller t1 1/0 XSR(config-controller<T1-1/0>)#framing esf XSR(config-controller<T1-1/0>)#linecode b8zs XSR(config-controller<T1-1/0>)#clock source line XSR(config-controller<T1-1/0>)#description “Acme’s T1” The following example describes the T3 controller in slot 1, card 2: XSR(config)#controller t3 1/2 XSR(config-controller<T3-1/2/0>)#description “T3 Up at ACME” dsu mode For T3/E3 un-channelized controllers only This command configures an unchannelized sub‐rate T3/E3 port to emulate a proprietary Data Service Unit (DSU) scheme. The XSR supports interoperability with a wide range of third‐party DSU vendors. Local DSU mode configuration must match the remote configuration, so you must know what type of DSU is connected to the remote port to determine if it interoperates with a T3 or E3 NIM. This command enables interoperability with providers using various T3 or E3 DSUs to provision the T3/E3 line. Syntax dsu mode {digitallink | kentrox | larscom | adtran | verilink} digitallink kentrox larscom...
Page 70 T1/E1 & T3/E3 Commands XSR(config-controller<T3-1/2/0>)#framing m13 XSR(config-controller<T3-1/2/0>)#cablelength 250 XSR(config-controller<T3-1/2/0>)#dsu mode adtran dsu bandwidth For T3 controllers only This command specifies the peak allowable bandwidth used by the T3/E3 port. DSU bandwidth configuration must match the remote configuration and it is important that you know the bandwidth value set on the remote port. For example, if you reduce the bandwidth to 7,000 kbps on the local port, you must do the same on the remote port. This command reduces bandwidth by padding the T3/E3 frame. For E3 ports in bypass framing mode, DSU bandwidth defaults to 34,368 kbps. Even though the XSR lets you configure a continuous range of bandwidths in sub‐rate modes, vendors support bandwidths only in certain values. So, the XSR sets the user‐configured bandwidth to the closest vendor‐supported bandwidth (refer to Table 2‐1) and a message displayed showing the new bandwidth. Use the vendor‐supported bandwidth the XSR sets. Note: DSU bandwidth is configurable only for an unchannelized T3/E3 port. Table 2-1 Vendor DSU Bandwidth DSU Mode digitallink kentrox...
Page 71 Mode Controller configuration: Default • T3: 44,210 kbps (full‐rate) • E3: 34,099.5 kbps (full‐rate) Example The following example configures the T3 controller in slot 1, card 2 with line source clocking, M13 framing, in unchannelized mode, with a cable length of 250, DSU interoperability mode set to a Kentrox DSU, and a DSU bandwidth of 44,210 kbps: XSR(config)#controller t3 1/2/0 XSR(config-controller<T3-1/2/0>)#no channelized XSR(config-controller<T3-1/2/0>)#clock source line XSR(config-controller<T3-1/2/0>)#framing m13 XSR(config-controller<T3-1/2/0>)#cablelength 250 XSR(config-controller<T3-1/2/0>)#dsu mode 1 XSR(config-controller<T3-1/2/0>)#dsu bandwidth 44210 e-bit-reset This command sets the E‐bit in the E1 frame to zero while the port is in an asynchronous state. Syntax e-bit-reset Syntax of the “no” Form The no form of this command negates the E‐‐bit reset: no e-bit-reset Mode Controller configuration: ...
Page 72 T1/E1 & T3/E3 Commands equipment For T3/E3 controllers only This command configures the T3/E3 controller as network or customer equipment and operates according to the T1.403 ANSI standard, allowing equipment configured as network equipment to disregard network loopback commands from the far‐end device. Note: Since remote loopback requests are available only when C-bit framing is invoked for a T3 port, the equipment command is useful only when framing is set to C-bit. Syntax equipment {customer | network} loopback customer...
Page 73 Note: The C-bit T3 parity framing format is an enhancement of the original M13 format. The main difference is the C-bit framing format always stuffs the first bit of the 8th block in each sub-frame. So, in C-bit format, C-bits permit greater management and performance functions on the M frame. Syntax framing {sf | esf} (T1) framing {crc4 | no-crc4} (E1)
Page 74: Interface Serial
T1/E1 & T3/E3 Commands interface serial This command configures the Serial interface automatically created by the in conjunction with T1/E1 and T3/E3 NIM operations. The T3 module offers channels to PPP and Frame Relay protocol stacks. T3/E3 Serial channels are configured and monitored similar to serial channels provisioned via T1/E1 and serial NIMs. For full and sub‐rate T3 or E3 mode, the port and channel setting is 0 only. Syntax interface serial {slot | card | port0 | channel0} slot Slot number of a system from 0 to 6 card slots. The motherboard is slot zero. If the slot number is 0, it can be omitted. card Defines NIM card number in the card slot: 1 or 2. port Defines the port number on the slot or the port number on a NIM card, from 0 to 3. Mode Interface configuration: Example The following example configures Serial interface 2/0: XSR(config)#interface serial 2/0 XSR(config-if<S2/0>)# international bit For E3 controllers only This command sets bits 6 and 8, respectively, of set II in the E3 frame.
Page 75 Example The following example configures the E3 controller in slot 1, card 2 with line source clocking and international bits of 0 and 0: XSR(config)#controller e3 1/2/0 XSR(config-controller<E3-1/2/0>)#clock source line XSR(config-controller<E3-1/2/0>)#international bit 0 0 invert data For T1/E1 controllers only This command inverts the data stream. Data inversion is a method of avoiding excessive zeroes that is superseded by the use of B8ZS line encoding. However, in cases where the network or remote node does not support this type of line coding, data belonging to an HDLC stream can be inverted to satisfy requirements of the line. Syntax invert data Syntax of the “no” Form Disable inverting the data stream by using the command’s no form: no invert data Default Data is not inverted.
Page 76 Controller configuration: Example This example sets the T1 controller with ESF framing, and B8ZS line encoding: XSR(config)#controller t1 1/0 XSR(config-controller<T1-1/0>)#framing esf XSR(config-controller<T1-1/0>)#linecode b8zs loopback For T1/E1 controllers only This command implements loopback tests on a T1/E1/ISDN‐PRI subsystem. Typically, it is used for diagnostic purposes although you can configure an IP address as a loopback interface as shown in the example. If you configure a loopback address for the XSR, it will be used as the Router ID. If there is no loopback address defined, the Router ID is the highest non‐zero IP address of existing configured and active interfaces. When a T1/E1/ISDN‐PRI line malfunctions, one troubleshooting option is to perform various loopback tests, for instance, isolating pieces of the link to test separately. Loopback testing should begin on the local router and proceed to testing the service/network provider. Be aware that all loopback testing is intrusive, and while loopback tests run, data transfers over the link are barred. Syntax loopback {diagnostic | local {line | payload}} diagnostic 2-70 Configuring T1/E1 and T3/E3 Subsystems XSR(config-controller<xx>)# Loops the outgoing transmit signal back to the receive signal. Use the ...
Page 77: National Bit
local line local payload Syntax of the “no” Form no loopback Default Disabled Mode Controller configuration: Examples The following example initiates a local loopback test: XSR(config)#controller t1 1/0 XSR(config-controller<T1-1/0>)#framing esf XSR(config-controller<T1-1/0>)#linecode b8zs XSR(config-controller<T1-1/0>)#channel-group 0 timeslot 1-24 speed 64 XSR(config-controller<T1-1/0>)#loopback local The following example configures an IP address as a loopback interface: XSR(config)#interface loopback 0 XSR(config-if<L0>)#ip address 193.23.24.1 255.255.255.255 XSR(config-if<L0>)#no shutdown national bit For E3 controllers only...
Page 78 T1/E1 & T3/E3 Commands Mode Controller configuration: Default Example The following example configures the E3 controller in slot 1, card 2 with line source clocking and a national reserved bit of 0: XSR(config)#controller e3 1/2/0 XSR(config-controller<E3-1/2/0>)#clock source line XSR(config-controller<E3-1/2/0>)#national bit 0 scramble For T3/E3 controllers only This command assists clock recovery on the receiving end of a T3/E3 port by randomizing the pattern of 1s and 0s carried in the physical layer frame. Randomizing the bits can prevent continuous, non‐variable bit patterns, in other words, long strings of all 1s or 0s. Several physical layer protocols rely on transitions between 1s and 0s to maintain clocking. Scrambling can prevent some bit patterns from being mistakenly interpreted as alarms. The following conditions must be met: • Scrambling is used only for full‐rate/sub‐rate T3/E3 ports and they must be configured as unchannelized for scrambling to take affect. • Remote and local T3/E3 scrambling configuration must match. • For T3 controllers, all DSU modes support scrambling except Clear mode. • For E3 controllers, only Kentrox mode supports scrambling. • This value is configurable only on an unchannelized T3/E3 port.
Page 79 Example The following example configures the T3 controller in slot 1, card 2 with line source clocking, M13 framing, in unchannelized mode, cablelength of 250, DSU interoperability mode set to a Kentrox DSU, DSU bandwidth of 44210, and scrambling enabled: XSR(config)#controller t3 1/2/0 XSR(config-controller<T3-1/2/0>)#no channelized XSR(config-controller<T3-1/2/0>)#clock source line XSR(config-controller<T3-1/2/0>)#framing m13 XSR(config-controller<T3-1/2/0>)#cablelength 250 XSR(config-controller<T3-1/2/0>)#dsu mode kentrox XSR(config-controller<T3-1/2/0>)#dsu bandwidth 44210 XSR(config-controller<T3-1/2/0>)#scramble shutdown This command disables disables a T1/E1/ISDN‐PRI controller or the T3/E3 controller and all interfaces related to it. The command does not require any specific booting procedure and can be performed dynamically during system run‐time. When the interface is created, it is disabled by default. Disabling a T3/E/3 controller causes a T3 port to transmit: • An Alarm Indication Signal (AIS) for M13 framing. • An idle signal (for C‐bit framing). Ten seconds must elapse for alarms to clear after enabling a T3 port. Shutting down a controller causes an E3 port to transmit AIS. Note: The AIS, also known as a blue alarm, is transmitted to notify the downstream device that an upstream line failure has occurred.
Page 80: T1/E1 And T3/E3 Clear And Show Commands
T1/E1 and T3/E3 Clear and Show Commands Examples The following example disables a T1 controller: XSR(config)#controller t1 1/0 XSR(config-controller<T1-1/0>)#shutdown The following example re‐enables a T3 controller: XSR(config)#controller t3 1/2/0 XSR(config-controller<T3-1/2/0>)#no shutdown T1/E1 and T3/E3 Clear and Show Commands clear controller This command clears controller counters for individual T1/E1 or T3/E3 controllers. It clears only counters shown with reset or bring down the controller. Syntax clear controller {t1 | e1 | t3 | e3}{slot/card/port} clear controller {t1 | e1 | t3 | e3}{card/port} slot card...
Page 81: Show Controllers
show controllers This command displays the status and statistics for any controller. The T1/E1, T3/E3, and ATM subsystems track various status and statistical parameters, including the current controller configuration. The command also displays Maintenance Data Link (MDL) information (received strings) if MDL is configured and framing is set to C‐bit on T3 NIMs. Notes: The network can remotely test XSR’s T1 ports by placing them in loopback. If this occurs, the controller will change state to DOWN for the duration of the test even if it remains synchronized. Statistics displayed with the show controllers command are reset every 24 hours.
Page 82 T1/E1 and T3/E3 Clear and Show Commands 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 Rx ABCD * * * * * * F F 0 * F F F F F F F F F F F F F F Channel 1: Timeslots 1,2,3,4,5,6,7,8,9,10 64kbps Base rate...
Page 83: Parameter Descriptions
Latest No Code Alarms Detected: 24 Hour Statistics cleared: MAY 04 22:33:47 Current time: MAY 04 22:34:13 Interval LVC Total 4352 0 Current 4352 0 ( 28s) Note: The 24 hour statistics is applied differently based on the selected farming type, the following table marks the valid fields by a * LCV PCV CCV PES PSES SEFS UAS LES CES CSES T3 C_bit...
Page 84 T1/E1 and T3/E3 Clear and Show Commands Rx ABCD * * * * * * F F 0 * F F F F F F F F F F F F F F T3 0/1/0 is up Applique type Alarms detected Network Line Loopback MDL transmission is disabled 2-78 Configuring T1/E1 and T3/E3 Subsystems Time slot that bypasses between port 0 and 1 carry Channel Associated Signaling (CAS). CAS signaling comprises four bits: Bit A, C, C and D. This line shows CAS signaling for each voice channel by which you can determine channel status based on the current CAS value. It is a debug aid. Channels marked with an asterisk (*) are read as follows: • 1 ‐ On the displayed port, timeslot 10 is used for data and is marked with an asterisk (*) • 2 ‐ On the complementary port, (the other port of the card) timeslots 1 through 6 are used for data. • 3 ‐ All time slots not used for data on neither port are bypassed between the two ports and their CAS ‐displayed. T3 controller in slot 0 is operating. The controllerʹs state can be up, down, or administratively down. Loopback conditions are shown as (Locally looped) or (Remotely Looped). Channelized or Non Channelized. Any alarms detected by the controller are displayed here. Any active alarm will bring the controller to Oper Down state. The YELLOW LED beside the port connector is ON for all physical alarms, but stays OFF for loopback modes. ...
Page 85 FEAC code received Framing is Line Code is Clock Source is Line Code Violations (Valid for C‐ bit, M13, g751 & bypass) P‐bit Coding Violation (Valid for C‐bit & M13) C‐bit Coding Violation (Valid for C‐bit) P‐bit Err Secs (Valid for C‐bit & M13) Displays the last 4 FEAC codes or commands that were received. Applicable for C‐bit parity framing only, per ANSI T1.105‐1995. This field are intended for T3 line debugging by carrier personal. Values (the last four codes are just displayed, subsequent codes will overwrite current ones) listed are as follows: • DS3 Eqpt. Failure (SA) • DS3 LOS • DS3 Out‐of‐Frame • DS3 AIS Received • DS3 IDLE Received • DS3 Eqpt. Failure (NSA) • Common Eqpt. Failure (NSA) • Multiple DS1 LOS • DS1 Eqpt. Failure (SA) • Single DS1 LOS • DS1 Eqpt. Failure (NSA) • No code is being received Command values are as follows: •...
Page 86: Drop And Insert Commands
Drop and Insert Commands P‐bit Severely Err Secs (Valid for C‐bit & M13) Severely Err Secs (Valid for g751) SES is a second in which more then 43 LCV were counted or one or more Out‐ Severely Err Framing Secs (Valid for C‐bit, M13 & g751) Unavailable Secs (Valid for C‐bit, M13 & g751) Line Err Secs C‐bit Errored Secs (Valid for C‐ bit) C‐bit Severely Errored Secs (Valid for C‐bit) Drop and Insert Commands These commands effect the operation of the T1/E1 Drop and Insert NIM. drop-and-insert-group This command, which takes no parameters, instructs the T1 controller to offer all its idle time slots not configured as part of a channel‐group to the Drop and Insert (D&I) agent. The T1 controller thus operates in mixed Data/Voice mode. For T1 lines, robbed bit signaling is used for Channel‐Associated Signaling (CAS). Robbed Bit Signaling uses one bit of each timeslot for signaling every sixth frame. The XSR is configured in such a way that RBS is disabled for data timeslots (timeslots belonging to a channel group) and data can be passed at 64 or 56 Kbs. When the command is issued for both T1 controllers on the NIM, time slots which are idle on both ports will be connected. It is mandatory that the T1 port connected to the Central Office derive its timing from the up stream line and the port connected to the PBX supply timing to the downstream line. Syntax drop-and-insert-group [cas | clear] For use if the device downstream is a PBX using rob bit signalling. Entering no parameter is equivalent to entering the no command.
Page 87: Show Controller
Mode Controller configuration: Default Example This configuration instructs the XSR to terminate timeslots 1, 2, 3, 4, 5, 6 and 7 of controller T1 0/1/ 0 into a PPP channel and bypass the rest of the timeslots from T1 controller 0/1/0 to controller T1 0/ 1/1. controller port T0/1/0 is connected to the Central Office and controller port T0/1/1 is connected the the PBX down stream. Note that setting the clock source to internal is mandatory. XSR(config)controller T1 0/1/0 XSR(config-controller<T1-0/1/0>)#drop-and-insert-group XSR(config-controller<T1-0/1/0>)#channel group 0 timeslots 1,2,3-7 speed 56 XSR(config-controller<T1-0/1/0>)#clock source line XSR(config-controller<T1-0/1/0>)#no shutdown XSR(config-if<S0/1/0>)#interface serial 0/1/0 XSR(config-if<S0/1/0>)#encapsulation ppp XSR(config-if<S0/1/0>)#no shutdown XSR(config)#controller 0/1/1 XSR(config-controller<T1-0/1/0>)#drop-and-insert-group XSR(config-controller<T1-0/1/0>)#no channel group 0 XSR(config-controller<T1-0/1/0>)#clock source internal XSR(config-controller<T1-0/1/0>)#no shutdown show controller For Drop &...
Page 88 Drop and Insert Commands Applique type is Fractional T1. Loopback is set as none. Cablelength long and short 0. Framing is esf, Line Encoding is b8zs, Clock Source is line. Description: None Alarms Detected: None Rx 0signal level -0.0DB (Accuracy:+/-3DB) Bypass time slots table ( * data time slots on s/c/0 and s/c/1): 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 Rx ABCD * * * * * * F F 0 * F F F F F F F F F F F F F F...
Page 89: Chapter 3: Configuring The Xsr Platform
Observing Syntax and Conventions The CLI command syntax and conventions use the notation described in the following table. Convention [x | y | z] {x | y | z} [x {y | z} ] (config-if<xx>) Next Mode entries display the CLI prompt after a command is entered. Sub-commands soho.enterasys.com Platform Commands The following sets of commands define the platform subsystem software of the XSR: • “Clock Commands” on page 3‐84.
Page 90: Clock Commands
Clock Commands Clock Commands clock set This command sets the current time of the Real Time Clock chip (software module clock). After resetting the XSR, you must manually set the clock. Syntax clock set hh:mm:ss wday mday month year hh:mm:ss wday mday month year Mode Privileged EXEC: Example Set the clock to 2:59:59 p.m., Friday, October 7, 2002. Type the following: XSR#clock set 14:59:59 06 07 10 2002 clock timezone This command sets the time zone to reflect the local time and can be offset by up to 12 hours behind or 13 hours ahead of the Universal Time Clock (UTC) time as set for Greenwich Mean Time (GMT). Syntax clock timezone hh mm Mode Privileged EXEC: ...
Page 91: Crypto Key Commands
Crypto Key Commands crypto key master generate This command generates a random master encryption key. When the command is entered, you are prompted to identify the previous master key. If you successfully identify it, the current secure data files are converted to use the new key. If not, you have the following options: • Retry entering the previous key, • Abort the key change, • Remove the previous file set and enter a new key. Note: This CLI command is not reflected in the running-config. Syntax crypto key master generate Mode Global configuration: Example XSR(config)#crypto key master generate crypto key master remove This command removes the master encryption key. When entered, the command prompts you to ...
Page 92: Other Platform Commands
Other Platform Commands crypto key master specify This command allows you to specify a master encryption key. When entered, the command first prompts you to identify the previous master key. If you cannot identify it, you have the following options: • Retry entering the previous key, • Abort the key change, • Remove the previous file set and enter a new key. If you successfully identify a new key or proceed regardless of a correct response, you are prompted to specify a new key numbering 24 bytes. This new key will be rejected if it is identified as a weak, semi‐weak, or possibly weak key. If you specify a valid new key, the current secure data files are converted to the new key. Note: This CLI command is not reflected in the running-config. Syntax crypto key master specify Mode Global configuration: Example XSR(config)#crypto key master specify Other Platform Commands cpu-utilization This command enables the XSR to calculate the interval it spends on particular tasks and provides ...
Page 93 Example XSR(config)#cpu-utilization debug processor This command defines a method to force forwarding engine jobs to a specific CPU or allows the jobs to float between available CPUs. Syntax debug processor {number | job type | interface | mobility} number job type interface mobility Mode Privileged EXEC: Examples The following example forces CPU 0 to accept forwarding jobs input to F1: XSR#debug processor 0 Input FE1 FIXED Input Job for Interface FastEthernet 1 is now fixed to Processor #0 This example forces CPU 1 to accept protocol forwarding jobs on interface F2: XSR#debug processor 1 Protocol FE2 FIXED Protocol Job for Interface FastEthernet 2 is now fixed to Processor #1...
Page 94 Other Platform Commands Example XSR#hostname XSR-1800 XSR-1800# logging This command enables/disables message logging at varying severity levels for specified destinations. Refer to Appendix A in the XSR User’s Guide for a list of most router alarms and events. Normally, only HIGH severity alarms are logged to red flag critical events and those requiring operator intervention. The DEBUG alarm level is meant for maintenance personnel only. The XSR may discard LOW and DEBUG level alarms if the system is too occupied to deliver them. The number of discarded messages is displayed by the following line in output: Discards: high=0 medium=0 low=4 debug=22 The XSR supports as many as three Syslog servers, with logging severity levels separately configurable for each server. You can disable logging to individual Syslogs with the xxx.xxx.xxx.xxx LogGen Functionality The file option permits logging to a persistent alarm file on a CompactFlash card for HIGH or MEDIUM alarms only. If no CompactFlash card is installed, persistent logging is not performed. The router copies messages from the logging buffer in RAM to the cflash: file loggen once per second. If power to the XSR is lost, the alarm history is preserved in loggen. When the XSR comes up again it copies the history from loggen back into the RAM buffer. The entire logging history is available including alarms before and after power‐down. The XSR’s LogGen functionality declares a message flood if too many outstanding messages are reported by other software modules in the router. LogGen then temporarily quits reporting on the Console so users can keep access to the CLI. Messages are logged to the RAM buffer only, and are gradually reported to all other enabled destinations. The message flood ends when LogGen reduces the number of outstanding messages below the defined threshold. Syntax logging [console | buffered | monitor | snmp | A.B.C.D | A.B.C.D | A.B.C.D | file...
Page 95: User Guidelines
medium debug timestamp local Syntax of the “no” Form Use the no form of this command to disable the earlier configured service: no logging [console | buffered | monitor | snmp | A.B.C.D | file | timestamp] Mode Global Configuration: XSR(config)# Defaults • File: off • A.B.C.D.: 0.0.0.0 (no messages sent until an IP address is set) • Logging level: High for all destinations User Guidelines The table below displays standard syslog error message types and definitions. Message Type Definition 0: Emergency System is unusable...
Page 96 Other Platform Commands Debug, severity = 7 (Debug) Examples This example sets logging at High for the console with a local timestamp: XSR#logging console high timestamp local The following example sets a Low logging level for all destinations with a UTC timestamp: XSR#logging low timestamp utc This example sets persistent logging of High severity messages to CFlash: with a local timestamp: XSR#logging file high timestamp local The following example sets the logging timestamp to local time. For information about a related command, refer to XSR#logging timestamp local The following example sets the logging timestamp to universal time: XSR#logging timestamp utc Sample Output The following is a sample LogGen message: <186>Jan 27 09:13:05 10.8.40.2 LOGGEN: Message Flood: Display disabled,messages logged to History Buffer.
Page 97: Sntp Commands
Mode Global configuration: Examples The following example selects a 5‐minute auto install: XSR(config)#netload The following example selects a persistent auto install: XSR(config)#netload persistent SNTP Commands sntp-client This command enables the SNTP client and sets the Simple Network Time Protocol (SNTP) primary and alternate server IP addresses. Once the XSR is configured, it sends a time request to the SNTP server every poll interval to update local time. Note: Setting the SNTP Server IP address to 0.0.0.0 disables the SNTP client. Syntax sntp-client server A.B.C.D [A.B.C.D] A.B.C.D [A.B.C.D Syntax of the “no” Form The no form of this command disables the SNTP client: no sntp-client Mode Global configuration: ...
Page 98 SNTP Commands sntp-client poll-interval This command configures the interval the SNTP client waits, when synchronized, before sending another time request to an SNTP server. The poll‐interval is applied continuously after the client is first synchronized. If both primary and alternate servers are configured, polls are sent only to the first server, once this was detected to be active and only if this server becomes inactive will the client start polling the alternate server. A client declares a server inactive if no response is received to ten consecutive requests. When the time is not synchronized after boot up, a resynchronization interval is used to send time requests to the server at fixed intervals of 60 seconds. A maximum of 10 such requests are sent in case no answer was received before the SNTP client decides this server is down. If an alternate server address is configured, requests are sent out to it. The resync interval is used instead of the polling interval to ensure the time is learned fairly quickly if the poll interval was set to a higher value. After initial synchronization, client requests are sent using the configured poll interval. Syntax sntp-client poll-interval [value] Parameters value Mode Global configuration: Default 512 seconds sntp-server enable This command enables the SNTP server. Syntax sntp-server enable Mode Global configuration: Default Disabled 3-92 Configuring the XSR Platform Poll‐interval, ranging from 16 to 16284 seconds.
Page 99: Show Sntp
no sntp-server This command disables the SNTP server. Syntax no sntp-server Mode Global configuration: show sntp This command displays the current status of the SNTP server. Syntax show sntp Output XSR>show sntp SNTP server 30.10.1.22 1.1.1.1 Client Status: Enabled Server Status: Enabled Poll Interval: 512 Server requests: Current Time: 00:36:42-UTC-Tuesday, 30-MAR-2004 Parameter Descriptions SNTP server 30.10.1.22 Stratum #Polls...
Page 100: Platform Clear And Show Commands
Platform Clear and Show Commands Nominal freq is xxxxx Hz, actual freq is xxxx Hz, precision is 2**16 Reference time is 12345678.12345678 (01:01:01.123 EDT Mon Jan 1 2004) Clock offset is 1.1234 msec, root delay is 123.12 msec Root dispersion is 12.12 msec, peer dispersion is 1.12 msec Platform Clear and Show Commands clear counter processor This command clears processor performance information. CPU utilization is averaged over an 8‐ second interval. Syntax clear counter processor Mode Privileged EXEC: Example XSR#clear counter processor clear fault-report This command deletes the fault report from RAM. Syntax clear fault-report Mode Privileged EXEC: Example XSR#clear fault-report Sample Output No fault report to clear.
Page 101: Clear Logging
clear logging This command deletes all messages from the logging buffer in RAM. Syntax clear logging Mode Privileged EXEC: Example XSR#clear logging show buffers This command displays platform memory statistics and is helpful in discovering where memory leaks exist in various XSR modules. Memory is allocated in increments no smaller than 64 bytes. Syntax show buffers Mode Privileged EXEC configuration: Sample Output XSR#show buffers Common Buffer Pool Usage: Pre-Allocated: 1000 for FE Total: 4560 1696 byte buffers = 7733760 bytes Used: Eth2: T1E1-0/2:...
Page 102 Platform Clear and Show Commands Memory Block Allocation: Memory Options enabled: None. --------------------------------------------------------------------- Size Carved --------------------------------------------------------------------- 1024 2080 4096 9216 17408 40960 69632 135168 291104 480000 700000 1560000 ---------------------------------------------------------------------- TotalBytes: Overhead: Uncarved: Max Heap: Parameter Descriptions Size Carved Number Carved Number in Use Average Size in Use Max Size Request Number of Requests Size Upgraded...
Page 103 Overhead Uncarved Max Heap show buffers i/o This command displays summary I/O (data buffers, frame elements) memory usage statistics. Allocations are based on the hardware present in the XSR. Syntax show buffers i/o Mode Privileged EXEC configuration: Sample Output Common Buffer Pool Usage: ------------------------------------------------------------ Pre-Allocated: 2000 for FE Total:10680*1696 byte buffers Used: FE Frag: Fwd Eng: T1E1-0/2: FE Frag: Fwd Eng: Eth1: Free: Buffers: 10680. Extra Mblks: 500. FrameElements: 5000 Jumbo buffers: Available: Sum of overhead bytes used for memory tracking, etc.
Page 104 Platform Clear and Show Commands Parameter Descriptions Common Buffer Pool Usage Used: FE Frag Fwd Eng Free Jumbo buffers: 8192 16384 32768 65536: Available: 8/ 8 4/ 4 2/ 2 1/ 1: show buffers malloc This command displays summary Malloc (tables, configuration structure) area memory statistics. Syntax show buffers malloc Mode Privileged EXEC configuration: 3-98 Configuring the XSR Platform One buffer pool exists for data buffers. These buffer blocks are pre‐ allocated as shown below: • 2000 for FE: 2000 x 1696‐byte buffers were pre‐allocated for use by the Forwarding Engine. • 1000 for FE Frag: 1000 x 1696‐byte buffers were pre‐allocated for use by FE Fragmentation. • 2048 for Eth1: 2048 x 1696‐byte buffers were pre‐allocated for use by the ...
Page 105: Show Clock
Sample Output Memory Block Allocation: Memory Options enabled: None. ------------------------------------------------------------------ Size Carved ------------------------------------------------------------------ 1024 2080 4096 9216 17408 40960 69632 135168 291104 480000 700000 1560000 ------------------------------------------------------------------ TotalBytes: Overhead: Uncarved: Max Heap: Parameter Descriptions show buffers Refer to the show clock This command shows current Universal Time Clock (UTC) set by Greenwich Mean Time (GMT). Syntax show clock Mode Privileged EXEC: ...
Page 106 Platform Clear and Show Commands show cpu-utilization This command tracks current use of various CPU processes as a percentage of total CPU usage for the last five second, one minute, and five‐minute intervals, and the number of times each process was called in total since the XSR was powered on. Also, CPU utilization is shown: the first percentage indicates total CPU usage, the second indicates the percentage of CPU time spent at the interrupt level, and remaining percentages are total CPU usage for 1‐ and 5‐minute periods. The command is a good diagnostic tool to measure which process is consuming the most CPU time and how strenuously the CPU is working as a whole. The XSR is operating normally if the CPU can satisfy advertised throughput levels at maximum capacity. Be aware that this command draws on processor capacity at the expense of operational needs. Syntax show cpu-utilization Mode EXEC or Privileged EXEC: Default CPU usage tracking is on by default. Sample Output XSR#show processes cpu Process OSPF Idle Other CPU utilization for five seconds: 14.53%/0.80%; one minute: 9.88%; five minutes: 8.20% Parameter Description Process Invoked...
Page 107 show fault-report This command displays the fault report captured when the XSR experiences a system problem. It contains information that pinpoints the cause of the software failure. This data is highly technical and is intended only for the use of service support engineers to diagnose the problem. The fault report can be viewed in Bootrom monitor mode or on the CLI. If the XSR experiences a processor exception, the software captures a fault report and restarts automatically. Only the first fault report is saved in case of multiple failures in a special RAM area and is preserved if the XSR is re‐booted but is lost if the XSR is powered down. Note: The XSR can store one fault report only. The fault report contains the following data relevant to the failure: • Cause of processor exception • Time stamp • Contents of processor registers • Operating system status • Status of tasks, current task (e.g., crashed task) • Contents of stacks (task stacks, interrupt stack) • Status of one special task (packet processor by default) • Code around the crash program counter • Task message queues • Memory management statistics • Task stack traces for all tasks Watchdog Fault Report A fault report is also captured in case a catastrophic watchdog interrupt occurs. If the software ...
Page 108 Platform Clear and Show Commands Sample Output The following is sample output from an XSR‐3020 router: Fault Report captured in node RouterName on Fault: Data TLB Miss Processor up-time = 1234 hours 59 minutes 59 seconds Processor = PowerPC 405 GP Exception Vector Number = 0x1100 PC=00012345 r0 =12345678...
Page 109: Show Logging
004276be 12345678 12345678 12345678 12345678 12345678 12345678 12345678 004276ce 12345678 12345678 12345678 12345678 12345678 12345678 12345678 004276de 12345678 12345678 12345678 12345678 12345678 12345678 12345678 etc. for all tasks End of fault report. When the XSR is automatically rebooted after a crash it performs a warm start. The following message is logged: 11 May 29 22:20:59 TORONTO: System warm boot from crash show logging This command displays the current message logging settings including all possible logging ...
Page 110 Platform Clear and Show Commands Syntax show logging Mode EXEC or Privileged EXEC: Example XSR>show logging file Sample Output The following example displays the logging file information: XSR#show logging file History of logging to file cflash:loggen File logging disabled File cflash:loggen does not exist. show logging history This command displays the contents of the logging history buffer. Mode Privileged EXEC: Example XSR#show logging history Sample Output...
Page 111: Show Version
Mode Privileged EXEC: Sample Output The following is example is output from an XSR‐1805: XSR#show version Enterasys Networks Operating Software Copyright 2002 by Enterasys Networks Inc. Hardware: Motherboard Information: XSR-1800 ID: 9002854-02 REV0A Serial Number: 0000019876543210 Processor: IBM PowerPC 405GP Rev. D at 200MHz RAM installed: 32MB Flash installed: 8MB on processor board, 16Mb compact flash CompactFlash: SunDisk SDP 5/3 0.6 has 32047104 bytes...
Page 112 Software file is “xsr1800.fls” with VPN; with Firewall XSR-1800 uptime is 33 days, 10 hours, 44 minutes. The following example displays output from an XSR‐3150: XSR#show version Enterasys Networks Operating Software Copyright 2003 by Enterasys Networks Inc. Hardware: Motherboard Information: XSR-3150 ID: 9002914-04 REV0A CPLD Rev 3 Serial Number: 3646031700233215...
Page 113: File System Commands
XSR#show whoami Sample Output XSR#show whoami Comm Server “Enterasys”, current line at 9600bps. File System Commands The XSR employs an MS‐DOS‐compatible file system in Flash memory. The following commands are available. boot system This command creates a image. This file name points to the firmware file loaded during system initialization in the following sequence: The boot‐config file is looked up in either flash: or cflash: • If boot‐config is not found there, the router proceeds to Step 2. • If the file named in boot‐config is not found, the router goes to Step 3. If the default file ( An FTP/TFTP server as defined in network parameters of Bootrom mode is queried. If the image is not found in this remote location, initialization is suspended in Bootrom mode. The command initiates a script requiring confirmation of your intention. Syntax boot system <newName.FLS> Mode Global configuration: Default • XSR1800.FLS ‐ for Series 1800 routers •...
Page 114 File System Commands XSR(config)#rename VPN_XSR1800.fls xsr1800.fls Rename flash:VPN_xsr1800.fls to flash:xsr1800.fls(y/n) ? y renaming file flash:VPN_xsr1800.fls -> flash:xsr1800.fls XSR# The following example renames the firmware file as part of an FTP/TFTP transfer. After entering the command, you are prompted by this script: XSR-1800#copy tftp://192.168.37.162/c:\firmware\VPN_xsr1800.fls flash:xsr1800.fls Copy 'c:\firmware\VPN_xsr1800.fls' from server as 'xsr1800.fls' into Flash(y/n) ? y !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! Download from server done File size: 3242460 bytes XSR-1800# This command changes the current directory to ...
Page 115 Copy ‘XSR1800.FLS’from server as ‘XSR1800.FLS’ into Flash (y/n) ?y !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! Download from server done File size: 1856714 bytes The image is copied to flash: is temporarily without valid software in Flash and the XSR should not be reloaded or powered‐ down. A new TFTP copy should be initiated. The CLI session which initiated the copy is blocked during TFTP loading. flash:startup-config. file on a TFTP server over the network. Enter: ipconfig command at a DOS prompt will reveal the and its checksum verified. Should the transfer fail, then the router File System Commands tftp:[[// The location must be an IP address. xsr1800.fls XSR CLI Reference Guide 3-109 flash: so as to ...
Page 116 File System Commands Configuration Load This example loads startup‐config via the network from a TFTP server. The XSR does not load the configuration from the network automatically. XSR#copy tftp:TFTP1/tftpfiles/tftpimage flash:startup-config Save Running Configuration To save configuration changes into non‐volatile memory, the running configuration must be copied into startup configuration: XSR#copy running-config startup-config copy running-config startup-config This command copies the running configuration to the startup configuration file which is stored in non‐volatile memory. It initiates a script requiring confirmation of your intention. Syntax copy running-config startup-config Mode Privileged EXEC: Example XSR#copy running-config startup-config Sample Output XSR#copy running-config startup-config Copy 'running-config' as 'startup-config' into flash: device (y/n) ? y Running-config saved to startup-config.
Page 117 Mode Privileged EXEC: Example XSR#copy startup-config tftp://192.168.1.100/cfg.txt Sample Output XSR#copy startup-config tftp://192.168.1.100/abc.cfg Copy 'startup-config' from Flash to server as 'abc.cfg'(y/n) ? y Upload to server done File size: 2997 bytes delete <file> This command removes a file from the XSR file system. It initiates a script requiring confirmation of your intention. Syntax delete [flash: | cflash:] filename flash: cflash: filename Mode...
Page 118 File System Commands Mode Privileged EXEC: Default flash: unless you change the default using the Example XSR#dir flash: Sample Output The following is sample output from an XSR 1800 Series router: XSR#dir flash: Listing Directory flash: size 817496 3220453 2,328,576 bytes free 6,381,568 bytes total more This command shows a file’s contents in ASCII format by default or hexadecimal (binary) format. Syntax XSR#more [/ascii | /binary | flash: | cflash:]filename /ascii...
Page 119 Default • Format: ASCII • Directory: current directory Examples XSR#more /ascii flash:startup-config XSR#more flash:startup-config Sample Output In ASCII format ( Controller t1 1/0 Clock source line primary Framing esf In Binary format ( 00000000 12345678 12345678 12345678 12345678 00000010 12345678 12345678 12345678 12345678 00000020 12345678 12345678 12345678 12345678 This command displays the current directory. Syntax XSR#pwd Mode...
Page 120 File System Commands which is specified in the flash:boot‐config file. Although you cannot configure the secondary EOS file, if you wish to rename it, use the does not exist in the flash: directory, EOS fallback will seach for the default xsr1800.fls or specified in the bootrom using the Bootrom monitor mode commands When you reboot the router using running config the Be aware that the reload command does not appear in For more information on how to use this command, refer to the Chapter 2: Managing the XSR in the XSR User’s Guide. Syntax reload [in | at [mmm | hh:mm] | cancel | cold | warm | fallback] primary-file {cflash: | flash:} duration [config | snmp [ip-address]]...
Page 121 XSR#reload at 12:12 fallback config 10 config snmp 192.168.57.4 Sample Output The following output is displayed, prompting you for a response, when you issue a cold reload: XSR#reload cold Proceed with reload (y/n)? y X-Pedition Security Router Bootrom Copyright 2004 Enterasys Networks Inc ...etc. proceeds with warm start The following output is displayed when you cancel a reload: XSR#reload cancel No EOS Fallback is enabled No reload is scheduled rename This command renames a file in the ...
Page 122: Show Reload
File System Commands Example XSR#rename cflash:xsr3000.fls.5512 flash:xsr3000.fls show hostname This command displays the name you specified for the XSR. Syntax show hostname Mode EXEC: XSR> Example XSR#show hostname Sample Output XSR#show hostname Local hostname is XSR show reload This command displays data about scheduled reloads of the Enterasys Operating System (EOS). Syntax show reload Mode Privileged EXEC: Sample Output The following is sample output from the command when a reload is scheduled: XSR#show reload Reload scheduled in 9:56 minutes eos fallback eos fallback...
Page 123 XSR#show reload No reload is scheduled No EOS fallback Parameter Description running/not polling crash monitoring fallback config snmp monitoring test duration primary file show running-config This command displays the router’s running configuration as a sequence of CLI commands segmented by module. The XSR gathers data from all system modules but collects and displays only those values different from default settings. Syntax show running-config Mode Privileged EXEC: Example XSR#show running-config Sample Output The XSR 1800 Series sample output below displays as a number of CLI commands under the appropriate modules:...
Page 124 File System Commands session-timeout console 35000 session-timeout telnet 35000 session-timeout ssh 35000 !T1E1 controller t1 0/2/0 clock source internal no shutdown !IKE crypto isakmp proposal try1 authentication pre-share encryption aes hash md5 group 5 lifetime 40000 crypto isakmp peer 2.2.2.2 255.255.255.255 crypto isakmp peer 1.1.1.1 255.255.255.255 !IPSEC crypto ipsec transform-set jj...
Page 125 File System Commands !OSPF router ospf 1 network 30.1.1.0 0.0.0.255 area 0.0.0.0 network 20.1.1.0 0.0.0.255 area 0.0.0.0 !RIP router rip !SNMP snmp-server community public rw snmp-server enable !AAA aaa group ii dns server primary 0.0.0.0 dns server secondary 0.0.0.0 wins server primary 0.0.0.0 wins server secondary 0.0.0.0...
Page 126 File System Commands verify This command verifies a packed software image file. The file name must end in *.fls. If the directory name is not specified, the current directory is used. Syntax XSR#verify [flash: | cflash:]filename.fls flash: cflash: filename.fls Mode Privileged EXEC: Sample Output The following sample XSR 1800 Series output displays a correct message: XSR#verify xsr1800.fls Verifying SW image file, j.fls File chksum=0xeb14 SW Image size=070452 sum=0x6a9e compressed_size=1578677 entry=0x10000 Diagnostics size=815012 sum=0x2a32 compressed_size=266244 entry=0x10000 xsr1800.fls is a valid S/W image file or an error message: Invalid chksum(0xf2d9)!=Expected chksum0x4800 write...
Page 127: Bootrom Monitor Mode Commands
Bootrom Monitor Mode Commands Bootrom monitor mode offers special user access for Flash:/CompactFlash: file operations and on occasions when the XSR lacks valid software or runs abnormally. Enter the mode by pressing the key combination ( list command groups by typing All sub‐commands in each group can be listed by entering the command group letter. The main menu provides the following functions: • Reboot warm or cold • Update Bootrom • File system‐related commands for the Flash ROM file system • Modify network parameters • Various status/show commands – Version number – Hardware information – Display crash information • Display or change date and time on real‐time clock • Commands for development use only This command initiates a cold reboot. This command initiates a warm reboot. This command changes the Bootrom password. The default password is blank. You are prompted to enter a password by the following script: XSR-1800: bp Enter current password: Enter new password: ****** Re-enter new password: ****** Password has changed.
Page 128 Bootrom Monitor Mode Commands If the Bootrom password is lost on the XSR 1800 Series, you can restore it by pressing the Default button. Be aware that when pressed, the Default button erases all configuration files and the master encryption key. This command updates the Bootrom file from a local file. You are prompted to enter data by the following script. When the “ appears, enter y. Be sure not to interrupt the process or power down the XSR or it may be affected adversely. After you have updated this file, you can delete it from Flash to conserve space for other files. The following example displays output from an XSR 1800 Series router: XSR-1800: bu cflash:bootrom1_20.fls Checking cflash:bootrom1_18.fls... Updating bootrom with file, “cflash:bootrom1_18.fls”. Proceed with erasing current Bootrom in flash and replace with cflash:bootrom2_02.fls?y ***************************************************** Do not interrupt or power down until complete!
Page 129 This command displays system date and time with this sample output: XSR-1800: da Date: Thursday, 29-MAY-2003. Time: 10:14:07 This command removes a file from This command displays free disk space with this sample output: XSR-1800: df Free space on flash: is 3383296 bytes (0x33a000). This command lists the contents of the current directory in long format. The XSR 1800 Series sample output is shown as follows: XSR-1800: dir size -------- 1728458 1569 794828 1352 808220 3383296(0x33a000) bytes free on flash: The XSR 3000 Series sample output is shown as follows: XSR-3250: dir Listing Directory flash:: -rwxrwxrwx -rwxrwxrwx -rwxrwxrwx...
Page 130 Enter ‘.’ = clear a field; ‘-’ = go to previous field; Local IP address (192.168.1.1) : Gateway IP address () : 3-124 Configuring the XSR Platform hh mm ss files to cflash: or a PC since any files in CTRL-C and acquire Bootrom mode is negated. You can still acquire Bootrom CTRL-C hostname CLI command, this name will be used as the CLI . For example: .dat flash: will be deleted. You upon seeing the X‐Pedition Security Router ^C = quit .cert .cfg , ...
Page 131 Remote Host IP address (192.168.1.10) : Remote file path (c:\) : Use TFTP (no) : Ftp userid (anonymous) : Ftp password () : Local target name (robo1) : Autoboot (yes) : Quick boot (no) : Permanently save the network parameters? (y/n) This command saves a file over the network using a remote IP address/file path.
Page 132 XSR-3250 ID: 9002914-04 REV0A CPLD Rev 3 Serial Number: 2914024201123206 Processor: Broadcom BCM1250 Rev 2 at 600MHz PowerSupply1, PowerSupply2 Fans 1 2 3 4 5 7 8 10 CPU Temperature Max: 80C Router Temperature Max: 60C 3-126 Configuring the XSR Platform 85febb90 par2= 85febaf8 par3=...
Page 133 Creation date: Apr 14 2003, 10:12:36 1 2 3 : 10.120.112.33 : 10.120.112.88 : c:/tftpDir : TFTP : XSR1 : enabled : no : 192.168.1.1 X-Pedition Security Router Bootrom Copyright 2003 Enterasys Networks Inc. Bootrom Monitor Mode Commands XSR CLI Reference Guide 3-127...
Page 134 Bootrom Monitor Mode Commands 3-128 Configuring the XSR Platform...
Page 135: Chapter 4: Configuring Hardware Controllers
Observing Syntax and Conventions The CLI command syntax and conventions use the notation described in the following table. Convention [x | y | z] {x | y | z} [x {y | z} ] (config-if<xx>) Next Mode entries display the CLI prompt after a command is entered. soho.enterasys.com Hardware Controller Commands The following command sets allow you to define synchronization features for the XSR: • “Hardware Controller Commands” on page 4‐83 •...
Page 136 Hardware Controller Commands Syntax clock rate bps Configures the clock rate in bits per second (baud) on the line (async only). Valid rates are: 2400, 4800, 7200, 9600, 14400, 19200, 28800, 38400, 57600, and 115200. Syntax of the “no” Form no clock rate Mode Interface configuration: Default 9600 Example XSR(config-if<S1/0>)#clock rate 19200 databits This command sets the number of data bits accepted on a serial port. The command is valid and takes effect only when the interface is running in Async mode. In Sync mode, the clock rate is received externally. Syntax databits bits bits Number of databits per character on a serial port, ranging from 5 to 8. Mode Interface configuration: Syntax of the “no” Form no databits Default Example...
Page 137 • When connecting an setting must be set to • When the Gigabit Fiber port is uses, both duplex and speed must be set to auto on both ends of the line to avoid an unpredictable link. Syntax duplex {full | half | auto} full half auto Alphanumeric characters which describe the interface. XSR(config-if<xx>)# speed command, forces the FastEthernet/ auto , duplex will be set to auto , no speed, or no duplex sets both duplex and speed to auto. auto setting on an XSR to a forced setting on another router, the forced half-duplex regardless of the speed (10 or 100 Mbits). Forces the interface to operate at full‐duplex. Forces the interface to operate at half‐duplex. Allows the port to set the speed and duplex mode automatically. Hardware Controller Commands half XSR CLI Reference Guide 4-85...
Page 138 Hardware Controller Commands Syntax of the “no” Form no duplex Default auto Mode Interface configuration: Example XSR(config-if<F1/0>)#duplex full XSR(config-if<F1/0>)#speed 100 loopback This command forces the port into internal loopback mode. That is, the sender is internally connected to the receiver. This command is normallyused for diagnostic purposes only. Note: Issuing this command will isolate the port from any connected network. Syntax loopback Syntax of the “no” Form no loopback Mode Interface configuration: ...
Page 139 media-type This command sets the media‐type appropriate to the cable type that the interface is connected to. Syntax media-type {RS232 | RS422 | RS449 | RS530A | V35 | X21} Note: The XSR Serial NIM does not detect the media-type of an attached cable. You must configure the correct interface media-type matching the attached cable for the serial interface to function properly.
Page 140 Hardware Controller Commands parity This command configures the parity on a serial interface. It is valid and takes effect only when the interface is in Asynchronous mode. Syntax parity {even | mark | none | odd | space} even mark none space Syntax of the “no” Form The no form of this command invokes the none value: no parity Mode Interface configuration: Default None Example XSR(config-if<S1/0>)#parity odd physical-layer This command specifies the mode of a serial interface as either synchronous or asynchronous. If set to synchronous, the port is configured as a DTE requiring an external transmit and receive clock to be supplied. If set to asynchronous, the interface will supply its own clock. Note: A serial interface configured as a synchronous serial port must have an external transmit and receive clock.
Page 141 Mode Interface configuration: Default Sync Example XSR(config-if<S1/0>)#physical-layer async shutdown This command disables an interface. When the interface is created, it is disabled by default. Note: Issuing this command causes the interface to drop its link while disabled. Syntax shutdown Syntax of the “no” Form no shutdown Mode Interface configuration: Default When the interface is created, it is disabled by default. Example XSR(config-if<S1/0>)#no shutdown speed This command, used in conjunction with the to operate at a specific speed and/or duplex mode. Setting the speed or duplex to auto‐negotiate ...
Page 142 Mode Interface configuration: Default Auto Example XSR(config-if<S1/0>)#speed auto XSR(config-if<S1/0>)#duplex auto stopbits This command sets the number of stop‐bits on a serial port. It is valid and takes effect only when the interface is running in asynchronous mode. Syntax stopbits {1 | 2} Syntax of the “no” Form no stopbits 4-90 Configuring Hardware Controllers auto setting on an XSR to a forced setting on another router, the forced half-duplex regardless of the speed (10 or 100 Mbits). auto then you may use a cross‐over or straight‐through Forces the interface to operate at 10 Mbits per second. Forces the interface to operate at 100 Mbits per second. Allows the port to set the speed and duplex mode automatically. XSR(config-if<Fx>)# One stop bit. Two stop bits.
Page 143 Mode Interface configuration: Default Example The following example sets 2 stopbits on Serial port 1/0: XSR(config-if<S1/0>)#stopbits 2 vlan This command configures a Virtual LAN (VLAN) ID on a sub‐interface. Note: Similar to the PPPoE sub-interface, you must issue the no shutdown command to keep the interface up. Syntax vlan vlan-id vlan-id Syntax of the “no” Form The no form of this command removes the VLAN ID configuration: no vlan Mode Sub‐Interface configuration: Examples The following example configures a FastEthernet sub‐interface with VLAN ID 10:...
Page 144: Hardware Controller Clear And Show Commands
Hardware Controller Clear and Show Commands Hardware Controller Clear and Show Commands clear counters fastethernet This command clears MIB‐II counters for the FastEthernet interface. The counters cleared include: • ifInOctets • ifInUcastPkts • ifInNUcastPkts • ifInDiscards • ifInErrors • ifOutOctets • ifOutUcastPkts • ifOutNUcastPkts • ifOutDiscards • ifOutErrors • ifInUnknownProtos Syntax clear counters fastethernet interface sub-interface interface sub-interface Mode...
Page 145: Clear Interface Gigabitethernet
Mode Privileged EXEC: Example The following example clears the MIB‐II counters on GigabitEthernet port 3, sub‐interface 2: XSR#clear counters gigabitethernet 3.2 clear interface fastethernet This command resets the hardware logic on the FastEthernet interface. Using it preserves the current loopback mode, duplex mode and speed. This command is available on the XSR 1800 Series routers only. Note: Issuing this command causes the interface to drop its link, any packets that it may have received, and any packets that may be in the process of being transmitted, while it resets. It preserves the current loopback mode, duplex mode and speed.
Page 146 Hardware Controller Clear and Show Commands Example The following example resets GigabitEthernet port 1, sub‐interface 5: XSR#clear counters gigabitethernet 1.5 clear counters serial This command clears serial interface counters. The counters cleared are: • ifInOctets • ifInUcastPkts • ifInNUcastPkts • ifInDiscards • ifInErrors • ifOutOctets • ifOutUcastPkts • ifOutNUcastPkts • ifOutDiscards • ifOutErrors • ifInUnknownProtos Syntax clear counters serial [card / port] card port Mode...
Page 147 Syntax clear interface serial [card/port] card port Mode Privileged EXEC: Example XSR#clear interface serial 1/0 show controllers fastethernet This command displays detailed FastEthernet controller data for a port. This interface is available on the XSR 1800 Series routers only. Syntax show controllers fastethernet number number Mode Privileged EXEC or Global configuration: Sample Output The following example displays output from FastEthernet port 1: XSR(config)#show controllers fastethernet 1 Packet Processor Tx Scheduler Stats: 157 Packet driver Tx OK 0 Packet driver not Tx: MUX END_ERR_BLOCK 0 Packet driver not Tx: MUX ERROR 0 Packet driver not Tx: Unknown Msg from MUX...
Page 148 Hardware Controller Clear and Show Commands dataLen 0x00000000, status 0x00001300, buffer 0x00000000 dataLen 0x00000000, status 0x00001300, buffer 0x00000000 dataLen 0x00000000, status 0x00001300, buffer 0x00000000 dataLen 0x00000000, status 0x00001300, buffer 0x00000000 [...] RX RING ENTRIES: The ring starts at 0x01fcc000. RxDRNum = 128, pRxMblkDR = 0x01f33c88, RxDRIdx = 19 RxBuffSize = 1728, RxBuffOffset = 160 dataLen 0x00000000, status 0x00008000, buffer 0x01cc6c20 dataLen 0x00000000, status 0x00008000, buffer 0x01cc72e0...
Page 149 datalen 0x00000000, status 0x00000000, buffer 0x80000000 datalen 0x00000000, status 0x00000000, buffer 0x80000000 datalen 0x00000000, status 0x00000000, buffer 0x80000000 datalen 0x00000000, status 0x00000000, buffer 0x80000000 datalen 0x00000000, status 0x00000000, buffer 0x80000000 [...] RX RING: Ring starts at 0x81568c60. RMaxDR=512, pRCurrDR=0x00000830, RIdx=0 datalen 0x00000000, status 0x00000000, buffer 0x8ff5df60 datalen 0x00000000, status 0x00000000, buffer 0x8ff5e620 datalen 0x00000000, status 0x00000000, buffer 0x8fe86ce0...
Page 150 Hardware Controller Clear and Show Commands Packet Processor Tx Scheduler Stats: 0 Packet driver Tx OK 0 Packet driver not Tx: MUX END_ERR_BLOCK 0 Packet driver not Tx: MUX ERROR 0 Packet driver not Tx: Unknown Msg from MUX The unit number is 50331656. The interrupt number is 26.
Page 151 channel ISDN BRI D‐ or B‐channel, either 0 for the D‐channel, and 1 or 2 for the B‐ channels. sub-interface ISDN BRI sub‐interface, ranging from 1 to 30. Mode Privileged EXEC or Global configuration: Sample Output The following example displays output by the command: XSR(config)#show interface bri 1/0 ********** Serial Interface Stats ********** D-Serial 1/0:0 is Admin Up / Oper Down ********************** ISDN Layer 1: DOWN Layer 2: DOWN Term. 1 Spid:2200555 State: Term. 2 Spid:2201555 State: Total Length = 257 The name of this device is bri0/1/0:0 .
Page 152 Hardware Controller Clear and Show Commands show interface dialer This command displays information about the Dialer interface. Syntax show interface dialer [number] number Mode Privileged EXEC or Global configuration: Sample Output The following example displays information about Dialer interface 3: XSR#show interface dialer 3 ********** Dialer Interface Stats ********** Dialer3 is Admin Down Internet address is not assigned Dialer3 Dialer state is: DOWN Wait for carrier default: 60, default retry: 3 Dial String...
Page 153 Internet address is 54.54.54.1, subnet mask is 255.255.255.0 Secondary Internet address is 57.57.57.1, subnet mask is 255.255.255.0 Secondary Internet address is 58.58.58.1, subnet mask is 255.255.255.0 Secondary The name of this device is Eth1. The physical link is currently up. The device is in polling mode, and is active.
Page 154 Hardware Controller Clear and Show Commands The Name of the Access Concentrator is c3600-1 The Session Id is 0x0005 The MAC Address of the Access Concentrator is The MTU is 1492 Other Interface Statistics: ifOperStatus ifInOctets ifOutOctets Configured VLANs: VLAN Id PPP Encapsulation show interface gigabitethernet This command displays information about a GigabitEthernet interface which is available on XSR ...
Page 155 ifLastChange ifInOctets ifInUcastPkts ifInNUcastPkts ifInDiscards ifInErrors ifInUnknownProtos ifOutOctets ifOutUcastPkts ifOutNUcastPkts ifOutDiscards ifOutErrors ifOutQLen show interface loopback This command displays information about the loopback interface. Syntax show interface loopback [number] number Mode Privileged EXEC or Global configuration: Sample Output The following is sample output from Loopback interface 5: XSR#show interface loopback5 Loopback5 is Admin Up Description: My loopback interface Internet address is 57.57.57.57, subnet mask is 255.255.255.0 show interface multilink This command displays information about the Multilink interface.
Page 156 Hardware Controller Clear and Show Commands XSR#show interface multilink 8 ********** Multilink Interface Stats ********** Multilink 8 is Admin Down Internet address is not assigned State: CLOSED Multilink State: CLOSED Max Fragment delay is 10 ms MLPPP Bundle Info: Control Object state is Admin Down / Oper Down Multilink PPP has no memberlinks Data Object state is Admin Down The adjacent is DOWN and data passing is FALSE...
Page 157 Sent: 0 octets, 0 unicast packets, 0 discards, 0 errors. MTU is 1500 bytes. Proxy ARP is enabled. Helper address is not set. Directed broadcast is enabled. Outgoing access list is not set. Inbound access list is not set. IP Policy Based Routing is not enabled. The following example is sample output from the ...
Page 158 Hardware Controller Clear and Show Commands ifindex ifType ifAdminStatus ifOperStatus ifLastChange ifInOctets ifInUcastPkts ifInNUcastPkts ifInDiscards ifInErrors ifInUnknownProtos ifOutOctets ifOutUcastPkts ifOutNUcastPkts ifOutDiscards ifOutErrors ifOutQLen show interface vpn This command displays attributes of the configured VPN interface. Syntax show interface vpn [0-255] Mode Privileged EXEC or Global configuration: Sample Output The following is sample output displaying VPN interface 57 statistics: XSRtop#show interface vpn 57 Vpn 57 is Admin Up Internet address is 4.4.4.4, subnet mask is 255.255.255.0 Multicast redirect to 6.6.6.6 is enabled.
Page 159: Chapter 5: Configuring The Internet Protocol
• “PBR Clear and Show Commands” on page 5‐148. • “ARP Commands” on page 5‐149. • “Other IP Commands” on page 5‐151. • “IP Clear and Show Commands” on page 5‐168. • “Network Address Translation Commands” on page 5‐182. • “Virtual Router Redundancy Protocol Commands” on page 5‐191. Configuring the Internet Protocol Description Key word or mandatory parameters (bold) [ ] Square brackets indicate an optional parameter (italic) [ | ] Square brackets with vertical bar indicate a choice of values { | } Braces with vertical bar indicate a choice of a required value [{ | } ] Combination of square brackets with braces and vertical bars indicates a required choice of an optional parameter xx signifies interface type and number, e.g.: indicates a FastEthernet, and Italicized, non-syntactic text indicates either a user-specified entry or text with special emphasis , ...
Page 160: Ospf Commands
The default value is Type 0 authentication; that is, no authentication. Example This example enables authentication on OSPF area 10.0.0.0. interface Serial 1/1, whose address is 172.16.77.1, is part of area 10.0.0.0, so an authentication mechanism could be defined for it: XSR(config)#interface serial 1/1 XSR(config-if<S1/1)#ip address 172.16.77.1 255.255.255.0 XSR(config-if<S1/1)#ip ospf message-digest-key 20 md5 pass1 XSR(config)#router ospf 1 XSR(config-router)#network 172.16.77.1 0.0.0.0 area 10.0.0.0 XSR(config-router)#area 10.0.0.0 authentication message-digest area default-cost This command sets the cost value for the default route that is sent into a stub area by an Area Border Router (ABR). This command is restricted to ABRs attached to stub areas. Syntax area area-id default-cost cost area-id cost 5-84 Configuring the Internet Protocol OSPF area to be authenticated, expressed in decimals or IP addresses.
Page 161: Area Nssa
Mode Router configuration: Default Example The following command sets the cost value for the stub area 10 as 99: XSR(config)#interface serial 1/0 XSR(config-if<S1/0>)#ip address 172.16.101.5 255.255.255.252 XSR(config-if<S1/0>)#router ospf XSR(config-router)#network 172.16.101.5 0.0.0.0 area 10 XSR(config-router)#area 10 stub no-summary XSR(config-router)#area 10 default-cost 99 area nssa This command configures an area as a Not So Stubby Area (NSSA) which allows some external routes represented by external Link‐State Advertisements (LSAs) to be imported into it. This is in contrast to a stub area that does not allow any external routes. External routes that are not imported into an NSSA can be represented by means of a default route. It is used when an OSPF inter‐network is connected to multiple non‐OSPF routing domains. Syntax...
Page 162: Area Range
OSPF Commands Default No NSSA defined Example The following example configures area 10 as a NSSA area: XSR(config)#interface fastethernet 1 XSR(config-if<F1>)#ip address 172.16.10.5 255.255.255.252 XSR(config)#router ospf 1 XSR(config-router)#network 172.16.10.5 0.0.0.0 area 10 XSR(config-router)#area 10 nssa default-information-originate area range This command defines the range of addresses to be used by Area Boundary Routers (ABRs) when they communicate routes to other areas. ABRs summarize an area’s intra‐area routes into inter‐ area routes which are then injected into other areas. The metric used is the highest metric of the included intra‐area routes. The forwarding address is 0. Other actions implemented by this command include: • A summary range becomes active if it includes at least one intra‐area route being leaked into the area. • A discard route is installed for an active summary range. Conversely, when it becomes inactive, the discard route is removed. • The cost of the summary range is the highest cost among all leaked intra‐area routes.
Page 163: Area Stub
Mode Router configuration: Examples This example sets the address range used by this router for summarized routes learned at the boundary of area 0.0.0.0, as 172.16.0.0/16: XSR(config)#interface fastethernet 1 XSR(config-if<F1>)#ip address 172.16.16.1 255.255.240.0 XSR(config)#router ospf 1 XSR(config-router)#network 172.16.16.1 0.0.0.0 area 0.0.0.0 XSR(config-router)#area range 0.0.0.0 172.16.0.0 255.255.0.0 The following example aggregates 64.64.64.0/24 in area 1 into summary route 64.0.0.0/8 and makes the summary available for creation of inter‐area routes: XSR(config)#router ospf 1 XSR(config-router)#area 1 range 64.0.0.0 255.0.0.0 area stub This command defines an area as a stub area. Syntax area area-id stub [no-summary]...
Page 164 XSR(config)#network 172.16.152.0 0.0.0.0 area 10 XSR(config)#area 10 stub area virtual-link This command defines an OSPF virtual link, which represents a logical connection between the backbone and a non‐backbone OSPF area. Backbones are areas including all ABRs, networks not wholly contained in any area, and their attached routers. Syntax area area-id virtual-link router-id [authentication [message-digest | null]] [hello-interval seconds] [retransmit-interval seconds] [transmit-delay seconds] [dead-interval seconds] [authentication-key key | message-digest-key keyid md5 key] area-id router-id authentication...
Page 165 The no form of this command removes the virtual link: no area area-id virtual-link router-id [authentication [message-digest | null]] [hello-interval seconds] [retransmit-interval seconds] [transmit-delay seconds] [dead-interval seconds] [authentication-key key | message-digest-key keyid md5 key] Mode Router configuration: XSR(config-router)# Defaults • hello‐interval seconds: 10 seconds • retransmit‐interval seconds: 5 seconds • transmit‐delay seconds: 1 second • dead‐interval seconds: 40 seconds • authentication‐key key: No default •...
Page 166 OSPF Commands Area 0.0.0.0 auto-virtual-link This command automatically creates virtual links. Refer to the more related information. Syntax auto-virtual-link Syntax This command’s no form negates the automatic creation of a virtual link: no auto-virtual-link Mode OSPF Router configuration: Example XSR(config-router)#auto-virtual-link database-overflow This command dynamically limits the size of OSPF Link‐State database overflow, a condition where the XSR is unable to maintain the database in its entirety. Typically, database overflow occurs when a router imports a large number of external, Type 5 LSA routes into OSPF. This command lets you control other LSA types as well: 1‐4, 7, and 10. Usually, this problem can be averted by proper configuration of OSPF routers into stub areas or NSSAs, since AS‐external LSAs are omitted from this type of Link‐State databases. But, in the event of an unexpected database overflow, there is insufficient time to perform this type of isolation. Syntax database-overflow [LSA type][option] LSA Type: asbr-summary external 5-90 Configuring the Internet Protocol Figure 5-1...
Page 167 Warning Level: 0 Mode OSPF Router configuration: Examples The following example configures parameters for Type 5 external LSA database overflow: XSR(config)#router ospf 1 XSR(config-router)#database-overflow external limit 1000 XSR (config-router)#database-overflow external exit-overflow-interval 3600 XSR(config-router)#database-overflow external warning-level 900 The following example configures parameters for Type 2 network LSA database overflow: XSR(config)#router ospf 1 XSR(config-router)#database-overflow network limit 1000 XSR (config-router)#database-overflow external exit-overflow-interval 3600 XSR(config-router)#database-overflow external warning-level 900 distance (OSPF) This command defines an administrative distance (route preference) for the OSPF domain. OSPF ...
Page 168 Syntax distance ospf {intra | inter | ext} weight intra inter weight Syntax of the “no” Form The no command resets the administrative distance to the default value for the particular type of routes. If no type of routes is referenced, the distance for all three types of OSPF routes are reset to the default. no distance OSPF {intra | inter | ext} Mode Router configuration: Default • Distances between 241 and 255 are reserved for internal use. • The condition of intra‐area distance is less than inter‐area distance is less than external distance is always preserved. If you attempt to configure otherwise, the configuration will fail and you will receive a warning message. • Default distances must not be the same for any two routing protocols. •...
Page 169 OSPF Commands Example This example sets the administrative distance for OSPF external routes to 65. Note that you can do so only if both intra and inter OSPF distances are less than 65, otherwise you will not be permitted to change the value. XSR(config)#router ospf 1 XSR(config-router)#distance ospf ext 65 XSR CLI Reference Guide 5-93...
Page 170: Ip Ospf Cost
OSPF Commands ip ospf cost This command sets the cost of sending a packet on a interface. Each router interface that participates in OSPF routing is assigned a default cost. This command overwrites the default. Syntax ip ospf cost cost cost Syntax of the “no” Form no ip ospf cost Mode Interface configuration: Default Example The following example sets cost 20 for interface FastEthernet 1: XSR(config)#interface fastethernet 1 XSR(config-if<F1>)#ip ospf cost 20 ip ospf dead-interval This command sets the interval a router must wait to receive a hello packet from its neighbor before determining that the neighbor is out of service. Syntax...
Page 171 Default Four times the value of the seconds parameter defined in the Example The following example sets the dead interval to 20 for FastEthernet port 2: XSR(config)#interface fastethernet 2 XSR(config-if<F2>)#ip address 172.16.16.1 255.255.255.0 XSR(config-if<F2>)#ip ospf dead-interval 20 ip ospf hello-interval This command sets the number of seconds a router must wait before sending a hello packet to neighbor routers on the interface. Syntax ip ospf hello-interval seconds seconds Syntax of the “no” Form The no form of this command sets the value to the default: no ip ospf hello-interval Mode Interface configuration: Default •...
Page 172 The following example enables OSPF MD5 authentication on interface Serial 1/0, and sets the key identifier at 20, and the password as pass1. XSR(config)#interface serial 1/0 XSR(config-if<S1/0>)#ip address 172.16.77.1 255.255.255.0 XSR(config-if<S1/0>)#ip ospf message-digest-key 20 md5 pass1 XSR(config)#router ospf 1 XSR(config-router)#network 172.16.77.1 0.0.0.0 area 10.0.0.0 XSR(config-router)#area 10.0.0.0 authentication message-digest ip ospf passive This command suppresses OSPF packets from being sent or received over a specified interface. Syntax ip ospf passive Syntax of the “no” Form This command’s no form removes the passive action on the interface:...
Page 173: Ip Ospf Priority
Syntax of the “no” Form The no form of this command removes the poll interval: no ip ospf poll-interval Mode Interface configuration: Example This example configures the poll interval to 12 times the default hello interval (10 seconds): XSR(config-if<S1/0:0>)#ip ospf poll-interval 120 ip ospf priority This command sets the OSPF priority value for router interfaces. The priority value is communicated between routers by means of hello messages and this value influences the election of a designated router. Syntax ip ospf priority number number Syntax of the “no” Form The no form of this command sets the value to the default: no ip ospf priority XSR(config-if<xx>#...
Page 174 OSPF Commands Mode Interface configuration: Default Example The following example sets OSPF priority to 20 for FastEthernet port 1: XSR(config)#interface fastethernet 1 XSR(config-if<F1>)#ip address 172.16.16.1 255.255.255.0 XSR(config-if<F1>)#ip ospf priority 20 ip ospf retransmit-interval This command sets the interval between retransmissions of link state advertisements for adjacencies that belong to this interface. Syntax ip ospf retransmit-interval seconds seconds Syntax of the “no” Form The no form of this command sets the value to the default: no ip ospf retransmit-interval Mode Interface configuration: ...
Page 175 ip ospf transmit-delay This command sets the interval required to transmit a link state update packet on this interface. Syntax ip ospf transmit-delay seconds seconds Syntax of the “no” Form The no form of this command sets the value to the default. no ip ospf transmit-delay Mode Interface configuration: Default 1 second Example The following example sets the interval required to transmit a link state update packet on interface FastEthernet 1 at 20 seconds: XSR(config)#interface fastethernet 1 XSR(config-if<F1>)#ip address 172.16.16.1 255.255.255.0 XSR(config-if<F1>)#ip ospf transmit-delay 20 network This command identifies and defines area IDs for interfaces OSPF runs on. Syntax network address wildcard-mask area area-id address...
Page 176 Example In this example, three routers are configured to run OSPF. Router R1 and R3 are internal routers. R1 is internal to area 1, and R3 internal to area 0. R2 is an Area Border Router (ABR). Enter the following commands on R1: XSR(config)#interface fastethernet 1 XSR(config-if<F1>)#ip address 131.108.1.1 255.255.255.0 XSR(config)#router ospf 1 XSR(config-router)#network 131.108.1.0 0.0.255.255 area 1 On R2 (ABR), enter the following commands: XSR(config)#interface fastethernet 2 XSR(config-if<F2>)#ip address 131.108.1.2 255.255.255.0 XSR(config)#interface serial 1/0 XSR(config-if<S1/0>)#ip address 131.108.2.3 255.255.255.0 XSR(config)#router ospf 1 XSR(config-router)#network 131.108.1.0 0.0.0.255 area 1 XSR(config-router)#network 131.108.2.0 0.0.0.255 area 0...
Page 177: Router Ospf
[metric metricvalue] Mode Router configuration: Default Disabled Examples This example redistributes static routes from 5 hops away into RIP: XSR(config-router)#router rip XSR(config-router)#redistribute static 5 The following example redistributes intra, inter and external OSPF routes into RIP: XSR(config-router)#redistribute ospf match internal match external The following example imports all OSPF routes into RIP with the default RIP metric of 1. It is equivalent to the command entered earlier. XSR(config-router)#redistribute ospf router ospf This command enables the Open Shortest Path First (OSPF) protocol. Syntax router ospf process-id process-id Syntax of the “no” Form The no form of this command disables OSPF:...
Page 178 OSPF Commands Next Mode Router configuration: Default OSPF disabled Example The following example enables OSPF routing: XSR(config)#router ospf 2 XSR(config-router)# summary address This command summarizes locally‐sourced (Type‐5) routes on the XSR which are redistributed from other protocols into OSPF. Type‐7 translations are not summarized. Other actions implemented include: • A summary range becomes active if it includes at least one locally sourced route being redistributed into OSPF. If an active summary range is advertised, then a discard route will be installed for the summary range. Conversely, when it becomes inactive, the discard route is removed. • Activated summary ranges to be advertised will result in a Type‐5 Linke‐State Announcement (LSA). If they include a NSSA area, then they will also produce a Type‐7 LSA for each NSSA area. • The type/cost of the summary range is the highest type/cost among all included locally‐ sourced routes. The forwarding address is 0. • Summary ranges may overlap. So, for a locally‐sourced route, the most specific range becomes active. • Appendix E processing provides a unique link‐state ID for all Type‐5 LSAs advertised, be they the result of Type‐7 to Type‐5 translations, summarization or locally‐sourced routes which are not summarized. • A Type‐5 LSA generated by translation may supplant a Type‐5 LSA originating from a local source. This will not affect what is being generated into a NSSA because translations are not ...
Page 179: Timers Spf
Syntax of the “no” Form The no form of this command restores the default timer values: no timers spf Mode Router configuration: Defaults • spf‐delay: 5 • spf‐holdtime: 10 Example XSR(config)#router ospf 1 XSR(config-router)#network 172.15.0.0 0.0.255.255 area 0.0.0.0 XSR(config-router)#timers spf 7 3 Subnet/mask used for the summary range. Suppress routes in the summary range. Value used in the generated Type‐5 LSA . XSR(config-router)# Delay between the receipt of an update and the SPF execution, ranging from 0 to 4,294,967,295 seconds. Minimum interval, in seconds, between two consecutive OSPF calculations. Range: 0 to 65,535. A value of 0 indicates that two consecutive OSPF calculations are performed immediately after the other. XSR(config-router)# OSPF Commands...
Page 180: Ospf Debug And Show Commands
OSPF Debug and Show Commands OSPF Debug and Show Commands debug ip ospf dr This command debugs OSPF designated router events. As with all XSR debug commands, it is set to privilege level 15 by default. Note: This command does not display in running config because it is a debug function. It must be set manually every time the XSR is rebooted.
Page 181 OSPF Packet transmitted. OSPF Hello Packet. OSPF Version. OSPF Packet Type. OSPF Packet length. OSPF Router ID. OSPF Area ID. OSPF Packet Checksum. Authentication. Outgoing interface. Destination IP address. OSPF Debug and Show Commands XSR CLI Reference Guide 5-105...
Page 182 OSPF: Rx LSA. router, nbr:10.0.0.1 age:002f opt:22 id:10.0.0.1 rid:10.0.0.1 seq:800001aa chk:f671 l:36 The following example displays a queue delayed acknowledgement: <191>May 21 07:52:39 1.1.1.4 OSPF: Queue Delayed Ack. router, nbr:10.0.0.1 age:002f opt:22 id:10.0.0.1 rid:10.0.0.1 seq:800001aa chk:f671 l:36 The following example displays an AS border router Type 4 summary LSA: OSPF: Rx LSA. asbr-summary, nbr:10.0.0.1 age:03e6 opt:02 id:10.0.0.1 rid:1.1.1.4 seq:80000065 chk:3c9f l:28 The following example displays a transmitted external Type 5 LSA from outgoing interface ...
Page 183 Parameter Descriptions Add LSA summary aid:0.0.0.4 age:0000 opt:02 id:53.53.53.0 rid:1.1.1.4 seq:80000001 chk:4867 l:28 Rx LSA router Queue Delayed Ack asbr-summary Tx LSA Rtx LSA external from GigabitEthernet 2 Rx Ack Upd LSA debug ip ospf nbr This command debugs OSPF neighbor events. As with all XSR debug commands, it is set to privilege level 15 by default. Note: This command does not display in running config because it is a debug function. It must be set manually every time the XSR is rebooted.
Page 184 OSPF: Tx DDP. nbr:10.0.0.1 mtu:05dc opt:42 flg:00 seq:00002400 from GigabitEthernet 2.1 The following example displays a received database description packet from incoming interface GigabitEthernet 2.1 ‐ I: OSPF: Rx DDP. nbr:10.0.0.1 mtu:05dc opt:42 flg:03 seq:00002401 from GigabitEthernet 2.1 The following example displays a Neighbor Changing state where the neighbor router ID is 10.0.0.1, the neighbor IP address is 2.2.3.21, and the previous state is EXCHANGE. OSPF: NBR change state. nbr:10.0.0.1 ipa:1.2.3.21 state:EXCHANGE The following example indicates the neighbor is a slave for the database exchange: OSPF: NBR is slave. nbr:10.0.0.1 ipa:2.2.3.21 state:EX_START Parameter Descriptions Tx DDP...
Page 185: Show Ip Ospf
XSR#show ip ospf Routing Process "ospf 1 " with ID 1.1.1.4 Supports only single TOS(TOS0) route It is an area border and autonomous system boundary router Summary Link update interval is 0 seconds. External Link update interval is 0 seconds.
Page 186 OSPF Debug and Show Commands It is Summary Link update interval External Link update interval Redistributing External Routes from Number of areas in this router Number of interfaces in this area Area authentication SPF algorithm executed Area ranges show ip ospf border-routers This command displays information about OSPF internal route table entries to ABRs and ASBRs.
Page 187: Show Ip Ospf Database
This command displays the link state (LS) database. Syntax show ip ospf database show ip ospf database router [link-state-id] show ip ospf database network [link-state-id] show ip ospf database summary [link-state-id] show ip ospf database asbr-summary [link-state-id] show ip ospf database nssa-external [link-state-id]...
Page 188 (Link ID) Network/subnet number: 172.14.0.0. (Link Data) Network Mask: 255.255.0.0 Number of TOS metrics: 0 TOS 0 Metrics: 10 Link connected to: another router (point-to-point) (Link ID) Neighboring Router ID: 192.168.44.2 (Link Data) Router Interface address: 192.168.22.1 Number of TOS metrics: 0...
Page 189 Net Link States (Area 0.0.0.0) Routing Bit Set on this LSA LS age: 332 Options: (No TOS-capability, DC) LS Type: Network Links Link State ID: 172.16.150.1 (address of Designated Router) Advertising Router: 192.168.44.1 LS Seq. Number: 80000004 Checksum: 0xF627 Length: 32 Network mask: /24 Attached Router: 192.168.44.1...
Page 190 Length: 28 Network Mask: /0 TOS: 0 Metric: 16777215 External Parameter Response XSR>show ip ospf database external OSPF Router with ID (192.168.44.2) Type-5 AS External Link States Routing Bit Set on this LSA LS age: 98 Options: (No TOS-capability, DC) LS Type: AS External Link Link State ID: 172.14.0.0 (External Network Number)
Page 191 Forward Address: 192.168.33.2 External Route Tag: 0 Database-summary Parameter Response XSR>show ip ospf data database-summary OSPF Router with ID (192.168.44.1) AreaID Router Network 0.0.0.0 AS External Total Parameter Descriptions For No Parameter Link ID This field varies as a function of LS record type as follows: • Router link states ‐ router ID of the router originating the record. • Network links states ‐ interface IP address of designated router to the broadcast network. •...
Page 192 OSPF Debug and Show Commands Type of router Number of links Link connected to (Link ID) Point‐to‐point Transit network Stub network Virtual link (Link Data) Point‐to‐point link Transit network Stub network Virtual link Number of TOS metrics Metric For Network Parameter Routing bit LSA age Options LS Type Link State ID Advertising Router LS Seq. Number Checksum Length Network mask Attached router For Summary Parameter Display Routing bit LSA age...
Page 193 LS Type Summary links (network) for summary LS record. Link State ID IP address of the summarized network. Advertising Router Originating router ID. LS Seq. Number Sequence number assigned by OSPF to this LS record at the time of its origination. Checksum Field in a LS record used to verify the integrity of the contents upon the receipt by another router. Length Length of the LS record in bytes. Network mask Summary mask for the summarized network. 0 due to non support of TOS. Metric Cost to reach summary network from advertising router (ABR). For ASB-summary Parameter Display LSA age Age of the LS record in seconds. Options Meaning of Bit settings in the options field. LS Type Summary links (AS Boundary Router) for an asb‐summary LS record. Link State ID Router ID of the ASBR. Advertising Router Originating router ID. LS Seq. Number Sequence number assigned by OSPF to this LS record at the time of its origination. Checksum Field in a LS record used to verify the integrity of the contents upon the receipt by another router. Length Length of the LS record in bytes.
Page 194 OSPF Debug and Show Commands Length Network mask Metric type Metric Forward address External route tag For NSSA-external Parameter Routing bit LSA age Options LS Type Link State ID Advertising Router LS Seq. Number Checksum Length Network mask Metric type Metric Forward address External route tag For Database-summary Parameter Area ID Area ID Network S‐net S‐ASBR Type‐7 5-118 Configuring the Internet Protocol Length of the LS record in bytes.
Page 195: Show Ip Ospf Interface
Area 0.0.0.2 Router ID 51.51.51.1,Network Type BROADCAST,Cost: 10 Transmit Delay is 1 sec,State DR,Priority 1 Designated Router id 51.51.51.1, Interface addr 51.51.51.1 No backup designated router on this network Timer intervals configured, Hello 10,Dead 40,Wait 40,Retransmit 5 No Hellos (Passive Interface)
Page 196: Show Ip Ospf Neighbor
OSPF Debug and Show Commands Network type Cost Transmit delay State Priority Designated Router id Interface addr Timer intervals configured Neighbor count Adjacent neighbor count Sum of adjacent (FULL state) neighbors on this port. secondary show ip ospf neighbor This command displays the state of communication between this router and its neighbor routers. Syntax show ip ospf neighbor [type number] [neighbor-id] [detail] type number neighbor-id detail Mode EXEC or Global configuration: 5-120 Configuring the Internet Protocol OSPF network type. Values can be broadcast, non‐broadcast, point‐to‐...
Page 197 Dead interval is 40 sec(s) Link state retransmission interval is 5 sec(s) Parameter Description State Dead Intvl Address Interface In the area Options show ip ospf virtual-links This command displays data about virtual links configured on a router. Syntax show ip ospf virtual-links Mode EXEC or Global configuration: State Dead Intvl FULL FULL Router ID of the neighbor. Priority of the neighbor over this interface. OSPF communication state with followed by the interface status of the neighbor.
Page 198 OSPF Debug and Show Commands Sample Output The following is sample output: XSR>show ip ospf virtual-links Virtual Link OSPF_VLI to router 192.168.22.1 is up Run as demand circuit. DoNotAge LSA not allowed (Number of Dcbitless LSA is 2). Transit area 4, via interface Serial1, Cost of using 64...
Page 199: Rip Commands
RIP Commands distance (RIP) This command defines administrative distances (route preference) in the RIP domain. The RIP default ranks higher than all other routed distances. If several routes to the same destination are offered to the Routing Table Manager (RTM) by different protocols, installation is based on the distance of the protocol with the lowest value. You can set the same distance for different protocols (except for multiple static routes) with a tiebreak based on default distances. Refer to distance ospf OSPF and static routes. Syntax distance weight weight Syntax of the “no” Form The no command resets the administrative distance to the default value: no distance weight Defaults • Distances between 241 and 255 are reserved for internal use. • Default distances must not be the same for any two routing protocols. • Refer to Table 5‐2 below for default distances. Table 5-2 Default Administrative Distances Route Source Connected Static BGP external...
Page 200 {in | out} [type number] Mode Router configuration: Default No filter applied Example The following example suppresses network 192.5.34.0 from being advertised in updates on FastEthernet interface 1: XSR(config)#access-list 1 deny 192.5.34.0 0.0.0.255 XSR(config)#router rip XSR(config-router)#distribute-list 1 out fastethernet 1 5-124 Configuring the Internet Protocol XSR(config-router)# IP access list number, ranging from 1 to 199. The list defines which networks will be sent and suppressed in routing updates. Applies the access list to incoming routing updates. Applies the access list to outgoing routing updates. Interface type: ATM, BRI, Dialer, Fast/GigabitEthernet, Loopback, Multilink, Serial, or VPN. Interface number on which the access list should be applied. If no ...
Page 201: Ip Rip Authentication
XSR(config)#interface fastethernet 1 XSR(config-if<F1>)#ip rip authentication key phone XSR(config-if<F1>)#ip rip authentication mode text Note: The command refers to one key only, not a key chain. RIP Example The following example, as shown in Figure Router 1, also enabling routing exchanges on the serial link Router 1‐Router 2 (Serial port 2). Identifies the key. Valid values are strings of 16 characters or less. Spaces can be used if the complete key is bounded by quotations. XSR(config-if<xx>)# 5‐2, enables RIP on both FastEthernet interfaces of RIP Commands XSR CLI Reference Guide 5-125...
Page 202: Ip Rip Authentication Mode
Tex: XSR(config)#router rip XSR(config-router)#network 192.168.1.0 XSR(config-router)#network 192.169.1.0 XSR(config-router)#neighbor 192.5.10.1 XSR(config-router)#passive-interface fastethernet 2 XSR(config-router)#no receive-interface fastethernet 2 XSR(config)#interface fastethernet 2 XSR(config-if<F2>)#ip rip disable-triggered-updates XSR(config)#interface serial 1/0 XSR(config-if<S1/0>)#ip rip receive version 1 2 XSR(config-if<S1/0>)#ip rip send version 2 XSR(config-if<S1/0>)#ip split-horizon poison XSR(config-if<S1/0>)#ip rip authentication key Tex...
Page 203 Serial 1/0 is allowed to receive both version 1 and 2 RIP, and transmits version 2. The method used is split horizon with poison reverse. Authentication mode text is used, and the text is Tex: XSR(config)#router rip XSR(config-router)#network 192.168.1.0 XSR(config-router)#network 192.169.1.0 XSR(config-router)#neighbor 192.5.10.1 XSR(config-router)#passive-interface fastethernet 2 XSR(config-router)#no receive-interface fastethernet 2 XSR(config)#interface fastethernet 2 XSR(config-if<F2>)#ip rip disable-triggered-updates XSR(config)#interface serial 1/0 XSR(config-if<S1/0>)#ip rip receive version 1 2 XSR(config-if<S1/0>)#ip rip send version 2 XSR(config-if<S1/0>)#ip split-horizon poison XSR(config-if<S1/0>)#ip rip authentication key Tex...
Page 204: Ip Rip Offset
RIP Commands Default Allows RIP to respond to a triggered update. Example This example prevents RIP from responding to a request for triggered updates on F1: XSR(config)#interface fastethernet 1 XSR(config-if<F1>)#ip rip disable-triggered-updates ip rip offset This command adds an offset onto incoming/outgoing metrics to routes learned via RIP. Syntax ip rip offset value value Syntax of the “no” Form The no form of this command removes an offset: no ip rip offset Mode Interface configuration: Default No offset applied Example The following example sets an offset of 1 for Serial port 1/0: XSR(config)#interface serial 1/0 XSR(config-if<S1/0>)#ip rip offset 1 Adding an offset on an interface makes it a backup port. Suppose R1 is only 2 hops away from Rx ...
Page 205: Ip Rip Receive Version
Mode Interface configuration: Default Accept both RIP version 1 and 2 Example This example sets both RIP versions 1 and 2 for update packets received on FastEthernet port 1: XSR(config)#interface fastethernet 1 XSR(config-if<F1>)#ip rip receive version 1 2 Figure 5-3 Offset Example Distance Router 1-Router x2+1 hops Backup Router 1 INTERNET Serial 1/0 Serial 1/1 INTERNET Distance Router1-Rx2 hops RIP version 1. RIP version 2. XSR(config-if<xx>)#...
Page 206: Ip Rip Send Version
RIP Commands ip rip send version This command sets RIP v1 or v2 for update packets sent on the interface. Syntax ip rip send version {1 | 2 | r1compatible} r1compatible Syntax of the “no” Form The no form restores the version of update packets that was transmitted by the RIP module: no ip rip send version Mode Interface configuration: Default Version 1 Example The following example sets RIP version 2 for packets sent on FastEthernet interface 1: XSR(config)#interface fastethernet 1 XSR(config-if<F1>)#ip rip send version 2 ip split-horizon This command sets split horizon mode for the packets to be sent by RIP.
Page 207 Syntax of the “no” Form The no form of this command disables RIP on the specified interface: no neighbor neighborAddress Mode Router configuration: Example This example instructs the XSR to send RIP updates to all ports on network 192.5.0.0 except interface F2. Also, the XSR(config)#router rip XSR(config-router)#network 192.5.0.0 XSR(config-router)#passive-interface fastethernet 2 XSR(config-router)#neighbor 192.5.10.1 commands can be used to specify additional neighbors or peers. IP address of a peer router with which routing datawill be exchanged. XSR(config-router)# neighbor command allows sending RIP updates specifically to 192.5.10.1. passive-interface command, RIP updates XSR CLI Reference Guide 5-131 RIP Commands...
Page 208 This command attaches a network of directly connected networks to a RIP routing process. Syntax network netAddress netAddress Syntax of the “no” Form The no form of this command disables RIP on the specified interface: no network netAddress Mode Router configuration: Example This example attaches network 192.168.1.0 to the RIP routing process: XSR(config)#router rip XSR(config-router)#network 192.168.1.0 passive-interface This command prevents RIP from transmitting update packets on an interface (although it can still monitor updates on the interface). Syntax passive-interface type num type Interface types include: ATM, BRI, Dialer, Fast/ GigabitEthernet, Loopback, Multilink, Serial, and VPN. Physical interface number. Syntax of the “no” Form The no form of this command removes the passive‐interface action:...
Page 209 Syntax of the “no” Form no receive-interface type num Mode Router configuration: Default Allows the reception of RIP updates on an interface. Example The following example denies the reception of RIP updates on F2: XSR(config-router)#no receive-interface fastethernet 2 redistribute (OSPF/Static) This command redistributes static or OSPF routes into RIP. Syntax redistribute {ospf | static}{match external [1 | 2]| internal} metric metricvalue ospf static match external internal metric metricvalue Interface type.
Page 210: Router Rip
Default Disabled Examples This example redistributes static routes from 5 hops away into RIP: XSR(config-router)#router rip XSR(config-router)#redistribute static 5 This example redistributes intra, inter and external OSPF routes into RIP: XSR(config-router)#redistribute ospf match internal match external The following example imports all OSPF routes into RIP with the default RIP metric of 1. It is equivalent to the command entered earlier. XSR(config-router)#redistribute ospf router rip This command enables/disables the Routing Information Protocol (RIP). Notes: The XSR supports a total of 750 RIP routing entries with 64 MBytes of memory installed.
Page 211 Syntax of the “no” Form The no form of this command resets the timers to the default value: no timers basic Mode Router configuration: Defaults • Update: 30 seconds • Invalid: 180 seconds • Flush: 300 seconds Example The following example sets values for the RIP timers: XSR(config-router)#timers basic 10 30 60 Interval the RIP timer is revised, ranging from 1 to 2,147,483,647 seconds. Interval the RIP timer is deemed invalid, ranging from 1 to 2,147,483,647 seconds. The invalid interval must be at least three times the update interval. Interval the RIP timer is flushed, ranging from 1 to 2,147,483,647 seconds. The flush interval must be larger than the invalid interval. XSR(config-router)# RIP Commands XSR CLI Reference Guide 5-135...
Page 212: Rip Show Commands
RIP Show Commands RIP Show Commands show ip rip This command displays configuration data and statistics global to all ports. Syntax show ip rip [interface | database] interface database Mode EXEC or Global configuration: Sample Output The following is a sample response with no option chosen: XSR#show ip rip Global RIP Stats: RIP is enabled RIP timers (in seconds): Update interval: 30 Invalid interval 180 Flush interval: 300 Routing for Networks:...
Page 213: Rtp Header Compression Commands
RTP Header Compression Commands The following commands configures the Real Time Protocol (RTP) header compression on PPP serial interfaces. The following criteria must be met in order to select packets fro RTP compression Must be a UDP packet via: 192.168.29.22 via: 192.168.29.22 via: 201.1.1.0 Networks assigned to routing using the Neighbors configured to trade routing data used in Pointto‐Point exchange of routing data. Ports RIP will not send update packets on. Ports RIP will not receive update packets on. Access list for controlling receive/send updates. IP address and mask assigned to this interface. Respond to a request for a trigger update from another router. Send and receive RIP versions. Split horizon mode. A value that will be added to routes learned via RIP. RTP Header Compression Commands cost:2 age:16 FastEthernet2 cost:2 age:16 FastEthernet2 cost:2 age: - Serial2/0:1.1 network command in RIP.
Page 214 RTP Header Compression Commands UDP payload must be less than 500 bytes Packet must not be fragmented The destination port of the packet must be within user configured port range (there is no restriction on the source port) Note: The XSR doesn’t impose any restrictions on RTP de‐compression. clear ip rtp header compression interface serial This command clears the RTP header compression statistics for the specific PPP serial interface. Syntax show ip rtp header-compression interface serial slot/port{.sub-interface} slot/port{.sub-interface Mode Privileged EXEC: Example The following example clears the RTP Statistics for serial interface 2/0:1 XSR# clear ip rtp header‐compression interface serial 2/0:1 ip rtp compression connections By default, the software supports a total of 16 RTP header compression connections on the PPP interface. This command will allow the user to change the number of RTP header compression connections in order to specify the total number of RTP header compression connections supported on an interface. If either end of the PPP link have different max‐num‐connection values, than the link will negotiate to the lower value.
Page 215 Mode Interface configuration: This command is applicable only on serial interface with PPP encapsulation. Note: The XSR currently does not block this command on ʺinterface dialerʺ and on ʺinterface multilinkʺ, but the command has no effect on these interfaces. This command requires a reboot of the interface to take effect. Example The following example set the RTP header compression connections to 100, on PPP serial interface S1/0: XSR(config-if<S1/0>)rtp compression connections 100 ip rtp header-compression This command enables or disables the RTP header compression feature on PPP serial interfaces. The optional passive keyword tells the XSR to compress outgoing RTP packets only if incoming RTP packets on the same interface are compressed. If you use the command without the passive keyword, the software compresses all RTP traffic. Note: With this release, XSR now supports both the VJ Header Compression (for TCP and UDP header) and the new IP Header Compression (for TCP, UDP and RTP header compression). XSR cannot be configured to initiates VJ header compression, but it does response to VJ Header compression configuration option from the remote peer with a NAK or REJ. In this release, the behavior is changed slightly. If RTP is not enabled, then upon receiving a VJ header compression negotiation option, the XSR sends back a NAK or REJ, same as in current release. Syntax ip rtp header-compression {passive} Parameters passive Syntax of the “no” Form The no command disables the RTP header compression feature: no ip rtp header-compression Default Disabled...
Page 216 RTP Header Compression Commands Mode Interface configuration: This command is applicable only on serial interface with PPP encapsulation. Note: The XSR currently does not block this command on ʺinterface dialerʺ and on ʺinterface multilinkʺ, but the command has no effect on these interfaces. This command requires a reboot of the interface to take effect. Example The following example enables RTP header compression on PPP serial interface S1/0: XSR(config-if<S1/0>)#ip rtp header-compression ip rtp range This command specifies the destination port range of UDP packets used to screen for RTP compression. Syntax ip rtp range starting-port-Num end-Port-Num starting-port-Num end-port-Num Syntax of the “no” Form The no command removes the RTP packet ranges no ip rtp range Default Disabled Mode Interface configuration: ...
Page 217 This command displays the RTP header compression statistics for the specific PPP serial interface. Note: The existing command “show ppp interface serial” has been updated to add the following line in the PPP stats section “TX/RX IP Header Compression (IPHC is enabled” if IP header compression has been negotiated with the remote peer. See page 8‐102 for information on the command “show ppp interface serial”. Syntax show ip rtp header-compression interface serial slot/port{.sub-interface} slot/port{.sub-interface Mode Privileged EXEC: Example The following example displays the RTP Statistics for serial interface 2/0:1 Router# show ip rtp header‐compression interface serial 2/0:1 RTP/UDP/IP Header compression statistics: Interface Serial 2/0:1 Active/Negotiated connections: RX = 0/0 TX = 0/0 Rcvd: Compr. RTP = 0 Compr. UDP = 0 Full Header = 0 Error = 0 Bytes rcvd = 0 Send: Compr. RTP = 0 Compr. UDP = 0 Full Header = 0 Rej. IP = 0 Bytes sent = 0 Misses = 0 hit Ratio = 0% Parameter Descriptions Interface Serial...
Page 218: Triggered On Demand Rip Commands
Triggered on Demand RIP Commands Rcvd: Compr. RTP Compr. UDP Full Header Errors Dropped Total Pkts Bytes Rcvd Bytes Saved Efficiency Improve Sent Compr. RTP Compr. UDP Full Header Rejected IP Rejected non RTP Total Pkts Bytes Rcvd Bytes Saved Efficiency Improve Misses Hit ratio...
Page 219 Example This example sets the number of retransmissions to 50: XSR(config)#interface serial 1/0 XSR(config-if<S1/0>)#ip address 1.0.0.0 255.0.0.0 XSR(config-if<S1/0>)#no shutdown XSR(config-if<S1/0>)#ip rip triggered-on-demand XSR(config-if<S1/0>)#ip rip max-retransmissions 50 XSR(config)#router rip XSR(config-router)#network 1.0.0.0 ip rip polling-interval This command sets the polling interval for triggered RIP requests. If a request gets no response after retransmissions peak, requests will continually transmit at intervals set by this command. Note: The polling interval should be less than the dialer spoofing timeout. Syntax...
Page 220 Mode Interface configuration: Default 30 seconds Example The following example sets the polling interval to 120 seconds: XSR(config)#interface serial 1/0 XSR(config-if<S1/0>)#ip address 1.0.0.0 255.0.0.0 XSR(config-if<S1/0>)#no shutdown XSR(config-if<S1/0>)#ip rip triggered-on-demand XSR(config-if<S1/0>)#ip rip polling-interval 120 XSR(config)#router rip XSR(config-router)#network 1.0.0.0 ip rip triggered-on-demand This command enables triggered‐on‐demand RIP on the specified interface. It is available on a point‐to‐point Serial (WAN) interface only. On‐demand RIP permits the update of an XSR’s RIP routing table only when the database changes or when a next hop’s reachability is detected on the WAN side of the connection. This functionality reduces the on‐demand WAN circuit’s routing traffic and allows the link to be brought down when application traffic ceases. Regular RIP updates would prevent the connection from being torn down when application use ends. On‐demand RIP is available under conditions where the route is learned through a dialer or dialer backup connection and a dial on demand link.
Page 221: Policy-Based Routing Commands
Mode Interface configuration: Default Disabled Example The following example configures triggered RIP on Serial port 1/0: XSR(config)#interface serial 1/0 XSR(config-if<S1/0>)#ip address 1.0.0.0 255.0.0.0 XSR(config-if<S1/0>)#no shutdown XSR(config-if<S1/0>)#ip rip triggered-on-demand XSR(config-router)#network 1.0.0.0 Policy-Based Routing Commands Policy‐Based Routing (PBR) on the XSR. ip policy This command applies PBR to XSR Fast/GigabitEthernet, Dialer, Loopback, Multilink, VPN and Serial interfaces. Syntax ip policy Syntax of the “no” Form The no command negates PBR on XSR interfaces: no ip policy Mode Interface configuration:...
Page 222 Syntax route-map pbr sequence-number sequence-number Syntax of the “no” Form The no command deletes the specified policy entry or the whole policy table if no sequence number is specified: no route-map pbr [sequence-number] Mode Global configuration: Next Mode PBR Map configuration: Example In the following example, policy entry number 10 is created: XSR(config)#route-map pbr 10 XSR(config-pbr-map)# 5-146 Configuring the Internet Protocol Adds/deletes PBR match clauses. See page 5‐147 for command ‐ Adds or deletes PBR set clauses for the next‐hop router. See page 5‐147 for ‐ Adds or deletes PBR set clauses on an interface. See page 5‐148 for command Sequential number of the policy entry in the PBR route map table. XSR(config)# XSR(config-pbr-map)#...
Page 223: Match Ip Address
Syntax of the “no” Form The no command deletes the specified ACL match clause: no match ip address access-number Mode PBR Map configuration: Example In the following example, ACL 101 is used to match the traffic: XSR(config-pbr-map)#match ip address 101 set ip next-hop This command specifies a next‐hop IP address as the forwarding router for Policy Based Routing. Syntax set ip next-hop ip-address ipaddress Syntax of the “no” Form The no command deletes the specified set clause: no set ip next-hope ip-address Mode PBR Map configuration: ...
Page 224: Pbr Clear And Show Commands
PBR Clear and Show Commands set interface This command specifies an XSR interface as the forwarding port for Policy Based Routing. Syntax set interface interface-num interface-num Syntax of the “no” Form The no command deletes the specified set clause: no set interface interface-num Mode PBR Map configuration: Example The following example sets F1 as the forwarding interface: XSR(config-pbr-map)#set interface FastEthernet 1 PBR Clear and Show Commands clear ip pbr-cache This command deletes entries from the PBR cache table. Syntax clear ip pbr-cache Mode...
Page 225: Arp Commands
XSR>show ip pbr-cache Source 192.168.1.1 192.168.1.1 192.168.1.1 Parameter Descriptions Source Destination IP Protocol TCP/UDP Port ICMP Code show route-map pbr This command displays the Policy Map Table you have configured. This is the Global Route Map that is used for Policy Based Routing. Syntax show route-map pbr Mode EXEC configuration: Sample Output The following is sample output when the command is issued: XSR>show route-map pbr route-map pbr, sequence 10 Match clauses: ip address 102 ip address 101 Set clauses: next-hop 192.168.27.33...
Page 226 ARP Commands Syntax arp ip-address hardware-address ip-address hardware-address Syntax of the “no” Form The no form of this command deletes the specified permanent ARP entry: no arp ip-address hardware-address Mode Global configuration: Default No permanent ARP entries in the ARP table. Example The example below adds a permanent ARP entry for the IP address 130.2.3.1: XSR(config)#arp 130.2.3.1 0003.4712.7a99 arp-timeout This command sets the duration of a dynamic ARP entry in the ARP table before expiring. Syntax arp-timeout seconds seconds Syntax of the “no” Form The no form of his command restores the default value: no arp-timeout Mode Global configuration: ...
Page 227: Other Ip Commands
{address mask | address&mask | negotiated}{secondary] 5‐4: Figure 5-4 ARP Timeout Example 130.2.3.0/24 130.2.3.1 130.2.3.3 Host 1 IP address of the interface. Network mask for the configured IP address. Address/mask in format A.B.C.D./m, where A.B.C.D. is the address, and m is the number of bits set to 1 in the mask. IP address negotiated over PPP. BRI, loopback, Fast/ GigabitEthernet and secondary IP interfaces are not supported. A secondary IP address. If keyword is omitted, the configured address is the primary IP address. Secondary is required to add or remove such an address. Other IP Commands 130.2.3.2 Host 2 Router 1 XSR CLI Reference Guide 5-151...
Page 228 Other IP Commands Mode Interface configuration: Examples The following CIDR example sets IP address 192.168.1.1 with a mask of /24 on interface F1. XSR(config)# interface FastEthernet 1 XSR(config-if)# ip address 192.168.1.1/24 The following example sets the IP address 192.168.1.1 on G2: XSR(config)#interface gigabitethernet 2 XSR(config-if<F1>)#ip address 192.168.1.1 255.255.255.0 In the example below, 131.108.1.27 is the primary address and 192.31.7.17 and 192.31.8.17 are secondary addresses for F1: XSR(config)#interface FastEthernet 1 XSR(config-if<F1>)#ip address 131.108.1.27 255.255.255.0 XSR(config-if<F1>)#ip add 192.31.7.17 255.255.255.0 secondary XSR(config-if<F1>)#ip add 192.31.8.17 255.255.255.0 secondary The following example configures 1.1.1.1 as the primary and other IP addresses as secondary ...
Page 229 [access-list-number] Parameters access-list- number Syntax of the “no” Form The no form of this command disables directed broadcast globally: no ip directed-broadcast [access-list-number] XSR(config)# 5‐5, Router 1 sets two candidates for the default Figure 5-5 IP Default Route Example Router 1 Serial 1 Metric Serial 1/1 198.15.1.0 INTERNET Router 3 ACL number. If this is set, a broadcast must pass the ACL to be forwarded. If not set, all broadcasts are forwarded. Other IP Commands INTERNET 199.15.1.0...
Page 230 Other IP Commands Mode Interface configuration: Default Enabled Example The following example denies ICMP broadcasts on port FastEthernet 1: XSR(config)#access-list 100 deny ICMP any any XSR(config)#interface fastethernet 1 XSR(config-if<F1>)#ip directed-broadcast 100 The following example removes the previous restriction on interface FastEthernet 1 (broadcast will be performed for all protocols): XSR(config)#interface fastethernet 1 XSR(config-if<F1>)#no ip directed-broadcast ip dhcp relay-source gateway This command allows users to select the source address to use when relaying packets to the DHCP servers. The DHCP servers are configured using ip helper‐address command. Syntax ip dhcp relay-source gateway Syntax of the “no”...
Page 231 ip domain This command identifies the domain to which the XSR belongs. If the command is reissued, it is considered an update of the domain name and will overwrite the old value with a new value. The XSR uses the domain name to help create a certificate subject name, which is automatically formated to: <host name>.<domain name>. You can configure the host name with the command. If the host name is not set when you issue the the hardcoded DefaultName. Note: For Verisign CA interoperability, you must enter the domain name that you specified when registering with Verisign. Syntax ip domain name {domain-name} domain-name Syntax of the “no” Form The no form of this command resets the IP domain name to no value: no ip domain name {domain-name} Mode Global configuration: Example...
Page 232 Other IP Commands Parameters round-robin per-flow Syntax of the “no” Form The no form of the command disables equal‐cost multi‐path: no ip equal-cost multi-path Mode Global configuration: Default Disabled Example The following example enables equal‐cost multi‐path and sets the selection method as per‐flow: XSR(config)# ip equal-cost multi-path per-flow ip forward-protocol This command enables broadcast forwarding and specifies which protocols and ports will be forwarded. The IP forward protocol is one of two commands used for UDP broadcast forwarding. Also refer to the If a certain service exists inside the node, and there is no need to forward the request to remote networks, the no form of this command should be used to disable the forwarding for the specific port. Such requests will not be automatically blocked from being forwarded, just because a service for them exists in the node. Note: The XSR supports a maximum of 50 IP helper addresses per port and 50 IP forward ports with (64 MBytes of memory installed.
Page 233 NetBIOS Name Server (port 137) • NetBIOS Datagram Server (port 138) • Boot Protocol (BTP) client and server datagrams (ports 67, 68) • TACACS service (port 49) • IEN‐116 Name Service (port 42) 5‐6, forwards UDP traffic to a router across the Figure 5-6 IP Forward-Protocol Example Router 1 INTERNET Global Configuration ip forward-protocol UDP interface ethernet 1 ip helper-address 196.1.1.255 Other IP Commands Router 2 196.1.1.0 XSR CLI Reference Guide 5-157...
Page 234 Mode Interface configuration: Example In this example, with one server on network 191.168.1.255 and the other on network 192.24.1.255, you permit UDP broadcasts from hosts on either network segment to reach both servers: 5-158 Configuring the Internet Protocol 5‐7, occurs when a Host requests an IP address with no DHCP server Figure 5-7 DHCP Functionality Example Router 1 DHCP Relay eth 1 Function Global Configuration ip forward-protocol UDP interface ethernet 1 ip helper-address address1 Destination broadcast or host address used when forwarding. XSR(config-if<xx>)#...
Page 235 Syntax of the “no” Form Use the no form of this command to remove the name‐to‐address mapping: no ip host name address Mode Global configuration: Default Disabled Example The following example defines a static mapping for host ACME: XSR(config>)#ip host ACME 192.168.57.28 ip irdp This command enables/disables the ICMP Router Discovery Protocol (IRDP), which dynamically discovers routes to other networks, as defined by RFC‐1256. IRDP allows hosts to locate routers and can also infer router locations by checking RIP updates. When the XSR operates as a client, router discovery packets are generated. When the device operates as a host, router discovery packets are received. The IRDP client/server implementation does not actually examine or store full routing tables sent by routing devices, it merely keeps track of which systems are sending such data. Using IRDP, the XSR can specify both a priority and a period after which a device should be assumed down if no other packets are received. Case‐sensitive name of the host. Associated IP address. XSR(config>)# Other IP Commands...
Page 236 XSR(config-if<F1>)#ip irdp holdtime 10 XSR(config-if<F1>)#ip irdp preference 10 XSR(config-if<F1>)#ip irdp multicast ip mtu This command sets the Maximum Transmit Unit (MTU) size on a port. Syntax ip mtu size size Syntax of the “no” Form The no form of this command restores the default value: no ip mtu 5-160 Configuring the Internet Protocol :Multicast address (224.0.0.1) instead of IP broadcasts. The interval router advertisements are held valid, ranging from 1 to 9000 seconds. Value must exceed advertinterval but cannot exceed 9000 seconds. Peak interval between router advertisements, ranging from 3 to 1800 seconds. Value from ‐2147483647 to 2147483647 that sets a router to be the preferred router to which others home. Higher values raise XSR’s preference level. XSR(config-if<xx>)# The MTU size, ranging from 68 to 1500 bytes.
Page 237 Mode Interface configuration: Default 1500 Example The following example sets the MTU size to 1200 for interface Serial 1/0: XSR(config-if<S1/0>)#ip mtu 1200 ip proxy-arp This command enables/disables Proxy ARP on a per interface basis, allowing the XSR to answer ARP requests on one network for a host on another network. It is available for Fast/ GigabitEthernet interfaces only. Syntax ip proxy-arp Syntax of the “no” Form The no form of this command disables Proxy ARP: no ip proxy-arp Mode Interface configuration: Default Enabled Example The following example disables proxy arp on interface F1: XSR(config)#interface fastethernet 1 XSR(config-if)#no ip proxy-arp ip proxy-dns This command enables Proxy DNS. The XSR’s implementation of this feature supports the ...
Page 238 Other IP Commands Syntax ip proxy-dns enable Syntax of the “no” Form The no form of this command disables Proxy DNS: no ip proxy-dns enable Mode Global configuration: Default Disabled ip proxy-dns name server This command specifies up to six name servers the proxy DNS server will use. Syntax ip proxy-dns name-server server-address1 [server-address2...server-address6] server-address1 server-address2...server-address6 Syntax of the “no” Form The no form of this command removes the configured name server: no ip proxy-dns name-server server-address1 [server-address2...server-address6] Mode Global configuration: ...
Page 239 # number distance Syntax of the “no” Form This command’s no form removes a static route from the routing table: no ip route {A.B.C.D. mask}|{address&mask}{address |interface-type #}}[distance]} If neither next hop, nor distance is cited, all static routes identified by the pair {prefix, mask} are deleted. XSR(config)# The IP route prefix for the static route destination. The prefix mask for the static route destination. The forwarding router’s IP address and mask, expressed as A.B.C.D./N where A.B.C.D. is the address and N is the number of set bits in the mask.. The forwarding router’s IP address. The IP network interface: ATM, Dialer, Fast/GigabitEthernet, Loopback, Multilink, null, or VPN. Identifies the card and port number: <1‐2>/<0‐0>, or the card, port and sub‐ interface number: <1‐2>/<0‐0>.<1‐64> Administrative metric (preference). Range: ATM (1 to255), BRI (1 to 240), Dialer (0 to 253), Fast/GigabitEthernet (1 to 240), Loopback (1 to 240), Multilink (1‐240), and Serial (1 to 120). Only static routes identified by the pair {prefix, mask}, and matching this distance are deleted. Other IP Commands XSR CLI Reference Guide 5-163...
Page 240 Syntax of the “no” Form The no form of this command resets the maximum number of multiple static routes to the default: no ip route maximum_multiple Mode Global configuration: Default Example The following example sets the maximum value to 6: XSR(config)#ip route maximum-multiple 6 5-164 Configuring the Internet Protocol XSR(config)# 5‐8, sets 2 static routes to networks 192.1.2.0 and 193.62.5.0 through Figure 5-8 Static Route Example 192.31.7.65 INTERNET Router 1 193.62.5.0 Maximum number of multiple static routes allowed, ranging from 2 to 8. XSR(config)# Router 2 192.1.2.0...
Page 241 ip tcp adjust-mss This command sets the Maximum Segment Size (MSS) for TCP SYN (synchronize) packets. When the XSR terminates PPPoE traffic, a PC connected to the FastEthernet interface may have problems accessing Web sites if the PCʹs Maximum Transmission Unit (MTU) setting is too high. The MTU contains maximum segment size (MSS) values for TCP packets transmitted by the PC. Some Web sites do not perform Path MTU discovery correctly. To address this issue, the XSR automatically sets the TCP MSS to 1452 when using PPPoE ports. This forces both TCP peers to send 1492 byte packets so Path MTU discovery never has to deal with PPPoEʹs 1492‐byte MTU. This is a sub‐command of Interface mode and is configured with the following commands: • interface fast/gigaethernetx.x • ip address negotiated • encapsulation ppp/mux pppoe • ip mtu 1492 • ip tcp adjust-mtu 1400 Setting the MSS will cause all TCP SYN packets with the MSS option being modified if the option value exceeds the configured MSS. Syntax ip tcp adjust-mss mss Mode PPPoE Interface configuration: Default 1452 bytes Example...
Page 242 Other IP Commands ip telnet server This command enables or disables Telnet service to the XSR. If the optional parameter is not supplied, the Telnet server is enabled. Since the Telnet server is enabled at boot‐up, you must either manually disable it using the CLI or disable it in the startup‐config file. Syntax ip telnet server [enable enable disable Syntax of the “no” Form The no form of this command disables the Telnet server: no ip telnet server Mode Global configuration: Default Enabled Example The following example disables the Telnet server: XSR(config)#ip telnet server enable XSR(config)#no ip telnet server ip unnumbered This command enables IP processing on a serial interface without assigning an explicit IP address ...
Page 243 Default Disabled Example In this example, Serial 1 is given F2ʹs address. The serial port is unnumbered: XSR(config-if<F2>)#ip address 145.22.4.67 255.255.255.0 XSR(config)#interface serial 1 XSR(config-if<S1>)#ip unnumbered fastethernet 2 ip router-id This command configures a router identifier, an IPv4 address specified in dotted decimal notation. It is used in routing protocols such as OSPF to uniquely identify a routing instance. Syntax ip router-id [ip-address] ip-address Syntax of the “no” Form The no form of this command removes a router identifier: no ip router-id Mode Global configuration: Type of another interface on which the router has an assigned IP address. It cannot be another unnumbered interface. Number of another interface on which the router has an assigned IP address. It cannot be another unnumbered interface. XSR(config-if<xx>)# IP Address of router.
Page 244: Ip Clear And Show Commands
IP Clear and Show Commands Example The following example configures a router identifier: XSR(config)#ip router-id 1.2.3.4 IP Clear and Show Commands clear arp-cache This command deletes all nonstatic entries from the ARP cache. Syntax clear arp-cache Mode Privileged EXEC: clear ip interface-counters This command clears all IP interface counters. If you do not enter the optional type or number value, all interface counters will be erased. Syntax clear ip interface-counters [type][number] type number Mode Privileged (EXEC): clear ip proxy-dns cache This command clears the proxy DNS cache.
Page 245: Show Ip Arp
clear ip traffic-counters This command clears all IP related counters (IP, ICMP, ARP, UDP, TCP, RIP, OSPF) displayed by the show ip traffic Syntax clear ip traffic-counters Mode Privileged EXEC: clear tcp counters This command clears all TCP counters. Syntax clear tcp counters Mode Privileged EXEC: show ip arp This command displays all entries in the ARP cache. Syntax show ip arp [ip-address] [H.H.H] [type number] ip-address H.H.H type number Mode EXEC or Global configuration: Sample Output...
Page 246: Show Ip Interface
IP Clear and Show Commands Internet 134.141.235.137 Internet 134.141.235.150 Internet 134.141.235.155 Internet 134.141.235.124 Internet 58.58.58.1 Internet 57.57.57.1 Internet 54.54.54.1 Internet 53.53.53.1 Internet 52.52.52.1 Internet 51.51.51.1 XSR>show ip arp 134.141.235.165 Protocol Address Internet 134.141.235.165 XSR>show ip arp FastEthernet1 Protocol Address Internet 134.141.235.251 Internet 134.141.235.165...
Page 247 Helper address is not set Directed broadcast forwarding is disabled Outgoing access list is not set Inbound access list is not set Router Discovery is disabled FastEthernet 0 is Admin Up Internet address is 134.141.235.165/24 Last change: 11:14 AM Rcvd:...
Page 248 Helper address is not set. Directed broadcast is enabled. Outgoing access list is not set. Inbound access list is not set. Router discovery is disabled. The following is sample output from a VLAN interface on FastEthernet sub‐interface 2.1: XSR#show ip interface FastEthernet 2.1 FastEthernet2.1 is Admin Up Internet address is 1.2.3.4, subnet mask is 255.255.255.0 Rcvd: 956984 octets, 11 unicast packets, 0 discards, 0 errors, 0 unknown protocol.
Page 249: Show Ip Irdp
Broadcast address is used. Advertisements will occur between every 450 and 600 seconds. Advertisements are valid for 1800 seconds. Preference will be 100. Serial 1 has router server discovery disabled FastEthernet2 has router server discovery disabled Parameter Description Broadcast address is used Advertisements will ...
Page 250: Show Ip Route
IP Clear and Show Commands Sample Output The following is sample output from the command: XSR>show ip proxy-dns cache Name www.enterasys.com www.test.com Parameter Description Name show ip route This command displays information about the Routing Table including route types, IP addresses, and costs. Administrative distances are referenced in each Routing Table entry within the brackets as follows: [distance/metric]. The command also displays all alternative routes where more than one route exists to a destination. Syntax show ip route [connected | address [mask [longer-prefixes]]| bgp | ospf | rip | static] connected address...
Page 251 Sample Output The following is sample output. Note the route costs as indicated within brackets. XSR>show ip route Codes: C-connected, S-static, R-RIP, O-OSPF, IA-OSPF interarea N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2 E1 - OSPF external type 1, E2 - OSPF external type 2 * - candidate default, D - default route originated from default net O E2 222.51.51.0/24 O IA 192.169.1.0/24 O 192.168.25.0/24...
Page 252 IP Clear and Show Commands [x/y] [0060] show ip static database This command displays static route information including the destination IP address, gateway IP address, and administrative distance. Syntax show ip static database [A.B.C.D. A.B.C.D./mask | interface-type | distance] distance A.B.C.D. A.B.C.D./<0-32> interface-type Mode EXEC configuration: Sample Output The following is sample output: XSR#show ip static database Maximum number of multiple static routes: 4 Routing Information Sources: Parameter Description Maximum number of ...
Page 253: Show Ip Traffic
show ip traffic This command displays general IP protocols statistics. Syntax show ip traffic Mode EXEC or Global configuration: Sample Output The following is sample output: XSR>show ip traffic IP statistics: Rcvd: 9040 total, 919 local destination, 7020 to be forwarded 5 header errors, 45 IP destination not valid 63 unknown protocol, 0 discards Frags: 30 fragments, 10 reassembled, 0 couldn't reassemble 5 fragmented, 15 fragments, 0 couldn't fragment...
Page 254 IP Clear and Show Commands 0 link state updates, 0 link state acks Sent: 0 total ARP statistics: Rcvd: 87441 requests, 5 replies Sent: 3 requests, 36 replies (0 proxy) Parameter Description Total Local destination To be forwarded Header errors IP destination not valid Unknown protocol Discards Generated Drop no route show resources This command displays the allowable number of resource entries created and memory utilized. ...
Page 255 Max Unresolved ARP Requests| Routing Table Size| Number of Static Routes| Number of Secondary IP| Number of Virtual IP| IP Helper Addresses| UDP Broadcast Fwd Entries| OSPF LSA type 1| OSPF LSA type 2| OSPF LSA type 3| OSPF LSA type 4| OSPF LSA type 5| OSPF LSA type 7| Number of ACList Entries|...
Page 256: Show Tcp
IP Clear and Show Commands Parameter Description 64MgB Resource ResourcesInUse Bytes Per Resource Total Bytes InUse show tcp This command displays TCP statistics. Syntax show tcp {connections | general} connections general Configuration Mode EXEC or Global configuration: Sample Output The following are sample responses: Connection Table XSR>show tcp connections -----------TCP Statistics----------- Current Connections Local Address 134.141.235.165.23 134.141.235.165.23 General Information Display...
Page 257 4 transitions from LISTEN to SYN-RCVD 2 transitions from SYN-SENT or SYN-RCVD to CLOSED 2 transitions from ESTABLISHED or CLOSE-WAIT to CLOSE Parameter Description Connection state - Possible states for a TCP connection: LISTEN SYNSENT SYNRCVD ESTAB FINWAIT1 FINWAIT2 CLOSEWAIT CLOSING LASTACK TIMEWAIT...
Page 258: Network Address Translation Commands
Network Address Translation Commands Default Standard Telnet port 23. If the port is not provided, the client will try to connect to port 23 on the remote server. Example The following example connects you to the XSR at 192.57.189.4 via Telnet: XSR#telnet 192.57.189.4 23 Network Address Translation Commands The XSR commands below configure Network Address Translation (NAT). clear ip nat translation This command clears dynamic NAT translations from the table before they time out. Although the XSR times out NAT translations by default, it is useful to clear translations before the timeout. Syntax clear ip nat translation interface {[all | global-ip local-ip] | [protocol global- ip global-port local-ip local-port]} interface global-ip local-ip...
Page 259: Ip Local Pool
The following example clears a specific UDP entry from the NAPT table: XSR#clear ip nat translation fastEthernet 1 17 200.2.233.1 1220 192.168.27.95 1220 1 NAPT entries or NAT mapping removed The following example clears all NAPT translations for host 192.168.50.2 on the private network: XSR#clear ip nat translation fastEthernet 1 192.168.50.2 0.0.0.0 4 NAPT entries or NAT mapping removed The following example clears all NAPT translations for, to, and from the NATted address of 10.10.10.15: XSR#clear ip nat translation fastEthernet 1 0.0.0.0 10.10.10.15 5 NAPT entries or NAT mapping removed ip local pool This command configures a local pool of IP addresses for distribution to remote peers seeking connection to an interface. The command acquires IP Local Pool mode and makes available this sub‐command: exclude • ‐ Bars a range of IP addresses from the local pool. Refer to page 5‐184 for the sub‐ command definition. Syntax ip local pool pool-name IP-address subnet-mask pool-name IP-address subnet-mask Note: The pool size (mask) must be /16 or higher (Class B or C) thus limiting any one pool to 64,000 IP addresses.
Page 260 Network Address Translation Commands Next Mode IP Local Pool configuration: Example The following example creates local IP address pool marketing, which contains all IP addresses in the range 203.57.99.0 to 203.57.99.255: XSR(config)#ip local pool marketing 203.57.99.0 255.255.255.0 exclude This sub‐command bars the use of a range of IP addresses from an earlier created IP pool. Syntax exclude {ip address}{number} ip address number Syntax of the “no” Form The no form of this command removes the specified IP address from the exclude list: exclude {ip address}{number} Mode Local IP Pool configuration: Examples The following example excludes the ten IP addresses between 192.168.57.100 and 192.168.57.110 from local pool HQ: XSR(config)#ip local pool HQ 192.168.57.0 255.255.255.0 XSR(ip-local-pool)#exclude 192.168.57.100 10 The following example negates the exclusion of IP addresses 192.168.57.105 and 192.168.57.106 ...
Page 261 Syntax ip nat pool name name Syntax of the “no” Form The no command removes one or more addresses from the NAT pool: no ip nat pool name Mode Global configuration: Example The following example configures the IP NAT pool NATpool: XSR(config)#ip nat pool NATpool ip nat service list ???SPTD??? This command specifies a port other than the default port for the File Transfer Protocol (FTP). It is used when you want NAT to pass only FTP control sessions that are using that port. In this case, all client requests using the default port (21) will be dropped by NAT. Syntax ip nat service list access-list-number ftp tcp port port-number list acl-number port port-number Syntax of the “no”...
Page 262 Network Address Translation Commands XSR(config)#ip nat service list 1 ftp tcp port 2021 XSR(config)#access-list 1 permit 10.1.1.1 This example sets non‐standard port 2021 and standard port 21 for FTP. Be aware that if the FTP server is using both the default and another port, both ports must be configured in NAT. XSR(config)#ip nat service list 1 ftp tcp port 21 XSR(config)#ip nat service list 1 ftp tcp port 2021 XSR(config)#access-list 1 permit 10.1.1.1 ip nat source (interface mode - NAPT) This command applies Pool Network Address Translation (NAT) and Network Address Port ...
Page 263 ip nat source intf-static (interface mode) This command configures a single static translation entry in the Network Address Translation (NAT) table. Interface static NAT is similar to global NAT; it takes precedence over global static NAT with the implication that if an outgoing/incoming packet matches the interface static NAT no other form of NAT will be performed. Syntax ip nat source [list ACL_number] intf-static {local-ip global-ip |{tcp | udp} local-ip local-port global-ip global-port} list ACL_number static local-ip global-ip tcp | udp local-port global-port Syntax of the “no” Form The no form of the command removes a single static translation entry: no ip nat intf-source static local-ip global-ip Mode...
Page 264 Network Address Translation Commands global-ip tcp | udp local-port global-port Syntax of the “no” Form The no form of the command removes a single static translation entry: no ip nat source static local-ip global-ip Mode Global configuration: Example The following example configures a static NAT system: XSR(config)#ip nat source static 192.178.15.97 10.10.10.5 ip nat translation This command changes the interval after which translations time out. Syntax ip nat translation {timeout | udp-timeout | tcp-timeout | icmp-timeout}[seconds] | [never] timeout udp-timeout...
Page 265: Show Ip Nat Translations
Defaults • Timeout: 180 seconds (3 minutes) • UDP‐timeout: 300 seconds (5 minutes) • TCP‐timeout: 86,400 seconds (24 hours) • ICMP‐timeout: 60 seconds Example The example below times out UDP port translation entries in 15 minutes: XSR(config)#ip nat translation udp-timeout 900 show ip nat translations This command displays active NAPT translations. Syntax show ip nat translations [interface] Mode EXEC or Global configuration: Sample Output The following example displays four static NAT entries. Note that external hosts are not tracked for static NAT nor are idle times. XSR#show ip nat translations Interface GigabitEthernet 2 ============================================================= Num Interface-Static NAT : 4 ---------------------------------------...
Page 266 Network Address Translation Commands NAPT using address: 10.10.10.2 Num translations: 8 --------------------------------------- Private Host (Local IP Addr) 192.168.50.90:1024 192.168.50.90:1024 192.168.50.91:1024 192.168.50.91:1024 192.168.50.70:1024 192.168.50.70:1024 192.168.50.71:1024 192.168.50.71:1024 The following example displays NAT pool entries with overload statistics. Note that a unique NAT IP address is assigned to each internal host and that if there are more internal hosts than the number of addresses in the pool, then multiple internal hosts will share a single NAT address.. XSR#show ip nat translations Pool name: NATPool with overload ACL Number: 100 --------------------------------------- NAPT using address: 10.10.10.131 Num translations: 2...
Page 267: Virtual Router Redundancy Protocol Commands
Virtual Router Redundancy Protocol Commands vrrp <group> adver-int This command configures the interval between successive advertisements sent by the master VR in a virtual group. Advertisements sent by the master VR communicate the state and priority of the current master VR. Note: All virtual routers in a virtual group must have the same advertisement interval. Syntax vrrp group adver-int [sec] interval group interval Syntax of the “no” Form Use the no form of this command to restore the default value: no vrrp group adver-int Defaults •...
Page 268 Virtual Router Redundancy Protocol Commands message is accepted and if not, it is discarded. All routers within the group must share the same authentication string. Note: Plain text authentication is not meant to be used for security. It simply provides a way to prevent a misconfigured router from participating in the VRRP. Syntax vrrp group authentication string group Virtual router group number.
Page 269 XSR(config-if<F1>)#no vrrp 1 ip 10.0.1.20 or vrrp ip 10.0.1.20 vrrp <group> master-respond-ping This command allows the Virtual Router (VR) master to respond to an ICMP ping regardless of actual IP address ownership. RFC‐2338 specifies that a VR master that is not the actual address owner should not respond to ICMP ping associated with the virtual IP address. This configuration should be consistent on all interfaces participating in a VR. Syntax vrrp <group> master-respond-ping group Syntax of the “no” Form The no form of this command disables the functionality: no vrrp group master-respond-ping VR group number. If you do not specify an input group number, the default group number will be used. Limit: 11 addresses per VR, 44 per router. IP address of the VR. XSR(config-if<xx>)# VR group number, ranging from 1 to 255. Virtual Router Redundancy Protocol Commands XSR CLI Reference Guide 5-193...
Page 270 Virtual Router Redundancy Protocol Commands Defaults • Disabled ‐ the VR master will not respond to an ICMP echo request sent to the virtual IP address if it is not the physical owner. • If no group is provided, the default group is 1. Mode Interface configuration: Examples The following example enables this feature for VR 2 on interface F1: XSR(config)#interface fastethernet 1 XSR(config-if<F1>)#vrrp 2 master-respond-ping The following example disables this feature for VR 2 on interface F1: XSR(config-if<F1>)#no vrrp 2 master-respond-ping vrrp <group> preempt This command configures the router to take over as master Virtual Router (VR) for a virtual group if it has higher priority than the current master VR. This feature is enabled by default. You can also configure a delay, which will cause the virtual router to wait the specified interval before issuing an advertisement claiming master ownership. Notes: The XSR established as the IP address owner will pre-empt another VR, regardless of the setting of this command.
Page 271 • Group: 1 , ranging from 1 to 255 Mode Interface configuration: Examples This example sets priority 150 for VR group 1 on F1: XSR(config)#interface fastethernet 1 XSR(config-if<F1>)#vrrp 1 priority 150 or vrrp priority 150 The following example sets priority to default for VR group 1 on F1: XSR(config-if<F1>)#no vrrp 1 priority XSR(config-if<xx>)# VR group number. Priority of the router within the VRRP group. Range: 1 to 254. XSR(config-if<xx>)# or no vrrp priority Virtual Router Redundancy Protocol Commands XSR CLI Reference Guide 5-195...
Page 272 Notes: This command should be used on the interface most likely to be chosen master of the corresponding VR. The command has no effect if the interface is configured as a backup VR. The XSR supports one track interface per VR only, so every time it is configured, the router will overwrite the previous one.
Page 273: Vrrp Clear And Show Commands
XSR(config)#interface fastethernet 1 XSR(config-if)#vrrp 2 track serial 1/0 This example disables the tracking of interface Serial 1/0 by interface F1 on VR 2: XSR(config-if)#no vrrp 2 track VRRP Clear and Show Commands clear vrrp-counters This command clears statistics for a specified VRRP group; it is governed by the following considerations: • If you do not specify both group and interface, the statistics for all Virtual Routers (VR) in the VRRP group on this router will be cleared. • If you specify only the group and not the interface, statistics for all the VRs in the VRRP group whose group ID matches the specified ID on this router will be cleared. • If you do specify the interface only, statistics for all VRs in the VRRP group configured on this interface on this router will be cleared. • If you specify both group and interface, only statistics for this specified VRRP group on this router will be cleared. Syntax clear vrrp-counters [group][interface] group interface...
Page 274 Sample Output The following sample output displays configuration data for all virtual routers on this router: XSR#show vrrp Ethernet Interface: Group ID: State: Preempt: Priority: Adver-int: Master Down Timer: Authentication Code: Virtual IP: Primary IP: Master Router IP: Virtual MAC: BecomeMaster: AdvertiseRcvd: ChecksumErrors: VersionErrrors: PriorityZeroPktsRcvd: PriorityZeroPktsSend: InvalidTypePktsRcvd: UnknownAuthType: AuthTypeErrors: AuthFailures: ------------------------------- Ethernet Interface:...
Page 275 This sample output displays configuration data of a virtual router on interface FastEthernet 2: XSR#show vrrp interface fastethernet 2 Eathernet Interface: Group ID: State: Preempt: Priority: Adver-int: Advertise Interval Timer: 1 Authentication Code: Virtual IP: Primary IP: Master Router IP: Virtual MAC: BecomeMaster: AdvertiseRcvd: ChecksumErrors: VersionErrrors: PriorityZeroPktsRcvd: PriorityZeroPktsSend: InvalidTypePktsRcvd: UnknownAuthType: AuthTypeErrors: AuthFailures: Parameter Description Fast Ethernet Interface...
Page 276 AuthTypeErrors AuthFailures show vrrp summary This command displays VRRP summary information on this router. Syntax show vrrp summary Mode XSR> EXEC: Sample Output The following sample output displays VRRP summary data on the XSR: -------------------VRRP SUMMARY----------------------------- Maximum number of VRs per router: 5-200 Configuring the Internet Protocol Master or backup Preempt enabled or not Preempt delay seconds Priority of this group Advertisement interval If in backup state, displays the seconds remaining to trigger Master Down Timer or Master Delay Timer; if in master state, displays the seconds remaining to trigger the next advertisement. Password Virtual IP address Interface IP address ...
Page 277 Maximum number of virtual addresses per VR: Number of virtual IP address in use: Fast Ethernet 1 Fast Ethernet 2 ------------------------------------------------------------ VRRP Clear and Show Commands Fast Ethernet 3 XSR CLI Reference Guide 5-201...
Page 278 VRRP Clear and Show Commands 5-202 Configuring the Internet Protocol...
Page 279: Chapter 6: Configuring The Border Gateway Protocol
• “Route Map Commands” on page 6‐110. • “BGP Set Commands” on page 6‐114. • “BGP Clear and Show Commands” on page 6‐122. • “BGP Debug Commands” on page 6‐132. router bgp This command activates a BGP routing process, after which you can configure these additional parameters: • BGP neighbors Description Key word or mandatory parameters (bold) [ ] Square brackets indicate an optional parameter (italic) [ | ] Square brackets with vertical bar indicate a choice of values...
Page 280 BGP Configuration Commands • Networks • Neighbor parameters • Routing policies Syntax router bgp autonomous-system autonomous-system Syntax of the “no” Form The no form of this command sets the default parameter ‐ disabled: no router bgp autonomous-system Mode Global configuration: Examples The following example activates the BGP routing process on a router belonging to AS 100. Note that the XSR acquires Router configuration mode after executing the command: XSR(config)#router bgp 100 XSR(config-router)# The following example displays an error message when you try to activate another BGP process when one is already running. In this example the BGP process was already activated with AS 100 when an attempt was made to activate it again with the AS 11. XSR(config)#router bgp 11 % BGP Already running in AS 100 aggregate-address This command creates an aggregate entry in a BGP routing table which is useful for reducing the ...
Page 281 Mode Router configuration: Default Disabled Example The following example aggregates routes ranging from 192.168.0.0 to 192.168.255.0, each with a mask of 255.255.255.0, into a single aggregate route of 192.168.0.0 with a mask of 255.255.0.0. The optional summary‐only keyword can be used to direct only the aggregate route be advertised to this router’s neighbors. Ommiting the as‐set option can indicate that all of the routes originate in the same AS and follow the same routing policy, this resulting in no loss of any BGP attribute data within the aggregate. XSR(config)#router bgp 100 XSR(config-router)#aggregate-address 192.168.0.0 255.255.0.0 summary-only auto-summary This command restores the default behavior of BGP by summarizing redistributed IGP subnets on classful network boundaries. Automatic summarization of IGP subnets reduces the number of routes in the BGP routing table, improving router performance and reducing the amount of bandwidth used by routing traffic between BGP peers. Syntax auto-summary Syntax of the “no” Form The no form of this command removes BGP summarization: no auto-summary Prevents data loss, including contents of BGP attributes, from more specific routes in the aggregate route. Note that when the contents of those attributes vary within more specific routes, reducing them ...
Page 282 BGP Configuration Commands Mode Router configuration: Default Enabled Example The following example configures summarization in BGP process 100: XSR(config)#router bgp 100 XSR(config-router)#auto-summary bgp always-compare-med This command instructs the XSR to compare the Multi Exit Discriminator (MED) value for paths from neighbors in different ASs. MED is one of the parameters considered by the XSR when selecting the best path. The path with the lowest MED value is chosen when all higher‐ranking BGP route selection criteria are the same for all competing paths to the same destination. Syntax bgp always-compare-med Syntax of the “no” Form The no form of this command removes the MED value: no bgp always-compare-med Mode Router configuration: Default The default value for this command is to only compare the MED values for paths from neighbors in the same AS. Example The following example sets MED within BGP process 100: XSR(config)#router bgp 100...
Page 283 Mode Router configuration: Default A missing MED attribute is considered to have a value of zero. Example This example configures the bgp bestpath med missing‐as‐worst value within BGP process 100: XSR(config)#router bgp 100 XSR(config-router)#bgp bestpath med missing-as-worst bgp client-to-client reflection This command instructs the XSR to reflect routes from a BGP route reflector to clients. When a full IBGP mesh already exists, route reflection is redundant and can be disabled by using the client-to-client reflection Syntax bgp client-to-client reflection Syntax of the “no” Form The no form of this command disables the default reflection behavior: no bgp client-to-client reflection Mode Router configuration: ...
Page 284: Bgp Confederation Identifier
BGP Configuration Commands Example This example first disables the default reflection setting on this router then restores the default: XSR(config)#router bgp 100 XSR(config-router)#no bgp client-to-client reflection XSR(config-router)#bgp client-to-client reflection bgp cluster-id This command sets the cluster identifier for a BGP cluster that contains more than one route reflector. A cluster is comprised of one or more route reflectors and clients of those reflectors. Clusters containing one route reflector are identified by the router identifier of the route reflector. Syntax bgp cluster-id cluster-id cluster-id Syntax of the “no” Form The no form of this command resets the cluster identifier to the default: no bgp cluster-id Mode Router configuration: Default The default value is the router identifier of the route reflector in the cluster. Example The following example configures the bgp cluster‐id value within the BGP process 600. The BGP ...
Page 285: Bgp Confederation Peers
[autonomous-system][autonomous-system]...] Mode Router configuration: Example The following example configures the BGP confederation peers value within BGP process 100. The ASs assigned to the confederation using this command are 600, 700, and 800. Confederation 44 is configured using the router belongs is also a member of confederation 44. XSR(config)#router bgp 100 XSR(config-router)#bgp confederation identifier 44 XSR(config-router)#bgp confederation peers 600 700 800 AS number, ranging from 1 to 65535. XSR(config-router)# AS number, ranging from 1 to 65535. XSR(config-router)# bgp confederation identifier BGP Configuration Commands command. The AS 100 to which this XSR CLI Reference Guide 6-89...
Page 286: Bgp Dampening
The no form of this command disables BGP dampening: no bgp dampening Mode Router configuration: Defaults • Half‐life ‐ 15 minutes • Reuse ‐ 750 • Suppress ‐ 2000 • Suppress‐max ‐ 60 minutes • Disabled. Example The following example enables route flap dampening: XSR(config)#router bgp 100 XSR(config)#bgp dampening 6-90 Configuring the Border Gateway Protocol Interval after which the route’s penalty becomes half its value, ranging from 1 to 45 minutes. How low a route’s penalty must become before the route becomes eligible for use again after being suppressed, ranging from 1 to 20000. How high a route’s penalty must become before the route is suppressed, ranging from 1 to 20000. Peak interval a route can be suppressed regardless of how unstable it is. Range: 1 to 255 minutes. Route map number applied to dampened routes, ranging from 1 to 199. XSR(config-router)#...
Page 287: Distance Bgp
Syntax of the “no” Form The no form of this command reverts to the local preference default: no bgp default local-preference Mode Router configuration: Default Example This example configures the BGP default local‐preference of 300 for BGP process 100. This setting indicates that all routes this router advertises to its internal BGP neighbors will have a local preference of 300. XSR(config)#router bgp 100 XSR(config-router)#bgp default local-preference 300 distance bgp This command sets the BGP route preference ‐ administrative distance ‐ for its external and internal routes submitted to the routing table. Syntax distance bgp external internal external internal Syntax of the “no” Form The no form of the command removes the configured value: no distance bgp Local preference value, ranging from 0 to 4294967295.
Page 288 BGP Configuration Commands Defaults • External: 20 • Internal: 200 Mode Router configuration: Example This example sets BGP external and internal administrative distances to 50 and 150, respectively: XSR#config terminal XSR(config)#router bgp 100 XSR(config-router)#distance bgp 50 150 neighbor advertisement-interval This command sets the minimum interval that a router waits between sending BGP routing updates to its neighbor. Before entering this command, a neighbor or peer group must be identified by means of the neighbor remote‐as or neighbor peer‐group command. Configuring a minimum interval of zero means that there is no delay in sending BGP routing updates to its neighbor. Syntax neighbor {ip-address | peer-group-name} advertisement-interval seconds ip-address peer-group-name seconds Syntax of the “no” Form The no form returns to the advertisement interval default:...
Page 289 Example The following example sets the neighbor advertisement‐interval value within BGP process 100. neighbor remote-as Note that the entered. In the example, the router on which the configuration occurs resides in AS 100. Neighbor 192.168.1.1 resides in AS 101. The default update interval between these peers has been changed from 30 to 90 seconds. XSR(config)#router bgp 100 XSR(config-router)#neighbor 192.168.1.1 remote-as 101 XSR(config-router)#neighbor 192.168.1.1 advertisement-interval 90 neighbor default-originate This command sends the route 0.0.0.0 to the BGP neighbor of the router that this command is entered on so that it can be used as the default route. Before entering this command, a neighbor or peer group must be identified by means of the commands. Syntax neighbor {ip-address | peer-group-name} default-originate ip-address peer-group-name Syntax of the “no” Form The no form of this command returns to the default value: no neighbor {ip-address | peer-group-name} default-originate Mode Router configuration: ...
Page 290 XSR(config)#access-list 1 permit 10.0.0.0 255.0.0.0 XSR(config)#access-list 1 permit 11.0.0.0 255.0.0.0 XSR(config)#access-list 1 permit 12.0.0.0 255.0.0.0 XSR(config)#router bgp 100 XSR(config-router)#neighbor 192.168.1.1 remote-as 101 XSR(config-router)#neighbor 192.168.1.1 distribute-list 1 in 6-94 Configuring the Border Gateway Protocol neighbor peer-group command. Also, the prefix‐based ACL must be configured. Neighbor’s IP address. BGP peer group by name. Range: 1 to 64 characters. ACL, ranging from 1 to 199.
Page 291 Mode Router configuration: Default Not enabled Example The following example allows connections to or from neighbor 192.168.1.1, which resides on a network that is not directly connected: XSR(config)#router bgp 100 XSR(config-router)#neighbor 192.168.1.1 remote-as 101 XSR(config-router)#neighbor 192.168.1.1 ebgp-multihop neighbor filter-list This command sets up a BGP filter based on AS path. Before entering this command, a neighbor or peer group must be identified by means of the command. Also, the AS path‐based access list must be configured. Note: Perform a clear ip bgp neighbor <IP address> whenever this command is changed. Syntax neighbor {ip-address | peer-group-name} filter-list filter-list {in | out | weight...
Page 292 Mode Router configuration: Example This example applies filter list 1 to incoming advertisements from neighbor 192.168.1.1. Only routes which start with AS path 200 and end with AS path 500 will be accepted from the neighbor. XSR(config)#ip as-path access-list 1 permit “^200 .* 500$” XSR(config)#router bgp 100 XSR(config-router)#neighbor 192.168.1.1 remote-as 101 XSR(config-router)#neighbor 192.168.1.1 filter-list 1 in neighbor maximum-prefix This command controls the number of prefixes received from a particular neighbor. When the maximum number of prefixes is exceeded, a CEASE message is sent and the connection is cleared. To reactivate the session, enter zero, no prefixes will be accepted from the neighbor. Syntax neighbor {ip-address | peer-group-name} maximum-prefix value [threshold][warning- only]...
Page 293 Mode Router configuration: Defaults • No restriction on the number of prefixes. • Threshold: 75 prefixes Example The following example sets the maximum number of prefixes allowed from the neighbor at 192.168.1.1 to 10000: XSR(config)#router bgp 100 XSR(config-router)#neighbor 192.168.1.1 remote-as 101 XSR(config-router)#neighbor 192.168.1.1 maximum-prefix 10000 neighbor next-hop-self This command disables automatic next‐hop selection. Updates meant for the specified system or peer group are forced to advertise this router as the next hop. Syntax neighbor {ip-address | peer-group-name} next-hop-self ip-address peer-group-name Syntax of the “no” Form The no form of this command returns to the default value: no neighbor {ip-address | peer-group-name} next-hop-self Mode Router configuration:...
Page 294: Neighbor Password
BGP Configuration Commands Example The following example sets the router at 192.168.1.1 as the next hop: XSR(config)#router bgp 100 XSR(config-router)#neighbor 192.168.1.1 remote-as 101 XSR(config-router)#neighbor 192.168.1.1 next-hop-self neighbor password This command sets a password for Message Digest 5 (MD5) authentication on the TCP connection between the XSR that this command is entered on and a BGP neighbor. The same password must be configured on both routers. When a password is configured for a neighbor, the existing session is replaced by a new session. Syntax neighbor {ip-address | peer-group-name} password password-value ip-address peer-group-name password-value Syntax of the “no” Form This command’s no form removes the password for the specified router: no neighbor {ip-address | peer-group-name} password password-value Mode Router configuration: ...
Page 295 Syntax of the “no” Form The no form of this command removes the specifed neighbor peer group: no neighbor {ip-address | peer-group-name} peer-group [peer-group-name] Mode Router configuration: Example The following example creates peer group ExternalGroup and assigns neighbor 192.168.1.1 to peer group ExternalGroup: XSR(config)#router bgp 100 XSR(config-router)#neighbor ExternalGroup peer-group XSR(config-router)#neighbor 192.168.1.1 remote-as 101 XSR(config-router)#neighbor 192.168.1.1 peer-group ExternalGroup neighbor remote-as This command adds an entry to the BGP neighbor table. BGP requires manual neighbor configuration. The configuration of neighbors on both of the neighboring BGP routers allows a BGP session to be set up between the routers and allows the exchange of BGP update messages. For external BGP neighbors, the IP address specified is that of the neighbor interface to the shared subnet between routers (unless ebgp‐multihop is enabled). For internal BGP neighbors, the neighbor IP address is any reachable IP address from the router. Syntax...
Page 296 The no form of this command deletes the specified neighbor’s route map: no neighbor {ip-address | peer-group-name} route-map route-map# {in | out} Mode Router configuration: Example The following example adds a neighbor route map: XSR(config)#router bgp 100 XSR(config-router)#neighbor 192.168.1.1 remote-as 101 XSR(config-router)#neighbor 192.168.1.1 route-map 1 in 6-100 Configuring the Border Gateway Protocol XSR(config-router)# Neighbor’s IP address. BGP peer group by name. Range: 1 to 64 characters. Identifies the route map number. Range: 1‐199. Route map is applied to inbound routes. Route map is applied to outbound routes. XSR(config-router)#...
Page 297 Syntax of the “no” Form The no form of this command removes a neighbor’s route reflector: no neighbor {ip-address | peer-group-name} route-reflector-client Mode Router configuration: Example The following example sets a neighbor’s reoute reflector: XSR(config)#router bgp 100 XSR(config-router)#neighbor 192.168.1.1 remote-as 101 XSR(config-router)#neighbor 192.168.1.1 route-reflector-client neighbor send-community This command instructs the system to send a community attributed to a BGP neighbor. Syntax neighbor {ip-address | peer-group-name} send-community ip-address peer-group-name Syntax of the “no” Form The no form of this command removes a neighbor’s community:...
Page 298: Neighbor Shutdown
BGP Configuration Commands Example The following example sets a neighbor’s community: XSR(config)#router bgp 100 XSR(config-router)#neighbor 192.168.1.1 remote-as 101 XSR(config-router)#neighbor 192.168.1.1 send-community neighbor shutdown This command disables a neighbor or peer‐group. Syntax neighbor {ip-address | peer-group-name} shutdown ip-address peer-group-name Syntax of the “no” Form The no form of this command returns to the command default: no neighbor {ip-address | peer-group-name} shutdown Mode Router configuration: ...
Page 299: Neighbor Timers
{ip-address | peer-group-name} soft-reconfiguration inbound Mode Router configuration: Default No soft reconfiguration is done. Example The following example configures soft reconfiguration on the router: XSR(config)#router bgp 100 XSR(config-router)#neighbor 192.168.1.1 remote-as 101 XSR(config-router)#neighbor 192.168.1.1 soft-reconfiguration inbound neighbor timers This command changes the values of BGP timers for a peer or peer group. When a session is started, BGP negotiates the hold‐time with the neighbor, selecting the smaller value. The keep‐ alive timer is then set based on the negotiated hold‐time and the configured keep‐alive interval. By default, the keep‐alive timer is set to 30 seconds and the hold‐time timer set to 90 seconds. This 1 to 3 ratio is strictly maintained between the timers. Note: Perform a clear ip bgp neighbor <IP address> whenever this command is changed.
Page 300 Syntax of the “no” Form The no form of this command removes a neighbor’s update source: no neighbor {ip-address | peer-group-name} update-source interface Mode Router configuration: Default Best outbound interface. Example The following example sources BGP TCP connections for the specified neighbor with the IP address of the loopback interface rather than the best local address: XSR(config)#router bgp 100 XSR(config-router)#neighbor 192.168.1.1 remote-as 101 XSR(config-router)#neighbor 192.168.1.1 update-source loopback 0 6-104 Configuring the Border Gateway Protocol XSR(config-router)# Neighbor’s IP address. BGP peer group by name. Range: 1 to 64 characters. Identifies the interface to be used as the source. XSR(config-router)#...
Page 301: Neighbor Weight
Syntax of the “no” Form The no form of this command removes a neighbor’s weight: no neighbor {ip-address | peer-group-name} weight value Mode Router configuration: Example The following example sets the specified neighbor’s weight to 100: XSR(config)#router bgp 100 XSR(config-router)#neighbor 192.168.1.1 remote-as 101 XSR(config-router)#neighbor 192.168.1.1 weight 100 ip as-path access-list This command creates an as‐path filter list which can be applied to filter inbound and outbound BGP updates. The as‐path variable in the BGP routing update message is examined against a required parameter of this command, which represents AS numbers identified by means of a regular expression. Multiple regular expressions can be configured under a particular as‐path filter list. Note: Perform a clear ip bgp whenever this command is changed.
Page 302 BGP Configuration Commands deny as-regular- expression Syntax of the “no” Form The no form of this command removes the configured filter list: no ip as-path access-list access-list-number Mode Global configuration: Example The following example configures the IP as‐path access‐list value in the context of configuring a route map and performing a match using the The as‐path access list is 33, ends with a regular expression “.* 640 .*” and is referenced in the match as‐path command, which in turn is configured inside of the route map 33. This means that a match occurs if the as‐path variable in a BGP update message contains AS 640. XSR(config)#ip as-path access-list 33 permit “.* 640 .*” XSR(config)#route-map 33 permit 1 XSR(config-route-map)#match as-path 33 XSR(config-route-map)#set local-preference 300 ip community-list This command defines a community list that filters on the BGP COMMUNITY attribute. The ...
Page 303 XSR(config)#ip community-list 88 permit 2000 XSR(config)#ip community-list 88 permit 3000 XSR(config)#ip community-list 88 permit 4000 network This command specifies the list of networks for the BGP routing process. Networks can be learned from connected routes or via dynamic routing. The BGP process must be notified about the networks it will route which con occurs via manual injection of routes into the BGP process with the network command. Routes originated by BGP via the code set to IGP. Network numbers that are injected into BGP by means of the exist in the IP routing table on the router as static, directly‐connected, or dynamically‐derived routes. If network numbers do not already exist, they will not be placed into the BGP table, even though they will appear in the router’s configuration. Syntax network network-number [mask network-mask] network-number mask Community number as it was defined for this router via the community command. Valid values are: • Range: 1 to 4,294,967,200. •...
Page 304 [mask network-mask] Mode Router configuration: Example The following example configures a network with and without the optional mask keyword. In the optional mask statement, the network‐number represents a subnet of class B network 172.17.0.0. A default Class C network mask is assumed for the network 192.168.1.0 in the configuration statement without the optional parameters. XSR(config)#router bgp 100 XSR(config-router)#network 172.17.151.0 mask 255.255.255.0 XSR(config-router)#network 192.168.1.0 redistribute This command redistributes routes from a protocol into the BGP. Redistributed routes can be learned from dynamic routing (OSPF, RIP), static routes, and connected routes. Redistributed routes can have their path attributes set in BGP by the default, redistributed static routes have their origin code set to incomplete unless otherwise configured by Syntax redistribute {ospf | rip | static | connected} [metric metric-value | route-map...
Page 305: Timers Bgp
Mode Router configuration: Default Redistribution is not enabled. Example The following example redistributes static routes into BGP: XSR(config)#router bgp 100 XSR(config-router)#redistribute static synchronization This command synchronizes BGP with the IGP in the AS. You should synchronize BGP with IGP if there are routers in the AS that are not BGP routers. Syntax synchronization Syntax of the “no” Form The no form of this command disables synchronization: no synchronization Mode Router configuration: Default Enabled Example The following example disables synchronization: XSR(config)#router bgp 100 XSR(config-router)#no synchronization timers bgp This command resets BGP timers. When a session is started on a router, BGP negotiates hold‐time with the neighbor and selects the smaller value. The keepalive timer is then set based on the negotiated hold‐time and the configured keepalive period. By default, the keepalive timer is set at 60 ...
Page 306: Route Map Commands
Syntax of the “no” Form The no form of this command deletes the timers value: no timers bgp Mode Router configuration: Defaults • Keepalive timer: 30 seconds • Holdtime timer: 90 seconds Example The following example sets the hold‐timer interval to 30 seconds: XSR(config)#router bgp 100 XSR(config-router)#timers bgp 30 Route Map Commands Route maps are comprised of sets of match and set commands. Match commands define the match criteria for route maps. Routes that match all defined match criteria are processed via set commands and those that do not match all of the defined match criteria in the route map are ignored. match as-path This command matches the values of the as_path variable in BGP routing update messages to the values of AS numbers identified through the AS‐path access list. A route must match at least one match statement of a match any match statements, the route is not advertised on outbound route maps and is not accepted on inbound route maps. Syntax...
Page 307 Syntax of the “no” Form The no form of this command removes the patch list number: no match as-path path-list-number Mode Route‐map configuration: Example This example sets the match as‐path in the context of configuring a route map and as‐path ACL 33. XSR(config)#route-map 1 permit 1 XSR(config-route-map)#match as-path 33 XSR(config-route-map)#set local-preference 300 XSR(config-route-map)#exit XSR(config)#ip as-path access-list 33 permit “.* 550 .*” Route map 1 is configured with the optional permit keyword and sequence number 1. If these values are omitted, a route map will default to the permit keyword and sequence number 10. After route map 1 is defined via the command which references as‐path access list 33 ‐ the last configuration statement in the example. AS‐path access list 33 ends with a regular expression “.* 550 .*”, indicating a match will occur if the as_path variable in a BGP update message contains AS number 550. If a match occurs, then the for the matching BGP updates to 300, overriding the default value of 100. A route flagged with a ...
Page 308: Match Metric
Route Map Commands Mode Route‐map configuration: Default No match based on community list Example The following example configures the match community value in the context of configuring a route map named 1 and community list 77 on XSRA and XSRB: Router A configuration: XSRA(config)#route-map 1 permit 1 XSRA(config-route-map)#match community 77 XSRA(config-route-map)#set local-preference 500 XSRA(config-route-map)#exit XSRA(config)#ip community-list 77 permit 300:22 Router B configuration: XSRB(config)#route-map 1 permit 1 XSRB(config-route-map)#match community 77 XSRB(config-route-map)#set local-preference 200 XSRB(config-route-map)#exit XSRB(config)#ip community-list 77 permit 300:22 XSRA and XSRB are border routers within the same AS. The community is identified by name ...
Page 309 Mode Route‐map configuration: Example The following example sets the match metric to 300: XSR(config)#route-map 1 permit 1 XSR(config-route-map)#match metric 300 match ip address This command matches IP addresses in a BGP routing update message. A route must match at least one match statement of a on outbound route maps and is not accepted on inbound route maps. Syntax match ip address access-list-number access-list-number Syntax of the “no” Form The no form of this command removes the match IP address value: no match ip address access-list-number Mode Route‐map configuration: Default No matching based on IP prefix. Example The following example sets the matching IP address to 10: XSR(config)#access-list 10 permit 10.0.0.0 255.0.0.0 XSR(config)#route-map 1 permit 1 XSR(config-route-map)#match ip address 10...
Page 310: Bgp Set Commands
BGP Set Commands Syntax match ip next-hop access-list-number access-list-number Syntax of the “no” Form The no form of this command removes the match next hop value: no match ip next-hop access-list-number Mode Route‐map configuration: Default No matching based on IP next hop. Example The following example sets the matching IP next hop to 10: XSR(config)#access-list 10 permit 1.2.3.4 XSR(config)#route-map 1 permit 1 XSR(config-route-map)#match ip next-hop 10 BGP Set Commands Route maps are comprised of sets of match and set commands. Match commands define the match ...
Page 311: Set Community
as-path-string Syntax of the “no” Form The no form of this command removes the AS path value: no set as-path Mode Route‐map configuration: Example The following example configures the as‐path value in the context of configuring a route map and match the command. The identifies the BGP routing updates to which the In this case, match clause ʺ.*ʺ will match all routes. Relevant updates will have one instance of the AS number 100 prepended into their AS path variable. Assuming that all of the BGP route selection criteria remain the same, the routes with the fewest AS numbers in the AS path variable will be chosen as the best routes to the identified destinations. If more than one AS path is to be prepended, then the string should be surrounded by quotes. XSR(config)#ip as-path access-list 37 permit ".*" XSR(config)#route-map 1 permit 1 XSR(config-route-map)#match as-path 37 XSR(config-route-map)#set as-path prepend 100 XSR(config-route-map)#set as-path prepend "100 100"...
Page 312 XSR(config-route-map)#match ip address 37 XSR(config-route-map)#set community 500:10 XSR(config-route-map)#exit XSR(config)#route-map 1 permit 2 XSR(config-route-map)#set community none XSR(config-route-map)#exit XSR(config)#router bgp 100 XSR(config-router)#neighbor 192.168.1.1 remote-as 101 XSR(config-router)#neighbor 192.168.1.1 send-community XSR(config-router)#neighbor 192.168.1.1 route-map 1 out Route map 1 is applied to the outgoing BGP updates between this router and its peering neighbor identified by IP address 192.168.1.1 in AS 101. The first instance of route map 1 matches the destinations in the BGP updates against the criteria specified in ACL 37 (10.0.0.0/8). If there is not a match, the second instance of route map 1 is invoked, which matches on all remaining routes and removes any community attributes. This means that routes matching ACL 37 criteria will have a community attribute set to 500:10, but all of the other routes advertised to 192.168.1.1 will not. The BGP peer 192.168.1.1 will then have the option to apply a desired routing policy to all routes arriving from this router with the community attribute set to 500:10. set dampening This command configures route flap dampening, a mechanism to combat network overhead ...
Page 313 • The XSR penalizes a route marked as unstable with a value of 1024 each time it fails. If penalties accrue beyond the suppress threshold you set, the route is no longer advertised. • The XSR permits suppressed routes to rejoin the BGP routing table when their penalties drop below the threshold. • After a route assumes a penalty, the XSR cuts the penalty in half each time a half‐life interval you configure elapses. • When penalties drop below the configurable reuse value, the XSR frees the route, re‐inserting it into the BGP routing table. • The XSR does not suppress routes indefinitely. You can set the max‐suppress value and fix the maximum period a route can be suppressed before it is advertised again. Syntax set dampening half-life | reuse | suppress | suppress-max half-life Interval after which the route’s penalty becomes half its value, ranging from 1 to 45 minutes. reuse Specifies how low a route’s penalty must become before the route becomes eligible for use again after being suppressed, ranging from 1 to 20,000 seconds. suppress Specifies how high a route’s penalty must become before the route is suppressed, ranging from 1 to 20,000. suppress-max Specifies that maximum interval in minutes that a route can be suppressed regardless of how unstable it is, ranging from 1 to 20,000 minutes. Syntax of the “no” Form The no form of this command removes route dampening: no set dampening Mode...
Page 314 BGP Set Commands XSR(config)#router bgp 100 XSR(config)#bgp dampening route-map 1 set ip next-hop This command specifies where to output packets that pass a match clause of a route map for policy routing. It modifies the value of the next hop attribute in a BGP routing update message. The next‐hop attribute identifies the next hop to reach a route. Next‐hop for an EBGP session is the IP address of the BGP neighbor that announced the route. Next‐hop for IBGP sessions is either the BGP neighbor that announced the route (for routes that originate inside the AS) or the BGP neighbor from which the route was learned (for routes injected into the AS via EBGP). Syntax set ip next-hop value value Syntax of the “no” Form The no form of this command removes the next hop value: no set ip next-hop value Mode Route‐map configuration: Example The following example sets the IP next hop attribute in the BGP update which matches 10.0.0.0 ...
Page 315: Set Metric
XSR(config-route-map)#match as-path 37 XSR(config-route-map)#set local-preference 400 Route map 1 uses the match as‐path command that is referencing an as‐path access list 37. This list identifies the BGP routing updates to which the set local‐preference command will apply. The relevant updates will have the value of their local preference set to 400, which is higher than the default of 100. Assuming that all of the BGP route selection criteria remain the same, the routes with the highest local preference will be chosen as the best routes to the identified destinations. This, however, applies only in multi‐homed ASs as the local preference attribute impacts only which way the traffic leaves an AS if there are multiple exit points from it. set metric This command modifies the metric associated with routes that match a particular route map. This command can also be used to manipulate the value of the MED for matching BGP routes. Be sure that a match clause has been specified. Metrics are values that the router uses to indicate preferred paths to networks. Updates with non‐ zero metrics are used for route selection inside the AS. BGP automatically compares metrics for routes to internal neighbors. You can use metric to select the best path when there are multiple alternatives. Routes with lower metric values are more preferred. Syntax set metric metric-value metric-value Syntax of the “no” Form The no form of this command removes the metric value: no set metric metric-value XSR(config-route-map)# The value of the metric, ranging from 0 to 2,147,483,647. BGP Set Commands...
Page 316: Set Origin
XSR(config)#route-map 1 permit 1 XSR(config-route-map)#match ip address 66 XSR(config-route-map)#set metric 20 XSR(config-route-map)#exit XSR(config)#route-map 1 permit 2 XSR(config-route-map)#set metric 30 XSR(config-route-map)#exit XSR(config)#router bgp 100 XSR(config-router)#neighbor 192.168.1.1 remote-as 101 XSR(config-router)#neighbor 192.168.1.1 route-map 1 out The set metric command is used to change the value of the MED, which impacts the flow of inbound traffic into a multi‐homed AS. All of the outbound updates leaving this router and matching ACL 66 will have MED value of 20 assigned to them. All of the remaining updates will have the MED value of 30. A lower value of MED is preferred in the BGP route selection process. set origin This command assigns a value to the origin attribute in the BGP routing update message which impacts BGP route selection. Ensure that a match clause has been specified. This attribute indicates where a routing update is derived. BGP prefers routes with the lowest ...
Page 317: Set Weight
Mode Route‐map configuration: Default The default value for this command is the default value for the origin code. The default value for the origin code is incomplete for routes that are advertised into BGP by means of the redistribute command. Example The following example configures the set origin value for redistributed static routes: XSR(config)#route-map 1 permit 1 XSR(config-route-map)#set origin igp XSR(config-route-map)#exit XSR(config)#router bgp 100 XSR(config-router)#redistribute static route-map 1 set weight This command specifies the weight value for matching BGP routing table entries. Be sure that a match clause has been specified. Weight is used for best path selection and is assigned locally to the router. It is not propagated or carried through any route updates. Routes with a higher weight are preferred when multiple routes exist to the same destination. Syntax set weight weight weight Weight is local to the XSR on which it is configured, and it is not propagated in BGP routing update messages. But, it is the first value considered in the BGP route selection process. Routes with the higher weight are prefered over alternate routes to the same destinations but with a lower weight. Range: 0 to 65535. Syntax of the “no” Form The no form of this command removes the weight value:...
Page 318: Bgp Clear And Show Commands
XSR(config)#route-map 1 permit 2 XSR(config-route-map)#match as-path 57 XSR(config-route-map)#set weight 5000 XSR(config-route-map)#exit XSR(config)#router bgp 100 XSR(config-router)#neighbor 192.168.1.1 remote-as 101 XSR(config-router)#neighbor 192.168.2.1 remote-as 102 XSR(config-router)# XSR(config-router)#neighbor 192.168.1.1 route-map 1 in XSR(config-router)#neighbor 192.168.2.1 route-map 1 in The two instances of route map 1 perform a match on IP as‐path access lists 67 and 57, in that order with a weight of 6000 for updates matching ACL 67, and 5000 for updates matching ACL 57. If the same destinations are advertised by all two remote neighbors, the outbound traffic from this router will be directed to the neighbor who had a match on ACL 67, as those routes will have the highest value of the weight parameter. BGP Clear and Show Commands clear ip bgp This command resets one or more BGP connections, by either a hard or soft reset. Soft resets are ...
Page 319: Clear Ip Bgp Dampening
Syntax clear ip bgp {* | address | peer-group peer-group-name} [soft [in | out]]} address peer-group-name soft Mode Privileged EXEC: Examples This example displays all BGP connections and neighbors cleared by means of a hard reset, the most drastic way of clearing BGP links. XSR#clear ip bgp * The following example displays a soft inbound reset with neighbor 192.168.11.1: XSR#clear ip bgp 192.168.11.1 soft in clear ip bgp dampening This command resets BGP dampening parameters to the system default and unsuppresses suppressed routes. Syntax clear ip bgp {dampening [ip-address mask]} ip-address mask...
Page 320: Show Ip Bgp
Origin codes: i - IGP, e - EGP, ? = incomplete Network *> 192.4.4.0/24 *> 192.1.1.0/24 55.5.5.0/24 *> 55.5.5.0/24 *> 6.6.6.2/32 Local Router ID: IP Address of the router Status codes: • s – the bgp table entry is suppressed • * - the bgp table entry is valid •...
Page 321: Show Ip Bgp Community
Display Parameters Network Next Hop Metric LocPrf Weight Path The following is sample output from the command: XSR#show ip bgp 55.5.5.0/24 BGP routing table entry for 55.5.5.0 255.255.255.0 Paths: (2 available, learned over EBGP) AS Path 200, Aggregator 500 Next Hop 52.52.52.3 from 52.52.52.3 (52.52.52.3) Origin ?, localpref 200, weight 100, atomic, valid BGP routing table entry for 55.5.5.0 255.255.255.0 Paths: (2 available, best #1, learned over EBGP) AS Path 300...
Page 322 BGP Clear and Show Commands XSR#show ip bgp community 400 Local router ID is 1.1.1.4 Status codes: s suppressed, * valid, > best, i - internal Origin codes: i - IGP, e - EGP, ? = incomplete Network *> 192.4.4.0/24 *>...
Page 323 Mode EXEC configuration: Example The following is sample output from the command: XSR#show ip bgp dampened-paths Local router ID is 1.1.1.4 Status codes: s suppressed, * valid, > best, i - internal Origin codes: i - IGP, e - EGP, ? = incomplete *> 192.4.4.0/24 *> 192.1.1.0/24 show ip bgp filter-list This command displays routes conforming to a specified filter list.
Page 324: Show Ip Bgp Neighbors
EXEC configuration: Example The following is sample output from the command. The output is filtered to show only that the 192.168.72.100 neighbor and the route refresh capability has been exchanged with this neighbor. XSR#show ip bgp neighbors 192.168.72.100 BGP neighbor is 192.168.72.100 remote AS 300 external link BGP version 4, remote router ID 192.168.72.100 BGP state = ESTABLISHED 6-128 Configuring the Border Gateway Protocol XSR> Next Hop 192.168.72.100 192.168.72.100 192.168.72.100...
Page 325 Route Refresh request: received 0 sent 0 Last reset: Peer connection reset 3 accepted prefixes Outgoing update AS path filter list is 33 Route map for outgoing advertisements is 60 Display Parameters BGP neighbor BGP neighbor external link BGP version remote router ID BGP state Hold Time keepalive interval Neighbor capabilities Route Refresh Address family IPv4 Unicast Received notifications...
Page 326: Show Ip Bgp Regexp
BGP Clear and Show Commands show ip bgp peer-group This command displays information about the BGP peer group belonging to the router that this command is entered on. Syntax show ip bgp peer-group [peer-group-name][summary] peer-group-name summary Mode EXEC configuration: Example The following is sample output from the command: XSR#show ip bgp peer-group external BGP peer group is external BGP version 4 Minimum time between advertisement runs is 0 seconds peer-group is external, members 18.1.1.3 192.168.72.19...
Page 327: Show Ip Bgp Summary
Local router ID is 1.1.1.4 Status codes: s suppressed, * valid, > best, i - internal Origin codes: i - IGP, e - EGP, ? = incomplete Network *> 192.4.4.0/24 *> 192.1.1.0/24 *> 66.6.6.2/32 *> 55.5.5.0/24 *> 6.6.6.2/32 show ip bgp summary This command displays status for all BGP connections.
Page 328: Bgp Debug Commands
BGP Debug Commands show route-map This command displays configured route maps and information about policy maps that are referenced. Syntax show route-map [map-number] map-number Mode EXEC configuration: Example The following is sample output from the command: XSR#show route-map route-map 1, permit, sequence 1 Match clauses: community-list 1 Set clauses: local-preference 300 route-map 1, permit, sequence 2 Match clauses: community-list 2 Set clauses: local-preference 200 route-map 2, permit...
Page 329 Syntax of the “no” Form The no form of this command disables debugging output: no debug ip bgp [events | updates] Mode EXEC configuration: XSR> Default BGP debugging is disabled. Examples The following is sample output with the events option chosen: XSR#debug ip bgp events BGP: Event:STOP, Nbr:192.168.2.1, AS:300, Skt:0, State:IDLE BGP: Event:START, Nbr: 192.168.2.1, AS:300, Skt:0, State:PEND_START BGP: Event:START, Nbr: 192.168.2.1, AS:300, Skt:2, State:CONNECT BGP: Event:TCP_OPEN, Nbr: 192.168.2.1, AS:300, Skt:2, State:OPENSENT BGP: Event:RX_OPEN, Nbr: 192.168.2.1, AS:300, Skt:2, State:OPENCONFIRM BGP: Event:RX_KEEP, Nbr: 192.168.2.1, AS:300, Skt:2, State:ESTABLISHED...
Page 330 BGP Debug Commands Display Parameters Rx Update Tx Update w/ attr Origin AS_SEQ Path Next Hop Rx NLRI Prefix Tx NLRI show ip traffic This command display BGP statistics among other IP data. Syntax show ip traffic Mode EXEC configuration: Example The following sample outputdisplays only BGP‐specific data: XSR#show ip traffic BGP Statistics: Rcvd: 184 total 3 opens, 0 notifications, 4 updates 177 keepalives, 0 route-refresh Sent: 186 total...
Page 331: Chapter 7: Configuring Ip Multicast
Observing Syntax and Conventions The CLI command syntax and conventions use the notation described below. Convention [x | y | z] {x | y | z} [x {y | z} ] (config-if<xx>) Next Mode entries display the CLI prompt after a command is entered. Sub-commands soho.enterasys.com IGMP and Generic Multicast Commands The following command sets define IP Multicast functionality on the XSR, including: •...
Page 332: Ip Igmp Version
Observing Syntax and Conventions Syntax The no form of the command disables the multicast service: no ip multicast-routing Mode Global configuration: Default Disabled Example In the following example, multicast service is enabled on the XSR: XSR(config)#ip multicast-routing ip igmp version This command manually sets the IGMP version on a local interface. Syntax ip igmp version version_number version_number Syntax of the “no” Form The no form of this command sets the default value. no ip igmp version Mode Interface configuration: Default IGMP Version 2 Example The following example sets the IGMP version number to 3:...
Page 333 ip igmp join This command manually joins a multicast group to a local interface. Syntax ip igmp join-group group-address group-address Syntax of the “no” Form The no form of this command cancels membership in a group: no ip igmp join-group group-address Mode Interface configuration: Example The following example joins the XSR to multicast group 225.2.2.1: XSR(config-if<F1>)#ip igmp join-group 225.2.2.1 ip igmp last-member-query-count This command configures the retransmit count at which the XSR sends IGMP group‐specific host query messages. Syntax ip igmp last-member-query-count count count Syntax of the “no”...
Page 334 Observing Syntax and Conventions ip igmp last-member-query-interval This command sets the frequency at which IGMP group‐specific host query messages are sent. Syntax ip igmp last-member-query-interval interval interval Syntax of the “no” Form The no form of this command sets this frequency to the default: no ip igmp last-member-query-interval Mode Interface configuration: Default 1000 milliseconds Example This example changes the IGMP group‐specific host query message interval to 2 seconds: XSR(config-if<F1>)#ip igmp last-member-query-interval 2000 ip igmp query-interval This command configures the frequency at which the XSR sends IGMP host query messages. Syntax ip igmp query-interval seconds seconds Syntax of the “no”...
Page 335 Example This example changes the frequency which IGMP host‐query messages are sent to 3 minutes: XSR(config-if<F1>)#ip igmp query-interval 180 ip igmp query-max-response-time This command configures the maximum response time advertised in IGMP queries. Syntax ip igmp query-max-response-time seconds seconds Syntax of the “no” Form The no form of this command sets this response time to the default: no ip igmp query-max-response-time Mode Interface configuration: Default 10 seconds Example The following example sets a maximum response time of 8 seconds: XSR(config-if<F1>)#ip igmp query-max-response-time 8 ip igmp querier-timeout This command sets the timeout period before the XSR takes over as the querier for the interface after the previous querier has stopped querying.
Page 336 XSR(config-if<F1>)#ip igmp querier-timeout 30 ip multicast ttl-threshold This command sets the Time‐To‐Live (TTL) threshold of packets being forwarded out an interface. Syntax ip multicast ttl-threshold ttl-value ttl-value Syntax of the “no” Form The no form of this command sets this threshold to the default value: no ip multicast ttl-threshold Mode Interface configuration: Default Zero ‐ all multicast packets are forwarded out the interface. Example The following example sets the TTL threshold on a border router to 20. Multicast packets must have a TTL greater than 20 in order to be forwarded out this interface: XSR(config-if<F1>)#ip multicast ttl-threshold 20 7-88 Configuring IP Multicast XSR(config-if<xx>)# Time‐to‐live value, ranging from 0 to 255 hops. XSR(config-if<xx>)#...
Page 337: Pim Commands
Syntax of the “no” Form The no form of this command disables PIM on an interface: no ip pim sparse-mod Mode Interface configuration: Default PIM‐SM is disabled on an interface Example The following example enables PIM sparse mode on F1: XSR(config-if<F1>)#ip pim sparse-mode ip pim bsr-border This command specifies an interface so BootStrap Router (BSR) messages are not sent or received through an interface. Syntax ip pim bsr-border Syntax of the “no” Form The no form of this command removes the BSR border setting: no ip pim bsr-border Mode Interface configuration: XSR(config-if<xx>)# XSR(config-if<xx>)#...
Page 338 PIM Commands Example The following example sets interface F1 as the PIM domain border: XSR(config-if<F1>)#ip pim bsr-border ip pim bsr-candidate This command enables the XSR to announce its candidacy as a BootStrap Router (BSR). Syntax ip pim bsr-candidate type number [hash-mask-length [priority]] type number hash-mask- length priority Syntax of the “no” Form The no form of this command removes this XSR as a BSR candidate: no ip pim bsr-candidate Mode Global configuration: Defaults • BSR candidate is not enabled with this router. •...
Page 339 This command sets the priority for which a router is elected as the Designated Router (DR). Syntax ip pim dr-priority priority-value priority-value Syntax of the “no” Form The no form of this command disables the DR functionality: no ip pim dr-priority Mode Interface configuration: Defaults • DR functionality is disabled on the interface • DR‐priority: 1 Example The following example sets the DR priority value of F1 to 20: XSR(config-if<F1>)#ip pim dr-priority 20 ip pim message-interval This command configures the frequency at which a Protocol Independent Multicast Sparse Mode (PIM‐SM) router sends periodic join and prune messages. Syntax ip pim message-interval seconds seconds Syntax of the “no”...
Page 340 PIM Commands Default 60 seconds Example The following example changes the PIM‐SM message interval to 120 seconds: XSR(config-if<F1>)#ip pim message-interval 120 ip pim query-interval This command sets the frequency of Protocol Independent Multicast (PIM) router query messages. Syntax ip pim query-interval seconds seconds Syntax of the “no” Form The no form of this command sets the interval to the default value: no ip pim query-interval Mode Interface configuration: Default 30 seconds Example This example resets the PIM router query message interval to 60 seconds: XSR(config-if<F1>)#ip pim query-interval 60 ip pim rp-address This command sets the static Rendezvous Point (RP) for the specific multicast group. ...
Page 341 Syntax of the “no” Form The no form of this command removes the static RP configuration: no ip pim rp-address rp-address Mode Global configuration: Example This example configures the RP used by the multicast groups within the range 225.1.1.0/24: XSR(config)#access-list 2 permit 225.1.1.0 0.0.0.255 XSR(config)#ip pim rp-address 192.168.2.5 ip pim rp-candidate This command sets the XSR to advertise itself as a PIM candidate Rendezvous Point (RP) to the BSR. Only one candidate RP can be configured per box. Syntax ip pim rp-candidate type number [group-list access-list][priority priority-value] type number access-list priority priority-value...
Page 342 The no command removes the static RP configuration: no ip pim RegCksum wholepacket Mode Global configuration: Default Checksum based on header only. Example The following example changes the calculation of the register packet to the industry standard: XSR(config)#ip pim RegCksum wholepacket ip pim spt-threshold This command configures the threshold over which a PIM leaf router should join the shortest path source tree for the specified group. Syntax ip pim spt-threshold {kbps|infinity} [group-list access-list] kbps infinity group-list access-list Syntax of the “no” Form The no form of this command restores the threshold to the default: no ip pim spt-threshold Mode Global configuration: ...
Page 343: Igmp Clear And Show Commands
Default The threshold is 0 Example The following example sets the source tree switching threshold to 4 kbps: XSR(config)#ip pim spt-threshold 4 IGMP Clear and Show Commands clear ip mroute This command deletes entries from the multicast table. Syntax clear ip mroute [group-address][source-address] group-address source-address Mode EXEC configuration: show ip igmp groups This command displays the multicast groups with receivers that are directly connected to the XSR and were learned through the Internet Group Management Protocol (IGMP). Syntax show ip igmp groups [group-address | type number | summary] group-address type number...
Page 344: Show Ip Igmp Interface
IGMP Clear and Show Commands State: Mode: Current version: Group IP: Reporter IP: V1MEM exist timer: V2MEM exist timer: Member expire timer: Source IP: Parameters in the Response Group IP Interface name State Mode Reporter IP V1MEM exist timer V2MEM exist timer Member expire timer Source IP Forward state Timer show ip igmp interface This command displays multicast‐related information about an interface.
Page 345 IGMP state: Multicast ttl threshold: 0 Current query Interval: Last Member Interval: Querier timeout: Max Response Timeout: Current robust value: Querier IP: Query sending timer: Group configured: -------------------------------------------------------- Interface name: Interface state: IGMP version: Protocol owner: IGMP state: Multicast ttl threshold: 0 Current query Interval: Last Member Interval: Querier timeout:...
Page 346: Show Ip Mroute
IGMP Clear and Show Commands show ip mroute This command displays entries in the IP multicast routing table. Syntax show ip mroute [][source-address][summary] group-address source-address summary Mode EXEC configuration: Example The following example displays sample responses: XSR>show ip mroute IP Multicast Routing Table Flags: D - Dense, S - Sparse, C - Connected, P - Pruned F - Register flag, T - SPT-bit set Timers: Uptime/Expires Interface state: Interface, Next-Hop, State/Mode...
Page 347 Parameters in the Response Flags (198.92.37.100/32, 224.0.255.1) uptime flags Incoming interface RPF neighbor Outgoing interface list FastEthernet1 Forward/Sparse time/time (uptime/ expiration time) show ip pim bsr This command displays Bootstrap Router (BSR) version 2 information. Syntax show ip pim bsr Mode EXEC configuration: Provides information about following entries: • D ‐ Dense:‐ Entry is operating in dense mode. • S ‐ Sparse: Entry is operating in sparse mode. • C ‐ Connected: A member of the multicast group is present on the directly connected interface. • P ‐ Pruned: Route has been pruned. • F ‐ Register flag: Indicates that the software is Registering for a ...
Page 348 Example The following example displays sample responses: XSR>#show ip pim bsr PIMv2 Bootstrap information This system is the Elected Bootstrap Router (BSR) BSR address: 192.168.27.1 Uptime: 04:37:46, BSR Priority: 4, Hash mask length: 30 Next bootstrap message in 00:00:03 seconds This system is the Candidate Bootstrap Router (CBSR) Candidate BSR Address: 50.0.0.30 Priority: 0, Hash Mask Length: 30...
Page 349 XSR>#show ip pim neighbor PIM Neighbor Table Neighbor Address Interface DR Priority 192.168.26.2 192.168.26.33 192.168.27.1 192.192.27.13 Parameters Descriptions Neighbor Address Interface DR Priority Uptime Expires Mode (DR) IP address of the next‐hop router. Interface type and number that is configured to run PIM. Number of PIM neighbors discovered through this interface. The interval between Hello messages. The default is 30 seconds. IP address of the designated router on the LAN. Interface type. Interface number. XSR> Uptime Ethernet0 15:38:16 Ethernet0 13:33:20 Ethernet1 15:33:20...
Page 350 IGMP Clear and Show Commands show ip pim rp This command displays the active rendezvous points (RPs) that are cached with associated multicast routing entries. Syntax show ip pim rp [group-address | mapping] group-address mapping Mode EXEC configuration: Example The following example display sample responses: XSR>show ip pim rp Group: 224.2.240.20, RP: 192.168.10.13 Group: 224.1.127.155, RP: 192.168.10.13 Group: 224.2.127.154, RP: 192.168.10.13 Group: 224.2.128.153, RP: 192.168.10.13 XSR>show ip pim rp mapping Group Address: 224.0.0.0 Mask: 240.0.0.0...
Page 351 Example The following example displays sample responses: XSR>show ip pim rp-hash 239.1.1.1 RP 192.168.27.12 Parameter Descriptions Address of the RP for the group specified (239.1.1.1). IGMP Clear and Show Commands XSR CLI Reference Guide 7-103...
Page 352 IGMP Clear and Show Commands 7-104 Configuring IP Multicast...
Page 353: Chapter 8: Configuring The Point-To-Point Protocol
Configuring the Point-to-Point Protocol Observing Syntax and Conventions The CLI Syntax and conventions use the notation described in the following table. Convention [x | y | z] {x | y | z} [x {y | z} ] (config-if<xx>) Next Mode entries display the CLI prompt after a command is entered. Sub-command soho.enterasys.com PPP Commands This chapter defines Point‐to‐Point Protocol (PPP) service profiles, specify and monitor serial ...
Page 354: Encapsulation Ppp
Mode Interface configuration: Example The following example enables PPP encapsulation on Serial interface 1/0: XSR(config)#interface serial 1/0 XSR(config-if<S1/0>)#encapsulation ppp interface This command selects a physical or virtual port for configuration as a router interface. The XSR supports ATM, BRI, Dialer, Fast/GigabitEthernet, Loopback, Multilink, Serial, or VPN interfaces. For configuration purposes, all serial ports and T1/E1/ISDN‐PRI channel groups are treated as a serial interface. Optionally, you can set up the Console port on the XSR 1800 series as a WAN interface for dial backup purposes (refer to the Caution below). Do so by entering Caution: Be aware that when you enable the Console port as a WAN port, you can no longer directly connect to it because it is in data communication mode. Your only access to the CLI will be to Telnet to an IP address of a configured port.
Page 355 Syntax interface type slot_num card_num port_num sub-interface_num type ATM, BRI, Dialer, Fast/GigabitEthernet, Loopback, Multilink, Serial or VPN port. slot_num The NIM number ranging from 0 to 6 depending on the XSR model. card_num The NIM card number ranging from 1 to 2 depending on the NIM installed in the slot. port_num The physical port number ranging from: 0 (ATM), 0 to 1 (BRI), 0 to 255 (Dialer & VPN), 0 to 15 (Loopback), 1 to 32767 (Multilink), 0 to 3 (Serial), 1 to 2 (FastEthernet), 1 to 3 (GigabitEthernet), and 0 (Console). If a Serial port resides on a T1/E1 port, then channel group data must be added at the end of the string to mark which channel group of the T1/E1 port will be set: card_num/NIM_num/ port_within_NIM: [channel‐group_num]. For example, 0/2/1:15 sets channel‐group 15 of the T1 or E1 port 1 in NIM slot 2 on the motherboard. sub- Number ranging from 1 to 30 (ATM, BRI & Serial), and 1 to 64 (Fast/ interface_num GigabitEthernet). Slots, cards, ports, and sub‐interfaces are expressed as follows on the CLI: <0-0>/<1-2>/<0-3> <1-2>/<0-3> <1-2>/<0-3>.<1-30> <1-2>/<0-3>:<0-31> <1-2>/<0-3>:<0-31> .<1-30> Note: Leading zeros defined in interface_num can be omitted. For example, 0/1/2 is equivalent to 1/2. Syntax of the “no”...
Page 356: Ppp Authentication
PPP Commands XSR(config)#interface serial 1/0 XSR(config-if<S1/0>)#encapsulation ppp XSR(config-if<S1/0>)#no shutdown The following example selects channel group 12 of the T1/E1 port1 on the second NIM card so that later configurations will apply to this serial port: XSR(config)#interface serial 2/1:12 XSR(config-if<s2/1:12)#encapsulation ppp XSR(config-if<S1/0>)#no shutdown ppp authentication This command specifies the type and order in which CHAP, MS‐CHAP or PAP protocols are requested on the interface. Once CHAP, PAP authentication or both have been enabled, the XSR requires the remote device to prove its identity before allowing data traffic to flow. PAP authentication requires the remote device to send a name and password to be checked against a matching entry in the local username database. CHAP authentication sends a challenge to the remote device. The remote device must encrypt the challenge value with a shared secret and return the encrypted value and its name to the XSR in a response message. The XSR uses the remote deviceʹs name to look up the appropriate secret in the local username database. It uses the looked‐up secret to encrypt the original challenge and verify that encrypted values match. MS‐CHAP is closely derived from the PPP CHAP with the exception that it uses MD4 as the hashing algorithm. You may enable PAP or CHAP, MS‐CHAP or all of them, in either order. If both methods are enabled, then the first method specified will be requested during link negotiation. If the peer suggests using the second method or simply refuses the first, then the second method is tried. Some remote devices support CHAP only and some PAP only. The order in which you specify the methods will be based on your concerns about the remote deviceʹs ability to correctly negotiate the appropriate method as well as your concern about data line security. PAP usernames and passwords are sent as clear‐text strings and can be intercepted and reused. CHAP has eliminated most of the known security holes. Enabling or disabling PPP authentication does not affect the XSRʹs willingness to authenticate ...
Page 357 ms-chap pap chap Preference of MS‐CHAP authentication, then PAP authentication, then CHAP. Syntax of the “no” Form The no form of this command disable PPP authentication: no ppp authentication Default Not enabled Mode Interface configuration: XSR(config-if<xx>)# Example 1 Figure 8‐1 shows two routers, Site A and Site B, attempting to authenticate each other using CHAP. The configuration example follows. Figure 8-1 Site A (Serial Interface 1/0) Challenge - ID 4 Response - ID 8 Success/Failure - ID 4 Figure 8‐1 shows both routers send challenges and responses and either a failure or success. The ...
Page 358 PPP Commands Example 2 Figure 8‐2 shows two routers, Site A and Site B, and only one peer configured to do authentication (using chap) with only Site B issuing the challenge. The configuration example follows. Response - ID 9 Refer to the following sample configuration for the preceding example. On Site A enter the following commands: XSR(config)#interface serial 1/0 XSR(config-if<S1/0>)#encapsulation ppp XSR(config-if<S1/0>)#ppp authentication chap On Site B enter the following commands: XSR(config)#interface serial 1/1 XSR(config-if<S1/1>)#encapsulation ppp XSR(config-if<S1/1)#no ppp authentication ppp chap This command specifies a unique hostname on an interface, refuses CHAP authentication requests from peers, or uses a default password during CHAP authentication when no other password is available. It can enable multiple routers to appear to have the same hostname when using CHAP authentication. This command can be used to set a default password during authentication challenges when the challengerʹs username cannot be found in the username list. It is also required when the challenger does not specify its name in the challenge packet and a default password must be sent. Be aware that this password is only used in response to challenges and is not used to authenticate the peer.
Page 359 Syntax of the “no” Form The no form of this command disables either function: no ppp chap {hostname | refuse | password} Mode Interface configuration: Examples The following example creates the alternate CHAP hostname freud and the default chap password sigmund: XSR(config)#interface dialer 1 XSR(config-if<D1>)#encapsulation ppp XSR(config-if<D1>)#ppp chap hostname freud XSR(config-if<D1>)#ppp chap password sigmund The following example enables CHAP authentication refusal: XSR(config)#interface dialer 1 XSR(config-if<D1>)#encapsulation ppp XSR(config-if<D1>)#ppp chap refuse ppp keepalive This command sets the keepalive timer on a Point‐to‐Point port. PPP keepalives are sent out as ...
Page 360 PPP Commands Example The following example sets Serial interface 1/0 to have keepalive configured at 8‐second intervals: XSR(config)#interface serial 1/0 XSR(config-if<S1/0>)#encapsulation ppp XSR(config-if<S1/0>)#no shutdown XSR(config-if<S1/0>)#ppp keepalive 8 ppp lcp max-configure This command configures the restart timer counter for the peak number of Configure‐Requests sent out on a Point‐to‐Point interface. Using the Link Control Protocol (LCP), the command applies to any Serial, or Dialer port, or Fast/GigabitEthernet sub‐interface on which PPP encapsulation is set. This counter totals the peak number of configure requests sent without receiving a Configure‐Ack, Configure‐Nak or Configure‐Reject. Syntax ppp lcp max-configure number number Syntax of the “no” Form The no command resets the counter to the default value: no ppp lcp max-configure Default Mode Serial, Dialer or Fast/GigabitEthernet sub‐interface configuration: ...
Page 361 Syntax ppp lcp max-failure number number Syntax of the “no” Form The no command resets the counter to the default value: no ppp lcp max-failure Default Mode Serial, Dialer or Fast/GigabitEthernet Sub‐interface configuration: Examples The following example sets the lcp max‐failure value at 100 packets on Serial interface 2/1: XSR(config)#interface serial 2/1 XSR(config-if<S2/1>)#ppp lcp max-failure 100 The following example sets the lcp max‐failure value at 200 packets on FastEthernet sub‐interface 2/1.1: XSR(config)#interface fastethernet 2.1 XSR(config-if<F2/1:1>)#ppp lcp max-failure 200 ppp lcp max-terminate This command configures the restart timer counter for the number of Terminate‐Requests sent out ...
Page 362 PPP Commands Mode Serial, Dialer and Fast/GigabitEthernet Sub‐interface configuration: Example The following example sets the terminate‐request counter at 10 requests on Dialer interface 57: XSR(config)#interface dialer 57 XSR(config-if<D57>)#ppp lcp max-terminate 10 ppp max-bad-auth This command permits multiple authentication failures. It configures a Point‐to‐Point interface not to reset itself immediately after an authentication failure but to allow a specified number of authentication retries. This command applies to any serial interface on which PPP encapsulation is enabled. Syntax ppp max-bad-auth number number Syntax of the “no” Form Use the no form of this command to reset to the default (immediate reset): no ppp max-bad-auth Default Mode Interface configuration: Example The following example sets serial interface 1/0 to allow five additional retries after an initial authentication failure (for a total of six failed authentication attempts): XSR(config)#interface serial 1/0 XSR(config-if<S1/0>)#encapsulation ppp XSR(config-if<S1/0>)#no shutdown XSR(config-if<S1/0>)#ppp authentication chap...
Page 363 Syntax ppp pap sent-username [username] password [password] username password Syntax of the “no” Form Use the no form of this command to delete the username and password: no pap sent-username Default No username or password Mode Interface configuration: Example This example configuration of a the PAP authentication username of jim and a clear text PAP password of evans on serial interface 2/1: XSR(config)#interface serial 2/1 XSR(config-if<S2/1>)#encapsulation ppp XSR(config-if<S1/1>)#no shutdown XSR(config-if<S2/1>)#ppp pap sent-username jim pass evans ppp peer default ip address This command specifies the default IP address of a remote peer for use during PPP/IPCP ...
Page 364 PPP Commands Syntax ppp peer default ip address {ip address} ip address Syntax of the “no” Form Use the no form of this command to remove the IP address: no ppp peer default ip address Mode Interface configuration: Examples This example sets the peer’s IP address on Serial interface 1/0: XSR(config)#interface serial 1/0 XSR(config-if<S1/0>)#encapsulation ppp XSR(config-if<S1/0>)#ppp peer default ip address 192.168.1.3 This example sets the peer’s IP address on P2P Dialer interface 1: XSR(config)#interface dialer 1 XSR(config-if<D1>)#encapsulation ppp XSR(config-if<D1>)#ppp peer default ip address 10.10.10.1...
Page 365 Syntax of the “no” Form Use the no form of this command to disable LQM: no ppp quality Default Disabled Mode Interface configuration: Example The following example enables LQM on Serial interface 2/0: XSR(config)#interface serial 2/0 XSR(config-if<S2/0>)#encapsulation ppp XSR(config-if<S2/0>)#no shutdown XSR(config-if<S2/0>)#ppp quality 75 ppp timeout retry This command sets the restart timer for Configure‐Requests and Terminate‐Requests on a Point‐ to‐Point interface. The timer is the peak interval to wait for a response during PPP negotiation. This command applies to any serial port on which PPP encapsulation is enabled. Syntax ppp timeout retry seconds seconds Syntax of the “no” Form The no command resets the timer to the default value: no ppp timeout retry Default...
Page 366 Syntax of the “no” Form The no form of this command deletes the user: no username name Default No password is predefined Mode Global configuration: 8-96 Configuring the Point-to-Point Protocol “Network Management” on page 1 User ID. The password will not be encrypted. The password will be encrypted. or . 0 means the input password is expected to be unencrypted; 5 means the input password is already encrypted so it will not be encrypted again. For CHAP authentication: specifies the secret password for the local router or the remote system. The secret is encrypted when stored on the local router. The password can be up to 255 ASCII characters. Enclose the password in double quotes if entering a string with spaces. There is no limit to the number of username‐password combinations that can be specified, allowing any number of remote systems to be authenticated. XSR(config}# for more details.
Page 367: Ppp Debug, Clear And Show Commands
Example The following example enables CHAP on serial interface 1/0 and defines a password for local server Bob and remote server John: XSR(config)#hostname Bob XSR(config)#interface serial 1/0 XSR(config-if<S1/0>)#encapsulation ppp XSR(config-if<S1/0>)#ppp authentication chap XSR(config)#username John password remote_dev PPP Debug, Clear and Show Commands debug ppp packet This command enables PPP debugging for an interface from outside the actual interface. It performs the same PPP debugging as the mode. Note: All XSR debug commands are set to privilege level 15 by default. Syntax debug ppp packet [interface type/number] limit [x][type1][type2]…...
Page 368 PPP Debug, Clear and Show Commands XSR#debug ppp packet serial 2/0:0 limit 10 lcp bacp bap Sample Output The following debugging output displays all PPP control packets: May 21, 2003: 13:00:00 Rx 20 bytes LCP CONFIG_REQ: MRU: 1500 Magic Number: 12345678 (0xBC614E) May 21, 2003: 13:00:00 Tx 12 bytes IPCP CONFIG_ACK: IP Address: 10.10.10.10 If the length field in the packet in the content does not match the total packet length, it will be displayed as a warning:...
Page 369 Syntax of the “no” Form The no form of this command removes PPP debugging on the interface: no ppp debug packet Default Limit: 100 packets Mode Interface configuration: Example This example sets PPP debugging of IPCP and LQM packets with a 50‐packet limit on Serial 1/0: XSR(config)#interface serial 1/0 XSR(config-if<S1/0>)#encapsulation ppp XSR(config-if<S1/0>)#ppp debug packet limit 50 ipcp lqm Sample Output The following debugging output is displayed on Multilink interface 57: XSR#show interface multilink 57 ********** Multilink Interface Stats ********** Multilink 57 is Admin Up Internet address is 192.168.34.1, subnet mask is 255.255.255.0 IPCP...
Page 370: Show Ppp
PPP Debug, Clear and Show Commands XSR#show ppp interface ********** PPP Stats ********** Serial 1/0:0: PPP is Admin Up / Oper Up / Link Speed: 64000 Current State: IPCP Current State: Multilink Current State: LCP STATS Total Rcv Pck: Total Rcv Control Pck: Total Rcv Data Pck: Total Rcv Pck Discarded: Total Tx Pck:...
Page 371 Mode EXEC or Global configuration: Sample Output The following output is displayed for Serial and Multilink interfaces: XSR#show ppp Serial 1/0 PPP State: LCP State: OPENED Multilink 8 MLPPP State: LCP State: OPENED The following output is displayed for configured Dialer interfaces: XSR#show ppp Dialer0 LCP Current State: INITIAL IPCP Current State: INITIAL Dialer1 MLPPP State: LCP State: opened Multilink State: opened Dialer2 MLPPP State: LCP State: opened Multilink State: opened Dialer3 MLPPP State:...
Page 372 PPP Debug, Clear and Show Commands Mode EXEC or Global configuration: Sample Output The following output is produced by this command: Serial 1/0 is Admin Up / Oper Up Internet address is 25.25.25.3, subnet mask is 255.255.255.0 State: OPENED IPCP State: OPENED Multilink State: OPENED show ppp interface This command displays all configured PPP instances, the interface they belong to and their status. To issue this command correctly, follow the guidelines below: •...
Page 373 Mode EXEC or Global configuration: Sample Output The following output displays with a PPP connection established (PPP quality has not been enabled on the interface so the LINK QUALITY statistic is not monitoring): XSR>show ppp interface serial 1/0 ********** MLPPP Stats ********** Multilink 8: MLPPP is Admin Up / Oper Up Group Num: 8 State: OPENED IPCP State: OPENED Multilink State: OPENED Bundle Size: Max Load Threshold: Bundle Tx Load Avg: Bundle Rx Load Avg: Last Tx...
Page 374 PPP Debug, Clear and Show Commands Serial 1/0:0 Serial 1/0:3 Serial 1/0:7 Serial 1/0:13 Serial 1/0:10 Serial 1/0:1 Serial 1/0:25 Serial 1/0:11 Serial 1/0:24 Serial 1/0:12 Serial 1/0:5 Serial 1/0:16 Serial 1/0:14 Serial 1/0:29 The following displays output with PPP quality enabled and a PPP connection: XSR>show ppp serial 0/4/1 ********** PPP Stats ********** Interface Serial 0/4/1 Current State: IPCP...
Page 375 Quality: good LocalPeriod: 100000 OutLQRs:1000InLQRs: 1000 LCP Configuration: LCP CONFIGURATION InitialMRU: MagicNumber: FcsSize: LQR CONFIGURATION Period: Status: Output Parameters Summary For PPP link status and statistics, refer to the following section. For LQR status and statistics, go to page 106. For LQR parameters, go to page 107. LCP Statistics This section displays PPP‐link specific management information. Rx Control Pck Discarded Range 32‐bit counter Description Sum of received packets discarded because length is too short (less than 4). Rx Control Pck Error Range 32‐bit counter Description Sum of received packets n detected with an error in the control field.
Page 376 PPP Debug, Clear and Show Commands RemoteToLocalProtocolCompression Range Description LocalMRU Range Description RemoteMRU Range Description ReceiveFcsSize Range Description TransmitFcsSize Range Description LQR Status and Statistics This section displays LQR parameters displayed for the local PPP entity. Values are displayed only if LQR Quality Monitoring has been successfully negotiated on the link. Quality Range Description LocalPeriod Range 8-106 Configuring the Point-to-Point Protocol INTEGER {enabled (1), disabled (2)} Indicates whether the remote PPP entity will use Protocol Compression when sending packets to the local PPP entity. The value is meaningful only when the link has reached the open state.
Page 377 Description The LQR reporting period, in hundredths of a second, that is in effect for the local PPP entity. OutLQRs Range 32‐bit counter Description Value of the OutLQRs counter on the local node for the link. OutLQRs increases by one for each transmitted Link ‐Quality ‐Report packet. LCP Configuration This section describes LCP configuration data displayed for a PPP Link. InitialMRU Range Integer ‐ 0 to 2147483647 Description Initial Maximum Receive Unit (MRU) that the local PPP entity will advertise to the remote entity. If the value of this variable is 0 then the local PPP entity will not advertise any MRU to the remote entity and the default MRU will be assumed. Changing this object will take effect when the link is next restarted. Default 1500 MagicNumber Range Integer ‐ False or True Description If true (2), the local node will try to perform Magic Number negotiation with the remote node. If false (1), negotiation is not tried. The local node will comply with any magic number negotiations tried by the remote node, per the PPP RFC. Changing this object will take effect when the link is next restarted. Defaults False FcsSize Range Integer ‐ 0 to 128 Description Size of the FCS, in bits, the local node will try to negotiate for use with the remote node. Regardless of this value’s object, the local node will comply with any FCS size negotiations started by the remote node, according to the PPP RFC. Changing this object will take effect when the link is next restarted. Default LQR Configuration This section describes LQR configuration data displayed for a PPP link.
Page 378: Multilink Ppp Commands
Multilink PPP Commands Status Range Description Default Multilink PPP Commands interface multilink This command names the multilink group and creates a logic interface for this multilink group. Only the PPP multilink group is supported currently. Syntax interface multilink number [1-32767] 1-32767 Syntax of the “no” Form The no form of this command deletes the multilink group: no interface multilink number [1-32767] Default No multilink group Mode Global configuration: Next Mode Multilink Interface configuration: Example The following example enables multilink on group 2 with serial interface 1/1 configured as the physical interface: XSR(config)#interface multilink 2 XSR(config-if<M2>)ppp multilink endpoint ip 192.168.10.214...
Page 379 XSR(config-if<S1/1>)#multilink-group 2 XSR(config-if<S1/1>)#encapsulation ppp XSR(config-if<S1/1>)#ppp multilink XSR(config-if<S1/1>)#no shutdown multilink max-links This command sets the maximum number of links allowed in this bundle. If multilink BAP is configured and the number of active links exceed the maximum number of links, BAP will try to negotiate the links down. Syntax multilink max-links number (1-255) 1-255 Default Mode Dialer Interface configuration: Example This example sets the minimum multilink limit to 6 on Dialer port 4: XSR(config)#interface dialer 4 XSR(config-<D4>)#multilink min-links 6 multilink min-links This command triggers the dialer to maintain the minimum number of links in a bundled multilink over a switched line and should be configured on the called side of a connection. It is the first means by which the XSR effects Bandwidth‐on‐Demand (BoD). The multilink load-threshold traffic via BoD. A third means to effect BoD is by use of the Bandwidth Allocation Protocol (BAP) which is activated by several link, and can request a phone number from a central repository with the ...
Page 380 Multilink PPP Commands Default Mode Dialer Interface configuration: Examples The following example sets the minimum multilink limit to 6 on the terminating dialer interface: XSR(config)#interface dialer 4 XSR(config-if<D4>)#multilink min-links 6 ppp bap call This command sets Bandwidth Allocation Protocol (BAP) call values on a dialer interface to set up Bandwidth‐on‐Demand (BoD). It permits the port to accept links from and initiate links to a peer. The multilink load-threshold via BoD. It is also provided by setting the Note: The multilink load-threshold command must be set to operate BAP. Syntax ppp bap call {accept | request} accept Accepts links from a peer. This default lets peers can add links to the ML bundle.
Page 381 XSR(config-if<D1>)#ppp bap callback request ppp bap number This command specifies the Bandwidth Allocation Protocol (BAP) phone number which a peer can dial to connect and set up Bandwidth‐on‐Demand (BoD). It applies to dialer interfaces only. The multilink load-threshold via BoD. It is also provided by setting the Note: The multilink load-threshold command must be set to operate BAP. command is a second means by which the XSR controls traffic multilink min-links Local router initiates a link addition upon peer notification. Local router requests a peer to initiate a link. XSR(config-if<Dx>)# command is a second means by which the XSR controls traffic multilink min-links Multilink PPP Commands command. command. XSR CLI Reference Guide 8-111...
Page 382 Multilink PPP Commands Syntax ppp bap number {default phone-number} default phone-number Syntax of the “no” Form The no command removes a BAP phone number: no ppp bap number {default phone-number} Mode Dialer Interface configuration: Example The following example specifies the BAP default phone number: XSR(config)#interface dialer 1 XSR(config-if<D1>)#ppp bap number ppp bap timeout This command configures Bandwidth Allocation Protocol (BAP) action timeouts to set up Bandwidth‐on‐Demand (BoD). The multilink load-threshold via BoD. It is also provided by setting the ...
Page 383: Ppp Multilink
Example The following example resets the BAP pending timeout on Dialer port 1: XSR(config)#interface dialer 1 XSR(config-if<D1>)#ppp bap timeout pending 60 ppp multilink This command enables Multilink PPP on an XSR interface. Multilink PPP operates over single or multiple interfaces that are configured to support both Dial‐on‐Demand rotary groups and PPP encapsulation. It applies to asynchronous serial interfaces, and ISDN leased‐line Basic Rate Interfaces (BRIs), and ISDN Primary Rate Interfaces (PRIs). This command is associated with the following multilink sub‐commands: endpoint – to page 8‐114 for command details. fragment-delay – command details. – fragment disable page 8‐117 for command details. – group page 8‐118 for command details. load-threshold – multilink bundle. See page 8‐119 for details. multi-class – page 8‐120 for command details. Multilink PPP BAP is designed to manage bandwidth of a multilink bundle. BAP works in conjunction with the (BoD) when bandwidth must be added or removed on the XSR. BAP negotiates with the peer to add or drop a link, and can request a phone number from a central site repository using the ...
Page 384: Ppp Multilink Endpoint
Multilink PPP Commands Default Disabled Mode Dialer or Serial Interface configuration: Examples The following example configures a dialer for Multilink PPP. It does not show the configuration of the physical interfaces. XSR(config)#interface dialer 0 XSR(config-if<D0>)#ip address 101.0.0.2 255.0.0.0 XSR(config-if<D0>)#encapsulation ppp XSR(config-if<D0>)#dialer idle-timeout 500 XSR(config-if<D0>)#dialer map ip 101.0.0.1 name ny broadcast 41612345678922 XSR(config-if<D0>)#dialer load-threshold 30 either XSR(config-if<D0>)#ppp authentication chap XSR(config-if<D0>)#ppp multilink The following example configures Multilink PPP leased‐line service on BRI interface 2/1. Specifying the leased‐line speed of 56 kbps adds two B‐channels to the BRI port, one of which is ...
Page 385 interface string phone Mode Dialer, Multilink, BRI Interface, and Controller configuration: XSR(config-controller<T/Exx>) Default Hostname Example The following example sets the PPP multilink endpoint value over virtual multilink interface 57: XSR(config)#interface multilink 57 XSR(config-if<M57>)#ppp multilink endpoint null XSR(config-if<M57>)#ppp multilink endpoint hostname XSR(config-if<M57>)#ppp multilink endpoint ip address 1.1.1.1 XSR(config-if<M57>)#ppp multilink endpoint string aaaaaaa XSR(config-if<M57>)#ppp multilink endpoint phone 1234567890 ppp multilink fragment-delay This command sets the maximum fragment delay interval in milliseconds. The value is used to ...
Page 386 Multilink PPP Commands entered, no maximum fragment size will be set and the fragment size will only be decided with the load balance. Table 8-1 Maximum Fragment Size (bytes)/Fragment Delay (ms) Link Speed 56 kbps 64 kbps 128 kbps 256 kbps 512 kbps 768 kbps 1536 kbps 2024 kbps Syntax ppp multilink fragment-delay value value Syntax of the “no” Form The no form of this command deletes the fragment‐delay setting: no ppp multilink fragment-delay Mode...
Page 387 ppp multilink fragment disable This command disables fragmentation over a bundle PPP connection, supporting Multilink and Dialer interfaces. Syntax ppp multilink fragment disable Syntax of the “no” Form The no form of this command enables fragmentation (default mode): no ppp multilink fragment disable Mode Interface configuration: Default Enabled Examples The following example disables fragmentation over Multilink interface 1: XSR(config-if<M1>)#ppp multilink fragment disable Display Examples The following examples display fragmentation settings by the command: XSR#show interface multilink 1 ********** Multilink Interface Stats ********** Multilink 1 is Admin Up Internet address is 30.30.30.2, subnet mask is 255.255.255.0...
Page 388 Multilink PPP Commands Group Num: 1 IPCP Multilink Multi-Class State: OPENED Multilink header format is LONG SEQ NUM Class suspendable level is 5 tx classes and 5 rcv classes Fragmentation is disabled Bundle Size: Class Level Tx: Max Load Threshold: Bundle Tx Load Avg: Bundle Rx Load Avg: No Of Pck...
Page 389 Syntax of the “no” Form The no form of this command removes the PPP multilink group: no multilink-group Default Disabled with no specific multilink group assigned Mode Interface configuration: Examples The following example assigns PPP link Serial interface 1/1 to the PPP multilink group 20: XSR(config-if<S1/1>)#multilink group 20 The next example also assigns PPP link Serial interface 1/1 to the PPP multilink group 20: XSR(config-if<S1/1>)#ppp multilink group 20 multilink load-threshold This command sets the multilink load threshold which triggers the dialer to add or delete a link from the multilink bundle. It should be configured on the called side of a connection only. This command effects Bandwidth‐on‐Demand (BoD) on the XSR. In determining whether to trigger the dialer, the XSR monitors only the bundle load. The load threshold provides the dialer with a trigger to add or delete the multilink member link from the member link bundle. The load is sampled every second and averaged over an 8‐second period. Triggering is delayed for 10 seconds when the load surpasses or falls below the threshold. Triggering is generated when: • Either the inbound or outbound traffic surpasses the threshold; or • Both inbound and outbound traffic fall below the threshold. No triggering is generated when: • The number of member links is already equal to the max‐links value set on the bundle when the load surpasses the threshold; and •...
Page 390 Multilink PPP Commands Syntax multilink load-threshold number (1-255) 1-255 Default Mode Dialer Interface configuration: Example The following example sets the multilink PPP load threshold to 250 on the terminating Dialer interface: XSR(config)#interface dialer 4 XSR(config-<D4>)#multilink load-threshold 250 ppp multilink multi-class This command enables Multi‐Class MLPPP (Multilink PPP) for the Multilink PPP header format providing Quality of Service (QoS) for selected packets between peers. It supports five streams of sequence numbers, the long sequence format by default, and the short sequence number by negotiation. Any class lower than the default requested by the peer will be accepted, and higher than the default will eventually trigger a reject message if the value is accepted by the peer. Syntax ppp multilink multi-class Syntax of the “no” Form The no form of this command disables multi‐class MLPPP: no ppp multilink multi-class Defaults •...
Page 391 Multilink PPP Commands Example The following example enables the multi‐class MLPPP option: XSR(config-if<D57>)#ppp multilink multi-class XSR CLI Reference Guide 8-121...
Page 392: Multilink Show Commands
Multilink Show Commands Multilink Show Commands show interface multilink This command displays multilink interface statistics including MLPPP status for both the bundle and the member link. Syntax show interface multilink [number] card/port number Mode XSR> EXEC: Sample Output Thefollowing is sample output for Multilink interface 8: XSR>show interface multilink 8 ********** Multilink Interface Stats ********** Multilink 8: MLPPP is Admin Up / Oper Up Group Num: 8 IPCP Multilink...
Page 393 PPP Multilink Status LCP State Range INITIAL/ STARTING/ CLOSED/ STOPPED/ CLOSING/ STOPPING/ REQSENT/ ACKRCVD/ ACKSENT/ OPENED Description LCP state. Refer to RFC‐1661 for details. IPCP State Range INITIAL/ STARTING/ CLOSED/ STOPPED/ CLOSING/ STOPPING/ REQSENT/ ACKRCVD/ ACKSENT/ OPENED Description IPCP state. Refer to RFC‐1332 for details. Multilink State Range OPENED/CLOSED Description MLPPP state, OPENED if negotiation with peer successful; CLOSED otherwise. Multi-Class State Range OPENED/CLOSED Description Multi‐Class state, OPENED if negotiation is successful with the peer; CLOSED otherwise. Bundle Size Range 1‐256 Description Number of member links under the bundle. Class Level Tx/Rx Range 1‐5 Description Multi‐Class level after negotiation. 1 for multi‐class disabled.
Page 394 Multilink Show Commands Max Fragment Size Range Description High Pri Member link is Serial 1/00 Range Description PPP Multilink Bundle Statistics Rx Stats Total Data Control Null Discard Pck Too Long Invalid Proto Wrong Proto Padding Error Invalid Cls# Error to CP No Lower Lyr No Upper Lyr Others Tx Stats Total Data Control Null ...
Page 395 show ppp interface multilink/dialer This command displays PPP status, statistics and configuration data for interfaces running PPP. Syntax show ppp interface [interface type/number][option type] interface type number option type none multi-class memberlink Mode EXEC: XSR> Sample Output The following example displays output without Multi‐Class configured: ********** MLPPP Bundle Stats ********** Multilink 8: MLPPP is Admin Up Open Up Group Num: 8 IPCP Multilink Multi-Class...
Page 396 Multilink Show Commands Invalid Proto: Wrong Proto: Padding Error: Invalid Cls#: Error to CP: No Lower Lyr: No Upper Lyr: Others: Tx Stats Total: Data: Control: Null: Discard: Pck Too Long: No Lower Lyr: EnQueue Full: Others: The following is is sample output with Multi‐Class configured: ********** MLPPP Bundle Stats ********** Multilink 8: MLPPP is Admin Up / Oper Up Group Num: 8 IPCP...
Page 397 Pck Too Long: Invalid Proto: Wrong Proto: Padding Error: Invalid Cls#: Error to CP: No Lower Lyr: No Upper Lyr: Others: Tx Stats Total: Data: Control: Null: Discard: Pck Too Long: No Lower Lyr: EnQueue Full: Others: show interface multilink Refer to the ...
Page 398 Multilink Show Commands Max Fragment delay is 10 ms Max Fragment Size is 256 bytes Class QoSCls# ExpctSeq# LastFwdSeq# LastM# maxFListSize FragListSize TxSeq# TxBufferSize Rx Load Average Tx Load Average Rx Stats: Total Discard SeqError FListFull Seq<Exp NoBgnFlg AddFgFail CleanQ Tx Stats: Total Discard...
Page 399 Description Equivalent QoS class, • -1: fair class. • 0: low priority class. • 1: normal priority class. • 2: medium priority class. • 3: high priority class. ExpctSeq# Range ‐1 ‐ 16777215 Description Next expected sequence number of receiving fragment for this class. LastFwdSeq# Range ‐1 ‐ 16777215 Description Last forwarded sequence number of the fragment of this class to the upper layer. LastM# Range ‐1 ‐ 16777215 Description Last M (the smallest received sequence number) of all the member links in ...
Page 400 Multilink Show Commands Rx Stats Total Discard Seq Error FlistFull Seq<Exp NoBgnFlg AddFgFail CleanQ Tx Stats Total Discard CleanQ Qfull show ppp interface multilink/dialer memberlink This command displays general member link statistics under MLPPP or specific member link statistics if specified. Syntax show ppp interface multilink <1-32767> memberlink [type number] show ppp interface dialer <1-256> memberlink [type number] Parameters type Interface type serial. If serial is specified, only this serial member link statistics ...
Page 401 IPCP Multilink Multi-Class Multilink header format is LONG SEQ NUM Class suspendable level is 5 tx classes and 5 rcv classes Serial 1/0:0 Tx: Total Rx: Total PPP Multilink Member Link Paremeter Descriptions The detail of transmit/receive statistics for the member link Serial 1/00 Total Sum of fragments transmitted over this member link. Discard Sum of transmitting fragments discarded over this member due to invalid length or no lower layer. Total Sum of fragments received over this member link.
Page 402 Multilink Show Commands ********** MLPPP Member Link MultiClassStats ********** Multilink 1: MLPPP is Admin Up / Oper Up Group Num: 1 IPCP Multilink Multi-Class Multilink header format is LONG SEQ NUM Class suspendable level is 5 tx classes and 5 rcv classes Class Serial 1/0:0 LastRxSeq#...
Page 403 Rx Stats Total Discard SeqError FlistFull Seq<Exp NoBgnFlg AddFgFail CleanQ Tx Stats Total Discard CleanQ Qfull show ppp interface dialer x mlpppgroup x bap This command displays BAP multilink bundle statistics of a specific bundle under the dialer interface. You can view individual multilink bundles when more than one exists on the dialer interface. Syntax show ppp interface dialer <number> mlpppgroup <number> bap number number Mode XSR> EXEC: Sample Output The following is sample output from the command: ********** MLPPP Bundle Stats **********...
Page 404 Multilink Show Commands BACP Multilink Multi-Class State: OPENED Multilink header format is LONG SEQ NUM Class suspendable level is 5 tx classes and 5 Max Fragment delay is 10 ms Bundle Size: Class Level Tx: Max Load Threshold: Bundle Tx Load Avg: Bundle Rx Load Avg: No Of Pck in Rx Buf Q: 0...
Page 405 Rcv Call-ReqAck: Rcv CallBack-Req: Rcv CallBack-ReqAck: Rcv LinkDrop-Req: Rcv LinkDrop-ReqAck: Tx Call-Req: Tx Call-ReqAck: Tx CallBack-Req: Tx CallBack-ReqAck: Tx LinkDrop-Req: Tx LinkDrop-ReqAck: Discriminators Local Serial 3/2/0:26 Serial 3/2/0:30 Serial 3/2/0:29 Serial 3/2/0:28 Serial 3/2/0:27 Serial 3/2/0:25 Serial 3/2/0:24 Serial 3/2/0:23 Serial 3/2/0:22 Serial 3/2/0:21 Serial 3/2/0:20...
Page 406 Multilink Show Commands 8-136 Configuring the Point-to-Point Protocol...
Page 407: Chapter 9: Configuring Frame Relay
Observing Syntax and Conventions CLI command syntax and conventions use the notation described below. Convention [x | y | z] {x | y | z} [x {y | z} ] (config-if<xx>) Next Mode entries display the CLI prompt after a command is entered. soho.enterasys.com Frame Relay Commands This chapter describes the configurable features of the Frame Relay interface for the XSR in the following command subsets: •...
Page 408 Frame Relay Commands Syntax encapsulation frame-relay Syntax of the “no” Form Disable Frame Relay encapsulation on the interface with the no form: no encapsulation frame-relay Mode Interface configuration: Example This example sets Frame Relay encapsulation on interface serial 1/0: XSR(config)#interface serial 1/0 XSR(config-if<S1/0>)#encapsulation frame-relay XSR(config-if<S1/0>)#no shutdown frame-relay class This command associates a map class to an interface or sub‐interface. It can be applied to both Frame Relay interfaces and sub‐interfaces. Note: Frame Relay traffic shaping must be enabled on the interface for this command to be effective.
Page 409 Syntax of the “no” Form The no form removes the association of the map class to the interface or sub‐interface: no frame-relay class name Mode Interface configuration: Example The following commands set Frame Relay map classes fastlink and normlink with an outbound CIR value of 56 kbps and 25.6 kbps, respectively: XSR(config)#map-class frame-relay fastlink XSR(config-map-class<fastlink>)#frame-relay cir out 56000 XSR(config)#map-class frame-relay normlink XSR(config-map-class<normlink>)#frame-relay cir out 25600 The following commands direct serial link 1/0 to use QoS values from the normlink map class unless explicitly overridden. XSR(config)#interface serial 1/0 XSR(config-if<S1/0>)#encapsulation frame-relay XSR(config-map-class<fastlink>)#frame-relay traffic-shaping XSR(config-if<S1/0>)#no shutdown XSR(config-if<S1/0>)#frame-relay class normlink The following commands configure sub‐interface serial 1/0.2 to use a different map class (fastlink) ...
Page 410 Frame Relay Commands Once chosen as static, no inverse ARP will be sent out by default. A free inverse ARP request (similar to above) can be requested by this command. Once chosen as static, this DLCI can be made to respond to a broadcast bootp message entering on this DLCI from the frame‐relay network. Non‐broadcast bootp will still be sent to the local DHCP server or relayed to the IP helper address server.. Notes: The remote site must support sending inverse-arp responses or the interface will come down. An inverse arp is sent from the XSR at a rate of 1 every 4 seconds. It is not configurable. Syntax frame-relay interface-dlci nn [[keep-alive nn [gratuitous-inverse-arp]] | [gratuitous-inverse-arp [keep-alive nn]] | [ip A.B.C.D [[bootp [[gratuitous-...
Page 411 Next Mode Frame Relay DLCI configuration: Examples The following example maps DLCIs 16 and 18 on serial sub‐interface 1/0.1 to the specified IP addresses, supporting bootp and sending a free inverse ARP. Also, DLCI 17 is configured on sub‐ interface 1/0.2, a free inverse ARP is sent, and emote keep‐alive is supported in P2P mode. XSR(config)#interface serial 1/0.1 multi-point XSR(config-subif)#ip helper 10.10.1.2 XSR(config-subif)#ip address 133.133.1.1 255.255.255.0 XSR(config-subif)#frame-relay interface-dlci 16 ip 133.133.1.2 gratuitous- inverse-arp bootp XSR(config-fr-dlci)#frame-relay interface-dlci 18 ip 133.133.1.3 bootp XSR(config-fr-dlci)#no shutdown XSR(config-fr-dlci)#interface serial 1/0.2 point-to-point XSR(config-subif)#ip helper 10.10.1.2 XSR(config-subif)#ip address 133.134.1.1 255.255.255.0 XSR(config-subif)#frame-relay interface-dlci 17 gratuitous-inverse-arp keep-alive XSR(config-fr-dlci)#no shutdown...
Page 412 Frame Relay Commands XSR(config)#interface serial 1/0 XSR(config-if<S1/0>)#no shutdown XSR(config-if<S1/0>)#encapsulation frame-relay XSR(config-if<S1/0>)#frame-relay intf-type dte XSR(config-if<S1/0>)#frame-relay lmi-type ansi The following example configures Serial interface 1/0 to act as a Frame Relay DCE, and to use the ANSI Annex‐D LMI: XSR(config)#interface serial 1/0 XSR(config-if<S1/0>)#no shutdown XSR(config-if<S1/0>)#encapsulation frame-relay XSR(config-if<S1/0>)#frame-relay intf-type dce XSR(config-if<S1/0>)#frame-relay lmi-type ansi frame-relay lmi-t391dte This command sets the interval between LMI Link Integrity Verification (LIV) message transmissions on the Data Terminal Equipment (DTE) interface. Note: On third-party devices, the LMI LIV period may be configured using the KeepAlive configuration on the interface.
Page 413 frame-relay lmi-n391dte This command sets the full status‐polling interval when the Digital Terminal Equipment (DTE) interface is configured to set the full status message‐polling interval. Syntax frame-relay lmi-n391dte num_ka-exchanges num_ka-exchanges Syntax of the “no” Form The no form of this command restores the default interval value: no frame-relay lmi-n391dte Default Mode Interface configuration: Example This example establishes that a status inquiry will be sent every five seconds and that one of every ten status inquiries generated will request a full status response from the Frame Relay switch. The other nine status inquiries will request keep‐alive exchanges only: XSR(config)#interface serial 1/0 XSR(config-if<S1/0>)#encapsulation frame-relay XSR(config-if<S1/0>)#frame-relay intf-type dte XSR(config-if<S1/0>)#frame-relay lmi-n391dte 10 XSR(config-if<S1/0>)#frame-relay lmi-t391dte 5 XSR(config-if<S1/0>)#no shutdown frame-relay lmi-n392dce This command sets the error threshold on a Data Communications Equipment (DCE) interface.
Page 414 Frame Relay Commands Default Mode Interface configuration: Example This example sets the LMI failure threshold to 5 for the DCE device: XSR(config)#interface serial 1/0 XSR(config-if<S1/0>)#encapsulation frame-relay XSR(config-if<S1/0>)#frame-relay intf-type dce XSR(config-if<S1/0>)#frame-relay lmi-n392dce 5 frame-relay lmi-n392dte This command sets the error threshold on a Data Terminal Equipment (DTE) interface. Syntax frame-relay lmi-n392dte threshold threshold Syntax of the “no” Form Use the no command to remove the current setting: no frame-relay lmi-n392dte Default Mode Interface configuration: Example The following example sets the LMI failure threshold to 5 for the DTE device: XSR(config)#interface serial 1/0 XSR(config-if<S1/0>)#encapsulation frame-relay...
Page 415 frame-relay lmi-t392dce This command sets polling verification timer on a Data Communications Equipment (DCE) interface. The timer marks the duration that the DCE expects to receive a Status Enquiry from a DTE device. Syntax frame-relay lmi-t392dce period_in_sec events Syntax of the “no” Form The no form of this command restores the default interval: no frame-relay lmi-t392dce Default 15 seconds Example The following example sets the DCE to wait 20 seconds for a status enquiry from the DTE before declaring an error event: XSR(config)#interface serial 1/0 XSR(config-if<S1/0>)#encapsulation frame-relay XSR(config-if<S1/0>)#frame-relay intf-type dce XSR(config-if<S1/0>)#frame-relay lmi-t392dce 20 frame-relay lmi-n392dce This command sets the error threshold on a Data Communications Equipment (DCE) interface. Syntax frame-relay lmi-n392dce threshold threshold Syntax of the “no”...
Page 416 Frame Relay Commands Mode Interface configuration: Example This example sets the LMI failure threshold to 5 for the DCE device: XSR(config)#interface serial 1/0 XSR(config-if<S1/0>)#encapsulation frame-relay XSR(config-if<S1/0>)#frame-relay intf-type dce XSR(config-if<S1/0>)#frame-relay lmi-n392dce 5 frame-relay lmi-n393dce This command sets the monitored event count on a Data Communications Equipment (DCE) interface. Syntax frame-relay lmi-n393dce events events Syntax of the “no” Form The no form of this command removes the current setting: no frame-relay lmi-n393dce Default Mode Interface configuration: Example This example sets the LMI monitored events count to 10 on serial port 1/0: XSR(config)#interface serial 1/0 XSR(config-if<S1/0>)#encapsulation frame-relay...
Page 417 frame-relay lmi-type This command configures the Local Management Interface (LMI) type on a per‐interface basis. Syntax frame-relay lmi-type {ilmi | ansi | q933a | auto | none} ilmi Interim LMI (FRF 1.1). ansi Annex D defined by American National Standards Institute (ANSI) standard T1.617. q933a ITU‐T Q.933 Annex A. auto The port will attempt to detect and match the LMI type used by the attached Frame Relay switch. none No LMI used. This is meant to test or connect XSRs directly. Syntax of the “no” Form Use the no command to return to the default LMI type: no frame-relay lmi-type {ilmi | ansi | q933a | auto | none} Default auto Mode...
Page 418 This example enables both traffic shaping and per‐virtual circuit queuing: XSR(config)#interface serial 1/0 XSR(config-if<S1/0>)#encapsulation frame-relay XSR(config-if<S1/0>)#frame-relay traffic-shaping XSR(config-if<S1/0>)#no shutdown interface This command selects a physical port for configuration as a router interface. The XSR supports FastEthernet or GigabitEthernet, serial, and T1/E1/ISDN‐PRI physical ports. For configuration purposes, all serial ports and T1/E1/ISDN‐PRI channel groups are treated as a serial port. Optionally, you can set up the Console port as a WAN interface for dial backup purposes (refer to the Caution below). Caution: Be aware that when you enable the Console port as a WAN port, you can no longer directly connect to it because it is in data communication mode. Your only access to the CLI will be to Telnet to an IP address of a configured port.
Page 419: Frame Relay Map Class Commands
Note: Leading zeros defined in interface_num can be omitted. For example, 0/1/2 is equivalent to 1/ Syntax of the “no” Form The no command deletes the interface: no interface serial port_num interface_num Note: You cannot directly delete a Serial interface assigned to a T1/E1 channel group. You must instead delete a channel group to erase the Serial port.
Page 420 Frame Relay Map Class Commands Mode Virtual Circuit configuration: Example The first three commands in the following example set up Serial sub‐interface 1/0.1 with associated DLCI 16. The last two commands define map class Hello. XSR(config)#interface serial 1/0.1 point-to-point XSR(config-if<S1/0>)#interface serial 1/0.1 point-to-point XSR(config-subif)#frame-relay interface-dlci 16 XSR(config-fr-dlci)#class Hello XSR(config)#map-class frame-relay Hello XSR(config-map-class<Hello>)#frame-relay cir out 128000 frame-relay adaptive-shaping This command enables and selects the mechanism to trigger adaptive shaping, the dynamic imposition of traffic shaping parameters (CIR, Bc, Be) based on external feedback indicating upstream congestion conditions. Frame Relay switches use BECN (Back End Congestion Notification) to indicate congestion and throttle the DTE traffic rate. Syntax frame-relay adaptive-shaping Syntax of the “no”...
Page 421 Syntax frame-relay bc out bits bits Syntax of the “no” Form The no command resets the committed burst size to its default value: no frame-relay bc out Mode Map Class configuration: XSR(config-map-class)# Default 7000 bits Example This example creates the map class slowlink with bc set to 6000 bits: XSR(config)#map-class frame-relay slowlink XSR(config-map-class<slowlink>)#frame-relay bc out 6000 frame-relay be This command specifies the outgoing excess Burst size (Be) for a Frame Relay map‐class. Syntax frame-relay be out bits bits Syntax of the “no” Form The no command resets the committed burst size to its default value: no frame-relay be out Mode...
Page 422 Frame Relay Map Class Commands Example This example adds map class slowlink with Be of 10000 and Bc of 6000 bits: XSR(config)#map-class frame-relay slowlink XSR(config-map-class<slowlink>)#frame-relay be out 10000 XSR(config-map-class<slowlink>)#frame-relay bc out 6000 frame-relay cir This command specifies the outgoing Committed Information Rate (CIR) for a Frame Relay map‐ class. CIR, Bc and Be values specify how the XSR forwards packets under normal and congested conditions using the following equation: Tc = Bc/CIR = 7,000 bits / 56,000 bps = 125 mS (Bc and CIR values are default) Frame Relay networks are committed to deliver Bc bits of data every Tc, so maximum committed throughput equals 7,000/125mS = 56kbps = CIR. In this sense, Committed Burst (Bc) is not really a burst but a “smoothing” function for the number of bits that the XSR is allowed to transmit during the Tc period in order to achieve the specified CIR. Since the maximum number of bits that can be sent during Tc is Bc plus Be bits, using the default values, maximum throughput equals (Bc + Be)/Tc = (7,000 + 7,000)/125mS = 112kbps = 2 * 56kbps = 2 * CIR. Syntax frame-relay cir out rate rate Syntax of the “no” Form The no command resets the CIR to its default value: no frame-relay cir out Mode...
Page 423 frame-relay fragment This command specifies the FRF.12 end‐to‐end fragment size for a Frame Relay map‐class. Fragment size is defined in bytes. It specifies the number of payload bytes from the original frame that will go into each fragment. The transmitted fragment will include eight additional bytes from headers (6) and CRC(2). Note: For proper operation of fragmentation, QOS is required to classify a service-policy which will define a high priority queue. The queue must send frames no larger than the fragment size or fragmentation will also be applied to high priority queue data and latency will grow, defeating the primary purpose of FRF.12 fragmentation.
Page 424 Frame Relay Map Class Commands dialer map-class-name Syntax of the “no” Form no map-class [frame-relay | dialer] map-class-name Mode Global configuration: Next Mode FR Map‐Class configuration: XSR(config-map-class)# Example This example defines frame relay map‐class normlink: XSR(config)#map-class frame-relay normlink XSR(config-map-class<normlink>)#frame-relay adaptive-shaping XSR(config-map-class<normlink>)#frame-relay cir out 64000 XSR(config-map-class<normlink>)#frame-relay bc out 8000 XSR(config-map-class<normlink>)#frame-relay be out 8000 XSR(config-map-class<normlink>)#service-policy output HighPriority service-policy This command sets the service‐policy profile for the class map. The service‐policy is a flexible ...
Page 425 Example The following example specifies HighPriority as the policy for the class map: XSR(config-map-class)#service-policy out HighPriority shutdown This command disables an interface or sub‐interface. A sub‐interface is shut down (no longer passing data) when one of the following occurs: • An explicit • A shutdown shutdown • A Syntax shutdown Syntax of the “no” Form Use the no command to enable the interface after it is shut down: no shutdown Mode Interface configuration: sub-interface This command starts configuration for a sub‐interface on a serial interface. You can configure up to 50 sub‐interfaces on the XSR. Syntax interface serial interface_id.sub-interface_num [multi-point | point-to-point interface_id.sub- interface-num multi-point point-to-point Mode...
Page 426: Frame Relay Clear And Show Commands
Frame Relay Clear and Show Commands Examples This example selects sub‐interface Serial 1/0.5 on a serial interface: XSR(config)#interface serial 1/0 XSR(config-if<S1/0>)#encapsulation frame-relay XSR(config-if<S1/0>)#no shutdown XSR(config-if<S1/0>)#interface serial 1/0.5 multi-point XSR(config-subif<S1/0.5>)#no shutdown This example selects a sub‐interface on a T1/E1 card: XSR(config)#interface serial 2/1 XSR(config-if<S2/1>)#encapsulation frame-relay XSR(config-if<S2/1>)#no shutdown XSR(config-if<S2/1>)#interface serial 2/1:12.1 multi-point XSR(config-subif<S2/1:12.1>)#no shutdown Frame Relay Clear and Show Commands clear frame-relay counter This command clears the statistics of a particular Frame Relay DLCI, or all DLCIs under a ...
Page 427 Sample Output The following is sample output from the command: XSR(config)#show frame-relay fragment Frame Relay End-to-End Fragmentation Summary interface Serial 2/0.1 Serial 1/0:0.1 If the interface‐num or sub‐interface number is set and the dlci‐num is not, all learned inverse ARP entries for the interface and its logical sub‐interfaces will be cleared. The DLCI of a particular virtual port whose inverse ARP entry is to be cleared. A specific interface for which Frame Relay fragmentation data will be shown. Interface number containing the DLCI(s) for which to show fragmentation data. Specific DLCI for which to display fragmentation data. Router# dlci frag-size Frame Relay Clear and Show Commands in-frag out-frag dropped-frag XSR CLI Reference Guide 9-103...
Page 428 Frame Relay Clear and Show Commands XSR(config)#show frame-relay fragment interface serial 2/0.1 960 Frame Relay End-to-End Fragmentation Detailed Statistics Serial 2/0.1 DLCI = 960 Incoming Traffic Fragmented pkts Fragmented bytes Assembled pkts Assembled bytes Non-fragmented pkts Non-fragmented bytes Dropped Assembled pkts Pkt Sequence # Errors Unexpected Begin Frag Parameter Descriptions...
Page 429 in fragments with unexpected Sum of fragments received by this DLCI that have an unexpected B (Begin) bit set. B bit set When this occurs, all fragments being reassembled are dropped and a new frame is begun with this fragment. out interleaved packets Sum of packets leaving this DLCI that have been interleaved between segments. show frame-relay lmi This command displays Local Management Interface (LMI) statistics. Enter the command without arguments to obtain statistics about all Frame Relay interfaces. Syntax show frame-relay lmi [interface] [interface-num] interface -num Mode EXEC or Global configuration: Sample Output The following example displays output on Serial interface 2/0 from an XSR with a Serial NIM installed: XSR#show frame-relay lmi LMI Statistics for Serial 2/0 (Frame Relay DTE) Interface = INACTIVE Status Enq.
Page 430 Frame Relay Clear and Show Commands Parameter Descriptions The configured or auto‐detected LMI type. If the port is set for AUTO LMI, then the XSR shows AUTO (nn), where nn is ILMI, ANSI, or ITU if the port has successfully negotiated/ detected the LMI supported by the switch, otherwise it displays AUTO. Status Enq. Sent Sum of LMI status enquiry messages sent. Status Msgs Rcvd Sum of LMI status messages received. Status Timeouts Sum of times the status message was not received within the keepalive time value. Update Status Rcvd Sum of LMI asynchronous update status messages received. Invalid L2 LMI info Sum of received LMI messages with invalid unnumbered information field. Invalid L3 LMI Sum of LMI messages with invalid fields.fields Un‐configured DLCIs List of un‐configured DLCIs are reported to be in an Active state by the Frame Relay switch. This field is not displayed if the configured LMI type is None. Down DLCIs List of configured DLCIs are reported to be in a Down or Inactive state by the Frame Relay switch. This field is not displayed if the configured LMI type is None. Interface Down marks the port as active but not communicating with the switch; Inactive marks the port as shut down; Up marks the port as operational. Local/net sequence Value of current or next to transmit/received LMI control packet. number show frame-relay map This command displays data from current frame‐relay map entries. Syntax show frame-relay map Mode EXEC or Global configuration: ...
Page 431 The following example displays a point‐to‐point Frame Relay map: XSR#show frame-relay map Frame Relay Map Statistics (Serial 2/0) Serial 2/0.3 gratuitous-inverse-arp, bootp, static ip 2.2.2.3 Parameter Descriptions Serial 2/0 Identifies a Frame Relay interface being displayed. Serial 2/0.1 Identifies the specific sub‐interface that is associated with a DLCI. dlci 981(0x3D5,0xF450) DLCI number displayed three ways: its decimal value, its hexadecimal value (0x3D5), and its value as it appears on the wire (0xF450). Remote Addr.10.10.10.5 The remote peer IP address learned using Inverse ARP. Remote Addr. The node is waiting for Inverse ARP response to resolve un‐resolved the remote peerʹs IP address. Remote Addr.P2P This DLCI does not require Inverse ARP to resolve the remote peer’s IP address. gratuitous Inverse‐arp This DLCI will offer a free Inverse ARP to help the remote learn changes to the local interface. The response from the remote is not used for address resolution. bootp This DLCI will respond to a broadcast bootp request originated from the adjacent peer. The bootp response includes the static IP address configured on this DLCI. static ip 2.2.2.3 This DLCI has been configured with a static IP address for the remote peer. Inverse arp ...
Page 432 Frame Relay Clear and Show Commands PVC Statistics for Serial 2/0:1.1 (Frame Relay DTE) DLCI INPUT: Packets BECN pkts OUTPUT: Packets BECN pkts bcast pkts PVC created: 12/01/2000 02:23:37 FRF.12 = ENABLED Adaptive Shape = DISABLED minCIR=28000 Parameter Descriptions One of the Data‐link Connection Identifier numbers for the PVC. DLCI PVC STATUS Status of the PVC: ...
Page 433 FRF.12 FRF.12 has been disabled on this PVC. This line is not printed if disabled. Fragment size Size of the payload for fragmented packets. Adaptive Shape Status of Adaptive Shaping for this PVC. Shaping Drops Sum of packets dropped due to traffic shaping. minCIR The minimum Committed Information Rate, bits/sec. Current Committed burst size, in bits. Current Excess burst size, in bits. Interval Bc/CIR in milliseconds. show frame-relay traffic This command displays global Frame Relay statistics since the last reload. Syntax show frame-relay traffic Mode EXEC or Global configuration: Sample Output XSR#show frame-relay traffic Frame Relay statistics: TX: ARP requests = 19 RX: ARP requests = 2 show frame-relay map-class This command displays Frame Relay map‐class usage data. It provides a view of all configured ...
Page 434 Frame Relay Clear and Show Commands Serial 1/0, CIR= 64000, Bc=8000, BE= 9000, fragment=53 Adaptive Shaping: Disabled, Service Policy: Voice # FR Ports = 1, # FR sub-Interfaces = 3, # DLCIs = 7 show interface serial The following statistics are added to the command if the port is configured for Frame Relay. Sample Output The following example displays T1 statistics: XSR#show interface serial 2/0:1 ********** Serial Interface Stats **********...
Page 435 The card is 2. The channel is 0. The current MTU is 1506. The device is in polling mode, and is active. The last driver error is (null). The physical-layer is HDLC-SYNC, the TX, RX clock source is external. The device uses CRC-16 for Tx. The device uses CRC-16 for Rx.
Page 436 Frame Relay Clear and Show Commands 9-112 Configuring Frame Relay...
Page 437: Chapter 10: Configuring The Dialer Interface
This chapter describes commands for the dialer, dialer backup, and Dial‐on‐Demand/Bandwidth‐ on‐Demand services. Observing Syntax and Conventions The CLI command syntax and conventions use the notation described in the following table. Convention [x | y | z] {x | y | z} [x {y | z} ] (config-if<xx>) Next Mode entries display the CLI prompt after a command is entered soho.enterasys.com Dialer Interface Commands The following set of commands defines dial services on the XSR: •...
Page 438: Dialer Pool
Dialer Interface Commands • The dialer string where the dialer DTR serial interface is added. • The serial interface must be configured for synchronous data mode. • The modem must be configured with DTR‐controlled dialing interface, CTS follows DCD, DTR disconnects, sync data mode and a preset dialing out telephone number. Syntax dialer dtr Syntax of the “no” Form no dialer dtr Default DTR dialing is disabled Mode Interface configuration: Example XSR(config-if<S1/1>)#dialer dtr dialer pool This command specifies which dialer pool the dialer interface should use. The dialer interface will use one of the physical interfaces in the dialer pool to attach to the interfaceʹs configured destination. Syntax dialer pool number number Syntax of the “no”...
Page 439 Mode Interface configuration: Note: This command is intended for dialer interfaces only. Example The following example shows dialer interface 0 assigned to dialer pool 6. XSR(config)#interface dialer 0 XSR(config-if<D1>)#dialer pool 6 XSR(config-if<D1>)#no shutdown dialer pool-member This command configures physical interfaces for dial devices only. Syntax dialer pool-member number [priority priority] number priority Syntax of the “no” Form no dialer pool-member number Defaults •...
Page 440 Dialer Interface Commands dialer string This command creates a string used to place a call a destination or subnet. Typically, it is the telephone number needed for dialing. Syntax dialer string dial-string [class class-name] dial-string class-name Syntax of the “no” Form no dialer string dial-string Mode Interface configuration: Example This example shows that dialer interface 0 configured to use map‐class XXX when using dialer string 9055559988: XSR(config-if)#interface dialer 0 XSR(config-if<D0>)#dialer string 9055559988 class XXX dialer wait-for-carrier-time (interface configuration) This command configures the time a dialer interface waits for a carrier signal. It is used when ...
Page 441: Interface Dialer
Example The following example specifies a wait time of 90 seconds for the carrier signal on serial port 1/0: XSR(config-if<S1/0>)#dialer wait-for-carrier-time 90 dialer wait-for-carrier-time (map-class dialer configuration) This command configures the time to wait for a carrier signal associated with a specific dialer map class. Dialer map classes are used to configure certain characteristics with dialer strings when configuring dialer ports. Syntax dialer wait-for-carrier-time seconds seconds Syntax of the “no” Form The no form of this command resets to the default value: no dialer wait-for-carrier-time Default 60 seconds Mode Map‐class dialer configuration: Example The example below specifies a 120‐second wait time for the carrier signal of the dialer map class TEST on Dialer port 57: XSR(config-if<D57>)#interface dialer 57 XSR(config-if<D57>)#ip address 196.16.25.1 255.255.255.0 XSR(config-if<D57>)#encapsulation ppp XSR(config-if<D57>)#dialer remote-name SiteA XSR(config-if<D57>)#dialer string 4165555584 class TEST...
Page 442 Dialer Interface Commands This mode of operation of the dialer interface is called spoofing and it is the default mode for this interface. Spoofing mode changes to non‐spoofing mode when the following conditions are met: • Another interface or sub‐interface is set with the • The interface configured with the Dial‐on‐demand applications require that a dialer‐group, dialer‐list and ACL also be configured. Syntax interface dialer [number | multi-point][sub-interface] number multi-point sub-interface Syntax of the “no” Form The no form of this command removes the dialer interface: interface dialer number Mode Global configuration: Next Mode Dialer Interface configuration: Default Interface is spoofed Examples The following example configures Dialer port 200 in backup mode with minimal settings: XSR(config)#interface dialer 200 XSR(config-if<D200>)#ip address 200.17.10.5 255.255.255.0 XSR(config-if<D200>)#encapsulation ppp XSR(config-if<D200>)#authentication chap...
Page 443 XSR(config-if<D3>)#dialer-group 7 XSR(config-if<D3>)#access-list 101 permit ip 0.0.0.0 255.255.255.255 255.255.255.255 0.0.0.0 XSR(config)#dialer-list 7 protocol ip list 101 map-class dialer This command defines the dial stringʹs characteristics and associates them with a unique class name. Once the that classname must be configured. The classname assigned must match the classname assigned to the dialer string class classname so they can be linked. Syntax map-class dialer classname classname Default None ‐ no class name Mode Global configuration: Next Mode Map‐Class Dialer configuration: Example The example below specifies a 90‐second wait time for the carrier signal of the dialer map class TEST on Dialer port 0: XSR(config)#interface dialer 0 XSR(config-if<D0>)#ip address 196.16.25.1 255.255.255.0 XSR(config-if<D0>)#encapsulation ppp XSR(config-if<D0>)#dialer remote-name sitea...
Page 444: Dialer Interface Clear And Show Commands
Dialer Interface Clear and Show Commands Syntax of the “no” Form The no form of this command removes the modem‐init‐string: no modem-init-string Mode Map‐Class Dialer configuration: Example The following example specifies a modem initialization string to disable dialtone detection for the Map Class Remote: XSR(config-map-class<Remote>)#modem-init-string ATX3 Dialer Interface Clear and Show Commands clear dialer This command clears dialer statistics for physical interfaces connected to the dialer interfaces. If the interface is not specified, all interface (for the dialer) statistics will be cleared. Syntax clear dialer Mode Privileged EXEC: Example XSR#clear dialer show dialer This command displays general information and some configurations of interfaces configured ...
Page 445 Example XSR#show dialer 1 Sample Output The following is sample output from the #show dialer 5 Dialer5 Dialer state is: UP Wait for carrier default: 60, default retry: 3 Dial String 3200 Dialer pool 23 (Serial 2/0:0, ) Parameter Descriptions Dialer1 Wait for carrier(30 secs) Seconds to wait for carrier signal. Default retry Dial String Successes Failures Map Class Dialer pool 2, priority 0...
Page 446 Dialer Interface Clear and Show Commands Phone numbers: <2400:12> Connection speed/type: <64k>/<On Demand> Dialer maps configured on Interface <Dialer2>: Next hop IP address: <20.20.20.2> Phone numbers: <2400> Connection speed/type: <not set>/<On Demand> show dialer sessions This command displays information regarding dialer sessions. Syntax show dialer sessions Mode EXEC: ...
Page 447: Dial Backup Commands
Dial Backup Commands The following set of commands defines a backup dial line. backup This command set backup functionality on Serial, Ethernet or sub‐interfaces. You can also specify a delay before a secondary interface is brought up or down after a primary interface is brought up or down. We suggest this command be used when lines suffer intermittent disruptions causing the primary line to come up and fall temporarily. A backup delay ensures the secondary line does not come up and down prematurely. Note: The XSR sets UTC for time-range calculation. Syntax backup interface dialer dialer-interface-number [delay enable-delay disable-delay [never]][time-range hh:mm hh:mm] interface delay enable-delay disable-delay never time-range hh:mm hh:mm Syntax of the “no” Form The no form of this command removes backup from the interface: no backup interface Default...
Page 448 Dial Backup Commands backup interface dialer This command designates a Serial or Fast/GigabitEthernet/GigabitEthernet interface or sub‐ interface as a backup dialer interface. Caution: To configure a backup FastEthernet/GigabitEthernet interface or sub-interface, the port must be in the shutdown state. Syntax backup interface dialer number number Syntax of the “no” Form no backup interface dialer number Note: Only one dialer interface can be associated with one dialer pool but one dialer pool may be associated with many dialer interfaces.
Page 449 XSR(config)#interface fastethernet 2 XSR(config-if<F2>)#no shutdown XSR(config)#interface fastethernet 2.1 XSR(config-if>)#backup interface dialer 57 XSR(config-if>)#encapsulation ppp XSR(config-if>)#ip address negotiated XSR(config-if>)#ip mtu 1492 XSR(config-if>)#no shutdown backup time-range This command configures a period when the backup dialer should be up and down, regardless of traffic on the line. A backup dialer port is configured to protect a primary interface and once its time‐range is specified, the backup dialer port can be enabled and disabled. Syntax backup time-range start-time end-time start-time end-time Syntax of the “no” Form The no form of this command disables the time‐range feature: no backup time-range Default None...
Page 450: Dod/Bod Commands
DOD/BOD Commands show interface dialer This command displays general information for a dialer interface. Syntax show interface dialer number number Mode Privileged EXEC: Sample Output The example below displays output from the XSR#show interface dialer ********** Dialer Interface Stats ********** Dialer1 is Admin Up Internet address is 10.10.10.1, subnet mask is 255.255.255.0 Dialer1 Dialer state is: UP Wait for carrier default: 60, default retry: 3 Dial String Dialer pool 3...
Page 451 Syntax dialer-group group-number group-number Syntax of the ‘no’ Form Use the no form of this command to remove an interface from the specified dialer access group: no dialer-group Mode Dialer Interface configuration: Example The following example configures dialer group 7 on dialer interface 1, mapping ACL 101 to dialer‐ list 7: XSR(config)#interface dialer 1 XSR(config-if<D1>)#dialer-group 7 XSR(config)#access-list 101 permit ip 0.0.0.0 255.255.255.255 255.255.255.255 0.0.0.0 XSR(config)#dialer-list 7 protocol ip list 101 dialer-list This command defines a dialer list to control dialing by protocol or by a combination of protocol and Access Control List (ACL). Because IP is the sole protocol supported at this time, an ACL must be specified using the Syntax dialer-list dialer-group protocol protocol-name list access-list-number] dialer-group...
Page 452 DOD/BOD Commands Example The following example maps ACL 1350 to dialer list 57: XSR(config)#access-list 57 permit ip 0.0.0.0 255.255.255.255 255.255.255.255 0.0.0.0 XSR(config)#dialer-list 57 protocol ip list 1350 dialer called This command maps incoming calls to one of the dialer interfaces. A maximum number of 32 called numbers per dialer interface can be configured. Syntax dialer called DNIS:subaddress DNIS:subaddress Syntax of the “no” Form The no form of this command removes the configured number: no dialer called DNIS:subaddress Mode Dialer Interface configuration: Example The following example configures a dialer profile for a receiver with DNIS 12345 and ISDN ...
Page 453 Note: If the ISDN switch does not provide the calling number, callback will fail. Syntax of the “no” Form The no form of this command disables the feature: no dialer caller number Mode Dialer Interface configuration: Example The following example configures the dialer caller numbers to screen: XSR(config)#interface dialer 1 XSR(config-if<D1>)#dialer caller 5084712345 dialer idle-timeout This command specifies the idle timeout interval before the XSR disconnects the line. The timeout trigger is based on outbound traffic only. Caution: This command must be invoked on the called side of a link with a 0 value to ensure the link is not dropped after 120 seconds by the called side.
Page 454: Dialer Map
Protocol address used to match against addresses to which packets are destined. The remote system with which the local router or access server communicates. Case-sensitive name or ID of the remote device (usually the host name).) It is used for incoming call mapping based on the authenticated user name negotiated under PPP.
Page 455 Example The following example configures a next hop IP address, SPC, hostname and line speed for map class AcmeMap: XSR(config)#dialer map 1 XSR(config-if<D1>)#dialer map ip 192.168.57.9 class AcmeMap name AcmeHost spc speed 56 12345:6789 dialer persistent This command brings up a permanent switched connection in the absence of an interesting packet or primary‐line‐down backup dial trigger. Syntax dialer persistent [delay n] Syntax of the “no” Form The no form of this command deletes the persistent setting: no dialer persistent Mode Dialer Interface configuration: Default ‐1 second Example The following example configures Dialer interface 57 to be persistent for two minutes: XSR(config)#interface dialer 57...
Page 456 Re‐enable: 5 seconds Example Assuming you have configured Serial interfaces 1/0, 1/1, and 1/2 as part of dialer pool 1, the following example sets the dialer to attempt dialing each interface five times (if all attempts are unsuccessful), indefinitely until the dial trigger is reset or a connection is successfully established. XSR(config)#interface dialer 1 XSR(config-if<D1>)#dialer pool 1 XSR(config-if<D1>)#dialer redial attempts 5 forever dialer remote-name This command specifies, for a dialer interface, the PPP authenticated user name of the remote router that is calling in. Syntax dialer remote-name username username Mode Dialer Interface configuration: Example The following example sets the authentication name for the remote router on Dialer interface 7: XSR(config)#interface dialer 7 XSR(config-if<D1>)#dialer remote-name “Auth West” 10-102 Configuring the Dialer Interface Number of redial attempts made if dial-up or ISDN connection establishment fails, ranging from 1 to 65535.
Page 457: Dialer Watch Commands
Dialer Watch Commands dialer watch-group This command enables Dialer Watch backup on a dialer interface with up to 16 watch‐groups. Note: The XSR sets UTC for time-range calculation. Syntax dialer watch-group group-number group-number Syntax of the “no” Form Use the no form of this command to disable this feature: no dialer watch-group group-number Mode Dialer Interface configuration: Example The following example configures a dialer watch group: XSR(config-if<D3>)#dialer watch-group 57 dialer watch-list This command adds a list of IP addresses you want monitored. Use this command with the dialer watch‐group interface configuration command. The number of the group list must match the group number.
Page 458 Dialer Watch Commands address-mask initial-delay connect-delay disconnect-delay start-time end-time Syntax of the “no” Form Use the no form of this command to disable this feature: no dialer watch-list group-number [delay route-check initial initial-delay][delay connect connect-delay][delay disconnect disconnect-delay][ip ip-address address- mask] Mode Dialer Interface configuration: Default • Initial delay: 30 seconds • Connect delay: 2 seconds • Disconnect delay: 2 seconds Example The following example configures the dialer watch option: XSR(config-if<D9>)dialer watch-list 57 delay route-check initial 15 delay connect 1 delay disconnect 1 ip 192.168.69.9 255.255.255.0...
Page 459 dial string: 3200, success: 0, fail: 0 Dialer pool 1 stats: member: Serial 1/3:0, available B-channels: 30, Watch-group stats: watch-group 1, rt cnt 1, trigg cnt 1, state is UP, delays: init 10, connect 3, disconnect 3, time range 10:15 11:15 timer expires in 18h:32m:28s watch-group 2, rt cnt 1, trigg cnt 1, state is UP,...
Page 460 Dialer Watch Commands 10-106 Configuring the Dialer Interface...
Page 461: Chapter 11: Isdn Bri And Pri Commands
Observing Syntax and Conventions The CLI Syntax and conventions use the notation described in the following table. Convention [x | y | z] {x | y | z} [x {y | z} ] (config-if<xx>) Next Mode entries display the CLI prompt after a command is entered soho.enterasys.com ISDN Commands The following set of commands allows you to configure BRI/PRI functionality on the XSR. interface bri This command configures a BRI interface for each physical BRI port on the BRI NIM card. When ...
Page 462 ISDN Commands Syntax of the “no” Form no interface bri board/slot Mode Global configuration: Next Mode BRI Interface configuration: Example The following example acquires BRI B‐channel 1 interface mode: XSR(config)#interface bri 1/1 XSR(config-if<BRI-1/1>)# isdn answer1, isdn answer2 (BRI) This command, the incoming setup message for ISDN BRI calls. Issue the incoming calls based on the called‐party or sub‐address number. If you do not specify this command, all calls are processed or accepted. If you specify the command, the XSR must verify the incoming called‐party number and the sub‐address before processing and/or accepting the call. The verification proceeds from right to left for the called‐ party number; it also proceeds from right to left for the sub‐address number. You can configure the called‐party number only or the sub‐address. In such a case, only the configured value is verified. To configure a sub‐address only, include the colon (:) before the sub‐ address number. Note: This command is applicable to the BRI ETSI switch only. Syntax isdn answer1 [called-party-number][:subaddress] called-...
Page 463 Syntax of the “no” Form Use the no form of this command to remove the verification request: no isdn answer1 [called-party-number][:subaddress] Default No verification of either number Mode BRI Interface configuration: Examples The following example configures BRI interface 1/1 with called‐party and sub‐address numbers: XSR(config)#interface bri 1/1 XSR(config-if<BRsaI-1/1>)#isdn answer1 6171234:5678 The following example configures BRI interface 2/0 with a sub‐address number only: XSR(config)#interface bri 2/0 XSR(config-if<BRI-2/0>)#isdn answer1:5678 isdn bchan-number-order (PRI) This command configures an ISDN PRI interface to choose an outgoing call in either ascending or descending order. The XSR selects the lowest or highest available B‐channel starting at either channel B1 (ascending) or channel B23 for a T1 anD‐channel B30 for an E1 (descending). Use this command only if your service provider requests it to decrease the probability of call collisions. Syntax isdn bchan-number-order {ascending | descending} ascending descending Syntax of the “no”...
Page 464 ISDN Commands Example The following example sets the T1 controller to make call selections in ascending order: XSR(config)#controller t1 1/0/0 XSR(config-controller<T1-1/0:0>)#description “T1 at Acme” XSR(config-controller<T1-1/0:0>)#framing esf XSR(config-controller<T1-1/0:0>)#linecode b8zs XSR(config-controller<T1-1/0:0>)#pri-group XSR(config-controller<T1-2/1>isdn bchan-number-order ascending isdn call This command is used for debugging purposes only to test call setup procedures with a Central Office ISDN switch or test equipment. It is automatically disconnected after 30 seconds. Note: Enter this command in Privileged EXEC, not Global configuration mode. Syntax isdn call c/p [board/slot/port] dialing-string [56 | 64] dialing-string Mode Privileged EXEC: ...
Page 465 A PRI or BRI port can have only one ISDN calling‐number entry. For ISDN PRI, this command is intended for use when the network offers better pricing on calls in which devices present the caller number. When configured, the calling number is included in the outgoing setup message. Note: There is no mechanism to mark outgoing calls with the Calling Number and Calling Subaddress for call routing on the receiving end. Syntax isdn calling-number calling-number:subaddress calling-number :subaddress Syntax of the “no” Form no isdn calling-number Mode BRI Interface configuration: ...
Page 466 ISDN Commands Example The following example sets up a test call on channel 24 on BRI port 1/1: XSR#isdn disconnect 1/1 24 <186>Jul 28 22:49:51 10.10.10.20 ISDN: No Channel Available For Test Call isdn spid1, isdn spid2 (BRI) This command specifies the Service Profile Identification Number (SPID) which is supplied by your ISDN service provider. North America (NOAM) ISDN switches use Fully Initializing Terminals (FIT) service which require the CPE to register its SPID with the Central Office (CO) before service can begin. Syntax isdn spid1 spid-number {max digits| ldn} {max digits} isdn spid2 spid-number {max digits} ldn} {max digits} spid-number Syntax of the “no”...
Page 467 Note: This command is valid only after the pri-group command was issued. Syntax isdn switch-type switch-type {basic-dms100 | basic-ni1 | basic-ntt | basic-net3 | primary-net5 | primary-ni2 | primary-5ess | primary-dms100 | primary-ntt} BRI Switch Types: basic-dms100 basic-ni1 basic-5ess basic-ntt basic-net3 PRI Switch Types: primary-net5...
Page 468 ISDN Commands Example The following example selects a switch type on the BRI 1/1 interface: XSR(config)#interface bri 1/1 XSR(config-if<BRI-1/1>)#isdn switch-type basic-net3 leased-line bri This command sets up an ISDN BRI port for leased‐line operation. Leased‐line service at 64 or 128 kbps via BRI is provided in Japan and Germany. The 56 and 112 kbps speeds are provided for eventual North American deployment of this service. Once a BRI interface is configured for access over leased lines, it is no longer a dialer interface, and signaling over the D‐channel no longer applies. Although the interface is called interface BRI, it is configured as a synchronous serial port and all serial port commands are available. This command creates a serial interface that is configured as a standard serial port. It can be issued once for speeds equal to and higher then 112 as both B‐channels are bound to the created serial interface. For 56 and 64 bps speeds, the command can be issued twice to create individual serial interfaces :1 and :2 for B1 and B2, respectively. After you enter the command, you must exit BRI configuration mode and configure the channels by entering interface bri [board/port:1] ports are configured as regular synchronous serial interfaces. Note: The shutdown/no shutdown channel commands are overridden by the interface bri shutdown/no shutdown commands.
Page 469 Examples The following example configures two data streams on leased‐line BRI interface 1/1 at 56 kbps with PPP encapsulation: XSR(config)#interface bri 1/1 XSR(config-if<BRI-1/1>)#leased-line 56 XSR(config)#interface bri 1/1:1 XSR(config-if<BRI-1/1:1>)#ip address 1.1.1.2 255.255.255.0 XSR(config-if<BRI-1/1:1>)#encapsulation ppp The following example configures BRI B‐channel 2: XSR(config)#interface bri 1/1:2 XSR(config-if<BRI-1/1:2>)#ip address 1.1.1.3 255.255.255.0 XSR(config-if<BRI-1/1:2>)#encapsulation frame-relay The following example configures one data stream on leased‐line BRI interface 1/1 at 112 kbps with Frame Relay encapsulation: XSR(config)#interface bri 1/1 XSR(config-if<BRI-1/1>)#leased-line 112 XSR(config)#interface bri 0/1/2:1 XSR(config-if<BRI-1/2:1>)#ip address 1.1.1.3 255.255.255.0 XSR(config-if<BRI-1/2:1>)#encapsulation frame-relay pri-group This command configures a T1/E1 port to ISDN PRI on a channelized E1/T1 card. All 23 T1 or 30 ...
Page 470: Isdn Debug And Show Commands
ISDN Debug and Show Commands shutdown (BRI) This command forces all data calls to be disconnected and signals all internal XSR resources that the port is not available. Syntax shutdown [board/slot/port] board/slot/port Syntax of the “no” Form no shutdown [board/slot/port] Mode Interface configuration: ISDN Debug and Show Commands debug isdn This command initiates a Layer 2 or 3 ISDN debug session to trace failed calls at the D channel level. Issuing the command has the effect of locking out debugging by any other Telnet or Console connection. If both Layer 2 (Q921) and 3 (Q931) choices are selected, tracing will display both layers. Note: To prevent unauthorized personnel from observing the debug session on the network, users with privilege level 15 only can issue this command.
Page 471 Syntax of the “no” Form The no form of this command removes ISDN message tracing. You may choose to issue the command with all or no parameters selected. no debug isdn slot/card/port Q931 | Q921 [limit {10‐9999}] Default Messages: 100 Mode EXEC Configuration: Examples The following example configures Layer 3 ISDN debugging on the specified interface: XSR#debug isdn 0/1/0 q931 ISDN-DBG 0/1/0 Enable Q931 Tracing show controllers bri This command displays physical line data concerning Basic Rate Interface (BRI) sub‐interfaces. Syntax show controllers bri [board/slot/port] [:channel number] board /slot /port Mode Privileged EXEC or Global configuration: Example The following output is produced for BRI sub‐interface 2/1:0 XSR#show controllers bri 2/1:0 Forward Engine Serial Layer Tx/Rx Stats:...
Page 472 ISDN Debug and Show Commands Packet Processor Tx Scheduler Stats: 0 Packet driver Tx OK 0 Packet driver not Tx: MUX END_ERR_BLOCK 0 Packet driver not Tx: MUX ERROR 0 Packet driver not Tx: Unknown Msg from MUX The unit number is 167772177. The interrupt number is 27.
Page 473 • PRI ‐ show interface serial 2/1:0 - 14 Use the following table for reference. Table 11-1 Channel Number Mappings Service Provider Channel Numbering B‐channels 1‐23 1‐31 1, 2 Syntax (PRI) show interface bri [card/port]:[channel number] :channel number Syntax (BRI) show interface bri [card/port]:[channel number] channel number Mode Privileged EXEC or Global configuration: ...
Page 474 ISDN Debug and Show Commands Standard output of the command follows but is not displayed here. The following output is displayed for the BRI interface 2/1: XSR#sh interface bri 2/1 ********** Serial Interface Stats ********** D-Serial 2/1:0 is Admin Down / Oper Down ********************** ISDN Layer 1: DOWN The name of this device is bri2/1/0. The card is 2. The port is 1.
Page 475 show isdn history This command displays past ISDN actions on the XSR. Syntax show isdn history [board/slot/port] board/slot/port Mode Privileged EXEC or Global configuration: Sample Output The following output displays incoming and outgoing call data for BRI interface 1/0 and its sub‐ interfaces: XSR#show isdn history 1/0 ********************** ISDN Call History ISDN-BRI Channel 1/0:2 1/0:1 1/0:1 1/0:1 1/0:1 1/0:1 1/0:2 1/0:1 The following output displays incoming call data for PRI interface 2/0 and sub‐interfaces 23 ‐ 30: XSR#show isdn history 2/0 ********************** ISDN Call History ISDN-PRI Channel Serial 2/0:30 Serial 2/0:29...
Page 476 ISDN Debug and Show Commands show isdn active This command displays current call information of all BRI or PRI ports, or only the selected port specified by board/slot/port identifier. Syntax show isdn active [board/slot/port] board/slot/port Mode Privileged EXEC or Global configuration: Sample Output The following output displays current call data on BRI interface 1/0: XSR#show isdn active 1/0 ************************** ISDN Layer 1: Ch No State CONNECTED OUTGOING CONNECTED INCOMING Parameter Descriptions Call Type Calling or Called Phone 10 least significant digits ...
Page 477 show isdn service This command displays the service status of all or selected ISDN ports. Syntax show isdn service [board/slot/port] board/slot/port Mode Privileged EXEC or Global configuration: Parameter Descriptions Layer 1 Status Layer 2 Status Examples The following example displays statistics fom the BRI NOAM port: XSR#show isdn service 1/1 ********************** ISDN Layer 1: Term. 1 Spid:2200555 State: Term. 2 Spid:2201555 State: Ch No State IDLE The following example shows output from BRI port 1/0: #show isdn service 1/0 (BRI) ********************** ISDN Layer 1: Ch No...
Page 478 ISDN Debug and Show Commands 20 CONNECTED 25 CONNECTED 30 CONNECTED 11-100 ISDN BRI and PRI Commands 21 CONNECTED 22 CONNECTED 26 CONNECTED 27 CONNECTED 23 CONNECTED 24 CONNECTED 28 CONNECTED 29 CONNECTED...
Page 479: Chapter 12: Configuring Quality Of Service
Observing Syntax and Conventions The CLI Syntax and conventions use the notation described in the following table. Convention [x | y | z] {x | y | z} [x {y | z}] (config-if<xx>) Next Mode entries display the CLI prompt after a command is entered. Sub‐command headings are displayed in red text. soho.enterasys.com QoS Commands The following set of commands configure Quality of Service (QoS) values for the XSR: • “Policy‐Map Commands” on page 12‐84. • “Class‐map Commands” on page 12‐101. • “QoS Show Commands” on page 12‐105. Configuring Quality of Service Description Key word or mandatory parameters (bold) [ ] Square brackets indicate an optional parameter (italic)
Page 480: Policy-Map Commands
Policy-Map Commands service-policy This command attaches a policy map to an output or input interface. You can attach a single policy map to one or more interfaces. Syntax service-policy [input | output] policy-map-name policy-map-name Syntax of the “no” Form The no form of the command removes a policy map from the interface: no service-policy [input | output] Mode Interface configuration: Example The following example associates policy map ACMEpolicy with Serial 1/0: XSR(config)#interface serial 1/0 XSR(config-if<S1/0>)#service-policy output ACMEpolicy Policy-Map Commands policy-map This command creates or modifies a policy map that can be attached to one or more interfaces to specify a service policy. Sub‐commands associated with this command are: • bandwidth page 12‐86 for the command definition.
Page 481 • random-detect exponential-weighting-constant weight factor for the average queue size calculation.Refer to page 12‐95 for the command definition. • random-detect precedence maximum drop probability values for a IP precedence value. Go to page 12‐96 for the command definition. set cos • ‐ Marks the IEEE 802.1 priority in the header of output VLAN packets with a Class of Service (CoS) matching clause. Go to page 12‐97 for the command definition. • set ip dscp ‐ Marks a packet by setting the IP Differentiated Services Code Point (DSCP) parameter. Go to page 12‐98 for the command definition. set ip precedence • command definition. • shape ‐ Enables and configures traffic shaping on a class. Go to page 12‐100 for the command definition. Use the policy-map command to specify the name of the policy map to be created, added to, or modified before you can configure policies for classes whose match criteria are defined in a class policy-map map. Invoking the you can configure or modify the class policies for that policy map. You can configure class policies in a policy map only if the classes have match criteria defined for them. You use the class-map You can configure up to 64 class policies in a policy map.
Page 482 Policy-Map Commands Example These commands create class‐map class1 and define its match criteria: XSR(config)#class-map class1 XSR(config-cmap<class1>)#match access-group 136 These commands create the policy map which is defined to contain policy specifications for class1 and the default class: XSR(config)#policy-map policy1 XSR(config-pmap<policy1>)#class class1 XSR(config-pmap-c<class1>)#bandwidth 2000 XSR(config-pmap-c<class1>)#queue-limit 40 XSR(config-pmap<policy1>)#class class-default XSR(config-pmap-c<class-default>)#queue-limit 20 bandwidth This command specifies or modify the bandwidth allocated for a class belonging to a policy map. It is used in conjunction with a class defined by the command specifies the bandwidth for traffic in that class. Class‐Based Weighted Fair Queueing (CBWFQ) derives the weight for packets belonging to the class from the bandwidth allocated to the class. CBWFQ then uses the weight to ensure that the queue for the class is serviced fairly. The amount of bandwidth can be specified in percentages or kilobits per second (kbps). When configured in kbps, the class weight is calculated as a ratio of the bandwidth specified for that class over the available link bandwidth. The available link bandwidth is equal to the interface bandwidth minus the sum of all bandwidth reserved for low latency queues. When configured in percentages, the class weight is equal to the bandwidth percentages. Configuring bandwidth in percentages is most useful when the underlying link bandwidth is unknown, changes over time, or the relative class bandwidth distributions are known. For interfaces that have adaptive shaping rates, CBWFQ can be set by configuring class bandwidths in percentages. The following restrictions apply to the • If the ...
Page 483 Syntax of the “no” Form Remove the bandwidth specified for a class by using the no form of this command: no bandwidth Mode Policy‐Map Class configuration: Example The following example specifies a bandwidth of 2000 Kbps for polmap6: XSR(config)#policy-map polmap6 XSR(config-pmap<polmap6>)#class acl22 XSR(config-pmap-c<acl22>)#bandwidth 2000 XSR(config-pmap-c<acl22>)#queue-limit 30 class This QoS policy‐map sub‐command specifies the name of the traffic class whose policy you want to create or to change and sets the criteria for classifying traffic. The XSR provides a robust set of matching rules for you to define the criteria. Before using the policy map you want to change. This also allows you to enter QoS policy‐map configuration mode. After you specify a policy map, you can configure policy for new classes or modify policy for any existing classes in that policy map. The class name you specify in the policy map ties the characteristics for that class ‐ that is, its policy ‐ to the class map and its match criteria, as configured using the When a class is removed, available bandwidth for the interface is incremented by the amount previously allocated to the class. Note: The XSR supports a maximum of 64 traffic classes. The predefined default class called class‐default is the class to which traffic is directed if that traffic ...
Page 484 Policy-Map Commands Syntax of the “no” Form The no form of this command removes a class from the policy map: no class {class-name} Mode Policy‐Map configuration: Next Mode Policy‐Map Class configuration: Example This example creates class1 with a minimum of 20 percent in the event of congestion, and the queue reserved for this class can enqueue 40 packets before tail drop is enacted to handle additional packets. XSR(config)#policy-map policy1 XSR(config-pmap-policy1>)#class class1 XSR(config-pmap-c<class1>)#bandwidth percent 20 XSR(config-pmap-c<class1>)#queue-limit 40 These commands create class2 with a minimum of 3000 kbps of bandwidth for this class in the event of congestion. RED drops up to one out of three packets when the average queue size becomes bigger than 34 and drops each packet if it becomes bigger than 57. RED packet drop is used for congestion avoidance. XSR(config-pmap<policy1>)#class class2 XSR(config-pmap-c<class2>)#bandwidth 3000 XSR(config-pmap-c<class2>)#random-detect 34 57 3 These commands configure the default map class where a maximum of 20 packets per queue are ...
Page 485 police This command configures traffic policing. Syntax police bps [burst-normal][burst-max][conform-action action][exceed-action action][violate-action action] burst-normal burst-max conform-action exceed-action violate-action action Syntax of the “no” Form Traffic policing is removed by using the no form of this command: no police Defaults • burst‐normal: average rate multiplied by one second) • conform‐action: transmit • exceed‐action: drop • violate‐action: drop • Command is disabled by default Mode Policy‐Map Class configuration: Average rate ranging from 1,000 to 100,000,000 bps. Normal burst size ranging from 1,000 to 51,200,000 bps. If less than 1000 bytes burst‐normal will be set to 1000 bytes. Excess burst size ranging from 1,000 to 51,2000,000 bytes. Value must be greater than or equal to normal‐burst size. It will automatically be changed to ...
Page 486 Policy-Map Commands Example The following example defines a traffic class using the from the traffic class with the Traffic Policing configuration, which is configured in the service policy using the this service policy to the interface. In this example, traffic policing is configured with the average rate of 8000 bits per second and the normal burst size at 1200 bytes and an excess burst of 2000 bytes for all packets leaving F1/0: XSR(config)#class-map access-match XSR(config-cmap<access-match>)#match access-group 1 XSR(config)#policy-map police-setting XSR(config-pmap<police-setting>)#class access-match XSR(config-pmap-c<access-match>)#police 8000 1200 2000 conform-action transmit exceed-action drop XSR(config>)interface fastethernet 1/0 XSR(config-if<F1>)#service-policy output police-setting priority This command gives priority to a class of traffic belonging to a policy map. It configures low latency queueing, providing strict Priority Queues (PQ) over Class‐based Weighted Fair Queueing (CBWFQ). Strict PQ allows delay‐sensitive data such as voice to be de‐queued and sent before packets in other queues are dequeued. The burst argument specifies the burst size and, as such, configures the network to accommodate temporary bursts of traffic. The default burst value, which is computed as 1 second of traffic at the configured bandwidth rate, is used when the burst argument is not specified. Priority queues can be reserved by absolute bandwidth with these settings: high, medium, low and ...
Page 487 Mode Policy‐Map Class configuration: Example The following example configures two PQs for the policy map policy57, with a high priority level, guaranteed bandwidth of 300 kbps and a one‐time allowable burst size of 500 kbps for the map‐ class voice; and a low priority bandwidth, 80 bytes of guaranteed bandwidth, and a burst size 2000 bytes for map‐class beta. XSR(config)#policy-map policy57 XSR(config-pmap<policy57>)#class voice XSR(config-pmap-c<voice>)#priority high 300 500 XSR(config-pmap<policy57>)#class beta XSR(config-pmap-c<beta>)#priority low 80 2000 queue-limit This command specifies or modifies the maximum number of packets the queue can hold for a class policy configured in a policy map. Class‐Based Weighted Fair Queueing (CBWFQ) creates a queue for every class for which a class map is defined. Packets satisfying the match criteria for a class accumulate in the queue reserved for the class until they are sent, which occurs when the queue is serviced by the Fair Queueing process. When the peak packet threshold you set for the class is reached, any further packet enqueueing to the class queue causes tail drop. Syntax queue-limit number-of-packets number-of- packets Syntax of the “no” Form The no form of the command removes the queue packet limit from a class. If RED is not configured, the queue limit is restored to the default value.
Page 488 Policy-Map Commands XSR(config)#policy-map policy75 XSR(config-pmap<policy75>)#class acl203 XSR(config-pmap-c<acl203>)#bandwidth percent 35 XSR(config-pmap-c<acl203>)#queue-limit 50 random-detect (RED) This command configures RED for a policy map. This command configures and enables Random Early Detect (RED) for the class. RED is a congestion avoidance mechanism that slows traffic by randomly dropping packets during congestion and is useful with protocols like TCP that respond to dropped packets by reducing the transmission rate. While RED may be implemented using WRED, this command is retained for compatibility with earlier releases and simplicity of configuration when only RED is required. Syntax random-detect min-thres max-thres [mark-prob] min-thres max-thres mark-prob Syntax of the “no” Form The no form of this command disable RED on an interface: no random-detect Mode Policy‐Map Class configuration: Defaults • Disabled •...
Page 489 random-detect (WRED) This command configures and enables Weighted Random Early Detect (WRED) for the class. WRED is a congestion avoidance mechanism that slows traffic by randomly dropping packets when congestion exists. WRED is useful with protocols like TCP that respond to dropped packets by decreasing the transmission rate. To set or change WRED parameters, use the If no parameter passed to the command, the default is prec‐based WRED. Syntax random-detect {dscp-based | prec-based} dscp-based prec-based Syntax of the “no” Form The no form of this command disables WRED on an interface: no random-detect Mode Policy‐Map Class configuration: Default Prec‐based Example The following example enables WRED as DSCP‐based with the default values for parameters: XSR(config)#policy-map DSCP XSR(config-pmap<DSCP>)#class A XSR(config-pmap-c<a>)#random-detect dscp-based random-detect dscp This command changes the Weighted Random Early Detect (WRED) minimum and maximum threshold and maximum drop probability for a DiffServ Code Point (DSCP) value. This command specifies the DiffServ Code Point (DSCP) value. The DSCP can be a number from 0 to 63, or any of the following keywords: af1, af12 , af13, af21, af22, af23, af31, af32, af33, af41, af42, ...
Page 490 Policy-Map Commands Syntax random-detect dscp dscp-value min-thres max-thres [mark-prob] dscp-value min-thres max-thres mark-prob Syntax of the “no” Form The no form reverts WRED parameters to the default for a DSCP value: no random-detect Mode Policy‐Map Class configuration: Defaults • Disabled • Default min‐threshold settings used by the following table. The default max‐threshold and mark‐probability are all DSCP values. Table 12-1 DSCP Threshold/Max Drop Probability Parameters DSCP af11 af12 af13 Af21 Af22...
Page 491 Table 12-1 DSCP Threshold/Max Drop Probability Parameters (continued) DSCP Initial parameters for all other DSCP values Examples The following example enables WRED with a minimum threshold for DSCP af21 of 24 and maximum threshold of 40. The dropping probability is 1/4th. All other DSCPs have default values. XSR(config)#policy-map wred XSR(config-pmap<wred>)#class a XSR(config-pmap-c<a>)#random-detect dscp-based XSR(config-pmap-c<a>)#random-detect dscp af21 24 40 4 The following example sets WRED It sets DSCP 33 WRED parameters to 10, 20, 10 and changes the setting for all other DSCP values from initial to default 5, 10, 20. XSR(config)#policy-map wred XSR(config-pmap<wred>)#class a XSR(config-pmap-c<a>)#random-detect dscp-based XSR(config-pmap-c<a>)#random-detect dscp 33 10 20 10 XSR(config-pmap-c<a>)#random-detect default 5 10 20 random-detect exponential-weighting-constant This command configures the Weighted Random Early Detect (WRED) exponential weight factor ...
Page 492 Policy-Map Commands Syntax of the “no” Form The no form of this command sets the constant to the default value of 9: no random-detect exponential-weighting-constant Mode Policy‐Map Class configuration: Example The following example enables WRED and sets the weight constant to (1/2)^5: XSR(config)#policy-map wred XSR(config-pmap<wred>)#class a XSR(config-pmap-c<a>)#random-detect dscp-based XSR(config-pmap-c<a>)#random-detect exponential-weighting-constant 5 random-detect precedence This command sets Weighted Random Early Detect (WRED) the minimum and maximum threshold and maximum drop probability values for a IP precedence value. The default WRED maximum drop probability (MaxP) is 1/10 and the default maximum threshold (MaxTh) is 40 for all IP precedence values. The default minimum threshold is calculated from MaxTh based on following formula: MinTh = (1/2 ‐ precvalue/16) x MaxTh To change the default setting, use the so, all IP precedence will share the same values except those which were explicitly configured random-detect precedence with revert to the original default setting, enter Syntax random-detect precedence prec-value min-thres max-thres [mark-prob]default prec-value min-thres max-thres...
Page 493 Defaults • Disabled • Mark‐prob: 10 Mode Policy‐Map Class configuration: Examples The following example enables WRED with a minimum IP precedence threshold of 24 and maximum of 40. The dropping probability is 1/4. All other precedence types have default values. XSR(config)#policy-map wred XSR(config-pmap<wred>)#class a XSR(config-pmap-c<a>)#random-detect prec-based XSR(config-pmap-c<a>)#random-detect precedence 3 24 40 4 The following example sets WRED as RED with a minimum threshold of 10 and maximum threshold of 20: XSR(config)#policy-map foo XSR(config-pmap<foo>)#class a XSR(config-pmap-c<a>)#random-detect prec-based XSR(config-pmap-c<a>)#random-detect precedence default 10 20 set cos This command marks the IEEE 802.1 priority in the header of output VLAN packets with a Class of Service (CoS) matching clause. As part of CoS configuration, the XSR associates a policy map with a class of traffic. By comparison, the VLAN packets.
Page 494 Policy-Map Commands Mode Policy‐Map Class configuration: Example The following example configures policy‐map setCosTo4 that matches input priority value range from 5 to 7 and sets the output VLAN priority to 4: XSR(config)#policy-map setCosTo4 XSR(config-pmap<setCosTo4>)#class matchCos5To7 XSR(config-pmap-c<matchCos5to7>)#set cos 4 set ip dscp This command marks a packet by setting the IP Differentiated Services Code Point (DSCP) in the Type of Service (ToS) byte. Once the IP DSCP bit is set, other QoS services can then operate on the bit settings. Note: You cannot mark a packet by the IP precedence with the set ip precedence command and mark the same packet with an IP DSCP value by entering the set ip dscp command. The network gives priority (or some type of expedited handling) to marked traffic. Typically, you ...
Page 495 Syntax of the “no” Form The no form of this command removes a previously set IP DSCP: no set ip dscp Mode Policy‐Map Class configuration: Example In the following example, the IP DSCP TOS byte is set to 8 for class1 and cs2 for class2 in policy57: XSR(config)#policy-map policy57 XSR(config-pmap<policy57>)#class class1 XSR(config-pmap-c<class1>)#set ip dscp 8 XSR(config-pmap<policy57>)#class class2 XSR(config-pmap-c<class1>)#set ip dscp cs2 set ip precedence This command sets the precedence value in the IP header. The network gives priority (or some type of expedited handling) to marked traffic through the application of CBWFQ or RED at points downstream in the network. Typically, you set IP Precedence at the edge of the network (or administrative domain); data then is queued based on the precedence. CBWFQ can speed up handling for certain precedence traffic at congestion points. Syntax set ip precedence ip-precedence-value ip-precedence-value Syntax of the “no”...
Page 496 Policy-Map Commands Mode Policy‐Map Class configuration: Example The following example sets the IP Precedence bit to 7 for packets that satisfy the match criteria of the class map called class39. All packets that satisfy the match criteria of class39 are marked with the IP Precedence value of 7. How packets marked with the IP Precedence value of 7 are treated is determined by your network configuration. XSR(config)#policy-map policy57 XSR(config-pmap<policy57>)#class class39 XSR(config-pmap-c<class39>)#set ip precedence 7 shape This command enables and configures traffic shaping on a class. It can be applied to any fair‐class or priority class. The default burst is sufficient to achieve the average rate and is calculated from the rate and the default measurement interval of 10 milliseconds: Burst equals rate multiplied by (10 milliseconds divided by 1000) In order to sustain the average rate, the normal burst cannot be less than the default burst. The default value for exceed burst is equal to the normal burst. Syntax shape rate [[burst]exceed-burst] rate burst exceed-burst Syntax of the “no” Form The no form of this command disables traffic shaping on a class: no shape Default Disabled Mode Policy‐Map Class configuration: ...
Page 497: Class-Map Commands
Class-map Commands class-map This command creates a class map for matching packets to a specified class. Use it to specify the name of the class for which you want to create or modify class map match criteria. Packets arriving at the output interface are checked against the match criteria set for a class map to determine if the packet belongs to that class. Sub‐commands associated with the command are: match access-group • configured ACL. Go to page 12‐102 for the command definition. • match cos page 12‐103 for the command definition. match ip dscp • match criterion. Go to page 12‐103 for the command definition. • match ip precedence for the command definition. Syntax class-map {match-all match-any} class-map-name match-all match-any class-map- name Syntax of the “no” Form Use the no form of this command to remove an existing class map: no class-map [match-all] | [match-any] word Mode Global configuration: ...
Page 498 Class-map Commands XSR(config)#class-map class57 XSR(config-cmap<class57>)#match access-group 136 XSR(config)#policy-map policy99 XSR(config-pmap<policy99>)#class class57 XSR(config-pmap-c<class57>)#bandwidth percent 10 XSR(config-pmap-c<class57>)#queue-limit 40 XSR(config-pmap<policy99>)#class class-default XSR(config)#interface serial 1/0 XSR(config-if<S1/0>)#service-policy output policy99 match access-group This command configures the match criteria for a class map on the basis of the specified Access Control List (ACL). You define traffic classes based on match criteria including ACLs, DSCP and/or IP Precedence. Packets satisfying the match criteria for a class constitute the traffic for that class. match access-group match criteria against which packets are checked to determine if they belong to the class set by the class map. match access-group To use the specify the name of the class whose match criteria you want to establish. After you identify the class, you can use one of the following commands to configure its match criteria: • match access-group •...
Page 499: Match Cos
match cos This command identifies a specific IEEE 802.1 priority value as a match criterion. Up to 8 priority values can be matched in one match statement. For example, if you wanted the priority values of 0, 1, 2, 3, 4, 5, 6, or 7 (note that only one of the priority values must be a successful match criterion, not all of the specified priority values), enter the This command is used by the class map to identify a specific priority value marking on the header of incoming VLAN packets. By comparison, the VLAN packets. For information on the Hardware Controllers chapter. Syntax match cos ieee802.1p-value [ieee802.1p-value] [ieee802.1p-value] ... ieee802.1p-value Syntax of the “no” Form The no form of this command removes the match clause: no match cos Default No match clause for VLAN priority Mode Class‐map configuration: Example The following example example configures classmap matchCos5To7 that matches input priority values from 5 to 7: XSR(config)#class-map matchCos5To7 XSR(config-cmap<matchCos5To7>)#match cos 5 6 7 match ip dscp This command identifies a specific IP Differentiated Service Code Point (DSCP) value as a match ...
Page 500: Match Ip Precedence
Class-map Commands Syntax match ip dscp ip-dscp-value [ip-dscp-value][ip-dscp-value] [ip-dscp-value] [ip- dscp-value][ip-dscp-value][ip-dscp-value][ip-dscp-value] ip-dscp-value Syntax of the “no” Form To remove a specific IP DSCP value from a class map, use the no form of this command: no match ip dscp ip-dscp-value [ip-dscp-value][ip-dscp-value][ip-dscp-value][ip- dscp-value][ip-dscp-value][ip-dscp-value][ip-dscp-value] Mode Class‐map configuration: Example The following example shows how to configure the service policy called priority55 and attach service policy priority55 to an interface. In this example, the class map ipdscp15 will evaluate all packets entering interface F1 for an IP DSCP value of 15. If the incoming packet has been marked with the IP DSCP value of 15, the packet will be treated with a high priority level. XSR(config)#class-map ipdscp15 XSR(config-cmap<ipdscp15>)#match ip dscp 15 XSR(config)#policy-map priority55 XSR(config-pmap<priority55>)#class ipdscp15 XSR(config-pmap-c<ipdscp15>)#priority high 55 XSR(config)#interface fastethernet 1...
Page 501: Qos Show Commands
Syntax of the “no” Form Use the no form of this command to remove IP precedence values from a class map: no match ip precedence ip-precedence-value [ip-precedence-value] [ip-precedence- value][ip-precedence-value][ip-precedence-value][ip-precedence-value][ip- precedence-value] [ip-precedence-value][ip-precedence-value] Mode Class‐map configuration: Example The following example shows how to configure the service policy called priority50 and attach service policy priority50 to an interface. In this example, the class map called ipprec5 will evaluate all packets entering F1/0/0 for an IP precedence value of 5. If the incoming packet has been marked with the IP precedence value of 5, the packet will be treated with a priority level of 50. XSR(config)#class-map ipprec5 XSR(config-cmap<ipprec5>)#match ip precedence 5 XSR(config)#policy-map priority50 XSR(config-pmap<priority50>)#class ipprec5 XSR(config-pmap-c<ipprec5>)#priority high 50 XSR(config)#interface fastethernet 1 XSR(config-if<F1>)#service-policy output priority50 QoS Show Commands show class-map This command displays all class maps and their matching criteria.
Page 502 QoS Show Commands Class map c3 Match access-group 103 Class map c2 Match ip precedence 2 Class map c1 Match ip dscp 32 show policy-map This command displays the configuration of all classes for a specified service policy map or all classes for all existing policy maps. It displays the configuration of a service policy map created policy-map using the class configurations comprising any existing service policy map, whether or not that service policy map has been attached to an interface. Syntax show policy-map [policy-map] interface-type policy-map interface type Default All existing policy map configurations are displayed.
Page 503 show policy-map interface This command shows the configuration of all service policies applied on an interface or Frame Relay Data‐link Connection Identifier (DLCI). It displays the configuration for classes on the specified interface or specified DLCI only if a service policy has been attached to the interface or PVC. This command shows input and the output policies applied to the interfaces.Counters displayed after you enter the congestion is present on the interface. Note: This command displays policy information about Frame Relay PVCs only if Frame Relay Traffic Shaping (FRTS) is enabled on the interface. Counters displayed after you enter the show policy‐map interface command are updated only if congestion is present on the interface. When QoS is applied to a Dialer interface, this command displays no data. To display the policy‐ map after the dialer has built the connection, enter the show policy map command on the interface from the dialer pool that the dialer called on and not the dialer interface itself. Syntax show policy-map interface interface-type [dlci dlci] mlpppgroup interface type dlci...
Page 504 QoS Show Commands XSR(config)#map-class frame-relay foo XSR(config-map-class<foo>)#frame-relay cir out 100000 XSR(config-map-class<foo>)#frame-relay bc out 10000 XSR(config-map-class<foo>)#service-policy output mypolicy XSR(config-map-class<foo>)#service policy input mypolicy XSR#show policy-map interface s1/0.1 dlci 100 Serial1/0.1: DLCI 100 - output: mypolicy Class smallPackets Priority High Bandwidth 800 (kbps)Actual bandwidth 0 (kbps), Random-detect : Avg Qsize: 5.32, Random Drops : 54 min-th : 20 max-th : 25 mark-prob : 1/2...
Page 505 Tail drops NoBuff Error Avg Qsize Random Drops min-th max-th mark-prob show random-detect interface This command displays data about Random Early Detection (RED). Syntax show random-detect interface [interface-type interface-number] interface-type interface-number Mode XSR> EXEC: Sample Output The following commands configure policy‐map Shape: XSR(config)#policy-map Shape XSR(config-pmap<Shape>)#class d32 XSR(config-pmap-c<d32>)#bandwidth per 30 XSR(config-pmap-c<d32>)#random-detect dscp-based XSR(config-pmap-c<d32>)#random-detect dscp 32 10 20 10 XSR(config-pmap-c<d32>)#random-detect dscp default 2 5 20 The following is sample output from the command. There are drops only from class d32.
Page 506 QoS Show Commands DSCP min-th 12-110 Configuring Quality of Service max-th mark-prob tail drop 1900 early drop...
Page 507 Exponential weighting constant: 9 Parameter Descriptions Average Queue size Total Random Drops Min-th Max-th Mark-prob DSCP Tail drop Early drop show shape interface This command displays information about QoS traffic shaping. Syntax show shape interface [interface-type interface-number] interface-type interface-number Mode Privileged EXEC or Global configuration: Average output queue size for this interface. Sum of packets dropped for all DSCP codepoint.. Minimum threshold. Maximum length of the queue. When the average queue size is larger than this number, any additional packets will be dropped. Probability (1/mark‐prob) for random drops. DSCP code point.
Page 508 QoS Show Commands Sample Output This following commands configure shape information for each class. In the following example policy‐map shape is configured as follows: XSR(config)#policy-map Shape XSR(config-pmap<Shape>)#class d32 XSR(config-pmap-c<d32>)#bandwidth per 30 XSR(config-pmap-c<d32>)#shape 400000 50000 XSR(config-pmap-c<d32>)#class d33 XSR(config-pmap-c<d33>)#bandwidth per 30 XSR(config-pmap-c<d32>)#shape 100000 12500 The following is sample output displays shape information for classes d32 and d33: XSR# show shape interface serial 1/0:0 Serial 0/1/0:0 output: Shape Serial 0/1/1:1 output: Shape Class d32 Traffic shaping Average Normal...
Page 509: Chapter 13: Configuring Adsl
Observing Syntax and Conventions The CLI command syntax and conventions use the notation described below. Convention [x | y | z] {x | y | z} [x {y | z} ] (config-if<xx>) Next Mode entries display the CLI prompt after a command is entered. Sub-command soho.enterasys.com ADSL Configuration Commands The following command sets define ADSL functionality on the XSR including: •...
Page 510 CMV Commands Syntax cmv append command-ID offset value command-ID offset value Mode ATM Interface configuration: Example The following example adds the CMV DOPT 1 with a hex value: XSR(config-if<ATM0/1/1>)#cmv append DOPT 1 0x306090c0 cmv clear This command removes all Command Management Variable (CMV) commands from the CMV training list which is used by the DSP firmware when the line is in training mode. This command is intended for use by Enterasys field service personnel only. This command requires that the ADSL NIM be installed and the DSP firmware file be present in the Flash: directory. Syntax cmv clear Mode ATM Interface configuration: Example The following example deletes all CMVs from the training list: XSR(config-if<ATM0/1/1>)#cmv clear cmv cr This command reads a Command Management Variable (CMV) from the DSP. This command is ...
Page 511 Syntax cmv cr command-ID offset command-ID offset Mode ATM Interface configuration: Example The following example reads CMV STAT 0 from the DSP: XSR(config-if<ATM0/1/1>)#cmv cr STAT 0 cmv cw This command writes a Command Management Variable (CMV) to the DSP. This command is intended for use by Enterasys field service personnel only. This command requires that the ADSL NIM be installed and the DSP firmware file be present in the Flash: directory. Syntax cmv cw command-ID offset value command-ID offset value Mode ATM Interface configuration: Example The following example writes UOPT 2 with a hex value to the DSP: XSR(config-if<ATM0/1/1>)#cmv cw UOPT 2 0x0c0e1014 cmv delete This command deletes the specified Command Management Variable (CMV) from the DSP ...
Page 512 CMV Commands Syntax cmv delete command-ID offset [value] command-ID offset value Mode ATM Interface configuration: Example The following example deletes CMV OPTN2, from the retaining list: XSR(config-if<ATM0/1/1>)#cmv delete OPTN 2 cmv print This command prints the Command Management Variable (CMV) training list on the console. The training list is used by the DSP firmware when the line is in training mode. This command is intended for use by Enterasys field service personnel only. This command requires that the ADSL NIM be installed and the DSP firmware file be present in the Flash: directory. Syntax cmv print Mode ATM Interface configuration: Example The following example prints the CMV training list to the console: XSR(config-if<ATM0/1/1>)#cmv print cmv save This command saves the Command Management Variable (CMV) training list to a file. The training list is used by the DSP firmware when the line is in training mode. This command is ...
Page 513: Other Adsl Commands
Syntax cmv save file-name file-name Mode ATM Interface configuration: Example The following example saves the CMV training list to file retrain‐list: XSR(config-if<ATM0/1/1>)#cmv save retrain-list Save complete XSR(config-if<ATM0/1/1>)# Other ADSL Commands description This command adds a description string to an existing ATM interface object. This command requires that the ADSL NIM be installed and the DSP firmware file be present in Flash: directory. Syntax description description_text description_text Syntax of the “no” Form The no form of this command sets the description text to an empty string: no description Mode ATM Interface configuration: Example The following example adds ADSL Line to the interface object: XSR(config-if<ATM0/1/1>)#description “ADSL Line” The name of the file used to save the CMV training list.
Page 514: Interface Atm
Other ADSL Commands interface atm This command creates an ATM interface object and its associated device driver which downloads the specified firmware file to the on‐board DSP. Depending on the size of the DSP firmware and the characteristics of the download procedure, this procedure may take a noticeable amount of time. After a successful load, the interface and device driver is in the administrative down state (shutdown). Caution: This command requires that the ADSL NIM be installed and the DSP firmware file be present in the Flash: directory. Syntax interface atm {slot/card/port} slot card port Syntax of the “no” Form The no form of this command removes the interface object and all associated sub‐interface objects. ...
Page 515 • backup ‐ configures and enables a backup interface for the ATM sub‐interface. Refer to page 13‐90 for the command description. crypto • ‐ enables and configures VPN parameters on the sub‐interface. Refer to page 13‐92 for the command description. • description ‐ adds a description string to an existing ATM sub‐interface. Refer to page 13‐92 for the command description. encapsulation • ‐ selects the data encapsulation method for this ATM sub‐interface. Refer to page 13‐92 for the command description. • exit ‐ quits ATM Sub‐Interface mode and returns to Global mode. Refer to page 13‐93 for the command description. ip address • ‐ specifies the IP address and subnet mask of the ATM sub‐interface or requests the IP address and subnet mask be negotiated. Refer to page 13‐93 for the command description. • no shutdown ‐ sets the ATM sub‐interface to the administrative up state and enables the virtual circuit. Refer to page 13‐94 for the command description. oam-pvc • ‐ enables end‐to‐end F5 (circuit) OAM cell procedures for ATM Permanent Virtual Circuit (PVC) management. Refer to page 13‐95 for the command description. • oam-retry ‐ configures parameters related to OAM cell handling for ATM VC management. Refer to page 13‐96 for the command description. • ‐ sets the sub‐interface circuit type to PVC and specifies ATM VPI/VCI values. Refer to ...
Page 516 Other ADSL Commands Defaults • Backup: Disabled • VPN: Disabled • Description: Set to the empty string • Encapsulation: None • IP: Not configured • PPP: Not configured • OAM procedures: Disabled • ATM PVC VPI/VCI: Set to 1/32 • The sub‐interface will be in the shutdown state Example The following example creates an ATM sub‐interface object on ATM interface slot 0, card 1, port 1: XSR(config)#interface atm 0/1/1.1 point-to-point XSR(config-if<ATM0/1/1.1>)# backup This command configures and enables a backup interface for this ATM sub‐interface. This command requires a properly configured ATM sub‐interface and Dialer group. Syntax backup {delay down-wait {up-wait | never} | interface dialer id | time-range begin-hh:mm end-hh:mm} down-wait up-wait |...
Page 517 Default Disabled by default. When enabled, all operational parameters must be specified. Example The following example configures a sub‐interface backup with a Dialer ID of 1, delay of 20 seconds before switching to the backup, and a delay of 10 seconds before switching back to the ATM sub‐interface. The example also configures the sub‐interface to switch to the backup line at 8:30 P.M. then switch back to the normal interface at 9:50 P.M. : XSR(config-if<ATM0/1/0.1>)#backup interface Dialer1 XSR(config-if<ATM0/1/0.1>)#backup delay 20 10 XSR(config-if<ATM0/1/0.1>)#backup time-range 20:30 21:50 crypto This command enables and configures the DF‐bit VPN parameter on this ATM sub‐interface. This command requires a properly configured ATM sub‐interface. Syntax crypto {ezipsec | ipsec df-bit {clear | copy | set}| map [map-name]} ezipsec ipsec df-bit clear copy map-name Syntax of the “no”...
Page 518 Other ADSL Commands XSR(config-if<ATM0/1/0.1>)#crypto ezipsec XSR(config-if<ATM0/1/0.1>)#crypto ipsec df-bit copy XSR(config-if<ATM0/1/0.1>)#crypto map ets-vpn description This command adds a description string to an existing ATM sub‐interface. This command requires a properly configured ATM sub‐interface. Syntax description description_text description _text Syntax of the “no” Form The no form of this command sets the description text to an empty string: no description Mode ATM Sub‐Interface configuration: Example The following example adds the ADSL VC 1/32 text string to the sub‐interface object: XSR(config-if<ATM0/1/0.1>)#description “ADSL VC 1/32” encapsulation This command selects the data encapsulation method for this ATM sub‐interface. Be aware that an encapsulation method must be selected before the sub‐interface can pass data. Note: This command requires a properly configured ATM sub-interface. In order to change encapsulation, you must issue the no encapsulation command first before restting the value.
Page 519 service -name Syntax of the “no” Form The no form of this command removes any form of encapsulation, effectively disabling the sub‐ interface: no encapsulation Mode ATM Sub‐Interface configuration: Default The default encapsulation is none. An encapsulation method must be specified before the sub‐ interface can pass data. When the sub‐interface is configured for PPPoE encapsulation, the source Ethernet MAC address will be set to the MAC address of FastEthernet interface 2. Example The following example configures the sub‐interface for LLC/SNAP multiplexing and PPPoA encapsulated traffic: XSR(config-if<ATM0/1/0.1>)#encapsulation snap pppoa exit This command quits the ATM Sub‐Interface mode and returns to Global mode. Syntax exit Mode ATM Sub‐Interface configuration: Example The following example exits the sub‐interface ATM command mode from ATM interface slot 0, card 1, port 0, sub‐interface 1: XSR(config-if<ATM0/1/0.1>)#exit XSR(config)# ip address This command specifies the IP address and subnet mask of the ATM sub‐interface or requests the IP address and subnet mask be negotiated. This command requires a properly configured ATM sub‐interface. The name of the PPPoE service. If not specified, PPPoE connects to the first advertised service name. At this time, the XSR will connect with the first ...
Page 520 Other ADSL Commands Syntax ip address {ip-address/subnet-mask | negotiated} ip-address subnet-mask negotiated Syntax of the “no” Form The no form of this command returns this parameter to its default setting: no ip address Mode ATM Sub‐Interface configuration: Default • IP address: 0.0.0.0 • Subnet mask: 0.0.0.0. Example This example sets the sub‐interface IP address to 10.1.1.1 and the subnet mask to 255.0.0.0: XSR(config-if<ATM0/1/0.1>)#ip address 10.1.1.1 255.0.0.0 XSR(config-if<ATM0/1/0.1>)#ip address 10.1.1.1/8 no shutdown This command sets the ATM sub‐interface to the administrative Up state ( enables the virtual circuit.
Page 521 oam-pvc This command enables end‐to‐end F5 (circuit) OAM cell procedures for ATM Permanent Virtual Circuit (PVC) management. OAM cells and how they are used are as follows: • Alarm Indication Signal (AIS) – Received from the network to indicate a problem in the forward‐to‐XSR data flow. • Continuity Check (CC) – Echoed to the sender when received. The XSR does not generate CC cells for connectivity management but will respond to CC procedure negotiation cells. • Loopback – Echoed back to the sender when received. The XSR sends loopback cells to monitor the end‐to‐end connectivity on the VC. • Remote Defect Indication (RDI) – Received from the network to indicate a problem in the reverse‐from‐XSR data flow. Sent to the network to indicate a problem in the local node XSR as well as in response to any AIS cells received. The loopback cells monitor and declare the circuit up or down as follows: • The circuit is UP immediately after line training completes successfully. • The circuit is declared DOWN when down‐count consecutive loopback response cells are missed. • The circuit is declared UP when up‐count consecutive loopback response cells are received. This command requires a properly configured ATM sub‐interface. Syntax oam-pvc [manage][frequency] manage frequency Syntax of the “no” Form The no form of this command disables all OAM procedures for this sub‐interface: no oam-pvc Mode ATM Sub‐Interface configuration: Defaults •...
Page 522: Oam Retry
Other ADSL Commands Example The following example sets the OAM frequency to 20 seconds: XSR(config-if<ATM0/1/0.1>)#oam-pvc manage 20 oam retry This command configures parameters related to OAM cell handling for ATM VC management. This command requires a properly configured ATM sub‐interface. Syntax oam retry up-count down-count retry-frequency up-count down-count retry- frequency Syntax of the “no” Form The no form of this command returns this parameter to its default setting: no oam retry Mode ATM Sub‐Interface configuration: Default • Initial down‐count value: 5 • Initial up‐count value: 3 • Initial retry‐frequency value: 10 •...
Page 523 Syntax pvc vpi/vci vpi/vci Syntax of the “no” Form The no form of this command returns this parameter to its default setting: no pvc Mode ATM Sub‐Interface configuration: Default VPI/VCI defaults to 1/32. This is not the ILMI virtual circuit. Example This example sets the sub‐interface circuit type to PVC and sets the ATM VPI/VCI values to 2/48: XSR(config-if<ATM0/1/0.1>)#pvc 2/48 shutdown This command sets the ATM sub‐interface to the administrative Down state halting all data traffic on this VC. Syntax shutdown Syntax of the “no” Form Refer to the atm sub-interface Mode ATM Sub‐Interface configuration: Example The following example sets the ATM sub‐interface to the administrative down state: XSR(config-if<ATM0/1/0.1>)#shutdown ATM VC identifier values. VPI range: 0 to 255, VCI range: 0 to 65535. XSR(config-if<ATMx/x/x.x>)# command on page 13‐88.
Page 524 Other ADSL Commands no shutdown This command sets the ATM interface to the administrative Up state and enables the line for operation. Data traffic cannot flow until at least one associated sub‐interface is set to the administrative Up state. Issuing this command does not change the administrative state of sub‐ interfaces associated with this ATM interface. This command surveys the status of the DSP firmware (which was loaded and started at boot time) and if it finds it in an illegal state (i.e., crashed), it reloads and restarts the DSP firmware before proceeding with the and characteristics of the download process, this operation may take a noticeable length of time. Syntax no shutdown Mode ATM Interface configuration: Example The following example sets the ATM interface to the administrative up state: XSR(config-if<ATM0/1/0>)#no shutdown shutdown This command sets the ATM interface to the administrative Down state. As a result, all ATM sub‐ interfaces associated with this ATM interface are shut down, all data traffic is stopped and the line disabled. Syntax shutdown Syntax of the “no” Form Refer to no shutdown Mode ATM Interface configuration: Example The following example sets the ATM interface to the administrative down state: XSR(config-if<ATM0/1/0>)#shutdown 13-98 Configuring ADSL no shutdown...
Page 525: Ppp Configuration Commands
PPP Configuration Commands This section lists the subset of PPP configuration commands that apply when an ATM sub‐ interface is configured for PPPoA or PPPoE encapsulation. ppp chap This command configures PPP to use the Challenge Handshake Authentication Protocol (CHAP) for user authentication on a PPP session. This command requires a properly configured ATM sub‐ interface specifying encapsulation type PPPoA or PPPoE. Syntax ppp chap {hostname <name> | password pwd | refuse} name refuse Syntax of the “no” Form The no form of this command returns this parameter to its default setting: no ppp chap Mode ATM Sub‐Interface configuration: Default Disabled Example The following example designates the CHAP hostname ENT1: XSR(config-if<ATM0/1/0.1>)#ppp chap hostname ENT1 ppp keepalive This command enables PPP to use LCP echo requests as a keepalive mechanism. It requires a ...
Page 526 PPP Configuration Commands Syntax of the “no” Form The no form of this command returns this parameter to its default setting: no ppp keepalive Mode ATM Sub‐Interface configuration: Defaults • Disabled • Keepalive period: 30 seconds Example This example enables the keepalive mechanism and sets the time between messages to 20 seconds: XSR(config-if<ATM0/1/0.1>)#ppp keepalive 20 ppp lcp This command configures Link Control Protocol (LCP) parameters for PPP. It requires a properly configured ATM sub‐interface specifying encapsulation type PPPoA or PPPoE. Syntax ppp lcp {max-configure <count1> | max-failure <count2> | max-terminate <count3>} max-configure count1 max-failure count2 max-terminate count3 Syntax of the “no”...
Page 527 Example The following example sets LCP parameters: XSR(config-if<ATM0/1/0.1>)#ppp lcp max-configure 5 max-failure 5 max-terminate 2 XSR(config-if<ATM0/1/0.1>)# ppp max-bad-auth This command configures the maximum number of authentication failures for PPP. It requires a properly configured ATM sub‐interface specifying encapsulation type PPPoA or PPPoE. Syntax ppp max-bad-auth <count> count Syntax of the “no” Form The no form of this command returns this parameter to its default setting: no ppp max-bad-auth Mode ATM Sub‐Interface configuration: Default Default number of attempts: 0 Example The following example resets the command parameter to 16: XSR(config-if<ATM0/1/0.1>)#ppp max-bad-auth 16 ppp pap This command configures PPP to use the Password Authentication Protocol (PAP) for user ...
Page 528 PPP Configuration Commands Syntax of the “no” Form The no form of this command returns this parameter to its default setting: no ppp pap Mode ATM Sub‐Interface configuration: Default PAP is disabled Example The following example sets the PAP user name to bob and the password to confidential: XSR(config-if<ATM0/1/0.1>)#ppp sent-name bob password confidential ppp quality This command configures the minimum link quality for PPP, which is a measure of the amount of data successfully passed over the link. The minimum quality value is specified as a percentage of the total data sent. This command requires a properly configured ATM sub‐interface specifying encapsulation type PPPoA or PPPoE. Syntax ppp quality <percent> percent Syntax of the “no” Form The no form of this command returns this parameter to its default setting: no ppp quality Mode ATM Sub‐Interface configuration: ...
Page 529: Atm Clear And Show Commands
ppp timeout retry This command sets the maximum time to wait for a response during PPP negotiation. It requires a properly configured ATM sub‐interface specifying encapsulation type PPPoA or PPPoE. Syntax ppp timeout retry <seconds> seconds Syntax of the “no” Form The no form of this command returns this parameter to its default setting: no ppp timeout retry Mode ATM Sub‐Interface configuration: Default 3 seconds Example This example resets the maximum wait time for a response during PPP negotiation to 12 seconds: XSR(config-if<ATM0/1/0.1>)#ppp timeout retry 12 ATM Clear and Show Commands clear counters atm This command clears ATM counters for the ATM interface. Syntax clear counters atm {slot/card/port} slot...
Page 530 ATM Clear and Show Commands Example The following example clears the ATM counters: XSR#clear counters atm show controllers atm This command displays internal hardware configuration and operational interface details regarding: receive (Rx) and transmit (Tx) DMA descriptors, memory usage, and PCI device ID information. When you issue the command to display sub‐interface statistics, the output returned includes: packet processor (QOS) scheduling statistics, ATM sub‐interface counters, ATM sub‐ interface data plane status, and driver circuit statistics. Syntax show controllers atm {slot/card/port.sub-interface} slot card port sub-interface Mode EXEC or Privileged EXEC: Examples The following is sample output when an interface is specified: XSR#show controllers atm 1/0 ********** ATM Controller Stats ********** ATM 1/0 DSP Image File: CFlash:adsl.fls DSP File Rev.
Page 531 The following is sample output when a sub‐interface is specified: XSR#show controllers atm 1/0.1 ********** ATM Sub-Interface Stats ********** ATM 1/0.1 Packet Processor Tx Scheduler Stats: 952 Packet driver Tx OK 0 Packet driver not Tx: MUX END_ERR_BLOCK 0 Packet driver not Tx: MUX ERROR 0 Packet driver not Tx: Unknown Msg from MUX Statistic Counters: Rx PacketTotalCount Rx PacketDiscardCount...
Page 532 ATM Clear and Show Commands Parameters in the Sub-Interface Response DSP Image File: CFlash:adsl.fls DSP Image Rev.: 43e2ea93 DMT state: 42 OAM counters/ UNK counters Cells: total_count/ tx_notready/tx_toomany Packet Processor Tx Scheduler Stats 952 Packet driver Tx OK 0 Packet driver not Tx: MUX END_ERR_BLOCK 0 Packet driver not Tx: MUX ERROR 0 Packet driver not Tx: Unknown Msg from MUX ATM Sub-interface Statistic Counters:...
Page 533 show interface atm This command displays the running configuration and statistical details for an ATM interface. Statistics supported by the ADSL interface are hardware dependent. General categories include the following: • Analog details including upstream and downstream bit rates • ATM cell counters (especially OAM cells) • OAM (circuit UP/DOWN) state • Frame (AAL5) counters • Layer state information • VC table • Administrative state (Enabled/Disabled) • Operational state (Up/Down) • Loopback on • DSP firmware • Backup interface • Description string When you issue the command to display sub‐interface statistics, the output returned includes: • VPI/VCI • IP address (value + configured or negotiated) • Encapsulation method • Administrative state (enabled/disabled) • Operational state (Up/Down) •...
Page 534 ATM Clear and Show Commands Examples The following is sample output when an interface is specified: XSR#show interface atm 1/0 ********** ATM Interface Stats ********** ATM 1/0 is Admin Up / Oper Up The name of this device is adsl Administrative State is ENABLED Operational State is UP OAM circuit is UP The upstream data rate is 480 kbit/sec The downstream data rate is 10208 kbit/sec General info:...
Page 535 The logical link is currently Up The Name of the Access Concentrator is ENTERASY-CDDU1S The Session Id is 0x000b The MAC Address of the Access Concentrator is The MTU is 1492 The name of this device is adsl-0 Administrative state is ENABLED Operational State is UP Circuit monitoring enabled VPI is 1.
Page 536 ATM Clear and Show Commands General info: Parameters in the Sub-Interface Response ATM 1/0.1 is Admin Up / Oper Up Internet address is 30.0.0.11, subnet mask is 255.255.255.255 State: OPENED/IPCP State: OPENED PPP Layer Information PPPoE is Oper Up The logical link is currently Up The Name of the Access Concentrator is ENTERASY-CDDU1S The Session Id is 0x000b...
Page 537: Chapter 14: Configuring The Vpn
Observing Syntax and Conventions The CLI Syntax and conventions use the notation described in the following table. Convention [x | y | z] {x | y | z} [x {y | z} ] (config-if<xx>) XSR(aaa-method-xx)# Next Mode entries display the CLI prompt after a command is entered. Sub-command soho.enterasys.com VPN Commands The following command subsets configure the Virtual Private Network suite of functionality for the XSR: •...
Page 538: Pki Commands
• “Additional Tunnel Termination Commands” on page 14‐134. • “DF Bit Commands” on page 14‐137. Note: AAA commands are described in Chapter 13: Configuring Security. PKI commands The following commands configure Public Key Infrastructure (PKI) on the XSR. CA Identity Mode Commands crypto ca identity This command declares the Certificate Authority (CA) the XSR should use and identifies CAs which may be required as part of the CA chain for the router or a peer IPSec client. If you previously declared the CA and just want to update its characteristics, specify the name you previously created. In some cases, the CA might require a particular CA name, such as its domain name. Performing this command acquires CA Identity mode, where you can specify CA characteristics with the following sub‐commands: • crl frequency and other maintenance that may be performed periodically. Refer to page 14‐85 for the command definition. enrollment http-proxy •...
Page 539 Mode Global configuration: Next Mode Certificate Authority Identity configuration: Examples The following example declares and identifies characteristics of the CA. In this example, the name ACMEca is created for the CA, which is located at configuration required to declare a CA. XSR(config)#crypto ca identity ACMEca XSR(ca-identity)#enrollment url http://ca_server The following example sets a nonstandard retry period and count, and permits the router to accept certificates when CRLs are not obtainable. XSR(config)#crypto ca identity ACMEca XSR(ca-identity)#enrollment url http://AAA_ca/coldstorage/scripts.exe XSR(ca-identity)#query url ldap://serverx XSR(ca-identity)#enrollment retry period 20 XSR(ca-identity)#enrollment retry count 100 In the example above, if the XSR does not get a certificate back from the CA within 20 minutes of sending a certificate request, it will resend the request. The XSR will repeat certificate requests every retry period until until 100 requests have been sent. If the CA is not available at the specified location, obtain the URL from your CA administrator.
Page 540 CA Identity Mode Commands Mode Certificate Authority Identity configuration: Example The following example sets the CRL to be retrieved for five hours: XSR(config)#crypto ca identity ACMEca XSR(ca-identify)crl frequency 300 enrollment http-proxy This command specifies the local HTTP proxy server name and port. Syntax enrollment http-proxy hostname port_# hostname port_# Syntax of the “no” Form The no form of this command clears the proxy server setting: no enrollment http-proxy Mode Certificate Authority Identity configuration: Example The following example sets the HTTP proxy server IP address and port #: XSR(config)#crypto ca identity ACMEca XSR(ca-identity)#enrollment http-proxy 192.168.57.9 999 enrollment retry count This command specifies how many times the XSR resends a certificate request when it does not ...
Page 541 Syntax of the “no” Form The no form of this command resets the value to the default: no enrollment retry count Default Mode Certificate Authority Identity configuration: Example The following example declares a CA, and changes the retry period to 10 minutes and the retry count to 60. The XSR will resend the certificate request every 10 minutes until it receives the certificate or until approximately 10 hours pass since the original request was sent, whichever occurs first. (10 minutes x 60 tries = 600 minutes [10 hours]). XSR(config)#crypto ca identity ACMEca XSR(ca-identity)#enrollment url http://ca_server XSR(ca-identity)#enrollment retry period 10 XSR(ca-identity)#enrollment retry count 60 enrollment retry period This command specifies the wait period between certificate requests. Syntax enrollment retry period minutes minutes The interval, ranging from 1 to 60 minutes, the XSR waits before resending a ...
Page 542 CA Identity Mode Commands XSR(config)#crypto ca identity ACMEca XSR(ca-identity)#enrollment url http://ca_server XSR(ca-identity)#enrollment retry period 5 enrollment url This command sets the Uniform Resource Locator (URL) of the Certificate Authority (CA). If the CA cgi‐bin script site is not the default /cgi‐bin/ pkiclient.exe at the CA, you must also include the non‐standard script site in the URL as http://CA_name/ script_location where script_location is the full path to the CA scripts. Be aware that the URL format may vary. Syntax enrollment url url The URL of the CA where the XSR sends certificate requests. The URL may be in the form of http://CA_name where CA_name is the CAʹs host IP address or defined static IP hostname. Syntax of the “no” Form This command’s no form deletes the CAʹs URL value from the configuration: no enrollment url url Mode Certificate Authority Identity configuration: Examples The following example shows the minimum configuration required to declare a CA: XSR(config)#crypto ca identity ACMEca...
Page 543 Please make a note of it. Password:**** Re-enter password:**** Include the router serial number in the subject name (y/n) ? y The serial number in the certificate will be: 3526015000250142 Request certificate from CA (y/n) ? y You may experience a short delay while RSA keys are generated.
Page 544: Other Certificate Commands
Other Certificate Commands show crypto ca identity This command displays data about enrolled Certificate Authorities (CA). Syntax show crypto ca identity Mode EXEC or Global configuration: Sample Output The following output displays when you invoke the command: XSR#show crypto ca identity CA Identity - childca2 Enrollment Information: Retry Period: Retry Count: Crl Frequency: CA Identity - childca1 Enrollment Information: Retry Period: Retry Count: Crl Frequency:...
Page 545 Mode Global configuration: Sample Output The following script prompts you to accept the certificate. XSR#crypto ca authenticate ACMEca Certificate has the following attributes: Fingerprint: 0123 4567 89AB CDEF 0123 Do you accept this certificate? [yes/no] y crypto ca certificate chain This command invokes Certificate Chain mode. In this mode, you can delete a certificate by entering the no certificate • Ask the CA administrator to revoke XSRʹs certificates at the CA; you must supply the challenge password you created when you first got the certificates with • Remove the XSRʹs certificates from the configuration using the Syntax crypto ca certificate chain name name...
Page 546 Other Certificate Commands crypto ca crl request This command downloads a new Certificate Revocation List (CRL) from the specified Certificate Authority (CA), updating the CRL. Syntax crypto ca crl request name name CA name. Use the same name you declared using Mode Global configuration: Example The following below immediately downloads the latest CRL to the router: XSR(config)#crypto ca crl request show crypto ca crls This command displays data about Certificate Revocation Lists (CRL) issued by a Certificate Authority (CA). Syntax show crypto ca crls Mode EXEC or Global configuration: Sample Output The following output displays when you invoke the command:...
Page 547 Issuer: Valid From: Valid To: Issuing CDP: ic%20Key%20Services,CN=Services,CN=Configuration,DC=sml,DC=com?certificateRevoc ationList?base?objectclass=cRLDistributionPoint Crl Size: show crypto ca certificates This command lists information about the following: • XSR certificate, if you have requested them from CAs (see the • CA certificates, if you received them (refer to the Syntax show crypto ca certificates Mode EXEC or Global configuration: Example The following sample output shows two XSRs’ certificates and the CAʹs certificate. In this example, special usage RSA key pairs were previously generated, and a certificate was requested and received for each key pair. XSR>show crypto ca certificates Certificate Subject Name Name: XSR.example.com IP Address: 10.0.0.1 Status: Available Certificate Serial Number: 428125BDA34196003F6C78316CD8FA95...
Page 548: Ike Security Protocol Commands
IKE Security Protocol Commands The following is sample output from the command when the CA supports an RA. In this example, CA and RA certificates were requested earlier by the XSR>show crypto ca certificates CA Certificate Status: Available Certificate Serial Number: 3051DF7123BEE31B8341DFE4B3A338E5F Key Usage: Not Set RA Signature Certificate Status: Available Certificate Serial Number: 34BCF8A0 Key Usage: Signature RA KeyEncipher Certificate Status: Available Certificate Serial Number: 34BCF89F Key Usage: Encryption IKE Security Protocol Commands The following commands configure the Internet Key Exchange (IKE) Security Protocol on the XSR.
Page 549: Isakmp Protocol Policy Mode Commands
ISAKMP Protocol Policy Mode Commands crypto isakmp proposal This command defines an IKE proposal (policy) ‐ a set of parameters used during IKE negotiation. It invokes ISAKMP protocol policy configuration mode where the following sub‐commands are available to specify parameters in the proposal: authentication • the command definition. • encryption command definition. • group ‐ Diffie‐Hellman group type used by an IKE proposal. Refer to page 14‐97 for the command definition. hash • ‐ Hash algorithm used by an IKE proposal. Refer to page 14‐98 for the command definition. • lifetime definition. Many IKE proposals (policies) can be configured on each peer participating in IPSec. When IKE negotiation begins, it tries to find a common proposal (policy) on both peers; the common proposal contains exactly the same encryption, hash, authentication, and Diffie‐Hellman values. The lifetime value does not necessarily have to be the same. Syntax crypto isakmp proposal name name Syntax of the “no” Form To delete an IKE proposal (policy), use the no form of this command: no crypto isakmp proposal name Defaults...
Page 550 ISAKMP Protocol Policy Mode Commands Next Mode ISAKMP protocol proposal configuration: Example The following example configures two policies for the peer: XSR(config)#crypto isakmp proposal 57 XSR(config-isakmp)#hash md5 XSR(config-isakmp)#authentication rsa-sig XSR(config-isakmp)#group2 XSR(config-isakmp)#lifetime 5000 XSR(config)#crypto isakmp policy 99 XSR(config-isakmp)#authentication pre-share XSR(config-isakmp)#lifetime 10000 The above configuration results in the following policies: XSR# show crypto isakmp proposal Name Authentication RSASignature PreSharedKeys DEFAULT RSASignature authentication This command specifies the authentication method used within an IKE proposal (policy).
Page 551 encryption This command sets the encryption algorithm used in an IKE proposal (policy). Syntax encryption {des | 3des | aes} 3des Syntax of the “no” Form The no form of this commands resets the algorithm to the default: no encryption Default 3DES Mode ISAKMP protocol proposal configuration: Example This example specifies 3DES as the encryption method for the IKE proposal ACMEproposal: XSR(config)#crypto isakmp proposal ACMEproposal XSR(config-isakmp)#encryption 3des group This command sets the Diffie‐Hellman group in an IKE proposal (policy). Note: Due to the lack of an IETF standard, IKE Diffie-Helman bit groups 2048, 3072, and 4096 are not enabled.
Page 552 ISAKMP Protocol Policy Mode Commands Syntax of the “no” Form The no form of this command resets the value to the default: no group Default Group 2 Mode ISAKMP protocol policy configuration: Example The following example configures Group 5 on ACMEproposal: XSR(config)#crypto isakmp proposal ACMEproposal XSR(config-isakmp)#Group5 hash This command sets the hash algorithm used in an IKE proposal (policy). Syntax hash {sha | md5} Syntax of the “no” Form The no form this command resets to the default ‐ sha: no hash Default Mode ISAKMP Protocol Policy configuration: ...
Page 553: Remote Peer Isakmp Protocol Policy Mode Commands
lifetime This command specifies the lifetime of an IKE Security Association (SA) for a given IKE proposal (policy). Syntax lifetime seconds seconds Syntax of the “no” Form The no form of this command resets to the default value: no lifetime Default 28,800 seconds (8 hours) Mode ISAKMP protocol policy configuration: Example The following example sets the IKE SA lifetime at 8 hours for ACMEproposal: XSR(config)#crypto isakmp proposal ACMEproposal XSR(config-isakmp)#lifetime 28800 Remote Peer ISAKMP Protocol Policy Mode Commands crypto isakmp peer This command configures the remote peer’s IP address and/or subnet and acquires ISAKMP configuration mode. The following sub‐commands can be entered at ISAKMP Peer mode: config-mode •...
Page 554 Remote Peer ISAKMP Protocol Policy Mode Commands Syntax crypto isakmp peer_address subnet-mask peer_address subnet-mask Syntax The no form of this command removes policies from a remote peer: no crypto isakmp peer peer_address subnet-mask Mode Global configuration: Next Mode Remote Peer ISAKMP protocol policy configuration: Example The following example sets the remote peer’s IKE policies: XSR(config)#crypto isakmp peer 192.168.57.9 255.255.255.255 XSR(config-isakmp)# config-mode This command sets the local IKE Mode Configuration role. While not officially an IETF standard, config‐mode is the de facto standard for assigning IP addresses within IKE. Internet Key Exchange (IKE) Mode Configuration, as implemented by many vendors, allows a gateway to download an IP address (and other network level configuration) to the client as part of IKE negotiation. Using this exchange, the gateway gives IP addresses to the IKE client to be used ...
Page 555 Use the user-id <string> command instead. Due to the vulnerability of pre-shared keys on VPN devices using aggressive mode tunnels, Enterasys Networks recommends instead using a certificate or employing a very long password which is not listed in a dictionary. Syntax...
Page 556 Remote Peer ISAKMP Protocol Policy Mode Commands XSR(config-isakmp-peer)#exchange-mode main nat-traversal The command sets the IKE and IPSec NAT (Network Address Translation) traversal mode used when communicating with remote peers matching the peer subnet and wildcard masks. The automatic parameter configures IKE to automatically detect unroutable IP addresses between the local and remote gateway and to then switch to UDP encapsulation of IPSec traffic. The alternate values for this parameter (enabled and disabled) unconditionally turn UDP encapsulation of IPSec packets on or off, respectively. Syntax nat-traversal {automatic | enabled | disabled} automatic enabled disabled Syntax of the “no” Form The no form of this command resets the default value: no nat-traversal Default Disabled Mode Remote Peer ISAKMP protocol policy configuration: Example The following example sets IKE NAT mode to enabled: XSR(config-isakmp-peer)#nat-traversal enabled proposal This command attaches up to three IKE policies to a remote peer. Proposals are configured with ...
Page 557 Syntax of the “no” Form The no form of this command removes policies from the peer: no proposal Mode Remote Peer ISAKMP protocol policy configuration: Example The following example attaches a proposal to the remote peer: XSR(config)#crypto isakmp peer 192.168.57.9 255.255.255.255 XSR(config-isakmp-peer)#proposal 3des_md5_gh2 user-id This command defines the identity information to be used during aggressive IKE Phase 1 negotiation for peer‐to‐peer connections. Enter it when configuring the peer’s ISAKMP for a peer with pre‐shared keys whose IP address is dynamic. If you specify no ID, the IP address will be used by default. But, in that case, you will have to re‐configure (with a new entry in the database) both ends of the tunnel every time the address changes. Note: The exchange mode for this ISAKMP must be set to aggressive. Syntax user-id “string” “string”...
Page 558: Remote Peer Show Commands
Remote Peer Show Commands Remote Peer Show Commands show crypto isakmp peer This command displays attributes for each ISAKMP peer. IKEʹs first configuration derives from the IP address of the remote peer. ISAKMP peers created by EZ‐IPSec configuration are marked with an asterisk (*) in the leftmost column of the other user‐defined ISAKMP policies ‐ they are reserved for EZ‐IPSec. Syntax show crypto isakmp peer Mode EXEC or Global configuration: Sample Output The following is sample output from the command: XSR#show crypto isakmp peer Applicable Subnet 192.168.57.4/2 192.168.57.9/32 The following output was produced by an ISAKMP peer created by EZ‐IPSec: XSR#show crypto isakmp peer Applicable Subnet * 141.154.196.87/32 Main Parameter Description Applicable subnet...
Page 559 show crypto isakmp proposal This command lists attributes for each Internet Key Exchange (IKE) proposal. ISAKMP proposals created with EZ‐IPSec are marked with an asterisk (*) in the be used in other user‐defined ISAKMP policies ‐ they are reserved for EZ‐IPSec. Syntax show crypto isakmp proposal Mode EXEC or Global configuration: Sample Output XSR#show crypto isakmp proposal Name test The following output was produced by ISAKMP proposals created via EZ‐IPSec: XSR#show crypto isakmp proposal Name *ez-ike-3des-sha-psk *ez-ike-3des-md5-psk *ez-ike-3des-sha-rsa *ez-ike-3des-md5-rsa show crypto isakmp sa This command lists all current Internet Key Exchange Security Associations (SAs) for your XSR. An SA occupies a certain state depending upon where in the authentication process the peers are and what exchange mode they share ‐ Aggressive, Main or Quick. During long exchanges, some of the MM states may be seen. Refer to the Parameter Descriptions for further explanation. Syntax show crypto isakmp sa Mode...
Page 560: Ipsec Commands
IPSec Commands Parameters Descriptions Main Mode Exchange MM_NO_STATE MM_SA_SETUP MM_KEY_EXCH MM_KEY_AUTH Aggressive Mode Exchange AG_NO_STATE AG_INIT_EXCH AG_AUTH Quick Mode Exchange QM_IDLE IPSec Commands This section describes commands that configure the IPSec protocol which provides anti‐replay protection as well as data authentication and encryption. access-list This command creates an access list which is used to define which IP traffic will and will not be protected by the crypto process. ACLs associated with IPSec crypto map entries have these primary functions: • Select outbound traffic to be protected by IPSec: the keyword permit equates with protected traffic. • Indicate the data flow to be protected by the new Security Associations (SAs) ‐ specified by a single permit entry‐ when initiating negotiations for IPSec SAs. • Process inbound traffic to filter out and discard traffic that should have been protected by IPSec. • Determine whether or not to accept requests for IPSec SAs on behalf of the requested data flows when processing IKE negotiation from the IPSec peer (negotiation is done only for ipsec‐...
Page 561 Syntax access-list acl-number {deny | permit} protocol [source_addr source_mask [eq port] destination_addr destination_mask [eq port] acl-number deny permit protocol eq port source-addr source-mask destination-addr destination-mask Syntax of the “no” Form The no form of this command removes the access list: no access-list acl-number {deny | permit} protocol [source_addr source_mask [eq port] destination_addr destination_mask [eq port] Default An extended ACL defaults to a list that denies everything.
Page 562: Ipsec Clear And Show Commands
IPSec Clear and Show Commands IPSec Clear and Show Commands clear crypto sa This command deletes IPSec Security Associations (SAs) as follows: • If the SAs were established via IKE, they are deleted and future IPSec traffic will require new SAs to be negotiated. (When IKE is used, the IPSec SAs are established only when needed.) peer • The keyword deletes any IPSec SAs for the specified peer. • The keyword deletes any IPSec SAs for the named crypto map set. • The counters clear the SAs themselves. Note: If there are many thousands of tunnels in use, this command will use as many system resources as are available for as long as necessary to complete the task, making the XSR appear “frozen.”...
Page 563 Caution: The master encryption key is stored in hardware, not Flash, and you cannot read the key - only overwrite the old key by writing a new one. To ensure router security, it is critical not to compromise the key. There are situations where you may want to keep the key, for example, to save the user database off-line in order to later download it to the XSR.
Page 564: Crypto Map Mode Commands
Crypto Map Mode Commands Sample Output The following output displays when a master key is generated: XSR(config)#crypto key master generate New key is 8573 4583 3994 2ff5 A script displays when a master key is specified, prompting you for the following information: XSR(config)#crypto key master specify Specify first encryption key in hex digits: Specify second encryption key in hex digits: Specify third encryption key in hex digits: Are you sure? Crypto Map Mode Commands crypto map (Global IPSec)
Page 565: Match Address
Crypto Map Rules A crypto map is a collection of rules, each with a different seq‐num but the same map‐name. So, for a given interface, you can have certain traffic forwarded to one IPSec peer with specified security applied to that traffic, and other traffic forwarded to the same or a different IPSec peer with different IPSec security applied. To accomplish this you create two crypto maps, each with the same map‐name, but each with a different seq‐num. Crypto map rules are searched in order of seq‐ num. Sequence numbers, in addition to determining the order in which traffic is tested against the rules, are used as an anti‐replay device to reject duplicate and old packets and so prevent an intruder from copying a conversation and using it to work out encryption algorithms. Syntax crypto map map-name seq-num [ipsec-isakmp] map-name seq-num ipsec-isakmp Syntax of the “no” Form To delete a crypto map entry, use the no form of this command: no crypto map map-name [seq-num] Mode Global configuration: Next Mode Crypto Map configuration: Sample Output The following example creates the crypto map ACMEmap: XSR(config)#crypto map ACMEmap 7 XSR(config-crypto-m)#set transform-set esp-3des-sha XSR(config-crypto-m)#match address 120 match address...
Page 566 Crypto Map Mode Commands access-list-id Syntax of the “no” Form Use the no form to remove the ACL from a crypto map entry: no match address [access-list-id] Default No access lists are matched to the crypto map entry. Mode Crypto Map configuration: Example The following static crypto map example shows the minimum required crypto map configuration when IKE will be used to establish the SAs: XSR(config)#crypto map ACMEmap 7 ipsec-isakmp XSR(config-crypto-m)#match address 101 XSR(config-crypto-m)#set transform-set my_t_set1 XSR(config-crypto-m)#set peer 10.0.0.1 mode This command selects one of two IPSec‐defined encapsulation modes, tunnel or transport, for a transform‐set. Tunnel mode, the default, typically is used with VPNs because the entire private network packet is carried as the payload of the IPSec packet. Transport mode carries only the payload (TCP or UDP typically) of the private network packet as the payload of the IPSec packet.
Page 567: Set Peer
Mode Crypto Map configuration: Example This example defines a transform‐set and changes the mode to transport mode. The mode value only applies to IP traffic with source and destination addresses at the local and remote IPSec peers. XSR(config)#crypto ipsec transform-set newer esp-des esp-sha-hmc XSR(config)crypto map ACMEmap 14 XSR(config-crypto-m)#mode transport set peer This command specifies an IPSec peer in a crypto map entry. When traffic passing through the interface matches a crypto map entry, a tunnel is opened to the peer specified by this command. Syntax set peer ip-address ip-address Syntax of the “no” Form To remove an IPSec peer from a crypto map entry, use the no form of this command: no set peer {hostname | ip-address} Default No peer is defined Mode Crypto Map configuration: ...
Page 568 Crypto Map Mode Commands set security-association level per-host This command specifies that separate IPSec Security Associations (SAs) should be requested for each source/destination host pair. Syntax set security-association level per-host Syntax of the “no” Form The no form specifies that one SA should be requested for each crypto map ACL permit entry. no set security-association level per-host Default For a given crypto map, all traffic between two IPSec peers matching a single crypto map ACL permit entry will share the same SA. Mode Crypto Map configuration: Example The following example sets the SA request on a per‐host basis: XSR(config)crypto map ACMEmap XSR(config-crypto-m)#set security-association level per-host set transform-set This command specifies which transform‐sets can be used with the crypto map entry.
Page 569: Crypto Transform Mode Commands
Example This example defines two transform‐sets, specifying both can be used within a crypto map entry. When traffic matches ACL 101, the SA can use either transform‐set my_t_set1 (first priority) or my_t_set2 (second priority) depending on which transform‐set matches the remote peerʹs transform‐sets. XSR(config)#crypto ipsec transform-set my_t_set1 esp-des esp-sha-hmac XSR(config)#crypto ipsec transform-set my_t_set2 ah-sha-hmac esp-des esp-sha-hmac XSR(config)#crypto map ACMEmap 7 ipsec-isakmp XSR(config-crypto-m)#match address 101 XSR(config-crypto-m)#set transform-set my_t_set1 my_t_set2 XSR(config-crypto-m)#set peer 10.0.0.1 Crypto Transform Mode Commands crypto ipsec transform-set This command defines a transform‐set which is an acceptable combination of security protocols ...
Page 570 Crypto Transform Mode Commands Mode of the “no” Form The no form of the command deletes a transform‐set: no crypto ipsec transform-set transform-set-name Mode Global configuration: Next Mode Crypto Transform configuration: Example The following example defines the transforms to apply for t‐set1 SA negoatiation: XSR(config)#crypto ipsec transform-set t-set1 esp-3des esp-sha-hmac set pfs This command specifies that IPSec ask for Perfect Forward Secrecy (PFS) when requesting new Security Associations (SAs) for this crypto map entry, or that IPSec requires PFS when receiving requests for new SAs. PFS is a security condition under which there is confidence that the compromise of a session’s key will not lead to easier compromise of the key used in the next session (after the key is refreshed). When PFS is used a session’s keys are generated independently, so a key compromised in one session will not affect the keys used in subsequent sessions. Note: Due to the lack of an IETF standard, IKE Diffie-Helman bit groups 2048, 3072, and 4096 are not enabled.
Page 571 Mode Crypto Transform configuration: Example This example selects PFS group 2 whenever a new SA is negotiated for crypto map ACMEmap: XSR(config)#crypto map ACMEmap 7 ipsec-isakmp XSR(config)#crypto ipsec transform-set t-set1 esp-3des esp-sha-hmac XSR(cfg-crypto-tran)#set pfs group2 set security-association lifetime This command sets the lifetime interval used when negotiating IPSec Security Associations (SAs). Data passing through the XSR is encrypted using keys generated during IKE exchange. The lifetime of those keys may be defined in seconds or in data volume which was encrypted using those keys. When that lifetime expires new keys are generated and traffic continues to be passed using new keys. Syntax set security-association lifetime {seconds seconds | kilobytes kilobytes} seconds kilobytes Syntax of the “no” Form The no form of this command disables the specified lifetime metric. It does not reset the default: no set security-association lifetime {seconds | kilobytes} Default...
Page 572: Crypto Show Commands
Crypto Show Commands Crypto Show Commands show crypto ipsec sa This command displays current Security Associations (SAs) settings. Syntax show crypto ipsec sa map-name address Mode EXEC or Global configuration: Sample Output The following is sample output when NAT is not present between the crypto endpoints. The first section is the inbound SA, and the second section, the outbound SA. The UDP port follow the the IP address for crypto endpoints when a NAT is present. XSR#show crypto ipsec sa 10.1.1.2/32, UDP, 1701 ESP: SPI=f5ae2b52, Transform=3DES/HMAC-SHA, Life=3575S/249929KB Local crypto endpt.=10.2.1.34, Remote crypto endpt.=10.1.1.2 Encapsulation=Transport 10.2.1.34/32, UDP, 1701 ESP: SPI=5419ec15, Transform=3DES/HMAC-SHA, Life=3575S/249933KB...
Page 573 SPI=40d5e065 Transform Life=3589s/249932KB Local crypto endpt.‐10.2.1.34:4500 Remote crypto endpt.‐10.2.1.34:4500 Encapsulation UDP‐Encaps show crypto ipsec transform-set This command displays configured transform‐sets. IPSec transform‐sets created with EZ‐IPSec configuration are marked with an asterisk (*) in the in other user‐defined IPSec policies. They are reserved for EZ‐IPSec Syntax show crypto ipsec transform-set [transform-set-name] transform-set-name Mode EXEC or Global configuration: Sample Output The following example was produced from manually configured transform‐sets: XSR#show crypto ipsec transform-set Name esp-3des-md5 ah-sha The following output was produced by EZ‐IPSec transform‐sets: XSR#show crypto ipsec transform-set Name *ez-esp-3des-sha-pfs *ez-esp-3des-sha-no-pfs *ez-esp-3des-md5-pfs *ez-esp-3des-md5-no-pfs...
Page 574 Crypto Show Commands show crypto map This command displays the crypto map configuration. IPSec crypto maps created with EZ‐IPSec configuration are marked with an asterisk (*) in the leftmost column of the proposals may not be used in other user‐defined IPSec policies. They are reserved for EZ‐IPSec. Syntax show crypto map [interface type | tag map-name] type map-name Mode EXEC or Global configuration: Sample Output XSR#show crypto map Crypto Map Table Name ezipsec test IPSec Policy Rule Table Name *c03 *n03 test.10 110 llProcess test.20 120 llProcess EZ-IPSec Access Control List...
Page 575: Interface Cli Commands
Interface CLI Commands crypto map This command applies a previously defined crypto map to an interface. It is governed by the following rules: • A crypto map must be assigned to an interface before that port can provide IPSec services. • Only 1 crypto map can be assigned an interface although it can be attached to multiple ports. • A crypto map may not be assigned to an interface that already has • Crypto maps may not be assigned to a VPN interface ( it is invalid at Interface VPN mode). Syntax crypto map map-name map-name Syntax of the “no” Form Delete a crypto map from the interface with the no form of this command: no crypto map [map-name] Mode Interface configuration: Next Mode Crypto Map configuration: Sample Output This example assigns crypto map ACMEmap to the F1 interface. When traffic passes through F1, it will be evaluated against all the crypto map entries in the ACMEmap set. When outbound traffic matches an access list in one of the ACMEmap crypto map entries, a Security Association will be established for that crypto map entryʹs configuration (if no SA or connection already exists).
Page 576: Interface Vpn Commands
Interface VPN Commands crypto ezipsec This command creates a suite of IPSec policies, sorted by cryptographic strength, that are offered to the remote security gateway. The gateway selects one of these policies based on its local configuration. EZ‐IPSec relies upon the IKE Mode Configuration protocol to obtain an IP address from the remote security gateway. An EZ‐IPSec crypto map is also created and attached to the interface under configuration. Refer to the XSR User’s Guide for specific examples and how Be aware of the following rules governing this command: • Crypto ezipsec • Crypto maps may be attached to other network interfaces. • EZ‐IPSec parameters cannot be changed but can be supplemented with custom values. Syntax crypto ezipsec Syntax of the “no” Form no crypto ezipsec Default Disabled Mode Interface configuration: Example The following example configures EZ‐IPSec on Serial interface 1: XSR(config-if<S1/0>)#crypto ezipsec Interface VPN Commands interface vpn This command acquires virtual Interface VPN configuration mode from which you can configure ...
Page 577 • ip multicast-redirect - forward multicast traffic multicast packet redirection to the unicast address of the remote tunnel endpoint. Refer to page 14‐126 for the command definition. • ip address ‐ Defines an explicit IP address on this virtual interface. Refer to page 5‐151 for the command description. • ip nat source ‐ Controls NAT on packets entering this VPN port. Refer to page 5‐186 for the command description. • ip rip commands ‐ Configures RIP options on the VPN interface. Refer to the “Configuring the Internet Protocol” on page 5‐83 chapter for descriptions of RIP commands. • ip split-horizon ‐ Sets RIP split‐horizon options on the VPN port. Refer to page 5‐130 for the command description. ip unnumbered • ‐ Creates an unnumbered VPN interface. Refer to page 5‐166 for the command description. • service-policy ‐ Attaches a policy map to an VPN output or input interface. Refer to page 14‐127 for the command description. tunnel • ‐ Creates a tunnel to a VPN gateway. Refer to page 14‐127 for the command description.
Page 578 Interface VPN Commands A multi‐point interface accepts many inbound tunnels and is used when the XSR is configured as a remote access VPN gateway. Note: The no shutdown command is not required to bring up the virtual interface because it is always enabled. Syntax interface vpn {number}{point-to-point | multi-point} number point-to-point multi-point Syntax of the “no” Form The following command deletes the specified VPN interface: no interface vpn Mode Global configuration: ...
Page 579 Mode VPN Interface configuration: XSR(config‐if<xx>)# Example The following example configures VPN interface 1 with an IP address, and TOS copy enabled. It also sets a peer IP address, GRE, and turns on the associated VPN tunnel. XSR(config)#interface vpn 1 XSR(config-int-vpn)#ip address 20.20.20.1/24 XSR(config-int-vpn)#copy-tos XSR(config-int-vpn)#service-policy output vpn XSR(config-int-vpn)#tunnel t1 XSR#(config-tms-tunnel)#set protocol gre XSR#(config-tms-tunnel)#set peer 10.10.10.2 XSR#(config-tms-tunnel)#set active XSR#(config-tms-tunnel)#no shutdown description This commands describes a VPN interface and any tunnel it contains. Syntax description comment comment Everything to the end of the line is recorded as a comment. Use quotation marks for multiple words. Syntax of the “no” Form The no form of this command deletes the description described earlier: no description Mode...
Page 580 Interface VPN Commands ip address negotiated This command marks the VPN interface to dynamically get its IP address via the tunnel protocol. PPTP and L2TP protocols use PPP IPCP and IPSec/IKE uses the Mode Configuration protocol. Syntax ip address negotiated Syntax of the “no” Form no ip address negotiated Mode Interface Internet Protocol configuration: Example The following example sets the VPN interface to get its IP address from the tunnel protocol: XSR(config)#interface vpn 57 point-to-point XSR(config-int<vpn>)#ip address negotiated ip multicast-redirect This command controls redirection of multicast packets to the unicast address of the remote tunnel endpoint or to an explicitly defined address such as another IP address at the end of an unnumbered tunnel. The command is useful because native IPSec tunnels attached to VPN interfaces will not easily forward multicast traffic without substantial crypto map configuration. Multicast redirection must be enabled to support RIP over IPSec tunnels when explicit multicast policy rules are not included in the Security Policy Database. Redirection is not required for PPTP and L2TP tunnels.
Page 581: Tunnel Commands
Mode Internet Protocol Interface configuration: Example This example redirects multicast traffic to the remote tunnel server: XSR(config)#interface vpn 57 multi-point XSR(config-int<vpn>)#ip multicast-redirect tunnel-endpoint service-policy This command attaches a policy map to an VPN output or input interface. You can attach a single policy map to one or more interfaces. Syntax service-policy [input | output] policy-map-name policy-map-name Syntax of the “no” Form The no form of the command removes a policy map from the interface: no service-policy [input | output] Mode Interface configuration: Example The following example attaches service policy VPNpolicy to VPN output interface 1: XSR(config)#interface vpn 1 XSR(config-int<vpn>)#service-policy output VPNpolicy Tunnel Commands tunnel This sub‐command of ...
Page 582 Tunnel Commands • set protocol - mode or network extension mode. Refer to page 14‐130 for the command definition. set user - • for the command definition. Syntax tunnel tunnel-name tunnel-name Syntax of the “no” Form The no form of this command deletes the tunnel: no tunnel tunnel-name Mode Interface Internet Protocol configuration: Next Mode Tunnel configuration: Example The following example adds the tunnel ACME_VPN: XSR(config)#interface vpn 57 multi-point XSR(config-int<vpn>)#tunnel ACME_VPN XSR#(config-tms-tunnel)# set active This command enables the tunnel.
Page 583 Mode Tunnel configuration: Example The following example enables the tunnel ACME_VPN: XSR(config)#interface vpn 57 multi-point XSR(config-int<vpn>)#tunnel ACME_VPN XSR#(config-tms-tunnel)#set active set heartbeat This command configures the mechanism to probe a tunnel peer to monitor tunnel connectivity. Ping is used over IKE/IPSec tunnels configured with dynamically assigned addresses. Syntax set heartbeat {interval | retries>} [A.B.C.D] interval retries A.B.C.D. Syntax of the “no” Form The no form of this command disables the heartbeat: no set heartbeat Defaults • Interval: 6 seconds • Retries: 3 Mode Tunnel configuration: ...
Page 584 Tunnel Commands set peer This command specifies the physical IP address of the remote VPN gateway. Syntax set peer ip-address ip-address Syntax of the “no” Form no set peer ip-address Mode Tunnel configuration: Example The following example sets the IP address of the remote VPN gateway: XSR(config)#interface vpn 57 multi-point XSR(config-int<vpn>)#tunnel ACME_VPN XSR#(config-tms-tunnel)#set peer ip-address 192.168.57.9 set protocol This command defines the VPN tunneling protocol ‐ Generic Routing Encapsulation (GRE) or IP Security (IPSec) ‐ used to create the tunnel. IPSec accepts one of two sub‐commands that create a Client or Network Extension mode site‐to‐ site tunnel. Client mode creates NAT on the VPN interface to hide the addresses of the trusted network (attached to F1). IPSec security policy encrypts data passing to and from the IP address assigned to the tunnel. Network extension mode creates IPSec security policies that encrypt traffic ...
Page 585: Set User
Mode Tunnel configuration: Default IPSec Examples The following example sets the IPSec tunnel protocol in client mode: XSR(config)#interface vpn 29 point-to-point XSR(config-int<vpn>)#tunnel ACME_VPN XSR#(config-tms-tunnel)#set protocol ipsec client-mode The example below connects a GRE tunnel attached to a VPN interface: XSR(config)#interface vpn 2 point-to-point XSR(config-int<vpn>)#ip address 192.168.1.123 255.255.255.0 XSR#(config-int<vpn>)#tunnel my-gre-tunnel XSR#(config-tms-tunnel)#set protocol gre XSR#(config-tms-tunnel)#set peer 10.1.2.3 XSR#(config-tms-tunnel)#set active set user This command specifies a user’s identity when connecting to a peer. It invokes EZ‐IPSec by applying the credentials (password and/or certificate) used during tunnel creation obtained from the AAA subsystem. An EZ‐IPSec tunnel uses aggressive mode with the username as the IKE identity. Refer to the ...
Page 586: Tunnel Clear And Show Commands
Tunnel Clear and Show Commands Tunnel Clear and Show Commands clear tunnel This command terminates a non‐GRE tunnel associated with a user or tunnel ID. Tunnels will re‐ establish themselves if set to do so unless the user is disabled in its database. For example, a cleared IPSec tunnel will re‐establish if traffic is initiated. Note: This command terminates all but GRE and GRE/IPSec tunnels with an error message displayed if you attempt to do so. To bring down a GRE tunnel, remove its interface or use the no set active command.
Page 587 User: xsrclient Tunnel ID: VPN Interface: Group: Connect Time: Protocol: Authentication Method: Packets In/Out: Errors In/Out: Discards In/Out: The following is sample output queried by the Tunnel ID 40000001: XSR#show tunnel 40000001 Tunnel ID: 40000001 User: VPN Interface: Group: Connect Time: Protocol: Authentication Method: Packets In/Out: Errors In/Out: Discards In/Out: Parameter Description VPN Interface VPN port number to which the client is connected.
Page 588: Additional Tunnel Termination Commands
Additional Tunnel Termination Commands Additional Tunnel Termination Commands ip local pool This command configures a local pool of IP addresses for when a remote peer connects to a point‐ to‐multipoint interface or for use by DHCP. Note: If an aaa user is configured to use a static IP address which belongs to a local IP pool, you must exclude that address from the local pool to prevent it from being assigned to another user. The command acquires IP Local Pool configuration mode and provides these sub‐commands: exclude •...
Page 589 exclude This sub‐command bars the use of a range of IP addresses from an earlier created IP pool. Syntax exclude {ip address} {number} ip address number Syntax of the “no” Form The no form of this command removes the specified IP address from the exclude list: exclude {ip address}{number} Mode Local IP Pool configuration: Examples The following example excludes the 10 IP addresses between 192.168.57.100 and 192.168.57.110 from local pool HQ: XSR(config)#ip local pool HQ 192.168.57.0 255.255.255.0 XSR(ip-local-pool)#exclude 192.168.57.100 10 The following example negates the exclusion of IP addresses 192.168.57.105 and 192.168.57.106 from the earlier excluded range of IP addresses in local pool HQ: XSR(config)#ip local pool HQ XSR(ip-local-pool)#no exclude 192.168.57.105 2 exit This sub‐command quits IP Local Pool configuration mode.
Page 590: Show Ip Local Pool
Additional Tunnel Termination Commands show ip local pool This command displays statistics for any defined IP address pools. Syntax show ip local pool [name] name Mode Privileged EXEC: Sample Output This output displays when the command is specified without a name: XSR#show ip local pool -----------IP Pools Statistics----------- Pool Subnet test 10.120.122.0 local 1.1.1.0 1.2.3.4 test 192.168.57.1 test1 192.168.57.252 test3 192.168.58.0 The following output displays when the command is specified with the name test: XSR#show ip local pool test...
Page 591: Df Bit Commands
DF Bit Commands crypto ipsec df-bit (Global configuration) This command sets the DF bit for the encapsulating header in VPN Tunnel Mode to all interfaces. The clear setting for the DF bit should be used for encapsulating Tunnel Mode IPSec traffic when you can transmit packets larger than the available MTU size or you do not know the available MTU size. Syntax crypto ipsec df-bit {clear | set | copy} clear Name of the IP pool. Mask of the IP pool. IP address subnetwork of the IP pool. Sum of unused IP addresses within the pool. Sum of occupied IP addresses within the pool. Sum of IP addresses barred from use within the pool. Sum of IP addresses set aside within the pool, such as the initial address 192.168.57.0 within the 192.168.57.256 range. XSR will clear the DF bit from the outer IP header; the router may fragment the packet to add IPSec encapsulation. XSR will set the DF bit in the outer IP header but the router may fragment the packet if the original packet had the DF bit cleared. DF Bit Commands XSR CLI Reference Guide 14-137...
Page 592 Note: This command overrides any existing DF bit global settings. Syntax crypto ipsec df-bit {clear | set | copy} clear copy Defaults • Disabled • Copy setting Mode Interface configuration: Example The following example sets the DF bit on F1: XSR(config-if<F1>)#crypto ipsec df-bit set 14-138 Configuring the VPN XSR will search the original packet for the outer DF bit setting. XSR(config)# XSR will clear the DF bit from the outer IP header; the router may fragment the packet to add IPSec encapsulation. XSR will set the DF bit in the outer IP header but the router may fragment the packet if the original packet had the DF bit cleared. XSR will search the original packet for the outer DF bit setting. XSR(config-if<xx>)#...
Page 593: Chapter 15: Configuring Dhcp
Observing Syntax and Conventions The CLI command syntax and conventions use the notation described in the following table. Convention [x | y | z] {x | y | z} [x {y | z} ] (config-if<xx>) Sub-command Next Mode entries display the CLI prompt after a command is entered soho.enterasys.com DHCP Commands The following commands configure the Dynamic Host Configuration Protocol (DHCP) on the XSR. bootfile This command sets the name of the default boot image for a DHCP client. Depending on the client ...
Page 594 DHCP Commands Syntax of the “no” Form Use the no form of this command to delete the boot image name: no bootfile Mode Any of the following command modes are available: DHCP pool configuration: DHCP host configuration: DHCP client class configuration: Example The following example specifies roboboot as the name of the boot file: XSR(config-dhcp-pool)#bootfile roboboot client-class This command specifies the name of a DHCP client class. The XSR aggregates DHCP clients which will share the same configured attributes. Adding a client class to different DHCP pools in not permitted. For example, you cannot add client class marketing to both pool1 and pool2. Note: Adding a client class to different DHCP pools in not permitted. For example, you cannot add client class marketing to both pool1 and pool2.
Page 595 Example The following example specifies string clientclass1 that will be the name of the client class: XSR(config-dhcp-pool)#client-class cc1 client-identifier This command specifies the unique identifier (in dotted hexadecimal notation) for a Microsoft DHCP client. It is valid for manual bindings only. Microsoft DHCP clients require client identifiers instead of hardware addresses. The client identifier is formed by concatenating the media type and the Ethernet hardware (MAC) address. For example, the Microsoft client identifier for Ethernet address 0001.f401.2710 is 0100.01f4.0127.10, where the leading 01 (italicized above) indicates the Ethernet media type. Be aware that you cannot add a client identifier to different DHCP pools. For example, client ID 0100.01f4.0127.10 cannot be added to both pool1 and pool2. Note: You cannot add a client identifier to different DHCP pools. For example, client ID 0100.01f4.0127.10 cannot be added to both pool1 and pool2. Syntax client-identifier identifier [client-class name] identifier name Syntax of the “no”...
Page 596 DHCP Commands Example The following example specifies the client identifier for MAC address 00.01f4.0127.10 in dotted hexadecimal notation: XSR(config-dhcp)#client-identifier 0100.01f4.0127.10 The following example specifies the client identifier for MAC address 0001.f401.2710 in dotted hexadecimal notation, for the host with IP address 10.10.10.20: XSR(config-dhcp-pool)#host 10.10.10.20 255.255.255.0 XSR(config-dhcp-host)#client-identifier 0100.01f4.0127.10 The following example specifies the client identifier for MAC address 00.01f4.0127.10 in dotted hexadecimal notation, and adds it to class eng: XSR(config-dhcp-pool)#client-class eng XSR(config-dhcp-class)#client-identifier 0100.01f4.0127.10 client-name This command specifies the name of a DHCP client. The client name should not include the domain name. The command is available from DHCP host mode only. Syntax client-name name name Syntax of the “no” Form Use the no form of this command to remove the client name: no client-name name Mode DHCP host configuration only: Example The following example specifies a string soho1 that will be the name of the client with MAC address 1111.2222.3333: XSR(config-dhcp-pool)#hardware-address 1111.2222.3333 XSR(config-dhcp-host)#client-name soho1...
Page 597 IP address of a default router. One IP address is required. Specifies up to eight addresses in the command line listed in order of preference (default router address has the highest priority, then router address 2, etc.). DHCP Commands XSR CLI Reference Guide 15-87...
Page 598 DHCP Commands Mode Any of the following command modes are available: DHCP pool configuration: DHCP host configuration: DHCP client class configuration: Example The following example sets 14.12.1.99 as the IP address of the default router for any client in the subnet with three other routers in descending order of preference: XSR(config-dhcp-pool)#default-router 14.12.1.99 14.13.1.66 14.12.1.56 14.12.1.57 The following example specifies 14.12.1.1 as the IP address of the default router for the host with MAC address 0010.a4f5.28a1: XSR(config-dhcp-pool)#hardware-address 0010.a4f5.28a1 XSR(config-dhcp-host)#default-router 14.12.1.1 The following example specifies 14.12.1.99 as the IP address of the default router for any client in the client class eng: XSR(config-dhcp-pool)#client-class eng XSR(config-dhcp-class)#default-router 14.12.1.99 dns-server This command specifies the DNS IP servers available to a DHCP client. It is available from DHCP pool, host, or client class mode. Depending on the client configuration inheritance, the command should be used from the proper mode. If it is specified from multiple modes, an override mechanism chooses the innermost config value, with host as innermost, then client‐class and pool as the most general. Syntax dns-server address [address2...address8] address address2 ...
Page 599 Example The following example specifies 11.12.1.99 as the IP address of the DNS server of a client in the subnet: XSR(config-dhcp-pool)#dns-server 11.12.1.99 The following example specifies 11.12.1.99 as the IP address of the DNS server of the host with the MAC address 1111.2222.3333: XSR(config-dhcp-pool)#hardware-address 1111.2222.3333 XSR(config-dhcp-host)#dns-server 11.12.1.99 The following example specifies 11.12.1.99 as the IP address of the DNS server of a client in the client‐class engineering: XSR(config-dhcp-pool)#client-class engineering XSR(config-dhcp-class)#dns-server 11.12.1.99 domain-name This command specifies the domain name for DHCP client services by the DHCP server. Depending on the client configuration inheritance, the command should be used from the proper mode. If it is specified from multiple modes, an override mechanism chooses the innermost config value, with host as innermost, then client‐class and pool as the most general. Syntax domain-name domain domain Syntax of the “no” Form Use the no form of this command to remove the domain name: no domain-name Mode Any of the following command modes are available: DHCP pool configuration: DHCP host configuration: DHCP client class configuration: Examples The following example specifies enterasys.com as the domain name of a client in the subnet: XSR(config-dhcp-pool)#domain-name enterasys.com The following example specifies enterasys.com as the domain name of the host with the MAC ...
Page 600 DHCP Commands The following example specifies enterasys.com as the domain name of any client in the client‐class engineering: XSR(config-dhcp-pool)#client-class engineering XSR(config-dhcp-class)#domain-name enterasys.com hardware-address This command sets the hardware address of a DHCP client and is valid for manual bindings only. Note: You cannot add a hardware address to different DHCP pools. Hardware address 0100.01f4.0127.10 cannot be added to both pool1 and pool2, e.g. Syntax hardware-address address type [client-class name] address type name Syntax of the “no”...
Page 601 Examples The following example specifies the hardware address for the DHCP client host to be of Ethernet type with MAC address 0001.f401.2710: XSR(config-dhcp-pool)#hardware-address 0001.f401.2710 ethernet The following example specifies the hardware address for the DHCP client host with IP address 10.10.10.20 to be of Ethernet type with 0001.f401.2710 as the MAC address: XSR(config-dhcp-pool)#host 10.10.10.20 255.255.255.0 XSR(config-dhcp-host)#hardware-address 0001.f401.2710 ethernet The following example sets the hardware address for the DHCP host in class eng to be of Ethernet type with MAC address 0001.f401.2710: XSR(config-dhcp-pool)#client-class writer XSR(config-dhcp-class)#hardware-address 0001.f401.2710 ethernet host This command specifies the IP address and network mask for a manual binding to a DHCP client. By default, the DHCP server will examine its defined IP address pools if the mask and prefix length are unspecified. If no mask is specified in the IP address pool database, the Class A, B, or C natural mask is used. This command is valid for manual bindings only. Note: You cannot add a host to different DHCP pools. For example, host firewall cannot be added to both pool1 and pool2.
Page 602: Ip Address Dhcp
DHCP Commands Next Mode When this command is specified from either DHCP pool configuration mode or DHCP class configuration sub‐mode, the CLI acquires DHCP host configuration mode. When specified from DHCP host or client mode, the command does not acquire a sub‐mode. XSR(config-dhcp-host)# Examples This example sets 15.12.1.99 as the IP address of the client and 255.255.248.0 as its subnet mask: XSR(config-dhcp-pool)#host 15.12.1.99 255.255.248.0 The following example specifies 15.12.1.99 as the IP address and 255.255.248.0 as the subnet mask, for the host with hardware address 1111.2222.3333: XSR(config-dhcp-pool)#hardware-address 1111.2222.3333 XSR(config-dhcp-host)#host 15.12.1.99 255.255.248.0 The following example specifies 15.12.1.99 as the IP address and 255.255.248.0 as the subnet mask for the client in the client‐class eng: XSR(config-dhcp-pool)#client-class eng XSR(config-dhcp-class)#host 15.12.1.99 255.255.248.0 ip address dhcp This command configures an interface as a DHCP Client. An Ethernet interface can be configured to use DHCP Client to acquire an IP address as well as other configuration parameters. Bootfile download is not supported. Note: When an interface address is configured to be DHCP negotiated the only legal version of the no command is entered as no ip address dhcp.
Page 603 Default DCHP Client is not active on an interface Mode Interface configuration: Example The following example enables DHCP Client: XSR(config)#interface FastEthernet1 XSR(config-if<F1>)#ip address dhcp ip dhcp ping packets This command specifies the number of packets a DHCP server sends to an IP address as part of a ping operation. The DHCP server pings an IP address before assigning the address to a requesting client. If the ping is unanswered, the DHCP server assumes that the address is not in use and assigns the address to the requesting client. Setting the number argument to a value of 0 turns off the DHCP server ping operation completely. Syntax ip dhcp ping packets number number Syntax of the “no” Form Use the no form of this command to prevent the server from pinging IP addresses: no ip dhcp ping packets Default Two packets Mode Global configuration: ...
Page 604: Ip Dhcp Pool
DHCP Commands Syntax ip dhcp ping timeout milliseconds milliseconds Syntax of the “no” Form Use the no form of this command to restore the ping timeout default: no ip dhcp ping timeout Default 500 milliseconds Mode Global configuration: Example The following example specifies that the DHCP server will wait 900 milliseconds for a ping reply before considering the ping a failure: XSR(config)#ip dhcp ping timeout 900 ip dhcp pool This command configures a DHCP server IP address pool. The XSR supports adding 1000 network addresses per pool and one DHCP pool per network. Class B or higher subnet masks are supported. Note: The DHCP pool name must match the name given the IP local pool. Syntax ip dhcp pool name name...
Page 605 Mode Global configuration: Next Mode DHCP pool configuration: Example The following example adds IP local pool sales with specified subnetworks and defines sales as the name of the DHCP server IP address pool: XSR(config)#ip local pool sales 192.168.57.0/24 XSR(config)#ip dhcp pool sales XSR(config-dhcp-pool)# ip dhcp server This command enables the DHCP Server features on the XSR. By default, DHCP server services are disabled on all XSR interfaces, which means that the DHCP server will not respond to client requests received on any XSR ports. DHCP Server can be enabled on a FastEthernet/GigabitEthernet primary interface and VLAN sub‐interface. Secondary interface assignment is not supported. Note: If either DHCP/BOOTP Relay (using ip helper-address) or DHCP Server is enabled on one FastEthernet/GigabitEthernet port, you cannot also configure the other service on the second Fast/GigabitEthernet port.
Page 606 DHCP Commands ip local pool This command, when issued multiply, configures a local pool of IP addresses to be used for a DHCP Server pool range. Use it in conjunction with the no form of to create one or more local address pools from which IP addresses are assigned when a remote peer connects. Note: For clients that use a statically defined IP address (do not use DHCP to obtain an IP address), you must exclude that address from the local pool. The command acquires IP Local Pool mode and makes available the following sub‐commands: • exclude ‐ Bars a range of IP addresses from the local pool. Refer to page 15‐97 for the sub‐ command definition.
Page 607 exclude This sub‐command of created IP pool. Syntax exclude {ip address}{number} ip address number Syntax of the “no” Form The no form exempts the specified IP address from being excluded from the pool: exclude {ip address}{number} Mode Local IP Pool configuration: Examples The following example excludes the ten IP addresses between 192.168.57.100 and 192.168.57.110 from local pool HQ: XSR(config)#ip local pool HQ 192.168.57.0 255.255.255.0 XSR(ip-local-pool)#exclude 192.168.57.100 10 The following example negates the exclusion of IP addresses 192.168.57.105 and 192.168.57.106 from the earlier excluded range of IP addresses in local pool HQ: XSR(config)#ip local pool HQ XSR(ip-local-pool)#no exclude 192.168.57.105 2 exit This sub‐command of ...
Page 608 DHCP Commands lease This command configures the duration of the lease for an IP address that a DHCP server assigns to a DHCP client. The lease time set is the system default value which overrides the non‐specified default value (one day). If the client requests a lease period exceeding the period configured on the server, the lease interval offered by the server will equal that of the value configured by this command. If the client does not request a particular lease period ‐ typical client behavior ‐ it is granted the configured default value. Manual bindings are not held accountable to this lease period. Depending on the client configuration inheritance, the command should be used from the proper mode. If it is specified from multiple modes, an override mechanism chooses the innermost config value, with client‐class as innermost, then pool as most general. Syntax lease {days [hours] [minutes] | infinite} days hours minutes infinite Syntax of the “no” Form Use the no form of this command to restore the default value: no lease Default One day Mode Either of the following command modes are available: DHCP pool configuration: DHCP client class configuration: Example The following example configures a one‐day lease: XSR(config-dhcp-pool)#lease 1 The following example configures a one‐hour lease: XSR(config-dhcp-pool)#lease 0 1...
Page 609 netbios-name-server This command configures NetBIOS Windows Internet Naming Service (WINS) name servers that are available to Microsoft DHCP clients. Depending on the client configuration inheritance, the command should be used from the proper mode. If it is specified from multiple modes, an override mechanism chooses the innermost config value, with host as innermost, then client‐class and pool as the most general. Syntax netbios-name-server address [address2...address8] address address2 .. address8 Syntax of the “no” Form Use the no form of this command to remove the NetBIOS name server list: no netbios-name-server Mode DHCP Pool, Host, or Client Class config mode: host)# XSR(config-dhcp-class)# Example The following example specifies the IP address of a NetBIOS name server available to a Microsoft DHCP client in the subnet: XSR(config-dhcp-pool)#netbios-name-server 13.12.1.90 The following example specifies the IP address of a NetBIOS name server available to the Microsoft DHCP client with client identifier 1111.2222.3333.4444: XSR(config-dhcp-pool)#client-identifier 1111.2222.3333.4444 XSR(config-dhcp-host)#netbios-name-server 13.12.1.90 The following example specifies the IP address of a NetBIOS name server available to a Microsoft DHCP client in the client class engineering: XSR(config-dhcp-pool)#client-class engineering XSR(config-dhcp-class)# netbios-name-server 13.12.1.90 IP address of a NetBIOS WINS server.
Page 610 DHCP Commands netbios-node-type This command configures the NetBIOS node type for Microsoft DHCP clients. Depending on the client configuration inheritance, the command should be used in proper mode. If it is specified from multiple modes, an override mechanism chooses the innermost config value, with host as innermost, then client‐class and pool as the most general. Syntax netbios-node-type type type Syntax of the “no” Form Use the no form of this command to remove the NetBIOS node type: no netbios-node-type Mode Any of the following command modes are available: DHCP pool configuration: DHCP host configuration: DHCP client class configuration: Example This example sets NetBIOS name server type as hybrid for a Microsoft DHCP client in the subnet: XSR(config-dhcp)#netbios node-type h-node The following example specifies the NetBIOS name server type as hybrid for the Microsoft DHCP client with MAC address 0010.a4f5.28a1: XSR(config-dhcp-pool)#hardware-address 0010.a4f5.28a1 XSR(config-dhcp-host)#netbios node-type h-node The following example specifies the NetBIOS name server type as hybrid for a Microsoft DHCP client in the client class engineering: XSR(config-dhcp-pool)#client-class engineering XSR(config-dhcp-class)#netbios node-type h-node 15-100 Configuring DHCP Specifies the NetBIOS node type.
Page 611 next-server This command specifies the server from which the initial boot file will be loaded. The server can be designated either by IP address or hostname. Syntax next-server server [hostname | ip_address] hostname ip_address Syntax of the “no” Form Use the no form of this command to remove the next‐server: no next-server server [hostname | ip_address] Mode Any of the following command modes are available: DHCP pool configuration: DHCP host configuration: DHCP client class configuration: Example The following example specifies the IP address of a next‐server: XSR(config-dhcp-pool)next-server 192.168.57.4 option This command configures DHCP server options/extensions. DHCP Server provides a framework for passing configuration data to hosts on a TCP/IP network. Configuration values and other control data are carried in tagged data items stored in the options field of the DHCP message. The data items are also called options or client extensions. The current set of XSR‐supported DHCP options and BOOTP vendor extensions are described in Table 15‐1 on page generally in RFC‐2132. Default values are defined in RFC‐1122. Depending on the client configuration inheritance, the command should be used from the proper ...
Page 612 Default Description Causes subsequent fields to align on word boundaries. Length: 1 octet Client's subnet mask (RFC-950). If both Subnet Mask and Router options are descrip- specified in a DHCP reply, the Subnet Mask option must be expressed first. tion...
Page 613 Table 15-1 XSR-Supported DHCP Options (continued) Protocol Category/ Name Type Name BOOTP/IP Server address list Domain Basic, MS Name DHCP Client/ Server IP address list Log Server Servers/IP address list Cookie BOOTP/IP Server address list LPR Server Servers/IP address list Impress BOOTP/IP Server...
Page 614 Values: 0=disable; 1=enable false Specifies ifa client will respond to subnet mask requests via ICMP. Length: 1 octet Values: 0=do not respond; 1=respond Specifies if a client will solicit routers using Router Discovery mechanism (RFC-1256). Length: 1 octet Values: 0=disable; 1=enable...
Page 615 Routes consist of a list of IP address pairs: the first is the destination address, the second is the router for the destination. The default route 0.0.0.0 is an illegal destination for a static route.
Page 616 DHCP Commands Table 15-1 XSR-Supported DHCP Options (continued) Protocol Category/ Name Type NetBIOS WINS/ NetBIOS, MS over TCP/ DHCP Client/ IP Name IP address list Server NetBIOS WINS/ over TCP/ NetBIOS /IP address Datagram list Distribution Server NetBIOS WINS/ over TCP/ NetBIOS, MS IP Node DHCP Client/...
Page 617 Table 15-1 XSR-Supported DHCP Options (continued) Protocol Category/ Name Type DHCP Message Type Server IP address Identifier Parameter Hex integer Request List Message String Maximum 16-bit hex DHCP integer Message Size Renewing Lease Data, (T1) Time MS DHCP Value Client/32-bit hex integer Rebinding Lease Data,...
Page 618 DHCP Commands Table 15-1 XSR-Supported DHCP Options (continued) Protocol Category/ Name Type Client- Basic/String Identifier NIS+ Servers/ Domain ASCII string NIS+ Servers/IP Servers address list Bootfile BOOTP/ name String Mobile IP Servers/IP Home address list Agent SMTP Servers/IP Server address list POP3 Servers/IP Server...
Page 619 Server Extension/IP address Note: DHCP options marked with an asterisk (*) can also be configured at the CLI. Examples The following example configures DHCP option 33, which specifies static routes that the client should install in its routing cache. If multiple routes to the same destination are set, they are listed in descending order of priority. The routes consist of IP address pairs. The first address is the destination address, the second address is the router for the destination. XSR(config-dhcp-pool)#option 33 ip 90.1.1.90 123.124.23.26 90.1.1.90 123.24.56.78 The following example configures DHCP option 19, which specifies whether the client should enable its IP layer for packet forwarding. Values of 0 and 1 disable and enable IP forwarding, respectively. IP forwarding is enabled in the following example: XSR(config-dhcp-pool)#option 19 hex 01 The following example configures DHCP option 1, which sets the client’s subnet mask as higher priority when it and the router ID are specified in the DHCP REPLY: XSR(config-dhcp-pool)#option 1 ip 255.255.255.0 The following example configures DHCP option 2, which locates a client as an offset 4650 seconds ...
Page 620 The following example sets DHCP option 14, specifying the pathname where a DHCP client’s core image will be placed if the client crashes: XSR(config-dhcp-pool)#option 14 ascii c:/dump/path The following example configures DHCP option 31, which specifies that the DHCP client should not perform subnet mask discovery: XSR(config-dhcp-pool)#option 29 hex 00 The following example configures DHCP option 19, which specifies that the DHCP client should configure its IP layer for packet forwarding: XSR(config-dhcp-pool)#option 19 hex 01 The following example configures DHCP option 31, which specifies that the DHCP client should perform Router Discovery: XSR(config-dhcp-pool)#option 31 hex 01 The following example configures DHCP option 47, which specifies a NetBIOS over TCP/IP scope parameter for a DHCP client: XSR(config-dhcp-pool)#option 47 ascii scope The following example configures DHCP option 40, which specifies the DHCP client’s NIS domain: XSR(config-dhcp-pool)#option 40 ascii NISserver The following example configures DHCP option 18, which specifies the pathname of a file retrievable through TFTP: XSR(config-dhcp-pool)#option 18 ascii /extension/path The following example configures DHCP option 18, which specifies a list of prioritized static ...
Page 621: Dhcp Clear And Show Commands
service dhcp This command enables DHCP server functionality to respond to client requests. Although DHCP server is enabled by default on all XSR interfaces, you can optionally enable or disable it on a specific interface. Syntax service dhcp [interface] interface Syntax of the “no” Form Disable the DHCP server by using the no form of this command: no service dhcp [interface] Default Enabled on all interfaces Mode Global configuration: XSR(config)# Example: The example below enables DHCP services on interface FastEthernet 1: XSR(config)#service dhcp fastethernet 1 DHCP Clear and Show Commands clear ip dhcp binding This command deletes an automatic address binding from the DHCP server binding database. no host Use the ...
Page 622 DHCP Clear and Show Commands Example The example below deletes address binding 18.12.22.99 from a DHCP server bindings database: XSR#clear ip dhcp binding 18.12.22.99 clear ip dhcp server statistics This command resets all DHCP server counters. All counters are cumulative and are initialized, or set to zero, with this command. Syntax clear ip DHCP server statistics Mode Privileged EXEC: Example The following example resets all DHCP counters to zero: XSR#clear ip DHCP server statistics show dhcp lease This command displays DHCP Client information. Syntax show dhcp lease Mode Privileged EXEC: ...
Page 623: Show Interface
Parameter Descriptions Temp IP addr Temp sub net mask Temp default-gateway addr State DHCP Lease Server DNS Server DHCP Transaction ID Lease/ Renewal/ Rebind Next timer fires after show interface This command displays DHCP interface’s IP address and subnet mask. When negotiating, the interface will indicate ʺInternet address is not assignedʺ. Syntax show interface Examples The following example does not display the DHCP assigned address while the protocol is negotiating: XSR#show interface FastEthernet 1 is Admin Up Internet address is not assigned The following example displays the DHCP assigned address when the protocol has finished ...
Page 624 DHCP Clear and Show Commands show ip dhcp binding This command displays active address bindings on the DHCP server. If the address is not specified, all address bindings are shown. Otherwise, only the binding for the specified client is displayed. The lease expiration time can be displayed based on the Universal Time Clock (UTC) or local clock. If the local clock is not specified, UTC is the default. Note: BOOTP bindings do not have leases: their Active designation is always N. Syntax show ip dhcp binding [ip-address][utc | local] ip-address local Mode Privileged EXEC or Global configuration: Examples The following examples display the lease expiration in default UTC time: XSR#show ip dhcp binding 168.16.22.11 IP address 168.16.1.11...
Page 625 11.1.0.253 The following example the displays lease expiration of DHCP client 11.1.0.253 in local time: XSR#show ip dhcp binding local 11.1.0.253 IP address 11.1.0.253 Parameter Descriptions IP address Hardware address Lease expiration Type Act(tive) show ip dhcp server statistics This command displays DHCP server statistics. Syntax show ip dhcp server statistics Mode Privileged EXEC or Global configuration: Example The following example displays DHCP server statistics: XSR# show ip DHCP server statistics Database agents Memory usage Address pools...
Page 626 DHCP Clear and Show Commands Message BOOTREPLY DHCPOFFER DHCPACK DHCPNAK Parameter Descriptions Memory usage Address pools Database agents Automatic bindings Manual bindings Expired bindings Malformed messages Message 15-116 Configuring DHCP Sent Sum of bytes of RAM allocated by the DHCP server. Sum of configured address pools in the DHCP database. Sum of database agents entered in the DHCP database. Sum of IP addresses automatically mapped to the Ethernet MAC addresses of hosts found in the DHCP database. Sum of IP addresses manually mapped to the Ethernet MAC addresses of hosts found in the DHCP database. Sum of expired leases. Sum of truncated or corrupted messages received by the DHCP server. DHCP message type received by the DHCP server.
Page 627: Chapter 16: Configuring Security
Observing Syntax and Conventions The CLI Syntax and conventions use the notation described in the following table. Convention [x | y | z] {x | y | z} [x {y | z} ] (config-if<xx>) Next Mode entries display the CLI prompt after a command is entered. Sub-command soho.enterasys.com The following set of commands allows you to define security features for the XSR, including: • “General Security Commands” on page 16‐84 •...
Page 628: General Security Commands
• IP (Any Internet Protocol) • TCP (Transmission Protocol) • UDP (User Datagram Protocol) • ICMP (Internet Control Message Protocol) • ESP (Encapsulation Security Payload) • GRE (Generic Router Encapsulation) protocol • AH (Authentication Header) protocol New and existing ACL entries can be added/replaced in a particular ACL without you having to rewrite the entire ACL by using the insert/replace number parameters. If neither the insert nor the replace option is specified, then the new entry is appended to the list. This is noteworthy since ACL criteria are evaluated in the order displayed by the Apply restrictions defined by an ACL with Syntax access-list list# {insert | replace} entry# {deny | permit}{protocol}|{log} {srcIpAddr [srcWildCardBits]| [qualifier] | source-port | host srcIpAddr | any}...
Page 629 srcWild Specifies bits to ignore in the source address. CardBits Note: The srcWildCardBits/dstWildCardBits mask specifies bits to ignore (which allow any value where the bits are set), as opposed to the traditional method of specifying bits to keep. host Only the exact source address matches the condition. Same as srcWildCardBits = 0.0.0.0. Any source address matches the condition. Same as srcWildCardBits = 255.255.255.255. qualifier Value applied to the source port: than, source-port Optional source port number (0 ‐ 65535). ...
Page 630 General Security Commands list# ent1 ent2 Mode Global configuration: Default No access list defined (that is, all access permitted) Examples The following example denies access only for ICMP packets coming from hosts on the three specified networks. The wildcard bits apply to the host portions of the network addresses. Any host with a source address that does not match the access list statements will be permitted. XSR(config)#access-list 100 deny ICMP 192.5.34.0 0.0.0.255 XSR(config)#access-list 100 deny ICMP 128.88.0.0 0.0.255.255 XSR(config)#access-list 100 deny ICMP 36.0.0.0 0.255.255.255 The following example replaces entry 87 with the following entry: XSR(config)#access-list 123 replace 87 deny ip host 1.2.1.2 The following example removes entries 16, 17 and 18 from ACL 177: XSR(config)#no access-list 177 16 18 The following example removes the entire ACL 102:...
Page 631 Syntax access-list list# [[{insert | replace | move}] [{entry# destination source1 [source2]]}{deny | permit}{log} {srcIpAddr [srcWildCardBits]| host srcIpAddr | any} list# Standard access list number ranging from 1 to 99. insert New access entry is inserted before an existing entry # in an ACL. The access-list replace Same as above, except the new access entry replaces an entry # in the existing ACL (the entry # must already exist.) move Moves a sequence of ACL entries in front of another entry. entry Sequential entry number in ACL to add/delete ranging from 1 to 999. destination Position before which entries are to be moved. Range: 1‐999. source1 Sequential number of first ACL entry to move. Range: 1‐999. source2 Sequential number of last ACL entry to move. Range: 1‐999. deny Denies access if specified conditions are met. permit Permits access if conditions met.
Page 632 General Security Commands Examples The following example allows access only to those hosts on the three specified networks. The wildcard bits apply to the host portions of the network addresses. Any host with a source address that does not match the access list statements will be rejected. XSR(config)#access-list 1 permit 192.5.34.0 0.0.0.255 XSR(config)#access-list 1 permit 128.88.0.0 0.0.255.255 XSR(config)#access-list 1 permit 36.0.0.0 0.255.255.255 The following example replaces entry 88 with the following entry: XSR(config)#access-list 57 replace 88 deny host 1.2.1.2 The example below removes entries 16, 17 and 18 from ACL 87: XSR(config)#no access-list 87 16 18 The following example removes the entire ACL 57: XSR(config)#no access-list 57 The next example moves entries 16 ‐ 18 from ACL 57 to its start: XSR(config)#access-list 57 move 1 16 18 The example below moves entry 2 to the end of ACL 57:...
Page 633 Syntax of the “no” Form Threshold logging is disabled with the no form of this command: no access-list log-update-threshold Mode Global configuration: Default Disabled Example The following example enables alarm logging for ACL 101 and sets the log threshold at 10000: XSR(config)#access-list 101 deny ip 15.15.15.1 0.0.0.255 16.16.16.1 0.0.0.255 log XSR(config)#access-list log-update-threshold 10000 hostdos This command enables host security protection against various DoS attacks via source IP address validation. Note: Performing source address validation can improve security in some situations but can erroneously discard valid packets in situations where inbound and outbound paths differ and will negatively impact some routing protocols.
Page 634 {in | out} Mode Interface configuration: Example The following example, as illustrated in Figure interface FastEthernet 1. ACL 101 will route only packets with a destination of network 192.5.34.0. All packets with other destinations received on FastEthernet 1 will be dropped. XSR(config)#access-list 101 permit any 192.5.34.0 0.0.0.255 XSR(config)#interface FastEthernet 1 XSR(config-if<F1>)#ip access-group 1 16-90 Configuring Security Number of an access list, ranging from 1 to 199. Filters on inbound packets Filters on outbound packets XSR(config-if<xx>)# 16‐1, applies ACL 101 to all inbound packets on Figure 16-1 IP Access-Group Example Eth1 Router 1 192.5.34.0 192.6.34.0 192.7.34.0...
Page 635: Security Clear And Show Commands
Security Clear and Show Commands clear hostdos-counters This command clears all host security statistics. Syntax clear hostdos-counters Mode Privileged EXEC: show access-lists This command displays configured IP access lists. When it is issued from Global mode, it also prints a sequential entry number beside each ACL entry. This number can be used by the list no access-list and delete. Since entry numbers are only useable in Global mode, (and may change when Global mode is exited) they are only displayed when in that mode. Syntax show access-lists [number] number Mode Privileged EXEC or Global configuration: Sample Output The following output displays when the command is issued at the Privileged EXEC mode: XSR>show access-lists 101 Extended IP access list 101 permit tcp host 18.2.32.130 any established permit icmp host 18.2.32.130 any permit tcp host 18.2.32.130 host 171.69.2.141 gt 1023...
Page 636: Show Hostdos
Security Clear and Show Commands show access-list log-update-threshold This command displays ACL log information. It is processed as follows: • A packet with a fresh source IP address on the ACL group is reported immediately. Data is cached to keep track of the occurrence happening again in the near future. • All other arrivals of the packet with existing source IP address data on that ACL group will increment the number of packets and, after five minutes, log an alarm with the sum of packets gathered in the last five minutes. The count will reset after the alarm is logged. • For enabled threshold data, if the count matches the threshold then the alarm is logged and the count reset. Other packets received after the threshold is met will increment the count until the next threshold is met or five minutes have elapsed. Syntax show access-list log-update-threshold Mode Privileged EXEC or Global configuration: Sample Output The following example displays a sample ACL log: XSR#show access-list log-update-threshold access-list log-update-threshold 10000 show hostdos This command displays enabled host security features and their statistics. Syntax show hostdos Mode Privileged EXEC or Global configuration: ...
Page 637: Aaa Commands
IP packet with Multicast/broadcast source address Always enabled No attacks Syn flood attack mitigation Always enabled 100 attacks Fragmented ICMP traffic Enabled 38 attacks Large ICMP packets Enabled;Size 1024 42 attacks Ping-of-Death attack Always enabled No attack Filter TCP traffic with Syn and Fin bits set Always enabled No attack AAA Commands...
Page 638: Aaa Usergroup Commands
AAA Usergroup Commands Mode Global configuration: Examples The following example configures the Telnet sub‐system to use the AAA sub‐system: XSR(config)#aaa client telnet The following example configures the SSH sub‐system to accept AAA: XSR(config)#aaa client ssh AAA Usergroup Commands aaa group This command adds a local user group and acquires Usergroup configuration mode. Each user defined in the node must belong to one group only. The following sub‐commands are available in Usergroup mode: • dns server definition. ip pool • ‐ Links a globally defined pool of IP addresses to the user group. Refer to page 16‐95 for the command definition. • pptp encrypt mppe the command definition. • privilege • wins server definition.
Page 639: Dns Server
Example The following example adds the usergroup headquarters: XSR(config)#aaa group headquarters XSR(aaa-group)# dns server This command sets the address of DNS servers. These addresses are given to connecting clients during connection time. Syntax dns server [primary | secondary] ip-address primary secondary ip-address Syntax of the “no” Form The no form of this command removes the configured server: no dns server [primary | secondary] ip-address Mode Usergroup configuration: Example The following example sets the primary DNS server IP address: XSR(config)#aaa group headquarters XSR(aaa-group)#dns server primary 192.168.57.9 ip pool This command links a globally defined pool of IP addresses to the group of users. IP pool is ...
Page 640 AAA Usergroup Commands Syntax of the “no” Form The no form unlinks a pool of addresses from a group of users: no ip pool pool-name Mode Usergroup configuration: Example The following example adds the IP pool denver: XSR(config)#aaa group headquarters XSR(aaa-group)#ip pool denver pptp encrypt mppe This command enables Microsoft Point‐to‐Point Encryption (MPPE) on a PPTP connection. The command must be added to the interface that will carry PPTP‐MPPE traffic. All Windows clients using MPPE require MS‐CHAP. Note: All configurable MPPE options must be identical on both tunnel endpoints. Syntax pptp encrypt mppe {auto | 40 | 128} auto...
Page 641: Aaa User Commands
wins server This command sets the WINS server address which is given to connecting clients during connection time. Syntax wins server [primary | secondary] ip-address replace secondary ip-address Syntax of the “no” Form The no form of this command removes the configured server: no wins server [primary | secondary] ip-address Mode Usergroup configuration: Example The following example sets the secondary WINS server IP address: XSR(config)#aaa group headquarters XSR(aaa-group)#wins server secondary 192.168.57.9 AAA User Commands aaa user This command creates a new user profile in the local user database. During authentication, user‐...
Page 642 AAA User Commands Syntax aaa user user-name user-name Syntax of the “no” Form The no form of this command deletes the user profile: no aaa user user-name Mode Global configuration: Next Mode Username configuration: Example The following example adds the user ernest to the DEFAULT usergroup: XSR(config)aaa user ernest XSR(aaa-user)# group This command specifies the group the user belongs to. Syntax group group-name group-name Syntax of the “no” Form The no form of this command resets a user to the DEFAULT group: no group Default...
Page 643 ip address This command specifies the IP address to be assigned to the remote user. If an IP address is not specified, it is taken from the pool associated with the userʹs group. If an IP address is specified at the user level, it is used instead of taking a new address from the pool. Syntax ip address ip-address ip-address Syntax of the “no” Form The no form of this command removes the IP address from a user profile: no ip address Default IP address is not assigned to the user. Mode Username configuration: Example This example sets an IP address that will be assignd to remote user ted: XSR(config)#aaa user ted XSR(aaa-user)#ip address 192.168.57.9 255.255.255.0 password This command specifies a userʹs password. Syntax password password password Syntax of the “no” Form The no form of this command removes the password from a user profile: no password password Mode...
Page 644 AAA User Commands Example The following example sets the password williams for user ted: XSR(config)#aaa user ted XSR(aaa-user)#password williams policy This command configures the userʹs policy or authorized list of services, and it overrides the policy specified by the userʹs group. It is available in both AAA User and AAA Group configuration modes. Up to four keywords can be specified in the command statement. Syntax policy {vpn | telnet | console | firewall | ssh | ppp} [vpn | telnet | firewall | ssh | ppp ...} telnet console firewall Note: A sub-system keyword can be stated no more than once in the command.
Page 645: Aaa Method Commands
privilege This command configures the privilege level of a user. It is available from both AAA User and AAA Group configuration modes. Compare this command with the Interface mode command on page 111. Syntax privilege level (0-15) level Syntax of the No Form Use the no form of this command to restore the privilege level default: no privilege Default Mode AAA User/Group configuration: Example The following example specifies a privilege level of 15 for user kramer: XSR(config)#aaa user kramer XSR(aaa-user)#privilege 15 AAA Method Commands aaa method This command is executed at the Global Mode. This command configures the AAA method (plug‐in) to be used. The following sub‐commands are available in AAA Method mode: • acct-port - command definition. address - •...
Page 646 AAA Method Commands • client ‐ Configures the default AAA method (plug‐in) for each client service. Refer to page 16‐106 for the command definition. enable - • command definition. • group - Specifies the name of an existing group. Refer to page 16‐107 for the command definition. hash enable - • command definition. • key - Sets the authentication and encryption key used between the XSR and the server daemon running on a RADIUS server. Refer to page 16‐108 for the command definition. qtimeout - • retransmit - • to page 16‐109 • timeout - retransmitting. Refer to page 16‐110 for the command definition. Syntax aaa method {local | radius | pki} method-name [default] local radius method-name...
Page 647 acct-port This command specifies the UDP port for accounting requests and uses the RADIUS method only. Note: If the port number is 0, the host will not be used for accounting. Syntax acct-port port-number port-number Syntax of the “no” Form The no form of this command resets to the default port number: no acct-port Default Authorization port number: 1646. Mode AAA Method configuration: Example This example uses RADIUS SBR to reset the UDP accounting port to 6000: XSR(config)#aaa method radius sbr default XSR(aaa-method-radius)#auth-port 6000 address This command specifies the address of the RADIUS server with either a host name or IP address. It ...
Page 648 AAA Method Commands Mode AAA Method configuration: Example The following example sets number9 as the RADIUS server host‐name: XSR(config)#aaa method radius ias default XSR(aaa-method-radius)#address host-name number9 attempts This command sets the number of consecutive login attempts that must transpire before the RADIUS methodʹs backup method is used. It is used for the RADIUS method only. When a user login request fails because the server did not respond, it is a failed attempt. Syntax attempts [number-of-attempts] number-of-attempts Syntax of the “no” Form The no form of this command resets to the default attempts number: no attempts Default Mode AAA Method configuration: Example This example resets the attempts value to 10 on the RADIUS IAS server: XSR(config)#aaa method radius ias default XSR(aaa-method-radius)#attempts 10 auth-port This command specifies the UDP port for authentication requests. It is used for the RADIUS ...
Page 649 Syntax auth-port port-number port-number Syntax of the “no” Form The no form of this command resets to the default port number ‐ 1645: no auth-port Default The default authorization port number is 1645. Mode AAA Method configuration: Example The following example resets the UDP authentication port to 5000: XSR(config)#aaa method radius sbr default XSR(aaa-method-radius)#auth-port 5000 backup This command creates a name for a backup RADIUS server. The RADIUS backup method does not permit loops. That is, method 1 can have a backup method 2 but its backup method 3 cannot back up method 1. Be aware that when the primary RADIUS server fails and AAA switches to the backup, use of the primary server will not automatically be restored when it comes back on line. You must manually restart the primary server with the Syntax backup name name Syntax of the “no” Form The no form of this command deletes the backup RADIUS server: no backup name Mode...
Page 650 AAA Method Commands client This command configures the default AAA method (plug‐in) for each client service. If a client service is not registered by this command, requests from that service will fall through to the overall default method. For example, if the authentication mode has not been set for Telnet using then the default AAA method set for Telnet users via the users will be authenticated by Telnet’s AAA scheme using its own user database. Note: You can specify a username as username@method, allowing that user to explicitly specify which AAA method to use for that login attempt. Syntax client {vpn | telnet | firewall | console | ssh | ppp} Note: PPP uses AAA only when acting as the authenticator (that is, when validating the peer).
Page 651 Default Enabled Mode AAA Method configuration: Example The following example enables the RADIUS server: XSR(config)#aaa method radius sbr default XSR(aaa-method-radius)#enable group This command specifies the group added earlier using the available for all AAA methods (local, RADIUS and PKI). The group will be used when a group name is not returned in the RADIUS response. Syntax group group-name group-name Syntax of the “no” Form The no form of this command resets to the default group ‐ DEFAULT: no group Default DEFAULT Mode AAA Method configuration: Example The following example sets the group redsox as the default group: XSR(config)#aaa group redsox XSR(config)#aaa method local default XSR(aaa-method-local)#group redsox XSR(aaa-method-radius)# The name of a valid (existing) group.
Page 652 AAA Method Commands hash enable This command enables the hash for the plugin and is used for the RADIUS method only. The sub‐ command may be a plugin‐type dependent command. Syntax hash enable Syntax of the “no” Form The no form of this command disables hashing: no hash enable Default Disabled Mode AAA Method configuration: Example The following example enables the RADIUS hash: XSR(config)#aaa method radius sbr default XSR(aaa-method-radius)#hash enable This command specifies the authentication and encryption key used between the XSR and the server daemon running on this RADIUS server. The sub‐command may be a plugin‐type dependent command. It is used for the RADIUS method only. Syntax key key-string key-string Syntax of the “no” Form The no form of this command clears the key attribute: no key Mode...
Page 653 Example The following example resets the RADIUS key value to 1234qwerty: XSR(config)#aaa method radius default XSR(aaa-method-radius)#key 1234qwerty qtimeout This command specifies the interval a timeout request is allowed to sit unprocessed on AAAʹs internal queue before it is discarded. Syntax qtimeout seconds seconds Syntax of the “no” Form The no form of this command resets to the default value: no qtimeout Default 30 seconds Mode AAA Method configuration: Example The following example sets the qtimeout to 3,600 seconds: XSR(aaa-method-local)#qtimeout 3600 retransmit This command specifies the number of times an AAA RADIUS server request is re‐sent to a server if that server is not responding or responding slowly. It is used for RADIUS (1‐5) only. Syntax retransmit [retries] retries Syntax of the “no” Form The no form of this command resets the value to the default: no retransmit Timeout value ranging from 0 to 5000 seconds.
Page 654 AAA Method Commands Default Mode AAA Method configuration: Example The following example lengthens the retransmit value to 5: XSR(config)#aaa method radius default XSR(aaa-method-radius)#retransmit 5 timeout This command specifies the interval, in seconds, that the XSR waits for the AAA RADIUS server to reply before retransmitting. It is used for the RADIUS method only. Syntax timeout seconds seconds Syntax of the “no” Form The no form of this command resets to the default value: no timeout Default 5 seconds Mode AAA Method configuration: Example The following example resets the RADIUS AAA timeout to 25 seconds: XSR(aaa-method-radius)#timeout 25 16-110 Configuring Security XSR(aaa-method-xx)# Timeout value ranging from 1 to 30 seconds.
Page 655: Aaa Per-Interface Commands
AAA Per-Interface Commands aaa-method This command is executed at the Interface Mode. This command specifies the name of the AAA method you will use for authentication requests originating from this interface. With this command, you can process authentication requests originating from different interfaces by different methods. The command is governed by the following rules: • If an interface has no method specified or the specified method does not exist, standard AAA method selection applies. @<method> • • IKE is not affected because it always employs the PKI method. • The interface‐specific method will override the service typeʹs default method (assigned via the client sub‐command in AAA method configuration mode) and the AAA serviceʹs default method. Syntax aaa method method-name method-name Syntax of the “no” Form The no form of this command de‐selects this method: no aaa method Mode Interface configuration: Example This example sets the PPP method for AAA service on FastEthernet interface 2: XSR(config-if<F2>)#aaa method PPP aaa privilege This command associates the specified interface with a maximum privilege level available for AAA ...
Page 656: Aaa Debug And Show Commands
AAA Debug and Show Commands Syntax of the “no” Form The no form of this command removes the user/group/interface restriction: no aaa privilege Mode Interface configuration: Default Privilege level: 15' Example This example resets the privilege level to 10 on GigabitEthernet interface 2: XSR(config-if<G2>)#aaa privilege 10 AAA Debug and Show Commands debug aaa This command activates/deactivates the output of AAA debugging data, which is classified by Authentication, Accounting and Authorization categories. The command’s output will be sent to the terminal that most recently requested debug information. Also, if multiple AAA debug messages are activated, all debug data will be sent to the terminal from which it was most recently activated. Syntax debug aaa {accounting | authentication | authorization} accounting authentication authorization...
Page 657 AAuthenticatePlugin::queue (alg == 0xf) groupplugin Reply: Pool IRMauthorizeMsg::clientLogon [test] The following is a debug authentication message showing the Local method failed with MSCHAP: Local::queue(test) AAuthenticatePlugin::queue (alg == 0xf) (Local) Failed mschap authentication (Local) do_ms_chap: Invalid user name or password Method [Local]: Error for user [test] on [Authenticate] show aaa group This command displays properties of the AAA group. Syntax show aaa group group-name group-name Default If a group‐name is not specified, all groups are displayed including the DEFAULT group.
Page 658 AAA Debug and Show Commands IP Address is: 0.0.0.0 IP Mask is: 0.0.0.0 Primary DNS server is: 0.0.0.0 Secondary DNS server is: 0.0.0.0 Primary WINS server is: 0.0.0.0 Secondary WINS server is: 0.0.0.0 IP pool for the group is: PPTP encryption is 128 bit Access Policy is: firewall Privilege Level is: 0 show aaa user...
Page 659: Firewall Feature Set Commands
Default If the method‐name is not set, all methods and method attributes display. Mode EXEC or Global configuration: Sample Output The following output is displayed by entering XSR#show aaa method AAA Method Stats: Method Type: PKI Default group name is: DEFAULT Queue timeout is: 0 Registered Clients: VPN Method Type: Local (Default Method) Default group name is: acme Queue timeout is: 5000 Registered Clients: VPN Method Type: Radius, Method Name: def This method is currently enabled...
Page 660 Firewall Feature Set Commands port # Syntax of the “no” Form The no form sets either the timeout or Auth port to its default value: no ip firewall auth {timeout # | port #} Defaults • Timeout: 1800 seconds • Authentication port: 3000 Mode Global configuration: Example The following example resets the ICMP idle timeout: XSR(config)#ip firewall icmp timeout 3000 ip firewall disable/enable When issued in Global mode, this command is a “master switch” which activates or deactivates the firewall system‐wide. You can also use this command as a “local switch” in Interface configuration mode, enabling or disabling the firewall on a per interface basis. The command ...
Page 661 Default Disabled globally Mode Global or Interface configuration: Example The following example enables the firewall globally: XSR(config)#ip firewall enable ip firewall filter This command defines the filter object for non‐TCP and UDP traffic, for which no stateful inspection is required. By default, all non‐TCP and UDP traffic is dropped by the firewall. To allow certain IP protocols to pass through the firewall, a filter object must be configured. Filtering is performed on the protocol ID and source and destination addresses which are network objects. Protocols can be specified by number or name. If a name is used, it should match that specified by the Internet Assigned Numbers Authority (IANA). Refer to: http://www.iana.org/assignments/protocol‐numbers A name for any firewall object must use these alpha‐numeric characters only: case), ‐ , (dash), or objects such as ANY_EXTERNAL and user‐defined object names are case‐sensitive. Note: Logging for the filter is performed on a per packet basis. Syntax ip firewall filter filter_name src_net_name dst_net_name {protocol-id prot-number | protocol-name prot-name} [type number] [allow-log] bidirectional filter_name src_net_name...
Page 662 Firewall Feature Set Commands Defaults Deny all Mode Global configuration: Example The following example permits any remote host to run a PPTP tunnel to a server on the internal network: XSR(config)#ip firewall network pptp-server 120.21.1.18/32 internal XSR(config)#ip fire filter allow--gre ANY_EXTERNAL pptp-server 47 protocol-id XSR(config)#ip firewall filter allow--gre pptp-server ANY_EXTERNAL protocol-id 47 ip firewall icmp timeout This command defines the object which handles all configuration for ICMP packet inspection. Syntax ip firewall icmp timeout <seconds> seconds Syntax of the “no”...
Page 663 {all, none, selected network_name} Default Deny all HTML pages with Java and ActiveX applets Mode Global configuration: Example The following example configures corporate‐network as a network group object listing all reachable networks, excluding any ActiveX applets, at corporate headquarters: XSR(config)#ip firewall java selected corporate-network XSR(config)#ip firewall activex none ip firewall load This command loads current firewall settings into the router’s inspection engine. The current configuration comprises all CLI commands that have been entered since the last load. Executing this command clears all sessions thus requiring all TCP connections be re‐established. Because the no version of this command is not available, in order to undo a recent firewall configuration you must execute no versions of commands which invoke the configuration. Optionally, you can build the configuration but not disturb the firewall engine. This is a useful tool to configure the firewall while incrementally checking its validity. Also, you can schedule a load although this option blocks any firewall configuration in the interim. Syntax ip firewall load delay [trial]{1-7 [hh:mm]|hh:mm}[enable |disable] trial 1-7 hh: mm: Permit HTML pages with Java from all IP addresses.
Page 664 Firewall Feature Set Commands enable disable Note: If the command is issued when a load delay is pending, the following error message displays: Load: Configuration locked due to scheduled load delay Syntax of the “no” Form The no form of this command cancels a scheduled load and unlocks the firewall config CLI: XSR(config)#no ip firewall load delay Mode Global configuration: ...
Page 665 Syntax ip firewall logging event-threshold 0-7 event- threshold Syntax of the “no” Form The no form of this command sets firewall logging to the default value: no ip firewall logging event-threshold Default Level 3 ‐ All denies and series faults are logged Mode Global configuration: Example This example sets firewall logging for all messages Notice level: XSR(config)#ip firewall logging 5 ip firewall network This command defines a network object specifying a network or host IP address or address group (base and subnet mask or start and end IP address) that is tagged as internal or external. Naming a location is helpful in using this object for rules indicating any internal/external network. Network objects are referenced by the name within the policy and network group objects. Define network objects for internal hosts and networks. A name for any firewall object must use these alpha‐numeric characters only: Events of severity equal to or lesser than the specified value log as follows: • Level 0: Emergency •...
Page 666 Firewall Feature Set Commands Also, all firewall object names including pre‐defined objects such as ANY_EXTERNAL and user‐ defined object names are case‐sensitive. Notes: A DMZ is considered an internal network. Use care when you have a configuration with internal and external addresses that overlap and exist off the same physical interface. In this case, the XSR may not be able to identify an address in the overlap range as being internal or external.
Page 667 XSR(config)#ip fi network remote-access 10.1.1.0 m 255.255.255.0 i XSR(config)#ip firewall network-group private-net sales remote-access ip firewall policy This command configures a firewall policy comprised of policy objects. Each object/rule is tagged with a name which places the policies in order using a before and after keyword. This permits you to enter policies in an order different than which they will be applied. The XSR firewall enforces a deny all policy by default. So, unless there is a policy object configured to allow traffic in a particular direction, packets will not pass through the firewall. This eliminates the need to define catch‐all reject policies in each direction. Policies apply to traffic directed at the router, as well. So, policy objects must be defined to allow management traffic into the router. Be aware that the console port is always available for management purposes. A name for any firewall object must use these alpha‐numeric characters only: case), ‐ , (dash), or objects such as ANY_EXTERNAL and user‐defined object names are case‐sensitive. Notes: Citing a policy’s intent in the name is useful if its function is not apparent from the definition.
Page 668 Firewall Feature Set Commands Syntax ip firewall policy policy_name src_net_name dst_net_name serv_name {allow | allow- log | allow-auth group_name | reject | log | url-b | url-w | cls name ... name}[before policy_name | after policy_name | first] [bidirectional] src_net_name dst_net_name serv_name allow...
Page 669 Example The following policy allows FTP access to a host. Be aware that the host’s source IP address will be authenticated against the group sales‐group. XSR(config)#ip firewall network sales-host 192.168.100.2 mask 255.255.255.255 internal XSR(config)#ip firewall policy allow-eng-ftp ANY_INTERNAL sales-host ftp allow- auth sales-group ip firewall redirectURL This command redirects a user’s HTTP access to the specified re‐directURL page if that user attempts to access a URL not permitted by the white URL list. If re‐directURL is not configured, the XSR generates a default blocked page. Note: This command takes effect immediately. Syntax ip firewall redirectURL redirect_url_string redirect_url_string Syntax of the “no” Form The no form of this command removes a previously configured redirectURL: no ip firewall redirectURL Mode...
Page 670 Firewall Feature Set Commands Syntax of the “no” Form The no form of this command sets the default RPC timeout value: no ip firewall rpc timeout Default 5 seconds Mode Global configuration: Example The following example resets the Microsoft RPC idle timeout interval to 10 minutes: XSR(config)#ip firewall rpc microsoft-rpc timeout 6000 ip firewall service This command defines a service object which reflects an application, its transport protocol (TCP or UDP), protocol type and port number ranges. The XSR supports a number of pre‐defined services which can be viewed with policy objects or you can add your own service. Intrinsic services ANY_TCP and ANY_UDP are available for all TCP or UDP ports. A service is comprised of a source and destination port range, and protocol. For flexibility, port ranges can be specified using qualifiers such as eq, lt and gt which are also available for configuring access lists. A name for any firewall object must use these alpha‐numeric characters only: case), ‐ ...
Page 671 Syntax of the “no” Form The no form of this command disables the selected service: no ip firewall service name Mode Global configuration: Example The following example defines the FTP service (although this is un‐necessary as it is one of the pre‐defined services). The source port range could be any of the un‐reserved ports but the destination must be 21. XSR(config)#ip firewall service ftp gt 1023 eq 21 range 21 22 tcp ip firewall service-group This command permits the aggregation of more than one service object, providing for easier policy configuration. Up to ten service objects (and service group) can be included in a service group. A name for any firewall object must use these alpha‐numeric characters only: case), ‐ , (dash), or Syntax ip firewall service-group name name1 ...
Page 672 Firewall Feature Set Commands ip firewall tcp/udp timeout This command resets the idle timeout interval for Firewall sessions applying TCP or UDP packet inspection. If the Firewall session is idle for the specified period, it will be shut down. Syntax ip firewall {tcp | udp} timeout <number> number Syntax of the “no” Form The no form of this command sets the default TCP timeout value: no ip firewall {tcp | udp} timeout Default 60 seconds Mode Global configuration: Example The following example sets the firewall session for UDP traffic to time out if idle for 10 minutes: XSR(config)#ip firewall udp timeout 6000 ip firewall url-load-black/white-list This command clears the specified Black URL or the White URL database then re‐loads it from a ...
Page 673: Firewall Interface Commands
Examples The following examples configure valid inputs: ip firewall url-load-black-list blacklist.txt ip firewall url-load-black-list flash:blacklist.txt ip firewall url-load-white-list cflash:whitelist.txt Firewall Interface Commands ip firewall disable This command disables firewall operation on a particular interface discrete from its application globally. The command behaves separately and interactively at Global and Interface modes as follows: • The system‐level firewall is disabled by default. • The interface‐level firewall is enabled by default unless explicitly disabled. • If the firewall is enabled, packet inspection will occur on all interfaces that have the firewall enabled at the interface level. • A particular interface may be enabled but subsequently disabling the firewall globally overrides all enabled interfaces • If you enable the firewall globally, all interfaces will be enabled until you subsequently disable a particular interface • Enable displays in • Even if you have not configured the firewall, entering packet inspection.
Page 674 Firewall Interface Commands Example The following example disables the firewall on FastEthernet port 2 only: XSR(config-if<F2>)#ip firewall disable ip firewall ip-broadcast This command allows incoming/outgoing IP packets through the firewall with 255.255.255.255 set as the destination address. It enables broadcast protocols such as DHCP to traverse the firewall. Syntax ip firewall ip-broadcast {in | out | both} in or out both Syntax of the “no” Form The no form of this command denies the selected broadcast packets: no ip firewall ip-broadcast {in | out | both} Default IP broadcast packets are not allowed inbound and outbound.
Page 675 Syntax of the “no” Form The no form of this command disables the selected IP option: XSR(config-if<xx>)# Requests routing that includes the specified routers. This routing path includes a sequence of IP addresses a datagram must follow to its destination but allows multiple network hops between successive addresses on the list. Specifies an exact route through the Internet. This routing path includes a sequence of IP addresses a datagram must follow, hop by hop, from its source to destination. The path between two successive addresses in the list must consist of a single physical network. Traces a route. It allows the source to create an empty list of IP addresses and arrange for each router that router that handles a datagram to add its IP address to the list. When a datagram arrives, the destination device can extract and and process the list of addresses. Records timestamps along a route. It is similar to the record‐route option in that every router from source to destination adds its IP address, and a timestamp, to the list. The time‐stamp notes the time and date a router handled the datagram, expressed in milliseconds since midnight, Universal Time. Any IP option other than those explicitly supported by the command. All IP options allowed. Packets entering or exiting an interface. Packets entering and exiting an interface. Firewall Interface Commands XSR CLI Reference Guide 16-131...
Page 676 Firewall Interface Commands no ip firewall ip-options {loose-source-route | strict-source-route | record- route | time-stamp | other | all} {in | out | both} Default IP options are not allowed inbound and outbound. Mode Interface configuration: Example The following example sets loose source routing on both incoming and outgoing packets at F2: XSR(config-if<F2>)#ip firewall ip-op loose-source-route both ip firewall sync-attack-protect The SYNC attack monitor/blocker isolates a host that generates a flood of SYNC packets to the XSR’s firewall and blocks traffic from that specific host, while allowing data packets to pass. Syntax ip firewall sync-attack-protect {block-host | check-host | sync-queue} threshold [threshold]...
Page 677: Firewall Show Commands
Example The following example blocks the host when the sync packets exceed 1000 packets per second: XSR(config-if<F2>)#ip firewall sync-attack-protect block-host threshold 1000 Firewall Show Commands show ip firewall config Since the firewall is configured in a two‐step process, the XSR provides a means to view the un‐ committed configuration. This command displays the firewall configuration combining existing commands with those entered recently, which permits a view of the complete firewall configuration with modifications. If no firewall commands were executed since the last load then the running configuration will be displayed. If this command is issued after the firewall commands were entered but before a firewall load was performed, the following text appears: Uncommitted Firewall Configuration: If the command is issued after a firewall load was performed, the following text appears: Committed Firewall Configuration: Syntax show ip firewall config Mode EXEC or Privileged EXEC Mode: Sample Output The following is sample output of the command: Firewall configuration...
Page 678 Firewall Show Commands Ip firewall policy dmz private SMTP allow ! Policies: between dmz and external Ip firewall policy ANY_EXTERNAL dmz HTTP allow Ip firewall policy dmz ANY_EXTERNAL HTTP allow Ip firewall policy ANY_EXTERNAL dmz SMTP allow Ip firewall policy dmz ANY_EXTERNAL SMTP allow Policy: Allow any from private to the external Ip firewall private ANY_EXTERNAL any allow ip firewall filter private dmz 17...
Page 679 Mode EXEC or Privileged EXEC Mode: Sample Output The following output displays Filter Source Name Network noICMP show ip firewall network This static counter shows all network objects configured. If a network object name is specified then only that object is displayed. Syntax show ip firewall network [name] Mode EXEC or Privileged EXEC Mode: Sample Output This output displays a network object for the Engineering firewall in the 192.168.100.0/24 range: Name Engineering show ip firewall network-group This static counter shows all network group objects. If a network group object is also specified ...
Page 680 Firewall Show Commands Sample Output The output below displays network objects for the Private‐network and Partner‐networks groups. Note that only member objects names are shown. You can enter the object. Name Private-network Partner-networks ext192 show ip firewall service This static counter displays all configured service objects. It includes three versions: Show ip firewall service • • Show ip firewall user-defined • Show ip firewall service name Syntax show ip firewall service [user-defined | name] user-defined name Mode...
Page 681 Mode EXEC or Privileged EXEC Mode: Sample Output The following output displays firewall service group data: Name all-my-tcp-services show ip firewall policy This static counter displays all policy objects in the order they will be applied. If a name is specified then only that policy object is displayed. Syntax show ip firewall policy [name] name Mode EXEC or Privileged EXEC Mode: Sample Output The following sample output displays configured firewall policies: Name Source Network outftp admin outhttp priv-network inftp partner1 show ip firewall sessions...
Page 682 Firewall Show Commands Mode EXEC or Privileged EXEC Mode: Default If no options are specified all sessions are displayed. Sample Output The following sample output displays current firewall sessions: XSR#show ip firewall sessions icmp Source Address 192.168.100.100 192.168.100.100 show ip firewall auth This dynamic counter displays the IP addresses that have been authenticated along with the group‐name. Syntax show ip firewall auth Mode EXEC or Privileged EXEC Mode: Sample Output The following sample output displays host authentication data: XSR#show ip firewall auth...
Page 683 Sample Output The following sample output displays summary statistics: Overall Firewall Status: Enabled Protected Interfaces: FastEthernet2 Unprotected Interfaces: FastEthernet1 Session Information -------------------------------------------------------- active ICMP Total Blocked DOS Attacks ------------------- Land: Christmas Tree: Ping of Death: Anti-Spoofing: ICMP Flood: Smurf: SYN Flood: Tear Drop: TCP Backlog Queue Length: 23 TCP Backlog Queue Congested: Yes Subnets tracked = 43, Total TCP Sessions = 1230268, TCP session Rate = 1509/sec...
Page 684 Firewall Show Commands Mode EXEC or Privileged EXEC Mode: Example The following is sample output from the command: show ip firewall urLlist Black URLs from File: blacklist.txt 1. www.cisco.com 2. www.playboy.com 3. readme.eml 4. amber.cl White URLs from File: NOT LOADED Redirect URL: www.msnbc.com 16-140 Configuring Security XSR>...

This manual is also suitable for:

X-pedition xsr

Enterasys X-Pedition XSR CLI Cli Reference Manual

Preface

Chapter 1: Network Management

Chapter 2: Configuring T1/E1 and T3/E3 Subsystems

Chapter 3: Configuring the XSR Platform

Chapter 4: Configuring Hardware Controllers

Chapter 5: Configuring the Internet Protocol

Chapter 6: Configuring the Border Gateway Protocol

Chapter 7: Configuring IP Multicast

Chapter 8: Configuring the Point-To-Point Protocol

Chapter 9: Configuring Frame Relay

Chapter 10: Configuring the Dialer Interface

Chapter 11: ISDN BRI and PRI Commands

Chapter 12: Configuring Quality of Service

Chapter 13: Configuring ADSL

Chapter 14: Configuring the VPN

Chapter 15: Configuring DHCP

Chapter 16: Configuring Security

Quick Links

Related Manuals for Enterasys X-Pedition XSR CLI

Summary of Contents for Enterasys X-Pedition XSR CLI