Enterasys Networks XSR-3020 manual: XSR with Firewall Topology

Firewall Sample Configuration

Figure 3-1 XSR with Firewall Topology (diagram not reproduced; labels recovered from it: Internet 206.12.44.16/28 reached over Frame Relay S1; XSR-3020 with interfaces FE1 and FE2; Internal network 220.150.2.32/28 with addresses 220.150.2.35, 220.150.2.36 and 220.150.2.37; DMZ 220.150.2.16/28 with address 220.150.2.17; Web server (HTTP) 220.150.2.19; Mail server (SMTP) 220.150.2.18)

In this configuration, the firewall provides protected access from the private to dmz networks. That is, access is restricted to Web and mail traffic only. The hosts in the private network are provided full access to the Internet but access is denied from the Internet to the private network. Also, all Java and ActiveX pages, IP options, IP broadcast and multicast packets are banned.

Begin by specifying network objects for private, dmz, and Mgmt networks:

XSR(config)#ip firewall network dmz 220.150.2.16 mask 255.255.255.240 internal

XSR(config)#ip firewall network private 220.150.2.32 mask 255.255.255.240 internal

XSR(config)#ip firewall network Mgmt 220.150.2.35 mask 255.255.255.0 internal

Log only critical events:

XSR(config)#ip firewall logging event-threshold 3

Set policies between the dmz and external networks. Note that policy objects and names are case-sensitive and you must cite network names exactly:

XSR(config)#ip firewall policy a1 private dmz HTTP allow

XSR(config)#ip firewall policy a2 dmz private HTTP allow

XSR(config)#ip firewall policy a3 private dmz HTTP allow

XSR(config)#ip firewall policy a4 dmz private HTTP allow

Set the policies between the dmz and external networks:

XSR(config)#ip firewall policy a5 ANY_EXTERNAL dmz SMTP allow

XSR(config)#ip firewall policy a6 dmz ANY_EXTERNAL SMTP allow

XSR(config)#ip firewall policy a7 ANY_EXTERNAL dmz SMTP allow

XSR(config)#ip firewall policy a8 dmz ANY_EXTERNAL SMTP allow

Set policies to allow any traffic from private to external and Mgmt networks:

XSR(config)#ip firewall policy a9 private ANY_EXTERNAL ANY_TCP allow

XSR(config)#ip firewall policy Telnetsess Mgmt Mgmt Telnet allow bidirectional

Allow ICMP traffic to pass from the dmz to private, private to all external, and all external to private networks:

XSR(config)#ip firewall filter allowICMP private dmz protocol-id 1

XSR(config)#ip firewall filter allowICMP private ANY_EXTERNAL protocol-id 1

XSR(config)#ip firewall filter allowICMP ANY_EXTERNAL dmz protocol-id 1
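The policy set above is meant to enforce a specific segmentation (private to dmz Web traffic, mail in and out of the dmz, outbound from private, nothing from the Internet into private). The following added example (not Enterasys code, not XSR output) is a small offline model that parses an abridged, constructed copy of the network and policy lines and answers whether a given flow would match an allow policy, so the intended segmentation can be checked before the configuration is committed. It assumes ANY_EXTERNAL means any address outside every network object marked internal, that HTTP and SMTP map to TCP 80 and TCP 25, and that unmatched flows are dropped by default.

```python
import ipaddress

# Abridged, constructed copy of the page's object and policy lines
# (typed here for the example, not output captured from an XSR).
CONFIG = """\
ip firewall network dmz 220.150.2.16 mask 255.255.255.240 internal
ip firewall network private 220.150.2.32 mask 255.255.255.240 internal
ip firewall policy a1 private dmz HTTP allow
ip firewall policy a2 dmz private HTTP allow
ip firewall policy a5 ANY_EXTERNAL dmz SMTP allow
ip firewall policy a6 dmz ANY_EXTERNAL SMTP allow
ip firewall policy a9 private ANY_EXTERNAL ANY_TCP allow
"""
# Assumed service definitions: (protocol, port); None matches any port.
SERVICES = {"HTTP": ("tcp", 80), "SMTP": ("tcp", 25), "ANY_TCP": ("tcp", None)}

def parse(text):
    """Collect network objects and policy tuples from the CLI lines."""
    nets, policies = {}, []
    for line in text.splitlines():
        t = line.split()
        if t[:3] == ["ip", "firewall", "network"]:
            nets[t[3]] = ipaddress.ip_network(f"{t[4]}/{t[6]}", strict=False)
        elif t[:3] == ["ip", "firewall", "policy"]:
            policies.append(tuple(t[3:8]))  # name, src, dst, service, action
    return nets, policies

def in_zone(nets, zone, ip):
    """Assumption: ANY_EXTERNAL is any address outside every internal object."""
    ip = ipaddress.ip_address(ip)
    if zone == "ANY_EXTERNAL":
        return not any(ip in n for n in nets.values())
    return ip in nets[zone]

def allowed(nets, policies, src, dst, proto, port):
    """Default deny: return the first matching allow policy name, else None."""
    for name, s, d, svc, action in policies:
        sproto, sport = SERVICES[svc]
        if (action == "allow" and in_zone(nets, s, src) and in_zone(nets, d, dst)
                and sproto == proto and sport in (None, port)):
            return name
    return None

NETS, POLICIES = parse(CONFIG)

def check(src, dst, proto="tcp", port=80):
    """Ask the model whether a flow would be passed; None means dropped."""
    return allowed(NETS, POLICIES, src, dst, proto, port)
```

Running check("206.12.44.20", "220.150.2.35") returns None, which is the Internet-to-private denial the text describes, while check("220.150.2.35", "220.150.2.19") returns "a1".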

XSR Getting Started Guide 3-13


XSR-3020 specifications

Enterasys Networks XSR-3020 is a sophisticated Layer 2 and Layer 3 switch designed to meet the demands of modern networking environments. Known for its robust performance and versatility, the XSR-3020 is an ideal solution for enterprises that require high efficiency, comprehensive security, and network reliability.

This switch supports a variety of advanced technologies, making it suitable for both data center and edge deployments. One of its standout features is its scalability. The XSR-3020 can accommodate growing network demands by allowing for easy integration of additional modules. This capacity for expansion ensures that organizations can adapt their networks without the need for complete hardware replacements.

The XSR-3020 offers high-speed connectivity through its multiple gigabit Ethernet ports, providing up to 48 10/100/1000BASE-T ports in a single chassis. This high-density design optimizes the physical space and ensures that organizations can connect numerous devices simultaneously without sacrificing performance. Additionally, it supports Power over Ethernet (PoE), allowing users to power network devices, such as IP cameras and access points, directly through the switch. This feature streamlines installations and reduces the clutter of electrical wiring.

Security is a critical consideration in today’s network landscape, and the XSR-3020 addresses this need with robust security features. It incorporates advanced access control capabilities, enabling administrators to segment traffic and enforce policies effectively. The switch also supports 802.1X authentication, ensuring that only authorized devices can connect to the network.

In terms of management, the XSR-3020 is designed to simplify operations through its user-friendly interface and extensive support for management protocols. It offers native support for Simple Network Management Protocol (SNMP) and can be easily integrated with various network management systems, allowing for efficient monitoring and troubleshooting.

Another key characteristic of the XSR-3020 is its reliability. With features such as redundant power supplies and fans, the switch ensures high availability, minimizing downtime for critical applications. It is also built to withstand harsh conditions, making it suitable for diverse environments.

Overall, the Enterasys Networks XSR-3020 combines high performance, scalability, and security, making it an excellent choice for organizations looking to enhance their network infrastructure. Its comprehensive set of features positions it as a reliable backbone for any modern enterprise network, ensuring that businesses can operate efficiently and securely.