Enterasys Networks XSR-3020 manual VPN Topology with NEM, EZ-IPSec and Internet Access


VPN Sample Configuration with Network Extension Mode

Figure 3-6 VPN Topology with NEM, EZ-IPSec and Internet Access

[Figure 3-6: topology diagram of three XSR 3020 routers on the 26.26.26.0/24 public network. Labels recovered from the image: GigabitEthernet 1: 172.16.10/24; Gigabitethernet 2: 26.26.26.10/24; Virtual IP Pool: 172.16.10.0/24; eth0: 10.11.11.1/24; eth1: 26.26.26.11/24; eth0: 10.12.12.1/24; eth1: 26.26.26.12/24; private network 172.16.10.0]

If you have not already generated a master encryption key, you must do so now to configure the VPN. A master key need only be generated once.

Caution: The master encryption key is stored in hardware, not Flash, and you cannot read the key - only overwrite the old key by writing a new one. To ensure router security, it is critical not to compromise the key. There are situations where you may want to keep the key, for example, to save the user database off-line in order to later download it to the XSR. In order to encrypt the user database, you need the same master key, indicating the key designation with the master key specify command. Be aware that if the XSR is inoperable you may have to return to factory defaults, which erases the master key forcing you to generate a new one.

Generate the master key. Refer to the following sample key:

XSR(config)#crypto key master generate

New key is 2173 4521 3764 2ff5 163b 4bdf fe92 dbc1 1232 ffe0 f8d9 3649

Apply the following ACLs to the public interface of the XSR before creating the VPN configuration. These ACLs are applied only to an XSR configured to terminate Network Extension Mode (NEM) tunnels initiated from ANG-1100s. These ACLs allow all outbound IP traffic and established inbound TCP traffic and employ well-known protocol numbers for IKE UDP (500) and ICMP to and from the public interface (if preferred).

XSR(config)#access-list 1 deny 26.26.26.0 0.0.0.255
XSR(config)#access-list 1 permit any
XSR(config)#access-list 110 permit udp any any eq 500
XSR(config)#access-list 110 permit icmp any host 26.26.26.10
XSR(config)#access-list 110 deny ip any any

XSR(config)#access-list 111 permit udp any any eq 500
XSR(config)#access-list 111 permit icmp host 26.26.26.10 any
XSR(config)#access-list 111 deny ip any any

XSR(config)#interface gigabitethernet 2

XSR(config-if<G2>)#ip access-group 110 in

XSR(config-if<G2>)#ip access-group 111 out

Enable Network Address Translation:

XSR(config-if<G2>)#ip nat source assigned overload

Create the VPN virtual subnet:

XSR(config)#ip local pool virtual_subnet 10.10.10.0 255.255.255.248
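To check what the public-interface ACLs configured above actually admit, here is an added example (not from the manual) that parses the access-list 110 and 111 entries as written on this page and evaluates sample packets against them. It assumes first-match semantics with an implicit final deny and Cisco-style wildcard masks; whether the XSR evaluates these lists before or after IPsec decapsulation is not stated on this page, so the ESP and UDP 4500 (NAT-T) results describe only the lists as written.

```python
import ipaddress

# Extended access lists 110 and 111 exactly as the page configures them (constructed sample input).
ACL_LINES = """
access-list 110 permit udp any any eq 500
access-list 110 permit icmp any host 26.26.26.10
access-list 110 deny ip any any
access-list 111 permit udp any any eq 500
access-list 111 permit icmp host 26.26.26.10 any
access-list 111 deny ip any any
"""

def parse_addr(tokens):
    """Consume one address spec: 'any', 'host A', or 'A WILDCARD'; return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # Cisco-style wildcard: invert it to obtain the subnet mask (assumed XSR semantics)
    mask = (~int(ipaddress.ip_address(tokens[1]))) & 0xFFFFFFFF
    net = ipaddress.ip_network(f"{tokens[0]}/{ipaddress.ip_address(mask)}", strict=False)
    return net, tokens[2:]

def parse_acls(text):
    """Return {acl_number: [(action, proto, src_net, dst_net, dst_port_or_None), ...]}."""
    acls = {}
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list":
            continue  # only extended (protocol-bearing) entries are modelled here
        number, action, proto = t[1], t[2], t[3]
        src, rest = parse_addr(t[4:])
        dst, rest = parse_addr(rest)
        port = int(rest[1]) if len(rest) >= 2 and rest[0] == "eq" else None
        acls.setdefault(number, []).append((action, proto, src, dst, port))
    return acls

def evaluate(acl, proto, src, dst, dport=None):
    """First-match semantics: the first matching entry decides; implicit deny at the end."""
    for action, p, s, d, port in acl:
        if p != "ip" and p != proto:
            continue
        if ipaddress.ip_address(src) not in s or ipaddress.ip_address(dst) not in d:
            continue
        if port is not None and port != dport:
            continue
        return action
    return "deny"
```

Running the sample packets shows that the entries alone admit IKE (UDP 500) and ICMP to the public address and nothing else, so any protocol the tunnel needs beyond that must be handled elsewhere on the XSR.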

3-30 Software Configuration


XSR-3020 specifications

The Enterasys Networks XSR-3020 is a sophisticated Layer 2 and Layer 3 switch designed to meet the demands of modern networking environments. Known for its robust performance and versatility, the XSR-3020 is an ideal solution for enterprises that require high efficiency, comprehensive security, and network reliability.

This switch supports a variety of advanced technologies, making it suitable for both data center and edge deployments. One of its standout features is its scalability. The XSR-3020 can accommodate growing network demands by allowing for easy integration of additional modules. This capacity for expansion ensures that organizations can adapt their networks without the need for complete hardware replacements.

The XSR-3020 offers high-speed connectivity through its multiple gigabit Ethernet ports, providing up to 48 10/100/1000BASE-T ports in a single chassis. This high-density design optimizes the physical space and ensures that organizations can connect numerous devices simultaneously without sacrificing performance. Additionally, it supports Power over Ethernet (PoE), allowing users to power network devices, such as IP cameras and access points, directly through the switch. This feature streamlines installations and reduces the clutter of electrical wiring.

Security is a critical consideration in today’s network landscape, and the XSR-3020 addresses this need with robust security features. It incorporates advanced access control capabilities, enabling administrators to segment traffic and enforce policies effectively. The switch also supports 802.1X authentication, ensuring that only authorized devices can connect to the network.

In terms of management, the XSR-3020 is designed to simplify operations through its user-friendly interface and extensive support for management protocols. It offers native support for Simple Network Management Protocol (SNMP) and can be easily integrated with various network management systems, allowing for efficient monitoring and troubleshooting.

Another key characteristic of the XSR-3020 is its reliability. With features such as redundant power supplies and fans, the switch ensures high availability, minimizing downtime for critical applications. It is also built to withstand harsh conditions, making it suitable for diverse environments.

Overall, the Enterasys Networks XSR-3020 combines high performance, scalability, and security, making it an excellent choice for organizations looking to enhance their network infrastructure. Its comprehensive set of features positions it as a reliable backbone for any modern enterprise network, ensuring that businesses can operate efficiently and securely.