Manuals / Cabletron Systems / Computer Equipment / Network Router

Cabletron Systems SmartSwitch manual Creating Multi-statement IP Policies

Models: SmartSwitch

1 338

Download 338 pages 45.77 Kb

Page 211

Chapter 13: IP Policy-Based Forwarding Configuration Guide

cause packets matching a defined profile to be forwarded to a next-hop gateway, enter the following command in Configure mode:

Forward packets matching a profile to a next-hop gateway.

ip-policy <name> permit acl <profile> next- hop-list <ip-addr-list>

For example, the following command creates an IP policy called “p1” and specifies that packets matching profile “prof1” are forwarded to next-hop gateway 10.10.10.10:

ssr(config)# ip-policy p1 permit acl prof1 next-hop-list 10.10.10.10

You can also set up a policy to prevent packets from being forwarded by an IP policy. To prevent packets matching a defined profile from being forwarded by an IP policy to a next-hop gateway, enter the following command in Configure mode:

Prevent packets matching a profile from being forwarded by an IP policy.

ip-policy <name> deny acl <profile>

Packets matching the specified profile are forwarded using dynamic routes instead.

For example, the following command creates an IP policy called “p2” that prevents packets matching prof1 from being forwarded using an IP policy:

ssr(config)# ip-policy p2 deny acl prof1

Creating Multi-statement IP Policies

An IP policy can contain more than one ip-policystatement. For example, an IP policy can contain one statement that sends all packets matching a profile to one next-hop gateway, and another statement that sends packets matching a different profile to a different next- hop gateway. If an IP policy has multiple ip-policystatements, you can assign each statement a sequence number that controls the order in which they are evaluated. Statements are evaluated from lowest sequence number to highest.

To specify the order in which IP policy statements are evaluated by an IP policy, enter the following command in Configure mode:

Specify a sequence number for IP policy statements

ip-policy <name> permitdeny acl <profile> sequence <num>

For example, the following commands create an IP policy called “p3”, which consists of two IP policy statements. The ip policy permit statement has a sequence number of 1,

SmartSwitch Router User Reference Manual

211

Image 211

Cabletron Systems SmartSwitch manual Creating Multi-statement IP Policies

Contents

9032578-04 SmartSwitch Router User Reference ManualSmartSwitch Router User Reference Manual Vcci Notice Industry Canada NoticeCabletron SYSTEMS, INC Program License Agreement SmartSwitch Router User Reference Manual SmartSwitch Router User Reference Manual SmartSwitch Router User Reference Manual Cabletron Systems Limited Program License Agreement SmartSwitch Router User Reference Manual Laser Radiation and Connectors Safety InformationEC Directive 73/23/EEC EC Directive 89/336/EECSmartSwitch Router User Reference Manual Contents Hot Swapping Line Cards and Control Modules Creating a non-IP/non-IPX Vlan SmartTRUNK Configuration GuideVrrp Configuration Guide 127 IP Multicast Overview 199 Multicast Routing Configuration Guide 199209 Web Hosting Configuration Guide 233 255 QoS Configuration Guide 283 WAN Configuration Guide 315 Contents Who Should Read This Manual? How to Use This ManualPreface About This ManualPreface For Information About See Installing and setting up the SSRManaging the SSR using Cabletron’s Related DocumentationPreface SmartSwitch Router User Reference Manual Feature Specification SSR Hardware and software specificationsChapter SSR Product Overview Multicast IGMP, Dvmrp IPX RIP, SAPSupported Routing Protocols Supported Media Encapsulation TypeUnderstanding the Command Line Interface Configuring the SmartSwitch RouterRouting Information Protocol RIP Version 1 Key Sequence Command Basic Line Editing CommandsAccess Modes Common CLI key commandsUser Mode Enable Mode Exit Configure Mode Pvst Boot Prom ModeConfiguration Files Loading System Images and Configuration FilesDisabling a Function or Feature Boot and System ImageSsr# system show version Loading System Image SoftwareActivating the Configuration Commands in the Scratchpad Loading Boot Prom SoftwareEnter the system image list command to verify the change CLI displays the following message Copying the Configuration to the Startup Configuration FileEnter yes or y to activate the changes Managing the SSR Displaying Configuration ChangesSetting SSR Date and Time Setting the SSR NameConfiguring NTP Configuring Snmp Services Configuring the SSR CLIConfiguring DNS Configuring Logging Connecting Between the SSR and Other SystemsTask Command Monitoring ConfigurationReboot Show the status of the switching fabric Show the SSR login bannerShow the type of Power-On Self Test Post Show the configuration changesHot Swapping Overview Chapter Hot Swapping Line Cards Control ModulesHot Swapping Line Cards Removing the Line Card Deactivating the Line CardHot Swapping a Secondary Control Module Installing a New Line CardHot Swapping One Type of Line Card With Another Removing the Control Module Deactivating the Control ModuleInstalling the Control Module Hot Swapping a Switching Fabric Module SSR 8600 onlySSR-SF-16 Offline Switching Fabric Bridging Overview Chapter Bridging Configuration GuideSpanning Tree Ieee 802.1d Bridging Modes Flow-Based and Address-Based Vlan OverviewSubnet-based VLANs Port-based VLANsMAC-address-based VLANs Protocol-based VLANsVLANs and the SSR SSR Vlan SupportMulticast-based VLANs Policy-based VLANsPorts, VLANs, and L3 Interfaces Access Ports and Trunk Ports 802.1Q supportConfiguring Address-based or Flow-based Bridging Configuring SSR Bridging FunctionsExplicit and Implicit VLANs Address-Based Bridge Table Flow-Based Bridge Table Configuring Spanning TreeSetting the Bridge Priority Adjusting Spanning-Tree ParametersMore ports for a particular Vlan Adjusting Bridge Protocol Data Unit Bpdu Intervals Setting a Port PriorityAssigning Port Costs Defining the Forward Delay Interval Adjusting the Interval between Hello TimesDefining the Maximum Age Creating a Port or Protocol Based Vlan Configuring a Port or Protocol based VlanConfiguring Vlan Trunk Ports Configuring VLANs for BridgingMonitoring Bridging Configuring Layer-2 FiltersShow information on MACs Configuration ExamplesCreating an IP or IPX Vlan Creating a non-IP/non-IPX VlanPage Overview Chapter SmartTRUNK Configuration GuideCreating a SmartTRUNK Configuring SmartTRUNKsAdd Physical Ports to the SmartTRUNK Specify Traffic Distribution Policy Optional Monitoring SmartTRUNKsSt.2 St.4 Router Switch Server Example ConfigurationsSmartTRUNK Configuration Guide Page Chapter Configuration GuideDhcp Overview Client Parameters Configuring DhcpConfiguring an IP Address Pool Configuring Client ParametersGrouping Scopes with a Common Interface Configuring a Static IP AddressUpdating the Lease Database Configuring Dhcp Server ParametersMonitoring the Dhcp Server Define a static IP address for Dhcp Configuration ExamplesDefine Dhcp network parameters for the scope ‘scope1’ Define an IP address pool for addresses 10.1.1.10 throughConfiguring Secondary Subnets Include ‘scope2’ in the superscope ‘super1’ Secondary Subnets and Directly-Connected ClientsInteracting with Relay Agents Define the address pool for ‘scope1’ Page IP Routing Overview Chapter IP Routing Configuration GuideMulticast Routing Protocols IP Routing ProtocolsSSR supports standards-based TCP, UDP, and IP Unicast Routing ProtocolsSpecifying Ethernet Encapsulation Method Configuring IP Interfaces and ParametersConfiguring IP Addresses to Ports Configuring IP Interfaces for a VlanConfiguring ARP Cache Entries Configuring Address Resolution Protocol ARPConfiguring Proxy ARP Specifying IP Interfaces for Rarp Configuring Reverse Address Resolution Protocol RarpDefining MAC-to-IP Address Mappings Specify ping Configuring DNS ParametersConfiguring IP Services Icmp Monitoring RarpConfiguring Direct Broadcast Configuring IP HelperConfiguring Denial of Service DOS Monitoring IP Parameters Configuring Router DiscoveryAssigning IP/IPX Interfaces IP Routing Configuration Guide Vrrp Overview Configuring VrrpFollowing is the configuration file for Router R1 in Figure Basic Vrrp ConfigurationBackup Configuration of Router R1Configuration for Router R2 Symmetrical ConfigurationFollowing is the configuration file for Router R2 in Figure Symmetrical Vrrp Configuration Master for VRID=1 Master for VRID=2 Backup for VRID=2Configuration of Router R2 Multi-Backup ConfigurationMulti-Backup Vrrp Configuration SmartSwitch Router User Reference Manual 101 Virtual Router Default Priority Configured Priority Configuration of Router R3 Additional ConfigurationFollowing is the configuration file for Router R3 in Figure Setting the Advertisement Interval Setting the Backup PrioritySetting Pre-empt Mode Monitoring Vrrp Setting an Authentication KeyIp-redundancy trace Specific virtual router Vrrp Configuration NotesIp-redundancy show Virtual routers Display information about allSmartSwitch Router User Reference Manual 107 108 Configuring RIP Chapter RIP Configuration GuideRIP Overview Configuring RIP Parameters Configuring RIP InterfacesEnabling and Disabling RIP Specify that RIP V2 packets Set the authentication methodCharacters Set the authentication method To RIPConfiguring RIP Route Default-Metric Configuring RIP Route PreferenceMonitoring RIP Configuration Example 114 Ospf Overview OspfOspf Multipath Configuring OspfEnable Ospf Disable OspfOspf Parameter Default Value Configuring Ospf Interface ParametersOspf Interface Parameters Create an Ospf area Configuring an Ospf AreaAdd an interface to an Ospf area Add a network to an Ospf area for Configuring Ospf Area ParametersCreating Virtual Links Add a stub host to an Ospf areaSet virtual link Configuring Ospf over Non-Broadcast Multiple AccessCreate a virtual LinkMonitoring Ospf Ospf Configuration Examples Exporting All RIP, Interface & Static Routes to Ospf Exporting All Interface & Static Routes to OspfCreate a Static export source Create a Ospf export destination for type-1 routesCreate a Ospf export destination for type-2 routes Create a RIP export sourceCreate Ospf export source Create a RIP export destinationCreate OSPF-ASE export source R10 BGP Overview Chapter BGP Configuration GuideSSR BGP Implementation Basic BGP TasksIp-router global set autonomous-system num1 loops num2 Setting the Autonomous System NumberSetting the Router ID Configuring a BGP Peer GroupAutonomous-system number WhereAdding and Removing a BGP Peer Using AS-Path Regular ExpressionsStarting BGP 132 AS-Path Regular Expression Examples Using the AS Path Prepend FeatureTo import MCI routes with a preference Following is an example BGP Configuration ExamplesBGP Peering Session Example AS-1 AS-2 CLI configuration for router SSR1 is as followsPhysical Link Peering Relationship Gated.conf file for router SSR2 is as follows Ibgp Configuration ExampleCLI configuration for router SSR2 is as follows Gated.conf file for router SSR1 is as followsIbgp Routing Group Example AS-64801 Sample Ibgp Configuration Routing Group TypeFollowing lines in the Cisco router configure Ospf Ibgp Internal Group Example Sample Ibgp Configuration Internal Group Type Illustrates a sample Ibgp Internal group configurationSmartSwitch Router User Reference Manual 143 Configuration for router C1 a Cisco router is as follows Ebgp Multihop Configuration ExampleConfiguration for router C2 a Cisco router is as follows Physical Link AS-64800CLI configuration for router SSR3 is as follows Gated.conf file for router SSR4 is as follows CLI configuration for router SSR4 is as followsCommunity Attribute Example Gated.conf file for router SSR3 is as followsSample BGP Configuration Specific Community Sample BGP Configuration Well-Known Community , router SSR11 has the following configuration , router SSR13 has the following configuration , router SSR14 has the following configuration , router SSR10 has the following configurationSmartSwitch Router User Reference Manual 153 LocalPref Attribute Example Sample BGP Configuration LocalPref Attribute Multi-Exit Discriminator Attribute Example Router SSR6 has the following CLI configuration Sample BGP Configuration MED AttributeAS-64901 Router SSR8 has the following CLI configurationEbgp Aggregation Example AS-64900Route Reflection Example Router SSR9 has the following CLI configurationAS-64902 Shows a sample configuration that uses route reflectionSmartSwitch Router User Reference Manual 161 162 Route Import and Export Policy Overview Chapter Routing Policy Configuration GuidePreference Defined by CLI Command Default Default Preference ValuesPreference Import-Source Import PoliciesExport-Source Export PoliciesRoute-Filter Export-DestinationSpecifying a Route Filter Aggregates and Generates Aggregate-Source Aggregate-DestinationAuthentication Methods AuthenticationAuthentication Keys and Key Management Configuring Simple Routing PoliciesRedistributing Directly Attached Networks Redistributing Static RoutesRedistributing RIP into Ospf Redistributing Ospf to RIP Redistributing RIP into RIPRedistributing Aggregate Routes Example 1 Redistribution into RIP Simple Route Redistribution ExamplesTo redistribute aggregate Routes into OspfExporting All Static Routes to All RIP Interfaces Exporting a Given Static Route to All RIP InterfacesExample 2 Redistribution into Ospf 176 Configuring Advanced Routing Policies 178 Creating an Export Source Creating an Export DestinationCreate a RIP import Creating an Import SourceCreating a Route Filter Creating an Aggregate RouteSmartSwitch Router User Reference Manual 181 Example 1 Importing from RIP Creating an Aggregate DestinationCreating an Aggregate Source Examples of Import PoliciesR41 184 Example 2 Importing from Ospf 186 R41 Importing a Selected Subset of OSPF-ASE Routes Example 1 Exporting to RIP Examples of Export PoliciesIp-router policy create rip-export-source ripExpSrc Exporting a Given Static Route to a Specific RIP Interface Exporting Aggregate-Routes into RIP Ip-router policy create aggr-export-source aggrExpSrc Example 2 Exporting to Ospf SmartSwitch Router User Reference Manual 195 196 SmartSwitch Router User Reference Manual 197 198 IP Multicast Overview Chapter Multicast Routing Configuration GuideIgmp Overview Dvmrp Overview Configuring Igmp Response Wait Time Configuring IgmpConfiguring Igmp on an IP Interface Configuring Igmp Query IntervalConfiguring Per-Interface Control of Igmp Membership Configuring DvmrpStarting and Stopping Dvmrp Configuring Dvmrp Parameters Configuring Dvmrp on an InterfaceConfiguring the Dvmrp Routing Metric Configuring a Dvmrp Tunnel Configuring Dvmrp TTL & ScopeMonitoring Igmp & Dvmrp Multicast protocols Igmp Show all interfaces runningShow all multicast routes Page 208 Chapter IP Policy-Based Forwarding Configuration Guide Defining an ACL Profile Configuring IP PoliciesAssociating the Profile with an IP Policy Creating Multi-statement IP Policies Setting the IP Policy Action Setting Load Distribution for Next-hop GatewaysChecking the Availability of Next-hop Gateways Applying an IP Policy to an InterfaceAll IP interfaces on the SSR IP Policy Configuration ExamplesRouting Traffic to Different ISPs An IP interface Apply a defined IP policy toUsing an IP policy to route traffic to two different ISPs Using an IP policy to prioritize service to customers Prioritizing Service to CustomersUsing an IP policy to authenticate users through a firewall Authenticating Users through a FirewallSelecting Next Hop Gateway from IP Packet Information Firewall Load BalancingDisplay statistics about a Monitoring IP PoliciesDisplay information about all IP policiesIp-policy show interface interface SmartSwitch Router User Reference Manual 221 222 Chapter Network Address Translation Configuration Guide Setting Inside and Outside Interfaces Configuring NATDynamic Setting NAT RulesManaging Dynamic Bindings StaticMonitoring NAT Static ConfigurationSpecify the FTP session timeout NAT and FTPThen, define the NAT static rules Using Static NATFirst step is to create the interfaces Next, define the interfaces to be NAT inside or outsideUsing Dynamic NAT Dynamic ConfigurationDynamic NAT with IP Overload PAT Configuration Dynamic NAT with Outside Interface Redundancy Using Dynamic NAT with IP OverloadUsing Dynamic NAT with Matching Interface Redundancy 232 Chapter Web Hosting Configuration Guide Specifying Load Balancing Policy Optional Configuring Load BalancingLoad Balancing Creating the Server GroupAdding Servers to the Load Balancing Group Setting Server StatusSetting Timeouts for Load Balancing Mappings Allowing Access to Load Balancing ServersLoad Balancing and FTP Displaying Load Balancing Information Configuration Examples207.135.89.16 10.1.1.1 Ftp.quick..com 10.1.1.2 Ftp.quick.com Internet Router User Queries207.135.89.16 207.135.89.17 207.135.89.18 Virtual IP Address RangesWeb Caching Configuring Web CachingNot redirected to cache servers Creating the Cache GroupSpecifying the Clients for the Cache Group Optional Redirected to cache serversOther Configurations Configuration ExampleBypassing Cache Servers Monitoring Web-Caching Distributing Frequently-Accessed Sites Across Cache ServersProxy Server Redundancy Show cache server information Show caching policy informationIPX Routing Overview Chapter IPX Routing Configuration GuideRIP Routing Information Protocol SAP Service Advertising Protocol Creating IPX Interfaces Configuring IPX RIP & SAPIPX Addresses Specifying IPX Encapsulation Method Configuring IPX Interfaces and ParametersConfiguring IPX Addresses to Ports Configuring IPX Interfaces for a VlanEnabling SAP Configuring IPX RoutingConfiguring Static Routes Enabling IPX RIPControlling Access to IPX Networks Configuring Static SAP Table EntriesCreating an IPX Access Control List Creating an IPX SAP Access Control List Creating an IPX Type 20 Access Control ListCreating an IPX GNS Access Control List Monitoring an IPX Network Creating an IPX RIP Access Control ListAdds a SAP access list Adds a GNS access list 254 Chapter Access Control List Configuration Guide Defining Selection Criteria in ACL Rules ACL BasicsHow ACL Rules are Evaluated Implicit Deny Rule Allowing External Responses to Established TCP Connections Creating and Modifying ACLs Following ACL illustrates this featureEditing ACLs Offline Maintaining ACLs Using the ACL Editor Applying ACLs to Interfaces Using ACLsThese uses of ACLs are described in the following sections Using ACLs as Profiles Applying ACLs to ServicesSSR Feature ACL Profile Usage Following SSR features use ACL profilesUsing Profile ACLs with the IP Policy Facility Using Profile ACLs with the Traffic Rate Limiting Facility Using Profile ACLs with the Port Mirroring Facility Using Profile ACLs with Dynamic NATRedirecting Http Traffic to Cache Servers Using Profile ACLs with the Web Caching FacilityPreventing Web Objects From Being Cached Enabling ACL LoggingMonitoring ACLs 270 Security Overview Chapter Security Configuration GuideConfiguring Radius Configuring SSR Access SecurityMonitoring Radius Configuring TacacsMonitoring Tacacs Monitoring Tacacs Plus Configuring Tacacs PlusLayer-2 Security Filters Configuring PasswordsConfiguring Layer-2 Port-to-Address Lock Filters Configuring Layer-2 Address FiltersConfigure a destination static Configuring Layer-2 Static Entry FiltersConfiguring Layer-2 Secure Port Filters Configure a source staticMonitoring Layer-2 Security Filters Et.1.1 Et.1.2 Et.1.3 Hub Layer-2 Filter ExamplesStatic Entries Example Example 2 Secure Ports Port-to-Address Lock ExamplesLayer-3 Access Control Lists ACLs 282 QoS & Layer-2/Layer-3/Layer-4 Flow Overview Chapter QoS Configuration GuidePrecedence for Layer-3 Flows Layer-2 and Layer-3 & Layer-4 Flow SpecificationTraffic Prioritization for Layer-2 Flows Configuring Layer-2 QoSSSR Queuing Policies Traffic Prioritization for Layer-3 & Layer-4 Flows Configuring IP QoS PoliciesSpecifying Precedence for an IP QoS Policy Configuring IPX QoS PoliciesSetting an IP QoS Policy Setting an IPX QoS PolicySpecifying Precedence for an IPX QoS Policy Configuring SSR Queueing PolicyAllocating Bandwidth for a Weighted-Fair Queuing Policy ToS RewriteMBZ Configuring ToS Rewrite for IP PacketsTos-rewrite Show all IPX QoS flows Monitoring QoSLimiting Traffic Rate Show all IP QoS flowsInterface Example ConfigurationDefine a rate limit profile Apply a rate limit profile to anInterface interface Displaying Rate Limit Information294 Performance Monitoring Overview Chapter Performance Monitoring GuideParticular MAC address Show info about multicasts Show port error statisticsShow information about the master MAC table Show information about aMonitoring Broadcast Traffic Configuring the SSR for Port MirroringOnly IP ACLs can be specified for port mirroring 298 Rmon Overview Configuring and Enabling RmonExample of Rmon Configuration Commands Lite Rmon Groups Rmon GroupsProfessional Rmon Groups Standard Rmon GroupsControl Tables Using Rmon Configuring Rmon Groups Size owner string status enabledisable EnabledisableNum status enabledisable String status enabledisableRmon user-history-control index index-number Port port owner string status enabledisableOid type absolutedelta status enabledisable Rmon protocol-distribution index index-numberDisplaying Rmon Information Rmon CLI Filters 01000CCCCCCC Following shows Host table output without a CLI filterUsing Rmon CLI Filters Troubleshooting RmonCreating Rmon CLI Filters 312 Ssr# rmon show status Rmon Status Allocating Memory to RmonRmon set memory number WAN Overview WANStatic Addresses Configuring WAN InterfacesPrimary and Secondary Addresses Static, Mapped, and Dynamic Peer IP/IPX AddressesDynamic Addresses Following command line displays an example for a VlanFollowing command line displays two examples for PPP Mapped AddressesForcing Bridged Encapsulation Following command line displays an example for PPPPacket Compression Link Integrity Example ConfigurationsAverage Packet Size Nature of the DataPacket Encryption WAN Quality of ServiceRandom Early Discard RED Weighted-Fair QueueingSource Filtering and ACLs Congestion ManagementVirtual Circuits Frame Relay OverviewAdaptive Shaping Permanent Virtual Circuits PVCs Configuring Frame Relay Interfaces for the SSRApplying a Service Profile to an Active Frame Relay WAN Port Setting up a Frame Relay Service ProfileMonitoring Frame Relay WAN Ports Frame Relay Port Configuration326 Point-to-Point Protocol PPP Overview Configuring PPP InterfacesUse of LCP Magic Numbers Defining the Type and Location of a PPP Interface Setting up a PPP Service ProfileConfiguring Multilink PPP Bundles Applying a Service Profile to an Active PPP PortCompression on MLP Bundles or Links Monitoring PPP WAN Ports PPP Port ConfigurationSsrconfig# ppp apply service profile2 ports hs.5.1 Simple Configuration File WAN Configuration ExamplesMulti-router WAN configuration Multi-Router WAN ConfigurationFollowing configuration file applies to Router R2 Router R1 Configuration FileFollowing configuration file applies to Router R1 Router R2 Configuration FileFollowing configuration file applies to Router R4 Router R3 Configuration FileFollowing configuration file applies to Router R3 Router R4 Configuration FileFollowing configuration file applies to Router R6 Router R5 Configuration FileFollowing configuration file applies to Router R5 Router R6 Configuration FileSmartSwitch Router User Reference Manual 337 338