Notice
Regulatory Compliance Information
Federal Communications Commission (FCC) Notice
Industry Canada Notices
R & TTE Directive Declaration
Class A ITE Notice
Class A ITE Notice (Spanish)
Class A ITE Notice (German)
Declaration of Conformity
N826
Australian Telecom
Federal Information Processing Standard (FIPS) Certification
Independent Communications Authority of South Africa
SS/366.01
APPROVED
VPN Consortium Interoperability
Enterasys Networks, Inc. Firmware License Agreement
Contents
Preface
Chapter 1: Overview
Chapter 2: Managing the XSR
Chapter 3: Managing LAN/WAN Interfaces
Chapter 4: Configuring T1/E1 & T3/E3 Interfaces
Chapter 5: Configuring IP
Chapter 6: Configuring the Border Gateway Protocol
Chapter 7: Configuring PIM-SM and IGMP
Chapter 8: Configuring PPP
Chapter 9: Configuring Frame Relay
Chapter 10: Configuring Dialer Services
Chapter 11: Configuring Integrated Services Digital Network
Chapter 12: Configuring Quality of Service
Chapter 13: Configuring ADSL
Chapter 14: Configuring the Virtual Private Network
Chapter 15: Configuring DHCP
Chapter 16: Configuring Security on the XSR
Appendix A: Alarms/Events, System Limits, and Standard ASCII Table
Appendix B: XSR SNMP Proprietary and Associated Standard MIBs
Preface
Contents of the Guide
Conventions Used in This Guide
Getting Help
Overview
Managing the XSR
Utilizing the Command Line Interface
Connecting via the Console Port on XSR Series
Using the Console Port for Dial Backup on the XSR 1800 Series
Using the Console Port to Remotely Control the XSR
Connecting a Serial Interface to a Modem
Terminal Commands
Connecting via Telnet
Connecting via SSH
Accessing the Initial Prompt
Synchronizing the Clock
Managing the Session
Remote Auto Install
RAI Features and Requirements
RAI Requirements on the XSR
How RAI Components Work
Frame Relay (Remote Router)
Bootp Client
Reverse DNS Client
TFTP Client
Frame Relay (Central Site)
DHCP over LAN (RAI over Ethernet)
PPP RAI over a Leased Line
PPP RAI over a Dial-in Line
PPP RAI over ADSL
CLI Editing Rules
Setting CLI Configuration Modes
Table 2-3 CLI Configuration Modes (columns: Mode, Function, Access Method, Prompt)
User EXEC Mode
Privileged EXEC Mode
Global Configuration Mode
Exiting From the Current Mode
Mode Examples
Observing Command Syntax and Conventions
CLI Command Limits
Describing Ports and Interfaces
Supported Physical Interfaces
Supported Virtual Interfaces
Supported Ports
Numbering XSR Slots, Cards, and Ports
Setting Port Configuration Mode
Setting Interface Type and Numbering
Configuration Examples
Entering Commands that Control Tables
Adding Table Entries
Deleting Table Entries
Modifying Table Entries
Displaying Table Entries
Managing XSR Interfaces
Enabling an Interface
Disabling an Interface
Configuring an Interface
Displaying Interface Attributes
Managing Message Logs
Logging Commands
Performing Fault Management
Fault Report Commands
Capturing Fault Report Data
Using the Real-Time Clock
RTC/Network Clock Options
RTC Commands
Managing the System Configuration
Resetting the Configuration to Factory Default
Using the Default Button (XSR 1800/1200 Series Only)
Configuration Save Options
Using File System Commands
Bulk Configuration Management
Downloading the Configuration
Uploading the Configuration/Crash Report
Full-config Backup
Creating Alternate Configuration Files
Managing the Software Image
Creating Alternate Software Image Files
BootRom Upgrade Choices
Upgrading from Version 2.xx to 3.xx code on the XSR 1800 Series
Upgrading from Version 1.xx to 2.xx code on the XSR 1800 Series
Using the Bootrom Update Utility
Local Bootrom Upgrade
Loading Software Images
Using EOS Fallback to Upgrade the Image
Configuring EOS Fallback on the CLI
Configuring EOS Fallback via SNMP
Downloading with FIPS Security
Software Image Commands
Configuration Change Hashing
Displaying System Status and Statistics
Memory Management
Creating Resources
Network Management through SNMP
SNMP Informs
Shaping Trap Traffic
Statistics
Alarm Management (Traps)
Network Monitoring via Service Level Agreement Agent
Measuring Performance Metrics
Configuration Examples
Create an Owner
Via SNMP
Create a Measurement to Ping
Query a Measurement
Via SNMP
Using the SLA Agent in SNMP
Full Configuration Backup/Restore
Cabletron CTdownload MIB
Enterasys Configuration Management MIB
Software Image Download using NetSight
SNMP Download with Auto-Reboot Option
CLI Translator
Appending CLI Commands to Configuration Files via SNMP
Accessing the XSR Through the Web
Network Management Tools
NetSight Atlas Router Services Manager v2.0
Firmware Upgrade Procedures
Using the CLI for Downloads
Fault Reporting
Auto-discovery
Managing LAN/WAN Interfaces
Overview of LAN Interfaces
LAN Features
Configuring the LAN
MIB Statistics
Overview of WAN Interfaces
WAN Features
Configuring the WAN
Configuring T1/E1 & T3/E3 Interfaces
T1/E1 Functionality
T3/E3 Functionality
T1/E1 Mode
T3 Mode
E3 Mode
T1/E1 Subsystem Configuration
T3/E3 Subsystem Configuration
T1 Drop & Insert One-to-One DS0 Bypassing
Drop and Insert Features
PSTN Frame Relay
Configuring Channelized T1/E1 Interfaces
Configuring Un-channelized T3/E3 Interfaces
Troubleshooting T1/E1 & T3/E3 Links
T1/E1 & T3/E3 Physical Layer Troubleshooting
T1/E1 & T3/E3 Alarm Analysis
Receive Alarm Indication Signal (AIS - Blue Alarm)
Receive Remote Alarm Indication (RAI - Yellow Alarm)
Transmit Remote Alarm Indication (RAI - Yellow Alarm)
Transmit Sending Remote Alarm (Red Alarm)
Transmit Alarm Indication Signal (AIS - Blue Alarm)
Figure 4-5 T1/E1 & T3/E3 Alarm Analysis Troubleshooting Actions Flow (Part 2)
T1/E1 & T3/E3 Error Events Analysis
controller output. Here are some troubleshooting steps you can perform with a flowchart displaying troubleshooting actions.
Figure 4-6 T1/E1 & T3/E3 Error Events Analysis Troubleshooting Flowchart
Slip Seconds Counter Increasing
Framing Loss Seconds Increasing
Line Code Violations Increasing
Configuring the D&I NIM
Configuring IP
General IP Features
ARP and Proxy ARP
Proxy DNS
BOOTP/DHCP Relay
Broadcast
Directed Broadcast
Local Broadcast
ICMP
TCP
UDP
Telnet
SSH
Trivial File Transfer Protocol (TFTP)
IP Interface
Secondary IP
Interface & Secondary IP
ARP & Secondary IP
ICMP & Secondary IP
Routing Table Manager & Secondary IP
OSPF & Secondary IP
RIP & Secondary IP
Unnumbered Interface & Secondary IP
NAT & Secondary IP
IP Routing Protocols
RIPv1 and v2
Triggered-on-Demand RIP
How Triggered-on-Demand RIP Works
OSPF
LSA Type 3 and 5 Summarization
OSPF Database Overflow
OSPF Passive Interfaces
OSPF Troubleshooting
Null Interface
Route Preference
Static Routes
VLAN Routing
Forwarding VLAN, PPPoE over VLAN
WAN XSR
VLAN Processing Over the XSR's Ethernet Interfaces
VLAN Processing: VLAN-enabled Ethernet to Standard LAN Interfaces
Figure 5-5 VLAN Ethernet to Fast/GigabitEthernet Topology
VLAN Processing: VLAN-enabled Ethernet to WAN Interfaces
VLAN Processing: WAN Interface to a VLAN-enabled Ethernet Interface
QoS with VLAN
Policy Based Routing
Accessing the Global Routing Policy Table
Match Clauses
Set Clauses
PBR Cache
Default Network
Classless Inter-Domain Routing (CIDR)
Router ID
Real Time Protocol (RTP) Header Compression
Network Address Translation
Features
Virtual Router Redundancy Protocol
VRRP Definitions
How the VRRP Works
Different States of a VRRP Router
VRRP Features
Multiple Virtual IP Addresses per VR
Multiple VRs Per Router
Authentication
Load Balancing
ARP Process on a VRRP Router
Host ARP
Proxy ARP
Gratuitous ARP
ICMP Ping
Interface Monitoring
Watch Group Monitoring
Physical Interface and Physical IP Address Change on a VRRP Router
Equal-Cost Multi-Path (ECMP)
Configuration Considerations
Figure 5-10 ECMP VPN Load Balancing Topology
Configuring RIP Examples
Central XSR
Remote XSR1
Remote XSR2
Configuring Unnumbered IP Serial Interface Example
Configuring OSPF Example
Configuring NAT Examples
Basic One-to-One Static NAT
Configuring Static Translation
Dynamic Pool Configuration
Configuring Dynamic Pool Translation
Network Address and Port Translation
Configuring NAPT
Multiple NAT Pools within an Interface
Static NAT within an Interface
NAT Port Forwarding
Configuring Policy Based Routing Example
Configuring VRRP Example
Router XSRa
Router XSRb
Configuring VLAN Examples
The following example configures a VLAN interface on FastEthernet sub-interfaces 2.1 and 2.2:
For a QoS with VLAN example, refer to QoS with VLAN on page 14.
The following example configures a VLAN interface for PPPoE:
Configuring the Border Gateway Protocol
Describing BGP Messages
Open
Update
Keepalive
Notification
Defining BGP Path Attributes
AS Path
Origin
Next Hop
Local Preference
Weight
Atomic Aggregate
Aggregator
Multi-Exit Discriminator
Community
Access Control Lists
Filter Lists
Community Lists
Route Maps
Regular Expressions
Regular Expression Characters
Regular Expression Examples
Peer Groups
Creating a Peer Group
Assigning Peer Group Options
Initial BGP Configuration
Adding BGP Neighbors
Resetting BGP Connections
Synchronization
Address Aggregation
Route Flap Dampening
Recommendations for Route Flap Dampening
Capability Advertisement
Route Refresh
Scaling BGP
Route Reflectors
Confederations
Displaying System and Network Statistics
Configuring BGP Route Maps
Configuring BGP Neighbors
BGP Path Filtering by Neighbor Example
BGP Aggregate Route Examples
Configuring BGP Confederations
TCP MD5 Authentication for BGP Example
Configuring BGP Peer Groups
IBGP Peer Group Example
EBGP Peer Group Example
BGP Community with Route Maps Examples
Configuring PIM-SM and IGMP
Differences with Industry-Standard Approach
IP Multicast Overview
Defining Multicast Group Addressing
Outlining IGMP Versions
Comparing Multicast Distribution Trees
Forwarding Multicast Traffic
Describing the XSR's IP Multicast Features
Group Membership Actions
Sending and Receiving Queries and Reports
Sending a Query
Receiving a Query
Receiving a Report
Interoperating with Older IGMP Versions
Query Version Distinctions
Behavior of Group Members Among Older Version Queriers
Behavior of Group Members Among Older Version Group Members
Behavior of Multicast Routers Among Older Version Queriers
Describing the XSR's PIM-SM v2 Features
Phase 1: Building a Shared Tree
Phase 2: Building Shortest Path Tree Between Sender & RP
Phase 3: Building Shortest Path Tree Between Sender & Receiver
Neighbor Discovery and DR Election
PIM Register Message
PIM Join/Prune Message
Bootstrap & Rendezvous Point
Assert Processing
Source-Specific Multicast
PIM SM over Frame Relay
PIM Configuration Examples
Configuring PPP
PPP Features
Link Control Protocol (LCP)
Network Control Protocol (NCP)
Authentication
Password Authentication Protocol (PAP)
Challenge Handshake Authentication Protocol (CHAP)
Microsoft Challenge Handshake Protocol (MS-CHAP)
Link Quality Monitoring (LQM)
Multilink PPP (MLPPP)
Multi-Class MLPPP
MLPPP Packet Fragmentation and Serialization Transmission Latency
Fragment Interleaving Over the Link
Multilink Head Format Negotiation
Events and Alarms
Multi-Class Option Negotiation
Multi-Class Receiving Packet
IP Control Protocol (IPCP)
IP Address Assignment
PPP Bandwidth Allocation/Control Protocols (BAP/BAPC)
Configuring PPP with a Dialed Backup Line
Configuring a Synchronous Serial Interface
Configuring a Dialed Backup Line
Configuring the Physical Interface for the Dialer Interface
Configuring the Interface as the Backup Dialer Interface
Configuring MLPPP on a Multilink/Dialer interface
Multilink Example
Dialer Example
Configuring BAP
Dual XSRs: One Router Using DoD with Call Request
XSR1 Configuration
XSR2 Configuration
3. Configure the Dialer 1 interface with a dialer pool:
4. Set up BAP on Dialer 1 by enabling BAP and adding BAP phone numbers for XSR1 to call.
Dual XSRs: BAP Using Call/Callback Request
XSR1 Configuration
XSR2 Configuration
Configuring Frame Relay
Virtual Circuits
DLCIs
Frame Relay Features
Multi-Protocol Encapsulation
Address Resolution
Dynamic Resolution Using Inverse ARP
Controlling Congestion in Frame Relay Networks
Rate Enforcement (CIR) - Generic Traffic Shaping
Discard Eligibility (DE) Bit
Forward Explicit Congestion Notification (FECN)
Backward Explicit Congestion Notification (BECN)
Link Management Information (LMI)
Sub-interfaces
FRF.12 Fragmentation
End-to-End Fragmentation
User Configuration Commands
Map-Class Configuration
Show Running Configuration
Reports and Alarms
Clear Statistics
Interconnecting via Frame Relay Network
Frame Relay
Central Sites Branch Sites
Network
Configuring Frame Relay
Multi-point to Point-to-Point Example
New York
Andover Montreal
Frame Relay Network
Configure Serial sub-interface 2/0.1 for a multi-point connection with DLCIs 980 and 960:
On the Andover XSR, create the QoS class maps similar to those on the New York XSR:
Configure the policy map frf12 with criteria similar to those on the New York XSR:
Configure Serial sub-interface 2/0.1 for a point-to-point connection with DLCI 980:
On the Montreal XSR, create the QoS class maps similar to those on the New York XSR:
Configure the policy map frf12 with criteria similar to those on the New York XSR:
Configure Serial sub-interface 2/0.1 for a point-to-point connection with DLCI 960:
Configuring Dialer Services
Overview of Dial Services
Dial Services Features
Asynchronous and Synchronous Support
AT Commands on Asynchronous Ports
V.25bis over Synchronous Interfaces
DTR Dialing for Synchronous Interfaces
Time of Day feature
Typical Use for Dial Services
Ethernet Backup
Implementing Dial Services
Dialer Profiles
Dialer Profile
Dialer Interface
Dialer Strings
Dialer Pool
Addressing Dialer Resources
Configuring Encapsulation
ISDN Callback
Figure 10-3 Logical View of Dialer Profiles
Figure 10-4 Sample Dialer Topology
Figure 10-5 Dialer Profile of Destination (416) 123-4456
Creating and Configuring the Dialer Interface
Configuring the Map Class
Configuring the Physical Interface for the Dialer Interface
Sample Dialer Configuration
Configuring ISDN Callback
Point-to-Point with Matched Calling/Called Numbers
Point-to-Point with Different Calling/Called Numbers
Point-to-Multipoint with One Neighbor
Point-to-Multipoint with Multiple Neighbors
Overview of Dial Backup
Dial Backup Features
Sequence of Backup Events
Link Failure Backup Example
Configuring a Dialed Backup Line
Configuring the Physical Interface for the Dialer Interface
Configuring Interface as the Backup Dialer Interface
Sample Configuration
Overview of Dial on Demand/Bandwidth on Demand
Dialer Interface Spoofing
Dialer Watch
Dialer Watch Behavior
Caveat
Answering Incoming ISDN Calls
Incoming Call Mapping Example
Node A [XSR]
Node D [XSR]
Node D (Calling Node) Configuration
Configuring DoD/BoD
Figure 10-11 Dial on Demand Topology
PPP Point-to-Multipoint Configuration
[XSR]
PPP Multipoint-to-Multipoint Configuration
Node A Configuration
Node B Configuration
PPP Point-to-Point Configurations
Dial-in Routing for Dial on Demand Example
Dial-out Routing for Dial on Demand Example
The following command maps ACL 101 to dialer group 1:
PPP Point-to-Multipoint Configurations
MLPPP Point-to-Multipoint Configuration
MLPPP Point-to-Point Configurations
MLPPP Point-to-Multipoint Configurations
Figure 10-15 MLPPP Point-to-Multipoint Topology
The following commands add a pool member and configure the primary-ni switch on T1 interface 2/3:
The following command maps ACL 101 to dialer group 1:
MLPPP Multipoint-to-Multipoint Configuration
Node A Configuration
Node B Configuration
Switched PPP Multilink Configuration
Bandwidth-on-Demand
[XSR]
Backup Configuration
Backup Using ISDN
[XSR]
Node A (Backed-up Node) Configuration
Configuration for Backup with MLPPP Bundle
Node A (Backed-up Node) Configuration
Configuration for Ethernet Failover
Configuration for Frame Relay Encapsulation
Configuring Integrated Services Digital Network
ISDN Features
BRI Features
PRI Features
Understanding ISDN
Basic Rate Interface
Primary Rate Interface
B-Channels
D-Channel
D-Channel Standards
D-Channel Signaling and Carrier Networks
ISDN Equipment Configurations
Bandwidth Optimization
Security
Call Monitoring
ISDN Trace
Trace Decoding
Q921 Decoding
Reference Parameters
Q931 Decoding
+ Next line: 04 Bearer capability 8890
Decoded IEs
BRI NI-1, DMS100 & 5ESS SPID Registration
Terminal Endpoint Identifier (TEI) Management Procedures
ISDN Configuration
BRI (Switched) Configuration Model
ISDN Configuration
XSR
Figure 11-1. Switched BRI Configuration Model
PRI Configuration Model
Figure 11-2. PRI Configuration Model
XSR
Leased-Line Configuration Model
IP
More Configuration Examples
T1 PRI
E1 PRI
ISDN BRI
BRI Leased Line
ISDN (ITU Standard Q.931) Call Status Cause Codes
Table 11-2 Call Status Cause Codes (continued) Code Cause
Configuring Quality of Service
Mechanisms Providing QoS
Traffic Classification
Describing the Class Map
Describing the Policy Map
Queuing and Services
Describing Class-Based Weight Fair Queuing
Configuring CBWFQ
Measuring Bandwidth Utilization
Describing Priority Queues
Configuring Priority Queues
Describing Traffic Policing
Configuring Traffic Policing
Class-based Traffic Shaping
Traffic Shaping per Policy-Map
Differences Between Traffic Policing and Traffic Shaping
Traffic Shaping and Queue Limit
Congestion Control & Avoidance
Describing Queue Size Control (Drop Tail)
Describing Random Early Detection
Describing Weighted Random Early Detection
Configuration per Interface
Suggestions for Using QoS on the XSR
QoS and Link Fragmentation and Interleaving (LFI)
Configuring QoS with MLPPP Multi-Class
Configuring QoS with FRF.12
QoS with VLAN
Traffic Classification
Describing VLAN QoS Packet Flow
VLAN Packet with Priority Routed out a Fast/GigabitEthernet Interface
VLAN Packet with Priority Routed out a Serial Interface
Figure 12-4 LAN/QoS Serial Scenario
Non-VLAN IP Packet Routed Out a Fast/GigabitEthernet Interface
QoS with VLAN Configuration Process
Follow the steps below to configure the XSR for QoS with VLAN routing.
1. Configure a sub-interface.
interface <Interface name> <slot/card/number>
2. Stipulate a VLAN ID on the sub-interface.
vlan <number>
QoS on Input
QoS on VPN
QoS over VPN Features
Configuring QoS on a Physical Interface
Configuring QoS on a Virtual Tunnel Interface
QoS on a Virtual Interface Example
Configure ACLs:
Configure the IKE policy foo for pre-share keys:
Configure output VPN interface 1 for ToS byte copying, GRE, and other values:
Configure the IPSec SA:
Configure GigabitEthernet interface 2 and Serial sub-interface 1/0:0
QoS and VPN Interaction
Configuring the Shaper on the VPN Interface
QoS Policy Configuration Examples
Simple QoS on Physical Interface Policy
QoS for Frame Relay Policy
Configure map class parameters and apply the policy to the ports:
QoS with MLPPP Multi-Class Policy
QoS with FRF.12 Policy
QoS with VLAN Policy
Input and Output QoS Policy
Input QoS on Ingress to the Diffserv Domain Policy
Configuring ADSL
PDU Encapsulation Choices
PPP over ATM
PPP over Ethernet over ATM (Routed)
Routed IP over ATM
ADSL Limitations
ADSL Hardware
NIM Card
ADSL on the Motherboard
DSP Firmware
ADSL Data Framing
ATM Support
Virtual Circuits
OAM Cells
Performance Monitoring
DSLAM Compatibility
Access Concentrator Restrictions
Inverse ARP
QoS
SNMP
PPPoE
PPPoA
problems, add the crypto ipsec df-bit clear command to your configuration.
IPoA
Configuring the Virtual Private Network
VPN Overview
Internet Security Issues
How a Virtual Private Network Works
Ensuring VPN Security with IPSec/IKE/GRE
GRE over IPSec
Defining VPN Encryption
Describing Public-Key Infrastructure (PKI)
Digital Signatures
Certificates
Machine Certificates for the XSR
CA Hierarchies
Certificate Chains
RA Mode
Pending Mode
Enroll Password
CRL Retrieval
Renewing and Revoking Certificates
DF Bit Functionality
VPN Applications
Site-to-Site Networks
Site-to-Central-Site Networks
NAT Traversal
Client Mode
Client Mode
Network Extension Mode
Network Extension Mode (NEM)
Remote Access Networks
Using OSPF Over a VPN Network
OSPF Commands
Configuring OSPF Over Site-to-Central Site in Client Mode
INTERNET
Server
VPN tunnel
Client
INTERNET
Configuring OSPF over Site-to-Central Site in Network Extension Mode
VPN tunnel
Configuring OSPF with Fail Over (Redundancy)
Server 1
Server 2
INTERNET
Limitations
XSR VPN Features
VPN Configuration Overview
Master Encryption Key Generation
ACL Configuration Rules
Configuring ACLs
Selecting Policies: IKE/IPSec Transform-Sets
Security Policy Considerations
Configuring Policy
Creating Crypto Maps
Configuring Crypto Maps
Authentication, Authorization and Accounting Configuration
AAA Commands
Configuring AAA
PKI Configuration Options
Configuring PKI
PKI Certificate Enrollment Example
5. Set the CRL retrieval rate and download the latest CRL (optional).
6. Add a static host to store IP addresses for use by the CRL mechanism.
Interface VPN Options
VPN Interface Sub-Commands
Configuring a Simple VPN Site-to-Site Application
Central Site Branch Office
configuration, permit means protect or encrypt, and deny indicates don't encrypt or allow as is.
4. Set up IKE Phase 1 protection by entering the following commands:
Configuring the VPN Using EZ-IPSec
EZ-IPSec Configuration
XSR with VPN - Central Gateway
Figure 14-12 EZ-IPSec Client, XP Client and Gateway Topology
Add ACLs to permit IP and UDP traffic:
Add ACLs for IP local pool/EZ-IPSec, Network Extension address and L2TP:
Define IKE Phase I security parameters with the following two policies:
Branch Office
EZ-IPSec client
Remote Access
Windows XP - L2TP/IPSec or PPTP Client
Central Site
Configure the following four crypto maps to match ACLs 150, 140, 120, and 110:
Configure and enable the FastEthernet 1 interface:
Configure FastEthernet interface 2 with the attached crypto map test:
Add a default route to the next hop Internet gateway:
Define an IP pool for distribution of tunnel addresses to all client types:
Clear the DF bit globally:
Enable the OSPF engine, VPN and FastEthernet 1 interfaces for routing:
Create a group for NEM and Client mode users:
Configure the RADIUS AAA method to authenticate remote access users:
Set branch office EZ-IPSec on the PPPoE, FastEthernet sub-interface 2.2, using certificates:
GRE Tunnel for OSPF
Tunnel A: XSR-3250 VPN GRE Site-to-Site Tunnel
Tunnel B: XSR-1805 VPN GRE Site-to-Site Tunnel
XSR/Cisco Site-to-Site Example
Cisco Configuration
XSR Configuration
Interoperability Profile for the XSR
Scenario 1: Gateway-to-Gateway with Pre-Shared Secrets
Scenario 2: Gateway-to-Gateway with Certificates
Configuring DHCP
Overview of DHCP
DHCP Server Standards
How DHCP Works
DHCP Services
Persistent Storage of Network Parameters for Clients
Temporary or Permanent Network Address Allocation
Lease
Assigned Network Configuration Values to Clients: Options
Provisioning Differentiated Network Values by Client Class
BOOTP Legacy Support
Nested Scopes: IP Pool Subsets
Pool (subnet) Client Class Host
Values are inherited from outer scopes
Scope Caveat
Manual Bindings
DHCP Client Services
Router Option
Parameter Request List Option
DHCP Client Interaction
Secondary Address Caveats
DHCP Client Timeouts
DHCP CLI Commands
DHCP Set Up Overview
Configuring DHCP Address Pools
Configuring DHCP - Network Configuration Parameters
Configuration Steps
Create an IP Local Client Pool
Create a Corresponding DHCP Pool
Configure DHCP Network Parameters
Enable the DHCP Server
Optional: Set Up a DHCP Nested Scope
Optional: Configure a DHCP Manual Binding
DHCP Server Configuration Examples
Pool with Hybrid Servers Example
Manual Binding Example
Manual Binding with Class Example
BOOTP Client Support Example
DHCP Option Examples
Configuring Security on the XSR
Access Control Lists
ACL Violations Alarm Example
Packet Filtering
LANd Attack
Smurf Attack
Fraggle Attack
IP Packet with Multicast/Broadcast Source Address
Spoofed Address Check
SYN Flood Attack Mitigation
General Security Precautions
AAA Services
Connecting Remotely via SSH or Telnet with AAA Service
Firewall Feature Set Overview
Reasons for Installing a Firewall
Types of Firewalls
ACL and Packet Filter Firewalls
DMZ
Router
Internal HTTP server
ALG and Proxy Firewalls
Stateful Inspection Firewalls
XSR Firewall Feature Set Functionality
Stateful Firewall Inspection (SFI)
Filtering non-TCP/UDP Packets
Application Level Commands
Application Level Gateway
On Board URL Filtering
Importing URL Lists from an ASCII File
Writing URL List Entries
Enabling URL Filtering in Firewall Policy
Configuring URL Redirection
Denial of Service (DoS) Attack Protection
Alarm Logging
Alarms
Authentication
Firewall and NAT
Firewall and VPN
ACLs and Firewall
Dynamic Reconfiguration
Firewall CLI Commands
Firewall Limitations
Pre-configuring the Firewall
Steps to Configure the Firewall
XSR with Firewall
DMZ
Internal
XSR with Firewall, PPPoE and DHCP
PPPoE/NAT/Firewall
10.10.10.1
FE2 FE1
XSR with Firewall and VPN
172.16.1.0
router SSR
FE2
FE1
141.154.196.106
Configure the following IPSec SAs:
Configure the following four crypto maps to match ACLs 150, 140, 120, and 110:
Add a default route to the next hop Internet gateway:
Configure FastEthernet interface 1 to permit multicast packets in and out:
Configure FastEthernet interface 2 with the attached crypto map test:
Firewall Configuration for VRRP
Firewall Configuration for RADIUS Authentication and Accounting
Configuring Simple Security
RPC Policy Configuration
A
Alarms/Events, System Limits, and Standard ASCII Table
Recommended System Limits
Table A-4 XSR Limits (continued)
System Alarms and Events
The XSR exhibits the following logging behavior for all except firewall and NAT alarms:
Table A-4 XSR Limits (continued)
Table A-5 Alarm Behavior
Table A-6 High Severity Alarms/Events
Table A-7 Medium Severity Alarms/Events
Table A-8 Low Severity Alarms/Events
Table A-8 Low Severity Alarms/Events (continued)
Firewall and NAT Alarms and Reports
Standard ASCII Character Table
B
XSR SNMP Proprietary and Associated Standard MIBs
Service Level Reporting MIB Tables
etsysSrvcLvlMetricTable
etsysSrvcLvlOwnerTable
etsysSrvcLvlHistoryTable
etsysSrvcLvlNetMeasureTable
etsysSrvcLvlAggrMeasureTable
BGP v4 MIB Tables
General Variables Table
BGP v4 Peer Table
Table B-16 BGP v4 Peer Table (continued)
BGP-4 Received Path Attribute Table
Table B-17 BGP-4 Received Path Attribute Table
Table B-16 BGP v4 Peer Table (continued)
BGP-4 Traps
Table B-18 BGP-4 Traps
Table B-17 BGP-4 Received Path Attribute Table (continued)
Firewall MIB Tables
Global Interface Operations
Monitoring Objects
Policy Rule Table Totals Counters
Session Totals Table
Policy Rule True Table
Session Totals Counters
IP Session Counters
IP Session Table
Authenticated Address Counters
Authenticated Addresses Table
DOS Attacks Blocked Counters
VPN MIB Tables
etsysVpnIkePeer Table
etsysVpnIkePeerProposals Table
etsysVpnIkeProposal Table
etsysVpnIpsecPolicy Table
etsysVpnIntfPolicy Table
etsysVpnIpsecPolicyRule Table
etsysVpnIpsecPolProposals Table
etsysVpnIpsecProposal Table
etsysVpnIpsecPropTransforms Table
etsysVpnAhTransform Table
etsysVpnEspTransform Table
etsysVpnIpcompTransform Table
ipCidrRouteTable for Static Routes
Host Resources MIB Objects
Enterasys Configuration Management MIB
Enterasys Configuration Change MIB
Enterasys SNMP Persistence MIB
Table B-44 etsysConfigurationChange MIB (continued)
Table B-45 etsysSnmpPersistenceMIB
Enterasys Syslog Client MIB
Syslog Server Defaults
Units of Conformance
Table B-46 Enterasys Syslog Client MIB (continued)
Compliance Statements
Table B-46 Enterasys Syslog Client MIB (continued)