Configure ACLs | Enterasys Networks X-PeditionTM specs

QoS on VPN

XSR(config)#policy-map Ser

XSR(config-pmap-Ser>)#class RTP1

XSR(config-pmap-c<RTP1>)#priority high 100

XSR(config-pmap-c<RTP1>)#exit

XSR(config-pmap-Ser>)#class FTP1

XSR(config-pmap-c<FTP1>)#bandwidth percent 20

XSR(config-pmap-c<FTP1>)#exit

XSR(config-pmap-Ser>)#class class-default

XSR(config-pmap-c<class-default>)#set ip dscp 8

Configure ACLs:

XSR(config)#access-list 100 permit ip 101.0.0.0 0.0.0.255 102.0.0.0 0.0.0.255 XSR(config)#access-list 110 permit udp any 102.0.0.0 0.0.0.255 eq 3020 XSR(config)#access-list 115 permit tcp any 102.0.0.0 0.0.0.255 range 20 21

Configure the IKE policy foo for pre-share keys:

XSR(config)#crypto isakmp proposal foo

XSR(config-isakmp)#authentication pre-share

XSR(config-isakmp)#hash md5

XSR(config-isakmp)#exit

XSR(config)#crypto isakmp peer 0.0.0.0 0.0.0.0

XSR(config-isakmp-peer)#proposal foo

Configure the IPSec SA:

XSR(config)#crypto ipsec transform-set test esp-3des esp-md5-hmac XSR(cfg-crypto-tran)#no set security-association lifetime kilobytes XSR(cfg-crypto-tran)#no set security-association lifetime seconds XSR(cfg-crypto-tran)#exit

XSR(config)#crypto map test 10

XSR(config-crypto-m)#set transform-set test

XSR(config-crypto-m)#match address 100

XSR(config-crypto-m)#set peer 10.10.10.2

Configure GigabitEthernet interface 2 and Serial sub-interface 1/0:0

XSR(config)#interface GigabitEthernet 2

XSR(config-if<G1>)#ip address 101.0.0.101 255.255.255.0

XSR(config-if<G1>)#no shutdown

XSR(config-if<G1>)#exit

XSR(config)#interface serial 1/0

XSR(config<S1/1>)#exit

XSR(config)#interface serial 1/0:0

XSR(config-if<S1/0:0>)#crypto map test

XSR(config-if<S1/0:0>)#encapsulation ppp

XSR(config-if<S1/0:0>)#ip address 10.10.10.1 255.255.255.0

XSR(config-if<S1/0:0>)#service-policy output Ser

XSR(config-if<S1/0:0>)#no shutdown

Configure output VPN interface 1 for ToS byte copying, GRE, and other values:

XSR User’s Guide 12-21

Image 303

Enterasys Networks X-PeditionTM Configure ACLs, Configure the IKE policy foo for pre-share keys, Configure the IPSec SA

Contents

Version PeditionSecurity RouterPage Enterasys Networks, Inc Minuteman Road Andover, MA Federal Communications Commission FCC Notice Regulatory Compliance Information Class a ITE Notice Clase A. Aviso de ITE Product SafetyIndustry Canada Notices TTE Directive Declaration Vcci Notice Electromagnetic Compatibility EMCCompatibilidad Electromágnetica EMC Elektro- magnetische Kompatibilität EMC USA Declaration of Conformity Approved Enterasys Networks, Inc Firmware License Agreement Viii Page Page Contents Configuring an Interface Displaying Interface Attributes Configuring T1/E1 & T3/E3 Interfaces Configuring IPManaging LAN/WAN Interfaces How Triggered-on-Demand RIP Works Configuration Considerations Configuring the Border Gateway Protocol Route Reflectors Confederations Configuring PIM-SM and Igmp Configuring PPP Configuring Dialer Services Configuring Frame Relay 10-13 Configuring Quality of Service Configuring Integrated Services Digital Network Configuring Adsl Configuring the Virtual Private Network Configuring Dhcp Configuring Security on the XSR Appendix B XSR Snmp Proprietary and Associated Standard MIBs DOS Attacks Blocked Counters DOS Attacks Blocked Table Preface Contents of the Guide Following conventions are used in this guide Conventions Used in This Guide Bold/En negrilla FTP Getting Help Overview Overview XSR User’s Guide Overview Connecting via the Console Port on XSR Series Utilizing the Command Line Interface Connecting a Serial Interface to a Modem Using the Console Port to Remotely Control the XSR Connecting via Telnet Connecting via SSHTerminal Commands Synchronizing the Clock Accessing the Initial Prompt Remote Auto Install RAI Features and RequirementsManaging the Session Utilizing the Command Line Interface RAI Requirements on the XSR How RAI Components WorkFrame Relay Remote Router Frame Relay Central Site Bootp ClientReverse DNS Client Tftp Client Dhcp over LAN RAI over Ethernet PPP RAI over a Leased Line PPP RAI over a Dial-in LinePPP RAI over Adsl CLI Editing Rules CLI Shortcuts Command Description Setting CLI Configuration Modes Refer to -1for a graphic example of configuration modes CLI Configuration Modes Function Access Method Prompt Privileged Exec Mode Global Configuration ModeExiting From the Current Mode User Exec Mode Mode Examples Observing Command Syntax and ConventionsFollowing example Supported Virtual Interfaces CLI Command LimitsDescribing Ports and Interfaces Supported Physical Interfaces Supported Ports Setting Interface Type and NumberingSetting Port Configuration Mode Numbering XSR Slots, Cards, and Ports Dialer Example Configuration ExamplesT1 Example T1-PRI Isdn Example Following interfaces are added BRI-Dialer Idsn Example You may type Entering Commands that Control TablesAdding Table Entries Following sub-interfaces are added Displaying Table Entries Managing XSR InterfacesDeleting Table Entries Modifying Table Entries Disabling an Interface Configuring an InterfaceFollowing command enables an interface Enabling an Interface Performing Fault Management Logging CommandsManaging Message Logs Capturing Fault Report Data Fault Report Commands RTC/Network Clock Options Using the Real-Time ClockManaging the System Configuration RTC Commands Using the Default Button XSR 1800/1200 Series Only Resetting the Configuration to Factory Default Downloading the Configuration Configuration Save OptionsBulk Configuration Management Using File System Commands Uploading the Configuration/Crash Report Creating Alternate Configuration FilesFull-config Backup Creating Alternate Software Image Files BootRom Upgrade ChoicesPre-upgrade Procedures Managing the Software Image Using the Bootrom Update Utility Using TFTP, transfer updateBootrom.fls from the network Local Bootrom Upgrade XSR1800 bU bootromuncmp.fls Loading Software Images Using EOS Fallback to Upgrade the Image Configuring EOS Fallback via Snmp Configuring EOS Fallback on the CLI Set the operation to imageSetSelected Software Image CommandsConfiguration Change Hashing Downloading with Fips Security Memory Management Displaying System Status and StatisticsCreating Resources Network Management through Snmp Snmp Informs Shaping Trap TrafficStatistics Alarm Management Traps Network Monitoring via Service Level Agreement AgentMeasuring Performance Metrics Create a Measurement to Ping Via CLI Create an OwnerVia CLI Via Snmp Schedule a measurement Via CLI Following command schedules a measurement immediately Cabletron CTdownload MIB Full Configuration Backup/RestoreUsing the SLA Agent in Snmp Enterasys Configuration Management MIB CLI Translator Software Image Download using NetSightAppending CLI Commands to Configuration Files via Snmp Snmp Download with Auto-Reboot Option Network Management Tools Accessing the XSR Through the WebNetSight Atlas Router Services Manager Firmware Upgrade Procedures Auto-discovery Fault ReportingUsing the CLI for Downloads Using Snmp for Downloads LAN Features XSR supports the following LAN interface featuresOverview of LAN Interfaces MIB Statistics Configuring the LAN WAN Features XSR supports the following WAN interface featuresOverview of WAN Interfaces Configuring the WAN Following example configures the XSR to dial-out async Configuring the WAN Managing LAN/WAN Interfaces T1/E1 Functionality FeaturesT1/E1 Mode Overview E3 Mode T3 Mode T3/E3 Subsystem Configuration T1/E1 Subsystem Configuration Drop and Insert Features D&I NIM does not support channelized mode nor PRIT1 Drop & Insert One-to-One DS0 Bypassing Specify the controllers framing type Configuring Channelized T1/E1 InterfacesEnter the no shutdown command to enable the line Specify the clock source for the controller Enable the Serial line Configuring Un-channelized T3/E3 InterfacesEnable the Controller line Optionally, if you prefer to configure internal clocking T1/E1 & T3/E3 Physical Layer Troubleshooting Troubleshooting T1/E1 & T3/E3 Links XSRconfig#controller t1 1/0 XSRconfig-controllerT1-1/0# T1/E1 & T3/E3 Alarm Analysis Receive Alarm Indication Signal AIS Blue AlarmRestart the controller Transmit Alarm Indication Signal AIS Blue Alarm Receive Remote Alarm Indication RAI Yellow AlarmTransmit Remote Alarm Indication RAI Yellow Alarm Transmit Sending Remote Alarm Red Alarm XSR T1/E1 & T3/E3 Error Events Analysis Controller Slip Seconds Counter Increasing Configuring the D&I NIM Framing Loss Seconds IncreasingLine Code Violations Increasing Page General IP Features Configuring IP Secondary IP Telnet RIP Troubleshooting Tools Ping Traceroute IP Routing BOOTP/DHCP Relay ARP and Proxy ARPProxy DNS Broadcast Directed BroadcastLocal Broadcast Telnet TCP Interface & Secondary IP Trivial File Transfer Protocol TftpIP Interface Secondary IP Icmp & Secondary IP ARP & Secondary IP Unnumbered Interface & Secondary IP Routing Table Manager & Secondary IPOspf & Secondary IP RIP & Secondary IP Traceroute IP Routing ProtocolsMaximum Transmission Unit MTU Ping RIPv1 How Triggered-on-Demand RIP Works Triggered-on-Demand RIP IP Routing Protocols Ospf Ospf Database Overflow LSA Type 3 and 5 Summarization Ospf Passive Interfaces Following is a high priority Overflow Entered log reportFollowing is a high priority Overflow Exited log report Ospf Troubleshooting Null InterfaceRoute Preference Vlan Routing Static Routes 802.1Q Vlan Tag Forwarding VLAN, PPPoE over Vlan IP Routing Table Vlan Processing Over the XSR’s Ethernet Interfaces Vlan Ethernet to Fast/GigabitEthernet Topology Vlan Processing VLAN-enabled Ethernet to WAN Interfaces Accessing the Global Routing Policy Table Policy Based RoutingQoS with Vlan Match Clauses Set ClausesPBR Cache Default Network Classless Inter-Domain Routing CidrRouter ID Real Time Protocol RTP Header Compression Network Address Translation Features Virtual Router Redundancy Protocol XSR1 XSR2 Vrrp Definitions Different States of a Vrrp Router How the Vrrp Works Multiple VRs Per Router Vrrp FeaturesAuthentication Multiple Virtual IP Addresses per VR Proxy ARP Load BalancingARP Process on a Vrrp Router Host ARP Interface Monitoring Icmp Ping Watch Group Monitoring Equal-Cost Multi-Path Ecmp Configuration Considerations Central XSR Configuring RIP Examples Configuring RIP Examples Configuring Ospf Example Configuring Unnumbered IP Serial Interface Example Configuring NAT Examples Configuring Static TranslationBasic One-to-One Static NAT Dynamic Pool Configuration Configuring Dynamic Pool TranslationRegister the global NAT pool Bind the interface and optional ACL to the NAT pool Configuring NaptEnable an interface F1, for example Network Address and Port Translation 14 Multiple NAT Pools within Interface Multiple NAT Pools within an Interface Static NAT within an Interface 15 Static NAT within Interface Inside Outside Configuring Policy Based Routing Example Enter the following commands to enable NAT Port ForwardingNAT Port Forwarding Configuring Vrrp Example Router XSRaRouter XSRb Configuring Vlan Examples Following example configures a Vlan interface for PPPoEFor a QoS with Vlan example, refer to QoS with Vlan on Configuring the Border Gateway Protocol Open Describing BGP Messages Notification UpdateDefining BGP Path Attributes Keepalive Origin AS Path Local Preference Next Hop Local Preference Applied to Direct Egress Traffic from AS Atomic Aggregate Weight Multi-Exit Discriminator Aggregator Aspath Communities Community Application of Community Attribute BGP Routing Policy BGP Path Selection Process Route Maps Access Control ListsFilter Lists Community Lists Regular Expressions Regular Expression CharactersRegular Expression Examples Display all routes with any AS path Peer GroupsCreating a Peer Group Assigning Peer Group Options Adding BGP Neighbors Initial BGP ConfigurationResetting BGP Connections For an example, refer to Configuring BGP Neighbors on Synchronization Address AggregationRoute Flap Dampening Capability Advertisement Route RefreshRecommendations for Route Flap Dampening 10 Fully Meshed BGP Scaling BGP 11 Route Reflector Applied to Minimize Ibgp Mesh Route Reflectors Confederations 12 Use of Confederations to Reduce Ibgp Mesh Sub AS-302 Displaying System and Network Statistics Configuring BGP Route Maps BGP Path Filtering by Neighbor Example Configuring BGP Neighbors BGP Aggregate Route Examples Configuring BGP Confederations This section details Ibgp and an Ebgp peer group examples Configuring BGP Peer GroupsTCP MD5 Authentication for BGP Example Ibgp Peer Group Example BGP Community with Route Maps Examples Ebgp Peer Group Example XSRconfig#router bgp XSRconfig-router#network 1.0.0.0 mask Configuring BGP Peer Groups Differences with Industry-Standard Approach Configuring PIM-SM and Igmp Defining Multicast Group Addressing IP Multicast Overview Comparing Multicast Distribution Trees Outlining Igmp Versions Forwarding Multicast Traffic Describing the XSR’s IP Multicast Features Group Membership Actions Sending and Receiving Queries and ReportsSending a Query Interoperating with Older Igmp Versions Describing the XSR’s PIM-SM v2 Features Behavior of Group Members Among Older Version Group MembersBehavior of Multicast Routers Among Older Version Queriers Phase 2 Building Shortest Path Tree Between Sender & RP Phase 1 Building a Shared Tree Phase 2 Topology Shortest Path Tree Between Sender and RP Neighbor Discovery and DR Election Assert Processing Bootstrap & Rendezvous PointPIM Register Message PIM Join/Prune Message PIM SM over Frame Relay Source-Specific Multicast PIM Configuration Examples PIM Configuration Examples Configuring PIM-SM and Igmp PPP Features Configuring PPP Network Control Protocol NCP Link Control Protocol LCP Microsoft Challenge Handshake Protocol MS-CHAP AuthenticationPassword Authentication Protocol PAP Challenge Handshake Authentication Protocol Chap Multilink PPP Mlppp Link Quality Monitoring LQM Multi-Class Mlppp Multilink Header Option Format Multilink Head Format Negotiation Fragment Interleaving Over the Link Multi-Class Receiving Packet Events and AlarmsIP Control Protocol Ipcp Multi-Class Option Negotiation IP Address Assignment PPP Bandwidth Allocation/Control Protocols BAP/BAPC Enter encapsulation ppp to enable PPP encapsulation Configuring PPP with a Dialed Backup LineConfiguring a Synchronous Serial Interface Enter the media-type for the interface default RS232 Enter no shutdown to enable this interface Configuring a Dialed Backup LineConfiguring the Dialer Interface Configuring the Physical Interface for the Dialer Interface Configure interface dialer 1 to use dial pool Configuring the Interface as the Backup Dialer Interface Configuring Mlppp on a Multilink/Dialer interface Multilink ExampleDialer Example Configuring BAP Dual XSRs One Router Using DoD with Call RequestXSR1 Configuration XSR2 Configuration Configure the Dialer 1 interface with a dialer poolConfigure the dialer list and ACL for DoD Dual XSRs BAP Using Call/Callback Request Configuring BAP Configuring BAP Configuring PPP DLCIs Virtual Circuits DCEs DTEs Multi-Protocol Encapsulation Frame Relay Features Rate Enforcement CIR Generic Traffic Shaping Address ResolutionDynamic Resolution Using Inverse ARP Controlling Congestion in Frame Relay Networks Discard Eligibility DE Bit Forward Explicit Congestion Notification FecnBackward Explicit Congestion Notification Becn Controlling Congestion in Frame Relay Networks Sub-interfaces Link Management Information LMI User Configuration Commands FRF.12 FragmentationEnd-to-End Fragmentation Clear Statistics Reports and AlarmsMap-Class Configuration Show Running Configuration Minneapolis Houston Memphis Interconnecting via Frame Relay Network Multi-point to Point-to-Point Example Configuring Frame Relay Configuring Frame Relay Configuring Frame Relay Configuring Frame Relay Dial Services Features Overview of Dial Services AT Commands on Asynchronous Ports Asynchronous and Synchronous Support25bis over Synchronous Interfaces DTR Dialing for Synchronous Interfaces Time of Day featureTypical Use for Dial Services Ethernet Backup Dialer Profiles Implementing Dial Services Addressing Dialer Resources Dialer InterfaceDialer Strings Dialer Pool Isdn Callback Configuring Encapsulation Logical View of Dialer Profiles Sample Dialer Topology Dialer Profile of Destination 416 Dialer Profile of Destination 987 Creating and Configuring the Dialer Interface Configure a backup link for dial purposes with priority Sample Dialer ConfigurationConfiguring the Map Class Configuring the Physical Interface for the Dialer Interface Point-to-Multipoint with One Neighbor Configuring Isdn CallbackPoint-to-Point with Matched Calling/Called Numbers Point-to-Point with Different Calling/Called Numbers Overview of Dial Backup Sequence of Backup EventsDial Backup Features Backup Link Failure Example Link Failure Backup Example Configure backup serial port for dialing purposes Configuring Interface as the Backup Dialer Interface Sample Configuration Configure interface dialer 2 to use dial poolDialer Overview of Dial on Demand/Bandwidth on Demand Dialer Watch Dialer Interface Spoofing Dialer Watch Topology Dialer Watch Behavior Caveat Answering Incoming Isdn Calls Node a Calling Node Configuration Following command maps ACL 101 to dialer groupIncoming Call Mapping Example Node D Calling Node Configuration Node B Called Node Configuration Following command maps ACL 1061 to dialer group Configuring DoD/BoD 11 Dial on Demand Topology PPP Point-to-Multipoint Configuration Node a Configuration PPP Multipoint-to-Multipoint Configuration PPP Point-to-Point Configurations Node B ConfigurationFollowing command maps ACL 105 to dialer group Following commands configure dialer interface Dial-in Routing for Dial on Demand ExampleDial-out Routing for Dial on Demand Example 13 PPP Point-to-Multipoint Topology PPP Point-to-Multipoint Configurations Dial-in Router Example Dial-out Router Example Following command sets remote user authentication Mlppp Point-to-Multipoint Configuration 14 Mlppp Point-to-Point Topology Mlppp Point-to-Point Configurations Mlppp Point-to-Multipoint Configurations 15 Mlppp Point-to-Multipoint Topology Mlppp Multipoint-to-Multipoint Configuration Bandwidth-on-Demand Switched PPP Multilink Configuration Following command maps ACL 106 to dialer group Node C Called Node Configuration Backup Configuration Backup Using IsdnNode a Backed-up Node Configuration XSRconfig#username toronto privilege 0 password cleartext z Configuration for Backup with Mlppp Bundle Following command configures Serial sub-interface 2/00Following command configures Serial sub-interface 2/01 Following commands configure Serial sub-interface 2/00 Configuration for Ethernet Failover Configuration for Frame Relay Encapsulation Backup Configuration Configuring Dialer Services Leased line Isdn configuration examples T1 PRI E1 PRI Isdn Features BRI Features PRI FeaturesUnderstanding Isdn Channel Basic Rate InterfacePrimary Rate Interface Channels Channel Signaling and Carrier Networks Isdn Equipment ConfigurationsChannel Standards Security Bandwidth Optimization Q921 Decoding Call MonitoringIsdn Trace Trace Decoding Reference Parameters Q931 Decoding Status + Next line 04 Bearer capability BRI NI-1, DMS100 & 5ESS Spid Registration Isdn ConfigurationTerminal Endpoint Identifier TEI Management Procedures Decoded IEs BRI Switched Configuration Model Switched BRI Configuration Model PRI Configuration Model PRI Configuration Model Interface BRI 0/1/21 Leased-Line Configuration Model Following example configures a switched line BRI connection More Configuration ExamplesFollowing example configures a PRI connection on a T1 card Following example configures a PRI connection on an E1 card BRI Leased PPP Following example configures a leased-line BRI connectionIsdn ITU Standard Q.931 Call Status Cause Codes BRI Leased Line Call Status Cause Codes Code Cause Incoming calls barred Configuring Quality of Service Traffic Classification Mechanisms Providing QoS Describing the Policy Map Describing the Class Map Describing Class-Based Weight Fair Queuing Queuing and Services Describing Priority Queues Configuring CbwfqConfiguring Priority Queues Measuring Bandwidth Utilization Configuring Traffic Policing Describing Traffic PolicingAssign the class frost to the priority queue Class-based Traffic Shaping Traffic Shaping per Policy-Map Traffic Shaping and Queue Limit Differences Between Traffic Policing and Traffic Shaping Congestion Control & Avoidance Describing Queue Size Control Drop TailDescribing Random Early Detection RED Drop Probability Calculation Describing Weighted Random Early Detection VPN Configuration per Interface Suggestions for Using QoS on the XSR Configuring QoS with Mlppp Multi-ClassQoS and Link Fragmentation and Interleaving LFI QoS with Vlan Configuring QoS with FRF.12 Vlan Packet with Priority Routed out a Serial Interface Describing Vlan QoS Packet Flow LAN/QoS Serial Scenario QoS with Vlan Configuration Process QoS on VPN QoS on Input QoS over VPN Features Configuring QoS on a Physical InterfaceConfiguring QoS on a Virtual Tunnel Interface QoS on a Virtual Interface Example Configure the output policy map Ser classes RTP1 and FTP1 Configure the input policy map Vpn classes RTP and FTP Configure ACLs Configure the IKE policy foo for pre-share keysConfigure the IPSec SA Route QoS and VPN Interaction AH Hmac ESP+3DES Configuring the Shaper on the VPN Interface QoS Policy Configuration Examples Simple QoS on Physical Interface PolicyCreate the policy map QoS for Frame Relay Policy Apply the configuration to the interface QoS with Mlppp Multi-Class Policy QoS with FRF.12 Policy Input and Output QoS Policy QoS with Vlan Policy Input QoS on Ingress to the Diffserv Domain Policy QoS Policy Configuration Examples Configuring Adsl PPP over ATM PDU Encapsulation Choices PPP over Ethernet over ATM Routed PPPoA Network Diagram Routed IP over ATM PPPoE Network Diagram Adsl Limitations Adsl HardwareNIM Card DSP Firmware Adsl Data FramingATM Support Adsl on the Motherboard OAM Cells Access Concentrator RestrictionsClass of Service Dslam Compatibility PPPoE Configuration ExamplesInverse ARP QoS Following optional commands configure two default routes Following optional commands configure NATPPPoA IPoA Enter the following commands to configure a IPoA topology VPN Overview Internet Security Issues How a Virtual Private Network Works Ensuring VPN Security with IPSec/IKE/GRE Transport Mode Processing GRE over IPSec Tunnel Mode Processing Describing Public-Key Infrastructure PKI Defining VPN EncryptionDigital Signatures Machine Certificates for the XSR Certificates Certificate Chains CA Hierarchies Certificate Chain Example RA Mode CRL Retrieval Pending ModeEnroll Password DF Bit Functionality VPN Applications Site-to-Site Networks Site-to-Central-Site NetworksNAT Traversal Internet Client Mode Network Extension Mode NEM Remote Access Networks Using Ospf Over a VPN Network Ospf CommandsConfiguring Ospf Over Site-to-Central Site in Client Mode Client ServerServer Client Internet Interfaces Fast/GigabitEthernet 1 and VPN Configuring Ospf with Fail Over RedundancyServer Client XSR VPN Features LimitationsInterfaces Fast/GigabitEthernet 1, VPN 1 and VPN Napt Master Encryption Key Generation VPN Configuration Overview Configuring ACLs ACL Configuration Rules SA lifetimes Selecting Policies IKE/IPSec Transform-Sets Security Policy Considerations Configuring Policy Creating Crypto Maps Configuring Crypto Maps User-Name Authentication, Authorization and Accounting Configuration Configuring AAA AAA Commands PKI Configuration Options PKI Certificate Enrollment Example Configuring PKI CA-AUTHENTICATED XSRconfig#ip domain acme.com Interface VPN Options Configuring a Simple VPN Site-to-Site Application VPN Interface Sub-CommandsFollowing sub-commands are available at VPN Interface mode XSRconfig#crypto isakmp proposal Test XSRconfig-crypto-m#description external interface Configuring the VPN Using EZ-IPSec XSRconfig#interface vpn 1 point-to-point EZ-IPSec Configuration XSR with VPN Central Gateway Configure IKE policy for the remote peer Configure the following four IPSec SAsAdd ACLs to permit IP and UDP traffic Add a default route to the next hop Internet gateway Configure and enable the FastEthernet 1 interface Clear the DF bit globally Create a group for NEM and Client mode users Tunnel a XSR-3250 VPN GRE Site-to-Site Tunnel GRE Tunnel for Ospf XSRconfig-isakmp-peer#proposal shared Tunnel B XSR-1805 VPN GRE Site-to-Site Tunnel Enable Ospf on the trusted and VPN interfaces Enable Ospf on the trusted and VPN interfaces XSR/Cisco Site-to-Site Example Cisco Configuration XSR Configuration Scenario 1 Gateway-to-Gateway with Pre-Shared Secrets Interoperability Profile for the XSR Configure the Gateway a external LAN network AW Configure a default routeConfigure IKE Phase 1 policy Interoperability Profile for the XSR 14 Gateway-to Gateway with Certificates Topology Scenario 2 Gateway-to-Gateway with Certificates XSR#clock timezone -7 State CA-AUTHENTICATED Overview of Dhcp Configuring Dhcp Dhcp Server Standards How Dhcp Works Temporary or Permanent Network Address Allocation Dhcp ServicesAssigned Network Configuration Values to Clients Options Persistent Storage of Network Parameters for Clients Pool subnet Bootp Legacy SupportProvisioning Differentiated Network Values by Client Class Nested Scopes IP Pool Subsets Manual Bindings Scope Caveat Dhcp Client Interaction Dhcp Client ServicesRouter Option Parameter Request List Option Interaction with Remote Auto Install RAI Dhcp Client Timeouts Dhcp CLI Commands Configuring Dhcp Network Configuration Parameters Dhcp Set Up OverviewConfiguration Steps Configuring Dhcp Address Pools Optional Configure a Dhcp Manual Binding Configure Dhcp Network ParametersEnable the Dhcp Server Optional Set Up a Dhcp Nested Scope Manual Binding with Class Example Dhcp Server Configuration ExamplesPool with Hybrid Servers Example Manual Binding Example Dhcp Option Examples Bootp Client Support Example Access Control Lists Configuring Security on the XSR LANd Attack ACL Violations Alarm ExampleFirst alarms logged will display as follows Packet Filtering Spoofed Address Check Smurf AttackFraggle Attack IP Packet with Multicast/Broadcast Source Address Ping of Death Attack General Security PrecautionsSpurious State Transition Large Icmp Packets AAA Services Connecting Remotely via SSH or Telnet with AAA Service PuTTY Exit Option PuTTY Alert Message Reasons for Installing a Firewall Firewall Feature Set Overview ACL and Packet Filter Firewalls Types of Firewalls ALG and Proxy Firewalls Filtering non-TCP/UDP Packets XSR Firewall Feature Set FunctionalityStateful Inspection Firewalls Stateful Firewall Inspection SFI Application Level Gateway Application Level Commands Enabling URL Filtering in Firewall Policy On Board URL FilteringImporting URL Lists from an Ascii File Writing URL List Entries Configuring URL Redirection Denial of Service DoS Attack Protection Alarms Alarm Logging 12 Authentication Process Authentication ACLs and Firewall Dynamic ReconfigurationFirewall and NAT Firewall and VPN Firewall CLI Commands Firewall CLI Commands 13 Sample Telnet Screen Firewall Limitations Steps to Configure the Firewall Pre-configuring the Firewall XSR with Firewall Log only critical events Complete LAN and WAN interface configuration 15 XSR Firewall with PPPoE DSL and Dhcp XSR with Firewall, PPPoE and Dhcp XSR with Firewall and VPN Configure the Dhcp pool, DNS server and related settings Add four ACLs to permit IP pool, L2TP and NEM traffic XP PC NEM Configure the following IPSec SAs XSRconfig#ip local pool test 10.120.70.0 Define the local pool network used for tunnel IP addresses Define the Internet as all possible IP addressesDefine the public VPN interface crypto map Define three trusted networks in the enterprise Define service for Radius accounting Define service for IsakmpDefine service for L2TP tunnels Define service for Radius authentication Firewall Configuration for Vrrp Load the firewall configurationConfigure Radius network objects Configuring Simple Security RPC Policy Configuration Configuration Examples Configuring Security on the XSR Recommended System Limits Alarms/Events, System Limits Standard Ascii Table Snmp views Table A-5 Alarm Behavior System Alarms and Events Driv ETH1 ETH0 Table A-6 High Severity Alarms/Events Table A-7 Medium Severity Alarms/Events Sntp PPP MS-CHAP authentication failed while Shutdown command Portchannel Corrected the problem by resetting itself Table A-9 Firewall and NAT Alarms Firewall and NAT Alarms and Reports NAT TCP reset, NAT port %d, %IPP2 UDP Detected UDP Flood attack %IPP2 Deny Icmp unsupported packet %IP2ICMP UDP Request Entry pool is empty Space Standard Ascii Character Table Standard Ascii Character Table Service Level Reporting MIB Tables EtsysSrvcLvlMetricTableVPN MIB Tables on page B-12 EtsysSrvcLvlHistoryTable EtsysSrvcLvlOwnerTable EtsysSrvcLvlNetMeasureTable Field Example CLI command Rtr schedule aliased to EtsysSrvcLvlAggrMeasureTable BGP v4 MIB Tables General Variables TableBGP v4 Peer Table BgpPeerAdminStatus Bgp4PathAttrIpAddrPrefix BGP-4 Received Path Attribute Table BGP-4 Traps Global Interface Operations Firewall MIB Tables Session Totals Counters Monitoring ObjectsPolicy Rule Table Totals Counters Policy Rule True Table IP Session Table Authenticated Address CountersAuthenticated Addresses Table IP Session Counters VPN MIB Tables DOS Attacks Blocked CountersDOS Attacks Blocked Table EtsysVpnIkePeerProposals Table EtsysVpnIkePeer Table EtsysVpnIkeProposal Table EtsysVpnIpsecPolicy TableEtsysVpnIntfPolicy Table EtsysVpnIpsecPolProposals Table EtsysVpnIpsecPolicyRule Table EtsysVpnIpsecProposal Table EtsysVpnIpsecPropTransforms TableEtsysVpnAhTransform Table EtsysVpnIpcompTransform Table EtsysVpnEspTransform Table Host Resources MIB Objects IpCidrRouteTable for Static Routes Field Description ConfigMgmtOperations Enterasys Configuration Management MIB Field Description EtsysConfigChangeNonVolatile Group Enterasys Configuration Change MIB Enterasys Snmp Persistence MIB Field Description EtsysSyslogClient Group Enterasys Syslog Client MIB Table B-46 Enterasys Syslog Client MIB Compliance Statements