Enterasys Networks X-PeditionTM Client Mode, Network Extension Mode

VPN Applications

14-12 Configuring the Virtual Private Network

If you filter traffic with ACLs, you will need to write an ACL similar to this example: access-

list 101 permit udp any host 192.168.57.4 eq 4500. If you enable the XSR firewall,

refer to “Configuring Security on the XSR” on page 16-1 for more information. You can verify

traffic is passing the NAT device by entering the show crypto ipsec sa command. It displays

the following sample output, citing Port 4500 and UDP-encaps(ulation).

63.81.64.58/32, UDP, 1701 ==> 63.81.64.89/32, UDP, 1701 : 490 packets

ESP: SPI=6723a3c3, Transform=3DES/HMAC-SHA, Life=2384S/249895KB

Local crypto endpt.=63.81.64.89:4500, Remote crypto endpt.=63.81.64.58:20002

Encapsulation=Transport UDP-Encaps

Depending on the type of IP address management configured on the connecting site of this

application, site-to-central-site networks can be built two ways, as shown in Figure 14-6.

Figure 14-6 Site-to-Central-Site Topology

Client Mode and Network Extension Mode tunnels require the use of EZ-IPSec on the client XSR,

placing the majority of the configuration effort on the central site XSR.

Client Mode

When the XSR connects to the central site tunnel server, the tunnel server assigns the client XSR an

IP address, which can be chosen from an internal pool kept by the tunnel server. Hosts residing on

the private LAN obtain IP addresses from the DHCP server running in the XSR.

Each session between a host on the private LAN and a server on the corporate network is NAT-ed.

From the corporate perspective, the entire private LAN is represented as a single IP address. Since

hosts on the private LAN are not visible from the corporate network, traffic must be initiated from

Routing

VPN tunnel

Internet

updates

DHCP server

ISP NAT

Private LAN

XSR/Central site tunnel server

Addressing on this LAN segment

is hidden from the corporate

network by NAT in the XSR

Routing

VPN tunnel

Internet

XSR/VPN Gateway

updates

DHCP server

ISP NAT

Branch LAN

DHCP relay

DHCP server

Addressing in this LAN segment

is an extension of the

corporate network

Client ModeNetwork Extension Mode

Corporate network

Corporate network

Internal NAT/

DHCP server

XSR/VPN Gateway

XSR/Central site tunnel server

Contents

Main Page Notice Regulatory Compliance Information Federal Communications Commission (FCC) Notice Industry Canada Notices R & TTE Directive Declaration Class A ITE Notice Clase A. Aviso de ITE Klasse A ITE Anmerkung Page Declaration of Conformity N826 Australian Telecom Federal Information Processing Standard (FIPS) Certification Independent Communications Authority of South Africa SS/366.01 APPROVED VPN Consortium Interoperability Enterasys Networks, Inc. Firmware License Agreement Page Page Page Contents Preface Chapter 1: Overview Chapter 2: Managing the XSR Page Chapter 3: Managing LAN/WAN Interfaces Chapter 4: Configuring T1/E1 & T3/E3 Interfaces Chapter 5: Configuring IP Page Chapter 6: Configuring the Border Gateway Protocol Chapter 7: Configuring PIM-SM and IGMP Chapter 8: Configuring PPP Chapter 9: Configuring Frame Relay Chapter 10: Configuring Dialer Services Page Chapter 11: Configuring Integrated Services Digital Network Chapter 12: Configuring Quality of Service Chapter 13: Configuring ADSL Chapter 14: Configuring the Virtual Private Network Chapter 15: Configuring DHCP Chapter 16: Configuring Security on the XSR Appendix A: Alarms/Events, System Limits, and Standard ASCII Table Appendix B: XSR SNMP Proprietary and Associated Standard MIBs Page Preface Contents of the Guide Conventions Used in This Guide + Getting Help Overview Page Page Page Managing the XSR Utilizing the Command Line Interface Connecting via the Console Port on XSR Series Using the Console Port for Dial Backup on the XSR 1800 Series Using the Console Port to Remotely Control the XSR Connecting a Serial Interface to a Modem Terminal Commands Connecting via Telnet Connecting via SSH Accessing the Initial Prompt Synchronizing the Clock Managing the Session Remote Auto Install RAI Features and Requirements Page RAI Requirements on the XSR How RAI Components Work Frame Relay (Remote Router) Bootp Client Reverse DNS Client TFTP Client Frame Relay (Central Site) DHCP over LAN (RAI over Ethernet) PPP RAI over a Leased Line PPP RAI over a Dial-in Line PPP RAI over ADSL CLI Editing Rules Setting CLI Configuration Modes Table 2-3 CLI Configuration Modes Mode Function Access Method Prompt User EXEC Mode Privileged EXEC Mode Global Configuration Mode Exiting From the Current Mode Mode Examples Observing Command Syntax and Conventions CLI Command Limits Describing Ports and Interfaces Supported Physical Interfaces Supported Virtual Interfaces Supported Ports Numbering XSR Slots, Cards, and Ports Setting Port Configuration Mode Setting Interface Type and Numbering Configuration Examples Page Entering Commands that Control Tables Adding Table Entries Deleting Table Entries Modifying Table Entries Displaying Table Entries Managing XSR Interfaces Enabling an Interface Disabling an Interface Configuring an Interface Displaying Interface Attributes Managing Message Logs Logging Commands Performing Fault Management Fault Report Commands Capturing Fault Report Data Using the Real-Time Clock RTC/Network Clock Options RTC Commands Managing the System Configuration Resetting the Configuration to Factory Default Using the Default Button (XSR 1800/1200 Series Only) Configuration Save Options Using File System Commands Bulk Configuration Management Downloading the Configuration Uploading the Configuration/Crash Report Full-config Backup Creating Alternate Configuration Files Managing the Software Image Creating Alternate Software Image Files BootRom Upgrade Choices Upgrading from Version 2.xx to 3.xx code on the XSR 1800 Series Upgrading from Version 1.xx to 2.xx code on the XSR 1800 Series Using the Bootrom Update Utility Page Local Bootrom Upgrade Page Loading Software Images Using EOS Fallback to Upgrade the Image Configuring EOS Fallback on the CLI Configuring EOS Fallback via SNMP Downloading with FIPS Security Software Image Commands Configuration Change Hashing Displaying System Status and Statistics Memory Management Creating Resources Network Management through SNMP SNMP Informs Shaping Trap Traffic Statistics Alarm Management (Traps) Network Monitoring via Service Level Agreement Agent Measuring Performance Metrics Configuration Examples Create an Owner Via SNMP Create a Measurement to Ping Page Query a Measurement Via SNMP Using the SLA Agent in SNMP Full Configuration Backup/Restore Cabletron CTdownload MIB Enterasys Configuration Management MIB Software Image Download using NetSight SNMP Download with Auto-Reboot Option CLI Translator Appending CLI Commands to Configuration Files via SNMP Accessing the XSR Through the Web Network Management Tools NetSight Atlas Router Services Manager v2.0 Firmware Upgrade Procedures Using the CLI for Downloads Fault Reporting Auto-discovery Managing LAN/WAN Interfaces Overview of LAN Interfaces LAN Features Configuring the LAN MIB Statistics Overview of WAN Interfaces WAN Features Configuring the WAN Page Page Configuring T1/E1 & T3/E3 Interfaces T1/E1 Functionality T3/E3 Functionality T1/E1 Mode T3 Mode E3 Mode T1/E1 Subsystem Configuration T3/E3 Subsystem Configuration T1 Drop & Insert One-to-One DS0 Bypassing Drop and Insert Features PSTN Frame Relay Configuring Channelized T1/E1 Interfaces Configuring Un-channelized T3/E3 Interfaces Troubleshooting T1/E1 & T3/E3 Links T1/E1 & T3/E3 Physical Layer Troubleshooting Page T1/E1 & T3/E3 Alarm Analysis Receive Alarm Indication Signal (AIS - Blue Alarm) Receive Remote Alarm Indication (RAI - Yellow Alarm) Transmit Remote Alarm Indication (RAI - Yellow Alarm) Transmit Sending Remote Alarm (Red Alarm) Transmit Alarm Indication Signal (AIS - Blue Alarm) Figure 4-5 T1/E1 & T3/E3 Alarm Analysis Troubleshooting Actions Flow (Part 2) T1/E1 & T3/E3 Error Events Analysis displaying troubleshooting actions. controller output. Here are some troubleshooting steps you can perform with a flowchart Figure 4-6 T1/E1 & T3/E3 Error Events Analysis Troubleshooting Flowchart Slip Seconds Counter Increasing Framing Loss Seconds Increasing Line Code Violations Increasing Configuring the D&I NIM Page Configuring IP General IP Features Page Page ARP and Proxy ARP Proxy DNS BOOTP/DHCP Relay Broadcast Directed Broadcast Local Broadcast ICMP TCP UDP Tel net SSH Trivial File Transfer Protocol (TFTP) IP Interface Secondary IP Interface & Secondary IP ARP & Secondary IP ICMP & Secondary IP Routing Table Manager & Secondary IP OSPF & Secondary IP RIP & Secondary IP Unnumbered Interface & Secondary IP NAT & Secondary IP IP Routing Protocols RIPv1 and v2 Triggered-on-Demand RIP How Triggered-on-Demand RIP Works Page OSPF LSA Type 3 and 5 Summarization OSPF Database Overflow OSPF Passive Interfaces OSPF Troubleshooting Null Interface Route Preference Static Routes VLAN Routing Forwarding VLAN, PPPoE over VLAN WAN XSR VLAN Processing Over the XSRs Ethernet Interfaces VLAN Processing: VLAN-enabled Ethernet to Standard LAN Interfaces Figure 5-5 VLAN Ethernet to Fast/GigabitEthernet Topology VLAN Processing: VLAN-enabled Ethernet to WAN Interfaces VLAN Processing: WAN Interface to a VLAN-enabled Ethernet Interface QoS with VLAN Policy Based Routing Accessing the Global Routing Policy Table Match Clauses Set Clauses PBR Cache Default Network Classless Inter-Domain Routing (CIDR) Router ID Real Time Protocol (RTP) Header Compression Network Address Translation Features Virtual Router Redundancy Protocol VRRP Definitions How the VRRP Works Different States of a VRRP Router VRRP Features Multiple Virtual IP Addresses per VR Multiple VRs Per Router Authentication Load Balancing ARP Process on a VRRP Router Host ARP Proxy ARP Gratuitous ARP ICMP Ping Interface Monitoring Watch Group Monitoring Physical Interface and Physical IP Address Change on a VRRP Router Equal-Cost Multi-Path (ECMP) Configuration Considerations Figure 5-10 ECMP VPN Load Balancing Topology Configuring RIP Examples Central XSR Remote XSR1 Remote XSR2 Page Configuring Unnumbered IP Serial Interface Example Configuring OSPF Example Configuring NAT Examples Basic One-to-One Static NAT Configuring Static Translation Dynamic Pool Configuration Configuring Dynamic Pool Translation Network Address and Port Translation Configuring NAPT Multiple NAT Pools within an Interface Static NAT within an Interface Page NAT Port Forwarding Configuring Policy Based Routing Example Configuring VRRP Example Router XSRa Router XSRb Configuring VLAN Examples The following example configures a VLAN interface on FastEthernet sub-interfaces 2.1 and 2.2: For a QoS with VLAN example, refer to QoS with VLAN on page 14. The following example configures a VLAN interface for PPPoE: Configuring the Border Gateway Protocol Describing BGP Messages Open Update Keepalive Notification Defining BGP Path Attributes AS Path Origin Next Hop Local Preference Page Weight Atomic Aggregate Aggregator Multi-Exit Discriminator Community Page Page Access Control Lists Filter Lists Community Lists Route Maps Regular Expressions Regular Expression Characters Regular Expression Examples Peer Groups Creating a Peer Group Assigning Peer Group Options Initial BGP Configuration Adding BGP Neighbors Resetting BGP Connections Synchronization Address Aggregation Route Flap Dampening Recommendations for Route Flap Dampening Capability Advertisement Route Refresh Scaling BGP Route Reflectors Confederations Displaying System and Network Statistics Configuring BGP Route Maps Configuring BGP Neighbors BGP Path Filtering by Neighbor Example BGP Aggregate Route Examples Configuring BGP Confederations TCP MD5 Authentication for BGP Example Configuring BGP Peer Groups IBGP Peer Group Example EBGP Peer Group Example BGP Community with Route Maps Examples Page Page Configuring PIM-SM and IGMP Differences with Industry-Standard Approach IP Multicast Overview Defining Multicast Group Addressing Outlining IGMP Versions Comparing Multicast Distribution Trees Forwarding Multicast Traffic Describing the XSRs IP Multicast Features Group Membership Actions Sending and Receiving Queries and Reports Sending a Query Receiving a Query Receiving a Report Interoperating with Older IGMP Versions Query Version Distinctions Behavior of Group Members Among Older Version Queriers Behavior of Group Members Among Older Version Group Members Behavior of Multicast Routers Among Older Version Queriers Describing the XSRs PIM-SM v2 Features Phase 1: Building a Shared Tree Phase 2: Building Shortest Path Tree Between Sender & RP Phase 3: Building Shortest Path Tree Between Sender & Receiver Neighbor Discovery and DR Election PIM Register Message PIM Join/Prune Message Bootstrap & Rendezvous Point Assert Processing Source-Specific Multicast PIM SM over Frame Relay PIM Configuration Examples Page Configuring PPP PPP Features Link Control Protocol (LCP) Network Control Protocol (NCP) Authentication Password Authentication Protocol (PAP) Challenge Handshake Authentication Protocol (CHAP) Microsoft Challenge Handshake Protocol (MS-CHAP) Link Quality Monitoring (LQM) Multilink PPP (MLPPP) Multi-Class MLPPP MLPPP Packet Fragmentation and Serialization Transmission Latency Fragment Interleaving Over the Link Multilink Head Format Negotiation Events and Alarms Multi-Class Option Negotiation Multi-Class Receiving Packet IP Control Protocol (IPCP) IP Address Assignment PPP Bandwidth Allocation/Control Protocols (BAP/BAPC) Configuring PPP with a Dialed Backup Line Configuring a Synchronous Serial Interface Configuring a Dialed Backup Line Configuring the Physical Interface for the Dialer Interface Configuring the Interface as the Backup Dialer Interface Configuring MLPPP on a Multilink/Dialer interface Multilink Example Dialer Example Configuring BAP Dual XSRs: One Router Using DoD with Call Request XSR1 Configuration XSR2 Configuration 3. Configure the Dialer 1 interface with a dialer pool: 4. Set up BAP on Dialer 1 by enabling BAP and adding BAP phone numbers for XSR1 to call. Dual XSRs: BAP Using Call/Callback Request XSR1 Configuration XSR2 Configuration Page Page Configuring Frame Relay Virtual Circuits DLCIs Page Frame Relay Features Multi-Protocol Encapsulation Address Resolution Dynamic Resolution Using Inverse ARP Controlling Congestion in Frame Relay Networks Rate Enforcement (CIR) - Generic Traffic Shaping Discard Eligibility (DE) Bit Forward Explicit Congestion Notification (FECN) Backward Explicit Congestion Notification (BECN) Page Link Management Information (LMI) Sub-interfaces FRF.12 Fragmentation End-to-End Fragmentation User Configuration Commands Map-Class Configuration Show Running Configuration Reports and Alarms Clear Statistics Interconnecting via Frame Relay Network Frame Relay Central Sites Branch Sites Network Configuring Frame Relay Multi-point to Point-to-Point Example New York Andover Montreal Frame Relay Network Configure Serial sub-interface 2/0.1 for a multi-point connection with DLCIs 980 and 960: On the Andover XSR, create the QoS class maps similar to those on the New York XSR: Configure the policy map frf12 with criteria similar to those on the New York XSR: Configure Serial sub-interface 2/0.1 for a point-to-point connection with DLCI 980: On the Montreal XSR, create the QoS class maps similar to those on the New York XSR: Configure the policy map frf12 with criteria similar to those on the New York XSR: Configure Serial sub-interface 2/0.1 for a point-to-point connection with DLCI 960: Page Configuring Dialer Services Overview of Dial Services Dial Services Features Asynchronous and Synchronous Support AT Commands on Asynchronous Ports V.25bis over Synchronous Interfaces DTR Dialing for Synchronous Interfaces Time of Day feature Typical Use for Dial Services Ethernet Backup Implementing Dial Services Dialer Profiles Dialer Profile Dialer Interface Dialer Strings Dialer Pool Addressing Dialer Resources Configuring Encapsulation ISDN Callback XSR Users Guide 10-7 Figure 10-3 Logical View of Dialer Profiles 10-8 Configuring Dialer Services Figure 10-4 Sample Dialer Topology XSR Users Guide 10-9 Figure 10-5 Dialer Profile of Destination (416) 123-4456 Creating and Configuring the Dialer Interface Configuring the Map Class Configuring the Physical Interface for the Dialer Interface Sample Dialer Configuration Configuring ISDN Callback Point-to-Point with Matched Calling/Called Numbers Point-to-Point with Different Calling/Called Numbers Point-to-Multipoint with One Neighbor Point-to-Multipoint with Multiple Neighbors Overview of Dial Backup Dial Backup Features Sequence of Backup Events Link Failure Backup Example Configuring a Dialed Backup Line Configuring the Physical Interface for the Dialer Interface Configuring Interface as the Backup Dialer Interface Sample Configuration Overview of Dial on Demand/Bandwidth on Demand Dialer Interface Spoofing Dialer Watch Dialer Watch Behavior Caveat Answering Incoming ISDN Calls Incoming Call Mapping Example Node A [XSR] Node D [XSR] Node D (Calling Node) Configuration Configuring DoD/BoD Figure 10-11 Dial on Demand Topology PPP Point-to-Multipoint Configuration [XSR] PPP Multipoint-to-Multipoint Configuration Node A Configuration Node B Configuration PPP Point-to-Point Configurations Dial-in Routing for Dial on Demand Example + Dial-out Routing for Dial on Demand Example + The following command maps ACL 101 to dialer group 1: PPP Point-to-Multipoint Configurations + MLPPP Point-to-Multipoint Configuration MLPPP Point-to-Point Configurations + MLPPP Point-to-Multipoint Configurations Figure 10-15 MLPPP Point-to-Multipoint Topology The following commands add a pool member and configure the primary-ni switch on T1 interface 2/3: The following command maps ACL 101 to dialer group 1: MLPPP Multipoint-to-Multipoint Configuration Node A Configuration Node B Configuration Switched PPP Multilink Configuration Bandwidth-on-Demand [XSR] Page Backup Configuration Backup Using ISDN [XSR] Node A (Backed-up Node) Configuration Page Configuration for Backup with MLPPP Bundle Node A (Backed-up Node) Configuration Configuration for Ethernet Failover Configuration for Frame Relay Encapsulation Page Configuring Integrated Services Digital Network ISDN Features BRI Features PRI Features Understanding ISDN Basic Rate Interface Primary Rate Interface B-Channels D-Channel D-Channel Standards D-Channel Signaling and Carrier Networks ISDN Equipment Configurations Bandwidth Optimization Security Call Monitoring ISDN Trace Trace Decoding Q921 Decoding Reference Parameters Q931 Decoding + Next line: 04 Bearer capability 8890 Decoded IEs BRI NI-1, DMS100 & 5ESS SPID Registration Terminal Endpoint Identifier (TEI) Management Procedures ISDN Configuration BRI (Switched) Configuration Model ISDN Configuration XSR XSR Users Guide 11-11 Figure 11-1 .Switched BRI Configuration Model PRI Configuration Model Figure 11-2 .PRI Configuration Model XSR Leased-Line Configuration Model IP More Configuration Examples T1 PRI E1 PRI ISDN BRI BRI Leased Line ISDN (ITU Standard Q.931) Call Status Cause Codes Page Table 11-2 Call Status Cause Codes (continued) Code Cause Configuring Quality of Service Mechanisms Providing QoS Traffic Classification Describing the Class Map Describing the Policy Map Queuing and Services Describing Class-Based Weight Fair Queuing Configuring CBWFQ Measuring Bandwidth Utilization Describing Priority Queues Configuring Priority Queues Describing Traffic Policing Configuring Traffic Policing Class-based Traffic Shaping Traffic Shaping per Policy-Map Differences Between Traffic Policing and Traffic Shaping Traffic Shaping and Queue Limit Congestion Control & Avoidance Describing Queue Size Control (Drop Tail) Describing Random Early Detection Describing Weighted Random Early Detection Configuration per Interface Suggestions for Using QoS on the XSR QoS and Link Fragmentation and Interleaving (LFI) Configuring QoS with MLPPP Multi-Class Configuring QoS with FRF.12 QoS with VLAN Traffic Classification Describing VLAN QoS Packet Flow VLAN Packet with Priority Routed out a Fast/GigabitEthernet Interface VLAN Packet with Priority Routed out a Serial Interface Figure 12-4 LAN/QoS Serial Scenario Non-VLAN IP Packet Routed Out a Fast/GigabitEthernet Interface QoS with VLAN Configuration Process Follow the steps below to configure the XSR for QoS with VLAN routing. 1. Configure a sub-interface. interface <Interface name> <slot/card/number> 2. Stipulate a VLAN ID on the su b-interface. vlan <number> QoS on Input QoS on VPN QoS over VPN Features Configuring QoS on a Physical Interface Configuring QoS on a Virtual Tunnel Interface QoS on a Virtual Interface Example Page Configure ACLs: Configure the IKE policy foo for pre-share keys: Configure output VPN interface 1 for ToS byte copying, GRE, and other values: Configure the IPSec SA: Configure GigabitEthernet interface 2 and Serial sub-interface 1/0:0 QoS and VPN Interaction ` route Configuring the Shaper on the VPN Interface QoS Policy Configuration Examples Simple QoS on Physical Interface Policy QoS for Frame Relay Policy Configure map class parameters and apply the policy to the ports: QoS with MLPPP Multi-Class Policy QoS with FRF.12 Policy QoS with VLAN Policy Input and Output QoS Policy Input QoS on Ingress to the Diffserv Domain Policy Page Configuring ADSL PDU Encapsulation Choices PPP over ATM PPP over Ethernet over ATM (Routed) Routed IP over ATM ADSL Limitations ADSL Hardware NIM Card ADSL on the Motherboard DSP Firmware ADSL Data Framing ATM Support Virtual Circuits OAM Cells Performance Monitoring DSLAM Compatibility Access Concentrator Restrictions Inverse ARP QoS SNMP PPPoE PPPoA problems, add the crypto ipsec df-bit clear command to your configuration. IPoA Configuring the Virtual Private Network VPN Overview Internet Security Issues How a Virtual Private Network Works Ensuring VPN Security with IPSec/IKE/GRE Page GRE over IPSec Defining VPN Encryption Describing Public-Key Infrastructure (PKI) Digital Signatures Certificates Machine Certificates for the XSR CA Hierarchies Certificate Chains RA Mode Pending Mode Enroll Password CRL Retrieval Renewing and Revoking Certificates DF Bit Functionality VPN Applications Site-to-Site Networks Site-to-Central-Site Networks NAT Traversal Client Mode Client Mode Network Extension Mode Network Extension Mode (NEM) Remote Access Networks Using OSPF Over a VPN Network OSPF Commands Configuring OSPF Over Site-to-Central Site in Client Mode INTERNET Server VPN tunnel Client INTERNET Configuring OSPF over Site-to-Central Site in Network Extension Mode VPN tunnel Configuring OSPF with Fail Over (Redundancy) Server 1 Server 2 INTERNET Limitations XSR VPN Features Page VPN Configuration Overview Master Encryption Key Generation ACL Configuration Rules Configuring ACLs Selecting Policies: IKE/IPSec Transform-Sets Security Policy Considerations Configuring Policy Creating Crypto Maps Configuring Crypto Maps Authentication, Authorization and Accounting Configuration AAA Commands Configuring AAA PKI Configuration Options Configuring PKI PKI Certificate Enrollment Example 5. Set the CRL retrieval rate and download the latest CRL (optional). 6. Add a static host to store IP addresses for use by the CRL mechanism. Page Interface VPN Options VPN Interface Sub-Commands Configuring a Simple VPN Site-to-Site Application Central Site Branch Office configuration, permit means protect or encrypt, and deny indicates dont encrypt or allow as is. 4. Set up IKE Phase 1 protection by entering the following commands: + + + Configuring the VPN Using EZ-IPSec EZ-IPSec Configuration + XSR with VPN - Central Gateway Figure 14-12 EZ-IPSec Client, XP Client and Gateway Topology Add ACLs to permit IP and UDP traffic: Add ACLs for IP local pool/EZ-IPSec, Network Extension address and L2TP: Define IKE Phase I security parameters with the following two policies: Branch Office EZ-IPSec client Remote Access Windows XP - L2TP/IPSec or PPTP Client Central Site Configure the following four crypto maps to match ACLs 150, 140, 120, and 110: Configure and enable the FastEthernet 1 interface: Configure FastEthernet interface 2 with the attached crypto map test: Add a default route to the next hop Internet gateway: Define an IP pool for distribution of tunnel addresses to all client types: Clear the DF bit globally: Enable the OSPF engine, VPN and FastEthernet 1 interfaces for routing: Create a group for NEM and Client mode users: Configure the RADIUS AAA method to authenticate remote access users: Set branch office EZ-IPSec on the PPPoE, FastEthernet sub-interface 2.2, using certificates: GRE Tunnel for OSPF Tunnel A: XSR-3250 VPN GRE Site-to-Site Tunnel Page Tunnel B: XSR-1805 VPN GRE Site-to-Site Tunnel Page XSR/Cisco Site-to-Site Example Cisco Configuration XSR Configuration Interoperability Profile for the XSR Scenario 1: Gateway-to-Gateway with Pre-Shared Secrets Page Page Scenario 2: Gateway-to-Gateway with Certificates Page Page Page Configuring DHCP Overview of DHCP DHCP Server Standards How DHCP Works DHCP Services Persistent Storage of Network Parameters for Clients Temporary or Permanent Network Address Allocation Lease Assigned Network Configuration Values to Clients: Options Provisioning Differentiated Network Values by Client Class BOOTP Legacy Support Nested Scopes: IP Pool Subsets Pool (subnet) Client Class Host Values are inherited from outer scopes Scope Caveat Manual Bindings DHCP Client Services Router Option Parameter Request List Option DHCP Client Interaction Secondary Address Caveats DHCP Client Timeouts DHCP CLI Commands DHCP Set Up Overview Configuring DHCP Address Pools Configuring DHCP - Network Configuration Parameters Configuration Steps Create an IP Local Client Pool Create a Corresponding DHCP Pool Configure DHCP Network Parameters Enable the DHCP Server Optional: Set Up a DHCP Nested Scope Optional: Configure a DHCP Manual Binding DHCP Server Configuration Examples Pool with Hybrid Servers Example Manual Binding Example Manual Binding with Class Example BOOTP Client Support Example DHCP Option Examples Configuring Security on the XSR Access Control Lists ACL Violations Alarm Example Packet Filtering LANd Attack Smurf Attack Fraggle Attack IP Packet with Multicast/Broadcast Source Address Spoofed Address Check SYN Flood Attack Mitigation General Security Precautions AAA Services Connecting Remotely via SSH or Telnet with AAA Service Page Page Firewall Feature Set Overview Reasons for Installing a Firewall Types of Firewalls ACL and Packet Filter Firewalls DMZ Router Internal HTTP server ALG and Proxy Firewalls Stateful Inspection Firewalls XSR Firewall Feature Set Functionality Stateful Firewall Inspection (SFI) Filtering non-TCP/UDP Packets Application Level Commands Application Level Gateway On Board URL Filtering Importing URL Lists from an ASCII File Writing URL List Entries Enabling URL Filtering in Firewall Policy Configuring URL Redirection Denial of Service (DoS) Attack Protection Alarm Logging Alarms Authentication Firewall and NAT Firewall and VPN ACLs and Firewall Dynamic Reconfiguration Firewall CLI Commands Page Page Firewall Limitations Pre-configuring the Firewall Steps to Configure the Firewall XSR with Firewall DMZ Internal XSR with Firewall, PPPoE and DHCP PPPoE/NAT/Firewall 10.10.10.1 FE2 FE1 XSR with Firewall and VPN 172.16.1.0 router SSR FE2 FE1 141.154.196.106 Configure the following IPSec SAs: Configure the following four crypto maps to match ACLs 150, 140, 120, and 110: Add a default route to the next hop Internet gateway: Configure FastEthernet interface 1 to permit multicast packets in and out: Configure FastEthernet interface 2 with the attached crypto map test: Page Page Page Firewall Configuration for VRRP Firewall Configuration for RADIUS Authentication and Accounting Configuring Simple Security RPC Policy Configuration Page A Alarms/Events, System Limits, and Standard ASCII Table Recommended System Limits Table A-4 XSR Limits (continued) System Alarms and Events The XSR exhibits the following logging behavior for all except firewall and NAT alarms: Table A-4 XSR Limits (continued) Table A-5 Alarm Behavior Table A-6 High Severity Alarms/Events Page Page Page Page Table A-7 Medium Severity Alarms/Events Page Page Table A-8 Low Severity Alarms/Events Page Table A-8 Low Severity Alarms/Events (continued) Firewall and NAT Alarms and Reports Page Page Page Page Standard ASCII Character Table Page B XSR SNMP Proprietary and Associated Standard MIBs Service Level Reporting MIB Tables etsysSrvcLvlMetricTable etsysSrvcLvlOwnerTable etsysSrvcLvlHistoryTable etsysSrvcLvlNetMeasureTable etsysSrvcLvlAggrMeasureTable BGP v4 MIB Tables General Variables Table BGP v4 Peer Table Table B-16 BGP v4 Peer Table (continued) BGP-4 Received Path Attribute Table Table B-17 BGP-4 Received Path Attribute Table Table B-16 BGP v4 Peer Table (continued) BGP-4 Traps Table B-18 BGP-4 Traps Table B-17 BGP-4 Received Path Attribute Table (continued) Firewall MIB Tables Global Interface Operations Monitoring Objects Policy Rule Table Totals Counters Ses sio n Tota ls Tab le Policy Rule True Table Session Totals Counters IP Session Counters IP Session Table Authenticated Address Counters Authenticated Addresses Table DOS Attacks Blocked Counters VPN MIB Tables etsysVpnIkePeer Table etsysVpnIkePeerProposals Table etsysVpnIkeProposal Table etsysVpnIpsecPolicy Table etsysVpnIntfPolicy Table etsysVpnIpsecPolicyRule Table etsysVpnIpsecPolProposals Table etsysVpnIpsecProposal Table etsysVpnIpsecPropTransforms Table etsysVpnAhTransform Table etsysVpnEspTransform Table etsysVpnIpcompTransform Table ipCidrRouteTable for Static Routes Host Resources MIB Objects Enterasys Configuration Management MIB Enterasys Configuration Change MIB Enterasys SNMP Persistence MIB Table B-44 etsysConfigurationChange MIB (continued) Table B-45 etsysSnmpPersistenceMIB Enterasys Syslog Client MIB Syslog Server Defaults Units of Conformance Table B-46 Enterasys Syslog Client MIB (continued) Compliance Statements Table B-46 Enterasys Syslog Client MIB (continued)