Configuration Examples | Enterasys Networks X-PeditionTM specs

Configuration Examples

XSR(config-tms-tunnel)#set peer 200.10.20.30

+Specifies the IP address of the remote peer

XSR(config-tms-tunnel)#set protocol ipsec network-extension-mode + Selects IPSec to initiate a

NEM tunnel connection

Note: Pre-shared key proposals are used if a user name is supplied with a tunnel. If no user name is supplied, EZ-IPSec verifies the XSR has one or more valid certificates and it uses RSA signature authentication.

Most of the parameters shown below have been automatically entered by EZ-IPSec. Be aware that they do not appear in the running-configfile.

crypto isakmp peer 200.10.20.30/32

proposal ez-ike-3des-sha-psk ez-ike-3des-md5-psk config-mode client

exchange-mode aggressive nat-traversal automatic crypto map ez-ipsec 100 match address 100

set peer 200.10.20.30 mode tunnel

set transform-set ez-esp-3des-sha-pfs ez-esp-3des-md5-pfs set transform-set ez-esp-aes-sha-pfs ez-esp-aes-md5-pfs

set transform-set ez-esp-3des-sha-no-pfs ez-esp-3des-md5-no-pfs set transform-set ez-esp-aes-sha-no-pfs ez-esp-aes-md5-no-pfs crypto map ez-ipsec 101

match address 101 set peer 200.10.20.30

Configuration Examples

XSR with VPN - Central Gateway

In this scenario, as shown in Figure 14-12, a Central VPN gateway is set to perform the following:

•Terminate NEM and Client mode tunnels

•Terminate remote access L2TP/IPSec tunnels

•Terminate PPTP remote access tunnels

•OSPF routing with the next hop corporate router on the trusted VPN interface

•DF bit clear on the public VPN interface to handle large non-fragmentable IP frames

•OSPF routing over the multi-point VPN interface for other site-to-site tunnels

•Assign the first IP address of the pool to the multi-point VPN interface.

14-36 Configuring the Virtual Private Network

Image 358

Enterasys Networks X-PeditionTM manual Configuration Examples, XSR with VPN Central Gateway

Contents

PeditionSecurity Router VersionPage Enterasys Networks, Inc Minuteman Road Andover, MA Regulatory Compliance Information Federal Communications Commission FCC Notice TTE Directive Declaration Product SafetyIndustry Canada Notices Class a ITE Notice Clase A. Aviso de ITE Elektro- magnetische Kompatibilität EMC Electromagnetic Compatibility EMCCompatibilidad Electromágnetica EMC Vcci Notice Declaration of Conformity USA Approved Enterasys Networks, Inc Firmware License Agreement Viii Page Page Contents Configuring an Interface Displaying Interface Attributes Configuring IP Configuring T1/E1 & T3/E3 InterfacesManaging LAN/WAN Interfaces How Triggered-on-Demand RIP Works Configuring the Border Gateway Protocol Configuration Considerations Configuring PIM-SM and Igmp Route Reflectors Confederations Configuring PPP Configuring Frame Relay Configuring Dialer Services 10-13 Configuring Integrated Services Digital Network Configuring Quality of Service Configuring Adsl Configuring the Virtual Private Network Configuring Dhcp Configuring Security on the XSR Appendix B XSR Snmp Proprietary and Associated Standard MIBs DOS Attacks Blocked Counters DOS Attacks Blocked Table Contents of the Guide Preface Conventions Used in This Guide Following conventions are used in this guide Bold/En negrilla Getting Help FTP Overview Overview XSR User’s Guide Overview Utilizing the Command Line Interface Connecting via the Console Port on XSR Series Using the Console Port to Remotely Control the XSR Connecting a Serial Interface to a Modem Connecting via SSH Connecting via TelnetTerminal Commands Accessing the Initial Prompt Synchronizing the Clock RAI Features and Requirements Remote Auto InstallManaging the Session Utilizing the Command Line Interface How RAI Components Work RAI Requirements on the XSRFrame Relay Remote Router Tftp Client Bootp ClientReverse DNS Client Frame Relay Central Site Dhcp over LAN RAI over Ethernet PPP RAI over a Dial-in Line PPP RAI over a Leased LinePPP RAI over Adsl CLI Editing Rules Setting CLI Configuration Modes CLI Shortcuts Command Description CLI Configuration Modes Function Access Method Prompt Refer to -1for a graphic example of configuration modes User Exec Mode Global Configuration ModeExiting From the Current Mode Privileged Exec Mode Observing Command Syntax and Conventions Mode ExamplesFollowing example Supported Physical Interfaces CLI Command LimitsDescribing Ports and Interfaces Supported Virtual Interfaces Numbering XSR Slots, Cards, and Ports Setting Interface Type and NumberingSetting Port Configuration Mode Supported Ports T1-PRI Isdn Example Configuration ExamplesT1 Example Dialer Example BRI-Dialer Idsn Example Following interfaces are added Following sub-interfaces are added Entering Commands that Control TablesAdding Table Entries You may type Modifying Table Entries Managing XSR InterfacesDeleting Table Entries Displaying Table Entries Enabling an Interface Configuring an InterfaceFollowing command enables an interface Disabling an Interface Logging Commands Performing Fault ManagementManaging Message Logs Fault Report Commands Capturing Fault Report Data RTC Commands Using the Real-Time ClockManaging the System Configuration RTC/Network Clock Options Resetting the Configuration to Factory Default Using the Default Button XSR 1800/1200 Series Only Using File System Commands Configuration Save OptionsBulk Configuration Management Downloading the Configuration Creating Alternate Configuration Files Uploading the Configuration/Crash ReportFull-config Backup Managing the Software Image BootRom Upgrade ChoicesPre-upgrade Procedures Creating Alternate Software Image Files Using the Bootrom Update Utility Using TFTP, transfer updateBootrom.fls from the network Local Bootrom Upgrade XSR1800 bU bootromuncmp.fls Using EOS Fallback to Upgrade the Image Loading Software Images Configuring EOS Fallback on the CLI Configuring EOS Fallback via Snmp Downloading with Fips Security Software Image CommandsConfiguration Change Hashing Set the operation to imageSetSelected Displaying System Status and Statistics Memory ManagementCreating Resources Network Management through Snmp Shaping Trap Traffic Snmp InformsStatistics Network Monitoring via Service Level Agreement Agent Alarm Management TrapsMeasuring Performance Metrics Via Snmp Create an OwnerVia CLI Create a Measurement to Ping Via CLI Following command schedules a measurement immediately Schedule a measurement Via CLI Enterasys Configuration Management MIB Full Configuration Backup/RestoreUsing the SLA Agent in Snmp Cabletron CTdownload MIB Snmp Download with Auto-Reboot Option Software Image Download using NetSightAppending CLI Commands to Configuration Files via Snmp CLI Translator Firmware Upgrade Procedures Accessing the XSR Through the WebNetSight Atlas Router Services Manager Network Management Tools Using Snmp for Downloads Fault ReportingUsing the CLI for Downloads Auto-discovery XSR supports the following LAN interface features LAN FeaturesOverview of LAN Interfaces Configuring the LAN MIB Statistics XSR supports the following WAN interface features WAN FeaturesOverview of WAN Interfaces Configuring the WAN Following example configures the XSR to dial-out async Configuring the WAN Managing LAN/WAN Interfaces Overview FeaturesT1/E1 Mode T1/E1 Functionality T3 Mode E3 Mode T1/E1 Subsystem Configuration T3/E3 Subsystem Configuration D&I NIM does not support channelized mode nor PRI Drop and Insert FeaturesT1 Drop & Insert One-to-One DS0 Bypassing Specify the clock source for the controller Configuring Channelized T1/E1 InterfacesEnter the no shutdown command to enable the line Specify the controllers framing type Optionally, if you prefer to configure internal clocking Configuring Un-channelized T3/E3 InterfacesEnable the Controller line Enable the Serial line Troubleshooting T1/E1 & T3/E3 Links T1/E1 & T3/E3 Physical Layer Troubleshooting XSRconfig#controller t1 1/0 XSRconfig-controllerT1-1/0# Receive Alarm Indication Signal AIS Blue Alarm T1/E1 & T3/E3 Alarm AnalysisRestart the controller Transmit Sending Remote Alarm Red Alarm Receive Remote Alarm Indication RAI Yellow AlarmTransmit Remote Alarm Indication RAI Yellow Alarm Transmit Alarm Indication Signal AIS Blue Alarm T1/E1 & T3/E3 Error Events Analysis XSR Slip Seconds Counter Increasing Controller Framing Loss Seconds Increasing Configuring the D&I NIMLine Code Violations Increasing Page Configuring IP General IP Features Telnet Secondary IP Troubleshooting Tools Ping Traceroute IP Routing RIP ARP and Proxy ARP BOOTP/DHCP RelayProxy DNS Directed Broadcast BroadcastLocal Broadcast TCP Telnet Secondary IP Trivial File Transfer Protocol TftpIP Interface Interface & Secondary IP ARP & Secondary IP Icmp & Secondary IP RIP & Secondary IP Routing Table Manager & Secondary IPOspf & Secondary IP Unnumbered Interface & Secondary IP Ping IP Routing ProtocolsMaximum Transmission Unit MTU Traceroute RIPv1 Triggered-on-Demand RIP How Triggered-on-Demand RIP Works IP Routing Protocols Ospf LSA Type 3 and 5 Summarization Ospf Database Overflow Following is a high priority Overflow Entered log report Ospf Passive InterfacesFollowing is a high priority Overflow Exited log report Null Interface Ospf TroubleshootingRoute Preference Static Routes Vlan Routing Forwarding VLAN, PPPoE over Vlan 802.1Q Vlan Tag Vlan Processing Over the XSR’s Ethernet Interfaces IP Routing Table Vlan Processing VLAN-enabled Ethernet to WAN Interfaces Vlan Ethernet to Fast/GigabitEthernet Topology Policy Based Routing Accessing the Global Routing Policy TableQoS with Vlan Set Clauses Match ClausesPBR Cache Classless Inter-Domain Routing Cidr Default NetworkRouter ID Real Time Protocol RTP Header Compression Features Network Address Translation Virtual Router Redundancy Protocol Vrrp Definitions XSR1 XSR2 How the Vrrp Works Different States of a Vrrp Router Multiple Virtual IP Addresses per VR Vrrp FeaturesAuthentication Multiple VRs Per Router Host ARP Load BalancingARP Process on a Vrrp Router Proxy ARP Icmp Ping Interface Monitoring Watch Group Monitoring Configuration Considerations Equal-Cost Multi-Path Ecmp Configuring RIP Examples Central XSR Configuring RIP Examples Configuring Unnumbered IP Serial Interface Example Configuring Ospf Example Configuring Static Translation Configuring NAT ExamplesBasic One-to-One Static NAT Configuring Dynamic Pool Translation Dynamic Pool ConfigurationRegister the global NAT pool Network Address and Port Translation Configuring NaptEnable an interface F1, for example Bind the interface and optional ACL to the NAT pool Multiple NAT Pools within an Interface 14 Multiple NAT Pools within Interface Static NAT within an Interface Inside Outside 15 Static NAT within Interface Enter the following commands to enable NAT Port Forwarding Configuring Policy Based Routing ExampleNAT Port Forwarding Router XSRa Configuring Vrrp ExampleRouter XSRb Following example configures a Vlan interface for PPPoE Configuring Vlan ExamplesFor a QoS with Vlan example, refer to QoS with Vlan on Configuring the Border Gateway Protocol Describing BGP Messages Open Keepalive UpdateDefining BGP Path Attributes Notification AS Path Origin Next Hop Local Preference Local Preference Applied to Direct Egress Traffic from AS Weight Atomic Aggregate Aggregator Multi-Exit Discriminator Community Aspath Communities Application of Community Attribute BGP Path Selection Process BGP Routing Policy Community Lists Access Control ListsFilter Lists Route Maps Regular Expression Characters Regular ExpressionsRegular Expression Examples Assigning Peer Group Options Peer GroupsCreating a Peer Group Display all routes with any AS path For an example, refer to Configuring BGP Neighbors on Initial BGP ConfigurationResetting BGP Connections Adding BGP Neighbors Address Aggregation SynchronizationRoute Flap Dampening Route Refresh Capability AdvertisementRecommendations for Route Flap Dampening Scaling BGP 10 Fully Meshed BGP Route Reflectors 11 Route Reflector Applied to Minimize Ibgp Mesh Confederations Displaying System and Network Statistics 12 Use of Confederations to Reduce Ibgp Mesh Sub AS-302 Configuring BGP Route Maps Configuring BGP Neighbors BGP Path Filtering by Neighbor Example Configuring BGP Confederations BGP Aggregate Route Examples Ibgp Peer Group Example Configuring BGP Peer GroupsTCP MD5 Authentication for BGP Example This section details Ibgp and an Ebgp peer group examples Ebgp Peer Group Example BGP Community with Route Maps Examples XSRconfig#router bgp XSRconfig-router#network 1.0.0.0 mask Configuring BGP Peer Groups Configuring PIM-SM and Igmp Differences with Industry-Standard Approach IP Multicast Overview Defining Multicast Group Addressing Outlining Igmp Versions Comparing Multicast Distribution Trees Describing the XSR’s IP Multicast Features Forwarding Multicast Traffic Sending and Receiving Queries and Reports Group Membership ActionsSending a Query Interoperating with Older Igmp Versions Behavior of Group Members Among Older Version Group Members Describing the XSR’s PIM-SM v2 FeaturesBehavior of Multicast Routers Among Older Version Queriers Phase 1 Building a Shared Tree Phase 2 Building Shortest Path Tree Between Sender & RP Phase 2 Topology Shortest Path Tree Between Sender and RP Neighbor Discovery and DR Election PIM Join/Prune Message Bootstrap & Rendezvous PointPIM Register Message Assert Processing Source-Specific Multicast PIM SM over Frame Relay PIM Configuration Examples PIM Configuration Examples Configuring PIM-SM and Igmp Configuring PPP PPP Features Link Control Protocol LCP Network Control Protocol NCP Challenge Handshake Authentication Protocol Chap AuthenticationPassword Authentication Protocol PAP Microsoft Challenge Handshake Protocol MS-CHAP Link Quality Monitoring LQM Multilink PPP Mlppp Multi-Class Mlppp Multilink Header Option Format Fragment Interleaving Over the Link Multilink Head Format Negotiation Multi-Class Option Negotiation Events and AlarmsIP Control Protocol Ipcp Multi-Class Receiving Packet PPP Bandwidth Allocation/Control Protocols BAP/BAPC IP Address Assignment Enter the media-type for the interface default RS232 Configuring PPP with a Dialed Backup LineConfiguring a Synchronous Serial Interface Enter encapsulation ppp to enable PPP encapsulation Configuring the Physical Interface for the Dialer Interface Configuring a Dialed Backup LineConfiguring the Dialer Interface Enter no shutdown to enable this interface Configuring the Interface as the Backup Dialer Interface Configure interface dialer 1 to use dial pool Multilink Example Configuring Mlppp on a Multilink/Dialer interfaceDialer Example Dual XSRs One Router Using DoD with Call Request Configuring BAPXSR1 Configuration Configure the Dialer 1 interface with a dialer pool XSR2 ConfigurationConfigure the dialer list and ACL for DoD Dual XSRs BAP Using Call/Callback Request Configuring BAP Configuring BAP Configuring PPP Virtual Circuits DLCIs DTEs DCEs Frame Relay Features Multi-Protocol Encapsulation Controlling Congestion in Frame Relay Networks Address ResolutionDynamic Resolution Using Inverse ARP Rate Enforcement CIR Generic Traffic Shaping Forward Explicit Congestion Notification Fecn Discard Eligibility DE BitBackward Explicit Congestion Notification Becn Controlling Congestion in Frame Relay Networks Link Management Information LMI Sub-interfaces FRF.12 Fragmentation User Configuration CommandsEnd-to-End Fragmentation Show Running Configuration Reports and AlarmsMap-Class Configuration Clear Statistics Interconnecting via Frame Relay Network Minneapolis Houston Memphis Configuring Frame Relay Multi-point to Point-to-Point Example Configuring Frame Relay Configuring Frame Relay Configuring Frame Relay Overview of Dial Services Dial Services Features Asynchronous and Synchronous Support AT Commands on Asynchronous Ports25bis over Synchronous Interfaces Ethernet Backup Time of Day featureTypical Use for Dial Services DTR Dialing for Synchronous Interfaces Implementing Dial Services Dialer Profiles Dialer Pool Dialer InterfaceDialer Strings Addressing Dialer Resources Configuring Encapsulation Isdn Callback Logical View of Dialer Profiles Sample Dialer Topology Dialer Profile of Destination 416 Creating and Configuring the Dialer Interface Dialer Profile of Destination 987 Configuring the Physical Interface for the Dialer Interface Sample Dialer ConfigurationConfiguring the Map Class Configure a backup link for dial purposes with priority Point-to-Point with Different Calling/Called Numbers Configuring Isdn CallbackPoint-to-Point with Matched Calling/Called Numbers Point-to-Multipoint with One Neighbor Sequence of Backup Events Overview of Dial BackupDial Backup Features Link Failure Backup Example Backup Link Failure Example Configuring Interface as the Backup Dialer Interface Configure backup serial port for dialing purposes Configure interface dialer 2 to use dial pool Sample ConfigurationDialer Overview of Dial on Demand/Bandwidth on Demand Dialer Interface Spoofing Dialer Watch Dialer Watch Behavior Dialer Watch Topology Answering Incoming Isdn Calls Caveat Following command maps ACL 101 to dialer group Node a Calling Node ConfigurationIncoming Call Mapping Example Node B Called Node Configuration Node D Calling Node Configuration Configuring DoD/BoD Following command maps ACL 1061 to dialer group PPP Point-to-Multipoint Configuration 11 Dial on Demand Topology PPP Multipoint-to-Multipoint Configuration Node a Configuration Node B Configuration PPP Point-to-Point ConfigurationsFollowing command maps ACL 105 to dialer group Dial-in Routing for Dial on Demand Example Following commands configure dialer interfaceDial-out Routing for Dial on Demand Example PPP Point-to-Multipoint Configurations 13 PPP Point-to-Multipoint Topology Dial-out Router Example Dial-in Router Example Mlppp Point-to-Multipoint Configuration Following command sets remote user authentication Mlppp Point-to-Point Configurations 14 Mlppp Point-to-Point Topology Mlppp Point-to-Multipoint Configurations 15 Mlppp Point-to-Multipoint Topology Mlppp Multipoint-to-Multipoint Configuration Switched PPP Multilink Configuration Bandwidth-on-Demand Node C Called Node Configuration Following command maps ACL 106 to dialer group Backup Using Isdn Backup ConfigurationNode a Backed-up Node Configuration XSRconfig#username toronto privilege 0 password cleartext z Following command configures Serial sub-interface 2/00 Configuration for Backup with Mlppp BundleFollowing command configures Serial sub-interface 2/01 Configuration for Ethernet Failover Following commands configure Serial sub-interface 2/00 Configuration for Frame Relay Encapsulation Backup Configuration Configuring Dialer Services Isdn Features Leased line Isdn configuration examples T1 PRI E1 PRI PRI Features BRI FeaturesUnderstanding Isdn Channels Basic Rate InterfacePrimary Rate Interface Channel Isdn Equipment Configurations Channel Signaling and Carrier NetworksChannel Standards Bandwidth Optimization Security Trace Decoding Call MonitoringIsdn Trace Q921 Decoding Q931 Decoding Reference Parameters + Next line 04 Bearer capability Status Decoded IEs Isdn ConfigurationTerminal Endpoint Identifier TEI Management Procedures BRI NI-1, DMS100 & 5ESS Spid Registration BRI Switched Configuration Model Switched BRI Configuration Model PRI Configuration Model PRI Configuration Model Leased-Line Configuration Model Interface BRI 0/1/21 Following example configures a PRI connection on an E1 card More Configuration ExamplesFollowing example configures a PRI connection on a T1 card Following example configures a switched line BRI connection BRI Leased Line Following example configures a leased-line BRI connectionIsdn ITU Standard Q.931 Call Status Cause Codes BRI Leased PPP Call Status Cause Codes Code Cause Incoming calls barred Configuring Quality of Service Mechanisms Providing QoS Traffic Classification Describing the Class Map Describing the Policy Map Queuing and Services Describing Class-Based Weight Fair Queuing Measuring Bandwidth Utilization Configuring CbwfqConfiguring Priority Queues Describing Priority Queues Describing Traffic Policing Configuring Traffic PolicingAssign the class frost to the priority queue Class-based Traffic Shaping Traffic Shaping per Policy-Map Differences Between Traffic Policing and Traffic Shaping Traffic Shaping and Queue Limit Describing Queue Size Control Drop Tail Congestion Control & AvoidanceDescribing Random Early Detection Describing Weighted Random Early Detection RED Drop Probability Calculation Configuration per Interface VPN Configuring QoS with Mlppp Multi-Class Suggestions for Using QoS on the XSRQoS and Link Fragmentation and Interleaving LFI Configuring QoS with FRF.12 QoS with Vlan Describing Vlan QoS Packet Flow Vlan Packet with Priority Routed out a Serial Interface QoS with Vlan Configuration Process LAN/QoS Serial Scenario QoS on Input QoS on VPN Configuring QoS on a Physical Interface QoS over VPN FeaturesConfiguring QoS on a Virtual Tunnel Interface QoS on a Virtual Interface Example Configure the input policy map Vpn classes RTP and FTP Configure the output policy map Ser classes RTP1 and FTP1 Configure the IKE policy foo for pre-share keys Configure ACLsConfigure the IPSec SA QoS and VPN Interaction Route Configuring the Shaper on the VPN Interface AH Hmac ESP+3DES Simple QoS on Physical Interface Policy QoS Policy Configuration ExamplesCreate the policy map Apply the configuration to the interface QoS for Frame Relay Policy QoS with Mlppp Multi-Class Policy QoS with FRF.12 Policy QoS with Vlan Policy Input and Output QoS Policy Input QoS on Ingress to the Diffserv Domain Policy QoS Policy Configuration Examples Configuring Adsl PDU Encapsulation Choices PPP over ATM PPPoA Network Diagram PPP over Ethernet over ATM Routed PPPoE Network Diagram Routed IP over ATM Adsl Hardware Adsl LimitationsNIM Card Adsl on the Motherboard Adsl Data FramingATM Support DSP Firmware Dslam Compatibility Access Concentrator RestrictionsClass of Service OAM Cells QoS Configuration ExamplesInverse ARP PPPoE Following optional commands configure NAT Following optional commands configure two default routesPPPoA Enter the following commands to configure a IPoA topology IPoA Internet Security Issues VPN Overview Ensuring VPN Security with IPSec/IKE/GRE How a Virtual Private Network Works Transport Mode Processing Tunnel Mode Processing GRE over IPSec Defining VPN Encryption Describing Public-Key Infrastructure PKIDigital Signatures Certificates Machine Certificates for the XSR CA Hierarchies Certificate Chains RA Mode Certificate Chain Example DF Bit Functionality Pending ModeEnroll Password CRL Retrieval VPN Applications Site-to-Central-Site Networks Site-to-Site NetworksNAT Traversal Client Mode Internet Remote Access Networks Network Extension Mode NEM Ospf Commands Using Ospf Over a VPN NetworkConfiguring Ospf Over Site-to-Central Site in Client Mode Server ClientServer Internet Client Client Configuring Ospf with Fail Over RedundancyServer Interfaces Fast/GigabitEthernet 1 and VPN Limitations XSR VPN FeaturesInterfaces Fast/GigabitEthernet 1, VPN 1 and VPN Napt VPN Configuration Overview Master Encryption Key Generation ACL Configuration Rules Configuring ACLs Selecting Policies IKE/IPSec Transform-Sets SA lifetimes Configuring Policy Security Policy Considerations Configuring Crypto Maps Creating Crypto Maps Authentication, Authorization and Accounting Configuration User-Name AAA Commands Configuring AAA PKI Configuration Options Configuring PKI PKI Certificate Enrollment Example CA-AUTHENTICATED XSRconfig#ip domain acme.com Interface VPN Options VPN Interface Sub-Commands Configuring a Simple VPN Site-to-Site ApplicationFollowing sub-commands are available at VPN Interface mode XSRconfig#crypto isakmp proposal Test Configuring the VPN Using EZ-IPSec XSRconfig-crypto-m#description external interface EZ-IPSec Configuration XSRconfig#interface vpn 1 point-to-point XSR with VPN Central Gateway Configure the following four IPSec SAs Configure IKE policy for the remote peerAdd ACLs to permit IP and UDP traffic Configure and enable the FastEthernet 1 interface Add a default route to the next hop Internet gateway Create a group for NEM and Client mode users Clear the DF bit globally GRE Tunnel for Ospf Tunnel a XSR-3250 VPN GRE Site-to-Site Tunnel XSRconfig-isakmp-peer#proposal shared Enable Ospf on the trusted and VPN interfaces Tunnel B XSR-1805 VPN GRE Site-to-Site Tunnel Enable Ospf on the trusted and VPN interfaces Cisco Configuration XSR/Cisco Site-to-Site Example XSR Configuration Interoperability Profile for the XSR Scenario 1 Gateway-to-Gateway with Pre-Shared Secrets Configure a default route Configure the Gateway a external LAN network AWConfigure IKE Phase 1 policy Interoperability Profile for the XSR Scenario 2 Gateway-to-Gateway with Certificates 14 Gateway-to Gateway with Certificates Topology XSR#clock timezone -7 State CA-AUTHENTICATED Configuring Dhcp Overview of Dhcp How Dhcp Works Dhcp Server Standards Persistent Storage of Network Parameters for Clients Dhcp ServicesAssigned Network Configuration Values to Clients Options Temporary or Permanent Network Address Allocation Nested Scopes IP Pool Subsets Bootp Legacy SupportProvisioning Differentiated Network Values by Client Class Pool subnet Scope Caveat Manual Bindings Parameter Request List Option Dhcp Client ServicesRouter Option Dhcp Client Interaction Dhcp Client Timeouts Interaction with Remote Auto Install RAI Dhcp CLI Commands Configuring Dhcp Address Pools Dhcp Set Up OverviewConfiguration Steps Configuring Dhcp Network Configuration Parameters Optional Set Up a Dhcp Nested Scope Configure Dhcp Network ParametersEnable the Dhcp Server Optional Configure a Dhcp Manual Binding Manual Binding Example Dhcp Server Configuration ExamplesPool with Hybrid Servers Example Manual Binding with Class Example Bootp Client Support Example Dhcp Option Examples Configuring Security on the XSR Access Control Lists Packet Filtering ACL Violations Alarm ExampleFirst alarms logged will display as follows LANd Attack IP Packet with Multicast/Broadcast Source Address Smurf AttackFraggle Attack Spoofed Address Check Large Icmp Packets General Security PrecautionsSpurious State Transition Ping of Death Attack AAA Services Connecting Remotely via SSH or Telnet with AAA Service PuTTY Exit Option PuTTY Alert Message Firewall Feature Set Overview Reasons for Installing a Firewall Types of Firewalls ACL and Packet Filter Firewalls ALG and Proxy Firewalls Stateful Firewall Inspection SFI XSR Firewall Feature Set FunctionalityStateful Inspection Firewalls Filtering non-TCP/UDP Packets Application Level Commands Application Level Gateway Writing URL List Entries On Board URL FilteringImporting URL Lists from an Ascii File Enabling URL Filtering in Firewall Policy Denial of Service DoS Attack Protection Configuring URL Redirection Alarm Logging Alarms Authentication 12 Authentication Process Firewall and VPN Dynamic ReconfigurationFirewall and NAT ACLs and Firewall Firewall CLI Commands Firewall CLI Commands 13 Sample Telnet Screen Firewall Limitations Pre-configuring the Firewall Steps to Configure the Firewall XSR with Firewall Complete LAN and WAN interface configuration Log only critical events XSR with Firewall, PPPoE and Dhcp 15 XSR Firewall with PPPoE DSL and Dhcp Configure the Dhcp pool, DNS server and related settings XSR with Firewall and VPN XP PC NEM Add four ACLs to permit IP pool, L2TP and NEM traffic Configure the following IPSec SAs XSRconfig#ip local pool test 10.120.70.0 Define three trusted networks in the enterprise Define the Internet as all possible IP addressesDefine the public VPN interface crypto map Define the local pool network used for tunnel IP addresses Define service for Radius authentication Define service for IsakmpDefine service for L2TP tunnels Define service for Radius accounting Load the firewall configuration Firewall Configuration for VrrpConfigure Radius network objects Configuring Simple Security RPC Policy Configuration Configuration Examples Configuring Security on the XSR Alarms/Events, System Limits Standard Ascii Table Recommended System Limits Snmp views System Alarms and Events Table A-5 Alarm Behavior Driv ETH1 ETH0 Table A-6 High Severity Alarms/Events Table A-7 Medium Severity Alarms/Events Sntp PPP MS-CHAP authentication failed while Shutdown command Portchannel Corrected the problem by resetting itself Firewall and NAT Alarms and Reports Table A-9 Firewall and NAT Alarms NAT TCP reset, NAT port %d, %IPP2 UDP Detected UDP Flood attack %IPP2 Deny Icmp unsupported packet %IP2ICMP UDP Request Entry pool is empty Standard Ascii Character Table Space Standard Ascii Character Table EtsysSrvcLvlMetricTable Service Level Reporting MIB TablesVPN MIB Tables on page B-12 EtsysSrvcLvlOwnerTable EtsysSrvcLvlHistoryTable Field Example CLI command EtsysSrvcLvlNetMeasureTable EtsysSrvcLvlAggrMeasureTable Rtr schedule aliased to General Variables Table BGP v4 MIB TablesBGP v4 Peer Table BgpPeerAdminStatus BGP-4 Received Path Attribute Table Bgp4PathAttrIpAddrPrefix BGP-4 Traps Firewall MIB Tables Global Interface Operations Policy Rule True Table Monitoring ObjectsPolicy Rule Table Totals Counters Session Totals Counters IP Session Counters Authenticated Address CountersAuthenticated Addresses Table IP Session Table DOS Attacks Blocked Counters VPN MIB TablesDOS Attacks Blocked Table EtsysVpnIkePeer Table EtsysVpnIkePeerProposals Table EtsysVpnIpsecPolicy Table EtsysVpnIkeProposal TableEtsysVpnIntfPolicy Table EtsysVpnIpsecPolicyRule Table EtsysVpnIpsecPolProposals Table EtsysVpnIpsecPropTransforms Table EtsysVpnIpsecProposal TableEtsysVpnAhTransform Table EtsysVpnEspTransform Table EtsysVpnIpcompTransform Table IpCidrRouteTable for Static Routes Host Resources MIB Objects Enterasys Configuration Management MIB Field Description ConfigMgmtOperations Enterasys Configuration Change MIB Field Description EtsysConfigChangeNonVolatile Group Enterasys Snmp Persistence MIB Enterasys Syslog Client MIB Field Description EtsysSyslogClient Group Table B-46 Enterasys Syslog Client MIB Compliance Statements