PeditionSecurity Router
Version
Page
Enterasys Networks, Inc Minuteman Road Andover, MA
Regulatory Compliance Information
Federal Communications Commission FCC Notice
TTE Directive Declaration
Product Safety
Industry Canada Notices
Class a ITE Notice Clase A. Aviso de ITE
Elektro- magnetische Kompatibilität EMC
Electromagnetic Compatibility EMC
Compatibilidad Electromágnetica EMC
Vcci Notice
Declaration of Conformity
USA
Approved
Enterasys Networks, Inc Firmware License Agreement
Viii
Page
Page
Contents
Configuring an Interface Displaying Interface Attributes
Managing LAN/WAN Interfaces
Configuring T1/E1 & T3/E3 Interfaces
Configuring IP
How Triggered-on-Demand RIP Works
Configuring the Border Gateway Protocol
Configuration Considerations
Configuring PIM-SM and Igmp
Route Reflectors Confederations
Configuring PPP
Configuring Frame Relay
Configuring Dialer Services
10-13
Configuring Integrated Services Digital Network
Configuring Quality of Service
Configuring Adsl
Configuring the Virtual Private Network
Configuring Dhcp
Configuring Security on the XSR
Appendix B XSR Snmp Proprietary and Associated Standard MIBs
DOS Attacks Blocked Counters DOS Attacks Blocked Table
Contents of the Guide
Preface
Conventions Used in This Guide
Following conventions are used in this guide
Bold/En negrilla
Getting Help
FTP
Overview
Overview
XSR User’s Guide
Overview
Utilizing the Command Line Interface
Connecting via the Console Port on XSR Series
Using the Console Port to Remotely Control the XSR
Connecting a Serial Interface to a Modem
Terminal Commands
Connecting via Telnet
Connecting via SSH
Accessing the Initial Prompt
Synchronizing the Clock
Managing the Session
Remote Auto Install
RAI Features and Requirements
Utilizing the Command Line Interface
Frame Relay Remote Router
RAI Requirements on the XSR
How RAI Components Work
Tftp Client
Bootp Client
Reverse DNS Client
Frame Relay Central Site
Dhcp over LAN RAI over Ethernet
PPP RAI over Adsl
PPP RAI over a Leased Line
PPP RAI over a Dial-in Line
CLI Editing Rules
Setting CLI Configuration Modes
CLI Shortcuts Command Description
CLI Configuration Modes Function Access Method Prompt
Refer to -1for a graphic example of configuration modes
User Exec Mode
Global Configuration Mode
Exiting From the Current Mode
Privileged Exec Mode
Following example
Mode Examples
Observing Command Syntax and Conventions
Supported Physical Interfaces
CLI Command Limits
Describing Ports and Interfaces
Supported Virtual Interfaces
Numbering XSR Slots, Cards, and Ports
Setting Interface Type and Numbering
Setting Port Configuration Mode
Supported Ports
T1-PRI Isdn Example
Configuration Examples
T1 Example
Dialer Example
BRI-Dialer Idsn Example
Following interfaces are added
Following sub-interfaces are added
Entering Commands that Control Tables
Adding Table Entries
You may type
Modifying Table Entries
Managing XSR Interfaces
Deleting Table Entries
Displaying Table Entries
Enabling an Interface
Configuring an Interface
Following command enables an interface
Disabling an Interface
Managing Message Logs
Performing Fault Management
Logging Commands
Fault Report Commands
Capturing Fault Report Data
RTC Commands
Using the Real-Time Clock
Managing the System Configuration
RTC/Network Clock Options
Resetting the Configuration to Factory Default
Using the Default Button XSR 1800/1200 Series Only
Using File System Commands
Configuration Save Options
Bulk Configuration Management
Downloading the Configuration
Full-config Backup
Uploading the Configuration/Crash Report
Creating Alternate Configuration Files
Managing the Software Image
BootRom Upgrade Choices
Pre-upgrade Procedures
Creating Alternate Software Image Files
Using the Bootrom Update Utility
Using TFTP, transfer updateBootrom.fls from the network
Local Bootrom Upgrade
XSR1800 bU bootromuncmp.fls
Using EOS Fallback to Upgrade the Image
Loading Software Images
Configuring EOS Fallback on the CLI
Configuring EOS Fallback via Snmp
Downloading with Fips Security
Software Image Commands
Configuration Change Hashing
Set the operation to imageSetSelected
Creating Resources
Memory Management
Displaying System Status and Statistics
Network Management through Snmp
Statistics
Snmp Informs
Shaping Trap Traffic
Measuring Performance Metrics
Alarm Management Traps
Network Monitoring via Service Level Agreement Agent
Via Snmp
Create an Owner
Via CLI
Create a Measurement to Ping Via CLI
Following command schedules a measurement immediately
Schedule a measurement Via CLI
Enterasys Configuration Management MIB
Full Configuration Backup/Restore
Using the SLA Agent in Snmp
Cabletron CTdownload MIB
Snmp Download with Auto-Reboot Option
Software Image Download using NetSight
Appending CLI Commands to Configuration Files via Snmp
CLI Translator
Firmware Upgrade Procedures
Accessing the XSR Through the Web
NetSight Atlas Router Services Manager
Network Management Tools
Using Snmp for Downloads
Fault Reporting
Using the CLI for Downloads
Auto-discovery
Overview of LAN Interfaces
LAN Features
XSR supports the following LAN interface features
Configuring the LAN
MIB Statistics
Overview of WAN Interfaces
WAN Features
XSR supports the following WAN interface features
Configuring the WAN
Following example configures the XSR to dial-out async
Configuring the WAN Managing LAN/WAN Interfaces
Overview
Features
T1/E1 Mode
T1/E1 Functionality
T3 Mode
E3 Mode
T1/E1 Subsystem Configuration
T3/E3 Subsystem Configuration
T1 Drop & Insert One-to-One DS0 Bypassing
Drop and Insert Features
D&I NIM does not support channelized mode nor PRI
Specify the clock source for the controller
Configuring Channelized T1/E1 Interfaces
Enter the no shutdown command to enable the line
Specify the controllers framing type
Optionally, if you prefer to configure internal clocking
Configuring Un-channelized T3/E3 Interfaces
Enable the Controller line
Enable the Serial line
Troubleshooting T1/E1 & T3/E3 Links
T1/E1 & T3/E3 Physical Layer Troubleshooting
XSRconfig#controller t1 1/0 XSRconfig-controllerT1-1/0#
Restart the controller
T1/E1 & T3/E3 Alarm Analysis
Receive Alarm Indication Signal AIS Blue Alarm
Transmit Sending Remote Alarm Red Alarm
Receive Remote Alarm Indication RAI Yellow Alarm
Transmit Remote Alarm Indication RAI Yellow Alarm
Transmit Alarm Indication Signal AIS Blue Alarm
T1/E1 & T3/E3 Error Events Analysis
XSR
Slip Seconds Counter Increasing
Controller
Line Code Violations Increasing
Configuring the D&I NIM
Framing Loss Seconds Increasing
Page
Configuring IP
General IP Features
Telnet
Secondary IP
Troubleshooting Tools Ping Traceroute IP Routing
RIP
Proxy DNS
BOOTP/DHCP Relay
ARP and Proxy ARP
Local Broadcast
Broadcast
Directed Broadcast
TCP
Telnet
Secondary IP
Trivial File Transfer Protocol Tftp
IP Interface
Interface & Secondary IP
ARP & Secondary IP
Icmp & Secondary IP
RIP & Secondary IP
Routing Table Manager & Secondary IP
Ospf & Secondary IP
Unnumbered Interface & Secondary IP
Ping
IP Routing Protocols
Maximum Transmission Unit MTU
Traceroute
RIPv1
Triggered-on-Demand RIP
How Triggered-on-Demand RIP Works
IP Routing Protocols
Ospf
LSA Type 3 and 5 Summarization
Ospf Database Overflow
Following is a high priority Overflow Exited log report
Ospf Passive Interfaces
Following is a high priority Overflow Entered log report
Route Preference
Ospf Troubleshooting
Null Interface
Static Routes
Vlan Routing
Forwarding VLAN, PPPoE over Vlan
802.1Q Vlan Tag
Vlan Processing Over the XSR’s Ethernet Interfaces
IP Routing Table
Vlan Processing VLAN-enabled Ethernet to WAN Interfaces
Vlan Ethernet to Fast/GigabitEthernet Topology
QoS with Vlan
Accessing the Global Routing Policy Table
Policy Based Routing
PBR Cache
Match Clauses
Set Clauses
Router ID
Default Network
Classless Inter-Domain Routing Cidr
Real Time Protocol RTP Header Compression
Features
Network Address Translation
Virtual Router Redundancy Protocol
Vrrp Definitions
XSR1 XSR2
How the Vrrp Works
Different States of a Vrrp Router
Multiple Virtual IP Addresses per VR
Vrrp Features
Authentication
Multiple VRs Per Router
Host ARP
Load Balancing
ARP Process on a Vrrp Router
Proxy ARP
Icmp Ping
Interface Monitoring
Watch Group Monitoring
Configuration Considerations
Equal-Cost Multi-Path Ecmp
Configuring RIP Examples
Central XSR
Configuring RIP Examples
Configuring Unnumbered IP Serial Interface Example
Configuring Ospf Example
Basic One-to-One Static NAT
Configuring NAT Examples
Configuring Static Translation
Register the global NAT pool
Dynamic Pool Configuration
Configuring Dynamic Pool Translation
Network Address and Port Translation
Configuring Napt
Enable an interface F1, for example
Bind the interface and optional ACL to the NAT pool
Multiple NAT Pools within an Interface
14 Multiple NAT Pools within Interface
Static NAT within an Interface
Inside Outside
15 Static NAT within Interface
NAT Port Forwarding
Configuring Policy Based Routing Example
Enter the following commands to enable NAT Port Forwarding
Router XSRb
Configuring Vrrp Example
Router XSRa
For a QoS with Vlan example, refer to QoS with Vlan on
Configuring Vlan Examples
Following example configures a Vlan interface for PPPoE
Configuring the Border Gateway Protocol
Describing BGP Messages
Open
Keepalive
Update
Defining BGP Path Attributes
Notification
AS Path
Origin
Next Hop
Local Preference
Local Preference Applied to Direct Egress Traffic from AS
Weight
Atomic Aggregate
Aggregator
Multi-Exit Discriminator
Community
Aspath Communities
Application of Community Attribute
BGP Path Selection Process
BGP Routing Policy
Community Lists
Access Control Lists
Filter Lists
Route Maps
Regular Expression Examples
Regular Expressions
Regular Expression Characters
Assigning Peer Group Options
Peer Groups
Creating a Peer Group
Display all routes with any AS path
For an example, refer to Configuring BGP Neighbors on
Initial BGP Configuration
Resetting BGP Connections
Adding BGP Neighbors
Route Flap Dampening
Synchronization
Address Aggregation
Recommendations for Route Flap Dampening
Capability Advertisement
Route Refresh
Scaling BGP
10 Fully Meshed BGP
Route Reflectors
11 Route Reflector Applied to Minimize Ibgp Mesh
Confederations
Displaying System and Network Statistics
12 Use of Confederations to Reduce Ibgp Mesh Sub AS-302
Configuring BGP Route Maps
Configuring BGP Neighbors
BGP Path Filtering by Neighbor Example
Configuring BGP Confederations
BGP Aggregate Route Examples
Ibgp Peer Group Example
Configuring BGP Peer Groups
TCP MD5 Authentication for BGP Example
This section details Ibgp and an Ebgp peer group examples
Ebgp Peer Group Example
BGP Community with Route Maps Examples
XSRconfig#router bgp XSRconfig-router#network 1.0.0.0 mask
Configuring BGP Peer Groups
Configuring PIM-SM and Igmp
Differences with Industry-Standard Approach
IP Multicast Overview
Defining Multicast Group Addressing
Outlining Igmp Versions
Comparing Multicast Distribution Trees
Describing the XSR’s IP Multicast Features
Forwarding Multicast Traffic
Sending a Query
Group Membership Actions
Sending and Receiving Queries and Reports
Interoperating with Older Igmp Versions
Behavior of Multicast Routers Among Older Version Queriers
Describing the XSR’s PIM-SM v2 Features
Behavior of Group Members Among Older Version Group Members
Phase 1 Building a Shared Tree
Phase 2 Building Shortest Path Tree Between Sender & RP
Phase 2 Topology Shortest Path Tree Between Sender and RP
Neighbor Discovery and DR Election
PIM Join/Prune Message
Bootstrap & Rendezvous Point
PIM Register Message
Assert Processing
Source-Specific Multicast
PIM SM over Frame Relay
PIM Configuration Examples
PIM Configuration Examples Configuring PIM-SM and Igmp
Configuring PPP
PPP Features
Link Control Protocol LCP
Network Control Protocol NCP
Challenge Handshake Authentication Protocol Chap
Authentication
Password Authentication Protocol PAP
Microsoft Challenge Handshake Protocol MS-CHAP
Link Quality Monitoring LQM
Multilink PPP Mlppp
Multi-Class Mlppp
Multilink Header Option Format
Fragment Interleaving Over the Link
Multilink Head Format Negotiation
Multi-Class Option Negotiation
Events and Alarms
IP Control Protocol Ipcp
Multi-Class Receiving Packet
PPP Bandwidth Allocation/Control Protocols BAP/BAPC
IP Address Assignment
Enter the media-type for the interface default RS232
Configuring PPP with a Dialed Backup Line
Configuring a Synchronous Serial Interface
Enter encapsulation ppp to enable PPP encapsulation
Configuring the Physical Interface for the Dialer Interface
Configuring a Dialed Backup Line
Configuring the Dialer Interface
Enter no shutdown to enable this interface
Configuring the Interface as the Backup Dialer Interface
Configure interface dialer 1 to use dial pool
Dialer Example
Configuring Mlppp on a Multilink/Dialer interface
Multilink Example
XSR1 Configuration
Configuring BAP
Dual XSRs One Router Using DoD with Call Request
Configure the dialer list and ACL for DoD
XSR2 Configuration
Configure the Dialer 1 interface with a dialer pool
Dual XSRs BAP Using Call/Callback Request
Configuring BAP
Configuring BAP Configuring PPP
Virtual Circuits
DLCIs
DTEs
DCEs
Frame Relay Features
Multi-Protocol Encapsulation
Controlling Congestion in Frame Relay Networks
Address Resolution
Dynamic Resolution Using Inverse ARP
Rate Enforcement CIR Generic Traffic Shaping
Backward Explicit Congestion Notification Becn
Discard Eligibility DE Bit
Forward Explicit Congestion Notification Fecn
Controlling Congestion in Frame Relay Networks
Link Management Information LMI
Sub-interfaces
End-to-End Fragmentation
User Configuration Commands
FRF.12 Fragmentation
Show Running Configuration
Reports and Alarms
Map-Class Configuration
Clear Statistics
Interconnecting via Frame Relay Network
Minneapolis Houston Memphis
Configuring Frame Relay
Multi-point to Point-to-Point Example
Configuring Frame Relay
Configuring Frame Relay
Configuring Frame Relay
Overview of Dial Services
Dial Services Features
25bis over Synchronous Interfaces
AT Commands on Asynchronous Ports
Asynchronous and Synchronous Support
Ethernet Backup
Time of Day feature
Typical Use for Dial Services
DTR Dialing for Synchronous Interfaces
Implementing Dial Services
Dialer Profiles
Dialer Pool
Dialer Interface
Dialer Strings
Addressing Dialer Resources
Configuring Encapsulation
Isdn Callback
Logical View of Dialer Profiles
Sample Dialer Topology
Dialer Profile of Destination 416
Creating and Configuring the Dialer Interface
Dialer Profile of Destination 987
Configuring the Physical Interface for the Dialer Interface
Sample Dialer Configuration
Configuring the Map Class
Configure a backup link for dial purposes with priority
Point-to-Point with Different Calling/Called Numbers
Configuring Isdn Callback
Point-to-Point with Matched Calling/Called Numbers
Point-to-Multipoint with One Neighbor
Dial Backup Features
Overview of Dial Backup
Sequence of Backup Events
Link Failure Backup Example
Backup Link Failure Example
Configuring Interface as the Backup Dialer Interface
Configure backup serial port for dialing purposes
Dialer
Sample Configuration
Configure interface dialer 2 to use dial pool
Overview of Dial on Demand/Bandwidth on Demand
Dialer Interface Spoofing
Dialer Watch
Dialer Watch Behavior
Dialer Watch Topology
Answering Incoming Isdn Calls
Caveat
Incoming Call Mapping Example
Node a Calling Node Configuration
Following command maps ACL 101 to dialer group
Node B Called Node Configuration
Node D Calling Node Configuration
Configuring DoD/BoD
Following command maps ACL 1061 to dialer group
PPP Point-to-Multipoint Configuration
11 Dial on Demand Topology
PPP Multipoint-to-Multipoint Configuration
Node a Configuration
Following command maps ACL 105 to dialer group
PPP Point-to-Point Configurations
Node B Configuration
Dial-out Routing for Dial on Demand Example
Following commands configure dialer interface
Dial-in Routing for Dial on Demand Example
PPP Point-to-Multipoint Configurations
13 PPP Point-to-Multipoint Topology
Dial-out Router Example
Dial-in Router Example
Mlppp Point-to-Multipoint Configuration
Following command sets remote user authentication
Mlppp Point-to-Point Configurations
14 Mlppp Point-to-Point Topology
Mlppp Point-to-Multipoint Configurations
15 Mlppp Point-to-Multipoint Topology
Mlppp Multipoint-to-Multipoint Configuration
Switched PPP Multilink Configuration
Bandwidth-on-Demand
Node C Called Node Configuration
Following command maps ACL 106 to dialer group
Node a Backed-up Node Configuration
Backup Configuration
Backup Using Isdn
XSRconfig#username toronto privilege 0 password cleartext z
Following command configures Serial sub-interface 2/01
Configuration for Backup with Mlppp Bundle
Following command configures Serial sub-interface 2/00
Configuration for Ethernet Failover
Following commands configure Serial sub-interface 2/00
Configuration for Frame Relay Encapsulation
Backup Configuration Configuring Dialer Services
Isdn Features
Leased line Isdn configuration examples T1 PRI E1 PRI
Understanding Isdn
BRI Features
PRI Features
Channels
Basic Rate Interface
Primary Rate Interface
Channel
Channel Standards
Channel Signaling and Carrier Networks
Isdn Equipment Configurations
Bandwidth Optimization
Security
Trace Decoding
Call Monitoring
Isdn Trace
Q921 Decoding
Q931 Decoding
Reference Parameters
+ Next line 04 Bearer capability
Status
Decoded IEs
Isdn Configuration
Terminal Endpoint Identifier TEI Management Procedures
BRI NI-1, DMS100 & 5ESS Spid Registration
BRI Switched Configuration Model
Switched BRI Configuration Model
PRI Configuration Model
PRI Configuration Model
Leased-Line Configuration Model
Interface BRI 0/1/21
Following example configures a PRI connection on an E1 card
More Configuration Examples
Following example configures a PRI connection on a T1 card
Following example configures a switched line BRI connection
BRI Leased Line
Following example configures a leased-line BRI connection
Isdn ITU Standard Q.931 Call Status Cause Codes
BRI Leased PPP
Call Status Cause Codes Code Cause
Incoming calls barred
Configuring Quality of Service
Mechanisms Providing QoS
Traffic Classification
Describing the Class Map
Describing the Policy Map
Queuing and Services
Describing Class-Based Weight Fair Queuing
Measuring Bandwidth Utilization
Configuring Cbwfq
Configuring Priority Queues
Describing Priority Queues
Assign the class frost to the priority queue
Configuring Traffic Policing
Describing Traffic Policing
Class-based Traffic Shaping
Traffic Shaping per Policy-Map
Differences Between Traffic Policing and Traffic Shaping
Traffic Shaping and Queue Limit
Describing Random Early Detection
Congestion Control & Avoidance
Describing Queue Size Control Drop Tail
Describing Weighted Random Early Detection
RED Drop Probability Calculation
Configuration per Interface
VPN
QoS and Link Fragmentation and Interleaving LFI
Suggestions for Using QoS on the XSR
Configuring QoS with Mlppp Multi-Class
Configuring QoS with FRF.12
QoS with Vlan
Describing Vlan QoS Packet Flow
Vlan Packet with Priority Routed out a Serial Interface
QoS with Vlan Configuration Process
LAN/QoS Serial Scenario
QoS on Input
QoS on VPN
Configuring QoS on a Virtual Tunnel Interface
QoS over VPN Features
Configuring QoS on a Physical Interface
QoS on a Virtual Interface Example
Configure the input policy map Vpn classes RTP and FTP
Configure the output policy map Ser classes RTP1 and FTP1
Configure the IPSec SA
Configure ACLs
Configure the IKE policy foo for pre-share keys
QoS and VPN Interaction
Route
Configuring the Shaper on the VPN Interface
AH Hmac ESP+3DES
Create the policy map
QoS Policy Configuration Examples
Simple QoS on Physical Interface Policy
Apply the configuration to the interface
QoS for Frame Relay Policy
QoS with Mlppp Multi-Class Policy
QoS with FRF.12 Policy
QoS with Vlan Policy
Input and Output QoS Policy
Input QoS on Ingress to the Diffserv Domain Policy
QoS Policy Configuration Examples
Configuring Adsl
PDU Encapsulation Choices
PPP over ATM
PPPoA Network Diagram
PPP over Ethernet over ATM Routed
PPPoE Network Diagram
Routed IP over ATM
NIM Card
Adsl Limitations
Adsl Hardware
Adsl on the Motherboard
Adsl Data Framing
ATM Support
DSP Firmware
Dslam Compatibility
Access Concentrator Restrictions
Class of Service
OAM Cells
QoS
Configuration Examples
Inverse ARP
PPPoE
PPPoA
Following optional commands configure two default routes
Following optional commands configure NAT
Enter the following commands to configure a IPoA topology
IPoA
Internet Security Issues
VPN Overview
Ensuring VPN Security with IPSec/IKE/GRE
How a Virtual Private Network Works
Transport Mode Processing
Tunnel Mode Processing
GRE over IPSec
Digital Signatures
Describing Public-Key Infrastructure PKI
Defining VPN Encryption
Certificates
Machine Certificates for the XSR
CA Hierarchies
Certificate Chains
RA Mode
Certificate Chain Example
DF Bit Functionality
Pending Mode
Enroll Password
CRL Retrieval
VPN Applications
NAT Traversal
Site-to-Site Networks
Site-to-Central-Site Networks
Client Mode
Internet
Remote Access Networks
Network Extension Mode NEM
Configuring Ospf Over Site-to-Central Site in Client Mode
Using Ospf Over a VPN Network
Ospf Commands
Server
Client
Server
Internet
Client
Client
Configuring Ospf with Fail Over Redundancy
Server
Interfaces Fast/GigabitEthernet 1 and VPN
Interfaces Fast/GigabitEthernet 1, VPN 1 and VPN
XSR VPN Features
Limitations
Napt
VPN Configuration Overview
Master Encryption Key Generation
ACL Configuration Rules
Configuring ACLs
Selecting Policies IKE/IPSec Transform-Sets
SA lifetimes
Configuring Policy
Security Policy Considerations
Configuring Crypto Maps
Creating Crypto Maps
Authentication, Authorization and Accounting Configuration
User-Name
AAA Commands
Configuring AAA
PKI Configuration Options
Configuring PKI
PKI Certificate Enrollment Example
CA-AUTHENTICATED
XSRconfig#ip domain acme.com
Interface VPN Options
Following sub-commands are available at VPN Interface mode
Configuring a Simple VPN Site-to-Site Application
VPN Interface Sub-Commands
XSRconfig#crypto isakmp proposal Test
Configuring the VPN Using EZ-IPSec
XSRconfig-crypto-m#description external interface
EZ-IPSec Configuration
XSRconfig#interface vpn 1 point-to-point
XSR with VPN Central Gateway
Add ACLs to permit IP and UDP traffic
Configure IKE policy for the remote peer
Configure the following four IPSec SAs
Configure and enable the FastEthernet 1 interface
Add a default route to the next hop Internet gateway
Create a group for NEM and Client mode users
Clear the DF bit globally
GRE Tunnel for Ospf
Tunnel a XSR-3250 VPN GRE Site-to-Site Tunnel
XSRconfig-isakmp-peer#proposal shared
Enable Ospf on the trusted and VPN interfaces
Tunnel B XSR-1805 VPN GRE Site-to-Site Tunnel
Enable Ospf on the trusted and VPN interfaces
Cisco Configuration
XSR/Cisco Site-to-Site Example
XSR Configuration
Interoperability Profile for the XSR
Scenario 1 Gateway-to-Gateway with Pre-Shared Secrets
Configure IKE Phase 1 policy
Configure the Gateway a external LAN network AW
Configure a default route
Interoperability Profile for the XSR
Scenario 2 Gateway-to-Gateway with Certificates
14 Gateway-to Gateway with Certificates Topology
XSR#clock timezone -7
State
CA-AUTHENTICATED
Configuring Dhcp
Overview of Dhcp
How Dhcp Works
Dhcp Server Standards
Persistent Storage of Network Parameters for Clients
Dhcp Services
Assigned Network Configuration Values to Clients Options
Temporary or Permanent Network Address Allocation
Nested Scopes IP Pool Subsets
Bootp Legacy Support
Provisioning Differentiated Network Values by Client Class
Pool subnet
Scope Caveat
Manual Bindings
Parameter Request List Option
Dhcp Client Services
Router Option
Dhcp Client Interaction
Dhcp Client Timeouts
Interaction with Remote Auto Install RAI
Dhcp CLI Commands
Configuring Dhcp Address Pools
Dhcp Set Up Overview
Configuration Steps
Configuring Dhcp Network Configuration Parameters
Optional Set Up a Dhcp Nested Scope
Configure Dhcp Network Parameters
Enable the Dhcp Server
Optional Configure a Dhcp Manual Binding
Manual Binding Example
Dhcp Server Configuration Examples
Pool with Hybrid Servers Example
Manual Binding with Class Example
Bootp Client Support Example
Dhcp Option Examples
Configuring Security on the XSR
Access Control Lists
Packet Filtering
ACL Violations Alarm Example
First alarms logged will display as follows
LANd Attack
IP Packet with Multicast/Broadcast Source Address
Smurf Attack
Fraggle Attack
Spoofed Address Check
Large Icmp Packets
General Security Precautions
Spurious State Transition
Ping of Death Attack
AAA Services
Connecting Remotely via SSH or Telnet with AAA Service
PuTTY Exit Option
PuTTY Alert Message
Firewall Feature Set Overview
Reasons for Installing a Firewall
Types of Firewalls
ACL and Packet Filter Firewalls
ALG and Proxy Firewalls
Stateful Firewall Inspection SFI
XSR Firewall Feature Set Functionality
Stateful Inspection Firewalls
Filtering non-TCP/UDP Packets
Application Level Commands
Application Level Gateway
Writing URL List Entries
On Board URL Filtering
Importing URL Lists from an Ascii File
Enabling URL Filtering in Firewall Policy
Denial of Service DoS Attack Protection
Configuring URL Redirection
Alarm Logging
Alarms
Authentication
12 Authentication Process
Firewall and VPN
Dynamic Reconfiguration
Firewall and NAT
ACLs and Firewall
Firewall CLI Commands
Firewall CLI Commands
13 Sample Telnet Screen
Firewall Limitations
Pre-configuring the Firewall
Steps to Configure the Firewall
XSR with Firewall
Complete LAN and WAN interface configuration
Log only critical events
XSR with Firewall, PPPoE and Dhcp
15 XSR Firewall with PPPoE DSL and Dhcp
Configure the Dhcp pool, DNS server and related settings
XSR with Firewall and VPN
XP PC NEM
Add four ACLs to permit IP pool, L2TP and NEM traffic
Configure the following IPSec SAs
XSRconfig#ip local pool test 10.120.70.0
Define three trusted networks in the enterprise
Define the Internet as all possible IP addresses
Define the public VPN interface crypto map
Define the local pool network used for tunnel IP addresses
Define service for Radius authentication
Define service for Isakmp
Define service for L2TP tunnels
Define service for Radius accounting
Configure Radius network objects
Firewall Configuration for Vrrp
Load the firewall configuration
Configuring Simple Security
RPC Policy Configuration
Configuration Examples Configuring Security on the XSR
Alarms/Events, System Limits Standard Ascii Table
Recommended System Limits
Snmp views
System Alarms and Events
Table A-5 Alarm Behavior
Driv
ETH1
ETH0
Table A-6 High Severity Alarms/Events
Table A-7 Medium Severity Alarms/Events
Sntp
PPP MS-CHAP authentication failed while
Shutdown command
Portchannel
Corrected the problem by resetting itself
Firewall and NAT Alarms and Reports
Table A-9 Firewall and NAT Alarms
NAT TCP reset, NAT port %d, %IPP2
UDP Detected UDP Flood attack %IPP2
Deny Icmp unsupported packet %IP2ICMP
UDP Request Entry pool is empty
Standard Ascii Character Table
Space
Standard Ascii Character Table
VPN MIB Tables on page B-12
Service Level Reporting MIB Tables
EtsysSrvcLvlMetricTable
EtsysSrvcLvlOwnerTable
EtsysSrvcLvlHistoryTable
Field Example CLI command
EtsysSrvcLvlNetMeasureTable
EtsysSrvcLvlAggrMeasureTable
Rtr schedule aliased to
BGP v4 Peer Table
BGP v4 MIB Tables
General Variables Table
BgpPeerAdminStatus
BGP-4 Received Path Attribute Table
Bgp4PathAttrIpAddrPrefix
BGP-4 Traps
Firewall MIB Tables
Global Interface Operations
Policy Rule True Table
Monitoring Objects
Policy Rule Table Totals Counters
Session Totals Counters
IP Session Counters
Authenticated Address Counters
Authenticated Addresses Table
IP Session Table
DOS Attacks Blocked Table
VPN MIB Tables
DOS Attacks Blocked Counters
EtsysVpnIkePeer Table
EtsysVpnIkePeerProposals Table
EtsysVpnIntfPolicy Table
EtsysVpnIkeProposal Table
EtsysVpnIpsecPolicy Table
EtsysVpnIpsecPolicyRule Table
EtsysVpnIpsecPolProposals Table
EtsysVpnAhTransform Table
EtsysVpnIpsecProposal Table
EtsysVpnIpsecPropTransforms Table
EtsysVpnEspTransform Table
EtsysVpnIpcompTransform Table
IpCidrRouteTable for Static Routes
Host Resources MIB Objects
Enterasys Configuration Management MIB
Field Description ConfigMgmtOperations
Enterasys Configuration Change MIB
Field Description EtsysConfigChangeNonVolatile Group
Enterasys Snmp Persistence MIB
Enterasys Syslog Client MIB
Field Description EtsysSyslogClient Group
Table B-46 Enterasys Syslog Client MIB
Compliance Statements
