Manuals / Enterasys Networks / Computer Equipment / Network Router

Enterasys Networks X-PeditionTM manual XSR/Cisco Site-to-Site Example, Cisco Configuration

Models: X-PeditionTM

1 466

Download 466 pages 52.77 Kb

Page 366

Configuration Examples

XSR/Cisco Site-to-Site Example

The following Site-to-Site configuration connects a Cisco 2600 router with internal/external IP addresses of 192.168.3.5/192.168.2.5 to a XSR with internal/external IP addresses of 192.168.1.2/ 192.168.2.2. The commands are displayed as they would appear when displayed in the configuration file.

Cisco Configuration

version 12.2

service timestamps debug uptime service timestamps log uptime no service password-encryption

hostname Cisco2600

enable secret 5 $1$9ljt$kg86F7Y1vsa2Np0Zj5wDf1 enable password welcome

ip subnet-zero

ip host spatel 192.168.1.1

crypto isakmp policy 1 hash md5 authentication pre-share group 2

lifetime 1200

crypto isakmp policy 20 hash md5 authentication pre-share lifetime 1200

crypto isakmp key welcome address 192.168.2.2

crypto ipsec security-association lifetime seconds 1800

crypto ipsec transform-set esp-des-md5 esp-des esp-md5-hmac

crypto map regular 1 ipsec-isakmp set peer 192.168.2.2

set security-association lifetime kilobytes 10000 set security-association lifetime seconds 7200 set transform-set esp-des-md5

set pfs group2 match address 110

fax interface-type fax-mail

mta receive maximum-recipients 0

14-44 Configuring the Virtual Private Network

Image 366

Enterasys Networks X-PeditionTM manual XSR/Cisco Site-to-Site Example, Cisco Configuration

Contents

PeditionSecurity Router VersionPage Enterasys Networks, Inc Minuteman Road Andover, MA Regulatory Compliance Information Federal Communications Commission FCC NoticeTTE Directive Declaration Product SafetyIndustry Canada Notices Class a ITE Notice Clase A. Aviso de ITEElektro- magnetische Kompatibilität EMC Electromagnetic Compatibility EMCCompatibilidad Electromágnetica EMC Vcci NoticeDeclaration of Conformity USAApproved Enterasys Networks, Inc Firmware License Agreement Viii Page Page Contents Configuring an Interface Displaying Interface Attributes Configuring T1/E1 & T3/E3 Interfaces Configuring IPManaging LAN/WAN Interfaces How Triggered-on-Demand RIP Works Configuring the Border Gateway Protocol Configuration ConsiderationsConfiguring PIM-SM and Igmp Route Reflectors ConfederationsConfiguring PPP Configuring Frame Relay Configuring Dialer Services10-13 Configuring Integrated Services Digital Network Configuring Quality of ServiceConfiguring Adsl Configuring the Virtual Private Network Configuring Dhcp Configuring Security on the XSR Appendix B XSR Snmp Proprietary and Associated Standard MIBs DOS Attacks Blocked Counters DOS Attacks Blocked Table Contents of the Guide PrefaceConventions Used in This Guide Following conventions are used in this guideBold/En negrilla Getting Help FTPOverview Overview XSR User’s Guide Overview Utilizing the Command Line Interface Connecting via the Console Port on XSR SeriesUsing the Console Port to Remotely Control the XSR Connecting a Serial Interface to a ModemConnecting via Telnet Connecting via SSHTerminal Commands Accessing the Initial Prompt Synchronizing the ClockRemote Auto Install RAI Features and RequirementsManaging the Session Utilizing the Command Line Interface RAI Requirements on the XSR How RAI Components WorkFrame Relay Remote Router Tftp Client Bootp ClientReverse DNS Client Frame Relay Central SiteDhcp over LAN RAI over Ethernet PPP RAI over a Leased Line PPP RAI over a Dial-in LinePPP RAI over Adsl CLI Editing Rules Setting CLI Configuration Modes CLI Shortcuts Command DescriptionCLI Configuration Modes Function Access Method Prompt Refer to -1for a graphic example of configuration modesUser Exec Mode Global Configuration ModeExiting From the Current Mode Privileged Exec ModeMode Examples Observing Command Syntax and ConventionsFollowing example Supported Physical Interfaces CLI Command LimitsDescribing Ports and Interfaces Supported Virtual InterfacesNumbering XSR Slots, Cards, and Ports Setting Interface Type and NumberingSetting Port Configuration Mode Supported PortsT1-PRI Isdn Example Configuration ExamplesT1 Example Dialer ExampleBRI-Dialer Idsn Example Following interfaces are addedFollowing sub-interfaces are added Entering Commands that Control TablesAdding Table Entries You may typeModifying Table Entries Managing XSR InterfacesDeleting Table Entries Displaying Table EntriesEnabling an Interface Configuring an InterfaceFollowing command enables an interface Disabling an InterfacePerforming Fault Management Logging CommandsManaging Message Logs Fault Report Commands Capturing Fault Report DataRTC Commands Using the Real-Time ClockManaging the System Configuration RTC/Network Clock OptionsResetting the Configuration to Factory Default Using the Default Button XSR 1800/1200 Series OnlyUsing File System Commands Configuration Save OptionsBulk Configuration Management Downloading the ConfigurationUploading the Configuration/Crash Report Creating Alternate Configuration FilesFull-config Backup Managing the Software Image BootRom Upgrade ChoicesPre-upgrade Procedures Creating Alternate Software Image FilesUsing the Bootrom Update Utility Using TFTP, transfer updateBootrom.fls from the network Local Bootrom Upgrade XSR1800 bU bootromuncmp.fls Using EOS Fallback to Upgrade the Image Loading Software ImagesConfiguring EOS Fallback on the CLI Configuring EOS Fallback via SnmpDownloading with Fips Security Software Image CommandsConfiguration Change Hashing Set the operation to imageSetSelectedMemory Management Displaying System Status and StatisticsCreating Resources Network Management through Snmp Snmp Informs Shaping Trap TrafficStatistics Alarm Management Traps Network Monitoring via Service Level Agreement AgentMeasuring Performance Metrics Via Snmp Create an OwnerVia CLI Create a Measurement to Ping Via CLIFollowing command schedules a measurement immediately Schedule a measurement Via CLIEnterasys Configuration Management MIB Full Configuration Backup/RestoreUsing the SLA Agent in Snmp Cabletron CTdownload MIBSnmp Download with Auto-Reboot Option Software Image Download using NetSightAppending CLI Commands to Configuration Files via Snmp CLI TranslatorFirmware Upgrade Procedures Accessing the XSR Through the WebNetSight Atlas Router Services Manager Network Management ToolsUsing Snmp for Downloads Fault ReportingUsing the CLI for Downloads Auto-discoveryLAN Features XSR supports the following LAN interface featuresOverview of LAN Interfaces Configuring the LAN MIB StatisticsWAN Features XSR supports the following WAN interface featuresOverview of WAN Interfaces Configuring the WAN Following example configures the XSR to dial-out async Configuring the WAN Managing LAN/WAN Interfaces Overview FeaturesT1/E1 Mode T1/E1 FunctionalityT3 Mode E3 ModeT1/E1 Subsystem Configuration T3/E3 Subsystem ConfigurationDrop and Insert Features D&I NIM does not support channelized mode nor PRIT1 Drop & Insert One-to-One DS0 Bypassing Specify the clock source for the controller Configuring Channelized T1/E1 InterfacesEnter the no shutdown command to enable the line Specify the controllers framing typeOptionally, if you prefer to configure internal clocking Configuring Un-channelized T3/E3 InterfacesEnable the Controller line Enable the Serial lineTroubleshooting T1/E1 & T3/E3 Links T1/E1 & T3/E3 Physical Layer TroubleshootingXSRconfig#controller t1 1/0 XSRconfig-controllerT1-1/0# T1/E1 & T3/E3 Alarm Analysis Receive Alarm Indication Signal AIS Blue AlarmRestart the controller Transmit Sending Remote Alarm Red Alarm Receive Remote Alarm Indication RAI Yellow AlarmTransmit Remote Alarm Indication RAI Yellow Alarm Transmit Alarm Indication Signal AIS Blue AlarmT1/E1 & T3/E3 Error Events Analysis XSRSlip Seconds Counter Increasing ControllerConfiguring the D&I NIM Framing Loss Seconds IncreasingLine Code Violations Increasing Page Configuring IP General IP FeaturesTelnet Secondary IPTroubleshooting Tools Ping Traceroute IP Routing RIPBOOTP/DHCP Relay ARP and Proxy ARPProxy DNS Broadcast Directed BroadcastLocal Broadcast TCP TelnetSecondary IP Trivial File Transfer Protocol TftpIP Interface Interface & Secondary IPARP & Secondary IP Icmp & Secondary IPRIP & Secondary IP Routing Table Manager & Secondary IPOspf & Secondary IP Unnumbered Interface & Secondary IPPing IP Routing ProtocolsMaximum Transmission Unit MTU TracerouteRIPv1 Triggered-on-Demand RIP How Triggered-on-Demand RIP WorksIP Routing Protocols Ospf LSA Type 3 and 5 Summarization Ospf Database OverflowOspf Passive Interfaces Following is a high priority Overflow Entered log reportFollowing is a high priority Overflow Exited log report Ospf Troubleshooting Null InterfaceRoute Preference Static Routes Vlan RoutingForwarding VLAN, PPPoE over Vlan 802.1Q Vlan TagVlan Processing Over the XSR’s Ethernet Interfaces IP Routing TableVlan Processing VLAN-enabled Ethernet to WAN Interfaces Vlan Ethernet to Fast/GigabitEthernet TopologyAccessing the Global Routing Policy Table Policy Based RoutingQoS with Vlan Match Clauses Set ClausesPBR Cache Default Network Classless Inter-Domain Routing CidrRouter ID Real Time Protocol RTP Header Compression Features Network Address TranslationVirtual Router Redundancy Protocol Vrrp Definitions XSR1 XSR2How the Vrrp Works Different States of a Vrrp RouterMultiple Virtual IP Addresses per VR Vrrp FeaturesAuthentication Multiple VRs Per RouterHost ARP Load BalancingARP Process on a Vrrp Router Proxy ARPIcmp Ping Interface MonitoringWatch Group Monitoring Configuration Considerations Equal-Cost Multi-Path EcmpConfiguring RIP Examples Central XSRConfiguring RIP Examples Configuring Unnumbered IP Serial Interface Example Configuring Ospf ExampleConfiguring NAT Examples Configuring Static TranslationBasic One-to-One Static NAT Dynamic Pool Configuration Configuring Dynamic Pool TranslationRegister the global NAT pool Network Address and Port Translation Configuring NaptEnable an interface F1, for example Bind the interface and optional ACL to the NAT poolMultiple NAT Pools within an Interface 14 Multiple NAT Pools within InterfaceStatic NAT within an Interface Inside Outside 15 Static NAT within InterfaceConfiguring Policy Based Routing Example Enter the following commands to enable NAT Port ForwardingNAT Port Forwarding Configuring Vrrp Example Router XSRaRouter XSRb Configuring Vlan Examples Following example configures a Vlan interface for PPPoEFor a QoS with Vlan example, refer to QoS with Vlan on Configuring the Border Gateway Protocol Describing BGP Messages OpenKeepalive UpdateDefining BGP Path Attributes NotificationAS Path OriginNext Hop Local PreferenceLocal Preference Applied to Direct Egress Traffic from AS Weight Atomic AggregateAggregator Multi-Exit DiscriminatorCommunity Aspath CommunitiesApplication of Community Attribute BGP Path Selection Process BGP Routing PolicyCommunity Lists Access Control ListsFilter Lists Route MapsRegular Expressions Regular Expression CharactersRegular Expression Examples Assigning Peer Group Options Peer GroupsCreating a Peer Group Display all routes with any AS pathFor an example, refer to Configuring BGP Neighbors on Initial BGP ConfigurationResetting BGP Connections Adding BGP NeighborsSynchronization Address AggregationRoute Flap Dampening Capability Advertisement Route RefreshRecommendations for Route Flap Dampening Scaling BGP 10 Fully Meshed BGPRoute Reflectors 11 Route Reflector Applied to Minimize Ibgp MeshConfederations Displaying System and Network Statistics 12 Use of Confederations to Reduce Ibgp Mesh Sub AS-302Configuring BGP Route Maps Configuring BGP Neighbors BGP Path Filtering by Neighbor ExampleConfiguring BGP Confederations BGP Aggregate Route ExamplesIbgp Peer Group Example Configuring BGP Peer GroupsTCP MD5 Authentication for BGP Example This section details Ibgp and an Ebgp peer group examplesEbgp Peer Group Example BGP Community with Route Maps ExamplesXSRconfig#router bgp XSRconfig-router#network 1.0.0.0 mask Configuring BGP Peer Groups Configuring PIM-SM and Igmp Differences with Industry-Standard ApproachIP Multicast Overview Defining Multicast Group AddressingOutlining Igmp Versions Comparing Multicast Distribution TreesDescribing the XSR’s IP Multicast Features Forwarding Multicast TrafficGroup Membership Actions Sending and Receiving Queries and ReportsSending a Query Interoperating with Older Igmp Versions Describing the XSR’s PIM-SM v2 Features Behavior of Group Members Among Older Version Group MembersBehavior of Multicast Routers Among Older Version Queriers Phase 1 Building a Shared Tree Phase 2 Building Shortest Path Tree Between Sender & RPPhase 2 Topology Shortest Path Tree Between Sender and RP Neighbor Discovery and DR Election PIM Join/Prune Message Bootstrap & Rendezvous PointPIM Register Message Assert ProcessingSource-Specific Multicast PIM SM over Frame RelayPIM Configuration Examples PIM Configuration Examples Configuring PIM-SM and Igmp Configuring PPP PPP FeaturesLink Control Protocol LCP Network Control Protocol NCPChallenge Handshake Authentication Protocol Chap AuthenticationPassword Authentication Protocol PAP Microsoft Challenge Handshake Protocol MS-CHAPLink Quality Monitoring LQM Multilink PPP MlpppMulti-Class Mlppp Multilink Header Option Format Fragment Interleaving Over the Link Multilink Head Format NegotiationMulti-Class Option Negotiation Events and AlarmsIP Control Protocol Ipcp Multi-Class Receiving PacketPPP Bandwidth Allocation/Control Protocols BAP/BAPC IP Address AssignmentEnter the media-type for the interface default RS232 Configuring PPP with a Dialed Backup LineConfiguring a Synchronous Serial Interface Enter encapsulation ppp to enable PPP encapsulationConfiguring the Physical Interface for the Dialer Interface Configuring a Dialed Backup LineConfiguring the Dialer Interface Enter no shutdown to enable this interfaceConfiguring the Interface as the Backup Dialer Interface Configure interface dialer 1 to use dial poolConfiguring Mlppp on a Multilink/Dialer interface Multilink ExampleDialer Example Configuring BAP Dual XSRs One Router Using DoD with Call RequestXSR1 Configuration XSR2 Configuration Configure the Dialer 1 interface with a dialer poolConfigure the dialer list and ACL for DoD Dual XSRs BAP Using Call/Callback Request Configuring BAP Configuring BAP Configuring PPP Virtual Circuits DLCIsDTEs DCEsFrame Relay Features Multi-Protocol EncapsulationControlling Congestion in Frame Relay Networks Address ResolutionDynamic Resolution Using Inverse ARP Rate Enforcement CIR Generic Traffic ShapingDiscard Eligibility DE Bit Forward Explicit Congestion Notification FecnBackward Explicit Congestion Notification Becn Controlling Congestion in Frame Relay Networks Link Management Information LMI Sub-interfacesUser Configuration Commands FRF.12 FragmentationEnd-to-End Fragmentation Show Running Configuration Reports and AlarmsMap-Class Configuration Clear StatisticsInterconnecting via Frame Relay Network Minneapolis Houston MemphisConfiguring Frame Relay Multi-point to Point-to-Point ExampleConfiguring Frame Relay Configuring Frame Relay Configuring Frame Relay Overview of Dial Services Dial Services FeaturesAT Commands on Asynchronous Ports Asynchronous and Synchronous Support25bis over Synchronous Interfaces Ethernet Backup Time of Day featureTypical Use for Dial Services DTR Dialing for Synchronous InterfacesImplementing Dial Services Dialer ProfilesDialer Pool Dialer InterfaceDialer Strings Addressing Dialer ResourcesConfiguring Encapsulation Isdn CallbackLogical View of Dialer Profiles Sample Dialer Topology Dialer Profile of Destination 416 Creating and Configuring the Dialer Interface Dialer Profile of Destination 987Configuring the Physical Interface for the Dialer Interface Sample Dialer ConfigurationConfiguring the Map Class Configure a backup link for dial purposes with priorityPoint-to-Point with Different Calling/Called Numbers Configuring Isdn CallbackPoint-to-Point with Matched Calling/Called Numbers Point-to-Multipoint with One NeighborOverview of Dial Backup Sequence of Backup EventsDial Backup Features Link Failure Backup Example Backup Link Failure ExampleConfiguring Interface as the Backup Dialer Interface Configure backup serial port for dialing purposesSample Configuration Configure interface dialer 2 to use dial poolDialer Overview of Dial on Demand/Bandwidth on Demand Dialer Interface Spoofing Dialer WatchDialer Watch Behavior Dialer Watch TopologyAnswering Incoming Isdn Calls CaveatNode a Calling Node Configuration Following command maps ACL 101 to dialer groupIncoming Call Mapping Example Node B Called Node Configuration Node D Calling Node ConfigurationConfiguring DoD/BoD Following command maps ACL 1061 to dialer groupPPP Point-to-Multipoint Configuration 11 Dial on Demand TopologyPPP Multipoint-to-Multipoint Configuration Node a ConfigurationPPP Point-to-Point Configurations Node B ConfigurationFollowing command maps ACL 105 to dialer group Following commands configure dialer interface Dial-in Routing for Dial on Demand ExampleDial-out Routing for Dial on Demand Example PPP Point-to-Multipoint Configurations 13 PPP Point-to-Multipoint TopologyDial-out Router Example Dial-in Router ExampleMlppp Point-to-Multipoint Configuration Following command sets remote user authenticationMlppp Point-to-Point Configurations 14 Mlppp Point-to-Point TopologyMlppp Point-to-Multipoint Configurations 15 Mlppp Point-to-Multipoint Topology Mlppp Multipoint-to-Multipoint Configuration Switched PPP Multilink Configuration Bandwidth-on-DemandNode C Called Node Configuration Following command maps ACL 106 to dialer groupBackup Configuration Backup Using IsdnNode a Backed-up Node Configuration XSRconfig#username toronto privilege 0 password cleartext z Configuration for Backup with Mlppp Bundle Following command configures Serial sub-interface 2/00Following command configures Serial sub-interface 2/01 Configuration for Ethernet Failover Following commands configure Serial sub-interface 2/00Configuration for Frame Relay Encapsulation Backup Configuration Configuring Dialer Services Isdn Features Leased line Isdn configuration examples T1 PRI E1 PRIBRI Features PRI FeaturesUnderstanding Isdn Channels Basic Rate InterfacePrimary Rate Interface ChannelChannel Signaling and Carrier Networks Isdn Equipment ConfigurationsChannel Standards Bandwidth Optimization SecurityTrace Decoding Call MonitoringIsdn Trace Q921 DecodingQ931 Decoding Reference Parameters+ Next line 04 Bearer capability StatusDecoded IEs Isdn ConfigurationTerminal Endpoint Identifier TEI Management Procedures BRI NI-1, DMS100 & 5ESS Spid RegistrationBRI Switched Configuration Model Switched BRI Configuration Model PRI Configuration Model PRI Configuration Model Leased-Line Configuration Model Interface BRI 0/1/21Following example configures a PRI connection on an E1 card More Configuration ExamplesFollowing example configures a PRI connection on a T1 card Following example configures a switched line BRI connectionBRI Leased Line Following example configures a leased-line BRI connectionIsdn ITU Standard Q.931 Call Status Cause Codes BRI Leased PPPCall Status Cause Codes Code Cause Incoming calls barred Configuring Quality of Service Mechanisms Providing QoS Traffic ClassificationDescribing the Class Map Describing the Policy MapQueuing and Services Describing Class-Based Weight Fair QueuingMeasuring Bandwidth Utilization Configuring CbwfqConfiguring Priority Queues Describing Priority QueuesConfiguring Traffic Policing Describing Traffic PolicingAssign the class frost to the priority queue Class-based Traffic Shaping Traffic Shaping per Policy-Map Differences Between Traffic Policing and Traffic Shaping Traffic Shaping and Queue LimitCongestion Control & Avoidance Describing Queue Size Control Drop TailDescribing Random Early Detection Describing Weighted Random Early Detection RED Drop Probability CalculationConfiguration per Interface VPNSuggestions for Using QoS on the XSR Configuring QoS with Mlppp Multi-ClassQoS and Link Fragmentation and Interleaving LFI Configuring QoS with FRF.12 QoS with VlanDescribing Vlan QoS Packet Flow Vlan Packet with Priority Routed out a Serial InterfaceQoS with Vlan Configuration Process LAN/QoS Serial ScenarioQoS on Input QoS on VPNQoS over VPN Features Configuring QoS on a Physical InterfaceConfiguring QoS on a Virtual Tunnel Interface QoS on a Virtual Interface Example Configure the input policy map Vpn classes RTP and FTP Configure the output policy map Ser classes RTP1 and FTP1Configure ACLs Configure the IKE policy foo for pre-share keysConfigure the IPSec SA QoS and VPN Interaction RouteConfiguring the Shaper on the VPN Interface AH Hmac ESP+3DESQoS Policy Configuration Examples Simple QoS on Physical Interface PolicyCreate the policy map Apply the configuration to the interface QoS for Frame Relay PolicyQoS with Mlppp Multi-Class Policy QoS with FRF.12 Policy QoS with Vlan Policy Input and Output QoS PolicyInput QoS on Ingress to the Diffserv Domain Policy QoS Policy Configuration Examples Configuring Adsl PDU Encapsulation Choices PPP over ATMPPPoA Network Diagram PPP over Ethernet over ATM RoutedPPPoE Network Diagram Routed IP over ATMAdsl Limitations Adsl HardwareNIM Card Adsl on the Motherboard Adsl Data FramingATM Support DSP FirmwareDslam Compatibility Access Concentrator RestrictionsClass of Service OAM CellsQoS Configuration ExamplesInverse ARP PPPoEFollowing optional commands configure two default routes Following optional commands configure NATPPPoA Enter the following commands to configure a IPoA topology IPoAInternet Security Issues VPN OverviewEnsuring VPN Security with IPSec/IKE/GRE How a Virtual Private Network WorksTransport Mode Processing Tunnel Mode Processing GRE over IPSecDescribing Public-Key Infrastructure PKI Defining VPN EncryptionDigital Signatures Certificates Machine Certificates for the XSRCA Hierarchies Certificate ChainsRA Mode Certificate Chain ExampleDF Bit Functionality Pending ModeEnroll Password CRL RetrievalVPN Applications Site-to-Site Networks Site-to-Central-Site NetworksNAT Traversal Client Mode InternetRemote Access Networks Network Extension Mode NEMUsing Ospf Over a VPN Network Ospf CommandsConfiguring Ospf Over Site-to-Central Site in Client Mode Client ServerServer Internet ClientClient Configuring Ospf with Fail Over RedundancyServer Interfaces Fast/GigabitEthernet 1 and VPNXSR VPN Features LimitationsInterfaces Fast/GigabitEthernet 1, VPN 1 and VPN Napt VPN Configuration Overview Master Encryption Key GenerationACL Configuration Rules Configuring ACLsSelecting Policies IKE/IPSec Transform-Sets SA lifetimesConfiguring Policy Security Policy ConsiderationsConfiguring Crypto Maps Creating Crypto MapsAuthentication, Authorization and Accounting Configuration User-NameAAA Commands Configuring AAAPKI Configuration Options Configuring PKI PKI Certificate Enrollment ExampleCA-AUTHENTICATED XSRconfig#ip domain acme.com Interface VPN Options Configuring a Simple VPN Site-to-Site Application VPN Interface Sub-CommandsFollowing sub-commands are available at VPN Interface mode XSRconfig#crypto isakmp proposal Test Configuring the VPN Using EZ-IPSec XSRconfig-crypto-m#description external interfaceEZ-IPSec Configuration XSRconfig#interface vpn 1 point-to-pointXSR with VPN Central Gateway Configure IKE policy for the remote peer Configure the following four IPSec SAsAdd ACLs to permit IP and UDP traffic Configure and enable the FastEthernet 1 interface Add a default route to the next hop Internet gatewayCreate a group for NEM and Client mode users Clear the DF bit globallyGRE Tunnel for Ospf Tunnel a XSR-3250 VPN GRE Site-to-Site TunnelXSRconfig-isakmp-peer#proposal shared Enable Ospf on the trusted and VPN interfaces Tunnel B XSR-1805 VPN GRE Site-to-Site TunnelEnable Ospf on the trusted and VPN interfaces Cisco Configuration XSR/Cisco Site-to-Site ExampleXSR Configuration Interoperability Profile for the XSR Scenario 1 Gateway-to-Gateway with Pre-Shared SecretsConfigure the Gateway a external LAN network AW Configure a default routeConfigure IKE Phase 1 policy Interoperability Profile for the XSR Scenario 2 Gateway-to-Gateway with Certificates 14 Gateway-to Gateway with Certificates TopologyXSR#clock timezone -7 State CA-AUTHENTICATED Configuring Dhcp Overview of DhcpHow Dhcp Works Dhcp Server StandardsPersistent Storage of Network Parameters for Clients Dhcp ServicesAssigned Network Configuration Values to Clients Options Temporary or Permanent Network Address AllocationNested Scopes IP Pool Subsets Bootp Legacy SupportProvisioning Differentiated Network Values by Client Class Pool subnetScope Caveat Manual BindingsParameter Request List Option Dhcp Client ServicesRouter Option Dhcp Client InteractionDhcp Client Timeouts Interaction with Remote Auto Install RAIDhcp CLI Commands Configuring Dhcp Address Pools Dhcp Set Up OverviewConfiguration Steps Configuring Dhcp Network Configuration ParametersOptional Set Up a Dhcp Nested Scope Configure Dhcp Network ParametersEnable the Dhcp Server Optional Configure a Dhcp Manual BindingManual Binding Example Dhcp Server Configuration ExamplesPool with Hybrid Servers Example Manual Binding with Class ExampleBootp Client Support Example Dhcp Option ExamplesConfiguring Security on the XSR Access Control ListsPacket Filtering ACL Violations Alarm ExampleFirst alarms logged will display as follows LANd AttackIP Packet with Multicast/Broadcast Source Address Smurf AttackFraggle Attack Spoofed Address CheckLarge Icmp Packets General Security PrecautionsSpurious State Transition Ping of Death AttackAAA Services Connecting Remotely via SSH or Telnet with AAA Service PuTTY Exit Option PuTTY Alert Message Firewall Feature Set Overview Reasons for Installing a FirewallTypes of Firewalls ACL and Packet Filter FirewallsALG and Proxy Firewalls Stateful Firewall Inspection SFI XSR Firewall Feature Set FunctionalityStateful Inspection Firewalls Filtering non-TCP/UDP PacketsApplication Level Commands Application Level GatewayWriting URL List Entries On Board URL FilteringImporting URL Lists from an Ascii File Enabling URL Filtering in Firewall PolicyDenial of Service DoS Attack Protection Configuring URL RedirectionAlarm Logging AlarmsAuthentication 12 Authentication ProcessFirewall and VPN Dynamic ReconfigurationFirewall and NAT ACLs and FirewallFirewall CLI Commands Firewall CLI Commands 13 Sample Telnet Screen Firewall Limitations Pre-configuring the Firewall Steps to Configure the FirewallXSR with Firewall Complete LAN and WAN interface configuration Log only critical eventsXSR with Firewall, PPPoE and Dhcp 15 XSR Firewall with PPPoE DSL and DhcpConfigure the Dhcp pool, DNS server and related settings XSR with Firewall and VPNXP PC NEM Add four ACLs to permit IP pool, L2TP and NEM trafficConfigure the following IPSec SAs XSRconfig#ip local pool test 10.120.70.0 Define three trusted networks in the enterprise Define the Internet as all possible IP addressesDefine the public VPN interface crypto map Define the local pool network used for tunnel IP addressesDefine service for Radius authentication Define service for IsakmpDefine service for L2TP tunnels Define service for Radius accountingFirewall Configuration for Vrrp Load the firewall configurationConfigure Radius network objects Configuring Simple Security RPC Policy Configuration Configuration Examples Configuring Security on the XSR Alarms/Events, System Limits Standard Ascii Table Recommended System LimitsSnmp views System Alarms and Events Table A-5 Alarm BehaviorDriv ETH1 ETH0 Table A-6 High Severity Alarms/Events Table A-7 Medium Severity Alarms/Events Sntp PPP MS-CHAP authentication failed while Shutdown command Portchannel Corrected the problem by resetting itself Firewall and NAT Alarms and Reports Table A-9 Firewall and NAT AlarmsNAT TCP reset, NAT port %d, %IPP2 UDP Detected UDP Flood attack %IPP2 Deny Icmp unsupported packet %IP2ICMP UDP Request Entry pool is empty Standard Ascii Character Table SpaceStandard Ascii Character Table Service Level Reporting MIB Tables EtsysSrvcLvlMetricTableVPN MIB Tables on page B-12 EtsysSrvcLvlOwnerTable EtsysSrvcLvlHistoryTableField Example CLI command EtsysSrvcLvlNetMeasureTableEtsysSrvcLvlAggrMeasureTable Rtr schedule aliased toBGP v4 MIB Tables General Variables TableBGP v4 Peer Table BgpPeerAdminStatus BGP-4 Received Path Attribute Table Bgp4PathAttrIpAddrPrefixBGP-4 Traps Firewall MIB Tables Global Interface OperationsPolicy Rule True Table Monitoring ObjectsPolicy Rule Table Totals Counters Session Totals CountersIP Session Counters Authenticated Address CountersAuthenticated Addresses Table IP Session TableVPN MIB Tables DOS Attacks Blocked CountersDOS Attacks Blocked Table EtsysVpnIkePeer Table EtsysVpnIkePeerProposals TableEtsysVpnIkeProposal Table EtsysVpnIpsecPolicy TableEtsysVpnIntfPolicy Table EtsysVpnIpsecPolicyRule Table EtsysVpnIpsecPolProposals TableEtsysVpnIpsecProposal Table EtsysVpnIpsecPropTransforms TableEtsysVpnAhTransform Table EtsysVpnEspTransform Table EtsysVpnIpcompTransform TableIpCidrRouteTable for Static Routes Host Resources MIB ObjectsEnterasys Configuration Management MIB Field Description ConfigMgmtOperationsEnterasys Configuration Change MIB Field Description EtsysConfigChangeNonVolatile GroupEnterasys Snmp Persistence MIB Enterasys Syslog Client MIB Field Description EtsysSyslogClient GroupTable B-46 Enterasys Syslog Client MIB Compliance Statements