Types of Firewalls | Enterasys Networks X-PeditionTM instruction

Firewall Feature Set Overview

Figure 16-10 XSR Firewall Topology

	Internet
	External	SMTP server
		SMTP server
Firewall	Policy DB
inspection
enabled
	XSR	DMZ
	XSR
	Router
	Firewall
	inspection
	enabled
Internal		HTTP server
Internal
	Client

There are many possible network configurations for a firewall. The figure above shows a scenario with the firewall connected to the trusted network (internal) and servers that can be accessed externally (via the DMZ).

The XSR firewall feature set inspects packets coming in from open ports and either passes them on to the router or drops them based on policies defined in the policy database which is configured using the XSR’s CLI.

In this example, the firewall acts as a shield for traffic coming in and out of the external and DMZ networks. The internal interface does not have nor does it need firewall inspection enabled because it is a trusted network.

While this flexibility is useful, it emphasizes the fact that the shield is only as effective as the intelligence of the policies. Functionally, the XSR’s policy database defines the configuration and retains information about the sessions currently allowed through the firewall.

Types of Firewalls

Generally speaking, there are three types of firewalls: Access Control List (ACL) or Packet Filter, Application Level Gateway (ALG) or Proxy, and Stateful Inspection. Each of these firewall types operate at different layers of the TCP/IP network model, using different criteria to restrict traffic.

ACL and Packet Filter Firewalls

ACL and packet filter firewalls statically apply security policy to a packet’s contents according to pre-configured rules you specify such as permitted or denied source and destination addresses

16-10 Configuring Security on the XSR

Image 396

Enterasys Networks X-PeditionTM manual Types of Firewalls, ACL and Packet Filter Firewalls

Contents

PeditionSecurity Router VersionPage Enterasys Networks, Inc Minuteman Road Andover, MA Regulatory Compliance Information Federal Communications Commission FCC Notice Product Safety Industry Canada NoticesTTE Directive Declaration Class a ITE Notice Clase A. Aviso de ITE Electromagnetic Compatibility EMC Compatibilidad Electromágnetica EMCElektro- magnetische Kompatibilität EMC Vcci Notice Declaration of Conformity USA Approved Enterasys Networks, Inc Firmware License Agreement Viii Page Page Contents Configuring an Interface Displaying Interface Attributes Configuring T1/E1 & T3/E3 Interfaces Configuring IPManaging LAN/WAN Interfaces How Triggered-on-Demand RIP Works Configuring the Border Gateway Protocol Configuration Considerations Configuring PIM-SM and Igmp Route Reflectors Confederations Configuring PPP Configuring Frame Relay Configuring Dialer Services 10-13 Configuring Integrated Services Digital Network Configuring Quality of Service Configuring Adsl Configuring the Virtual Private Network Configuring Dhcp Configuring Security on the XSR Appendix B XSR Snmp Proprietary and Associated Standard MIBs DOS Attacks Blocked Counters DOS Attacks Blocked Table Contents of the Guide Preface Conventions Used in This Guide Following conventions are used in this guide Bold/En negrilla Getting Help FTP Overview Overview XSR User’s Guide Overview Utilizing the Command Line Interface Connecting via the Console Port on XSR Series Using the Console Port to Remotely Control the XSR Connecting a Serial Interface to a Modem Connecting via Telnet Connecting via SSHTerminal Commands Accessing the Initial Prompt Synchronizing the Clock Remote Auto Install RAI Features and RequirementsManaging the Session Utilizing the Command Line Interface RAI Requirements on the XSR How RAI Components WorkFrame Relay Remote Router Bootp Client Reverse DNS ClientTftp Client Frame Relay Central Site Dhcp over LAN RAI over Ethernet PPP RAI over a Leased Line PPP RAI over a Dial-in LinePPP RAI over Adsl CLI Editing Rules Setting CLI Configuration Modes CLI Shortcuts Command Description CLI Configuration Modes Function Access Method Prompt Refer to -1for a graphic example of configuration modes Global Configuration Mode Exiting From the Current ModeUser Exec Mode Privileged Exec Mode Mode Examples Observing Command Syntax and ConventionsFollowing example CLI Command Limits Describing Ports and InterfacesSupported Physical Interfaces Supported Virtual Interfaces Setting Interface Type and Numbering Setting Port Configuration ModeNumbering XSR Slots, Cards, and Ports Supported Ports Configuration Examples T1 ExampleT1-PRI Isdn Example Dialer Example BRI-Dialer Idsn Example Following interfaces are added Entering Commands that Control Tables Adding Table EntriesFollowing sub-interfaces are added You may type Managing XSR Interfaces Deleting Table EntriesModifying Table Entries Displaying Table Entries Configuring an Interface Following command enables an interfaceEnabling an Interface Disabling an Interface Performing Fault Management Logging CommandsManaging Message Logs Fault Report Commands Capturing Fault Report Data Using the Real-Time Clock Managing the System ConfigurationRTC Commands RTC/Network Clock Options Resetting the Configuration to Factory Default Using the Default Button XSR 1800/1200 Series Only Configuration Save Options Bulk Configuration ManagementUsing File System Commands Downloading the Configuration Uploading the Configuration/Crash Report Creating Alternate Configuration FilesFull-config Backup BootRom Upgrade Choices Pre-upgrade ProceduresManaging the Software Image Creating Alternate Software Image Files Using the Bootrom Update Utility Using TFTP, transfer updateBootrom.fls from the network Local Bootrom Upgrade XSR1800 bU bootromuncmp.fls Using EOS Fallback to Upgrade the Image Loading Software Images Configuring EOS Fallback on the CLI Configuring EOS Fallback via Snmp Software Image Commands Configuration Change HashingDownloading with Fips Security Set the operation to imageSetSelected Memory Management Displaying System Status and StatisticsCreating Resources Network Management through Snmp Snmp Informs Shaping Trap TrafficStatistics Alarm Management Traps Network Monitoring via Service Level Agreement AgentMeasuring Performance Metrics Create an Owner Via CLIVia Snmp Create a Measurement to Ping Via CLI Following command schedules a measurement immediately Schedule a measurement Via CLI Full Configuration Backup/Restore Using the SLA Agent in SnmpEnterasys Configuration Management MIB Cabletron CTdownload MIB Software Image Download using NetSight Appending CLI Commands to Configuration Files via SnmpSnmp Download with Auto-Reboot Option CLI Translator Accessing the XSR Through the Web NetSight Atlas Router Services ManagerFirmware Upgrade Procedures Network Management Tools Fault Reporting Using the CLI for DownloadsUsing Snmp for Downloads Auto-discovery LAN Features XSR supports the following LAN interface featuresOverview of LAN Interfaces Configuring the LAN MIB Statistics WAN Features XSR supports the following WAN interface featuresOverview of WAN Interfaces Configuring the WAN Following example configures the XSR to dial-out async Configuring the WAN Managing LAN/WAN Interfaces Features T1/E1 ModeOverview T1/E1 Functionality T3 Mode E3 Mode T1/E1 Subsystem Configuration T3/E3 Subsystem Configuration Drop and Insert Features D&I NIM does not support channelized mode nor PRIT1 Drop & Insert One-to-One DS0 Bypassing Configuring Channelized T1/E1 Interfaces Enter the no shutdown command to enable the lineSpecify the clock source for the controller Specify the controllers framing type Configuring Un-channelized T3/E3 Interfaces Enable the Controller lineOptionally, if you prefer to configure internal clocking Enable the Serial line Troubleshooting T1/E1 & T3/E3 Links T1/E1 & T3/E3 Physical Layer Troubleshooting XSRconfig#controller t1 1/0 XSRconfig-controllerT1-1/0# T1/E1 & T3/E3 Alarm Analysis Receive Alarm Indication Signal AIS Blue AlarmRestart the controller Receive Remote Alarm Indication RAI Yellow Alarm Transmit Remote Alarm Indication RAI Yellow AlarmTransmit Sending Remote Alarm Red Alarm Transmit Alarm Indication Signal AIS Blue Alarm T1/E1 & T3/E3 Error Events Analysis XSR Slip Seconds Counter Increasing Controller Configuring the D&I NIM Framing Loss Seconds IncreasingLine Code Violations Increasing Page Configuring IP General IP Features Telnet Secondary IP Troubleshooting Tools Ping Traceroute IP Routing RIP BOOTP/DHCP Relay ARP and Proxy ARPProxy DNS Broadcast Directed BroadcastLocal Broadcast TCP Telnet Trivial File Transfer Protocol Tftp IP InterfaceSecondary IP Interface & Secondary IP ARP & Secondary IP Icmp & Secondary IP Routing Table Manager & Secondary IP Ospf & Secondary IPRIP & Secondary IP Unnumbered Interface & Secondary IP IP Routing Protocols Maximum Transmission Unit MTUPing Traceroute RIPv1 Triggered-on-Demand RIP How Triggered-on-Demand RIP Works IP Routing Protocols Ospf LSA Type 3 and 5 Summarization Ospf Database Overflow Ospf Passive Interfaces Following is a high priority Overflow Entered log reportFollowing is a high priority Overflow Exited log report Ospf Troubleshooting Null InterfaceRoute Preference Static Routes Vlan Routing Forwarding VLAN, PPPoE over Vlan 802.1Q Vlan Tag Vlan Processing Over the XSR’s Ethernet Interfaces IP Routing Table Vlan Processing VLAN-enabled Ethernet to WAN Interfaces Vlan Ethernet to Fast/GigabitEthernet Topology Accessing the Global Routing Policy Table Policy Based RoutingQoS with Vlan Match Clauses Set ClausesPBR Cache Default Network Classless Inter-Domain Routing CidrRouter ID Real Time Protocol RTP Header Compression Features Network Address Translation Virtual Router Redundancy Protocol Vrrp Definitions XSR1 XSR2 How the Vrrp Works Different States of a Vrrp Router Vrrp Features AuthenticationMultiple Virtual IP Addresses per VR Multiple VRs Per Router Load Balancing ARP Process on a Vrrp RouterHost ARP Proxy ARP Icmp Ping Interface Monitoring Watch Group Monitoring Configuration Considerations Equal-Cost Multi-Path Ecmp Configuring RIP Examples Central XSR Configuring RIP Examples Configuring Unnumbered IP Serial Interface Example Configuring Ospf Example Configuring NAT Examples Configuring Static TranslationBasic One-to-One Static NAT Dynamic Pool Configuration Configuring Dynamic Pool TranslationRegister the global NAT pool Configuring Napt Enable an interface F1, for exampleNetwork Address and Port Translation Bind the interface and optional ACL to the NAT pool Multiple NAT Pools within an Interface 14 Multiple NAT Pools within Interface Static NAT within an Interface Inside Outside 15 Static NAT within Interface Configuring Policy Based Routing Example Enter the following commands to enable NAT Port ForwardingNAT Port Forwarding Configuring Vrrp Example Router XSRaRouter XSRb Configuring Vlan Examples Following example configures a Vlan interface for PPPoEFor a QoS with Vlan example, refer to QoS with Vlan on Configuring the Border Gateway Protocol Describing BGP Messages Open Update Defining BGP Path AttributesKeepalive Notification AS Path Origin Next Hop Local Preference Local Preference Applied to Direct Egress Traffic from AS Weight Atomic Aggregate Aggregator Multi-Exit Discriminator Community Aspath Communities Application of Community Attribute BGP Path Selection Process BGP Routing Policy Access Control Lists Filter ListsCommunity Lists Route Maps Regular Expressions Regular Expression CharactersRegular Expression Examples Peer Groups Creating a Peer GroupAssigning Peer Group Options Display all routes with any AS path Initial BGP Configuration Resetting BGP ConnectionsFor an example, refer to Configuring BGP Neighbors on Adding BGP Neighbors Synchronization Address AggregationRoute Flap Dampening Capability Advertisement Route RefreshRecommendations for Route Flap Dampening Scaling BGP 10 Fully Meshed BGP Route Reflectors 11 Route Reflector Applied to Minimize Ibgp Mesh Confederations Displaying System and Network Statistics 12 Use of Confederations to Reduce Ibgp Mesh Sub AS-302 Configuring BGP Route Maps Configuring BGP Neighbors BGP Path Filtering by Neighbor Example Configuring BGP Confederations BGP Aggregate Route Examples Configuring BGP Peer Groups TCP MD5 Authentication for BGP ExampleIbgp Peer Group Example This section details Ibgp and an Ebgp peer group examples Ebgp Peer Group Example BGP Community with Route Maps Examples XSRconfig#router bgp XSRconfig-router#network 1.0.0.0 mask Configuring BGP Peer Groups Configuring PIM-SM and Igmp Differences with Industry-Standard Approach IP Multicast Overview Defining Multicast Group Addressing Outlining Igmp Versions Comparing Multicast Distribution Trees Describing the XSR’s IP Multicast Features Forwarding Multicast Traffic Group Membership Actions Sending and Receiving Queries and ReportsSending a Query Interoperating with Older Igmp Versions Describing the XSR’s PIM-SM v2 Features Behavior of Group Members Among Older Version Group MembersBehavior of Multicast Routers Among Older Version Queriers Phase 1 Building a Shared Tree Phase 2 Building Shortest Path Tree Between Sender & RP Phase 2 Topology Shortest Path Tree Between Sender and RP Neighbor Discovery and DR Election Bootstrap & Rendezvous Point PIM Register MessagePIM Join/Prune Message Assert Processing Source-Specific Multicast PIM SM over Frame Relay PIM Configuration Examples PIM Configuration Examples Configuring PIM-SM and Igmp Configuring PPP PPP Features Link Control Protocol LCP Network Control Protocol NCP Authentication Password Authentication Protocol PAPChallenge Handshake Authentication Protocol Chap Microsoft Challenge Handshake Protocol MS-CHAP Link Quality Monitoring LQM Multilink PPP Mlppp Multi-Class Mlppp Multilink Header Option Format Fragment Interleaving Over the Link Multilink Head Format Negotiation Events and Alarms IP Control Protocol IpcpMulti-Class Option Negotiation Multi-Class Receiving Packet PPP Bandwidth Allocation/Control Protocols BAP/BAPC IP Address Assignment Configuring PPP with a Dialed Backup Line Configuring a Synchronous Serial InterfaceEnter the media-type for the interface default RS232 Enter encapsulation ppp to enable PPP encapsulation Configuring a Dialed Backup Line Configuring the Dialer InterfaceConfiguring the Physical Interface for the Dialer Interface Enter no shutdown to enable this interface Configuring the Interface as the Backup Dialer Interface Configure interface dialer 1 to use dial pool Configuring Mlppp on a Multilink/Dialer interface Multilink ExampleDialer Example Configuring BAP Dual XSRs One Router Using DoD with Call RequestXSR1 Configuration XSR2 Configuration Configure the Dialer 1 interface with a dialer poolConfigure the dialer list and ACL for DoD Dual XSRs BAP Using Call/Callback Request Configuring BAP Configuring BAP Configuring PPP Virtual Circuits DLCIs DTEs DCEs Frame Relay Features Multi-Protocol Encapsulation Address Resolution Dynamic Resolution Using Inverse ARPControlling Congestion in Frame Relay Networks Rate Enforcement CIR Generic Traffic Shaping Discard Eligibility DE Bit Forward Explicit Congestion Notification FecnBackward Explicit Congestion Notification Becn Controlling Congestion in Frame Relay Networks Link Management Information LMI Sub-interfaces User Configuration Commands FRF.12 FragmentationEnd-to-End Fragmentation Reports and Alarms Map-Class ConfigurationShow Running Configuration Clear Statistics Interconnecting via Frame Relay Network Minneapolis Houston Memphis Configuring Frame Relay Multi-point to Point-to-Point Example Configuring Frame Relay Configuring Frame Relay Configuring Frame Relay Overview of Dial Services Dial Services Features AT Commands on Asynchronous Ports Asynchronous and Synchronous Support25bis over Synchronous Interfaces Time of Day feature Typical Use for Dial ServicesEthernet Backup DTR Dialing for Synchronous Interfaces Implementing Dial Services Dialer Profiles Dialer Interface Dialer StringsDialer Pool Addressing Dialer Resources Configuring Encapsulation Isdn Callback Logical View of Dialer Profiles Sample Dialer Topology Dialer Profile of Destination 416 Creating and Configuring the Dialer Interface Dialer Profile of Destination 987 Sample Dialer Configuration Configuring the Map ClassConfiguring the Physical Interface for the Dialer Interface Configure a backup link for dial purposes with priority Configuring Isdn Callback Point-to-Point with Matched Calling/Called NumbersPoint-to-Point with Different Calling/Called Numbers Point-to-Multipoint with One Neighbor Overview of Dial Backup Sequence of Backup EventsDial Backup Features Link Failure Backup Example Backup Link Failure Example Configuring Interface as the Backup Dialer Interface Configure backup serial port for dialing purposes Sample Configuration Configure interface dialer 2 to use dial poolDialer Overview of Dial on Demand/Bandwidth on Demand Dialer Interface Spoofing Dialer Watch Dialer Watch Behavior Dialer Watch Topology Answering Incoming Isdn Calls Caveat Node a Calling Node Configuration Following command maps ACL 101 to dialer groupIncoming Call Mapping Example Node B Called Node Configuration Node D Calling Node Configuration Configuring DoD/BoD Following command maps ACL 1061 to dialer group PPP Point-to-Multipoint Configuration 11 Dial on Demand Topology PPP Multipoint-to-Multipoint Configuration Node a Configuration PPP Point-to-Point Configurations Node B ConfigurationFollowing command maps ACL 105 to dialer group Following commands configure dialer interface Dial-in Routing for Dial on Demand ExampleDial-out Routing for Dial on Demand Example PPP Point-to-Multipoint Configurations 13 PPP Point-to-Multipoint Topology Dial-out Router Example Dial-in Router Example Mlppp Point-to-Multipoint Configuration Following command sets remote user authentication Mlppp Point-to-Point Configurations 14 Mlppp Point-to-Point Topology Mlppp Point-to-Multipoint Configurations 15 Mlppp Point-to-Multipoint Topology Mlppp Multipoint-to-Multipoint Configuration Switched PPP Multilink Configuration Bandwidth-on-Demand Node C Called Node Configuration Following command maps ACL 106 to dialer group Backup Configuration Backup Using IsdnNode a Backed-up Node Configuration XSRconfig#username toronto privilege 0 password cleartext z Configuration for Backup with Mlppp Bundle Following command configures Serial sub-interface 2/00Following command configures Serial sub-interface 2/01 Configuration for Ethernet Failover Following commands configure Serial sub-interface 2/00 Configuration for Frame Relay Encapsulation Backup Configuration Configuring Dialer Services Isdn Features Leased line Isdn configuration examples T1 PRI E1 PRI BRI Features PRI FeaturesUnderstanding Isdn Basic Rate Interface Primary Rate InterfaceChannels Channel Channel Signaling and Carrier Networks Isdn Equipment ConfigurationsChannel Standards Bandwidth Optimization Security Call Monitoring Isdn TraceTrace Decoding Q921 Decoding Q931 Decoding Reference Parameters + Next line 04 Bearer capability Status Isdn Configuration Terminal Endpoint Identifier TEI Management ProceduresDecoded IEs BRI NI-1, DMS100 & 5ESS Spid Registration BRI Switched Configuration Model Switched BRI Configuration Model PRI Configuration Model PRI Configuration Model Leased-Line Configuration Model Interface BRI 0/1/21 More Configuration Examples Following example configures a PRI connection on a T1 cardFollowing example configures a PRI connection on an E1 card Following example configures a switched line BRI connection Following example configures a leased-line BRI connection Isdn ITU Standard Q.931 Call Status Cause CodesBRI Leased Line BRI Leased PPP Call Status Cause Codes Code Cause Incoming calls barred Configuring Quality of Service Mechanisms Providing QoS Traffic Classification Describing the Class Map Describing the Policy Map Queuing and Services Describing Class-Based Weight Fair Queuing Configuring Cbwfq Configuring Priority QueuesMeasuring Bandwidth Utilization Describing Priority Queues Configuring Traffic Policing Describing Traffic PolicingAssign the class frost to the priority queue Class-based Traffic Shaping Traffic Shaping per Policy-Map Differences Between Traffic Policing and Traffic Shaping Traffic Shaping and Queue Limit Congestion Control & Avoidance Describing Queue Size Control Drop TailDescribing Random Early Detection Describing Weighted Random Early Detection RED Drop Probability Calculation Configuration per Interface VPN Suggestions for Using QoS on the XSR Configuring QoS with Mlppp Multi-ClassQoS and Link Fragmentation and Interleaving LFI Configuring QoS with FRF.12 QoS with Vlan Describing Vlan QoS Packet Flow Vlan Packet with Priority Routed out a Serial Interface QoS with Vlan Configuration Process LAN/QoS Serial Scenario QoS on Input QoS on VPN QoS over VPN Features Configuring QoS on a Physical InterfaceConfiguring QoS on a Virtual Tunnel Interface QoS on a Virtual Interface Example Configure the input policy map Vpn classes RTP and FTP Configure the output policy map Ser classes RTP1 and FTP1 Configure ACLs Configure the IKE policy foo for pre-share keysConfigure the IPSec SA QoS and VPN Interaction Route Configuring the Shaper on the VPN Interface AH Hmac ESP+3DES QoS Policy Configuration Examples Simple QoS on Physical Interface PolicyCreate the policy map Apply the configuration to the interface QoS for Frame Relay Policy QoS with Mlppp Multi-Class Policy QoS with FRF.12 Policy QoS with Vlan Policy Input and Output QoS Policy Input QoS on Ingress to the Diffserv Domain Policy QoS Policy Configuration Examples Configuring Adsl PDU Encapsulation Choices PPP over ATM PPPoA Network Diagram PPP over Ethernet over ATM Routed PPPoE Network Diagram Routed IP over ATM Adsl Limitations Adsl HardwareNIM Card Adsl Data Framing ATM SupportAdsl on the Motherboard DSP Firmware Access Concentrator Restrictions Class of ServiceDslam Compatibility OAM Cells Configuration Examples Inverse ARPQoS PPPoE Following optional commands configure two default routes Following optional commands configure NATPPPoA Enter the following commands to configure a IPoA topology IPoA Internet Security Issues VPN Overview Ensuring VPN Security with IPSec/IKE/GRE How a Virtual Private Network Works Transport Mode Processing Tunnel Mode Processing GRE over IPSec Describing Public-Key Infrastructure PKI Defining VPN EncryptionDigital Signatures Certificates Machine Certificates for the XSR CA Hierarchies Certificate Chains RA Mode Certificate Chain Example Pending Mode Enroll PasswordDF Bit Functionality CRL Retrieval VPN Applications Site-to-Site Networks Site-to-Central-Site NetworksNAT Traversal Client Mode Internet Remote Access Networks Network Extension Mode NEM Using Ospf Over a VPN Network Ospf CommandsConfiguring Ospf Over Site-to-Central Site in Client Mode Client ServerServer Internet Client Configuring Ospf with Fail Over Redundancy ServerClient Interfaces Fast/GigabitEthernet 1 and VPN XSR VPN Features LimitationsInterfaces Fast/GigabitEthernet 1, VPN 1 and VPN Napt VPN Configuration Overview Master Encryption Key Generation ACL Configuration Rules Configuring ACLs Selecting Policies IKE/IPSec Transform-Sets SA lifetimes Configuring Policy Security Policy Considerations Configuring Crypto Maps Creating Crypto Maps Authentication, Authorization and Accounting Configuration User-Name AAA Commands Configuring AAA PKI Configuration Options Configuring PKI PKI Certificate Enrollment Example CA-AUTHENTICATED XSRconfig#ip domain acme.com Interface VPN Options Configuring a Simple VPN Site-to-Site Application VPN Interface Sub-CommandsFollowing sub-commands are available at VPN Interface mode XSRconfig#crypto isakmp proposal Test Configuring the VPN Using EZ-IPSec XSRconfig-crypto-m#description external interface EZ-IPSec Configuration XSRconfig#interface vpn 1 point-to-point XSR with VPN Central Gateway Configure IKE policy for the remote peer Configure the following four IPSec SAsAdd ACLs to permit IP and UDP traffic Configure and enable the FastEthernet 1 interface Add a default route to the next hop Internet gateway Create a group for NEM and Client mode users Clear the DF bit globally GRE Tunnel for Ospf Tunnel a XSR-3250 VPN GRE Site-to-Site Tunnel XSRconfig-isakmp-peer#proposal shared Enable Ospf on the trusted and VPN interfaces Tunnel B XSR-1805 VPN GRE Site-to-Site Tunnel Enable Ospf on the trusted and VPN interfaces Cisco Configuration XSR/Cisco Site-to-Site Example XSR Configuration Interoperability Profile for the XSR Scenario 1 Gateway-to-Gateway with Pre-Shared Secrets Configure the Gateway a external LAN network AW Configure a default routeConfigure IKE Phase 1 policy Interoperability Profile for the XSR Scenario 2 Gateway-to-Gateway with Certificates 14 Gateway-to Gateway with Certificates Topology XSR#clock timezone -7 State CA-AUTHENTICATED Configuring Dhcp Overview of Dhcp How Dhcp Works Dhcp Server Standards Dhcp Services Assigned Network Configuration Values to Clients OptionsPersistent Storage of Network Parameters for Clients Temporary or Permanent Network Address Allocation Bootp Legacy Support Provisioning Differentiated Network Values by Client ClassNested Scopes IP Pool Subsets Pool subnet Scope Caveat Manual Bindings Dhcp Client Services Router OptionParameter Request List Option Dhcp Client Interaction Dhcp Client Timeouts Interaction with Remote Auto Install RAI Dhcp CLI Commands Dhcp Set Up Overview Configuration StepsConfiguring Dhcp Address Pools Configuring Dhcp Network Configuration Parameters Configure Dhcp Network Parameters Enable the Dhcp ServerOptional Set Up a Dhcp Nested Scope Optional Configure a Dhcp Manual Binding Dhcp Server Configuration Examples Pool with Hybrid Servers ExampleManual Binding Example Manual Binding with Class Example Bootp Client Support Example Dhcp Option Examples Configuring Security on the XSR Access Control Lists ACL Violations Alarm Example First alarms logged will display as followsPacket Filtering LANd Attack Smurf Attack Fraggle AttackIP Packet with Multicast/Broadcast Source Address Spoofed Address Check General Security Precautions Spurious State TransitionLarge Icmp Packets Ping of Death Attack AAA Services Connecting Remotely via SSH or Telnet with AAA Service PuTTY Exit Option PuTTY Alert Message Firewall Feature Set Overview Reasons for Installing a Firewall Types of Firewalls ACL and Packet Filter Firewalls ALG and Proxy Firewalls XSR Firewall Feature Set Functionality Stateful Inspection FirewallsStateful Firewall Inspection SFI Filtering non-TCP/UDP Packets Application Level Commands Application Level Gateway On Board URL Filtering Importing URL Lists from an Ascii FileWriting URL List Entries Enabling URL Filtering in Firewall Policy Denial of Service DoS Attack Protection Configuring URL Redirection Alarm Logging Alarms Authentication 12 Authentication Process Dynamic Reconfiguration Firewall and NATFirewall and VPN ACLs and Firewall Firewall CLI Commands Firewall CLI Commands 13 Sample Telnet Screen Firewall Limitations Pre-configuring the Firewall Steps to Configure the Firewall XSR with Firewall Complete LAN and WAN interface configuration Log only critical events XSR with Firewall, PPPoE and Dhcp 15 XSR Firewall with PPPoE DSL and Dhcp Configure the Dhcp pool, DNS server and related settings XSR with Firewall and VPN XP PC NEM Add four ACLs to permit IP pool, L2TP and NEM traffic Configure the following IPSec SAs XSRconfig#ip local pool test 10.120.70.0 Define the Internet as all possible IP addresses Define the public VPN interface crypto mapDefine three trusted networks in the enterprise Define the local pool network used for tunnel IP addresses Define service for Isakmp Define service for L2TP tunnelsDefine service for Radius authentication Define service for Radius accounting Firewall Configuration for Vrrp Load the firewall configurationConfigure Radius network objects Configuring Simple Security RPC Policy Configuration Configuration Examples Configuring Security on the XSR Alarms/Events, System Limits Standard Ascii Table Recommended System Limits Snmp views System Alarms and Events Table A-5 Alarm Behavior Driv ETH1 ETH0 Table A-6 High Severity Alarms/Events Table A-7 Medium Severity Alarms/Events Sntp PPP MS-CHAP authentication failed while Shutdown command Portchannel Corrected the problem by resetting itself Firewall and NAT Alarms and Reports Table A-9 Firewall and NAT Alarms NAT TCP reset, NAT port %d, %IPP2 UDP Detected UDP Flood attack %IPP2 Deny Icmp unsupported packet %IP2ICMP UDP Request Entry pool is empty Standard Ascii Character Table Space Standard Ascii Character Table Service Level Reporting MIB Tables EtsysSrvcLvlMetricTableVPN MIB Tables on page B-12 EtsysSrvcLvlOwnerTable EtsysSrvcLvlHistoryTable Field Example CLI command EtsysSrvcLvlNetMeasureTable EtsysSrvcLvlAggrMeasureTable Rtr schedule aliased to BGP v4 MIB Tables General Variables TableBGP v4 Peer Table BgpPeerAdminStatus BGP-4 Received Path Attribute Table Bgp4PathAttrIpAddrPrefix BGP-4 Traps Firewall MIB Tables Global Interface Operations Monitoring Objects Policy Rule Table Totals CountersPolicy Rule True Table Session Totals Counters Authenticated Address Counters Authenticated Addresses TableIP Session Counters IP Session Table VPN MIB Tables DOS Attacks Blocked CountersDOS Attacks Blocked Table EtsysVpnIkePeer Table EtsysVpnIkePeerProposals Table EtsysVpnIkeProposal Table EtsysVpnIpsecPolicy TableEtsysVpnIntfPolicy Table EtsysVpnIpsecPolicyRule Table EtsysVpnIpsecPolProposals Table EtsysVpnIpsecProposal Table EtsysVpnIpsecPropTransforms TableEtsysVpnAhTransform Table EtsysVpnEspTransform Table EtsysVpnIpcompTransform Table IpCidrRouteTable for Static Routes Host Resources MIB Objects Enterasys Configuration Management MIB Field Description ConfigMgmtOperations Enterasys Configuration Change MIB Field Description EtsysConfigChangeNonVolatile Group Enterasys Snmp Persistence MIB Enterasys Syslog Client MIB Field Description EtsysSyslogClient Group Table B-46 Enterasys Syslog Client MIB Compliance Statements