Manuals / Enterasys Networks / Computer Equipment / Network Router

Enterasys Networks X-PeditionTM manual XSRconfig#ip local pool test 10.120.70.0

Models: X-PeditionTM

1 466

Download 466 pages 52.77 Kb

Page 416

Configuration Examples

XSR(config)#ip route 0.0.0.0 0.0.0.0 141.154.196.93

Define an IP pool for distribution of tunnel addresses to all client types:

XSR(config)#ip local pool test 10.120.70.0 255.255.255.0

Create hosts to resolve hostnames for the certificate servers for CRL retrieval:

XSR(config)#ip host parentca 141.154.196.89

XSR(config)#ip host childca2 141.154.196.81

XSR(config)#ip host childca1 141.154.196.83

Clear the DF bit globally:

XSR(config)#crypto ipsec df-bit clear

Enable the OSPF engine, VPN and FastEthernet 1 interfaces for routing:

XSR(config)#router ospf 1

XSR(config-router)#network 10.120.70.0 0.0.0.255 area 5.5.5.5 XSR(config-router)#network 96.96.96.0 0.0.0.255 area 5.5.5.5

Create a group for NEM and Client mode users:

XSR(config)#aaa group sohoclient

XSR(aaa-group)#dns server primary 10.120.112.220

XSR(aaa-group)#dns server secondary 0.0.0.0

XSR(aaa-group)#wins server primary 10.120.112.220

XSR(aaa-group)#wins server secondary 0.0.0.0

XSR(aaa-group)#ip pool test

XSR(aaa-group)#pptp compression

XSR(aaa-group)#pptp encrypt mppe 128

XSR(aaa-group)#l2tp compression

XSR(aaa-group)#policy vpn

Configure DEFAULT group parameters including DNS and WINs servers, an IP pool, PPTP and L2TP values, and client VPN permission:

XSR(config)#aaa group DEFAULT

XSR(aaa-group)#dns server primary 0.0.0.0

XSR(aaa-group)#dns server secondary 0.0.0.0

XSR(aaa-group)#wins server primary 0.0.0.0

XSR(aaa-group)#wins server secondary 0.0.0.0

XSR(aaa-group)#ip pool test

XSR(aaa-group)#pptp compression

XSR(aaa-group)#pptp encrypt mppe 128

XSR(aaa-group)#l2tp compression

XSR(aaa-group)#policy vpn

Define a group for remote access XP users including DNS and WINs servers, an IP pool, PPTP and L2TP values, and client VPN permission:

XSR(config)#aaa group XPusers

XSR(aaa-group)#dns server primary 10.120.112.220

XSR(aaa-group)#dns server secondary 0.0.0.0

XSR(aaa-group)#wins server primary 10.120.112.220

XSR(aaa-group)#wins server secondary 0.0.0.0

XSR(aaa-group)#ip pool test

XSR(aaa-group)#pptp compression

XSR(aaa-group)#pptp encrypt mppe 128

16-30 Configuring Security on the XSR

Image 416

Enterasys Networks X-PeditionTM manual XSRconfig#ip local pool test 10.120.70.0

Contents

PeditionSecurity Router VersionPage Enterasys Networks, Inc Minuteman Road Andover, MA Regulatory Compliance Information Federal Communications Commission FCC NoticeProduct Safety Industry Canada NoticesTTE Directive Declaration Class a ITE Notice Clase A. Aviso de ITEElectromagnetic Compatibility EMC Compatibilidad Electromágnetica EMCElektro- magnetische Kompatibilität EMC Vcci NoticeDeclaration of Conformity USAApproved Enterasys Networks, Inc Firmware License Agreement Viii Page Page Contents Configuring an Interface Displaying Interface Attributes Managing LAN/WAN Interfaces Configuring T1/E1 & T3/E3 InterfacesConfiguring IP How Triggered-on-Demand RIP Works Configuring the Border Gateway Protocol Configuration ConsiderationsConfiguring PIM-SM and Igmp Route Reflectors ConfederationsConfiguring PPP Configuring Frame Relay Configuring Dialer Services10-13 Configuring Integrated Services Digital Network Configuring Quality of ServiceConfiguring Adsl Configuring the Virtual Private Network Configuring Dhcp Configuring Security on the XSR Appendix B XSR Snmp Proprietary and Associated Standard MIBs DOS Attacks Blocked Counters DOS Attacks Blocked Table Contents of the Guide PrefaceConventions Used in This Guide Following conventions are used in this guideBold/En negrilla Getting Help FTPOverview Overview XSR User’s Guide Overview Utilizing the Command Line Interface Connecting via the Console Port on XSR SeriesUsing the Console Port to Remotely Control the XSR Connecting a Serial Interface to a ModemTerminal Commands Connecting via TelnetConnecting via SSH Accessing the Initial Prompt Synchronizing the ClockManaging the Session Remote Auto InstallRAI Features and Requirements Utilizing the Command Line Interface Frame Relay Remote Router RAI Requirements on the XSRHow RAI Components Work Bootp Client Reverse DNS ClientTftp Client Frame Relay Central SiteDhcp over LAN RAI over Ethernet PPP RAI over Adsl PPP RAI over a Leased LinePPP RAI over a Dial-in Line CLI Editing Rules Setting CLI Configuration Modes CLI Shortcuts Command DescriptionCLI Configuration Modes Function Access Method Prompt Refer to -1for a graphic example of configuration modesGlobal Configuration Mode Exiting From the Current ModeUser Exec Mode Privileged Exec ModeFollowing example Mode ExamplesObserving Command Syntax and Conventions CLI Command Limits Describing Ports and InterfacesSupported Physical Interfaces Supported Virtual InterfacesSetting Interface Type and Numbering Setting Port Configuration ModeNumbering XSR Slots, Cards, and Ports Supported PortsConfiguration Examples T1 ExampleT1-PRI Isdn Example Dialer ExampleBRI-Dialer Idsn Example Following interfaces are addedEntering Commands that Control Tables Adding Table EntriesFollowing sub-interfaces are added You may typeManaging XSR Interfaces Deleting Table EntriesModifying Table Entries Displaying Table EntriesConfiguring an Interface Following command enables an interfaceEnabling an Interface Disabling an InterfaceManaging Message Logs Performing Fault ManagementLogging Commands Fault Report Commands Capturing Fault Report DataUsing the Real-Time Clock Managing the System ConfigurationRTC Commands RTC/Network Clock OptionsResetting the Configuration to Factory Default Using the Default Button XSR 1800/1200 Series OnlyConfiguration Save Options Bulk Configuration ManagementUsing File System Commands Downloading the ConfigurationFull-config Backup Uploading the Configuration/Crash ReportCreating Alternate Configuration Files BootRom Upgrade Choices Pre-upgrade ProceduresManaging the Software Image Creating Alternate Software Image FilesUsing the Bootrom Update Utility Using TFTP, transfer updateBootrom.fls from the network Local Bootrom Upgrade XSR1800 bU bootromuncmp.fls Using EOS Fallback to Upgrade the Image Loading Software ImagesConfiguring EOS Fallback on the CLI Configuring EOS Fallback via SnmpSoftware Image Commands Configuration Change HashingDownloading with Fips Security Set the operation to imageSetSelectedCreating Resources Memory ManagementDisplaying System Status and Statistics Network Management through Snmp Statistics Snmp InformsShaping Trap Traffic Measuring Performance Metrics Alarm Management TrapsNetwork Monitoring via Service Level Agreement Agent Create an Owner Via CLIVia Snmp Create a Measurement to Ping Via CLIFollowing command schedules a measurement immediately Schedule a measurement Via CLIFull Configuration Backup/Restore Using the SLA Agent in SnmpEnterasys Configuration Management MIB Cabletron CTdownload MIBSoftware Image Download using NetSight Appending CLI Commands to Configuration Files via SnmpSnmp Download with Auto-Reboot Option CLI TranslatorAccessing the XSR Through the Web NetSight Atlas Router Services ManagerFirmware Upgrade Procedures Network Management ToolsFault Reporting Using the CLI for DownloadsUsing Snmp for Downloads Auto-discoveryOverview of LAN Interfaces LAN FeaturesXSR supports the following LAN interface features Configuring the LAN MIB StatisticsOverview of WAN Interfaces WAN FeaturesXSR supports the following WAN interface features Configuring the WAN Following example configures the XSR to dial-out async Configuring the WAN Managing LAN/WAN Interfaces Features T1/E1 ModeOverview T1/E1 FunctionalityT3 Mode E3 ModeT1/E1 Subsystem Configuration T3/E3 Subsystem ConfigurationT1 Drop & Insert One-to-One DS0 Bypassing Drop and Insert FeaturesD&I NIM does not support channelized mode nor PRI Configuring Channelized T1/E1 Interfaces Enter the no shutdown command to enable the lineSpecify the clock source for the controller Specify the controllers framing typeConfiguring Un-channelized T3/E3 Interfaces Enable the Controller lineOptionally, if you prefer to configure internal clocking Enable the Serial lineTroubleshooting T1/E1 & T3/E3 Links T1/E1 & T3/E3 Physical Layer TroubleshootingXSRconfig#controller t1 1/0 XSRconfig-controllerT1-1/0# Restart the controller T1/E1 & T3/E3 Alarm AnalysisReceive Alarm Indication Signal AIS Blue Alarm Receive Remote Alarm Indication RAI Yellow Alarm Transmit Remote Alarm Indication RAI Yellow AlarmTransmit Sending Remote Alarm Red Alarm Transmit Alarm Indication Signal AIS Blue AlarmT1/E1 & T3/E3 Error Events Analysis XSRSlip Seconds Counter Increasing ControllerLine Code Violations Increasing Configuring the D&I NIMFraming Loss Seconds Increasing Page Configuring IP General IP FeaturesTelnet Secondary IPTroubleshooting Tools Ping Traceroute IP Routing RIPProxy DNS BOOTP/DHCP RelayARP and Proxy ARP Local Broadcast BroadcastDirected Broadcast TCP TelnetTrivial File Transfer Protocol Tftp IP InterfaceSecondary IP Interface & Secondary IPARP & Secondary IP Icmp & Secondary IPRouting Table Manager & Secondary IP Ospf & Secondary IPRIP & Secondary IP Unnumbered Interface & Secondary IPIP Routing Protocols Maximum Transmission Unit MTUPing TracerouteRIPv1 Triggered-on-Demand RIP How Triggered-on-Demand RIP WorksIP Routing Protocols Ospf LSA Type 3 and 5 Summarization Ospf Database OverflowFollowing is a high priority Overflow Exited log report Ospf Passive InterfacesFollowing is a high priority Overflow Entered log report Route Preference Ospf TroubleshootingNull Interface Static Routes Vlan RoutingForwarding VLAN, PPPoE over Vlan 802.1Q Vlan TagVlan Processing Over the XSR’s Ethernet Interfaces IP Routing TableVlan Processing VLAN-enabled Ethernet to WAN Interfaces Vlan Ethernet to Fast/GigabitEthernet TopologyQoS with Vlan Accessing the Global Routing Policy TablePolicy Based Routing PBR Cache Match ClausesSet Clauses Router ID Default NetworkClassless Inter-Domain Routing Cidr Real Time Protocol RTP Header Compression Features Network Address TranslationVirtual Router Redundancy Protocol Vrrp Definitions XSR1 XSR2How the Vrrp Works Different States of a Vrrp RouterVrrp Features AuthenticationMultiple Virtual IP Addresses per VR Multiple VRs Per RouterLoad Balancing ARP Process on a Vrrp RouterHost ARP Proxy ARPIcmp Ping Interface MonitoringWatch Group Monitoring Configuration Considerations Equal-Cost Multi-Path EcmpConfiguring RIP Examples Central XSRConfiguring RIP Examples Configuring Unnumbered IP Serial Interface Example Configuring Ospf ExampleBasic One-to-One Static NAT Configuring NAT ExamplesConfiguring Static Translation Register the global NAT pool Dynamic Pool ConfigurationConfiguring Dynamic Pool Translation Configuring Napt Enable an interface F1, for exampleNetwork Address and Port Translation Bind the interface and optional ACL to the NAT poolMultiple NAT Pools within an Interface 14 Multiple NAT Pools within InterfaceStatic NAT within an Interface Inside Outside 15 Static NAT within InterfaceNAT Port Forwarding Configuring Policy Based Routing ExampleEnter the following commands to enable NAT Port Forwarding Router XSRb Configuring Vrrp ExampleRouter XSRa For a QoS with Vlan example, refer to QoS with Vlan on Configuring Vlan ExamplesFollowing example configures a Vlan interface for PPPoE Configuring the Border Gateway Protocol Describing BGP Messages OpenUpdate Defining BGP Path AttributesKeepalive NotificationAS Path OriginNext Hop Local PreferenceLocal Preference Applied to Direct Egress Traffic from AS Weight Atomic AggregateAggregator Multi-Exit DiscriminatorCommunity Aspath CommunitiesApplication of Community Attribute BGP Path Selection Process BGP Routing PolicyAccess Control Lists Filter ListsCommunity Lists Route MapsRegular Expression Examples Regular ExpressionsRegular Expression Characters Peer Groups Creating a Peer GroupAssigning Peer Group Options Display all routes with any AS pathInitial BGP Configuration Resetting BGP ConnectionsFor an example, refer to Configuring BGP Neighbors on Adding BGP NeighborsRoute Flap Dampening SynchronizationAddress Aggregation Recommendations for Route Flap Dampening Capability AdvertisementRoute Refresh Scaling BGP 10 Fully Meshed BGPRoute Reflectors 11 Route Reflector Applied to Minimize Ibgp MeshConfederations Displaying System and Network Statistics 12 Use of Confederations to Reduce Ibgp Mesh Sub AS-302Configuring BGP Route Maps Configuring BGP Neighbors BGP Path Filtering by Neighbor ExampleConfiguring BGP Confederations BGP Aggregate Route ExamplesConfiguring BGP Peer Groups TCP MD5 Authentication for BGP ExampleIbgp Peer Group Example This section details Ibgp and an Ebgp peer group examplesEbgp Peer Group Example BGP Community with Route Maps ExamplesXSRconfig#router bgp XSRconfig-router#network 1.0.0.0 mask Configuring BGP Peer Groups Configuring PIM-SM and Igmp Differences with Industry-Standard ApproachIP Multicast Overview Defining Multicast Group AddressingOutlining Igmp Versions Comparing Multicast Distribution TreesDescribing the XSR’s IP Multicast Features Forwarding Multicast TrafficSending a Query Group Membership ActionsSending and Receiving Queries and Reports Interoperating with Older Igmp Versions Behavior of Multicast Routers Among Older Version Queriers Describing the XSR’s PIM-SM v2 FeaturesBehavior of Group Members Among Older Version Group Members Phase 1 Building a Shared Tree Phase 2 Building Shortest Path Tree Between Sender & RPPhase 2 Topology Shortest Path Tree Between Sender and RP Neighbor Discovery and DR Election Bootstrap & Rendezvous Point PIM Register MessagePIM Join/Prune Message Assert ProcessingSource-Specific Multicast PIM SM over Frame RelayPIM Configuration Examples PIM Configuration Examples Configuring PIM-SM and Igmp Configuring PPP PPP FeaturesLink Control Protocol LCP Network Control Protocol NCPAuthentication Password Authentication Protocol PAPChallenge Handshake Authentication Protocol Chap Microsoft Challenge Handshake Protocol MS-CHAPLink Quality Monitoring LQM Multilink PPP MlpppMulti-Class Mlppp Multilink Header Option Format Fragment Interleaving Over the Link Multilink Head Format NegotiationEvents and Alarms IP Control Protocol IpcpMulti-Class Option Negotiation Multi-Class Receiving PacketPPP Bandwidth Allocation/Control Protocols BAP/BAPC IP Address AssignmentConfiguring PPP with a Dialed Backup Line Configuring a Synchronous Serial InterfaceEnter the media-type for the interface default RS232 Enter encapsulation ppp to enable PPP encapsulationConfiguring a Dialed Backup Line Configuring the Dialer InterfaceConfiguring the Physical Interface for the Dialer Interface Enter no shutdown to enable this interfaceConfiguring the Interface as the Backup Dialer Interface Configure interface dialer 1 to use dial poolDialer Example Configuring Mlppp on a Multilink/Dialer interfaceMultilink Example XSR1 Configuration Configuring BAPDual XSRs One Router Using DoD with Call Request Configure the dialer list and ACL for DoD XSR2 ConfigurationConfigure the Dialer 1 interface with a dialer pool Dual XSRs BAP Using Call/Callback Request Configuring BAP Configuring BAP Configuring PPP Virtual Circuits DLCIsDTEs DCEsFrame Relay Features Multi-Protocol EncapsulationAddress Resolution Dynamic Resolution Using Inverse ARPControlling Congestion in Frame Relay Networks Rate Enforcement CIR Generic Traffic ShapingBackward Explicit Congestion Notification Becn Discard Eligibility DE BitForward Explicit Congestion Notification Fecn Controlling Congestion in Frame Relay Networks Link Management Information LMI Sub-interfacesEnd-to-End Fragmentation User Configuration CommandsFRF.12 Fragmentation Reports and Alarms Map-Class ConfigurationShow Running Configuration Clear StatisticsInterconnecting via Frame Relay Network Minneapolis Houston MemphisConfiguring Frame Relay Multi-point to Point-to-Point ExampleConfiguring Frame Relay Configuring Frame Relay Configuring Frame Relay Overview of Dial Services Dial Services Features25bis over Synchronous Interfaces AT Commands on Asynchronous PortsAsynchronous and Synchronous Support Time of Day feature Typical Use for Dial ServicesEthernet Backup DTR Dialing for Synchronous InterfacesImplementing Dial Services Dialer ProfilesDialer Interface Dialer StringsDialer Pool Addressing Dialer ResourcesConfiguring Encapsulation Isdn CallbackLogical View of Dialer Profiles Sample Dialer Topology Dialer Profile of Destination 416 Creating and Configuring the Dialer Interface Dialer Profile of Destination 987Sample Dialer Configuration Configuring the Map ClassConfiguring the Physical Interface for the Dialer Interface Configure a backup link for dial purposes with priorityConfiguring Isdn Callback Point-to-Point with Matched Calling/Called NumbersPoint-to-Point with Different Calling/Called Numbers Point-to-Multipoint with One NeighborDial Backup Features Overview of Dial BackupSequence of Backup Events Link Failure Backup Example Backup Link Failure ExampleConfiguring Interface as the Backup Dialer Interface Configure backup serial port for dialing purposesDialer Sample ConfigurationConfigure interface dialer 2 to use dial pool Overview of Dial on Demand/Bandwidth on Demand Dialer Interface Spoofing Dialer WatchDialer Watch Behavior Dialer Watch TopologyAnswering Incoming Isdn Calls CaveatIncoming Call Mapping Example Node a Calling Node ConfigurationFollowing command maps ACL 101 to dialer group Node B Called Node Configuration Node D Calling Node ConfigurationConfiguring DoD/BoD Following command maps ACL 1061 to dialer groupPPP Point-to-Multipoint Configuration 11 Dial on Demand TopologyPPP Multipoint-to-Multipoint Configuration Node a ConfigurationFollowing command maps ACL 105 to dialer group PPP Point-to-Point ConfigurationsNode B Configuration Dial-out Routing for Dial on Demand Example Following commands configure dialer interfaceDial-in Routing for Dial on Demand Example PPP Point-to-Multipoint Configurations 13 PPP Point-to-Multipoint TopologyDial-out Router Example Dial-in Router ExampleMlppp Point-to-Multipoint Configuration Following command sets remote user authenticationMlppp Point-to-Point Configurations 14 Mlppp Point-to-Point TopologyMlppp Point-to-Multipoint Configurations 15 Mlppp Point-to-Multipoint Topology Mlppp Multipoint-to-Multipoint Configuration Switched PPP Multilink Configuration Bandwidth-on-DemandNode C Called Node Configuration Following command maps ACL 106 to dialer groupNode a Backed-up Node Configuration Backup ConfigurationBackup Using Isdn XSRconfig#username toronto privilege 0 password cleartext z Following command configures Serial sub-interface 2/01 Configuration for Backup with Mlppp BundleFollowing command configures Serial sub-interface 2/00 Configuration for Ethernet Failover Following commands configure Serial sub-interface 2/00Configuration for Frame Relay Encapsulation Backup Configuration Configuring Dialer Services Isdn Features Leased line Isdn configuration examples T1 PRI E1 PRIUnderstanding Isdn BRI FeaturesPRI Features Basic Rate Interface Primary Rate InterfaceChannels ChannelChannel Standards Channel Signaling and Carrier NetworksIsdn Equipment Configurations Bandwidth Optimization SecurityCall Monitoring Isdn TraceTrace Decoding Q921 DecodingQ931 Decoding Reference Parameters+ Next line 04 Bearer capability StatusIsdn Configuration Terminal Endpoint Identifier TEI Management ProceduresDecoded IEs BRI NI-1, DMS100 & 5ESS Spid RegistrationBRI Switched Configuration Model Switched BRI Configuration Model PRI Configuration Model PRI Configuration Model Leased-Line Configuration Model Interface BRI 0/1/21More Configuration Examples Following example configures a PRI connection on a T1 cardFollowing example configures a PRI connection on an E1 card Following example configures a switched line BRI connectionFollowing example configures a leased-line BRI connection Isdn ITU Standard Q.931 Call Status Cause CodesBRI Leased Line BRI Leased PPPCall Status Cause Codes Code Cause Incoming calls barred Configuring Quality of Service Mechanisms Providing QoS Traffic ClassificationDescribing the Class Map Describing the Policy MapQueuing and Services Describing Class-Based Weight Fair QueuingConfiguring Cbwfq Configuring Priority QueuesMeasuring Bandwidth Utilization Describing Priority QueuesAssign the class frost to the priority queue Configuring Traffic PolicingDescribing Traffic Policing Class-based Traffic Shaping Traffic Shaping per Policy-Map Differences Between Traffic Policing and Traffic Shaping Traffic Shaping and Queue LimitDescribing Random Early Detection Congestion Control & AvoidanceDescribing Queue Size Control Drop Tail Describing Weighted Random Early Detection RED Drop Probability CalculationConfiguration per Interface VPNQoS and Link Fragmentation and Interleaving LFI Suggestions for Using QoS on the XSRConfiguring QoS with Mlppp Multi-Class Configuring QoS with FRF.12 QoS with VlanDescribing Vlan QoS Packet Flow Vlan Packet with Priority Routed out a Serial InterfaceQoS with Vlan Configuration Process LAN/QoS Serial ScenarioQoS on Input QoS on VPNConfiguring QoS on a Virtual Tunnel Interface QoS over VPN FeaturesConfiguring QoS on a Physical Interface QoS on a Virtual Interface Example Configure the input policy map Vpn classes RTP and FTP Configure the output policy map Ser classes RTP1 and FTP1Configure the IPSec SA Configure ACLsConfigure the IKE policy foo for pre-share keys QoS and VPN Interaction RouteConfiguring the Shaper on the VPN Interface AH Hmac ESP+3DESCreate the policy map QoS Policy Configuration ExamplesSimple QoS on Physical Interface Policy Apply the configuration to the interface QoS for Frame Relay PolicyQoS with Mlppp Multi-Class Policy QoS with FRF.12 Policy QoS with Vlan Policy Input and Output QoS PolicyInput QoS on Ingress to the Diffserv Domain Policy QoS Policy Configuration Examples Configuring Adsl PDU Encapsulation Choices PPP over ATMPPPoA Network Diagram PPP over Ethernet over ATM RoutedPPPoE Network Diagram Routed IP over ATMNIM Card Adsl LimitationsAdsl Hardware Adsl Data Framing ATM SupportAdsl on the Motherboard DSP FirmwareAccess Concentrator Restrictions Class of ServiceDslam Compatibility OAM CellsConfiguration Examples Inverse ARPQoS PPPoEPPPoA Following optional commands configure two default routesFollowing optional commands configure NAT Enter the following commands to configure a IPoA topology IPoAInternet Security Issues VPN OverviewEnsuring VPN Security with IPSec/IKE/GRE How a Virtual Private Network WorksTransport Mode Processing Tunnel Mode Processing GRE over IPSecDigital Signatures Describing Public-Key Infrastructure PKIDefining VPN Encryption Certificates Machine Certificates for the XSRCA Hierarchies Certificate ChainsRA Mode Certificate Chain ExamplePending Mode Enroll PasswordDF Bit Functionality CRL RetrievalVPN Applications NAT Traversal Site-to-Site NetworksSite-to-Central-Site Networks Client Mode InternetRemote Access Networks Network Extension Mode NEMConfiguring Ospf Over Site-to-Central Site in Client Mode Using Ospf Over a VPN NetworkOspf Commands Server ClientServer Internet ClientConfiguring Ospf with Fail Over Redundancy ServerClient Interfaces Fast/GigabitEthernet 1 and VPNInterfaces Fast/GigabitEthernet 1, VPN 1 and VPN XSR VPN FeaturesLimitations Napt VPN Configuration Overview Master Encryption Key GenerationACL Configuration Rules Configuring ACLsSelecting Policies IKE/IPSec Transform-Sets SA lifetimesConfiguring Policy Security Policy ConsiderationsConfiguring Crypto Maps Creating Crypto MapsAuthentication, Authorization and Accounting Configuration User-NameAAA Commands Configuring AAAPKI Configuration Options Configuring PKI PKI Certificate Enrollment ExampleCA-AUTHENTICATED XSRconfig#ip domain acme.com Interface VPN Options Following sub-commands are available at VPN Interface mode Configuring a Simple VPN Site-to-Site ApplicationVPN Interface Sub-Commands XSRconfig#crypto isakmp proposal Test Configuring the VPN Using EZ-IPSec XSRconfig-crypto-m#description external interfaceEZ-IPSec Configuration XSRconfig#interface vpn 1 point-to-pointXSR with VPN Central Gateway Add ACLs to permit IP and UDP traffic Configure IKE policy for the remote peerConfigure the following four IPSec SAs Configure and enable the FastEthernet 1 interface Add a default route to the next hop Internet gatewayCreate a group for NEM and Client mode users Clear the DF bit globallyGRE Tunnel for Ospf Tunnel a XSR-3250 VPN GRE Site-to-Site TunnelXSRconfig-isakmp-peer#proposal shared Enable Ospf on the trusted and VPN interfaces Tunnel B XSR-1805 VPN GRE Site-to-Site TunnelEnable Ospf on the trusted and VPN interfaces Cisco Configuration XSR/Cisco Site-to-Site ExampleXSR Configuration Interoperability Profile for the XSR Scenario 1 Gateway-to-Gateway with Pre-Shared SecretsConfigure IKE Phase 1 policy Configure the Gateway a external LAN network AWConfigure a default route Interoperability Profile for the XSR Scenario 2 Gateway-to-Gateway with Certificates 14 Gateway-to Gateway with Certificates TopologyXSR#clock timezone -7 State CA-AUTHENTICATED Configuring Dhcp Overview of DhcpHow Dhcp Works Dhcp Server StandardsDhcp Services Assigned Network Configuration Values to Clients OptionsPersistent Storage of Network Parameters for Clients Temporary or Permanent Network Address AllocationBootp Legacy Support Provisioning Differentiated Network Values by Client ClassNested Scopes IP Pool Subsets Pool subnetScope Caveat Manual BindingsDhcp Client Services Router OptionParameter Request List Option Dhcp Client InteractionDhcp Client Timeouts Interaction with Remote Auto Install RAIDhcp CLI Commands Dhcp Set Up Overview Configuration StepsConfiguring Dhcp Address Pools Configuring Dhcp Network Configuration ParametersConfigure Dhcp Network Parameters Enable the Dhcp ServerOptional Set Up a Dhcp Nested Scope Optional Configure a Dhcp Manual BindingDhcp Server Configuration Examples Pool with Hybrid Servers ExampleManual Binding Example Manual Binding with Class ExampleBootp Client Support Example Dhcp Option ExamplesConfiguring Security on the XSR Access Control ListsACL Violations Alarm Example First alarms logged will display as followsPacket Filtering LANd AttackSmurf Attack Fraggle AttackIP Packet with Multicast/Broadcast Source Address Spoofed Address CheckGeneral Security Precautions Spurious State TransitionLarge Icmp Packets Ping of Death AttackAAA Services Connecting Remotely via SSH or Telnet with AAA Service PuTTY Exit Option PuTTY Alert Message Firewall Feature Set Overview Reasons for Installing a FirewallTypes of Firewalls ACL and Packet Filter FirewallsALG and Proxy Firewalls XSR Firewall Feature Set Functionality Stateful Inspection FirewallsStateful Firewall Inspection SFI Filtering non-TCP/UDP PacketsApplication Level Commands Application Level GatewayOn Board URL Filtering Importing URL Lists from an Ascii FileWriting URL List Entries Enabling URL Filtering in Firewall PolicyDenial of Service DoS Attack Protection Configuring URL RedirectionAlarm Logging AlarmsAuthentication 12 Authentication ProcessDynamic Reconfiguration Firewall and NATFirewall and VPN ACLs and FirewallFirewall CLI Commands Firewall CLI Commands 13 Sample Telnet Screen Firewall Limitations Pre-configuring the Firewall Steps to Configure the FirewallXSR with Firewall Complete LAN and WAN interface configuration Log only critical eventsXSR with Firewall, PPPoE and Dhcp 15 XSR Firewall with PPPoE DSL and DhcpConfigure the Dhcp pool, DNS server and related settings XSR with Firewall and VPNXP PC NEM Add four ACLs to permit IP pool, L2TP and NEM trafficConfigure the following IPSec SAs XSRconfig#ip local pool test 10.120.70.0 Define the Internet as all possible IP addresses Define the public VPN interface crypto mapDefine three trusted networks in the enterprise Define the local pool network used for tunnel IP addressesDefine service for Isakmp Define service for L2TP tunnelsDefine service for Radius authentication Define service for Radius accountingConfigure Radius network objects Firewall Configuration for VrrpLoad the firewall configuration Configuring Simple Security RPC Policy Configuration Configuration Examples Configuring Security on the XSR Alarms/Events, System Limits Standard Ascii Table Recommended System LimitsSnmp views System Alarms and Events Table A-5 Alarm BehaviorDriv ETH1 ETH0 Table A-6 High Severity Alarms/Events Table A-7 Medium Severity Alarms/Events Sntp PPP MS-CHAP authentication failed while Shutdown command Portchannel Corrected the problem by resetting itself Firewall and NAT Alarms and Reports Table A-9 Firewall and NAT AlarmsNAT TCP reset, NAT port %d, %IPP2 UDP Detected UDP Flood attack %IPP2 Deny Icmp unsupported packet %IP2ICMP UDP Request Entry pool is empty Standard Ascii Character Table SpaceStandard Ascii Character Table VPN MIB Tables on page B-12 Service Level Reporting MIB TablesEtsysSrvcLvlMetricTable EtsysSrvcLvlOwnerTable EtsysSrvcLvlHistoryTableField Example CLI command EtsysSrvcLvlNetMeasureTableEtsysSrvcLvlAggrMeasureTable Rtr schedule aliased toBGP v4 Peer Table BGP v4 MIB TablesGeneral Variables Table BgpPeerAdminStatus BGP-4 Received Path Attribute Table Bgp4PathAttrIpAddrPrefixBGP-4 Traps Firewall MIB Tables Global Interface OperationsMonitoring Objects Policy Rule Table Totals CountersPolicy Rule True Table Session Totals CountersAuthenticated Address Counters Authenticated Addresses TableIP Session Counters IP Session TableDOS Attacks Blocked Table VPN MIB TablesDOS Attacks Blocked Counters EtsysVpnIkePeer Table EtsysVpnIkePeerProposals TableEtsysVpnIntfPolicy Table EtsysVpnIkeProposal TableEtsysVpnIpsecPolicy Table EtsysVpnIpsecPolicyRule Table EtsysVpnIpsecPolProposals TableEtsysVpnAhTransform Table EtsysVpnIpsecProposal TableEtsysVpnIpsecPropTransforms Table EtsysVpnEspTransform Table EtsysVpnIpcompTransform TableIpCidrRouteTable for Static Routes Host Resources MIB ObjectsEnterasys Configuration Management MIB Field Description ConfigMgmtOperationsEnterasys Configuration Change MIB Field Description EtsysConfigChangeNonVolatile GroupEnterasys Snmp Persistence MIB Enterasys Syslog Client MIB Field Description EtsysSyslogClient GroupTable B-46 Enterasys Syslog Client MIB Compliance Statements