Configuration Examples

Load the firewall configuration:

XSR(config)#ip firewall load

Globally enable the firewall. Even though you have configured and loaded the firewall, only the following command “turns on” the firewall. Once it is enabled, if you are remotely connected, the firewall will close your session. Simply log in again.

XSR(config)#ip firewall enable

Firewall Configuration for VRRP

This example briefly configures VRRP advertisements to be sent and received on a FastEthernet interface. You must configure two networks and a filter for the VRRP protocol (protocol number 112). It is assumed you have already configured the VR and backup VR within the specified IP address range.

Enable multicasting in both directions on FastEthernet interface 2:

XSR(config-if<F2>)#ip firewall ip-multicast both

Configure the IP address of the firewall networks internal2 and vrrp, specifying a range between 80.0.0.1 and 80.255.255.254 and a multicasting host at 224.0.0.18/32, respectively. Finally, add a policy allowing VRRP advertisements to pass between private and external networks.

XSR(config-if<F2>)#ip address 80.0.0.1/8

XSR(config)#ip firewall network internal2 80.0.0.0 mask 255.0.0.0 internal

XSR(config)#ip firewall network vrrp 224.0.0.18 mask 255.255.255.255 internal

XSR(config)#ip firewall filter mult2 internal2 vrrp protocol-id 112
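
The following check is an added example, not part of the XSR User's Guide or Enterasys code. It parses the VRRP commands shown above (prompts stripped), confirms that the filter references only defined network objects, that the interface address falls inside a network object, and that the internal2 object yields the host range stated in the text. The regular expressions cover only the command forms on this page and are an assumption, not the full XSR grammar; the function names are hypothetical.

```python
import ipaddress
import re

# Commands copied from the VRRP example on this page (prompts stripped).
VRRP_CONFIG = """\
ip address 80.0.0.1/8
ip firewall network internal2 80.0.0.0 mask 255.0.0.0 internal
ip firewall network vrrp 224.0.0.18 mask 255.255.255.255 internal
ip firewall filter mult2 internal2 vrrp protocol-id 112
"""

# Assumption: patterns match only the command forms shown on this page.
NET_RE = re.compile(r"ip firewall network (\S+) (\S+) mask (\S+) (internal|external)$")
FILTER_RE = re.compile(r"ip firewall filter (\S+) (\S+) (\S+) protocol-id (\d+)$")
ADDR_RE = re.compile(r"ip address (\S+)$")

def parse(text):
    """Return (interface addresses, network objects by name, filters)."""
    addrs, nets, filters = [], {}, []
    for line in text.splitlines():
        line = line.strip()
        if m := NET_RE.match(line):
            nets[m[1]] = ipaddress.ip_network(f"{m[2]}/{m[3]}")
        elif m := FILTER_RE.match(line):
            filters.append({"name": m[1], "src": m[2], "dst": m[3], "proto": int(m[4])})
        elif m := ADDR_RE.match(line):
            addrs.append(ipaddress.ip_interface(m[1]))
    return addrs, nets, filters

def host_range(net):
    """First and last usable host of a network object (the host itself for /32)."""
    if net.prefixlen == net.max_prefixlen:
        return net.network_address, net.network_address
    return net.network_address + 1, net.broadcast_address - 1

def lint(text):
    """List problems: undefined objects in filters, uncovered interface addresses."""
    addrs, nets, filters = parse(text)
    problems = []
    for f in filters:
        for role in ("src", "dst"):
            if f[role] not in nets:
                problems.append(f"filter {f['name']}: undefined network object {f[role]}")
    for a in addrs:
        if not any(a.ip in n for n in nets.values()):
            problems.append(f"interface address {a.ip} is in no network object")
    return problems
```
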

Firewall Configuration for RADIUS Authentication and Accounting

The following sample configuration employs the RADIUS method for AAA authentication. The commands below configure Steel Belted RADIUS (SBR) as the RADIUS method, the server’s IP address and encryption key, its RADIUS authentication and accounting ports (per IANA), and all four client services. They also configure the backup RADIUS server msradius, with one login attempt specified before the backup is accessed and five retransmit requests specified for service, and reconfigure the queue and timeout values.

XSR(config)#aaa method radius sbr default

XSR(aaa-method-radius)#backup msradius

XSR(aaa-method-radius)#address ip-address 10.10.10.1

XSR(aaa-method-radius)#key acevpnfqwe

XSR(aaa-method-radius)#client vpn

XSR(aaa-method-radius)#client telnet

XSR(aaa-method-radius)#client firewall

XSR(aaa-method-radius)#client ssh

XSR(aaa-method-radius)#auth-port 1812

XSR(aaa-method-radius)#acct-port 1813

XSR(aaa-method-radius)#attempts 1

XSR(aaa-method-radius)#retransmit 5

XSR(aaa-method-radius)#timeout 10

XSR(aaa-method-radius)#qtimeout 0

Configure RADIUS network objects:

XSR(config)#ip firewall network internal 10.10.10.0 mask 255.255.255.0 internal

Configure policies allowing RADIUS authentication and accounting:

XSR User’s Guide 16-33
