Manuals / Enterasys Networks / Computer Equipment / Network Router

Enterasys Networks XSR-3020 manual Firewall Sample Configuration, IPoA

Models: XSR-3020

1 110

Download 110 pages 4.16 Kb

Page 56

IPoA

Firewall Sample Configuration

The commands below configure the ATM interface and sub-interface with a negotiated IP address, CHAP username and password, and bans keepalives.

XSR(config)#interface ATM 0

XSR(config-if<ATM0/0>)#no shutdown

XSR(config-if<ATM0/0.1>)#interface ATM 0.1

XSR(config-if<ATM0/0.1>)#no shutdown

XSR(config-if<ATM0/0.1>)#encapsulation snap pppoa

XSR(config-if<ATM0/0.1>)#ip address negotiated

XSR(config-if<ATM0/0.1>)#ip mtu 1492

XSR(config-if<ATM0/0.1>)#ip tcp adjust-mss 1400

XSR(config-if<ATM0/0.1>)#ppp chap hostname red password sox

XSR(config-if<ATM0/0.1>)#no ppp keepalive

Note: If you have configured a VPN tunnel and wish to avoid intermittent Web browser problems, add the crypto ipsec df-bit clear command to your configuration.

IPoA

Enter the following commands to configure a IPoA topology:

XSR(config)#interface ATM 0

XSR(config-if<ATM0/0>)#no shutdown

XSR(config-if<ATM0/0>)#interface ATM 0.1

XSR(config-if<ATM0/0.1>)#encapsulation snap ipoa

XSR(config-if<ATM0/0.1>)#ip address 192.168.1.1 255.255.255.0

XSR(config-if<ATM0/0.1>)#ip mtu 1492

XSR(config-if<ATM0/0.1>)#exit

XSR(config)#ip route 0.0.0.0 0.0.0.0 30.0.0.10

XSR(config)#ip route 30.0.0.10 255.255.255.255 ATM 0.1

Firewall Sample Configuration

In this scenario, the XSR acts as a router connecting a branch office to the Internet, as illustrated in Figure 3-1. The branch office has two servers (Web and Mail) accessible from the external world and an internal network of hosts which are protected from the external world by the firewall. The Web and Mail servers are part of the DMZ and considered internal by the XSR. Note that some commands have been abbreviated.

3-12 Software Configuration

Image 56

Enterasys Networks XSR-3020 manual Firewall Sample Configuration, IPoA

Contents

XSR-3020 Getting Started Guide VersionX-Pedition Security Router Page Enterasys Networks, Inc 50 Minuteman Road Andover, MA Regulatory Compliance Information Federal Communications Commission FCC NoticeIndustry Canada Notices R & TTE Directive DeclarationClass A ITE Notice Clase A. Aviso de ITEProduct Safety Seguridad del ProductoProduktsicherheit Electromagnetic Compatibility EMCSupplement to Product Instructions VCCI Notice BSMI EMC Statement - TaiwanDeclaration of Conformity Manufacturer’s Name Enterasys Networks, IncAustralian Telecom Federal Information Processing Standard FIPS CertificationIndependent Communications Authority of South Africa VPN Consortium InteroperabilityEnterasys Networks, Inc. Firmware License Agreement BEFORE OPENING OR UTILIZING THE ENCLOSED PRODUCTCAREFULLY READ THIS LICENSE AGREEMENT You and Enterasys agree as follows5. UNITED STATES GOVERNMENT RESTRICTED RIGHTS. The enclosed Program i was developed solely at private expense ii contains “restricted computer software” submitted with restricted rights in accordance with section 52.227‐19 a through d of the Commercial Computer Software‐Restricted Rights Clause and its successors, and iii in all respects is proprietary data belonging to Enterasys and/or its suppliers. For Department of Defense units, the Program is considered commercial computer software in accordance with DFARS section 227.7202‐3 and its successors, and use, duplication, or disclosure by the U.S. Government is subject to restrictions set forth herein 11. ASSIGNMENT. You may not assign, transfer or sublicense this Agreement or any of Your rights or obligations under this Agreement, except that You may assign this Agreement to any person or entity which acquires substantially all of Your stock assets. Enterasys may assign this Agreement in its sole discretion. This Agreement shall be binding upon and inure to the benefit of the parties, their legal representatives, permitted transferees, successors and assigns as permitted by this Agreement. Any attempted assignment, transfer or sublicense in violation of the terms of this Agreement shall be void and a breach of this Agreement Contents Chapter 2 Hardware InstallationChapter 3 Software Configuration About This GuideConfiguring the WAN Ports Appendix A Specifications IndexPage Conventions Used in This Guide Contents of the GuideAbout This Guide Bold/En negrilla Italics/It áli caGetting Help Page Overview System DescriptionHardware Features Figure 1-1 Typical XSR-3020 TopologyFigure 1-2 XSR-3020 Software Features Operating SystemIndustry-common CLI IP ProtocolIP Routing SNMP and Statistics GatheringSecurity Frame RelayDynamic Host Configuration Protocol DHCP Integrated Services Digital Network ISDN - BRI/PRIQuality of Service QoS Virtual Private Network VPNGRE over IPSec Dial Service Dial BackupAsynchronous Digital Subscriber Line ADSL Dial-on-Demand/Bandwidth-on-Demand DoD/BoDInstallation Overview Installation Overview 1-12 OverviewHardware Installation Installation Site SuggestionsIntroduction Verifying Your ShipmentInstalling NIM Cards and Rack Mounting Figure 2-1 Removing XSR CoverFigure 2-2 Removing NIM Slot Cover Figure 2-3 Attaching NIM card to MotherboardFigure 2-4 Fastening Rack Brackets Figure 2-5 Attaching XSR to Rack3020 3020Installing a CompactFlash Memory Card CompactFlash Card InstallationFigure 2-6 Typical CompactFlash Card Figure 2-7 Removing CompactFlash Cover PlateFigure 2-8 Installing CompactFlash Card CompactFlash Card for the ADSL NIMFormatting the CompactFlash Card Figure 2-10 Attaching T1/PRI or BRI Port Connector Connecting CablesFigure 2-9 Connecting Serial COM Console Cable Figure 2-11 Connecting High Speed Serial Connector Figure 2-12 Attaching T3/E3 BNC ConnectorsALARM ENABLEFigure 2-13 Connecting ADSL Connector Figure 2-14 Attaching T1 Drop & Insert Connector3020 NIM1Figure 2-15 Attaching Ethernet Connector Figure 2-16 Inserting Mini-GBIC ModuleLink TX G ETH3Figure 2-17 Attaching Ethernet LAN NIM Connector Figure 2-18 Attaching Ethernet Fiber LAN NIM Connector3020 3020Figure 2-19 Connecting Power Supply Cord 100~125V~1LINE 200~240V~0.25ASoftware Configuration Initializing XSR SoftwareETHERNET Activity LEDs blink when frames pass on the LAN Optional Configuring Remote Auto Install Configuring RAI for Frame RelayOpening a COM Console Session Characteristics” on pageXSRconfig-ifS1/0.1#exit XSRconfigexit Configuring RAI for DHCP over LAN Configuring RAI over ADSLPage Configuring the XSR Name and User Information Setting the ClockSetting User Name, Privilege and Password 3. Enter hostname your XSR designationPRI Configuration Configuring the LAN PortsConfiguring the WAN Ports BRI Leased Frame Relay BRI ConfigurationBRI Leased Line BRI Switched Line PPPoA ADSL ConfigurationPPPoE Firewall Sample Configuration IPoAFigure 3-1 XSR with Firewall Topology 3-14 Software Configuration Setting Up RIP RoutingSetting Up RIP Routing Configure OSPF Routing Configuring Frame Relay Point to Point NetworksSetting Up an SNMP Community String, Traps and V3 Values 7. Optional. For SNMPv3, enter snmp-server user username group name Configuring Message Logging and Severity LevelViewing Your Configuration Connecting Remotely via the Web Figure 3-2 Initial Web Access WindowProduct Version X-Pedition ProductsFigure 3-3 Web Product Version Window Backup Site Hostname branch2 LAN-PPP Services Sample ConfigurationFigure 3-4 Sample LAN-PPP Services Configuration Frame Relay WAN Link with PPP Backup Sample Configuration Configure Quality of Service Configure Users and PasswordsConfigure LAN Interface Configure WAN/Frame Relay Port Apply QoS Configure OSPF RoutingConfigure More Access Lists Configure DHCP/BOOTP Relay Configure the Dial Backup ConnectionVPN Site-to-Site Sample Configuration Configure SNMPCentral Site Branch SitesConfigure Access Control Lists Set Up IKE Phase I SecurityConfigure IKE Policy for Remote Peer Generate Master Encryption KeyCreate a Transform Set Configure Crypto MapsConfiguring VPN at Interface Mode and Setting Up RIP VPN Sample Configuration with Network Extension Mode Configuring Authentication AAAFigure 3-6 VPN Topology with NEM, EZ-IPSec and Internet Access GigabitEthernet 1 172.16.10/24eth0 10.11.11.1/24 Gigabitethernet 2 26.26.26.10/24Create the ISAKMP IKE global peer XSR Rebooting Characteristics Initialization OutputReboot Triggers Table 1 Reboot TriggersBoot Type CausePower-up Error Conditions Table 1 Reboot Triggers continuedPower-Up Reboot Reload Command from the CLIBootrom Monitor Mode Commands Page copy Page remove renameThis command shows network values with the following sample output This command shows the bootrom version with sample output below Bootrom Monitor Mode Commands 3-42 Software ConfigurationSpecifications System SpecificationsTable A-1 XSR Hardware Specifications CategoryCable, CompactFlash and Accessory Specifications Table A-1 XSR Hardware Specifications continuedTable A-2 XSR Cabling/Accessory Guide ConnectorTable A-2 XSR Cabling/Accessory Guide continued ConnectorCable, CompactFlash and Accessory Specifications Part DescriptionFigure A-1 COM Port Pinouts COM Console PortSignal GigabitEthernet Ports Mini-GBIC Fiber, Copper PortSignal Figure A-2 GigaBitEthernet Port Pinouts EthRegulatory/Safety Compliance Copper/Fiber-optic Ethernet NIMsSignal Figure A-3 Copper Ethernet NIM2/4-Port Serial NIM Card Port J1 68-pin male SCSI II type connectorJ2 - J5 DB-15 type male connector Figure A-6 High Speed Serial NIM PortJ1 68-pin male SCSI II type connector J2 - J5 DB-25 type male RxD2+connectorFigure A-8 EIA-232/530 DTE Pin AssignmentsJ2 - J5 DB-37 type male connector J1 68-pin male SCSI RD2+II type connectorFigure A-9 EIA-449 DTE Pin AssignmentsJ1 68-pin male SCSI III-type connector J3, J5 V.35-type male connectorJ2. J4 DB-25-type male connector Pins not shown are unused Figure A-10 Combined V.35/EIA-232/530 DTE Pin AssignmentsJ1 68-pin male SCSI II type connector J2 - J5 V.35 type male connectorFigure A-11 V.35 DTE Pin AssignmentsT1/E1/ISDN PRI NIM Card Ports Regulatory/Safety ComplianceSignal Figure A-12 4-Port T1/E1/ISDN PRI NIM Card RJ-48C ports shownBalun for E1 or PRI NIM Cards Grounding Shunt for E1 NIM CardsFigure A-14 Balun for E1 or PRI Connection Figure A-15 Sample Grounding ShuntInstalling Shunt/Terminal Strip Figure A-16 Installing a Grounding Shunt on the E1 NIM CardFigure A-17 1-Port T3/E3 NIM Card T3/E3 NIM CardRegulatory/Safety Compliance 1/2-Port BRI-S/T NIM Card Ports SignalFigure A-18 ISDN BRI-S/T NIM Card RJ-45 ports shown Figure A-19 ISDN BRI-S/T -NIM PinoutsTermination Shunt for the ISDN BRI-S/T NIM Card Installing Shunt/Terminal StripFigure A-20 Installing a Termination Shunt on BRI-S/T NIM Card Receive Pair Termination1/2-Port BRI-U NIM Card Ports Regulatory/Safety ComplianceSignal Figure A-21 ISDN BRI-U NIM Card RJ-49C ports shown1-Port ADSL NIM Card Port Regulatory/Safety ComplianceSignal Figure A-23 ADSL NIM CardT1/E1 Drop & Insert D&I NIM Regulatory/Safety ComplianceSignal Figure A-25 T1/E1 D&I NIM CardCompactFlash Memory Card LED BehaviorFigure A-27 CompactFlash Memory Card Figure A-28 XSR LEDsFunction Table A-3 LED Description continuedState Index how to attach the Ethernet serial cable