VPN Sample Configuration with Network Extension Mode

Figure 3-6 VPN Topology with NEM, EZ-IPSec and Internet Access

GigabitEthernet 1: 172.16.10/24

eth0: 10.11.11.1/24

Gigabitethernet 2: 26.26.26.10/24

eth1: 26.26.26.11/24

Virtual IP Pool: 172.16.10.0/24

 

26.26.26.0/24

XSR 3020

XSR 3020

 

 

eth0: 10.12.12.1/24

172.16.10.0

eth1: 26.26.26.12/24

 

 

XSR 3020

If you have not already generated a master encryption key, you must do so now to configure the VPN. A master key need only be generated once.

Caution: The master encryption key is stored in hardware, not Flash, and you cannot read the key - only overwrite the old key by writing a new one. To ensure router security, it is critical not to compromise the key. There are situations where you may want to keep the key, for example, to save the user database off-line in order to later download it to the XSR. In order to encrypt the user database, you need the same master key, indicating the key designation with the master key specify command. Be aware that if the XSR is inoperable you may have to return to factory defaults, which erases the master key forcing you to generate a new one.

Generate the master key. Refer to the following sample key:

XSR(config)#crypto key master generate

New key is 2173 4521 3764 2ff5 163b 4bdf fe92 dbc1 1232 ffe0 f8d9 3649

Apply the following ACLs to the public interface of the XSR before creating the VPN configuration. These ACLs are applied only to an XSR configured to terminate Network Extension Mode (NEM) tunnels initiated from ANG-1100s. These ACLs allow all outbound IP traffic and established inbound TCP traffic and employ well-known protocol numbers for IKE UDP (500) and ICMP to and from the public interface (if preferred).

XSR(config)#access-list 1 deny 26.26.26.0 0.0.0.255 XSR(config)#access-list 1 permit any XSR(config)#access-list 110 permit udp any any eq 500 XSR(config)#access-list 110 permit icmp any host 26.26.26.10 XSR(config)#access-list 110 deny ip any any

XSR(config)#access-list 111 permit udp any any eq 500 XSR(config)#access-list 111 permit icmp host 26.26.26.10 any XSR(config)#access-list 111 deny ip any any

XSR(config)#interface gigabitethernet 2

XSR(config-if<G2>)#ip access-group 110 in

XSR(config-if<G2>)#ip access-group 111 out

Enable Network Address Translation:

XSR(config-if<G2>)#ip nat source assigned overload

Create the VPN virtual subnet:

XSR(config)#ip local pool virtual_subnet 10.10.10.0 255.255.255.248

3-30 Software Configuration

Page 73 Page 75
Page 74
Image 74
Enterasys Networks XSR-3020 manual VPN Topology with NEM, EZ-IPSec and Internet Access
Page 73 Page 75

XSR-3020 specifications

Enterasys Networks XSR-3020 is a sophisticated Layer 2 and Layer 3 switch designed to meet the demands of modern networking environments. Known for its robust performance and versatility, the XSR-3020 is an ideal solution for enterprises that require high efficiency, comprehensive security, and network reliability.

This switch supports a variety of advanced technologies, making it suitable for both data center and edge deployments. One of its standout features is its scalability. The XSR-3020 can accommodate growing network demands by allowing for easy integration of additional modules. This capacity for expansion ensures that organizations can adapt their networks without the need for complete hardware replacements.

The XSR-3020 offers high-speed connectivity through its multiple gigabit Ethernet ports, providing up to 48 10/100/1000BASE-T ports in a single chassis. This high-density design optimizes the physical space and ensures that organizations can connect numerous devices simultaneously without sacrificing performance. Additionally, it supports Power over Ethernet (PoE), allowing users to power network devices, such as IP cameras and access points, directly through the switch. This feature streamlines installations and reduces the clutter of electrical wiring.

Security is a critical consideration in today’s network landscape, and the XSR-3020 addresses this need with robust security features. It incorporates advanced access control capabilities, enabling administrators to segment traffic and enforce policies effectively. The switch also supports 802.1X authentication, ensuring that only authorized devices can connect to the network.

In terms of management, the XSR-3020 is designed to simplify operations through its user-friendly interface and extensive support for management protocols. It offers native support for Simple Network Management Protocol (SNMP) and can be easily integrated with various network management systems, allowing for efficient monitoring and troubleshooting.

Another key characteristic of the XSR-3020 is its reliability. With features such as redundant power supplies and fans, the switch ensures high availability, minimizing downtime for critical applications. It is also built to withstand harsh conditions, making it suitable for diverse environments.

Overall, the Enterasys Networks XSR-3020 combines high performance, scalability, and security, making it an excellent choice for organizations looking to enhance their network infrastructure. Its comprehensive set of features positions it as a reliable backbone for any modern enterprise network, ensuring that businesses can operate efficiently and securely.
Top Page Image Contents