Riverstone Networks WICT1-12 25 SECURITY CONFIGURATION

Riverstone Networks RS Switch Router User Guide Release 8.0 25-1

25 SECURITY CONFIGURATION

The RS provides security features that help control access to the RS and filter traffic going through the RS. Access

to the RS can be controlled by:

•Enabling RADIUS

•Enabling TACACS

•Enabling TACACS+

•Password authentication

•Secure shell protocol

Traffic filtering on the RS enables:

•Layer-2 security filters - Perform filtering on source or destination MAC addresses.

•Layer-3/4 Access Control Lists - Perform filtering on source or destination IP address, source

or destination TCP/UDP port, TOS or protocol type for IP traffic. Perform filtering on source

or destination IPX address, or source or destination IPX socket. Perform access control to

services provided on the RS, for example, Telnet server and HTTP server.

Note Currently, Source Filtering is available on RS WAN cards; however,

application must take place on the entire WAN card.

25.1 CONFIGURING RS ACCESS SECURITY

This section describes the following methods of controlling access to the RS:

•RADIUS

•TACA CS

•TACA CS+

•Passwords

•Secure shell

25.1.1 Configuring RADIUS

You can secure login or Enable mode access to the RS by enabling a Remote Authentication Dial-In Service

(RADIUS) client. A RADIUS server responds to the RS RADIUS client to provide authentication.

Contents

Main COPYRIGHT NOTICES Page INDUSTRY CANADA COMPLIANCE STATEMENT Page SAFETY INFORMATION: WICT1-12 T1 CARD CONSUMER INFORMATION AND FCC REQUIREMENTS EQUIPMENT ATTACHMENT LIMITATIONS NOTICE Page Page Page Page Page DECLARATION OF CONFORMITY ADDENDUM TABLE OF CONTENTS 4 Hot Swapping Line Cards and Control Modules. . . . . . . . . . . . . . . . . . . . . .4-1 6 SmartTRUNK Configuration Guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-1 9 Packet-over-SONET Configuration Guide . . . . . . . . . . . . . . . . . . . . . . . . . .9-1 Page Page Page Page 20 IP Policy-Based Forwarding Configuration. . . . . . . . . . . . . . . . . . . . . . . . . 20-1 21 Network Address Translation Configuration . . . . . . . . . . . . . . . . . . . . . . . .21-1 Page Page Page Page LIST OF FIGURES Page Page Page LIST OF TABLES Page 1 INTRODUCTION 1.1 RELATED DOCUMENTATION 1.2 DOCUMENT CONVENTIONS 2 MAINTAINING CONFIGURATION FILES 2.1 CONFIGURATION FILES 2.1.1 Changing Configuration Information 2.1.2 Displaying Configuration Information 2.1.3 Activating the Configuration Commands in the Scratchpad 2.1.4 Saving the Active Configuration to the Startup Configuration File 2.1.5 Viewing the Current Configuration - - - 2.1.6 Backing Up and Restoring Configuration Files 2.2 BACKING UP AND RESTORING SYSTEM IMAGE FILES 2.3 CONFIGURING SYSTEM SETTINGS 2.3.1 Setting Daylight Saving Time 2.3.2 Configuring a Log-in Banner 3 CLI AND RS BASICS 3.1 STARTING THE CLI 3.2 UNDERSTANDING CLI COMMAND MODES 3.2.3 Configure Mode 3.2.4 BootPROM Mode 3.3 UNDERSTANDING CLI COMMANDS 3.4 USING LINE EDITING COMMANDS Page 3.5 GETTING HELP WITH CLI COMMANDS Invoking Help While Entering a Command Invoking Help Option by Option 3.6 SETTING CLI PARAMETERS Command Completion Command History 3.7 NAMING RS PORTS 3.7.1 Port Type 3.7.2 Slot Number 3.7.3 Port Number Page 3.7.4 Channel Number 3.8 CLI AND RS CONFIGURATION EXAMPLE Page Page 4 HOT SWAPPING LINE CARDS AND CONTROL MODULES 4.1 HOT SWAPPING OVERVIEW 4.2 HOT SWAPPING LINE CARDS 4.2.1 Deactivating the Line Card 4.2.2 Removing the Line Card 4.2.3 Installing a New Line Card 4.3 HOT SWAPPING ONE TYPE OF LINE CARD WITH ANOTHER 4.4 HOT SWAPPING A SECONDARY CONTROL MODULE 4.4.1 Deactivating the Control Module G8M-CM2-128 CONTROL MODULE 4.4.2 Removing the Control Module 4.4.3 Installing a Control Module - - 4.5 HOT SWAPPING A SWITCHING FABRIC MODULE (RS 8600 ONLY) 4.5.1 Removing the Switching Fabric Module 4.5.2 Installing a Switching Fabric Module 4.6 HOT SWAPPING A GBIC (RS 32000 AND RS 38000 ONLY) 4.6.1 Removing a GBIC from the Line Card 4.6.2 Installing a GBIC into the Line Card 4.7 HOT SWAPPING A WIC 5 BRIDGING CONFIGURATION GUIDE 5.1 SPANNING TREE (IEEE 802.1D) 5.2 BRIDGING MODES (FLOW-BASED AND ADDRESS-BASED) 5.3 VLAN OVERVIEW Port-based VLANs MAC-address-based VLANs Protocol-based VLANs 5.3.1 RS VLAN Support VLANs and the RS Ports, VLANs, and L3 Interfaces 5.3.2 Configuration Examples Creating an IP or IPX VLAN Creating a non-IP/non-IPX VLAN 5.4 ACCESS PORTS AND TRUNK PORTS (802.1P AND 802.1Q SUPPORT) Explicit and Implicit VLANs 5.5 CONFIGURING RS BRIDGING FUNCTIONS 5.5.1 Configuring Address-based or Flow-based Bridging 5.6 CONFIGURING SPANNING TREE 5.6.1 Using Rapid STP 5.6.2 Adjusting Spanning-Tree Parameters Setting the Bridge Priority Setting a Port Priority Assigning Port Costs Adjusting Bridge Protocol Data Unit (BPDU) Intervals Adjusting the Interval between Hello Times Defining the Forward Delay Interval Defining the Maximum Age 5.6.3 STP Dampening 5.7 CONFIGURING A PORT- OR PROTOCOL-BASED VLAN 5.7.1 Creating a Port or Protocol Based VLAN 5.7.2 Adding Ports to a VLAN 5.7.3 Configuring VLAN Trunk Ports 5.8 CONFIGURING VLANS FOR BRIDGING 5.9 CONFIGURING LAYER-2 FILTERS 5.10 MONITORING BRIDGING 5.11 GARP/GVRP 5.11.1 Running GARP/GVRP with STP Page 5.11.3 Configuration Example Page 5.12 TUNNELING VLAN PACKETS ACROSS MANS 5.12.1 Stackable VLAN Components 5.12.2 Configuration Examples Multiple Customer VLANs Page Multiple Customers with Common VLANs Page R3 R4 Page Single VLAN with Multiple Tunnel Entry Ports Page R3 R4 Page STP/GVRP in Customer VLANs Tunneled over Backbone VLAN R2R1 C1R1 C1R2 Page Multiple VLANs on a Single Tunnel Entry Port Page Page 5.12.3 Displaying Stackable VLAN Information Page 6 SMARTTRUNK CONFIGURATION GUIDE 6.1 CONFIGURING SMARTTRUNKS - - 6.1.1 Creating a SmartTRUNK 6.1.2 Adding Physical Ports to the SmartTRUNK SmartTRUNK Port Limitations 6.1.3 Specifying Traffic Load Policy 6.2 SMARTTRUNK EXAMPLE CONFIGURATION Page 6.3 CONFIGURING THE LINK AGGREGATION CONTROL PROTOCOL (LACP) 6.3.1 Configuring SmartTRUNKs for LACP 6.3.2 LACP Configuration Example st.12 R3 R4 st.14 st.23 st.24 Page Configuration for R2: Configuration for R3: Configuration for R4: the corresponding ports on the RS at the other end of the SmartTRUNK. 6.4 SMARTTRUNK LOAD REDISTRIBUTION 6.4.1 SLR Water-marks 6.4.2 Polling intervals Creating an SLR Enabled SmartTRUNK 6.4.3 Additional Controls Provided by SLR Redistribution of IP Flows Using Low Water-Mark Events 7 CMTS CONFIGURATION GUIDE 7.1 HFC CABLE NETWORK ARCHITECTURE 7.2 CMTS MODULE DESCRIPTION 7.3 PROVISIONING THE HEADEND 7.3.1 Headend Certification 7.3.2 IF-RF-Upconverter 7.3.3 Diplex Filters 7-4 Riverstone Networks RS Switch Router User Guide Release 8.0 Provisioning the Headend CMTS Configuration Guide Figure 7-2 CMTS Connection Overview Test setup for transmission Node 1 Node 2 Node n Test setup for transmission 7.3.4 DHCP Servers 7.4 CONNECTING AND CONFIGURING THE DOWNSTREAM 7.4.1 Installing and Configuring the Upconverter 7.4.2 Setting the Upconverter Input Level 7.4.3 Setting the Upconverter Output Level 7.4.4 Setting the Upconverter Output Frequency 7.4.5 Completing the Downstream Configuration 7.5 CONNECTING THE UPSTREAM TO THE LASER RECEIVER 7.6 CONFIGURING THE CMTS MODULE 7.6.1 Configuring the CMTS Module in a Bridged Network 7.6.2 Configuring the CMTS Module in a Routed Network 7.7 CMTS CONFIGURATION EXAMPLES 7.7.1 Example One: Multiple ISPs Share a Single DHCP Server Page Following, is the configuration for the DHCP server: Page 7.7.2 Example Two: Multiple ISPs with multiple DHCP servers Following, is the AMERILINK DHCP configuration: Following, is the MOONLINK DHCP configuration: 7.7.3 Example Three: Overlapping VLANs with Multiple DHCP Servers and Client-VLAN Bindings TFTP Configuration Files 7.8 ANTI-SPOOFING 7.8.1 Anti-DHCP Spoofing 7.8.2 Anti-IP-spoofing Static and Dynamic Anti-IP Spoofing Static Anti-IP Spoofing Dynamic Configuration of Anti-IP Spoofing 8 ATM CONFIGURATION GUIDE 8.1 CONFIGURING ATM PORTS 8.1.1 Configuring SONET Parameters Configuring Automatic Protection Switching (APS) on the ATM OC-12 Line Card 8.1.2 Setting Parameters for the Multi-Rate Line Card Cell Scrambling Cell Mapping VPI Bit Allocation 8.1.3 Displaying Port Information 8.2 CONFIGURING VIRTUAL CHANNELS 8.2.1 Gathering Traffic Statistics (OC-12) 8.3 TRAFFIC SHAPING Page 8.4 TRAFFIC MANAGEMENT 8.4.1 Configuring QoS (Multi-Rate Line Card) Relative Latency Controlling Buffers for Each VC 8.4.2 Configuring Virtual Channel Groups (OC-12) Creating a Virtual Channel Group Applying Service Profiles to VC Groups 8.4.3 Traffic Management Configuration Example Configuring QoS Policies (Multi-Rate Line Card) Page Configuring Virtual Channels Groups (OC-12) Page 8.5 BRIDGING ATM TRAFFIC Page 8.5.1 Enabling Forced Bridging on a Virtual Channel 8.5.2 Configuring Cross-Connects 8.5.3 Limiting MAC Addresses Learned on a VC 8.6 ROUTING ATM TRAFFIC Page Page 8.6.1 Peer Address Mapping ATM Cloud 8.7 CONFIGURING PPP (OC-12) Page Page Page 9 PACKET-OVER-SONET CONFIGURATION GUIDE 9.1 CONFIGURING IP INTERFACES FOR POS LINKS 9.2 CONFIGURING PACKET-OVER-SONET LINKS 9.3 CONFIGURING AUTOMATIC PROTECTION SWITCHING 9.3.1 Configuring Working and Protecting Ports 9.4 SPECIFYING BIT ERROR RATE THRESHOLDS 9.5 MONITORING POS PORTS 9.6 EXAMPLE CONFIGURATIONS 9.6.1 APS PoS Links Between RSs 9.6.2 PoS Link Between the RS and a Cisco Router 9.6.3 PoS Link Between the RS and a Juniper Router 9.6.4 Bridging and Routing Traffic Over a PoS Link 9.6.5 PoS Link Through a Layer 2 Cloud Page 10 DHCP CONFIGURATION GUIDE 10.1 CONFIGURING DHCP 10.1.1 Configuring an IP Address Pool 10.1.2 Configuring Client Parameters 10.1.3 Configuring a Static IP Address 10.1.4 Grouping Scopes with a Common Interface 10.1.5 Configuring DHCP Server Parameters 10.2 UPDATING THE LEASE DATABASE 10.3 MONITORING THE DHCP SERVER 10.4 DHCP CONFIGURATION EXAMPLES 10.5 CONFIGURING SECONDARY SUBNETS 10.6 SECONDARY SUBNETS AND DIRECTLY-CONNECTED CLIENTS 10.7 INTERACTING WITH RELAY AGENTS Page 11 IP ROUTING CONFIGURATION GUIDE 11.1 IP ROUTING PROTOCOLS 11.2 CONFIGURING IP INTERFACES AND 11.2.1 Configuring IP Interfaces to Ports 11.2.2 Configuring IP Interfaces for a VLAN 11.2.3 Specifying Ethernet Encapsulation Method 11.2.4 Unnumbered Interfaces 11.3 CONFIGURING JUMBO FRAMES 11.4 CONFIGURING ADDRESS RESOLUTION PROTOCOL (ARP) 11.4.1 Configuring ARP Cache En tries 11.4.2 Unresolved MAC Addresses for ARP Entries 11.4.3 Configuring Proxy ARP 11.5 CONFIGURING REVERSE ADDRESS RESOLUTION PROTOCOL (RARP) 11.5.1 Specifying IP Interfaces for RARP 11.5.2 Defining MAC-to-IP Address Mappings 11.5.3 Monitoring RARP 11.6 CONFIGURING DNS PARAMETERS 11.7 CONFIGURING IP SERVICES (ICMP) 11.8 CONFIGURING IP HELPER 11.9 CONFIGURING DIRECT BROADCAST 11.10 CONFIGURING DENIAL OF SERVICE (DOS) 11.11 MONITORING IP PARAMETERS To display additional IP information, enter the following command in Enable mode: Show ARP table entries. Show IP interface configuration. Show DNS parameters. 11.12 CONFIGURING IP FORWARDING 11.13 HARDWARE ROUTING TABLE 11.14 CONFIGURING ICMP REDIRECT 11.15 FORWARDING MODE Defining a Profile Applying a Profile Enabling a Port 11.15.3 Monitoring Custom Forwarding Profiles 11.16 CONFIGURING ROUTER DISCOVERY Page 11.17 SETTING MEMORY THRESHOLDS Page 11.18 CONFIGURATION EXAMPLES 11.18.1 Assigning IP/IPX Interfaces 12 VRRP CONFIGURATION GUIDE 12.1 CONFIGURING VRRP 12.1.1 Basic VRRP Configuration Configuration for Router R2 12.1.2 Symmetrical Configuration Page Configuration of Router R2 12.1.3 Multi-Backup Configuration Configuration of Router R2 Configuration of Router R3 12.2 ADDITIONAL CONFIGURATION 12.2.1 Setting the Backup Priority 12.2.2 Setting the Warmup Period 12.2.3 Setting the Advertisement Interval 12.2.4 Setting Pre-empt Mode 12.3 MONITORING VRRP 12.3.1 ip-redundancy trace 12.3.2 ip-redundancy show To display information about all virtual routers on interface int1: 12.4 VRRP CONFIGURATION NOTES Page 13 RIP CONFIGURATION GUIDE 13.1 CONFIGURING RIP 13.1.1 Enabling and Disabling RIP 13.1.2 Configuring RIP Interfaces 13.2 CONFIGURING RIP PARAMETERS Configuring RIP Route Preference 13.2.1 Configuring RIP Route Default-Metric 13.3 MONITORING RIP 13.4 CONFIGURATION EXAMPLE Show detailed information of request packets sent by the router. Show RIP timer information. Page 14 OSPF CONFIGURATION GUIDE 14.1 OSPF MULTIPATH 14.2 CONFIGURING OSPF 14.3 SETTING THE ROUTER ID 14.4 ENABLING OSPF 14.5 CONFIGURING OSPF AREAS 14.5.1 Configuring Summary Ranges 14.5.2 Configuring Stub Areas 14.5.3 Configuring Not-So-Stubby Areas (NSSA) 14.6 CONFIGURING OSPF INTERFACES 14.6.1 Configuring Interfaces for NBMA Networks 14.6.2 Configuring Interfaces for Point-to-Multipoint Networks 14.6.3 Configuring Interfaces for Point-to-Point Networks 14.7 CONFIGURING OSPF INTERFACE PARAMETERS 14.7.1 Setting the Interface State 14.7.2 Setting the Default Cost of an OSPF Interface 14.8 CREATING VIRTUAL LINKS 14.9 CONFIGURING OSPF PARAMETERS 14.9.1 Configuring OSPF Global Parameters Configuring the Routing Table Recalculation Configuring Autonomous System External (ASE) Link Advertisements Configuring Support for Opaque LSAs Setting Route Preference Setting the Reference Bandwidth 14.10 MONITORING OSPF Following is an example of the ospf show virtual-links command: 14.11 OSPF CONFIGURATION EXAMPLES 14.11.1 Exporting All Interface & Static Routes to OSPF 14.11.2 Exporting All RIP, Interface & Static Routes to OSPF Page into RIP. Page 15 IS-IS CONFIGURATION GUIDE 15.1 DEFINING AN IS-IS AREA 15.2 CONFIGURING IS-IS INTERFACES 15.3 ENABLING IS-IS ON THE RS 15.4 SETTING IS-IS GLOBAL PARAMETERS 15.4.1 Setting the IS Operating Level 15.4.2 Setting the PSN Interval 15.4.3 Setting the System ID 15.4.4 Setting the SPF Interval 15.4.5 Setting the Overload Bit 15.4.6 Setting IS-IS Authentication Authentication Between Neighbors Authentication Within an Area Authentication Within a Routing Domain SNP Authentication 15.5 SETTING IS-IS INTERFACE PARAMETERS 15.5.1 Setting the Interface Operating Level Page 15.6 DISPLAYING IS-IS INFORMATION 15.6.1 IS-IS Sample Configuration Network Topology Overview R2 R1 IS-IS Area 1 R3 R4 R5 R6 Area 49.da02 R7 IS-IS Area 2 R8 R9 IS-IS Area 3 C10 R11 Area 49.da04 IS-IS Area 4 R1 Configuration R2 Configuration The following is the configuration for router R2 in Area 1: R3 Configuration The following is the configuration for router R3 in Area 1: R4 Configuration The following is the configuration for R4 in Area 1: R5 Configuration The following is the configuration for R5 in Area 2: R6 Configuration The following is the configuration for R6 in Area 2: R7 Configuration The following is the configuration for R7 in Area 2: The following is the configuration for R8 in Area 3: R8 Configuration R9 Configuration The following is the configuration for R9 in Area 3: C10 Configuration The following is the configuration for the C10 Cisco router in Area 4: C10 Configuration (continued) R11 Configuration The following is the configuration for R11 in Area 4: Page 16 BGP CONFIGURATION GUIDE 16.1 THE RS BGP IMPLEMENTATION 16.2 BASIC BGP TASKS 16.2.3 Configuring a BGP Peer Group 16.2.4 Adding a BGP Peer 16.2.5 Starting BGP 16.2.6 Using AS-Path Regular Expressions AS Path Regular Expression Examples 16.2.7 Using the AS Path Prepend Feature Notes on Using the AS Path Prepend Feature 16.2.8 Creating BGP Confederations BGP Confederation 16.2.9 Creating Community Lists 16.2.10 Using Route Maps Defining Match Criteria in Route Map Conditions Page Displaying BGP Accounting Information 16.3 BGP CONFIGURATION EXAMPLES 16.3.1 BGP Peering Session Example Page 16.3.2 IBGP Configuration Example IBGP Routing Group Example The following lines in the Cisco router configure OSPF: The following lines in the R6 set up peering with the Cisco router using the routing group type. 16.3.3 EBGP Multihop Configuration Example The CLI configuration for router R1 is as follows: The gated.conf file for router R1 is as follows: The CLI configuration for router R2 is as follows: The gated.conf file for router R2 is as follows: The CLI configuration for router R3 is as follows: The CLI configuration for router R4 is as follows: The gated.conf file for router R3 is as follows: 16.3.4 Community Attribute Example Riverstone Networks RS Switch Router User Guide Release 8.0 16-23 BGP Configuration Guide BGP Configuration Examples Figure 16-5 Sample BGP configuration (specific community) AS-64902 Physical Link CS1 CS2 AS-64900 AS-64899 Page In Figure 16-5, router R11 has the following configuration: Page In Figure16-5, router R10 has the following configuration: In Figure16-5, router R14 has the following configuration: Notes on Using Communities 16.3.5 Local Preference Examples Page Using the local-pref Option Using the set-pref Option 16.3.6 Multi-Exit Discriminator Attribute Example 16.3.7 EBGP Aggregation Example 16.3.8 Route Reflection Example Page Page Page R10 has the following CLI configuration: R12 has the following CLI configuration: R13 has the following CLI configuration: R8 has the following CLI configuration: Page 16.3.10 Route Map Example 16.3.11 BGP Accounting Examples EBGP Accounting Example Page IBGP Accounting Example R1 has the following configuration: R2 has the following configuration: BGP DSCP Accounting Router R2 has the following CLI configuration: Router R8 has the following CLI configuration: To enable BGP accounting on the interface int1 on R8: To view the BGP accounting information collected on R8: Page 17 MPLS CONFIGURATION 17.1 MPLS ARCHITECTURE OVERVIEW 17.1.1 Labels - - Experimental Bottom of Stack - Page Label Distribution Protocols 2 1 34 Label Advertising Mode 17.1.6 MPLS Table Information Output Tag Table (OTT) R1 R2 R4R3 RC Tunnel LSP RA RB Page 17.2 ENABLING AND STARTING MPLS ON THE RS Page 17.3 RSVP CONFIGURATION 17.3.1 Establishing RSVP Sessions 1 2 17.3.2 RSVP Refresh Intervals 17.3.3 RSVP Hello Packets 17.3.4 Authentication 17.3.5 Blockade Aging Interval 17.3.6 RSVP Refresh Reduction RSVP Message Aggregation Message ID Extensions 17.3.7 Displaying RSVP Information 17.4 LDP CONFIGURATION 17.4.1 Establishing LDP Sessions 17.4.2 Monitoring LDP Sessions 17.4.3 Remote Peers 17.4.4 Loop Detection 17.4.5 MD5 Password Protection 17.4.6 Using LDP Filters Page 17.4.7 Displaying LDP Information 17.5 CONFIGURING L3 LABEL SWITCHED PATHS PHP LSR Configuration L3 Static Path Configuration Example Page Page 17.5.2 Configuring L3 Dynamic LSPs 17.5.3 Configuring an Explicit LSP Configuring an Explicit Path Configuring the LSP Page Adaptive LSP Bandwidth CoS Value Hop Limit LSP Metric Disabling CSPF Disabling TTL Decrementing Disabling Path Route Recording Preference Connection Retries Standby Policies Dynamic L3 LSP Configuration Example R7 secondary path primary path Page Page Page Page Page Page Page The secondary path dp2l is now used for the LSP, as shown by the configured secondary path dp2l is now both up and active. Page Page Page Page Page Page MPLS with CMTS for Multiple ISPs Configuration Example Page Page Page DHCP Configuration Configuring Shared Networks with Cisco Network Registrar Page 17.6 CONFIGURING L2 TUNNELS 17.6.1 Configuring L2 Static Labels Ingress LSR Configuration - - - - Page R2 R3 Page 17.6.2 Configuring Dynamic L2 Labels Virtual Circuit Signaling Tunnel LSP Signaling FEC-Label Bindings Ingress and Egress LSR Configuration for L2 Dynamic Labels - Transit LSR Configuration for L2 Dynamic Labels L2 Tunneling Based on VLAN ID Configuration Examples Page Page Page Page Page Page ! Configure RSVP ! Configure VLANs and interfaces ! Configure OSPF Page Page Page Page L2 Tunneling Based on Ports Configuration Examples Page Page Page Page Page Page Page Page Page Page L2 Tunneling Based on VLAN ID and Port Configuration Examples Page Page Page Page Page Page Page Page Page Page 17.7 TRAFFIC ENGINEERING 17.7.1 Administrative Groups Page 17.7.2 Constrained Shortest Path First Constrained Path Selection Configuration Example for OSPF Traffic Engineering Page Page Page Page The following is the configuration for R2: The following is the configuration for R3: The following is the configuration for R4: The following is the configuration for R5: ! Configure RSVP Page Page The following command shows the IS-IS adjacencies on R1: The following command shows the IS-IS traffic engineering database on R1: Page Page 17.7.3 IGP Shortcuts IS-IS IGP Shortcuts Example To enable IGP shortcuts on the router R1, enter the following command: R1(config)# ip-router global set install-lsp-routes on R1(config)# isis set igp-shortcuts enable Page Advertising IGP Shortcuts 18 ROUTING POLICY CONFIGURATION 18.1 PREFERENCE 18.1.1 Import Policies Import-Source 18.1.2 Export Policies Export-Destination Export-Source 18.1.3 Specifying a Route Filter 18.1.4 Aggr egates and Generates Aggregate-Destination Aggregate-Source 18.1.5 Authentication Authentication Methods Authentication Keys and Key Management 18.2 CONFIGURING SIMPLE ROUTING POLICIES 18.2.1 Redistributing Static Routes 18.2.2 Redistributing Directly Attached Networks 18.2.3 Redistributing RIP into RIP 18.2.4 Redistributing RIP into OSPF 18.2.5 Redistributing OSPF to RIP 18.2.6 Redistributing Aggregate Routes 18.2.7 Simple Route Redistribution Example: Redistribution into RIP Exporting a Given Static Route to All RIP Interfaces Exporting All Static Routes to All RIP Interfaces Router R1 has several static routes. We would export these routes over all RIP interfaces. Exporting All Static Routes Except the Default Route to All RIP Interfaces 18.2.8 Simple Route Redistribution Example: Redistribution into OSPF Exporting All Interface & Static Routes to OSPF Exporting All RIP, Interface & Static Routes to OSPF 18.3 CONFIGURING ADVANCED ROUTING POLICIES 18.3.1 Export Policies - 18.3.2 Creating an Export Destination 18.3.3 Creating an Export Source 18.3.4 Import Policies - 18.3.5 Creating an Import Source 18.3.6 Creating a Route Filter 18.3.7 Creating an Aggregate Route - - Page Page Importing a Selected Subset of Routes from One RIP Trusted Gateway Importing a Selected Subset of Routes from All RIP Peers Accessible Over a Certain Interface 18.3.11 Import Policies Example: Importing from OSPF Page Importing a Selected Subset of OSPF-ASE Routes importation. route. 18.3.12 Export Policies Example: Exporting to RIP Exporting a Given Static Route to All RIP Interfaces Exporting a Given Static Route to a Specific RIP Interface Exporting All Static Routes Reachable Over a Given Interface to a Specific RIP Interface Exporting Aggregate-Routes into RIP 18.3.13 Export Policies Example: Exporting to OSPF Exporting All Interface & Static Routes to OSPF Page Page Page Page 19 MULTICAST ROUTING 19.1 IGMP OVERVIEW 19.2 DVMRP OVERVIEW 19.3 CONFIGURING IGMP 19.3.1 Configuring IGMP on an IP Interface 19.3.2 Configuring IGMP Query Interval 19.3.3 Configuring IGMP Response Wait Time 19.3.4 Configuring Per-Interface Control of IGMP Membership 19.3.5 Configuring Static IGMP Groups 19.4 CONFIGURING DVMRP 19.4.4 Configuring the DVMRP Routing Metric 19.4.5 Configuring DVMRP TTL & Scope 19.4.6 Configuring a DVMRP Tunnel 19.5 MONITORING IGMP & DVMRP 19.6 CONFIGURATION EXAMPLE Page 20 IP POLICY-BASED FORWARDING 20.1 CONFIGURING IP POLICIES 20.1.1 Defining an ACL Profile 20.1.2 Associating the Profile with an IP Policy Creating Multi-Statement IP Policies Setting the IP Policy Action Setting Load Distribution for Next-Hop Gateways Verifying Next-Hop Gateways 20.1.3 Applying an IP Policy to an Interface 20.2 IP POLICY CONFIGURATION EXAMPLES 20.2.1 Routing Traffic to Different ISPs 20.2.2 Prioritizing Service to Customers 20.2.3 Authenticating Users through a Firewall 20.2.4 Firewall Load Balancing Page 20.3 MONITORING IP POLICIES Page Page Page 21 NETWORK ADDRESS TRANSLATION CONFIGURATION 21.1 CONFIGURING NAT 21.1.1 Setting Inside and Outside Interfaces 21.1.2 Setting NAT Rules Static 21.2 FORCING FLOWS THROUGH NAT 21.3 MANAGING DYNAMIC BINDINGS 21.4 NAT AND DNS 21.5 NAT AND ICMP PACKETS 21.6 NAT AND FTP 21.7 MONITORING NAT 21.8 CONFIGURATION EXAMPLES 21.8.1 Static Configuration Using Static NAT 21.8.2 Dynamic Configuration Using Dynamic NAT 21.8.3 Dynamic NAT with IP Overload (PAT) Configuration Using Dynamic NAT with IP Overload 21.8.4 Dynamic NAT with DNS Using Dynamic NAT with DNS 21.8.5 Dynamic NAT with Outside Interface Redundancy Using Dynamic NAT with Matching Interface Redundancy 22 WEB HOSTING CONFIGURATION 22.1 LOAD BALANCING 22.1.1 Creating the Server Group Specifying a Protocol Intrinsic Persistence Checking 22.1.2 Adding Servers to the Load Balancing Group 22.1.3 Setting Timeouts for Load Balancing Mappings 22.1.4 Optional Group or Server Operating Parameters Specifying a Load Balancing Policy Specifying a Connection Threshold Checking Servers and Applications 22.1.7 Load Balancing and FTP 22.1.8 Allowing Load Balancing Servers to Ac cess the Internet 22.1.9 Allowing Access to Load Balancing Se rvers 22.1.10 Virtual State Replication Protocol (VSRP) VSRP Example www.fast.net RS B RS A 22.1.11 Displaying Load Balancing Information 22.1.12 Configuration Examples Web Hosting with One Virtual Group and Multiple Destination Servers Web Hosting with Multiple Virtual Groups and Multiple Destination Servers Virtual IP Address Ranges Page Session and Netmask Persistence Load Balancing with NAT 22.2 WEB CACHING 22.2.1 Configuring Web Cachi ng Creating the Cache Group Specifying the Client(s) for the Cache Group (Optional) Redirecting HTTP Traffic on an Interface or Port 22.2.2 Configuration Example 22.2.3 Other Web-Cache Options Bypassing Cache Servers Proxy Server Redundancy Disabling Redirection on an Inbound Interface or Port Specifying Protocol for Redirected Traffic Distributing Frequently-Accessed Sites Across Cache Servers Specifying a Connection Threshold 22.2.4 Monitoring Web-Caching 23 IPX ROUTING CONFIGURATION 23.1 RIP (ROUTING INFORMATION PROTOCOL) 23.2 SAP (SERVICE ADVERTISING PROTOCOL) 23.3 CONFIGURING IPX RIP & SAP 23.3.4 IPX Addresses 23.4 CONFIGURING IPX INTERFACES AND 23.4.1 Configuring IPX Addresses to Ports 23.4.2 Configuring Secondary Addresses on an IPX Interface 23.4.3 Configuring IPX Interfaces for a VLAN 23.4.4 Specifying IPX Encapsulation Method 23.5 CONFIGURING IPX ROUTING 23.5.1 Enabling IPX RIP 23.5.2 Enabling SAP 23.5.3 Configuring Static Routes 23.5.4 Configuring Static SAP Table Entries 23.5.5 Controlling Access to IPX Networks Creating an IPX Access Control List Creating an IPX Type 20 Access Control List Creating an IPX SAP Access Control List Creating an IPX GNS Access Control List Creating an IPX RIP Access Control List 23.6 MONITORING AN IPX NETWORK 23.7 CONFIGURATION EXAMPLES Page 24 ACCESS CONTROL LIST 24.1 ACL BASICS 24.1.1 Defining Selection Criteria in ACL Rules 24.1.2 How ACL Rules are Evaluated 24.1.3 Implicit Deny Rule 24.1.4 Allowing External Responses to Established TCP Connections 24.2 CREATING AND MODIFYING ACLS 24.2.1 Editing ACLs Offline 24.2.2 Maintaining ACLs Using the ACL Editor 24.3 USING ACLS 24.3.1 Applying ACLs to Interfaces 24.3.2 Applying ACLs to Services 24.3.3 Applying ACLs to Layer-4 Bridging Ports 24.3.4 Using ACLs as Profiles Using Profile ACLs with the IP Policy Facility Using Profile ACLs with the Traffic Rate Limiting Fa cility Using Profile ACLs with Dynamic NAT Using Profile ACLs with the Port Mirroring Facility Using Profile ACLs with the Web Caching Facility 24.4 ENABLING ACL LOGGING 24.5 MONITORING ACLS Page 25 SECURITY CONFIGURATION 25.1 CONFIGURING RS ACCESS SECURITY Monitoring RADIUS 25.1.2 Configuring TACACS Monitoring TACACS 25.1.3 Configuring TACACS+ Monitoring TACACS+ 25.1.4 Configuring Passwords 25.1.5 Configuring SSH Establishing SSH Sessions Monitoring SSH Sessions 25.2 LAYER-2 SECURITY FILTERS 25.2.1 Configuring Layer-2 Address Filters 25.2.2 Configuring Layer-2 Port-to-Address Lock Filters 25.2.3 Configuring Layer-2 Static Entry Filters 25.2.4 Configuring Layer-2 Secure Port Filters 25.2.5 Monitoring Layer-2 Security Filters 25.2.6 Layer-2 Filter Examples Example 1: Address Filters Static Entries Example Port-to-Address Lock Examples Example 2 : Secure Ports 25.3 LAYER-3 ACCESS CONTROL LISTS (ACLS) 25.4 LAYER-4 BRIDGING AND FILTERING 25.4.1 Creating an IP or IPX VLAN for Layer-4 Bridging 25.4.2 Placing the Ports on the Same VLAN 25.4.3 Enabling Layer-4 Bridging on th e VLAN 25.4.4 Creating ACLs to Specify Selection Criteria for Layer-4 Bridging 25.4.5 Applying a Layer-4 Bridging ACL to a Port 25.4.6 Notes Page 26 QOS CONFIGURATION 26.1 LAYER-2, LAYER-3 AND LAYER-4 FLOW SPECIFICATION 26.2 PRECEDENCE FOR LAYER-3 FLOWS 26.3 RS QUEUING POLICIES 26.4 TRAFFIC PRIORITIZATION FOR LAYER-2 FLOWS 26.4.1 Configuring Layer-2 QoS 26.4.2 802.1p Class of Service Priority Mapping Creating and Applying a New Priority Map Removing or Disabling Per-Port Priority Map Displaying Priority Map Information 26.5 TRAFFIC PRIORITIZATION FOR LAYER-3 & LAYER-4 FLOWS 26.5.1 Configuring IP QoS Policies Setting an IP QoS Policy Specifying Precedence for an IP QoS Policy 26.5.2 Configuring IPX QoS Policies 26.6 CONFIGURING RS QUEUEING POLICY 26.6.1 Allocating Bandwidth for a Weighted-Fair Queuing Policy 26.7 WEIGHTED RANDOM EARLY DETECTION (WRED) 26.7.1 WREDs Effect on the Network 26.7.2 Weighting Algorithms in WRED Queue Time 26.8 TOS REWRITE 26.8.1 Configuring ToS Rewrite for IP Packets 26.9 MONITORING QOS 26.10 LIMITING TRAFFIC RATE 26.10.1 Rate Limiting Modes 26.10.2 Per-Flow Rate Limiting 26.10.3 Software-Based Flow-Aggregate Rate Limiting 26.10.4 Port Rate Limiting 26.10.5 Aggregate Rate Limiting Page 26.10.6 Example Configurations This section includes examples of rate limiting policy configurations. Per-Flow Rate Limiting The following is an example of configuring per-flow rate limiting on the RS. Flow-Aggregate Rate Limiting 26.10.7 Displaying Rate Limit Information Page 27 PERFORMANCE MONITORING 27.1 CONFIGURING THE RS FOR PORT MIRRORING 27.2 MONITORING BROADCAST TRAFFIC Page 28 RMON CONFIGURATION 28.1 CONFIGURING AND ENABLING RMON 28.1.1 Example of RMON Configuration Commands 28.1.2 RMON Groups Lite RMON Groups Standard RMON Groups Professional RMON Groups 28.1.3 Control Tables 28.2 USING RMON 28.3 CONFIGURING RMON GROUPS Page 28.3.1 Configuration Examples 28.4 DISPLAYING RMON INFORMATION 28.4.1 RMON CLI Filters Creating RMON CLI Filters Using RMON CLI Filters 28.5 TROUBLESHOOTING RMON 28.6 ALLOCATING MEMORY TO RMON Page 29 LFAP CONFIGURATION GUIDE 29.1 OVERVIEW 29.2 REQUIREMENTS 29.3 TRAFFIC ACCOUNTING SERVICES 29.4 CONFIGURING THE LFAP AGENT ON THE RS 29.5 MONITORING THE LFAP AGENT ON THE RS Page 30 WAN CONFIGURATION 30.1 HIGH-SPEED SERIAL INTERFACE (HSSI) AND STANDARD SERIAL INTERFACES 30.2 CONFIGURING WAN INTERFACES 30.2.1 Primary and Secondary Addresses 30.2.2 Static, Mapped, and Dynamic Peer IP/IPX Addresses Static Addresses Mapped Addresses Dynamic Addresses 30.2.3 Forcing Bridged Encapsulation 30.2.4 Packet Compression Average Packet Size Nature of the Data 30.2.5 Packet Encryption 30.2.6 WAN Quality of Service Source Filtering and ACLs Weighted-Fair Queueing Congestion Management Random Early Discard (RED) Adaptive Shaping 30.3 FRAME RELAY OVERVIEW 30.3.1 Virtual Circuits 30.3.2 Permanent Virtual Circuits (PVCs) 30.4 CONFIGURING FRAME RELAY INTERFACES FOR THE RS 30.4.1 Defining the Type and Location of a Frame Relay and VC Interface 30.4.2 Setting up a Frame Relay Service Profile 30.4.3 Applying a Service Profile to an Active Frame Relay WAN Port 30.5 MONITORING FRAME RELAY WAN PORTS 30.6 FRAME RELAY PORT CONFIGURATION 30.7 POINT-TO-POINT PROTOCOL (PPP) OVERVIEW 30.7.1 Use of LCP Magic Numbers 30.8 CONFIGURING PPP INTERFACES 30.8.1 Defining the Type and Location of a PPP Interface 30.8.2 Setting up a PPP Service Profile 30.8.3 Applying a Service Profile to an Active PPP Port 30.8.4 Configuring Multilink PPP Bundles Compression on MLP Bundles or Links 30.9 MONITORING PPP WAN PORTS 30.10 PPP PORT CONFIGURATION 30.11 CISCO HDLC WAN PORT CONFIGURATION 30.11.3 Assigning IP Addresses to a Cisco HDLC WAN Port 30.11.4 Monitoring Cisco HDLC Port Configuration 30.12 CISCO HDLC CONFIGURATION EXAMPLE 30.13 WAN RATE SHAPING 30.13.2 The WAN Rate Shaping Algorithm 1 2 4 5 6 7 3 30.13.3 WAN Rate Shaping Example Page 30.13.4 Using WAN Rate Shaping Using Multiple Rate Shaping Templates Rate Shaping by Best Effort Page 30.14 INVERSE MULTIPLEXER OVERVIEW 30.14.1 Bit Error Rate Testing an IMUX Group 30.15 WAN CONFIGURATION EXAMPLES 30.15.1 Simple Configuration File 30.15.2 Multi-Router WAN Configuration 30-26 Riverstone Networks RS Switch Router User Guide Release 8.0 WAN Configuration Examples WAN Configuration R5 R3 R4 R2 R1 R6 Legend Router R1 Configuration File The following configuration file applies to Router R1. The following configuration file applies to Router R2. Router R2 Configuration File Router R3 Configuration File The following configuration applies to Router 3. The following configuration file applies to Router R4 Router R4 Configuration File Router R5 Configuration File The following configuration file applies to Router R5 The following configuration file applies to Router R6 Router R6 Configuration File 30.16 CHANNELIZED T1, E1 AND T3 SERVICES OVERVIEW 30.16.1 T1 and E1 WAN Interface Cards Page Page Page Basic Channelized T1, E1 and T3 Interface Functions Configuring Frame Relay over Channelized T1, E1 and T3 Interfaces 30.16.4 Bit Error Rate Testing Example: Configuring Loopbacks and Using BERT Testing on a DS1 Interface This example shows the use of BERT to test a structured DS1 interface for a duration of one hour. Example: Configuring Loopbacks and Using BERT Testing on a DS3 Interface Example: Configuring Loopbacks and Using BERT Testing on a Channelized E1 Interface This example shows the use of BERT to test a structured E1 interface for a duration of one hour. 30.16.5 Configuring a Test using External Test Equipment 30.17 CLEAR CHANNEL T3 AND E3 SERVICES OVERVIEW 30.18 SCENARIOS FOR DEPLOYING CHANNELIZED T1, E1 AND T3 Figure 30-5 Bridged MSP MTU/MDU Aggregation Metropolitan Sevice Provider Page hqsite RS 3000 Configuration The following configuration applies to the RS 3000 router at the head office, hqsite. The following configuration applies to router RS 3000 at the remote site, rsite2. 30.18.2 Scenario 2: Routed Inter-Office Connections with Only T1 on RS 8x00 Page ISP RS 32000 Configuration The following configuration applies to the RS 32000 router at the ISP. Page Page Page 30.18.3 Scenario 3: Routed Inter-Office Connections with T1 and T3 on RS 8x00 Page ISP RS 32000 Configuration The following configuration applies to the RS 32000 router at the ISP. Page Page Page Page 30.18.4 Scenario 4: Routed Metropolitan Backbone with Only T1 on RS 8x00 Page Page Page Page Internet Service Provider B RS 32000 Configuration The following configuration applies to the RS 32000 router at Internet Service Provider B. Page 30.18.5 Scenario 5: Routed Metropolitan Backbone with T1 and T3 on RS 8x00 Figure 30-9 Routed Metropolitan Backbone with T1 and T3 on RS 8x00 Page Page Page Page Internet Service Provider B RS 32000 Configuration The following configuration applies to the RS 32000 router at Internet Service Provider B. Page 30.18.6 Scenario 6: Routed Inter-Office Connections with E1 on RS8x00 Page Page Page 30.18.7 Scenario 7: Transatlantic Connection using T1 and E1 on RS 8x00 T1 E1 RS 8600 Configuration (USA) RS 8000 Configuration (Europe) The following configuration applies to the RS 8000 router. 30.18.8 Scenario 8: Configuring Frame Relay over Channelized T1 Interfaces Figure 30-12 Frame Relay over Channelized T1 rsite1 RS 3000 Configuration rsite4 RS 3000 Configuration rsite5 RS 3000 Configuration rsite6 RS 3000 Configuration 30.19 SCENARIOS FOR DEPLOYING CLEAR CHANNEL T3 AND E3 30.19.1 Scenario 1: Routed Inter-Office Connections through and ISP Page ISP RS 8000 Configuration The following configuration applies to the RS 8000 router at the ISP. hqsite RS 8000 Configuration The following configuration applies to the RS 8000 router at the head office, hqsite. Page Page Page 30.19.2 Scenario 2: Routed Metropolitan Backbone Page Metropolitan Service Provider RS 8000 Configuration The following configuration applies to the RS 8000 router at the Metropolitan Service Provider. hqsite RS 8000 Configuration The following configuration applies to the RS 8000 router at the head office, hqsite. Page Page Internet Service Provider A RS 8000 Configuration The following configuration applies to the RS 8000 router at Internet Service Provider A. Internet Service Provider B RS 8000 Configuration The following configuration applies to the RS 8000 router at Internet Service Provider B. Page Page Page 31 SERVICE CONFIGURATION 31.1 SERVICE FACILITY RATE LIMITING TYPES 31.2 CREATING A SERVICE 31.2.1 Aggregate Rate Limiting Service Hardware Credit Buckets 31.2.2 Flow-Aggregate Rate Limiting Service 31.2.3 Per-Flow Rate Limiting Service 31.2.4 Burst-Safe Rate Limiting Service 31.3 APPLYING A SERVICE 31.3.1 Applying Services With ACLs 31.3.2 Applying Services Using the MF-Classifier Command 31.4 SHOWING A SERVICE 31.4.1 Aggregate, Flow-Aggregate, Per-Flow, and Burst-Safe Show Commands 31.4.2 Show All Command 31.5 PORT-LEVEL RATE LIMITING 31.6 SERVICE CONFIGURATION EXAMPLES 31.6.1 Applying a Service to Multiple Servers Page 31-12 Riverstone Networks RS Switch Router User Guide Release 8.0 Service Configuration Examples Service Configuration Following is the configuration: MAN Figure 31-3 Burst-Safe Configuration Customers 31.7 RATE LIMITING CONFIGURATION EXAMPLES Per-Flow Rate Limiting Flow-Aggregate Rate Limiting The following is an example of configuring flow-aggregate rate limiting. Network Subnetwork 122.132.0.0/16 256 Kbps 64 Kbps