Enterasys-networks Security Router X-PeditionTM Manual de usuario

X-Pedition™ Security RouterXSR User’s GuideVersion 7.6P/N 9033837-09

viii4. EXPORTRESTRICTIONS. YouunderstandthatEnterasysanditsAffiliatesaresubjecttoregulationbyagenciesoftheU.S.Government,includingt

Troubleshooting T1/E1 & T3/E3 Links4-12 Configuring T1/E1 & T3/E3 InterfacesFigure 4-6 T1/E1 & T3/E3 Error Events Analysis Troubleshootin

Troubleshooting T1/E1 & T3/E3 LinksXSR User’s Guide 4-13Framing Loss Seconds IncreasingIf framing loss seconds are present on the T1/E1 line, usua

Troubleshooting T1/E1 & T3/E3 Links4-14 Configuring T1/E1 & T3/E3 Interfaces

XSR User’s Guide 5-15Configuring IPOverviewThis document describes the XSR’s IP protocol suite functionality including:• General IP features (ARP, ICM

General IP Features5-2 Configuring IP• The Router ID can be configured with the ip router-id command or, if not configured, automatically generated fr

General IP FeaturesXSR User’s Guide 5-3• Troubleshooting Tools–Ping–Traceroute•IP Routing–RIP– Triggered-on-Demand RIP updates– OSPF including Databas

General IP Features5-4 Configuring IP• Virtual Router Redundancy Protocol (VRRP): RFC-2338 and Definitions of Managed Objects for the Virtual Router R

General IP FeaturesXSR User’s Guide 5-5When a BOOTP/DHCP response is received, the packet is sent to the requester as a unicast IP packet, according t

General IP Features5-6 Configuring IPdoes not actually examine or store full routing tables sent by routing devices, it merely keeps track of which sy

General IP FeaturesXSR User’s Guide 5-7hostkey.dat file unless none have been generated or the content of the file is corrupted in which case default

ix10. ENFORCEMENT. YouacknowledgeandagreethatanybreachofSections2,4,or9ofthisAgreementbyYoumaycauseEnterasysirreparabledamagefo

General IP Features5-8 Configuring IPAn XSR interface can support one primary IP address and multiple secondary IP addresses. Including all XSR interf

General IP FeaturesXSR User’s Guide 5-9Routing Table Manager & Secondary IPIf the interface is up, each primary and secondary IP address will have

IP Routing Protocols5-10 Configuring IPVRRP & Secondary IPMultiple virtual IP addresses per Virtual Router (VR) are available to support multiple

IP Routing ProtocolsXSR User’s Guide 5-11•Static routes• Route redistribution• Default network• CIDR (classless IP)•Configurable Router ID• Route Pref

IP Routing Protocols5-12 Configuring IP• Offset metric parameters - route metrics via RIP. Adding an offset to an interface might force a route throug

IP Routing ProtocolsXSR User’s Guide 5-13• The latest changes are sent when:– The routing database is modified by new data. The latest changes are sen

IP Routing Protocols5-14 Configuring IP• Dial-on-demand connections.Retransmissions are governed by the following conditions, among others:• The retra

IP Routing ProtocolsXSR User’s Guide 5-15• Incremental SPF is always enabled. SPF calculation can be changed with timers spf• Hello wait intervals wit

IP Routing Protocols5-16 Configuring IPEach LSA type configurable for database overflow can generate a log to reflect pending overflow, overflow enter

IP Routing ProtocolsXSR User’s Guide 5-17OSPF TroubleshootingXSR commands provide debugging of OSPF Version 2 control information including:• Monitori

x

IP Routing Protocols5-18 Configuring IP–Static routes: 1– BGP external routes: 20–OSPF intra-area routes: 108– OSPF inter-area routes: 110– OSPF exter

IP Routing ProtocolsXSR User’s Guide 5-19Figure 5-1 802.1Q VLAN TagThe reserved Tag Type denotes the associated Ethernet frame type of the VLAN Tag w

IP Routing Protocols5-20 Configuring IPFigure 5-3 Topology of Ethernet/PPPoE/VLAN/PPPoE over VLANVLAN Processing Over the XSR’s Ethernet InterfacesTh

IP Routing ProtocolsXSR User’s Guide 5-21Figure 5-5 VLAN Ethernet to Fast/GigabitEthernet TopologyVLAN Processing: VLAN-enabled Ethernet to WAN Inter

IP Routing Protocols5-22 Configuring IPFigure 5-7 WAN Interface to VLAN Ethernet TopologyFor sample configurations, refer to “Configuring VLAN Exampl

IP Routing ProtocolsXSR User’s Guide 5-232. When a policy entry is found for a packet, the table search ends and the packet is processed according to

IP Routing Protocols5-24 Configuring IPDefault NetworkThe default network is used to specify candidates for the default route when a default route is

IP Routing ProtocolsXSR User’s Guide 5-25Leaving the Router ID unconfigured or allowing it to be assigned by default to a physical IP interface can be

IP Routing Protocols5-26 Configuring IPRTP_compression TX reached maximum allowed connections, RTP compression received un-expected 8 bit CID RTP comp

IP Routing ProtocolsXSR User’s Guide 5-27• Application Level Gateway (ALG) for FTP, ICMP, Netbios over TCP and UDP– PPTP/GRE ALG for NAPT - allows PPT

xiContentsPrefaceContents of the Guide ...

IP Routing Protocols5-28 Configuring IPFigure 5-8 Simple VRRP TopologyBecause the VR uses the IP address of the physical Ethernet interface of XSR1,

IP Routing ProtocolsXSR User’s Guide 5-29• Virtual Router - An abstract object managed by VRRP that acts as a default router for hosts on a shared LAN

IP Routing Protocols5-30 Configuring IP• Broadcasts an ARP message with the VR’s MAC address to all the IP addresses associated with the VR’s IP addre

IP Routing ProtocolsXSR User’s Guide 5-31Load BalancingThe XSR provides load balancing according to the following rules:• Load balancing depends on ho

IP Routing Protocols5-32 Configuring IP• Master VR - all traffic, including locally generated or forwarding traffic, uses one of the virtual MAC addre

IP Routing ProtocolsXSR User’s Guide 5-33When the actual IP address owner of the Virtual IP address releases the master state of the VR, it will no lo

IP Routing Protocols5-34 Configuring IPEqual-Cost Multi-Path (ECMP)Equal-Cost Multi-Path (ECMP) is a technique to forward packets along multiple paths

Configuring RIP ExamplesXSR User’s Guide 5-35Figure 5-10 ECMP VPN Load Balancing TopologyConfiguring RIP ExamplesThe following example enables RIP on

Configuring RIP Examples5-36 Configuring IPXSR(config-if<F1>)#ip address 192.168.1.100 255.255.255.0XSR(config-if<F1>)#ip access-group 1 i

Configuring Unnumbered IP Serial Interface ExampleXSR User’s Guide 5-37Configuring Unnumbered IP Serial Interface ExampleThe following example configu

xii Configuring an Interface ... 2-22

Configuring NAT Examples5-38 Configuring IPConfiguring NAT ExamplesBasic One-to-One Static NATThe following example illustrates inside source address

Configuring NAT ExamplesXSR User’s Guide 5-39Dynamic Pool ConfigurationThe following example illustrates dynamic pool translation on the XSR, as shown

Configuring NAT Examples5-40 Configuring IP3. Optional. Add an ACL to permit NAT traffic from the 10.1.1.0 network. All other traffic is implicitly de

Configuring NAT ExamplesXSR User’s Guide 5-413. Host 172.20.2.1 receives the packet and responds to address 200.2.2.1.4. When the XSR receives the pac

Configuring NAT Examples5-42 Configuring IP2. The first packet the XSR receives from 10.1.1.1 is checked against its ACLs. ACL 101 matches and pool Na

Configuring NAT ExamplesXSR User’s Guide 5-43Figure 5-15 Static NAT within InterfaceAs shown in Figure 5-15, packets from the PC at 10.1.1.1 are stat

Configuring Policy Based Routing Example5-44 Configuring IP+ The above optional NAPT commands use ACL 101 for the 200.2.2.0 network and ACL 102 for th

Configuring VRRP ExampleXSR User’s Guide 5-45XSR(config-if<G1>)#ip policyThese commands create the PBR, map it to ACL 101, and set the forwardin

Configuring VLAN Examples5-46 Configuring IPXSRb(config-if<F1>)#vrrp 5 priority 200XSRb(config-if<F1>)#vrrp 5 adver-int 30XSRb(config-if&l

XSR User’s Guide 6-16Configuring the Border Gateway ProtocolFeaturesThe XSR supports the following the Border Gateway Protocol (BGP-4) features:• Full

xiiiChapter 3: Managing LAN/WAN InterfacesOverview of LAN Interfaces ...

Overview6-2 Configuring the Border Gateway ProtocolFigure 6-1 Differentiating EBGP from IBGPBGP can be categorized as a path vector routing protocol

OverviewXSR User’s Guide 6-3• Hold time: Number of seconds that the sender proposes for the value of the Hold Timer. The hold time defines the interva

Overview6-4 Configuring the Border Gateway ProtocolAS PathThe AS_PATH attribute, as shown in Figure 6-2, is the sequence of AS numbers a route has tra

OverviewXSR User’s Guide 6-5BGP considers the ORIGIN attribute in its decision-making process to set a preference ranking among multiple routes. Namel

Overview6-6 Configuring the Border Gateway ProtocolFigure 6-3 Local Preference Applied to Direct Egress Traffic from AS.

OverviewXSR User’s Guide 6-7WeightWeight, as shown in Figure 6-4, and LOCAL_PREF attributes are similar except that weight is not exchanged between ro

Overview6-8 Configuring the Border Gateway ProtocolAggregatorThe AGGREGATOR attribute, as shown in Figure 6-5, is added by the BGP speaker that formed

OverviewXSR User’s Guide 6-9Figure 6-6 MED Applied to Direct Ingress Traffic Flow to an AS CommunityA BGP community, as shown in Figure 6-7, is defin

Overview6-10 Configuring the Border Gateway Protocollearn, advertise, or redistribute routes. When routes are aggregated, the resulting aggregate has

OverviewXSR User’s Guide 6-11BGP Path Selection ProcessBGP routers usually consider multiple paths to a destination. The BGP best path selection proce

xiv Secondary IP ...

Overview6-12 Configuring the Border Gateway ProtocolAccess Control ListsAccess Control Lists (ACLs) are filters which permit or deny access to one or

OverviewXSR User’s Guide 6-13• Set community attributes for a specific route with set community• Set the origin for a specific route with set origin•

Overview6-14 Configuring the Border Gateway Protocol• Display all routes with any AS path:–show ip bgp “.*”• Display all routes having at least two AS

OverviewXSR User’s Guide 6-15• Permit a local BGP speaker to send the default route 0.0.0.0 to a neighbor as the default route: neighbor default-origi

Overview6-16 Configuring the Border Gateway ProtocolSynchronizationWhen an AS provides transit service to other ASs and if there are non-BGP routers i

OverviewXSR User’s Guide 6-17prefix is suppressed for a calculated period (a penalty) which is further incremented with every subsequent flap. The pen

Overview6-18 Configuring the Border Gateway ProtocolScaling BGPBGP requires that all BGP speakers with a single AS (IBGP) be fully meshed, as shown in

OverviewXSR User’s Guide 6-19Route ReflectorsRoute reflectors are an alternative to the requirement of a fully meshed network within an AS, as illustr

Overview6-20 Configuring the Border Gateway ProtocolIt is typical for a client cluster to have one route reflector and be identified by the reflector’

OverviewXSR User’s Guide 6-21Figure 6-12 Figure 12 Use of Confederations to Reduce IBGP Mesh Displaying System and Network StatisticsThe XSR supports

xvLoad Balancing... 5-31

Configuring BGP Route Maps6-22 Configuring the Border Gateway Protocol• Show BGP peer group data: show ip bgp peer-group• Show routes matching regular

Configuring BGP Route MapsXSR User’s Guide 6-23XSR(config-router)#neighbor 192.168.57.4 remote-as 200XSR(config-router)#neighbor 192.168.57.4 route-ma

Configuring BGP Route Maps6-24 Configuring the Border Gateway ProtocolXSR(config-router)#neighbor 192.168.57.69 filter-list 3 outXSR(config-router)#ne

Configuring BGP Peer GroupsXSR User’s Guide 6-25XSR(config-router)#neighbor 130.32.32.1 remote-as 37In a BGP speaker in AS 2, configure the peers from

Configuring BGP Peer Groups6-26 Configuring the Border Gateway ProtocolXSR(config-router)#neighbor IBGP filter-list 1 outXSR(config-router)#neighbor I

Configuring BGP Peer GroupsXSR User’s Guide 6-27XSR(config-router)#neighbor 192.168.57.90 send-communityXSR(config-router)#neighbor 192.168.57.90 rout

Configuring BGP Peer Groups6-28 Configuring the Border Gateway ProtocolXSR(config-router)#bgp confederation identifier 100XSR(config-router)#bgp confe

XSR User’s Guide 7-17Configuring PIM-SM and IGMPThis chapter describes Protocol Independent Multicast - Sparse Mode (PIM-SM) and Internet Group Manage

IP Multicast Overview7-2 Configuring PIM-SM and IGMPcalculates the checksum based on the whole Register packet including the data portion. When the XS

IP Multicast OverviewXSR User’s Guide 7-3• Addresses between 239.0.0.0 and 239.255.255.255 should not be forwarded beyond an organization's intra

xvi Filter Lists ...

Describing the XSR’s IP Multicast Features7-4 Configuring PIM-SM and IGMPTwo basic types of MDTs are source and shared trees, described as follows:•A

Describing the XSR’s IP Multicast FeaturesXSR User’s Guide 7-5IGMP is an asymmetric protocol, so there are separate behaviors for group members (hosts

Describing the XSR’s IP Multicast Features7-6 Configuring PIM-SM and IGMPReceiving a QueryWhen a LAN contains multiple multicast routers, IGMPv3 choos

Describing the XSR’s PIM-SM v2 FeaturesXSR User’s Guide 7-7Behavior of Group Members Among Older Version Group MembersAn IGMPv3 host may be situated i

Describing the XSR’s PIM-SM v2 Features7-8 Configuring PIM-SM and IGMPPhase 1: Building a Shared TreeDuring phase one, PIM-SM builds a shared tree roo

Describing the XSR’s PIM-SM v2 FeaturesXSR User’s Guide 7-9interconnects with a router which is already on the shortest path tree from S to the same m

Describing the XSR’s PIM-SM v2 Features7-10 Configuring PIM-SM and IGMPFigure 7-4 Phase 3 Topology: Shortest Path Tree Between Sender and ReceiverNei

Describing the XSR’s PIM-SM v2 FeaturesXSR User’s Guide 7-11PIM Register MessageBy the end of PIM-SM phase one, the DR for the sender will encapsulate

Describing the XSR’s PIM-SM v2 Features7-12 Configuring PIM-SM and IGMPAssert messages are used to negotiate which router will forward the multicast p

PIM Configuration ExamplesXSR User’s Guide 7-13PIM Configuration ExamplesThe following is a simple PIM configuration using the virtual Loopback interf

xviiDescribing the XSR’s PIM-SM v2 Features ... 7-7Ph

PIM Configuration Examples7-14 Configuring PIM-SM and IGMP

XSR User’s Guide 8-18Configuring PPPOverviewThe Point-to-Point Protocol (PPP), referenced in RFC-1616, is a standard method for transporting multi-pro

PPP Features8-2 Configuring PPP– Challenge Handshake Authentication Protocol (CHAP)– Microsoft Challenge Handshake Authentication Protocol (MS-CHAP)•

PPP FeaturesXSR User’s Guide 8-3AuthenticationAuthentication protocols, as referenced in RFC-1334, are used primarily by hosts and routers to connect

PPP Features8-4 Configuring PPPThe MS-CHAP challenge, response and success packet formats are identical in format to the standard CHAP challenge, resp

PPP FeaturesXSR User’s Guide 8-5• Fragmentation/reassembly• Detection of fragment loss• Optimal buffer usage• MTU size determination• Management of ML

PPP Features8-6 Configuring PPPMLPPP Packet Fragmentation and Serialization Transmission LatencyMLPPP’s packet transport method over multiple member l

PPP FeaturesXSR User’s Guide 8-7The overall serialization latency for a fragment over a synchronous/ asynchronous Serial or T1 link should be multipli

PPP Features8-8 Configuring PPPThe class number is defaulted to five for both short and the long sequence numbers. That includes four suspendable leve

PPP FeaturesXSR User’s Guide 8-9IP Address Assignment In PPP, IPCP configuration option type 3 corresponds to IP address negotiation. This configurati

xviii Chapter 9: Configuring Frame RelayOverview ...

Configuring PPP with a Dialed Backup Line8-10 Configuring PPPConfiguring PPP with a Dialed Backup LineYou can configure PPP on the following types of

Configuring a Dialed Backup LineXSR User’s Guide 8-115. Enter no shutdown to enable this interface.XSR(config-if<S1/0>)#no shutdownConfiguring a

Configuring a Dialed Backup Line8-12 Configuring PPPConfiguring the Interface as the Backup Dialer Interface1. Enter interface serial card/port to spe

Configuring MLPPP on a Multilink/Dialer interfaceXSR User’s Guide 8-13Configuring MLPPP on a Multilink/Dialer interfaceMultilink ExampleThe following

Configuring BAP8-14 Configuring PPPXSR(config-if<D255>)#multilink min-links 37XSR(config-if<D255>)#ppp multilink bapXSR(config-if<D255&

Configuring BAPXSR User’s Guide 8-15XSR1(config-controller<T1-1/0>)#isdn bchan-number-order ascendingXSR1(config-controller<T1-1/0>)#no sh

Configuring BAP8-16 Configuring PPP3. Configure the Dialer 1 interface with a dialer pool:XSR2(config)#interface Dialer1XSR2(config-if<D1>)#no s

Configuring BAPXSR User’s Guide 8-17XSR1(config-if<D1>)#dialer pool 1XSR1(config-if<D1>)#encapsulation pppXSR1(config-if<D1>)#ppp mu

Configuring BAP8-18 Configuring PPP

XSR User’s Guide 9-19Configuring Frame RelayOverviewFrame Relay (FR) is a simple, bit-oriented protocol that offers fast-packet switching for wide-are

xixConfiguring ISDN Callback ... 10-12

Overview9-2 Configuring Frame RelayFigure 9-1 Frame Relay Network TopologyFrom the perspective of the OSI reference model, Frame Relay is a high-perf

Frame Relay FeaturesXSR User’s Guide 9-3Frame Relay FeaturesThe XSR supports the following FR features:• The XSR acts as a DTE/DCE device in the UNI (

Controlling Congestion in Frame Relay Networks9-4 Configuring Frame RelayAddress ResolutionThe XSR supports dynamic resolution via Inverse ARP to map

Controlling Congestion in Frame Relay NetworksXSR User’s Guide 9-5Several other parameters work hand-in-hand with CIR in controlling traffic flow. Com

Controlling Congestion in Frame Relay Networks9-6 Configuring Frame RelayUsing BECN bits to control the outbound dataflow is known as adaptive shaping

Link Management Information (LMI)XSR User’s Guide 9-7Link Management Information (LMI)A FR UNI-DCE device communicates with an attached FR DTE device

FRF.12 Fragmentation9-8 Configuring Frame RelayFRF.12 FragmentationGenerally speaking, it is difficult to deliver good end-to-end quality of service f

FRF.12 FragmentationXSR User’s Guide 9-9until you enter the copy running config startup config command to copy the running configuration into the star

Interconnecting via Frame Relay Network9-10 Configuring Frame RelayInterconnecting via Frame Relay NetworkThe following typical application uses FR to

Configuring Frame RelayXSR User’s Guide 9-11Configuring Frame RelayMulti-point to Point-to-Point ExampleThe following example configures the XSR in Ne

xx Backup Using ISDN ... 1

Configuring Frame Relay9-12 Configuring Frame RelayNewYork(config-map-class<frf12>)#frame-relay bc out 4000NewYork(config-map-class<frf12>

Configuring Frame RelayXSR User’s Guide 9-13Andover(config-if<S2/0>)#frame-relay lmi-type ANSIAndover(config-if<S2/0>)#frame-relay traffic

Configuring Frame Relay9-14 Configuring Frame Relay

XSR User’s Guide 10-110Configuring Dialer ServicesThis chapter details information about the XSR’s suite of dialer functionality:•Dial• Ethernet Failo

Asynchronous and Synchronous Support10-2 Configuring Dialer ServicesAsynchronous and Synchronous SupportSynchronous and asynchronous interfaces can be

Asynchronous and Synchronous SupportXSR User’s Guide 10-3Table 10-1 lists V.25bis options. By default, the synchronous port will use V25bis. The funct

Implementing Dial Services10-4 Configuring Dialer ServicesImplementing Dial ServicesDial services are provided by dialer interfaces, which are defined

Implementing Dial ServicesXSR User’s Guide 10-5to support point-to-point or point-to-multi-point connections and can be non-spoofed for backup purpose

Implementing Dial Services10-6 Configuring Dialer ServicesConfiguring EncapsulationWhen a clear data link is established between two peers, traffic mu

Implementing Dial ServicesXSR User’s Guide 10-7Figure 10-3 Logical View of Dialer ProfilesFigure 10-4 on page 10-8 illustrates three Dialer Interface

xxiMeasuring Bandwidth Utilization ... 12-5Describi

Implementing Dial Services10-8 Configuring Dialer ServicesFigure 10-4 Sample Dialer TopologyAs illustrated in Figure 10-5 on page 10-9 and Figure 10-

Implementing Dial ServicesXSR User’s Guide 10-9Figure 10-5 Dialer Profile of Destination (416) 123-4456Interface dialer 0ip address 10.1.1.1 255.0.0.

Implementing Dial Services10-10 Configuring Dialer ServicesFigure 10-6 Dialer Profile of Destination (987) 231-2345Configuring the Dialer InterfaceTh

Implementing Dial ServicesXSR User’s Guide 10-11Configuring the Map Class1. Enter map-class dialer classname to create a map-class identifier.This val

Implementing Dial Services10-12 Configuring Dialer ServicesConfiguring ISDN CallbackThe following CLI commands configure point-to-point and point-to-m

Overview of Dial BackupXSR User’s Guide 10-13XSR(config-if<D1>)#dialer idle-timer 0XSR(config-if<D1>)#dialer map ip 10.10.10.2 9053617921X

Link Failure Backup Example10-14 Configuring Dialer Services8. Backup link is up, triggering the next action.9. Static Backup route configured - the r

Configuring a Dialed Backup LineXSR User’s Guide 10-15Configuring the Physical Interface for the Dialer InterfacePerform the following steps to set up

Configuring a Dialed Backup Line10-16 Configuring Dialer ServicesSample ConfigurationFigure 10-8 on page 10-16 shows an example of two dialer interfac

Overview of Dial on Demand/Bandwidth on DemandXSR User’s Guide 10-17XSR(config-if<D2>)#encapsulation pppXSR(config-if<D2>)#dialer pool 5XS

xxii ADSL Hardware ...

Dialer Interface Spoofing10-18 Configuring Dialer ServicesFor more information on ISDN fundamentals, refer “Configuring Integrated Services Digital Ne

Dialer WatchXSR User’s Guide 10-19A watch group can also be specified for use by the Virtual Router Redundancy Protocol (VRRP) with the vrrp <numbe

Answering Incoming ISDN Calls10-20 Configuring Dialer ServicesCaveatThe following caveat applies to Dialer Watch functionality:The dialer will not dis

Answering Incoming ISDN CallsXSR User’s Guide 10-21Incoming Call Mapping ExampleThis example, as shown in Figure 10-10, configures a node capable of h

Answering Incoming ISDN Calls10-22 Configuring Dialer ServicesNode B (Called Node) ConfigurationThe following commands add two users to validate calls

Configuring DoD/BoDXSR User’s Guide 10-23XSR(config-if<BRI-1/0>)#dialer pool-member 2XSR(config-if<BRI-1/0>)#no shutdownThe following comm

Configuring DoD/BoD10-24 Configuring Dialer ServicesFigure 10-11 Dial on Demand TopologyPPP Point-to-Multipoint ConfigurationIn this configuration, o

Configuring DoD/BoDXSR User’s Guide 10-25! XSR(config-if<D2>)#dialer map ip 20.20.20.2 2401! XSR(config-if<D2>)#ip address 20.20.20.1 255.

Configuring DoD/BoD10-26 Configuring Dialer ServicesXSR(config)#interface dialer 1XSR(config-if<D1>)#no shutdownXSR(config-if<D1>)#dialer

Configuring DoD/BoDXSR User’s Guide 10-27Figure 10-12 Point-to-Point TopologyDial-in Routing for Dial on Demand ExampleThe following commands configu

xxiiiServer 1 ...

Configuring DoD/BoD10-28 Configuring Dialer ServicesXSR(config)#interface dialer 1XSR(config-if<D1>)#encapsulation pppXSR(config-if<D1>)#i

Configuring DoD/BoDXSR User’s Guide 10-29Dial-out Router ExampleThe following commands add a dialer pool and dialer group, specify a secret password t

Configuring DoD/BoD10-30 Configuring Dialer ServicesXSR(config-if<D2>)#no shutdownXSR(config-if<D2>)#dialer remote-name XSR-BostonThe foll

Configuring DoD/BoDXSR User’s Guide 10-31Node B (Called Node) ConfigurationThe following commands add a dialer pool member with the Central Office swi

Configuring DoD/BoD10-32 Configuring Dialer ServicesXSR(config-if<D1>)#dialer pool 1XSR(config-if<D1>)#no shutdownThe following commands a

Configuring DoD/BoDXSR User’s Guide 10-33Figure 10-15 MLPPP Point-to-Multipoint TopologyDial-out Router ExampleThe following commands add a dialer po

Configuring DoD/BoD10-34 Configuring Dialer ServicesThe following command defines interesting packets for the dial out trigger by configuring ACL 101

Switched PPP Multilink ConfigurationXSR User’s Guide 10-35XSR(config)#access-list 101 permit icmp any any 8The following command maps ACL 101 to diale

Switched PPP Multilink Configuration10-36 Configuring Dialer ServicesNode A (Calling Node) ConfigurationThe following commands add a dialer pool membe

Backup ConfigurationXSR User’s Guide 10-37Backup ConfigurationBackup Using ISDNThis example configures ISDN NIM cards (either BRI or T1/E1 configured

xxiv DHCP Client Services ...

Backup Configuration10-38 Configuring Dialer ServicesXSR(config-if<D2>)#dialer pool 22XSR(config-if<D2>)#dialer string 2501XSR(config-if&l

Backup ConfigurationXSR User’s Guide 10-39XSR(config-if<D2>)#no shutdownXSR(config-if<D2>)#dialer pool 28XSR(config-if<D2>)#encapsul

Backup Configuration10-40 Configuring Dialer ServicesXSR(config-if<S2/0:0>)#backup interface dialer1XSR(config-if<S2/0:0>)#encapsulation p

Backup ConfigurationXSR User’s Guide 10-41Configuration for Frame Relay EncapsulationThis backup dial-out example configures FR encapsulation and typi

Backup Configuration10-42 Configuring Dialer Services

XSR User’s Guide 11-111Configuring Integrated Services Digital NetworkThis chapter outlines how to configure the Integrated Services Digital Network (

Understanding ISDN11-2 Configuring Integrated Services Digital NetworkBRI Features• Circuit Mode Data (CMD): Channels (DS0s or B’s) are switched by th

Understanding ISDNXSR User’s Guide 11-3which provides access to 23 B-channels in North America and Japan and 30 B-channels in Europe and most of Asia,

Understanding ISDN11-4 Configuring Integrated Services Digital NetworkD-Channel StandardsThe XSR supports several D-channel standards, which are enabl

Understanding ISDNXSR User’s Guide 11-5reference point represents the customer premises’ wiring. S/T is a point-to-multipoint wiring configuration, th

xxvApplication Level Commands ... 16-13Applicati

Understanding ISDN11-6 Configuring Integrated Services Digital NetworkCall MonitoringCall monitoring is also an vital element of the XSR’s ISDN servic

Understanding ISDNXSR User’s Guide 11-7Rx ISDN-BRI 1/0 03:13:47:676 Q921 UI p 0 sapi 63 tei 127 c/r 1• + 2nd line:info:0F 00 00 06 FFTx ISDN-BRI 1/0 0

Understanding ISDN11-8 Configuring Integrated Services Digital Network– + Next line: 04 Bearer capability 889018 Channel Id. 816C Calling number N0:28

ISDN ConfigurationXSR User’s Guide 11-9Decoded IEsOnly IEs referring to data calls are supported and decoded by the XSR, as shown in the following exa

ISDN Configuration11-10 Configuring Integrated Services Digital Network•The channel-group command for point-to-point connections.The above commands ar

ISDN ConfigurationXSR User’s Guide 11-11Figure 11-1 .Switched BRI Configuration ModelThe following example adds a dialer pool and group, and two phon

ISDN Configuration11-12 Configuring Integrated Services Digital NetworkXSR(config)#interface dialer 1XSR(config-if<D1>)#ip address 2.2.2.2 255.2

ISDN ConfigurationXSR User’s Guide 11-13Figure 11-2 .PRI Configuration ModelThe following T1 example configures the interface for ISDN PRI operation,

ISDN Configuration11-14 Configuring Integrated Services Digital NetworkBe aware that the isdn bchan-number-order command forces the PRI interface to m

More Configuration ExamplesXSR User’s Guide 11-15XSR(config-if<BRI-1/1:2>)#ip address 1.1.1.3 255.255.255.0XSR(config-if<BRI-1/1:2>)#encap

xxvi DOS Attacks Blocked Counters...B-12DOS Atta

ISDN (ITU Standard Q.931) Call Status Cause Codes11-16 Configuring Integrated Services Digital NetworkXSR(config-if<BRI-1/1>)#no shutdownXSR(con

ISDN (ITU Standard Q.931) Call Status Cause CodesXSR User’s Guide 11-177 Call awarded and being delivered in an established channel8 Prefix 0 dialed b

ISDN (ITU Standard Q.931) Call Status Cause Codes11-18 Configuring Integrated Services Digital Network54 Incoming calls barred55 Incoming calls barred

XSR User’s Guide 12-112Configuring Quality of ServiceOverviewIn a typical network, there are often many users and applications competing for limited s

Mechanisms Providing QoS12-2 Configuring Quality of Service• QoS on the dialer interfaces is directly applied to the dialer interface and inherited by

Mechanisms Providing QoSXSR User’s Guide 12-3features in the traffic policy determine how to treat the classified traffic. Traffic policy cannot be ap

Mechanisms Providing QoS12-4 Configuring Quality of Service•The priority command assigns traffic from this class a Priority Queue (PQ) and sets the pa

Mechanisms Providing QoSXSR User’s Guide 12-5Configuring CBWFQCBWFQ is configured using the bandwidth command. It provides a minimum bandwidth guarant

Mechanisms Providing QoS12-6 Configuring Quality of Serviceexcess bandwidth may be used by CBWFQ. A rule of thumb for configuring PQs is to assign tim

Mechanisms Providing QoSXSR User’s Guide 12-7This is how the policer works. It maintains two token buckets, one holding tokens for normal burst and th

XSR User’s Guide xxviiPrefaceThis guide provides a general overview of the XSR hardware and software features. It describes how to configure and maint

Mechanisms Providing QoS12-8 Configuring Quality of ServiceClass-based traffic shaping can be configured on any class and applied to any data path (in

Mechanisms Providing QoSXSR User’s Guide 12-9XSR(config-pmap-c<d32>)#exitXSR(config-pmap<cbts>)#class fooXSR(config-pmap-c<foo>)#sha

Mechanisms Providing QoS12-10 Configuring Quality of Servicequeue-limit value for the queue size. Be aware that by setting the queue size smaller than

Mechanisms Providing QoSXSR User’s Guide 12-11Figure 12-1 RED Drop Probability CalculationIn the following example, class bus has a minimum threshold

Mechanisms Providing QoS12-12 Configuring Quality of ServiceWRED. Traffic marked with a lower drop probability is assigned a higher MaxP, and bigger t

QoS and Link Fragmentation and Interleaving (LFI)XSR User’s Guide 12-13the dialer interface is pushed to binded serial and, when disconnected, is remo

QoS with VLAN12-14 Configuring Quality of ServiceQoS with MLPPP multi-class regulates the output queue in such a way that, ideally, there is at most o

QoS with VLANXSR User’s Guide 12-15Describing VLAN QoS Packet FlowThe following scenarios illustrate how prioritized VLAN and non-VLAN packets behave

QoS with VLAN12-16 Configuring Quality of ServiceFigure 12-4 LAN/QoS Serial ScenarioNon-VLAN IP Packet Routed Out a Fast/GigabitEthernet InterfaceIn

QoS on InputXSR User’s Guide 12-17Priority levels range from 0 (lowest) to 7.6. Create a traffic policy.policy-map <policy-map-name>7. Optional.

iNoticeEnterasys Networksreservestherighttomakechangesinspecificationsandotherinformationcontainedinthisdocumentanditswebsitewitho

Conventions Used in This Guidexxviii Preface• Chapter 11, Configuring ISDN, outlines how to set up the Integrated Services Digital Network protocol on

QoS on VPN12-18 Configuring Quality of ServiceThe XSR offers you two choices in applying QoS service policy:• before encryption on the VPN tunnel (vir

QoS on VPNXSR User’s Guide 12-19outer header. In this scenario, all QoS-related parameters are attached to the VPN interface. Note that the VPN interf

QoS on VPN12-20 Configuring Quality of ServiceFigure 12-6 QoS on a Virtual Interface ExampleThe following commands configure Ser and Vpn policy maps

QoS on VPNXSR User’s Guide 12-21XSR(config)#policy-map SerXSR(config-pmap-Ser>)#class RTP1XSR(config-pmap-c<RTP1>)#priority high 100XSR(confi

QoS on VPN12-22 Configuring Quality of ServiceXSR(config)#interface vpn 1XSR(config-int-vpn)#ip address 20.20.20.1/24XSR(config-int-vpn)#copy-tosXSR(c

QoS on VPNXSR User’s Guide 12-23This situation can cause unexpected results when QoS is applied to VPN interfaces. If the rate of traffic traversing t

QoS Policy Configuration Examples12-24 Configuring Quality of ServiceAs an example, tunnels with ESP and 3DES encoding will add 44 bytes (or more) ove

QoS Policy Configuration ExamplesXSR User’s Guide 12-25XSR(config-pmap-c<class1>)#queue-limit 40XSR(config-pmap-c<class1>)#exitXSR(config-

QoS Policy Configuration Examples12-26 Configuring Quality of ServiceCreate a policy map consisting of one or more traffic classes and specify QoS cha

QoS Policy Configuration ExamplesXSR User’s Guide 12-27XSR(config-pmap<QoS-Policy>)#class VoIP-RTPXSR(config-pmap-c<class VoIP-RTP>)#prior

Conventions Used in This GuideXSR User’s Guide xxixWarning: Warns against an action that could result in personal injury or death.Advertencia: Adviert

QoS Policy Configuration Examples12-28 Configuring Quality of ServiceXSR(config)#map-class frame-relay VoIPXSR(config-map-class<VoIP>)#frame-rel

QoS Policy Configuration ExamplesXSR User’s Guide 12-29XSR(config)#interface multilink 1XSR(config-if<M1>)#service-policy input InOutXSR(config-

QoS Policy Configuration Examples12-30 Configuring Quality of ServiceXSR(config)#interface fastethernet 2XSR(config-if<F2>)#service-policy input

XSR User’s Guide 13-113Configuring ADSLThis chapter details the background, features, implementation and configuration of Asymmetric Digital Subscribe

Features13-2 Configuring ADSLFigure 13-1 RFC Encapsulation LayersPDU Encapsulation ChoicesThe XSR’s Protocol Data Unit (PDU) encapsulation choices ar

FeaturesXSR User’s Guide 13-3Figure 13-2 PPPoA Network DiagramThis implementation is restricted as follows:• Maximum MTU of 1500 bytes• ATM SVCs are

Features13-4 Configuring ADSLFigure 13-3 PPPoE Network DiagramThe limitations of this configuration are as follows:• Maximum MTU of 1492 bytes• ARP i

FeaturesXSR User’s Guide 13-5Figure 13-4 IP over ATM Network DiagramRestrictions of this implementation are as follows:• Maximum MTU of 1500 bytes• N

Features13-6 Configuring ADSLADSL on the MotherboardTwo versions of ADSL are provided by the XSR Series 1200 routers:• Annex A over POTS on the XSR-12

FeaturesXSR User’s Guide 13-7OAM CellsOAM cells are messages used to operate, administer, and maintain ATM networks. They provide in-band control func

Getting Helpxxx PrefaceGetting HelpFor additional support related to the XSR, contact Enterasys Networks by one of these methods:Before contacting Ent

Configuration Examples13-8 Configuring ADSLInverse ARPThe XSR employs Inverse ARP as defined in RFC-1293 with modifications specified by RFC-2225 (Cla

Configuration ExamplesXSR User’s Guide 13-9VCI values to those requested by the DSL provider. Notice that the Maximum Segment Size (MSS) is set to 140

Configuration Examples13-10 Configuring ADSLThe following optional command configures a universal default route:XSR(config)#ip route 0.0.0.0 0.0.0.0 a

XSR User’s Guide 14-114Configuring the Virtual Private NetworkVPN OverviewAs it is most commonly defined, a Virtual Private Network (VPN) allows two o

Ensuring VPN Security with IPSec/IKE/GRE14-2 Configuring the Virtual Private Network• Encryption and decryption promote confidentiality by allowing tw

Ensuring VPN Security with IPSec/IKE/GREXSR User’s Guide 14-3Since IPSec is the standard security protocol, the XSR can establish IPSec connections wi

Ensuring VPN Security with IPSec/IKE/GRE14-4 Configuring the Virtual Private NetworkFigure 14-2 Tunnel Mode ProcessingAs shown above, AH authenticate

Describing Public-Key Infrastructure (PKI)XSR User’s Guide 14-5Defining VPN EncryptionTo ensure that the VPN is secure, limiting user access is only o

Describing Public-Key Infrastructure (PKI)14-6 Configuring the Virtual Private Networkdata. Instead of encrypting the data itself, the signing softwar

Describing Public-Key Infrastructure (PKI)XSR User’s Guide 14-7CRL checking is not optional. CRLs are collected automatically by the XSR using informa

XSR User’s Guide 1-11OverviewThis chapter briefly describes the functionality of the XSR. Refer to the following chapters in this manual for details o

Describing Public-Key Infrastructure (PKI)14-8 Configuring the Virtual Private NetworkFigure 14-4 Certificate Chain ExampleA certificate chain traces

DF Bit FunctionalityXSR User’s Guide 14-9Pending ModeOnce you have authenticated against the parent CA in your XSR certificate chain, you then enroll

VPN Applications14-10 Configuring the Virtual Private NetworkThis feature specifies whether the router can clear, set, or copy the DF bit in the encap

VPN ApplicationsXSR User’s Guide 14-11Site-to-Site NetworksSite-to-site tunnels run as point-to-point links. They are useful when connecting geographi

VPN Applications14-12 Configuring the Virtual Private NetworkIf you filter traffic with ACLs, you will need to write an ACL similar to this example: a

VPN ApplicationsXSR User’s Guide 14-13the hosts on the private LAN. The XSR's internal NAT operates only on Layer-4 protocols such as TCP and UDP

VPN Applications14-14 Configuring the Virtual Private Networkbehind the XSR. After a tunnel has been built, the XSR may advertise routing information

VPN ApplicationsXSR User’s Guide 14-15From the server’s point of view, connected tunnels are point-to-multipoint links. The VPN interface serving as t

VPN Applications14-16 Configuring the Virtual Private NetworkClient• Fast/GigabitEthernet 1 interface: This is private, non-routable segment, usually

VPN ApplicationsXSR User’s Guide 14-17The VPN interface on the server may terminate a mix of connections - some of which may be Client-type connection

1-2 Overviewand data-compression negotiation. Also supported: PPPoE client and sub-interface monitoring, and Multilink PPP protocols as well as Dial o

XSR VPN Features14-18 Configuring the Virtual Private NetworkServer 2Interfaces Fast/GigabitEthernet 1 and VPN 1ClientInterfaces Fast/GigabitEthernet

XSR VPN FeaturesXSR User’s Guide 14-19- Client mode• Remote Access application–Clients- Windows XP, 2000 (L2TP); NT 4.0, 98, 98 SE, ME, and CE. PPTP a

VPN Configuration Overview14-20 Configuring the Virtual Private Network• Authentication, Authorization, and Accounting (AAA) support including AAA per

VPN Configuration OverviewXSR User’s Guide 14-21•Enter crypto key master generate in Global configuration mode.ACL Configuration RulesConsider a few g

VPN Configuration Overview14-22 Configuring the Virtual Private NetworkXSR(config-if<F2>)#ip address 141.154.196.87 255.255.255.192If an XSR is

VPN Configuration OverviewXSR User’s Guide 14-23More than one IKE proposal can be specified on each node. When IKE negotiation begins, it seeks a comm

VPN Configuration Overview14-24 Configuring the Virtual Private NetworkConfigure IKE policy for the remote peer, assuming that two other IKE proposals

VPN Configuration OverviewXSR User’s Guide 14-25Authentication, Authorization and Accounting ConfigurationThe XSR’s AAA implementation handles all aut

VPN Configuration Overview14-26 Configuring the Virtual Private NetworkAAA CommandsThe following XSR AAA commands useful for VPN configuration include

VPN Configuration OverviewXSR User’s Guide 14-27XSR(aaa-user)#aaa password ThISisMYShaREDsecRETThe following sample configuration creates user Jeremia

XSR User’s Guide 1-3• Quality of Service - The XSR provides traffic classification using IP Precedence and DSCP bits, bandwidth control via metered, p

VPN Configuration Overview14-28 Configuring the Virtual Private Network– crypto ca certificate chain– no certificate - The serial number can be found

VPN Configuration OverviewXSR User’s Guide 14-29Certificate has the following attributes:Fingerprint: D423E129 81904CE0 1E6D0FE0 A123A302Do you accept

VPN Configuration Overview14-30 Configuring the Virtual Private NetworkXSR(config)#ip domain acme.com8. Enroll in an end-entity certificate from a CA

VPN Configuration OverviewXSR User’s Guide 14-31 Issuer: C=US, O=sml, CN=ldapca Valid From: 2002 Aug 5th, 12:40:46 GMT Valid To: 200

Configuring a Simple VPN Site-to-Site Application14-32 Configuring the Virtual Private NetworkVPN Interface Sub-CommandsThe following sub-commands are

Configuring a Simple VPN Site-to-Site ApplicationXSR User’s Guide 14-33configuration, permit means protect or encrypt, and deny indicates don’t encryp

Configuring the VPN Using EZ-IPSec14-34 Configuring the Virtual Private NetworkXSR(config-crypto-m)#match address 140+ Applies map to ACL 140 and rend

Configuring the VPN Using EZ-IPSecXSR User’s Guide 14-35EZ-IPSec is invoked using the crypto ezipsec command in Interface mode to create a set of stan

Configuration Examples14-36 Configuring the Virtual Private NetworkXSR(config-tms-tunnel)#set peer 200.10.20.30+ Specifies the IP address of the remot

Configuration ExamplesXSR User’s Guide 14-37Figure 14-12 EZ-IPSec Client, XP Client and Gateway TopologyBegin by setting the XSR system time via SNTP

1-4 Overview

Configuration Examples14-38 Configuring the Virtual Private NetworkXSR(config)#crypto ipsec transform-set esp-3des-sha esp-3des esp-sha-hmacXSR(cfg-cr

Configuration ExamplesXSR User’s Guide 14-39Clear the DF bit globally:XSR(config)#crypto ipsec df-bit clearEnable the OSPF engine, VPN and FastEtherne

Configuration Examples14-40 Configuring the Virtual Private NetworkXSR(config-if)#encapsulation pppXSR(config-if)#ip address negotiatedXSR(config-if)#

Configuration ExamplesXSR User’s Guide 14-41XSR(config-isakmp-peer)#proposal shared4. Configure a set of three IPSec quick mode security parameters th

Configuration Examples14-42 Configuring the Virtual Private NetworkXSR(config-tms-tunnel)#ip ospf dead-interval 4XSR(config-tms-tunnel)#ip ospf hello-

Configuration ExamplesXSR User’s Guide 14-43XSR(config-if<F2>)#ip address 63.81.64.200 255.255.255.0XSR(config-if<F2>)#no shutdown7. Add a

Configuration Examples14-44 Configuring the Virtual Private NetworkXSR/Cisco Site-to-Site ExampleThe following Site-to-Site configuration connects a C

Configuration ExamplesXSR User’s Guide 14-45interface FastEthernet0/0ip address 192.168.3.5 255.255.255.0speed autohalf-duplexno cdp enableinterface F

Interoperability Profile for the XSR14-46 Configuring the Virtual Private NetworkXSR(config)#crypto ipsec transform-set esp-des-md5 esp-des esp-md5-hm

Interoperability Profile for the XSRXSR User’s Guide 14-47•Main mode•Triple DES•SHA-1• MODP group 2 (1024 bits)• Pre-shared secret of “hr5xb84l6aa9r6”

XSR User’s Guide 2-12Managing the XSRThe XSR can be managed via three interfaces with varying levels of control: the Command Line Interface (CLI) for

Interoperability Profile for the XSR14-48 Configuring the Virtual Private NetworkXSR(config-isakmp-peer)#config-mode gatewayXSR(config-isakmp-peer)#ex

Interoperability Profile for the XSRXSR User’s Guide 14-49Scenario 2: Gateway-to-Gateway with CertificatesThe following is a typical gateway-to-gatewa

Interoperability Profile for the XSR14-50 Configuring the Virtual Private Network1. Begin by asking your CA administrator for your CA name and URL. Th

Interoperability Profile for the XSRXSR User’s Guide 14-51 State: CA-AUTHENTICATED Version: V3 Serial Number: 45812872951515

Interoperability Profile for the XSR14-52 Configuring the Virtual Private Network Valid To: 2003 Aug 29th, 16:01:58 GMT Subject: unstructure

XSR User’s Guide 15-115Configuring DHCPOverview of DHCPThe Dynamic Host Configuration Protocol (DHCP) allocates and delivers configuration values, inc

How DHCP Works15-2 Configuring DHCP XSR User’s Guide• Provisioning of differentiated network values by Client Class.• Persistent and user-controllable

DHCP ServicesXSR User’s Guide 15-3client used a client ID when it got the lease, it will use the same identifier in the message. Alternately, when a l

DHCP Services15-4 Configuring DHCP XSR User’s Guidecontrol data are carried in tagged data items which are stored in the options field of the DHCP mes

DHCP ServicesXSR User’s Guide 15-5When DHCP Server surveys its clients using the manual bindings of a client-identifier or hardware-address, and host

Utilizing the Command Line Interface2-2 Managing the XSRUsing the Console Port to Remotely Control the XSRThe XSR’s Console port can also be connected

DHCP Client Services15-6 Configuring DHCP XSR User’s Guide4. Optionally, specify the client name using any standard ASCII character. Enter client-name

DHCP Client ServicesXSR User’s Guide 15-7Primary and secondary IP addresses on the same interface are not permitted within the same subnet nor are the

DHCP CLI Commands15-8 Configuring DHCP XSR User’s GuideDHCP CLI CommandsThe XSR offers CLI commands to provide the following functionality:• DHCP Serv

DHCP Set Up OverviewXSR User’s Guide 15-9addresses are offered to the client. Show ip dhcp server statistics is a useful catch-all command. Show ip lo

Configuration Steps15-10 Configuring DHCP XSR User’s Guide1. Add global pool local_clients including the starting IP address of the range and addresse

DHCP Server Configuration ExamplesXSR User’s Guide 15-118. Add to the host scope by specifying the NetBIOS-node-type for this particular host:XSR(conf

DHCP Server Configuration Examples15-12 Configuring DHCP XSR User’s GuideThe domain name for this host is specified as indusriver.com (this will overr

XSR User’s Guide 16-116Configuring Security on the XSRThis chapter describes the security options available on the XSR including the firewall feature

Features16-2 Configuring Security on the XSRTo configure ACLs, you define them by number only then apply them to an interface. Any number of entries c

FeaturesXSR User’s Guide 16-3Smurf AttackA “smurf” attack involves an attacker sending ICMP echo requests from a falsified source (a spoofed address)

Utilizing the Command Line InterfaceXSR User’s Guide 2-3Terminal CommandsIf you want to display identification information about the current terminal

General Security Precautions16-4 Configuring Security on the XSRLarge ICMP PacketsThis protection is triggered for ICMP packets larger than a size you

AAA ServicesXSR User’s Guide 16-5• If you must enable PPP on the WAN, use CHAP authentication• Disable all unnecessary router services (e.g., HTTP, if

AAA Services16-6 Configuring Security on the XSRThe method to perform AAA is configured globally by the aaa method command, which provides additional

AAA ServicesXSR User’s Guide 16-72. Enter crypto key master generate to create a master key.3. Enter crypto key dsa generate to create a host key pair

AAA Services16-8 Configuring Security on the XSRFigure 16-8 PuTTY Alert Message7. The SSH login screen will appear as shown in Figure 16-9. Login wit

Firewall Feature Set OverviewXSR User’s Guide 16-918. Optionally, if you want to tighten security on the XSR, enter ip ssh server disable to deactivat

Firewall Feature Set Overview16-10 Configuring Security on the XSRFigure 16-10 XSR Firewall Topology There are many possible network configurations f

Firewall Feature Set OverviewXSR User’s Guide 16-11and port numbers. These firewalls are scalable, easy to implement and widely deployed for simple Ne

XSR Firewall Feature Set Functionality16-12 Configuring Security on the XSRStateful Inspection FirewallsA stateful inspection firewall combines the as

XSR Firewall Feature Set FunctionalityXSR User’s Guide 16-13Application Level CommandsA special action option - Command Level Security (CLS) - to filt

iiRegulatory Compliance InformationFederal Communications Commission (FCC) NoticeTheXSRcomplieswithTitle47,Part15,ClassAofFCCrules.Operat

Utilizing the Command Line Interface2-4 Managing the XSRPuTTY and other shareware programs are compatible with the XSR’s SSH server.Refer to the XSR G

XSR Firewall Feature Set Functionality16-14 Configuring Security on the XSROn Board URL FilteringThis features lets you block access to a list of Unif

XSR Firewall Feature Set FunctionalityXSR User’s Guide 16-15Figure 16-11 Blocked Web Site ScreenYou must include the re-direct URL in the white URL l

XSR Firewall Feature Set Functionality16-16 Configuring Security on the XSRagainst the routing table. If a packet is received from an interface with a

XSR Firewall Feature Set FunctionalityXSR User’s Guide 16-17• Flooding attacks (TCP, UDP, ICMP) logs• Firewall start and restart• Failures (out of mem

XSR Firewall Feature Set Functionality16-18 Configuring Security on the XSRFigure 16-12 illustrates the process by which a user accesses a server afte

Firewall CLI CommandsXSR User’s Guide 16-19Firewall CLI CommandsThe XSR provides configuration objects which, used in policy rules, can be specified a

Firewall CLI Commands16-20 Configuring Security on the XSR– Non-Unicast packet handling - Packets with broadcast or multicast destination addresses ar

Firewall CLI CommandsXSR User’s Guide 16-21• Event Logging - Defines the event threshold for firewall values logged to the Console or Syslog with ip f

Firewall Limitations16-22 Configuring Security on the XSRFirewall LimitationsConsider the following caveats regarding firewall operations:• Gating Rul

Pre-configuring the FirewallXSR User’s Guide 16-23cache will not automatically switch over. If the firewall is enabled on a slave router, then all ses

Utilizing the Command Line InterfaceXSR User’s Guide 2-5Managing the SessionA first-time CLI session is set up with default attributes; e.g., the sess

Configuration Examples16-24 Configuring Security on the XSR– Multicast or broadcast filtering for routing and communications protocol filtering• Perfo

Configuration ExamplesXSR User’s Guide 16-25Figure 16-14 XSR with Firewall TopologyBegin by configuring network objects for private, dmz and Mgmt net

Configuration Examples16-26 Configuring Security on the XSRXSR(config)#interface fastethernet 2XSR(config-if<F2>)#ip address 220.150.2.17 255.25

Configuration ExamplesXSR User’s Guide 16-27XSR(config-if)#ip address negotiatedXSR(config-if)#ip mtu 1492XSR(config-if)#ip nat source assigned overlo

Configuration Examples16-28 Configuring Security on the XSR– Terminate Network Extension Mode (NEM) and Client mode tunnels– Terminate remote access L

Configuration ExamplesXSR User’s Guide 16-29XSR(config-isakmp-peer)#proposal xp soho p2pXSR(config-isakmp-peer)#config-mode gatewayXSR(config-isakmp-p

Configuration Examples16-30 Configuring Security on the XSRXSR(config)#ip route 0.0.0.0 0.0.0.0 141.154.196.93Define an IP pool for distribution of tu

Configuration ExamplesXSR User’s Guide 16-31XSR(aaa-group)#l2tp compressionXSR(aaa-group)#policy vpnConfigure the local AAA method for shared secret t

Configuration Examples16-32 Configuring Security on the XSRDefine service to support IPSec NAT traversal (Release 7.0 or later):XSR(config)#ip firewal

Configuration ExamplesXSR User’s Guide 16-33Load the firewall configuration:XSR(config)#ip firewall loadGlobally enable the firewall. Even though you

Utilizing the Command Line Interface2-6 Managing the XSR• Backwardly compatible/transparent to those not requiring RAI.• Console display of RAI prog

Configuration Examples16-34 Configuring Security on the XSRXSR(config)#ip firewall policy radius internal internal Radius allow bidirectionalXSR(confi

Configuration ExamplesXSR User’s Guide 16-35RPC Policy ConfigurationThe following configuration creates policies which permit TCP RPC-based applicatio

Configuration Examples16-36 Configuring Security on the XSR

XSR User’s Guide A-1AAlarms/Events, System Limits,and Standard ASCII TableThis appendix describes the configuration and memory limits of the XSR as we

Recommended System LimitsA-2 Alarms/Events, System Limits, and Standard ASCII TableSNMP read-only communities 20 20 20SNMP read-write communities 20

System Alarms and EventsXSR User’s Guide A-3System Alarms and EventsThe XSR exhibits the following logging behavior for all except firewall and NAT al

System Alarms and EventsA-4 Alarms/Events, System Limits, and Standard ASCII TableT1E1 Receiver has Loss of Frame (Yellow Alarm).T1/E1 physical port

System Alarms and EventsXSR User’s Guide A-5ISDN Incoming Call <BRI | Serial card/port:channel> Connected to <calling no.> Unknown CallAn

System Alarms and EventsA-6 Alarms/Events, System Limits, and Standard ASCII TableETH1_DRIVThe ISR could not be connected This is internal configurat

System Alarms and EventsXSR User’s Guide A-7CLI User: <username> logged in from address <IP address>Login process failure due to invalid u

Utilizing the Command Line InterfaceXSR User’s Guide 2-7DHCP client over the LAN:• Operational over an Ethernet interface only on the lowest slot/car

System Alarms and EventsA-8 Alarms/Events, System Limits, and Standard ASCII TableRefer to the table below for all Medium severity alarms and events

System Alarms and EventsXSR User’s Guide A-9T1 ERROR: Shared memory allocation failed for Receive Descriptors.Error in allocating memory for T1E1 HW c

System Alarms and EventsA-10 Alarms/Events, System Limits, and Standard ASCII TablePPP PPP MS-CHAP authentication failed while being authenticated by

System Alarms and EventsXSR User’s Guide A-11Refer to the table below for all Low severity alarms and events reported by the XSR. All of the following

System Alarms and EventsA-12 Alarms/Events, System Limits, and Standard ASCII TableT1E1 Receive Remote Alarm Indication (Yellow Alarm).Indicates that

System Alarms and EventsXSR User’s Guide A-13SYNC_DRIVPackets lost > 255 (RX overrun) Sum of packets lost due to RX FIFO overrun exceeded 255.PP Ou

Firewall and NAT Alarms and ReportsA-14 Alarms/Events, System Limits, and Standard ASCII TableFirewall and NAT Alarms and ReportsThe XSR reports logg

Firewall and NAT Alarms and ReportsXSR User’s Guide A-153 - ERROR NAT: No NAT entry found, %IP_P23 - ERROR NAT: TCP reset, NAT port %d, %IP_P23 - ERRO

Firewall and NAT Alarms and ReportsA-16 Alarms/Events, System Limits, and Standard ASCII Table1 - ALERT UDP: Detected UDP Flood attack %IP_P21 - ALER

Firewall and NAT Alarms and ReportsXSR User’s Guide A-173 - ERROR Deny: ICMP unsupported packet %IP2_ICMP3 - ERROR Deny: java applet %CMD, %IP_P23 - E

Utilizing the Command Line Interface2-8 Managing the XSRRAI checks each DLCI, up to 30, on a given interface for a Bootp response, an rDNS server and

Firewall and NAT Alarms and ReportsA-18 Alarms/Events, System Limits, and Standard ASCII Table3 - ERROR TCP: Non-empty ACK packet in TCP three-way ha

Standard ASCII Character TableXSR User’s Guide A-19Standard ASCII Character TableThe following table displays standard ASCII characters for referencin

Standard ASCII Character TableA-20 Alarms/Events, System Limits, and Standard ASCII Table107: k 108: l 109: m 110: n 112: p 113: q114: r 115: s 116:

XSR User’s Guide B-1BXSR SNMP Proprietary andAssociated Standard MIBsThis appendix lists and describes XSR-supported SNMP tables and objects for the f

Service Level Reporting MIB TablesB-2 XSR SNMP Proprietary and Associated Standard MIBsetsysSrvcLvlOwnerTableA management entity interested in creati

Service Level Reporting MIB TablesXSR User’s Guide B-3etsysSrvcLvlNetMeasureTableEntries in the Service Level Network Measurement Table display severa

Service Level Reporting MIB TablesB-4 XSR SNMP Proprietary and Associated Standard MIBsetsysSrvcLvlAggrMeasureTableEntries in the Service Level Aggre

BGP v4 MIB TablesXSR User’s Guide B-5BGP v4 MIB TablesThe XSR supports the following BGP v4 tables, whose fields are described in the following pages:

BGP v4 MIB TablesB-6 XSR SNMP Proprietary and Associated Standard MIBsbgpPeerAdminStatus The desired state of the BGP connection. A transition from s

BGP v4 MIB TablesXSR User’s Guide B-7BGP-4 Received Path Attribute TablebgpPeerKeepAlive Interval for the KeepAlive timer established with the peer, r

Utilizing the Command Line InterfaceXSR User’s Guide 2-9With bootp enabled, DHCP relay and server functionality is disabled on this DLCI for broadcast

BGP v4 MIB TablesB-8 XSR SNMP Proprietary and Associated Standard MIBsBGP-4 Trapsbgp4PathAttrASPathSegment The sequence of AS path segments. Each AS

Firewall MIB TablesXSR User’s Guide B-9Firewall MIB TablesThe firewall MIB contains the following tables, most of which are detailed in this section:

Firewall MIB TablesB-10 XSR SNMP Proprietary and Associated Standard MIBsMonitoring ObjectsThis section describes counters and statistics that are av

Firewall MIB TablesXSR User’s Guide B-11IP Session CountersThese counters track the activities of IP sessions.IP Session TableThis table contains info

VPN MIB TablesB-12 XSR SNMP Proprietary and Associated Standard MIBsDOS Attacks Blocked CountersThese elements reflect the DOS attack summaries store

VPN MIB TablesXSR User’s Guide B-13• etsysVpnIpsecProposalTable• etsysVpnIpsecPropTransformsTable• etsysVpnAhTransformTable• etsysVpnEspTransformTable

VPN MIB TablesB-14 XSR SNMP Proprietary and Associated Standard MIBsetsysVpnIkeProposal TableThis table contains the IKE proposals used during IKE ne

VPN MIB TablesXSR User’s Guide B-15etsysVpnIpsecPolicyRule TableThis table defines the IPSec policy rules. The table index is {etsysVpnIpsecPolicyName

VPN MIB TablesB-16 XSR SNMP Proprietary and Associated Standard MIBsetsysVpnIpsecProposal TableThis table contains the IPSec proposals. The table ind

VPN MIB TablesXSR User’s Guide B-17etsysVpnEspTransform TableThis table lists all the ESP transforms created by adding ESP rows to the etsysVpnIpsecPr

Utilizing the Command Line Interface2-10 Managing the XSRPPP RAI over a Leased LinePPP over a leased line performs similarly to Frame Relay RAI over a

ipCidrRouteTable for Static RoutesB-18 XSR SNMP Proprietary and Associated Standard MIBsipCidrRouteTable for Static RoutesVPN configuration on the XS

Enterasys Configuration Management MIBXSR User’s Guide B-19Enterasys Configuration Management MIBThe Enterasys Configuration Management MIB supports p

Enterasys Configuration Change MIBB-20 XSR SNMP Proprietary and Associated Standard MIBsEnterasys Configuration Change MIBThe Enterasys Configuration

Enterasys SNMP Persistence MIBXSR User’s Guide B-21Enterasys SNMP Persistence MIBThis MIB permits management applications to commit persistent SNMP co

Enterasys Syslog Client MIBB-22 XSR SNMP Proprietary and Associated Standard MIBsEnterasys Syslog Client MIBThis Enterasys MIB module defines a porti

Enterasys Syslog Client MIBXSR User’s Guide B-23• etsysSyslogServerAddressType The type of Internet address by which the Syslog server is specified in

Enterasys Syslog Client MIBB-24 XSR SNMP Proprietary and Associated Standard MIBsetsysSyslogServerGroup A collection of objects providing descriptio

Utilizing the Command Line InterfaceXSR User’s Guide 2-11The first phase establishes a physical connection (training) on the ADLS line. RAI ADSL attem

Utilizing the Command Line Interface2-12 Managing the XSR• Command Recall: Non-help commands are stored in the command history list buffer up to the l

Utilizing the Command Line InterfaceXSR User’s Guide 2-13Refer to Figure 2-1 for a graphic example of configuration modes.Figure 2-1 Partial Configur

iiiIndustry Canada NoticesThisdigitalapparatusdoesnotexceedtheclassAlimitsforradionoiseemissionsfromdigitalapparatussetoutintheRa

Utilizing the Command Line Interface2-14 Managing the XSR4. Some attributes can be set at this level without acquiring other modes. For example: acces

Utilizing the Command Line InterfaceXSR User’s Guide 2-15Mode ExamplesConsider the following examples to change configuration mode:XSR>enable + Acq

Utilizing the Command Line Interface2-16 Managing the XSRCLI Command LimitsCLI commands on the XSR are bounded by the following:• Total number of cha

Utilizing the Command Line InterfaceXSR User’s Guide 2-17Supported PortsThe XSR supports the following port types:• Single-channel ports: Fast- and G

Utilizing the Command Line Interface2-18 Managing the XSR• Virtual Interfaces:– Loopback - Range 0 to 15. Interface type: Internal Loopback.– Dialer -

Utilizing the Command Line InterfaceXSR User’s Guide 2-19• BRI-Dialer (IDSN) Exampleinterface dialer 0 + Configures dialer interface 0ip address 2.2.2

Utilizing the Command Line Interface2-20 Managing the XSR– Switched: When configuring a switched BRI connection, three serial sub-interfaces are autom

Utilizing the Command Line InterfaceXSR User’s Guide 2-21Deleting Table EntriesThere are two ways to delete an entry from a table depending on the tab

Utilizing the Command Line Interface2-22 Managing the XSRPorts can be enabled or disabled, configured for default settings, associated tables, clock r

Utilizing the Command Line InterfaceXSR User’s Guide 2-23Managing Message LogsMessages produced by the XSR, whether alarms or events, as well as link

ivElectromagnetic Compatibility (EMC)Thisproductcomplieswiththefollowing:47 CFRParts2and15,CSA C108.8,89/336/EEC,EN 55022,EN55024,EN 6

Utilizing the Command Line Interface2-24 Managing the XSR• Contents of stacks (task stacks, interrupt stack)• Status of one special task (packet proce

Utilizing the Command Line InterfaceXSR User’s Guide 2-25Using the Real-Time ClockThe XSR’s Real-Time Clock (RTC) is employed by other system software

Utilizing the Command Line Interface2-26 Managing the XSRResetting the Configuration to Factory DefaultIn situations where the XSR has invalid softwar

Utilizing the Command Line InterfaceXSR User’s Guide 2-27Configuration Save OptionsThere are several options available regarding configuration:• If yo

Utilizing the Command Line Interface2-28 Managing the XSRFor more command details, refer to the XSR CLI Reference Guide.Uploading the Configuration/Cr

Utilizing the Command Line InterfaceXSR User’s Guide 2-29Managing the Software ImageThe XSR can store more than one software image in Flash.Creating A

Utilizing the Command Line Interface2-30 Managing the XSR• Optionally, if you have CompactFlash installed, you can download the firmware file to cflas

Utilizing the Command Line InterfaceXSR User’s Guide 2-314. Using TFTP, transfer updateBootrom.fls from the network:XSR-1805#copy tftp://192.168.27.95

Utilizing the Command Line Interface2-32 Managing the XSRLocal Bootrom UpgradeDue to the change in the format of the Bootrom file between version 1.x

Utilizing the Command Line InterfaceXSR User’s Guide 2-33– DOS-style full path (without the file name) of the site of the Bootrom file on the host PC.

vDeclaration of ConformityApplicationofCouncilDirective(s): 89/336/EEC73/23/EECManufacturer’sName: Enterasys Networks, Inc.Manufacturer’sAddress:

Utilizing the Command Line Interface2-34 Managing the XSRProgramming 131072(0x20000) bytes at address 0xfffa0000Programming 48299(0xbcab) bytes at add

Utilizing the Command Line InterfaceXSR User’s Guide 2-35• If the power to XSR fails, try another reload• If a syntax error is indicated, examine your

Utilizing the Command Line Interface2-36 Managing the XSR5. Set the operation to imageSetSelected:set 1.1.1.1 .1.3.6.1.4.1.5624.1.2.16.2.7.1.3.1 01006

Memory ManagementXSR User’s Guide 2-37When the XSR boots up, the checksum of these files is calculated and stored in volatile memory. From then on any

Network Management through SNMP2-38 Managing the XSRWhen the memory governor is asked to allow or deny a new resource, the decision is based on:• memo

Network Management through SNMPXSR User’s Guide 2-39SNMP InformsSNMP Informs were first introduced in SNMPv2. An Inform is essentially nothing more th

Network Management through SNMP2-40 Managing the XSRAlarm Management (Traps)The following events are supported by SNMP traps: snmpTrapColdStart, snmpT

Network Management through SNMPXSR User’s Guide 2-41Latency (network delay) is measured with the formula: D(i)=(Ri-Si), which is the round-trip interv

Network Management through SNMP2-42 Managing the XSRVia SNMPThe following example creates a row in the aggregate measure table with owner userA. If th

Network Management through SNMPXSR User’s Guide 2-43Query a MeasurementNow that you have performed the previous actions, you can query the measurement

viIndependent Communications Authority of South AfricaThisproductcomplieswiththetermsoftheprovisionsofsection54(1)oftheTelecommunication

Network Management through SNMP2-44 Managing the XSRSoftware Image Download using NetSightThe NetSight Remote Administrator application can download a

Accessing the XSR Through the WebXSR User’s Guide 2-451. Write a plain ASCII file containing the CLI commands you want entered. For example:interface

Network Management Tools2-46 Managing the XSRUsing the CLI for DownloadsTFTP can be used to transfer system firmware to the XSR remotely. A TFTP serve

XSR User’s Guide 3-13Managing LAN/WAN InterfacesOverview of LAN InterfacesThe XSR supports two 10/100 Base-T FastEthernet ports on the XSR 1800 Series

Configuring the LAN3-2 Managing LAN/WAN Interfaces• Maximum Transmission Unit (MTU) - all frames less than or equal to 1518 bytes are accepted. MTU si

Overview of WAN InterfacesXSR User’s Guide 3-3Overview of WAN InterfacesThe XSR supports as many as six serial cards (in an XSR-3250), each of which c

Configuring the WAN3-4 Managing LAN/WAN Interfaces• Clocking speed - For Sync interfaces, an external clock must be provided. Acceptable clock values

Configuring the WANXSR User’s Guide 3-5The following example configures the asynchronous serial interface on NIM 2, port 0 with the following non-defa

Configuring the WAN3-6 Managing LAN/WAN Interfaces

XSR User’s Guide 4-14Configuring T1/E1 & T3/E3 InterfacesOverviewThe XSR provides Frame Relay and PPP service via T1/E1 and T3/E3 functionality as

viiEnterasys Networks, Inc.Firmware License AgreementBEFOREOPENINGORUTILIZINGTHEENCLOSEDPRODUCT,CAREFULLYREADTHISLICENSEAGREEMENT.Thisdocum

Features4-2 Configuring T1/E1 & T3/E3 Interfaces• Support for local and remote loopback• Support for an IP interface as a loopback (refer to the C

FeaturesXSR User’s Guide 4-3• Line rate - 34.368 Mbps• Full rate - 34.0995 Mbps (G751)• Sub-rate - approximately 3 Mbps increments up to 33 Mbps• Comp

Features4-4 Configuring T1/E1 & T3/E3 Interfaces• Clear Channel service is similar to the full rate service except that the data stream rate is sl

Configuring Channelized T1/E1 InterfacesXSR User’s Guide 4-5• The D&I NIM supports different framing and line coding on the CO T1 and PBX T1 ports

Configuring Un-channelized T3/E3 Interfaces4-6 Configuring T1/E1 & T3/E3 Interfaces9. Add any additional configuration commands required to enable

Troubleshooting T1/E1 & T3/E3 LinksXSR User’s Guide 4-7Troubleshooting T1/E1 & T3/E3 LinksThis section describes general procedures for troubl

Troubleshooting T1/E1 & T3/E3 Links4-8 Configuring T1/E1 & T3/E3 InterfacesFigure 4-3 T1/E1 & T3/E3 Physical Layer (Layer 1) Troubleshoot

Troubleshooting T1/E1 & T3/E3 LinksXSR User’s Guide 4-92. Restart the controller:XSR(config-controller<T1/0>)#no shutdownIf the T1/E1or T3/E

Troubleshooting T1/E1 & T3/E3 Links4-10 Configuring T1/E1 & T3/E3 InterfacesReceive Remote Alarm Indication (RAI - Yellow Alarm)1. Insert an e

Troubleshooting T1/E1 & T3/E3 LinksXSR User’s Guide 4-11Figure 4-5 T1/E1 & T3/E3 Alarm Analysis Troubleshooting Actions Flow (Part 2)T1/E1 &a