SmartSwitch Router User Reference Manual 9032578-05
Copyright © 2000 by Cabletron Systems, Inc. All rights reserved. Cabletron Systems, Inc. 35 Industrial Way Rochester, NH 03867-5005 Printed in the United States of America Changes Cabletron Systems, Inc., reserves the right to make changes in specifications and other information contained in this document without prior notice. The reader should in all cases consult Cabletron Systems, Inc., to determine whether any such changes have been made.
Regulatory Compliance Information

This product complies with the following:

Safety: UL 1950; CSA C22.2, No. 950; 73/23/EEC; EN 60950; IEC 950
Electromagnetic Compatibility (EMC): FCC Part 15; CSA C108.8; 89/336/EEC; EN 55022; EN 61000-3-2; EN 61000-3-3; EN 50082-1, AS/NZS 3548; VCCI V-3

Regulatory Compliance Statements

FCC Compliance Statement

This device complies with Part 15 of the FCC rules.
Industry Canada Compliance Statement

This digital apparatus does not exceed the Class A limits for radio noise emissions from digital apparatus set out in the Radio Interference Regulations of the Canadian Department of Communications.
Safety Information: Class 1 Laser Transceivers

This product may use Class 1 laser transceivers. Read the following safety information before installing or operating this product.

The Class 1 laser transceivers use an optical feedback loop to maintain Class 1 operation limits. This control loop eliminates the need for maintenance checks or adjustments. The output is factory set and does not allow any user adjustment.
Cabletron Systems, Inc. Program License Agreement

IMPORTANT: THIS LICENSE APPLIES FOR USE OF PRODUCT IN THE FOLLOWING GEOGRAPHICAL REGIONS: CANADA, MEXICO, CENTRAL AMERICA, SOUTH AMERICA

BEFORE OPENING OR UTILIZING THE ENCLOSED PRODUCT, CAREFULLY READ THIS LICENSE AGREEMENT.

This document is an agreement (“Agreement”) between You, the end user, and Cabletron Systems, Inc.
If the Program is exported from the United States pursuant to the License Exception TSR under the U.S.
Cabletron Systems Sales and Service, Inc. Program License Agreement

IMPORTANT: THIS LICENSE APPLIES FOR USE OF PRODUCT IN THE UNITED STATES OF AMERICA AND BY UNITED STATES OF AMERICA GOVERNMENT END USERS.

BEFORE OPENING OR UTILIZING THE ENCLOSED PRODUCT, CAREFULLY READ THIS LICENSE AGREEMENT.

This document is an agreement (“Agreement”) between You, the end user, and Cabletron Systems Sales and Service, Inc.
If the Program is exported from the United States pursuant to the License Exception TSR under the U.S.
Cabletron Systems Limited Program License Agreement

IMPORTANT: THIS LICENSE APPLIES FOR THE USE OF THE PRODUCT IN THE FOLLOWING GEOGRAPHICAL REGIONS: EUROPE, MIDDLE EAST, AFRICA, ASIA, AUSTRALIA, PACIFIC RIM

BEFORE OPENING OR UTILIZING THE ENCLOSED PRODUCT, CAREFULLY READ THIS LICENSE AGREEMENT.
If the Program is exported from the United States pursuant to the License Exception TSR under the U.S.
Declaration of Conformity Addendum

Application of Council Directive(s): 89/336/EEC; 73/23/EEC
Manufacturer’s Name: Cabletron Systems, Inc.
Manufacturer’s Address: 35 Industrial Way, PO Box 5005, Rochester, NH 03867
European Representative’s Name and Address: Mr. J.
About This Manual

This manual provides information and procedures for configuring the SmartSwitch Router (SSR) software. If you have not yet installed the SSR, use the instructions in the SmartSwitch Router Getting Started Guide to install the chassis and perform basic setup tasks, then return to this manual for more detailed configuration information.

Related Documentation

The SmartSwitch Router documentation set includes the following items.
Convention    Description
[x] or [] or [x ]    Keywords and arguments within a set of square brackets are optional.
x|y|z| or [x|y|z|]    Keywords or arguments separated by vertical bars indicate a choice. Select one keyword or argument.
{x|y|z|}    Braces group required choices. Select one keyword or argument.
Chapter 1 Introduction

This chapter provides information that you need to know before configuring the SmartSwitch Router (SSR). If you have not yet installed the SSR, use the instructions in the SmartSwitch Router Getting Started Guide to install the chassis and perform basic setup tasks, then return to this manual for more detailed configuration information.
Using the Command Line Interface

Note: The SSR provides both a graphical user interface (CoreWatch) and a command line interface (CLI) to configure and manage the SSR. In this manual, example configurations show how to use the CLI commands to configure the SSR. Using CoreWatch is described in the CoreWatch User’s Manual.

The CLI allows you to enter and execute commands from the SSR Console or from Telnet sessions. Up to four simultaneous Telnet sessions are allowed.
The Enable mode command prompt consists of the SSR name followed by the pound sign (#):

ssr#

To exit Enable mode and return to User mode, either type exit and press Return, or press Ctrl+Z.

Configure Mode

Configure mode provides the capabilities to configure all features and functions on the SSR. These include router configuration, access control lists and spanning tree. To enter Configure mode, enter the command config from Enable mode.
you are.
without typing the subsystem name in each time. For example, if you are configuring several entries for the IP routing table, you can simply enter ip at the CLI Configure prompt. The prompt changes to indicate that the context for the commands to be entered has changed to that of the IP subsystem. If you type a ?, only those commands that are valid for the IP subsystem are displayed.
Table 1.
Table 1. CLI Line Editing Commands

Command    Resulting Action
“”    Opaque strings may be specified using double quotes. This prevents interpretation of otherwise special CLI characters.

Displaying and Changing Configuration Information

The SSR provides many commands for displaying and changing configuration information. For example, the CLI allows for the “disabling” of a command in the active configuration.
Table 2. Commands to Display and Change Configuration Information

Task    Command
Erase commands in scratchpad.    erase scratchpad
Erase startup configuration.    erase startup
Negate one or more commands by line numbers.    negate
Negate commands that match a specified command string.    no
Save scratchpad to active configuration.    save active
Save active configuration to startup.
Port Names

The term port refers to a physical connector on a line card installed in the SSR. The figure below shows eight 10 Base-T/100 Base-TX ports on a line card.

[Figure: SSR-HTX12-08 line card showing eight 10 BASE-T/100 BASE-TX ports, numbered 1 through 8, with the Offline and Online LEDs and the Hot Swap button]

Each port in the SSR is referred to in the following manner: ..
Table 3. Port Numbers for Line Cards

Port Number Arrangement (Left to Right) Line Card 1000 Base LLX 1 Quad Serial WAN 1,2 HSSI WAN 1 2 SONET (OC-3c) 1 2 SONET (OC-12c) 1 2 ATM (OC-3) 1 2 16-slot 100 Base TX 5 1 6 2 3,4 3 4 7 3 8 4 13 9 14 15 16 10 11 12

For example, the port name et.2.8 refers to the port on the Ethernet line card located in slot 2, connector 8, while the port name gi.3.
Chapter 2 Hot Swapping Line Cards and Control Modules

Hot Swapping Overview

This chapter describes the hot swapping functionality of the SSR. Hot swapping is the ability to replace a line card or Control Module while the SSR is operating. Hot swapping allows you to remove or install line cards without switching off or rebooting the SSR. Swapped-in line cards are recognized by the SSR and begin functioning immediately after they are installed.
Hot Swapping Line Cards

The procedure for hot swapping a line card consists of deactivating the line card, removing it from its slot in the SSR chassis, and installing a new line card in the slot.

Deactivating the Line Card

To deactivate the line card, do one of the following:

• Press the Hot Swap button on the line card. The Hot Swap button is recessed in the line card's front panel. Use a pen or similar object to reach it.
Removing the Line Card

To remove a line card from the SSR:

1. Make sure the Offline LED on the line card is lit.
   Warning: Do not remove the line card unless the Offline LED is lit. Doing so can cause the SSR to crash.
2. Loosen the captive screws on each side of the line card.
3. Carefully remove the line card from its slot in the SSR chassis.

Installing a New Line Card

To install a new line card:

1.
Hot Swapping a Secondary Control Module

If you have a secondary Control Module installed on the SSR, you can hot swap it with another Control Module or line card.

Warning: You can only hot swap an inactive Control Module. You should never remove the active Control Module from the SSR. Doing so will crash the system.

The procedure for hot swapping a Control Module is similar to the procedure for hot swapping a line card.
You can also use the system hotswap out command in the CLI to deactivate the Control Module. For example, to deactivate the secondary Control Module in slot CM/1, enter the following command in Enable mode:

ssr# system hotswap out slot 1

After you enter this command, the Offline LED on the Control Module lights, and messages appear on the console indicating the Control Module is inoperative.
Hot Swapping a Switching Fabric Module (SSR 8600 only)

The SSR 8600 has slots for two Switching Fabric Modules. While the SSR 8600 is operating, you can install a second Switching Fabric Module. If two Switching Fabric Modules are installed, you can hot swap one of them. When you remove one of the Switching Fabric Modules, the other goes online and stays online until it is removed or the SSR 8600 is powered off.
Removing the Switching Fabric Module

To remove the Switching Fabric Module:

1. Loosen the captive screws on each side of the Switching Fabric Module.
2. Pull the metal tabs on the Switching Fabric Module to free it from the connectors holding it in place in the chassis.
3. Carefully remove the Switching Fabric Module from its slot.

Installing a Switching Fabric Module

To install a Switching Fabric Module:

1.
Chapter 3 Bridging Configuration Guide

Bridging Overview

The SmartSwitch Router provides the following bridging functions:

• Compliance with the IEEE 802.
Bridging Modes (Flow-Based and Address-Based)

The SSR provides the following types of wire-speed bridging:

Address-based bridging - The SSR performs this type of bridging by looking up the destination address in an L2 lookup table on the line card that receives the bridge packet from the network. The L2 lookup table indicates the exit port(s) for the bridged packet. If the packet is addressed to the SSR's own MAC address, the packet is routed rather than bridged.
• Multicast based
• Policy based

Detailed information about these types of VLANs is beyond the scope of this manual. Each type of VLAN is briefly explained in the following subsections.

Port-based VLANs

Ports of L2 devices (switches, bridges) are assigned to VLANs. Any traffic received by a port is classified as belonging to the VLAN to which the port belongs.
Multicast-based VLANs

Multicast-based VLANs are created dynamically for multicast groups. Typically, each multicast group corresponds to a different VLAN. This ensures that multicast frames are received only by those ports that are connected to members of the appropriate multicast group.

Policy-based VLANs

Policy-based VLANs are the most general definition of VLANs.
the SSR as a result of creating L3 interfaces for IP and/or IPX. However, these implicit VLANs do not need to be created or configured manually. The implicit VLANs created by the SSR are subnet-based VLANs.

Most commonly, an SSR is used as a combined switch and router. For example, it may be connected to two subnets S1 and S2. Ports 1-8 belong to S1 and ports 9-16 belong to S2.
For example, if port 1 belongs to VLAN IPX_VLAN for IPX, VLAN IP_VLAN for IP and VLAN OTHER_VLAN for any other protocol, then an IP frame received by port 1 is classified as belonging to VLAN IP_VLAN.

Trunk ports (802.1Q) are usually used to connect one VLAN-aware switch to another. They carry traffic belonging to several VLANs. For example, suppose that SSR A and B are both configured with VLANs V1 and V2.
[Figure: SSR with A, B, and C]

The corresponding bridge tables for address-based and flow-based bridging are shown below. As shown, the bridge table contains more information on the traffic patterns when flow-based bridging is enabled compared to address-based bridging.
Configuring Spanning Tree

Note: Some commands in this facility require updated SSR hardware. Please refer to Appendix A for details.

The SSR supports per VLAN spanning tree. By default, all the VLANs defined belong to the default spanning tree. You can create a separate instance of spanning tree using the following command:

Create spanning tree for a VLAN.    pvst create spanningtree vlan-name

By default, spanning tree is disabled on the SSR.
Setting the Bridge Priority

You can globally configure the priority of an individual bridge when two bridges tie for position as the root bridge, or you can configure the likelihood that a bridge will be selected as the root bridge. The lower the bridge's priority, the more likely the bridge will be selected as the root bridge. This priority is determined by default; however, you can change it.
Adjusting Bridge Protocol Data Unit (BPDU) Intervals

You can adjust BPDU intervals as described in the following sections:

• Adjust the Interval between Hello BPDUs
• Define the Forward Delay Interval
• Define the Maximum Idle Interval

Adjusting the Interval between Hello Times

You can specify the interval between hello time.
To change the default interval setting, enter the following command in Configure mode:

Change the amount of time a bridge will wait to hear BPDUs from the root bridge for default spanning tree.    stp set bridging max-age
Change the amount of time a bridge will wait to hear BPDUs from the root bridge for a particular instance of spanning tree.
Configuring VLANs for Bridging

The SSR allows you to create VLANs for AppleTalk, DECnet, SNA, and IPv6 traffic as well as for IP and IPX traffic. You can create a VLAN for handling traffic for a single protocol, such as a DECnet VLAN. Or, you can create a VLAN that supports several specific protocols, such as SNA and IP traffic.

Note: Some commands in this facility require updated SSR hardware. Please refer to Appendix A for details.
Monitoring Bridging

The SSR can display the bridging statistics and configurations it holds. To display bridging information, enter the following commands in Enable mode.

Show IP routing table.    ip show routes
Show all MAC addresses currently in the l2 tables.    l2-tables show all-macs
Show l2 table information on a specific port.    l2-tables show port-macs
Show information about the master MAC table.
Creating a non-IP/non-IPX VLAN

In this example, SNA, DECnet, and AppleTalk hosts are connected to et.1.1 and et.2.(1-4). You can associate all the ports containing these hosts to a VLAN called ‘RED’ with the VLAN ID 5.

First, create a VLAN named ‘RED’:

ssr(config)# vlan create RED sna dec appletalk id 5

Next, assign ports to the ‘RED’ VLAN.

ssr(config)# vlan add ports et.1.1, et.2.
Chapter 4 SmartTRUNK Configuration Guide

Overview

This chapter explains how to configure and monitor SmartTRUNKs on the SSR. A SmartTRUNK is Cabletron Systems’ technology for load balancing and load sharing. For a description of the SmartTRUNK commands, see the “smarttrunk commands” section of the SmartSwitch Router Command Line Interface Reference Manual.

On the SSR, a SmartTRUNK is a group of two or more ports that have been logically combined into a single port.
Configuring SmartTRUNKs

To create a SmartTRUNK:

1. Create a SmartTRUNK and specify a control protocol for it.
2. Add physical ports to the SmartTRUNK.
3. Specify the policy for distributing traffic across SmartTRUNK ports. This step is optional; by default, the SSR distributes traffic to ports in a round-robin (sequential) manner.
To add ports to a SmartTRUNK, enter the following command in Configure mode:

Create a SmartTRUNK that will be connected to a device that supports the DEC Hunt Group control protocol.    smarttrunk add ports to

Specify Traffic Distribution Policy (Optional)

The default policy for distributing traffic across the ports in a SmartTRUNK is “round-robin,” where the SSR selects the port on a rotating basis.
Example Configurations

The following shows a network design based on SmartTRUNKs. R1 is an SSR operating as a router, while S1 and S2 are SSRs operating as switches.

[Figure: network diagram showing a Cisco 7500 Router, Router R1, Switch S1, Switch S2, a Server, and a Cisco Catalyst 5K Switch, connected by SmartTRUNKs st.1 through st.5; interfaces to-cisco, to-s1, and to-s2 on R1]

The following is the configuration for the Cisco 7500 router:

interface port-channel 1
ip address 10.1.1.1 255.255.
The following is the SmartTRUNK configuration for the SSR labeled ‘R1’ in the diagram:

smarttrunk create st.1 protocol no-protocol
smarttrunk create st.2 protocol huntgroup
smarttrunk create st.3 protocol huntgroup
smarttrunk add ports et.1(1-2) to st.1
smarttrunk add ports et.2(1-2) to st.2
smarttrunk add ports et.3(1-2) to st.3
interface create ip to-cisco address-netmask 10.1.1.2/24 port st.1
interface create ip to-s1 address-netmask 11.1.1.2/24 port st.
Chapter 5 ATM Configuration Guide

ATM Overview

This chapter provides an overview of the Asynchronous Transfer Mode (ATM) features available for the SmartSwitch Router. ATM is a cell switching technology used to establish multiple connections over a physical link, and configure each of these connections with its own traffic parameters. This provides more control over specific connections within a network.
channel having its own traffic parameters. The name “virtual” implies that the connection is located in silicon instead of a physical wire. Refer to “Creating a Service Class Definition” on page 43 for information about defining a set of traffic parameters for a virtual channel.

Creating a Virtual Channel

To create a virtual channel, enter the following command in Configure mode:

Creates a virtual channel.
Creating a Service Class Definition

To create a service class definition, enter the following command in Configure mode:

Creates a service class definition.    atm define service [srv-cat cbr| ubr| rtvbr| nrt-vbr] [pcr] [pcr-kbits] [scr] [scr-kbits] [mbs] [encap routed-llc| routed-vcmux] [oam on| off]

The following is a description of the parameters used to create a service class definition:

service    Specifies a name for the service class definition.
cells/sec). This is the same as PCR, but is expressed in kbits/sec, and therefore may be a more convenient form. However, since the natural unit for ATM is cells/sec, there may be a difference in the actual rate because the kbit/sec value may not be an integral number of cells. This parameter is valid for CBR, rtVBR, and nrtVBR service categories. This parameter is optional for UBR.

scr    Specifies the Sustainable Cell Rate which defines the average cell rate.
port    Specifies the port, in the format: media.slot.port.vpi.vci
media    Specifies the media type. This is at for ATM ports.
slot    Specifies the slot number where the module is installed.
port    Specifies the port number.
vpi    Specifies the Virtual Path Identifier. This parameter identifies the virtual path. This parameter is optional.
vci    Specifies the Virtual Channel Identifier. This parameter identifies the virtual channel. This parameter is optional.
The following is a description of the parameters used to enable cell scrambling:

port    Specifies the port, in the format: media.slot.port. Specify all-ports to enable cell scrambling on all ports.
media    Specifies the media type. This is at for ATM ports.
slot    Specifies the slot number where the module is installed.
port    Specifies the port number.
pdh-cell-scramble on|off    Specify on to enable cell scrambling. Specify off to disable cell scrambling.
Creating a Non-Zero VPI

The Virtual Path Identifier defines a virtual path, a grouping of virtual channels transmitting across the same physical connection. The actual number of virtual paths and virtual channels available on an ATM port depends upon how many bits are allocated for the VPI and VCI, respectively. By default, there are 0 bits allocated for VPI and 12 bits allocated for VCI. You can specify a different allocation of bits for VPI and VCI for a port.
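A VC identifier that does not fit the port's VPI/VCI bit allocation is easy to miss when reviewing a configuration by eye. The following Python sketch is an added example, not code from the manual or from Cabletron: it parses the media.slot.port.vpi.vci port format described above and checks each VPI and VCI against the bit allocation. The function names and the way tokens are pulled out of a CLI line are assumptions; the second and third sample lines are constructed.

```python
"""Check SSR ATM port names against the VPI/VCI bit allocation (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Defaults stated in the manual: 0 bits for VPI, 12 bits for VCI.
DEFAULT_VPI_BITS = 0
DEFAULT_VCI_BITS = 12

# Assumed tokenisation: an ATM port is the word "at" followed by dotted fields.
_ATM_TOKEN = re.compile(r"\bat(?:\.\w+)+")


@dataclass(frozen=True)
class AtmPort:
    slot: int
    port: int
    vpi: Optional[int] = None  # optional in the manual's port format
    vci: Optional[int] = None  # optional in the manual's port format


def parse_atm_port(name: str) -> AtmPort:
    """Parse media.slot.port[.vpi[.vci]]; the media type must be 'at'."""
    fields = name.strip().split(".")
    if fields[0] != "at":
        raise ValueError(f"{name!r}: media type is not 'at'")
    if not 3 <= len(fields) <= 5:
        raise ValueError(f"{name!r}: expected at.slot.port[.vpi[.vci]]")
    numbers = []
    for field in fields[1:]:
        if not (field.isascii() and field.isdigit()):
            raise ValueError(f"{name!r}: field {field!r} is not a number")
        numbers.append(int(field))
    return AtmPort(*numbers)


def check_vc(p: AtmPort, vpi_bits: int = DEFAULT_VPI_BITS,
             vci_bits: int = DEFAULT_VCI_BITS) -> List[str]:
    """Return one message per identifier that exceeds its bit allocation."""
    problems = []
    for label, value, bits in (("vpi", p.vpi, vpi_bits), ("vci", p.vci, vci_bits)):
        limit = (1 << bits) - 1  # largest value that fits in `bits` bits
        if value is not None and value > limit:
            problems.append(f"{label} {value} does not fit in {bits} bits (max {limit})")
    return problems


def audit_config(lines: Iterable[str], vpi_bits: int = DEFAULT_VPI_BITS,
                 vci_bits: int = DEFAULT_VCI_BITS) -> Dict[str, List[str]]:
    """Map each malformed or out-of-range ATM port token to its problems."""
    findings: Dict[str, List[str]] = {}
    for line in lines:
        for token in _ATM_TOKEN.findall(line):
            try:
                problems = check_vc(parse_atm_port(token), vpi_bits, vci_bits)
            except ValueError as exc:
                problems = [str(exc)]
            if problems:
                findings[token] = problems
    return findings


SAMPLE_CONFIG = [
    "atm apply service cbr1m port at.1.1.0.100",   # line from the manual's sample
    "atm apply service cbr1m port at.2.1.1.100",   # constructed: VPI 1 with 0 VPI bits
    "atm apply service cbr1m port at.2.1.0.5000",  # constructed: VCI beyond 12 bits
]

if __name__ == "__main__":
    for token, problems in audit_config(SAMPLE_CONFIG).items():
        print(token, "->", "; ".join(problems))
```

Pass the port's actual allocation as vpi_bits and vci_bits when it differs from the default.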
Displaying ATM Port Information

There are a variety of ATM statistics that can be accessed through the command line interface. The atm show commands can only be used in Enable mode.

To display information about the VPL configurations on an ATM port:

Displays the VPL configurations on an ATM port.    atm show vpl port | all-ports

The following is an example of the information that is displayed with the command listed above:

ssr(atm-show)# vpl port at.9.
To display information about the service definition on an ATM port:

Displays the service definition on an ATM port.
To display information about the port settings on an ATM port:

Displays the port setting configurations on an ATM port.    atm show port-settings | all-ports

The following is an example of the information that is displayed with the command listed above (for a PDH PHY interface):

ssr(atm-show)# port-settings at.9.
esf indicates extended super frame and is used for T1 framing.
g832 is used for E3 framing.
g751 is used for E3 framing.

• VC Mode
  Shows the bit allocation for vpi and vci.
• Service Definition
  Shows the name of the defined service on the port and its traffic parameters.

The following is an example of the information that is displayed with the command listed above (for a SONET PHY interface):

ssr(atm-show)# port-settings at.8.
ATM Sample Configuration 1

Consider the following network configuration:

[Figure: network diagram showing SSR 1 and SSR 2 joined through ATM ports at.1.1 and at.2.1, with Ethernet ports et.2.1 and et.1.1 connecting VLAN A (Subnet 11.1.1.0) and VLAN B (Subnet 11.1.2.0)]

The network shown consists of two SmartSwitch Routers, VLAN A, and VLAN B. Both SSRs have an ATM module with two ATM ports. Also both SSRs contain a 10/100 TX Ethernet module. SSR1 is connected to VLAN A through Ethernet port et.2.
Configuring an Interface on an Ethernet Port

There are two separate VLANs in this network, VLAN A and VLAN B. VLAN A is connected to Ethernet port et.2.1 on SSR1, and VLAN B is connected to Ethernet port et.1.1 on SSR2.

Apply an interface on both Ethernet ports. Creating an interface on an Ethernet port assigns a network IP address and submask on that port.

Creating a Virtual Channel

Create a VC to connect ATM port at.1.1 on SSR1 to ATM port at.2.1 on SSR2.
Applying an ATM Service Class

After defining a service class on SSR1 and SSR2, apply them to the VC connection we created earlier.

The following command line applies the service class ‘cbr1m’ to the VC (vpi=0, vci=100) on ATM port at.1.1 of SSR1:

ssr1(config)# atm apply service cbr1m port at.1.1.0.100

The following command line applies the service class ‘cbr1m’ to the VC (vpi=0, vci=100) on ATM port at.2.1 of SSR2:

ssr2(config)# atm apply service cbr1m port at.2.1.0.
Creating an IP route allows the interfaces on the ATM ports to act as gateways to any subnet. Traffic from VLAN A reaches the Ethernet port on SSR1 and is automatically directed to the gateway address (interface on the ATM port for SSR2). Then the traffic travels through the VC and arrives at the Ethernet port connected to VLAN B. Add the IP route for the subnet 11.1.2.0. The following command line configures the route on SSR1:

    ssr1(config)# ip add route 11.1.2.0/24 gateway 11.1.
Chapter 6 Packet-over-SONET Configuration Guide

Overview

This chapter explains how to configure and monitor packet-over-SONET (PoS) on the SSR. See the sonet commands section of the SmartSwitch Router Command Line Interface Reference Manual for a description of each command. PoS requires installation of the OC-3c or OC-12c PoS line cards in an SSR 8000 or an SSR 8600. The OC-3c line card has four PoS ports, while the OC-12c line card has two PoS ports. You must use the “so.” prefix for PoS interface ports.
Configuring IP Interfaces for PoS Links

Configuring IP interfaces for PoS links is generally the same as for WANs and for LANs. You assign an IP address to each interface and define routing mechanisms such as OSPF or RIP as with any IP network. You can configure the IP interface on the physical port or you can configure the interface as part of a VLAN for PoS links.
2. Create a point-to-point interface with the interface create command, specifying the IP address and netmask for the interface on the SSR and the peer address of the other end of the connection:

    interface create ip pos11 address-netmask 20.11.11.20/24 peer-address 20.11.11.21 port so.13.1

When you create the point-to-point interface as shown above, the SSR creates an implicit VLAN called “SYS_L3_.
Note: In APS terminology, bridge means to transmit identical traffic on both the working and protecting lines, while switch means to select traffic from either the protecting line or the working line.

• Unidirectional switching, where one set of line terminating equipment (LTE) can switch the line independent of the other LTE. Bidirectional switching (where both sets of LTEs perform a coordinated switch) is not supported.
• Revertive switching.
To manage the working and protecting PoS interfaces, enter the following commands in Configure mode:

Prevent a working interface from switching to a protecting port. This command can only be applied to a port configured as a protecting port.
    sonet set protection-switch lockoutprot

Force a switch to the specified port. This command can be applied to either the working or protecting port.
• Signal failure BER threshold of 10^-3 (1 out of 1,000 bits transmitted is in error). Signal failure is associated with a “hard” failure. Signal fail is determined when any of the following conditions are detected: loss of signal (LOS), loss of frame (LOF), line alarm indication signal (AIS-L), or the BER threshold exceeds the configured rate.
Example Configurations

This section shows example configurations for PoS links.

APS PoS Links Between SSRs

The following example shows APS PoS links between two SSRs, router A and router B.

[Figure: Router A (pos21 20.11.11.21/24, ports so.7.1 and so.7.2) connected to Router B (pos11 20.11.11.20/24, ports so.13.1 and so.13.2) by a working and a protecting PoS link]

The following is the configuration for router A:

    interface create ip pos21 address-netmask 20.11.11.21/24 peer-address 20.11.11.
PoS Link Between the SSR and a Cisco Router

The following example shows a PoS link between an SSR, router A, and a Cisco 12000 series Gigabit Switch Router, router B. The MTU on both routers is configured for the same size of 9216 octets.

[Figure: Router A (port so.6.1, interface so-1 40.1.1.1/16) connected to Router B (POS1/0)]

The following is the configuration for router A:

    port set so.6.1 mtu 9216
    interface create ip so-1 address-netmask 40.1.1.1/16 port so.6.
Bridging and Routing Traffic Over a PoS Link

The following example shows how to configure a VLAN ‘v1’ that includes the PoS ports on two connected SSRs, router A and router B. Bridged or routed traffic is transmitted over the PoS link.

[Figure: Router A (port so.7.1; int1 1.1.1.1/8, 2.1.1.1/8, peer 2.1.1.2) connected to Router B (port so.6.1; int1 1.1.1.2/8, 2.1.1.2/8, peer 2.1.1.1)]

The following is the configuration for router A:

    port set so.7.1 mtu 65535
    stp enable port so.7.
Chapter 7 DHCP Configuration Guide

DHCP Overview

The Dynamic Host Configuration Protocol (DHCP) server on the SSR provides dynamic address assignment and configuration to DHCP-capable end-user systems, such as Windows 95/98/NT and Apple Macintosh systems. You can configure the server to provide a dynamic IP address from a pre-allocated pool of IP addresses or a static IP address.
Configuring DHCP

By default, the DHCP server is not enabled on the SSR. You can selectively enable DHCP service on particular interfaces and not others. To enable DHCP service on an interface, you must first define a DHCP scope. A scope consists of a pool of IP addresses and a set of parameters for a DHCP client. The parameters are used by the client to configure its network environment, for example, the default gateway and DNS domain name.
Table 5. Client Parameters

Parameter             Value
netbios-name-server   IP address of NetBIOS Name Server (WINS server)
netbios-node-type     NetBIOS node type of the client
netbios-scope         NetBIOS scope of the client

To define the parameters that the DHCP server gives the clients, enter the following command in Configure mode:

Define client parameters.
    dhcp define parameters ...
Configuring DHCP Server Parameters

You can configure several “global” parameters that affect the behavior of the DHCP server itself. To configure global DHCP server parameters, enter the following commands in Configure mode:

Specify a remote location to back up the lease database.
    dhcp global set lease-database

Specify the intervals at which the lease database is updated.
DHCP Configuration Examples

The following configuration describes DHCP configuration for a simple network with just one interface on which DHCP service is enabled to provide both dynamic and static IP addresses.

1. Create an IP VLAN called ‘client_vlan’.
    vlan create client_vlan ip
2. Add all Fast Ethernet ports in the SSR to the VLAN ‘client_vlan’.
    vlan add port et.*.* to client_vlan
3. Create an IP interface called ‘clients’ with the address 10.1.1.
9. Specify a remote lease database on the TFTP server 10.1.89.88.
    dhcp global set lease-database tftp://10.1.89.88/lease.db
10. Specify a database update interval of every 15 minutes.
    dhcp global set commit-interval 15

Configuring Secondary Subnets

In some network environments, multiple logical subnets can be imposed on a single physical segment. These logical subnets are sometimes referred to as “secondary subnets” or “secondary networks.
6. Include ‘scope2’ in the superscope ‘super1’.
    dhcp scope2 attach superscope super1

Since there are multiple pools of IP addresses, the pool associated with ‘scope1’ is used first since ‘scope1’ is applied to the interface before ‘scope2’. Clients that are given an address from ‘scope1’ will also be given parameters from ‘scope1,’ which includes the default gateway 10.1.1.1 that resides on the 10.1.x.x subnet.
6. Define the address pool for ‘scope2’.
    dhcp scope2 define pool 10.2.1.40-10.2.1.50
7. Create a superscope ‘super1’ that includes ‘scope1’.
    dhcp scope1 attach superscope super1
8. Include ‘scope2’ in the superscope ‘super1’.
    dhcp scope2 attach superscope super1

For clients on the secondary subnet, the default gateway is 10.2.1.1, which is also the secondary address for the interface ‘clients’.
4. Define the address pool for ‘scope1’.
    dhcp scope1 define pool 10.5.1.10-10.5.1.
Chapter 8 IP Routing Configuration Guide

The SSR supports standards-based TCP, UDP, and IP. This chapter describes how to configure IP interfaces and general non-protocol-specific routing parameters.

IP Routing Protocols

The SSR supports standards-based unicast and multicast routing. Unicast routing protocol support includes Interior Gateway Protocols and Exterior Gateway Protocols. Multicast routing protocols are used to determine how multicast data is transferred in a routed environment.
Exterior Gateway Protocols are used to transfer information between different “autonomous systems”. The SSR supports the following Exterior Gateway Protocol:

• Border Gateway Protocol (BGP) Version 3, 4 (RFC 1267, 1771). Configuring BGP for the SSR is described in Chapter 12.

Multicast Routing Protocols

IP multicasting allows a host to send traffic to a subset of all hosts.
Configuring IP Interfaces to Ports

You can configure an IP interface directly to a physical port. Each port can be assigned multiple IP addresses representing multiple subnets connected to the physical port. For example, to assign an IP interface ‘RED’ to physical port et.3.4, enter the following:

    ssr(config)# interface create ip RED address-netmask 10.50.0.0/255.255.0.0 port et.3.4

To configure a secondary address of 10.23.4.36 with a 24-bit netmask (255.255.255.
Configuring Jumbo Frames

Certain SSR line cards support jumbo frames (frames larger than the standard Ethernet frame size of 1518 bytes). See Appendix A for more information about features supported on line cards. To transmit frames of up to 65535 octets, you increase the maximum transmission unit (MTU) size from the default of 1500. You must set the MTU at the port level with the port set mtu command.
Configuring Address Resolution Protocol (ARP)

The SSR allows you to configure Address Resolution Protocol (ARP) table entries and parameters. ARP is used to associate IP addresses with media or MAC addresses. Taking an IP address as input, ARP determines the associated MAC address. Once a media or MAC address is determined, the IP address/media address association is stored in an ARP cache for rapid retrieval.
When you enable packets to be dropped for hosts with unresolved MAC addresses, the SSR will still attempt to periodically resolve these MAC addresses. By default, the SSR sends ARP requests at 30-second intervals to try to resolve up to 50 dropped entries.
Specifying IP Interfaces for RARP

The rarpd set interface command allows you to specify which interfaces the SSR’s RARP server responds to when sent RARP requests. You can specify individual interfaces or all interfaces. To cause the SSR’s RARP server to respond to RARP requests from interface int1:

    ssr(config)# rarpd set interface int1

Defining MAC-to-IP Address Mappings

The rarpd add command allows you to map a MAC address to an IP address for use with RARP.
Monitoring RARP

You can use the following commands to obtain information about the SSR’s RARP configuration:

Display the interfaces to which the RARP server responds.
    rarpd show interface

Display the existing MAC-to-IP address mappings.
    rarpd show mappings

Display RARP statistics.
    statistics show rarp |all

Configuring DNS Parameters

The SSR can be configured to specify DNS servers, which supply name services for DNS requests.
• BOOTP/DHCP (port 67 and 68)
• DNS (port 37)
• NetBIOS Name Server (port 137)
• NetBIOS Datagram Server (port 138)
• TACACS Server (port 49)
• Time Service (port 37)

To forward UDP broadcast packets received on interface int1 to the host 10.1.4.5 for the six default UDP services:

    ssr(config)# ip helper-address interface int1 10.1.4.5

To forward UDP broadcast packets received on interface int2 to the host 10.2.48.
Configuring Denial of Service (DOS)

By default, the SSR installs flows in the hardware so that packets sent as directed broadcasts are dropped in hardware, if directed broadcast is not enabled on the interface where the packet is received. You can disable this feature, causing directed broadcast packets to be processed on the SSR even if directed broadcast is not enabled on the interface receiving the packet.
The following example displays the contents of the routing table. It shows that some of the route entries are for locally connected interfaces (“directly connected”), while some of the other routes are learned from RIP.

    ssr# ip show routes
    Destination ----------10.1.0.0/16 10.2.0.0/16 10.3.0.0/16 10.4.0.0/16 14.3.2.1 21.0.0.0/8 30.1.0.0/16 50.1.0.0/16 61.1.0.0/16 62.1.0.0/16 68.1.0.0/16 69.1.0.0/16 127.0.0.0/8 127.0.0.1 210.11.99.0/24 Gateway ------50.1.1.2 50.1.
To start router discovery on the SSR, enter the following command in Configure mode:

    ssr(config)# rdisc start

The rdisc start command lets you start router discovery on the SSR. When router discovery is started, the SSR multicasts or broadcasts periodic router advertisements on each configured interface. The router advertisements contain a list of addresses on a given interface and the preference of each address for use as the default route on the interface.
To display router discovery information:

    ssr# rdisc show all
    Task State: 1 Send buffer size 2048 at 812C68F8 Recv buffer size 2048 at 812C60D0 Timers: RouterDiscoveryServer Priority 30 RouterDiscoveryServer_SSR2_SSR3_IP 2 last: 10:17:21 next: 10:25:05 Task RouterDiscoveryServer: Interfaces: Interface SSR2_SSR3_IP: 3 Group 224.0.0.1: 4 minadvint 7:30 maxadvint 10:00 lifetime 30:00 Address 10.10.5.
Configuration Examples

Assigning IP/IPX Interfaces

To enable routing on the SSR, you must assign an IP or IPX interface to a VLAN. To assign an IP or IPX interface named ‘RED’ to the ‘BLUE’ VLAN, enter the following command:

    ssr(config)# interface create ip RED address-netmask 10.50.0.1/255.255.0.0 vlan BLUE

You can also assign an IP or IPX interface directly to a physical port.
Chapter 9 VRRP Configuration Guide

VRRP Overview

This chapter explains how to set up and monitor the Virtual Router Redundancy Protocol (VRRP) on the SSR. VRRP is defined in RFC 2338. End host systems on a LAN are often configured to send packets to a statically configured default router. If this default router becomes unavailable, all the hosts that use it as their first hop router become isolated on the network. VRRP provides a way to ensure the availability of an end host’s default router.
Basic VRRP Configuration

Figure 5 shows a basic VRRP configuration with a single virtual router. Routers R1 and R2 are both configured with one virtual router (VRID=1). Router R1 serves as the Master and Router R2 serves as the Backup. The four end hosts are configured to use 10.0.0.1/16 as the default route. IP address 10.0.0.1/16 is associated with virtual router VRID=1.

[Figure 5: Router R1 (Master) and Router R2 (Backup), virtual router VRID=1]
In VRRP, the router that owns the IP address associated with the virtual router is the Master. Any other routers that participate in this virtual router are Backups. In this configuration, Router R1 is the Master for virtual router VRID=1 because it owns 10.0.0.1/16, the IP address associated with virtual router VRID=1.

Configuration for Router R2

The following is the configuration file for Router R2 in Figure 5.

    1: 2: 3: 4: interface create ip test address-netmask 10.
[Figure: R1 (interface address 10.0.0.1/16) is Master for VRID=1 and Backup for VRID=2; R2 (interface address 10.0.0.2/16) is Master for VRID=2 and Backup for VRID=1. H1 and H2 use default route 10.0.0.1/16; H3 and H4 use default route 10.0.0.2/16.]

Figure 6. Symmetrical VRRP Configuration

In this configuration, half the hosts use 10.0.0.
On line 5, Router R1 associates IP address 10.0.0.2/16 with virtual router VRID=2. However, since Router R1 does not own IP address 10.0.0.2/16, it is not the default Master for virtual router VRID=2.

Configuration of Router R2

The following is the configuration file for Router R2 in Figure 6.

    1: interface create ip test address-netmask 10.0.0.2/16 port et.1.
[Figure: R1 is Master for VRID=1 and 1st Backup for VRID=2 and VRID=3; R2 is Master for VRID=2, 1st Backup for VRID=1 and 2nd Backup for VRID=3; R3 is Master for VRID=3 and 2nd Backup for VRID=1 and VRID=2. H1 and H2 use default route 10.0.0.1/16 (VRID=1); H3 and H4 use 10.0.0.2/16 (VRID=2); H5 and H6 use 10.0.0.3/16 (VRID=3).]

Figure 7.
Configuration of Router R1

The following is the configuration file for Router R1 in Figure 7.

    1: interface create ip test address-netmask 10.0.0.1/16 port et.1.1
    !
    2: ip-redundancy create vrrp 1 interface test
    3: ip-redundancy create vrrp 2 interface test
    4: ip-redundancy create vrrp 3 interface test
    !
    5: ip-redundancy associate vrrp 1 interface test address 10.0.0.1/16
    6: ip-redundancy associate vrrp 2 interface test address 10.0.0.
The following table shows the priorities for each virtual router configured on Router R1.

Virtual Router                     Default Priority      Configured Priority
VRID=1 – IP address=10.0.0.1/16    255 (address owner)   255 (address owner)
VRID=2 – IP address=10.0.0.2/16    100                   200 (see line 8)
VRID=3 – IP address=10.0.0.3/16    100                   200 (see line 9)

Configuration of Router R2

The following is the configuration file for Router R2 in Figure 7.

    1: interface create ip test address-netmask 10.
Note: Since 100 is the default priority, line 9, which sets the priority to 100, is actually unnecessary. It is included for illustration purposes only.

Configuration of Router R3

The following is the configuration file for Router R3 in Figure 7.

    1: interface create ip test address-netmask 10.0.0.3/16 port et.1.
Setting the Backup Priority

As described in “Multi-Backup Configuration” on page 95, you can specify which Backup router takes over when the Master router goes down by setting the priority for the Backup routers.
Setting an Authentication Key

By default, no authentication of VRRP packets is performed on the SSR. You can specify a clear-text password to be used to authenticate VRRP exchanges.
ip-redundancy show

The ip-redundancy show command reports information about a VRRP configuration. To display information about all virtual routers on interface int1:

    ssr# ip-redundancy show vrrp interface int1
    VRRP Virtual Router 100 - Interface int1
    ------------------------------------------
    Uptime 0 days, 0 hours, 0 minutes, 17 seconds.
To display VRRP statistics for virtual router 100 on interface int1:

    ssr# ip-redundancy show vrrp 1 interface int1 verbose
    VRRP Virtual Router 100 - Interface int1
    ------------------------------------------
    Uptime                 0 days, 0 hours, 0 minutes, 17 seconds.
    State                  Backup
    Priority               100 (default value)
    Virtual MAC address    00005E:000164
    Advertise Interval     1 sec(s) (default value)
    Preempt Mode           Enabled (default value)
    Authentication         None (default value)
    Primary Address        10.8.0.
The skew-time depends on the Backup router's configured priority:

    Skew-time = ( (256 - Priority) / 256 )

Therefore, the higher the priority, the faster a Backup router will detect that the Master is down. For example:

– Default advertisement-interval = 1 second
– Default Backup router priority = 100
– Master-down-interval = time it takes a Backup to detect the Master is down
    = (3 * adv-interval) + skew-time
    = (3 * 1 second) + ((256 - 100) / 256)
    = 3.
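The following Python sketch is an added example, not Cabletron code; it ties together the clear-text authentication key and the Master-down timing described in this chapter. It builds a constructed VRRP advertisement using the RFC 2338 packet layout, applies the receive checks a Backup makes on it, and computes the Master-down interval from the skew-time formula; all function names, the key `s3cret` and the priorities 200 and 100 are assumptions made for illustration.

```python
import hmac
import ipaddress
import struct

AUTH_NONE, AUTH_TEXT = 0, 1  # RFC 2338 Auth Type values (2 = IP AH, not handled here)


def inet_checksum(data):
    """16-bit one's-complement checksum over the whole VRRP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_advertisement(vrid, priority, addrs, auth_type=AUTH_NONE, key=b"", adver_int=1):
    """Construct a sample VRRPv2 advertisement (constructed test input only)."""
    body = b"".join(ipaddress.IPv4Address(a).packed for a in addrs)
    # With Auth Type 1 the key is copied, zero-padded, into the last 8 bytes
    # of every advertisement: it is readable by any station on the LAN.
    auth = key.ljust(8, b"\x00")[:8] if auth_type == AUTH_TEXT else bytes(8)
    header = struct.pack("!BBBBBBH", 0x21, vrid, priority, len(addrs), auth_type, adver_int, 0)
    checksum = inet_checksum(header + body + auth)
    return header[:6] + struct.pack("!H", checksum) + body + auth


def check_advertisement(pkt, vrid, auth_type=AUTH_NONE, key=b""):
    """Apply the receive checks; return a list of findings (empty means accepted).

    IP-level checks (TTL 255, protocol 112) are assumed to be done elsewhere.
    """
    if len(pkt) < 16:
        return ["truncated packet"]
    ver_type, p_vrid, _prio, count, p_auth, _adv, _ = struct.unpack("!BBBBBBH", pkt[:8])
    findings = []
    if ver_type != 0x21:
        findings.append("not a VRRP version 2 advertisement")
    if len(pkt) != 8 + 4 * count + 8:
        findings.append("length does not match Count IP Addrs")
    if inet_checksum(pkt) != 0:
        findings.append("bad checksum")
    if p_vrid != vrid:
        findings.append("VRID not configured on this interface")
    if p_auth != auth_type:
        findings.append("authentication type mismatch")
    elif p_auth == AUTH_TEXT and not hmac.compare_digest(pkt[-8:], key.ljust(8, b"\x00")[:8]):
        findings.append("authentication key mismatch")
    return findings


def master_down_interval(priority, adver_int=1):
    """(3 * adv-interval) + skew-time, with skew-time = (256 - priority) / 256."""
    return 3 * adver_int + (256 - priority) / 256


def takeover_order(backups, adver_int=1):
    """Backups (name -> priority) in the order their Master-down timers expire."""
    return sorted(backups, key=lambda name: master_down_interval(backups[name], adver_int))


def virtual_mac(vrid):
    """Virtual MAC in the notation used by 'ip-redundancy show' on this page."""
    return f"00005E:0001{vrid:02X}"


if __name__ == "__main__":
    pkt = build_advertisement(1, 255, ["10.0.0.1"], AUTH_TEXT, b"s3cret")
    print(check_advertisement(pkt, 1, AUTH_TEXT, b"s3cret"))   # accepted
    print(check_advertisement(pkt, 1, AUTH_TEXT, b"other"))    # key mismatch
    print(master_down_interval(100), takeover_order({"R2": 200, "R3": 100}))
```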
Chapter 10 RIP Configuration Guide

RIP Overview

This chapter describes how to configure the Routing Information Protocol (RIP) on the SmartSwitch Router. RIP is a distance-vector routing protocol for use in small networks. RIP is described in RFC 1723. A router running RIP broadcasts updates at set intervals. Each update contains paired values where each pair consists of an IP network address and an integer distance to that network. RIP uses a hop count metric to measure the distance to a destination.
Enabling and Disabling RIP

To enable or disable RIP, enter one of the following commands in Configure mode.

Enable RIP.
    rip start

Disable RIP.
    rip stop

Configuring RIP Interfaces

To configure RIP in the SSR, you must first add interfaces to inform RIP about attached interfaces. To add RIP interfaces, enter the following commands in Configure mode.

Add interfaces to the RIP process.
RIP Parameter      Default Value
Authentication     None
Update interval    30 seconds

To change RIP parameters, enter the following commands in Configure mode.

Set RIP Version on an interface to RIP V1.
    rip set interface |all version 1

Set RIP Version on an interface to RIP V2.
    rip set interface |all version 2

Specify that RIP V2 packets should be multicast on this interface.
Enable acceptance of RIP routes that have a metric of zero.
    rip set check-zero-metric disable|enable

Enable poison reverse, as specified by RFC 1058.
    rip set poison-reverse disable|enable

Configuring RIP Route Preference

You can set the preference of routes learned from RIP. To configure RIP route preference, enter the following command in Configure mode.

Set the preference of routes learned from RIP.
Show RIP information on the specified interface.
    rip show interface

Show RIP interface policy information.
    rip show interface-policy

Show detailed information of all RIP packets.
    rip trace packets detail

Show detailed information of all packets received by the router.
    rip trace packets receive

Show detailed information of all packets sent by the router.
    rip trace packets send

Show detailed information of all requests received by the router.
    !
    ! Change default metric-out
    rip set interface SSR1-if1 metric-out 3
Chapter 11 OSPF Configuration Guide

OSPF Overview

Open Shortest Path First Routing (OSPF) is a shortest path first or link-state protocol. The SSR supports OSPF Version 2.0, as defined in RFC 1583. OSPF is an interior gateway protocol that distributes routing information between routers in a single autonomous system. OSPF chooses the least-cost path as the best path.
• Type 1 ASE
• Type 2 ASE

Intra-area paths have destinations within the same area. Inter-area paths have destinations in other OSPF areas. Both types of Autonomous System External (ASE) routes are routes to destinations external to OSPF (and usually external to the AS). Routes exported into OSPF ASE as type 1 ASE routes are supposed to be from interior gateway protocols (e.g., RIP) whose external metrics are directly comparable to OSPF metrics.
• Add IP interfaces to OSPF areas.
• Configure OSPF interface parameters, if necessary.
• Add IP networks to OSPF areas.
• Create virtual links, if necessary.

Enabling OSPF

OSPF is disabled by default on the SSR. To enable or disable OSPF, enter one of the following commands in Configure mode.

Enable OSPF.
    ospf start

Disable OSPF.
    ospf stop

Configuring OSPF Interface Parameters

You can configure the OSPF interface parameters shown in the table below.
Default Cost of an OSPF Interface

The default cost of an OSPF interface is calculated using its bandwidth. A VLAN that is attached to an interface could have several ports of differing speeds. The bandwidth of an interface is represented by the highest bandwidth port that is part of the associated VLAN. The cost of an OSPF interface is inversely proportional to this bandwidth.
Specify the number of seconds required to transmit a link state update on an OSPF interface.
    ospf set interface |all transit-delay

Specify the time a neighbor router will listen for OSPF hello packets before declaring the router down.
    ospf set interface |all router-dead-interval

Disable IP multicast for sending OSPF packets to neighbors on an OSPF interface.
Add a stub host to an OSPF area.
    ospf add stub-host to-area |backbone cost

Add a network to an OSPF area for summarization.
    ospf add network|summary-range to-area | backbone [restrict] [host-net]

Configuring OSPF Area Parameters

The SSR allows configuration of various OSPF area parameters, including stub areas, stub cost and authentication method.
To configure virtual links, enter the following commands in the Configure mode.

Create a virtual link.
    ospf add virtual-link neighbor transit-area

Set virtual link parameters.
• Point-to-Point. A point-to-point interface can be a serial line using PPP. By default, an IP interface associated with a serial line that is using PPP is treated as an OSPF point-to-point network. If an IP interface that is using PPP is to be treated as an OSPF broadcast network, then use the type broadcast option of the interface create command.
• Non-Broadcast Multiple Access (NBMA).
• ospf show commands allow you to display detailed versions of the various OSPF tables. The ospf show commands can only display OSPF tables for the router on which the commands are being entered.

To display OSPF information, enter the following commands in Enable mode.

Show IP routing table.
    ip show table routing

Monitor OSPF error conditions.
    ospf monitor errors [destination ]

Show information about all interfaces configured for OSPF.
Shows information about all valid next hops mostly derived from the SPF calculation.
    ospf show next-hop-list

Show OSPF statistics.
    ospf show statistics

Shows information about OSPF Border Routes.
    ospf show summary-asb

Show OSPF timers.
    ospf show timers

Show OSPF virtual-links.
    ospf show virtual-links

OSPF Configuration Examples

For all examples in this section, refer to the configuration shown in Figure 8 on page 124.
    ospf add interface 140.1.3.1 to-area 140.1.0.0
    ospf add interface 130.1.1.1 to-area backbone

Exporting All Interface & Static Routes to OSPF

Router R1 has several static routes. We would export these static routes as type-2 OSPF routes. The interface routes would be redistributed as type-1 OSPF routes.

1. Create an OSPF export destination for type-1 routes since we would like to redistribute certain routes into OSPF as type 1 OSPF-ASE routes.
Router R1 would like to redistribute its OSPF, OSPF-ASE, RIP, Static and Interface/Direct routes into RIP.

1. Enable RIP on interface 120.190.1.1/16.
    rip add interface 120.190.1.1
    rip set interface 120.190.1.1 version 2 type multicast
2. Create an OSPF export destination for type-1 routes.
    ip-router policy create ospf-export-destination ospfExpDstType1 type 1 metric 1
3. Create an OSPF export destination for type-2 routes.
9. Create a RIP export destination.
    ip-router policy create rip-export-destination ripExpDst
10. Create OSPF export source.
    ip-router policy create ospf-export-source ospfExpSrc type OSPF
11. Create OSPF-ASE export source.
    ip-router policy create ospf-export-source ospfAseExpSrc type OSPFASE
12. Create the Export-Policy for redistributing all interface, RIP, static, OSPF and OSPF-ASE routes into RIP.
Figure 8. Exporting to OSPF

[Figure: network diagram covering Area 140.1.0.0, the Backbone area and Area 150.20.0.0, with BGP and RIP V2 connections]
Chapter 12 BGP Configuration Guide

BGP Overview

The Border Gateway Protocol (BGP) is an exterior gateway protocol that allows IP routers to exchange network reachability information. BGP became an internet standard in 1989 (RFC 1105) and the current version, BGP-4, was published in 1994 (RFC 1771). BGP is typically run between Internet Service Providers. It is also frequently used by multihomed ISP customers, as well as in large commercial networks.
The SSR BGP Implementation

The SSR routing protocol implementation is based on GateD 4.0.3 code (http://www.gated.org). GateD is a modular software program consisting of core services, a routing database, and protocol modules supporting multiple routing protocols (RIP versions 1 and 2, OSPF version 2, BGP version 2 through 4, and Integrated IS-IS). Since the SSR IP routing code is based upon GateD, BGP can also be configured using a GateD configuration file (gated.
Setting the Autonomous System Number

An autonomous system number identifies your autonomous system to other routers. To set the SSR’s autonomous system number, enter the following command in Configure mode.

Set the SSR’s autonomous system number.
    ip-router global set autonomous-system loops

The autonomous-system parameter sets the AS number for the router. Specify a number from 1–65534.
where:

peer-group
    Is a group ID, which can be a number or a character string.
type
    Specifies the type of BGP group you are adding. You can specify one of the following:
    external
        In the classic external BGP group, full policy checking is applied to all incoming and outgoing advertisements. The external neighbors must be directly reachable through one of the machine's local interfaces.
Adding and Removing a BGP Peer

There are two ways to add BGP peers to peer groups. You can explicitly add a peer host, or you can add a network. Adding a network allows for peer connections from any addresses in the range of network and mask pairs specified in the bgp add network command. To add BGP peers to BGP peer groups, enter one of the following commands in Configure mode.

Add a host to a BGP peer group.
( aspath_regexp )
    Parentheses group subexpressions. An operator, such as * or ?, works on a single element or on a regular expression enclosed in parentheses.

An AS-path operator is one of the following:

aspath_term {m,n}
    A regular expression followed by {m,n} (where m and n are both non-negative integers and m <= n) means at least m and at most n repetitions.
aspath_term {m}
    A regular expression followed by {m} (where m is a positive integer) means exactly m repetitions.
AS-Path Regular Expression Examples

To import MCI routes with a preference of 165:

    ip-router policy create bgp-import-source mciRoutes aspath-regular-expression "(.* 3561 .*)" origin any sequence-number 10
    ip-router policy import source mciRoutes network all preference 165

To import all routes (.* matches all AS paths) with the default preference:

    ip-router policy create bgp-import-source allOthers aspath-regular-expression "(.
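The matcher below is an added example, not SSR or GateD code. It models how an AS-path expression such as "(.* 3561 .*)" selects routes for an import policy. It assumes that a term is a whole AS number or "." (any one AS), that the expression must match the entire path, and it supports only the operators named in this section (*, ?, {m}, {m,n}); the function names and sample paths are constructed.

```python
import re

# Tokens understood by this sketch: AS numbers, "." (any single AS),
# parentheses, and the operators *, ?, {m} and {m,n}.
_TOKEN = re.compile(r"\s*([0-9]+|\.|\(|\)|\*|\?|\{[0-9]+(?:,[0-9]+)?\})")


def compile_aspath(expr):
    """Translate an AS-path expression into a regex over 'ASN ' tokens.

    Each AS in a path is rendered as its decimal number plus one space, so
    a term can only ever match a complete AS number, never part of one.
    """
    parts, pos, depth = [], 0, 0
    expr = expr.strip()
    while pos < len(expr):
        m = _TOKEN.match(expr, pos)
        if m is None:
            raise ValueError("unsupported syntax at offset %d: %r" % (pos, expr[pos:]))
        tok, pos = m.group(1), m.end()
        if tok.isdigit():
            if not 1 <= int(tok) <= 65535:          # 16-bit AS numbers only
                raise ValueError("AS number out of range: %s" % tok)
            parts.append("(?:%d )" % int(tok))
        elif tok == ".":
            parts.append("(?:[0-9]+ )")             # any one AS
        elif tok == "(":
            depth += 1
            parts.append("(?:")
        elif tok == ")":
            depth -= 1
            if depth < 0:
                raise ValueError("unbalanced parentheses")
            parts.append(")")
        else:                                        # *, ?, {m}, {m,n}
            parts.append(tok)
    if depth != 0:
        raise ValueError("unbalanced parentheses")
    try:
        return re.compile("".join(parts))
    except re.error as exc:                          # e.g. operator with no operand
        raise ValueError("invalid AS-path expression: %s" % exc) from exc


def aspath_matches(expr, as_path):
    """Return True if the whole AS path (a list of ints) matches expr."""
    subject = "".join("%d " % asn for asn in as_path)
    return compile_aspath(expr).fullmatch(subject) is not None


def select_routes(expr, routes):
    """Return the prefixes of (prefix, as_path) pairs whose path matches."""
    return [prefix for prefix, path in routes if aspath_matches(expr, path)]


# Constructed sample routes: (prefix, AS path as received).
SAMPLE_ROUTES = [
    ("192.0.2.0/24", [701, 3561, 64512]),     # transits AS 3561
    ("198.51.100.0/24", [3561]),              # originated by AS 3561
    ("203.0.113.0/24", [701, 35611, 64512]),  # 35611 is a different AS
]

if __name__ == "__main__":
    print(select_routes("(.* 3561 .*)", SAMPLE_ROUTES))
```

Because matching is done per AS number, an expression written for AS 3561 does not also admit paths that merely contain those digits, which a plain substring search over the path text would.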
The following is an example:

    #
    # insert two instances of the AS when advertising the route to this peer
    #
    bgp set peer-host 194.178.244.33 group nlnet as-count 2
    #
    # insert three instances of the AS when advertising the route to this
    # peer
    #
    bgp set peer-host 194.109.86.5 group webnet as-count 3

Notes on Using the AS Path Prepend Feature

• Use the as-count option for external peer-hosts only.
• BGP Multi-Exit Discriminator (MED) attribute
• EBGP aggregation
• Route reflection

BGP Peering Session Example

The router process used for a specific BGP peering session is known as a BGP speaker. A single router can have several BGP speakers. Successful BGP peering depends on the establishment of a neighbor relationship between BGP speakers.
Figure 9 illustrates a sample BGP peering session.

[Figure 9. Sample BGP Peering Session: SSR1 in AS-1 (10.0.0.1/16) and SSR2 in AS-2 (10.0.0.2/16); legend: Physical Link, Peering Relationship]

The CLI configuration for router SSR1 is as follows:

    interface create ip et.1.1 address-netmask 10.0.0.1/16 port et.1.1
    #
    # Set the AS of the router
    #
    ip-router global set autonomous-system 1
    #
    # Set the router ID
    #
    ip-router global set router-id 10.0.0.
The gated.conf file for router SSR1 is as follows:

    autonomoussystem 1 ;
    routerid 10.0.0.1 ;
    bgp yes {
        group type external peeras 2
        {
            peer 10.0.0.2 ;
        };
    };

The CLI configuration for router SSR2 is as follows:

    interface create ip et.1.1 address-netmask 10.0.0.2/16 port et.1.1
    ip-router global set autonomous-system 2
    ip-router global set router-id 10.0.0.2
    bgp create peer-group pg2w1 type external autonomous-system 1
    bgp add peer-host 10.0.0.
An IGP, like OSPF, could possibly be used instead of IBGP to exchange routing information between EBGP speakers within an AS. However, injecting full Internet routes (50,000+ routes) into an IGP puts an expensive burden on the IGP routers. Additionally, IGPs cannot communicate all of the BGP attributes for a given route. It is, therefore, recommended that an IGP not be used to propagate full Internet routes between EBGP speakers. IBGP should be used instead.
Figure 10 shows a sample BGP configuration that uses the Routing group type.

[Figure 10: network diagram of AS-64801 with a Cisco router, SSR1, SSR4 and SSR6, connected by OSPF and IBGP]
In this example, OSPF is configured as the IGP in the autonomous system. The following lines in the router SSR6 configuration file configure OSPF:

    #
    # Create a secondary address for the loopback interface
    #
    interface add ip lo0 address-netmask 172.23.1.26/30
    ospf create area backbone
    ospf add interface to-SSR4 to-area backbone
    ospf add interface to-SSR1 to-area backbone
    #
    # This line is necessary because we want CISCO to peer with our loopback
    # address.
The following lines on the Cisco router set up IBGP peering with router SSR6.

    router bgp 64801
    !
    ! Disable synchronization between BGP and IGP
    !
    no synchronization
    neighbor 172.23.1.26 remote-as 64801
    !
    ! Allow internal BGP sessions to use any operational interface for TCP
    ! connections
    !
    neighbor 172.23.1.
Figure 11 illustrates a sample IBGP Internal group configuration.

[Figure 11: network diagram of AS-1 with routers C1, C2, SSR1 and SSR2; legend: Physical Link, Peering Relationship]
The gated.conf file for router SSR1 is as follows:

    autonomoussystem 1 ;
    routerid 16.122.128.1 ;
    bgp yes {
        traceoptions aspath detail packets detail open detail update ;
        group type internal peeras 1
        {
            peer 16.122.128.2 ;
            peer 16.122.128.8 ;
            peer 16.122.128.9 ;
        };
    };

The CLI configuration for router SSR2 is as follows:

    ip-router global set autonomous-system 1
    bgp create peer-group int-ibgp-1 type internal autonomous-system 1
    bgp add peer-host 16.122.128.
The configuration for router C1 (a Cisco router) is as follows:

    router bgp 1
    no synchronization
    network 16.122.128.0 mask 255.255.255.0
    network 17.122.128.0 mask 255.255.255.0
    neighbor 16.122.128.1 remote-as 1
    neighbor 16.122.128.1 next-hop-self
    neighbor 16.122.128.1 soft-reconfiguration inbound
    neighbor 16.122.128.2 remote-as 1
    neighbor 16.122.128.2 next-hop-self
    neighbor 16.122.128.2 soft-reconfiguration inbound
    neighbor 16.122.128.9 remote-as 1
    neighbor 16.122.128.
This sample configuration shows External BGP peers, SSR1 and SSR4, which are not connected to the same subnet.

[Figure: network diagram of AS-64800 and AS-64801 with routers SSR1, SSR2, SSR3 and SSR4; legend: Physical Link, Peering Relationship]

The CLI configuration for router SSR1 is as follows:

    bgp create peer-group ebgp_multihop autonomous-system 64801 type external
    bgp add peer-host 18.122.128.
The gated.conf file for router SSR1 is as follows:

    autonomoussystem 64800 ;
    routerid 0.0.0.1 ;
    bgp yes {
        traceoptions state ;
        group type external peeras 64801
        {
            peer 18.122.128.2 gateway 16.122.128.3 ;
        };
    };
    static {
        18.122.0.0 masklen 16 gateway 16.122.128.3 ;
    };

The CLI configuration for router SSR2 is as follows:

    interface create ip to-R1 address-netmask 16.122.128.3/16 port et.1.1
    interface create ip to-R3 address-netmask 17.122.128.3/16 port et.1.
The gated.conf file for router SSR3 is as follows:

    static {
        16.122.0.0 masklen 16 gateway 17.122.128.3 ;
    };

The CLI configuration for router SSR4 is as follows:

    bgp create peer-group ebgp_multihop autonomous-system 64801 type external
    bgp add peer-host 18.122.128.2 group ebgp_multihop
    !
    ! Specify the gateway option, which indicates EBGP multihop. Set the
    ! gateway option to the address of the router that has a route to the
    ! peer.
    !
    bgp set peer-host 18.122.128.
[Figure 12: network diagram of AS-64899, AS-64900, AS-64901 and AS-64902 with ISP1, ISP2, CS1, CS2 and routers R10, R11, R13 and R14; legend: Physical Link, Peering Relationship, Information Flow]
[Figure 13. Sample BGP Configuration (Well-Known Community): network diagram of AS-64900, AS-64901 and AS-64902 with ISP2 and routers SSR10, SSR11 and SSR13; legend: Physical Link, Peering Relationship, Information Flow]

The Community attribute can be used in three ways:

1.
In Figure 13, router SSR11 has the following configuration:

    #
    # Create an optional attribute list with identifier color1 for a community
    # attribute (community-id 160 AS 64901)
    #
    ip-router policy create optional-attributes-list color1 community-id 160 autonomous-system 64901
    #
    # Create an optional attribute list with identifier color2 for a community
    # attribute (community-id 155 AS 64901)
    #
    ip-router policy create optional-attributes-list color2 community-id 155 autonom
In Figure 13, router SSR13 has the following configuration:

    ip-router policy create optional-attributes-list color1 community-id 160 autonomous-system 64902
    ip-router policy create optional-attributes-list color2 community-id 155 autonomous-system 64902
    ip-router policy create bgp-import-source 902color1 optional-attributes-list color1 autonomous-system 64899 sequence-number 1
    ip-router policy create bgp-import-source 902color2 optional-attributes-list color2 autonomous-
In Figure 13, router SSR10 has the following configuration:

    #
    # Create an optional attribute list with identifier color1 for a community
    # attribute (community-id 160 AS 64902)
    #
    ip-router policy create optional-attributes-list color1 community-id 160 autonomous-system 64902
    #
    # Create an optional attribute list with identifier color2 for a community
    # attribute (community-id 155 AS 64902)
    #
    ip-router policy create optional-attributes-list color2 community-id 155 autonom
The community attribute may be a single community or a set of communities. A maximum of 10 communities may be specified. The community attribute can take any of the following forms:

• Specific community
  The specific community consists of the combination of the AS-value and community ID.
Notes on Using Communities

When originating BGP communities, the set of communities that is actually sent is the union of the communities received with the route (if any), those specified in group policy (if any), and those specified in export policy (if any).

When receiving BGP communities, the update is only matched if all communities specified in the optional-attributes-list option of the ip-router policy create command are present in the BGP update.
SSR12. Because local preference is exchanged between the routers within the AS, all traffic from AS 64901 is sent to SSR13 as the exit point.

[Figure: network diagram of AS-64900 and AS-64901 with routers SSR10, SSR11, SSR12 and SSR13 and their EBGP links]
Using the local-pref Option

For router SSR12’s CLI configuration file, local-pref is set to 194:

    bgp set peer-group as901 local-pref 194

For router SSR13, local-pref is set to 204.

    bgp set peer-group as901 local-pref 204

Using the set-pref Option

The formula used to compute the local preference is as follows:

    Local_Pref = 254 – (global protocol preference for this route) + set-pref metric

Note: A value greater than 254 will be reset to 254.
For example, in Figure 14, routers SSR12, SSR13, and SSR14 have the following line in their CLI configuration files:

    bgp set peer-group as901 set-pref 100

• The value of the set-pref option should be consistent with the import policy in the network. The metric value should be set high enough to avoid conflicts between BGP routes and IGP or static routes.
Routers SSR4 and SSR6 inform router C1 about network 172.16.200.0/24 through External BGP (EBGP). Router SSR6 announces the route with a MED of 10, whereas router SSR4 announces the route with a MED of 20. Of the two EBGP routes, router C1 chooses the one with the smaller MED. Thus router C1 prefers the route from router SSR6, which has a MED of 10.
Router SSR8 has the following CLI configuration:

    interface add ip xleapnl address-netmask 212.19.192.2/24
    interface create ip hobbygate address-netmask 212.19.199.62/24 port et.1.2
    interface create ip xenosite address-netmask 212.19.198.1/24 port et.1.7
    interface add ip lo0 address-netmask 212.19.192.1/30
    bgp create peer-group webnet type external autonomous-system 64901
    bgp add peer-host 194.109.86.5 group webnet
    #
    # Create an aggregate route for 212.19.192.
Figure 17 shows a sample configuration that uses route reflection.

[Figure 17. Sample BGP Configuration (Route Reflection): network diagram of AS-64900, AS-64901 and AS-64902 with routers SSR8 through SSR14, marked as EBGP peers, IBGP cluster clients and IBGP non-cluster clients]

In this example, there are two clusters.
Router SSR11 has router SSR12 and router SSR13 as client peers and router SSR10 as a nonclient peer. The following line in router SSR11’s configuration file specifies it to be a route reflector:

    bgp set peer-group rtr11 reflector-client

Even though the IBGP Peers are not fully meshed in AS 64901, the direct routes of router SSR14, that is, 192.68.222.
Notes on Using Route Reflection

• Two types of route reflection are supported:
  – By default, all routes received by the route reflector from a client are sent to all internal peers (including the client’s group, but not the client itself).
  – If the no-client-reflect option is enabled, routes received from a route reflection client are sent only to internal peers that are not members of the client's group. In this case, the client's group must itself be fully meshed.
Chapter 13 Routing Policy Configuration Guide

Route Import and Export Policy Overview

The SSR family of routers supports extremely flexible routing policies.
Preference

Preference is the value the SSR routing process uses to order preference of routes from one protocol or peer over another. Preference can be set using several different configuration commands. Preference can be set based on one network interface over another, from one protocol over another, or from one remote gateway over another. Preference may not be used to control the selection of routes within an Interior Gateway Protocol (IGP).
Import Policies

Import policies control the importation of routes from routing protocols and their installation in the routing databases (Routing Information Base and Forwarding Information Base). Import Policies determine which routes received from other systems are used by the SSR routing process. Every import policy can have up to two components:

• Import-Source
• Route-Filter

Import-Source

This component specifies the source of the imported routes.
It is only possible to restrict the importation of OSPF ASE routes when functioning as an AS border router. Like the other interior protocols, preference cannot be used to choose between OSPF ASE routes. That is done by the OSPF costs.

Route-Filter

This component specifies the individual routes which are to be imported or restricted. The preference to be associated with these routes can also be explicitly specified using this component.
The routes to be exported can be identified by their associated attributes:

• Their protocol type (RIP, OSPF, BGP, Static, Direct, Aggregate).
• Interface or the gateway from which the route was received.
• Autonomous system from which the route was learned.
• AS path associated with a route. When BGP is configured, all routes are assigned an AS path when they are added to the routing table.
A route will match the most specific filter that applies. Specifying more than one filter with the same destination, mask, and modifiers generates an error.

There are three possible formats for a route filter. Not all of these formats are available in all places. In most cases, it is possible to associate additional options with a filter.
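The following model of the most-specific-filter rule is an added example, not SSR or GateD code. It assumes the GateD meaning of the modifiers (exact: same mask length; refines: longer mask; between: mask length within a range; no modifier: the network and anything inside it) and that, among filters that apply, the one with the longest mask wins; the class, function names and sample policies are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

_MODIFIERS = {"any", "exact", "refines", "between"}


@dataclass(frozen=True)
class RouteFilter:
    network: str                      # destination/mask; "0.0.0.0/0" stands in for "all"
    modifier: str = "any"             # one of _MODIFIERS
    low: int = 0                      # mask-length bounds, used by "between" only
    high: int = 32
    action: str = "accept"            # "accept" or "restrict"
    preference: Optional[int] = None

    def __post_init__(self):
        if self.modifier not in _MODIFIERS:
            raise ValueError("unknown modifier: %r" % self.modifier)
        ipaddress.ip_network(self.network)   # reject malformed prefixes early

    def applies_to(self, route):
        """True if this filter covers the route (an ip_network object)."""
        net = ipaddress.ip_network(self.network)
        if route.version != net.version or not route.subnet_of(net):
            return False
        if self.modifier == "exact":
            return route.prefixlen == net.prefixlen
        if self.modifier == "refines":
            return route.prefixlen > net.prefixlen
        if self.modifier == "between":
            return self.low <= route.prefixlen <= self.high
        return True


def check_unique(filters):
    """Raise if two filters share destination, mask and modifiers."""
    seen = set()
    for f in filters:
        key = (ipaddress.ip_network(f.network), f.modifier, f.low, f.high)
        if key in seen:
            raise ValueError("duplicate filter: %s %s" % (f.network, f.modifier))
        seen.add(key)


def evaluate(filters, route):
    """Return the most specific filter that applies to route, or None."""
    check_unique(filters)
    route = ipaddress.ip_network(route)
    # Longest filter mask first; equal masks keep their declared order.
    ordered = sorted(filters,
                     key=lambda f: ipaddress.ip_network(f.network).prefixlen,
                     reverse=True)
    for f in ordered:
        if f.applies_to(route):
            return f
    return None


# Constructed policy: accept everything except 10.51.0.0/16.
# With "exact", a more specific 10.51.x.x/24 falls through to "all".
LOOSE_POLICY = [
    RouteFilter("0.0.0.0/0", action="accept"),
    RouteFilter("10.51.0.0/16", "exact", action="restrict"),
]
# Without a modifier, the restriction also covers every subnet of the block.
TIGHT_POLICY = [
    RouteFilter("0.0.0.0/0", action="accept"),
    RouteFilter("10.51.0.0/16", action="restrict"),
]

if __name__ == "__main__":
    for name, policy in (("loose", LOOSE_POLICY), ("tight", TIGHT_POLICY)):
        for route in ("10.51.0.0/16", "10.51.1.0/24", "135.3.1.0/24"):
            print(name, route, evaluate(policy, route).action)
```

The two sample policies differ only in the modifier, which decides whether a neighbor can still get a restricted block accepted by announcing it as smaller subnets.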
Route aggregation is also used by regional and national networks to reduce the amount of routing information passed around. With careful allocation of network addresses to clients, regional networks can just announce one route to regional networks instead of hundreds. Aggregate routes are not actually used for packet forwarding by the originator of the aggregate route, but only by the receiver (if it wishes).
Route-Filter

This component specifies the individual routes that are to be aggregated or summarized. The preference to be associated with these routes can also be explicitly specified using this component. The contributing routes are ordered according to the aggregation preference that applies to them. If there is more than one contributing route with the same aggregating preference, the route's own preferences are used to order the routes.
Many protocols allow the specification of two authentication keys per interface. Packets are always sent using the primary keys, but received packets are checked with both the primary and secondary keys before being discarded.

Authentication Keys and Key Management

An authentication key permits the generation and verification of the authentication field in protocol packets.
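The following simulation is an added example, not SSR code. It shows why checking received packets against both the primary and the secondary key lets two neighbors change keys without losing updates, and what happens when the primary key is changed on one side only. HMAC-SHA-256 stands in for whatever authentication algorithm the routing protocol actually uses; the class, function names and key values are constructed.

```python
import hashlib
import hmac


def auth_field(key, payload):
    """Compute the authentication field for a packet (stand-in algorithm)."""
    return hmac.new(key, payload, hashlib.sha256).digest()


class Interface:
    """One router interface holding a primary and an optional secondary key."""

    def __init__(self, primary, secondary=None):
        self.primary = primary
        self.secondary = secondary

    def send(self, payload):
        # Packets are always sent using the primary key.
        return payload, auth_field(self.primary, payload)

    def receive(self, payload, field):
        # A received packet is checked with both keys before being discarded.
        for key in (self.primary, self.secondary):
            if key is not None and hmac.compare_digest(auth_field(key, payload), field):
                return True
        return False


def exchange_ok(a, b, payload=b"routing update"):
    """True if a accepts b's packet and b accepts a's packet."""
    return a.receive(*b.send(payload)) and b.receive(*a.send(payload))


def staged_rollover(old, new):
    """Change keys on two neighbors in stages; report each stage's result."""
    a, b = Interface(old), Interface(old)
    log = [("both use old key", exchange_ok(a, b))]
    a.secondary = new
    b.secondary = new
    log.append(("new key added as secondary on both", exchange_ok(a, b)))
    a.primary, a.secondary = new, old
    log.append(("A sends with new key, B not yet switched", exchange_ok(a, b)))
    b.primary, b.secondary = new, old
    log.append(("both send with new key", exchange_ok(a, b)))
    a.secondary = None
    b.secondary = None
    log.append(("old key removed", exchange_ok(a, b)))
    return log


def abrupt_change(old, new):
    """Replace the primary key on A only, with no secondary key configured."""
    a, b = Interface(old), Interface(old)
    a.primary = new
    b_accepts_a = b.receive(*a.send(b"routing update"))
    a_accepts_b = a.receive(*b.send(b"routing update"))
    return b_accepts_a, a_accepts_b


if __name__ == "__main__":
    OLD, NEW = b"constructed-old-key", b"constructed-new-key"
    for stage, ok in staged_rollover(OLD, NEW):
        print("%-45s %s" % (stage, "accepted" if ok else "DISCARDED"))
    print("abrupt change:", abrupt_change(OLD, NEW))
```

The old key should be removed from the secondary slot once every neighbor sends with the new one, since any packet authenticated with it is still accepted until then.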
The from-proto parameter specifies the protocol of the source routes. The values for the from-proto parameter can be rip, ospf, bgp, direct, static, aggregate and ospf-ase. The to-proto parameter specifies the destination protocol where the routes are to be exported. The values for the to-proto parameter can be rip, ospf and bgp. The network parameter provides a means to define a filter for the routes to be distributed.
Redistributing RIP into RIP

The SSR routing process requires RIP redistribution into RIP if a protocol is redistributed into RIP. To redistribute RIP into RIP, enter the following command in Configure mode:

To redistribute RIP into RIP.
    ip-router policy redistribute from-proto rip to-proto rip

Redistributing RIP into OSPF

RIP routes may be redistributed to OSPF.
To redistribute aggregate routes, enter one of the following commands in Configure mode:

To redistribute aggregate routes into RIP.
    ip-router policy redistribute from-proto aggregate to-proto rip

To redistribute aggregate routes into OSPF.
    !++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
    ! RIP Box Level Configuration
    !++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
    rip start
    rip set default-metric 2
    !++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
    ! RIP Interface Configuration. Create RIP interfaces, and set
    ! their type to (version II, multicast).
• Specify the static routes configured on the router
• Determine its OSPF configuration

    !++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
    ! Create the various IP interfaces.
    !++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
    interface create ip to-r2 address-netmask 120.190.1.1/16 port et.1.2
    interface create ip to-r3 address-netmask 130.1.1.1/16 port et.1.3
    interface create ip to-r41 address-netmask 140.1.1.
In the configuration shown in Figure 19 on page 185, suppose we decide to run RIP Version 2 on network 120.190.0.0/16, connecting routers R1 and R2. Router R1 would like to export all RIP, interface, and static routes to OSPF.
routes to be exported can be identified by their associated attributes, such as protocol type, interface or the gateway from which the route was received, and so on.

• Route Filter - This component provides the means to define a filter for the routes to be distributed. Routes that match a filter are considered as eligible for redistribution. This can be done using one of two methods:
  – Creating a route-filter and associating an identifier with it.
Creating an Export Destination

To create an export destination, enter one of the following commands in Configure mode:

Create a RIP export destination.
    ip-router policy create rip-export-destination

Create an OSPF export destination.
    ip-router policy create ospf-export-destination

Creating an Export Source

To create an export source, enter one of the following commands in Configure mode:

Create a RIP export source.
To create route import policies, enter the following command in Configure mode:

Create an import policy.
    ip-router policy import source [filter |[network [exact|refines|between ] [preference |restrict]]]

The is the identifier of the import-source that determines the source of the imported routes.
Creating an Aggregate Route

Route aggregation is a method of generating a more general route, given the presence of a specific route. The routing process does not perform any aggregation unless explicitly requested. Aggregate-routes can be constructed from one or more of the following building blocks:

• Aggregate-Destination - This component specifies the aggregate/summarized route. It also specifies the attributes associated with the aggregate route.
The is the identifier of the route-filter associated with this aggregate. If there is more than one route-filter for any aggregate-destination and aggregate-source combination, then the ip-router policy aggr-gen destination source command should be repeated for each .
[Figure 18: network diagram of routers R1, R2, R3, R6, R7, R41 and R42 with RIP V1 and RIP V2 links and a default route toward the Internet]
The following configuration commands for router R1:

• Determine the IP address for each interface.
• Specify the static routes configured on the router.
• Determine its RIP configuration.

    !++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
    ! Create the various IP interfaces.
    !++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
    interface create ip to-r2 address-netmask 120.190.1.1/16 port et.1.
Importing a Selected Subset of Routes from One RIP Trusted Gateway

Router R1 has several RIP peers. Router R41 has an interface on the network 10.51.0.0. By default, router R41 advertises network 10.51.0.0/16 in its RIP updates. Router R1 would like to import all routes except the 10.51.0.0/16 route from its peer R41.

1. Add the peer 140.1.1.41 to the list of trusted and source gateways.

    rip add source-gateways 140.1.1.41
    rip add trusted-gateways 140.1.1.
Example 2: Importing from OSPF

Due to the nature of OSPF, only the importation of ASE routes may be controlled. OSPF intra- and inter-area routes are always imported into the SSR routing table with a preference of 10. If a tag is specified, the import clause will only apply to routes with the specified tag. It is only possible to restrict the importation of OSPF ASE routes when functioning as an AS border router.
[Figure 19: network diagram of routers R1, R2, R3, R5, R6, R7, R8, R10, R11, R41 and R42 across the OSPF Backbone, Area 140.1.0.0 and Area 150.20.0.0, with a RIP V2 link and BGP]
The following configuration commands for router R1:

• Determine the IP address for each interface
• Specify the static routes configured on the router
• Determine its OSPF configuration

    !++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
    ! Create the various IP interfaces.
    !++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
    interface create ip to-r2 address-netmask 120.190.1.1/16 port et.1.
Examples of Export Policies

Example 1: Exporting to RIP

Exporting to RIP is controlled by any of protocol, interface or gateway. If more than one is specified, they are processed from most general (protocol) to most specific (gateway).

It is not possible to set metrics for exporting RIP routes into RIP. Attempts to do this are silently ignored.

If no export policy is specified, RIP and interface routes are exported into RIP.
    !+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
    ip add route 135.3.1.0/24 gateway 130.1.1.3
    ip add route 135.3.2.0/24 gateway 130.1.1.3
    ip add route 135.3.3.0/24 gateway 130.1.1.3
    !+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
    ! Configure default routes to the other subnets reachable through R2.
    !+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
    ip add route 202.1.0.0/16 gateway 120.190.1.
4. Create a Direct export source since we would like to export direct/interface routes.

    ip-router policy create direct-export-source directExpSrc

5. Create the export-policy redistributing the statically created default route, and all (RIP, Direct) routes into RIP.
Exporting All Static Routes Reachable Over a Given Interface to a Specific RIP-Interface

In this case, router R1 would export/redistribute all static routes accessible through its interface 130.1.1.1 to its RIP-interface 140.1.1.1 only.

1. Create a RIP export destination for the interface with address 140.1.1.1, since we intend to change the RIP export policy for interface 140.1.1.1.

    ip-router policy create rip-export-destination ripExpDst141 interface 140.1.1.
Exporting Aggregate-Routes into RIP

In the configuration shown in Figure 18 on page 181, suppose you decide to run RIP Version 1 on network 130.1.0.0/16, connecting routers R1 and R3. Router R1 desires to announce the 140.1.1.0/24 and 140.1.2.0/24 networks to router R3. RIP Version 1 does not carry any information about subnet masks in its packets. Thus it would not be possible to announce the subnets (140.1.1.0/24 and 140.1.2.
8. Create the Export-Policy redistributing all (RIP, Direct) routes and the aggregate route 140.1.0.0/16 into RIP.

    ip-router policy export destination ripExpDst130 source aggrExpSrc network 140.1.0.
    !++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
    ! Create the various IP interfaces.
    !++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
    interface create ip to-r2 address-netmask 120.190.1.1/16 port et.1.2
    interface create ip to-r3 address-netmask 130.1.1.1/16 port et.1.3
    interface create ip to-r41 address-netmask 140.1.1.1/24 port et.1.4
    interface create ip to-r42 address-netmask 140.1.2.1/24 port et.1.
4. Create a Direct export source since we would like to export interface/direct routes.

    ip-router policy create direct-export-source directExpSrc

5. Create the Export-Policy for redistributing all interface routes and static routes into OSPF.
5. Create a RIP export source.

    ip-router policy export destination ripExpDst source ripExpSrc network all

6. Create a Static export source.

    ip-router policy create static-export-source statExpSrc

7. Create a Direct export source.

    ip-router policy create direct-export-source directExpSrc

8. Create the Export-Policy for redistributing all interface, RIP and static routes into OSPF.
12. Create the Export-Policy for redistributing all interface, RIP, static, OSPF and OSPF-ASE routes into RIP.
Chapter 14 Multicast Routing Configuration Guide

IP Multicast Overview

Multicast routing on the SSR is supported through DVMRP and IGMP. IGMP is used to determine host membership on directly attached subnets. DVMRP is used to determine forwarding of multicast traffic between SSRs.
The SSR allows per-interface control of the host query interval and response time. Query interval defines the time between IGMP queries. Response time defines the time the SSR will wait for host responses to IGMP queries. The SSR can be configured to deny or accept group membership filters.

DVMRP Overview

DVMRP is an IP multicast routing protocol. On the SSR, DVMRP routing is implemented as specified in the draft-ietf-idmr-dvmrp-v3-06.
Configuring IGMP

You configure IGMP on the SSR by performing the following configuration tasks:

• Creating IP interfaces
• Setting global parameters that will be used for all the interfaces on which DVMRP is enabled
• Configuring IGMP on individual interfaces. You do so by enabling and disabling IGMP on interfaces and then setting IGMP parameters on the interfaces on which IGMP is enabled
• Start the multicast routing protocol (i.e.
To configure the host response wait time, enter the following command in Configure mode:

Configure the IGMP host response wait time.
    igmp set responsetime

Configuring Per-Interface Control of IGMP Membership

You can configure the SSR to control IGMP membership on a per-interface basis. An interface can be configured to be allowed or not allowed membership to a particular group.
• Configuring DVMRP on individual interfaces. You do so by enabling and disabling DVMRP on interfaces and then setting DVMRP parameters on the interfaces on which DVMRP is disabled
• Defining DVMRP tunnels, which IP uses to send multicast traffic between two end points

Starting and Stopping DVMRP

DVMRP is disabled by default on the SSR. To start or stop DVMRP, enter one of the following commands in Configure mode:

Start DVMRP.
    dvmrp start

Stop DVMRP.
Configuring the DVMRP Routing Metric

You can configure the DVMRP routing metric associated with a set of destinations for DVMRP reports. The default metric is 1.

To configure the DVMRP routing metric, enter the following command in Configure mode:

Configure the DVMRP routing metric.
To prevent the SSR from forwarding any data destined to a scoped group on an interface, enter the following command in the Configure mode:

Configure the DVMRP scope.
    dvmrp set interface scope

Configuring a DVMRP Tunnel

The SSR supports DVMRP tunnels to the MBONE (the multicast backbone of the Internet). You can configure a DVMRP tunnel on a router if the other end is running DVMRP.
Show all IGMP group memberships on a port basis.
    igmp show memberships

Show all IGMP timers.
    igmp show timers

Show information about multicasts registered by IGMP.
    l2-tables show igmp-mcast-registration

Show IGMP status on a VLAN.
    l2-tables show vlan-igmp-status

Show all multicast Source, Group entries.
    multicast show cache

Show all interfaces running multicast protocols (IGMP, DVMRP).
    multicast show interfaces

Show all multicast routes.
    dvmrp enable interface 172.1.1.10
    dvmrp enable interface 207.135.122.11
    dvmrp enable interface 207.135.89.64
    dvmrp enable interface 10.40.1.10
    !
    ! Set DVMRP parameters
    !
    dvmrp set interface 172.1.1.
Chapter 15 IP Policy-Based Forwarding Configuration Guide Overview You can configure the SSR to route IP packets according to policies that you define. IP policy-based routing allows network managers to engineer traffic to make the most efficient use of their network resources. IP policies forward packets based on layer-3 or layer-4 IP header information.
Chapter 15: IP Policy-Based Forwarding Configuration Guide ISPs. You can also create IP policies to select service providers based on various traffic types. Configuring IP Policies To implement an IP policy, you first create a profile for the packets to be forwarded using an IP policy. For example, you can create a profile defined as “all telnet packets going from network 9.1.0.0/16 to network 15.1.0.0/16”. You then associate the profile with an IP policy.
Chapter 15: IP Policy-Based Forwarding Configuration Guide For example, the following command creates an IP policy called “p1” and specifies that packets matching profile “prof1” are forwarded to next-hop gateway 10.10.10.10: ssr(config)# ip-policy p1 permit acl prof1 next-hop-list 10.10.10.10 You can also set up a policy to prevent packets from being forwarded by an IP policy.
Chapter 15: IP Policy-Based Forwarding Configuration Guide Setting Load Distribution for Next-Hop Gateways You can specify up to four next-hop gateways in an ip-policy statement. If you specify more than one next-hop gateway, you can use the ip-policy set command to control how the load is distributed among them and to check the availability of the next-hop gateways. By default, each new flow uses the first available next-hop gateway.
Chapter 15: IP Policy-Based Forwarding Configuration Guide IP Policy Configuration Examples This section presents some examples of IP policy configurations.
The following is the IP policy configuration for the Policy Router in Figure 20:
interface create ip user-a address-netmask 10.50.1.1/16 port et.1.1
interface create ip user-b address-netmask 11.50.1.1/16 port et.1.2
acl user-a-http permit ip 10.50.0.0/16 207.31.0.0/16 any http 0
acl user-a permit ip 10.50.0.0/16 207.31.0.0/16 any any 0
acl user-b permit ip 11.50.0.0/16 any any any 0
ip-policy net-a permit acl user-a-http next-hop-list 100.1.1.
Chapter 15: IP Policy-Based Forwarding Configuration Guide Traffic from the premium customer is load balanced across two next-hop gateways in the high-cost, high-availability network. If neither of these gateways is available, then packets are forwarded based on dynamic routes learned via routing protocols. Traffic from the standard customer always uses one gateway (200.1.1.1). If for some reason that gateway is not available, packets from the standard customer are dropped.
Chapter 15: IP Policy-Based Forwarding Configuration Guide Packets from users defined in the “contractors” group are sent through a firewall. If the firewall cannot be reached packets from the contractors group are dropped. Packets from users defined in the “full-timers” group do not have to go through the firewall. The following is the IP policy configuration for the Policy Router in Figure 22: interface create ip mls0 address-netmask 10.50.1.1/16 port et.1.1 acl contractors permit ip 10.50.1.
Chapter 15: IP Policy-Based Forwarding Configuration Guide The following is the configuration for Policy Router 1 in Figure 23. vlan create firewall vlan add ports et.1.(1-5) to firewall interface create ip firewall address-netmask 1.1.1.5/16 vlan firewall acl firewall permit ip any any any 0 ip-policy p1 permit acl firewall next-hop-list “1.1.1.1 1.1.1.2 1.1.1.3 1.1.1.
Chapter 15: IP Policy-Based Forwarding Configuration Guide For example, to display information about an active IP policy called “p1”, enter the following command in Enable mode: ssr# ip-policy show policy-name p1 -------------------------------------------------------------------------------IP Policy name : p1 1 2 Applied Interfaces : int1 3 Load Policy : first available 4 5 ACL --prof1 prof2 everything 6 Source IP/Mask -------------9.1.1.5/32 2.2.2.2/32 anywhere 7 Dest. IP/Mask ------------15.1.1.
Chapter 15: IP Policy-Based Forwarding Configuration Guide 11. The sequence in which the statement is evaluated. IP policy statements are listed in the order they are evaluated (lowest sequence number to highest). 12. The rule to apply to the packets matching the profile: either permit or deny 13. The name of the profile (ACL) of the packets to be forwarded using an IP policy. 14.
Chapter 16 Network Address Translation Configuration Guide Overview Note: Some commands in this facility require updated SSR hardware. Please refer to Appendix A for details. Network Address Translation (NAT) allows an IP address used within one network to be translated into a different IP address used within another network. NAT is often used to map addresses used in a private, local intranet to one or more addresses used in the public, global Internet.
Chapter 16: Network Address Translation Configuration Guide The SSR allows you to create the following NAT address bindings: • Static, one-to-one binding of inside, local address or address pool to outside, global address or address pool. A static address binding does not expire until the command that defines the binding is negated. IP addresses defined for static bindings cannot be reassigned. For static address bindings, PAT allows TCP or UDP port numbers to be translated along with the IP addresses.
Chapter 16: Network Address Translation Configuration Guide Setting NAT Rules Static You create NAT static bindings by entering the following command in Configure mode. Enable NAT with static address binding. nat create static protocol ip|tcp|udp local-ip global-ip [local-port |any] [global-port |any] Dynamic You create NAT dynamic bindings by entering the following command in Configure mode.
Chapter 16: Network Address Translation Configuration Guide Managing Dynamic Bindings As mentioned previously, dynamic address bindings expire only after a period of non-use or when they are manually deleted. The default timeout for dynamic address bindings is 1440 minutes (24 hours). You can manually delete dynamic address bindings for a specific address pool or delete all dynamic address bindings. To set the timeout for dynamic address bindings, enter the following command in Configure mode.
Chapter 16: Network Address Translation Configuration Guide The default timeout for DNS dynamic address bindings is 30 minutes. You can change this timeout by entering the following command in Configure mode: Specify the timeout for DNS bindings.
Chapter 16: Network Address Translation Configuration Guide Monitoring NAT To display NAT information, enter the following command in Enable mode. Display NAT information. nat show [translations all|] [timeouts] [statistics] Configuration Examples This section shows examples of NAT configurations. Static Configuration The following example configures a static address binding for inside address 10.1.1.2 to outside address 192.50.20.2: Outbound: Translate source 10.1.1.2 to 192.50.20.
Chapter 16: Network Address Translation Configuration Guide Using Static NAT Static NAT can be used when the local and global IP addresses are to be bound in a fixed manner. These bindings never get removed nor time out until the static NAT command itself is negated. Static binding is recommended when you have a need for a permanent type of binding. The other use of static NAT is when the out to in traffic is the first to initialize a connection, i.e., the first packet is coming from outside to inside.
Next, define the interfaces to be NAT “inside” or “outside”:
nat set interface 10-net inside
nat set interface 192-net outside
Then, define the NAT dynamic rules by first creating the source ACL pool and then configuring the dynamic bindings:
acl lcl permit ip 10.1.1.0/24
nat create dynamic local-acl-pool lcl global-pool 192.50.20.
Chapter 16: Network Address Translation Configuration Guide Dynamic NAT with IP Overload (PAT) Configuration The following example configures a dynamic address binding for inside addresses 10.1.1.0/24 to outside address 192.50.20.0/24: Outbound: Translate source pool 10.1.1.0/24 to global pool 192.50.20.1-192.50.20.3 10.1.1.4 Router IP network 10.1.1.0/24 10.1.1.3 10.1.1.2 et.2.1 Global Internet et.2.2 interface 10-net (10.1.1.1/24) interface 192-net (192.50.20.
Chapter 16: Network Address Translation Configuration Guide the pools and the SSR automatically chooses a free global IP from the global pool for the local IP. Dynamic bindings are removed when the flow count goes to zero or the timeout has been reached. The removal of bindings frees the port for that global and the port is available for reuse. When all the ports for that global are used, then ports are assigned from the next free global.
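The binding behaviour described above (a port taken from the first global with one free, released when the flow count reaches zero or the timeout passes, then reused) is modelled below as an added example; it is not SSR code and not part of the original manual. The port range starting at 1024, the two-ports-per-global limit and the choice of the first global with a free port are assumptions made to keep the model small; the addresses and the 1440-minute default come from this chapter. The reverse lookup shows why attributing a global address and port to an inside host needs the time of the event as well.

```python
from dataclasses import dataclass

DEFAULT_TIMEOUT_MIN = 1440  # default dynamic-binding timeout stated in this chapter


@dataclass
class Binding:
    global_ip: str
    global_port: int
    flows: int
    last_used: float  # minutes since the start of the simulation


class PatTable:
    """Illustrative model of dynamic NAT with IP overload (PAT)."""

    def __init__(self, global_ips, ports_per_global):
        # Assumption: constructed port range; the SSR's real range is not given here.
        self.free = {g: list(range(1024, 1024 + ports_per_global)) for g in global_ips}
        self.bindings = {}  # (local_ip, local_port) -> Binding

    def open_flow(self, local_ip, local_port, now):
        """Start a flow and return the (global_ip, global_port) it is translated to."""
        key = (local_ip, local_port)
        binding = self.bindings.get(key)
        if binding is None:
            binding = self._allocate(now)
            self.bindings[key] = binding
        binding.flows += 1
        binding.last_used = now
        return binding.global_ip, binding.global_port

    def _allocate(self, now):
        # Use the first global that still has a free port, then move to the next.
        for global_ip, ports in self.free.items():
            if ports:
                return Binding(global_ip, ports.pop(0), 0, now)
        raise RuntimeError("global pool exhausted")

    def close_flow(self, local_ip, local_port):
        """End one flow; the binding is removed when its flow count reaches zero."""
        key = (local_ip, local_port)
        binding = self.bindings[key]
        binding.flows -= 1
        if binding.flows == 0:
            self._release(key)

    def expire(self, now, timeout=DEFAULT_TIMEOUT_MIN):
        """Remove bindings unused for `timeout` minutes; return the removed keys."""
        stale = [k for k, b in self.bindings.items() if now - b.last_used >= timeout]
        for key in stale:
            self._release(key)
        return stale

    def _release(self, key):
        binding = self.bindings.pop(key)
        ports = self.free[binding.global_ip]
        ports.append(binding.global_port)  # the port becomes available for reuse
        ports.sort()

    def inside_host(self, global_ip, global_port):
        """Map a global address and port back to the inside host using it now."""
        for key, binding in self.bindings.items():
            if (binding.global_ip, binding.global_port) == (global_ip, global_port):
                return key
        return None


if __name__ == "__main__":
    table = PatTable(["192.50.20.1", "192.50.20.2", "192.50.20.3"], ports_per_global=2)
    print(table.open_flow("10.1.1.2", 5000, now=0))
    print(table.open_flow("10.1.1.3", 5000, now=1))
    print(table.open_flow("10.1.1.4", 5000, now=2))   # first global is full
    table.close_flow("10.1.1.2", 5000)                # frees a port on the first global
    print(table.open_flow("10.1.1.4", 6000, now=3))   # reuses the freed port
    print(table.inside_host("192.50.20.1", 1024))
```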
Chapter 16: Network Address Translation Configuration Guide Using Dynamic NAT with DNS When a client from outside sends a query to the static global IP address of the DNS server, NAT will translate the global IP address to the local IP address of the DNS server. The DNS server will resolve the query and respond with a reply. The reply can include the local IP address of a host inside the local network (for example, 10.1.1.
Chapter 16: Network Address Translation Configuration Guide Then, define the NAT dynamic rules by first creating the source ACL pool and then configuring the dynamic bindings: acl lcl permit ip 10.1.1.0/24 nat create dynamic local-acl-pool lcl global-pool 192.50.20.0/24 matchingif 192-net nat create dynamic local-acl-pool lcl global-pool 210.50.20.
Chapter 17 Web Hosting Configuration Guide Overview Accessing information on websites for both work or personal purposes is becoming a normal practice for an increasing number of people. For many companies, fast and efficient web access is important for both external customers who need to access the company websites, as well as for users on the corporate intranet who need to access Internet websites.
Chapter 17: Web Hosting Configuration Guide Load Balancing Note: Load balancing requires updated SSR hardware. Please refer to Appendix A for details. You can use the load balancing feature on the SSR to distribute session load across a group of servers. If you configure the SSR to provide load balancing, client requests that go through the SSR can be redirected to any one of several predefined hosts. With load balancing, clients access servers through a virtual IP.
Chapter 17: Web Hosting Configuration Guide redirects the request to the actual server address and port. Server selection is done according to the specified policy. To add servers to the server group, enter the following command in Configure mode: Add load balancing servers to a specific server group. load-balance add host-to-group group-name port [weight ] Add range of load balancing servers to a range of server groups.
Chapter 17: Web Hosting Configuration Guide directed to the same load balancing server (for example, the server with IP address 10.1.1.1). • Sticky persistence: a binding is determined by matching the source and destination IP addresses only. This allows all requests from a client to the same virtual address to be directed to the same load balancing server. For example, both HTTP and HTTPS requests from the client address 134.141.176.10 to the virtual destination address 207.135.89.
Chapter 17: Web Hosting Configuration Guide Optional Group or Server Operating Parameters There are several commands you can specify that affect the operating parameters of individual servers or the entire group of load balancing servers. In many cases, there are default parameter values and you only need to specify a command if you wish to change the default operation. For example, you can specify the policy to be used for distributing the workload for a group of load balancing servers.
Chapter 17: Web Hosting Configuration Guide Verifying Servers and Applications The SSR automatically performs the following types of verification for the attached load balancing servers/applications: • Verifies the state of the server by sending a ping to the server at 5-second intervals. If the SSR does not receive a reply from a server after four ping requests, the server is considered to be “down.
Chapter 17: Web Hosting Configuration Guide Verifying Extended Content You can also have the SSR verify the content of an application on one or more load balancing servers. For this type of verification, you specify the following: • A string that the SSR sends to a single server or to the group of load balancing servers. The string can be a simple HTTP command to get a specific HTML page. Or, it can be a command to execute a user-defined CGI script that tests the operation of the application.
Chapter 17: Web Hosting Configuration Guide To set the status of a load balancing server, enter the following command in Enable mode: Set status of load balancing server. load-balance set server-status server-ip server-port group-name status up|down Load Balancing and FTP File Transfer Protocol (FTP) packets require special handling with load balancing, because the FTP PORT command packets contain IP address information within the data portion of the packet.
To specify the timeout for load balancing mappings, enter the following command in Configure mode:
Specify the timeout for source-destination mappings.
    load-balance set aging-for-src-maps aging-time
Displaying Load Balancing Information
To display load balancing information, enter the following commands in Enable mode:
Show the groups of load balancing servers.
Chapter 17: Web Hosting Configuration Guide Web Hosting with One Virtual Group and Multiple Destination Servers In the following example, a company web site is established with a URL of www.ctron.com. The system administrator configures the networks so that the SSR forwards web requests among four separate servers, as shown below. Web requests forwarded to one of the servers 10.1.1.1 Internet Router Web requests to www.ctron.com Virtual IP Address: 207.135.89.16 10.1.1.2 10.1.1.3 10.1.1.4 www.ctron.
Chapter 17: Web Hosting Configuration Guide Web Hosting with Multiple Virtual Groups and Multiple Destination Servers In the following example, three different servers are used to provide different services for a site. 10.1.1.1 Web requests forwarded to the server Internet Router www.quick.com User Queries: 10.1.1.2 10.1.1.3 www.quick.com ftp.quick.com smtp.quick.com ftp.quick.com smtp.quick.com Domain Name Virtual IP TCP Port Real Server IP TCP Port www.quick.com 207.135.89.16 80 10.1.1.
Virtual IP Address Ranges
ISPs who provide web hosting services for their clients require a large number of virtual IP addresses (VIPs). The load-balance create vip-range-name and load-balance add host-to-vip-range commands were created specifically for this. An ISP can create a range of VIPs for up to an entire class C network with the load-balance create vip-range-name command.
Chapter 17: Web Hosting Configuration Guide The network shown in the previous example can be created with the following loadbalance commands: load-balance virtual-port load-balance port 80 load-balance port 80 create vip-range-name mywwwrange 207.135.89.16-207.135.89.50 80 protocol tcp add host-to-vip-range 10.1.1.16-10.1.1.50 vip-range-name mywwwrange add host-to-vip-range 10.1.2.16-10.1.2.
Chapter 17: Web Hosting Configuration Guide Web Caching Web caching provides a way to store frequently accessed Web objects on a cache of local servers. Each HTTP request is transparently redirected by the SSR to a configured cache server. When a user first accesses a Web object, that object is stored on a cache server. Each subsequent request for the object uses this cached object.
Chapter 17: Web Hosting Configuration Guide Specifying the Client(s) for the Cache Group (Optional) You can explicitly specify the hosts whose HTTP requests are or are not redirected to the cache servers. If you do not explicitly specify these hosts, then all HTTP requests are redirected to the cache servers. To specify the clients or non-clients for the cache group, enter the following commands in Configure mode: Define hosts whose requests are redirected to cache servers.
Chapter 17: Web Hosting Configuration Guide Configuration Example In the following example, a cache group of seven local servers is configured to store Web objects for users in the local network: Cache1 s2 Servers: s1 Servers: 186.89.10.51 186.89.10.55 176.89.10.50 176.89.10.51 176.89.10.52 176.89.10.53 176.89.10.
Chapter 17: Web Hosting Configuration Guide which HTTP requests are not redirected to the cache servers, enter the following command in Configure mode: Define destination sites to which HTTP requests are sent directly. web-cache create bypass-list range |list |acl Proxy Server Redundancy Some networks use proxy servers that receive HTTP requests on a non-standard port number (i.e., not port 80).
Show caching policy information.
    web-cache show cache-name |all
Show cache server information.
Chapter 18 IPX Routing Configuration Guide
IPX Routing Overview
The Internetwork Packet Exchange (IPX) is a connectionless datagram protocol for the Novell NetWare environment. You can configure the SSR for IPX routing and SAP. Routers interconnect different network segments and by definition are network layer devices. Thus routers receive their instructions for forwarding a packet from one segment to another from a network layer protocol.
Chapter 18: IPX Routing Configuration Guide this information is immediately broadcast to any neighboring routers. Routers also send periodic RIP broadcast packets containing all routing information known to the router. The SSR uses IPX RIP to create and maintain a database of internetwork routing information. The SSR's implementation of RIP allows the following exchanges of information: • Workstations locate the fastest route to a network number by broadcasting a route request.
Chapter 18: IPX Routing Configuration Guide Configuring IPX RIP & SAP This section provides an overview of configuring various IPX parameters and setting up IPX interfaces. IPX RIP On the SSR, RIP automatically runs on all IPX interfaces. The SSR will keep multiple routes to the same network having the lowest ticks and hop count. Static routes can be configured on the SSR using the CLI’s ipx add route command.
Chapter 18: IPX Routing Configuration Guide Configuring IPX Interfaces and Parameters This section provides an overview of configuring various IPX parameters and setting up IPX interfaces. Configuring IPX Addresses to Ports You can configure one IPX interface directly to a physical port. To configure an IPX interface to a port, enter the following command in Configure mode: Configure an IPX interface to a physical port.
Specifying IPX Encapsulation Method
The SmartSwitch Router supports four encapsulation types for IPX. You can configure encapsulation type on a per-interface basis.
• Ethernet II: The standard ARPA Ethernet Version 2.0 encapsulation, which uses a 16-bit protocol type code (the default encapsulation method)
• 802.3 SNAP: SNAP IEEE 802.3 encapsulation, in which the type code becomes the frame length for the IEEE 802.
Chapter 18: IPX Routing Configuration Guide Configuring Static Routes In a Novell NetWare network, the SSR uses RIP to determine the best paths for routing IPX. However, you can add static RIP routes to RIP routing table to explicitly specify a route. To add a static RIP route, enter the following command in Configure mode: Add a static RIP route.
Chapter 18: IPX Routing Configuration Guide To create an IPX access control list, perform the following task in the Configure mode: Create an IPX access control list. acl permit|deny ipx Once an IPX access control list has been created, you must apply the access control list to an IPX interface. To apply an IPX access control list, enter the following command in Configure mode: Apply an IPX access control list.
Chapter 18: IPX Routing Configuration Guide Creating an IPX GNS Access Control List IPX GNS access control lists control which SAP services the SSR can reply with to a get nearest server (GNS) request. To create an IPX GNS access control list, enter the following command in Configure mode: Create an IPX GNS access control list.
Chapter 18: IPX Routing Configuration Guide Monitoring an IPX Network The SSR reports IPX interface information and RIP or SAP routing information. To display IPX information, enter the following command in Enable mode: Show a RIP entry in the IPX RIP table. ipx find rip Show a SAP entry in the IPX SAP table. ipx find sap Show IPX interface information. ipx show interfaces Show IPX RIP table.
!Add static sap
ipx add sap 0004 FILESERVER1 9.03:04:05:06:07:08 452 1 AAAAAAAA
!
!RIP Access List
acl 100 deny ipxrip 1 2
!
!RIP inbound filter
acl 100 apply interface ipx1 input
!
!SAP Access List
acl 200 deny ipxsap A.
Chapter 19 Access Control List Configuration Guide This chapter explains how to configure and use Access Control Lists (ACLs) on the SSR. ACLs are lists of selection criteria for specific types of packets. When used in conjunction with certain SSR functions, ACLs allow you to restrict Layer-3/4 traffic going through the router. This chapter contains the following sections: • “ACL Basics” on page 260 explains how ACLs are defined and how the SSR evaluates them.
Chapter 19: Access Control List Configuration Guide ACL Basics An ACL consists of one or more rules describing a particular type of IP or IPX traffic. ACLs can be simple, consisting of only one rule, or complicated with many rules. Each rule tells the SSR to either permit or deny packets that match selection criteria specified in the rule. Each ACL is identified by a name. The name can be a meaningful string, such as denyftp or noweb or it can be a number such as 100 or 101.
Chapter 19: Access Control List Configuration Guide These selection criteria are specified as fields of an ACL rule. The following syntax description shows the fields of an IP ACL rule: acl permit|deny ip [accounting] Note: The acl permit|deny ip command restricts traffic for all IP-based protocols, such as TCP, UDP, ICMP, and IGMP.
Chapter 19: Access Control List Configuration Guide How ACL Rules are Evaluated For an ACL with multiple rules, the ordering of the rules is important. When the SSR checks a packet against an ACL, it goes through each rule in the ACL sequentially. If a packet matches a rule, it is forwarded or dropped based on the permit or deny keyword in the rule. All subsequent rules are ignored. That is, a first-match algorithm is used.
With the implicit deny rule, this ACL actually has three rules:
acl 101 permit ip 1.2.3.4/24 any any any
acl 101 permit ip 4.3.2.1/24 any nntp any
acl 101 deny any any any any any
If a packet comes in and doesn't match the first two rules, the packet is dropped. This is because the third rule (the implicit deny rule) matches all packets. Although the implicit deny rule may seem obvious in the above example, this is not always the case.
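The first-match evaluation and the implicit deny rule described above are modelled below in Python as an added example; it is not SSR code and not part of the original manual. The field order after the protocol keyword (source, destination, source port, destination port), the treatment of omitted fields as "any", the service-name table and ACL 102 are assumptions or constructed for illustration. The shadowed() check goes slightly beyond the text: it flags rules that an earlier, broader rule makes unreachable, which is the usual way rule ordering goes wrong.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed service-name table covering only the names used below.
SERVICES = {"nntp": 119, "http": 80, "telnet": 23}


@dataclass(frozen=True)
class Rule:
    action: str          # "permit" or "deny"
    src: str = "any"     # source address/mask or "any"
    dst: str = "any"     # destination address/mask or "any"
    sport: str = "any"   # source port, service name or "any"
    dport: str = "any"   # destination port, service name or "any"


def parse_rule(line):
    """Parse 'acl <name> permit|deny ip <src> <dst> <sport> <dport>'.

    Assumptions: this field order, and omitted trailing fields mean "any".
    The protocol keyword is read but not modelled.
    """
    tokens = line.split()
    if len(tokens) < 4 or tokens[0] != "acl" or tokens[2] not in ("permit", "deny"):
        raise ValueError(f"not an ACL rule: {line!r}")
    return Rule(tokens[2], *tokens[4:8])


def _net(spec):
    # strict=False because the manual writes host addresses with a mask (1.2.3.4/24).
    return None if spec == "any" else ip_network(spec, strict=False)


def _port(spec):
    if spec == "any":
        return None
    return SERVICES[spec] if spec in SERVICES else int(spec)


def _matches(rule, src, dst, sport, dport):
    nets_ok = all(n is None or ip_address(a) in n
                  for n, a in ((_net(rule.src), src), (_net(rule.dst), dst)))
    ports_ok = all(p is None or p == v
                   for p, v in ((_port(rule.sport), sport), (_port(rule.dport), dport)))
    return nets_ok and ports_ok


def evaluate(rules, src, dst, sport, dport):
    """Return (action, rule_number); rule_number is None for the implicit deny."""
    for number, rule in enumerate(rules, start=1):
        if _matches(rule, src, dst, sport, dport):
            return rule.action, number   # first match wins; later rules are ignored
    return "deny", None                  # nothing matched: the implicit deny applies


def _covers(outer, inner):
    """True if every packet matching `inner` also matches `outer`."""
    for o, i in ((_net(outer.src), _net(inner.src)), (_net(outer.dst), _net(inner.dst))):
        if o is not None and (i is None or not i.subnet_of(o)):
            return False
    for o, i in ((_port(outer.sport), _port(inner.sport)),
                 (_port(outer.dport), _port(inner.dport))):
        if o is not None and o != i:
            return False
    return True


def shadowed(rules):
    """List (rule_number, earlier_rule_number) for rules that can never match."""
    hits = []
    for j, later in enumerate(rules):
        for i, earlier in enumerate(rules[:j]):
            if _covers(earlier, later):
                hits.append((j + 1, i + 1))
                break
    return hits


# ACL 101 as written on this page (the implicit deny is not listed).
ACL_101 = [parse_rule("acl 101 permit ip 1.2.3.4/24 any any any"),
           parse_rule("acl 101 permit ip 4.3.2.1/24 any nntp any")]

# Constructed ACL 102 in two orders, to show the effect of rule ordering.
NARROW_FIRST = [parse_rule("acl 102 deny ip 10.11.0.0/16 10.12.0.0/16"),
                parse_rule("acl 102 permit ip 10.11.0.0/16 any")]
BROAD_FIRST = list(reversed(NARROW_FIRST))

if __name__ == "__main__":
    print(evaluate(ACL_101, "4.3.2.9", "192.0.2.10", 119, 2000))
    print(evaluate(ACL_101, "10.0.0.1", "192.0.2.10", 1025, 80))
    print(shadowed(BROAD_FIRST))
```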
Chapter 19: Access Control List Configuration Guide you would have to create an ACL to allow responses from each specific outside host. If the number of outside hosts that internal users need to access is large or changes frequently, this can be difficult to maintain. To address this problem, the SSR can be configured to accept outside TCP responses into the internal network, provided that the TCP connection was initiated internally. Otherwise, it will be rejected.
Suppose the following ACL commands are stored in a file on some hosts:
no acl *
acl 101 deny tcp 10.11.0.0/16 10.12.0.0/16
acl 101 permit tcp 10.11.0.0 any
acl 101 apply interface int12 input
The first command, no acl *, negates all commands that start with the keyword, “acl”. This tells the SSR to remove the application and the definition of any ACL.
Chapter 19: Access Control List Configuration Guide If you edit and save changes to an ACL that is currently being used or applied to an interface, the changes will take effect immediately. There is no need to remove the ACL from the interface before making changes and reapply it after changes are made. The process is automatic. Using ACLs It is important to understand that an ACL is simply a definition of packet characteristics specified in a set of rules.
Chapter 19: Access Control List Configuration Guide application). Note that for an external agent to modify or remove an applied ACL from an interface, the acl-policy enable external command must be in the configuration. In general, you should try to apply ACLs at the inbound interfaces instead of the outbound interfaces. If a packet is to be denied, you want to drop the packet as early as possible, at the inbound interface.
Chapter 19: Access Control List Configuration Guide Like ACLs that are applied to interfaces, ACLs that are applied to Layer 4 bridging ports can be applied to either inbound or outbound traffic. For each port, only one ACL can be applied for the inbound direction and one for the outbound direction. You can apply two ACLs to the same port if one is for inbound traffic and one is for outbound traffic.
Chapter 19: Access Control List Configuration Guide • Unlike with other kinds of ACLs, there is no implicit deny rule for Profile ACLs. • Only certain ACL rule parameters are relevant for each configuration command. For example, the configuration command to create NAT address pools for dynamic bindings (the nat create dynamic command) only looks at the source IP address in the specified ACL rule. The destination IP address, ports, and TOS parameters, if specified, are ignored.
Chapter 19: Access Control List Configuration Guide criteria (in this case, flows from source address 1.2.2.2). Then you use a rate-limit command to specify what happens to packets that match the selection criteria (in this example, drop them if their bandwidth usage exceeds 10 Mbps). The following commands illustrate this example. This command creates a Profile ACL called prof2 that uses as its selection criteria all packets originating from source address 1.2.2.2: ssr(config)# acl prof2 permit ip 1.2.2.
Chapter 19: Access Control List Configuration Guide Once you have defined a Profile ACL, you can then use the nat create dynamic command to bind the range of IP addresses defined in the local profile to a range in network 192.50.20.0/24. ssr(config)# nat create dynamic local-acl-pool local global-pool 192.50.20.10/24 See “Network Address Translation Configuration Guide” on page 219 for more information on using dynamic NAT.
Chapter 19: Access Control List Configuration Guide Redirecting HTTP Traffic to Cache Servers You can use a Profile ACL to specify which HTTP traffic should always (or never) be redirected to the cache servers. (By default, when Web caching is enabled, all HTTP traffic from all hosts is redirected to the cache servers unless you specify otherwise.) For example, you can specify that packets with a source address of 10.10.10.10 and a destination address of 1.2.3.
Chapter 19: Access Control List Configuration Guide Enabling ACL Logging To see whether incoming packets are permitted or denied because of an ACL, you can enable ACL logging. You can enable logging when applying the ACL or you can enable logging for a specific ACL rule. The following commands define an ACL and apply the ACL to an interface, with logging enabled for the ACL: acl 101 deny ip 10.2.0.
Monitoring ACLs
The SSR provides a display of ACL configurations active in the system. To display ACL information, enter the following commands in Enable mode.
Show all ACLs.
    acl show all
Show a specific ACL.
    acl show aclname | all
Show an ACL on a specific interface.
    acl show interface
Show ACLs on all IP interfaces.
    acl show interface all-ip
Show static entry filters.
Chapter 20 Security Configuration Guide Security Overview The SSR provides security features that help control access to the SSR and filter traffic going through the SSR. Access to the SSR can be controlled by: • Enabling RADIUS • Enabling TACACS • Enabling TACACS Plus • Password authentication Traffic filtering on the SSR enables: • Layer-2 security filters - Perform filtering on source or destination MAC addresses.
Chapter 20: Security Configuration Guide Configuring SSR Access Security This section describes the following methods of controlling access to the SSR: • RADIUS • TACACS • TACACS Plus • Passwords Configuring RADIUS You can secure login or Enable mode access to the SSR by enabling a Remote Authentication Dial-In Service (RADIUS) client. A RADIUS server responds to the SSR RADIUS client to provide authentication. You can configure up to five RADIUS server targets on the SSR.
Chapter 20: Security Configuration Guide Monitoring RADIUS You can monitor RADIUS configuration and statistics within the SSR. To monitor RADIUS, enter the following commands in Enable mode: Show RADIUS server statistics. radius show stats Show all RADIUS parameters. radius show all Configuring TACACS In addition, Enable mode access to the SSR can be made secure by enabling a Terminal Access Controller Access Control System (TACACS) client.
Chapter 20: Security Configuration Guide Configuring TACACS Plus You can secure login or Enable mode access to the SSR by enabling a TACACS Plus client. A TACACS Plus server responds to the SSR TACACS Plus client to provide authentication. You can configure up to five TACACS Plus server targets on the SSR. A timeout is set to tell the SSR how long to wait for a response from TACACS Plus servers.
Chapter 20: Security Configuration Guide Monitoring TACACS Plus You can monitor TACACS Plus configuration and statistics within the SSR. To monitor TACACS Plus, enter the following commands in Enable mode: Show TACACS Plus server statistics. tacacs-plus show stats Show all TACACS Plus parameters. tacacs-plus show all Configuring Passwords The SSR provides password authentication for accessing the User and Enable modes.
Chapter 20: Security Configuration Guide A secure filter shuts down access to the SSR based on MAC addresses. All packets received by a port are dropped. When combined with static entries, however, these filters can be used to drop all received traffic but allow some frames to go through. Configuring Layer-2 Address Filters If you want to control access to a source or destination on a per-MAC address basis, you can configure an address filter.
Chapter 20: Security Configuration Guide Configuring Layer-2 Port-to-Address Lock Filters Port address lock filters allow you to bind or “lock” specific source MAC addresses to a port or set of ports. Once a port is locked, only the specified source MAC address is allowed to connect to the locked port and the specified source MAC address is not allowed to connect to any other ports.
Chapter 20: Security Configuration Guide Configuring Layer-2 Secure Port Filters Secure port filters block access to a specified port. You can use a secure port filter by itself to secure unused ports. Secure port filters can be configured as source or destination port filters. A secure port filter applied to a source port forces all incoming packets to be dropped on a port. A secure port filter applied to a destination port prevents packets from going out a certain port.
Monitoring Layer-2 Security Filters
The SSR provides display of Layer-2 security filter configurations contained in the routing table. To display security filter information, enter the following commands in Enable mode.
Show address filters.
    filters show address-filter [all-source|all-destination|all-flow] [source-mac dest-mac ] [ports ] [vlan ]
Show port address lock filters.
Destination filter: No one from the engineering group (port et.1.1) should be allowed to access the finance server. All traffic destined to the finance server's MAC will be dropped.
    filters add address-filter name finance dest-mac AABBCC:DDEEFF vlan 1 in-port-list et.1.1
Flow filter: Only the consultant is restricted access to one of the finance file servers. Note that port et.1.1 should be operating in flow-bridging mode for this filter to work.
Note: If the consultant’s MAC is detected on a different port, all of its traffic will be blocked.
Example 2: Secure Ports
Source secure port: To block all engineers on port 1 from accessing all other ports, enter the following command:
    filters add secure-port name engineers direction source vlan 1 in-port-list et.1.1
To allow ONLY the engineering manager access to the engineering servers, you must "punch" a hole through the secure-port wall.
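The filter behaviour described in this chapter (destination address filter, source secure port, port-to-address lock) can be checked offline against a list of observed frames. The Python model below is an added example, not SSR or Cabletron code; the class and function names, ports et.1.3 and et.1.5, and every MAC address other than AABBCC:DDEEFF are constructed for illustration, and static entries are not modelled.

```python
from dataclasses import dataclass, field


def norm_mac(mac):
    """Reduce 'AABBCC:DDEEFF' or 'aa:bb:cc:dd:ee:ff' to 12 lowercase hex digits."""
    digits = "".join(ch for ch in mac if ch not in ":-.").lower()
    if len(digits) != 12 or any(ch not in "0123456789abcdef" for ch in digits):
        raise ValueError("not a MAC address: %r" % (mac,))
    return digits


@dataclass(frozen=True)
class Frame:
    src_mac: str
    dst_mac: str
    in_port: str
    vlan: int = 1


@dataclass
class L2Filters:
    dest_filters: list = field(default_factory=list)  # (name, dest MAC, vlan, in-ports)
    secure_src: list = field(default_factory=list)    # (name, vlan, in-ports)
    locks: list = field(default_factory=list)         # (name, source MAC, vlan, ports)

    def add_dest_filter(self, name, dest_mac, vlan, in_ports):
        self.dest_filters.append((name, norm_mac(dest_mac), vlan, frozenset(in_ports)))

    def add_secure_source_port(self, name, vlan, in_ports):
        self.secure_src.append((name, vlan, frozenset(in_ports)))

    def add_port_address_lock(self, name, source_mac, vlan, ports):
        self.locks.append((name, norm_mac(source_mac), vlan, frozenset(ports)))

    def evaluate(self, frame):
        """Return ('forward' or 'drop', reason).

        Every rule modelled here is a drop rule, so the order of the checks
        changes only the reported reason, never the verdict.
        """
        src, dst = norm_mac(frame.src_mac), norm_mac(frame.dst_mac)

        # Source secure port: every frame received on the port is dropped.
        for name, vlan, ports in self.secure_src:
            if vlan == frame.vlan and frame.in_port in ports:
                return "drop", "secure-port %s" % name

        # Port-to-address lock, first half: a locked MAC may appear only on its ports.
        vlan_locks = [lock for lock in self.locks if lock[2] == frame.vlan]
        allowed = set()
        for _, mac, _, ports in vlan_locks:
            if mac == src:
                allowed |= ports
        if allowed and frame.in_port not in allowed:
            return "drop", "port-address-lock: locked MAC seen on %s" % frame.in_port

        # Second half: a locked port accepts only the MACs bound to it.
        owners = {mac for _, mac, _, ports in vlan_locks if frame.in_port in ports}
        if owners and src not in owners:
            return "drop", "port-address-lock: foreign MAC on locked port %s" % frame.in_port

        # Destination address filter, scoped to its in-port list.
        for name, mac, vlan, ports in self.dest_filters:
            if vlan == frame.vlan and dst == mac and frame.in_port in ports:
                return "drop", "address-filter %s" % name

        return "forward", "no filter matched"


def build_example():
    filters = L2Filters()
    filters.add_dest_filter("finance", "AABBCC:DDEEFF", 1, ["et.1.1"])    # from this chapter
    filters.add_secure_source_port("unused", 1, ["et.1.5"])               # constructed
    filters.add_port_address_lock("mgr", "001122:334455", 1, ["et.1.3"])  # constructed
    return filters


# Constructed sample frames: (source MAC, destination MAC, input port).
SAMPLE_FRAMES = [
    Frame("00:aa:00:00:00:01", "AABBCC:DDEEFF", "et.1.1"),      # engineer -> finance server
    Frame("00:aa:00:00:00:01", "00:bb:00:00:00:02", "et.1.1"),  # engineer -> other host
    Frame("00:aa:00:00:00:03", "AABBCC:DDEEFF", "et.1.2"),      # filter not applied to et.1.2
    Frame("001122:334455", "00:bb:00:00:00:02", "et.1.3"),      # locked MAC on its own port
    Frame("001122:334455", "00:bb:00:00:00:02", "et.1.2"),      # locked MAC moved ports
    Frame("00:aa:00:00:00:01", "00:bb:00:00:00:02", "et.1.3"),  # foreign MAC on locked port
    Frame("00:aa:00:00:00:04", "00:bb:00:00:00:02", "et.1.5"),  # anything on a secured port
]


def verdicts(filters, frames):
    return [filters.evaluate(frame)[0] for frame in frames]


if __name__ == "__main__":
    rules = build_example()
    for frame in SAMPLE_FRAMES:
        print(frame.in_port, frame.src_mac, "->", frame.dst_mac, rules.evaluate(frame))
```
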
Chapter 20: Security Configuration Guide Layer-4 Bridging and Filtering Layer-4 bridging is the SSR’s ability to use layer-3/4 information to perform filtering or QoS during bridging. As described in “Layer-2 Security Filters” above, you can configure ports to filter traffic using MAC addresses. Layer-4 bridging adds the ability to use IP addresses, layer-4 protocol type, and port number to filter traffic in a bridged network.
Creating a Port-Based VLAN for Layer-4 Bridging
The ports to be used in Layer-4 Bridging must all be on the same VLAN. To create a port-based VLAN, enter the following command in Configure mode:
Create a port-based VLAN.
Chapter 20: Security Configuration Guide In the example in Figure 25 on page 286, to allow the consultants access to the file server for e-mail (SMTP) traffic, but not for Web (HTTP) traffic — and allow e-mail, Web, and FTP traffic between the engineers and the file server, you would create ACLs that allow only SMTP traffic on the port to which the consultants are connected and allow SMTP, HTTP, and FTP traffic on the ports to which the engineers are connected.
• If you use a SmartTRUNK in a Layer-4 Bridging VLAN, the SSR maintains the packet order on a per-flow basis, rather than per-MAC pair. This means that for traffic between a MAC pair consisting of more than one flow, the packets may be disordered if they go through a SmartTRUNK. For traffic that doesn’t go through a SmartTRUNK, the per-MAC pair packet order is kept.
Chapter 21 QoS Configuration Guide QoS & Layer-2/Layer-3/Layer-4 Flow Overview The SSR allows network managers to identify traffic and set Quality of Service (QoS) policies without compromising wire speed performance. The SSR can guarantee bandwidth on an application by application basis, thus accommodating high-priority traffic even during peak periods of usage.
Chapter 21: QoS Configuration Guide Within the SSR, QoS policies are used to classify Layer-2, Layer-3, and Layer-4 traffic into the following priority queues (in order from highest priority to lowest): • Control (for router control traffic; the remaining classes are for normal data flows) • High • Medium • Low Separate buffer space is allocated to each of these four priority queues.
Chapter 21: QoS Configuration Guide Precedence for Layer-3 Flows A precedence from 1 - 7 is associated with each field in a flow. The SSR uses the precedence value associated with the fields to break ties if packets match more than one flow. The highest precedence is 1 and the lowest is 7.
Chapter 21: QoS Configuration Guide If a port operates in flow-bridging mode, you can be more specific and configure priorities for frames that match both a source AND a destination MAC address and a VLAN ID. You can also specify a list of ports to apply the policy. The VLAN ID in the QoS configuration must match the VLAN ID assigned to the list of ports to which the QoS policy is applied.
Chapter 21: QoS Configuration Guide You can create one or more priority maps that are different from the default priority map and then apply these maps to some or all ports of the SSR. The new priority mapping replaces the default mappings for those ports to which they are applied. Creating and Applying a New Priority Map To specify a priority map on a per-port basis, enter the following commands in Configure mode: Create a new priority mapping.
configured to use the default priority map only. If the commands to create and apply priority maps exist in the active configuration, they will remain in the configuration but be ineffective. To disable the use of priority maps, enter the following command in Configure mode:
Disable use of per-port priority maps on the SSR.
    qos priority-map off
If the above command is negated, ports on the SSR can use per-port priority maps.
Chapter 21: QoS Configuration Guide Setting an IP QoS Policy To set a QoS policy on an IP traffic flow, enter the following command in Configure mode: Set an IP QoS policy. qos set ip |any |any |any |any |any ||any |any |any |any |any For example, the following command assigns control priority to any traffic coming from the 10.10.11.
Chapter 21: QoS Configuration Guide Specifying Precedence for an IPX QoS Policy To specify the precedence for an IPX QoS policy, enter the following command in Configure mode: Specify precedence for an IPX QoS policy. qos precedence ipx [srcnet ] [srcnode ] [srcport ] [dstnet ] [dstnode ] [dstport ] [intf ] Configuring SSR Queueing Policy The SSR queuing policy is set on a system-wide basis. The SSR default queuing policy is strict priority.
Weighted Random Early Detection (WRED)
Weighted Random Early Detection (WRED) alleviates traffic congestion issues by selectively dropping packets before the queue becomes completely flooded. WRED parameters allow you to set conditions and limits for dropping packets in the queue. To enable WRED on input or output queues of specific ports, enter the following command in Configure mode:
Enable WRED on input or output queue of specified ports.
Chapter 21: QoS Configuration Guide For example, setting the ToS field to 0010 specifies that a packet will be routed on the most reliable paths. Setting the ToS field to 1000 specifies that a packet will be routed on the paths with the least delay. (Refer to RFC 1349 for the specification of the ToS field value.) With the ToS rewrite command, you can access the value in the ToS octet (which includes both the Precedence and ToS fields) in each packet.
Chapter 21: QoS Configuration Guide are rewritten to the value and the lower five bits are rewritten to the value.
Monitoring QoS
The SSR provides display of QoS statistics and configurations contained in the SSR. To display QoS information, enter the following commands in Enable mode:
Show all IP QoS flows.
    qos show ip
Show all IPX QoS flows.
    qos show ipx
Show all Layer-2 QoS flows.
    qos show l2 all-destination all-flow ports vlan source-mac dest-mac
Show RED parameters for each port.
Chapter 21: QoS Configuration Guide Limiting Traffic Rate Note: Some commands in this facility require updated SSR hardware. Please refer to Appendix A for details. Rate limiting provides the ability to control the usage of a fundamental network resource, bandwidth. It allows you to limit the rate of traffic that flows through the specified interfaces, thus reserving bandwidth for critical applications. The SSR supports two modes of rate limiting; only one mode can be in effect at a time.
Chapter 21: QoS Configuration Guide To enable aggregate rate limiting mode on the SSR, enter the following command in Configure mode: Enable aggregate rate limiting mode on the SSR. system enable aggregate-rate-limiting To change the rate limiting mode on the SSR back to per-flow mode, negate the above command. Per-Flow Rate Limiting Use a per-flow rate limiting policy if an individual traffic flow needs to be limited to a particular rate.
To define a port rate limit policy, enter one of the following commands in Configure mode:
Define a port rate limit policy to limit incoming traffic on a port.
    rate-limit port-level input rate port { drop-packets|no-action|lower-priority|lower-priority-except-control|tos-precedence-rewrite |tos-precedence-rewrite-lower-priority }
Define a port rate limit policy to limit outgoing traffic on a port.
Chapter 21: QoS Configuration Guide To define an aggregate rate limit policy and apply the policy to an interface, enter the following commands in Configure mode: Define an aggregate rate limit policy.
Chapter 21: QoS Configuration Guide Traffic from two interfaces, ‘ipclient1’ with IP address 1.2.2.2 and ‘ipclient2’ with IP address 3.1.1.1, is restricted to 10 Mbps for each flow with the following configuration: vlan create client1 ip vlan create backbone ip vlan create client2 ip vlan add ports et.1.1 to client1 vlan add ports et.1.2 to client2 vlan add ports et.1.8 to backbone interface create ip ipclient1 vlan client1 address-netmask 1.1.1.
Chapter 21: QoS Configuration Guide Displaying Rate Limit Information To show information about rate limit policies, enter the following command in Enable mode: Show rate limit policy information.
Chapter 22 Performance Monitoring Guide Performance Monitoring Overview The SSR is a full wire-speed layer-2, 3 and 4 switching router. As packets enter the SSR, layer-2, 3, and 4 flow tables are populated on each line card. The flow tables contain information on performance statistics and traffic forwarding. Thus the SSR provides the capability to monitor performance at Layer 2, 3, and 4.
Show information about the master MAC table.
    l2-tables show mac-table-stats
Show information about a particular MAC address.
    l2-tables show mac
Show info about multicasts registered by IGMP.
    l2-tables show igmp-mcast-registrations
Show whether IGMP is on or off on a VLAN.
    l2-tables show vlan-igmp-status
Show info about MACs registered by the system.
    l2-tables show bridge-management
Show SNMP statistics.
    snmp show statistics
Show ICMP statistics.
Chapter 22: Performance Monitoring Guide Configuring the SSR for Port Mirroring The SSR allows you to monitor activity with port mirroring. Port mirroring allows you to monitor the performance and activities of ports on the SSR or for traffic defined by an ACL through just a single, separate port. While in Configure mode, you can configure your SSR for port mirroring with a simple command line like the following: Configure Port Mirroring.
Chapter 23 RMON Configuration Guide RMON Overview You can employ Remote Network Monitoring (RMON) in your network to help monitor traffic at remote points on the network. With RMON, data collection and processing is done with a remote probe, namely the SSR. The SSR also includes RMON agent software that communicates with a network management station via SNMP.
Chapter 23: RMON Configuration Guide Configuring and Enabling RMON By default, RMON is disabled on the SSR. To configure and enable RMON on the SSR, follow these steps: 1. Turn on the Lite, Standard, or Professional RMON groups by entering the rmon set lite|standard|professional command. You can also configure default control tables for the Lite, Standard, or Professional RMON groups by including the default-tables yes parameter. 2. Enable RMON on specified ports with the rmon set ports command. 3.
Chapter 23: RMON Configuration Guide RMON Groups The RMON MIB groups are defined in RFCs 1757 (RMON 1) and 2021 (RMON 2). On the SSR, you can configure one or more levels of RMON support for a set of ports. Each level—Lite, Standard, or Professional—enables different sets of RMON groups (described later in this section). You need to configure at least one level before you can enable RMON on the SSR.
Chapter 23: RMON Configuration Guide Standard RMON Groups This section describes the RMON groups that are enabled when you specify the Standard support level. The Standard RMON groups are shown in the table below. Table 11. Standard RMON Groups Group Function Host Records statistics about the hosts discovered on the network. Host Top N Gathers the top n hosts, based on a specified rate-based statistic. This group requires the hosts group.
Chapter 23: RMON Configuration Guide Table 12. Professional RMON Groups Group Function Application Layer Matrix (and Top N) Monitors traffic at the application layer for protocols defined in the Protocol Directory. Top N gathers the top n application layer matrix entries. Network Layer Matrix (and Top N) Monitors traffic at the network layer for protocols defined in the Protocol Directory. Top N gathers the top n network layer matrix entries.
A row in the control table is created for each port on the SSR, with the owner set to “monitor”. If you want, you can change the owner by using the appropriate rmon command. See the section “Configuring RMON Groups” in this chapter for the command to configure a specific group. Note: Control tables other than the default control tables must be configured with CLI commands, as described in “Configuring RMON Groups”.
following command:
    ssr# rmon show al-matrix et.5.5
    RMON II Application Layer Host Table
    Index: 500, Port: et.5.5, Inserts: 4, Deletes: 0, Owner: monitor
    SrcAddr      DstAddr     Packets  Octets  Protocol
    -------      -------     -------  ------  --------
    10.50.89.88  15.15.15.3  1771     272562  *ether2.ip-v4
    10.50.89.88  15.15.15.3  1125     211192  *ether2.ip-v4.tcp
    10.50.89.88  15.15.15.3  1122     210967  *ether2.ip-v4.tcp.telnet
    10.50.89.88  15.15.15.3  3        225     *ether2.ip-v4.tcp.
Chapter 23: RMON Configuration Guide To configure the Filter group, you must configure both the Channel and Filter control tables.
Chapter 23: RMON Configuration Guide To configure the Protocol Distribution group. rmon protocol-distribution index port [owner ] [status enable|disable] To configure the User History group, you must configure the group of objects to be monitored and apply the objects in the group to the User History control table.
Chapter 23: RMON Configuration Guide • Samples taken at 300 second (5 minute) intervals. • A “Startup” alarm generation condition instructing the SSR to generate an alarm if the sample is greater than or equal to the rising threshold or less than or equal to the falling threshold. • Compare value at time of sampling (absolute value) to the specified thresholds. • Rising and falling threshold values are 1.
Chapter 23: RMON Configuration Guide To display the RMON 2 Address Map table. rmon show address-map |all-ports To show Network Layer Host logs. rmon show nl-host|all-ports [summary] To show Application Layer Host logs. rmon show al-host|all-ports [summary] To show Network Layer Matrix logs. rmon show nl-matrix|all-ports [order-by srcdst|dstsrc] [summary] To show Application Layer Matrix logs.
Chapter 23: RMON Configuration Guide The following shows Host table output without a CLI filter: ssr# rmon show hosts et.5.4 RMON I Host Table Index: 503, Port: et.5.
Chapter 23: RMON Configuration Guide Creating RMON CLI Filters To create RMON CLI filters, use the following CLI command in Configure mode: Creates an RMON CLI filter. rmon set cli-filter Using RMON CLI Filters To see and use RMON CLI filters, use the following CLI command in User or Enable mode: Displays RMON CLI filters. rmon show cli-filters Applies a CLI filter on current Telnet or Console session.
Chapter 23: RMON Configuration Guide Check the following fields on the rmon show status command output: ssr# rmon show status RMON Status ----------* RMON is ENABLED 1 * RMON initialization successful.
Chapter 23: RMON Configuration Guide Allocating Memory to RMON RMON allocates memory depending on the number of ports enabled for RMON, the RMON groups that have been configured, and whether or not default tables have been turned on or off. Enabling RMON with all groups (Lite, Standard, and Professional) with default tables uses approximately 300 Kbytes per port. If necessary, you can dynamically allocate additional memory to RMON.
Chapter 23: RMON Configuration Guide To set the amount of memory allocated to RMON, use the following CLI command in User or Enable mode: Specifies the total amount of Mbytes of memory allocated to RMON.
Chapter 24 LFAP Configuration Guide Overview The Lightweight Flow Accounting Protocol (LFAP) agent, defined in RFC 2124, is a TCP-oriented protocol used to push accounting information collected on the SSR to a Flow Accounting Server (FAS). The LFAP agent uses ACLs to determine the IP traffic on which accounting information will be collected.
Chapter 24: LFAP Configuration Guide Cabletron’s Traffic Accounting Services Cabletron’s Accounting Services consists of the following components: • LFAP agent on the SSR that collects application flow accounting information and sends it to the Cabletron FAS. You can configure the SSR to collect information on an entire interface or on a specific host-to-host application flow. Configuring the LFAP agent on the SSR is described in this chapter.
Chapter 24: LFAP Configuration Guide attempts to connect to it via TCP first. If the connection fails, then the next configured FAS is tried. A FAS can be configured as the primary FAS for one group of SSRs and the secondary FAS for another group of SSRs. Note: The Traffic Accountant is not designed to reconcile duplicate data records.
Monitoring the LFAP Agent on the SSR
The lfap show commands display information about the configuration of the LFAP agent on the SSR and its current status. Use the following commands in Enable mode to view LFAP agent information:
    Command                    Displays
    lfap show configuration    Configuration of the LFAP agent on the SSR.
    lfap show servers          Configured FAS system(s) to which the LFAP agent could connect.
    lfap show statistics       Statistics collected by the LFAP agent.
Chapter 25 WAN Configuration Guide This chapter provides an overview of Wide Area Network (WAN) applications as well as an overview of both Frame Relay and PPP configuration for the SSR. In addition, you can view an example of a multi-router WAN configuration complete with diagram and configuration files in “WAN Configuration Examples” on page 350.
Chapter 25: WAN Configuration Guide Using the same approach, a PPP high-speed serial interface (HSSI) WAN port located at router slot 3, port 2 would be identified as “hs.3.2”. Configuring WAN Interfaces Configuring IP & IPX interfaces for the WAN is generally the same as for the LAN. You can configure IP/IPX interfaces on the physical port or you can configure the interface as part of a VLAN for WAN interfaces.
Chapter 25: WAN Configuration Guide The following command line displays an example for a VLAN: interface create ip IPWAN address-netmask 10.50.1.1/16 peer-address 10.50.1.2 vlan BLUE Mapped Addresses Mapped peer IP/IPX addresses are very similar to static addresses in that InArp is disabled for Frame Relay and the address negotiated in IPCP/IPXCP is ignored for PPP. Mapped addresses are most useful when you do not want to specify the peer address using the interface create command.
Chapter 25: WAN Configuration Guide The following command line displays an example for a VLAN: interface create ip IPWAN address-netmask 10.50.1.1/16 vlan BLUE Forcing Bridged Encapsulation WAN for the SSR has the ability to force bridged packet encapsulation. This feature has been provided to facilitate seamless compatibility with Cisco routers, which expect bridged encapsulation in certain operating modes.
Average Packet Size
In most cases, the larger the packet size, the better the potential compression ratio. This is due to the overhead involved with compression, as well as the compression algorithm. For example, a link that always deals with minimum size packets may not perform as well as a link whose average packet size is much larger.
Nature of the Data
In general, data that is already compressed cannot be compressed any further.
The following command line displays an example for PPP:
    ppp set payload-compress port se.4.2
Packet Encryption
Packet encryption allows data to travel through unsecured networks. You can enable packet encryption for PPP ports; however, both ends of a link must be configured to use packet encryption. The following command line displays an example:
    ppp set payload-encrypt transmit-key 0x123456789abcdef receive-key 0xfedcba987654321 port se.4.2, mp.
Source Filtering and ACLs
Source filtering and ACLs can be applied to a WAN interface; however, they affect the entire module, not an individual port. For example, if you want to apply a source MAC address filter to a WAN serial card located in slot 5, port 2, your configuration command line would look like the following:
    ssr(config)# filters add address-filter name wan1 source-mac 000102:030405 vlan 2 in-port-list se.5
Port se.5 is specified instead of se.5.
Chapter 25: WAN Configuration Guide works with IP Precedence or priority, as defined in the qos configuration command line, to provide preferential traffic handling for higher-priority traffic. The CLI commands related to RED in both the Frame Relay and PPP protocol environments allow you to set maximum and minimum threshold values for each of the low-, medium-, and high-priority categories of WAN traffic.
Chapter 25: WAN Configuration Guide Permanent Virtual Circuits (PVCs) WAN interfaces can take advantage of connections that assure a minimum level of available bandwidth at all times. These standing connections, called Permanent Virtual Circuits (PVCs), allow you to route critical packet transmissions from host to peer without concern for network congestion significantly slowing, let alone interrupting, your communications.
Chapter 25: WAN Configuration Guide Setting up a Frame Relay Service Profile Once you have defined the type and location of your Frame Relay WAN interface(s), you can configure your SSR to more efficiently utilize available bandwidth for Frame Relay communications.
Chapter 25: WAN Configuration Guide Monitoring Frame Relay WAN Ports Once you have configured your frame relay WAN interface(s), you can use the CLI to monitor status and statistics for your WAN ports.
Chapter 25: WAN Configuration Guide • Committed information rate (CIR) of 20 million bits per second • Leave high-, low-, and medium-priority queue depths set to factory defaults • Random Early Discard (RED) disabled • RMON enabled The command line necessary to set up a service profile with the above attributes would be as follows: ssr(config)# frame-relay define service profile1 Bc 2000000 Be 10000000 becn-adaptive-shaping 65 cir 20000000 red off rmon on To assign the above service profile to the
Point-to-Point Protocol (PPP) Overview
Because of its ability to quickly and easily accommodate IP and IPX protocol traffic, Point-to-Point Protocol (PPP) routing has become a very important aspect of WAN configuration. Using PPP, you can set up router-to-router, host-to-router, and host-to-host connections.
Chapter 25: WAN Configuration Guide WAN interfaces, then apply a service profile to the desired interface(s). Examples of this process are displayed in “PPP Port Configuration” on page 348. Defining the Type and Location of a PPP Interface To configure a PPP WAN port, you need to first define the type and location of one or more PPP WAN ports on your SSR. The following command line displays a simplified example of a PPP WAN port definition: Define the type and location of a PPP WAN port.
Chapter 25: WAN Configuration Guide Note: If it is necessary to specify a value for Bridging, IP, and/or IPX, you must specify all three of these values at the same time. You cannot specify just one or two of them in the command line without the other(s). Applying a Service Profile to an Active PPP Port Once you have created one or more PPP service profiles, you can specify their use on one or more active PPP ports on the SSR.
Chapter 25: WAN Configuration Guide processing by MLP. If compression is enabled on a link, the packets will be compressed after the MLP processing. In general, choose bundle compression over link compression whenever possible. Compressing packets before they are “split” by MLP is much more efficient for both the compression algorithm and the WAN card. Link compression is supported to provide the widest range of compatibility with other vendors’ equipment.
Chapter 25: WAN Configuration Guide Suppose you wish to set up a service profile called “profile2” that includes the following characteristics: • Bridging enabled • Leave high-, low-, and medium-priority queue depths set to factory defaults • IP and IPX enabled • Sending of LCP Echo Requests disabled • Use of LCP magic numbers disabled • The maximum allowable number of unanswered requests set to 8 • The maximum allowable number of negative-acknowledgment transmissions set to 5 • The maximum
Chapter 25: WAN Configuration Guide WAN Configuration Examples Simple Configuration File The following is an example of a simple configuration file used to test frame relay and PPP WAN ports: port set hs.5.1 wan-encapsulation frame-relay speed 45000000 port set hs.5.2 wan-encapsulation ppp speed 45000000 interface create ip fr1 address-netmask 10.1.1.1/16 port hs.5.1.100 interface create ip ppp2 address-netmask 10.2.1.1/16 port hs.5.2 interface create ip lan1 address-netmask 10.20.1.1/16 port et.1.
Multi-Router WAN Configuration
The following is a diagram of a multi-router WAN configuration encompassing three subnets. From the diagram, you can see that R1 is part of both Subnets 1 and 2; R2 is part of both Subnets 2 and 3; and R3 is part of subnets 1 and 3.
[Figure: multi-router WAN configuration diagram]
Chapter 25: WAN Configuration Guide Router R1 Configuration File The following configuration file applies to Router R1. ---------------------------------------------------------------------Configuration for ROUTER R1 ---------------------------------------------------------------------port set hs.7.1 wan-encapsulation frame-relay speed 45000000 port set hs.3.1 wan-encapsulation frame-relay speed 45000000 port set hs.3.2 wan-encapsulation ppp speed 45000000 port set et.1.
    rip add interface all
    rip set interface all version 2
    rip set auto-summary enable
    rip start
    system set name R2
    arp add 20.20.20.12 exit-port et.1.1 mac-addr 000202:020200
Router R3 Configuration File
The following configuration file applies to Router R3.
    ----------------------------------------------------------------------
    Configuration for ROUTER R3
    ----------------------------------------------------------------------
    port set se.2.
    port set et.1.* duplex full
    frame-relay create vc port se.6.1.304
    vlan create s1 id 200
    vlan add ports se.6.1.304,se.6.3 to s1
    interface create ip s1 address-netmask 100.100.100.4/16 vlan s1
    rip add interface all
    rip set interface all version 2
    rip set interface all xmt-actual enable
    rip set broadcast-state always
    rip set auto-summary enable
    rip start
    system set name R4
Router R5 Configuration File
The following configuration file applies to Router R5.
Chapter 25: WAN Configuration Guide port set hs.3.1 wan-encapsulation frame-relay speed 45000000 frame-relay create vc port hs.3.1.106 frame-relay define service CIRforR1toR6 cir 45000000 bc 450000 frame-relay apply service CIRforR1toR6 ports hs.3.1.106 vlan create BridgeforR1toR6 port-based id 106 interface create ip FRforR1toR6 address-netmask 100.100.100.6/16 vlan BridgeforR1toR6 interface create ip lan1 address-netmask 60.60.60.6/16 port et.15.1 vlan add ports hs.3.1.
Appendix A New Features Supported on Line Cards Introduction Some of the features in firmware versions 3.0 and 3.1 are only supported on certain line cards. The following sections list SSR line cards and the firmware features that are supported on each card. SSR 8000/8600 Line Cards This section describes the following categories of SSR line cards: • line cards available prior to the 3.0 firmware release • line cards introduced with the 3.
Appendix A: New Features Supported on Line Cards The following table lists the line cards available for the SSR 8000/8600 prior to the 3.0 firmware release and the supported features. Line Card Part Number Pre-3.
Appendix A: New Features Supported on Line Cards In addition, these cards support all pre-3.0 firmware features. All cards, except for the gigabit Ethernet cards, also support WFQ. The following table lists the line cards introduced for the SSR 8000/8600 with the 3.0 firmware release and the supported features. Pre-3.0 SSR Firmware Features WFQ Listed 3.
Appendix A: New Features Supported on Line Cards Pre-3.0 SSR Firmware Features WFQ Listed 3.
Appendix A: New Features Supported on Line Cards SSR 2000 Line Cards The following table lists the line cards available for the SSR 2000 and the supported features: Line Card Part Number Pre-3.0 SSR Firmware Features WFQ Listed 3.0 Features Standard Chassis Configurations: SSR-2-B X X SSR-2-PKG X X SSR-2-WAN X X SSR-2-GSX X X Line Cards Available Prior to the 3.
Appendix A: New Features Supported on Line Cards SSR-2-SX-AA X X SSR-2-LX-AA X X SSR-2-LX70-AA X X SSR-2-SER-AA X X X SSR-2-SERC-AA X X X SSR-2-SERCE-AA X X X New Features that Require Specific Line Cards T-series line cards, -AA revision line cards, and non -AA revision line cards can be used in the same chassis. Version 3.
Appendix A: New Features Supported on Line Cards When multiple routers are connected together, only the router using Network Address Translation requires the -AA or T-series line card. In Diagram 2, only Router W requires the -AA or T-series line card since it is the only router performing translation to the global Internet. Note that Routers A and B are connected to the -AA or T-series line card on Router W.
Appendix A: New Features Supported on Line Cards When load balancing is implemented in a single system, the ports that attach to both incoming and outgoing interfaces must reside on -AA or T-series line cards. If the servers are load-sharing across multiple networks, ports assigned to the interfaces must also reside on -AA or T-series line cards.
Appendix A: New Features Supported on Line Cards When a VLAN spans across multiple SSRs with 802.1Q trunk ports, the requirements for -AA or T-series line cards depend on how layer 4 bridging is deployed. In Diagram 4, yellow and blue VLANs are created across multiple SSRs and are interconnected through an 802.1Q trunk port. Layer 4 bridging is enabled on both SSR A and B, but since SSR C does not have a -AA or T-series line card, no layer 4 bridging can be configured.
Appendix A: New Features Supported on Line Cards on SSR C since SSR C does not have a -AA or T-series line card. SSR C would drop all SNA traffic since its module would not recognize SNA traffic. QoS Rate Limiting There are three types of rate limiting supported on the SSR: • Per-flow rate limiting • Aggregate rate limiting • Port rate limiting Per-Flow Rate Limiting Per-flow rate limiting allows a network administrator to specify a bandwidth limit on an IP flow.
ToS Rewrite
The ToS rewrite command allows a network administrator to change the value in the ToS octet (which includes both the Precedence and ToS fields) in each IP packet. The SSR looks at every IP packet coming into the interface, and if a packet matches the defined parameters (Source IP, Destination IP, Source Port, Destination Port, or ToS Octet), the SSR rewrites the ToS Octet to a specific value.
Appendix A: New Features Supported on Line Cards Weighted Random Early Detection (WRED) Weighted Random Early Detection (WRED) algorithms can alleviate traffic congestion. WRED allows you to set conditions and limits for the selective dropping of packets on input or output queues of specific ports before the queues become completely flooded. The ports on which WRED are enabled must reside on T-series line cards.
Appendix A: New Features Supported on Line Cards Multiple IPX Encapsulation Interface AA/T-series — WRED Port T-series — Aggregate rate limiting Interface T-series — Port rate limiting Port T-series T-series Jumbo frame support Port/ Interface T-series* T-series* *. 10/100 T-series line cards do not support jumbo frames. Identifying a Line Card ATM, packet-over-SONET, and 16-port 10/100 BASE-TX line cards are T-series line cards introduced with the 3.1 firmware release.
    “Non -AA” Line Card    “-AA” Line Card
    D1.2 or less           D1.3 or greater
    G2.1.1 or less         G2.2 or greater
    I2.0 or less           I3.0 or greater
    O2.0 or less           O2.1 or greater
Example 2:
    ssr# system show hardware verbose
    : :
    Slot CM/1, Module: 10/100-TX Rev. 1.0
    Service String: 2_D1.2_0.512_I2.0_2_O2.0_0.512
    : :
The above Service String shows a “non -AA” 10/100 Base TX line card.
Example 3:
    ssr# system show hardware verbose
    : :
    Slot CM/1, Module: 10/100-TX Rev. 1.
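Because several security features in this appendix depend on -AA or T-series hardware, it helps to classify every card in a chassis from its Service String using the revision table above. The following Python script is an added example, not Cabletron software. It assumes Service String fields are separated by underscores and that a field is a component letter followed by a dotted revision; the second and third sample entries are constructed. How the SSR treats a card whose components fall on both sides of the table is not stated here, so such cards are reported as "mixed".

```python
import re

# Revision bounds per component letter, copied from the table above.
NON_AA_MAX = {"D": (1, 2), "G": (2, 1, 1), "I": (2, 0), "O": (2, 0)}
AA_MIN = {"D": (1, 3), "G": (2, 2), "I": (3, 0), "O": (2, 1)}

# A component field is one of the listed letters followed by a dotted revision.
_FIELD = re.compile(r"^([DGIO])(\d+(?:\.\d+)*)$")
# One card entry as printed by "system show hardware verbose" (layout per Example 2).
_CARD = re.compile(
    r"Slot\s+(\S+),\s+Module:\s+(.+?)\s+Rev\.\s*\S+\s+Service String:\s+(\S+)"
)


def parse_service_string(service_string):
    """Return {letter: revision tuple}; fields such as '2' or '0.512' are skipped."""
    components = {}
    for part in service_string.strip().split("_"):
        match = _FIELD.match(part)
        if match:
            revision = tuple(int(n) for n in match.group(2).split("."))
            components[match.group(1)] = revision
    return components


def _component_status(letter, revision):
    # Tuple comparison orders (2, 1) < (2, 1, 1) < (2, 2), matching dotted revisions.
    if revision <= NON_AA_MAX[letter]:
        return "non -AA"
    if revision >= AA_MIN[letter]:
        return "-AA"
    return "unlisted"  # falls between the two columns of the table


def classify(service_string):
    """Return '-AA', 'non -AA', 'mixed', 'unlisted' or 'unknown' for one Service String."""
    statuses = {
        _component_status(letter, revision)
        for letter, revision in parse_service_string(service_string).items()
    }
    if not statuses:
        return "unknown"   # no component field recognised
    if "unlisted" in statuses:
        return "unlisted"
    if len(statuses) == 1:
        return statuses.pop()
    return "mixed"         # components disagree; check the card by hand


def audit(show_hardware_output):
    """Return [(slot, module, verdict)] for every card found in the command output."""
    return [
        (slot, module, classify(service))
        for slot, module, service in _CARD.findall(show_hardware_output)
    ]


# First entry is Example 2 from this appendix; the other two are constructed.
SAMPLE_OUTPUT = """\
Slot CM/1, Module: 10/100-TX Rev. 1.0
Service String: 2_D1.2_0.512_I2.0_2_O2.0_0.512
Slot 3, Module: 10/100-TX Rev. 1.0
Service String: 2_D1.3_0.512_I3.0_2_O2.1_0.512
Slot 4, Module: 10/100-TX Rev. 1.0
Service String: 2_D1.3_0.512_I2.0_2_O2.0_0.512
"""

if __name__ == "__main__":
    for slot, module, verdict in audit(SAMPLE_OUTPUT):
        print("slot %-5s %-10s %s" % (slot, module, verdict))
```
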