User Reference Manual
Copyright Notices © 2001 by Enterasys Networks. All rights reserved. Enterasys Networks is a subsidiary of Cabletron Systems, Inc. Enterasys Networks 35 Industrial Way Rochester, NH 03867-5005 Printed in the United States of America This product includes software developed by the University of California, Berkeley, and its contributors. © 1979 – 1994 by The Regents of the University of California. All rights reserved.
ENTERASYS NETWORKS, INC. PROGRAM LICENSE AGREEMENT BEFORE OPENING OR UTILIZING THE ENCLOSED PRODUCT, CAREFULLY READ THIS LICENSE AGREEMENT. This document is an agreement (“Agreement”) between You, the end user, and Enterasys Networks, Inc. (“Enterasys”) that sets forth your rights and obligations with respect to the Enterasys software program (“Program”) in the package. The Program may be contained in firmware, chips or other media.
ENTERASYS DISCLAIMS ALL WARRANTIES, OTHER THAN THOSE SUPPLIED TO YOU BY ENTERASYS IN WRITING, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, WITH RESPECT TO THE PROGRAM, THE ACCOMPANYING WRITTEN MATERIALS, AND ANY ACCOMPANYING HARDWARE. 7. NO LIABILITY FOR CONSEQUENTIAL DAMAGES.
DECLARATION OF CONFORMITY
Application of Council Directive(s): 89/336/EEC, 73/23/EEC
Manufacturer's Name: Enterasys Networks, Inc.
Manufacturer's Address: 35 Industrial Way, PO Box 5005, Rochester, NH 03867
European Representative Name: Mr. Jim Sims
European Representative Address: Enterasys Networks Ltd.
Conformance to Directive(s)/Product Standards:
Equipment Type/Environment:
vi Enterasys Xpedition User Reference Manual
Contents (excerpt)
Chapter 1: Introduction, p. 1
  What's New, p. 1
  Related Documentation, p. 1
  Document Conventions
Hot Swapping One Type of Line Card With Another, p. 27
Hot Swapping a Secondary Control Module, p. 28
  Deactivating the Control Module, p. 28
  Removing the Control Module, p. 29
  Installing a Control Module
Chapter 6: SmartTRUNK Configuration Guide, p. 47
  Overview, p. 47
  Configuring SmartTRUNKs, p. 48
    Creating a SmartTRUNK
Configuring IP Interfaces for PoS Links, p. 75
Configuring Packet-over-SONET Links, p. 76
Configuring Automatic Protection Switching, p. 77
  Configuring Working and Protecting Ports, p. 78
  Specifying Bit Error Rate Thresholds
Monitoring IP Parameters, p. 104
Configuring Router Discovery, p. 105
Configuration Examples, p. 108
  Assigning IP/IPX Interfaces
Creating Virtual Links, p. 136
Configuring Autonomous System External (ASE) Link Advertisements, p. 137
Configuring OSPF for Different Types of Interfaces, p. 137
Monitoring OSPF, p. 138
OSPF Configuration Examples
Aggregate-Destination, p. 187
Aggregate-Source, p. 187
Route-Filter, p. 188
Authentication
Chapter 16: Multicast Routing Configuration Guide, p. 217
  IP Multicast Overview, p. 217
    IGMP Overview, p. 217
    DVMRP Overview, p. 218
  Configuring IGMP
Dynamic, p. 241
Forcing Flows through NAT, p. 241
Managing Dynamic Bindings, p. 242
NAT and DNS
Proxy Server Redundancy, p. 267
Distributing Frequently-Accessed Sites Across Cache Servers, p. 267
Monitoring Web-Caching, p. 268
Chapter 20: IPX Routing Configuration Guide, p. 269
  IPX Routing Overview
Using Profile ACLs with the Port Mirroring Facility, p. 291
Using Profile ACLs with the Web Caching Facility, p. 292
  Redirecting HTTP Traffic to Cache Servers, p. 292
  Preventing Web Objects From Being Cached, p. 292
Enabling ACL Logging
Configuring IP QoS Policies, p. 316
  Setting an IP QoS Policy, p. 317
  Specifying Precedence for an IP QoS Policy, p. 317
Configuring IPX QoS Policies, p. 317
  Setting an IPX QoS Policy
Chapter 26: LFAP Configuration Guide, p. 349
  Overview, p. 349
  Enterasys' Traffic Accounting Services, p. 350
  Configuring the LFAP Agent on the XP
Simple Configuration File, p. 369
Multi-Router WAN Configuration, p. 370
  Router R1 Configuration File, p. 371
  Router R2 Configuration File, p. 371
  Router R3 Configuration File
Chapter 1 Introduction This manual provides information for configuring the Enterasys Xpedition (XP) software. It details the procedures and provides configuration examples. If you have not yet installed the XP, use the instructions in the XP Getting Started Guide to install the chassis and perform basic setup tasks, then return to this manual for more detailed configuration information. What’s New The content of this manual is representative of the features and capabilities found in the 3.
Document Conventions
Commands shown in this manual use the following conventions:
• boldface: Indicates commands and keywords that you enter as shown.
• Indicates arguments for which you supply values.
• [x] or [] or [x ]: Keywords and arguments within a set of square brackets are optional.
• x|y|z| or [x|y|z|]: Keywords or arguments separated by vertical bars indicate a choice. Select one keyword or argument.
Getting Help • The serial and revision numbers of all involved Enterasys Networks products in the network • A description of your network environment (layout, cable type, etc.
Chapter 2 Maintaining Configuration Files This chapter provides information about configuration files in the Enterasys Xpedition (XP). It explains the different types of configuration files and the different procedures involved in changing, displaying, saving, and backing up the files. Configuration Files The XP Getting Started Guide introduced the following configuration files used by the XP: • Startup – The configuration file that the XP uses to configure itself when the system is powered on.
Changing Configuration Information Because some commands depend on other commands for successful execution, the XP scratchpad simplifies system configuration by allowing you to enter configuration commands in any order, even when dependencies exist. When you activate the commands in the scratchpad, the XP sorts out the dependencies and executes the command in the proper sequence.
Changing Configuration Information To enter comments in the configuration file, specify the comment line command with the line number and the actual comments. To display the comments in the active configuration file, specify the show active command. Comments are displayed with a C before the comment. The following example shows a comment entered in line 2 of the active configuration file.
Table 1. Commands to Change Configuration Information
Task                                                      Command
Negate one or more commands by line numbers.              negate
Negate commands that match a specified command string.    no
Save scratchpad to active configuration.                  save active
Save active configuration to startup.                     save startup
Displaying Configuration Information
The following table lists the commands that are useful for displaying the XP's configuration information. Table 2.
Activating the Configuration Changes and Saving the Configuration File The show and system show commands display the commands in the order they were executed. You can change this sequence to alphabetical order by using the system set show-config command.
Activating the Configuration Changes and Saving the Configuration File 2. Enter the following command to copy the configuration changes in the Active configuration to the Startup configuration: copy active to startup 3. When the CLI displays the following message, enter yes to save the changes. Are you sure you want to overwrite the Startup configuration? [n] Note: You also can save active changes to the Startup configuration file from within Configure mode by entering the save startup command.
Backing up and Restoring the Startup Configuration File If a command that was originally configured to encompass all of the available modules on the XP becomes only partially active (after a hotswap or some such chassis reconfiguration), then the status of that command line automatically changes to indicate a partial completion status, complete with “P:”. Note: Commands with no annotation or annotated with a “P:” are not in error.
Backing up and Restoring the System Image Backing up and Restoring the System Image When you boot up the system, the XP boots up the system image off the PC flash card. The PC flash card contains the run-time image (as of 3.1, the PC flash can store up to two images) and the startup configuration file. It is recommended that a backup of the system image be stored on a central server in the unlikely event that the system image becomes corrupted or deleted from the PC flash card.
List system software images on the PC flash card.
  system image list primary-cm|backup-cm|all
Delete a system software image file from the PC flash card.
  system image delete primary-cm|backup-cm
Configuring System Settings
In addition to the initial settings described in the Getting Started Guide, there are additional system features which you can set on the XP.
When you set DST by setting the time forward by an hour, saving it to the active configuration file automatically activates the command, causing the time to immediately change forward one hour. Use the negate command to set the time back. Enter the following command in Configure mode to move the time forward by an hour:
Set the time forward by one hour.
  system set dst-manual
Configuring a Log-in Banner
Configure the XP to display a banner when it is booted up.
Chapter 3 Using the CLI This chapter provides information about the XP’s Command Line Interface (CLI). The XP provides both a graphical user interface and a command line interface (CLI) to configure and manage the XP. In this manual, example configurations show how to use the CLI commands to configure the XP. CLI commands are grouped by subsystems. For example, the set of commands that let you configure and display IP routing table information all start with ip.
Command Modes The default name is XP unless it has been changed during initial configuration. Refer to the XP Getting Started Guide for the procedures for changing the system name. Enable Mode Enable mode provides more facilities than User mode. You can display critical features within Enable mode including router configuration, access control lists, and SNMP statistics. To enter Enable mode from the User mode, enter the command enable (or en), then supply the password when prompted.
Establishing Telnet Sessions Establishing Telnet Sessions You can establish a management connection to the XP by connecting a terminal to the management port of the XP and by establishing a telnet connection to a remote host. To establish a telnet connection, connect your network to the 10/100 MDI port on the XP. The XP allows up to four simultaneous telnet sessions. There are commands that allow you to monitor telnet use and to end a specific telnet session.
To set command completion, enter the following command in either Configure mode or Enable mode. In Configure mode, the command turns on or off command completion for the entire system. In Enable mode, the command affects the current login session of the user issuing the command.
Turn on or turn off command completion.
  cli set command completion on|off
The cli set history command specifies the number of commands that will be stored in the command history buffer.
dvmrp          - Show DVMRP related parameters
enable         - Enable privileged user mode
exit           - Exit current mode
file           - File manipulation commands
help           - Describe online help facility
igmp           - Show IGMP related parameters
ip-redundancy  - Show IP Redundancy information (VRRP)
ipx            - Show IPX related parameters
l2-tables      - Show L2 Tables information
logout         - Log off the system
multicast      - Configure Multicast related parameters
ping           - Ping utility
pvst           - Show Per Vlan Spanning Tree Protocol (P
Getting Help with CLI Commands If you are entering several commands for the same subsystem, you can enter the subsystem name from CLI. Then, execute individual commands for the subsystem without typing the subsystem name in each time. For example, if you are configuring several entries for the IP routing table, you can simply enter ip at the CLI Configure prompt. The prompt changes to indicate that the context for the commands to be entered has changed to that of the IP subsystem.
Table 3. CLI Line Editing Commands
Command   Resulting Action
!#        Recall a specific history command. '#' is the number of the history command to be recalled as shown via the '!*' command.
""        Opaque strings may be specified using double quotes. This prevents interpretation of otherwise special CLI characters.
Port Names
The term port refers to a physical connector on a line card installed in the XP. The figure below shows eight 10 Base-T/100 Base-TX ports on a line card.
Port Names is the number assigned to the connector on the line card. The range and assignment of port numbers varies by the type of line card. The assignment of port numbers by line card is shown in the table below: Table 4.
Chapter 4 Hot Swapping Line Cards and Control Modules
Hot Swapping Overview
Hot swapping is the ability to replace a line card, Control Module, or GBIC (in the ER16 only) while the XP is operating. Hot swapping allows you to remove or install line cards without switching off or rebooting the XP. Swapped-in line cards are recognized by the XP and begin functioning immediately after they are installed. On the XP-8000 and XP-8600, you can hot swap line cards and secondary control modules.
Hot Swapping Line Cards This chapter provides instructions for the following tasks: • Hot swapping line cards • Hot swapping secondary Control Modules • Hot swapping the secondary Switching Fabric Module (XP-8600 only) • Hot swapping the GBIC (ER16 only) Hot Swapping Line Cards The procedure for hot swapping a line card consists of deactivating the line card, removing it from its slot in the XP chassis, and installing a new line card in the slot.
Alternately, if you have not removed a line card you deactivated with the system hotswap out command, you can reactivate it with the system hotswap in command. For example, to reactivate a line card in slot 7, enter the following command in Enable mode:
  ssr# system hotswap in slot 7
Removing the Line Card
To remove a line card from the XP:
1. Make sure the Offline LED on the line card is lit.
Warning: Do not remove the line card unless the Offline LED is lit.
Hot Swapping a Secondary Control Module To set this up, you must include configuration statements for both line cards in the XP configuration file. The XP determines which line card is installed in the slot and uses the appropriate configuration statements. For example, you may have an XP with a 10/100Base-TX line card in slot 7 and want to hot swap it with a 1000Base-SX line card.
When you press the Hot Swap button, all the LEDs on the Control Module (including the Offline LED) are deactivated. Figure 3 shows the location of the Offline LED and Hot Swap button on a Control Module.
[Figure 3: Control Module (SSR-CM2) front panel, showing the SYS RST and Console connectors, the 10/100 Mgmt port, the Online/Offline/OK/HBT/ERR/DIAG LEDs, the Offline LED, and the Hot Swap button.]
Hot Swapping a Switching Fabric Module (XP-8600 only) 2. Tighten the captive screws on each side of the Control Module or line card to secure it to the chassis. On a line card, the Online LED lights, indicating it is now active. On a secondary Control Module, the Offline LED lights, indicating it is standing by to take over as the primary Control Module if necessary. Hot Swapping a Switching Fabric Module (XP-8600 only) The XP-8600 has slots for two Switching Fabric Modules.
Hot Swapping a GBIC (ER16 only) Removing the Switching Fabric Module To remove the Switching Fabric Module: 1. Loosen the captive screws on each side of the Switching Fabric Module. 2. Pull the metal tabs on the Switching Fabric Module to free it from the connectors holding it in place in the chassis. 3. Carefully remove the Switching Fabric Module from its slot. Installing a Switching Fabric Module To install a Switching Fabric Module: 1.
3. Using thumb and forefinger, compress the extractor tabs on both sides of the GBIC and pull it out of the line card. See Figure 5 on page 32.
4. If storing or shipping the GBIC, insert the rubber dust protector into the GBIC to protect the fiber ports.
[Figure 5: Installing and removing a GBIC. Callouts: "Insert GBIC into opening. GBIC is keyed, and will only fit in correct orientation." and "To remove, press tabs on top and bottom of GBIC and pull."]
Chapter 5 Bridging Configuration Guide Bridging Overview The Enterasys Xpedition provides the following bridging functions: • Compliance with the IEEE 802.
VLAN Overview Address-based bridging - The XP performs this type of bridging by looking up the destination address in an L2 lookup table on the line card that receives the bridge packet from the network. The L2 lookup table indicates the exit port(s) for the bridged packet. If the packet is addressed to the XP’s own MAC address, the packet is routed rather than bridged.
VLAN Overview Detailed information about these types of VLANs is beyond the scope of this manual. Each type of VLAN is briefly explained in the following subsections. Port-based VLANs Ports of L2 devices (switches, bridges) are assigned to VLANs. Any traffic received by a port is classified as belonging to the VLAN to which the port belongs. For example, if ports 1, 2, and 3 belong to the VLAN named “Marketing”, then a broadcast frame received by port 1 is transmitted on ports 2 and 3.
VLAN Overview Policy-based VLANs Policy-based VLANs are the most general definition of VLANs. Each incoming (untagged) frame is looked up in a policy database, which determines the VLAN to which the frame belongs. For example, you could set up a policy which creates a special VLAN for all E-mail traffic between the management officers of a company, so that this traffic will not be seen anywhere else.
VLAN Overview The XP can also be used purely as a router, i.e., each physical port of the XP is a separate routing interface. Packets received at any interface are routed and not bridged. In this case, no VLAN configuration is required. Note that VLANs are still created implicitly by the XP as a result of creating L3 interfaces for IP and/or IPX. However, these implicit VLANs do not need to be created or configured manually. The implicit VLANs created by the XP are subnet-based VLANs.
VLAN Overview Access Ports and Trunk Ports (802.1P and 802.1Q support) The ports of an XP can be classified into two types, based on VLAN functionality: access ports and trunk ports. By default, a port is an access port. An access port can belong to at most one VLAN of the following types: IP, IPX or bridged protocols. The XP can automatically determine whether a received frame is an IP frame, an IPX frame or neither. Based on this, it selects a VLAN for the frame.
Configuring XP Bridging Functions
Configuring Address-based or Flow-based Bridging
The XP ports perform address-based bridging by default but can be configured to perform flow-based bridging instead of address-based bridging, on a per-port basis. A port cannot be configured to perform both types of bridging at the same time. The XP performance is equivalent when performing flow-based bridging or address-based bridging.
To change a port from flow-based bridging to address-based bridging, enter the following command in Configure mode:
Change a port from flow-based bridging to address-based bridging.
  negate : port flow-bridging |all-ports
Configuring Spanning Tree
Note: Some commands in this facility require updated XP hardware. The XP supports per VLAN spanning tree.
Configuring XP Bridging Functions Setting the Bridge Priority You can globally configure the priority of an individual bridge when two bridges tie for position as the root bridge, or you can configure the likelihood that a bridge will be selected as the root bridge. The lower the bridge’s priority, the more likely the bridge will be selected as the root bridge. This priority is determined by default; however, you can change it.
Adjusting Bridge Protocol Data Unit (BPDU) Intervals
You can adjust BPDU intervals as described in the following sections:
• Adjust the Interval between Hello BPDUs
• Define the Forward Delay Interval
• Define the Maximum Idle Interval
Adjusting the Interval between Hello Times
You can specify the interval between hello times. To adjust this interval, enter the following command in Configure mode:
Specify the interval between hello times for the default spanning tree.
Configuring a Port- or Protocol-Based VLAN To change the default interval setting, enter the following command in Configure mode: Change the amount of time a bridge will wait to hear BPDUs from the root bridge for default spanning tree. stp set bridging max-age Change the amount of time a bridge will wait to hear BPDUs from the root bridge for a particular instance of spanning tree.
Configuring a Port- or Protocol-Based VLAN Configuring VLANs for Bridging The XP allows you to create VLANs for AppleTalk, DECnet, SNA, and IPv6 traffic as well as for IP and IPX traffic. You can create a VLAN for handling traffic for a single protocol, such as a DECnet VLAN. Or, you can create a VLAN that supports several specific protocols, such as SNA and IP traffic. Note: Some commands in this facility require updated XP hardware.
Monitoring Bridging
The XP provides display of bridging statistics and configurations contained in the XP. To display bridging information, enter the following commands in Enable mode.
Show IP routing table.
  ip show routes
Show all MAC addresses currently in the l2 tables.
  l2-tables show all-macs
Show l2 table information on a specific port.
  l2-tables show port-macs
Show information on the master MAC table.
  l2-tables show mac-table-stats
Show information on a specific MAC address.
Configuration Examples
Creating a non-IP/non-IPX VLAN
In this example, SNA, DECnet, and AppleTalk hosts are connected to et.1.1 and et.2.(1-4). You can associate all the ports containing these hosts to a VLAN called 'RED' with the VLAN ID 5.
First, create a VLAN named 'RED':
  ssr(config)# vlan create RED sna dec appletalk id 5
Next, assign ports to the 'RED' VLAN:
  ssr(config)# vlan add ports et.1.1, et.2.
Chapter 6 SmartTRUNK Configuration Guide Overview This chapter explains how to configure and monitor SmartTRUNKs on the XP. A SmartTRUNK is Enterasys Networks’ technology for load balancing and load sharing. For a description of the SmartTRUNK commands, see the “smarttrunk commands” section of the Enterasys Xpedition Command Line Interface Reference Manual. On the XP, a SmartTRUNK is a group of two or more ports that have been logically combined into a single port.
Configuring SmartTRUNKs Configuring SmartTRUNKs To create a SmartTRUNK: 1. Create a SmartTRUNK and specify a control protocol for it. 2. Add physical ports to the SmartTRUNK. 3. Specify the policy for distributing traffic across SmartTRUNK ports. This step is optional; by default, the XP distributes traffic to ports in a round-robin (sequential) manner.
Monitoring SmartTRUNKs To add ports to a SmartTRUNK, enter the following command in Configure mode: Create a SmartTRUNK that will be connected to a device that supports the DEC Hunt Group control protocol. smarttrunk add ports to Specify Traffic Distribution Policy (Optional) The default policy for distributing traffic across the ports in a SmartTRUNK is “roundrobin,” where the XP selects the port on a rotating basis.
Example Configurations
The following shows a network design based on SmartTRUNKs. R1 is an XP operating as a router, while S1 and S2 are XPs operating as switches.
[Figure: SmartTRUNK network design. Cisco 7500 Router (10.1.1.1/24) connects over st.1 to Router R1 interface to-cisco (10.1.1.2/24); R1 interface to-s1 (11.1.1.2/24) connects over st.2 to Switch S1, which connects over st.4 to a Server; R1 interface to-s2 (12.1.1.2/24) connects over st.3 to Switch S2, which connects over st.5 to a Cisco Catalyst 5K Switch.]
The following is the configuration for the Cisco 7500 router:
  interface port-channel 1
  ip address 10.1.1.1 255.255.255.
The following is the SmartTRUNK configuration for the XP labeled 'R1' in the diagram:
  smarttrunk create st.1 protocol no-protocol
  smarttrunk create st.2 protocol huntgroup
  smarttrunk create st.3 protocol huntgroup
  smarttrunk add ports et.1(1-2) to st.1
  smarttrunk add ports et.2(1-2) to st.2
  smarttrunk add ports et.3(1-2) to st.3
  interface create ip to-cisco address-netmask 10.1.1.2/24 port st.1
  interface create ip to-s1 address-netmask 11.1.1.2/24 port st.
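The port names in the bridging and SmartTRUNK examples above (et.1.1, et.2.(1-4), et.1(1-2), st.1) follow the media.slot.port format described under Port Names. As an added example that is not part of this manual or of the XP software, the following Python expands such a comma-separated port specification into individual port names and rejects malformed or overlapping entries before they are pasted into a configuration script. The set of accepted shapes is an assumption taken only from the forms shown on this page.

```python
import re
from typing import List

# Assumption (drawn from the examples on this page, not from the XP software):
# a port name is media.slot.port (e.g. et.1.1) or media.N for a SmartTRUNK
# (e.g. st.1), and ATM channels append .vpi.vci. A range on the final numeric
# field may be written either as et.2.(1-4) or as et.1(1-2).
_PORT_SPEC = re.compile(
    r"^(?P<media>[a-z]+)"                     # media type: et, at, st, ...
    r"(?P<fixed>(?:\.\d+)+)"                  # one or more fixed numeric fields
    r"(?:\.?\((?P<lo>\d+)-(?P<hi>\d+)\))?$"   # optional range on the last field
)


def expand_port_spec(spec: str) -> List[str]:
    """Expand one port specification (possibly a range) into port names."""
    m = _PORT_SPEC.match(spec.strip())
    if m is None:
        raise ValueError(f"not a recognised port specification: {spec!r}")
    prefix = m.group("media") + m.group("fixed")
    if m.group("lo") is None:
        return [prefix]                       # single port, e.g. et.1.1 or st.1
    lo, hi = int(m.group("lo")), int(m.group("hi"))
    if lo < 1 or lo > hi:
        raise ValueError(f"bad port range {lo}-{hi} in {spec!r}")
    return [f"{prefix}.{n}" for n in range(lo, hi + 1)]


def expand_port_list(ports: str) -> List[str]:
    """Expand a comma-separated list as written after 'vlan add ports'."""
    names: List[str] = []
    for item in ports.split(","):
        item = item.strip()
        if item:
            names.extend(expand_port_spec(item))
    # A duplicate name means two entries overlap; surface it instead of
    # silently configuring the same port twice.
    if len(set(names)) != len(names):
        raise ValueError(f"port list contains duplicates: {ports!r}")
    return names


def is_valid_port_list(ports: str) -> bool:
    """True when every entry parses and no port appears twice."""
    try:
        expand_port_list(ports)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed inputs mirroring the manual's own examples.
    for spec in ("et.1.1, et.2.(1-4)", "et.1(1-2)", "st.1"):
        print(spec, "->", expand_port_list(spec))
```

The regex deliberately requires at least one fixed numeric field before a range, so a bare "et(1-2)" is rejected rather than guessed at; anything the check refuses should be corrected by hand against Table 4 for the line card in question.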
Chapter 7 ATM Configuration Guide ATM Overview This chapter provides an overview of the Asynchronous Transfer Mode (ATM) features available for the Enterasys Xpedition. ATM is a cell switching technology used to establish multiple connections over a physical link, and configure each of these connections with its own traffic parameters. This provides more control over specific connections within a network.
Virtual Channels Virtual Channels A virtual channel is a point-to-point connection that exists within a physical connection. You can create multiple virtual channels within one physical connection, with each virtual channel having its own traffic parameters. The name “virtual” implies that the connection is located in silicon instead of a physical wire. Refer to “Creating a Service Profile Definition” on page 55 for information about defining a set of traffic parameters for a virtual channel.
Creating a Service Profile Definition
To create a service profile definition, enter the following command in Configure mode:
Creates a service profile definition.
  atm define service [srv-cat cbr|ubr|rt-vbr|nrt-vbr] [pcr] [pcr-kbits] [scr] [scr-kbits] [mbs] [encap routed-llc|routed-vcmux] [oam on|off]
The following is a description of the parameters used to create a service profile definition:
service    Specifies a name for the service profile definition.
Service Profile Definition pcr-kbits Specifies the Peak Cell Rate, which defines the maximum cell transmission rate, expressed in kbits/sec. The default is 149759 kbits/sec (353207 cells/sec). This is the same as PCR, but is expressed in kbits/sec, and therefore may be a more convenient form. However, since the natural unit for ATM is cells/sec, there may be a difference in the actual rate because the kbit/sec value may not be an integral number of cells.
service    Specifies the name of the service profile definition which you want to apply. The maximum length is 32 characters.
port       Specifies the port, in the format: media.slot.port.vpi.vci
  media    Specifies the media type. This is at for ATM ports.
  slot     Specifies the slot number where the module is installed.
  port     Specifies the port number.
  vpi      Specifies the Virtual Path Identifier. This parameter identifies the virtual path. This parameter is optional.
Cell Scrambling To enable cell scrambling on an ATM port, enter the following command in Configure mode: Enables cell scrambling on an ATM port.
Cell Mapping The following is a description of the parameters used to enable cell scrambling: port Specifies the port, in the format: media.slot.port. Specify all-ports to enable cell scrambling on all ports. media Specifies the media type. This is at for ATM ports. slot Specifies the slot number where the module is installed. port Specifies the port number. pdh-cell-scramble on|off Specify on to enable cell scrambling. Specify off to disable cell scrambling.
Creating a Non-Zero VPI Creating a Non-Zero VPI The Virtual Path Identifier defines a virtual path, a grouping of virtual channels transmitting across the same physical connection. The actual number of virtual paths and virtual channels available on an ATM port depends upon how many bits are allocated for the VPI and VCI, respectively. By default, there is 1 bit allocated for VPI and 11 bits allocated for VCI. You can specify a different allocation of bits for VPI and VCI for a port.
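Two details in the sections above are easy to get wrong when scripting ATM configuration: a pcr-kbits value is silently reduced to a whole number of cells per second, and a VPI or VCI that does not fit the port's bit allocation is invalid. The following Python is an added example, not code from the Enterasys manual or the Xpedition software; the 53-byte cell size is standard ATM, the default 1/11 bit split and the media.slot.port.vpi.vci format come from the text, and every function and class name is my own.

```python
"""Added example (not from the manual): ATM rate rounding and port-specifier
validation for the atm define service / atm apply service commands above."""
import re
from dataclasses import dataclass
from typing import Optional

ATM_CELL_BITS = 53 * 8   # one ATM cell: 5-byte header + 48-byte payload = 424 bits


def kbits_to_cells(kbits_per_sec: int) -> int:
    """Cells/sec the hardware can actually honour for a kbits/sec PCR or SCR.
    A kbits/sec figure is rarely a whole number of cells, so it rounds down."""
    return (kbits_per_sec * 1000) // ATM_CELL_BITS


def cells_to_kbits(cells_per_sec: int) -> float:
    """Exact kbits/sec carried by a given cells/sec rate."""
    return cells_per_sec * ATM_CELL_BITS / 1000


def effective_kbits(kbits_per_sec: int) -> float:
    """Rate after the kbits/sec -> cells/sec -> kbits/sec round trip; the
    difference from the requested value is the loss the text warns about."""
    return cells_to_kbits(kbits_to_cells(kbits_per_sec))


@dataclass
class AtmPort:
    media: str
    slot: int
    port: int
    vpi: Optional[int] = None   # optional, as the parameter table says
    vci: Optional[int] = None


_PORT_RE = re.compile(
    r"^(?P<media>[a-z]+)\.(?P<slot>\d+)\.(?P<port>\d+)"
    r"(?:\.(?P<vpi>\d+)(?:\.(?P<vci>\d+))?)?$"
)


def parse_atm_port(spec: str, vpi_bits: int = 1, vci_bits: int = 11) -> AtmPort:
    """Parse media.slot.port[.vpi[.vci]] and check VPI/VCI against the port's
    bit allocation (default 1 VPI bit and 11 VCI bits, per the text)."""
    m = _PORT_RE.match(spec)
    if not m:
        raise ValueError(f"bad port specifier: {spec!r}")
    if m["media"] != "at":
        raise ValueError(f"{spec!r}: media must be 'at' for ATM ports")
    vpi = int(m["vpi"]) if m["vpi"] is not None else None
    vci = int(m["vci"]) if m["vci"] is not None else None
    if vpi is not None and vpi >= (1 << vpi_bits):
        raise ValueError(f"{spec!r}: VPI {vpi} does not fit in {vpi_bits} bit(s)")
    if vci is not None and vci >= (1 << vci_bits):
        raise ValueError(f"{spec!r}: VCI {vci} does not fit in {vci_bits} bit(s)")
    return AtmPort("at", int(m["slot"]), int(m["port"]), vpi, vci)


def is_valid_atm_port(spec: str, vpi_bits: int = 1, vci_bits: int = 11) -> bool:
    """Boolean wrapper around parse_atm_port for use in pre-flight checks."""
    try:
        parse_atm_port(spec, vpi_bits, vci_bits)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # The manual's default: 149759 kbits/sec is quoted as 353207 cells/sec,
    # but 149759 kbits/sec itself is only 353205 whole cells/sec.
    print(kbits_to_cells(149759), cells_to_kbits(353207), effective_kbits(149759))
    print(parse_atm_port("at.4.2.0.101"))
    print(is_valid_atm_port("at.1.1.2.100"), is_valid_atm_port("at.1.1.2.100", vpi_bits=2))
```

Run as a script it shows that the quoted default (353207 cells/sec) is 149759.768 kbits/sec, while requesting 149759 kbits/sec yields 353205 cells/sec, i.e. 149758.92 kbits/sec; it also shows that a VPI of 2 is rejected under the default 1-bit allocation and accepted once the port is given 2 VPI bits.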
Displaying ATM Port Information

There are a variety of ATM statistics that can be accessed through the command line interface. The atm show commands can only be used in Enable mode.

To display information about the VPL configurations on an ATM port:

Displays the VPL configurations on an ATM port.
    atm show vpl port | all-ports

The following is an example of the information that is displayed with the command listed above:

    ssr(atm-show)# vpl port at.9.

To display information about the service definition on an ATM port:

Displays the service definition on an ATM port.

To display information about the port settings on an ATM port:

Displays the port setting configurations on an ATM port.
    atm show port-settings | all-ports

The following is an example of the information that is displayed with the command listed above (for a PDH PHY interface):

    ssr(atm-show)# port-settings at.9.

• Framing: Shows the type of framing scheme. cbit-parity is used for T3 framing. m23 is used for T3 framing. esf indicates extended super frame and is used for T1 framing. g832 is used for E3 framing. g751 is used for E3 framing.
• VC Mode: Shows the bit allocation for vpi and vci.
• Service Definition: Shows the name of the defined service on the port and its traffic parameters.
ATM Sample Configuration 1

Consider the following network configuration:

[Figure: two XPs, XP1 and XP2, connected over an ATM link between ports at.1.1 and at.2.1; VLAN A (subnet 11.1.1.0) and VLAN B (subnet 11.1.2.0) attach through Ethernet ports et.1.1 and et.2.1; addresses shown in the figure are 11.1.2.1/24, 11.1.100.1/24 and 11.1.1.1/24.]

The network shown consists of two XPs, VLAN A, and VLAN B. Both XPs have an ATM module with two ATM ports. Both XPs also contain a 10/100 TX Ethernet module. XP1 is connected to VLAN A through Ethernet port et.2.

Configuring an Interface on each Ethernet Port

There are two separate VLANs in this network, VLAN A and VLAN B. VLAN A is connected to Ethernet port et.2.1 on XP1, and VLAN B is connected to Ethernet port et.1.1 on XP2. Apply an interface on both Ethernet ports. Creating an interface on an Ethernet port assigns a network IP address and subnet mask to that port.

Creating a Virtual Channel

Create a VC to connect ATM port at.1.1 on XP1 to ATM port at.2.1 on XP2.

Applying an ATM Service Profile

After defining a service profile on XP1 and XP2, apply them to the VC connection created earlier. The following command line applies the service profile ‘cbr1m’ to the VC (vpi=0, vci=100) on ATM port at.1.1 of XP1:

    ssr1(config)# atm apply service cbr1m port at.1.1.0.100

The following command line applies the service profile ‘cbr1m’ to the VC (vpi=0, vci=100) on ATM port at.2.1 of XP2:

    ssr2(config)# atm apply service cbr1m port at.2.1.0.

Creating an IP route allows the interfaces on the ATM ports to act as gateways to any subnet. Traffic from VLAN A reaches the Ethernet port on XP1 and is automatically directed to the gateway address (the interface on the ATM port of XP2). The traffic then travels through the VC and arrives at the Ethernet port connected to VLAN B. Add the IP route for the subnet 11.1.2.0. The following command line configures the route on XP1:

    ssr1(config)# ip add route 11.1.2.0/24 gateway 11.1.
ATM Sample Configuration 2

Consider the following network configuration:

[Figure: Subnet A (10.1.1.X/24) and Subnet B (20.1.1.X/24) attach to SSR1 on et 2.4 (10.1.1.130/24) and et 2.3 (20.1.1.130/24). SSR1 port at 4.2 connects across an ATM network to SSR2 port at 3.1 with two VCs: VPI=0, VCI=100, CBR, 100 Mbit (30.1.1.127/24 on SSR1, 30.1.1.128/24 on SSR2) and VPI=0, VCI=101, UBR, 20 Mbit (40.1.1.127/24 on SSR1, 40.1.1.128/24 on SSR2). SSR2 port et 5.1 (50.1.1.130/24) attaches to Subnet C 50.1.1.]

Subnet B consists of users with less stringent requirements who are mainly concerned with email and server backup traffic. As the network administrator, you can accommodate both client groups using only one ATM physical connection. This is accomplished by setting up two VCs on the ATM port, each with its own service profile definition. This example shows how to configure this network. The following sections lead you through the configuration process.

The following command creates a virtual channel on port at.3.1 with VPI=0 and VCI=100:

    ssr2(config)# atm create vcl port at.3.1.0.100

The following command creates a virtual channel on port at.3.1 with VPI=0 and VCI=101:

    ssr2(config)# atm create vcl port at.3.1.0.101

Configuring an Interface on Each ATM Port

The following command assigns an IP address of 40.1.1.127/24 on port at.4.2.0.101:

    ssr1(config)# interface create ip ubrservice address-netmask 40.1.1.

    ssr2(config)# atm define service cbrservice srv-cat cbr pcr-kbits 100000

Applying an ATM Service Profile

The following command applies the ‘ubrservice’ service profile on at.4.2.0.101:

    ssr1(config)# atm apply service ubrservice port at.4.2.0.101

The following command applies the ‘cbrservice’ service profile on at.4.2.0.100:

    ssr1(config)# atm apply service cbrservice port at.4.2.0.100

The following command applies the ‘ubrservice’ service profile on at.3.1.0.

The following command creates the IP policy ‘subnetBtoCpolicy’, which forwards traffic matching the ACL ‘subnetBtoCacl’ to the next hop 30.1.1.128/24:

    ssr1(config)# ip-policy subnetBtoCpolicy permit acl subnetBtoCacl next-hop-list 30.1.1.128/24 action policy-first

Apply the IP Policy to the Ethernet Ports

The following command applies the IP policy ‘subnetAtoCpolicy’ to interface subnetA (port et.2.4):

    ssr1(config)# ip-policy subnetAtoCpolicy apply interface subnetA

The following command applies the IP policy ‘subnetBpolicy’ to port et.2.

Apply the IP Policy to the Ethernet Port

The following command applies the IP policy ‘subnetCtoApolicy’ to interface subnetC (port et.5.1):

    ssr2(config)# ip-policy subnetCtoApolicy apply interface subnetC

The following command applies the IP policy ‘subnetCtoBpolicy’ to port et.5.
Chapter 8: Packet-over-SONET Configuration Guide

Overview

This chapter explains how to configure and monitor packet-over-SONET (PoS) on the XP. See the sonet commands section of the Enterasys Xpedition Command Line Interface Reference Manual for a description of each command. PoS requires installation of the OC-3c or OC-12c PoS line cards in an XP-8000 or an XP8600. The OC-3c line card has four PoS ports, while the OC-12c line card has two PoS ports. You must use the “so.” prefix for PoS interface ports.

Configuring Packet-over-SONET Links

you can configure the interface as part of a VLAN for PoS links. You can also configure multiple IP addresses for each interface, as described in Configuring IP Interfaces and Parameters on page 96. When creating the IP interface for a PoS link, you can either specify the peer address if it is known (static address), or allow the peer address to be automatically discovered via IPCP negotiation (dynamic address).

When you create the point-to-point interface as shown above, the XP creates an implicit VLAN named “SYS_L3_” followed by the interface name. In the above example, the XP creates the VLAN ‘SYS_L3_pos11’.

3. If you want to increase the MTU size on a port, specify the parameter mtu with the ‘port set’ command and define a value up to 65535 (octets). See Configuring Jumbo Frames on page 98 for more information.

4. Specify the bit error rate thresholds, if necessary.

Configuring Automatic Protection Switching

If the working circuit is disrupted or the bit error rates on the working circuit exceed the configured thresholds, traffic is automatically switched over to the protecting circuit. Any physical or logical characteristics configured for the working port are applied to the protecting port. This includes the IP address and netmask configured for the interface, spanning tree protocol (STP), per-VLAN spanning tree (PVST), etc.

Force a switch to the specified port. This command can be applied to either the working or protecting port.
    sonet set protection-switch forced

Manually switch the line to the specified port. This command can be applied to either the working or protecting port.
    sonet set protection-switch manual

Note: You can only specify one option, lockoutprot, forced or manual, for a port.

Specifying Bit Error Rate Thresholds

To specify different BER thresholds, enter the following commands in Enable mode:

Specify signal degrade BER threshold.
    sonet set sd-ber

Specify signal failure BER threshold.
    sonet set sf-ber

Monitoring PoS Ports

To display PoS port configuration information, enter one of the following commands in Enable mode:

Show framing status, line type, and circuit ID of the optical link.

Example Configurations

This section shows example configurations for PoS links.

APS PoS Links Between XPs

The following example shows APS PoS links between two XPs, router A and router B.

[Figure: Router A interface pos21 (20.11.11.21/24) on ports so.7.1 (working) and so.7.2 (protecting), linked to Router B interface pos11 (20.11.11.20/24) on ports so.13.1 and so.13.2.]

The following is the configuration for router A:

    interface create ip pos21 address-netmask 20.11.11.21/24 peer-address 20.11.11.20 type point-to-point port so.7.1
    sonet set so.7.

The following is the configuration for router A:

    port set so.6.1 mtu 9216
    interface create ip so-1 address-netmask 40.1.1.1/16 port so.6.1

The following is the configuration for router B:

    interface POS1/0
    mtu 9216
    ip address 40.1.1.2 255.255.0.

The following is the configuration for router B:

    port set so.6.1 mtu 65535
    stp enable port so.6.1
    vlan create v1 port-based id 10
    vlan add ports so.6.1 to v1
    interface create ip int1 address-netmask 1.1.1.2/8 vlan v1
    interface add ip int1 address-netmask 2.1.1.2/8 peer-address 2.1.1.
Chapter 9: DHCP Configuration Guide

DHCP Overview

The Dynamic Host Configuration Protocol (DHCP) server on the XP provides dynamic address assignment and configuration to DHCP-capable end-user systems, such as Windows 95/98/NT and Apple Macintosh systems. You can configure the server to provide a dynamic IP address from a pre-allocated pool of IP addresses or a static IP address.

Configuring DHCP

parameters for a DHCP client. The parameters are used by the client to configure its network environment, for example, the default gateway and DNS domain name. To configure DHCP on the XP, you must configure an IP address pool, client parameters, and an optional static IP address for a specified scope. Where several subnets are accessed through a single port, you can also define multiple scopes on the same interface and group the scopes together into a “superscope.”

To define the parameters that the DHCP server gives the clients, enter the following command in Configure mode:

Define client parameters.
    dhcp define parameters ...

Configuring a Static IP Address

To define a static IP address that the DHCP server can assign to a client with a specific MAC address, enter the following command in Configure mode:

Define static IP address for a particular MAC address.

Configuring DHCP Server Parameters

You can configure several “global” parameters that affect the behavior of the DHCP server itself. To configure global DHCP server parameters, enter the following commands in Configure mode:

Specify a remote location to back up the lease database.
    dhcp global set lease-database

Specify the intervals at which the lease database is updated.

DHCP Configuration Examples

The following configuration describes DHCP configuration for a simple network with just one interface on which DHCP service is enabled to provide both dynamic and static IP addresses.

1. Create an IP VLAN called ‘client_vlan’.
    vlan create client_vlan ip

2. Add all Fast Ethernet ports in the XP to the VLAN ‘client_vlan’.
    vlan add port et.*.* to client_vlan

3. Create an IP interface called ‘clients’ with the address 10.1.1.

10. Specify a database update interval of every 15 minutes.
    dhcp global set commit-interval 15

Configuring Secondary Subnets

In some network environments, multiple logical subnets can be imposed on a single physical segment. These logical subnets are sometimes referred to as “secondary subnets” or “secondary networks.” For these environments, the DHCP server may need to give out addresses on different subnets.

default gateway 10.1.1.1 that resides on the 10.1.x.x subnet. When all the addresses for ‘scope1’ are assigned, the server will start giving out addresses from ‘scope2’, which will include the default gateway parameter 10.2.1.1 on subnet 10.2.x.x.

7. Create a superscope ‘super1’ that includes ‘scope1’.
    dhcp scope1 attach superscope super1

8. Include ‘scope2’ in the superscope ‘super1’.
    dhcp scope2 attach superscope super1

For clients on the secondary subnet, the default gateway is 10.2.1.1, which is also the secondary address for the interface ‘clients’.
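The secondary-subnet behaviour described above (static MAC bindings served first, then the dynamic pool of each scope in the superscope in order, each lease carrying its own scope's default gateway) is easier to reason about as a small model. The following Python is an added example, not code from the Enterasys manual or the XP's DHCP server; the class and method names and the two tiny address pools are constructed for illustration.

```python
"""Added example (not from the manual): a model of scope/superscope address
assignment as described in the DHCP configuration examples above."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Scope:
    """One DHCP scope: a dynamic pool plus the parameters handed to its clients."""
    name: str
    pool: List[str]                                       # constructed dynamic range
    default_gateway: str                                  # per-scope client parameter
    static: Dict[str, str] = field(default_factory=dict)  # MAC -> fixed IP
    leases: Dict[str, str] = field(default_factory=dict)  # MAC -> IP currently leased


def make_pool(first: str, last: str) -> List[str]:
    """Expand an inclusive IPv4 range into a list of dotted-quad strings."""
    lo = int(ipaddress.IPv4Address(first))
    hi = int(ipaddress.IPv4Address(last))
    return [str(ipaddress.IPv4Address(i)) for i in range(lo, hi + 1)]


class Superscope:
    """Scopes are tried in the order they were attached: a later scope is used
    only once every earlier scope has no free dynamic address left."""

    def __init__(self, name: str, scopes: List[Scope]):
        self.name = name
        self.scopes = list(scopes)

    def allocate(self, mac: str) -> Optional[dict]:
        mac = mac.lower()
        # A static binding or an existing lease is always honoured first, so a
        # host keeps the same address (and the same gateway) across requests.
        for s in self.scopes:
            if mac in s.static:
                s.leases[mac] = s.static[mac]
            if mac in s.leases:
                return {"ip": s.leases[mac], "gateway": s.default_gateway, "scope": s.name}
        # Otherwise the first scope with a free dynamic address wins.
        for s in self.scopes:
            in_use = set(s.leases.values()) | set(s.static.values())
            for ip in s.pool:
                if ip not in in_use:
                    s.leases[mac] = ip
                    return {"ip": ip, "gateway": s.default_gateway, "scope": s.name}
        return None  # every scope in the superscope is exhausted


def demo() -> List[Optional[dict]]:
    """Constructed scenario mirroring the example: scope1 on 10.1.x.x with
    gateway 10.1.1.1, scope2 on 10.2.x.x with gateway 10.2.1.1, two-address
    pools so the spill-over from scope1 to scope2 shows after a few requests."""
    scope1 = Scope("scope1", make_pool("10.1.1.10", "10.1.1.11"), "10.1.1.1",
                   static={"00:11:22:33:44:55": "10.1.1.50"})   # constructed MAC
    scope2 = Scope("scope2", make_pool("10.2.1.10", "10.2.1.11"), "10.2.1.1")
    super1 = Superscope("super1", [scope1, scope2])
    macs = ["00:11:22:33:44:55", "aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02",
            "aa:bb:cc:00:00:03", "aa:bb:cc:00:00:04", "aa:bb:cc:00:00:05",
            "aa:bb:cc:00:00:01"]   # the last request repeats a MAC: same lease back
    return [super1.allocate(m) for m in macs]


if __name__ == "__main__":
    for mac_result in demo():
        print(mac_result)
```

The first request hits the static binding, the next two drain scope1 (gateway 10.1.1.1), the following two come from scope2 (gateway 10.2.1.1), the sixth gets nothing, and the repeated MAC is given back its existing scope1 lease rather than a new address.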
Chapter 10: IP Routing Configuration Guide

The XP supports standards-based TCP, UDP, and IP. This chapter describes how to configure IP interfaces and general non-protocol-specific routing parameters.

IP Routing Protocols

The XP supports standards-based unicast and multicast routing. Unicast routing protocol support includes Interior Gateway Protocols and Exterior Gateway Protocols. Multicast routing protocols are used to determine how multicast data is transferred in a routed environment.

• Border Gateway Protocol (BGP) Version 3, 4 (RFC 1267, 1771). Configuring BGP for the XP is described in Chapter 14.

Multicast Routing Protocols

IP multicasting allows a host to send traffic to a subset of all hosts. These hosts subscribe to group membership, thus notifying the XP of participation in a multicast transmission.

Configuring IP Interfaces and Parameters

Configuring IP Interfaces to Ports

You can configure an IP interface directly to a physical port. Each port can be assigned multiple IP addresses representing multiple subnets connected to the physical port. For example, to assign an IP interface ‘RED’ to physical port et.3.4, enter the following:

    ssr(config)# interface create ip RED address-netmask 10.50.0.0/255.255.0.0 port et.3.4

To configure a secondary address of 10.23.4.36 with a 24-bit netmask (255.255.255.

Configuring Jumbo Frames

Certain XP line cards support jumbo frames (frames larger than the standard Ethernet frame size of 1518 bytes). To transmit frames of up to 65535 octets, you increase the maximum transmission unit (MTU) size from the default of 1500. You must set the MTU at the port level with the port set mtu command.

Configuring Address Resolution Protocol (ARP)

The XP allows you to configure Address Resolution Protocol (ARP) table entries and parameters. ARP is used to associate IP addresses with media or MAC addresses. Taking an IP address as input, ARP determines the associated MAC address. Once a media or MAC address is determined, the IP address/media address association is stored in an ARP cache for rapid retrieval.

When you enable packets to be dropped for hosts with unresolved MAC addresses, the XP still attempts to periodically resolve these MAC addresses. By default, the XP sends ARP requests at 30-second intervals to try to resolve up to 50 dropped entries.

Specifying IP Interfaces for RARP

The rarpd set interface command allows you to specify which interfaces the XP’s RARP server responds to when sent RARP requests. You can specify individual interfaces or all interfaces. To cause the XP’s RARP server to respond to RARP requests from interface int1:

    ssr(config)# rarpd set interface int1

Defining MAC-to-IP Address Mappings

The rarpd add command allows you to map a MAC address to an IP address for use with RARP.

Monitoring RARP

You can use the following commands to obtain information about the XP’s RARP configuration:

Display the interfaces to which the RARP server responds.
    rarpd show interface

Display the existing MAC-to-IP address mappings.
    rarpd show mappings

Display RARP statistics.
    statistics show rarp |all

Configuring DNS Parameters

The XP can be configured to specify DNS servers, which supply name services for DNS requests.

• DNS (port 37)
• NetBIOS Name Server (port 137)
• NetBIOS Datagram Server (port 138)
• TACACS Server (port 49)
• Time Service (port 37)

To forward UDP broadcast packets received on interface int1 to the host 10.1.4.5 for the six default UDP services:

    ssr(config)# ip helper-address interface int1 10.1.4.5

To forward UDP broadcast packets received on interface int2 to the host 10.2.48.

where the packet is received. You can disable this feature, causing directed broadcast packets to be processed on the XP even if directed broadcast is not enabled on the interface receiving the packet. Similarly, the XP installs flows to drop packets destined for the XP for which service is not provided by the XP. This prevents packets for unknown services from slowing the CPU. You can disable this behavior, causing these packets to be processed by the CPU.
The following example displays the contents of the routing table. It shows that some of the route entries are for locally connected interfaces (“directly connected”), while some of the other routes are learned from RIP.

    ssr# ip show routes
    Destination      Gateway      Owner    Netif
    ---------------  -----------  -------  ----------
    10.1.0.0/16      50.1.1.2     RIP      to-linux2
    10.2.0.0/16      50.1.1.2     RIP      to-linux2
    10.3.0.0/16      50.1.1.2     RIP      to-linux2
    10.4.0.0/16      50.1.1.2     RIP      to-linux2
    14.3.2.1         61.1.4.32    Static   int61
    21.0.0.

Configuring Router Discovery

To start router discovery on the XP, enter the following command in Configure mode:

    ssr(config)# rdisc start

The rdisc start command lets you start router discovery on the XP. When router discovery is started, the XP multicasts or broadcasts periodic router advertisements on each configured interface. The router advertisements contain a list of addresses on a given interface and the preference of each address for use as the default route on the interface.

To display router discovery information:

    ssr# rdisc show all
    Task State:
        Send buffer size 2048 at 812C68F8
        Recv buffer size 2048 at 812C60D0
        Timers:
            RouterDiscoveryServer Priority 30
            RouterDiscoveryServer_XP2_XP3_IP last: 10:17:21 next: 10:25:05
    Task RouterDiscoveryServer:
        Interfaces:
            Interface XP2_XP3_IP:
                Group 224.0.0.1:
                    minadvint 7:30 maxadvint 10:00 lifetime 30:00
                    Address 10.10.5.

Configuration Examples

Assigning IP/IPX Interfaces

To enable routing on the XP, you must assign an IP or IPX interface to a VLAN. To assign an IP or IPX interface named ‘RED’ to the ‘BLUE’ VLAN, enter the following command:

    ssr(config)# interface create ip RED address-netmask 10.50.0.1/255.255.0.0 vlan BLUE

You can also assign an IP or IPX interface directly to a physical port.
Chapter 11: VRRP Configuration Guide

VRRP Overview

This chapter explains how to set up and monitor the Virtual Router Redundancy Protocol (VRRP) on the XP. VRRP is defined in RFC 2338. End host systems on a LAN are often configured to send packets to a statically configured default router. If this default router becomes unavailable, all the hosts that use it as their first hop router become isolated on the network. VRRP provides a way to ensure the availability of an end host’s default router.

Configuring VRRP

Basic VRRP Configuration

Figure 6 shows a basic VRRP configuration with a single virtual router. Routers R1 and R2 are both configured with one virtual router (VRID=1). Router R1 serves as the Master and Router R2 serves as the Backup. The four end hosts are configured to use 10.0.0.1/16 as the default route. IP address 10.0.0.1/16 is associated with virtual router VRID=1.

[Figure 6: R1 (Master) and R2 (Backup) share virtual router VRID=1 with address 10.0.0.1/16; R1’s interface address is 10.0.0.1/16 and R2’s interface address is 10.0.0.]

In VRRP, the router that owns the IP address associated with the virtual router is the Master. Any other routers that participate in this virtual router are Backups. In this configuration, Router R1 is the Master for virtual router VRID=1 because it owns 10.0.0.1/16, the IP address associated with virtual router VRID=1.

Configuration for Router R2

The following is the configuration file for Router R2 in Figure 6.

    1: interface create ip test address-netmask 10.0.0.2/16 port et.1.

[Figure 7. Symmetrical VRRP Configuration: R1 (interface address 10.0.0.1/16) is Master for VRID=1 and Backup for VRID=2; R2 (interface address 10.0.0.2/16) is Master for VRID=2 and Backup for VRID=1; VRID=1 is associated with 10.0.0.1/16 and VRID=2 with 10.0.0.2/16; hosts H1 and H2 use default route 10.0.0.1/16, hosts H3 and H4 use default route 10.0.0.2/16.]

In this configuration, half the hosts use 10.0.0.

On line 5, Router R1 associates IP address 10.0.0.2/16 with virtual router VRID=2. However, since Router R1 does not own IP address 10.0.0.2/16, it is not the default Master for virtual router VRID=2.

Configuration of Router R2

The following is the configuration file for Router R2 in Figure 7.

    1: interface create ip test address-netmask 10.0.0.2/16 port et.1.

[Figure 8: three routers. R1 is Master for VRID=1 (10.0.0.1/16), 1st Backup for VRID=2 and 1st Backup for VRID=3. R2 is Master for VRID=2 (10.0.0.2/16), 1st Backup for VRID=1 and 2nd Backup for VRID=3. R3 is Master for VRID=3 (10.0.0.3/16), 2nd Backup for VRID=1 and 2nd Backup for VRID=2. Hosts H1 and H2 use default route 10.0.0.1/16, H3 and H4 use 10.0.0.2/16, H5 and H6 use 10.0.0.3/16.]

Configuration of Router R1

The following is the configuration file for Router R1 in Figure 8.

    1: interface create ip test address-netmask 10.0.0.1/16 port et.1.1
    !
    2: ip-redundancy create vrrp 1 interface test
    3: ip-redundancy create vrrp 2 interface test
    4: ip-redundancy create vrrp 3 interface test
    !
    5: ip-redundancy associate vrrp 1 interface test address 10.0.0.1/16
    6: ip-redundancy associate vrrp 2 interface test address 10.0.0.

The following table shows the priorities for each virtual router configured on Router R1.

    Virtual Router                       Default Priority       Configured Priority
    VRID=1 – IP address=10.0.0.1/16      255 (address owner)    255 (address owner)
    VRID=2 – IP address=10.0.0.2/16      100                    200 (see line 8)
    VRID=3 – IP address=10.0.0.3/16      100                    200 (see line 9)

Configuration of Router R2

The following is the configuration file for Router R2 in Figure 8.

    1: interface create ip test address-netmask 10.0.0.2/16 port et.1.

Note: Since 100 is the default priority, line 9, which sets the priority to 100, is actually unnecessary. It is included for illustration purposes only.

Configuration of Router R3

The following is the configuration file for Router R3 in Figure 8.

    1: interface create ip test address-netmask 10.0.0.3/16 port et.1.
Additional Configuration

This section covers settings you can modify in a VRRP configuration, including backup priority, advertisement interval, pre-empt mode, and authentication key.

Setting the Backup Priority

As described in Multi-Backup Configuration on page 113, you can specify which Backup router takes over when the Master router goes down by setting the priority for the Backup routers.

To set the advertisement interval to 3 seconds:

    ssr(config)# ip-redundancy set vrrp 1 interface int1 adv-interval 3

Setting Pre-empt Mode

When a Master router goes down, the Backup with the highest priority takes over the IP addresses associated with the Master. By default, when the original Master comes back up again, it takes over from the Backup router that assumed its role as Master. When a VRRP router does this, it is said to be in pre-empt mode.

Monitoring VRRP

ip-redundancy trace

The ip-redundancy trace command is used for troubleshooting purposes. This command causes messages to be displayed when certain VRRP events occur on the XP. To trace VRRP events, enter the following commands in Enable mode:

Display a message when any VRRP event occurs. (Disabled by default.)
    ip-redundancy trace vrrp events enabled

Display a message when a VRRP router changes from one state to another; for example, Backup to Master. (Enabled by default.

ip-redundancy show

The ip-redundancy show command reports information about a VRRP configuration. To display information about all virtual routers on interface int1:

    ssr# ip-redundancy show vrrp interface int1
    VRRP Virtual Router 100 - Interface int1
    -----------------------------------------
    Uptime                 0 days, 0 hours, 0 minutes, 17 seconds.

To display VRRP statistics for virtual router 100 on interface int1:

    ssr# ip-redundancy show vrrp 1 interface int1 verbose
    VRRP Virtual Router 100 - Interface int1
    -----------------------------------------
    Uptime                 0 days, 0 hours, 0 minutes, 17 seconds.
    State                  Backup
    Priority               100 (default value)
    Virtual MAC address    00005E:000164
    Advertise Interval     1 sec(s) (default value)
    Preempt Mode           Enabled (default value)
    Authentication         None (default value)
    Primary Address        10.8.0.

VRRP Configuration Notes

The skew-time depends on the Backup router’s configured priority:

    Skew-time = ((256 - Priority) / 256)

Therefore, the higher the priority, the faster a Backup router will detect that the Master is down. For example:

    – Default advertisement-interval = 1 second
    – Default Backup router priority = 100
    – Master-down-interval = time it takes a Backup to detect the Master is down
      = (3 * adv-interval) + skew-time
      = (3 * 1 second) + ((256 - 100) / 256)
      = 3.
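The two formulas above decide which Backup wins when a Master disappears, since every Backup stops hearing advertisements at the same moment and the one with the shortest Master-down-interval acts first. The following Python carries the manual's formulas through for the multi-Backup case; it is an added example, not code from the manual or the XP, and the helper names are my own.

```python
"""Added example (not from the manual): VRRP Master-down timing using the
skew-time and Master-down-interval formulas given in the text."""
from typing import Dict, List, Tuple


def skew_time(priority: int) -> float:
    """Skew-time = (256 - Priority) / 256 seconds, as stated in the text."""
    if not 1 <= priority <= 255:
        raise ValueError("VRRP priority must be between 1 and 255")
    return (256 - priority) / 256


def master_down_interval(adv_interval: float, priority: int) -> float:
    """Master-down-interval = 3 * adv-interval + skew-time: how long a Backup
    with this priority waits without advertisements before taking over."""
    return 3 * adv_interval + skew_time(priority)


def takeover_order(adv_interval: float, backups: Dict[str, int]) -> List[Tuple[str, float]]:
    """Order the Backups by the moment each would declare the Master down.
    Because skew-time shrinks as priority grows, the highest-priority Backup
    always has the shortest interval and therefore wins the election."""
    timed = [(name, master_down_interval(adv_interval, prio)) for name, prio in backups.items()]
    return sorted(timed, key=lambda item: item[1])


def detection_gap(adv_interval: float, high_priority: int, low_priority: int) -> float:
    """Head start, in seconds, that the higher-priority Backup has over the
    lower-priority one; it is independent of adv-interval."""
    return (master_down_interval(adv_interval, low_priority)
            - master_down_interval(adv_interval, high_priority))


if __name__ == "__main__":
    # The manual's worked example: default adv-interval 1 s, default priority 100.
    print(master_down_interval(1, 100))
    # Figure 8 style: two Backups for one VRID with priorities 200 and 100.
    print(takeover_order(1, {"R2": 200, "R3": 100}))
    print(detection_gap(1, 200, 100))
```

With the defaults the Master-down-interval is 3.609375 seconds; a Backup configured with priority 200 (as in the Figure 8 configuration) waits only 3.21875 seconds, so it claims the address about 0.39 seconds before a priority-100 Backup would, and raising adv-interval stretches both intervals without changing that gap.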
Chapter 12: RIP Configuration Guide

RIP Overview

This chapter describes how to configure the Routing Information Protocol (RIP) on the Enterasys Xpedition. RIP is a distance-vector routing protocol for use in small networks. RIP is described in RFC 1723. A router running RIP broadcasts updates at set intervals. Each update contains paired values where each pair consists of an IP network address and an integer distance to that network. RIP uses a hop count metric to measure the distance to a destination.

Configuring RIP

Enabling and Disabling RIP

To enable or disable RIP, enter one of the following commands in Configure mode.

Enable RIP.
    rip start

Disable RIP.
    rip stop

Configuring RIP Interfaces

To configure RIP in the XP, you must first add interfaces to inform RIP about attached interfaces. To add RIP interfaces, enter the following commands in Configure mode.

Add interfaces to the RIP process.
    rip add interface

Add gateways from which the XP will accept RIP updates.

    RIP Parameter      Default Value
    Authentication     None
    Update interval    30 seconds

To change RIP parameters, enter the following commands in Configure mode.

Set RIP Version on an interface to RIP V1.
    rip set interface |all version 1

Set RIP Version on an interface to RIP V2.
    rip set interface |all version 2

Specify that RIP V2 packets should be multicast on this interface.

Enable acceptance of RIP routes that have a metric of zero.
    rip set check-zero-metric disable|enable

Enable poison reverse, as specified by RFC 1058.
    rip set poison-reverse disable|enable

Specify the maximum number of RIP routes maintained in the routing information base (RIB). The default is 4.
    rip set max-routes

Disable multipath route calculation for RIP routes.
    rip set multipath off

Configuring RIP Route Preference

You can set the preference of routes learned from RIP.

Monitoring RIP

To monitor RIP information, enter the following commands in Enable mode.

Show all RIP information.
    rip show all

Show RIP export policies.
    rip show export-policy

Show RIP global information.
    rip show globals

Show RIP import policies.
    rip show import-policy

Show RIP information on the specified interface.
    rip show interface

Show RIP interface policy information.
    rip show interface-policy

Show detailed information of all RIP packets.

Configuration Example

    rip add interface XP1-if1
    rip set interface XP1-if1 version 2
    rip start
    !
    !
    ! Set authentication method to md5
    rip set interface XP1-if1 authentication-method md5
    !
    ! Change default metric-in
    rip set interface XP1-if1 metric-in 2
    !
    ! Change default metric-out
    rip set interface XP1-if1 metric-out 3
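The settings in the configuration above (metric-in, metric-out, poison reverse, check-zero-metric and the list of gateways RIP updates are accepted from) each change what ends up in the table or in an outgoing update. The following Python is an added example, not code from the Enterasys manual or the XP's RIP implementation, modelling one router's RIP table with those knobs. It assumes the usual GateD-style meaning of the two metrics (metric-in is added to every route received on the interface and defaults to 1, metric-out is added to every route advertised out of it and defaults to 0), uses 16 as the RFC 1058 unreachable metric, and all class and method names are my own.

```python
"""Added example (not from the manual): a RIP table that applies metric-in,
metric-out, poison reverse, check-zero-metric and a trusted-gateway list."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple

RIP_INFINITY = 16   # RFC 1058: metric 16 means "unreachable"


@dataclass
class Route:
    prefix: str
    metric: int
    gateway: str   # the neighbour that advertised it
    iface: str     # the interface it arrived on


class RipTable:
    def __init__(self, metric_in: Optional[Dict[str, int]] = None,
                 metric_out: Optional[Dict[str, int]] = None,
                 poison_reverse: bool = True, check_zero_metric: bool = True,
                 trusted_gateways: Optional[Set[str]] = None):
        self.metric_in = metric_in or {}      # per-interface; default 1 (assumed)
        self.metric_out = metric_out or {}    # per-interface; default 0 (assumed)
        self.poison_reverse = poison_reverse
        self.check_zero_metric = check_zero_metric
        self.trusted_gateways = trusted_gateways   # None: accept from any gateway
        self.routes: Dict[str, Route] = {}

    def receive(self, iface: str, gateway: str,
                pairs: Iterable[Tuple[str, int]]) -> List[str]:
        """Process one update (a list of (network, distance) pairs, as the RIP
        overview describes) and return the prefixes that were installed."""
        if self.trusted_gateways is not None and gateway not in self.trusted_gateways:
            return []   # "rip add ..." gateway list: updates from others are ignored
        installed: List[str] = []
        for prefix, metric in pairs:
            if self.check_zero_metric and metric == 0:
                continue   # check-zero-metric enabled: metric 0 is rejected
            new_metric = min(metric + self.metric_in.get(iface, 1), RIP_INFINITY)
            current = self.routes.get(prefix)
            same_source = (current is not None and current.gateway == gateway
                           and current.iface == iface)
            if new_metric >= RIP_INFINITY:
                if same_source:
                    del self.routes[prefix]   # our next hop lost the route
                continue
            if current is None or new_metric < current.metric or same_source:
                self.routes[prefix] = Route(prefix, new_metric, gateway, iface)
                installed.append(prefix)
        return installed

    def advertise(self, iface: str) -> List[Tuple[str, int]]:
        """Build the (network, distance) pairs sent out of one interface."""
        update: List[Tuple[str, int]] = []
        for r in self.routes.values():
            if r.iface == iface:
                if self.poison_reverse:
                    # Poison reverse: advertise the route back where it came
                    # from, but as unreachable, so the neighbour never loops.
                    update.append((r.prefix, RIP_INFINITY))
                continue   # plain split horizon otherwise
            out = min(r.metric + self.metric_out.get(iface, 0), RIP_INFINITY)
            update.append((r.prefix, out))
        return sorted(update)


if __name__ == "__main__":
    # Mirrors the configuration example: metric-in 2 and metric-out 3 on XP1-if1.
    t = RipTable(metric_in={"XP1-if1": 2}, metric_out={"XP1-if1": 3},
                 trusted_gateways={"50.1.1.2"})   # constructed gateway address
    print(t.receive("XP1-if1", "50.1.1.2", [("10.1.0.0/16", 1), ("10.2.0.0/16", 0)]))
    print(t.advertise("XP1-if1"), t.advertise("XP1-if2"))
```

In the script, 10.1.0.0/16 is installed with metric 3 (1 received plus metric-in 2) while 10.2.0.0/16 is dropped by check-zero-metric; advertising back out XP1-if1 yields the route poisoned to 16, and advertising out another interface yields metric 3 because that interface keeps the assumed metric-out default of 0.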
Chapter 13 OSPF Configuration Guide OSPF Overview Open Shortest Path First Routing (OSPF) is a shortest path first or link-state protocol. The XP supports OSPF Version 2.0, as defined in RFC 1583. OSPF is an interior gateway protocol that distributes routing information between routers in a single autonomous system. OSPF chooses the least-cost path as the best path.
Configuring OSPF Intra-area paths have destinations within the same area. Inter-area paths have destinations in other OSPF areas. Both types of Autonomous System External (ASE) routes are routes to destinations external to OSPF (and usually external to the AS). Routes exported into OSPF ASE as type 1 ASE routes are supposed to be from interior gateway protocols (e.g., RIP) whose external metrics are directly comparable to OSPF metrics.
Configuring OSPF • Add IP networks to OSPF areas. • Create virtual links, if necessary. Enabling OSPF OSPF is disabled by default on the XP. To enable or disable OSPF, enter one of the following commands in Configure mode. Enable OSPF. ospf start Disable OSPF. ospf stop Configuring OSPF Interface Parameters You can configure the OSPF interface parameters shown in the table below. Table 7.
Configuring OSPF interface is represented by the highest bandwidth port that is part of the associated VLAN. The cost of an OSPF interface is inversely proportional to this bandwidth. The cost is calculated using the following formula: Cost = 2000000000 / speed (in bps) The following is a table of the port types and the OSPF default cost associated with each type: Table 8.
Configuring OSPF Disable IP multicast for sending OSPF packets to neighbors on an OSPF interface. ospf set interface |all nomulticast Specify the poll interval on an OSPF interface. ospf set interface |all poll-interval Specify the identifier of the key chain containing the authentication keys. ospf set interface |all key-chain Specify the authentication method to be used on this interface.
routing domain is not sent into a stub area. Instead, there is a default external route generated by the ABR into the stub area for destinations outside the OSPF routing domain. To further reduce the number of link state advertisements sent into a stub area, you can specify the no-summary keyword with the stub option on the ABR to prevent it from sending summary link advertisements (link state advertisements type 3) into the stub area.
Configuring Autonomous System External (ASE) Link Advertisements

Because of the nature of OSPF, the rate at which ASEs are flooded may need to be limited. The following parameters can be used to adjust those rate limits. These parameters specify the defaults used when importing OSPF ASE routes into the routing table and exporting routes from the routing table into OSPF ASEs.
networks, a list of neighboring routers reachable over a PMP network should be configured so that the router can discover its neighbors. To configure OSPF for NBMA networks, enter the following command in Configure mode:

Specify an OSPF NBMA neighbor:
ospf add nbma-neighbor tointerface [eligible]

Note: When you assign an interface with the ospf add interface command, you must specify type non-broadcast.
Monitoring OSPF

Display link state advertisement information:
ospf monitor lsa [destination ]

Display the link state database:
ospf monitor lsdb [destination ]

Show information about all OSPF routing neighbors:
ospf monitor neighbors [destination ]

Show information on valid next hops:
ospf monitor next-hop-list [destination ]

Display the OSPF routing table.
OSPF Configuration Examples

For all examples in this section, refer to the configuration shown in Figure 9 on page 143. The following configuration commands for router R1:
• Determine the IP address for each interface
• Specify the static routes configured on the router
• Determine its OSPF configuration

!++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
! Create the various IP interfaces.
2. Create an OSPF export destination for type-2 routes, since we would like to redistribute certain routes into OSPF as type 2 OSPF-ASE routes.
ip-router policy create ospf-export-destination ospfExpDstType2 type 2 metric 4

3. Create a Static export source, since we would like to export static routes.
ip-router policy create static-export-source statExpSrc

4. Create a Direct export source, since we would like to export interface/direct routes.
4. Create an OSPF export destination for type-2 routes with a tag of 100.
ip-router policy create ospf-export-destination ospfExpDstType2t100 type 2 tag 100 metric 4

5. Create a RIP export source.
ip-router policy create rip-export-source ripExpSrc

6. Create a Static export source.
ip-router policy create static-export-source statExpSrc

7. Create a Direct export source.
ip-router policy create direct-export-source directExpSrc

8.
[Figure 9. Network diagram for the OSPF configuration examples: routers R1, R2, R3, R5, R6, R7, R8, R10, R11, R41 and R42 in the backbone, area 140.1.0.0 and area 150.20.0.0, with RIP V2 and BGP attachments. The caption is truncated in the source and the image is not reproduced.]
Chapter 14: BGP Configuration Guide

BGP Overview

The Border Gateway Protocol (BGP) is an exterior gateway protocol that allows IP routers to exchange network reachability information. BGP became an internet standard in 1989 (RFC 1105) and the current version, BGP-4, was published in 1994 (RFC 1771). BGP is typically run between Internet Service Providers. It is also frequently used by multihomed ISP customers, as well as in large commercial networks.
The XP BGP Implementation

The XP routing protocol implementation is based on GateD 4.0.3 code (http://www.gated.org). GateD is a modular software program consisting of core services, a routing database, and protocol modules supporting multiple routing protocols (RIP versions 1 and 2, OSPF version 2, BGP version 2 through 4, and Integrated IS-IS). Since the XP IP routing code is based upon GateD, BGP can also be configured using a GateD configuration file (gated.
Basic BGP Tasks

Setting the Autonomous System Number

An autonomous system number identifies your autonomous system to other routers. To set the XP's autonomous system number, enter the following command in Configure mode.

Set the XP's autonomous system number:
ip-router global set autonomous-system loops

The autonomous-system parameter sets the AS number for the router. Specify a number from 1–65534.
where:

peer-group: Is a group ID, which can be a number or a character string.

type: Specifies the type of BGP group you are adding. You can specify one of the following:

external: In the classic external BGP group, full policy checking is applied to all incoming and outgoing advertisements. The external neighbors must be directly reachable through one of the machine's local interfaces.
Adding and Removing a BGP Peer

There are two ways to add BGP peers to peer groups. You can explicitly add a peer host, or you can add a network. Adding a network allows for peer connections from any addresses in the range of network and mask pairs specified in the bgp add network command. To add BGP peers to BGP peer groups, enter one of the following commands in Configure mode.

Add a host to a BGP peer group.
(aspath_regexp): Parentheses group subexpressions. An operator, such as * or ?, works on a single element or on a regular expression enclosed in parentheses.

An AS-path operator is one of the following:

aspath_term {m,n}: A regular expression followed by {m,n} (where m and n are both non-negative integers and m <= n) means at least m and at most n repetitions.

aspath_term {m}: A regular expression followed by {m} (where m is a positive integer) means exactly m repetitions.
AS-Path Regular Expression Examples

To import MCI routes with a preference of 165:
ip-router policy create bgp-import-source mciRoutes aspath-regular-expression "(.* 3561 .*)" origin any sequence-number 10
ip-router policy import source mciRoutes network all preference 165

To import all routes (.* matches all AS paths) with the default preference:
ip-router policy create bgp-import-source allOthers aspath-regular-expression "(.
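As an added illustration (not code from the manual), the following Python models how an aspath-regular-expression such as "(.* 3561 .*)" is matched against an AS path, and how the first matching bgp-import-source in sequence-number order decides the import preference. The default BGP preference of 170 assumed for allOthers is not stated on this page.

```python
import re
from typing import List, Optional, Tuple

# One token of an AS-path regular expression: an AS number, ".", "(", ")",
# "|", or a postfix operator (* ? + {m} {m,n}); leading blanks are skipped.
_TOKEN = re.compile(r"\s*(\d+|\{\d+(?:,\d+)?\}|[.()|*?+])")


def aspath_regex_to_python(expr: str) -> str:
    """Translate an AS-path regular expression (the aspath-regular-expression
    syntax) into a Python regex over the canonical text form of a path that
    path_to_text() produces."""
    out: List[str] = []
    pos = 0
    while expr[pos:].strip():
        m = _TOKEN.match(expr, pos)
        if m is None:
            raise ValueError(f"bad AS-path regular expression near {expr[pos:]!r}")
        tok = m.group(1)
        pos = m.end()
        if tok.isdigit():
            out.append(f"(?:{tok} )")    # an AS number matches that AS only
        elif tok == ".":
            out.append(r"(?:\d+ )")      # "." matches any single AS
        elif tok == "(":
            out.append("(?:")            # parentheses group subexpressions
        else:
            out.append(tok)              # ) | * ? + {m} {m,n} keep their meaning
    return "".join(out)


def path_to_text(as_path: List[int]) -> str:
    """Canonical text form: every AS number followed by one space, so that
    the term 3561 can never match inside 35610."""
    return "".join(f"{asn} " for asn in as_path)


def aspath_matches(expr: str, as_path: List[int]) -> bool:
    """True if the whole AS path matches the AS-path regular expression."""
    return re.fullmatch(aspath_regex_to_python(expr), path_to_text(as_path)) is not None


# (sequence-number, import-source name, aspath-regular-expression, preference)
ImportSource = Tuple[int, str, str, int]

# The two bgp-import-source entries from the manual's example. The default
# BGP preference of 170 used for allOthers is an assumption of this example.
POLICY: List[ImportSource] = [
    (10, "mciRoutes", "(.* 3561 .*)", 165),
    (20, "allOthers", ".*", 170),
]


def import_preference(policy: List[ImportSource],
                      as_path: List[int]) -> Optional[Tuple[str, int]]:
    """Sources are tried in sequence-number order; the first whose expression
    matches the route's AS path decides its preference. None: no source matched."""
    for _seq, name, expr, pref in sorted(policy):
        if aspath_matches(expr, as_path):
            return name, pref
    return None
```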
The following is an example:
#
# insert two instances of the AS when advertising the route to this peer
#
bgp set peer-host 194.178.244.33 group nlnet as-count 2
#
# insert three instances of the AS when advertising the route to this
# peer
#
bgp set peer-host 194.109.86.5 group webnet as-count 3

Notes on Using the AS Path Prepend Feature

• Use the as-count option for external peer-hosts only.
• BGP Multi-Exit Discriminator (MED) attribute
• EBGP aggregation
• Route reflection

BGP Peering Session Example

The router process used for a specific BGP peering session is known as a BGP speaker. A single router can have several BGP speakers. Successful BGP peering depends on the establishment of a neighbor relationship between BGP speakers. The first step in creating a BGP neighbor relationship is the establishment of a TCP connection (using TCP port 179) between peers.
Figure 10 illustrates a sample BGP peering session.

[Figure 10. Sample BGP Peering Session: XP1 in AS-1 (10.0.0.1/16, port 1.1) and XP2 in AS-2 (10.0.0.2/16, port 1.1); legend: physical link, peering relationship. Diagram not reproduced.]

The CLI configuration for router XP1 is as follows:
interface create ip et.1.1 address-netmask 10.0.0.1/16 port et.1.1
#
# Set the AS of the router
#
ip-router global set autonomous-system 1
#
# Set the router ID
#
ip-router global set router-id 10.0.0.
The gated.conf file for router XP1 is as follows:
autonomoussystem 1 ;
routerid 10.0.0.1 ;
bgp yes {
    group type external peeras 2 {
        peer 10.0.0.2 ;
    };
};

The CLI configuration for router XP2 is as follows:
interface create ip et.1.1 address-netmask 10.0.0.2/16 port et.1.1
ip-router global set autonomous-system 2
ip-router global set router-id 10.0.0.2
bgp create peer-group pg2w1 type external autonomous-system 1
bgp add peer-host 10.0.0.1 group pg2w1
bgp start

The gated.
An IGP, like OSPF, could possibly be used instead of IBGP to exchange routing information between EBGP speakers within an AS. However, injecting full Internet routes (50,000+ routes) into an IGP puts an expensive burden on the IGP routers. Additionally, IGPs cannot communicate all of the BGP attributes for a given route. It is, therefore, recommended that an IGP not be used to propagate full Internet routes between EBGP speakers. IBGP should be used instead.
Figure 11 shows a sample BGP configuration that uses the Routing group type.

[Figure 11. AS-64801 with routers XP1, XP4, XP6 and a Cisco router: OSPF runs as the IGP over the 10.12.1.0/30 and 172.23.1.0/30 point-to-point links, and IBGP runs between the Cisco router (lo0 172.23.1.25/30) and XP6 (lo0 172.23.1.26/30). The caption is truncated in the source and the image is not reproduced.]
In this example, OSPF is configured as the IGP in the autonomous system. The following lines in the router XP6 configuration file configure OSPF:
#
# Create a secondary address for the loopback interface
#
interface add ip lo0 address-netmask 172.23.1.26/30
ospf create area backbone
ospf add interface to-XP4 to-area backbone
ospf add interface to-XP1 to-area backbone
#
# This line is necessary because we want CISCO to peer with our loopback
# address.
The following lines on the Cisco router set up IBGP peering with router XP6.
router bgp 64801
!
! Disable synchronization between BGP and IGP
!
no synchronization
neighbor 172.23.1.26 remote-as 64801
!
! Allow internal BGP sessions to use any operational interface for TCP
! connections
!
neighbor 172.23.1.
Figure 12 illustrates a sample IBGP Internal group configuration.

[Figure 12. Sample IBGP Configuration (Internal Group Type): AS-1 with routers XP1, XP2, C1 and C2 on the 16.122.128.0/24 and 17.122.128.0/24 networks; legend: physical link, peering relationship. Diagram not reproduced.]

The CLI configuration for router XP1 is as follows:
ip-router global set autonomous-system 1
bgp create peer-group int-ibgp-1 type internal autonomous-system 1
bgp add peer-host 16.122.
The gated.conf file for router XP1 is as follows:
autonomoussystem 1 ;
routerid 16.122.128.1 ;
bgp yes {
    traceoptions aspath detail packets detail open detail update ;
    group type internal peeras 1 {
        peer 16.122.128.2 ;
        peer 16.122.128.8 ;
        peer 16.122.128.9 ;
    };
};

The CLI configuration for router XP2 is as follows:
ip-router global set autonomous-system 1
bgp create peer-group int-ibgp-1 type internal autonomous-system 1
bgp add peer-host 16.122.128.
The configuration for router C1 (a Cisco router) is as follows:
router bgp 1
no synchronization
network 16.122.128.0 mask 255.255.255.0
network 17.122.128.0 mask 255.255.255.0
neighbor 16.122.128.1 remote-as 1
neighbor 16.122.128.1 next-hop-self
neighbor 16.122.128.1 soft-reconfiguration inbound
neighbor 16.122.128.2 remote-as 1
neighbor 16.122.128.2 next-hop-self
neighbor 16.122.128.2 soft-reconfiguration inbound
neighbor 16.122.128.9 remote-as 1
neighbor 16.122.128.
This sample configuration shows External BGP peers, XP1 and XP4, which are not connected to the same subnet.

[Figure: routers XP1, XP2 and XP3 in AS-64800 and XP4 in AS-64801, attached to the 16.122.0.0/16, 17.122.0.0/16 and 18.122.0.0/16 networks; legend: physical link, peering relationship. The figure number and caption are missing from the source and the image is not reproduced.]

The CLI configuration for router XP1 is as follows:
bgp create peer-group ebgp_multihop autonomous-system 64801 type external
bgp add peer-host 18.122.128.
The gated.conf file for router XP1 is as follows:
autonomoussystem 64800 ;
routerid 0.0.0.1 ;
bgp yes {
    traceoptions state ;
    group type external peeras 64801 {
        peer 18.122.128.2 gateway 16.122.128.3 ;
    };
};
static {
    18.122.0.0 masklen 16 gateway 16.122.128.3 ;
};

The CLI configuration for router XP2 is as follows:
interface create ip to-R1 address-netmask 16.122.128.3/16 port et.1.1
interface create ip to-R3 address-netmask 17.122.128.3/16 port et.1.
The gated.conf file for router XP3 is as follows:
static {
    16.122.0.0 masklen 16 gateway 17.122.128.3 ;
};

The CLI configuration for router XP4 is as follows:
bgp create peer-group ebgp_multihop autonomous-system 64801 type external
bgp add peer-host 18.122.128.2 group ebgp_multihop
!
! Specify the gateway option, which indicates EBGP multihop. Set the
! gateway option to the address of the router that has a route to the
! peer.
!
bgp set peer-host 18.122.128.2 gateway 16.122.
[Figure 13. ISP1 and ISP2 (AS-64901 and AS-64902) connected to AS-64900 and AS-64899 through routers R10, R11, R13, R14, CS1 and CS2; legend: physical link, peering relationship, information flow. The caption is truncated in the source and the image is not reproduced.]
[Figure 14. Sample BGP Configuration (Well-Known Community): routers XP10, XP11 and XP13 across AS-64900, AS-64901 and AS-64902 (ISP2); legend: physical link, peering relationship, information flow. Diagram not reproduced.]

The Community attribute can be used in three ways:

1.
In Figure 14, router XP11 has the following configuration:
#
# Create an optional attribute list with identifier color1 for a community
# attribute (community-id 160 AS 64901)
#
ip-router policy create optional-attributes-list color1 community-id 160 autonomous-system 64901
#
# Create an optional attribute list with identifier color2 for a community
# attribute (community-id 155 AS 64901)
#
ip-router policy create optional-attributes-list color2 community-id 155 autonomous-system
attribute. Any communities specified with the optional-attributes-list option are sent in addition to any received in the route or specified with the group.
The specific community consists of the combination of the AS-value and community ID.

• Well-known-community no-export: Well-known-community no-export is a special community which indicates that the routes associated with this attribute must not be advertised outside a BGP confederation boundary. Since the XP's implementation does not support Confederations, this boundary is an AS boundary.
Local Preference Examples

There are two methods of specifying the local preference with the bgp set peer-group command:

• Setting the local-pref option. This option can only be used for the internal, routing, and IGP group types and is not designed to be sent outside of the AS.
• Setting the set-pref option, which allows GateD to set the local preference to reflect GateD's own internal preference for the route, as given by the global protocol preference value.
[Figure 15. AS-64900 (router XP10, with the 10.200.12.0/24 through 10.200.15.0/24 networks) connected by EBGP over 192.168.20.0/16 and 172.28.0.0/16 to AS-64901 (routers XP11, XP12, XP13 and XP14); legend: physical link, peering relationship, information flow. The caption is truncated in the source and the image is not reproduced.]
Using the local-pref Option

For router XP12's CLI configuration file, local-pref is set to 194:
bgp set peer-group as901 local-pref 194

For router XP13, local-pref is set to 204:
bgp set peer-group as901 local-pref 204

Using the set-pref Option

The formula used to compute the local preference is as follows:

Local_Pref = 254 - (global protocol preference for this route) + set-pref metric

Note: A value greater than 254 will be reset to 254.
For example, in Figure 15, routers XP12, XP13, and XP14 have the following line in their CLI configuration files:
bgp set peer-group as901 set-pref 100

• The value of the set-pref option should be consistent with the import policy in the network. The metric value should be set high enough to avoid conflicts between BGP routes and IGP or static routes. For example, if the import policy sets GateD preferences ranging from 170 to 200, a set-pref metric of 170 would make sense.
Routers XP4 and XP6 inform router C1 about network 172.16.200.0/24 through External BGP (EBGP). Router XP6 announces the route with a MED of 10, whereas router XP4 announces the route with a MED of 20. Of the two EBGP routes, router C1 chooses the one with the smaller MED. Thus router C1 prefers the route from router XP6, which has a MED of 10.
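An added example, not code from the manual: the set-pref formula with its 254 cap, a check of the LOCAL_PREF span that a set-pref metric yields for an import-policy preference range, and the MED comparison described for routers XP4 and XP6. The base local preference of 100 given to the MED candidates is a constructed value.

```python
from typing import Dict, List, Optional

# A computed local preference above this bound is reset to it.
MAX_LOCAL_PREF = 254


def local_pref_from_set_pref(global_pref: int, set_pref_metric: int) -> int:
    """Local_Pref = 254 - (global protocol preference for this route) + set-pref metric,
    with values greater than 254 reset to 254."""
    return min(MAX_LOCAL_PREF - global_pref + set_pref_metric, MAX_LOCAL_PREF)


def local_pref_span(import_prefs: List[int], set_pref_metric: int) -> Dict[str, int]:
    """Lowest and highest LOCAL_PREF produced across a range of import
    preferences; used to check that a set-pref metric is consistent with the
    import policy (preferences 170..200 with metric 170 give 224..254)."""
    values = [local_pref_from_set_pref(p, set_pref_metric) for p in import_prefs]
    return {"min": min(values), "max": max(values)}


def best_route(candidates: List[Dict]) -> Optional[str]:
    """Pick the preferred announcement for one prefix: the highest LOCAL_PREF
    wins, then the lowest MED. A missing MED counts as 0.
    Assumption of this example: all candidates were learned from the same
    neighbouring AS, which is the case in which MEDs are comparable."""
    if not candidates:
        return None
    ranked = sorted(candidates, key=lambda r: (-r["local_pref"], r.get("med", 0)))
    return ranked[0]["peer"]


# Constructed candidates mirroring the MED example: XP6 announces
# 172.16.200.0/24 with MED 10 and XP4 with MED 20, equal local preference.
MED_EXAMPLE = [
    {"peer": "XP4", "prefix": "172.16.200.0/24", "local_pref": 100, "med": 20},
    {"peer": "XP6", "prefix": "172.16.200.0/24", "local_pref": 100, "med": 10},
]
```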
Router XP8 has the following CLI configuration:
interface add ip xleapnl address-netmask 212.19.192.2/24
interface create ip hobbygate address-netmask 212.19.199.62/24 port et.1.2
interface create ip xenosite address-netmask 212.19.198.1/24 port et.1.7
interface add ip lo0 address-netmask 212.19.192.1/30
bgp create peer-group webnet type external autonomous-system 64901
bgp add peer-host 194.109.86.5 group webnet
#
# Create an aggregate route for 212.19.192.
Figure 18 shows a sample configuration that uses route reflection.

[Figure 18. Sample BGP Configuration (Route Reflection): AS-64901 containing IBGP cluster clients XP9, XP12 and XP13, router XP11 and IBGP non-cluster client XP10, with EBGP peers XP14 in AS-64900 (192.68.222.1) and XP8 in AS-64902 (192.68.20.2). Diagram not reproduced.]

In this example, there are two clusters.
Router XP11 has router XP12 and router XP13 as client peers and router XP10 as a non-client peer. The following line in router XP11's configuration file specifies it to be a route reflector:
bgp set peer-group rtr11 reflector-client

Even though the IBGP peers are not fully meshed in AS 64901, the direct routes of router XP14, that is, 192.68.222.
Notes on Using Route Reflection

• Two types of route reflection are supported:
  – By default, all routes received by the route reflector from a client are sent to all internal peers (including the client's group, but not the client itself).
  – If the no-client-reflect option is enabled, routes received from a route reflection client are sent only to internal peers that are not members of the client's group. In this case, the client's group must itself be fully meshed.
Chapter 15: Routing Policy Configuration Guide

Route Import and Export Policy Overview

The XP family of routers supports extremely flexible routing policies.
Preference

Preference is the value the XP routing process uses to order preference of routes from one protocol or peer over another. Preference can be set using several different configuration commands. Preference can be set based on one network interface over another, from one protocol over another, or from one remote gateway over another. Preference may not be used to control the selection of routes within an Interior Gateway Protocol (IGP).
Import Policies

Import policies control the importation of routes from routing protocols and their installation in the routing databases (Routing Information Base and Forwarding Information Base). Import policies determine which routes received from other systems are used by the XP routing process. Every import policy can have up to two components:
• Import-Source
• Route-Filter

Import-Source

This component specifies the source of the imported routes.
It is only possible to restrict the importation of OSPF ASE routes when functioning as an AS border router. Like the other interior protocols, preference cannot be used to choose between OSPF ASE routes. That is done by the OSPF costs.

Route-Filter

This component specifies the individual routes which are to be imported or restricted. The preference to be associated with these routes can also be explicitly specified using this component.
The routes to be exported can be identified by their associated attributes:
• Their protocol type (RIP, OSPF, BGP, Static, Direct, Aggregate).
• Interface or the gateway from which the route was received.
• Autonomous system from which the route was learned.
• AS path associated with a route. When BGP is configured, all routes are assigned an AS path when they are added to the routing table.
A route will match the most specific filter that applies. Specifying more than one filter with the same destination, mask, and modifiers generates an error. There are three possible formats for a route filter. Not all of these formats are available in all places. In most cases, it is possible to associate additional options with a filter.
Route aggregation is also used by regional and national networks to reduce the amount of routing information passed around. With careful allocation of network addresses to clients, regional networks can just announce one route to regional networks instead of hundreds. Aggregate routes are not actually used for packet forwarding by the originator of the aggregate route, but only by the receiver (if it wishes).
Route-Filter

This component specifies the individual routes that are to be aggregated or summarized. The preference to be associated with these routes can also be explicitly specified using this component. The contributing routes are ordered according to the aggregation preference that applies to them. If there is more than one contributing route with the same aggregating preference, the route's own preferences are used to order the routes.
Configuring Simple Routing Policies

Many protocols allow the specification of two authentication keys per interface. Packets are always sent using the primary keys, but received packets are checked with both the primary and secondary keys before being discarded.

Authentication Keys and Key Management

An authentication key permits the generation and verification of the authentication field in protocol packets.
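Added example, not from the manual: a Python sketch of the primary/secondary key behaviour just described, showing how keeping the previous key as the secondary lets two routers roll over to a new key without discarding each other's packets. HMAC-SHA256 stands in for the protocol's own keyed digest, and the keys are constructed values.

```python
import hashlib
import hmac
from typing import Optional, Tuple

# Constructed keys for the example; a router would take them from its key chain.
OLD_KEY = b"key-chain-entry-1"
NEW_KEY = b"key-chain-entry-2"


def auth_field(packet: bytes, key: bytes) -> bytes:
    """Authentication field for a packet. HMAC-SHA256 is used here in place of
    the protocol's keyed digest; the key handling is what the example shows."""
    return hmac.new(key, packet, hashlib.sha256).digest()


def send(packet: bytes, primary: bytes) -> Tuple[bytes, bytes]:
    """Outgoing packets are always authenticated with the primary key."""
    return packet, auth_field(packet, primary)


def receive(packet: bytes, field: bytes, primary: bytes,
            secondary: Optional[bytes] = None) -> Optional[str]:
    """Check a received packet against the primary key and then the secondary
    key; return which key accepted it, or None when it is to be discarded."""
    for name, key in (("primary", primary), ("secondary", secondary)):
        if key is not None and hmac.compare_digest(auth_field(packet, key), field):
            return name
    return None


def rollover(packet: bytes) -> Tuple[Optional[str], Optional[str], Optional[str]]:
    """Key rollover between routers A and B: A already sends with NEW_KEY while
    B still sends with OLD_KEY, and each holds the other key as its secondary.
    Returns how B verifies A's packet, how A verifies B's packet, and what
    happens to A's packet once B has dropped its secondary key without
    switching its primary."""
    from_a = send(packet, NEW_KEY)
    from_b = send(packet, OLD_KEY)
    b_accepts = receive(*from_a, primary=OLD_KEY, secondary=NEW_KEY)
    a_accepts = receive(*from_b, primary=NEW_KEY, secondary=OLD_KEY)
    b_after_cleanup = receive(*from_a, primary=OLD_KEY, secondary=None)
    return b_accepts, a_accepts, b_after_cleanup
```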
The from-proto parameter specifies the protocol of the source routes. The values for the from-proto parameter can be rip, ospf, bgp, direct, static, aggregate and ospf-ase. The to-proto parameter specifies the destination protocol where the routes are to be exported. The values for the to-proto parameter can be rip, ospf and bgp. The network parameter provides a means to define a filter for the routes to be distributed.
Redistributing RIP into RIP

The XP routing process requires RIP redistribution into RIP if a protocol is redistributed into RIP. To redistribute RIP into RIP, enter the following command in Configure mode:
ip-router policy redistribute from-proto rip to-proto rip

Redistributing RIP into OSPF

RIP routes may be redistributed to OSPF. To redistribute RIP into OSPF, enter the following command in Configure mode:
To redistribute aggregate routes, enter one of the following commands in Configure mode:

To redistribute aggregate routes into RIP:
ip-router policy redistribute from-proto aggregate to-proto rip

To redistribute aggregate routes into OSPF:
!++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
! RIP Box Level Configuration
!++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
rip start
rip set default-metric 2
!++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
! RIP Interface Configuration. Create RIP interfaces, and set
! their type to (version II, multicast).
• Determine its OSPF configuration

!++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
! Create the various IP interfaces.
!++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
interface create ip to-r2 address-netmask 120.190.1.1/16 port et.1.2
interface create ip to-r3 address-netmask 130.1.1.1/16 port et.1.3
interface create ip to-r41 address-netmask 140.1.1.1/24 port et.1.4
interface create ip to-r42 address-netmask 140.1.2.
Router R1 would like to export all RIP, interface, and static routes to OSPF.
ip-router policy redistribute from-proto rip to-proto ospf
ip-router policy redistribute from-proto direct to-proto ospf
ip-router policy redistribute from-proto static to-proto ospf

Router R1 would also like to export interface, static, RIP, OSPF, and OSPF-ASE routes into RIP.
Configuring Advanced Routing Policies

• Export Sources: This component specifies the source of the exported routes. It can also specify the metric to be associated with the routes exported from this source. The routes to be exported can be identified by their associated attributes, such as protocol type, interface or the gateway from which the route was received, and so on.
• Route Filter: This component provides the means to define a filter for the routes to be distributed.
Creating an Export Destination

To create an export destination, enter one of the following commands in Configure mode:

Create a RIP export destination:
ip-router policy create rip-export-destination

Create an OSPF export destination:
ip-router policy create ospf-export-destination

Creating an Export Source

To create an export source, enter one of the following commands in Configure mode:

Create a RIP export source:
To create route import policies, enter the following command in Configure mode:

Create an import policy:
ip-router policy import source [filter |[network [exact|refines|between ] [preference |restrict]]]

The is the identifier of the import-source that determines the source of the imported routes. If no routes from a particular source are to be imported, then no additional parameters are required.
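Added example (not the XP's own code): a Python model of the import policy above, in which a route is compared against its route filters and the most specific filter wins, with filters built from this chapter's "import everything except 10.51.0.0/16 from R41" scenario. The exact, refines and between semantics follow GateD's route-filter rules as assumed here (exact: same mask; refines: longer mask; between: mask length within the range; no modifier: any mask within the filter's range), and the preference value 100 and the tie rule for equal-length filters are assumptions of the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union

Network = ipaddress.IPv4Network
Action = Union[int, str]        # a preference value, or the literal "restrict"
Modifier = Optional[Union[str, Tuple[str, int, int]]]


@dataclass(frozen=True)
class RouteFilter:
    """One route filter of an import policy.
    modifier: None (any mask), "exact", "refines", or ("between", lo, hi)."""
    network: Network
    action: Action
    modifier: Modifier = None

    def matches(self, route: Network) -> bool:
        # The route must fall inside the filter's range; the modifier then
        # constrains the route's own mask length (assumed GateD semantics).
        if not route.subnet_of(self.network):
            return False
        flen, rlen = self.network.prefixlen, route.prefixlen
        if self.modifier is None:
            return True                  # mask of the destination is ignored
        if self.modifier == "exact":
            return rlen == flen
        if self.modifier == "refines":
            return rlen > flen
        _kind, lo, hi = self.modifier    # ("between", lo, hi), inclusive
        return lo <= rlen <= hi


def build_filters(specs: List[Tuple[str, Action, Modifier]]) -> List[RouteFilter]:
    """Build filters from (network, action, modifier) specs. More than one
    filter with the same destination, mask and modifier is an error."""
    seen = set()
    result: List[RouteFilter] = []
    for net, action, modifier in specs:
        f = RouteFilter(ipaddress.ip_network(net), action, modifier)
        key = (f.network, f.modifier)
        if key in seen:
            raise ValueError(f"duplicate route filter for {net} {modifier}")
        seen.add(key)
        result.append(f)
    return result


def apply_import_policy(filters: List[RouteFilter], route: str) -> Optional[Action]:
    """A route matches the most specific (longest-mask) filter that applies;
    among equal-length filters the first one defined wins (assumption).
    Returns the preference, "restrict", or None when no filter matched."""
    r = ipaddress.ip_network(route)
    matching = [f for f in filters if f.matches(r)]
    if not matching:
        return None
    return max(matching, key=lambda f: f.network.prefixlen).action


# Constructed policy for peer R41: import everything with preference 100
# (assumed value) except the 10.51.0.0/16 route itself.
R41_IMPORT = build_filters([
    ("0.0.0.0/0", 100, None),
    ("10.51.0.0/16", "restrict", "exact"),
])
```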
Creating an Aggregate Route

Route aggregation is a method of generating a more general route, given the presence of a specific route. The routing process does not perform any aggregation unless explicitly requested. Aggregate routes can be constructed from one or more of the following building blocks:

• Aggregate-Destination: This component specifies the aggregate/summarized route. It also specifies the attributes associated with the aggregate route.
The is the identifier of the route-filter associated with this aggregate. If there is more than one route-filter for any aggregate-destination and aggregate-source combination, then the ip-router policy aggr-gen destination source command should be repeated for each .

Creating an Aggregate Destination

To create an aggregate destination, enter the following command in Configure mode:

Create an aggregate destination.
[Figure 19. Network for the routing policy examples: routers R1, R2, R3, R6, R7, R41 and R42, with networks 10.51.0.0/16, 120.190.0.0/16, 130.1.0.0/16 (RIP V1), 135.3.1.0/24 through 135.3.3.0/24, 140.1.1.0/24, 140.1.2.0/24, 160.1.0.0/16, 170.1.0.0/16 and 202.1.0.0/10, a default route, and a connection to the Internet. The caption is truncated in the source and the image is not reproduced.]
The following configuration commands for router R1:
• Determine the IP address for each interface.
• Specify the static routes configured on the router.
• Determine its RIP configuration.

!++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
! Create the various IP interfaces.
!++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
interface create ip to-r2 address-netmask 120.190.1.1/16 port et.1.
Importing a Selected Subset of Routes from One RIP Trusted Gateway

Router R1 has several RIP peers. Router R41 has an interface on the network 10.51.0.0. By default, router R41 advertises network 10.51.0.0/16 in its RIP updates. Router R1 would like to import all routes except the 10.51.0.0/16 route from its peer R41.

1. Add the peer 140.1.1.41 to the list of trusted and source gateways.
rip add source-gateways 140.1.1.41
rip add trusted-gateways 140.1.1.41

2.
preference of 10. If a tag is specified, the import clause will only apply to routes with the specified tag. It is only possible to restrict the importation of OSPF ASE routes when functioning as an AS border router. Like the other interior protocols, preference cannot be used to choose between OSPF ASE routes. That is done by the OSPF costs. Routes that are rejected by policy are stored in the table with a negative preference.
[Figure 20. Network diagram for the OSPF export policy examples: routers R1, R2, R3, R5, R6, R7, R8, R10, R11, R41 and R42 in the backbone, area 140.1.0.0 and area 150.20.0.0, with RIP V2 and BGP attachments. The caption is truncated in the source and the image is not reproduced.]
The following configuration commands for router R1:
• Determine the IP address for each interface
• Specify the static routes configured on the router
• Determine its OSPF configuration

!++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
! Create the various IP interfaces.
!++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
interface create ip to-r2 address-netmask 120.190.1.1/16 port et.1.
Examples of Export Policies

Example 1: Exporting to RIP

Exporting to RIP is controlled by any of protocol, interface or gateway. If more than one is specified, they are processed from most general (protocol) to most specific (gateway). It is not possible to set metrics for exporting RIP routes into RIP. Attempts to do this are silently ignored. If no export policy is specified, RIP and interface routes are exported into RIP.
!+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
ip add route 135.3.1.0/24 gateway 130.1.1.3
ip add route 135.3.2.0/24 gateway 130.1.1.3
ip add route 135.3.3.0/24 gateway 130.1.1.3
!+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
! Configure default routes to the other subnets reachable through R2.
!+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
ip add route 202.1.0.0/16 gateway 120.190.1.
4. Create a Direct export source, since we would like to export direct/interface routes.
ip-router policy create direct-export-source directExpSrc

5. Create the export-policy redistributing the statically created default route, and all (RIP, Direct) routes into RIP.
1. Create a RIP export destination for the interface with address 140.1.1.1, since we intend to change the RIP export policy for interface 140.1.1.1.
ip-router policy create rip-export-destination ripExpDst141 interface 140.1.1.1

2. Create a Static export source, since we would like to export static routes.
ip-router policy create static-export-source statExpSrc130 interface 130.1.1.1

3. Create a RIP export source, since we would like to export RIP routes.
Configuring Advanced Routing Policies Exporting Aggregate-Routes into RIP In the configuration shown in Figure 19 on page 201, suppose you decide to run RIP Version 1 on network 130.1.0.0/16, connecting routers R1 and R3. Router R1 desires to announce the 140.1.1.0/24 and 140.1.2.0/24 networks to router R3. RIP Version 1 does not carry any information about subnet masks in its packets. Thus it would not be possible to announce the subnets (140.1.1.0/24 and 140.1.2.
Configuring Advanced Routing Policies 8. Create the Export-Policy redistributing all (RIP, Direct) routes and the aggregate route 140.1.0.0/16 into RIP. ip-router policy export destination ripExpDst130 source aggrExpSrc network 140.1.0.
Configuring Advanced Routing Policies !++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ! Create the various IP interfaces. !++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ interface create ip to-r2 address-netmask 120.190.1.1/16 port et.1.2 interface create ip to-r3 address-netmask 130.1.1.1/16 port et.1.3 interface create ip to-r41 address-netmask 140.1.1.1/24 port et.1.4 interface create ip to-r42 address-netmask 140.1.2.1/24 port et.1.
Configuring Advanced Routing Policies 4. Create a Direct export source since we would like to export interface/direct routes. ip-router policy create direct-export-source directExpSrc 5. Create the Export-Policy for redistributing all interface routes and static routes into OSPF.
Configuring Advanced Routing Policies 6. Create a Static export source. ip-router policy create static-export-source statExpSrc 7. Create a Direct export source. ip-router policy create direct-export-source directExpSrc 8. Create the Export-Policy for redistributing all interface, RIP and static routes into OSPF.
Chapter 16 Multicast Routing Configuration Guide IP Multicast Overview Multicast routing on the XP is supported through DVMRP and IGMP. IGMP is used to determine host membership on directly attached subnets. DVMRP is used to determine forwarding of multicast traffic between XPs.
IP Multicast Overview will wait for host responses to IGMP queries. The XP can be configured to deny or accept group membership filters. DVMRP Overview DVMRP is an IP multicast routing protocol. On the XP, DVMRP routing is implemented as specified in the draft-ietf-idmr-dvmrp-v3-06.txt file, which is an Internet Engineering Task Force (IETF) document. The XP’s implementation of DVMRP supports the following: • The mtrace utility, which tracks the multicast path from a source to a receiver.
Configuring IGMP Configuring IGMP You configure IGMP on the XP by performing the following configuration tasks: • Creating IP interfaces • Setting global parameters that will be used for all the interfaces on which DVMRP is enabled • Configuring IGMP on individual interfaces. You do so by enabling and disabling IGMP on interfaces and then setting IGMP parameters on the interfaces on which IGMP is enabled • Start the multicast routing protocol (i.e.
Configuring DVMRP To configure the host response wait time, enter the following command in Configure mode: Configure the IGMP host response wait time. igmp set responsetime Configuring Per-Interface Control of IGMP Membership You can configure the XP to control IGMP membership on a per-interface basis. An interface can be configured to be allowed or not allowed membership to a particular group.
Configuring DVMRP • Configuring DVMRP on individual interfaces. You do so by enabling and disabling DVMRP on interfaces and then setting DVMRP parameters on the interfaces on which DVMRP is enabled • Defining DVMRP tunnels, which IP uses to send multicast traffic between two end points Starting and Stopping DVMRP DVMRP is disabled by default on the XP. To start or stop DVMRP, enter one of the following commands in Configure mode: Start DVMRP. dvmrp start Stop DVMRP.
Configuring DVMRP Configuring the DVMRP Routing Metric You can configure the DVMRP routing metric associated with a set of destinations for DVMRP reports. The default metric is 1. To configure the DVMRP routing metric, enter the following command in Configure mode: Configure the DVMRP routing metric. dvmrp set interface metric Configuring DVMRP TTL & Scope For control over internet traffic, per-interface control is allowed through Scopes and TTL thresholds.
Monitoring IGMP & DVMRP To prevent the XP from forwarding any data destined to a scoped group on an interface, enter the following command in the Configure mode: Configure the DVMRP scope. dvmrp set interface scope Configuring a DVMRP Tunnel The XP supports DVMRP tunnels to the MBONE (the multicast backbone of the Internet). You can configure a DVMRP tunnel on a router if the other end is running DVMRP. The XP then sends and receives multicast packets over the tunnel.
Configuration Examples Show all IGMP group memberships on a port basis. igmp show memberships Show all IGMP timers. igmp show timers Show information about multicasts registered by IGMP. l2-tables show igmp-mcast-registration Show IGMP status on a VLAN. l2-tables show vlan-igmp-status Show all multicast Source, Group entries. multicast show cache Show all interfaces running multicast protocols (IGMP, DVMRP). multicast show interfaces Show all multicast routes.
Configuration Examples dvmrp enable interface 172.1.1.10 dvmrp enable interface 207.135.122.11 dvmrp enable interface 207.135.89.64 dvmrp enable interface 10.40.1.10 ! ! Set DVMRP parameters ! dvmrp set interface 172.1.1.
Chapter 17 IP Policy-Based Forwarding Configuration Guide Overview You can configure the XP to route IP packets according to policies that you define. IP policy-based routing allows network managers to engineer traffic to make the most efficient use of their network resources. IP policies forward packets based on layer-3 or layer-4 IP header information.
Configuring IP Policies For example, you can set up an IP policy to send packets originating from a certain network through a firewall, while letting other packets bypass the firewall. Sites that have multiple Internet service providers can use IP policies to assign user groups to particular ISPs. You can also create IP policies to select service providers based on various traffic types.
Configuring IP Policies For example, the following command creates an IP policy called “p1” and specifies that packets matching profile “prof1” are forwarded to next-hop gateway 10.10.10.10: ssr(config)# ip-policy p1 permit acl prof1 next-hop-list 10.10.10.10 You can also set up a policy to prevent packets from being forwarded by an IP policy.
Configuring IP Policies Setting Load Distribution for Next-Hop Gateways You can specify up to four next-hop gateways in an ip-policy statement. If you specify more than one next-hop gateway, you can use the ip-policy set command to control how the load is distributed among them and to check the availability of the next-hop gateways. By default, each new flow uses the first available next-hop gateway.
IP Policy Configuration Examples IP Policy Configuration Examples This section presents some examples of IP policy configurations. The following uses of IP policies are demonstrated: • Routing traffic to different ISPs • Prioritizing service to customers • Authenticating users through a firewall • Firewall load balancing Routing Traffic to Different ISPs Sites that have multiple Internet service providers can create IP policies that cause different user groups to use different ISPs.
IP Policy Configuration Examples The following is the IP policy configuration for the Policy Router in Figure 21: interface create ip user-a address-netmask 10.50.1.1/16 port et.1.1 interface create ip user-b address-netmask 11.50.1.1/16 port et.1.2 acl user-a-http permit ip 10.50.0.0/16 207.31.0.0/16 any http 0 acl user-a permit ip 10.50.0.0/16 207.31.0.0/16 any any 0 acl user-b permit ip 11.50.0.0/16 any any any 0 ip-policy net-a permit acl user-a-http next-hop-list 100.1.1.
IP Policy Configuration Examples Traffic from the premium customer is load balanced across two next-hop gateways in the high-cost, high-availability network. If neither of these gateways is available, then packets are forwarded based on dynamic routes learned via routing protocols. Traffic from the standard customer always uses one gateway (200.1.1.1). If for some reason that gateway is not available, packets from the standard customer are dropped.
IP Policy Configuration Examples The following is the IP policy configuration for the Policy Router in Figure 23: interface create ip mls0 address-netmask 10.50.1.1/16 port et.1.1 acl contractors permit ip 10.50.1.0/24 any any any 0 acl full-timers permit ip 10.50.2.0/24 any any any 0 ip-policy access permit acl contractors next-hop-list 11.1.1.1 action policy-only ip-policy access permit acl full-timers next-hop-list 12.1.1.
Monitoring IP Policies The following is the configuration for Policy Router 1 in Figure 24. vlan create firewall vlan add ports et.1.(1-5) to firewall interface create ip firewall address-netmask 1.1.1.5/16 vlan firewall acl firewall permit ip any any any 0 ip-policy p1 permit acl firewall next-hop-list “1.1.1.1 1.1.1.2 1.1.1.3 1.1.1.4” action policy-only ip-policy p1 set load-policy ip-hash both ip-policy p1 apply interface mls1 The following is the configuration for Policy Router 2 in Figure 24.
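The firewall load-balancing configuration above spreads new flows over four next-hop gateways under a load policy. As an added illustration (my code, not the XP's, and not the XP's actual hashing algorithm, which the manual does not describe), this Python model compares the default `first available` policy with an `ip-hash both` style policy and checks the property a stateful firewall between the two policy routers depends on: the request and the reply direction must land on the same firewall. Gateway states and the 50 client/server flows are constructed.

```python
"""Added illustration: next-hop load policies for firewall load balancing.
Not from the Enterasys manual and not the XP's algorithm; the hash function,
the ordered-pair trick, the gateway states and the flows are constructed.
"""
import hashlib
import ipaddress

# The next-hop-list from the Policy Router 1 configuration
FIREWALLS = ["1.1.1.1", "1.1.1.2", "1.1.1.3", "1.1.1.4"]


def first_available(src, dst, nexthops, down=frozenset()):
    """Default policy: every new flow goes to the first gateway that is up."""
    for gw in nexthops:
        if gw not in down:
            return gw
    return None  # no gateway up: policy-only drops, otherwise normal routing


def ip_hash_both(src, dst, nexthops, down=frozenset(), symmetric=True):
    """Choose a gateway from a hash of both addresses. With symmetric=True the
    pair is canonically ordered before hashing, so the request (src->dst) and
    the reply (dst->src) select the same firewall, which a stateful firewall
    needs in order to see both halves of a connection."""
    up = [gw for gw in nexthops if gw not in down]
    if not up:
        return None
    a, b = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if symmetric and b < a:
        a, b = b, a
    digest = hashlib.sha256(a.packed + b.packed).digest()
    return up[int.from_bytes(digest[:4], "big") % len(up)]


def asymmetric_flows(flows, chooser):
    """Return the flows whose forward and reverse directions pick different
    gateways: each one would reach a firewall holding no state for it."""
    bad = []
    for src, dst in flows:
        if chooser(src, dst, FIREWALLS) != chooser(dst, src, FIREWALLS):
            bad.append((src, dst))
    return bad


def distribution(flows, chooser):
    """Count how many of the flows each gateway receives."""
    counts = {gw: 0 for gw in FIREWALLS}
    for src, dst in flows:
        counts[chooser(src, dst, FIREWALLS)] += 1
    return counts


# Constructed sample: 50 client/server address pairs
SAMPLE_FLOWS = [(f"10.50.{i}.{j}", f"207.31.{j}.{i}")
                for i in range(1, 6) for j in range(1, 11)]


if __name__ == "__main__":
    print("first available:", distribution(SAMPLE_FLOWS, first_available))
    print("ip-hash both   :", distribution(SAMPLE_FLOWS, ip_hash_both))
    naive = lambda s, d, n: ip_hash_both(s, d, n, symmetric=False)
    print("asymmetric with unordered hash:",
          len(asymmetric_flows(SAMPLE_FLOWS, naive)))
```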
Monitoring IP Policies For example, to display information about an active IP policy called “p1”, enter the following command in Enable mode: ssr# ip-policy show policy-name p1 -------------------------------------------------------------------------------IP Policy name : p1 1 Applied Interfaces : int1 2 Load Policy : first available 3 4 5 6 7 8 9 10 ACL Source IP/Mask Dest. IP/Mask SrcPort DstPort TOS Prot ---------------- ------------- --------- --------- --- ---prof1 9.1.1.5/32 15.1.1.
Monitoring IP Policies 11. The sequence in which the statement is evaluated. IP policy statements are listed in the order they are evaluated (lowest sequence number to highest). 12. The rule to apply to the packets matching the profile: either permit or deny 13. The name of the profile (ACL) of the packets to be forwarded using an IP policy. 14. The number of packets that have matched the profile since the IP policy was applied (or since the ip-policy clear command was last used) 15.
Chapter 18 Chapter 19 Network Address Translation Configuration Guide Overview Note: Some commands in this facility require updated XP hardware. Network Address Translation (NAT) allows an IP address used within one network to be translated into a different IP address used within another network. NAT is often used to map addresses used in a private, local intranet to one or more addresses used in the public, global Internet.
Configuring NAT The XP allows you to create the following NAT address bindings: • Static, one-to-one binding of inside, local address or address pool to outside, global address or address pool. A static address binding does not expire until the command that defines the binding is negated. IP addresses defined for static bindings cannot be reassigned. For static address bindings, PAT allows TCP or UDP port numbers to be translated along with the IP addresses.
Forcing Flows through NAT Setting NAT Rules Static You create NAT static bindings by entering the following command in Configure mode. Enable NAT with static address binding. nat create static protocol ip|tcp|udp local-ip global-ip [local-port |any] [global-port |any] Dynamic You create NAT dynamic bindings by entering the following command in Configure mode. Enable NAT with dynamic address binding.
Managing Dynamic Bindings Managing Dynamic Bindings As mentioned previously, dynamic address bindings expire only after a period of non-use or when they are manually deleted. The default timeout for dynamic address bindings is 1440 minutes (24 hours). You can manually delete dynamic address bindings for a specific address pool or delete all dynamic address bindings. To set the timeout for dynamic address bindings, enter the following command in Configure mode. Set timeout for dynamic address bindings.
NAT and ICMP Packets The default timeout for DNS dynamic address bindings is 30 minutes. You can change this timeout by entering the following command in Configure mode: Specify the timeout for DNS bindings.
Monitoring NAT Monitoring NAT To display NAT information, enter the following command in Enable mode. nat show [translations all|] [timeouts] [statistics] Display NAT information. Configuration Examples This section shows examples of NAT configurations. Static Configuration The following example configures a static address binding for inside address 10.1.1.2 to outside address 192.50.20.2: Outbound: Translate source 10.1.1.2 to 192.50.20.2 Inbound: Translate destination 192.50.20.2 to 10.1.1.
Configuration Examples Using Static NAT Static NAT can be used when the local and global IP addresses are to be bound in a fixed manner. These bindings are never removed and never time out until the static NAT command itself is negated. Static binding is recommended when you need a permanent type of binding. The other use of static NAT is when outside-to-inside traffic initializes a connection, i.e., the first packet comes from outside to inside.
Configuration Examples Next, define the interfaces to be NAT “inside” or “outside”: nat set interface 10-net inside nat set interface 192-net outside Then, define the NAT dynamic rules by first creating the source ACL pool and then configuring the dynamic bindings: acl lcl permit ip 10.1.1.0/24 nat create dynamic local-acl-pool lcl global-pool 192.50.20.0/24 Using Dynamic NAT Dynamic NAT can be used when the local network (inside network) is going to initialize the connections.
Configuration Examples Dynamic NAT with IP Overload (PAT) Configuration The following example configures a dynamic address binding for inside addresses 10.1.1.0/24 to outside address 192.50.20.0/24: Outbound: Translate source pool 10.1.1.0/24 to global pool 192.50.20.1-192.50.20.3
[Figure: Router with interface 10-net (10.1.1.1/24) on port et.2.1 toward IP network 10.1.1.0/24 (hosts 10.1.1.2, 10.1.1.3, 10.1.1.4), and on port et.2.2 toward the Global Internet, interface 192-net (192.50.20.
Configuration Examples Using Dynamic NAT with IP Overload Dynamic NAT with IP overload can be used when the local network (inside network) will be initializing the connections using TCP or UDP protocols. It creates a binding at run time when the packet comes from a local network defined in the NAT dynamic local ACL pool. The difference between the dynamic NAT and dynamic NAT with PAT is that PAT uses port (layer 4) information to do the translation.
Configuration Examples Next, define the interfaces to be NAT “inside” or “outside”: nat set interface 10-net inside nat set interface 192-net outside Then, define the NAT dynamic rules by first creating the source ACL pool and then configuring the dynamic bindings: acl lcl permit ip 10.1.1.0/24 nat create dynamic local-acl-pool lcl global-pool 192.50.20.2-192.50.20.9 nat create static local-ip 10.1.1.10 global-ip 192.50.20.
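The static, dynamic and IP-overload (PAT) sections above describe three binding behaviours that are easy to confuse: which packets create a binding, which direction may initiate, when the pool is exhausted, and when a binding expires. This added Python model (mine, not the XP's code) lets those differences be checked on constructed packets using the manual's own pools (10.1.1.0/24, 192.50.20.1-192.50.20.3, static 10.1.1.10 to 192.50.20.10) and its stated 1440-minute dynamic timeout; the lowest-free-first allocation order and the packet fields are simplifications.

```python
"""Added model of XP NAT binding types. Not the XP's code; pools and the
dynamic timeout come from the manual, allocation order is a simplification.
"""
import ipaddress

DYNAMIC_TIMEOUT_MIN = 1440  # default dynamic binding timeout stated in the text


def addr_range(first, last):
    """Expand a global pool written as a range, e.g. 192.50.20.1-192.50.20.3."""
    lo, hi = int(ipaddress.ip_address(first)), int(ipaddress.ip_address(last))
    return [str(ipaddress.ip_address(i)) for i in range(lo, hi + 1)]


class NatTable:
    """One NAT configuration: static bindings plus either dynamic NAT (one
    global address per inside host) or dynamic NAT with IP overload (PAT:
    many inside hosts share a global address, told apart by port)."""

    def __init__(self, local_acl_net, global_pool, overload=False, pat_ports=(1024, 65535)):
        self.local_net = ipaddress.ip_network(local_acl_net)  # the `acl lcl permit ip ...` pool
        self.global_pool = list(global_pool)
        self.overload = overload
        self.pat_ports = pat_ports
        self.static = {}   # local_ip -> global_ip; never expires
        self.dynamic = {}  # key -> (translated value, minute of last use)
        self.dropped = []  # packets with no binding and no way to create one

    def add_static(self, local_ip, global_ip):
        self.static[local_ip] = global_ip

    def _allocate(self):
        """Lowest free global address (or address:port under PAT); None when
        the pool is exhausted."""
        used = {value for value, _ in self.dynamic.values()}
        if self.overload:
            for gip in self.global_pool:
                for gport in range(self.pat_ports[0], self.pat_ports[1] + 1):
                    if (gip, gport) not in used:
                        return (gip, gport)
            return None
        for gip in self.global_pool:
            if gip not in used and gip not in self.static.values():
                return gip
        return None

    def outbound(self, src_ip, src_port, proto, now):
        """Inside -> outside: translate the source, creating a binding on demand."""
        if src_ip in self.static:
            return self.static[src_ip], src_port
        if ipaddress.ip_address(src_ip) not in self.local_net:
            return src_ip, src_port  # not covered by the local ACL pool: untouched
        key = (src_ip, src_port, proto) if self.overload else src_ip
        if key in self.dynamic:
            value, _ = self.dynamic[key]
        else:
            value = self._allocate()
            if value is None:
                self.dropped.append(("outbound", src_ip, src_port))
                return None
        self.dynamic[key] = (value, now)  # refresh the idle timer
        return value if self.overload else (value, src_port)

    def inbound(self, dst_ip, dst_port, proto, now):
        """Outside -> inside: only an existing binding lets the packet through,
        which is why an outside-initiated connection needs a static binding."""
        for local_ip, gip in self.static.items():
            if gip == dst_ip:
                return local_ip, dst_port
        for key, (value, _) in self.dynamic.items():
            if self.overload and value == (dst_ip, dst_port) and key[2] == proto:
                self.dynamic[key] = (value, now)
                return key[0], key[1]
            if not self.overload and value == dst_ip:
                self.dynamic[key] = (value, now)
                return key, dst_port
        self.dropped.append(("inbound", dst_ip, dst_port))
        return None

    def expire(self, now):
        """Remove dynamic bindings idle for the timeout; static bindings stay."""
        stale = [k for k, (_, last) in self.dynamic.items()
                 if now - last >= DYNAMIC_TIMEOUT_MIN]
        for k in stale:
            del self.dynamic[k]
        return len(stale)
```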
Configuration Examples The first step is to create the interfaces: interface create ip 10-net address-netmask 10.1.1.1/24 port et.2.1 interface create ip 192-net address-netmask 192.50.20.0/24 port et.2.2 interface create ip 201-net address-netmask 201.50.20.0/24 port et.2.
Chapter 20 Web Hosting Configuration Guide Overview Accessing information on websites for both work and personal purposes is becoming normal practice for an increasing number of people. For many companies, fast and efficient web access is important both for external customers who need to access the company websites and for users on the corporate intranet who need to access Internet websites.
Load Balancing Load Balancing Note: Load balancing requires updated XP hardware. You can use the load balancing feature on the XP to distribute session load across a group of servers. If you configure the XP to provide load balancing, client requests that go through the XP can be redirected to any one of several predefined hosts. With load balancing, clients access servers through a virtual IP.
Load Balancing Adding Servers to the Load Balancing Group Once a logical server group is created, you specify the servers that can handle client requests. When the XP receives a client request directed to the virtual server address, it redirects the request to the actual server address and port. Server selection is done according to the specified policy. To add servers to the server group, enter the following command in Configure mode: Add load balancing servers to a specific server group.
Load Balancing • SSL persistence: a binding is determined by matching the source IP address and the virtual destination IP/port address. Note that requests from any source socket with the client IP address are considered part of the same session. For example, requests from the client IP address of 134.141.176.10:1024 or 134.141.176.10:1025 to the virtual destination address 207.135.89.
Load Balancing This feature allows a range of source IP addresses (with different port numbers) to be sent to the same load balancing server. This is useful where client requests may go through a proxy that uses Network Address Translation or Port Address Translation or multiple proxy servers. During a session, the source IP address can change to one of several sequential addresses in the translation pool; the netmask allows client requests to be sent to the same server.
Load Balancing To specify the connection threshold for servers in the group, enter the following command in Configure mode: Specify maximum number of connections for all servers in the group. load-balance set group-conn-threshold limit Note: This limits the number of connections for each server in the group, not the total number of connections for the group.
Load Balancing You can change the handshake intervals and the number of retries by entering the following Configure mode commands: Set handshake interval for all servers in specified group. load-balance set group-options app-int Set handshake interval for specified server. load-balance set server-options app-int port Set number of handshake retries for all servers in specified group.
Load Balancing You can verify an application by entering the following Configure mode commands: Specify application verification for all servers in specified group. load-balance set group-options acvcommand acv-reply read-till-index [check-port ][acv-quit ] Specify application verification for specified server.
Load Balancing data is to be updated on an individual server. Specified hosts can be allowed to directly access servers in the load balancing group without address translation. Note, however, that such hosts cannot use the virtual IP address and port number to access the load balancing group of servers.
Load Balancing Show load balance hash table statistics. load-balance show hash-stats Show load balance options for verifying the application. load-balance show acv-options [group-name ][destination-host-ip ][destination-host-port ] Configuration Examples This section shows examples of load balancing configurations.
Load Balancing The network shown above can be created with the following load-balance commands: load-balance create group-name enterasys-www virtual-ip 207.135.89.16 virtual-port 80 protocol tcp load-balance add host-to-group 10.1.1.1-10.1.1.
Load Balancing The network shown above can be created with the following load-balance commands: load-balance create group-name quick-www virtual-ip 207.135.89.16 virtual-port 80 protocol tcp load-balance create group-name quick-ftp virtual-ip 207.135.89.16 virtual-port 21 protocol tcp load-balance create group-name quick-smtp virtual-ip 207.135.89.16 virtual-port 25 protocol tcp load-balance add host-to-group 10.1.1.1 group-name quick-www port 80 load-balance add host-to-group 10.1.1.
Load Balancing
Group Name         Virtual IP     TCP Port  Destination Server IP          TCP Port
www.computers.com  207.135.89.16  80        S1: 10.1.1.16  S2: 10.1.2.16  80
www.dvd.com        207.135.89.17  80        S1: 10.1.1.17  S2: 10.1.2.17  80
www.vcr.com        207.135.89.18  80        S1: 10.1.1.18  S2: 10.1.2.18  80
www.toys.com       207.135.89.50  80        S1: 10.1.1.50  S2: 10.1.2.50  80
The network shown in the previous example can be created with the following load-balance commands: load-balance create vip-range-name mywwwrange 207.135.89.16-207.
Web Caching
Client IP Address          Domain Name        Virtual IP     Real Server IP  TCP Port
20.20.10.1 - 20.20.10.254  www.enterasys.com  207.135.89.16  10.1.1.1        80
30.30.10.1 - 30.30.10.254                                    10.1.1.2        80
The network shown above can be created with the following load-balance commands: load-balance create group-name enterasys-sec virtual-ip 207.135.89.16 protocol tcp persistence-level ssl virtual-port 443 load-balance add host-to-group 10.1.1.1-10.1.1.
Web Caching To create the cache group, enter the following command in Configure mode: Create the cache group. web-cache create server-list range |list Note: If a range of IP addresses is specified, the range must be contiguous and contain no more than 256 IP addresses. Specifying the Client(s) for the Cache Group (Optional) You can explicitly specify the hosts whose HTTP requests are or are not redirected to the cache servers.
Web Caching Configuration Example In the following example, a cache group of seven local servers is configured to store Web objects for users in the local network:
[Figure: cache group Cache1 with server lists s1 and s2; servers 186.89.10.51, 186.89.10.55, 176.89.10.50, 176.89.10.51, 176.89.10.52, 176.89.10.53, 176.89.10.
Web Caching Bypassing Cache Servers Some Web sites require source IP address authentication for user access, therefore HTTP requests for these sites cannot be redirected to the cache servers. To specify the sites for which HTTP requests are not redirected to the cache servers, enter the following command in Configure mode: Define destination sites to which HTTP requests are sent directly.
Web Caching Monitoring Web-Caching To display Web-caching information, enter the following commands in Enable mode. Show information for all caching policies and all server lists. web-cache show all Show caching policy information. web-cache show cache-name |all Show cache server information.
Chapter 21 IPX Routing Configuration Guide IPX Routing Overview The Internetwork Packet Exchange (IPX) is a connectionless datagram protocol for the Novell NetWare environment. You can configure the XP for IPX routing and SAP. Routers interconnect different network segments and by definition are network layer devices. Thus routers receive their instructions for forwarding a packet from one segment to another from a network layer protocol. IPX, with the help of RIP and SAP, performs these network layer tasks.
IPX Routing Overview RIP (Routing Information Protocol) IPX routers use RIP to create and dynamically maintain a database of internetwork routing information. RIP allows a router to exchange routing information with a neighboring router. As a router becomes aware of any change in the internetwork layout, this information is immediately broadcast to any neighboring routers. Routers also send periodic RIP broadcast packets containing all routing information known to the router.
Configuring IPX RIP & SAP • Routers make periodic broadcasts to make sure all other routers are aware of the internetwork configuration • Routers perform broadcasting whenever they detect a change in the internetwork configurations Configuring IPX RIP & SAP This section provides an overview of configuring various IPX parameters and setting up IPX interfaces. IPX RIP On the XP, RIP automatically runs on all IPX interfaces.
Configuring IPX Interfaces and Parameters IPX Addresses The IPX address is a 12-byte number divided into three parts. The first part is the 4-byte (8-character) IPX external network number. The second part is the 6-byte (12-character) node number. The third part is the 2-byte (4-character) socket number. Configuring IPX Interfaces and Parameters This section provides an overview of configuring various IPX parameters and setting up IPX interfaces.
Configuring IPX Routing To configure a VLAN with an IPX interface, enter the following command in Configure mode: Create an IPX interface for a VLAN. interface create ipx address-mask vlan Specifying IPX Encapsulation Method The Enterasys Xpedition supports four encapsulation types for IPX. You can configure encapsulation type on a per-interface basis. • Ethernet II: The standard ARPA Ethernet Version 2.
Configuring IPX Routing Enabling SAP IPX SAP is enabled by default on the XP. You must first create an IPX interface or assign an IPX interface to a VLAN before SAP will start learning services. Configuring Static Routes In a Novell NetWare network, the XP uses RIP to determine the best paths for routing IPX. However, you can add static RIP routes to the RIP routing table to explicitly specify a route. To add a static RIP route, enter the following command in Configure mode: Add a static RIP route.
Configuring IPX Routing Creating an IPX Access Control List IPX access control lists control which IPX traffic is received from or sent to an interface based on source address, destination address, source socket, destination socket, source network mask or destination network mask. This is used to permit or deny traffic from one IPX end node to another. To create an IPX access control list, perform the following task in the Configure mode: Create an IPX access control list.
Configuring IPX Routing Once an IPX SAP access control list has been created, you must apply the access control list to an IPX interface. To apply an IPX SAP access control list, enter the following command in Configure mode: Apply an IPX SAP access control list. acl apply interface input|output [logging [on|off]] Creating an IPX GNS Access Control List IPX GNS access control lists control which SAP services the XP can reply with to a get nearest server (GNS) request.
Monitoring an IPX Network Monitoring an IPX Network The XP reports IPX interface information and RIP or SAP routing information. To display IPX information, enter the following command in Enable mode: Show a RIP entry in the IPX RIP table. ipx find rip Show a SAP entry in the IPX SAP table. ipx find sap Show IPX interface information. ipx show interfaces Show IPX RIP table. ipx show tables rip Show IPX routing table.
Configuration Examples !RIP Access List acl 100 deny ipxrip 1 2 ! !RIP inbound filter acl 100 apply interface ipx1 input ! !SAP Access List acl 200 deny ipxsap A.01:03:05:07:02:03 0004 FILESERVER2 ! !SAP outbound filter to interface ipx2 acl 200 apply interface ipx2 output ! !IPX type 20 access list acl 300 deny ipxtype20 ! !IPX type 20 inbound filter to interface ipx2 acl 300 apply interface ipx2 input ! !GNS Access List acl 300 deny ipxgns A.
Chapter 22 Access Control List Configuration Guide This chapter explains how to configure and use Access Control Lists (ACLs) on the XP. ACLs are lists of selection criteria for specific types of packets. When used in conjunction with certain XP functions, ACLs allow you to restrict Layer-3/4 traffic going through the router. This chapter contains the following sections: • ACL Basics on page 280 explains how ACLs are defined and how the XP evaluates them.
ACL Basics ACL Basics An ACL consists of one or more rules describing a particular type of IP or IPX traffic. ACLs can be simple, consisting of only one rule, or complicated with many rules. Each rule tells the XP to either permit or deny packets that match selection criteria specified in the rule. Each ACL is identified by a name. The name can be a meaningful string, such as denyftp or noweb or it can be a number such as 100 or 101.
ACL Basics These selection criteria are specified as fields of an ACL rule. The following syntax description shows the fields of an IP ACL rule: acl permit|deny ip [accounting] Note: The acl permit|deny ip command restricts traffic for all IP-based protocols, such as TCP, UDP, ICMP, and IGMP.
ACL Basics How ACL Rules are Evaluated For an ACL with multiple rules, the ordering of the rules is important. When the XP checks a packet against an ACL, it goes through each rule in the ACL sequentially. If a packet matches a rule, it is forwarded or dropped based on the permit or deny keyword in the rule. All subsequent rules are ignored. That is, a first-match algorithm is used. There is no hidden or implied ordering of ACL rules, nor is there precedence attached to each field.
ACL Basics With the implicit deny rule, this ACL actually has three rules: acl 101 permit ip 1.2.3.4/24 any any any acl 101 permit ip 4.3.2.1/24 any nntp any acl 101 deny any any any any any If a packet comes in and doesn’t match the first two rules, the packet is dropped. This is because the third rule (the implicit deny rule) matches all packets. Although the implicit deny rule may seem obvious in the above example, this is not always the case.
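The first-match evaluation and the implicit deny described above are the two properties that most often surprise people writing ACLs. As an added example (my code, not the XP's), this Python evaluator parses IP ACL rules in the syntax shown in this chapter, runs ACL 101 from the text against constructed packets, and shows how reversing two rules changes the decision for the same packet. The rule layout `acl NAME permit|deny PROTO SRC DST SRCPORT DSTPORT [TOS]`, the service-name table and the packets are assumptions made here.

```python
"""Added first-match ACL evaluator. Not the XP's code; the rule layout,
service-name table and sample packets are constructed for this example.
"""
import ipaddress

# Assumed service-name table (the manual's keyword list is not on this page)
SERVICE_PORTS = {"http": 80, "nntp": 119, "ftp": 21, "smtp": 25, "dns": 53}


def parse_rule(line):
    """Parse `acl NAME permit|deny PROTO SRC DST SRCPORT DSTPORT [TOS]`.
    Trailing fields such as TOS are accepted but not evaluated here."""
    tok = line.split()
    if len(tok) < 8 or tok[0] != "acl" or tok[2] not in ("permit", "deny"):
        raise ValueError("unrecognised rule: " + line)
    return {"acl": tok[1], "action": tok[2], "proto": tok[3],
            "src": tok[4], "dst": tok[5], "sport": tok[6], "dport": tok[7]}


def _net_matches(field, addr):
    if field == "any":
        return True
    # strict=False lets a host-style prefix like 1.2.3.4/24 mean 1.2.3.0/24
    return ipaddress.ip_address(addr) in ipaddress.ip_network(field, strict=False)


def _port_matches(field, port):
    if field == "any":
        return True
    want = SERVICE_PORTS.get(field)
    return port == (int(field) if want is None else want)


def rule_matches(rule, pkt):
    # `ip` covers every IP-based protocol (TCP, UDP, ICMP, IGMP); `any` covers all
    if rule["proto"] not in ("any", "ip", pkt["proto"]):
        return False
    return (_net_matches(rule["src"], pkt["src"])
            and _net_matches(rule["dst"], pkt["dst"])
            and _port_matches(rule["sport"], pkt["sport"])
            and _port_matches(rule["dport"], pkt["dport"]))


def evaluate(rules, pkt):
    """First-match evaluation: return (action, index of the matching rule).
    A packet matching no rule hits the implicit deny, reported as index None."""
    for i, rule in enumerate(rules):
        if rule_matches(rule, pkt):
            return rule["action"], i
    return "deny", None


def packet(src, dst, sport, dport, proto="tcp"):
    """Constructed packet summary holding only the fields the rules examine."""
    return {"src": src, "dst": dst, "sport": sport, "dport": dport, "proto": proto}


def order_sensitivity(rules, pkt):
    """Decision for the same packet with the rules as given and reversed."""
    return evaluate(rules, pkt)[0], evaluate(list(reversed(rules)), pkt)[0]


# The two explicit rules of ACL 101 from the text
ACL_101 = [parse_rule("acl 101 permit ip 1.2.3.4/24 any any any"),
           parse_rule("acl 101 permit ip 4.3.2.1/24 any nntp any")]

# Constructed ACL where a broad deny shadows a narrower permit placed after it
SHADOWED = [parse_rule("acl 102 deny ip 1.2.3.0/24 any any any"),
            parse_rule("acl 102 permit ip 1.2.3.4/32 any any any")]


if __name__ == "__main__":
    for pkt in (packet("1.2.3.200", "10.0.0.1", 40000, 80),
                packet("4.3.2.9", "10.0.0.1", 119, 40000),
                packet("4.3.2.9", "10.0.0.1", 40000, 119)):
        print(pkt["src"], "->", evaluate(ACL_101, pkt))
    print("order matters:", order_sensitivity(SHADOWED, packet("1.2.3.4", "10.0.0.1", 1234, 80)))
```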
Creating and Modifying ACLs Allowing External Responses to Established TCP Connections Typically organizations that are connected to the outside world implement ACLs to deny access to the internal network. If an internal user wishes to connect to the outside world, the request is sent; however any incoming replies may be denied because ACLs prevent them from going through.
Creating and Modifying ACLs Editing ACLs Offline You can create and edit ACLs on a remote host and then upload them to the XP with TFTP or RCP. With this method, you use a text editor on a remote host to edit, delete, replace, or reorder ACL rules in a file. Once the changes are made, you can then upload the ACLs to the XP using TFTP or RCP and make them take effect on the running system. The following example describes how you can use TFTP to help maintain ACLs on the XP.
Using ACLs For example, to edit ACL 101, you issue the command acl-edit 101. The only restriction is that when you edit a particular ACL, you cannot add rules for a different ACL. You can only add new rules for the ACL that you are currently editing. When the editing session is over, that is, when you are done making changes to the ACL, you can save the changes and make them take effect immediately.
Using ACLs out of another interface (that is, the packet is to be routed) then a second ACL check is possible. At the output interface, if an outbound ACL is applied, the packet will be compared to the rules specified in this outbound ACL. Consequently, it is possible for a packet to go through two separate checks, once at the inbound interface and once more at the outbound interface.
Using ACLs Applying ACLs to Layer-4 Bridging Ports ACLs can also be created to permit or deny access to one or more ports operating in Layer-4 bridging mode. Traffic that is switched at Layer 2 through the XP can have ACLs applied on the Layer 3/4 information contained in the packet. The ACLs that are applied to Layer-4 Bridging ports are only used with bridged traffic. The ACLs that are applied to the interface are still used for routed traffic.
Using ACLs Note the following about using Profile ACLs: • Only IP ACLs can be used as Profile ACLs. ACLs for non-IP protocols cannot be used as Profile ACLs. • The permit/deny keywords, while required in the ACL rule definition, are disregarded in the configuration commands for the above-mentioned features. In other words, the configuration commands will act upon a specified Profile ACL whether or not the Profile ACL rule contains the permit or deny keyword.
Using Profile ACLs with the Traffic Rate Limiting Facility

Traffic rate limiting is a mechanism that allows you to control bandwidth usage of incoming traffic on a per-flow basis. A flow meeting certain criteria can have its packets re-prioritized or dropped if its bandwidth usage exceeds a specified limit. For example, you can cause packets in flows from source address 1.2.2.2 to be dropped if their bandwidth usage exceeds 10 Mbps.

The following command creates a Profile ACL called local. The local profile specifies as its selection criteria the range of IP addresses in network 10.1.1.0/24:

ssr(config)# acl local permit ip 10.1.1.0/24

Note: When a Profile ACL is defined for dynamic NAT, only the source IP address field in the acl statement is evaluated. All other fields in the acl statement are ignored.

Using Profile ACLs with the Web Caching Facility

Web caching is the XP's ability to direct HTTP requests for frequently accessed Web objects to local cache servers, rather than to the Internet. Since the HTTP requests are handled locally, response time is faster than if the Web objects were retrieved from the Internet.
This command creates a Profile ACL called prof5 that uses as its selection criteria all packets with a source address of 1.2.3.4 and a destination address of 10.10.10.10:

ssr(config)# acl prof5 permit ip 1.2.3.4 10.10.10.

Enabling ACL Logging

Before enabling ACL logging, you should consider its impact on performance. With ACL logging enabled, the router prints a message at the console before the packet is actually forwarded or dropped. Even if the console is connected to the router at a high baud rate, the delay caused by the console message is still significant, and it gets worse if the console is connected at a low baud rate, for example, 1200 baud.
Chapter 23 Security Configuration Guide

Security Overview

The XP provides security features that help control access to the XP and filter traffic going through the XP. Access to the XP can be controlled by:

• Enabling RADIUS
• Enabling TACACS
• Enabling TACACS Plus
• Password authentication

Traffic filtering on the XP enables:

• Layer-2 security filters - Perform filtering on source or destination MAC addresses.
Configuring XP Access Security

• RADIUS
• TACACS
• TACACS Plus
• Passwords

Configuring RADIUS

You can secure login or Enable mode access to the XP by enabling a Remote Authentication Dial-In User Service (RADIUS) client. A RADIUS server responds to the XP RADIUS client to provide authentication. You can configure up to five RADIUS server targets on the XP. A timeout is set to tell the XP how long to wait for a response from RADIUS servers.
To monitor RADIUS, enter the following commands in Enable mode:

Show RADIUS server statistics.    radius show stats
Show all RADIUS parameters.       radius show all

Configuring TACACS

In addition, Enable mode access to the XP can be made secure by enabling a Terminal Access Controller Access Control System (TACACS) client. Without TACACS, TACACS Plus, or RADIUS enabled, only local password authentication is performed on the XP.

You can configure up to five TACACS Plus server targets on the XP. A timeout is set to tell the XP how long to wait for a response from TACACS Plus servers. To configure TACACS Plus security, enter the following commands in Configure mode:

Specify a TACACS Plus server.                            tacacs-plus set server
Set the time to wait for a TACACS Plus server reply.     tacacs-plus set timeout
Determine the XP action if no server responds.

Choose the no-response action deliberately: it decides whether administrative access is granted or refused when every configured server is unreachable.

Monitoring TACACS Plus

You can monitor TACACS Plus configuration and statistics within the XP. To monitor TACACS Plus, enter the following commands in Enable mode:

Show TACACS Plus server statistics.    tacacs-plus show stats
Show all TACACS Plus parameters.       tacacs-plus show all

Configuring Passwords

The XP provides password authentication for accessing the User and Enable modes. If RADIUS, TACACS, or TACACS Plus is not enabled on the XP, only local password authentication is performed.
Layer-2 Security Filters

A secure filter shuts down access to the XP based on MAC addresses. All packets received by a port are dropped. When combined with static entries, however, these filters can be used to drop all received traffic but allow some frames to go through.

Configuring Layer-2 Address Filters

If you want to control access to a source or destination on a per-MAC address basis, you can configure an address filter. Address filters are always configured and applied to the input port.

Configuring Layer-2 Port-to-Address Lock Filters

Port address lock filters allow you to bind or "lock" specific source MAC addresses to a port or set of ports. Once a port is locked, only the specified source MAC address is allowed to connect to the locked port, and the specified source MAC address is not allowed to connect to any other ports. To configure Layer-2 port address lock filters, enter the following commands in Configure mode:

Configure a port address lock filter.

Configuring Layer-2 Secure Port Filters

Secure port filters block access to a specified port. You can use a secure port filter by itself to secure unused ports. Secure port filters can be configured as source or destination port filters. A secure port filter applied to a source port forces all incoming packets on that port to be dropped. A secure port filter applied to a destination port prevents packets from going out that port.

Monitoring Layer-2 Security Filters

The XP provides display of Layer-2 security filter configurations contained in the routing table. To display security filter information, enter the following commands in Enable mode.

Show address filters.
filters show address-filter [all-source|all-destination|all-flow] [source-mac dest-mac ] [ports ] [vlan ]
Show port address lock filters.

Destination filter: No one from the engineering group (port et.1.1) should be allowed to access the finance server. All traffic destined to the finance server's MAC will be dropped.

filters add address-filter name finance dest-mac AABBCC:DDEEFF vlan 1 in-port-list et.1.1

Flow filter: Only the consultant is restricted from accessing one of the finance file servers. Note that port et.1.1 must be operating in flow-bridging mode for this filter to work.

Note: If the consultant's MAC is detected on a different port, all of its traffic will be blocked.

Example 2: Secure Ports

Source secure port: To block all engineers on port et.1.1 from accessing all other ports, enter the following command:

filters add secure-port name engineers direction source vlan 1 in-port-list et.1.1

To allow ONLY the engineering manager access to the engineering servers, you must "punch" a hole through the secure-port wall.
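The three Layer-2 filter types described above, modelled together as an added example (this is not code from the manual or from Enterasys): address filters on the input port, port-to-address locks that drop a locked MAC seen anywhere else, and a secure source port with a static entry punched through it for the manager. The MAC addresses, the "static entries as holes" representation and the evaluation order (address filters, then locks, then secure ports) are assumptions of this model, not something the page specifies.

```python
"""Model of the XP Layer-2 security filter types (address, port-to-address lock, secure port)
and of static entries that punch holes through a secure port. Added example; not Enterasys code."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Frame:
    src: str       # MAC in the manual's AABBCC:DDEEFF notation
    dst: str
    in_port: str   # e.g. "et.1.1"


@dataclass
class L2Filters:
    # (kind, src, dst, in_ports): kind is "source", "dest" or "flow"; applied on the input port only
    address: list = field(default_factory=list)
    # MAC -> set of ports it is locked to (port-to-address lock filters)
    port_lock: dict = field(default_factory=dict)
    secure_source: set = field(default_factory=set)   # ports that drop everything they receive
    secure_dest: set = field(default_factory=set)     # ports that nothing may be sent out of
    static: set = field(default_factory=set)          # (mac, port) static entries = holes


def decide(frame, out_port, f):
    """Return 'forward' or 'drop: <reason>'. The evaluation order below is an assumption."""
    for kind, src, dst, in_ports in f.address:
        if frame.in_port not in in_ports:
            continue
        if kind == "source" and frame.src == src:
            return "drop: source address filter"
        if kind == "dest" and frame.dst == dst:
            return "drop: destination address filter"
        if kind == "flow" and frame.src == src and frame.dst == dst:
            return "drop: flow filter"

    # A locked MAC may only appear on its locked ports, and a locked port only accepts its MACs.
    locked_to = f.port_lock.get(frame.src)
    if locked_to is not None and frame.in_port not in locked_to:
        return "drop: locked MAC seen on another port"
    macs_locked_here = {m for m, ports in f.port_lock.items() if frame.in_port in ports}
    if macs_locked_here and frame.src not in macs_locked_here:
        return "drop: port is locked to another MAC"

    # Secure ports drop everything unless a static entry punches a hole for that MAC on that port.
    if frame.in_port in f.secure_source and (frame.src, frame.in_port) not in f.static:
        return "drop: secure source port"
    if out_port in f.secure_dest and (frame.dst, out_port) not in f.static:
        return "drop: secure destination port"
    return "forward"


def build_example():
    """The page's scenario: finance destination filter on et.1.1, the consultant locked to
    et.1.2, engineers on et.1.1 behind a secure port with a hole for the manager.
    All MAC addresses here are constructed."""
    f = L2Filters()
    f.address.append(("dest", None, "AABBCC:DDEEFF", {"et.1.1"}))   # finance server
    f.port_lock["001122:334455"] = {"et.1.2"}                        # consultant
    f.secure_source.add("et.1.1")                                    # engineers
    f.static.add(("00AA00:BB00CC", "et.1.1"))                        # engineering manager
    return f
```

Note what the model makes visible: the manager's hole through the secure port does not override the finance destination filter on the same input port, and a MAC that is locked to one port loses all connectivity the moment it shows up on another, which is the behaviour the note above warns about.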
Layer-4 Bridging and Filtering

Layer-4 bridging is the XP's ability to use Layer-3/4 information to perform filtering or QoS during bridging. As described in Layer-2 Security Filters above, you can configure ports to filter traffic using MAC addresses. Layer-4 bridging adds the ability to use IP addresses, Layer-4 protocol type, and port number to filter traffic in a bridged network.

Creating a Port-Based VLAN for Layer-4 Bridging

The ports to be used in Layer-4 Bridging must all be on the same VLAN. To create a port-based VLAN, enter the following command in Configure mode:

Create a port-based VLAN.

Creating ACLs to Specify Selection Criteria for Layer-4 Bridging

Access control lists (ACLs) specify the kind of filtering to be done for Layer-4 Bridging.

Notes

• Layer-4 Bridging works for IP and IPX traffic only. The XP drops non-IP/IPX traffic on a Layer-4 Bridging VLAN. For AppleTalk and DECnet packets, a warning is issued before the first packet is dropped.
• If you use a SmartTRUNK in a Layer-4 Bridging VLAN, the XP maintains packet order on a per-flow basis, rather than per MAC pair.
Chapter 24 QoS Configuration Guide

QoS & Layer-2/Layer-3/Layer-4 Flow Overview

The XP allows network managers to identify traffic and set Quality of Service (QoS) policies without compromising wire speed performance. The XP can guarantee bandwidth on an application by application basis, thus accommodating high-priority traffic even during peak periods of usage. QoS policies can be broad enough to encompass all the applications in the network, or relate specifically to a single host-to-host application flow.

Within the XP, QoS policies are used to classify Layer-2, Layer-3, and Layer-4 traffic into the following priority queues (in order from highest priority to lowest):

• Control (for router control traffic; the remaining classes are for normal data flows)
• High
• Medium
• Low

Separate buffer space is allocated to each of these four priority queues.
Precedence for Layer-3 Flows

A precedence from 1 - 7 is associated with each field in a flow. The XP uses the precedence value associated with the fields to break ties if packets match more than one flow. The highest precedence is 1 and the lowest is 7.

Traffic Prioritization for Layer-2 Flows

The VLAN ID in the QoS configuration must match the VLAN ID assigned to the list of ports to which the QoS policy is applied. In a Layer-2 only configuration, each port has only one VLAN ID associated with it, and the QoS policy should have the same VLAN ID. When different VLANs are assigned to the same port using different protocol VLANs, the Layer-2 QoS policy must match the VLAN ID of the protocol VLAN.

Creating and Applying a New Priority Map

To specify a priority map on a per-port basis, enter the following commands in Configure mode:

Create a new priority mapping.          qos create priority-map control|high|medium|low
Apply new priority mapping to ports.    qos apply priority-map ports

For example, the following command creates the priority map "all-low" which maps all 802.
The ability to specify per-port priority maps is enabled on the XP by default. You can disable use of per-port priority maps on the XP; all ports on the XP will then be configured to use the default priority map only. If the commands to create and apply priority maps exist in the active configuration, they remain in the configuration but have no effect.

Traffic Prioritization for Layer-3 & Layer-4 Flows

Setting an IP QoS Policy

To set a QoS policy on an IP traffic flow, enter the following command in Configure mode:

Set an IP QoS policy.
qos set ip |any |any |any |any |any ||any |any |any |any |any

For example, the following command assigns control priority to any traffic coming from the 10.10.11.

Specifying Precedence for an IPX QoS Policy

To specify the precedence for an IPX QoS policy, enter the following command in Configure mode:

Specify precedence for an IPX QoS policy.
qos precedence ipx [srcnet ] [srcnode ] [srcport ] [dstnet ] [dstnode ] [dstport ] [intf ]

Configuring XP Queueing Policy

The XP queuing policy is set on a system-wide basis. The XP default queuing policy is strict priority.
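An added example (not code from the manual or from Enterasys) of the two ideas in this chapter: classifying a packet into the control/high/medium/low queues by matching it against IP QoS flows, breaking ties between overlapping flows with the precedence value (1 strongest, 7 weakest), and draining the queues with the default strict-priority policy. It simplifies the manual's per-field precedence to one precedence per flow, and sends unmatched traffic to the low queue; both are assumptions of the model, as are the flow definitions in the test.

```python
"""QoS flow classification with precedence tie-breaking and a strict-priority scheduler.
Added example; not Enterasys code."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Priority queues from highest to lowest, as listed in the QoS overview.
QUEUES = ("control", "high", "medium", "low")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int


@dataclass(frozen=True)
class QosFlow:
    """One IP QoS policy. 'any' is a wildcard. Precedence 1 is strongest, 7 weakest
    (the manual assigns precedence per field; this model keeps one value per flow)."""
    name: str
    queue: str
    src: str = "any"
    dst: str = "any"
    proto: str = "any"
    sport: str = "any"
    dport: str = "any"
    precedence: int = 7


def _addr_ok(spec, addr):
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)


def _eq_ok(spec, value):
    return spec == "any" or str(spec) == str(value)


def matches(flow, pkt):
    return (_addr_ok(flow.src, pkt.src) and _addr_ok(flow.dst, pkt.dst)
            and _eq_ok(flow.proto, pkt.proto) and _eq_ok(flow.sport, pkt.sport)
            and _eq_ok(flow.dport, pkt.dport))


def classify(flows, pkt, default_queue="low"):
    """Return (queue, flow_name). When several flows match, the lowest precedence number
    wins; equal precedence falls back to the higher queue. Unmatched traffic goes to
    default_queue (assumption)."""
    candidates = [f for f in flows if matches(f, pkt)]
    if not candidates:
        return default_queue, None
    best = min(candidates, key=lambda f: (f.precedence, QUEUES.index(f.queue)))
    return best.queue, best.name


def strict_priority_drain(queued, budget):
    """Strict priority: each of 'budget' transmit slots goes to the highest non-empty queue.
    Lower queues get nothing while a higher one has packets waiting."""
    sent = []
    remaining = {q: list(pkts) for q, pkts in queued.items()}
    for _ in range(budget):
        for q in QUEUES:
            if remaining.get(q):
                sent.append((q, remaining[q].pop(0)))
                break
    return sent
```

The scheduler shows the security-relevant side of strict priority: anything that can get itself classified into a higher queue can starve the queues below it, so the flows that feed the control and high queues deserve the same scrutiny as an ACL.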
Weighted Random Early Detection (WRED)

Weighted Random Early Detection (WRED) alleviates traffic congestion by selectively dropping packets before the queue becomes completely full. WRED parameters allow you to set conditions and limits for dropping packets in the queue. To enable WRED on the input or output queues of specific ports, enter the following command in Configure mode:

Enable WRED on input or output queue of specified ports.
ToS Rewrite

For example, setting the ToS field to 0010 specifies that a packet will be routed on the most reliable paths. Setting the ToS field to 1000 specifies that a packet will be routed on the paths with the least delay. (Refer to RFC 1349 for the specification of the ToS field value.) With the ToS rewrite command, you can access the value in the ToS octet (which includes both the Precedence and ToS fields) in each packet.

The ToS byte rewrite is part of the QoS priority classifier group. The entire ToS byte can be rewritten, or only the precedence part of the ToS byte can be rewritten. If you specify a value for , then only the upper three bits of the ToS byte are changed. If you set to any and specify a value for , then the upper three bits remain unchanged and the lower five bits are rewritten.
Monitoring QoS

The XP provides display of QoS statistics and configurations contained in the XP. To display QoS information, enter the following commands in Enable mode:

Show all IP QoS flows.         qos show ip
Show all IPX QoS flows.        qos show ipx
Show all Layer-2 QoS flows.    qos show l2 all-destination all-flow ports vlan source-mac dest-mac
Show RED parameters for each port.
Limiting Traffic Rate

Note: Some commands in this facility require updated XP hardware.

Rate limiting provides the ability to control the usage of a fundamental network resource, bandwidth. It allows you to limit the rate of traffic that flows through the specified interfaces, thus reserving bandwidth for critical applications. The XP supports two modes of rate limiting; only one mode can be in effect at a time.

To enable aggregate rate limiting mode on the XP, enter the following command in Configure mode:

Enable aggregate rate limiting mode on the XP.    system enable aggregate-rate-limiting

To change the rate limiting mode on the XP back to per-flow mode, negate the above command.

Per-Flow Rate Limiting

Use a per-flow rate limiting policy if an individual traffic flow needs to be limited to a particular rate.

To define a port rate limit policy, enter one of the following commands in Configure mode:

Define a port rate limit policy to limit incoming traffic on a port.
rate-limit port-level input rate port {drop-packets|no-action|lower-priority|lower-priority-except-control|tos-precedence-rewrite |tos-precedence-rewrite-lower-priority }

Define a port rate limit policy to limit outgoing traffic on a port.

To define an aggregate rate limit policy and apply the policy to an interface, enter the following commands in Configure mode:

Define an aggregate rate limit policy.
rate-limit aggregate acl rate {drop-packets|no-action|lower-priority|lower-priority-except-control|tos-precedence-rewrite |tos-precedence-rewrite-lower-priority } [allocate-resources during-apply|during-traffic]

Apply an aggregate rate limit policy to an interface.

Traffic from two interfaces, 'ipclient1' with IP address 1.2.2.2 and 'ipclient2' with IP address 3.1.1.1, is restricted to 10 Mbps for each flow with the following configuration:

vlan create client1 ip
vlan create backbone ip
vlan create client2 ip
vlan add ports et.1.1 to client1
vlan add ports et.1.2 to client2
vlan add ports et.1.8 to backbone
interface create ip ipclient1 vlan client1 address-netmask 1.1.1.1/8
interface create ip ipclient2 vlan client2 address-netmask 3.3.3.
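An added example (not code from the manual or from Enterasys) that ties together the per-flow rate limiting described here, the over-limit actions listed for the rate-limit commands, and the ToS rewrite rules from the ToS Rewrite section above: a per-flow limiter that forwards traffic within its rate, and applies drop-packets, lower-priority, lower-priority-except-control, or a precedence rewrite to the excess. The token bucket is an assumption (the manual does not say how the XP meters a flow), as are the burst size, the one-step "lower priority" mapping and the FlowRateLimiter name.

```python
"""Per-flow rate limiting with the XP's over-limit actions, plus the ToS/precedence rewrite
used by the tos-precedence-rewrite actions. Added example; not Enterasys code.
The token-bucket meter is an assumption of this model."""

PRECEDENCE_MASK = 0b11100000   # upper three bits of the ToS octet (IP Precedence)
TOS_MASK = 0b00011111          # lower five bits (the 4-bit ToS field plus the MBZ bit)

# Priority queues from highest to lowest; 'lower-priority' moves a packet one step down
# (one step is an assumption; the manual only names the action).
QUEUES = ("control", "high", "medium", "low")


def rewrite_tos(tos_byte, precedence=None, tos=None):
    """precedence given -> only the upper three bits change; precedence None ('any') and
    tos given -> the upper three bits stay and the lower five bits are rewritten."""
    if precedence is not None:
        return ((precedence & 0b111) << 5) | (tos_byte & TOS_MASK)
    if tos is not None:
        return (tos_byte & PRECEDENCE_MASK) | (tos & TOS_MASK)
    return tos_byte


def lower_priority(queue, keep_control=False):
    if queue == "control" and keep_control:
        return queue
    return QUEUES[min(QUEUES.index(queue) + 1, len(QUEUES) - 1)]


class FlowRateLimiter:
    """One limiter per flow (for example per source address, as in the 1.2.2.2 example).
    rate_bps is the configured limit, burst_bytes the bucket depth."""

    def __init__(self, rate_bps, burst_bytes, action="drop-packets", tos_precedence=0):
        self.rate_bytes_per_s = rate_bps / 8.0
        self.burst = float(burst_bytes)
        self.action = action
        self.tos_precedence = tos_precedence
        self.tokens = self.burst
        self.last = 0.0

    def _refill(self, now):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate_bytes_per_s)
        self.last = now

    def admit(self, size_bytes, now, queue="medium", tos_byte=0):
        """Return (verdict, queue, tos_byte) for one packet of this flow at time 'now' (s)."""
        self._refill(now)
        if self.tokens >= size_bytes:
            self.tokens -= size_bytes
            return "forward", queue, tos_byte
        # Over the limit: apply the configured action to the excess packet.
        if self.action == "drop-packets":
            return "drop", queue, tos_byte
        if self.action == "lower-priority":
            return "forward", lower_priority(queue), tos_byte
        if self.action == "lower-priority-except-control":
            return "forward", lower_priority(queue, keep_control=True), tos_byte
        if self.action == "tos-precedence-rewrite":
            return "forward", queue, rewrite_tos(tos_byte, precedence=self.tos_precedence)
        if self.action == "tos-precedence-rewrite-lower-priority":
            return ("forward", lower_priority(queue),
                    rewrite_tos(tos_byte, precedence=self.tos_precedence))
        return "forward", queue, tos_byte   # no-action
```

Two things to notice when choosing an action: everything except drop-packets still forwards the excess, so a rate limit with lower-priority or a ToS rewrite is a marking policy rather than a cap, and a precedence rewrite touches only the upper three bits, leaving whatever ToS bits the sender set in the lower five.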
Chapter 25 Performance Monitoring Guide

Performance Monitoring Overview

The XP is a full wire-speed Layer-2, 3 and 4 switching router. As packets enter the XP, Layer-2, 3, and 4 flow tables are populated on each line card. The flow tables contain information on performance statistics and traffic forwarding. Thus the XP provides the capability to monitor performance at Layer 2, 3, and 4.

Show information about the master MAC table.        l2-tables show mac-table-stats
Show information about a particular MAC address.    l2-tables show mac
Show info about multicasts registered by IGMP.      l2-tables show igmp-mcast-registrations
Show whether IGMP is on or off on a VLAN.           l2-tables show vlan-igmp-status
Show info about MACs registered by the system.      l2-tables show bridge-management
Show SNMP statistics.                               snmp show statistics
Show ICMP statistics.

Configuring the XP for Port Mirroring

The XP allows you to monitor activity with port mirroring. Port mirroring allows you to monitor the performance and activities of ports on the XP, or of traffic defined by an ACL, through a single, separate port. While in Configure mode, you can configure your XP for port mirroring with a simple command line like the following:

Configure Port Mirroring.
Chapter 26 RMON Configuration Guide

RMON Overview

You can employ Remote Network Monitoring (RMON) in your network to help monitor traffic at remote points on the network. With RMON, data collection and processing is done with a remote probe, namely the XP. The XP also includes RMON agent software that communicates with a network management station via SNMP.

Configuring and Enabling RMON

By default, RMON is disabled on the XP. To configure and enable RMON on the XP, follow these steps:

1. Turn on the Lite, Standard, or Professional RMON groups by entering the rmon set lite|standard|professional command. You can also configure default control tables for the Lite, Standard, or Professional RMON groups by including the default-tables yes parameter.
2. Enable RMON on specified ports with the rmon set ports command.
3.

RMON Groups

The RMON MIB groups are defined in RFCs 1757 (RMON 1) and 2021 (RMON 2). On the XP, you can configure one or more levels of RMON support for a set of ports. Each level (Lite, Standard, or Professional) enables a different set of RMON groups (described later in this section). You need to configure at least one level before you can enable RMON on the XP.

Standard RMON Groups

This section describes the RMON groups that are enabled when you specify the Standard support level. The Standard RMON groups are shown in the table below.

Table 12. Standard RMON Groups

Group        Function
Host         Records statistics about the hosts discovered on the network.
Host Top N   Gathers the top n hosts, based on a specified rate-based statistic. This group requires the Host group.
Matrix       Records statistics for source and destination address pairs.

Table 13. Professional RMON Groups

Group                                  Function
Application Layer Matrix (and Top N)   Monitors traffic at the application layer for protocols defined in the Protocol Directory. Top N gathers the top n application layer matrix entries.
Network Layer Matrix (and Top N)       Monitors traffic at the network layer for protocols defined in the Protocol Directory. Top N gathers the top n network layer matrix entries.

Using RMON

A row in the control table is created for each port on the XP, with the owner set to "monitor". If you want, you can change the owner by using the appropriate rmon command. See the section Configuring RMON Groups in this chapter for the command to configure a specific group.

Note: Control tables other than the default control tables must be configured with CLI commands, as described in Configuring RMON Groups.
To find out which host or user is using these applications/protocols on this port, use the following command:

ssr# rmon show al-matrix et.5.5
RMON II Application Layer Host Table
Index: 500, Port: et.5.5, Inserts: 4, Deletes: 0, Owner: monitor
SrcAddr        DstAddr      Packets  Octets   Protocol
-------------  -----------  -------  -------  ------------------------
10.50.89.88    15.15.15.3   1771     272562   *ether2.ip-v4
10.50.89.88    15.15.15.3   1125     211192   *ether2.ip-v4.tcp
10.50.89.88    15.15.15.3   1122     210967   *ether2.ip-v4.tcp.telnet
10.50.

To configure the Filter group, you must configure both the Channel and Filter control tables.

To configure the Protocol Distribution group.
rmon protocol-distribution index port [owner ] [status enable|disable]

To configure the User History group, you must configure the group of objects to be monitored and apply the objects in the group to the User History control table.

• Samples taken at 300 second (5 minute) intervals.
• A "Startup" alarm generation condition instructing the XP to generate an alarm if the sample is greater than or equal to the rising threshold or less than or equal to the falling threshold.
• Compare value at time of sampling (absolute value) to the specified thresholds.
• Rising and falling threshold values are 1.
• Rising and falling event index values are 15, which will trigger the previously-configured Event.
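The alarm semantics behind the settings listed above, as an added example (not code from the manual or from Enterasys): an RMON alarm entry compares each sample (absolute value, or the delta from the previous sample) against a rising and a falling threshold, the startup setting decides whether the very first sample may raise an event, and after a rising event no second rising event is generated until the value has come back down to the falling threshold (and vice versa), which is the hysteresis defined for the alarmTable in RFC 1757. The class name and the sample sequences in the test are constructed.

```python
"""RMON alarm evaluation with RFC 1757 alarmTable semantics: absolute or delta sampling,
rising/falling thresholds, startup alarm and hysteresis. Added example; not Enterasys code."""


class RmonAlarm:
    def __init__(self, rising, falling, sample_type="absolute", startup="rising-or-falling"):
        if rising < falling:
            raise ValueError("rising threshold must not be below falling threshold")
        self.rising = rising
        self.falling = falling
        self.sample_type = sample_type      # "absolute" or "delta"
        self.startup = startup              # "rising", "falling" or "rising-or-falling"
        self.prev_raw = None                # previous raw sample, needed for delta sampling
        self.first_compare = True           # the startup rule applies to the first comparison
        self.rising_armed = True            # cleared by a rising crossing, re-armed at the falling threshold
        self.falling_armed = True           # cleared by a falling crossing, re-armed at the rising threshold

    def sample(self, raw):
        """Feed one sample; return 'rising', 'falling' or None (the event generated, if any)."""
        if self.sample_type == "delta":
            if self.prev_raw is None:       # nothing to subtract from yet
                self.prev_raw = raw
                return None
            value, self.prev_raw = raw - self.prev_raw, raw
        else:
            value = raw

        event = None
        if value >= self.rising:
            if self.rising_armed and (not self.first_compare or self.startup in ("rising", "rising-or-falling")):
                event = "rising"
            self.rising_armed = False       # no second rising event until the value reaches the falling threshold
            self.falling_armed = True
        elif value <= self.falling:
            if self.falling_armed and (not self.first_compare or self.startup in ("falling", "rising-or-falling")):
                event = "falling"
            self.falling_armed = False      # no second falling event until the value reaches the rising threshold
            self.rising_armed = True
        self.first_compare = False
        return event
```

With both thresholds set to 1, as on this page, the entry behaves as a "non-zero" detector: the first sample at or above 1 raises a rising event, the value has to drop to 0 before another rising event is possible, and a value sitting at 1 across many intervals generates nothing further, so an event index does not fire once per interval of activity.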
To display the RMON 2 Address Map table.    rmon show address-map |all-ports
To show Network Layer Host logs.            rmon show nl-host|all-ports [summary]
To show Application Layer Host logs.        rmon show al-host|all-ports [summary]
To show Network Layer Matrix logs.          rmon show nl-matrix|all-ports [order-by srcdst|dstsrc] [summary]
To show Application Layer Matrix logs.

The following shows Host table output without a CLI filter:

ssr# rmon show hosts et.5.4
RMON I Host Table
Index: 503, Port: et.5.
Creating RMON CLI Filters

To create RMON CLI filters, use the following CLI command in Configure mode:

Creates an RMON CLI filter.    rmon set cli-filter

Using RMON CLI Filters

To see and use RMON CLI filters, use the following CLI commands in User or Enable mode:

Displays RMON CLI filters.                                       rmon show cli-filters
Applies a CLI filter on the current Telnet or Console session.   rmon apply cli-filters
Clears the currently-selected CLI filter.

Troubleshooting RMON

Check the following fields on the rmon show status command output:

ssr# rmon show status
RMON Status
-----------
* RMON is ENABLED                  1
* RMON initialization successful.  2
+--------------------------+
|    RMON Group Status     |
+-------+--------+---------+
| Group | Status | Default |
+-------+--------+---------+
| Lite  | On     | Yes     | 4
+-------+--------+---------+
| Std   | On     | Yes     |
+-------+--------+---------+
| Pro   | On     | Yes     |
+-------+--------+---------+
RMON is enabled on: et.5.1, et.5.

Allocating Memory to RMON

RMON allocates memory depending on the number of ports enabled for RMON, the RMON groups that have been configured, and whether or not default tables have been turned on or off. Enabling RMON with all groups (Lite, Standard, and Professional) with default tables uses approximately 300 Kbytes per port. If necessary, you can dynamically allocate additional memory to RMON.

To set the amount of memory allocated to RMON, use the following CLI command in User or Enable mode:

Specifies the total amount of Mbytes of memory allocated to RMON.
Chapter 27 LFAP Configuration Guide

Overview

The Lightweight Flow Accounting Protocol (LFAP) agent, defined in RFC 2124, is a TCP-oriented protocol used to push accounting information collected on the XP to a Flow Accounting Server (FAS). The LFAP agent uses ACLs to determine the IP traffic on which accounting information will be collected.

Enterasys' Traffic Accounting Services

Enterasys' Accounting Services consist of the following components:

• LFAP agent on the XP that collects application flow accounting information and sends it to the Enterasys FAS. You can configure the XP to collect information on an entire interface or on a specific host-to-host application flow. Configuring the LFAP agent on the XP is described in this chapter.

Up to three FAS systems can be configured on an XP, although the XP can only send LFAP messages to a single FAS at a time. The first configured FAS is the primary, so the XP attempts to connect to it via TCP first. If the connection fails, the next configured FAS is tried. A FAS can be configured as the primary FAS for one group of XPs and the secondary FAS for another group of XPs.

Note: The Traffic Accountant is not designed to reconcile duplicate data records.

Monitoring the LFAP Agent on the XP

The lfap show commands display information about the configuration of the LFAP agent on the XP and its current status. Use the following commands in Enable mode to view LFAP agent information:

Command                   Displays
lfap show configuration   Configuration of the LFAP agent on the XP.
lfap show servers         Configured FAS system(s) to which the LFAP agent could connect.
lfap show statistics      Statistics collected by the LFAP agent.
Chapter 28 WAN Configuration Guide

This chapter provides an overview of Wide Area Network (WAN) applications as well as an overview of both Frame Relay and PPP configuration for the XP. In addition, you can view an example of a multi-router WAN configuration complete with diagram and configuration files in WAN Configuration Examples on page 369.

WAN Overview

Configuring WAN Interfaces

Configuring IP & IPX interfaces for the WAN is generally the same as for the LAN. You can configure IP/IPX interfaces on the physical port, or you can configure the interface as part of a VLAN for WAN interfaces. In the case of IP interfaces, you can configure multiple IP addresses for each interface. Please refer to Configuring IP Interfaces and Parameters on page 96 and Configuring IPX Interfaces and Parameters on page 272 for more specific information.

Mapped Addresses

Mapped peer IP/IPX addresses are very similar to static addresses in that InArp is disabled for Frame Relay and the address negotiated in IPCP/IPXCP is ignored for PPP. Mapped addresses are most useful when you do not want to specify the peer address using the interface create command. This would be the case if the interface is created for a VLAN and there are many peer addresses on the VLAN.

Forcing Bridged Encapsulation

WAN for the XP has the ability to force bridged packet encapsulation. This feature has been provided to facilitate seamless compatibility with Cisco routers, which expect bridged encapsulation in certain operating modes. The following command line displays an example for Frame Relay:

frame-relay set fr-encaps-bgd ports hs.5.2.19

The following command line displays an example for PPP:

ppp set ppp-encaps-bgd ports hs.5.

Nature of the Data

In general, data that is already compressed cannot be compressed any further; in fact, packets that are already compressed can grow larger. For example, if you have a link devoted to streaming MPEG videos, you should not enable compression, as the MPEG video data is already compressed.

Link Integrity

Links with high packet loss or links that are extremely over-subscribed may not perform as well with compression enabled.

Packet Encryption

Packet encryption protects data that travels through unsecured networks. You can enable packet encryption for PPP ports; however, both ends of a link must be configured to use packet encryption. The following command line displays an example:

ppp set payload-encrypt transmit-key 0x123456789abcdef receive-key 0xfedcba987654321 port se.4.2, mp.

The transmit and receive keys are part of the XP configuration, so anyone who can read the configuration can read the keys; protect configuration files and their backups accordingly.

For example, if you want to apply a source MAC address filter to a WAN serial card located in slot 5, port 2, your configuration command line would look like the following:

ssr(config)# filters add address-filter name wan1 source-mac 000102:030405 vlan 2 in-port-list se.5

Port se.5 is specified instead of se.5.2 because source filters affect the entire WAN module. Hence, in this example, source-mac 000102:030405 would be filtered from ports se.5.1, se.5.2, se.5.3, and se.5.
Frame Relay Overview

Random Early Discard (RED)

RED allows network operators to manage traffic during periods of congestion based on policies. Random Early Discard (RED) works with TCP to provide fair reductions in traffic proportional to the bandwidth being used. Weighted Random Early Discard (WRED) works with IP Precedence or priority, as defined in the qos configuration command line, to provide preferential traffic handling for higher-priority traffic.

Configuring Frame Relay Interfaces for the XP

Virtual Circuits

You can think of a Virtual Circuit (VC) as a "virtual interface" (sometimes referred to as a "sub-interface") over which Frame Relay traffic travels. Frame Relay interfaces on the XP use one or more VCs to establish bidirectional, end-to-end connections with remote end points throughout the WAN. For example, you can connect a series of multi-protocol routers in various locations using a Frame Relay network.

Then, you must set up a Frame Relay virtual circuit (VC). The following command line displays a simplified example of a VC definition:

Define the type and location of a Frame Relay VC.    frame-relay create vc

Setting up a Frame Relay Service Profile

Once you have defined the type and location of your Frame Relay WAN interface(s), you can configure your XP to more efficiently utilize available bandwidth for Frame Relay communications.

Monitoring Frame Relay WAN Ports

Once you have configured your Frame Relay WAN interface(s), you can use the CLI to monitor status and statistics for your WAN ports.

• Committed information rate (CIR) of 20 million bits per second
• Leave high-, low-, and medium-priority queue depths set to factory defaults
• Random Early Discard (RED) disabled
• RMON enabled

The command line necessary to set up a service profile with the above attributes would be as follows:

ssr(config)# frame-relay define service profile1 Bc 2000000 Be 10000000 becn-adaptive-shaping 65 cir 20000000 red off rmon on

To assign the above service profile to

Configuring PPP Interfaces

Use of LCP Magic Numbers

LCP magic numbers enable you to detect situations where PPP LCP packets are looped back from the remote system, resulting in an error message. The use of LCP magic numbers is enabled on the XP by default; however, should you employ a service profile in which the use of LCP magic numbers has been disabled, undetected "loopback" behavior may become a problem.

After you configure one or more service profiles for your PPP interface(s), you can then apply a service profile to active PPP WAN ports, specifying their behavior when handling PPP traffic. The following command line displays all of the possible attributes used to define a PPP service profile:

Define a PPP service profile.

Set the size of frames that are fragmented for transmission on an MLP bundle.           ppp set mlp-frag-size ports size
Set the depth of the queue used to hold MLP packets for preserving the packet order.    ppp set mlp-orderq-depth ports qdepth
Set the depth of the queue used to hold packet fragments for reassembly.

PPP Port Configuration

To configure PPP WAN ports, you must first define the type and location of the WAN interface, optionally "set up" a library of configuration settings, then apply those settings to the desired interface(s). The following examples are designed to give you a small model of the steps necessary for a typical PPP WAN interface specification.
WAN Configuration Examples

Simple Configuration File

The following is an example of a simple configuration file used to test Frame Relay and PPP WAN ports:

port set hs.5.1 wan-encapsulation frame-relay speed 45000000
port set hs.5.2 wan-encapsulation ppp speed 45000000
interface create ip fr1 address-netmask 10.1.1.1/16 port hs.5.1.100
interface create ip ppp2 address-netmask 10.2.1.1/16 port hs.5.2
interface create ip lan1 address-netmask 10.20.1.1/16 port et.1.

Multi-Router WAN Configuration

The following is a diagram of a multi-router WAN configuration encompassing three subnets. From the diagram, you can see that R1 is part of both Subnets 1 and 2; R2 is part of both Subnets 2 and 3; and R3 is part of Subnets 1 and 3. The text configuration file for each router follows.

(Diagram not reproduced. Recoverable labels: et.1.1 50.50.50.5, R 100.100.100.5, se.4.1 100.100.100.4, se.6.3 50.50.50.)

Router R1 Configuration File

The following configuration file applies to Router R1.

----------------------------------------------------------------------
Configuration for ROUTER R1
----------------------------------------------------------------------
port set hs.7.1 wan-encapsulation frame-relay speed 45000000
port set hs.3.1 wan-encapsulation frame-relay speed 45000000
port set hs.3.2 wan-encapsulation ppp speed 45000000
port set et.1.* duplex full
frame-relay create vc port hs.

rip set interface all version 2
rip set auto-summary enable
rip start
system set name R2
arp add 20.20.20.12 exit-port et.1.1 mac-addr 000202:020200

Router R3 Configuration File

The following configuration file applies to Router R3.

----------------------------------------------------------------------
Configuration for ROUTER R3
----------------------------------------------------------------------
port set se.2.1 wan-encapsulation frame-relay speed 1500000
port set et.1.

frame-relay create vc port se.6.1.304
vlan create s1 id 200
vlan add ports se.6.1.304,se.6.3 to s1
interface create ip s1 address-netmask 100.100.100.4/16 vlan s1
rip add interface all
rip set interface all version 2
rip set interface all xmt-actual enable
rip set broadcast-state always
rip set auto-summary enable
rip start
system set name R4

Router R5 Configuration File

The following configuration file applies to Router R5.

frame-relay create vc port hs.3.1.106
frame-relay define service CIRforR1toR6 cir 45000000 bc 450000
frame-relay apply service CIRforR1toR6 ports hs.3.1.106
vlan create BridgeforR1toR6 port-based id 106
interface create ip FRforR1toR6 address-netmask 100.100.100.6/16 vlan BridgeforR1toR6
interface create ip lan1 address-netmask 60.60.60.6/16 port et.15.1
vlan add ports hs.3.1.106 to BridgeforR1toR6
vlan add ports et.15.2 to BridgeforR1toR6
qos set ip VideoFromNT high 100.100.100.
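Configuration files in the form shown above are easy to get subtly wrong: a VC port used in a VLAN or interface before its "frame-relay create vc", a service profile applied but never defined, an interface bound to a VLAN that was never created, or two interfaces sharing one IP network. The following is an added example (not code from the manual or from Enterasys) of a static checker for exactly those mistakes over the command forms that appear in this section. The sample configuration, the audit function and the message wording are all constructed for this example; the checker only understands the handful of command forms it names and ignores everything else.

```python
"""Static consistency checks over XP-style configuration text of the kind shown in the
router configuration files above. Added example; not Enterasys code. SAMPLE_CONFIG is
constructed for this example and deliberately contains four mistakes."""
import re
from ipaddress import ip_interface

SAMPLE_CONFIG = """\
port set hs.3.1 wan-encapsulation frame-relay speed 45000000
frame-relay create vc port hs.3.1.106
frame-relay define service CIRforR1toR6 cir 45000000 bc 450000
frame-relay apply service CIRforR1toR6 ports hs.3.1.106
vlan create BridgeforR1toR6 port-based id 106
vlan add ports hs.3.1.106 to BridgeforR1toR6
interface create ip FRforR1toR6 address-netmask 100.100.100.6/16 vlan BridgeforR1toR6
interface create ip lan1 address-netmask 60.60.60.6/16 port et.15.1
vlan add ports hs.3.1.107 to BridgeforR1toR6
frame-relay apply service Missing ports hs.3.1.106
interface create ip s1 address-netmask 100.100.100.4/16 vlan s1
"""

VC_PORT = re.compile(r"(hs|se)\.\d+\.\d+\.\d+")   # slot.port.DLCI form, e.g. hs.3.1.106


def _after(tokens, keyword):
    """Value following a keyword, or None if the keyword is absent or last."""
    if keyword in tokens:
        i = tokens.index(keyword)
        if i + 1 < len(tokens):
            return tokens[i + 1]
    return None


def audit(config_text):
    """Return a list of findings, one string per problem, in file order."""
    vcs, services, vlans, findings, networks = set(), set(), set(), [], {}
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        t = raw.split()
        if not t:
            continue
        head = " ".join(t[:3])
        if head == "frame-relay create vc":
            vcs.add(_after(t, "port"))
        elif head == "frame-relay define service":
            services.add(t[3])
        elif head == "frame-relay apply service":
            if t[3] not in services:
                findings.append(f"line {lineno}: service '{t[3]}' applied but never defined")
            for p in (_after(t, "ports") or "").split(","):
                if VC_PORT.fullmatch(p) and p not in vcs:
                    findings.append(f"line {lineno}: VC port '{p}' used before 'frame-relay create vc'")
        elif head.startswith("vlan create"):
            vlans.add(t[2])
        elif head == "vlan add ports":
            vlan = _after(t, "to")
            if vlan not in vlans:
                findings.append(f"line {lineno}: VLAN '{vlan}' not created")
            for p in t[3].split(","):
                if VC_PORT.fullmatch(p) and p not in vcs:
                    findings.append(f"line {lineno}: VC port '{p}' used before 'frame-relay create vc'")
        elif head == "interface create ip":
            vlan, port = _after(t, "vlan"), _after(t, "port")
            if vlan is not None and vlan not in vlans:
                findings.append(f"line {lineno}: interface '{t[3]}' bound to unknown VLAN '{vlan}'")
            if port is not None and VC_PORT.fullmatch(port) and port not in vcs:
                findings.append(f"line {lineno}: VC port '{port}' used before 'frame-relay create vc'")
            addr = _after(t, "address-netmask")
            if addr:
                net = ip_interface(addr).network
                if net in networks:
                    findings.append(f"line {lineno}: interface '{t[3]}' shares network {net} with '{networks[net]}'")
                else:
                    networks[net] = t[3]
    return findings
```

Because the checker processes statements in order, it also catches ordering mistakes (a reference that precedes its definition) that a set-based comparison would miss, which matters for configuration files that are replayed line by line.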