X-Pedition™ Security Router XSR-1850 Getting Started Guide Version 7.
Electrical Hazard: Only qualified personnel should perform installation procedures.
Notice
Enterasys Networks reserves the right to make changes in specifications and other information contained in this document and its web site without prior notice.
Product                              Product Identifier
NIM-T1/E1-xx, NIM-CT1E1/PRI-xx       US: 5N5DENANET1
NIM-BRI-U-xx                         US: 5N5DENANEBU
NIM-ADSL-AC-xx                       US: 5N5DL02NEAA
NIM-DIRELAY-xx                       US: 5N5DENANEDI
NIM-TE1-xx, NIM-CTE1-PRI-xx          US: 5N5DENANECT
A plug and jack used to connect the XSR to the premises wiring and telephone network must comply with the applicable FCC Part 68 rules and requirements adopted by ACTA. Refer to the following table and installation instructions for details.
Users should ensure for their own protection that the electrical ground connections of the power utility, telephone lines and internal metallic water pipe system, if present, are connected together. This precaution may be particularly important in rural areas. Caution: Users should not attempt to make such connections themselves, but should contact the appropriate electric inspection authority, or electrician, as appropriate.
European Waste Electrical and Electronic Equipment (WEEE) Notice
In accordance with Directive 2002/96/EC of the European Parliament on waste electrical and electronic equipment (WEEE):
1. The symbol above indicates that separate collection of electrical and electronic equipment is required and that this product was placed on the European market after August 13, 2005, the date of enforcement for Directive 2002/96/EC.
2.
Declaration of Conformity
Application of Council Directive(s): 89/336/EEC, 73/23/EEC
Manufacturer’s Name: Enterasys Networks, Inc.
Manufacturer’s Address: 50 Minuteman Road, Andover, MA 01810 USA
European Representative Address: Enterasys Networks, Ltd.
Conformance to Directive(s)/Product Standards:
Equipment Type/Environment:
Independent Communications Authority of South Africa
This product complies with the terms of the provisions of section 54(1) of the Telecommunications Act (Act 103 of 1996) and the Telecommunications Regulation prescribed under the Post Office Act (Act 44 of 1958).
TE-2002/195 APPROVED, TE-2002/190 APPROVED, TE-2003/112 APPROVED, TE-2003/113 APPROVED
SS/366.
Enterasys Networks, Inc. Firmware License Agreement
BEFORE OPENING OR UTILIZING THE ENCLOSED PRODUCT, CAREFULLY READ THIS LICENSE AGREEMENT.
This document is an agreement (“Agreement”) between the end user (“You”) and Enterasys Networks, Inc.
If the Program is exported from the United States pursuant to the License Exception TSR under the U.S.
. ASSIGNMENT. You may not assign, transfer or sublicense this Agreement or any of Your rights or obligations under this Agreement, except that You may assign this Agreement to any person or entity which acquires substantially all of Your stock or assets. Enterasys may assign this Agreement in its sole discretion. This Agreement shall be binding upon and inure to the benefit of the parties, their legal representatives, permitted transferees, successors and assigns as permitted by this Agreement.
Contents
Preface
  Contents of the Guide
  Conventions Used in This Guide
  Getting Help
Chapter 1: Overview
  System Description
  PRI Configuration
  BRI Configuration
    BRI Leased Line
    BRI Leased Frame Relay
  bu
  bU
  cd
  copy
Preface
This guide provides a general overview of the XSR-1850 hardware and software features and describes how to quickly install and configure the XSR. Refer to the XSR-1850 CLI Reference Guide and XSR-1850 User’s Guide for information not contained in this document. This guide is written for administrators who want to configure the X-Pedition Security Router or experienced users who are knowledgeable about basic networking principles.
Electrical Hazard: Warns against an action that could result in personal injury or death due to an electrical hazard. Installation should be carried out only by trained and qualified personnel.
Warning: Warns against an action that could result in personal injury or death.
Getting Help
For additional support related to the XSR, contact Enterasys Networks by one of these methods:
World Wide Web: http://www.enterasys.com
Phone: (978) 684-1000, 1-800-872-8440 (toll-free in U.S. and Canada)
For the Enterasys Networks Support toll-free number in your country: http://www.enterasys.com/support/gtac-all.html
Internet mail: support@enterasys.com
To expedite your message, please type [xsr] in the subject line.
FTP: ftp://ftp.enterasys.
1 Overview
This chapter introduces key features of the XSR-1850 and briefly describes hardware installation.
System Description
The XSR is a desktop networking device designed for enterprise branch offices that provides IP routing over FastEthernet LAN and T1/E1, Serial (RS232, X.21, V.35, RS422/530, RS449), Dial Services via POTS, ISDN (BRI, PRI), or Frame Relay WAN connections. Virtual Private Network (VPN) and Firewall support is also provided in Site-to-Site or Remote Access applications.
Hardware Features
The semi-modular XSR, shown in Figure 1-2, comes equipped with the following features:
• Standard 1.5U chassis (2 1/16” high by 17” wide by 10” deep) that you can mount in a standard 19” rack.
• One internal 90 - 265 VAC power supply with country-specific line cords. Optionally, an external power supply and cord is available.
• IBM PowerPC 405GP embedded processor (440 MIPS) with integrated memory controller.
Note: The third NIM card slot is not used at this time.
• Two 10/100BaseT FastEthernet LAN connectors.
• Console interface including modem control signals for remote debugging, out-of-band configuration or dial backup.
• 64 MBytes of SDRAM/DIMM memory upgradable to 128 MBytes, 8 MBytes of Onboard Flash, and 8, 16, 32, or 64 Mbyte optional, plug-in CompactFlash card.
• VPN accelerator for encryption/decryption (DES/3DES), Message Digest (MD-5, SHA-1) and public key acceleration.
• Telnet & TFTP for device management and configuration
• Debugging tools Ping & TraceRoute
• Secondary IP addressing
• PPP and OSPF debugging
• Internet Group Management Protocol (IGMP)
• Remote Auto Install over Ethernet
• Simple Network Time Protocol (SNTP) server
• OS fallback
IP Routing
• Static and multiple routes to the same destination
• Redistribution of routes from RIP, OSPF, BGP, connected, or static into RIP, OSPF, and BGP
• RIP-1 & RIP-2
• Open Shortes
• Service Level Agreement (SLA) agents
• SNMP-TFTP on-the-fly running configuration
• Hostname in the Syslog message header
• Multiple Syslog servers
Security
• Stateful inspection firewall engine
• FTP, H.
• Rate enforcement (CIR) with automatic rate fallback via traffic/adaptive shaping when the network is congested.
• BRI: TEI auto-negotiated
• Q.921/Q.
SecurID (third-party plug-in)
Certificates (embedded/smart cards) – Microsoft only
– PPTP protocol
MS-ChapV2, EAP user authentication
Local Database & RADIUS
SecurID (third-party plug-in)
Certificates (embedded/smart cards) – Microsoft only
• Encryption
• Advanced Encryption Standard (AES), Triple Data Encryption Standard (3DES), Data Encryption Standard (DES)
• 3DES/DES acceleration
• Data Integrity
• MD5 & SHA-1 algorithms
• Internet Protocol Security (IPsec)
• Encapsulating Sec
GRE over IPSec
• ToS bit preservation
• IP helper on VPN interfaces
• IETF/Microsoft-compatible NAT traversal for L2TP
• QoS over VPN
Asynchronous Digital Subscriber Line (ADSL)
• POTS and ISDN circuit support
• ATM Frame UNI (FUNI) data framing format
• OAM cells: AIS, RDI, CC, Loopback over F4 and F5 flows
• Up to 30 ATM Permanent Virtual Circuits (PVCs)
• ATM UBR traffic class
• ATM Adaption Layers 0, 5
• PDU encapsulation types:
• PPP over ATM (PPPoA) (routed)
•
Dial Backup
• IP Interfaces backup
Dial-on-Demand/Bandwidth-on-Demand (DoD/BoD)
• PPP Point-to-Multipoint & Multi-to-Multipoint connections
• MLPPP Point-to-Multipoint & Multi-to-Multipoint connections
• Incoming Call Mapping connections
• Switched PPP Multilink connections
• Backup using ISDN & MLPPP connections
• Dialer interface spoofing
• Dialer watch
Installation Overview
Installing the XSR consists of performing the following general steps.
2 Hardware Installation
Introduction
This chapter provides a checklist to verify your shipment, suggestions for the installation site, and describes how to install the following XSR hardware:
• NIM cards
• Connecting cables
• Optional - CompactFlash card
• Optional - Redundant power supply(s), passive power chassis and harness
Note: For instructions on installing a balun and grounding shunt/terminal strip on E1 NIM cards only, refer to Appendix A: Specifications on page A-1.
Installing NIM Cards and Rack Mounting
• If installing the XSR chassis in an equipment rack, ensure that the rack can support and remain stable with the chassis installed.
• Each XSR AC power supply requires a three-pronged power receptacle capable of delivering the current and voltage specified in Appendix A. An AC outlet on a separately fused circuit is required for each XSR to provide power redundancy, and must be located within 182 centimeters (6 feet) of the site.
4. Unfasten the screws securing the NIM blank/grounding plates and remove them as shown in Figure 2-2.
5. Fasten the NIM to the NIM brace with the screws supplied in the shipping box, as shown in Figure 2-3.
6. Position the NIM atop the open slot (NIM 2) pin holding assembly on the chassis and gently press into place. Fasten the back end of the NIM/brace to the chassis with the screws supplied, as shown in Figure 2-4.
Figure 2-4 Installing NIM Card
7. Reattach the bottom access cover to the chassis.
8. Attach the rack brackets to the chassis with the screws supplied, as shown in Figure 2-5.
Figure 2-5 Fastening Rack Brackets
9. Mount the bracketed XSR to your rack, as shown in Figure 2-6.
Connecting XSR Cables
Perform the following steps to connect your cabling:
1. Connect the serial Console cable provided in the packing box to your PC connector, as shown in Figure 2-7.
Figure 2-7 Connecting Serial Console Cable
2. Connect your WAN cables from the T1/PRI or BRI port(s) to your WAN connectors, as shown in Figure 2-8.
Figure 2-9 Connecting High Speed Serial Connector
3. Optionally, you can connect WAN cables to a T3/E3 NIM, as shown in Figure 2-10, or an ADSL NIM, as shown in Figure 2-11, or a T1 Drop & Insert NIM, as shown in Figure 2-12.
Figure 2-12 Connecting T1 Drop & Insert Connector
4. Connect the FastEthernet port(s) to your LAN connectors with a cable, as shown in Figure 2-13.
Figure 2-13 Attaching FastEthernet Connectors
5. Attach the power supply cord to the power connector at the rear of the router, as shown in Figure 2-14, and plug the country-specific power cord into a wall socket.
Figure 2-14 Connecting Internal Power Supply Cord
You are now ready to configure the software and initialize the XSR. Continue with “Software Configuration” on page 3-1.
Installing a CompactFlash Memory Card
CompactFlash Card Installation
Follow the steps below to install the CompactFlash card:
1. If your CF is formatted, first remove the cover plate as shown in Figure 2-16. If it is not formatted, jump to “Formatting the CompactFlash Card” on page 2-12.
Figure 2-16
2.
Be sure the CF’s wider grooved edge fits into the wider groove of the PCMCIA interface in the front of the XSR. Note that the XSR-1805’s CF eject mechanism pops out when you install the card for easy removal.
Installing the Redundant Power System
Figure 2-18 Redundant Power System
Up to four power systems can be installed in the 1U Passive Power Chassis, as shown in Figure 2-19, which can be rack mounted. Two-foot long DC power harnesses are provided to attach XSRs and the chassis, as well as a standard, 2-meter shielded power cord for the chassis-to-wall outlet connection.
Figure 2-20 Inserting Power System in Passive Power Chassis
2. Mount the power chassis in a standard 19” rack, as shown in Figure 2-21.
Figure 2-22 Connecting DC Cable Harness
4. When connecting cable harnesses, be careful to attach them with a minimum of stretching, as shown in Figure 2-23.
Figure 2-23
3 Software Configuration
This chapter describes how to initialize, quickly set up and verify your configuration for the XSR. Refer to the XSR CLI Reference Guide for a more thorough explanation of commands and parameter options. Also included are sample configuration scripts, detailed XSR rebooting characteristics, and Remote Auto Install (RAI) and Bootrom Monitor mode instructions.
Powering On and Initializing XSR Software
• ETH 10/100 LEDs turn ON and OFF a few times during initialization as the XSR proceeds from bootrom to power up diagnostics to software image, then they remain ON or OFF depending on the LAN type.
• ETHERNET Activity LEDs blink when frames pass on the LAN.
• Console Activity LED is OFF until the CLI comes up. Then it blinks ON/OFF during console keyboard input or output.
• NIM LEDs are OFF until the CLI comes up.
Opening a Console Session
only the first error will be reported, along with a count of the sum of errors incurred. In the case of a single error, only the error line will be reported. Error messages will be logged as well. Because the result of continuing to process a flawed startup-config is not predictable, the nature and position of the syntax error may cause erroneous configuration of the XSR.
• Router ports and protocol stacks are initialized based on startup configuration.
Optional: Configuring Remote Auto Install
to IP addresses 133.133.1.2 and 133.133.1.3. If the DLCI will connect to a remote XSR running RAI, then add the bootp parameter after the static IP address. This configuration supports two remote XSRs connected on DLCIs 16 and 18. Make sure with your Frame Relay provider that these DLCIs terminate at the location of the remote XSRs. To add more remote XSRs, you will need additional DLCIs.
Phase 6 - getting hostname xsrnode-confg from tftp server into flash: startupconfig
+ rDNS has responded with the hostname xsrnode which will be used in the TFTP transfer. RAI will try several file names if this file is not available from the server.
Phase 7 - preparing node to execute startup-config
+ TFTP transfer succeeded in copying the hostname file to the Flash: startup-config file.
The following is a Cisco configuration at the central site:
vpdn enable
+ Enables a virtual private dial-up network configuration on the router.
vpdn-group 1
+ Creates a VPDN session group and links it to a virtual template.
accept-dialin
protocol pppoe
virtual-template 1
pppoe limit per-mac 10
+ This is an optional command.
pppoe limit max-sessions 32000
+ This is an optional command.
Configuring the XSR Name and User Information
Phase 2 - ADSL - searching for pvc's ...vpi/vci (0/0)
+ The XSR looks for PVC 0/0 and higher.
Phase 2 - ADSL - searching for pvc's ...vpi/vci (0/38)
+ The XSR looks for PVC 0/38 and higher.
Phase 3 - ADSL - trying to connect on 0/35 with snap PPPoE
+ PVC 0/35 is found, SNAP PPPoE encapsulation is applied and authentication tried if required.
Phase 3 - ADSL - waiting for IP to connect (54 sec)
+ The XSR waits one minute for the PPPoE connection to come up.
Setting the Clock
XSR 1800 and 3000 Series routers have an on-board Real Time Clock (RTC) chip with which to keep accurate time across the network. As an alternative to accessing a public time server, you can utilize the RTC as a time reference and propagate it by configuring XSRs as Simple Network Time Protocol (SNTP) servers or clients.
Configuring the WAN Ports
This command allows multiple logical WAN interfaces to be created on a single channelized T1/E1/ISDN-PRI port, ranging from 0 - 23 for T1 lines, and 0 - 31 for E1 lines. Also, from 1 - 24 T1 and 1 - 31 E1 timeslots can be set. Channel speed options are 56 (T1) or 64 (E1) kbps.
Note: Channel group and timeslot number ranges are different. Be sure to match them correctly and within the range. Also, when adding a second T1 or E1, be sure to begin channel numbering again at 0.
6.
4. Enter encapsulation ppp to select PPP encoding.
5. Enter no shutdown to keep the BRI interface enabled.
BRI Leased Frame Relay
1. Enter interface bri 0:<1 | 2>.<1-30> to acquire BRI Interface mode and select the BRI port and channel 1 or 2.
2. Enter encapsulation frame-relay to select Frame Relay encoding.
3. Enter no shutdown to keep the BRI interface enabled.
4.
ADSL Configuration
ADSL can be configured using three different types of encapsulation: PPPoA, PPPoE, and IPoA. Continue configuration with the ADSL type of your choice.
PPPoE
The following commands configure a sample PPPoE topology. The first set configures the LAN interface with directed broadcasts prohibited.
XSR(config)#interface FastEthernet 1
XSR(config-if)#ip address 192.168.1.1 255.255.255.
XSR(config-if)#no
XSR(config-if)#no
The commands below configure the ATM interface and sub-interface with a negotiated IP address, CHAP username and password, and disable keepalives.
XSR(config)#interface ATM 0
XSR(config-if)#no shutdown
XSR(config-if)#interface ATM 0.1
XSR(config-if)#no shutdown
XSR(config-if)#encapsulation snap pppoa
XSR(config-if)#ip address negotiated
XSR(config-if)#ip mtu 1492
XSR(config-if
Firewall Sample Configuration
Figure 3-1 XSR with Firewall Topology (XSR-1850: S1 to the Internet over Frame Relay, 206.12.44.16/28; FE1 220.150.2.35 on the Internal network 220.150.2.32/28 with hosts 220.150.2.36 and 220.150.2.37; FE2 220.150.2.17 on the DMZ 220.150.2.16/28 with Mail server (SMTP) 220.150.2.18 and Web server (HTTP) 220.150.2.19)
In this configuration, the firewall provides protected access from the private to dmz networks. That is, access is restricted to Web and mail traffic only.
Setting Up RIP Routing
Trial load the completed configuration into the firewall engine, and if successful, load the configuration:
XSR(config)#ip firewall load trial
XSR(config)#ip firewall load
Complete LAN and WAN interface configuration:
XSR(config)#interface fastethernet 1
XSR(config-if)#ip address 220.150.2.35 255.255.255.0
XSR(config-if)#no shutdown
XSR(config)#interface fastethernet 2
XSR(config-if)#ip address 220.150.2.17 255.255.255.
Configure OSPF Routing
12. Enter network (IP address) of the network to be advertised. Repeat the command to configure additional networks.
13. Enter passive-interface type num if you want to prevent RIP transmissions on the interface.
14. Enter no receive-interface if you want to disable reception of RIP updates on the interface.
Remember to save your configuration after all edits. For more RIP configuration examples, refer to the XSR User’s Manual.
Setting Up the Backup Line
7. Enter map-class frame-relay to designate this map-class and acquire Map-Class mode.
8. Enter frame-relay cir out to set the outgoing CIR (the default is 56000 bps). Refer to the XSR User’s Guide for more details.
9. Enter frame-relay bc out to set the Burst size for this map-class. Refer to the XSR User’s Manual for further directions.
10. Enter frame-relay be out to set the excess Burst size for this map-class.
Setting Up SNMP Community String, Traps and V3 Values
10. To set up the Console port as a dial-in port, perform the following:
• Enter interface serial 0 to decouple the port from the CLI and acquire Interface mode.
• Enter no shutdown to keep the interface enabled.
11. Enter dialer pool-member to set the dialer interface.
12. Enter clock rate 38400 to configure the proper baud rate.
13. Enter encapsulation ppp for the correct encoding method.
14. Enter ip address of the interface.
Configuring Message Logging and Severity Level
7. Optional. For SNMPv3, enter snmp-server user v3 [encrypted][auth {md5 | sha} auth-password [priv des56 priv-password]] to add a user. Users can have different levels of encryption and passwords.
Remember to save your configuration after all edits. Refer to the User’s Guide and CLI Reference Guide for more information.
Connecting Remotely via the Web
1. Enter configure to acquire Configuration mode.
2. Enter ip http server enable to access the XSR over the Web.
3. Point your terminal’s Web browser at the XSR’s IP address. Enter http://. The initial Web access window appears as shown in Figure 3-2.
Figure 3-2 Initial Web Access Window (STATUS: Product Version; X-Pedition Security Router XSR, © 2004 Enterasys Networks)
Click on Product Version to bring up the Product Version window for a host of hardware, bootrom, and software information as shown in Figure 3-3.
Figure 3-3 Web Product Version Window
Product Version
Copyright 2004 by Enterasys Networks, Inc.
Hardware:
Processor board ID: 9002854-02 REV0A
Serial Number: (not displayed)
Processor: IBM PowerPC 405GP Rev.
LAN-PPP Services Sample Configuration
The sample configuration below, see Figure 3-4, creates a PPP, fractional T1 leased line connection from the XSR branch node to the Central Site router and a backup serial dialup link to the Backup Site regional router.
Figure 3-4 Sample LAN-PPP Services Configuration (Hostname: branch1, Username: mainsite, Password: Toronto; Hostname: mainsite, Username: branch1, Password: Toronto; 192.168.1.100/24 XSR-1850 154.168.1.
XSR(config-controller)#no shutdown
+ Enables T1 controller
XSR(config)#interface serial 1/0:0
+ Configures Serial interface 1, port 1 using channel group 0 and acquires Interface mode
XSR(config-if)#encapsulation ppp
+ Enables PPP encapsulation
XSR(config-if)#ppp authentication chap
+ Configures CHAP authentication on the interface
XSR(config-if)#ip address 154.68.1.47 255.255.255.
Frame Relay WAN Link with PPP Backup Sample Configuration
Configure Users and Passwords
XSR>enable
+ Acquires Privileged EXEC mode
XSR#configure
+ Acquires Global configuration mode
XSR(config)#username bob password cleartext bobspassword
+ Adds a user and unencrypted password
Configure LAN Interface
XSR(config)#interface fastethernet 1
+ Configures the local LAN port and acquires Interface mode
XSR(config-if)#ip address 192.168.1.100 255.255.255.
XSR(config-pmap-c)#set ip dscp ef
+ Configures IP precedence to match packets with Expedited Forwarding
XSR(config-pmap)#class priority-server
+ Adds another queue for this policy map and enters Class sub-mode
XSR(config-pmap-c)#priority medium 20 6400
+ Gives medium priority queue a peak 20% bandwidth and burst size of 6400 bits per second
XSR(config)#policy-map data_policy
+ Adds a policy map and
XSR(config-if
Configure More Access Lists
The following ACLs deny any packets to or from host 192.168.1.15 as they enter or leave the FastEthernet 1 interface, and permit traffic to or from subnet 192.168.2.xx while denying any other traffic.
XSR(config)#access-list 125 deny ip any host 192.168.1.15
XSR(config)#access-list 125 deny ip host 192.168.1.15 any
XSR(config)#access-list 125 permit ip 192.168.2.0 0.0.0.255 any
XSR(config)#access-list 125 permit ip 192.
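The matching behaviour of ACL 125, as an added example that is not from the Enterasys guide: it parses the three complete entries (the entry cut off on the page is omitted), evaluates constructed packets, and shows how one mistyped octet in the permit entry drops the subnet the text intends to allow. It assumes entries are checked in order with an implicit deny at the end, in line with the text's "denying any other traffic"; function names and test addresses are illustrative.

```python
import ipaddress

# ACL 125 as the text describes it (subnet 192.168.2.x). Only the three
# complete entries are used; the entry cut off on the page is left out.
ACL_125 = """\
XSR(config)#access-list 125 deny ip any host 192.168.1.15
XSR(config)#access-list 125 deny ip host 192.168.1.15 any
XSR(config)#access-list 125 permit ip 192.168.2.0 0.0.0.255 any
"""

# Constructed variant: one mistyped octet in the permit entry.
ACL_125_TYPO = ACL_125.replace("192.168.2.0", "192.162.2.0")

# Constructed expectations taken from the prose: (source, destination, verdict).
EXPECTED = [
    ("192.168.2.7", "10.0.0.5", "permit"),     # from the permitted subnet
    ("192.168.2.7", "192.168.1.15", "deny"),   # to the blocked host
    ("192.168.1.15", "192.168.2.7", "deny"),   # from the blocked host
    ("192.168.3.9", "10.0.0.5", "deny"),       # anything else
]


def to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))


def take_address(tokens):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' from the token list."""
    word = tokens.pop(0)
    if word == "any":
        return 0, 0xFFFFFFFF
    if word == "host":
        return to_int(tokens.pop(0)), 0
    return to_int(word), to_int(tokens.pop(0))


def parse_acl(text, number):
    """Return the ordered (action, src_spec, dst_spec, line) entries of one ACL."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[-1].strip()   # drop the CLI prompt if present
        tokens = line.split()
        if tokens[:2] != ["access-list", str(number)]:
            continue
        try:
            action, protocol, rest = tokens[2], tokens[3], tokens[4:]
            if action not in ("permit", "deny") or protocol != "ip":
                raise ValueError("unsupported entry")
            src = take_address(rest)
            dst = take_address(rest)
            if rest:
                raise ValueError("trailing tokens")
        except (IndexError, ValueError) as exc:
            raise ValueError(f"cannot parse {line!r}: {exc}") from None
        entries.append((action, src, dst, line))
    return entries


def matches(address, spec):
    base, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF              # a wildcard bit of 1 means "ignore"
    return (address & care) == (base & care)


def evaluate(entries, src, dst):
    """First matching entry decides; nothing matching means implicit deny."""
    s, d = to_int(src), to_int(dst)
    for action, src_spec, dst_spec, line in entries:
        if matches(s, src_spec) and matches(d, dst_spec):
            return action, line
    return "deny", "(implicit deny)"


def audit(acl_text, number, expected):
    """Return the expectations the ACL fails: (src, dst, wanted, got, deciding line)."""
    entries = parse_acl(acl_text, number)
    failures = []
    for src, dst, want in expected:
        got, line = evaluate(entries, src, dst)
        if got != want:
            failures.append((src, dst, want, got, line))
    return failures


if __name__ == "__main__":
    for name, text in (("as described", ACL_125), ("with typo", ACL_125_TYPO)):
        print(name, audit(text, 125, EXPECTED) or "all expectations met")
```

Running the same expectations against a candidate ACL before it is bound to an interface catches an address typo that the router itself accepts without complaint.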
XSR(config-if)#di pool 1
+ Specifies the dial pool from which calls originate
XSR(config-if)#no shutdown
+ Enables the dial interface
Configure SNMP
ACL 26 is created to permit SNMP traffic from host 192.168.2.32. Stricter ACLs can be written if tighter security controls are required.
XSR(config)#access-list 26 permit host 192.168.2.
VPN Site-to-Site Sample Configuration
Generate Master Encryption Key
If you have not already generated a master encryption key, you should do so now to configure the VPN. A master key need only be generated once.
Caution: The master encryption key is stored in hardware, not Flash, and you cannot read the key - only overwrite the old key by writing a new one. To ensure router security, it is critical not to compromise the key.
Create a Transform Set
The following transform-set specifies the encryption/data integrity choices, 768-bit Diffie-Hellman, and an SA lifetime expressed in kilobytes. The SA seconds lifetime value is disabled. Some commands are abbreviated.
XSR(config)#interface vpn 57 multi-point
XSR(config-int-vpn)#ip address 192.168.2.1 255.255.255.0
XSR(config)#router rip
XSR(config-router)#network 112.16.10.0
XSR(config-router)#passive-interface fastethernet 2
XSR(config-router)#no receive-interface fastethernet 2
XSR(config-router)#distribute-list 1 out vpn 1
XSR(config)#ip route 0.0.0.0 0.0.0.0 112.16.244.9
XSR(config)#ip route 112.16.72.0 255.255.255.
XSR(config)#ip route
XSR(config)#ip route
VPN Sample Configuration with Network Extension Mode
Figure 3-6 VPN Topology with NEM, EZ-IPSec and Internet Access (FastEthernet 1: 172.16.10/24; FastEthernet 2: 26.26.26.10/24; Virtual IP Pool: 172.16.10.0/24; eth0: 10.11.11.1/24; eth1: 26.26.26.11/24)
Configure AAA authentication by assigning a virtual subnet to the DEFAULT AAA group, associate it with DNS and WINS servers, and add two AAA users with passwords. When a remote XSR tunnels into the local XSR, it will be assigned these DNS, WINS and PPTP values and be assigned dynamically to IP pool virtual_subnet.
XSR(config)#access-list 103 permit ip any 10.10.10.0 0.0.0.255
Create crypto maps for each ACL entry with the more protective tunnel mode set by default.
XSR Rebooting Characteristics
Creation date: Oct 19 2002, 12:39:02
Cold Start : SystemReset watchdog ChipReset from pwr
auto-booting...
Unpacking flash:XSR1800.FLS file
File chksum=0x0
SW image size=9543664 sum=0xb5b2 compressed_size=2916334 entry=0x10000
Diagnostics size=874252 sum=0x64b8 compressed_size=281490 entry=0x10000
Extracting Diagnostics at offset=0x2c8012 ...
Inflating 281490 bytes ...
Verifying uncompressed chksum ...
Starting at 0x10000...
Attaching interface lo0...
Creation date: Oct 19 2002, 12:39:02
Cold Start : SystemReset from power up
auto-booting...
Unpacking flash:XSR1800.FLS file
File chksum=0x0
SW image size=9543664 sum=0xb5b2 compressed_size=2916334 entry=0x10000
Diagnostics size=874252 sum=0x64b8 compressed_size=281490 entry=0x10000
Extracting System Image at offset=0x24 ...
Inflating 2916334 bytes ...
Verifying uncompressed chksum ...
Starting at 0x10000...
Attached TCP/IP interface to Eth unit 1
Attaching interface lo0...
Power-Up Reboot
If you power cycle the XSR by flipping the switch on the back panel, the XSR will cold reboot. The startup-config file stored in Flash becomes the running configuration.
Reload Command from the CLI
You can reboot the XSR firmware by issuing the command reload. You are then prompted to confirm the command. Once the firmware is reloaded, the configuration is loaded from the startup-config file.
Bootrom Monitor Mode Commands
s    Status
t    Time and Date
D    For Development Only
All the commands in each group can be listed by entering the command group letter.
Updating bootrom with file, "cflash:bootrom1_18.fls".
Proceed with erasing current Bootrom in flash and replace with cflash:bootrom2_02.
df
This command shows free disk space. Sample output is shown as follows:
XSR-1800: df
Free space on flash: is 3383296 bytes (0x33a000).
del
This command removes a file from flash: or cflash: memory.
dir
This command lists the contents of the current directory in long format.
Formatting flashrom file system ...................................................... Done.
Set working directory to flash:
Using default Bootrom password. The system is not secure!!!
Use “bp” to change password
ffc
This command formats the CompactFlash card.
ng
This command retrieves a file over the network using a remote IP address/file path.
np
This command modifies network parameters. You are prompted to enter data by the following script.
remove
This command removes a file using the syntax remove
rename
This command renames a file using the syntax rename
sb
This command displays boot values. Sample output is shown as follows:
XSR-1800: sb
Current boot file is xsr1800.fls
Boot selector default is flashrom, compactFlash, network
Available Network boot devices: Eth1
sf
This command shows a fault report.
sn
This command shows network values with the following sample output:
XSR-1800: sn
Local IP address : 10.120.112.33
Gateway IP address : 10.120.112.
Remote IP address :
Remote file path :
Transfer Protocol :
Local target name :
Autoboot :
Quick boot :
A Specifications
System Specifications
This appendix details XSR data about hardware functionality including:
• Processor, system memory, chassis, power supply, interfaces
• Required cabling, CompactFlash and other accessories
• Pinout assignments for WAN and LAN interfaces
• LED behavior
Refer to tables throughout this appendix for specific information.
Table A-1 XSR Hardware Specifications (continued) Category Redundant Power System & Power Chassis I/O Interfaces Parameters Dimensions Power System: 5” long by 4” wide by 1.4” high Power Chassis: 1.72” high (1U) by 19” wide by 11” deep Weight Power System: 1.75 lbs Power Chassis: 8.5 lbs AC Input Voltage/Freq. 90 - 264 VAC (47-63 Hz) [same for internal power supply] Power Consumption Total power: (100 - -240~ Volts) 25 Watts +5.1V DC output 7A maximum, 35.
Cable, CompactFlash and Accessory Specifications
Refer to the following table for specifications of cables, CompactFlash and accessories for the XSR. This equipment can all be obtained separately from Enterasys Networks or through any computer supply retailer.
Table A-2 XSR Cabling/Accessory Guide
Part Description | Connector | Part # | Function
6’ DB-9 null modem cable | DB-9, male | N/A from Enterasys | Console link to serial line
Table A-2 XSR Cabling/Accessory Guide (continued)
Part Description | Connector | Part # | Function
Auxiliary Flash RAM: 1.4”L x 1.
Console Port
The XSR comes equipped with a serial port useful for initial configuration. Using a serial (null modem) cable, you can attach the router’s DB-9 Console port to a data terminal port and directly configure the XSR over the asynchronous connection. Then, open a Microsoft HyperTerminal or Telnet session to communicate with the router.
Ethernet Ports
The XSR comes equipped with two Ethernet (LAN) 10/100Base-T ports that support full-duplex 10 or 100 Mbps transmission. Both ports conform to IEEE 802.3 standards with 8-pin modular RJ45 connectors. A cross-over cable is used to connect the XSR directly to a PC or uplink port while a straight-through cable is used to attach the router to a hub or switch. Refer to Figure A-2 for pinout assignments.
Copper/Fiber-optic Ethernet NIMs
The single-port Copper or Fiber-optic Ethernet NIMs, shown in Figure A-3 and Figure A-4, provide interfaces for half and full-duplex 10/100Base-T or fiber-optic 100Base-F transmission over LAN or WAN networks, respectively. The Copper Ethernet NIM incorporates a standard 8-pin modular RJ-45 connector and the Fiber-optic Ethernet NIM has an MT-RJ multi-mode interface. Both NIMs conform to IEEE 802.3 and PCI 2.2 standards.
2/4-Port Serial NIM Card Port
The High Speed Serial NIM card, as shown in Figure A-6, provides a WAN connection to four different types of DTEs: DB-15, 25, 37, and V.35. This interface can support dual and quad traffic up to 8 Mbps.
[Figure A-6: High Speed Serial NIM Port (68-pin Serial, Pin 1 to Pin 68)]
Refer to Figure A-7 through Figure A-11 for pinout assignments.
[Figure A-7: X.21 DTE Pin Assignments (J1 pinout diagram)]
[Figure A-8: EIA-232/530 DTE Pin Assignments (J1 to J2 and J3 pinout diagram; signals include DSR, RxD, TxD, RTS, DTR, CTS, TxC, RxC, Signal GND, Shield GND)]
[Figure A-9: EIA-449 DTE Pin Assignments (J1 to J2 pinout diagram; signals include ON, RD, SD, RS, TR, CS, ST, RT, Shield GND). Notes: Indicates Twisted Pair. Shield GND is braid on braided cable. Shield GND is drain wire on foil shield cab]
[Figure A-10: Combined V.35/EIA-232/530 DTE Pin Assignments (J1 to J2 pinout diagram; PORT 3 (EIA-232/530), PORT 2 (V.]
[Figure A-11: V. (J1 pinout diagram)]
T1/E1/ISDN PRI NIM Card Ports
The T1/E1/ISDN PRI NIM, as shown in Figure A-12, comes equipped with either 1, 2 or 4 Ethernet (WAN) ports that support fractional T1/E1 transmission in full-channel, fractional or unchannelized format with 8-pin modular RJ-48C connectors and include a built-in DSU/CSU. Cables required for these ports must be 100-ohm, straight-through, twisted-pair for T1 lines and a 120-ohm version for E1 lines.
Balun for E1 or PRI NIM Cards
Some overseas electrical systems require that you use a balun and grounding shunt when utilizing an E1 or PRI NIM card on the XSR. A balun is an adapter employed to connect a 75-ohm coaxial cable pair (2 BNC connectors) to a 120-ohm twisted pair cable (RJ-48C connector). The balun and its connectors are illustrated in Figure A-14. The grounding shunt is also required to ground unused pins of the RJ-48C connector.
Grounding Shunt for E1 NIM Cards
If you connect a balun to a 75-ohm line, you will also need to attach a grounding shunt (or terminal strip) to any NIM pins whose RJ-48C connectors utilize the balun. The XSR requires that you use a shunt (shown in Figure A-15), or terminal strip to ground pins 3 and 6 of the RJ-48C interface, which are not needed to complete the connection.
T3/E3 NIM Card
The T3/E3 full and sub-rate NIM, as shown in Figure A-17, is equipped with 1 Ethernet (WAN) port that supports fractional T3/E3 transmission in un-channelized or clear channel mode with BNC connectors. User data are encapsulated in HDLC packets before being sent to the line.
[Figure A-17: 1-Port T3/E3 NIM Card (labels: Tx, Rx, ALARM, LOS, LOF, ENABLE)]
Cables required for this NIM must be 75-ohm, DS3 Type 734 or 735 coaxial.
1/2-Port ISDN BRI-S/T NIM Card Ports
The XSR offers a serial NIM card for 1 or 2 WAN interfaces over an ISDN BRI-S/T line, as shown in Figure A-18. The Port 0 and 1 LEDs shine when the lines are active and ready to receive traffic. See Figure A-19 for pinout assignments.
Termination Shunt for the ISDN BRI-S/T NIM Card
ISDN BRI-S/T terminal equipment devices may be connected at random points of the cable in point-to-point or point-to-multipoint configurations. Line termination resistors must be provided at both ends of the transmit/receive lines only. The XSR’s BRI NIM card provides an option to terminate receive as well as transmit lines using 100 Ohm resistors.
1/2-Port BRI-U NIM Card Ports
The XSR provides a serial NIM card for 1 or 2 WAN interfaces over an ISDN BRI-U line, as shown in Figure A-21. The Port 0 and 1 LEDs shine when the lines are active and ready to receive traffic.
[Figure A-21: ISDN BRI-U NIM Card (RJ-49C ports shown), with Port 0 Activation LED and Port 1 Activation LED]
Refer to Figure A-22 for pinout assignments.
1-Port ADSL NIM Card Port
The XSR’s Asymmetric Digital Subscriber Line (ADSL) NIM card, as shown in Figure A-23, provides 1 WAN port on an ADSL over POTS (Annex A/C) or ISDN (Annex B) line with a 6-pin RJ-11 connector. The ADSL NIM supports both G.dmt and G.lite standards. ADSL NIMs are shipped with a CompactFlash card containing DSP firmware. This driver software copies the Flash file into host memory where it provides on-demand use by the DSP.
T1/E1 Drop & Insert (D&I) NIM
The XSR’s 2-port T1/E1 D&I NIM card, as shown in Figure A-25, is designed as an intermediary between the Central Office T1/E1 line and a PBX. It de-couples Channel Associated Signaling (CAS) and Voice DS0 timeslots and redirects them to a PBX, and conversely, reintegrates Voice DS0 timeslots from the PBX with the T1/E1 data stream. Both ports are functionally equivalent.
XSR-1850 Redundant Power System
The optional XSR-1850 Redundant Power System, as shown in Figure A-27, is an external, supplemental power source. This 50-watt, AC to DC power supply is a redundant unit which is operated in parallel with the standard internal power supply, with which it shares power buses. The power system requires no configuration - it begins operating when all cables are connected.
Figure A-29 Passive Power Chassis DC Output Pinouts
Pin | Signal
1,2 | +5.1V
4 | -12V
5 | +12V
3,7 | COMMON
8 | (+) 5.1V sense
9 | (-) 5.1V sense
6 | N/C
For instructions on installing the Redundant Power System, refer to the Hardware Installation chapter on page 2‐1.
Table A-3 LED Description
LED | State | Function
POWER | ON | 3.3V power is present
SYS(tem Status) | ON/OFF | XSR is operational/malfunctioning due to hardware or bootrom problem
SYS(tem Status) | Blinking slowly | Flash update is in progress (software image downloading), warning you not to power down the XSR. Powering down now can leave the branch router without valid software.