X-Pedition™ Security Router XSR-1805 User’s Guide Version 5.
ELECTRICAL WARNING: Only qualified personnel should perform installation procedures.
Notice
Enterasys Networks reserves the right to make changes in specifications and other information contained in this document and its Web site without prior notice. The reader should in all cases consult Enterasys Networks to determine whether any such changes have been made. The hardware, firmware, or software described in this document is subject to change without notice.
A plug and jack used to connect the XSR to the premises wiring and telephone network must comply with the applicable FCC Part 68 rules and requirements adopted by ACTA. Refer to the following table and installation instructions for details.
Product                              Product Identifier
NIM-T1/E1-xx, NIM-CT1E1/PRI-xx       US: 5N5DENANET1
NIM-BRI-U-xx                         US: 5N5DENANEBU
Industry Canada Notices
This digital apparatus does not exceed the Class A limits for radio noise emissions from digital apparatus set out in the Radio Interference Regulations of the Canadian Department of Communications.
(French notice, translated:) This digital apparatus does not emit radio noise exceeding the limits applicable to Class A digital apparatus prescribed in the Radio Interference Regulations issued by the Canadian Department of Communications.
VCCI Notice
This is a class A product based on the standard of the Voluntary Control Council for Interference by Information Technology Equipment (VCCI) V-3. If the XSR is used in a domestic environment, radio disturbance may arise. When such trouble occurs, you may be required to take corrective actions.
VPN Consortium Interoperability
The VPN Consortium's (VPNC) testing program is an important source for certification of conformance to IPSec standards.
Australian Telecom N826
WARNING: Do not install phone line connections during an electrical storm.
WARNING: Do not connect phone line until the interface has been configured through local management. The service provider may shut off service if an un-configured interface is connected to the phone lines.
WARNING: The NIM-BRI-ST cannot be connected directly to outside lines. An approved channel service unit (CSU) must be used for connection to the ISDN network.
(i) Reverse engineer, decompile, disassemble or modify the Program, in whole or in part, including for reasons of error correction or interoperability, except to the extent expressly permitted by applicable law and to the extent the parties shall not be permitted by that applicable law, such rights are expressly excluded. Information necessary to achieve interoperability or correct errors is available from Enterasys upon request and upon payment of Enterasys’ applicable fee.
6) DISCLAIMER OF WARRANTY. EXCEPT FOR THOSE WARRANTIES EXPRESSLY PROVIDED TO YOU IN WRITING BY ENTERASYS, ENTERASYS DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO IMPLIED WARRANTIES OF MERCHANTABILITY, SATISFACTORY QUALITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE AND NON-INFRINGEMENT WITH RESPECT TO THE PROGRAM.
12) WAIVER. A waiver by Enterasys of a breach of any of the terms and conditions of this Agreement must be in writing and will not be construed as a waiver of any subsequent breach of such term or condition. Enterasys’ failure to enforce a term upon Your breach of such term shall not be construed as a waiver of Your breach or prevent enforcement on any other occasion. 13) SEVERABILITY.
Table of Contents

About This Guide
  Contents of the Guide ... xxxi
  Conventions Used in This Guide ... xxxiii
  Getting Help
  Supported Physical Interfaces ... 16
  Supported Virtual Interfaces ... 16
  Supported Ports ... 17
  Numbering XSR Slots, Cards, and Ports ... 17
  Setting Port Configuration Mode
  Using the Default Button ... 28
  Configuration Save Options ... 28
  Using File System Commands ... 29
  Bulk Configuration Management ... 29
  Downloading the Configuration
  Statistics ... 43
  Alarm Management (Traps) ... 43
  Software Image Download ... 44
  Using SNMP Download with Auto-Reboot Option
  T1/E1 Error Events Analysis ... 60
  Slip Seconds Counter Increasing ... 61
  Framing Loss Seconds Increasing ... 61
  Line Code Violations Increasing ... 61
Chapter 5 – Configuring IP
  Overview
  Unnumbered Interface & Secondary IP ... 74
  NAT & Secondary IP ... 74
  DHCP & Secondary IP ... 74
  VPN & Secondary IP ... 74
  VRRP & Secondary IP
  Multiple VRs Per Router ... 90
  Authentication ... 90
  Load Balancing ... 90
  ARP Process on a VRRP Router ... 91
  Host ARP
  Link Control Protocol (LCP) ... 104
  Network Control Protocol (NCP) ... 105
  Authentication ... 105
  Password Authentication Protocol (PAP)
  Virtual Circuits ... 121
  DLCIs ... 121
  DTEs ... 123
  DCEs
  Asynchronous and Synchronous Support ... 138
  AT Commands on Asynchronous Ports ... 139
  V.25bis over Synchronous Interfaces ... 139
  DTR Dialing for Synchronous Interfaces ... 140
  Time of Day feature
  Dial Backup Features ... 152
  Sequence of Backup Events ... 152
  Link Failure Backup Example ... 154
  Configuring a Dialed Backup Line
  Dial-in Router Example ... 172
  MLPPP Point-to-Multipoint Configuration ... 173
  Node A (Calling Node) Configuration ... 173
  Node B (Called Node) Configuration ... 174
  MLPPP Point-to-Point Configurations
Chapter 9 – Configuring Integrated Services Digital Network (ISDN)
  ISDN Features ... 191
  BRI Features ... 192
  PRI Features ... 192
  Understanding ISDN
  ISDN (ITU Standard Q.931) Call Status Cause Codes ... 207
Chapter 10 – Configuring Quality of Service
  Overview ... 213
  Features ... 214
  Mechanisms to Provide QoS
  How a Virtual Private Network Works ... 233
  Ensuring VPN Security with IPSec/IKE ... 234
  Defining VPN Encryption ... 236
  Describing Public-Key Infrastructure (PKI) ... 237
  Digital Signatures
  Client ... 255
  Configuring OSPF with Fail Over ... 256
  Server 1 ... 256
  Server 2
  EZ-IPSec Configuration ... 279
  Configuration Examples ... 281
  XSR with VPN - Central Gateway ... 281
  XSR/Cisco Site-to-Site Example
  Configuring DHCP Address Pools ... 308
  Configuring DHCP - Network Configuration Parameters ... 308
  Configuration Steps ... 309
  Create an IP Local Client Pool ... 309
  Create a Corresponding DHCP Pool
  Fragmented ICMP Traffic ... 318
  Large ICMP Packets ... 318
  Ping of Death Attack ... 318
  Spurious State Transition
Appendix A – Alarms/Events and System Limits
  System Limits ... 359
  Alarms and Events ... 362
  Firewall and NAT Alarms and Reports
About This Guide
This guide provides a general overview of the XSR hardware and software features. It describes how to configure and maintain the router. Refer to the XSR CLI Reference Guide and the XSR Getting Started Guide for information not contained in this document. This guide is written for administrators who want to configure the XSR or experienced users who are knowledgeable of basic networking principles.
Contents of the Guide
Chapter 10, Configuring Quality of Service, describes XSR support for QoS, including Random Early Detection, tail-drop, DSCP, IP precedence, traffic policing, priority and CBWFQ queuing. Chapter 11, Configuring the Virtual Private Network, outlines XSR support for Site-to-Site, Site-to-Central-Site, and Remote Access VPN applications.
Conventions Used in This Guide
The following conventions are used in this guide:
NOTE: Notes supply additional helpful information, provide a cross-reference to the source of more information, or emphasize issues you should consider when performing an action.
CAUTION: Cautions contain directions that can prevent you from damaging the product or losing data.
Getting Help
For additional support related to the XSR, contact Enterasys Networks using one of the following methods:
World Wide Web: http://www.enterasys.com
Phone: (978) 684-1000, 1-800-872-8440 (toll-free in U.S. and Canada)
For the Enterasys Networks Support toll-free number in your country: http://www.enterasys.com/support/gtac-all.html
Internet mail: support@enterasys.com
FTP: ftp://ftp.enterasys.
1 Overview
This chapter briefly describes the functionality of the XSR. Refer to the following chapters in this manual for details on how to configure this functionality and the XSR CLI Reference Guide for a description of associated CLI commands and examples.
Serial Interface - The XSR’s NIM serial interface typically supports protocols such as PPP. The serial interface provides both asynchronous and synchronous protocol support.
PPP (WAN) - The Point-to-Point Protocol (PPP) provides a standard method for transporting multi-protocol datagrams over point-to-point links.
Quality of Service - The XSR provides traffic classification using IP Precedence and DSCP bits, bandwidth control via metered, policed and prioritized traffic queues, and queue management utilizing Drop Tail and Random Early Detection (RED).
Virtual Private Network - The XSR supports VPN tunnels using L2TP, PPP or IPSec, protected by DES, 3DES or RC4 encryption and MD5 or SHA-1 authentication.
2 Managing the XSR
The XSR can be managed via three interfaces with varying levels of control: the Command Line Interface (CLI) for full configuration, performance and fault management; the Simple Network Management Protocol (SNMP) for remote monitoring and firmware upgrades; and the Web for gathering version information.
Utilizing the Command Line Interface
The Command Line Interface (CLI) is a widely used tool to access and control configurable parameters of the XSR.
CAUTION: When you enable the Console port as a WAN port, you can no longer directly connect to it because it is in data communication mode. Your only access to the CLI will be to Telnet/SSH to an IP address of a configured port. Also, if startup-config does not set up any of the ports properly and sets up the Console port as a serial port, you will no longer be able to log in and will have to press the Default button to erase the configuration.
That is, if the first four sessions are regular users, the fifth session will allow only the administrator to log in. But if one of the first four is logged in as administrator, then the fifth session can be any user. You can also Telnet from the XSR to a server by using the telnet ip_address command. It is a useful utility for diagnostics. Be aware that the router will try to make a Telnet connection for 70 seconds.
Accessing the Initial Prompt
The CLI is password protected. Before you can access EXEC mode, you must enter a valid password. This mode lets you test basic connectivity of the XSR but does not permit you to change or monitor the router’s configuration. Access to enhanced commands is permitted only if you enter Privileged EXEC mode by entering enable. You can log out at any time by entering exit while in EXEC mode.
Command Abbreviation: You can abbreviate commands and keywords to the minimum number of characters that define a unique abbreviation. For example, you can abbreviate the hostname command to hostn (but you cannot abbreviate to hos because other commands also start with the letters hos).
Output Display: By default, output data are displayed one page at a time if the data occupies more than one page.
CLI Terminal Editing Command Keys: Refer to the following table for these useful shortcuts.
Setting CLI Configuration Modes
The CLI provides modes of operation permitting a subset of commands to be issued from each mode. Also, you can issue any command and acquire any mode if the command entered or mode acquired subscribes to the same parent. For example, you can issue the interface serial command at Crypto Map mode because both Serial Interface and Crypto Map modes subscribe to Global (config) mode.
Figure 1 Sample Configuration Mode Tree (illustration not reproduced; it shows the mode hierarchy: Login, EXEC, enable, Privileged EXEC (show commands 5), configure, Global Configuration (4), and beneath it Controller mode (cont-parameter; Config-Controller, T1/E1), Interface mode (if-type num1; Config-if 3) and Router mode (router-parameter 2; Config-Router).)
The footnotes below refer to command options cited in the illustration.
User EXEC Mode
You enter User EXEC (or simply EXEC) mode after logging in. The following sample commands can be entered in EXEC mode:
enable
ping
Privileged EXEC Mode
In order to make changes to the configuration, you must enter PRIV EXEC mode. Some configuration parameters specified in this mode apply to XSR global settings such as the system clock.
Exiting From the Current Mode
Each of these commands exits from your mode but with different results:
Exit: In each mode, exit quits from the current to the previous mode.
End: end always returns to Privileged EXEC from either Global or sub-configuration mode.
Ctrl-Z: Same as the end command.
Be aware that you need not always exit from a mode if your current and destination modes subscribe to the same parent in the mode tree.
Table 4 CLI Syntax
Convention        Description
[x {y | z}]       Combination of square brackets with braces and vertical bars indicates a required choice of an optional parameter
(config-if) xx    xx signifies the interface type; e.g., F1, G3, S2/1.0, D1, L0, BRI, PRI (T1/E1), VPN, etc.
Describing Ports and Interfaces
This section describes ports and interfaces, the rules for port identification, and the association of port with interface. Technically speaking, a port is a physical connector with some physical layer values. XSR ports are: FastEthernet or GigabitEthernet, async and sync serial, and T1/E1. An interface is a data and management plane comprising the physical, link, and some part of the network layer.
X.25 PVC/SVCs forming a sub-interface and one or more VCs of ATM forming a sub-interface. This interface shares its physical layer functionality with other sub-interfaces, but each sub-interface has its own layer-2 (PPP or Frame Relay) and IP layer functionality.
Setting Port Configuration Mode
The configuration mode setting for ports on the XSR is as follows:
Single-channel ports are configured in Interface configuration mode.
Multi-channel ports are configured in Controller configuration mode. A physical layer data stream is identified by channel using the controller command, and this channel group is then configured using the interface command.
T1-PRI (ISDN) Example
controller t1 1/0/0                + Begins configuring PRI NIM card 1, port 0
pri-group                          + Enables ISDN, sets all timeslots to map to channel groups on NIM
controller t1 1/0/0:23             + Maps T1 NIM to D-channel sub-interface
isdn switch-type primary-ni        + Selects switch type
isdn pool-member 1 priority 100    + Adds a prioritized pool member to sub-interface
Dialer Example
interface dialer 4                 + Begins configuring dialer interface 4
ip addre
channel-group 0 timeslots 1-10 speed 64
channel-group 1 timeslots 11-20 speed 64
the following interfaces are added:
interface serial 1/0:0
interface serial 1/0:1
You can delete those controller interfaces only by removing the channel groups which automatically created them by entering:
no channel-group 0    + This automatically deletes Serial port 1/0:0
no channel-group 1    + This automatically deletes Serial port 1/0:1
To delete controller p
Switched: When configuring a switched BRI connection, three serial sub-interfaces are automatically created when you enter:
interface bri 2/1
isdn switch-type basic-ni1
The following sub-interfaces are added:
interface serial 2/1:0
interface serial 2/1:1
interface serial 2/1:2
These serial sub-interfaces are removed with the no isdn switch-type command as follows:
interface bri 2/1
no isdn switch-type    + This deletes serial ports 2/1:0, 2/1
where arp is the command and type of table to be filled or modified, and 1.1.1.1 is the IP address corresponding to the MAC address e45e.ffe5.ffee.
NOTE: ARP is a table type, as well as a command, that fills or modifies entries in the ARP table.
first creates an arp entry of 1.1.1.1 associated with MAC address e45e.ffe5.efef. Then, this entry is modified to be associated with the new MAC address e45e.ffe5.3434.
Displaying Table Entries
You can display the ARP table, access-list table, gateway-type prefix table, IP routing table, and others at privileged EXEC mode.
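The behaviour described in the port configuration and ARP sections above (channel groups and BRI switch types implicitly creating serial sub-interfaces, no channel-group / no isdn switch-type removing them, and a second arp command for the same address overwriting the first) is exactly what a configuration-audit tool has to reproduce when it reads a startup-config offline. The following is an added example, not Enterasys code or any XSR component: a small Python model that replays the command forms quoted in this chapter and reports which interfaces and ARP entries result. The class and function names (XsrConfigModel, replay), the regular expressions and the sample scripts are all constructed for this example; commands the model does not recognise (for example pri-group) are recorded rather than silently ignored.

```python
# Added example (not Enterasys code): a model of how the XSR-style
# controller/channel-group, BRI isdn switch-type and arp commands quoted in
# this chapter change router state.  Only those command forms are recognised;
# everything else is recorded as unhandled so an auditor can see it.
import re

CHANNEL_GROUP_RE = re.compile(r"(no )?channel-group (\d+)(?: timeslots \S+)?(?: speed \d+)?")
SWITCH_TYPE_RE = re.compile(r"(no )?isdn switch-type(?: \S+)?")
ARP_RE = re.compile(r"arp (\d{1,3}(?:\.\d{1,3}){3}) ([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})")


class XsrConfigModel:
    """Tracks implicitly created serial sub-interfaces and static ARP entries."""

    def __init__(self):
        self.interfaces = set()   # auto-created 'serial slot/port:n' names
        self.arp = {}             # ip -> mac; the last arp command for an IP wins
        self.context = None       # ('controller', '1/0'), ('bri', '2/1') or None
        self.unhandled = []       # commands this model does not understand
        self.warnings = []        # commands issued outside the mode that accepts them

    def apply(self, raw):
        line = raw.strip()
        if not line or line.startswith("!"):      # blank line or '!' comment
            return
        m = re.fullmatch(r"controller (?:t1|e1) (\S+)", line)
        if m:                                      # enter Controller configuration mode
            self.context = ("controller", m.group(1))
            return
        m = re.fullmatch(r"interface bri (\S+)", line)
        if m:                                      # enter BRI Interface configuration mode
            self.context = ("bri", m.group(1))
            return
        m = CHANNEL_GROUP_RE.fullmatch(line)
        if m:
            if not self.context or self.context[0] != "controller":
                self.warnings.append(f"channel-group outside controller mode: {line}")
                return
            name = f"serial {self.context[1]}:{m.group(2)}"
            if m.group(1):                         # 'no channel-group N' deletes serial X/Y:N
                self.interfaces.discard(name)
            else:                                  # 'channel-group N ...' creates serial X/Y:N
                self.interfaces.add(name)
            return
        m = SWITCH_TYPE_RE.fullmatch(line)
        if m:
            if not self.context or self.context[0] != "bri":
                self.warnings.append(f"isdn switch-type outside BRI interface mode: {line}")
                return
            names = {f"serial {self.context[1]}:{n}" for n in range(3)}   # :0, :1, :2
            if m.group(1):
                self.interfaces -= names
            else:
                self.interfaces |= names
            return
        m = ARP_RE.fullmatch(line)
        if m:
            self.arp[m.group(1)] = m.group(2)      # repeated arp for the same IP overwrites
            return
        self.unhandled.append(line)


def replay(config_text):
    """Feed a configuration script line by line and return the resulting model."""
    model = XsrConfigModel()
    for raw in config_text.splitlines():
        model.apply(raw)
    return model


# Constructed sample script using the command forms quoted in this chapter.
SAMPLE_CONFIG = """\
! constructed sample, not a real XSR configuration
controller t1 1/0
 channel-group 0 timeslots 1-10 speed 64
 channel-group 1 timeslots 11-20 speed 64
interface bri 2/1
 isdn switch-type basic-ni1
arp 1.1.1.1 e45e.ffe5.efef
arp 1.1.1.1 e45e.ffe5.3434
"""

# Constructed teardown: removing the channel group and the switch type must
# also remove the sub-interfaces they implicitly created.
TEARDOWN = """\
controller t1 1/0
 no channel-group 0
interface bri 2/1
 no isdn switch-type
"""

if __name__ == "__main__":
    model = replay(SAMPLE_CONFIG)
    print("auto-created:", sorted(model.interfaces))
    print("arp table:", model.arp)
    after = replay(SAMPLE_CONFIG + TEARDOWN)
    print("after teardown:", sorted(after.interfaces))
```

Replaying the sample script yields serial 1/0:0, 1/0:1 and 2/1:0 through 2/1:2, with 1.1.1.1 bound to the later MAC address; replaying the teardown afterwards leaves only serial 1/0:1. The point of keeping the unhandled and warnings lists is that anything the model cannot account for is surfaced to the reviewer rather than dropped.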
Disabling an Interface
An interface can be administratively disabled with the shutdown command:
XSR(config-if)#shutdown    + Disables interface
Configuring an Interface
You can configure an interface only after invoking Interface configuration mode. Each interface can be configured with a set of interface-specific commands. If you are unsure which commands are available, type ? to list them for the particular port.
Managing Message Logs
Messages produced by the XSR, whether alarms or events, as well as link state changes for critical ports and a management authentication log, can be routed to various destinations with the logging command. By issuing the no logging command, you can block messages to a site while permitting transmission to others.
Performing Fault Management
When a software problem causes the XSR’s processor to fail, the system captures pertinent data, produces a Fault Report, and restarts the router automatically. The Fault Report is useful in diagnosing the problem. The router can store one Fault Report, retaining the first Fault Report in case of multiple failures.
Managing the System Configuration
The XSR’s system configuration consists of three discrete types which are described below. The configuration can also be reset to default settings, saved, and uploaded or downloaded in bulk fashion.
Factory Default Configuration: These system parameters are set at the factory.
Using the Default Button
You can also boot up from the factory default configuration by pressing the Default button on the rear panel, shown in Figure 3. Doing so will erase the content of the startup configuration in Flash memory.
If you want to convert your startup configuration into the running configuration, you can issue the reload command, which reboots the XSR and reloads the startup configuration. If you want to save the startup configuration to a remote site using a TFTP server, issue the copy startup-config tftp: command. See the associated command below.
Downloading the Configuration
Downloading transfers a script file remotely from a server to the XSR’s startup configuration using TFTP, or locally from cflash:. The ASCII-format script can include comments delineated by an exclamation mark. To perform the task correctly, the TFTP server must be running on a remote device with the configuration file residing in the TFTP root directory of the server.
Creating Alternate Configuration Files
The XSR permits you to create multiple configurations, a useful option if you want to quickly select one of two configuration files stored in flash: or cflash:, for example startup-config and startup-configB. The file named startup-config is used by the autoboot process. You can use any file name for the alternate configuration.
BootRom Upgrade Choices
There are two methods available to upgrade your Bootrom. If you use the Bootrom Update Utility, you will need the updateBootrom.fls and bootromX_xx.fls files. For more information on how to use these files to perform your Bootrom upgrade, refer to the Using the Bootrom Update Utility section. If you do not use the Bootrom Update Utility, you must perform a two-step procedure to upgrade from 1.xx to 2.
Using the Bootrom Update Utility
The Bootrom update utility upgrades the boot flash sectors of the on-board Flash memory. This update tool functions similarly to the bU command but can also be executed from a Telnet session, allowing Bootrom updates to be performed remotely. The utility runs as a standalone program and can recognize both old (1.x) and new (2.01) versions of the Bootrom file format.
Copy 'tftpDir/bootrom2_01.fls' from server as 'bootrom.fls' into Flash(y/n) ? y
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Download from server done
File size: 820136 bytes
4 Using TFTP, transfer updateBootrom.fls from the network:
XSR-1805#copy tftp://192.168.27.95/C:/tftpDir/updateBootrom.fls flash:updateBootrom.fls
Copy 'tftpDir/updateBootrom.fls' from server as 'updateBootrom.
XSR-1805#more boot-config
updateBootrom.fls
XSR-1805#more restore-boot-config
xsr1800.fls
8 This is a critical step and all previous steps must be completed accurately before proceeding. Reload and wait a couple of minutes. You will lose your Telnet session as the system reboots. The XSR will run updateBootrom.fls and update the Bootrom into the boot flash sectors.
In summary, when upgrading 1.x to 2.x Bootrom versions only, you must run the bU command twice: first with the bootrom_uncmp.fls file, then with the upgraded Bootrom. Between upgrades you must reboot using bw.
To upgrade your firmware using the Local Bootrom Upgrade, perform the following steps:
1 Power on the XSR by flipping the rear switch and observe the front LEDs.
6 Verify the network boot values using the sn command. For example:
XSR: sn
Local IP address : 192.168.1.1
Remote IP address : 192.168.1.
Programming 131072(0x20000) bytes at address 0xfff20000
Programming 131072(0x20000) bytes at address 0xfff40000
Programming 48299(0xbcab) bytes at address 0xfff60000
Verifying Bootrom flash sectors
Locking 3 Bootrom flash sectors
Second copy of Bootrom ...
without valid software in flash: and should not be reloaded or powered down until a new image is downloaded. Also, the CLI session which initiated the copy command is blocked during a TFTP download, with a character repeatedly shown on screen to indicate a file transfer in progress.
Network Management through SNMP
XSR system monitoring provides for the SNMP v1 agent (READ-ONLY) including gets and limited sets, and SNMP v3 gets and sets. Standard MIB II modules are supported as well as Enterasys MIBs, as listed in the following table. Proprietary MIBs are available via download at: http://www.enterasys.
Variables to be configured include: community name, traps, and host. SNMP v3 support includes options to specify an engineID, security values for users and groups, and associated show commands. Also, the snmp-server view command is an especially powerful tool to display SNMP objects either via their SNMP term or numerical ID. SNMP v3 data is stored in the privateconfig file in Flash.
Accessing the XSR Through the Web
The XSR can be accessed via a browser, but this provides only a cursory display of hardware configuration data for diagnosing the router over the Web. Because the Web server is disabled at boot-up, you must either manually enable the Web server using the CLI, or enable it in startup-config. The default Web server port is 80. Access to the XSR through the Web is not password protected.
Network Management Tools
Using SNMP for Downloads
You can use an SNMP manager to download or upload firmware from a remote server, and copy a configuration image file to the XSR. Only runtime/online mode downloads are supported. This requires setting the ctDLNetAddress and ctDLFileName objects and issuing a ctDLOnLineDownLoad defined in the CTRON-DOWNLOAD-MIB. For more details refer to the following URL: http://www.enterasys.
Software Image Download

The NetSight Remote Administrator application can download an image to the XSR using TFTP. The software image download is initiated through NetSight using an SNMP set command, which triggers a TFTP download session initiated from the XSR.

NOTE The XSR does not support an off-line download triggered by SNMP. That is, when you use NetSight to download an image, a dialog box pops up with a check box titled Online download.
3 Managing LAN/WAN Interfaces

Overview of LAN Interfaces

The XSR supports two 10/100 Base-T FastEthernet ports on the XSR 1800 Series branch routers and three 10/100/1000 Base-T GigabitEthernet ports on the XSR 3000 Series regional routers. All ports are capable of running in half- and full-duplex modes, and are ANSI/IEEE 802.3 and ANSI/IEEE 802.3u compliant. These ports connect to an Ethernet network for LAN connectivity.
Configuring the LAN

Packet filtering - the interface will receive:
– All broadcast packets
– All multicast packets
– Unicast packets which have the MAC address of the device

Maximum Receive Unit (MRU) - all frames less than or equal to 1518 bytes are accepted, including the 4-byte FCS. Oversized packets greater than 1518 bytes are not accepted. Runt packets of 64 bytes or less are not accepted.
MIB Statistics

The following table reflects MIB-II (RFC-1213) port statistics collected by a LAN interface.

Table 6 MIB-II Interface Statistics

Variable   Description
IfDescr    Description of the interface.
IfType     Type of the interface (set once, and never changed).
IfMtu      Size of the largest packet that can be sent/received on the interface, specified in bytes.
Overview of WAN Interfaces

The XSR supports as many as six serial cards (in an XSR-3250), each of which can support four ports, for a maximum of 24 serial ports. Each port is individually configurable regarding speed, media type, and protocol. The Serial WAN interface performs the following functions:
– Transmits packets given by the protocol layer onto a serial link.
– Receives packets from a serial link and passes them up to the protocol layer.
– 7200 Kbps
– 9600 Kbps (default)
– 14400 Kbps
– 19200 Kbps
– 28800 Kbps
– 38400 Kbps
– 57600 Kbps
– 115200 Kbps

Statistics - all MIB-II interface statistics are supported. Clear commands such as clear counters serial and clear interface serial facilitate interface troubleshooting. Async mode commands such as databits, stopbits, and parity configure the serial line. The Maximum Receive Unit (MRU) is 1504 bytes (including CRC).
XSR(config-if)#no shutdown

The following example configures the asynchronous serial interface on NIM 2, port 0 with the following non-default values: PPP encapsulation, RS422 cabling, 57600 bps clock rate, MTU size of 1200 bytes, no parity, 7 databits and 2 stopbits. It also assigns the local IP address 192.168.1.1 to the interface.
4 Configuring T1/E1 Interfaces

Overview

The XSR provides a T1/E1 subsystem on a single NIM-based I/O card, with a maximum of two installed NIMs. Depending on the card type and series, each card can support 1, 2 or 4 T1 or E1 physical ports. You can select either T1, at a 1.544 Mbps interface rate per port, or E1, at a 2.048 Mbps interface rate per port.
– Line encoding - T1: AMI, B8ZS; E1: AMI, HDB3
– Data inversion
– Loopback tests - local, network line, network payload, inband FDL
– Alarm detection - all levels of alarm/event detection and signaling

T1/E1 Subsystem Configuration

Each T1/E1 physical port is represented as a T1 or E1 controller. This is valid for both full rate T1/E1 mode and fractional/channelized modes.
4 Specify the controller's line encoding type:
XSR(config-controller)#linecode b8zs
5 Specify a channel group and map timeslots to the channel group by entering the channel-group command.
XSR(config-controller)#channel-group 0 timeslots 1,3-5,8
The example specifies channel group 0 and maps timeslots 1, 3 through 5, and 8 to channel group 0.
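The timeslot syntax used by the channel-group command above ("1,3-5,8") is easy to mistype; the following added example (not XSR code) expands and validates such a list the way a configuration linter would, rejecting reversed ranges, duplicates, out-of-range DS0s and timeslots already mapped to another channel group on the same controller. It assumes the standard framing limits of 24 timeslots for T1 and 31 for E1.

```python
"""Validate the timeslot list given to an XSR channel-group command.

Added example, not code from the XSR or its documentation. The "1,3-5,8"
syntax is the one shown on the page; the bounds (T1 timeslots 1-24, E1
timeslots 1-31) are assumed from standard DS1/E1 framing.
"""

# Highest usable timeslot per controller type (assumption, see above).
MAX_TIMESLOT = {"t1": 24, "e1": 31}


def parse_timeslots(spec: str, line_type: str = "t1") -> list[int]:
    """Expand a spec such as "1,3-5,8" into a sorted list of timeslots.

    Rejects empty items, reversed ranges, duplicates and timeslots outside
    the range that is valid for the controller type.
    """
    if line_type not in MAX_TIMESLOT:
        raise ValueError(f"unknown controller type {line_type!r}")
    upper = MAX_TIMESLOT[line_type]
    seen: set[int] = set()
    for item in spec.split(","):
        item = item.strip()
        if not item:
            raise ValueError("empty item in timeslot list")
        if "-" in item:
            lo_s, hi_s = item.split("-", 1)
            lo, hi = int(lo_s), int(hi_s)   # int() rejects junk like "3-5-7"
            if lo > hi:
                raise ValueError(f"reversed range {item!r}")
            slots = range(lo, hi + 1)
        else:
            slots = [int(item)]
        for ts in slots:
            if not 1 <= ts <= upper:
                raise ValueError(f"timeslot {ts} outside 1-{upper} for {line_type}")
            if ts in seen:
                raise ValueError(f"timeslot {ts} listed twice")
            seen.add(ts)
    return sorted(seen)


def assign_channel_group(controller: dict[int, list[int]], group: int,
                         spec: str, line_type: str = "t1") -> list[int]:
    """Map `spec` to channel group `group` on `controller` (group -> timeslots).

    A DS0 can belong to only one channel group, so any timeslot already used
    by a different group on the same controller is refused.
    """
    slots = parse_timeslots(spec, line_type)
    for other, used in controller.items():
        clash = sorted(set(slots) & set(used))
        if clash and other != group:
            raise ValueError(f"timeslots {clash} already in channel-group {other}")
    controller[group] = slots
    return slots


if __name__ == "__main__":
    ctrl: dict[int, list[int]] = {}
    print(assign_channel_group(ctrl, 0, "1,3-5,8"))   # the page's own example
    print(assign_channel_group(ctrl, 1, "9-24"))      # remaining T1 timeslots
```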
Troubleshooting T1/E1 Links

This section describes general procedures for troubleshooting T1/E1 lines on the XSR. The following flow diagram shows the basic steps to perform.
As shown in Figure 4, three troubleshooting actions are defined:
– T1/E1 Physical Layer (Layer 1) troubleshooting (loss of signal/frame)
– T1/E1 Alarm Analysis
– T1/E1 Error Events Analysis

T1/E1 Physical Layer Troubleshooting

This section describes the techniques and procedures to troubleshoot T1/E1 Physical Layer problems. The troubleshooting flowchart below displays the procedures described in the following section.
When a T1/E1 controller (port) is created with an associated channel group, it can exist in three states:

Administratively down: If you do not enter the no shutdown command when you create the controller (port), or you enter the shutdown command for an already created controller (port), all associated channel groups on that controller (port) are created but are disabled.
Complete the following steps if the receiver has a loss of signal:
1 Ensure the cable between the interface port and the T1/E1 service provider equipment is connected correctly.
2 Check the cable integrity by looking for breaks or other physical abnormalities in the cable.
3 Check the cable connectors.

T1/E1 Alarm Analysis

Perform the following steps to troubleshoot the various alarms that can occur within the T1/E1 subsystem.
Receive Remote Alarm Indication (RAI - Yellow Alarm)
1 Insert an external loopback cable into the T1/E1 port.
2 Use the show controller command to check for alarms. To identify the type of alarm, analyze the log report of the XSR. If alarms are reported, contact your service provider.
3 Remove the external loopback cable and reconnect the T1/E1 line.
4 Check the cabling.
5 Power cycle the XSR.
Receive Remote Alarm Indication (Yellow alarm) - see Figure 5
Transmit Alarm Indication Signal (Blue alarm) - see Figure 5

Figure 5 (flowchart): Insert an external loopback cable in the port. Does the framing on the port match the line setting? If not, check the cabling and set the framing with: controller t1 x framing {SF | ESF}. Are there any alarms? If yes: check the settings on the remote end, check the cabling, power cycle the XSR, Contact y
T1/E1 Error Events Analysis

This section describes various error events that can occur on T1/E1 lines and provides troubleshooting information to fix some of these errors. The show controller command displays the status and statistics specific to the hardware. This information is useful for diagnostic tasks. All problems that can occur are captured by the underlying hardware and reported in the show controller output.
NOTE Statistics displayed with the show controllers command are reset every 24 hours. That is, once the port or line is created with the controller command, the 24-hour timer starts.

Slip Seconds Counter Increasing

If slip seconds are present on the T1/E1 line, there is usually a clocking problem.
5 Configuring IP

Overview

This document describes the IP protocol suite functionality offered by the XSR, including:
– General IP features (ARP, ICMP, TCP, UDP, TFTP, Telnet, SSH, NAT, VRRP, et al.)
– IP routing (RIP, OSPF, static routing, triggered-on-demand RIP updates)
– Applicable MIBs
– Configuration examples

IP, the main protocol of the TCP/IP suite, interconnects systems of packet-switched computer communication networks.
General IP Features

– Ethernet 802.3 support of SNAP and DIX frame formats
– Internet Standard Subnetting Procedure (ISSP) - RFC-950
– ARP - dynamic, static, and proxy ARP
– IP subnet zero (always enabled)
– Router ID is always enabled and is calculated as the highest non-zero IP address among all loopback interfaces, or, if no loopback interfaces are configured, the highest non-zero IP address of the existing (configured) interfaces.
IP Interface
– Numbered interfaces
– Un-numbered interfaces on point-to-point links
– NBMA support
  – Point-to-multipoint networks
  – Fully meshed networks
– Secondary IP

Troubleshooting Tools
– Ping
– Traceroute

IP Routing
– RIP
– Triggered-on-Demand RIP updates
– OSPF
– Static routes
– Default network
– CIDR (IP classless)

Network Address Translation (NAT)

Virtual Router Redundancy Protocol (VRRP): RFC-2338 and Definitions of Managed Objects fo
NOTE The XSR supports a total of 516 dynamic ARP entries, 128 pending ARP requests, and 200 static ARP entries with the standard memory of 64 MBytes installed.

BOOTP/DHCP Relay

The Bootstrap Protocol (BOOTP) is used by systems that have no capability of learning their IP addresses. BOOTP requests can be forwarded by routers, so a server is not needed on each physical network.
The XSR supports directed broadcast using the ip directed-broadcast command. For security purposes, restrictions can be set by defining and applying an ACL and by restricting the protocols. There are two types of directed broadcasts, described as follows:

A net-directed broadcast specifies a destination address with a host ID of all 1s. For example, a Class A net-directed broadcast destination address is netid.255.255.
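To make the directed-broadcast rules above concrete, here is an added example (not XSR code) that classifies a destination as a net-directed or subnet-directed broadcast of an interface's subnet and models the forwarding decision: forward only when ip directed-broadcast is enabled on the interface and an ACL permits the source. The ACL is represented as a list of permitted source networks, and the classful network size for "net-directed" follows the first-octet class rules behind the page's Class A example; both are assumptions for illustration.

```python
"""Directed-broadcast classification and forwarding policy.

Added example, not the XSR's own code. The page describes the
ip directed-broadcast command and restricting directed broadcasts with an
ACL; the policy below is a model of that behaviour, not the XSR's
implementation. Subnet-directed broadcasts (all-ones host part of the
interface's actual subnet) are the second type of directed broadcast and
are included for completeness.
"""
from ipaddress import IPv4Address, IPv4Network


def classful_prefix(addr: str) -> int:
    """Classful prefix length (8, 16 or 24) implied by the first octet."""
    first = int(IPv4Address(addr)) >> 24
    if first < 128:
        return 8        # Class A: netid.host.host.host
    if first < 192:
        return 16       # Class B
    if first < 224:
        return 24       # Class C
    raise ValueError(f"{addr} is not a classful unicast address")


def directed_broadcast_address(net: str) -> str:
    """Address with a host ID of all 1s for the given (sub)network."""
    return str(IPv4Network(net).broadcast_address)


def classify(dst: str, iface_net: str) -> str:
    """Classify dst relative to the subnet configured on an interface.

    "net-directed"    : all-ones host ID of dst's classful network
    "subnet-directed" : all-ones host ID of the interface's actual subnet
    "unicast"         : any other address inside the subnet
    "other"           : not destined to this subnet at all
    """
    d = IPv4Network(iface_net)  # strict: host bits must be zero
    dst_addr = IPv4Address(dst)
    classful = IPv4Network((int(dst_addr), classful_prefix(dst)), strict=False)
    if dst_addr == classful.broadcast_address:
        return "net-directed"
    if dst_addr == d.broadcast_address and d.prefixlen > classful.prefixlen:
        return "subnet-directed"
    return "unicast" if dst_addr in d else "other"


def forward_directed_broadcast(dst: str, src: str, iface_net: str,
                               directed_broadcast_enabled: bool,
                               permitted_sources: list[str]) -> bool:
    """Decision for the egress interface selected by routing.

    A directed broadcast is turned into a link broadcast only if the feature
    is enabled on that interface and the ACL (permitted source networks)
    matches the packet's source. Everything else returns False: non-broadcast
    destinations follow normal forwarding, and directed broadcasts are dropped
    when the feature is off or the ACL does not permit them.
    """
    kind = classify(dst, iface_net)
    if kind not in ("net-directed", "subnet-directed"):
        return False
    if not directed_broadcast_enabled:
        return False
    source = IPv4Address(src)
    return any(source in IPv4Network(net) for net in permitted_sources)


if __name__ == "__main__":
    lan = "10.1.1.0/24"            # constructed interface subnet
    acl = ["10.0.0.0/8"]           # constructed ACL: internal sources only
    for d, s in [("10.1.1.255", "10.2.0.5"),
                 ("10.1.1.255", "198.51.100.7"),
                 ("10.255.255.255", "10.2.0.5")]:
        print(d, classify(d, lan), forward_directed_broadcast(d, s, lan, True, acl))
```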
IRDP allows hosts to locate routers and can also infer router locations by checking RIP updates. When the XSR operates as a client, router discovery packets are generated. When the device operates as a host, router discovery packets are received. The IRDP client/server implementation does not actually examine or store the full routing tables sent by routing devices; it merely keeps track of which systems are sending such data.
SSH

The Secure Shell (SSH) protocol provides for safe remote login and other network services on the XSR. Along with a user-supplied client, the SSHv2 server allows you to establish a secure connection, similar to that provided by an inbound Telnet connection, with an important exception.
Trivial File Transfer Protocol (TFTP)

TFTP is a bare-bones file transfer protocol, defined in RFC-1350, that uses UDP to simplify transport with less overhead. The XSR provides TFTP client functionality using the snmp-server tftp-server-list and copy commands. Always enabled on the router, it is useful for saving and restoring configuration files and images.
Secondary IP can be used when there are insufficient host addresses on a particular network segment. Configuring several subnets on the router interface that connects the network segment allows you to combine these logical subnets into one physical segment and make more host addresses available.

Interface & Secondary IP

The XSR supports secondary IP on Ethernet networks only.
If any router on a network segment uses a secondary address, all other devices on the same segment must also use a secondary address from the same network or subnet. Inconsistent use of secondary addresses on a network segment can quickly cause routing loops. Configure the primary IP address before any secondary IP addresses on the same interface. Conversely, before a primary address can be removed, all secondary IP addresses should be removed.
When ICMP Mask Request packets are received, the destination IP address is matched against the entire subnet associated with the primary and secondary IP addresses. The matched IP address is then used as the source IP address of the reply packet.

Routing Table Manager & Secondary IP

If the interface is up, each primary and secondary IP address has an entry in the routing table as a directly connected route.
Unnumbered Interface & Secondary IP

If an unnumbered interface attempts to borrow an IP address from an Ethernet interface on which a secondary IP address is configured, only the primary IP address can be borrowed. Also, secondary IP cannot be configured on an unnumbered interface.

NAT & Secondary IP

Only the primary IP address on the specified interface is used for NAT.
The XSR supports 11 IP addresses per VR (1 primary + 10 secondary). With four VRs allowed per XSR, you can configure up to 44 virtual IP addresses per XSR.

PPPoE & Secondary IP

Secondary IP is not supported on PPPoE interfaces.

Maximum Transmission Unit (MTU)

MTU is the largest frame size allowed on an interface. It is dictated by the link level limit on a particular port. Examples of link layer types are Ethernet encapsulation and 802.3 encapsulation.
IP Routing Protocols

Routing is one of the most important functions of IP. Routing information, stored in a routing table, is used by the XSR to determine the route for each packet that passes through it. The following routing features are supported on the XSR:
– RIP
– OSPF
– Static routes
– Default network
– CIDR (IP classless)

When you run multiple routing protocols, the XSR assigns a weight to each of them.
– Redistribute static routes into RIP with the redistribute command.
– Split horizon with poisoned reverse, enabled with the ip splithorizon command.
– Triggered updates, delivered by default or disabled by the ip rip disable-triggered-updates command.
– Clear text authentication, enabled by the ip rip authentication mode command.

NOTE RIP commands configured under Interface mode are independent of enabling/disabling the RIP protocol.
IP split horizon must be enabled (the default). Whether poison is enabled or not, triggered-on-demand will still send its updates with poison. Triggered-on-demand RIP on the XSR is implemented by the following:
– ip rip triggered-on-demand enables the functionality on a per-interface basis.
The latest changes are sent when:
– The routing database is modified by new data. The latest changes are sent through all interfaces running triggered-on-demand RIP.

RFC-2091 also specifies how packet types are handled:

An update request is defined as a request to a peer system to send its entire routing database. It is sent:
– When the XSR is powered up;
– When an interface is brought up.
– An update packet with the flush flag set is received; all routes learned from that next hop router are marked unreachable.
– An excessive number of retransmissions of an update go unacknowledged; all routes learned from that next hop router are marked unreachable.
– An update response for an expired route comes in; that route is marked unreachable.
OSPF is superior to RIP because, as a link-state protocol, it converges faster than RIP, a distance-vector protocol; OSPF's longest path is not limited as RIP's is (to 15); and OSPF supports subnets - a subnet mask is associated with each advertised route.
– Cost for the default route sent into a stub area, with the area default cost command
– Stub and NSSA, set with the area stub and area nssa commands
– Opaque link state advertisement (LSA) option
– Manual and automatic virtual links, enabled with the area virtual link command
– MD5 authentication, enabled per interface with the area authentication and ip ospf message-digest-key commands
– Incremental SPF is always enabled.
Route source   Weight
LOCAL          10
STATIC         9
OSPF INTRA     7
OSPF_INTER     6
OSPF_EXT       4
PREF_RIP       4

Default Network

The default network is used to specify candidates for the default route when a default route (0.0.0.0) is not specified or learned. If the network specified by the ip default-network command appears in the routing table from any source (dynamic or static), it is flagged as a candidate default route and is subject to being chosen as the default route for the XSR.
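The following added example (not the XSR's routing code) applies the weight table above when several sources offer the same prefix, and then applies the default-network rule: an explicit 0.0.0.0/0 is used if present, otherwise any configured default network found in the table from any source becomes a candidate. It assumes, from the order of the table, that a higher weight is preferred, and breaks ties between equal weights (OSPF_EXT and PREF_RIP are both 4) by lower metric; both are assumptions.

```python
"""Route selection by source weight, with ip default-network candidates.

Added example, not the XSR's own implementation. Weights are exactly the
page's table; "higher weight wins" and "lower metric breaks ties" are
assumptions for illustration.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Optional

WEIGHT = {"LOCAL": 10, "STATIC": 9, "OSPF_INTRA": 7, "OSPF_INTER": 6,
          "OSPF_EXT": 4, "PREF_RIP": 4}


@dataclass(frozen=True)
class Route:
    prefix: str        # e.g. "154.68.0.0/16"
    source: str        # one of the WEIGHT keys
    next_hop: str
    metric: int = 0


def _preference(r: Route) -> tuple:
    """Sort key: most preferred first (highest weight, then lowest metric)."""
    return (-WEIGHT[r.source], r.metric)


def best_route(candidates: list[Route]) -> Route:
    """Among routes for one prefix, choose the one the router installs."""
    if not candidates:
        raise ValueError("no candidates")
    if len({r.prefix for r in candidates}) != 1:
        raise ValueError("best_route compares routes for a single prefix")
    return min(candidates, key=_preference)


def build_table(routes: list[Route]) -> dict[str, Route]:
    """Installed routing table: one winner per prefix."""
    by_prefix: dict[str, list[Route]] = {}
    for r in routes:
        by_prefix.setdefault(r.prefix, []).append(r)
    return {p: best_route(c) for p, c in by_prefix.items()}


def default_route(table: dict[str, Route],
                  default_networks: list[str]) -> Optional[Route]:
    """An explicit 0.0.0.0/0 wins; otherwise each network named with
    ip default-network that is present in the table (from any source) is a
    candidate, and the most preferred candidate is used."""
    if "0.0.0.0/0" in table:
        return table["0.0.0.0/0"]
    candidates = [table[n] for n in default_networks if n in table]
    return min(candidates, key=_preference) if candidates else None


def lookup(table: dict[str, Route], dst: str,
           default_networks: list[str]) -> Optional[Route]:
    """Longest-prefix (CIDR) match, falling back to the default-route candidate."""
    addr = IPv4Address(dst)
    matches = [r for p, r in table.items() if addr in IPv4Network(p)]
    if matches:
        return max(matches, key=lambda r: IPv4Network(r.prefix).prefixlen)
    return default_route(table, default_networks)


if __name__ == "__main__":
    # Constructed sample: 154.68.0.0/16 learned three ways; 192.168.1.0/24 local.
    rts = [Route("154.68.0.0/16", "PREF_RIP", "10.0.0.2", 3),
           Route("154.68.0.0/16", "OSPF_EXT", "10.0.0.3", 20),
           Route("154.68.0.0/16", "STATIC", "10.0.0.4"),
           Route("192.168.1.0/24", "LOCAL", "0.0.0.0")]
    table = build_table(rts)
    print(lookup(table, "154.68.1.47", []))
    print(lookup(table, "8.8.8.8", ["154.68.0.0/16"]))
```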
CIDR addressing also enables route aggregation, in which a single high-level route entry can represent many lower-level routes in the global routing tables. This reduces the routing table size. The XSR supports CIDR, which is always enabled. The ip address <0-32> command implements CIDR.

Network Address Translation

Network Address Translation (NAT) maps IP addresses from one address realm to another, providing transparent routing to end hosts.
– Port and Address Translation (NAPT)
– Standard Access Control Lists (1-99) only supported
– Application Level Gateway (ALG):
  – FTP
  – ICMP
  – Netbios over TCP and UDP
– Multiple ISP - NAPT based on the egress interface

With NAPT, routing is not automatically filtered out. Use distribution lists to ensure global networks are advertised out of external ports. NAPT can be configured for VPN interfaces.
Figure 9 Simple VRRP Topology: XSR1 (VR Master, 10.10.10.1) and XSR2 (VR Backup, 10.10.10.2) form a VR with IP address 10.10.10.1 serving ClientA, ClientB and ClientC.

Because the VR uses the IP address of the physical Ethernet interface of XSR1, XSR1 becomes the master VR, also known as the IP address owner. XSR1, as the master VR, assumes the IP address of the VR and is responsible for forwarding packets sent to this IP address.
Figure 10 Load Balanced, Redundant VRRP Topology: VR Group 1 (IP address 10.10.10.1) and VR Group 2 (IP address 10.10.10.2); XSR1 (10.10.10.1) is VR Master1/Backup2 and XSR2 (10.10.10.2) is VR Master2/Backup1, serving ClientA, ClientB, ClientC and ClientD.

VRRP Definitions

The XSR defines VRRP terms as follows:

VRRP Router - A router running the Virtual Router Redundancy Protocol. It may participate in one or more VRs.
How the VRRP Works

Multiple IP routers on a single broadcast LAN comprise a single virtual router, which has a unique virtual IP address and virtual MAC address. Hosts on the LAN configure the VR as their default router (default gateway). Devices that provide support for a VR form a VRRP group. The device acting as the VR is designated the master of the group. At any one time, only one of the routers acts as the VR, forwarding packets from hosts on the LAN.
In the backup state, a VRRP router monitors the VR master to confirm it is alive, does not respond to ARP requests or accept packets for the IP address(es) associated with the VR, and discards packets destined for the VR's MAC address.
VRRP Features

Multiple Virtual IP Addresses per VR

The XSR permits specifying multiple virtual IP addresses on the VR (up to 11) to support multiple logical IP subnets on a LAN segment. This functionality is specified by the vrrp ip command. The primary physical IP address on that interface is selected as the VRRP primary IP address, which is used for the VRRP advertisement. The advertisement timer is set using the vrrp adver-int command.
ARP Process on a VRRP Router

Three types of ARP requests can be employed on a VRRP router: Host, Proxy and Gratuitous ARP.

Host ARP

Host ARP performs according to the following rules:
– When a host sends an ARP request for one of the VR IP addresses, the master VR returns the virtual MAC address (00-00-5e-00-01-VRID).
– The backup VR must not respond to the ARP request for one of the VR IP addresses.
– The master VR must receive packets with the virtual MAC address as the destination MAC address.
– The backup VR must not receive any packets with the virtual MAC address as the destination MAC address.
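The Host ARP and frame rules above, together with the backup-state behaviour described earlier, are modelled in this added example (not the XSR's VRRP code): it derives the virtual MAC 00-00-5e-00-01-VRID, lets a master or backup router decide whether to answer an ARP request or accept a frame, walks through a failover, and adds a monitoring check that an ARP reply seen for a VR address carries the expected virtual MAC. The master/backup state model and the VRID range 1-255 are assumed from RFC 2338, which the page cites.

```python
"""VRRP virtual MAC, Host ARP and frame-acceptance rules.

Added example, not the XSR's own implementation. The rules modelled are
the ones stated on the page; the VRID range 1-255 is assumed from RFC 2338.
"""

VIRTUAL_MAC_PREFIX = "00-00-5e-00-01"


def virtual_mac(vrid: int) -> str:
    """00-00-5e-00-01-VRID, with the VRID as a two-digit hex octet."""
    if not 1 <= vrid <= 255:
        raise ValueError("VRID must be 1..255")
    return f"{VIRTUAL_MAC_PREFIX}-{vrid:02x}"


class VrrpRouter:
    """One router's view of a single VR: the VRID, the VR's IP addresses
    (the page allows up to 11) and whether this router is master or backup."""

    def __init__(self, vrid: int, vr_ips: list[str], state: str = "backup"):
        if len(vr_ips) > 11:
            raise ValueError("the XSR allows at most 11 virtual IP addresses per VR")
        if state not in ("master", "backup"):
            raise ValueError("state must be 'master' or 'backup'")
        self.vrid = vrid
        self.vr_ips = set(vr_ips)
        self.state = state

    @property
    def mac(self) -> str:
        return virtual_mac(self.vrid)

    def arp_reply(self, target_ip: str):
        """Host ARP rule: only the master answers for a VR IP address, and it
        answers with the virtual MAC. Returns None for 'do not respond'."""
        if target_ip in self.vr_ips and self.state == "master":
            return self.mac
        return None

    def accepts_frame(self, dst_mac: str) -> bool:
        """Frame rule: the master receives frames sent to the virtual MAC;
        the backup must not, so it discards them."""
        if dst_mac.lower() != self.mac:
            return False
        return self.state == "master"

    def become_master(self) -> None:
        self.state = "master"

    def become_backup(self) -> None:
        self.state = "backup"


def failover(old_master: VrrpRouter, backup: VrrpRouter) -> None:
    """The master leaves the master state (see the page: the IP address owner
    then no longer receives packets for the VR address) and the backup takes
    over both ARP answers and the virtual MAC."""
    old_master.become_backup()
    backup.become_master()


def arp_reply_is_consistent(vrid: int, vr_ips: list[str],
                            reply_ip: str, reply_mac: str) -> bool:
    """Monitoring check for a captured ARP reply: an answer for a VR IP
    address must carry the VR's virtual MAC. A different sender MAC claiming
    the gateway address is worth alerting on."""
    if reply_ip not in vr_ips:
        return True     # not a VR address; nothing to check here
    return reply_mac.lower() == virtual_mac(vrid)


if __name__ == "__main__":
    # Figure 9 on the page: VR 1 at 10.10.10.1, XSR1 master, XSR2 backup.
    xsr1 = VrrpRouter(1, ["10.10.10.1"], "master")
    xsr2 = VrrpRouter(1, ["10.10.10.1"])
    print(xsr1.arp_reply("10.10.10.1"), xsr2.arp_reply("10.10.10.1"))
    failover(xsr1, xsr2)
    print(xsr1.arp_reply("10.10.10.1"), xsr2.arp_reply("10.10.10.1"))
```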
When the actual IP address owner of the virtual IP address releases the master state of the VR, it will no longer be able to receive any IP packets destined for that address, even though the actual interface is still up. This may cause routing packets to not reach this interface and cause the interface to be considered down by other routers.
SNMPv3 MIBs including:
– RFC-3411 Framework
– RFC-3412 MPD
– RFC-3414 USM
– RFC-3415 VACM

Configuring RIP Examples

The following example enables RIP on both FastEthernet interfaces and a serial link of the XSR. The FastEthernet 2 interface is configured to be totally passive (updates neither sent nor received). The serial interface uses split horizon with poison reverse while the others use split horizon (the default).
XSR(config)#interface FastEthernet 1
XSR(config-if)#no shutdown
XSR(config-if)#ip address 192.168.1.100 255.255.255.0
XSR(config-if)#ip access-group 1 in
XSR(config-if)#ip access-group 1 out
XSR(config)#interface serial 1/0
XSR(config-if)#no shutdown
XSR(config-if)#media-type V35
XSR(config-if)#encapsulate ppp
XSR(config-if)#ip address 154.68.1.47 255.255.255.0
XSR(config)#router rip
XSR(config-router)#network 154.68.
XSR(config-if)#encapsulate ppp
XSR(config-if)#ip unnumbered fastethernet 1
XSR(config)#router rip
XSR(config-router)#network 192.168.1.100
XSR#copy running-config startup-config

Configuring Unnumbered IP Serial Interface Example

The following example configures an X.21-type serial interface 1/0 as an unnumbered serial interface. Serial 1/0 is directed to use the IP address of FastEthernet port 1.
XSR(config-if)#ip address 154.68.1.47 255.255.255.0
XSR(config-if)#ip ospf cost 64
XSR(config)#router ospf 1
XSR(config-router)#network 192.168.1.0 0.0.0.255 area 0.0.0.10
XSR(config-router)#network 154.68.1.0 0.0.0.255 area 0
XSR(config-router)#area 10 nssa default-information-originate
XSR(config-router)#network 156.57.99.3 255.255.255.
Configuring NAT Examples

2 The first packet the XSR receives from host 10.1.1.1 causes the router to check its NAT table.
3 The XSR replaces the inside local source address of 10.1.1.1 with the global IP address 200.20.2.1 and forwards the packet.
4 Host 172.20.2.1 receives the packet and responds to IP address 200.20.2.1.
5 The XSR receives the packet with the inside global destination IP address 200.20.2.
Figure (NAPT example): Inside host 10.1.1.1 sends a request (SA: 10.1.1.1, DA: 172.20.2.1) to the internal interface. NAT is applied to the external interface (200.20.2.1); after translation the packet leaves as SA: 200.2.2.1, DA: 172.20.2.1 toward 172.20.2.2 on the Internet. The reply (SA: 172.20.2.1, DA: 200.2.2.1) is delivered after a reverse lookup as SA: 172.20.2.1, DA: 10.1.1.1.

NAPT Table
Protocol   Inside local IP addr:port   Inside global IP addr:port
TCP        10.1.1.1:1729               200.2.2.1:40450
TCP        10.1.1.1:1780               200.2.2.
the inside local address 10.1.1.1 and destination port 1789, then forwards it to 10.1.1.1.

Configuring NAPT

The following steps are required to configure overloading of inside global addresses. The example configures an access list to permit specified traffic, but this is optional. All other traffic is implicitly denied.
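The NAPT walk-through in the numbered steps and the table above is simulated in this added example (not the XSR's NAT code): an outbound packet from 10.1.1.1 gets its source rewritten to the inside global address and a fresh port, and the reply is reverse-looked-up from that port back to the inside local address:port, while an inbound packet with no table entry has nowhere to go and is dropped. The inside global address 200.2.2.1 and the first allocated port 40450 are taken from the page's table; allocating ports sequentially from there is an assumption.

```python
"""NAPT (inside global address overloading) translation table.

Added example, not the XSR's NAT implementation. Inside global address and
starting port follow the page's NAPT table; sequential port allocation and
the table shape are assumptions for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str       # "TCP" or "UDP"
    src: str
    sport: int
    dst: str
    dport: int


class NaptTable:
    """Maps (proto, inside local ip:port) <-> (proto, inside global ip:port)."""

    def __init__(self, inside_global: str, first_port: int = 40450):
        self.inside_global = inside_global
        self.next_port = first_port
        # (proto, local ip, local port) -> global port
        self.out: dict[tuple[str, str, int], int] = {}
        # (proto, global port) -> (local ip, local port)
        self.back: dict[tuple[str, int], tuple[str, int]] = {}

    def translate_outbound(self, pkt: Packet) -> Packet:
        """Steps 2-3 on the page: look up (or create) the entry for the inside
        local source, then replace the source address:port with the global one.
        An existing flow keeps its global port."""
        key = (pkt.proto, pkt.src, pkt.sport)
        gport = self.out.get(key)
        if gport is None:
            gport = self._allocate_port()
            self.out[key] = gport
            self.back[(pkt.proto, gport)] = (pkt.src, pkt.sport)
        return Packet(pkt.proto, self.inside_global, gport, pkt.dst, pkt.dport)

    def translate_inbound(self, pkt: Packet):
        """Step 5: a reply to the inside global address:port is reverse-looked-up
        and rewritten to the inside local address:port. With no matching entry
        there is no inside destination, so None (drop) is returned; this is why
        unsolicited inbound traffic does not reach inside hosts through NAPT."""
        if pkt.dst != self.inside_global:
            return None
        entry = self.back.get((pkt.proto, pkt.dport))
        if entry is None:
            return None
        local_ip, local_port = entry
        return Packet(pkt.proto, pkt.src, pkt.sport, local_ip, local_port)

    def _allocate_port(self) -> int:
        port = self.next_port
        if port > 65535:
            raise RuntimeError("NAPT port pool exhausted")
        self.next_port += 1
        return port

    def rows(self) -> list[tuple[str, str, str]]:
        """The table in the layout the page's figure uses."""
        return [(proto, f"{ip}:{lport}", f"{self.inside_global}:{gport}")
                for (proto, ip, lport), gport
                in sorted(self.out.items(), key=lambda kv: kv[1])]


if __name__ == "__main__":
    table = NaptTable("200.2.2.1")
    # Constructed flows matching the page's figure (two TCP sessions from 10.1.1.1).
    out = table.translate_outbound(Packet("TCP", "10.1.1.1", 1729, "172.20.2.1", 80))
    table.translate_outbound(Packet("TCP", "10.1.1.1", 1780, "172.20.2.1", 80))
    reply = Packet("TCP", "172.20.2.1", 80, out.src, out.sport)
    print(table.translate_inbound(reply))
    for row in table.rows():
        print(*row)
```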
Configuring VRRP Example

XSRa(config-if)#vrrp 1 track serial 2/0
XSRa(config-if)#vrrp 1 authentication robo
XSRa(config-if)#vrrp 1 adver-int 3
XSRa(config-if)#vrrp 1 ip 10.10.10.10
XSRa(config-if)#vrrp 5 priority 100
XSRa(config-if)#vrrp 5 adver-int 30
XSRa(config-if)#vrrp 5 ip 10.10.10.50
XSRa(config-if)#vrrp 5 preempt delay 2
XSRa(config-if)#vrrp 100 ip 10.10.10.
6 Configuring PPP

Overview

The Point-to-Point Protocol (PPP), referenced in RFC-1616, is a standard method for transporting multi-protocol datagrams over point-to-point links. PPP defines procedures to assign and manage network addresses, asynchronous and synchronous encapsulation, link configuration, link quality testing, network protocol multiplexing, error detection, and option negotiation for network-layer address and data-compression negotiation.
PPP Features

– Authentication of peer entities through:
  – Password Authentication Protocol (PAP)
  – Challenge Handshake Authentication Protocol (CHAP)
  – Microsoft Challenge Handshake Authentication Protocol (MSCHAP)
– Link Quality Monitoring (LQM) procedures as defined by RFC-1989
– VJ/IP header compression
– No restriction on frame size; default is 1500 octets for the information field, as defined by RFC-1661
– Self-Describing Padding and FCS (16-bytes) as defined by RFC-1570
Network Control Protocol (NCP)

The Network Control Protocol (NCP) handles transmission and reception of various network layer control packets and datagrams. NCP:
– Sets up network layer control protocols over the established PPP link.
– Transmits/receives network layer datagrams if the corresponding NCP is successfully negotiated.

The configuration negotiation procedures are performed once the LCP reaches the OPENED state.
PAP is most appropriate where a plaintext password must be available to simulate a login at a remote host. In such a use, PAP provides a similar level of security to the usual user login at the remote host.

Challenge Handshake Authentication Protocol (CHAP)

The Challenge Handshake Authentication Protocol (CHAP), as referenced in RFC-1994, periodically verifies the identity of the peer using a 3-way handshake.
It also defines a new packet called the Change Password Packet, which enables a client to send a response packet based on a new password. An 8-octet challenge string is generated using a random number generator. A change password packet is sent in response to a failure packet from the peer that contains the failure code for change password.
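The CHAP 3-way handshake referenced above (RFC-1994) is shown in this added example, which is not the XSR's PPP code: the authenticator issues an identifier and an 8-octet random challenge, the peer returns MD5 over identifier, secret and challenge, and the authenticator recomputes and compares, consuming the challenge so a captured response cannot be replayed against a later one. Plain CHAP with MD5 is implemented; the MS-CHAP change-password packet mentioned above is not modelled, and the peer name and secret are constructed sample values.

```python
"""CHAP (RFC 1994) challenge/response for PPP peer verification.

Added example, not the XSR's implementation. Implements plain CHAP with MD5
only; MS-CHAP's change-password packet is not modelled. The 8-octet
challenge length follows the page's text.
"""
import hashlib
import hmac
import secrets

CHAP_MD5 = 5            # CHAP algorithm number for MD5 (RFC 1994)
CHALLENGE_LEN = 8       # as stated on the page


def make_challenge(length: int = CHALLENGE_LEN) -> bytes:
    """Authenticator side: an unpredictable, per-use challenge value."""
    return secrets.token_bytes(length)


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Peer side: MD5 over the one-octet Identifier, the secret and the
    Challenge Value, in that order. Only this hash crosses the link."""
    if not 0 <= identifier <= 255:
        raise ValueError("CHAP Identifier is one octet")
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def verify_response(identifier: int, secret: bytes, challenge: bytes,
                    response: bytes) -> bool:
    """Authenticator side: recompute and compare in constant time."""
    expected = chap_response(identifier, secret, challenge)
    return hmac.compare_digest(expected, response)


class ChapAuthenticator:
    """Tracks outstanding challenges by Identifier so that a response is
    accepted only once and only for the challenge it was issued for.
    Periodic re-verification (which the page mentions) is just another
    challenge() call during the session."""

    def __init__(self, secret_for: dict[str, bytes]):
        self.secret_for = secret_for          # peer name -> shared secret
        self.pending: dict[int, bytes] = {}   # identifier -> challenge
        self.next_id = 0

    def challenge(self) -> tuple[int, bytes]:
        ident = self.next_id
        self.next_id = (self.next_id + 1) % 256
        chal = make_challenge()
        self.pending[ident] = chal
        return ident, chal

    def check(self, ident: int, name: str, response: bytes) -> bool:
        """Consume the pending challenge for `ident`; a replayed response
        finds no pending challenge and fails."""
        chal = self.pending.pop(ident, None)
        secret = self.secret_for.get(name)
        if chal is None or secret is None:
            return False
        return verify_response(ident, secret, chal, response)


if __name__ == "__main__":
    # Constructed sample: authenticator knows peer "branch" and its secret.
    auth = ChapAuthenticator({"branch": b"constructed-secret"})
    ident, chal = auth.challenge()                    # Challenge packet
    resp = chap_response(ident, b"constructed-secret", chal)   # Response packet
    print("success" if auth.check(ident, "branch", resp) else "failure")
    print("replay accepted" if auth.check(ident, "branch", resp) else "replay rejected")
```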
– The XSR can receive upper layer protocol data units (PDUs) fragmented using the multilink header and reassemble the fragments into the original PDU for processing.
– The XSR can receive PDUs of size N octets, where N is specified as part of the option, even if N is larger than the maximum receive unit (MRU) for a single physical link.

When a packet is transmitted over a multilink bundle it is encapsulated by a multilink header, which includes information to allow the pa
IP Address Assignment

In PPP, IPCP configuration option type 3 corresponds to IP address negotiation. This configuration option provides a way to negotiate the IP address to be used on the local end of the link. It allows the sender of the Configure-Request to state which IP address is desired, or to request that the peer provide the information. The peer can do this by NAKing the option and returning a valid IP address.
The BACP protocol must reach the Opened state using the standard PPP mechanism as defined in RFC-1661. Once BACP reaches the Opened state on a bundle, BAP may transmit packets through this PPP/MLPPP pipeline. BAP datagrams are encapsulated by the PPP/MLPPP module and transmitted across the link. Transmission and reception of BAP and BACP packets is through the same interface procedures used by any other NCP protocol pair.
Figure 13 XSR Configuration with One Backup Dial Line to Different Sites: the XSR's primary links on serial interfaces 1/1 and 1/0 connect to Site B and the Central Site, with a backup link over the PSTN.

Configuring a Synchronous Serial Interface

Perform the following steps to configure a synchronous V.35 serial interface to communicate with PPP:
1 Enter interface serial to specify the interface.
4 Set the local IP address of this interface.
XSR(config-if)#ip address 192.168.1.1 255.255.255.0
5 Enter no shutdown to enable this interface.
Configuring a Dialed Backup Line

3 Enter media-type {RS232 | RS422 | RS449 | RS530A | V35 | X21} for the cable your interface connects to. The default media-type is RS232.
4 Enter no shutdown to enable the interface.
5 Enter ppp max-bad auth number to set the number of retries after which the interface resets itself.
6 Enter dialer pool-member pool-number priority priority to assign the interface as a member of the pool that the dialer interface will use.
XSR(config-if)#dialer pool 5
XSR(config-if)#no shutdown

Configure interface dialer 1 to use dial pool 5:
XSR(config)#interface dialer 1
XSR(config-if)#encapsulation ppp
XSR(config-if)#ppp authentication chap pap
XSR(config-if)#dialer pool 5
XSR(config-if)#no shutdown

Configure serial port(s) for dial purposes and assign them to dial pool 5:
XSR(config)#interface serial 1/2
XSR(config-if)#encapsulation ppp
XSR(config-if)#media-type
Configuring BAP

One function central to DoD is the XSR's ability to perform LAN route spoofing, a means of maintaining routes in the routing table while keeping unused lines physically down. The router brings up a line only when it receives a data packet and tears it down when the idle timeout values are reached. Spoofing on the XSR is applicable to the dial out router only.
XSR1(config-if)#no shutdown
XSR1(config-if)#dialer pool-member 1 priority 0
3 Configure the Dialer 1 interface with a dialer pool:
XSR1(config)#interface Dialer1
XSR1(config-if)#no shutdown
XSR1(config-if)#dialer pool 1
XSR1(config-if)#encapsulation ppp
4 Set up BAP on Dialer 1 by specifying the load-threshold (BoD), enabling BAP, and configuring XSR1 to initiate the addition of a link.
XSR2(config-if)#isdn switch-type basic-ni1
XSR2(config-if)#isdn spid1 0337250001
XSR2(config-if)#isdn spid2 0337250101
XSR2(config-if)#no shutdown
XSR2(config-if)#dialer pool-member 1 priority 0
3 Configure the Dialer 1 interface with a dialer pool:
XSR2(config)#interface Dialer1
XSR2(config-if)#no shutdown
XSR2(config-if)#dialer pool 1
XSR2(config-if)#encapsulation ppp
4 Set up BAP on Dialer 1 by enabli
XSR1(config-if)#encapsulation ppp
XSR1(config-if)#multilink load-threshold 3
XSR1(config-if)#ppp multilink bap
XSR1(config-if)#ppp bap number default 3200
XSR1(config-if)#ppp bap callback request
XSR1(config-if)#dialer-group 2
XSR1(config-if)#dialer map ip 10.10.10.2 1300
XSR1(config-if)#ip address 10.10.10.1 255.255.255.
7 Configuring Frame Relay

Overview

Frame Relay is a simple, bit-oriented protocol that offers fast-packet switching for wide-area networking. It combines the statistical multiplexing and port-sharing features of an X.25 connection with high speed and low delay to provide high performance and less overhead.
Relay switch are processed by the DLCI in three ways: frames are checked for integrity, their associated DLCI is looked up in the DLCI table, and they are relayed to their destination through the port specified in the table. If the checks reveal errors or the DLCI is not found in the table, the frames are discarded. The frame-relay interface-dlci command maps a DLCI to a specified Frame Relay sub-interface.
DTEs

A DTE is a network end station, either the ultimate source or destination of data through a Frame Relay network. A Frame Relay DTE device can be a router, bridge, terminal or PC. For example, the XSR acts as a DTE originating or terminating device. As a source device, a DTE encapsulates data in a Frame Relay frame and transmits it.
Multi-protocol interconnect over Frame Relay (RFC 2427). Only IP is supported.
Frame Relay Inverse ARP (RFC 2390).
Multiple logical interfaces over the same physical Frame Relay port (sub-interfaces).
Quality of Service: standard FIFO queuing, or IP QoS on DLCIs.
Maximum PDU size of 1500 bytes.
Industry-standard CLI and statistics.
Controlling Congestion in Frame Relay Networks

While Frame Relay provides dedicated, logical channels throughout the network, these channels share physical resources - links and Frame Relay switches, for example. When a DLCI is provisioned, the network assigns Committed Information Rate (CIR), Committed burst (Bc) and Excess burst (Be) values for the virtual circuit.
CIR is the minimum rate of service that a public Frame Relay provider guarantees for a given PVC under normal conditions. Frame Relay provides the ability to burst beyond the CIR if bandwidth is available. You can transmit traffic at a rate exceeding the CIR using Excess Information Rate (EIR), but excess traffic might be discarded in the event of congestion.
Backward Explicit Congestion Notification (BECN)

Backward Explicit Congestion Notification (BECN) sets a bit in frames traveling in the opposite direction to frames encountering a congested path. A DTE device receiving frames with the BECN bit set can request that higher-level protocols take flow control action as appropriate. Frames received with the BECN bit set indicate that the transmit path is congested.
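The DLCI processing steps described earlier in this chapter (integrity check, DLCI table lookup, relay through the table's port or discard) and the BECN bit described just above, as an added Python example that is not code from the XSR User's Guide or from Enterasys. It decodes the two-byte Q.922 address field and surfaces the BECN flag so a DTE can act on it; the DLCI table, port names and frame bytes are constructed for the example.

```python
"""Toy model of Frame Relay DLCI processing (added example, not XSR code).

Decodes the two-byte Q.922 address field (DLCI, C/R, FECN, BECN, DE, EA),
then applies the three steps from the text: check the header's integrity,
look the DLCI up in a table, and relay the frame to the table's port or
discard it. DLCI table, port names and frames below are constructed.
"""

from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class FrAddress:
    dlci: int
    cr: bool    # command/response bit, carried transparently
    fecn: bool  # forward explicit congestion notification
    becn: bool  # backward explicit congestion notification
    de: bool    # discard eligibility


def parse_address(frame: bytes) -> FrAddress:
    """Decode the Q.922 two-byte address field at the start of a frame.

    Byte 0: DLCI bits 9..4 | C/R | EA=0
    Byte 1: DLCI bits 3..0 | FECN | BECN | DE | EA=1
    Raises ValueError when the header fails the integrity check.
    """
    if len(frame) < 2:
        raise ValueError("frame shorter than the address field")
    b0, b1 = frame[0], frame[1]
    if (b0 & 0x01) != 0 or (b1 & 0x01) != 1:
        raise ValueError("EA bits do not describe a two-byte address")
    return FrAddress(
        dlci=((b0 >> 2) << 4) | (b1 >> 4),
        cr=bool(b0 & 0x02),
        fecn=bool(b1 & 0x08),
        becn=bool(b1 & 0x04),
        de=bool(b1 & 0x02),
    )


def build_address(dlci: int, *, cr=False, fecn=False, becn=False, de=False) -> bytes:
    """Inverse of parse_address; used to construct the sample frames below."""
    if not 0 <= dlci <= 1023:
        raise ValueError("DLCI must fit in 10 bits")
    b0 = ((dlci >> 4) << 2) | (0x02 if cr else 0)   # EA = 0
    b1 = ((dlci & 0x0F) << 4) | 0x01                  # EA = 1
    b1 |= (0x08 if fecn else 0) | (0x04 if becn else 0) | (0x02 if de else 0)
    return bytes([b0, b1])


def relay(frame: bytes, dlci_table: Dict[int, str]) -> Optional[Tuple[str, bool]]:
    """Process one frame the way the text describes.

    Returns (outgoing_port, becn_seen), or None when the frame is discarded
    because the header is malformed or the DLCI is not in the table. The
    BECN flag is surfaced so a DTE can ask higher layers to slow down.
    """
    try:
        addr = parse_address(frame)
    except ValueError:
        return None
    port = dlci_table.get(addr.dlci)
    if port is None:
        return None
    return port, addr.becn


# Constructed DLCI table: DLCI -> port name (values made up for the example).
DLCI_TABLE: Dict[int, str] = {16: "serial 1/0.1", 17: "serial 1/0.2"}

# Constructed sample frames: address field followed by a dummy payload.
FRAME_OK = build_address(16) + b"payload"
FRAME_BECN = build_address(16, becn=True, de=True) + b"payload"
FRAME_UNKNOWN_DLCI = build_address(100) + b"payload"
FRAME_BAD_EA = bytes([0x41, 0x00]) + b"payload"   # both EA bits inverted


if __name__ == "__main__":
    for label, frame in [("ok", FRAME_OK), ("becn", FRAME_BECN),
                         ("unknown", FRAME_UNKNOWN_DLCI), ("bad-ea", FRAME_BAD_EA)]:
        print(f"{label:8s} {frame[:2].hex()} -> {relay(frame, DLCI_TABLE)}")
```

The discard path is the one worth attention operationally: a frame whose EA bits are wrong or whose DLCI is unknown produces no output at all, which matches the text's description of the switch and is why a misconfigured frame-relay interface-dlci mapping shows up as silent loss rather than an error.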
XSR(config-if)#no shutdown
XSR(config-if)#media-type V35
XSR(config-if)#encapsulation frame-relay
XSR(config-if)#frame-relay lmi-type ansi
XSR(config-if)#frame-relay traffic-shaping
XSR(config)#interface serial 1/0.1 multi-point
XSR(config-subif)#frame-relay interface-dlci 16
XSR(config-fr-dlci)#class STG
XSR(config-fr-dlci)#no shutdown
XSR(config-fr-dlci
Link Management Information (LMI)

A Frame Relay switch communicates with another Frame Relay switch or an attached Frame Relay DTE device (e.g., the XSR) about the status of the PVC connections through the Link Management Information (LMI) protocol. LMI monitors the status of the connection and provides the following data:

Active/inactive interface - known as a keep-alive or heartbeat signal.
The valid DLCIs defined for that interface.
NOTE Be sure the same version of the management protocol resides at each end of the Frame Relay link, except for Auto. Each version uses the management protocol slightly differently. The XSR implements all three LMIs, behaving as a DTE, as well as the auto, none and default options, using the frame-relay lmi-type command. Auto is the fastest LMI type.
Map-Class Configuration

The Map Class configures a common profile (set of characteristics) that can be applied to PVCs, eliminating the need to configure parameters on each individual PVC. The map-class frame-relay command configures a Frame Relay map class.

Show Running Configuration

The show running-configuration command displays the running configuration on the screen.

NOTE Only those parameters that differ from the default values are displayed.
Interconnecting via Frame Relay Network

The following typical application uses Frame Relay to link remote branches to the corporate network at the central sites via a Frame Relay network. The Frame Relay switch combines DLCIs from various remote branch sites at 56 kbps into a single high-speed Frame Relay T1 interface with a large number of DLCIs at the central sites.
Configuring Frame Relay

Multi-point to Point-to-Point Example

The following example configures the XSR in Austin to connect with XSRs in Boston, Charlotte, and Denver using Frame Relay, as shown in Figure 17.

NOTE This example is not designed for OSPF networks since the nodes have mixed configurations. OSPF requires sub-interfaces to be set identically: either all point-to-point or all multipoint to multipoint.
A point-to-point network with a 64 Kbps connection is also configured from Austin to Denver. Boston, Denver, and Charlotte each are configured with point-to-point networks with 64 Kbps, 128 Kbps, and 64 Kbps PVCs, respectively.
On the Charlotte XSR, enter:

XSR(config)#interface serial 1/0
XSR(config-if)#encapsulation frame-relay
XSR(config-if)#frame-relay traffic-shaping
XSR(config-if)#media-type v35
XSR(config-if)#no shutdown
XSR(config)#interface serial 1/0.1 point-to-point
XSR(config-subif)#ip address 10.10.10.3 255.255.255.0
XSR(config-subif)#frame-relay interface-dlci 16
XSR(config-fr-dlci
8 Configuring Dialer Services

This chapter details information about the XSR’s suite of dialer functionality:

Dial Ethernet Failover
Backup Dialer
Dial on Demand (DoD)
Bandwidth on Demand (BoD)
Multilink PPP (MLPPP)

Overview of Dial Services

Dial Services provide network connections across the Public Switched Telephone Network (PSTN). Networks are typically interconnected using dedicated lines for Wide-Area Network (WAN) connections.
Addressing using numbered or unnumbered interfaces
Outbound connections
Time of day feature
PPP encapsulation
CHAP, MS-CHAP and PAP authentication and security
Callback

Figure 18 Typical Dial Services Interconnection

Asynchronous and Synchronous Support

Synchronous and asynchronous interfaces can be configured for dialed connections to one or more destination networks.
AT Commands on Asynchronous Ports

On asynchronous ports, AT commands are used to establish and clear the call. Refer to your modem documentation for a list of supported commands and options. The modem should be configured to drive the Data Carrier Detect and Clear To Send CCITT V.24 signals and to accept the Data Terminal Ready signal set by the XSR. V.
Table 8 ITU-T V.25bis Options (Continued)

Option  Description
T       Dialing to be continued in DTMF mode - optional parameter
&       Flash - optional parameter

DTR Dialing for Synchronous Interfaces

Dialer interfaces also support connections from synchronous serial lines through non-V.25bis modems. Routers connected by non-V.
Implementing Dial Services

Dial services are provided by dialer interfaces, which are defined as any XSR interface capable of placing or receiving a call. You can implement Dial Services by creating a dialer profile. Refer to Figure 19 for a network perspective and Figure 20 for a logical view of Dial Services.
Dialer Profiles

Dialer profiles are comprised of virtual and physical interfaces which can be bound together dynamically on a per-call basis. Dialer profiles can also be configured as physical interfaces separate from the virtual configuration required to make a connection. This flexibility permits different dialer profiles to share XSR Serial interfaces.
Dialer Strings

Setting dialer strings is straightforward, but their configuration is very flexible. You can specify multiple dialer strings for the same dialer interface, and each dialer string can be associated with a different dialer map class.

Dialer Pool

Each dialer interface uses one group of physical interfaces called a dialer pool.
PPP is the encapsulation method of choice for Dialer Services because it supports multiple protocols and is used for synchronous or asynchronous connections. Also, PPP performs address negotiation and authentication and is interoperable with different vendors' equipment.

ISDN Callback

ISDN callback functionality, also known as dial-back, is a Dial on Demand application to handle ISDN call charge billing.
Network 10.1.1.1/8

Interface dialer 0
ip address 10.1.1.1 255.0.0.0
encapsulation ppp
dialer string 4161234456 class Toronto
dialer string 9872312345 class Andover
dialer pool 6
Creating and Configuring the Dialer Interface

1 Enter interface dialer number to create the dialer interface. The number range is 0 to 255.
2 Enter encapsulation ppp to enable PPP encapsulation.
3 Enter dialer pool number to specify the dialer pool. The number range is 0 to 255.
4 Enter dialer string class to specify the remote destination string to be used. The string is normally a 10-digit telephone number.
XSR(config-if)#ip address 10.1.1.1 255.0.0.
XSR(config-if)#ip address 10.10.10.1 255.255.255.
XSR(config-if)#dialer map ip 10.10.10.3 9053617363
XSR(config-if)#encapsulation ppp
XSR(config-if)#ip address 10.10.10.1 255.255.255.0
XSR(config-if)#no shutdown

Overview of Dial Backup

The dialed backup feature provides a backup link over a dial line. The backup link is brought up when a failure occurs in the primary link, and is brought down when the primary link is restored.
4 With the interface down, all routes reachable through that interface are removed from the routing table.
5 The backup function invokes the dialer to activate the configured (dial) backup interface. Activating the backup link can be delayed, if configured as such.
6 Backup link is up.
7 Backup link is activated.
8 Backup link is up, triggering the next action.
Link Failure Backup Example

Figure 24 illustrates a local link failure and the dial backup process.
Configuring the Physical Interface for the Dialer Interface

Perform the following steps to set up the physical port for the dialer interface:

1 Enter interface serial card/port to specify the interface.
2 Enter encapsulation ppp to set PPP encapsulation.
3 Enter dialer pool-member pool-number priority priority to assign the interface as a member of the pool that the dialer interface will use.
XSR(config)#interface serial 1/0
XSR(config-if
Figure 25 Backup Dial Example
The CLI commands shown below are those used to configure the example shown in Figure 25.

Configure interface dialer 1 to use dial pool 5:

XSR(config)#interface dialer1
XSR(config-if)#encapsulation ppp
XSR(config-if)#dialer pool 5
XSR(config-if)#no shutdown

Configure interface dialer 2 to use dial pool 5:

XSR(config)#interface dialer2
XSR(config-if)#encapsulation ppp
XSR(config-if)#dialer pool 5
XSR(config-if)#n
Overview of Dial on Demand/Bandwidth on Demand

The XSR’s Dial on Demand/Bandwidth on Demand applications provide high-speed, available-when-needed dial services over point-to-point or multipoint PPP ISDN connections.
Answering Incoming ISDN Calls

The XSR handles incoming ISDN calls as follows:

Always accepts incoming calls.
If there is only one dialer interface configured, it binds the incoming call to that interface.
If there is more than one dialer interface configured, the XSR attempts to map the incoming call to only one of these interfaces based on any of the following data passed by the ISDN switch:
– Called number.
Incoming Call Mapping Example

This example, as shown in Figure 26, configures a node capable of handling multiple call setup requests coming from different remote peers and maps each incoming call to the correct IP interface (Dialer interface).

[Figure 26: ISDN topology with Node A, Node B and Node D XSRs; figure labels not recoverable]
XSR(config-if)#dialer pool 25
XSR(config-if)#encapsulation ppp
! XSR(config-if)#ppp pap sent-username toronto password q
XSR(config-if)#dialer idle-timeout 20
XSR(config-if)#dialer-group 3
XSR(config-if)#dialer map ip 10.10.10.2 2400
XSR(config-if)#ip address 10.10.10.1 255.255.255.
XSR(config)#interface dialer 1
XSR(config-if)#no shutdown
XSR(config-if)#dialer pool 22
XSR(config-if)#encapsulation ppp
XSR(config-if)#dialer called 2400
! dialer caller 2300
! dialer remote-name toronto
XSR(config-if)#ip address 10.10.10.2 255.255.255.0

The following commands add a dialer pool and map BRI interface 1/0 to Dialer interface 2. The dialer called command maps incoming Node A calls to Node B’s 2400 number.
XSR(config)#interface dialer 1
XSR(config-if)#no shutdown
XSR(config-if)#dialer pool 2
XSR(config-if)#encapsulation ppp
! ppp pap sent-username boston password orbitor
XSR(config-if)#dialer idle-timeout 20
XSR(config-if)#dialer-group 7
XSR(config-if)#dialer map ip 20.20.20.2 2400
XSR(config-if)#ip address 20.20.20.4 255.255.255.
Figure 27 Dial on Demand Topology

NOTE Configuration commands preceded by an exclamation point (!) are optional.
XSR(config)#interface bri 1/0
XSR(config-if)#isdn switch-type basic-net3
XSR(config-if)#dialer pool-member 25
XSR(config-if)#no shutdown
XSR(config)#interface dialer 1
XSR(config-if)#no shutdown
XSR(config-if)#dialer pool 25
XSR(config-if)#encapsulation ppp
XSR(config-if)#dialer idle-timeout 20
XSR(config-if)#dialer-group 3
XSR(config-if)#dialer map ip 10.10.10.
The following commands add a dial pool and map BRI interface 1/0 to Dialer interface 1. Optionally, you can employ the dialer called method to map incoming Node A calls to Node B’s phone number and add a second Dialer interface with similar mappings.

XSR(config)#interface dialer 1
XSR(config-if)#no shutdown
XSR(config-if)#dialer pool 22
XSR(config-if)#encapsulation ppp
! dialer called 2400
XSR(config-if)#ip address 10.10.10.2 255.
XSR(config-if)#encapsulation ppp
XSR(config-if)#dialer idle-timeout 35
XSR(config-if)#dialer-group 3
XSR(config-if)#dialer map ip 10.10.10.2 2400
XSR(config-if)#ip address 10.10.10.1 255.255.255.
The following command maps ACL 105 to dialer group 7:

XSR(config)#dialer-list 7 protocol ip list 105

PPP Point-to-Point Configurations

The following sample configuration is a PPP point-to-point topology, as illustrated in Figure 28.
XSR(config-if)#dialer remote-name XSR-andover
XSR(config-if)#no shutdown

The following command configures authentication of the remote user:

XSR(config)#username XSR-andover password secret 0 code

The following commands add a dialer pool member and set the Central Office switch type on BRI port 1/0:

XSR(config)#interface bri 1/0
XSR(config-if)#isdn switch-type basic-net3
XSR(config-if)#dialer pool-member 1
XSR(config-if
The following command defines interesting packets for the dial-out trigger by configuring access list 101 to pass all Type 8 ICMP traffic between any source and any destination, with up to 20 idle seconds:

XSR(config)#access-list 101 permit icmp any any 8

PPP Point-to-Multipoint Configurations

The following topology can be used for Dial on Demand applications only; it cannot be used for Dialed Backup applications. Refer to Figure 29.
XSR(config-if)#ip address 172.22.85.1
XSR(config-if)#ppp pap sent-username XSR-toronto password secret 0 xxgene
XSR(config-if)#dialer pool 1
XSR(config-if)#dialer map ip 172.22.85.2 4710
XSR(config-if)#dialer map ip 172.22.85.3 89302
XSR(config-if)#dialer map ip 172.22.85.
The following commands add a dial pool and specify the PPP authenticated username XSR-Boston to map incoming calls to Dialer interface 2:

XSR(config)#interface dialer 2
XSR(config-if)#encapsulation ppp
XSR(config-if)#ip address 172.22.85.
The following commands define a dialer group, add a dialer pool, enable MLPPP, set a 20-second idle timeout, and map BRI interface 1/0 to Dialer interface 1. The min-links command directs the XSR to maintain a minimum of two links over the switched line. The dialer map command directs Node A to call Node B, specifying Node B’s IP address and phone number, and enables spoofing.
MLPPP Point-to-Point Configurations

The following MLPPP point-to-point topology can be used for Bandwidth on Demand applications, as illustrated by Figure 30. This example creates three switched lines linking users on XSR-Toronto’s network with those on XSR-Andover’s network.
The following commands add a dialer pool member and specify the primary-ni switch type on XSR-Toronto’s T1 interface 2/3:

XSR(config)#controller t1 2/3
XSR(config-controller)#switch-type primary-ni
XSR(config-controller)#dialer pool-member 1
XSR(config-controller)#no shutdown

Dial-out Router Example

The following commands add a dialer pool and dialer group, specify the call destination - XSR-Toronto - and configure Multilink PPP
MLPPP Point-to-Multipoint Configurations

The following MLPPP point-to-multipoint topology can be used for BoD applications, as illustrated by Figure 31. This example creates multiple switched lines linking users on XSR-Toronto’s network with those on three remote networks.
XSR(config-if)#ip address 172.22.85.1
XSR(config-if)#ppp multilink
XSR(config-if)#dialer pool 1
XSR(config-if)#dialer idle-timeout 20
XSR(config-if)#dialer map ip 172.22.85.2 47410
XSR(config-if)#dialer map ip 172.22.85.3 425688
XSR(config-if)#dialer map ip 172.22.85.
XSR(config-controller)#dialer pool-member 1
XSR(config-controller)#no shutdown

MLPPP Multipoint-to-Multipoint Configuration

The following configuration, as shown in Figure 27, enables the setup of a switched MLPPP group when access list-defined data traffic is sent to a remote site. Both peer nodes can initiate and accept switched MLPPP calls.
Node B Configuration

The following commands add a dialer pool member and set the Central Office switch type on BRI port 1/0:

XSR(config)#interface bri 1/0
XSR(config-if)#isdn switch-type basic-net3
XSR(config-if)#dialer pool-member 22
XSR(config-if)#no shutdown

The following commands add a dialer pool and dialer group, and specify MLPPP call destination Node A on Node B’s Dialer interface 1.
Switched PPP Multilink Configuration

Bandwidth-on-Demand

This example configures multilink PPP over ISDN together with BoD, as shown in Figure 32.
XSR(config-if)#ppp multilink
XSR(config-if)#dialer-group 7
XSR(config-if)#multilink load-threshold 3
XSR(config-if)#dialer idle-timeout 20

The following command defines interesting packets for the dial-out trigger by configuring ACL 106 to pass all Type 8 ICMP packets between any source and any destination, with up to 20 idle seconds:

XSR(config)#access-list 106 permit icmp any any 8

The following command maps ACL 106 to dialer group 7
Backup Configuration

Backup Using ISDN

This example configures ISDN NIM cards (either BRI or T1/E1 configured for PRI) to be used for backing up other interfaces, as shown in Figure 33.
The following commands add a dialer pool, set Node C’s dialer number to call, specify a clear-text password sent to the peer for PAP authentication, and map BRI interface 1/0 to Dialer interface 1.

XSR(config)#interface dialer 1
XSR(config-if)#no shutdown
XSR(config-if)#dialer pool 22
XSR(config-if)#dialer string 2500
XSR(config-if)#encapsulation ppp
XSR(config-if)#ip address 10.10.10.1 255.255.255.
The following commands configure two channel groups with a total of three timeslots on T1 sub-interface 1/2:0:

XSR(config)#controller t1 1/2/0
XSR(config-controller)#channel-group 1 timeslots 2
XSR(config-controller)#channel-group 0 timeslots 1
XSR(config-controller)#no shutdown

The following commands add a dialer pool member and set the Central Office switch type on BRI port 1/0:

XSR(config)#interface bri 1/0
XSR(c
XSR(config-if)#no shutdown
XSR(config-if)#encapsulation ppp
XSR(config-if)#ip address 30.30.30.3 255.255.255.0

The following command configures Serial sub-interface 2/0:1:

XSR(config)#interface serial 2/0:1
XSR(config-if)#no shutdown
XSR(config-if)#encapsulation ppp
XSR(config-if)#ip address 40.40.40.3 255.255.255.
XSR(config-if)#ppp multilink
XSR(config-if)#multilink min-links 2

The following command configures Serial sub-interface 2/0:0:

XSR(config)#interface serial 2/0:0
XSR(config-if)#no shutdown
XSR(config-if)#backup interface dialer1
XSR(config-if)#encapsulation ppp
XSR(config-if)#ip address 30.30.30.1 255.255.255.
Configuration for Ethernet Failover

This example provides DSL backup (PPPoE) on a FastEthernet interface. Dialer interface 57 is configured as the backup for FastEthernet sub-interface 2.1; invoking the sub-interface enables PPPoE. Note that the IP address of the PPPoE caller is negotiated over PPP and the MTU size is reset to 1492 bytes to avoid Web access problems for PCs attached to the XSR.
9 Configuring Integrated Services Digital Network (ISDN)

This chapter outlines how to configure the Integrated Services Digital Network (ISDN) Protocol on the XSR in the following sections:

XSR ISDN features
Understanding ISDN
ISDN configuration topology
– BRI
– PRI
– Leased line
ISDN configuration examples
– T1 PRI
– E1 PRI
– ISDN BRI
– BRI Leased
– BRI Leased PPP
– BRI Leased Frame Relay
Call Status Call Codes

ISDN Features

The XSR’s BRI interface and T1/E1 controller in PRI mode act as a
1 or 2 port BRI-S/T NIM card.
1 or 2 port BRI U NIM card.

BRI Features

Circuit Mode Data (CMD): Channels (DS0s or B's) are switched by the CO to the destination user for the duration of the call.
– Outgoing calls supported for Backup, DoD/BoD.
– Incoming calls routed to the correct protocol stack based on called number/sub-address and calling number/sub-address.
Permanent B channel support, i.e.
Understanding ISDN

Physically, an ISDN line is provisioned via unshielded twisted-pair cable which would, in the absence of ISDN service, be used for regular analog telephone service or a T1/E1 connection. Typically, numerous ISDN devices connect onto this single line through a device known as an NT1, provided by the user in North America and by the carrier most everywhere else.
The number of B-channels is limited by the size of the standard trunk line used in the region; T1 in North America and Japan and E1 most everywhere else. Unlike BRI, PRI does not support a bus configuration, and only one device can be connected to a PRI line - point-to-point service. A single PRI connection is usually much less expensive than obtaining the equivalent number of B-channels through multiple BRI connections.
Unlike the B-channel, which functions as a simple pipe for user data, the D-channel is associated with higher-level protocols: Layer 2 (Q.921) and Layer 3 (Q.931) of the OSI model. Q.931 is the call-control protocol component of this definition, although various carriers tend to use variants. This Layer 3 signaling protocol is transferred on the D-channel using Link Access Procedure-D-channel (LAPD): Q.
This explains the 56 in switched-56 services, which also use 8 Kbps of a 64 Kbps channel for signaling. Any ISDN call that passes through at least one network which lacks full SS7 signaling must then limit its B-channel traffic to 56 Kbps. In such cases the ISDN equipment on both ends must be configured to put only 56 Kbps of data onto their 64 Kbps link.
Bandwidth Optimization

The XSR offers features which reduce call connection time and prevent network overhead from triggering ISDN calls. Dial-on-Demand (DoD) processes data calls strictly as needed, when interesting packets must be passed to specific destinations. Bandwidth-on-Demand (BoD) allocates ISDN bandwidth as efficiently as possible to accommodate varying traffic loads.
Security

Security is another important element of dial-up data communications, and ISDN can support the security features of protocols running through it, as well as its own unique mechanisms. ISDN, in addition to supporting the standard authentication schemes of protocols riding on it (e.g., PPP's PAP/CHAP protocols), enhances the security of dial-up connections with call number identification.
ISDN Configuration

PRI interfaces share the T1/E1 NIM card and all physical configuration values the controller can configure. The pri-group command assigns the channels (DS0s) of the T1/E1 port to ISDN module control. Interfaces are configured in one of two ways using the following commands:

The pri-group command for ISDN switching.
The channel-group command for point-to-point connections.
BRI (Switched) Configuration Model

Figure 34, shown below, illustrates how Dialer and BRI interfaces are configured on the XSR’s BRI NIM card as well as how those interfaces correlate to dialer and access lists, map classes, and dialer pools.
The following example adds a dialer pool and group, and two phone numbers to the called node’s Dialer 0 port. It also configures a second dialer pool and group, a Multilink PPP line to four B channels on the Dialer 1 interface, and maps the 192.168.1.10 network and phone number to BRI interface 1/0, as well as adds a prioritized pool member and six SPIDs.
XSR(config)#interface bri 1/2
XSR(config-if)#isdn switch-type basic-ni1
XSR(config-if)#isdn spid1 0555500001 5555000
XSR(config-if)#isdn spid2 0555700001 5557000
XSR(config-if)#dialer pool-member 1 priority 80
XSR(config-if)#no shutdown

For further explanation and more examples of Dialer interface and Multilink PPP configuration, refer to “Configuring Dialer Services” on page 1
The following T1 example adds a dialer pool and group, and two dialer strings to the node’s Dialer 0 port. It also sets all 23 B-channel timeslots, adds two prioritized pool members, and maps the T1 NIM card to the 1/0/0:23 D-channel sub-interface. You can add map class, dialer list and ACL commands not shown.

XSR(config)#interface dialer 0
XSR(config-if)#ip address 1.1.1.1 255.255.255.
Leased-Line Configuration Model

The BRI Leased Line application supports two basic modes: each B channel is routed to a different destination, or both B channels are bonded. Only one BRI-specific command is needed for this application, leased-line, which can be configured at 56, 64, 112, 128, or 144 Kbps.
More Configuration Examples

The following commands, as shown in Figure 36, add two leased lines on BRI 0//1/1 B-channels 1 and 2 with PPP and Frame Relay encapsulation on either line. You can add other serial interface commands as needed.
XSR(config-controller)#isdn calling-number 915086671234
XSR(config-controller)#no shutdown

E1 PRI

The following example configures a PRI connection on an E1 card:

XSR(config)#controller e1 1/2/2
XSR(config-controller)#pri-group
XSR(config-controller)#isdn switch-type primary-net5
XSR(config-controller)#isdn bchan-number-order descending
XSR(config-controller)#isdn
BRI Leased Frame Relay

The following example configures Frame Relay service over a multipoint leased BRI connection. For more information on Frame Relay, refer to “Configuring Frame Relay” on page 119.

ISDN (ITU Standard Q.931) Call Status Cause Codes
Chapter 10 Configuring Quality of Service

Overview

In a typical network, there are often many users and applications competing for limited system and network resources. While resource sharing on a first-come, first-served basis may suffice when your network load is light, access can freeze quickly when the network gets congested.
Features

The XSR’s QoS module allows you to:
– Classify traffic into different traffic flows using user-defined filters based on packet headers and payloads
– Meter and police traffic flows based on traffic policy
– Prioritize time-critical traffic flows and ensure that packets from these flows are serviced with bounded delay
– Share output bandwidth in a fair manner among the best-effort traffic flows
– Manage queues using two queue
Mechanisms to Provide QoS

The following table describes typical traffic classification:

Table 10 Traffic Classification

Classification Criteria: IP Precedence bits in IP header (IP only)
Description: Simple classification for IP packets only.
Additional Comments: IP Precedence bits reside inside the TOS byte of the IPv4 header and are 3 bits long, providing up to 8 levels of QoS classes.
You must perform three steps to configure a class-based classifier:

1 Define a traffic class with the class-map command.
2 Create a traffic policy by associating the traffic class with one or more QoS features (using the policy-map command).
3 Attach the traffic policy to the port or DLCI with the service-policy command.
Describing the Policy Map

The policy statement in a QoS policy-map specifies how traffic defined by the traffic class-map will be treated. Each class in a policy-map has to be assigned to one of the two types of queues: CBWFQ or Priority Queue. This includes specifying the following:

The bandwidth command assigns traffic from this class to a Class-Based Weighted Fair Queue (CBWFQ) with the specified bandwidth.
default comprises whatever remains after all other classes are served. You can configure class-default as any other CBWFQ, except that you cannot assign bandwidth to it.

Queuing and Services

Once traffic has been classified, it is placed into different queues so that each class of traffic can be treated differently (priority, bandwidth, etc.).
Configuring CBWFQ

CBWFQ is configured using the bandwidth command. It provides a minimum bandwidth guarantee during congestion. For example, policy-map keyser guarantees 30 percent of the bandwidth to class sosay and 60 percent of the bandwidth to class intrigue. If one class uses less of the requested share of bandwidth, the excess bandwidth may be used by the other class.
Configuring Priority Queues

The priority command configures priority queuing for certain packets based on the traffic class. When you specify priority for a class (using the following commands), it takes a bandwidth argument that sets the maximum bandwidth.
Assign the class frost to the priority queue:

XSR(config)#policy-map frame1
XSR(config-pmap)#class frost
XSR(config-pmap-c)#priority high 20
XSR(config-pmap-c)#queue-limit 30

Describing Traffic Policing

While it is possible to precisely control the output rate of all traffic using CBWFQ and priority queues with maximum link bandwidth, practically speaking, this is rarely done.
The bucket holding tokens for normal burst is refilled first. If the calculated Refill Token Bytes is enough to top up the normal-burst bucket to the specified burst value, the remainder of the Refill Token Bytes is added to the excess-burst bucket (refer to the formula below). The number of tokens for excess burst is also limited by the excess burst value specified in the police command.
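To make the two-bucket refill rule concrete, here is an added Python model (not XSR code): refill credits the normal-burst bucket first, the remainder spills into the excess-burst bucket up to its limit, and each packet is classified as conform, exceed or violate. The action names, the full starting state of the buckets, and the sample rate and burst values are assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class TwoBucketPolicer:
    """Single-rate policer with a normal-burst and an excess-burst token bucket.

    Token counts are in bytes; the policing rate is in bits per second.
    """
    rate_bps: int            # policing rate
    burst_bytes: int         # normal burst: size of the first bucket
    excess_bytes: int        # excess burst: size of the second bucket
    normal_tokens: int = field(init=False)
    excess_tokens: int = field(init=False)
    last_time: float = field(default=0.0, init=False)

    def __post_init__(self) -> None:
        # Assumption: both buckets start full.
        self.normal_tokens = self.burst_bytes
        self.excess_tokens = self.excess_bytes

    def refill(self, now: float) -> None:
        """Credit the bytes earned since the last packet: normal bucket first,
        the remainder to the excess bucket, each capped at its configured size."""
        elapsed = max(0.0, now - self.last_time)
        self.last_time = now
        refill_token_bytes = int(self.rate_bps * elapsed / 8)
        room = self.burst_bytes - self.normal_tokens
        to_normal = min(room, refill_token_bytes)
        self.normal_tokens += to_normal
        remainder = refill_token_bytes - to_normal
        self.excess_tokens = min(self.excess_bytes, self.excess_tokens + remainder)

    def police(self, now: float, size_bytes: int) -> str:
        """Classify one packet arriving at time `now` (seconds).

        Assumed semantics: pay from the normal bucket if it can cover the packet
        (conform); otherwise from the excess bucket (exceed); otherwise the
        packet is marked violate and no tokens are consumed.
        """
        self.refill(now)
        if size_bytes <= self.normal_tokens:
            self.normal_tokens -= size_bytes
            return "conform"
        if size_bytes <= self.excess_tokens:
            self.excess_tokens -= size_bytes
            return "exceed"
        return "violate"


def run_trace(policer: TwoBucketPolicer, packets):
    """Police a list of (arrival_time_seconds, size_bytes) and return the actions."""
    return [policer.police(t, size) for t, size in packets]


# Constructed trace: 64 kbit/s (8000 bytes/s), normal burst 8000 bytes, excess burst 16000 bytes.
SAMPLE_PACKETS = [
    (0.0, 6000),   # conform: normal bucket pays, 2000 left
    (0.0, 6000),   # exceed: normal bucket too low, excess bucket pays, 10000 left
    (0.0, 12000),  # violate: neither bucket can cover it
    (0.5, 5000),   # conform: 4000 bytes refilled into the normal bucket first
    (2.0, 8000),   # conform: normal bucket topped up, 5000 bytes spilled into excess
    (2.0, 15000),  # exceed: excess bucket (now 15000) pays in full
    (2.0, 1),      # violate: both buckets empty
]


def demo_trace():
    return run_trace(TwoBucketPolicer(64000, 8000, 16000), SAMPLE_PACKETS)


if __name__ == "__main__":
    for pkt, action in zip(SAMPLE_PACKETS, demo_trace()):
        print(pkt, action)
```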
Congestion Control & Avoidance

Describing Queue Size Control (Drop Tail)

By using delay control and congestion avoidance, you can control the number of queued-up packets. If the outgoing queue is empty when a packet is ready to be sent, the packet can be forwarded immediately to the line with minimal delay.
After a short delay, all sessions try to ramp up using slow-start in a process called Global Synchronization. The queue grows, congestion and packet drops recur, and undesirable global synchronization repeats. The end result is a distinctive “peak and trough” traffic pattern where the outgoing queue is full just before packets are dropped, and delay throughout the network is high and varies by large margins.
In the following example, class bus has a minimum threshold of 460. RED will start to randomly (with a probability between 0 and 1/10) discard packets when its queue grows over 460 packets. It will discard every packet once the queue holds more than 550 packets.

NOTE: Drop Tail and RED cannot be used on the same queue at the same time; queue-limit and random-detect are mutually exclusive.
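The drop behaviour just described, as an added Python model (not XSR code) of the random-detect thresholds for class bus (460, 550, 10) and for class2 in policy1 (34, 56, 3). It assumes the probability rises linearly between the two thresholds and uses the instantaneous queue length as the text does, leaving out the averaging a full RED implementation applies.

```python
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class RandomDetect:
    """Parameters of random-detect: minimum threshold, maximum threshold
    (both in packets) and the mark-probability denominator."""
    min_threshold: int
    max_threshold: int
    mark_prob_denominator: int

    def drop_probability(self, queue_len: int) -> float:
        """Drop probability for a packet arriving when the queue holds queue_len packets.

        At or below the minimum threshold nothing is dropped; above the maximum
        threshold every packet is dropped; in between the probability rises
        linearly (assumption) from 0 to 1/mark_prob_denominator.
        """
        if queue_len <= self.min_threshold:
            return 0.0
        if queue_len > self.max_threshold:
            return 1.0
        span = self.max_threshold - self.min_threshold
        return (queue_len - self.min_threshold) / span / self.mark_prob_denominator

    def should_drop(self, queue_len: int, draw: float) -> bool:
        """Decide for one packet given a uniform random draw in [0, 1)."""
        return draw < self.drop_probability(queue_len)


def simulate(cfg: RandomDetect, queue_lengths, seed: int = 0) -> int:
    """Count how many arriving packets RED would drop for a sequence of
    observed queue lengths (constructed input, seeded RNG)."""
    rng = random.Random(seed)
    return sum(cfg.should_drop(q, rng.random()) for q in queue_lengths)


# Values from the text: class bus (460, 550, 10) and class2 in policy1 (34, 56, 3).
CLASS_BUS = RandomDetect(460, 550, 10)
CLASS2 = RandomDetect(34, 56, 3)

if __name__ == "__main__":
    for q in (400, 460, 505, 550, 551):
        print(q, CLASS_BUS.drop_probability(q))
```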
Suggestions for Using QoS on the XSR

The XSR supports QoS on all interfaces (FastEthernet/GigabitEthernet, Serial, and Frame Relay DLCI). But you should enable QoS only on the data path that actually requires it (generally on lower speed Frame Relay and PPP interfaces), because QoS is fairly processor intensive and may adversely impact router performance. In a typical XSR environment, QoS may be enabled on the WAN link.
XSR(config-cmap)#match ip precedence 2

Create the policy map:

XSR(config)#policy-map policy1
XSR(config-pmap-policy1)#class class1
XSR(config-pmap-c)#bandwidth 200
XSR(config-pmap-c)#queue-limit 40
XSR(config-pmap)#class class2
XSR(config-pmap-c)#bandwidth 300
XSR(config-pmap-c)#random-detect 34 56 3
XSR(config-pmap)#class class-default
XSR(config-pmap-c)#que
When there is no congestion, each traffic class can use as much bandwidth as is available, except voice, which is the priority class and is rate-limited to a maximum of 20 Kbps. BECN will adaptively reduce the CIR of the DLCI but does not influence the parameters of the policy-map frame1.

Begin by creating three ACLs to define traffic classes:

XSR(config)#access-list 101 permit udp 192.168.1.0 0.0.0.
Configure map class parameters and apply the policy to the ports:

XSR(config)#map-class frame-relay cc
XSR(config-map-class)#frame-relay cir 64000
XSR(config-map-class)#frame-relay adaptive-shaping becn
XSR(config-map-class)#frame-relay bc 8000
XSR(config-map-class)#frame-relay be 16000
XSR(config-map-class)#service-policy out frame1
!
XSR(config)#interface serial 1/1
XSR(config-if)#encapsulation frame-rela
Chapter 11 Configuring the Virtual Private Network

VPN Overview

As it is most commonly defined, a Virtual Private Network (VPN) allows two or more private networks to be connected over a publicly accessed network. VPNs share some similarities with Wide Area Networks (WAN), but the key feature of VPNs is their use of the Internet rather than reliance on expensive, private leased lines.
Impersonation - Information passes to a person who poses as the intended recipient. Impersonation can take two forms:
– Spoofing - A person can pretend to be someone else. For example, a person can pretend to have the email address jdoe@acme.com, or a computer can identify itself as a site called www.acme.com when it is not. This type of impersonation is known as spoofing.
How a Virtual Private Network Works

VPNs provide an advanced combination of tunneling, encryption, authentication and access control technologies and services to carry traffic over the Internet, a managed IP network or a provider's backbone. Traffic reaches these backbones using any combination of access technologies, including Ethernet, T1, Frame Relay, ISDN, or simple dial access. VPNs use familiar networking technology and protocols.
Ensuring VPN Security with IPSec/IKE

The key word in Virtual Private Networks is private. To ensure the security of sensitive corporate data, the XSR relies chiefly on IPSec, the standard framework of security protocols. IPSec is not a single protocol but a suite of protocols providing data integrity, authentication and privacy.
The IP Encapsulating Security Payload (ESP), described in RFC-2406, performs confidentiality in addition to integrity and authentication checks, but it does not check the integrity of the IP header. As in AH, ESP uses HMAC with MD5 or SHA-1 authentication (RFC-2403/2404); privacy is provided using DES-CBC (RFC-2405), 3DES or AES encryption. Two types of modes are defined in IPSec, tunnel and transport.
Using IPSec along with Network Address Translation (NAT) might be problematic because while AH is used to ensure that the packet header is not changed during transmission, NAT does the opposite - it changes the IP or layer 4 (UDP or TCP) header. AH cannot be used when NAT must be crossed to reach the other end of the tunnel.
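An added Python illustration (not XSR code) of why AH fails across NAT while ESP does not: the AH integrity check covers the immutable IP header fields, addresses included, whereas the ESP check covers only the ESP header and the encapsulated data. The addresses, key and payloads are constructed, and the AH header itself is left out of the ICV input for brevity.

```python
import hashlib
import hmac
import struct

# Constructed demo key; on the XSR the SA keys come from IKE.
KEY = b"constructed-demo-integrity-key"

AH = 51    # IP protocol numbers
ESP = 50


def ip4(addr: str) -> bytes:
    return bytes(int(o) for o in addr.split("."))


def ipv4_header(src: str, dst: str, proto: int, ttl: int = 64, total_len: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (header checksum left at zero for brevity)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0,
                       ttl, proto, 0, ip4(src), ip4(dst))


def zero_mutable_fields(ip_hdr: bytes) -> bytes:
    """AH authenticates the IP header with the fields that legitimately change
    in transit (TOS, flags/fragment offset, TTL, checksum) zeroed.  The
    addresses are not among them, so they are covered by the ICV."""
    h = bytearray(ip_hdr)
    h[1] = 0                 # TOS
    h[6:8] = b"\x00\x00"     # flags and fragment offset
    h[8] = 0                 # TTL
    h[10:12] = b"\x00\x00"   # header checksum
    return bytes(h)


def hmac_sha1_96(data: bytes, key: bytes = KEY) -> bytes:
    """HMAC-SHA-1-96 as used by AH/ESP (RFC 2404): 160-bit tag truncated to 96 bits."""
    return hmac.new(key, data, hashlib.sha1).digest()[:12]


def ah_icv(ip_hdr: bytes, payload: bytes) -> bytes:
    """AH ICV input: immutable IP header fields plus everything after the header."""
    return hmac_sha1_96(zero_mutable_fields(ip_hdr) + payload)


def esp_icv(esp_hdr: bytes, payload: bytes) -> bytes:
    """ESP ICV input: ESP header (SPI, sequence) plus the encapsulated data.
    The outer IP header is deliberately not part of it."""
    return hmac_sha1_96(esp_hdr + payload)


def nat_rewrite_source(ip_hdr: bytes, new_src: str) -> bytes:
    """What a NAT device does on the way out: replace the source address."""
    h = bytearray(ip_hdr)
    h[12:16] = ip4(new_src)
    return bytes(h)


def ah_survives_nat(inside_src: str, nat_src: str, dst: str) -> bool:
    """Sender computes the AH ICV, NAT rewrites the source, receiver recomputes."""
    payload = b"constructed AH-protected payload"
    sent_hdr = ipv4_header(inside_src, dst, AH)
    icv = ah_icv(sent_hdr, payload)
    received_hdr = nat_rewrite_source(sent_hdr, nat_src)
    return hmac.compare_digest(icv, ah_icv(received_hdr, payload))


def esp_survives_nat(inside_src: str, nat_src: str, dst: str) -> bool:
    """Same exchange with ESP: the receiver authenticates only what follows the outer header."""
    payload = b"constructed ESP-encapsulated payload"
    esp_hdr = struct.pack("!II", 0x1000, 1)   # SPI, sequence number
    sent_hdr = ipv4_header(inside_src, dst, ESP)
    icv = esp_icv(esp_hdr, payload)
    nat_rewrite_source(sent_hdr, nat_src)      # the outer header changes in transit ...
    return hmac.compare_digest(icv, esp_icv(esp_hdr, payload))   # ... but the ICV input does not


if __name__ == "__main__":
    print("AH through NAT :", ah_survives_nat("10.1.1.5", "203.0.113.7", "198.51.100.9"))
    print("ESP through NAT:", esp_survives_nat("10.1.1.5", "203.0.113.7", "198.51.100.9"))
```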
Describing Public-Key Infrastructure (PKI)

As a general rule, longer encryption keys are stronger. The bit length of the algorithm determines the amount of effort required to crack the system using a brute force attack, where computers are combined to calculate all the possible key permutations.
It is possible to use your private key for encryption and public key for decryption. Although this is not desirable when you are encrypting sensitive data, it is a crucial part of digitally signing any data. Instead of encrypting the data itself, the signing software creates a one-way hash of the data, then uses your private key to encrypt the hash.
Machine Certificates for the XSR

Certificates are used by the IKE subsystem to establish SAs for IPSec tunneling. Key information in the certificates is used to identify other IPSec clients to the XSR and vice versa. In order to utilize certificates on the XSR you must manually collect the certificates for one or more CAs (depending on your configuration) and enroll a certificate for the router.
It is also possible to delegate certificate-issuing responsibilities to subordinate CAs. The X.509 standard includes a model for setting up a hierarchy of CAs. As shown in Figure 40, the root CA is at the top of the hierarchy. The root CA's certificate is a self-signed certificate: that is, the certificate is digitally signed by the same entity - the root CA - that the certificate identifies.
[Figure 40 (labels only): Root CA (CA certificate signed by self; trusted authority); Intermediate CAs: Asia CA, U.S. CA, Europe CA (CA certificate signed by Root CA authority); Sales CA, Marketing CA, Admin CA (CA certificate signed by U.S.]
The XSR will automatically verify the certificate chain structure associated with any IPSec client certificate once it manually collects certificates for all CAs in the chain. This includes the chain that exists for the certificate enrolled by the XSR and chains for any IPSec peer who will establish tunnels with the router.
Once retries are exhausted, the enrollment becomes invalid and you must enroll again; each poll request and its result are logged in detail by the XSR. Ask your CA administrator what these values should be set to.

Enroll Password

Another way to verify where an IPSec client enrollment originates is to have the CA administrator issue a specific password for your enrollment.

DF Bit Functionality
This feature specifies whether the router can clear, set, or copy the DF bit in the encapsulating header. It is available only for IPSec tunnel mode; transport mode is not affected because it does not have an encapsulating IP header.

VPN Applications
– Tunnels are more easily scalable in multiple router topologies
– Network management is more robust

Remote Access - XSR functions as a tunnel server, establishing dial-up connections with clients over the Internet via local ISPs.
[Figure 42 VPN Site-to-Site Topology (labels only): XSR/VPN Gateway, Internet, XSR/VPN Gateway; VPN tunnel; routing updates in both directions]

It is important to note that routers/VPN gateways which terminate tunnels cannot reside behind a NAT device because external addresses must be valid, routable addresses. This factors into a site-to-site tunnel scenario where both XSRs play an equivalent role and any VPN gateway can initiate a tunnel.
Site-to-Central-Site Networks

In a Site-to-Central-Site application, connecting nodes are not equivalent. One node initiates a connection and the other accepts the connection. In practice, the node initiating the connection represents the smaller entity and connects to the bigger corporate network. Since the connection is always initiated by one site, the initiating node can reside behind an ISP-operated NAT device.
Client Mode

In the Client scenario, a private LAN residing behind the XSR is hidden from the corporate network. When the XSR connects to the Central site tunnel server, the tunnel server assigns the router an IP address which can be chosen from an internal pool kept by the tunnel server or from a DHCP server located on the corporate network. Hosts residing on the private LAN obtain IP addresses from a DHCP server running within the XSR.
on the corporate network. In this application the XSR must support the DHCP Relay protocol (RFC-3046) to extend hosts' DHCP requests for IP addresses. An obvious limitation of this configuration is that hosts cannot obtain IP addresses before a tunnel to the corporate network is created.
Depending on the protocol, the remote access scenario may require user authentication as well as machine authentication. A user database may be located on the XSR itself or on a RADIUS server. After a tunnel has been built, the XSR may advertise routing information about the corporate network to the client, which can use this information to share its Internet connection between the secure tunnel and public services on the Internet.
OSPF Commands

The same OSPF commands available for configuration in FastEthernet/GigabitEthernet or Serial Interface mode are available in Interface VPN mode.
[Figure (labels only): Corporate network; Server: F1, VPN 1 (point-to-multipoint interface; terminates, not initiates, tunnels), F2; INTERNET; NAT; Client: VPN 1 (point-to-point interface; this endpoint’s IP address is assigned by the server; the other tunnel endpoint’s IP address is configured on the server’s VPN interface), F2, F1 (private segment invisible from server); to another client]
Server

FastEthernet 1 interface: This is the trusted side of the network on the XSR. It may consist of more than one IP segment. A network attached to FastEthernet 1 will be advertised in an OSPF area.

VPN 1 interface: OSPF is required here to establish adjacency with connecting clients. From the point of view of OSPF, a set of connected clients is treated as a point-to-multipoint network.
The commands to configure this scenario are illustrated on page 277.

Configuring OSPF Over Site-to-Site in Network Extension Mode

Compared to Site-to-Site Client Mode configuration, Network Extension Mode is more flexible at the cost of a more sophisticated configuration. As shown in Figure 46, NAT is not used on the VPN interface at the client site as it is in the Client Mode application.
Server

Apply the same settings as in the site-to-site scenario using Client Mode. OSPF is enabled on F1 and VPN 1 interfaces and is disabled on F2.

Client

Similar to the Client Mode model, OSPF is enabled on VPN 1 and disabled on FastEthernet 2. Additionally, OSPF is enabled on FastEthernet 1 because the route to network FastEthernet 1 should be learned at the central site's network.
Configuring OSPF with Fail Over

In this scenario, the client initiates two tunnels to two servers which are connected on their trusted sites. With alternative paths to the trusted network behind the server (via the client's two tunnels), OSPF learns two paths of identical costs but uses the first learned path. Should the tunnel serving that path become non-functional, OSPF recalculates the routes and uses the alternate path.
[Figure 47 OSPF Used with Failover (labels only): Corporate network; Server 1: F1, VPN 1, F2; Server 2: F1, VPN 1, F2; INTERNET; Client: VPN 1, VPN 2, F2, F1 (segment is extension of corporate network)]

To test this configuration, attach an FTP server to the corporate network and an FTP client to the client's network with the hello-interval set to 2 seconds and dead-interval to 6 seconds on the VPN interfaces.
As mentioned earlier, OSPF may advertise a network’s reachability but IPSec policies may deny access to that network. To avoid that situation, you may extend crypto maps attached to interfaces, but this requires prior knowledge of networks advertised by OSPF, which renders OSPF’s dynamic network discovery useless. In this case, OSPF is used only for monitoring the links and providing alternate routes in case of link failure.
Data integrity
– MD5 and SHA-1 algorithms

Internet Protocol Security (IPSec)
– Encapsulating Security Payload (ESP), Authentication Header (AH) and IPComp
– Tunnel and Transport mode
– Diffie-Hellman Groups 1, 2 and 5
– Mode Config for IP address assignment
– NAT Traversal via UDP encapsulation

Public Key Infrastructure (PKI)
– Microsoft Certificate Authority (CA) support
– Simple Certificate Enrollment P

VPN Configuration Overview
Next, perform the following:
– Generate a master key once on the XSR
– Define a Security Policy Database (SPD) by configuring crypto ACLs which specify the type of traffic to be secured
– Specify policies - IKE and IPSec transform-sets which spell out authentication, encryption, data integrity, policy lifetime, and other parameters to use when negotiating IPSec Security Associations (SAs) with IPSec peers.
ACL Configuration Rules

Consider a few general rules when configuring ACLs on the XSR:

Typically, two ACL sets are written, one set to filter IPSec/IKE traffic (defined in crypto maps), and a simple set to filter non-IPSec traffic. When crypto maps and ACLs are configured on the same interface, the XSR gives precedence to the crypto map, which is always consulted before the ACL for both inbound and outbound traffic.
XSR(config)#interface FastEthernet2
XSR(config-if)#no shutdown
XSR(config-if)#ip access-group 101 in
XSR(config-if)#ip access-group 102 out
XSR(config-if)#ip address 141.154.196.87 255.255.255.192

If an XSR is configured as a VPN gateway, the external interface (FastEthernet 2, e.g.
XSR(config)#access-list 102 permit gre any any
XSR(config)#access-list 102 permit tcp any any eq 80
XSR(config)#access-list 102 permit tcp any any eq 1723
XSR(config)#access-list 102 permit tcp any any eq 1701
XSR(config)#access-list 102 permit tcp any any eq 389
XSR(config)#access-list 102 deny ip any any
XSR(config)#interface fastethernet 2
XSR(config-if)#ip access-group 101 in
XSR(config-if)#ip access-group 102 out
Security Policy Considerations

You should be aware of these considerations when configuring security policy:

DES is a weaker form of encryption than 3DES and provides a lower level of security than the newer algorithm. We recommend 3DES.

Selecting any Perfect Forward Secrecy (PFS) option will make each generated key used in data encryption independent of previous keys.
Creating Crypto Maps

Crypto maps filter and classify packets as well as define the policy to be applied to those packets. Filtering/classifying affects the traffic flow on an interface while policy affects the negotiation performed (via IKE) on behalf of that traffic. IPSec crypto maps link definitions of the following:
– Which traffic should be protected by ACLs, set with match address.
XSR(config-crypto-m)#set transform-set esp-3des-sha
XSR(config-crypto-m)#match address 40
XSR(config-crypto-m)#set peer 192.168.45.12
XSR(config-crypto-m)#no set security-association level per-host

Authentication, Authorization and Accounting Configuration

The XSR’s AAA implementation configures all authentication, authorization and accounting characteristics of users (Remote Access) and peer gateways (Site-to-Site).
– ip address and group set the IP address and usergroup assigned to the remote user.

Configures RADIUS, local or PKI databases with the aaa method command as well as the following sub-commands:
– acct-port sets the UDP port for accounting requests.
– address specifies the RADIUS server address with either a host name or IP address.
XSR(aaa-group)#wins server primary 112.16.1.16
XSR(aaa-group)#wins server secondary 112.16.1.
Remove individual certificates using the following commands:
– crypto ca certificate chain
– no certificate - The serial number can be found in the show crypto ca certificates command.

Remove CA identities and all associated CA and IPSec client certificates by entering no crypto ca identity.
1 Begin by asking your CA administrator for your CA name and URL. The CA’s URL defines its IP address, path and default port (80). You can verify the CA server address manually by pinging its IP address.
2 Be sure that the XSR time setting is correct according to the UTC time zone so that it is synchronized with the CA’s time.
Fingerprint: D423E129 81904CE0 1E6D0FE0 A123A302
Certificate Size: 1157 bytes

RA KeyEncipher Certificate - PKItestca1-rae
State: CA-AUTHENTICATED
Version: V3
Serial Number: 458128935273366930063530
Issuer: MAILTO=foo@foo.
Remember that if you create a password, save it so it can be used later in case you need to revoke the CA. Respond yes to all questions and jot down the certificate serial number for comparison purposes.

XSR(config)#crypto ca enroll PKItestca1
%
% Start certificate enrollment
% Create a challenge password. You will need to verbally provide this password to the CA Administrator in order to revoke your certificate.
Valid To: 2003 Aug 29th, 16:01:58 GMT
Subject: CN=Enterasys Networks X-pedition Series 3526015000250142
Fingerprint: ABF37B67 7200CCDA 604CB10C D5AC7F49
Certificate Size: 1590 bytes

CA Certificate - PKItestca1
State: CA-AUTHENTICATED
Version: V3
Serial Number: 6083684655030387331394927502614112809
Issuer: MAILTO=foo@foo.
Subject: MAILTO=SCEP, C=US, ST=MA, L=Andover, O=Enterasys Networks, OU=Engineering, CN=Scep
Fingerprint: 91EB5A77 B5CA535A 077B65C5 65035615
Certificate Size: 1695 bytes

9 Optional. Change the enrollment retry count and period to a value matching your CA administrator’s needs. These values handle “non-pending” mode at the CA when a certificate request could time out while waiting for a response.
tunnel + Names a site-to-site VPN tunnel
set heartbeat + Enables and configures tunnel connectivity monitoring
set protocol (ipsec) + Selects a tunnel protocol
set active + Brings the tunnel up
set user + Designates the user name when initiating a tunnel and obtains credentials from the AAA subsystem
set peer + Sets the IP address of the peer

Configuring a Simple VPN Site-to-Site Application

The followin
the VPN. In the context of VPN configuration, permit means protect or encrypt, and deny indicates don’t encrypt or allow as is.

XSR(config)#access-list 120 permit ip 141.154.196.64 0.0.0.63 63.81.66.0 0.0.0.255
XSR(config)#access-list 130 permit ip 63.81.64.0 0.0.0.255 63.81.66.0 0.0.0.255
XSR(config)#access-list 140 permit ip 63.81.68.0 0.0.0.255 63.81.66.0 0.0.0.
lifetime. You can specify an SA lifetime in seconds and in kilobytes; whichever value runs out first will cause a rekey.
XSR(config-crypto-m)#match address 130 + Applies map to ACL 130 and renders the ACL bi-directional
XSR(config-crypto-m)#set peer 1.1.1.2 + Attaches map to peer
XSR(config-crypto-m)#mode [tunnel | transport] + Selects IPSec mode
XSR(config-crypto-m)#set security-association level per-host + Sets a separate SA for every traffic flow

Configuring the XSR VPN interface is the last main task to perform to set up the VPN.
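The permit/deny meaning of a crypto ACL and the bidirectional effect of match address, as an added Python model (not XSR code) of how a flow is classified against ACLs 120 and 130 above. First-match evaluation is an assumption, and the deny host entry in the sample is constructed to show traffic exempted from protection.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Selector:
    """An address/wildcard pair; a 1 bit in the wildcard means "don't care"."""
    address: int
    wildcard: int

    def matches(self, ip: str) -> bool:
        return (int(ipaddress.IPv4Address(ip)) | self.wildcard) == (self.address | self.wildcard)


@dataclass(frozen=True)
class CryptoAce:
    number: int
    action: str      # "permit" (protect) or "deny" (send as is)
    src: Selector
    dst: Selector


def _parse_selector(tok, i):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' starting at tok[i]."""
    if tok[i] == "any":
        return Selector(0, 0xFFFFFFFF), i + 1
    if tok[i] == "host":
        return Selector(int(ipaddress.IPv4Address(tok[i + 1])), 0), i + 2
    return Selector(int(ipaddress.IPv4Address(tok[i])),
                    int(ipaddress.IPv4Address(tok[i + 1]))), i + 2


def parse_crypto_acl(text: str):
    """Parse 'access-list N permit|deny ip SRC DST' lines (XSR prompt optional)."""
    aces = []
    for line in text.splitlines():
        tok = line.strip().replace("XSR(config)#", "").split()
        if not tok:
            continue
        if tok[0] != "access-list" or tok[2] not in ("permit", "deny") or tok[3] != "ip":
            raise ValueError(f"unsupported ACL line: {line!r}")
        src, i = _parse_selector(tok, 4)
        dst, _ = _parse_selector(tok, i)
        aces.append(CryptoAce(int(tok[1]), tok[2], src, dst))
    return aces


def crypto_decision(aces, acl_number: int, src: str, dst: str) -> str:
    """'protect' if a permit entry of the ACL matches the flow, else 'bypass'.

    Entries are tried in order and the first match wins (assumption).  Because
    'match address' makes the ACL bidirectional, an entry also matches the
    mirror-image flow, so return traffic is classified consistently.
    """
    for ace in aces:
        if ace.number != acl_number:
            continue
        forward = ace.src.matches(src) and ace.dst.matches(dst)
        reverse = ace.src.matches(dst) and ace.dst.matches(src)
        if forward or reverse:
            return "protect" if ace.action == "permit" else "bypass"
    return "bypass"


# ACLs 120 and 130 from the text, plus one constructed deny entry that exempts a
# single host from ACL 130 (placed first, since the first match wins).
SAMPLE_ACLS = """
XSR(config)#access-list 120 permit ip 141.154.196.64 0.0.0.63 63.81.66.0 0.0.0.255
XSR(config)#access-list 130 deny ip host 63.81.64.99 any
XSR(config)#access-list 130 permit ip 63.81.64.0 0.0.0.255 63.81.66.0 0.0.0.255
"""
ACES = parse_crypto_acl(SAMPLE_ACLS)

if __name__ == "__main__":
    for flow in [("63.81.64.10", "63.81.66.7"), ("63.81.66.7", "63.81.64.10"),
                 ("63.81.64.99", "63.81.66.7"), ("63.81.65.1", "63.81.66.7")]:
        print(flow, crypto_decision(ACES, 130, *flow))
```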
Configuring the VPN Using EZ-IPSec

– Supporting RIPv2 and OSPF through the tunnel

The security policy automatically created by crypto ezipsec specifies transform-sets for IPSec ESP using 3DES and AES encryption with SHA-1 and MD5 integrity algorithms. Also, IPSec SA lifetimes are set to 100 MBytes and 3600 seconds; whichever value is reached first will cause a rekey.
XSR(config)#interface vpn 1 point-to-point + Sets VPN interface 1 to initiate a tunnel connection and acquires VPN interface mode.
Configuration Examples

XSR with VPN - Central Gateway

In this scenario, as illustrated in Figure 49, a Central VPN gateway is configured to perform the following:
– Terminate NEM and Client mode tunnels
– Terminate remote access L2TP/IPSec tunnels
– Terminate PPTP remote access tunnels
– OSPF routing with the next hop corporate router on the trusted VPN interface
– DF bit clear on the public VPN interface to handle large no
Begin by setting the XSR system time via SNTP. This configuration is critical for XSRs which use time-sensitive certificates.

XSR(config)#sntp-client server 10.120.84.
XSR(cfg-crypto-tran)#set security-association lifetime kilobytes 10000

Configure the following four crypto maps to match ACLs 150, 140, 120, and 110:

XSR(config)#crypto map test 50
XSR(config-crypto-m)#set transform-set esp-3des-sha
XSR(config-crypto-m)#match address 150
XSR(config)#crypto map test 40
XSR(config-crypto-m)#set transform-set esp-3des-sha
XSR(config-crypto-m)#match address 140
XSR(config)#crypto map test 20
XSR(config-
XSR(config-int-vpn)#firewall disable
XSR(config-int-vpn)#ip address 10.120.70.1 255.255.255.0
XSR(config-int-vpn)#ip ospf priority 10
XSR(config-int-vpn)#ip ospf network nbma

Add a default route to the next hop Internet gateway:

XSR(config)#ip route 0.0.0.0 0.0.0.0 141.154.196.93

Define an IP pool for distribution of tunnel addresses to all client types:

XSR(config)#ip local pool test 10.120.70.
XSR(aaa-group)#dns server secondary 0.0.0.0
XSR(aaa-group)#wins server primary 10.120.112.220
XSR(aaa-group)#wins server secondary 0.0.0.
Configure the Network Extension Mode tunnel, a site-to-site IPSec tunnel to the central site XSR (Robo6):

XSR(config)#interface vpn 1 point-to-point
XSR(config-int-vpn)#ip address neg
XSR(config-int-vpn)#tunnel Pipe
XSR(config-tms-tunnel)#set user certificate
XSR(config-tms-tunnel)#set protocol ipsec network
XSR(config-tms-tunnel)#set active
XSR(config-tms-tunnel)#set peer 141.154.196.
The peer router configuration follows. Note that this interoperability sample uses MD5 hashing, a pre-shared key of "welcome" and an unencrypted enable password; treat these as lab values only and replace them in any production deployment.
service timestamps log uptime
no service password-encryption
hostname Cisco2600
enable secret 5 $1$9ljt$kg86F7Y1vsa2Np0Zj5wDf1
enable password welcome
ip subnet-zero
ip host spatel 192.168.1.1
crypto isakmp policy 1
 hash md5
 authentication pre-share
 group 2
 lifetime 1200
crypto isakmp policy 20
 hash md5
 authentication pre-share
 lifetime 1200
crypto isakmp key welcome address 192.168.2.
interface FastEthernet0/0
 ip address 192.168.3.5 255.255.255.0
 speed auto
 half-duplex
 no cdp enable
interface FastEthernet0/1
 ip address 192.168.2.5 255.255.255.0
 duplex auto
 speed auto
 no cdp enable
 crypto map regular
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.2.1
ip route 192.168.1.0 255.255.255.0 192.168.2.2
ip http server
ip pim bidir-enable
access-list 110 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.
XSR Configuration
XSR(config)#access-list 120 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
XSR(config)#crypto isakmp proposal test
XSR(config-isakmp)#authentication pre-share
XSR(config-isakmp)#encryption des
XSR(config-isakmp)#hash md5
XSR(config)#crypto isakmp peer 0.0.0.0 0.0.0.
Interoperability Profile for the XSR

Scenario 1: Gateway-to-Gateway with Pre-Shared Secrets

This section describes how to configure the XSR according to the VPN Consortium's interoperability scenarios (http://www.vpnc.org/). The following is a typical gateway-to-gateway VPN that uses a pre-shared secret for authentication, as illustrated in Figure 50.
[Figure 50: Gateway A with LAN 10.5.6.0/24 and Gateway B with LAN 172.23.9.0/24 connected over the Internet; the remaining figure labels are truncated]
– SHA-1
– ESP tunnel mode
– MODP group 2 (1024 bits)
– Perfect forward secrecy for rekeying
– SA lifetime of 3600 seconds (one hour) with no Kbytes rekeying
– Selectors for all IP protocols, all ports, between 10.5.6.0/24 and 172.23.9.0/24, using IPv4 subnets
This configuration assumes you have already set up the XSR for basic operations (refer to the XSR Getting Started Guide).
6 Configure IKE policy Safe for the Gateway B remote peer. Optionally, multiple IKE proposals can be configured on each peer participating in IPSec.
XSR(config)#crypto isakmp peer 22.23.24.25 255.255.255.
Reply from 172.23.9.5: 10ms
Reply from 172.23.9.5: 10ms
Reply from 172.23.9.5: 10ms
Packets: Sent = 5, Received = 5, Lost = 0
You can also issue the following show commands to examine Phase 1 and Phase 2 settings, respectively. When the tunnel is up, the commands display the following output:
XSR#show crypto isakmp sa
Connection-ID  State    Source
--------------------------
4561           QM_IDLE  14.15.16.
Gateway B connects the internal LAN 172.23.9.0/24 to the Internet. Gateway B's WAN (Internet) interface has the address 22.23.24.25. Gateway B's LAN interface address, 172.23.9.1, can be used for testing IPsec but is not needed for configuring Gateway A.
2 Be sure that the XSR time setting is correct according to the UTC time zone so that it is synchronized with the CA's time. For example:
XSR(config)#clock timezone -7 0
3 Specify the enrollment URL, authenticate the CA and retrieve the root certificate. Compare the fingerprint the XSR displays for the retrieved root certificate against the fingerprint published on the CA's Web site or obtained from the CA operator through another out-of-band channel. The displayed fingerprint is computed from the certificate the XSR just downloaded, so only a match with an independently obtained value proves that the CA is genuine and not a fake.
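The fingerprint comparison in step 3 is easy to get wrong by hand because CAs publish the value in different layouts (colon-separated, space-separated, upper or lower case). The following is an added example, not code from the XSR guide or from Enterasys: it computes the SHA-1 and MD5 fingerprints of a DER-encoded certificate the way CAs publish them and compares them to a printed value regardless of layout. CONSTRUCTED_DER is a stand-in byte string, not a real certificate; in practice pass it the bytes of the root CA's DER file.

```python
# Added example (not from the XSR guide): compare a retrieved root
# certificate's fingerprint with the value published out-of-band by the CA.
import hashlib
import re

# Constructed stand-in for a DER-encoded certificate; not a real certificate.
CONSTRUCTED_DER = b"\x30\x82\x01\x0a" + bytes(range(256)) + b"\x00" * 10


def fingerprint(der, algorithm="sha1"):
    """Colon-separated upper-case hex digest over the whole DER encoding,
    which is the form most CA web pages print."""
    digest = hashlib.new(algorithm, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(printed):
    """Strip separators and whitespace so 'ab:cd', 'AB CD' and 'abcd'
    compare equal; reject anything that is not an even run of hex digits."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", printed)
    if not hexdigits or len(hexdigits) % 2:
        raise ValueError("printed fingerprint is not a hex digest")
    return hexdigits.upper()


def fingerprint_matches(der, printed):
    """True only if the printed value equals the SHA-1 (40 hex digits) or
    MD5 (32 hex digits) fingerprint of der; any other length is rejected."""
    expected = normalize(printed)
    algorithm = {40: "sha1", 32: "md5"}.get(len(expected))
    if algorithm is None:
        return False
    computed = hashlib.new(algorithm, der).hexdigest().upper()
    return computed == expected


if __name__ == "__main__":
    print("SHA1:", fingerprint(CONSTRUCTED_DER))
    print("MD5: ", fingerprint(CONSTRUCTED_DER, "md5"))
    print("match:", fingerprint_matches(CONSTRUCTED_DER, fingerprint(CONSTRUCTED_DER)))
```

Run it against the DER file of the root certificate the XSR retrieved (or the fingerprint it prints) and the value copied from the CA's Web page; a mismatch means the enrollment must not proceed.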
State: CA-AUTHENTICATED
Version: V3
Serial Number: 458128935273366930063530
Issuer: MAILTO=foo@foo.
For security reasons your password will not be saved in the configuration. Please make a note of it.
Password:****
Re-enter password:****
Include the router serial number in the subject name (y/n) ? y
The serial number in the certificate will be: 3526015000250142
Request certificate from CA (y/n) ? y
You may experience a short delay while RSA keys are generated.
CA Certificate - PKItestca1
State: CA-AUTHENTICATED
Version: V3
Serial Number: 6083684655030387331394927502614112809
Issuer: MAILTO=foo@foo.com, C=US, ST=MA, L=Andover, O=Ent Sys, OU=Sales, CN=PKI Certificate Authority
Valid From: 2002 Jun 4th, 12:40:46 GMT
Valid To: 2004 Jun 4th, 12:48:15 GMT
Subject: MAILTO=foo@foo.
12 Configuring DHCP

Overview of DHCP

The Dynamic Host Configuration Protocol (DHCP) allocates and delivers configuration values, including IP addresses, to Internet hosts. DHCP consists of two components: a protocol for delivering host-specific configuration parameters from a DHCP Server to a host, and a mechanism for allocating network addresses to hosts. Recent extensions to the DHCP protocol extend it to high-availability, authenticated and QoS-dependent configuration of Internet hosts.
Features

The XSR offers the following DHCP features:
– Persistent storage/database of network values for network clients.
– Persistent storage of network client lease states kept across reboot.
– Temporary or permanent network (IP) address allocation to clients.
– Network configuration parameter assignment to clients.
How DHCP Works

DHCP's client-server model defines a set of messages exchanged between two systems. A simplified description of client-server communications follows:
1 A client issues a broadcast message (DISCOVER) to locate available DHCP Servers on its local subnet. This message may include suggested values for the network address and duration of a lease. Also, BOOTP relay agents may pass the message on to DHCP Servers not on the same physical subnet.
DHCP Services

The DHCP services comprising the Bindings Database, leases, network options, and Client Class configuration are described below.

Persistent Storage of Network Parameters for Clients

The first DHCP service is persistent storage of network parameters for network clients, also known as the bindings database.
For example, the server may choose the least recently assigned address. As a consistency check, the allocating server will also probe the reused address before allocating the address - e.g., with an ICMP echo request - and the client will also probe the newly received address - e.g., with ARP.
Nested Scopes: IP Pool Subsets

As mentioned earlier, one of the main functions of the DHCP Server is to allocate IP addresses to clients. In that process, the DHCP Server works with three scopes, or resource sets, responsible for aggregated DHCP attributes: Pools or subnets, Client Classes, and Hosts. Scopes can be assigned other attributes as well as IP addresses, and can nest these attributes hierarchically much like files are organized in a directory tree.
Scope Caveat

Keep the following caveat in mind when configuring scopes: IP address pools may not be configured to overlap. The following conditions apply:
– IP local pools may have multiple DHCP Servers per subnet for redundancy
– Each DHCP Server should have a unique address pool that does not overlap pools on other DHCP servers
For example, a correct IP range would be configured as follows: On subnet 90.1.1.0/24, the DHCP Server A range can be from 90.1.1.
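A pre-deployment check for the caveat above is simple to script. The following is an added example, not code from the XSR guide or from Enterasys: it validates each pool (inside its subnet, not touching the network or broadcast address) and reports every pair of pools whose ranges intersect. The pool definitions are constructed for the example and mirror the guide's two-server split of 90.1.1.0/24.

```python
# Added example (not from the XSR guide): detect overlapping DHCP pools
# on redundant servers before the configuration is deployed.
from ipaddress import IPv4Address, IPv4Network
from itertools import combinations

# Constructed: two servers sharing 90.1.1.0/24 with disjoint ranges.
POOLS = {
    "serverA": ("90.1.1.0/24", "90.1.1.10", "90.1.1.99"),
    "serverB": ("90.1.1.0/24", "90.1.1.100", "90.1.1.199"),
}


def parse_pool(subnet, first, last):
    """Validate one pool and return (network, first_as_int, last_as_int)."""
    net = IPv4Network(subnet)
    lo, hi = IPv4Address(first), IPv4Address(last)
    if lo > hi:
        raise ValueError(f"pool {first}-{last}: first address is above last")
    if lo not in net or hi not in net:
        raise ValueError(f"pool {first}-{last} lies outside {net}")
    if lo == net.network_address or hi == net.broadcast_address:
        raise ValueError(f"pool {first}-{last} includes the network or broadcast address")
    return net, int(lo), int(hi)


def find_overlaps(pools):
    """Return [(name_a, name_b, first_shared, last_shared), ...] for every
    pair of pools whose address ranges intersect; [] means the pools can
    be deployed side by side."""
    parsed = {name: parse_pool(*spec) for name, spec in pools.items()}
    clashes = []
    for (a, (_, lo_a, hi_a)), (b, (_, lo_b, hi_b)) in combinations(parsed.items(), 2):
        lo, hi = max(lo_a, lo_b), min(hi_a, hi_b)
        if lo <= hi:  # closed integer ranges intersect
            clashes.append((a, b, str(IPv4Address(lo)), str(IPv4Address(hi))))
    return clashes


if __name__ == "__main__":
    print("overlaps in POOLS:", find_overlaps(POOLS))
    # A third server whose range straddles both existing pools.
    bad = dict(POOLS, serverC=("90.1.1.0/24", "90.1.1.50", "90.1.1.120"))
    for a, b, lo, hi in find_overlaps(bad):
        print(f"{a} and {b} both offer {lo}-{hi}")
```

Feed it the ranges from every ip local pool that serves the same subnet; any tuple returned is an address that two servers could lease to two different clients at once.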
2 Enter host address [mask | prefix-length] to specify the IP address and subnet mask of the client. The prefix length sets the number of bits that comprise the address prefix. The prefix is an alternative to specifying the network mask of the client. The prefix length must be preceded by a forward slash (/).
3 Perform one of the following actions:
– Specify a hardware address for the client.
Create manual bindings of IP addresses and client hardware addresses - Manual bindings are comprised of:
– host - the DHCP client's IP address and subnet mask or prefix length, entered with host
– hardware-address - the DHCP client's MAC address and platform protocol, entered with hardware-address, or
– client-identifier - the DHCP client's unique marker, its combined media type and MAC address, entered with client-identifier.
Use ip dhcp ping timeout to specify the period the server must wait before timing out a ping request.
Monitor and maintain DHCP Server services by issuing the following show commands. show ip dhcp bindings displays bindings data on the DHCP Server including lease expiration dates. show ip dhcp conflict displays address conflicts found by a DHCP Server when addresses are offered to the client.
Configuration Steps

Only four steps are required to minimally configure DHCP. They are:
– Create an IP Local Client Pool
– Create a Corresponding DHCP Pool
– Configure DHCP Network Parameters
– Enable the DHCP Server
Optionally, you can also:
– Set up a DHCP Nested Scope
– Configure a DHCP Manual Binding
These steps are described in the following sections.
XSR(config-dhcp-pool)#domain-name ets.enterasys.com
NOTE Some values can also be configured for a Client-Class or Host scope.
Enable the DHCP Server
4 Initialize the DHCP Server on FastEthernet interface 2:
XSR(config)#interface fastethernet 2
XSR(config-if)#ip dhcp server
Optional: Set Up a DHCP Nested Scope
5 Continue configuring local_clients by creating a named client-class and using it to override the lease time.
DHCP Server Configuration Examples

The following examples configure DHCP with different options. For DHCP implementations with firewall configured, refer to "Configuring Security on the XSR" on page 311.

Pool with Hybrid Servers Example

In the following example, the single DHCP pool dpool is created and two default routers defined: 168.16.22.100 (higher preference) and 168.16.22.101 (lower preference). The domain name enterasys.
Manual Binding with Class Example

In the following example, the single DHCP pool dpool is created with the domain name enterasys.com. A class engineering is defined. The domain name for all hosts in that class is ent.com. A host is defined with a MAC address in dotted decimal format. A manual binding is specified by IP address 1.1.1.20 and mask 255.255.255.0. The domain name for this host is specified as indusriver.com (this will override enterasys.
DHCP Option Examples

The following sample DHCP option configurations illustrate the three types of option parameters prompted for by the CLI: IP address, ASCII and hex. For more examples, refer to the XSR User's Manual. The following example configures DHCP option 3, which lists the IP addresses of four default routers on the DHCP client's subnet in descending order of preference.
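What the three CLI parameter types actually become on the wire is the same type/length/value layout for all of them. The following is an added example, not code from the XSR guide or from Enterasys: it encodes an IP-address-list option (option 3, four routers in descending preference), an ASCII option (option 15, domain name) and a hex option (option 43, arbitrary vendor bytes) as RFC 2132 TLVs, then parses them back with the length checks a receiver needs against truncated or oversize options. The option values are constructed for the example.

```python
# Added example (not from the XSR guide): DHCP option TLV encoding and
# parsing for the IP-list, ASCII and hex parameter types.
from ipaddress import IPv4Address

END, PAD = 255, 0


def encode_option(code, kind, value):
    """Encode one option. kind is 'ip' (list of dotted addresses),
    'ascii' (str) or 'hex' (hex digits with optional ':' separators)."""
    if kind == "ip":
        data = b"".join(IPv4Address(a).packed for a in value)
    elif kind == "ascii":
        data = value.encode("ascii")
    elif kind == "hex":
        data = bytes.fromhex(value.replace(":", ""))
    else:
        raise ValueError(f"unknown option kind {kind!r}")
    if not 1 <= len(data) <= 255:  # one-byte length field
        raise ValueError(f"option {code}: payload must be 1..255 bytes, got {len(data)}")
    return bytes([code, len(data)]) + data


def decode_options(blob):
    """Parse a TLV option list into {code: payload}. Stops at END, skips
    PAD, and refuses an option whose declared length runs past the data."""
    opts, i = {}, 0
    while i < len(blob):
        code = blob[i]
        if code == END:
            return opts
        if code == PAD:
            i += 1
            continue
        if i + 1 >= len(blob):
            raise ValueError(f"option {code}: truncated header")
        length = blob[i + 1]
        data = blob[i + 2:i + 2 + length]
        if len(data) != length:
            raise ValueError(f"option {code}: declared {length} bytes, only {len(data)} present")
        opts[code] = data
        i += 2 + length
    raise ValueError("option list has no END marker")


def routers(opts):
    """Option 3 payload is a list of IPv4 addresses, most preferred first."""
    data = opts[3]
    if len(data) % 4:
        raise ValueError("option 3 length is not a multiple of 4")
    return [str(IPv4Address(data[k:k + 4])) for k in range(0, len(data), 4)]


def build_sample():
    """Constructed option list: four default routers (option 3), a domain
    name (option 15) and opaque vendor bytes (option 43), then END."""
    return (encode_option(3, "ip", ["10.10.10.1", "10.10.10.2", "10.10.10.3", "10.10.10.4"])
            + encode_option(15, "ascii", "ets.enterasys.com")
            + encode_option(43, "hex", "01:04:c0:a8:01:01")
            + bytes([END]))


if __name__ == "__main__":
    opts = decode_options(build_sample())
    print("routers:", routers(opts))
    print("domain:", opts[15].decode("ascii"))
    print("option 43:", opts[43].hex(":"))
```

The truncation check in decode_options is the part worth keeping: a client that trusts the declared length of an option read off the wire is the "too short" bad packet case the firewall chapter warns about.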
13 Configuring Security on the XSR This chapter describes the security options available on the XSR including the firewall feature set and methods to protect against hacker attacks.
Features

Access Control Lists

Access Control Lists (ACL) impose selection criteria for specific types of packets, which when used in conjunction with other functions can restrict Layer 3 traffic through the XSR.
Smurf Attack

A "smurf" attack involves an attacker sending ICMP echo requests from a falsified source (a spoofed address) to a directed broadcast address, causing all hosts on the target subnet to reply to the falsified source. By sending a continuous stream of such requests, the attacker can create a much larger stream of replies, inundating the host whose address is being falsified.
This feature is always enabled, and the maximum number of TCP sessions allowed is set at run time, depending on the number of TCP applications running and the maximum number of sessions each of them could have. Any connection attempt above this number is denied.

Fragmented and Large ICMP Packets

The XSR offers these features to filter ICMP traffic based on IP data length, IP offset, and IP fragmentation bits. They apply to packets destined for the XSR.
The attacker does not send any other packet, and the state machine of the host remains in CLOSE_WAIT state until the keep-alive timer resets it to the CLOSED state. To protect against this attack the XSR checks for TCP packets with both SYN and FIN flags set. With protection always enabled, these packets are harmlessly dropped. This feature is supported for packets destined for the XSR. Transit packets will be checked.
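The two host-protection checks described in this section (echo requests aimed at a directed-broadcast address, and segments with SYN and FIN both set) come down to a few header fields. The following is an added example, not code from the XSR guide or from Enterasys: it parses raw IPv4 packets and returns the reasons a packet would be dropped. LOCAL_NETS is an assumed stand-in for the router's directly attached subnets, and the sample packets are constructed inline with zero checksums so the block runs offline.

```python
# Added example (not from the XSR guide): smurf and SYN+FIN checks over
# raw IPv4 packets, with constructed sample packets.
import struct
from ipaddress import IPv4Address, IPv4Network

LOCAL_NETS = [IPv4Network("10.1.1.0/24"), IPv4Network("10.1.2.0/24")]  # assumed attached subnets
SMURF = "smurf: ICMP echo request to a directed-broadcast address"
SYN_FIN = "tcp: SYN and FIN set in the same segment"
IPPROTO_ICMP, IPPROTO_TCP = 1, 6


def parse_ipv4(pkt):
    """Return (proto, src, dst, payload) from an IPv4 packet, rejecting
    packets that are shorter than a header or claim a bogus header length."""
    if len(pkt) < 20:
        raise ValueError("packet shorter than an IPv4 header")
    vihl, _, _, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (vihl & 0x0F) * 4
    if vihl >> 4 != 4 or ihl < 20 or ihl > len(pkt):
        raise ValueError("bad IPv4 version or header length")
    return proto, IPv4Address(src), IPv4Address(dst), pkt[ihl:]


def check_packet(pkt, local_nets=LOCAL_NETS):
    """Return the list of reasons to drop pkt; an empty list means pass."""
    proto, _, dst, payload = parse_ipv4(pkt)
    reasons = []
    if proto == IPPROTO_ICMP and len(payload) >= 8:
        icmp_type = payload[0]
        if icmp_type == 8 and any(dst == n.broadcast_address for n in local_nets):
            reasons.append(SMURF)
    if proto == IPPROTO_TCP and len(payload) >= 20:
        flags = payload[13]                 # TCP flags byte follows the data-offset byte
        if flags & 0x02 and flags & 0x01:   # SYN (0x02) and FIN (0x01) together
            reasons.append(SYN_FIN)
    return reasons


# --- constructed packet builders; checksums are deliberately left zero ---
def build_ipv4(proto, src, dst, payload):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr + payload


def icmp_echo_request():
    return struct.pack("!BBHHH", 8, 0, 0, 1, 1)  # type 8, code 0, checksum, id, seq


def tcp_segment(flags, sport=40000, dport=23):
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)


if __name__ == "__main__":
    samples = [
        ("echo to 10.1.1.255", build_ipv4(1, "192.0.2.9", "10.1.1.255", icmp_echo_request())),
        ("echo to 10.1.1.7", build_ipv4(1, "192.0.2.9", "10.1.1.7", icmp_echo_request())),
        ("SYN+FIN to 10.1.1.1", build_ipv4(6, "192.0.2.9", "10.1.1.1", tcp_segment(0x03))),
        ("SYN to 10.1.1.1", build_ipv4(6, "192.0.2.9", "10.1.1.1", tcp_segment(0x02))),
    ]
    for label, pkt in samples:
        print(f"{label}: {check_packet(pkt) or 'pass'}")
```

The smurf test keys on the destination being the broadcast address of an attached subnet rather than on the source, because the source is exactly what the attacker forges.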
– Create ACLs to direct services to appropriate servers only
– Enable packet filtering and attack prevention mechanisms
– Allow only packets with valid source addresses to exit the network
– If using SNMP, use strong community names and set read-only access
– Minimize console logging to limit unnecessary CPU cycles
– Use OSPF rather than RIP to take advantage of MD5 authentication
– Control which router interfaces can be used to manage the XSR
– Use an
Deleting the only privilege-15 user with a Telnet or SSH policy is disallowed to prevent any accidental loss of access to the XSR. There are two types of default AAA methods, as follows:
– The default AAA method for the AAA service. This is set using the aaa method [local | pki | radius] default command. By default, the local method is the default AAA method for the AAA service.
While most of these parameters are self-explanatory, the policy value is important in specifying which system each user will be allowed to access on the XSR. The module options are: firewall, ssh, telnet, and vpn.
5 Install a freeware program such as PuTTY on your client device. If you load PuTTY, enable these options for maximum ease of use:
– Click Session, Close window on exit, Never. See Figure 53.
– Click Terminal, Local echo, Force off.
– Click Terminal, Local line editing, Force off.
– Click Connection, SSH, Don't allocate a pseudo-terminal.
8 Enter aaa user to create an authenticated user and acquire AAA user mode.
9 Enter password for the newly created user.
10 Enter privilege 15 to set the highest privilege level for the user.
11 Enter policy ssh to enable SSH access for the user.
12 Enter exit to quit AAA user mode.
13 Enter aaa client ssh to enable AAA client SSH user authentication. If you also want to enable Telnet, enter aaa client telnet.
Firewall Feature Set Overview

A firewall is defined generally as a set of related applications or a device dedicated to protect the enterprise network. Placed at any entryway to a corporation's private network, a firewall examines all packets arriving from the Internet and admits or bars traffic based upon its policies. A firewall may also control inside access to destinations on the Internet or interior resources.
[Figure 54 XSR Firewall Topology: the Internet (External) and an Internal Client attached to the XSR router with firewall inspection enabled and a policy DB; SMTP and HTTP servers in the DMZ]
There are many possible network configurations for a firewall. The figure above shows a scenario with the firewall connected to the trusted network (internal) and servers that can be accessed externally (via the DMZ).
While this flexibility is useful, it emphasizes the fact that the shield is only as effective as the intelligence of the policies. Functionally, the XSR's policy database defines the configuration and retains information about the sessions currently allowed through the firewall.
– Filter bad packets and bad contents to protect internal hosts incapable of protecting themselves against these attacks:
  – Bad packets (too long or too short)
  – Un-recognized commands (possible attack)
  – Legal but undesirable commands/operations (as set by policy)
  – Objectionable contents (content and URL filtering)
– Drop incoming/outgoing connections such as FTP, gopher, or Telnet applications at the proxy firewall first
– Creat
Additionally, a stateful inspection firewall provides:
– Inspection of a packet's communication and application state acquired from past communication data throughout all layers.
Table 12 Pre-defined Services
ANY_TCP, ANY_UDP, AOL, AuthUDP, AudioCallCtrl, Bootp, Bootpc, Bootp_relay, DNSTCP, DNSUDP, Finger, FTP, H323, HTTP, ICAClient, ICABrowse, IdentD, IMAP, IMAPS, IRC, ISAKMP, KerberosAdmTCP, KerberosAdmUDP, KerberosTCP, KerberosUDP, klogin, L2TP, LDAP, Login, LotusNotes, Microsoft_ds, MSN, NetBIOS_ns, NetBIOS_tcp, NetBIOS_udp, NFSTCP, NFSUDP, NNTP, NTP_UDP, PCAnywhere, POP3, POP3S, PPTP, Radius, Ra
Application Level Gateway - Support for FTP and H.323 version 2 protocols
Denial of Service (DoS) attack protection - Security for internal hosts against a common set of DoS attacks when the firewall is enabled (globally and per interface). The firewall also uses the XSR's HostDoS feature to perform anti-spoofing: it enforces hostDoS checkspoof for any firewall-enabled interface regardless of the hostDoS checkspoof setting.
Alarm Logging - The XSR supports Console and Syslog logging and provides session usage data using the allow-log/log options. If you want to enable persistent logging, which preserves logs after a system reboot, you must install a CompactFlash memory card in the XSR. Logs stored in Flash are purged during a system reboot unless the XSR senses the presence of CompactFlash.
– If no syslog server is configured, alarms will contain the IP address of the first circuit. FE1 will be checked first, then FE2, then any WAN interface etc., until an IP address is obtained.
– If no interfaces have been configured with an IP address, the hostname will be used.
Authentication - AAA services provide secure access across the firewall delineated by several levels: user, client and session.
2 The XSR's AAA functionality talks to an authentication server or consults a local database based on the user's credentials.
3 If authentication is successful, AAA informs the firewall engine of the user's source IP address and an authentication entry is created within the firewall engine.
4 Policy rules specified for the firewall allow the user access to a server after consultation with the firewall engine's authentication cache.
CAUTION Use care not to overlap internal and external address ranges since internal ranges take precedence over external ranges, and if an address exists in both ranges, the internal address will be considered for policy matching.
You should set a rule at the end of your configuration to handle default behavior in a specific direction. Policies are evaluated in order and the first match decides, so in order to allow all packets from internal to external except for Telnet and FTP packets, the deny rules for these applications must be defined first. Then you must define a rule allowing access from the ANY_INTERNAL source to the ANY_EXTERNAL destination for any service. These object names are case-sensitive.
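To see why rule order decides the outcome, it helps to run a flow through a first-match evaluator. The following is an added example, not code from the XSR guide or from Enterasys: it models policies written over named network and service objects, classifies addresses as internal or external with the precedence the CAUTION above describes, and shows that the Telnet deny only takes effect when it precedes the ANY_INTERNAL to ANY_EXTERNAL catch-all, that an unmatched flow is denied, and that object names are case-sensitive. All network objects, addresses and rule names are constructed for the example.

```python
# Added example (not from the XSR guide): first-match firewall policy
# evaluation over named network and service objects.
from collections import namedtuple
from ipaddress import ip_address, ip_network

# Constructed network objects: name -> (location, network)
NETWORKS = {
    "private": ("internal", ip_network("220.150.2.16/28")),
    "dmz": ("internal", ip_network("220.150.2.32/28")),
    "branch": ("external", ip_network("198.51.100.0/24")),
}
# Constructed service objects: name -> (protocol, port); None means any port
SERVICES = {
    "Telnet": ("tcp", 23),
    "FTP": ("tcp", 21),
    "SMTP": ("tcp", 25),
    "ANY_TCP": ("tcp", None),
    "ANY_UDP": ("udp", None),
}

Policy = namedtuple("Policy", "name src dst service action")
Flow = namedtuple("Flow", "src dst proto dport")


def location(addr):
    """Internal ranges take precedence when an address falls in both."""
    addr = ip_address(addr)
    locs = {loc for loc, net in NETWORKS.values() if addr in net}
    return "internal" if "internal" in locs else "external"


def net_matches(name, addr):
    if name in ("ANY_INTERNAL", "ANY_EXTERNAL"):
        return location(addr) == name.split("_")[1].lower()
    return ip_address(addr) in NETWORKS[name][1]  # KeyError: object names are case-sensitive


def service_matches(name, flow):
    if name == "ANY":
        return True
    proto, port = SERVICES[name]
    return flow.proto == proto and (port is None or flow.dport == port)


def evaluate(policies, flow):
    """The first matching policy decides; no match means deny."""
    for p in policies:
        if (net_matches(p.src, flow.src) and net_matches(p.dst, flow.dst)
                and service_matches(p.service, flow)):
            return p.name, p.action
    return None, "deny"


# Constructed rule set in the order the guide recommends: specific denies
# first, the catch-all allow last.
POLICIES = [
    Policy("notelnet", "ANY_INTERNAL", "ANY_EXTERNAL", "Telnet", "deny"),
    Policy("noftp", "ANY_INTERNAL", "ANY_EXTERNAL", "FTP", "deny"),
    Policy("prvtoext", "ANY_INTERNAL", "ANY_EXTERNAL", "ANY", "allow"),
]

if __name__ == "__main__":
    for f in [Flow("220.150.2.20", "198.51.100.5", "tcp", 23),
              Flow("220.150.2.20", "198.51.100.5", "tcp", 80),
              Flow("198.51.100.5", "220.150.2.20", "tcp", 80)]:
        print(f, "->", evaluate(POLICIES, f))
    # The same rules with the catch-all first: Telnet slips through.
    print("catch-all first:", evaluate(POLICIES[::-1], Flow("220.150.2.20", "198.51.100.5", "tcp", 23)))
```

The reversed-order run is the configuration mistake the paragraph warns about: the catch-all matches the Telnet flow before the deny rule is ever consulted.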
Load - Installs the completed firewall configuration in the XSR's inspection engine with ip firewall load. This command avoids conflicts with existing sessions by clearing them. But, before doing so you can perform a trial load to verify settings or configure incrementally and check for errors between loads. You can view modified settings before loading with show ip firewall config.
– Level 3: Error - abnormal and deny alarms are logged if system logging is set at MEDIUM or HIGH and firewall logging is level 3 or higher
– Level 4: Warning - normal and permit alarms are logged if system logging is set at LOW and firewall logging is level 4 or higher
– Level 5: Notice
– Level 6: Information
– Level 7: Debug
You can generate fewer firewall alarms by selecting a less verbose level with the system logging command.
Firewall Limitations

Consider the following caveats regarding firewall operations:
Gating Rules - Internal XSR gating rules, which order traffic filtering, are stored in a temporary file in Flash. Because one gating rule exists for each network source/destination expansion, a potentially enormous number of rules can be generated by just a single firewall policy.
Table 13 Firewall Limitations
Firewall Objects   XSR 1800 @32MB   XSR 1800 @64MB   XSR 18/3000 @128MB   XSR 3000 @256MB
Sessions           250              10000            20000                60000
Authentications    75               150              300                  1000
Gating Rules       300              5000             10000                12000
External Hosts     250              5000             5000                 20000
Fragment Table     50               100              200                  600
FTP Requests       20               400              600                  1000
UDP Requests       20               400              600                  1000
Timers             20               100              200                  200
Java & ActiveX     20               100              200                  200
Session Timeou
packets, NAT is performed before firewall inspection. Firewall rules are written using the actual addresses on the internal (even if they are private IP addresses) and exterior networks, independent of whether NAT is enabled on the interface.
Firewall/VPN - VPN tunnels are implemented as virtual interfaces that sit on physical interfaces.
Pre-configuring the Firewall

We recommend you consider the following suggestions to set up the firewall:
– Establish a security plan by:
  – Examining your network topology
  – Determining exactly what resources you want to protect
  – Deciding where on the network to enable the firewall, and plan on writing a Telnet or SSH policy for remote administration if you are configuring an XSR located in the field
  – Making a list of internal addr
– Load the configuration in the firewall engine
– Enable or disable the firewall:
  – System wide, or on
  – Individual interfaces or sub-interfaces
– After the firewall is installed, check event logging to examine blocked traffic for any missed application rules
– Use port scanning tools to ensure policies are properly implemented

Configuration Examples

The following sample configurations describe step-by-step how to set up these firewall
[Figure 57 XSR with Firewall Topology. Recoverable labels: XSR; S1 220.150.2.35 over Frame Relay to the Internet; 206.12.44.16/28; FE1 220.150.2.17; FE2 220.150.2.37; Internal 220.150.2.16/28; 220.150.2.32/28; Web server (HTTP) 220.150.2.19; DMZ; Mail server (SMTP) 220.150.2.18; 220.150.2.36]
Begin by configuring network objects for private, dmz and Mgmt networks:
XSR(config)#ip firewall network dmz 220.150.2.16 mask 255.255.255.
XSR(config)#ip firewall policy exttodmzsmtp ANY_EXTERNAL dmz SMTP allow bidirectional
XSR(config)#ip firewall policy TelnetSESS private Mgmt Telnet allow bidirectional
Set a policy to allow any traffic to pass from private to EXTERNAL networks:
XSR(config)#ip firewall policy prvtoextprivate ANY_INTERNAL ANY_EXTERNAL allow
Trial load the completed configuration into the firewall engine, and if successful, load the configuration:
XSR(config
XSR with Firewall, PPPoE and DHCP

In this scenario, shown in Figure 58, the branch office uses a private address for its hosts. Access to the external network is configured with PPPoE DSL service on the FastEthernet 2 interface/sub-interface and DHCP set on the FastEthernet 1 interface. A global IP address is available for a Web server and a static NAT entry is set for it.
XSR(config-if)#ip address negotiated
XSR(config-if)#ip mtu 1492
XSR(config-if)#ip nat source assigned overload
XSR(config-if)#ppp pap sent-username b1jsSW23 "password is not displayed"
XSR(config-if)#no shutdown
Attach a static route to the PPPoE interface and add a local IP pool:
XSR(config)#ip route 0.0.0.0 0.0.0.0 FastEthernet2.1
XSR(config)#ip local pool myDhcpPool 10.10.10.0 255.255.255.
Trial load the completed configuration into the firewall engine, and if successful, load the configuration:
XSR(config)#ip firewall load trial
XSR(config)#ip firewall load
Configure the DHCP pool, DNS server and related settings:
XSR(config)#ip dhcp pool myDhcpPool
XSR(config-dhcp-pool)#default-router 10.10.10.1
XSR(config-dhcp-pool)#dns-server 209.226.175.223
XSR(config-dhcp-pool)#domain-name BT_basement
XSR(config-dhcp-pool)#lease 1 3 15
Globally enable the firewall.
[Figure: central site topology. Recoverable labels: XSR (FE1, FE2), SSR switch 96.96.96.7, Client, NEM, 141.154.196.93; the remaining labels are switch front-panel text and are not recoverable]
XSR(config-isakmp-peer)#proposal xp soho p2p
XSR(config-isakmp-peer)#config-mode gateway
XSR(config-isakmp-peer)#nat-traversal automatic
Configure the following IPSec SAs:
XSR(config)#crypto ipsec transform-set esp-3des-md5 esp-3des esp-md5-hmac
XSR(cfg-crypto-tran)no set security-association lifetime kilobytes
XSR(config)#crypto ipsec transform-set esp-3des-sha esp-3des esp-sha-hmac
XSR(cfg-crypto-tran)set security-association lifetime kilo
XSR(config-if<F2>)#crypto map test
XSR(config-if<F2>)#ip address 141.154.196.106 255.255.255.192
XSR(config-if<F2>)#no shutdown
Configure the VPN virtual interface as a terminating tunnel server with IP multicast redirection back to the gateway, add an OSPF network with cost and disable the firewall:
XSR(config)#interface Vpn1 multi-point
XSR(config-int-vpn)#ip multicast-redirect tunnel-endpoint
XSR(config-int-vpn)#ip address 10.120.70.1 255.
XSR(aaa-group)#pptp compression
XSR(aaa-group)#pptp encrypt mppe 128
XSR(aaa-group)#l2tp compression
XSR(aaa-group)#policy vpn
Configure DEFAULT group parameters including DNS and WINS servers, an IP pool, PPTP and L2TP values, and client VPN permission:
XSR(config)#aaa group DEFAULT
XSR(aaa-group)#dns server primary 0.0.0.0
XSR(aaa-group)#dns server secondary 0.0.0.0
XSR(aaa-group)#wins server primary 0.0.0.
XSR(aaa-method-radius)#enable
XSR(aaa-method-radius)#group DEFAULT
XSR(aaa-method-radius)#address ip-address 10.120.112.
XSR(config)#ip firewall network ospf 224.0.0.5 224.0.0.6 internal
XSR(config)#ip firewall network ssr 96.96.96.1 mask 255.255.255.255 internal
Define the NetSight network management station:
XSR(config)#ip firewall network netsight 10.120.84.3 mask 255.255.255.
Write policies permitting RADIUS and all TCP and UDP traffic from remote VPN networks into the corporate networks:
XSR(config)#ip firewall policy radiusauth f1a trusted radiusauth allow
XSR(config)#ip firewall policy radiusacct f1a trusted radiusacct allow
XSR(config)#ip firewall policy ANY_TCP remote trusted ANY_TCP allow bidirectional
XSR(config)#ip firewall policy ANY_UDP remote trusted ANY_UDP allow bidirectional
Allow IPSec (protocol
Globally enable the firewall. Even though you have configured and loaded the firewall, only invoking the following command "turns on" the firewall. Once enabled, if you are remotely connected, the firewall will close your session. Simply log in again.
XSR(config)#ip firewall enable

Firewall Configuration for VRRP

This example briefly configures VRRP advertisements to be sent and received on a FastEthernet interface.
XSR(aaa-method-radius)#address ip-address 10.10.10.
XSR(config)#access-list 1 permit 192.168.10.0 0.0.0.255
XSR(config)#access-list 1 permit 192.168.20.0 0.0.0.255
XSR(config)#access-list 2 permit host 192.168.9.32
XSR(config)#access-list 100 deny ip any host 192.168.1.15
XSR(config)#access-list 100 deny any host 192.168.1.15 any
XSR(config)#access-list 100 deny ip tcp host 192.168.1.15 any
XSR(config)#access-list 100 permit ip 192.168.1.0 0.0.0.
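The wildcard masks in these access lists are the inverse of subnet masks (a 1 bit means "don't care"), and every list ends with an implicit deny. The following is an added example, not code from the XSR guide or from Enterasys: it parses a handful of standard and extended access-list lines written in the syntax above and evaluates source/destination pairs against them with first-match semantics. The ACL text and the test addresses are constructed for the example; the extended lines are written with a single protocol keyword each.

```python
# Added example (not from the XSR guide): wildcard-mask ACL parsing and
# first-match evaluation with implicit deny.
from ipaddress import IPv4Address

ANY = (0, 0xFFFFFFFF)  # base 0 with an all-ones wildcard matches every address

# Constructed ACL lines in the guide's syntax (standard lists 1-99 carry a
# source only; extended lists 100+ carry protocol, source and destination).
ACL_TEXT = """\
access-list 1 permit 192.168.10.0 0.0.0.255
access-list 1 permit 192.168.20.0 0.0.0.255
access-list 2 permit host 192.168.9.32
access-list 100 deny ip any host 192.168.1.15
access-list 100 deny tcp host 192.168.1.15 any
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
"""


def parse_match(tokens):
    """Consume one address spec: 'any', 'host A', or 'A WILDCARD'.
    Returns ((base_int, wildcard_int), remaining_tokens)."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return (int(IPv4Address(tokens[1])), 0), tokens[2:]
    return (int(IPv4Address(tokens[0])), int(IPv4Address(tokens[1]))), tokens[2:]


def addr_matches(addr, spec):
    """Every bit where addr differs from base must be a don't-care bit."""
    base, wild = spec
    return (int(IPv4Address(addr)) ^ base) & ~wild & 0xFFFFFFFF == 0


def parse_acls(text):
    """Return {acl_number: [(action, proto, src_spec, dst_spec), ...]}."""
    acls = {}
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] != "access-list":
            continue
        number, action, rest = int(tokens[1]), tokens[2], tokens[3:]
        if number < 100:                    # standard ACL: source only
            src, rest = parse_match(rest)
            entry = (action, "ip", src, ANY)
        else:                               # extended ACL: proto src dst
            proto, rest = rest[0], rest[1:]
            src, rest = parse_match(rest)
            dst, rest = parse_match(rest)
            entry = (action, proto, src, dst)
        if rest:
            raise ValueError(f"unparsed tokens in: {line}")
        acls.setdefault(number, []).append(entry)
    return acls


def evaluate(acl, src, dst, proto="ip"):
    """First matching entry wins; no match falls through to the implicit deny."""
    for action, p, s, d in acl:
        if p in ("ip", proto) and addr_matches(src, s) and addr_matches(dst, d):
            return action
    return "deny"


ACLS = parse_acls(ACL_TEXT)

if __name__ == "__main__":
    print(evaluate(ACLS[1], "192.168.10.77", "0.0.0.0"))            # permit
    print(evaluate(ACLS[1], "192.168.30.1", "0.0.0.0"))             # deny (implicit)
    print(evaluate(ACLS[100], "192.168.1.15", "10.0.0.1", "tcp"))   # deny
    print(evaluate(ACLS[100], "192.168.1.20", "10.0.0.1", "udp"))   # permit
```

Running candidate addresses through evaluate before applying a list to an interface catches the two classic mistakes: a wildcard typed as a subnet mask, and a permit placed above the deny it was meant to be narrowed by.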
A Alarms/Events and System Limits

This appendix describes the configuration and memory limits of the XSR as well as system High, Medium and Low severity alarms and events and Firewall/NAT alarms captured by the router.

System Limits

The XSR-1805 imposes limits on the following configurable functions.
Table 14 XSR Limits (Continued)
Function                      @ 64 MB   @128 MB   @ 32 MB
OSPF LSA type 4               500       3500      100
OSPF LSA type 5               750       3500      750
OSPF LSA type 7               250       250       250
ACL list entries              500       1000      500
Users                         25        25        25
SNMP read-only communities    20        20        20
SNMP read-write communities   20        20        20
SNMP trap servers             20        20        20
SNMP users                    25        25        25
SNMP groups                   100       100       100
SNMP views                    50        50        50
Interfaces                    136       136       42
AAA sessions                  300       1
Table 14 XSR Limits (Continued)
Function                         @ 64 MB   @128 MB   @ 32 MB
Dialer map classes               192       192       64 (with Routing & VPN or Routing & Firewall)
Frame Relay map classes          30        30        30 (with Routing & VPN or Routing & Firewall)
RIP networks                     300       300       31
Dynamic NAT sessions             4095      4095      (not listed)
NAT static one-to-one mappings   1000      1000      (not listed)
Firewall networks                400       600       Any firmware option: 20
Firewall services                400       600       Any firmware option: 50
Firewall network g
Alarms and Events

The XSR exhibits the following alarm logging behavior:
Table 15 Alarm Behavior
When alarm logging is set to:   The XSR-1805 will log:
HIGH                            HIGH severity alarms only
MEDIUM                          MEDIUM and HIGH severity alarms
LOW                             LOW, MEDIUM, and HIGH severity alarms
DEBUG                           all alarms
Refer to the table below for all High severity alarms and events reported by the XSR.
Table 16  High Severity Alarms/Events (Continued)

Module | Message | Description
T1E1 | LOF alarm on receiver cleared. | Indicates that T1/E1 physical port is not detecting OOF Alarm.
T1E1 | Transmitting Remote Alarm (Yellow Alarm). | Indicates that T1/E1 physical port is transmitting remote alarm.
T1E1 | Transmit Remote Alarm cleared. | Indicates that T1/E1 physical port is not transmitting remote alarm.
ISDN | %s Layer 2 Terminal %d is DOWN / %s Layer 2 Terminal %d is UP | Q921 - LAP-D status; UP is normal operation. Terminal is 1 for PRI. For BRI it may be 1 or 2: 1 for ETSI and NTT; for North America 1 and 2 if two SPIDs are configured.
Frame Relay | Serial a/b:d.e, station DOWN, DLCI nnnn | The network reports station up.
Frame Relay | Serial a/b:d cannot establish LMI, port is down | The network has not been responding for 5 minutes - check connection.
Frame Relay | Serial a/b:d LMI - port DOWN | The LMI is reporting the port is Down.
ETH1_DRIV | Device not found | This alarm most likely occurs because of a hardware failure, and means that the FastEthernet 2 chip cannot be found on the PCI bus (of the motherboard). When this alarm occurs, the FastEthernet 2 interface is unavailable.
CLI | Config mode released by user | When a user (unknown) exits Configuration mode.
CLI | config mode released by startup-config | Configuration mode is released when the startup-config script finishes the execution.
CLI | config mode released by user | Occurs when a user (unknown) exits the configuration mode.
CLI | Config mode locked by user | Occurs when another user is in Configuration mode and you are trying to get to configuration mode.
CLI | Config mode locked by startup-config | Configuration mode is locked when the startup-config script finishes
Table 17  Medium Severity Alarms/Events (Continued)

Module | Message | Description
T1E1 | PCI device failure (Device/Port: card number/port number). | Error in initializing T1E1 HW card.
T1E1 | Not enough memory (Device: card number). | Error in allocating memory for T1E1 HW card.
T1E1 | Not enough memory (Device/Port: card number/port number). | Error in allocating memory for T1E1 HW card.
T1 | ERROR: Shared memory allocation failed for Receive Free Queue. | Error in allocating memory for T1E1 HW card.
T1 | ERROR: Shared memory allocation failed for Receive Done Queue. | Error in allocating memory for T1E1 HW card.
T1 | ERROR: Shared memory allocation failed for Receive Descriptors. | Error in allocating memory for T1E1 HW card.
PPP | PPP MS-CHAP authentication failed while authenticating remote peer's response to the challenge. | Indicates that PPP MS-CHAP authentication has failed while authenticating remote peer's response to the challenge.
ISDN | Call | Call disconnected, the cause is the standard ISDN cause. E.g.
DIAL | No dial tone for modem on intf # | Indicates that there is no dial tone for the modem PSTN line.
DIAL | No carrier for modem on intf # | Indicates that the remote modem is not present at the location called by the local modem.
DIAL | No answer for modem on intf # | Indicates that the remote modem is not configured for autoanswering.
Table 18  Low Severity Alarms/Events (Continued)

Module | Message | Description
T1E1 | Receive AIS cleared. | Indicates that T1/E1 physical port is not detecting AIS Alarm.
T1 | Cablelength long failed for slot/card/port. | Configuration command sent to driver returned an error.
T1 | Cablelength short failed for slot/card/port. | Configuration command sent to driver returned an error.
T1 | Bert start failed for slot/card/port. |
T1 | Stop controller failed for slot/card/port. | Stop command sent to driver returned an error.
T1 | Bind controller failed for slot/card/port. | Bind command sent to driver returned an error.
T1 | Delete controller object failed for slot/card/port. | T1E1 controller object delete could not be executed.
ASYNC_DRIV | Recoverable error | The device has a hard recoverable error.
ASYNC_DRIV | Packets lost > 255 (RX overrun) | The number of packets lost due to RX FIFO overrun has exceeded 255.

Firewall and NAT Alarms and Reports

The XSR reports logging messages for firewall and NAT functionality as listed below.
Table 19  Firewall and NAT Alarms

Severity       Report Text
2 - CRIT       Init: Error reading NAT Mapper table
3 - ERROR      NAT: No NAT entry found, %IP_P2
3 - ERROR      NAT: No NAT entry found, %IP_P2
3 - ERROR      NAT: TCP reset, NAT port %d, %IP_P2
3 - ERROR      UDP: NAT unable to forward packet, %IP_P2
4 - WARNING    NAT table is full
4 - WARNING    NAT: TCP connection closed, freeing NAT port %d
4 - WARNING    Purging NAT Entry for port %d
1 - ALERT      IP fragment offset plus length exceeds the maximum IP datagram length
1 - ALERT      IP fragment with negative fragmentation offset
1 - ALERT      Maximum fragments for a single IP packet reached
1 - ALERT      Session pool exhausted
1 - ALERT      TCP: Detected portscan. %IP_P2
1 - ALERT      TCP: Detected SYN Flood attack.
2 - CRIT       Init: Failed to allocate memory for CLS Control module
2 - CRIT       Init: Failed to allocate memory for gating rules
2 - CRIT       Init: Failed to allocate memory for gating rules: %d
2 - CRIT       Init: Failed to allocate memory for host ranges: %d
2 - CRIT       Init: Failed to allocate memory for host table entries
2 - CRIT       Init: Failed to allocate memory for host table
3 - ERROR      Deny: No filter for %s, %IP_2
3 - ERROR      Deny: No filter for ICMP, %IP_2
3 - ERROR      Deny: no matching filter, %IP2_ICMP
3 - ERROR      Deny: OSPF packet, %IP2
3 - ERROR      Deny: TCP Christmas Tree Packet, %IP_P2
3 - ERROR      Deny: TCP SYN+ACK packet blocked.
3 - ERROR      Deny: TCP SYN+ACK packet without ever seeing SYN packet.
3 - ERROR      Internal error
3 - ERROR      IP fragment cache entry purged
3 - ERROR      IP header checksum does not match, %IP_P2
3 - ERROR      osUnTimeOut() called with a bad index = %d
3 - ERROR      Received fragmented Packet without the initial fragment
3 - ERROR      TCP header checksum does not match, %IP_P2
3 - ERROR      TCP: ACK packet in the TCP three-way handshake sequence was bl
4 - WARNING    CLS blocked FTP request, command: %CMD %IP_P2
4 - WARNING    CLS blocked HTTP request, command: %CMD %IP_P2
4 - WARNING    CLS blocked HTTP stray packet, %IP_P2
4 - WARNING    CLS blocked SMTP request, command: %CMD %IP_P2
4 - WARNING    CLS blocked stray SMTP packet, %IP_P2
4 - WARNING    Could not allocate TCP buffer for H.323 connection.
4 - WARNING    Permit: TCP Con_Req, %IP_P2
4 - WARNING    Permit: UDP %IP_P2
4 - WARNING    TCP connection closed %IP_P2
4 - WARNING    TCP new session request %IP_P2
4 - WARNING    TCP Out-Of-Sequence table is full
4 - WARNING    UDP: Bad entry found in UDP Request cache table
4 - WARNING    UDP: Bad response, %IP_P2
4 - WARNING    UDP: Received Bad BOOTP Frame
4 - WARNING    UDP: