User's guide

XSR User's Guide
Configuration Examples Chapter 13
Configuring Security on the XSR
Globally enable the firewall. Even though you have configured and loaded
the firewall, it is only “turned on” by invoking the following command.
Once it is enabled, if you are remotely connected, the firewall will close
your session. Simply log in again.
XSR(config)#ip firewall enable
Firewall Configuration for VRRP
This example briefly configures VRRP advertisements to be sent and received
on a FastEthernet interface. You must configure two networks and a filter for
the VRRP protocol (number 112). It is assumed you have already configured
the Virtual Router and backup VR within the specified IP address range.
Enable multicasting in both directions on FastEthernet interface 2:
XSR(config-if<F2>)#ip firewall ip-multicast both
Configure the IP address of the firewall networks internal2 and vrrp,
specifying a range between 80.0.0.1 and 80.255.255.254 and a multicasting
host at 224.0.0.18/32, respectively. Finally, add a policy allowing VRRP
advertisements to pass between private and external networks.
XSR(config-if<F2>)#ip address 80.0.0.1/8
XSR(config)#ip firewall network internal2 80.0.0.0 mask 255.0.0.0 internal
XSR(config)#ip firewall network vrrp 224.0.0.18 mask 255.255.255.255 internal
XSR(config)#ip firewall filter mult2 internal2 vrrp protocol-id 112
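The VRRP commands above, modeled as an added example that is not part of the XSR guide: the Python below parses the two network objects and the mult2 filter, then reports which constructed sample packets the filter matches. The matching rule (source in the first named network, destination in the second, IP protocol number equal to protocol-id) is an assumed simplification of the firewall's behavior, and the function names are hypothetical.

```python
import ipaddress

# The two network objects and the filter from the VRRP example above.
CONFIG = """\
ip firewall network internal2 80.0.0.0 mask 255.0.0.0 internal
ip firewall network vrrp 224.0.0.18 mask 255.255.255.255 internal
ip firewall filter mult2 internal2 vrrp protocol-id 112
"""

def parse(config):
    """Return (networks, filters) parsed from 'ip firewall' lines."""
    networks, filters = {}, []
    for line in config.splitlines():
        tok = line.split()
        if tok[:3] == ["ip", "firewall", "network"]:
            # ip firewall network <name> <addr> mask <mask> <internal|external>
            name, addr, mask = tok[3], tok[4], tok[6]
            networks[name] = ipaddress.ip_network(f"{addr}/{mask}")
        elif tok[:3] == ["ip", "firewall", "filter"]:
            # ip firewall filter <name> <src-net> <dst-net> protocol-id <n>
            filters.append((tok[3], tok[4], tok[5], int(tok[7])))
    return networks, filters

def matching_filter(src, dst, proto, config=CONFIG):
    """Name of the first filter matching the packet, or None.

    Assumed model, not the XSR implementation: a filter matches when the
    source is in its first network, the destination is in its second
    network, and the IP protocol number equals its protocol-id.
    """
    networks, filters = parse(config)
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for name, src_net, dst_net, pid in filters:
        if s in networks[src_net] and d in networks[dst_net] and pid == proto:
            return name
    return None

if __name__ == "__main__":
    # Constructed sample packets: (source, destination, IP protocol number)
    for pkt in [("80.0.0.1", "224.0.0.18", 112),   # VRRP advertisement
                ("80.0.0.1", "224.0.0.18", 17),    # UDP to the VRRP group
                ("80.0.0.1", "224.0.0.5", 112),    # different multicast group
                ("10.0.0.1", "224.0.0.18", 112)]:  # source outside internal2
        print(pkt, "->", matching_filter(*pkt))
```

Only the first sample packet matches mult2 under this model; the others match no filter in the example configuration.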
Firewall Configuration for RADIUS Authentication and Accounting
The following sample configuration employs the RADIUS method for AAA
authentication. The commands in the section below configure Steel Belted
RADIUS (SBR) as the RADIUS method, the server’s IP address and encryption
key, its RADIUS authentication and accounting ports (per IANA), and all four
client services. Also configured are the backup RADIUS server msradius with
one login attempt specified before the backup is accessed and five retransmit
requests specified for service, and reconfigured queue and timeout values.
XSR(config)#aaa method radius sbr default
XSR(aaa-method-radius)#backup msradius