Page 3 - Notice
i Notice Enterasys Networks reserves the right to make changes in specifications and other information contained in this document and its web site without prior notice. The reader should in all cases consult Enterasys Networks to determ...
Page 4 - Regulatory Compliance Information; Federal Communications Commission (FCC) Notice
ii Regulatory Compliance Information Federal Communications Commission (FCC) Notice The XSR complies with Title 47, Part 15, Class A of FCC rules. Operation is subject to the following two conditions: • This device may not cause harmful interferenc...
Page 6 - European Waste Electrical and Electronic Equipment (WEEE) Notice
iv Electromagnetic Compatibility (EMC) This product complies with the following: 47 CFR Parts 2 and 15, CSA C108.8, 89/336/EEC, EN 55022, EN 55024, EN 61000-3-2, EN 61000-3-3, AS/NZS CISPR 22, and VCCI V-3. Electromagnetic Compatibility (EMC)...
Page 7 - Declaration of Conformity; Australian Telecom
v Declaration of Conformity Application of Council Directive(s): 89/336/EEC, 73/23/EEC Manufacturer’s Name: Enterasys Networks, Inc. Manufacturer’s Address: 50 Minuteman Road Andover, MA 01810 USA European Representative Address: Enterasys Networks, Ltd. Nexus House, Newbu...
Page 9 - Firmware License Agreement
vii Enterasys Networks, Inc. Firmware License Agreement BEFORE OPENING OR UTILIZING THE ENCLOSED PRODUCT, CAREFULLY READ THIS LICENSE AGREEMENT. This document is an agreement (“Agreement”) between the end user (“You”) and Enterasys Networks, Inc. on be...
Page 13 - Contents; Preface
xi Contents. Preface: Contents of the Guide, xxvii; Conventions Used in This Guide ...
Page 15 - Chapter 5: Configuring IP
xiii Chapter 3: Managing LAN/WAN Interfaces: Overview of LAN Interfaces, 3-1; LAN Features ...
Page 17 - Chapter 6: Configuring the Border Gateway Protocol
xv Load Balancing, 5-31; ARP Process on a VRRP Router, 5-31; Host ARP ...
Page 19 - Chapter 8: Configuring PPP
xvii Describing the XSR’s PIM-SM v2 Features, 7-7; Phase 1: Building a Shared Tree, 7-8; Phase...
Page 20 - Chapter 9: Configuring Frame Relay
xviii Chapter 9: Configuring Frame Relay: Overview, 9-1; Virtual Circuits ...
Page 22 - Chapter 11: Configuring Integrated Services Digital Network
xx Backup Using ISDN, 10-37; Node A (Backed-up Node) Configuration, 10-37; Node C (Called N...
Page 23 - Chapter 13: Configuring ADSL
xxi Measuring Bandwidth Utilization, 12-5; Describing Priority Queues, 12-5; Configuring Pr...
Page 24 - Chapter 14: Configuring the Virtual Private Network
xxii ADSL Hardware, 13-5; NIM Card ...
Page 25 - Chapter 15: Configuring DHCP
xxiii Server 1, 14-17; Server 2 ...
Page 26 - Chapter 16: Configuring Security on the XSR
xxiv DHCP Client Services, 15-6; Router Option ...
Page 27 - Appendix B: XSR SNMP Proprietary and Associated Standard MIBs
xxv Application Level Commands, 16-13; Application Level Gateway, 16-13; On Board URL Filt...
Page 29 - Contents of the Guide
XSR User’s Guide xxvii Preface This guide provides a general overview of the XSR hardware and software features. It describes how to configure and maintain the router. Refer to the XSR CLI Reference Guide and the XSR Getting Started Guide for information not contained in this document. This guide is...
Page 30 - Conventions Used in This Guide
Conventions Used in This Guide xxviii Preface • Chapter 11, Configuring ISDN, outlines how to set up the Integrated Services Digital Network protocol on the XSR for BRI, PRI and leased line applications. ISDN protocol tracing and partial decoding of Q921 and Q931 frames is also described. • Chapter ...
Page 32 - Getting Help
Getting Help xxx Preface Getting Help For additional support related to the XSR, contact Enterasys Networks by one of these methods: Before contacting Enterasys Networks for technical support, have the following information ready: • Your Enterasys Networks service contract number • A description of ...
Page 33 - Overview
XSR User’s Guide 1-1 1 Overview This chapter briefly describes the functionality of the XSR. Refer to the following chapters in this manual for details on how to configure this functionality and the XSR CLI Reference Guide for a description of associated CLI commands and examples. The following func...
Page 37 - Managing the XSR; Utilizing the Command Line Interface; Connecting via the Console Port on XSR Series; Using the Console Port for Dial Backup on the XSR 1800 Series; Caution
XSR User’s Guide 2-1 2 Managing the XSR The XSR can be managed via three interfaces with varying levels of control: the Command Line Interface (CLI) for full configuration, performance and fault management; the Simple Network Management Protocol (SNMP) for remote monitoring and firmware upgrades, an...
Page 38 - Using the Console Port to Remotely Control the XSR
Utilizing the Command Line Interface 2-2 Managing the XSR Using the Console Port to Remotely Control the XSR The XSR’s Console port can also be connected to a modem for the purpose of remote console control. Make the connection with a straight-through cable and enter the following XSR commands: XSR(...
Page 39 - Terminal Commands; Connecting via Telnet
Utilizing the Command Line Interface XSR User’s Guide 2-3 Terminal Commands If you want to display identification information about the current terminal connection, issue the show whoami command. Refer to the XSR Getting Started Guide and XSR CLI Reference Guide for more information on commands. Con...
Page 40 - Accessing the Initial Prompt; Synchronizing the Clock; Table 2-1 Session Limits
Utilizing the Command Line Interface 2-4 Managing the XSR PuTTY and other shareware programs are compatible with the XSR’s SSH server. Refer to the XSR Getting Started and CLI Reference guides for more details. Accessing the Initial Prompt The CLI is protected by security. Before you can access EXEC...
Page 41 - Managing the Session; RAI Features and Requirements
Utilizing the Command Line Interface XSR User’s Guide 2-5 Managing the Session A first-time CLI session is set up with default attributes; e.g., the session is set to time out after 1800 seconds of idle time. You can reconfigure session values, for example by creating users, passwords, and login banners, and ...
Page 43 - RAI Requirements on the XSR; How RAI Components Work
Utilizing the Command Line Interface XSR User’s Guide 2-7 DHCP client over the LAN: • Operational over an Ethernet interface on the lowest slot/card/port only. • Uses the options field for TFTP server, IP address, host name and config file. • Optionally uses Reverse DNS if options are not popu...
Page 44 - Bootp Client; TFTP Client
Utilizing the Command Line Interface 2-8 Managing the XSR RAI checks each DLCI, up to 30, on a given interface for a Bootp response, an rDNS server and a TFTP server with a configuration file. The first DLCI that accomplishes this will be chosen. If the connection fails, RAI will reset itself and r...
Page 46 - PPP RAI over a Leased Line; PPP RAI over ADSL
Utilizing the Command Line Interface 2-10 Managing the XSR PPP RAI over a Leased Line PPP over a leased line performs similarly to Frame Relay RAI over a serial link via a leased Telco line. When PPP negotiation is successful, a point-to-point connection is established from the remote XSR to the cen...
Page 47 - CLI Editing Rules
Utilizing the Command Line Interface XSR User’s Guide 2-11 The first phase establishes a physical connection (training) on the ADSL line. RAI ADSL attempts a physical connection on the first port of the ADSL card, waiting one minute for training to succeed. If it fails, RAI abandons ADSL RAI and mov...
Page 48 - Setting CLI Configuration Modes; Table 2-2 CLI Shortcuts
Utilizing the Command Line Interface 2-12 Managing the XSR • Command Recall: Non-help commands are stored in the command history list buffer up to the last 32 commands. You can recall and edit previous commands using shortcut keys. For example: Ctrl + p/Ctrl + n will list the previous/next command ...
Page 50 - User EXEC Mode; Global Configuration Mode; Exiting From the Current Mode
Utilizing the Command Line Interface 2-14 Managing the XSR 4. Some attributes can be set at this level without acquiring other modes. For example: access-list access-list-num [deny | permit] [parameter [parameter…]] 5. Show commands can all be entered at EXEC, Privileged EXEC or higher modes. User ...
Page 51 - Mode Examples; Table 2-4 Command Syntax and Conventions
Utilizing the Command Line Interface XSR User’s Guide 2-15 Mode Examples Consider the following examples to change configuration mode: XSR>enable + Acquires Privileged EXEC mode XSR#config terminal + Acquires Global configuration mode XSR(config)#interface fastethernet 1 + Acquires Interface mode...
Page 52 - CLI Command Limits; Describing Ports and Interfaces; Supported Physical Interfaces; Supported Virtual Interfaces
Utilizing the Command Line Interface 2-16 Managing the XSR CLI Command Limits CLI commands on the XSR are bounded by the following: • Total number of characters in a command line/help message: 299 • Total number of words in a command line: 127 • Number of command history entries recalled: 31 • Total...
Page 53 - Supported Ports; Setting Port Configuration Mode; Setting Interface Type and Numbering
Utilizing the Command Line Interface XSR User’s Guide 2-17 Supported Ports The XSR supports the following port types: • Single-channel ports: Fast- and GigabitEthernet, Sync/Async serial, ATM • Multiple-channel type ports: BRI, T1/E1 Numbering XSR Slots, Cards, and Ports The syntax for XSR slot, car...
Page 54 - Configuration Examples
Utilizing the Command Line Interface 2-18 Managing the XSR • Virtual Interfaces: – Loopback - Range 0 to 15. Interface type: Internal Loopback. – Dialer - Range: 0 to 255, Interface type: Dialer. – VPN - Range: 0 to 255, Interface type: VPN tunnel/Dialer. – Multilink - Range: 1 to 32767, Interface t...
Page 56 - Entering Commands that Control Tables; Adding Table Entries
Utilizing the Command Line Interface 2-20 Managing the XSR – Switched: When configuring a switched BRI connection, three serial sub-interfaces are automatically created when you enter: interface bri 2/1 isdn switch-type basic-ni1 – The following sub-interfaces are added: interface serial 2/1:0 interf...
Page 57 - Deleting Table Entries; Modifying Table Entries; Displaying Table Entries; Managing XSR Interfaces
Utilizing the Command Line Interface XSR User’s Guide 2-21 Deleting Table Entries There are two ways to delete an entry from a table depending on the table type. Type (e.g.): XSR(config)#no arp 1.1.1.1 e45e.ffe5.ffee + removes the arp entry related to row 1.1.1.1. where no is the command that negate...
Page 58 - Enabling an Interface; Disabling an Interface; Configuring an Interface; Displaying Interface Attributes
Utilizing the Command Line Interface 2-22 Managing the XSR Ports can be enabled or disabled, configured for default settings, associated tables, clock rate, priority group, and encapsulation, for example. Refer to the XSR CLI Reference Guide for more details on Interface mode commands. Enabling an I...
Page 59 - Managing Message Logs; Logging Commands; Performing Fault Management
Utilizing the Command Line Interface XSR User’s Guide 2-23 Managing Message Logs Messages produced by the XSR, whether alarms or events, as well as link state changes for critical ports and a management authentication log, can be routed to various destinations with the logging command. And by issuin...
Page 60 - Fault Report Commands; Capturing Fault Report Data
Utilizing the Command Line Interface 2-24 Managing the XSR • Contents of stacks (task stacks, interrupt stack) • Status of one special task (packet processor by default) • Code around the crash program counter • Task message queues • Memory management statistics • Task stack traces for all tasks The...
Page 61 - Using the Real-Time Clock; RTC/Network Clock Options; Managing the System Configuration
Utilizing the Command Line Interface XSR User’s Guide 2-25 Using the Real-Time Clock The XSR’s Real-Time Clock (RTC) is employed by other system software modules to time-stamp events and alarms, and is useful when no network clock source is accessible. It is normally synchronized with a master clock sou...
Page 62 - Resetting the Configuration to Factory Default
Utilizing the Command Line Interface 2-26 Managing the XSR Resetting the Configuration to Factory Default In situations where the XSR has invalid software or a problem booting up, you can reset the router and return it to its factory default settings by accessing Bootrom Monitor Mode. Take these ste...
Page 63 - Configuration Save Options; Using File System Commands; Bulk Configuration Management; Downloading the Configuration
Utilizing the Command Line Interface XSR User’s Guide 2-27 Configuration Save Options There are several options available regarding configuration: • If you want to make your running configuration the new startup configuration, you can save it to Flash memory with the copy running-config startup-conf...
Page 64 - Uploading the Configuration/Crash Report; Creating Alternate Configuration Files
Utilizing the Command Line Interface 2-28 Managing the XSR For more command details, refer to the XSR CLI Reference Guide. Uploading the Configuration/Crash Report An upload copies the XSR startup-configuration file (partial) to a system in a CLI script format using TFTP. You can later retrieve the...
Page 65 - Managing the Software Image; Creating Alternate Software Image Files; BootRom Upgrade Choices; Upgrading from Version 2.xx to 3.xx code on the XSR 1800 Series; Upgrading from Version 1.xx to 2.xx code on the XSR 1800 Series; Pre-upgrade Procedures
Utilizing the Command Line Interface XSR User’s Guide 2-29 Managing the Software Image The XSR can store more than one software image in Flash. Creating Alternate Software Image Files The XSR can create multiple software images, a useful option if you want to quickly select an alternate image. For e...
Page 66 - Using the Bootrom Update Utility; bold; dir
Utilizing the Command Line Interface 2-30 Managing the XSR • Optionally, if you have CompactFlash installed, you can download the firmware file to cflash: then perform Step 1 (see below) followed by the bu (lower-case u) command. • If you use the Cabletron TFTP/BOOTP Services application, which do...
Page 67 - boot system updateBootrom.fls
Utilizing the Command Line Interface XSR User’s Guide 2-31 4. Using TFTP, transfer updateBootrom.fls from the network: XSR-1805# copy tftp://192.168.27.95/C:/tftpDir/updateBootrom.fls flash:updateBootrom.fls Copy 'tftpDir/updateBootrom.fls' from server as 'updateBootrom.fls' into Flash(y/n) ? y !!!...
Page 68 - Local Bootrom Upgrade; np
Utilizing the Command Line Interface 2-32 Managing the XSR Local Bootrom Upgrade Due to the change in the format of the Bootrom file between version 1.x and version 2.01, a transitional step is required when updating across these versions only. This transitional step can be avoided by using the Boo...
Page 69 - sn
Utilizing the Command Line Interface XSR User’s Guide 2-33 – DOS-style full path (without the file name) of the site of the Bootrom file on the host PC. – The username and password to use when connecting to your FTP server on the host PC. 6. Verify the network boot values using the sn command. For e...
Page 70 - bw; Loading Software Images
Utilizing the Command Line Interface 2-34 Managing the XSR Programming 131072(0x20000) bytes at address 0xfffa0000 Programming 48299(0xbcab) bytes at address 0xfffc0000 Verifying Bootrom flash sectors Locking 3 Bootrom flash sectors Locking 8 Bootrom flash sectors ***** Bootrom update completed. ***** D...
Page 71 - Configuring EOS Fallback on the CLI; Configuring EOS Fallback via SNMP
Utilizing the Command Line Interface XSR User’s Guide 2-35 • If the power to XSR fails, try another reload • If a syntax error is indicated, examine your configuration for errors • If XSR crashes, do not retry reloading. Contact Technical Support EOS fallback is configurable from the CLI or via SNMP...
Page 72 - Downloading with FIPS Security; key; Software Image Commands; Configuration Change Hashing
Utilizing the Command Line Interface 2-36 Managing the XSR 5. Set the operation to imageSetSelected: set 1.1.1.1 .1.3.6.1.4.1.5624.1.2.16.2.7.1.3.1 0100 6. Set the row to active: set 1.1.1.1 .1.3.6.1.4.1.5624.1.2.16.2.7.1.11.1 1 7. Reboot the XSR to load the new image by configuring the following:...
Page 73 - Displaying System Status and Statistics; Memory Management; Creating Resources
Memory Management XSR User’s Guide 2-37 When the XSR boots up, the checksum of these files is calculated and stored in volatile memory. From then on any time the content of those files is changed the hash is recalculated and stored. You can access the hash value in the etsysConfigMgmtPersistentStora...
Page 74 - Network Management through SNMP
Network Management through SNMP 2-38 Managing the XSR When the memory governor is asked to allow or deny a new resource, the decision is based on: • memory low watermark • extreme limit You can push the extreme limit of individual resources as long as the memory low watermark is not met. Once the lo...
Page 75 - SNMP Informs; Shaping Trap Traffic
Network Management through SNMP XSR User’s Guide 2-39 SNMP Informs SNMP Informs were first introduced in SNMPv2. An Inform is essentially nothing more than an acknowledged trap. That is, when a remote application receives an Inform it sends back an “I got it” message. When you send an Inform you us...
Page 76 - Network Monitoring via Service Level Agreement Agent; Measuring Performance Metrics
Network Management through SNMP 2-40 Managing the XSR Alarm Management (Traps) The following events are supported by SNMP traps: snmpTrapColdStart, snmpTrapWarmStart, snmpTrapLinkDown, snmpTrapLinkUp, snmpTrapAuthFailure, entityTrapConfigChange, frameRelayTrapfrDLCIStatusChange, ospfTrapIfStateChang...
Page 77 - Create an Owner; Figure 2-4 NetSight Atlas MIB Tools Screen; Create a Measurement to Ping
Network Management through SNMP XSR User’s Guide 2-41 Latency (network delay) is measured with the formula: D(i)=(Ri-Si), which is the round-trip interval between sending and receiving the ICMP packet triggered by the initiator and echoed back by the target. Jitter (network delay variation) is the ...
Page 78 - Via SNMP
Network Management through SNMP 2-42 Managing the XSR Via SNMP The following example creates a row in the aggregate measure table with owner userA. If the entry is created with owner monitor, replace 5.117.115.101.114.65 with 7.109.111.110.105.116.111.114. 1. Create a row ( etsysSrvcLvlAggrMeasur...
Page 79 - Query a Measurement; Using the SLA Agent in SNMP; Full Configuration Backup/Restore; Cabletron CTdownload MIB
Network Management through SNMP XSR User’s Guide 2-43 Query a Measurement Now that you have performed the previous actions, you can query the measurement result. Via CLI The following command displays rtr output: XSR#show rtr history Via SNMP 1. Query the etsysSrvcLvlHistoryTable ( 1.3.6.1.4.1.5624....
Page 80 - Software Image Download using NetSight; SNMP Download with Auto-Reboot Option; CLI Translator; Appending CLI Commands to Configuration Files via SNMP
Network Management through SNMP 2-44 Managing the XSR Software Image Download using NetSight The NetSight Remote Administrator application can download an image to the XSR using TFTP. The software image download is initiated through NetSight using an SNMP set command, which triggers a TFTP download ...
Page 81 - Accessing the XSR Through the Web; NetSight Atlas Router Services Manager v2.0
Accessing the XSR Through the Web XSR User’s Guide 2-45 1. Write a plain ASCII file containing the CLI commands you want entered. For example: interface FastEthernet2 ip address 192.168.19.1 255.255.255.0 no shutdown 2. Save and move the file to the root directory of the TFTP server on your PC. 3. Use...
Page 82 - Using the CLI for Downloads; Using SNMP for Downloads; Fault Reporting
Network Management Tools 2-46 Managing the XSR Using the CLI for Downloads TFTP can be used to transfer system firmware to the XSR remotely. A TFTP server must be running on the remote machine and the firmware image file must reside in the TFTP root directory of the server when using the copy tftp f...
Page 83 - Managing LAN/WAN Interfaces; Overview of LAN Interfaces
XSR User’s Guide 3-1 3 Managing LAN/WAN Interfaces Overview of LAN Interfaces The XSR supports two 10/100 Base-T FastEthernet ports on the XSR 1800 Series branch routers and three 10/100/1000 Base-T GigabitEthernet ports on the XSR 3000 Series regional routers. All ports are capable of running in ha...
Page 84 - Configuring the LAN; Variable
Configuring the LAN 3-2 Managing LAN/WAN Interfaces • Maximum Transmission Unit (MTU) - all frames less than or equal to 1518 bytes are accepted. MTU size is set using the ip mtu command. • Speed is enabled using the speed command with the following options: – 10 - 10 Mbps – 100 - 100 Mbps – 1000 - ...
Page 85 - Overview of WAN Interfaces
Overview of WAN Interfaces XSR User’s Guide 3-3 Overview of WAN Interfaces The XSR supports as many as six serial cards (in an XSR-3250), each of which can support four ports for a maximum of 24 serial ports. Each port is individually configurable regarding speed, media-type, and protocol. The Seria...
Page 86 - Configuring the WAN
Configuring the WAN 3-4 Managing LAN/WAN Interfaces • Clocking speed - For Sync interfaces, an external clock must be provided. Acceptable clock values range from 2400 Hz to 10 MHz. For Async interfaces, the clock is internally generated and can be set to the following values using clock rate: – 24...
Page 89 - Features
XSR User’s Guide 4-1 4 Configuring T1/E1 & T3/E3 Interfaces Overview The XSR provides Frame Relay and PPP service via T1/E1 and T3/E3 functionality as well as Drop and Insert features. T1/E1 Functionality The XSR provides a T1/E1 subsystem on a single NIM-based I/O card with a maximum of two ins...
Page 90 - T3 Mode; E3 Mode
Features 4-2 Configuring T1/E1 & T3/E3 Interfaces • Support for local and remote loopback • Support for an IP interface as a loopback (refer to the CLI Reference Guide for an example) • Timing - line and internal • Framing - T1: SF, ESF; E1: CRC4, NO-CRC4 • Line encoding - T1: AMI, B8ZS; E1: AMI...
Page 91 - T1/E1 Subsystem Configuration
Features XSR User’s Guide 4-3 • Line rate - 34.368 Mbps • Full rate - 34.0995 Mbps (G751) • Sub-rate - approximately 3 Mbps increments up to 33 Mbps • Compatible DSUs supported – Cisco or Quick Eagle (formerly Digital Link) DL3100 E3 -300-33.920 Kbps – ADC Kentrox T3/E3 IDSU • Scrambling - Cisco mod...
Page 92 - Figure 4-1 Drop and Insert NIM Topology; Drop and Insert Features; PSTN
Features 4-4 Configuring T1/E1 & T3/E3 Interfaces • Clear Channel service is similar to the full rate service except that the data stream rate is slightly higher because the framing overhead bits are also used to deliver data. – T3 - Not Available – E3 - 34.368Mbps payload T1 Drop & Insert O...
Page 93 - Configuring Channelized T1/E1 Interfaces
Configuring Channelized T1/E1 Interfaces XSR User’s Guide 4-5 • The D&I NIM supports different framing and line coding on the CO T1 and PBX T1 ports (ESF versus D4, B8ZS versus AMI), but if the ports are not identically configured, the bypass relays will not restore the voice link in the case of...
Page 94 - no shutdown; Configuring Un-channelized T3/E3 Interfaces; slot; protocol
Configuring Un-channelized T3/E3 Interfaces 4-6 Configuring T1/E1 & T3/E3 Interfaces 9. Add any additional configuration commands required to enable IP- or PPP-related protocols. 10. Use the no shutdown and exit commands to enable the interface and return to configuration mode. Repeat the previo...
Page 97 - cablelength long/short
Troubleshooting T1/E1 & T3/E3 Links XSR User’s Guide 4-9 2. Restart the controller: XSR(config-controller<T1/0>)#no shutdown If the T1/E1 or T3/E3 controller and line are not up, check that either the T3/E3 NIM LOS or LOF LEDs are shining or one of the following messages displays in the sh...
Page 98 - Transmit Sending Remote Alarm (Red Alarm)
Troubleshooting T1/E1 & T3/E3 Links 4-10 Configuring T1/E1 & T3/E3 Interfaces Receive Remote Alarm Indication (RAI - Yellow Alarm) 1. Insert an external loopback cable into the T1/E1 or T3/E3 port. 2. Use the show controller command to check for alarms. To identify the type of the alarm, ana...
Page 100 - Slip Seconds Counter Increasing
Troubleshooting T1/E1 & T3/E3 Links 4-12 Configuring T1/E1 & T3/E3 Interfaces Figure 4-6 T1/E1 & T3/E3 Error Events Analysis Troubleshooting Flowchart Slip Seconds Counter Increasing If slip seconds are present on the T1/E1 or T3/E3 line, usually there is a clocking problem. Complete the...
Page 101 - Framing Loss Seconds Increasing; Line Code Violations Increasing; cablelength long; Configuring the D&I NIM
Troubleshooting T1/E1 & T3/E3 Links XSR User’s Guide 4-13 Framing Loss Seconds Increasing If framing loss seconds are present on the T1/E1 line, usually there is a framing problem. Perform the following steps to correct this problem: 1. Ensure the framing format configured on the controller port...
Page 103 - Configuring IP
XSR User’s Guide 5-1 5 Configuring IP Overview This document describes the XSR’s IP protocol suite functionality including: • General IP features (ARP, ICMP, TCP, UDP, TFTP, Telnet, SSH, NAT, VRRP, Proxy DNS, et al.) • IP routing (RIP, OSPF, static routing, triggered-on-demand RIP updates) • VLAN ro...
Page 106 - ARP and Proxy ARP
General IP Features 5-4 Configuring IP • Virtual Router Redundancy Protocol (VRRP): RFC-2338 and Definitions of Managed Objects for the Virtual Router Redundancy Protocol: RFC-2787 • Equal-Cost Multi-Path (ECMP) per packet and per flow (round robin) for OSPF, BGP and static routes (RIP excluded) – U...
Page 107 - source gateway; Broadcast; Directed Broadcast; Local Broadcast; ICMP
General IP Features XSR User’s Guide 5-5 When a BOOTP/DHCP response is received, the packet is sent to the requester as a unicast IP packet, according to RFC-951, with clarifications in RFC-1532. The source addresses of the relayed BOOTP/DHCP packets can be selected using ip dhcp relay-source gatew...
Page 108 - TCP; SSH
General IP Features 5-6 Configuring IP does not actually examine or store full routing tables sent by routing devices, it merely keeps track of which systems are sending such data. Using IRDP, the XSR can specify both a priority and the time after which a device should be assumed down if no further ...
Page 109 - IP Interface; Secondary IP; Interface & Secondary IP
General IP Features XSR User’s Guide 5-7 hostkey.dat file unless none have been generated or the content of the file is corrupted in which case default keys are used to secure the connection. A number of SSH clients are commercially available. Enterasys recommends the PuTTY client freeware as compat...
Page 111 - Routing Table Manager & Secondary IP; Unnumbered Interface & Secondary IP
General IP Features XSR User’s Guide 5-9 Routing Table Manager & Secondary IP If the interface is up, each primary and secondary IP address will have an entry in the routing table as a directly connected route. If the interface is rejected or the IP addresses configured on it are removed, the Ro...
Page 112 - Ping; Traceroute; IP Routing Protocols
IP Routing Protocols 5-10 Configuring IP VRRP & Secondary IP Multiple virtual IP addresses per Virtual Router (VR) are available to support multiple logical IP subnets on a single LAN segment. Secondary IP interacts with the XSR’s implementation of the Virtual Router Redundancy Protocol (VRRP) a...
Page 116 - OSPF
IP Routing Protocols 5-14 Configuring IP • Dial-on-demand connections. Retransmissions are governed by the following conditions, among others: • The retransmission timer is a periodic timer set to 5 seconds. • A limit in the number of retransmissions will be set, after which the routes learned throu...
Page 117 - LSA Type 3 and 5 Summarization; OSPF Database Overflow
IP Routing Protocols XSR User’s Guide 5-15 • Incremental SPF is always enabled. SPF calculation can be changed with timers spf • Hello wait intervals with ip ospf dead-interval and ip ospf hello-interval as well as the poll timer to set up adjacencies as quickly as possible with ip ospf poll-timer •...
Page 118 - OSPF Passive Interfaces
IP Routing Protocols 5-16 Configuring IP Each LSA type configurable for database overflow can generate a log to reflect pending overflow, overflow entered and exited logs in this format: – Date and time stamp – Router ID (IP address) – Module (OSPF) – Log Description – LSA Type – Current LSA count ...
Page 119 - OSPF Troubleshooting; Route Preference
IP Routing Protocols XSR User’s Guide 5-17 OSPF Troubleshooting XSR commands provide debugging of OSPF Version 2 control information including: • Monitoring specific OSPF events from the CLI with show ip ospf (with debugging enabled) • Control Packets with debug ip ospf packet • LSA transmissions/re...
Page 120 - Static Routes; VLAN Routing
IP Routing Protocols 5-18 Configuring IP – Static routes: 1 – BGP external routes: 20 – OSPF intra-area routes: 108 – OSPF inter-area routes: 110 – OSPF external routes: 112 – RIP routes: 120 – BGP internal routes: 200 – Values between 241 and 255 are reserved for internal use • The show ip route co...
Page 121 - Figure 5-2 Typical Configuration of VLAN Routing; Forwarding VLAN, PPPoE over VLAN; WAN
IP Routing Protocols XSR User’s Guide 5-19 Figure 5-1 802.1Q VLAN Tag The reserved Tag Type denotes the associated Ethernet frame type of the VLAN Tag while the remaining 16 tag bits comprise this control data: • a 3-bit value indicating the user priority of the Ethernet frame for QoS purposes • a 1...
Page 122 - VLAN Processing Over the XSR’s Ethernet Interfaces; Figure 5-4 XSR’s VLAN Processing
IP Routing Protocols 5-20 Configuring IP Figure 5-3 Topology of Ethernet/PPPoE/VLAN/PPPoE over VLAN VLAN Processing Over the XSR’s Ethernet Interfaces The VLAN routing process, shown in Figure 5-4, works as follows on the XSR. The following steps are reflected in the graphic below. Figure 5-4 XSR’s...
Page 123 - Figure 5-5 VLAN Ethernet to Fast/GigabitEthernet Topology; VLAN Processing: VLAN-enabled Ethernet to WAN Interfaces; Figure 5-6 VLAN Ethernet to WAN Interfaces Topology
IP Routing Protocols XSR User’s Guide 5-21 Figure 5-5 VLAN Ethernet to Fast/GigabitEthernet Topology VLAN Processing: VLAN-enabled Ethernet to WAN Interfaces In this scenario, shown in Figure 5-6, the XSR does not insert a VLAN tag in Ethernet frames because no VLAN is linked with the outgoing port...
Page 124 - Figure 5-7 WAN Interface to VLAN Ethernet Topology; QoS with VLAN; Policy Based Routing; Accessing the Global Routing Policy Table
IP Routing Protocols 5-22 Configuring IP Figure 5-7 WAN Interface to VLAN Ethernet Topology For sample configurations, refer to “Configuring VLAN Examples” on page 5-46. QoS with VLAN The XSR’s support for Quality of Service (QoS) with VLAN is described in the chapter “Configuring Quality of Service...
Page 125 - Match Clauses; PBR Cache
IP Routing Protocols XSR User’s Guide 5-23 2. When a policy entry is found for a packet, the table search ends and the packet is processed according to that entry. 3. Each entry has a group of match and set clauses. All match clauses must match in order to process the packet according to the entry. ...
Page 126 - Default Network; Router ID
IP Routing Protocols 5-24 Configuring IP Default Network The default network is used to specify candidates for the default route when a default route is not specified or learned. If the network specified by the ip default-network command appears in the routing table from any source (dynamic or stati...
Page 127 - Real Time Protocol (RTP) Header Compression
IP Routing Protocols XSR User’s Guide 5-25 Leaving the Router ID unconfigured or allowing it to be assigned by default to a physical IP interface can be risky because physical interfaces are impermanent and their IP addresses can be re-configured. A change in an IP address or the state of a physical...
Page 128 - Network Address Translation
IP Routing Protocols 5-26 Configuring IP RTP_compression TX reached maximum allowed connections, RTP compression received un-expected 8 bit CID RTP compression received un-expected 16 bit CID Received CID (mmm) exceeds the negotiated max CID nnn. Network Address Translation Network Address Translati...
Page 129 - Virtual Router Redundancy Protocol
IP Routing Protocols XSR User’s Guide 5-27 • Application Level Gateway (ALG) for FTP, ICMP, Netbios over TCP and UDP – PPTP/GRE ALG for NAPT - allows PPTP traffic to be NATted • Multiple ISP - NAPT based on the egress interface. • With NAPT, routing is not automatically filtered out. Use distributio...
Page 130 - Figure 5-8 Simple VRRP Topology; Figure 5-9 Load Balanced, Redundant VRRP Topology; VRRP Definitions
IP Routing Protocols 5-28 Configuring IP Figure 5-8 Simple VRRP Topology Because the VR uses the IP address of the physical Ethernet interface of XSR1, XSR1 becomes the master VR, also known as the IP address owner. XSR1, as the master VR, assumes the IP address of the VR and is responsible for fo...
Page 131 - How the VRRP Works; Different States of a VRRP Router
IP Routing Protocols XSR User’s Guide 5-29 • Virtual Router - An abstract object managed by VRRP that acts as a default router for hosts on a shared LAN. It consists of a VR Identifier and a set of associated IP address(es) across a common LAN. A VRRP router may back up one or more VRs. • IP Address...
Page 132 - VRRP Features; Multiple Virtual IP Addresses per VR; Multiple VRs Per Router
IP Routing Protocols 5-30 Configuring IP • Broadcasts an ARP message with the VR’s MAC address to all the IP addresses associated with the VR’s IP address, • Starts the advertisement timer, • And transitions to the master state. • If an advertisement is received that has a higher priority, or a high...
Page 134 - ICMP Ping
IP Routing Protocols 5-32 Configuring IP • Master VR - all traffic, including locally generated or forwarding traffic, uses one of the virtual MAC addresses as the source MAC address except VRRP protocol packets, which use the corresponding virtual MAC address as the source MAC address. For example,...
Page 135 - Watch Group Monitoring
IP Routing Protocols XSR User’s Guide 5-33 When the actual IP address owner of the Virtual IP address releases the master state of the VR, it will no longer be able to receive any IP packet destined for that address even though the actual interface is still up. This may cause routing packets to not ...
Page 136 - Configuration Considerations
IP Routing Protocols 5-34 Configuring IP Equal-Cost Multi-Path (ECMP) Equal-Cost Multi-Path (ECMP) is a technique to forward packets along multiple paths of equal cost, aggregating multiple physical links into one virtual link to effectively increase the total bandwidth of a connection. Internally, ...
Page 137 - Figure 5-10 ECMP VPN Load Balancing Topology; Configuring RIP Examples; Central XSR
Configuring RIP Examples XSR User’s Guide 5-35 Figure 5-10 ECMP VPN Load Balancing Topology Configuring RIP Examples The following example enables RIP on both FastEthernet interfaces and a serial link of the XSR. The FastEthernet 2 interface is configured to be totally passive (updates not sent or r...
Page 139 - Configuring Unnumbered IP Serial Interface Example
Configuring Unnumbered IP Serial Interface Example XSR User’s Guide 5-37 Configuring Unnumbered IP Serial Interface Example The following example configures an X.21-type, serial interface 1/0 as an unnumbered serial interface. Serial 1/0 is directed to use the IP address of FastEthernet port 1. XSR(...
Page 140 - Configuring NAT Examples; Figure 5-11 NAT Inside Source Translation; Configuring Static Translation; Internet; XSR
Configuring NAT Examples 5-38 Configuring IP Configuring NAT Examples Basic One-to-One Static NAT The following example illustrates inside source address translation on the XSR, as shown in Figure 5-11 below. Figure 5-11 NAT Inside Source Translation 1. The user at 10.1.1.1 opens a connection to hos...
Page 141 - Dynamic Pool Configuration; Figure 5-12 Dynamic Pool Translation; Configuring Dynamic Pool Translation
Configuring NAT Examples XSR User’s Guide 5-39 Dynamic Pool Configuration The following example illustrates dynamic pool translation on the XSR, as shown in Figure 5-12. Figure 5-12 Dynamic Pool Translation Configuring Dynamic Pool Translation Dynamic pool translation, as shown in Figure 5-12, is ...
Page 142 - Network Address and Port Translation; Configuring NAPT
Configuring NAT Examples 5-40 Configuring IP 3. Optional. Add an ACL to permit NAT traffic from the 10.1.1.0 network. All other traffic is implicitly denied. XSR(config)#access-list 57 permit 10.1.1.0 0.0.0.255 4. Optional. Reset the default NAT timeout interval to 5 minutes: XSR(config)#ip nat tr...
Page 143 - Multiple NAT Pools within an Interface; Figure 5-14 Multiple NAT Pools within Interface
Configuring NAT Examples XSR User’s Guide 5-41 3. Host 172.20.2.1 receives the packet and responds to address 200.2.2.1. 4. When the XSR receives the packet, it searches the NAPT table, using the protocol, global address and port, and translates the address to the inside local address 10.1.1.1 and d...
Page 144 - Static NAT within an Interface
Configuring NAT Examples 5-42 Configuring IP 2. The first packet the XSR receives from 10.1.1.1 is checked against its ACLs. ACL 101 matches and pool NatPool is used. A check is made for an existing mapping; if one is found it is used, otherwise a new one is created. The global address is 200.2.2.1. 3. Packet...
Page 145 - Figure 5-15 Static NAT within Interface
Configuring NAT Examples XSR User’s Guide 5-43 Figure 5-15 Static NAT within Interface As shown in Figure 5-15, packets from the PC at 10.1.1.1 are statically NATted to the PC at 203.2.2.1 but through neither of the pools. This occurs because static NAT takes precedence over other NAT forms. Also, ...
Page 146 - NAT Port Forwarding; Figure 5-16 NAT Port Forwarding; Configuring Policy Based Routing Example
Configuring Policy Based Routing Example 5-44 Configuring IP + The above optional NAPT commands use ACL 101 for the 200.2.2.0 network and ACL 102 for the 201.2.2.0 network XSR(config-if<F2>)#ip nat source intf-static 10.1.1.1 203.2.2.1 + The above optional command statically NATs packets from ...
Page 147 - Configuring VRRP Example; Router XSRa
Configuring VRRP Example XSR User’s Guide 5-45
XSR(config-if<G1>)#ip policy
These commands create the PBR, map it to ACL 101, and set the forwarding router as 192.168.5.2:
XSR(config)#route-map pbr 101
XSR(config-pbr-map)#match ip address 101
XSR(config-pbr-map)#set ip next-hop 192.168.5.2
Confi...
Page 148 - Configuring VLAN Examples
Configuring VLAN Examples 5-46 Configuring IP
XSRb(config-if<F1>)#vrrp 5 priority 200
XSRb(config-if<F1>)#vrrp 5 adver-int 30
XSRb(config-if<F1>)#vrrp 5 ip 10.10.10.50
XSRb(config-if<F1>)#vrrp 5 preempt delay 2
XSRb(config-if<F1>)#vrrp 5 track serial 2/0
XSRb(config-if<F1...
Page 149 - Configuring the Border Gateway Protocol
XSR User’s Guide 6-1 6 Configuring the Border Gateway Protocol Features The XSR supports the following Border Gateway Protocol (BGP-4) features: • Full mandatory BGP v4 protocol support (RFC-1771) • Support for all BGP v4 MIB tables defined in RFC-1657 including BGP SNMP traps • Protection of BG...
Page 150 - Figure 6-1 Differentiating EBGP from IBGP; Describing BGP Messages; Open
Overview 6-2 Configuring the Border Gateway Protocol Figure 6-1 Differentiating EBGP from IBGP BGP can be categorized as a path vector routing protocol which defines a route as a pairing between a destination and the qualities of the path to that destination. The main role of a BGP-speaking node is ...
Page 151 - Update; Notification; Defining BGP Path Attributes
Overview XSR User’s Guide 6-3 • Hold time: Number of seconds that the sender proposes for the value of the Hold Timer. The hold time defines the interval that can elapse without the receipt of an Update or KeepAlive message before the peer is assumed to be disabled. • BGP identifier: IP address of...
Page 152 - AS Path; Figure 6-2 AS Path List; Origin
Overview 6-4 Configuring the Border Gateway Protocol AS Path The AS_PATH attribute, as shown in Figure 6-2, is the sequence of AS numbers a route has traversed to reach a destination. The AS that originates the route adds its own AS number when sending the route to its EBGP peers. Subsequently, eac...
Page 153 - Next Hop; Local Preference
Overview XSR User’s Guide 6-5 BGP considers the ORIGIN attribute in its decision-making process to set a preference ranking among multiple routes. Namely, BGP prefers the path with the lowest origin type, where IGP is lower than EGP, and EGP is lower than INCOMPLETE. The attribute is configured with...
Page 155 - Weight; Atomic Aggregate
Overview XSR User’s Guide 6-7 Weight Weight, as shown in Figure 6-4, and LOCAL_PREF attributes are similar except that weight is not exchanged between routers. It is significant only locally. Higher preference is accorded the route with a higher weight. Weight can be used to influence routes coming...
Page 156 - Aggregator; Figure 6-5 Aggregate and Aggregator Attribute; Multi-Exit Discriminator
Overview 6-8 Configuring the Border Gateway Protocol Aggregator The AGGREGATOR attribute, as shown in Figure 6-5, is added by the BGP speaker that formed the aggregate route. It includes the AS and router ID of the BGP speaker that originated the aggregate prefix. It is commonly used for debugging ...
Page 157 - Figure 6-6 MED Applied to Direct Ingress Traffic Flow to an AS; Community
Overview XSR User’s Guide 6-9 Figure 6-6 MED Applied to Direct Ingress Traffic Flow to an AS Community A BGP community, as shown in Figure 6-7, is defined as a group of destinations that share some common property and is not limited to one network or AS. Communities simplify routing policies by ide...
Page 158 - Figure 6-7 Application of Community Attribute
Overview 6-10 Configuring the Border Gateway Protocol learn, advertise, or redistribute routes. When routes are aggregated, the resulting aggregate has a COMMUNITIES attribute that contains all communities from all the initial routes. Community lists form groups of communities for use in a route map...
Page 159 - BGP Path Selection Process; Figure 6-8 BGP Path Selection Algorithm; BGP Routing Policy; Figure 6-9 BGP Routing Policy Process
Overview XSR User’s Guide 6-11 BGP Path Selection Process BGP routers usually consider multiple paths to a destination. The BGP best path selection process decides the optimal path to install in the IP routing table and use for forwarding traffic. Only routes that are synchronized, are free of AS lo...
Page 160 - Access Control Lists; Filter Lists; Community Lists
Overview 6-12 Configuring the Border Gateway Protocol Access Control Lists Access Control Lists (ACLs) are filters which permit or deny access to one or more IP addresses. ACLs generally apply to both route updates and packet filtering but with BGP, route update filtering is emphasized. Prefix-based...
Page 161 - Regular Expressions; Regular Expression Examples
Overview XSR User’s Guide 6-13 • Set community attributes for a specific route with set community • Set the origin for a specific route with set origin • Set the MED of a specific route with set metric • Set the local preference for a specific route with set local-preference • Set the AS-Path list f...
Page 162 - Peer Groups; Creating a Peer Group
Overview 6-14 Configuring the Border Gateway Protocol • Display all routes with any AS path: – show ip bgp “.*” • Display all routes having at least two AS numbers in the AS path: – show ip bgp “. . + “ • Display all routes that traversed AS number 600: – show ip bgp “.* 600 .*” • Display all routes...
Page 163 - Initial BGP Configuration; network; Adding BGP Neighbors; Resetting BGP Connections; clear ip bgp address
Overview XSR User’s Guide 6-15 • Permit a local BGP speaker to send the default route 0.0.0.0 to a neighbor as the default route: neighbor default-originate • Configure the COMMUNITIES attribute to be sent to the neighbor at this IP address: neighbor send-community • Permit interior BGP sessions to ...
Page 164 - Synchronization; Address Aggregation
Overview 6-16 Configuring the Border Gateway Protocol Synchronization When an AS provides transit service to other ASs and if there are non-BGP routers in the AS, transit traffic might be dropped if the intermediate non-BGP routers have not learned routes for that traffic via an IGP. BGP synchroniza...
Page 165 - Recommendations for Route Flap Dampening; Capability Advertisement; Route Refresh
Overview XSR User’s Guide 6-17 prefix is suppressed for a calculated period (a penalty) which is further incremented with every subsequent flap. The penalty is then decremented by a half-life value until the penalty is below a reuse threshold. So, if stable for a certain period, the hold-down is rel...
Page 166 - Scaling BGP; Figure 6-10 Fully Meshed BGP
Overview 6-18 Configuring the Border Gateway Protocol Scaling BGP BGP requires that all BGP speakers within a single AS (IBGP) be fully meshed, as shown in Figure 6-10. The result is that for any BGP speakers within an AS, the number of unique BGP sessions required is determined by the following fo...
Page 167 - Route Reflectors; Figure 6-11 Route Reflector Applied to Minimize IBGP Mesh
Overview XSR User’s Guide 6-19 Route Reflectors Route reflectors are an alternative to the requirement of a fully meshed network within an AS, as illustrated in Figure 6-11. This approach allows a BGP speaker (known as a route reflector) to advertise IBGP learned routes to certain IBGP peers. This...
Page 168 - Confederations
Overview 6-20 Configuring the Border Gateway Protocol It is typical for a client cluster to have one route reflector and be identified by the reflector’s router ID. If you want greater redundancy and wish to avoid a single point of failure, you can add more than one reflector to a cluster. This is ...
Page 169 - Figure 6-12 Figure 12 Use of Confederations to Reduce IBGP Mesh; Displaying System and Network Statistics; Confederation
Overview XSR User’s Guide 6-21 Figure 6-12 Figure 12 Use of Confederations to Reduce IBGP Mesh Displaying System and Network Statistics The XSR supports BGP statistical displays such as routing table entries, caches, and databases. The XSR can also show data about node accessibility and the path pa...
Page 170 - Configuring BGP Route Maps
Configuring BGP Route Maps 6-22 Configuring the Border Gateway Protocol • Show BGP peer group data: show ip bgp peer-group • Show routes matching regular AS path expressions: show ip bgp regexp • Show summary BGP neighbor status: show ip bgp summary Configuring BGP Route Maps The following example i...
Page 171 - Configuring BGP Neighbors
Configuring BGP Route Maps XSR User’s Guide 6-23
XSR(config-router)#neighbor 192.168.57.4 remote-as 200
XSR(config-router)#neighbor 192.168.57.4 route-map 77 out
XSR(config-router)#route-map 77 5 permit
XSR(config-route-map)#set as-path prepend 100
XSR(config-route-map)#match ip address 12
XSR(config-ro...
Page 172 - BGP Aggregate Route Examples; Configuring BGP Confederations
Configuring BGP Route Maps 6-24 Configuring the Border Gateway Protocol
XSR(config-router)#neighbor 192.168.57.69 filter-list 3 out
XSR(config-router)#neighbor 192.168.57.69 filter-list 2 in
XSR(config-router)#exit
XSR(config)#ip as-path access-list 1 permit _102_
XSR(config)#ip as-path access-list 2 pe...
Page 173 - TCP MD5 Authentication for BGP Example; Configuring BGP Peer Groups; IBGP Peer Group Example
Configuring BGP Peer Groups XSR User’s Guide 6-25 XSR(config-router)#neighbor 130.32.32.1 remote-as 37 In a BGP speaker in AS 2, configure the peers from AS’s 1 and 3 as special EBGP peers. Node 191.169.57.1 is a standard IBGP peer and 131.21.12.2 is a standard EBGP peer from AS 30. XSR(config)#rout...
Page 174 - EBGP Peer Group Example; BGP Community with Route Maps Examples
Configuring BGP Peer Groups 6-26 Configuring the Border Gateway Protocol
XSR(config-router)#neighbor IBGP filter-list 1 out
XSR(config-router)#neighbor IBGP filter-list 2 in
XSR(config-router)#neighbor 192.168.57.3 peer-group IBGP
XSR(config-router)#neighbor 192.168.57.4 peer-group IBGP
XSR(config-route...
Page 177 - Configuring PIM-SM and IGMP; Differences with Industry-Standard Approach
XSR User’s Guide 7-1 7 Configuring PIM-SM and IGMP This chapter describes Protocol Independent Multicast - Sparse Mode (PIM-SM) and Internet Group Management Protocol (IGMP) configuration. Features The XSR supports the following IGMP/PIM features: • IGMP versions 1, 2 and 3 (on LAN interface only) •...
Page 178 - IP Multicast Overview; Defining Multicast Group Addressing
IP Multicast Overview 7-2 Configuring PIM-SM and IGMP calculates the checksum based on the whole Register packet including the data portion. When the XSR receives a Register packet, it accepts both partial and whole checksum methods. • The XSR permits configuration of the CRP value and sets the defa...
Page 179 - Figure 7-1 Sample IP Multicast Address Mapped to MAC Address; Outlining IGMP Versions; Comparing Multicast Distribution Trees
IP Multicast Overview XSR User’s Guide 7-3 • Addresses between 239.0.0.0 and 239.255.255.255 should not be forwarded beyond an organization's intranet. • Addresses between 232.0.0.0 and 232.255.255.255 are set aside especially for a Source-Specific Multicast service (SSM). IP multicast enables multi...
Page 180 - Forwarding Multicast Traffic; Describing the XSR’s IP Multicast Features
Describing the XSR’s IP Multicast Features 7-4 Configuring PIM-SM and IGMP Two basic types of MDTs are source and shared trees, described as follows: • A source tree is a distribution network with its root at the source and branches forming a spanning tree through the network to its receivers. Becau...
Page 181 - Group Membership Actions; Sending a Query
Describing the XSR’s IP Multicast Features XSR User’s Guide 7-5 IGMP is an asymmetric protocol, so there are separate behaviors for group members (hosts or routers that wish to receive multicast packets) and multicast routers (routers that can forward multicast packets). Group Membership Actions Gro...
Page 182 - Receiving a Query; Receiving a Report; Source-Specific Forwarding Rules; Interoperating with Older IGMP Versions; Query Version Distinctions; Behavior of Group Members Among Older Version Queriers
Describing the XSR’s IP Multicast Features 7-6 Configuring PIM-SM and IGMP Receiving a Query When a LAN contains multiple multicast routers, IGMPv3 chooses a single querier per subnet using the same querier election mechanism as IGMPv2, namely by IP address. When a router receives a query with a lo...
Page 183 - Behavior of Group Members Among Older Version Group Members; Behavior of Multicast Routers Among Older Version Group Members; Describing the XSR’s PIM-SM v2 Features
Describing the XSR’s PIM-SM v2 Features XSR User’s Guide 7-7 Behavior of Group Members Among Older Version Group Members An IGMPv3 host may be situated in a network where hosts have not yet been upgraded to IGMPv3. A host may allow its IGMPv3 Membership Record to be suppressed by either a Version 1 ...
Page 184 - Phase 1: Building a Shared Tree; Phase 2: Building Shortest Path Tree Between Sender & RP
Describing the XSR’s PIM-SM v2 Features 7-8 Configuring PIM-SM and IGMP Phase 1: Building a Shared Tree During phase one, PIM-SM builds a shared tree rooted at a special router called Rendezvous Point (RP), as shown in Figure 7-2. Each multicast group is mapped to a specific RP to which all Designe...
Page 185 - Phase 3: Building Shortest Path Tree Between Sender & Receiver
Describing the XSR’s PIM-SM v2 Features XSR User’s Guide 7-9 interconnects with a router which is already on the shortest path tree from S to the same multicast group, the Join message can end on that router to get a short-cut path. After the path is established, both the native packet along the SPT...
Page 186 - Neighbor Discovery and DR Election
Describing the XSR’s PIM-SM v2 Features 7-10 Configuring PIM-SM and IGMP Figure 7-4 Phase 3 Topology: Shortest Path Tree Between Sender and Receiver Neighbor Discovery and DR Election PIM-SM neighbor discovery and DR election are performed via Hello messages which are sent periodically through each ...
Page 187 - PIM Register Message; Bootstrap & Rendezvous Point; Assert Processing
Describing the XSR’s PIM-SM v2 Features XSR User’s Guide 7-11 PIM Register Message By the end of PIM-SM phase one, the DR for the sender will encapsulate packets from the sender in a Register message and send it to RP for the multicast group. When the DR receives a RegisterStop message from RP, the ...
Page 188 - Source-Specific Multicast
Describing the XSR’s PIM-SM v2 Features 7-12 Configuring PIM-SM and IGMP Assert messages are used to negotiate which router will forward the multicast packets. The rule for the assert winner is the router with the lower preference (usually a unicast routing protocol preference) and a metric learned ...
Page 189 - PIM Configuration Examples
PIM Configuration Examples XSR User’s Guide 7-13 PIM Configuration Examples The following is a simple PIM configuration using the virtual Loopback interface 0 and physical interface FastEthernet 1. Configuring a Loopback interface is a safer way to ensure PIM routers discover each other since specif...
Page 191 - Configuring PPP; PPP Features
XSR User’s Guide 8-1 8 Configuring PPP Overview The Point-to-Point Protocol (PPP), referenced in RFC-1616, is a standard method for transporting multi-protocol datagrams over point-to-point links. PPP defines procedures to assign and manage network addresses, asynchronous and synchronous encapsulati...
Page 193 - Authentication; Challenge Handshake Authentication Protocol (CHAP)
PPP Features XSR User’s Guide 8-3 Authentication Authentication protocols, as referenced in RFC-1334, are used primarily by hosts and routers to connect to a PPP network server via switched circuits or dialup lines, but might be applied to dedicated links as well. The server can use identification o...
Page 196 - Figure 8-5 Multilink Header Option Format
PPP Features 8-6 Configuring PPP MLPPP Packet Fragmentation and Serialization Transmission Latency MLPPP’s packet transport method over multiple member links is made possible by fragmenting the packet after balancing the load bandwidth to fully utilize the member links’ bandwidth. When sent over a M...
Page 197 - Fragment Interleaving Over the Link
PPP Features XSR User’s Guide 8-7 The overall serialization latency for a fragment over a synchronous/asynchronous Serial or T1 link should be multiplied by the size of the transmission queue. To control latency, both the transmission queue size and fragment size must be controlled. Fragment Interl...
Page 198 - Events and Alarms; Multi-Class Option Negotiation; Multi-Class Receiving Packet
PPP Features 8-8 Configuring PPP The class number defaults to five for both short and long sequence numbers. That includes four suspendable levels from 0 to 4 with the highest level at 5. The current limits on memory and throughput set the optimized number of classes to 4 for the XSR. The resu...
Page 199 - IP Address Assignment
PPP Features XSR User’s Guide 8-9 IP Address Assignment In PPP, IPCP configuration option type 3 corresponds to IP address negotiation. This configuration option provides a way to negotiate the IP address to be used on the local end of the link. It allows the sender of the Configure-Request to state...
Page 200 - Configuring PPP with a Dialed Backup Line; interface serial; encapsulation ppp
Configuring PPP with a Dialed Backup Line 8-10 Configuring PPP Configuring PPP with a Dialed Backup Line You can configure PPP on the following types of physical interfaces: • Asynchronous serial • Synchronous serial • T1/E1 By enabling PPP encapsulation on physical interfaces, PPP can also be used ...
Page 201 - Configuring a Dialed Backup Line; Configuring the Dialer Interface
Configuring a Dialed Backup Line XSR User’s Guide 8-11 5. Enter no shutdown to enable this interface. XSR(config-if<S1/0>)#no shutdown Configuring a Dialed Backup Line The following tasks must be performed to configure a Dialed Backup line: • Configure the dialer interface • Configure a physic...
Page 202 - Configuring the Interface as the Backup Dialer Interface
Configuring a Dialed Backup Line 8-12 Configuring PPP Configuring the Interface as the Backup Dialer Interface 1. Enter interface serial card / port to specify the interface to back up. 2. Enter ip address ip-address mask to specify the IP address and subnet mask of the interface. 3. Enter backup in...
Page 203 - Configuring MLPPP on a Multilink/Dialer interface; Multilink Example
Configuring MLPPP on a Multilink/Dialer interface XSR User’s Guide 8-13 Configuring MLPPP on a Multilink/Dialer interface Multilink Example The following example enables Multi-Class MLPPP on interfaces 71, 72 and 73 with different fragmentation delay intervals but permits multicast traffic in and ou...
Page 204 - Configuring BAP; Dual XSRs: One Router Using DoD with Call Request; XSR1 Configuration
Configuring BAP 8-14 Configuring PPP
XSR(config-if<D255>)#multilink min-links 37
XSR(config-if<D255>)#ppp multilink bap
XSR(config-if<D255>)#ppp bap number default 1200
XSR(config-if<D255>)#ppp bap number default 1400
XSR(config-if<D255>)#ppp bap call request
XSR(config-if&l...
Page 205 - XSR2 Configuration
Configuring BAP XSR User’s Guide 8-15
XSR1(config-controller<T1-1/0>)#isdn bchan-number-order ascending
XSR1(config-controller<T1-1/0>)#no shutdown
XSR1(config-controller<T1-1/0>)#dialer pool-member 1 priority 0
2. Configure BRI interface 2/0 with the basic-ni1 switch type and two SP...
Page 206 - Dual XSRs: BAP Using Call/Callback Request
Configuring BAP 8-16 Configuring PPP
3. Configure the Dialer 1 interface with a dialer pool:
XSR2(config)#interface Dialer1
XSR2(config-if<D1>)#no shutdown
XSR2(config-if<D1>)#dialer pool 1
XSR2(config-if<D1>)#encapsulation ppp
4. Set up BAP on Dialer 1 by enabling BAP and adding BAP ...
Page 209 - Configuring Frame Relay; Virtual Circuits; DLCIs
XSR User’s Guide 9-1 9 Configuring Frame Relay Overview Frame Relay (FR) is a simple, bit-oriented protocol that offers fast-packet switching for wide-area networking. It combines the statistical multiplexing and port-sharing features of an X.25 connection with fast speed and low delay for high perf...
Page 210 - Figure 9-1 Frame Relay Network Topology; DTEs; DCEs
Overview 9-2 Configuring Frame Relay Figure 9-1 Frame Relay Network Topology From the perspective of the OSI reference model, Frame Relay is a high-performance WAN protocol suite operating at the physical and data link layers (1 and 2). Starting from a source site, variable-length packets are switch...
Page 211 - Frame Relay Features; Multi-Protocol Encapsulation
Frame Relay Features XSR User’s Guide 9-3 Frame Relay Features The XSR supports the following FR features: • The XSR acts as a DTE/DCE device in the UNI (User Network Interface) interface, supporting FR PVC connections (NNI functionality is not supported) • 10-bit DLCI addressing using a 2-byte DLCI...
Page 212 - Address Resolution; Controlling Congestion in Frame Relay Networks
Controlling Congestion in Frame Relay Networks 9-4 Configuring Frame Relay Address Resolution The XSR supports dynamic resolution via Inverse ARP to map virtual circuits (DLCI) to remote protocol addresses, as defined in RFC-2390. Dynamic Resolution Using Inverse ARP Inverse ARP lets a network node ...
Page 213 - Forward Explicit Congestion Notification (FECN); Backward Explicit Congestion Notification (BECN); Figure 9-2 Congestion Notification
Controlling Congestion in Frame Relay Networks XSR User’s Guide 9-5 Several other parameters work hand-in-hand with CIR in controlling traffic flow. Committed burst (Bc) is the peak number of bits that the network attempts to deliver during a given period. Bc differs from CIR - it is a number, not a...
Page 215 - Table 9-1 LMI Specifications
Link Management Information (LMI) XSR User’s Guide 9-7 Link Management Information (LMI) A FR UNI-DCE device communicates with an attached FR DTE device (e.g., the XSR) about the status of the PVC connections through Link Management Information protocol (LMI). LMI monitors the status of the connecti...
Page 216 - User Configuration Commands
FRF.12 Fragmentation 9-8 Configuring Frame Relay FRF.12 Fragmentation Generally speaking, it is difficult to deliver good end-to-end quality of service for time-sensitive packets (voice and video) when operating over low speed FR lines (64 kbps or lower), especially when the link is also used to tra...
Page 217 - Reports and Alarms; Clear Statistics
FRF.12 Fragmentation XSR User’s Guide 9-9 until you enter the copy running config startup config command to copy the running configuration into the startup configuration file within Flash. Map-Class Configuration The Map Class configures a common profile (characteristics) that can be applied to PVCs...
Page 218 - Interconnecting via Frame Relay Network; Figure 9-3 Branch/Central Frame Relay Topology; Frame Relay; Network
Interconnecting via Frame Relay Network 9-10 Configuring Frame Relay Interconnecting via Frame Relay Network The following typical application uses FR to link remote branches to the corporate network at the central sites via a FR network, as shown in Figure 9-3 . Figure 9-3 Branch/Central Frame Rela...
Page 219 - Figure 9-4 Frame Relay Multipoint to Point-to-Point Topology; New York; Andover
Configuring Frame Relay XSR User’s Guide 9-11 Configuring Frame Relay Multi-point to Point-to-Point Example The following example configures the XSR in New York to connect with XSRs in Andover and Montreal using Frame Relay, as shown in Figure 9-4 . Figure 9-4 Frame Relay Multipoint to Point-to-Poin...
Page 223 - Configuring Dialer Services; Overview of Dial Services; Dial Services Features
XSR User’s Guide 10-1 10 Configuring Dialer Services This chapter details information about the XSR’s suite of dialer functionality: • Dial • Ethernet Failover • Backup Dialer • Dial on Demand (DoD) • Bandwidth on Demand (BoD) • Multilink PPP (MLPPP) • Dialer Interface Spoofing • Dialer Watch Overvi...
Page 224 - Asynchronous and Synchronous Support; Figure 10-1 Typical Dial Services Interconnection; AT Commands on Asynchronous Ports
Asynchronous and Synchronous Support 10-2 Configuring Dialer Services Asynchronous and Synchronous Support Synchronous and asynchronous interfaces can be configured for dialed connections to one or more destination networks. When requested, the XSR uses dialing commands to send the phone number of t...
Page 225 - DTR Dialing for Synchronous Interfaces; Time of Day feature; Option
Asynchronous and Synchronous Support XSR User’s Guide 10-3 Table 10-1 lists V.25bis options. By default, the synchronous port will use V25bis. The functions of these options are nation-specific, and they may have different implementations. Refer to your modem documentation for a list of supported co...
Page 226 - Implementing Dial Services; Dialer Profiles; Dialer
Implementing Dial Services 10-4 Configuring Dialer Services Implementing Dial Services Dial services are provided by dialer interfaces , which are defined as any XSR interface capable of placing or receiving a call. You can implement Dial Services by creating a dialer profile . Refer to Figure 10-2 ...
Page 227 - Dialer Interface
Implementing Dial Services XSR User’s Guide 10-5 to support point-to-point or point-to-multi-point connections and can be non-spoofed for backup purposes. Refer to “Dialer Interface Spoofing” on page 10-18 for more information. • Dialer map class defines all line characteristics of calls to the dest...
Page 228 - Configuring Encapsulation
Implementing Dial Services 10-6 Configuring Dialer Services Configuring Encapsulation When a clear data link is established between two peers, traffic must be encapsulated and framed for transport across the Dialer media. PPP is the encapsulation method of choice for Dialer Services because it suppo...
Page 229 - Figure 10-3 Logical View of Dialer Profiles
Implementing Dial Services XSR User’s Guide 10-7 Figure 10-3 Logical View of Dialer Profiles Figure 10-4 on page 10-8 illustrates three Dialer Interfaces with three associated Dialer Pools. Dialer Pool 6 supports two Serial interfaces of different priority “weighting”. Dialer Pools 3 and 9 support t...
Page 230 - Figure 10-4 Sample Dialer Topology
Implementing Dial Services 10-8 Configuring Dialer Services Figure 10-4 Sample Dialer Topology As illustrated in Figure 10-5 on page 10-9 and Figure 10-6 on page 10-10, Toronto and Andover Dialer Profiles share similar parameters except phone numbers and values specifying the interval to wait for a ...
Page 232 - Creating and Configuring the Dialer Interface; interface dialer; dialer string
Implementing Dial Services 10-10 Configuring Dialer Services Figure 10-6 Dialer Profile of Destination (987) 231-2345 Configuring the Dialer Interface The following tasks need to be performed to configure a dialer profile: • Create and configure the dialer interface • Configure a map class (optional...
Page 233 - Configuring the Map Class; Configuring the Physical Interface for the Dialer Interface; Sample Dialer Configuration
Implementing Dial Services XSR User’s Guide 10-11 Configuring the Map Class 1. Enter map-class dialer classname to create a map-class identifier. This value must match the classname value you specified in the dialer string command. 2. Enter dialer wait-for-carrier-time seconds to set the interval th...
Page 234 - Configuring ISDN Callback; Point-to-Multipoint with Multiple Neighbors
Implementing Dial Services 10-12 Configuring Dialer Services Configuring ISDN Callback The following CLI commands configure point-to-point and point-to-multipoint applications with single or multiple neighbors. Point-to-Point with Matched Calling/Called Numbers The following commands configure the c...
Page 235 - Overview of Dial Backup; Dial Backup Features; Sequence of Backup Events
Overview of Dial Backup XSR User’s Guide 10-13
XSR(config-if<D1>)#dialer idle-timer 0
XSR(config-if<D1>)#dialer map ip 10.10.10.2 9053617921
XSR(config-if<D1>)#dialer map ip 10.10.10.3 9053617363
XSR(config-if<D1>)#encapsulation ppp
XSR(config-if<D1>)#ip address 10.10.10.1 ...
Page 236 - Link Failure Backup Example; Figure 10-7 Backup Link Failure Example
Link Failure Backup Example 10-14 Configuring Dialer Services 8. Backup link is up, triggering the next action. 9. Static Backup route configured - the routing process searches its configured Static Routing entries and installs the routes that can be reached through the backup interface. 10. Dynamic...
Page 238 - Sample Configuration; Figure 10-8 Backup Dial Example; XSRs
Configuring a Dialed Backup Line 10-16 Configuring Dialer Services Sample Configuration Figure 10-8 on page 10-16 shows an example of two dialer interfaces used to back up two separate serial lines using only one dial out line ( serial interface 1 ). Figure 10-8 Backup Dial Example The CLI commands ...
Page 239 - Overview of Dial on Demand/Bandwidth on Demand
Overview of Dial on Demand/Bandwidth on Demand XSR User’s Guide 10-17
XSR(config-if<D2>)#encapsulation ppp
XSR(config-if<D2>)#dialer pool 5
XSR(config-if<D2>)#no shutdown
Configure backup serial port for dial purposes to belong to dial pool 5:
XSR(config)#interface serial 1/0
XSR(conf...
Page 240 - Dialer Interface Spoofing; Dialer Watch
Dialer Interface Spoofing 10-18 Configuring Dialer Services For more information on ISDN fundamentals, refer to “Configuring Integrated Services Digital Network” on page 1 and the XSR CLI Reference Guide. Dialer Interface Spoofing Spoofing on a dialer interface is defined as the line “pretending” to be...
Page 241 - Figure 10-9 Dialer Watch Topology; Dialer Watch Behavior
Dialer Watch XSR User’s Guide 10-19 A watch group can also be specified for use by the Virtual Router Redundancy Protocol (VRRP) with the vrrp <number> track watch-group command. For more information, refer to “Configuring IP” on page 1 . At the outset, the XSR’s Routing Table Manager (RTM) no...
Page 242 - Caveat; Answering Incoming ISDN Calls
Answering Incoming ISDN Calls 10-20 Configuring Dialer Services Caveat The following caveat applies to Dialer Watch functionality: The dialer will not disconnect the secondary backup switched link if this connection has a better cost to the watched route than the primary link. But, you can remedy th...
Page 243 - Incoming Call Mapping Example; Figure 10-10 Incoming Call Mapping Topology; Node A
Answering Incoming ISDN Calls XSR User’s Guide 10-21 Incoming Call Mapping Example This example, as shown in Figure 10-10 , configures a node capable of handling multiple call setup requests coming from different remote peers and maps each incoming call to the correct IP interface (Dialer interface)...
Page 246 - Figure 10-11 Dial on Demand Topology
Configuring DoD/BoD 10-24 Configuring Dialer Services Figure 10-11 Dial on Demand Topology PPP Point-to-Multipoint Configuration In this configuration, only one of the peer nodes can initiate the setup of a switched link when access-list defined data traffic is sent to the remote peer. Node A (Calli...
Page 247 - PPP Multipoint-to-Multipoint Configuration; Node A Configuration
Configuring DoD/BoD XSR User’s Guide 10-25
! XSR(config-if<D2>)#dialer map ip 20.20.20.2 2401
! XSR(config-if<D2>)#ip address 20.20.20.1 255.255.255.0
The following command defines interesting packets for the dial out trigger by configuring access list 101 to pass all Type 8 source and de...
Page 248 - Node B Configuration
Configuring DoD/BoD 10-26 Configuring Dialer Services
XSR(config)#interface dialer 1
XSR(config-if<D1>)#no shutdown
XSR(config-if<D1>)#dialer pool 25
XSR(config-if<D1>)#encapsulation ppp
XSR(config-if<D1>)#dialer idle-timeout 35
XSR(config-if<D1>)#dialer-group 3
XSR(config-if...
Page 249 - Dial-in Routing for Dial on Demand Example; Dial-out Routing for Dial on Demand Example
Configuring DoD/BoD XSR User’s Guide 10-27 Figure 10-12 Point-to-Point Topology
Dial-in Routing for Dial on Demand Example
The following commands configure dialer interface 1:
XSR(config)#interface dialer 1
XSR(config-if<D1>)#encapsulation ppp
XSR(config-if<D1>)#ip address 172.22.85.1
XSR(...
Page 251 - Dial-out Router Example; Dial-in Router Example
Configuring DoD/BoD XSR User’s Guide 10-29 Dial-out Router Example The following commands add a dialer pool and dialer group, specify a secret password to be sent to the peer for PAP authentication, and specify three MLPPP call destinations - XSR-Andover, XSR-Boston and XSR-Buffalo - on XSR-Toronto’...
Page 256 - MLPPP Multipoint-to-Multipoint Configuration
Configuring DoD/BoD 10-34 Configuring Dialer Services The following command defines interesting packets for the dial out trigger by configuring ACL 101 to pass all Type 8 source and destination ICMP packets: XSR(config)#access-list 101 permit icmp any any 8 Dial-in Router Example The following comma...
Page 257 - Switched PPP Multilink Configuration; Figure 10-16 MLPPP Bandwidth on Demand Topology
Switched PPP Multilink Configuration XSR User’s Guide 10-35 XSR(config)#access-list 101 permit icmp any any 8 The following command maps ACL 101 to dialer group 3: XSR(config)#dialer-list 3 protocol ip list 101 Node B Configuration The following commands add a dialer pool member and set the Central ...
Page 259 - Backup Configuration; Backup Using ISDN; Figure 10-17 Backup Topology Using ISDN
Backup Configuration XSR User’s Guide 10-37 Backup Configuration Backup Using ISDN This example configures ISDN NIM cards (either BRI or T1/E1 configured for PRI) to be used for backing-up other interfaces, as shown in Figure 10-17 . Figure 10-17 Backup Topology Using ISDN Node A (Backed-up Node) Co...
Page 261 - Configuration for Backup with MLPPP Bundle
Backup Configuration XSR User’s Guide 10-39
XSR(config-if<D2>)#no shutdown
XSR(config-if<D2>)#dialer pool 28
XSR(config-if<D2>)#encapsulation ppp
XSR(config-if<D2>)#dialer called 2501
XSR(config-if<D2>)#ip address 20.20.20.3 255.255.255.0
The following command configures Se...
Page 262 - Configuration for Ethernet Failover
Backup Configuration 10-40 Configuring Dialer Services
XSR(config-if<S2/0:0>)#backup interface dialer1
XSR(config-if<S2/0:0>)#encapsulation ppp
XSR(config-if<S2/0:0>)#ip address 30.30.30.1 255.255.255.0
Node C (Called Node) Configuration
The following commands configure two channel g...
Page 263 - Configuration for Frame Relay Encapsulation
Backup Configuration XSR User’s Guide 10-41 Configuration for Frame Relay Encapsulation This backup dial-out example configures FR encapsulation and typical call parameters (dial pool, dial string, dial class) on parent Dialer interface 20 while setting the DLCI and IP address on Dialer sub-interfac...
Page 265 - Configuring Integrated Services Digital Network; ISDN Features
XSR User’s Guide 11-1 11 Configuring Integrated Services Digital Network This chapter outlines how to configure the Integrated Services Digital Network (ISDN) Protocol on the XSR in the following sections: • XSR ISDN features • Understanding ISDN • ISDN configuration topology – BRI – PRI – Leased li...
Page 266 - BRI Features; Understanding ISDN
Understanding ISDN 11-2 Configuring Integrated Services Digital Network BRI Features • Circuit Mode Data (CMD): Channels (DS0s or B’s) are switched by the CO to the destination user for the duration of the call. – Outgoing calls supported for Backup, DoD/BoD. – Incoming calls routed to the correct p...
Page 267 - Basic Rate Interface; Primary Rate Interface
Understanding ISDN XSR User’s Guide 11-3 which provides access to 23 B-channels in North America and Japan and 30 B-channels in Europe and most of Asia, and a 64 Kbps D-channel in both. Basic Rate Interface The XSR’s BRI NIM provides two BRI ports. Each port has two 64 Kbps B-channels and one 16 Kbp...
Page 268 - D-Channel Signaling and Carrier Networks; ISDN Equipment Configurations
Understanding ISDN 11-4 Configuring Integrated Services Digital Network D-Channel Standards The XSR supports several D-channel standards, which are enabled with the isdn switch-type command. The accepted standards and some associated switches are: • Europe/ International: basic-net3 for BRI and prim...
Page 269 - Bandwidth Optimization; Security
Understanding ISDN XSR User’s Guide 11-5 reference point represents the customer premises’ wiring. S/T is a point-to-multipoint wiring configuration, that is, the NTI can be connected to as many as eight TEs that contend for the two B channels. Most XSR applications are critical and require point-to...
Page 270 - Call Monitoring; Trace Decoding
Understanding ISDN 11-6 Configuring Integrated Services Digital Network Call Monitoring Call monitoring is also a vital element of the XSR’s ISDN service. Call monitoring features are useful in terms of security, but also enable tracking of call volume and logging of all connections so that adminis...
Page 271 - Reference Parameters
Understanding ISDN XSR User’s Guide 11-7 Rx ISDN-BRI 1/0 03:13:47:676 Q921 UI p 0 sapi 63 tei 127 c/r 1 • + 2nd line: info:0F 00 00 06 FF Tx ISDN-BRI 1/0 03:13:52:601 Q921 INFO p 0 nr 0 ns 0 sapi 0 tei 64 c/r0info:08 00 7B 3A 07 32 38 30 30 35 35 35 Tx ISDN-BRI 1/0 03:13:52:556 Q921 SABME p 1 sapi 0...
Page 272 - Message # Message Type
Understanding ISDN 11-8 Configuring Integrated Services Digital Network – + Next line: 04 Bearer capability 8890 18 Channel Id. 816C Calling number N0:280070 Called number N0:2500 The succeeding section lists all message types and IEs the XSR displays. All unsupported message types and IEs are marke...
Page 273 - Decoded IEs; Terminal Endpoint Identifier (TEI) Management Procedures; ISDN Configuration
ISDN Configuration XSR User’s Guide 11-9 Decoded IEs Only IEs referring to data calls are supported and decoded by the XSR, as shown in the following examples. Those IEs used for voice calls and supplementary services are not applicable. • Called party number: 70 Called number N0:2500 • Calling part...
Page 275 - Switched BRI Configuration Model; XS
ISDN Configuration XSR User’s Guide 11-11 Figure 11-1 . Switched BRI Configuration Model The following example adds a dialer pool and group, and two phone numbers to the called node’s Dialer 0 port. It also configures a second dialer pool and group, a Multilink PPP line to four B channels on the Dia...
Page 276 - PRI Configuration Model
ISDN Configuration 11-12 Configuring Integrated Services Digital Network
XSR(config)#interface dialer 1
XSR(config-if<D1>)#ip address 2.2.2.2 255.255.255.0
XSR(config-if<D0>)#encapsulation ppp
XSR(config-if<D0>)#ppp multilink
XSR(config-if<D0>)#dialer map ip 192.168.1.10 name HOM...
Page 278 - Leased-Line Configuration Model; Figure 11-3 BRI Leased Line Application; IP
ISDN Configuration 11-14 Configuring Integrated Services Digital Network Be aware that the isdn bchan-number-order command forces the PRI interface to make outgoing calls in ascending or descending order. The command is recommended only if your service provider requests it to lessen the chance of ca...
Page 279 - More Configuration Examples; ISDN BRI
More Configuration Examples XSR User’s Guide 11-15
XSR(config-if<BRI-1/1:2>)#ip address 1.1.1.3 255.255.255.0
XSR(config-if<BRI-1/1:2>)#encapsulation frame relay
The following commands add a third, bundled B1/B2 line on BRI interface 0/1/1 and another lease line on BRI channel 0/1/2:1 wit...
Page 280 - BRI Leased Line; BRI Leased PPP; Table 11-2 Call Status Cause Codes
ISDN (ITU Standard Q.931) Call Status Cause Codes 11-16 Configuring Integrated Services Digital Network
XSR(config-if<BRI-1/1>)#no shutdown
XSR(config-if<BRI-1/1>)#dialer pool-member 1 priority 1
BRI Leased Line
The following example configures a leased-line BRI connection:
XSR(config)#in...
Page 282 - Code
ISDN (ITU Standard Q.931) Call Status Cause Codes 11-18 Configuring Integrated Services Digital Network 54 Incoming calls barred 55 Incoming calls barred within CUG 56 Call waiting not subscribed 57 Bearer capability not authorized 58 Bearer capability not presently available 63 Service or option no...
Page 283 - Configuring Quality of Service
XSR User’s Guide 12-1 12 Configuring Quality of Service Overview In a typical network, there are often many users and applications competing for limited system and network resources. While resource sharing on a first-come, first-serve basis may suffice when your network load is light, access can fre...
Page 284 - Mechanisms Providing QoS; Traffic Classification; Table 12-1 Traffic Classification
Mechanisms Providing QoS 12-2 Configuring Quality of Service • QoS on the dialer interfaces is directly applied to the dialer interface and inherited by the dial pool members (Serial or ISDN). • QoS on MLPPP interfaces. • QoS on point-to-point and point-to-multi-point VPN interfaces. • Control over ...
Page 285 - Describing the Class Map; Describing the Policy Map; bandwidth
Mechanisms Providing QoS XSR User’s Guide 12-3 features in the traffic policy determine how to treat the classified traffic. Traffic policy cannot be applied to multilink PPP interfaces at this time. You must perform three steps to configure a class-based classifier: 1. Define a traffic class with t...
Page 286 - Queuing and Services; Describing Class-Based Weight Fair Queuing
Mechanisms Providing QoS 12-4 Configuring Quality of Service • The priority command assigns traffic from this class a Priority Queue (PQ) and sets the parameter for the queue. Priority queues provide guaranteed bandwidth - they always receive the bandwidth requested. Priority class is not allowed to...
Page 287 - Configuring CBWFQ; Measuring Bandwidth Utilization
Mechanisms Providing QoS XSR User’s Guide 12-5 Configuring CBWFQ CBWFQ is configured using the bandwidth command. It provides a minimum bandwidth guarantee during congestion. For example, policy-map keyser guarantees 30 percent of the bandwidth to class sosay and 60 percent of the bandwidth to class...
Page 288 - Describing Traffic Policing; Configuring Traffic Policing
Mechanisms Providing QoS 12-6 Configuring Quality of Service excess bandwidth may be used by CBWFQ. A rule of thumb for configuring PQs is to assign time-sensitive traffic (voice and video) to PQs and other types (e.g., Telnet) to fair queues. Any traffic you do not specially assign (e.g., Email) is...
Page 289 - Class-based Traffic Shaping
Mechanisms Providing QoS XSR User’s Guide 12-7 This is how the policer works. It maintains two token buckets, one holding tokens for normal burst and the other for excess burst. The policing algorithm handles token refilling and burst checking. Token buckets are refilled every time a new packet arri...
Page 290 - Traffic Shaping per Policy-Map
Mechanisms Providing QoS 12-8 Configuring Quality of Service Class-based traffic shaping can be configured on any class and applied to any data path (interface or DLCI) with the shape command. In order to do so, you must define a traffic policy and within that policy apply traffic shaping to a class...
Page 291 - Differences Between Traffic Policing and Traffic Shaping; Traffic Shaping and Queue Limit
Mechanisms Providing QoS XSR User’s Guide 12-9
XSR(config-pmap-c<d32>)#exit
XSR(config-pmap<cbts>)#class foo
XSR(config-pmap-c<foo>)#shape 38400 15440
XSR(config-pmap-c<foo>)#bandwidth per 30
XSR(config-pmap-c<foo>)#exit
XSR(config-pmap<cbts>)#class class-default
XSR(co...
Page 292 - Congestion Control & Avoidance; Describing Queue Size Control (Drop Tail); Describing Random Early Detection
Mechanisms Providing QoS 12-10 Configuring Quality of Service queue-limit value for the queue size. Be aware that by setting the queue size smaller than the shaper burst, shape will not be able to achieve the configured average rate. When the queue-limit command is not invoked, queue size is determi...
Page 293 - Figure 12-1 RED Drop Probability Calculation; Describing Weighted Random Early Detection; Drop
Mechanisms Providing QoS XSR User’s Guide 12-11 Figure 12-1 RED Drop Probability Calculation In the following example, class bus has a minimum threshold of 460. RED will start to randomly (with a probability between 0 and 1/10) discard packets when its queue grows over 460 packets. It will start to ...
Page 294 - Configuration per Interface
Mechanisms Providing QoS 12-12 Configuring Quality of Service WRED. Traffic marked with a lower drop probability is assigned a higher MaxP , and bigger thresholds for MinTh and MaxTh than traffic marked with DSCP values having a higher drop level. Because higher drop DSCPs have a lower MinTh , as th...
Page 295 - Suggestions for Using QoS on the XSR; QoS and Link Fragmentation and Interleaving (LFI); Configuring QoS with MLPPP Multi-Class
QoS and Link Fragmentation and Interleaving (LFI) XSR User’s Guide 12-13 the dialer interface is pushed to the bound serial and, when disconnected, is removed from the serial port. Refer to “Configuring PPP” on page 8-1. Suggestions for Using QoS on the XSR The XSR supports QoS on all interfaces but yo...
Page 296 - Configuring QoS with FRF.12; Figure 12-2 Priority Information within VLAN 802.1q Header
QoS with VLAN 12-14 Configuring Quality of Service QoS with MLPPP multi-class regulates the output queue in such a way that, ideally, there is at most one non-priority packet in front of the priority packet so the greatest latency that latency-sensitive packets experience is never bigger than the fr...
Page 297 - Describing VLAN QoS Packet Flow; VLAN Packet with Priority Routed out a Serial Interface
QoS with VLAN XSR User’s Guide 12-15 Describing VLAN QoS Packet Flow The following scenarios illustrate how prioritized VLAN and non-VLAN packets behave across XSR interfaces with VLAN and QoS configured and include minimal CLI commands. VLAN Packet with Priority Routed out a Fast/GigabitEthernet In...
Page 298 - Non-VLAN IP Packet Routed Out a Fast/GigabitEthernet Interface; QoS with VLAN Configuration Process
QoS with VLAN 12-16 Configuring Quality of Service Figure 12-4 LAN/QoS Serial Scenario Non-VLAN IP Packet Routed Out a Fast/GigabitEthernet Interface In this scenario, shown in Figure 12-5 , the policy map setCos4 is applied to the output interface FastEthernet 1.1. Since the input IP DSCP was 46 it...
Page 299 - QoS on Input; QoS on VPN
QoS on Input XSR User’s Guide 12-17 Priority levels range from 0 (lowest) to 7. 6. Create a traffic policy. policy-map <policy-map-name> 7. Optional . Mark the IEEE 802.1 priority in the output VLAN header. set cos <0 - 7> 8. Attach the service policy to the input or output interface. in...
Page 300 - QoS over VPN Features; crypto isamp peer; Configuring QoS on a Physical Interface
QoS on VPN 12-18 Configuring Quality of Service The XSR offers you two choices in applying QoS service policy: • before encryption on the VPN tunnel ( virtual VPN) interface or, • after encryption on the underlying physical interface. Copying of the ToS byte brings into play security concerns you mu...
Page 301 - QoS on a Virtual Interface Example
QoS on VPN XSR User’s Guide 12-19 outer header. In this scenario, all QoS-related parameters are attached to the VPN interface. Note that the VPN interface is a virtual interface without any bandwidth attached to it so certain QoS operations may not be applied here, namely, scheduling packets. But, ...
Page 302 - Figure 12-6 QoS on a Virtual Interface Example
QoS on VPN 12-20 Configuring Quality of Service Figure 12-6 QoS on a Virtual Interface Example The following commands configure Ser and Vpn policy maps on the XSR Remote 1 as shown in Figure 12-7 . XSR Central configuration is not described. Configure the QoS Class Maps RTP and FTP matched to ACLs 1...
Page 304 - QoS and VPN Interaction; route
QoS on VPN 12-22 Configuring Quality of Service
XSR(config)#interface vpn 1
XSR(config-int-vpn)#ip address 20.20.20.1/24
XSR(config-int-vpn)#copy-tos
XSR(config-int-vpn)#service-policy output vpn
XSR(config-tms-tunnel)#tunnel t1
XSR(config-tms-tunnel)#set protocol gre
XSR(config-tms-tunnel)#set peer 10.10...
Page 305 - Configuring the Shaper on the VPN Interface; Table 12-3 Overhead on IPSec Tunnels
QoS on VPN XSR User’s Guide 12-23 This situation can cause unexpected results when QoS is applied to VPN interfaces. If the rate of traffic traversing the VPN interface is higher than the physical interface bandwidth, packets are dropped after they are sent from the VPN interface. Due to this, QoS s...
Page 306 - QoS Policy Configuration Examples; Simple QoS on Physical Interface Policy
QoS Policy Configuration Examples 12-24 Configuring Quality of Service As an example, tunnels with ESP and 3DES encoding will add 44 bytes (or more) overhead. Padding for 3DES may add eight more bytes. Calculate the shaper rate with this formula: ShaperRate = LineRate * ( 1 - OverHead/(OverHead +Avg...
Page 307 - QoS for Frame Relay Policy
QoS Policy Configuration Examples XSR User’s Guide 12-25
XSR(config-pmap-c<class1>)#queue-limit 40
XSR(config-pmap-c<class1>)#exit
XSR(config-pmap<policy1>)#class class2
XSR(config-pmap-c<class2>)#bandwidth 300
XSR(config-pmap-c<class2>)#random-detect 34 56 3
XSR(config-pmap...
Page 308 - QoS with MLPPP Multi-Class Policy
QoS Policy Configuration Examples 12-26 Configuring Quality of Service
Create a policy map consisting of one or more traffic classes and specify QoS characteristics for each traffic class:
XSR(config)#policy-map frame1
XSR(config-pmap<frame1>)#class voice
XSR(config-pmap-c<voice>)#priority...
Page 309 - QoS with FRF.12 Policy
QoS Policy Configuration Examples XSR User’s Guide 12-27
XSR(config-pmap<QoS-Policy>)#class VoIP-RTP
XSR(config-pmap-c<class VoIP-RTP>)#priority high 100
XSR(config-pmap-c<class VoIP-RTP>)#class FTP
XSR(config-pmap-c<class VoIP-RTP>)#bandwidth per 30
XSR(config)#access-list 101 ...
Page 310 - QoS with VLAN Policy; Input and Output QoS Policy
QoS Policy Configuration Examples 12-28 Configuring Quality of Service
XSR(config)#map-class frame-relay VoIP
XSR(config-map-class<VoIP>)#frame-relay cir out 256000
XSR(config-map-class<VoIP>)#frame-relay bc out 25600
XSR(config-map-class<VoIP>)#frame-relay be out 0
XSR(config-map-clas...
Page 311 - Input QoS on Ingress to the Diffserv Domain Policy
QoS Policy Configuration Examples XSR User’s Guide 12-29
XSR(config)#interface multilink 1
XSR(config-if<M1>)#service-policy input InOut
XSR(config-if<M1>)#exit
XSR(config)#interface fastethernet 1
XSR(config-if<F1>)#service-policy output InOut
Input QoS on Ingress to the Diffserv Dom...
Page 313 - Configuring ADSL
XSR User’s Guide 13-1 13 Configuring ADSL This chapter details the background, features, implementation and configuration of Asymmetric Digital Subscriber Line (ADSL) on the XSR. Overview ADSL (Asymmetric Digital Subscriber Line) is a technology for transmitting digital information at a high bandwid...
Page 314 - Figure 13-1 RFC Encapsulation Layers; PDU Encapsulation Choices; PPP over ATM
Features 13-2 Configuring ADSL Figure 13-1 RFC Encapsulation Layers PDU Encapsulation Choices The XSR’s Protocol Data Unit (PDU) encapsulation choices are described and illustrated as follows. PPP over ATM The XSR’s PPPoA option, as defined by RFC-2364, supports the following features. The router in...
Page 315 - Figure 13-2 PPPoA Network Diagram
Features XSR User’s Guide 13-3 Figure 13-2 PPPoA Network Diagram This implementation is restricted as follows: • Maximum MTU of 1500 bytes • ATM SVCs are not supported • Frame Relay/ATM internetworking (per FRF.8) is not supported • PPP coding transitions - switching the method (VC-multiplexed PPP t...
Page 316 - Figure 13-3 PPPoE Network Diagram; Routed IP over ATM
Features 13-4 Configuring ADSL Figure 13-3 PPPoE Network Diagram The limitations of this configuration are as follows: • Maximum MTU of 1492 bytes • ARP is not supported • Other received bridged PDU types are silently discarded (802.4, 802.5, 802.6, FDDI) • Does not send (PID type 0x00-01) and ignor...
Page 317 - Figure 13-4 IP over ATM Network Diagram; ADSL Limitations; ADSL Hardware; NIM Card
Features XSR User’s Guide 13-5 Figure 13-4 IP over ATM Network Diagram Restrictions of this implementation are as follows: • Maximum MTU of 1500 bytes • NLPID-formatted routed IP version 4 PDUs over ATM PVCs are not supported • LLC-encapsulated bridge PDUs are not supported. Any bridged PDUs receive...
Page 318 - ADSL on the Motherboard; ADSL Data Framing
Features 13-6 Configuring ADSL ADSL on the Motherboard Two versions of ADSL are provided by the XSR Series 1200 routers: • Annex A over POTS on the XSR-1220 • Annex B over ISDN on the XSR-1235 DSP Firmware Digital Signal Processing (DSP) firmware, which the XSR’s onboard ADSL modem uses to communica...
Page 319 - OAM Cells; Performance Monitoring; Class of Service; DSLAM Compatibility
Features XSR User’s Guide 13-7 OAM Cells OAM cells are messages used to operate, administer, and maintain ATM networks. They provide in-band control functions for virtual circuits, including hop-by-hop and end-to-end functions such as path connectivity and delay measurement. Two distinct varieties e...
Page 320 - Inverse ARP; QoS; SNMP; PPPoE
Configuration Examples 13-8 Configuring ADSL Inverse ARP The XSR employs Inverse ARP as defined in RFC-1293 with modifications specified by RFC-2225 (Classical IP over ATM). Inverse ARP is supported for PVCs which are configured as Routed IPv4 circuits (per RFC-1483), using LLC/SNAP encapsulation. T...
Page 321 - PPPoA; command to your configuration.
Configuration Examples XSR User’s Guide 13-9 VCI values to those requested by the DSL provider. Notice that the Maximum Segment Size (MSS) is set to 1400 bytes for TCP SYN (synchronize) packets. Because a PC connected to a Fast/GigabitEthernet port may be unable to access Web sites if its MSS settin...
Page 322 - IPoA
Configuration Examples 13-10 Configuring ADSL
The following optional command configures a universal default route:
XSR(config)#ip route 0.0.0.0 0.0.0.0 atm 1/0.1
IPoA
Enter the following commands to configure an IPoA topology:
XSR(config)#interface ATM 1/0
XSR(config-if<ATM1/0>)#no shutdown
XSR(c...
Page 323 - Configuring the Virtual Private Network; VPN Overview; Internet Security Issues
XSR User’s Guide 14-1 14 Configuring the Virtual Private Network VPN Overview As it is most commonly defined, a Virtual Private Network (VPN) allows two or more private networks to be connected over a publicly accessed network. VPNs share some similarities with Wide Area Networks (WAN), but the key ...
Page 324 - How a Virtual Private Network Works
Ensuring VPN Security with IPSec/IKE/GRE 14-2 Configuring the Virtual Private Network • Encryption and decryption promote confidentiality by allowing two communicating parties to disguise information they share. The sender encrypts, or scrambles, data before sending it. The receiver decrypts, or uns...
Page 325 - Figure 14-1 Transport Mode Processing
Ensuring VPN Security with IPSec/IKE/GRE XSR User’s Guide 14-3 Since IPSec is the standard security protocol, the XSR can establish IPSec connections with third-node devices including routers as well as PCs. An IPSec tunnel basically acts as the network layer protecting all data packets that pass th...
Page 326 - Figure 14-2 Tunnel Mode Processing; GRE over IPSec
Ensuring VPN Security with IPSec/IKE/GRE 14-4 Configuring the Virtual Private Network Figure 14-2 Tunnel Mode Processing As shown above, AH authenticates the entire packet transmitted on the network whereas ESP only covers a portion of the packet transmitted (the higher layer data in transport mode ...
Page 327 - Defining VPN Encryption
Describing Public-Key Infrastructure (PKI) XSR User’s Guide 14-5 Defining VPN Encryption To ensure that the VPN is secure, limiting user access is only one piece of the puzzle; once the user is authenticated, the data itself needs to be protected as well. Without a mechanism to provide data privacy,...
Page 328 - Certificates; Machine Certificates for the XSR
Describing Public-Key Infrastructure (PKI) 14-6 Configuring the Virtual Private Network data. Instead of encrypting the data itself, the signing software creates a one-way hash of the data, then uses your private key to encrypt the hash. The encrypted hash, along with other information, such as the ...
Page 329 - CA Hierarchies; Figure 14-3 Sample Hierarchy of CAs; Certificate Chains
Describing Public-Key Infrastructure (PKI) XSR User’s Guide 14-7 CRL checking is not optional. CRLs are collected automatically by the XSR using information available in the IPSec and CA certificates it has already collected. Two methods are available to perform this collection: • HTTP Get issues an...
Page 330 - Figure 14-4 Certificate Chain Example; RA Mode
Describing Public-Key Infrastructure (PKI) 14-8 Configuring the Virtual Private Network Figure 14-4 Certificate Chain Example A certificate chain traces a path of certificates from a branch in the hierarchy to the root of the hierarchy. In a certificate chain, the following occurs: • Each certificat...
Page 331 - Pending Mode; DF Bit Functionality
DF Bit Functionality XSR User’s Guide 14-9 Pending Mode Once you have authenticated against the parent CA in your XSR certificate chain, you then enroll the XSR's IPSec client certificate against the CA using the SCEP enroll command. Depending on how your CA administrator has configured the CA, you ...
Page 332 - VPN Applications
VPN Applications 14-10 Configuring the Virtual Private Network This feature specifies whether the router can clear, set, or copy the DF bit in the encapsulating header. It is available only for IPSec tunnel mode - transport mode is not affected because it does not have an encapsulating IP header. ...
Page 333 - NAT Traversal; VPN tunnel
VPN Applications XSR User’s Guide 14-11 Site-to-Site Networks Site-to-site tunnels run as point-to-point links. They are useful when connecting geographically dispersed network segments where each segment contains servers and hosts. VPN tunnels play the role of point-to-point links and are transpare...
Page 334 - show crypto ipsec sa
VPN Applications 14-12 Configuring the Virtual Private Network If you filter traffic with ACLs, you will need to write an ACL similar to this example: access-list 101 permit udp any host 192.168.57.4 eq 4500. If you enable the XSR firewall, refer to “Configuring Security on the XSR” on page 16-1 f...
Page 335 - Remote Access Networks; Figure 14-7 VPN Remote Access Topology
VPN Applications XSR User’s Guide 14-13 the hosts on the private LAN. The XSR's internal NAT operates only on Layer-4 protocols such as TCP and UDP. NAT also employs a set of modules - Application Level Gateway (ALG) - processing non-UDP/TCP protocols such as ICMP and H323. Routing updates are unidi...
Page 336 - Using OSPF Over a VPN Network; OSPF Commands; Configuring OSPF Over Site-to-Central Site in Client Mode
VPN Applications 14-14 Configuring the Virtual Private Network behind the XSR. After a tunnel has been built, the XSR may advertise routing information about the corporate network to the client. Authentication can be performed in several ways depending on the protocol used. For PPTP, authentication ...
Page 337 - INTERNET; Server; Client; To another client
VPN Applications XSR User’s Guide 14-15 From the server’s point of view, connected tunnels are point-to-multipoint links. The VPN interface serving as the server’s tunnel endpoint must be a point-to-multipoint interface. Additionally, the server does not see segments behind the clients because in ...
Page 339 - Configuring OSPF with Fail Over (Redundancy); Server 1
VPN Applications XSR User’s Guide 14-17 The VPN interface on the server may terminate a mix of connections - some of which may be Client-type connections and others may be Network Extension connections. The following OSPF settings should be applied in this scenario: Server Apply the same settings as...
Page 340 - Figure 14-10 OSPF Used with Failover; Limitations; XSR VPN Features; Corporate network; Server 2; Segment is extension of corporate network
XSR VPN Features 14-18 Configuring the Virtual Private Network Server 2 Interfaces Fast/GigabitEthernet 1 and VPN 1 Client Interfaces Fast/GigabitEthernet 1, VPN 1 and VPN 2. Figure 14-10 OSPF Used with Failover Limitations Peer-to-Peer IPSec tunnels are configured without the VPN interface by apply...
Page 342 - VPN Configuration Overview; Master Encryption Key Generation
VPN Configuration Overview 14-20 Configuring the Virtual Private Network • Authentication, Authorization, and Accounting (AAA) support including AAA per interface (for clients), AAA for PPP, and AAA debugging • Dynamic Host Configuration Protocol (DHCP) support – DHCP Server • OSPF over VPN • DF Bit...
Page 343 - crypto key master generate; ACL Configuration Rules; Configuring ACLs
VPN Configuration Overview XSR User’s Guide 14-21 • Enter crypto key master generate in Global configuration mode. ACL Configuration Rules Consider a few general rules when configuring ACLs on the XSR: • Typically, two ACL sets are written, one to filter IPSec/IKE traffic (defined in crypto maps), a...
Page 345 - Security Policy Considerations; Configuring Policy
VPN Configuration Overview XSR User’s Guide 14-23 More than one IKE proposal can be specified on each node. When IKE negotiation begins, it seeks a common proposal on both peers with identical parameters. IKE policy is configured using the crypto isakmp peer command. Specified parameters are effecti...
Page 346 - Creating Crypto Maps; Configuring Crypto Maps
VPN Configuration Overview 14-24 Configuring the Virtual Private Network Configure IKE policy for the remote peer, assuming that two other IKE proposals (try2 and try3) have been configured:
XSR(config)#crypto isakmp peer 192.168.57.33/32
XSR(config-isakmp-peer)#proposal try1 try2 try3
XSR(config-is...
Page 347 - Authentication, Authorization and Accounting Configuration; Table 14-2 XSR-Supported RADIUS Attributes
VPN Configuration Overview XSR User’s Guide 14-25 Authentication, Authorization and Accounting Configuration The XSR’s AAA implementation handles all authentication, authorization and accounting of users (Remote Access) and peer gateways (Site-to-Site). The components include: • Usernames and passwo...
Page 348 - AAA Commands
VPN Configuration Overview 14-26 Configuring the Virtual Private Network AAA Commands The following XSR AAA commands are useful for VPN configuration: • Configure users and groups with aaa user and aaa group commands as well as the following sub-commands: – policy specifies SSH, Telnet, Firewa...
Page 349 - PKI Configuration Options
VPN Configuration Overview XSR User’s Guide 14-27
XSR(aaa-user)#aaa password ThISisMYShaREDsecRET
The following sample configuration creates user Jeremiah in the PromisedLand usergroup, with DNS, WINS and MPPE encryption, and assigns IP local pool remote_users for remote access:
XSR(config)#aaa gro...
Page 350 - Configuring PKI; PKI Certificate Enrollment Example
VPN Configuration Overview 14-28 Configuring the Virtual Private Network – crypto ca certificate chain – no certificate - The serial number can be found in: show crypto ca certificates • Remove CA identities and all associated CA and IPSec client certificates by entering no crypto ca identity <ca...
Page 353 - Interface VPN Options
VPN Configuration Overview XSR User’s Guide 14-31 Issuer: C=US, O=sml, CN=ldapca Valid From: 2002 Aug 5th, 12:40:46 GMT Valid To: 2004 Aug 5th, 12:48:15 GMT Subject: C=US, O=sml, CN=ldapca Fingerprint: D423E129 81904CE0 1E6D0FE0 A123A302 Certificate Size: 1157 bytes RA KeyEncipher Certificate - ldap...
Page 354 - VPN Interface Sub-Commands; Configuring a Simple VPN Site-to-Site Application; Central Site
Configuring a Simple VPN Site-to-Site Application 14-32 Configuring the Virtual Private Network VPN Interface Sub-Commands The following sub-commands are available at VPN Interface mode:
ip firewall + Set of commands to configure the firewall
ip address-negotiated + Sets the VPN interface’s IP addre...
Page 356 - Configuring the VPN Using EZ-IPSec
Configuring the VPN Using EZ-IPSec 14-34 Configuring the Virtual Private Network
XSR(config-crypto-m)#match address 140 + Applies map to ACL 140 and renders the ACL bi-directional
XSR(config-crypto-m)#set peer 1.1.1.2 + Attaches map to peer
XSR(config-crypto-m)#mode [tunnel | transport] + Selects IP...
Page 357 - EZ-IPSec Configuration
Configuring the VPN Using EZ-IPSec XSR User’s Guide 14-35 EZ-IPSec is invoked using the crypto ezipsec command in Interface mode to create a set of standard IPSec policies, relieving you of the complex manual process. It enables dynamic routing over an IPSec tunnel: • Via Client or Network Extension...
Page 358 - XSR with VPN - Central Gateway
Configuration Examples 14-36 Configuring the Virtual Private Network
XSR(config-tms-tunnel)#set peer 200.10.20.30 + Specifies the IP address of the remote peer
XSR(config-tms-tunnel)#set protocol ipsec network-extension-mode + Selects IPSec to initiate a NEM tunnel connection
Most of the parameters ...
Page 359 - Figure 14-12 EZ-IPSec Client, XP Client and Gateway Topology; Branch Office; Remote Access
Configuration Examples XSR User’s Guide 14-37 Figure 14-12 EZ-IPSec Client, XP Client and Gateway Topology Begin by setting the XSR system time via SNTP. This configuration is critical for XSRs which use time-sensitive certificates.
XSR(config)#sntp-client server 10.120.84.3
XSR(config)#sntp-client p...
Page 362 - GRE Tunnel for OSPF
Configuration Examples 14-40 Configuring the Virtual Private Network
XSR(config-if)#encapsulation ppp
XSR(config-if)#ip address negotiated
XSR(config-if)#ip mtu 1492
XSR(config-if)#ip nat source assigned overload
XSR(config-if)#ppp pap sent-username pezhmon password pezhmon
Configure the Network Extensi...
Page 366 - Cisco Configuration
Configuration Examples 14-44 Configuring the Virtual Private Network XSR/Cisco Site-to-Site Example The following Site-to-Site configuration connects a Cisco 2600 router with internal/external IP addresses of 192.168.3.5/192.168.2.5 to an XSR with internal/external IP addresses of 192.168.1.2/192.168...
Page 367 - XSR Configuration
Configuration Examples XSR User’s Guide 14-45
interface FastEthernet0/0
ip address 192.168.3.5 255.255.255.0
speed auto
half-duplex
no cdp enable
interface FastEthernet0/1
ip address 192.168.2.5 255.255.255.0
duplex auto
speed auto
no cdp enable
crypto map regular
ip classless
ip route 0.0.0.0 0.0.0.0 192.168...
Page 368 - Interoperability Profile for the XSR; Figure 14-13 Gateway-to Gateway with Pre-Shared Secrets Topology
Interoperability Profile for the XSR 14-46 Configuring the Virtual Private Network
XSR(config)#crypto ipsec transform-set esp-des-md5 esp-des esp-md5-hmac
XSR(cfg-crypto-tran)#set pfs group2
XSR(cfg-crypto-tran)#no set security-association life kilo
XSR(cfg-crypto-tran)#set security-association life se...
Page 371 - Figure 14-14 Gateway-to Gateway with Certificates Topology
Interoperability Profile for the XSR XSR User’s Guide 14-49 Scenario 2: Gateway-to-Gateway with Certificates The following is a typical gateway-to-gateway VPN that uses certificates for authentication, as illustrated in Figure 14-14. Figure 14-14 Gateway-to Gateway with Certificates Topology Gatewa...
Page 375 - Configuring DHCP; Overview of DHCP
XSR User’s Guide 15-1 15 Configuring DHCP Overview of DHCP The Dynamic Host Configuration Protocol (DHCP) allocates and delivers configuration values, including IP addresses, to Internet hosts. Consisting of two components, DHCP provides host-specific configuration parameters from a DHCP Server to a...
Page 376 - DHCP Server Standards; How DHCP Works
How DHCP Works 15-2 Configuring DHCP XSR User’s Guide • Provisioning of differentiated network values by Client Class. • Persistent and user-controllable conflict avoidance to prevent duplicate IP addresses, including configurable ping checking. • Visibility of DHCP network activity and leases through ...
Page 377 - DHCP Services; Persistent Storage of Network Parameters for Clients; Lease; Assigned Network Configuration Values to Clients: Options
DHCP Services XSR User’s Guide 15-3 client used a client ID when it got the lease, it will use the same identifier in the message. Alternately, when a lease is near expiration, the client tries to renew it. If unsuccessful in renewing by a certain period, the client enters a rebinding state and send...
Page 378 - Provisioning Differentiated Network Values by Client Class; Nested Scopes: IP Pool Subsets; Figure 15-1 DHCP Nested Scopes; Client Class
DHCP Services 15-4 Configuring DHCP XSR User’s Guide control data are carried in tagged data items which are stored in the options field of the DHCP message. The data items themselves, also called options, are enabled on the XSR by the options command specifying IP address, hex or ASCII string value...
Page 379 - Scope Caveat
DHCP Services XSR User’s Guide 15-5 When DHCP Server surveys its clients using the manual bindings of a client-identifier or hardware-address, and host address, it generally inherits attributes from an outer down to an inner scope. But, the DHCP Server will override outermost attributes when they a...
Page 380 - DHCP Client Services; Router Option; Parameter Request List Option; DHCP Client Interaction; Secondary Address Caveats
DHCP Client Services 15-6 Configuring DHCP XSR User’s Guide 4. Optionally, specify the client name using any standard ASCII character. Enter client-name <name>. The client name should not include the domain name. For example, the name acme should not be specified as acme.enterasys.com. DHCP ...
Page 381 - Interaction with Remote Auto Install (RAI); DHCP Client Timeouts; Table 15-3 FSM Timeouts
DHCP Client Services XSR User’s Guide 15-7 Primary and secondary IP addresses on the same interface are not permitted within the same subnet nor are they allowed within the same subnets already occupied by other interfaces. Also, the primary IP address must be configured before any secondary address...
Page 382 - DHCP CLI Commands
DHCP CLI Commands 15-8 Configuring DHCP XSR User’s Guide DHCP CLI Commands The XSR offers CLI commands to provide the following functionality: • DHCP Server address pool(s) with related parameters and DHCP options/vendor extensions. You can configure a DHCP address pool with a name that is a symboli...
Page 383 - DHCP Set Up Overview; Configuring DHCP Address Pools; Configuring DHCP - Network Configuration Parameters; Configuration Steps; Create an IP Local Client Pool
DHCP Set Up Overview XSR User’s Guide 15-9 addresses are offered to the client. Show ip dhcp server statistics is a useful catch-all command. Show ip local pool shows a list of active IP local pools, excluded and in use IP addresses. DHCP Set Up Overview Configuring DHCP Address Pools The DHCP Serve...
Page 384 - Create a Corresponding DHCP Pool
Configuration Steps 15-10 Configuring DHCP XSR User’s Guide 1. Add global pool local_clients including the starting IP address of the range and addresses that are unreachable to network clients:
XSR(config)#ip local pool local_clients 1.1.1.0/24
XSR(ip-local-pool)#exclude 1.1.1.249 6
Create a Corresp...
Page 385 - DHCP Server Configuration Examples; Pool with Hybrid Servers Example; Manual Binding with Class Example
DHCP Server Configuration Examples XSR User’s Guide 15-11 8. Add to the host scope by specifying the NetBIOS-node-type for this particular host: XSR(config-dhcp-host)#netbios-node-type h-node 9. Specify any numbered options. For example, setting DHCP option 28 specifies the broadcast address in use ...
Page 386 - BOOTP Client Support Example; DHCP Option Examples
DHCP Server Configuration Examples 15-12 Configuring DHCP XSR User’s Guide The domain name for this host is specified as indusriver.com (this will override enterasys.com specified for this pool, and ent.com specified for the class).
XSR(config)#ip local pool dpool 1.1.1.0/24
XSR(config)#ip dhcp pool ...
Page 387 - Configuring Security on the XSR
XSR User’s Guide 16-1 16 Configuring Security on the XSR This chapter describes the security options available on the XSR including the firewall feature set and methods to protect against hacker attacks. Features The following security features are supported on the XSR: • Standard and Extended Acces...
Page 388 - ACL Violations Alarm Example; Packet Filtering
Features 16-2 Configuring Security on the XSR To configure ACLs, you define them by number only, then apply them to an interface. Any number of entries can be defined in a single ACL and may actually conflict, but they are analyzed in the order in which they appear in the show access-lists command. I...
Page 389 - Fragmented ICMP Traffic
Features XSR User’s Guide 16-3 Smurf Attack A “smurf” attack involves an attacker sending ICMP echo requests from a falsified source (a spoofed address) to a directed broadcast address, causing all hosts on the target subnet to reply to the falsified source. By sending a continuous stream of such re...
Page 390 - Large ICMP Packets; Ping of Death Attack; Spurious State Transition; General Security Precautions
General Security Precautions 16-4 Configuring Security on the XSR Large ICMP Packets This protection is triggered for ICMP packets larger than a size you can configure. Such packets are dropped by the XSR if the protection is enabled with the HostDoS command. Ping of Death Attack This protection is ...
Page 391 - AAA Services
AAA Services XSR User’s Guide 16-5 • If you must enable PPP on the WAN, use CHAP authentication • Disable all unnecessary router services (e.g., HTTP, if not used) • Write strict ACLs to limit HTTP, Telnet and SNMP access • Write ACLs to limit the type of ICMP messages • Create ACLs to direct servic...
Page 392 - Connecting Remotely via SSH or Telnet with AAA Service; configure
AAA Services 16-6 Configuring Security on the XSR The method to perform AAA is configured globally by the aaa method command, which provides additional acct-port, address, attempts, auth-port, backup, client, enable, group, hash enable, key, qtimeout, retransmit, and timeout sub-commands...
Page 393 - Figure 16-7 PuTTY Exit Option
AAA Services XSR User’s Guide 16-7 2. Enter crypto key master generate to create a master key. 3. Enter crypto key dsa generate to create a host key pair on the XSR. When successful, this message will display: Keys are generated, new connections will use these keys for authentication 4. If you wish ...
Page 394 - Figure 16-8 PuTTY Alert Message
AAA Services 16-8 Configuring Security on the XSR Figure 16-8 PuTTY Alert Message 7. The SSH login screen will appear as shown in Figure 16-9. Log in with Admin and no password unless you created both values earlier. Figure 16-9 PuTTY Login Screen 8. Back on the CLI, enter session-timeout ssh <15...
Page 395 - Firewall Feature Set Overview; Reasons for Installing a Firewall
Firewall Feature Set Overview XSR User’s Guide 16-9 18. Optionally, if you want to tighten security on the XSR, enter ip ssh server disable to deactivate SSH. 19. Enter policy telnet to enable Telnet access for the new user. 20. Enter exit to quit AAA user mode. 21. Enter aaa client telnet to permit...
Page 396 - Figure 16-10 XSR Firewall Topology; Types of Firewalls; ACL and Packet Filter Firewalls
Firewall Feature Set Overview 16-10 Configuring Security on the XSR Figure 16-10 XSR Firewall Topology There are many possible network configurations for a firewall. The figure above shows a scenario with the firewall connected to the trusted network (internal) and servers that can be accessed exter...
Page 397 - ALG and Proxy Firewalls
Firewall Feature Set Overview XSR User’s Guide 16-11 and port numbers. These firewalls are scalable, easy to implement and widely deployed for simple Network layer filtering, but they suffer the following disadvantages: • Do not maintain states for an individual session nor track a session establish...
Page 398 - Stateful Inspection Firewalls; XSR Firewall Feature Set Functionality
XSR Firewall Feature Set Functionality 16-12 Configuring Security on the XSR Stateful Inspection Firewalls A stateful inspection firewall combines the aspects of other firewalls to filter packets at the network layer, determine whether session packets are legitimate and evaluate the payload of packe...
Page 399 - Application Level Commands; Application Level Gateway
XSR Firewall Feature Set Functionality XSR User’s Guide 16-13 Application Level Commands A special action option, Command Level Security (CLS), filters inter-protocol actions within several protocols. The CLS examines the message type produced by the application being filtered and either passes ...
Page 400 - On Board URL Filtering; Importing URL Lists from an ASCII File; Writing URL List Entries; Enabling URL Filtering in Firewall Policy
XSR Firewall Feature Set Functionality 16-14 Configuring Security on the XSR On Board URL Filtering This feature lets you block access to a list of Uniform Resource Locators (URLs) or limit access to certain approved sites. The XSR extracts the absolute URL from the Get and Host headers of the http...
Page 401 - Figure 16-11 Blocked Web Site Screen; Configuring URL Redirection; Denial of Service (DoS) Attack Protection
XSR Firewall Feature Set Functionality XSR User’s Guide 16-15 Figure 16-11 Blocked Web Site Screen You must include the re-direct URL in the white URL list when redirect URL is used with a white list, otherwise the XSR will enter an endless loop with the Web browser, performing re-direction to the s...
Page 402 - Alarm Logging
XSR Firewall Feature Set Functionality 16-16 Configuring Security on the XSR against the routing table. If a packet is received from an interface with a source IP address that is not routable through this interface, it is considered spoofed and dropped. A high priority log is generated when DoS atta...
Page 403 - Figure 16-12 Authentication Process; DMZ
XSR Firewall Feature Set Functionality XSR User’s Guide 16-17 • Flooding attacks (TCP, UDP, ICMP) logs • Firewall start and restart • Failures (out of memory) A sample Web access (port 80) permit alarm, which logs at level 4, displays: FW: Permit: Port-2, Out TCP Con_Req, 10.10.10.10(1042) -> 192...
Page 404 - Firewall and NAT; Firewall and VPN
XSR Firewall Feature Set Functionality 16-18 Configuring Security on the XSR Figure 16-12 illustrates the process by which a user accesses a server after authentication by the XSR firewall, as explained below: 1. A user Telnets to the firewall presenting a name and password. 2. The XSR’s AAA functio...
Page 405 - Firewall CLI Commands
Firewall CLI Commands XSR User’s Guide 16-19 Firewall CLI Commands The XSR provides configuration objects which, used in policy rules, can be specified at the CLI. These and other firewall commands are as follows: • Network - Identifies a network or host. A network with a subnet address or a host w...
Page 407 - Figure 16-13 Sample Telnet Screen
Firewall CLI Commands XSR User’s Guide 16-21 • Event Logging - Defines the event threshold for firewall values logged to the Console or Syslog with ip firewall logging. You can set eight severity levels ranging from 0 for emergency alarms down to 7 which cumulatively logs all firewall messages thro...
Page 408 - Firewall Limitations
Firewall Limitations 16-22 Configuring Security on the XSR Firewall Limitations Consider the following caveats regarding firewall operations: • Gating Rules - Internal XSR gating rules, which order traffic filtering, are stored in a temporary file in Flash. Because one gating rule exists for each ne...
Page 409 - Pre-configuring the Firewall; Steps to Configure the Firewall
Pre-configuring the Firewall XSR User’s Guide 16-23 cache will not automatically switch over. If the firewall is enabled on a slave router, then all sessions would have to be re-established. You would have to re-authenticate users for access to authentication-protected servers. • Load Sharing - If t...
Page 410 - XSR with Firewall
Configuration Examples 16-24 Configuring Security on the XSR – Multicast or broadcast filtering for routing and communications protocol filtering • Perform a trial or delayed load to check for configuration errors • Load the configuration in the firewall engine • Enable or disable the firewall: – Sy...
Page 411 - Figure 16-14 XSR with Firewall Topology; Mail server
Configuration Examples XSR User’s Guide 16-25 Figure 16-14 XSR with Firewall Topology Begin by configuring network objects for private, dmz and Mgmt networks:
XSR(config)#ip firewall network dmz 220.150.2.16 mask 255.255.255.240 internal
XSR(config)#ip firewall network private 220.150.2.32 mask 255....
Page 412 - XSR with Firewall, PPPoE and DHCP
Configuration Examples 16-26 Configuring Security on the XSR
XSR(config)#interface fastethernet 2
XSR(config-if<F2>)#ip address 220.150.2.17 255.255.255.0
XSR(config-if<F1>)#no shutdown
XSR(config)#interface serial 1/0:0
XSR(config-if<S1/0:0>)#ip address 206.12.44.16/24
XSR(config-if&l...
Page 414 - Figure 16-16 XSR Firewall, VPN and OSPF Topology
Configuration Examples 16-28 Configuring Security on the XSR – Terminate Network Extension Mode (NEM) and Client mode tunnels – Terminate remote access L2TP/IPSec tunnels – Terminate PPTP remote access tunnels – Firewall inspection on the public VPN interface (the crypto map interface) – Firewall in...
Page 419 - Firewall Configuration for VRRP
Configuration Examples XSR User’s Guide 16-33 Load the firewall configuration: XSR(config)#ip firewall load Globally enable the firewall. Even though you have configured and loaded the firewall, only invoking the following command “turns on” the firewall. Once enabled, if you are remotely connected,...
Page 420 - Configuring Simple Security
Configuration Examples 16-34 Configuring Security on the XSR
XSR(config)#ip firewall policy radius internal internal Radius allow bidirectional
XSR(config)#ip firewall policy RADacct internal internal Radius_ACCT allow bidirectional
Configuring Simple Security This configuration offers simple protect...
Page 421 - RPC Policy Configuration
Configuration Examples XSR User’s Guide 16-35 RPC Policy Configuration The following configuration creates policies which permit TCP RPC-based applications to flow from a Branch to Corporate network. You can use the keyword bidirectional if you expect the branch network to also have RPC-based servic...
Page 423 - and Standard ASCII Table; Recommended System Limits; Table A-4 XSR Limits
XSR User’s Guide A-1 A Alarms/Events, System Limits, and Standard ASCII Table This appendix describes the configuration and memory limits of the XSR as well as system High, Medium and Low severity, firewall and NAT (separately described on page A-14) alarms and events captured by the router. Recomm...
Page 425 - System Alarms and Events; red; Table A-5 Alarm Behavior
System Alarms and Events XSR User’s Guide A-3 System Alarms and Events The XSR exhibits the following logging behavior for all except firewall and NAT alarms: Refer to the following table for all High severity alarms and events reported by the XSR. All of the following messages are USER_LEVEL facili...
Page 436 - Firewall and NAT Alarms and Reports; Table A-9 Firewall and NAT Alarms
Firewall and NAT Alarms and Reports A-14 Alarms/Events, System Limits, and Standard ASCII Table Firewall and NAT Alarms and Reports The XSR reports logging messages for firewall and NAT functionality as listed below. Low system-level logging messages are classified at Levels 4 or 6 while Medium syst...
Page 441 - Standard ASCII Character Table; Figure A-17 Standard ASCII Character Table
Standard ASCII Character Table XSR User’s Guide A-19 Standard ASCII Character Table The following table displays standard ASCII characters for referencing SNMP conventions found in “ Configuration Examples ” on page 2-41. Figure A-17 Standard ASCII Character Table 4 - WARNING TCP connection closed %...
Page 443 - Service Level Reporting MIB Tables; etsysSrvcLvlMetricTable
XSR User’s Guide B-1 B XSR SNMP Proprietary and Associated Standard MIBs This appendix lists and describes XSR-supported SNMP tables and objects for the following standard (partial listing) and proprietary MIBS: • “Service Level Reporting MIB Tables” (page B-1) • “BGP v4 MIB Tables” (page B-5) • “Fi...
Page 444 - etsysSrvcLvlOwnerTable; monitor; etsysSrvcLvlHistoryTable
Service Level Reporting MIB Tables B-2 XSR SNMP Proprietary and Associated Standard MIBs etsysSrvcLvlOwnerTable A management entity interested in creating and activating remote SLA measurements must previously be registered in the Service Level Owners Table which contains owner's contact information...
Page 445 - etsysSrvcLvlNetMeasureTable
Service Level Reporting MIB Tables XSR User’s Guide B-3 etsysSrvcLvlNetMeasureTable Entries in the Service Level Network Measurement Table display several metric measurements per packet exchange. Each measurement step produces a single result per metric with measurement intervals and metrics saved i...
Page 446 - etsysSrvcLvlAggrMeasureTable
Service Level Reporting MIB Tables B-4 XSR SNMP Proprietary and Associated Standard MIBs etsysSrvcLvlAggrMeasureTable Entries in the Service Level Aggregate Measurement Table display several metric measurements per packet exchange. Each step of the measurement produces a single result with the inter...
Page 447 - BGP v4 MIB Tables; General Variables Table
BGP v4 MIB Tables XSR User’s Guide B-5 BGP v4 MIB Tables The XSR supports the following BGP v4 tables, whose fields are described in the following pages: • General Variables • Peer Table • Received Path Attribute Table • Traps General Variables Table BGP v4 Peer Table etsysSrvcLvlAggrMeasureHistoryO...
Page 448 - Field
BGP v4 MIB Tables B-6 XSR SNMP Proprietary and Associated Standard MIBs bgpPeerAdminStatus The desired state of the BGP connection. A transition from stop to start will cause the BGP Start Event to be generated. A transition from start to stop will cause the BGP Stop Event to be generated. This valu...
Page 449 - BGP-4 Received Path Attribute Table; Table B-17 BGP-4 Received Path Attribute Table
BGP v4 MIB Tables XSR User’s Guide B-7 BGP-4 Received Path Attribute Table bgpPeerKeepAlive Interval for the KeepAlive timer established with the peer, range: 1-21845 seconds. The value is calculated by this BGP speaker such that, when compared with bgpPeerHoldTime, it has the same proportion as bg...
Page 451 - Firewall MIB Tables; Global Interface Operations; Table B-19 Configuration Objects
Firewall MIB Tables XSR User’s Guide B-9 Firewall MIB Tables The firewall MIB contains the following tables, most of which are detailed in this section: Firewall on Interface Group, Interface to Policy Group, Group Policy, Policy Rule Definition, Authentication Group, Network in Network Group, Netwo...
Page 452 - Monitoring Objects; Policy Rule Table Totals Counters; Policy Rule True Table; Session Totals Counters
Firewall MIB Tables B-10 XSR SNMP Proprietary and Associated Standard MIBs Monitoring Objects This section describes counters and statistics that are available to SNMP from the firewall. All fields are read-only and cannot be modified. The XSR supports SNMP gets only for these objects. Policy Rule T...
Page 453 - IP Session Counters; IP Session Table; Authenticated Address Counters; Authenticated Addresses Table
Firewall MIB Tables XSR User’s Guide B-11 IP Session Counters These counters track the activities of IP sessions. IP Session Table This table contains information about each active IP session. Authenticated Address Counters This table provides a summary of the authentication activity. Authenticated ...
Page 454 - DOS Attacks Blocked Counters; VPN MIB Tables
VPN MIB Tables B-12 XSR SNMP Proprietary and Associated Standard MIBs DOS Attacks Blocked Counters These elements reflect the DOS attack summaries stored in the firewall. DOS Attacks Blocked Table These elements reflect the hits against DOS attack types recognized by the firewall. VPN MIB Tables The...
Page 455 - etsysVpnIkePeer Table
VPN MIB Tables XSR User’s Guide B-13 • etsysVpnIpsecProposalTable • etsysVpnIpsecPropTransformsTable • etsysVpnAhTransformTable • etsysVpnEspTransformTable • etsysVpnIpcompTransformTable • ospfIfTable • rip2IfConfTable • ipCidrRouteTable for Static Routes etsysVpnIkePeer Table This table is used to ...
Page 456 - etsysVpnIkeProposal Table; etsysVpnIpsecPolicy Table; etsysVpnIntfPolicy Table
VPN MIB Tables B-14 XSR SNMP Proprietary and Associated Standard MIBs etsysVpnIkeProposal Table This table contains the IKE proposals used during IKE negotiation. The named row is equivalent to the crypto isakmp proposal CLI command. The table index is { etsysVpnIkePropName }, which is the name refe...
Page 457 - etsysVpnIpsecPolicyRule Table
VPN MIB Tables XSR User’s Guide B-15 etsysVpnIpsecPolicyRule Table This table defines the IPSec policy rules. The table index is { etsysVpnIpsecPolicyName , etsysVpnPolRulePriority }. etsysVpnIpsecPolProposals Table This table links IPSec proposals in the etsysVpnIpsecProposalTable with IPSec policy...
Page 458 - etsysVpnIpsecProposal Table; etsysVpnIpsecPropTransforms Table; etsysVpnAhTransform Table
VPN MIB Tables B-16 XSR SNMP Proprietary and Associated Standard MIBs etsysVpnIpsecProposal Table This table contains the IPSec proposals. The table index is { etsysVpnIpsecPropName }. etsysVpnIpsecPropTransforms Table This table aggregates transforms from the ipspAhTransformTable , ipspEspTransform...
Page 459 - etsysVpnEspTransform Table; etsysVpnIpcompTransform Table
VPN MIB Tables XSR User’s Guide B-17 etsysVpnEspTransform Table This table lists all the ESP transforms created by adding ESP rows to the etsysVpnIpsecPropTransformsTable . The table also contains read-only rows for XSR EZ-IPSec transforms. The table index is { etsysVpnEspTranName }. etsysVpnIpcompT...
Page 460 - ipCidrRouteTable for Static Routes; Host Resources MIB Objects
ipCidrRouteTable for Static Routes B-18 XSR SNMP Proprietary and Associated Standard MIBs ipCidrRouteTable for Static Routes VPN configuration on the XSR may require a default route to the next-hop Internet gateway. Static routes can be added with the IP Forwarding MIB (RFC-2096). This MIB is not cu...
Page 461 - Enterasys Configuration Management MIB
Enterasys Configuration Management MIB XSR User’s Guide B-19 Enterasys Configuration Management MIB The Enterasys Configuration Management MIB supports parameters for an SNMP management entity to reset the managed entity, upload and download executable images and configuration files, and identify th...
Page 462 - Enterasys Configuration Change MIB
Enterasys Configuration Change MIB B-20 XSR SNMP Proprietary and Associated Standard MIBs Enterasys Configuration Change MIB The Enterasys Configuration Change MIB supports parameters for SNMP management entities to determine if and when configuration changes have occurred. Refer to the supported fi...
Page 463 - Enterasys SNMP Persistence MIB
Enterasys SNMP Persistence MIB XSR User’s Guide B-21 Enterasys SNMP Persistence MIB This MIB permits management applications to commit persistent SNMP configuration information to persistent storage. etsysConfigChangeFirmwareGroup A collection of objects providing firmware change data. etsysConfigCh...
Page 464 - Enterasys Syslog Client MIB
Enterasys Syslog Client MIB B-22 XSR SNMP Proprietary and Associated Standard MIBs Enterasys Syslog Client MIB This Enterasys MIB module defines a portion of the SNMP Enterprise MIBs under the Enterasys Enterprise OID pertaining to configuration of Syslog-compatible diagnostic messages generated for...
Page 465 - Syslog Server Defaults
Enterasys Syslog Client MIB XSR User’s Guide B-23 • etsysSyslogServerAddressType The type of Internet address by which the Syslog server is specified in etsysSyslogServerAddress . • etsysSyslogServerAddress The Internet address for the Syslog message server. • etsysSyslogServerUdpPort The UDP port n...
Page 466 - Compliance Statements
Enterasys Syslog Client MIB B-24 XSR SNMP Proprietary and Associated Standard MIBs etsysSyslogServerGroup A collection of objects providing descriptions of syslog servers for sending system messages to: • etsysSyslogServerMaxEntries • etsysSyslogServerNumEntries • etsysSyslogServerTableNextAvailabl...