User Reference Manual Revision Date: 07.03.
NOTICE Enterasys Networks reserves the right to make changes in specifications and other information contained in this document and its web site without prior notice. The reader should in all cases consult Enterasys Networks to determine whether any such changes have been made. The hardware, firmware, or software described in this document is subject to change without notice.
ENTERASYS NETWORKS, INC. PROGRAM LICENSE AGREEMENT BEFORE OPENING OR UTILIZING THE ENCLOSED PRODUCT, CAREFULLY READ THIS LICENSE AGREEMENT. This document is an agreement (“Agreement”) between the end user (“You”) and Enterasys Networks, Inc.
If the Program is exported from the United States pursuant to the License Exception CIV under the U.S. Export Administration Regulations, You agree that You are a civil end user of the Program and agree that You will use the Program for civil end uses only and not for military purposes. If the Program is exported from the United States pursuant to the License Exception TSR under the U.S.
9. OWNERSHIP. This is a license agreement and not an agreement for sale. You acknowledge and agree that the Program constitutes trade secrets and/or copyrighted material of Enterasys and/or its suppliers. You agree to implement reasonable security measures to protect such trade secrets and copyrighted material. All right, title and interest in and to the Program shall remain with Enterasys and/or its suppliers. All rights not specifically granted to You shall be reserved to Enterasys. 10. ENFORCEMENT.
vi Enterasys X-Pedition User Reference Manual
Contents (excerpt; page numbers as in the printed manual)
• About this Manual, i
• What’s New, i
• Related Documentation, iii
• Document Conventions
• 24-7 Networks and VRRP, 20
• Identifying the Primary and Backup Control Modules in a Dual CM Environment, 20
• Removing the Primary Control Module, 20
• Removing the Backup Control Module, 21
• Installing a Control Module
• Set Up an Audit Trail on the Console, 60
• Set Up an Audit Trail on a Syslog Server, 61
• ACL Logging, 63
• Chapter 6: SmartTRUNK Configuration Guide, 65
• Overview
• Configuring Layer-2 Filters, 87
• Monitoring Bridging, 88
• Configuration Examples, 88
• Creating an IP or IPX VLAN
• Associate a Virtual Channel to a VLAN, 114
• Define an ATM Service Class, 115
• Apply an ATM Service Class, 115
• Configure an Interface on an ATM Port, 115
• ATM Sample Configuration 4
• Configuring Address Resolution Protocol (ARP), 142
• Configuring ARP Cache Entries, 142
• Unresolved MAC Addresses for ARP Entries, 142
• Local Proxy ARP, 143
• Configuring Reverse Address Resolution Protocol (RARP)
• Configuring RIP Interfaces, 176
• Configuring RIP Parameters, 176
• Configuring RIP Route Preference, 178
• Configuring RIP Route Default-Metric, 178
• Monitoring RIP
• Local Preference Examples, 222
• Using the local-pref Option, 224
• Using the set-pref Option, 224
• Multi-Exit Discriminator Attribute Example
• Example 1: Importing from RIP, 255
• Example 2: Importing from OSPF, 258
• Examples of Export Policies, 262
• Example 1: Exporting to RIP, 262
• Example 2: Exporting to OSPF
• Applying an IP Policy to Locally Generated Packets, 316
• IP Policy Configuration Examples, 317
• Routing Traffic to Different ISPs, 317
• Prioritizing Service to Customers
• Setting Timeouts for Load Balancing Mappings, 347
• Displaying Load Balancing Information, 347
• Configuration Examples, 348
• Web Hosting with One Virtual Group and Multiple Destination Servers
• Chapter 22: Access Control List Configuration Guide, 369
• ACL Basics, 370
• Defining Selection Criteria in ACL Rules, 370
• How ACL Rules are Evaluated, 371
• Implicit Deny Rule
• Assigning Users, 401
• Defining Views, 402
• Defining Targets, 403
• Configuring Target Parameters
• Layer-4, 429
• Traffic Prioritization, 429
• Layer-2 Flows, 429
• Configuring Layer-2 QoS
• Configuration Examples, 461
• Displaying RMON Information, 463
• RMON CLI Filters, 464
• Creating RMON CLI Filters
• Configuring WAN Interfaces, 490
• Primary and Secondary Addresses, 490
• Static, Mapped, and Dynamic Peer IP/IPX Addresses, 490
• Static Addresses, 491
• Mapped Addresses
About this Manual This manual provides information for configuring the Enterasys X-Pedition (XP) software. It details the procedures and provides configuration examples. If you have not yet installed the XP, use the instructions in the XP Getting Started Guide to install the chassis and perform basic setup tasks, then return to this manual for more detailed configuration information.
What’s New
• VLAN: Port-based VLANs on page 77; XP VLAN Support on page 78
• Virtual Channels: Setting the Operation Mode for a Virtual Channel on page 93
• Unicast: Unicast Routing Protocols on page 137
• RIP: Configuring RIP Parameters on page 176
• BGP: BGP Overview on page 197; The X-Pedition BGP Implementation on page 198; BGP Configuration Examples on page 204; Using the set-pref Option on page 224; BGP Load-Sharing Configuration on page 228
• Load Balancing on page 340
• Password: Password Policy Management on page 392
• Conf
Related Documentation
The Enterasys X-Pedition documentation set includes the following items. Refer to these other documents to learn more about your product.
Getting Help
For additional support related to the Common CLI syntax or this document, contact Enterasys Networks using one of the following methods:
• World Wide Web: http://www.enterasys.com
• Phone: 603-332-9400, or 1-800-872-8440 (toll-free in U.S. and Canada). For the Enterasys Networks Support toll-free number in your country, see http://www.enterasys.com/support/gtac-all.html
• Internet mail: support@enterasys.com
• FTP: ftp://ftp.enterasys.
Chapter 1 Maintaining Configuration Files
This chapter provides information about working with configuration files for the Enterasys X-Pedition (XP). Discussion centers on the different types of configuration files and the procedures involved in changing, displaying, saving, and backing up these files.
Configuration Files
The XP Getting Started Guide introduced the following configuration files:
• Startup – The configuration file that the XP uses to configure itself when the system is powered on.
Configuration Files Because some commands depend on other commands for successful execution, the XP scratchpad simplifies system configuration by allowing you to enter configuration commands in any order, even when dependencies exist. When you activate the commands in the scratchpad, the XP sorts out the dependencies and executes the command in the proper sequence.
Configuration Files You may use the negate command on a specific line of the active configuration to “disable” an enabled feature or function, or to remove a line of comments. To remove a line of comments, enter the negate command and specify the numeric range of the lines you want to remove. The router does not require users to enter the save active command in conjunction with comment commands. Table 1.
Configuration Files
2. Ensure that you are in Configure mode by entering the configure command in the CLI.
3. Enter the following command:
xp (config)# save active
The CLI displays the following message:
xp (config)# Do you want to make the changes Active? [y]
4. Type y to activate the changes.
Note: If you attempt to save an empty configuration to the startup file from a Telnet session, you will terminate your connection and the session will end.
Configuration Files
Displaying Configuration Information
The following table lists the commands that are useful for displaying the XP’s configuration information.
Table 2. Commands to Display Configuration Information (Enable mode)
• Show active configuration of the system: system show active
• Show the non-activated configuration changes in the scratchpad: system show scratchpad
• Show the startup configuration for the next reboot.
Backing up and Restoring the System Image
3. The CLI displays the active configuration file with the following possible annotations:
– Commands without errors are displayed without any annotation.
– Commands with errors are annotated with an “E.”
– Comments are annotated with a “C.”
– If a particular command has been applied such that it can be expanded on additional interfaces/modules, it is annotated with a “P”.
4.
Backing up and Restoring the System Image image to the PCMCIA flash by using the system image add command in Enable mode. If the en0 interface has not been configured, then you will need to configure it by specifying the following: IP address and netmask of the XP, IP address of the TFTP server, and IP address of the default gateway.
Backup Control Module Boot Firmware Upgrade
…server for backup purposes, enter the following command. The CLI will then prompt the user for the TFTP server’s IP address or hostname and the filename:
xp# copy startup to tftp-server
TFTP server? 10.136.11.1
Destination filename? my_startup.cfg
Use the file commands to display the configuration files stored in the flash memory of the CM and, if necessary, to delete any of these files: Display a directory of the files in the flash memory or in the PCMCIA card.
Remote File Boot
To use the tftp-server option to add the prom image file to both control modules, enter the following:
xp# system promimage upgrade tftp-server 10.50.89.88 filename images/prom-upgrade
To use the tftp-url option to add the prom image file to both control modules, enter the following:
xp# system promimage upgrade tftp-url tftp://10.50.89.
Configuring System Settings
In addition to the initial settings described in the Getting Started Guide, there are additional system features you can set on the XP.
Setting Daylight Saving Time
You can set daylight saving time (DST) on the XP in three different ways:
• According to specific days. For example, from the first Sunday of April to the last Saturday of October.
• According to specific dates. For example, from April 1st to October 31st.
Chapter 2 Virtual File Systems This chapter provides information about the Virtual File Systems used on the PCMCIA Flash Module. PCMCIA Virtual File System (VFS) The Virtual File System is used to format the PCMCIA Flash Module in such a way that the module can organize and store files, and enable you to change Boot and System Firmware images on the module. Enterasys refers to the original virtual file system as VFS1. With Boot Firmware version 1.1.0.8 and System Firmware version 3.0.0.
PCMCIA Virtual File System (VFS) Changing the Virtual File System When you move to another VFS, the files stored on the PCMCIA Flash Module will not change. Before you change to another VFS, perform the following actions: 5. Reboot the XP. During the Boot Firmware initialization, press the Escape key to stop the System Firmware from booting. (Typically, the Boot Firmware waits two seconds for user interruption before starting to boot the System Firmware.) 6.
PCMCIA Virtual File System (VFS)
If the file system on the PCMCIA flash card is not mounted, the pcumount command will fail and an error message will appear; you may safely ignore this message. The PCMCIA card's file system is now initialized; however, it lacks a System Firmware image.
Note: If the PCMCIA flash card is write-protected, the erasepcvfs command will fail.
3.
Chapter 3 Hot Swapping Hot Swapping Overview Hot swapping is the ability to replace a line card, Control Module, Switch Fabric (XP-8600 only), or GBIC (ER16 only) without disrupting router operations. Hot swapping allows you to remove or install line cards without switching off or rebooting the X-Pedition, and line cards that are swapped into the X-Pedition begin functioning immediately after they are installed. On the XP-8000 and XP-8600, you can hot swap line cards and secondary control modules.
Line Cards
• Hold the module only by its edges or front panel.
• Wear an anti-static wristband connected to a suitable earth ground whenever handling the module.
• Store or transport this module only in appropriate anti-static packaging.
Line Cards
The procedure for hot swapping a line card consists of deactivating the line card, removing it from its slot in the X-Pedition chassis, and installing a new line card in the slot.
Line Cards
• Use the system hotswap out command from the CLI. For example, to deactivate the line card in slot 7, enter the following command in Enable mode:
xp# system hotswap out slot 7
After a user enters this command, the Offline LED on the line card lights and messages will appear on the console to indicate that the ports on the line card are inoperative.
Note: To reactivate a deactivated line card (whose offline LED is lit), pull the line card from its slot and push it back in.
Control Modules Control Modules Introduction The Control Module functions as the brain of the router. The XP-8000/8600 and ER16 can support up to two control modules (the primary and backup CMs), residing in slots 0 and 1 on the XP-8000/8600 and slots 8 and 9 on the ER16. The Primary CM is the CM in control of the router and processes packets that come through it. The backup CM remains in standby mode, receiving heartbeats from the Primary CM.
Control Modules
Note: On an XP-8000/8600, you can install either a line card or a Control Module in slot CM/1, but you can install only a Control Module in slot CM. On the ER16, control modules will operate only in slots 8 and 9; slot 8 is reserved for the Primary control module.
WARNING: You must install the PCMCIA card before you install the CM or while the CM is on standby after a hot swap. Do not remove a PCMCIA card while the unit is powered on.
5. Secure the Control Module.
Control Modules 24-7 Networks and VRRP In most networks, one to five minutes is too long to wait for a system to come back on line—VRRP was created for this reason. The VRRP protocol uses another X-Pedition to take over in the case of a fail-over. If the backup VRRP router fails to receive messages from the master VRRP router for three seconds (the default), the backup VRRP router will take over. Enterasys recommends the VRRP method for 24-7 networks that use the X-Pedition for routing.
Control Modules
3. Press the Hot Swap button or enter the following from the CLI:
xp# system hotswap out slot
4. When the module is ready to remove, the Offline LED will turn ON and all other LEDs will turn OFF. Figure 3 shows the location of the LEDs and Hot Swap buttons on Control Modules.
Control Modules
2. Press the Hot Swap button or enter the following from the CLI:
xp# system hotswap out slot
3. When the module is ready to remove, the Offline LED will turn ON and all other LEDs will turn OFF. Figure 3 shows the location of the LEDs and Hot Swap buttons on Control Modules.
4. Loosen the captive screws on each side of the Control Module and, in the case of the ER16, open the ejectors.
5. Carefully remove the Control Module from the chassis.
Switching Fabric Module (XP-8600 only)
The XP-8600 has slots for two Switching Fabric Modules. While the XP-8600 is operating, you can install a second Switching Fabric Module. If two Switching Fabric Modules are installed, you can hot swap one of them. When you remove one of the Switching Fabric Modules, the other goes online and stays online until it is removed or the XP-8600 is powered off.
Installing a Switching Fabric Module
WARNING: The X-Pedition and its components are sensitive to static discharge. To prevent electrostatic damage, observe the guidelines provided in Preventing Electrostatic Damage on page 15.
To install a Switching Fabric Module:
1. Slide the Switching Fabric Module all the way into the slot, firmly but gently pressing to ensure that the pins on the back of the module are completely seated in the backplane.
GBICs (ER16 only)
The Gigabit Ethernet line cards have slots for GBICs that can be installed at any time. You can hot swap the GBICs installed in the line cards, as well as the line cards themselves. For information on hot swapping line cards, see Line Cards on page 16.
WARNING: The GBIC and the host gigabit Ethernet line cards are sensitive to static discharge. To prevent electrostatic damage, observe the guidelines provided in Preventing Electrostatic Damage on page 15.
Installing a GBIC into the Line Card
Install the GBIC into the line card as follows:
1. Hold the GBIC with the network port facing away from the line card. The 20-pin connector should be facing toward the empty GBIC slot of the line card.
2. The alignment slot on the GBIC must line up with the alignment guides inside the GBIC slot. The top of the GBIC must be next to the hinged side of the GBIC slot door of the line card. Insert the GBIC into the opening.
Chapter 4 Using the CLI This chapter provides information about the X-Pedition’s Command Line Interface (CLI). The X-Pedition provides a command line interface (CLI) to configure and manage the X-Pedition. In this manual, example configurations show how to use the CLI commands to configure the X-Pedition. CLI commands are grouped by subsystems. For example, the set of commands that let you configure and display IP routing table information all start with ip.
Command Modes Enable Mode Enable mode provides more facilities than User mode. You can display critical features within Enable mode including router configuration, access control lists, and SNMP statistics. To enter Enable mode from the User mode, enter the command enable (or en), then supply the password when prompted. If no password is configured, a warning message advising you to configure a password is displayed.
Command Modes
Native and Common CLI Modes
The X-Pedition supports two standard interfaces: the Native CLI and the Common CLI. Each mode contains specific commands that are accessible only from within the particular mode. To switch between modes, enter one of the following commands.
Native to Common:
xp> cli set common
Common to Native (Firmware version E8.2.0.0 and newer):
xp> terminal cli native
Common to Native (Firmware versions E8.1.x.
Configuring CLI Access Security
When configuring your network access security policy, Enterasys recommends that you employ at least the following:
• Minimum password length of 8 characters.
• Successful login time of 60 seconds.
• Number of failed login attempts before disabling a user’s account should not exceed 6.
• New login attempts cannot be made for at least 60 minutes after disabling a user account.
Configuring CLI Access Security
Types of passwords to avoid:
– User’s name (first or last), child's name, or the name of a pet
– Birthday or anniversary
– “Password”
– Repeated characters (e.g., “AAAAAA” or “999999”)
– Sports teams or terms (such as “Bulls” or “Golfer”)
– Favorite recording artist
– Obscenities or sexual terms
In addition to avoiding bad passwords, do not employ bad security practices:
– Do NOT write down the password and post it near the terminal.
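The policy values above (minimum length 8, at most 6 failed attempts before the account is disabled, no new attempts for 60 minutes afterwards) and the list of passwords to avoid can be checked mechanically. The following Python is an added illustration written for this manual, not Enterasys code and not how the X-Pedition firmware implements its password-policy or lockout logic; the deny list, the user-related terms and the timestamps are constructed for the example.

```python
import re
from datetime import datetime, timedelta

# Values taken from the manual's recommended access security policy.
MIN_PASSWORD_LENGTH = 8
MAX_FAILED_LOGINS = 6
LOCKOUT_MINUTES = 60

# Constructed deny list standing in for the categories the manual names
# ("Password", sports terms, ...); a real deployment would use a larger list.
BANNED_TERMS = {"password", "bulls", "golfer"}


def check_password(candidate, user_terms=()):
    """Return a list of policy violations; an empty list means the password is acceptable.

    user_terms are names associated with the account (user, child, pet) supplied
    by the caller; a password that merely contains one of them is rejected.
    """
    problems = []
    if len(candidate) < MIN_PASSWORD_LENGTH:
        problems.append("shorter than %d characters" % MIN_PASSWORD_LENGTH)
    lower = candidate.lower()
    if lower in BANNED_TERMS or any(t.lower() in lower for t in user_terms):
        problems.append("matches a banned or user-related term")
    if re.fullmatch(r"(.)\1*", candidate):
        problems.append("repeated single character")
    if re.fullmatch(r"\d{6,8}", candidate):  # all-digit strings such as birthdays
        problems.append("looks like a date")
    return problems


class LoginGuard:
    """Counts failed logins per account and enforces the lockout window."""

    def __init__(self):
        self.failures = {}
        self.locked_until = {}

    def attempt(self, user, credential_ok, now):
        """Return 'allowed', 'denied' (bad credential) or 'locked' (account disabled)."""
        until = self.locked_until.get(user)
        if until is not None:
            if now < until:
                return "locked"          # still inside the 60-minute window
            del self.locked_until[user]  # window expired: counter starts fresh
            self.failures[user] = 0
        if credential_ok:
            self.failures[user] = 0
            return "allowed"
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= MAX_FAILED_LOGINS:
            self.locked_until[user] = now + timedelta(minutes=LOCKOUT_MINUTES)
            return "locked"
        return "denied"


if __name__ == "__main__":
    print(check_password("AAAAAA"))
    guard = LoginGuard()
    t0 = datetime(2003, 7, 1, 9, 0)  # constructed timestamp
    for i in range(6):
        print(guard.attempt("jane", False, t0 + timedelta(seconds=i)))
```

The lockout is keyed on the account, not the source address, which matches the manual's wording ("disabling a user's account"); the guard deliberately does not reveal whether the account exists, returning the same "denied" for any failed credential.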
Configuring CLI Access Security Table 3.
Configuring CLI Access Security Password Policy Management Secure access to the X-Pedition through password protection and policies is available in both single- and multi-user modes. Global password policies are established using the system set password-policy command and apply to all passwords in single- or multi-user mode unless specifically overridden by one of the command options described below.
Configuring CLI Access Security here you can access Configure mode and make configuration changes. Access to Configuration mode may be configured to require a password. The X-Pedition stores passwords in the startup configuration file. If you copy a configuration file from one X-Pedition to another, the passwords in the file will automatically apply to the new router.
Establishing Telnet Sessions • Whether or not to disable the user account after too many failed login attempts. The following example creates a new user account for Jane and grants password access to configure mode. All other options remain at their default levels. For details on specific password and privilege options associated with the system set user command, consult the Enterasys X-Pedition Command Line Interface Reference Manual.
Secure Shell (ssh) Server
…control module. The default is 5 minutes. You can disable this feature by setting the time-out value to zero.
• Display the last five connections to the X-Pedition: system show telnet-access
• Specify the time-out value for a serial or telnet connection: system set idle-time-out serial|telnet
• End the specified telnet session: system kill telnet-session
Additionally, you can telnet to another X-Pedition during a CLI session.
Secure Shell (ssh) Server
Note: SSH client requires firmware version E9.1.0.0 or later.
To set up the SSH server, use the following steps:
1. Generate host keys.
2. Enable the SSH server.
The easiest way to generate host keys is to use the all option of the ssh-server generate-host-key command from enable mode.
Secure Shell (ssh) Server – In SSH-1, the stamp is a cyclic redundancy check (CRC-32) of the packet contents. This type of data validation is commonly used for error detection purposes but does not hold up to cryptographic standards because it is feasible for an attacker to change the contents of the packet while maintaining a valid CRC-32 stamp.
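The distinction the manual draws here (a CRC-32 stamp detects accidental corruption but is not a cryptographic integrity check, whereas the SSH-2 MACs such as hmac-sha1 named later in this chapter are) is easy to see in code. The following Python is an added illustration written for this page, not Enterasys code and not the X-Pedition's SSH implementation; the shared key and the two command strings are constructed for the example.

```python
import hashlib
import hmac
import zlib

# Constructed secret standing in for the per-session key an SSH-2 MAC uses.
SESSION_KEY = b"constructed-shared-secret"


def crc32_stamp(payload):
    """Unkeyed CRC-32 over the payload, as SSH-1 uses for its integrity stamp."""
    return zlib.crc32(payload) & 0xFFFFFFFF


def hmac_stamp(payload, key=SESSION_KEY):
    """Keyed HMAC-SHA1 over the payload (the hmac-sha1 MAC of SSH-2)."""
    return hmac.new(key, payload, hashlib.sha1).digest()


def crc_check(payload, stamp):
    return crc32_stamp(payload) == stamp


def hmac_check(payload, stamp, key=SESSION_KEY):
    # compare_digest avoids leaking the position of the first mismatch via timing.
    return hmac.compare_digest(hmac_stamp(payload, key), stamp)


def compare_integrity_checks():
    """Show which check still holds once a packet's contents are altered in transit."""
    sent = b"set vlan 10"               # constructed command carried in the packet
    crc = crc32_stamp(sent)
    mac = hmac_stamp(sent)

    altered = b"set vlan 99"            # same packet with its contents changed
    # The CRC needs no secret, so a fresh stamp for the altered text is just
    # another CRC computation; the receiver has no way to tell the two apart.
    refreshed_crc = crc32_stamp(altered)
    # The MAC needs SESSION_KEY, which a party on the path does not hold, so the
    # best available stamp for the altered text is the one that came with the
    # original packet.
    return {
        "crc_accepts_altered": crc_check(altered, refreshed_crc),
        "hmac_accepts_altered": hmac_check(altered, mac),
        "hmac_accepts_genuine": hmac_check(sent, mac),
        "crc_accepts_genuine": crc_check(sent, crc),
    }


if __name__ == "__main__":
    for name, ok in compare_integrity_checks().items():
        print("%-22s %s" % (name, ok))
```

The point for a defender is that an integrity check without a key only protects against noise; authenticity of the contents requires a MAC bound to a secret the peer and no one else holds, which is why the manual steers administrators toward SSH-2 and its HMAC algorithms.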
Secure Shell (ssh) Server To generate host keys, use the ssh-server generate-host-key command from enable mode. The following example demonstrates how to generate a 768-bit RSA host key: xp# ssh-server generate-host-key rsa bits 768 When selecting the bit size for the host key, keep in mind that, in general, 1,024 bits (the default) is considered very secure. Lengths greater than 1,024 bits are not considered to provide much additional security and will slow down cryptographic operations.
Secure Shell (ssh) Server The server key provides perfect forward secrecy, meaning that the security of previous sessions will not be compromised—even if the host or session key is compromised. Since the server key regenerates periodically, the impact of a compromised key is minimal. The more often the server key regenerates, the more secure it will be; however, frequent regenerating requires more system resources.
Secure Shell (ssh) Server You may also accomplish this task on a per-session basis by using the encryption-preference command-line option: xp# ssh 192.168.1.1 encryption-preference aes128-cbc,blowfish,3des-cbc For the SSH-1 protocol version, users cannot specify a preference for encryption algorithms. However, users may use the ssh-client set ssh1-encryption command or the ssh1-encryption command-line option to force use of a particular cipher.
Secure Shell (ssh) Server This may also be accomplished on a per-session basis with the mac-preference command-line option: xp# ssh 192.168.1.1 mac-preference hmac-sha1-96,hmac-sha1 Additional Options Each active Secure Shell session can use a fair amount of system resources. To what degree each session will impact overall system performance depends on the protocol versions, ciphers, and MACs in use, and the amount of activity in each session.
Setting CLI Parameters By default, the tilde (~) character initiates the escape sequence. Typing “~?” immediately following a new line while in an active SSH client session will display a menu of all the available escape sequences. The escape sequence initiator character can be changed by using the ssh-client set escape configuration command, or by specifying the escape command-line option.
Getting Help with CLI Commands
…the most recent. To specify the number of commands stored in the command history buffer, enter the following command in User or Configure mode:
cli set history size |default|maxsize (Set the size of the command history buffer.)
Alternatively, you can display all the commands that were executed during a CLI session. To display the CLI commands, enter the following command in User mode:
cli show history (Display command history.)
Getting Help with CLI Commands
sfs – Show SecureFast Switching (SFS) parameters
statistics – Show or clear X-Pedition statistics
stp – Show STP status
telnet – Telnet utility
traceroute – Traceroute utility
vlan – Show VLAN-related parameters
You can also type the ? character while entering a command line to see a description of the parameters or options that you can enter. Once the help information is displayed, the command line is redisplayed as before but without the ? character.
Getting Help with CLI Commands Line Editing Commands The X-Pedition provides line editing capabilities that are similar to Emacs, a Unix text editor. For example, you can use certain line editing keystrokes to move forward or backward on a line, delete or transpose characters, and delete portions of a line. To use the line editing commands, you need to have a VT-100 terminal or terminal emulator. The line editing commands that you can use with CLI are detailed in Table 4. Table 4.
Table 4. CLI Line Editing Commands
• Ctrl-x: Move forward one word.
• Ctrl-y: Paste back what was deleted by the previous Ctrl-k or Ctrl-w command. Text is pasted back at the cursor location.
• Ctrl-z: If inside a subsystem, it exits back to the top level. If in Enable mode, it exits back to User mode. If in Configure mode, it exits back to Enable mode.
• ESC-b: Move backward one word.
• ESC-d: Kill word from the cursor’s current location until the first white space.
Port Names
…is the type of line card and can be one of the following:
• at – ATM line card
• et – 10 Base-X/100 Base-X Ethernet line card
• gi – 1000 Base-X Gigabit Ethernet line card
• hs – Dual HSSI WAN line card
• se – Serial WAN line card
• so – Packet-over-SONET line card
…is determined by the X-Pedition model and the physical slot in which the line card is installed. On the XP-2000, the slot number is printed on the side of each slot.
Port Names
• et.(1-3).(1-8) references all the following ports: et.1.1 through et.1.8, et.2.1 through et.2.8, and et.3.1 through et.3.8.
• et.(1,3).(1-8) references the following ports: et.1.1 through et.1.8, and et.3.1 through et.3.8.
• et.(1-3).(1,8) references the following ports: et.1.1, et.1.8, et.2.1, et.2.8, et.3.1, et.3.
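When auditing a configuration (for example, to confirm which ports an ACL or a Layer-2 filter actually applies to), it helps to expand the slot/port list notation above into individual port names. The Python below is an added example written for this page, not Enterasys code and not the parser the X-Pedition firmware uses; it accepts the line card type codes listed in the manual and the parenthesised range and comma forms shown in the bullets, and additionally handles a mixed list such as (1-3,8), which the manual's examples do not show.

```python
import re

# Line card type codes from the manual's port naming table.
LINE_CARD_TYPES = {"at", "et", "gi", "hs", "se", "so"}


def _expand_field(field):
    """Expand one slot or port field into a sorted list of integers.

    Accepts a bare number ('3') or a parenthesised list whose items are
    single numbers or low-high ranges: '(1-3)', '(1,3)', '(1-3,8)'.
    """
    inner = field[1:-1] if field.startswith("(") and field.endswith(")") else field
    values = []
    for part in inner.split(","):
        part = part.strip()
        m = re.fullmatch(r"(\d+)-(\d+)", part)
        if m:
            low, high = int(m.group(1)), int(m.group(2))
            if low > high:
                raise ValueError("descending range in %r" % field)
            values.extend(range(low, high + 1))
        elif re.fullmatch(r"\d+", part):
            values.append(int(part))
        else:
            raise ValueError("malformed field %r" % field)
    return sorted(set(values))


def expand_port_spec(spec):
    """'et.(1,3).(1-8)' -> ['et.1.1', ..., 'et.1.8', 'et.3.1', ..., 'et.3.8']"""
    m = re.fullmatch(r"([a-z]+)\.([^.\s]+)\.([^.\s]+)", spec)
    if not m:
        raise ValueError("port spec must be <type>.<slot>.<port>: %r" % spec)
    card, slot_field, port_field = m.groups()
    if card not in LINE_CARD_TYPES:
        raise ValueError("unknown line card type %r" % card)
    return ["%s.%d.%d" % (card, slot, port)
            for slot in _expand_field(slot_field)
            for port in _expand_field(port_field)]


def ports_covered(specs):
    """Union of the ports named by several specs, e.g. every port an ACL is applied to."""
    covered = set()
    for spec in specs:
        covered.update(expand_port_spec(spec))
    return sorted(covered)


if __name__ == "__main__":
    for spec in ("et.(1-3).(1-8)", "et.(1,3).(1-8)", "et.(1-3).(1,8)"):
        print(spec, "->", expand_port_spec(spec))
```

Because the function rejects unknown card types and malformed fields instead of silently returning an empty list, a typo in a filter's port list shows up as an error rather than as a rule that applies to nothing.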
Chapter 5 Logging Introduction The X-Pedition uses a series of system messages to track router activity and status. These messages display helpful information to inform users of simple changes in operational status or warn users of more severe issues that may affect system operations. The areas to which these messages apply depends on the facilities used and the user-defined status type of the messages displayed.
CONFIG         Configuration
CONS           Console
CTRONCHASSIS   Chassis-Related
DDT            Diagnostics
DHCPD          Dynamic Host Configuration Protocol
DVMRP          Distance Vector Multicast Routing Protocol
ERR            Error
ETH            10Base-T Ethernet Driver
FDDI           Fiber Distributed Data Interface
GARP           Generic Attribute Registration Protocol
GATED          Gate Daemon Routing Parent Task
GVRP           GARP VLAN Registration Protocol
HBT            Control Module Heartbeat
IGMP           Internet Group Membership Protocol
IGMP_PIM       Internet Group Membe
PHY_POLL       Physical ports
PIM            Protocol Independent Multicast
PING           Ping
POLICY         Policy
PPP            Point-to-Point Protocol
PROFILE        Profile
PTY            Pseudo TTY
QOS            Quality of Service
RARPD          Reverse Address Resolution Protocol
RCP            Remote Copy Protocol
RDISC          Router Discovery
RELAY          Relay
RES            Resolver
RIP            Routing Information Protocol
RL             Rate Limit
RMON           Remote Network Monitoring
SIO            Serial Input/Output
SNMP           Simple Network Management Protocol
SONET          Packet-Over-Sonet
SR             Temperatur
Reading Messages

Every system message the X-Pedition supports follows the same basic format:

%--

where:
• lists the date and time when the message appeared (e.g., 2002-08-23 14:32:00).
• is a code consisting of uppercase letters that indicates the facility to which the error message refers (e.g., VLAN, SNMP, WAN).
• is a single-letter code used to indicate the severity of the error condition.
Logging Methods

The X-Pedition allows you to monitor and track system activity by generating messages that report various states and events. You may view and discard this information or store it for future reference. To track these messages, the X-Pedition uses the console and Syslog logging methods.
Console Logging

Console logging displays messages to the console only and allows users to view only as many messages as will fit on the screen—as new messages appear, old messages simply scroll off the console. While this is a temporary means of logging this information, it allows administrators to track very specific activities quickly and easily.
Syslog Logging

Users may write messages locally to the internal Flash, externally to the Syslog server, or both. However, because the Syslog method does not display output on the console, it may not be readily obvious to users that this method is enabled.

Remote Syslog Server

The Syslog logging method allows users to identify the server to which the X-Pedition should send system messages.
Local Flash

The local parameter of the system set syslog command logs Syslog messages to a local log file, int-flash/cfg/syslog—even if you have not configured a remote Syslog server.

Note: The local Flash is NOT the PCMCIA card—it is the X-Pedition’s internal memory.

Each time the router reboots and the Syslog facility initializes, the local Syslog file moves to int-flash/cfg/syslog.bak and a new log is created. Local logging is subject to the Syslog filtering mechanism.
Audit Trail

With the X-Pedition’s ability to support multiple user accounts on the same router, it is important to be able to monitor what administrative changes are performed on the system and who performs them. The X-Pedition collects this information and outputs it to a console, Syslog server, or Flash memory in the form of audit log messages which allow you to track information such as the username, source IP address, and session type.
The X-Pedition stores the last messages in a local circular buffer. The circular buffer is a location in system memory allocated by the heap to store system messages before sending them to the Syslog server or Flash—messages remain in memory until the buffer reaches the maximum buffer size and begins to replace old messages with new ones. To view the current contents of the buffer, use the system show syslog buffer command.
Set Up an Audit Trail on a Syslog Server

To configure an Audit Trail for a specific facility only and log to an external Syslog server, do the following:
• Set the global message level to write to the Syslog server. Select Fatal to prevent the router from logging any message that does not present a fatal condition. This will help limit the number of messages collected and make it easier to view the activity within a specific area.
Each time the router reboots and the Syslog facility initializes, the local Syslog file moves to int-flash/cfg/syslog.bak and a new log is created. Local logging is subject to the Syslog filtering mechanism. To display the contents of the local log files, use either of the following:

    xp# file type syslog
    xp# file type syslog.bak

Note: You may still use the system show syslog buffer command to display the buffered messages. The X-Pedition stores the last messages in a local circular buffer.
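The message format from Reading Messages and the circular buffer described for the audit trail fit together naturally in a small collector, which is what an administrator pulling the syslog or syslog.bak file off the Flash ends up writing. The following is an added example, not code from the manual or from Enterasys. It assumes a message layout of "timestamp %FACILITY-S-description" (built from the manual's example timestamp and the "%--" skeleton; the exact layout is an assumption), and it assumes four severity letters I, W, E and F ordered from least to most severe (only "Fatal" as the most restrictive level is stated by the manual). The sample lines are constructed, not real device output.

```python
import re
from collections import deque

# Assumed severity letters, least to most severe. Only "Fatal" as the most
# restrictive level is stated by the manual; the rest is an assumption.
SEVERITY_ORDER = {"I": 0, "W": 1, "E": 2, "F": 3}

# Assumed layout: "<timestamp> %<FACILITY>-<severity>-<description>".
MESSAGE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"%(?P<facility>[A-Z_]+)-(?P<severity>[A-Z])-(?P<text>.*)$"
)


def parse_message(line):
    """Return the message fields as a dict, or None if the line is not in the format."""
    m = MESSAGE_RE.match(line.strip())
    if not m or m.group("severity") not in SEVERITY_ORDER:
        return None
    return m.groupdict()


class SyslogBuffer:
    """Bounded circular buffer: once `capacity` entries are held, each new
    message replaces the oldest one, exactly as the manual describes."""

    def __init__(self, capacity):
        self._buf = deque(maxlen=capacity)
        self.dropped = 0  # lines that did not parse and were not buffered

    def add(self, line):
        msg = parse_message(line)
        if msg is None:
            self.dropped += 1
            return False
        self._buf.append(msg)
        return True

    def show(self, min_severity="I", facility=None):
        """Filtered view, like the global level plus per-facility audit trail."""
        floor = SEVERITY_ORDER[min_severity]
        return [
            m for m in self._buf
            if SEVERITY_ORDER[m["severity"]] >= floor
            and (facility is None or m["facility"] == facility)
        ]

    def __len__(self):
        return len(self._buf)


# Constructed sample lines (not real device output); facility codes are from
# the manual's facility table where one exists, the descriptions are made up.
SAMPLE_LINES = [
    "2002-08-23 14:32:00 %CLI-I-LOGIN user admin logged in from 10.0.0.5 (telnet)",
    "2002-08-23 14:32:07 %VLAN-I-CREATE VLAN BLUE created",
    "2002-08-23 14:32:09 %ACL-W-DENY inbound packet denied on et.1.1",
    "garbage line that does not follow the format",
    "2002-08-23 14:32:15 %SNMP-E-AUTHFAIL bad community from 10.0.0.9",
    "2002-08-23 14:33:01 %SYS-F-MEMORY heap exhausted",
]


def audit_view(lines, capacity=4):
    """Feed lines through a buffer of the given size and return the buffer."""
    buf = SyslogBuffer(capacity)
    for line in lines:
        buf.add(line)
    return buf


if __name__ == "__main__":
    buf = audit_view(SAMPLE_LINES)
    print(f"{len(buf)} buffered, {buf.dropped} unparseable")
    for m in buf.show("E"):
        print(m["ts"], m["facility"], m["severity"], m["text"])
```

With a capacity of four, the first login message has already been overwritten by the time the fatal message arrives, which is the behaviour to keep in mind when relying on the buffer rather than a Syslog server for an audit trail.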
ACL Logging

The report-denies [all | periodic] option of the acl apply interface and acl apply port commands allows enhanced detection of messages denied access by ACL rules. This aids network testing, diagnosis, and security monitoring. By default, the router logs only the first ACL match and records a hardware flow entry—subsequent messages that match the ACL are dropped.

Note: This functionality is currently available for IP ACLs only.
Chapter 6 SmartTRUNK Configuration Guide

Overview

This chapter explains how to configure and monitor SmartTRUNKs on the XP. A SmartTRUNK is Enterasys Networks’ technology for load balancing and load sharing. A SmartTRUNK is a group of two or more ports that have been logically combined into a single port. Multiple physical connections between devices are aggregated into a single logical, high-speed path that acts as a single link.
Configuring SmartTRUNKs

To configure a SmartTRUNK, perform the following tasks:
1. Create a SmartTRUNK and specify a control protocol for it.
2. Add physical ports to the SmartTRUNK.
3. Specify the policy for distributing traffic across SmartTRUNK ports (optional). By default, the XP distributes traffic to ports in a round-robin (sequential) manner.
To create a SmartTRUNK, enter the following command in Configure mode:

Create a SmartTRUNK that will connect to a device that supports the DEC Hunt Group control protocol.
    smarttrunk create protocol huntgroup
Create a SmartTRUNK that will connect to a device that does not support the DEC Hunt Group control protocol.
    smarttrunk create protocol no-protocol
Create a SmartTRUNK to use for 802.3ad link aggregation.
Specify Traffic Distribution Policy (Optional)

The default policy for distributing traffic across the ports in a SmartTRUNK is “round-robin,” where the XP selects the port on a rotating basis. The other policy that can be chosen is “link-utilization,” where packets are sent to the least-used port in a SmartTRUNK. You can choose to specify the link-utilization policy for a particular SmartTRUNK, a list of SmartTRUNKs, or for all SmartTRUNKs on the XP.
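The difference between the two policies is easiest to see by feeding the same frame sizes through both. The following is an added example, not code from the manual or from Enterasys: it models a SmartTRUNK as a list of member ports and implements round-robin selection (the default) next to link-utilization selection, which here means the member port with the fewest bytes sent so far. The tie-break (lowest-numbered port first) and the use of byte counts as the utilization measure are assumptions, since the manual does not say how the XP measures "least-used".

```python
from itertools import cycle


class SmartTrunk:
    """Model of the two SmartTRUNK distribution policies.

    round-robin      : members are used in rotating order, ignoring load.
    link-utilization : each frame goes to the member with the least bytes
                       sent so far (assumed measure; ties go to the
                       lowest-numbered member)."""

    POLICIES = ("round-robin", "link-utilization")

    def __init__(self, ports, policy="round-robin"):
        if policy not in self.POLICIES:
            raise ValueError(f"unknown policy {policy!r}")
        if len(ports) < 2:
            raise ValueError("a SmartTRUNK needs two or more ports")
        self.ports = list(ports)
        self.policy = policy
        self.bytes_sent = {p: 0 for p in self.ports}
        self._rotation = cycle(self.ports)

    def select_port(self, frame_len):
        """Pick the member port for one frame and account for its bytes."""
        if self.policy == "round-robin":
            port = next(self._rotation)
        else:
            port = min(self.ports, key=lambda p: (self.bytes_sent[p], self.ports.index(p)))
        self.bytes_sent[port] += frame_len
        return port

    def distribute(self, frame_lengths):
        """Return the member port chosen for each frame in order."""
        return [self.select_port(n) for n in frame_lengths]


# Constructed traffic: one large frame followed by small ones.
SAMPLE_FRAMES = [1500, 64, 64, 64]

if __name__ == "__main__":
    for policy in SmartTrunk.POLICIES:
        trunk = SmartTrunk(["et.1.1", "et.1.2"], policy)
        print(policy, trunk.distribute(SAMPLE_FRAMES), trunk.bytes_sent)
```

With this traffic pattern round-robin alternates regardless of load, while link-utilization keeps sending the small frames to the port that did not carry the large one until the byte counts even out.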
Monitoring SmartTRUNKs

Statistics are gathered for data flowing through a SmartTRUNK and each port in the SmartTRUNK. To display SmartTRUNK statistics, enter one of the following commands in Enable mode:

Display information about all SmartTRUNKs and the control protocol used.
    smarttrunk show trunks
Display traffic distribution statistics on a SmartTRUNK.
Example Configurations

The following shows a network design based on SmartTRUNKs. R1 is an XP operating as a router, while S1 and S2 are XPs operating as switches.

[Figure: SmartTRUNK network design. Labels as they appear in the figure: Cisco 7500 Router; st.1 10.1.1.1/24; st.2 10.1.1.2/24 to-cisco; Router R1; 11.1.1.2/24 to-s1; st.4; Switch S1; Server; 12.1.1.2/24 to-s2; st.3; Switch S2; st.5; Cisco Catalyst 5K Switch]

The following is the configuration for the Cisco 7500 router:

    interface port-channel 1
    ip address 10.1.1.1 255.255.255.
The following is the SmartTRUNK configuration for the XP labeled ‘R1’ in the diagram:

    smarttrunk create st.1 protocol no-protocol
    smarttrunk create st.2 protocol huntgroup
    smarttrunk create st.3 protocol huntgroup
    smarttrunk add ports et.1(1-2) to st.1
    smarttrunk add ports et.2(1-2) to st.2
    smarttrunk add ports et.3(1-2) to st.3
    interface create ip to-cisco address-netmask 10.1.1.2/24 port st.1
    interface create ip to-s1 address-netmask 11.1.1.
Configuring the Link Aggregation Control Protocol (LACP)

Configuring SmartTRUNKs for LACP

To configure a SmartTRUNK and specify the LACP protocol, perform the following tasks:
1. Enter the following command in Configure mode to create a SmartTRUNK and specify the LACP protocol.
3. Enter the following command in Configure mode to configure the aggregator’s properties.

Configure the aggregator’s properties.
    smarttrunk lacp aggregator port-type 10-100-Ethernet|Gigabit-Ethernet actor-key |default-10-100|default-gig [system-priority ]

The following parameters are required. For additional information about the LACP Set command, see the Enterasys X-Pedition Command Line Interface Reference Manual.
Chapter 7 Bridging Configuration Guide

Bridging Overview

The Enterasys X-Pedition provides the following bridging functions:
• Compliance with the IEEE 802.1D standard and IEEE 802.
Address-based bridging - The XP performs this type of bridging by looking up the destination address in an L2 lookup table on the line card that receives the bridged packet from the network. The L2 lookup table indicates the exit port(s) for the bridged packet. If the packet is addressed to the XP's own MAC address, the packet is routed rather than bridged.
VLAN Overview

Detailed information about these types of VLANs is beyond the scope of this manual. Each type of VLAN is briefly explained in the following subsections.

Port-based VLANs

Ports of L2 devices (switches, bridges) are assigned to VLANs. Any traffic received by a port is classified as belonging to the VLAN to which the port belongs. For example, if ports 1, 2, and 3 belong to the VLAN named “Marketing,” then a broadcast frame received by port 1 is transmitted on ports 2 and 3.
Policy-based VLANs

Policy-based VLANs are the most general definition of VLANs. Each incoming (untagged) frame is looked up in a policy database, which determines the VLAN to which the frame belongs. For example, you could set up a policy which creates a special VLAN for all E-mail traffic between the management officers of a company, so that this traffic will not be seen anywhere else.
The XP switching routers use VLANs to achieve this behavior. This means that an L3 subnet (i.e., an IP or IPX subnet) is mapped to a VLAN. A given subnet maps to exactly one VLAN. With this definition, the terms VLAN and subnet are almost interchangeable. To configure an XP as a combined switch and router, the administrator must create VLANs whenever multiple ports of the XP are to belong to a particular VLAN/subnet.
Configuring XP Bridging Functions

You can use the port enable 8021p command to tag frames transmitted from access ports with a one-byte, 802.1p class of service (CoS) value. The CoS value indicates the frame’s priority. There are 8 CoS values, 0 is the lowest priority and 7 is the highest.

Note: A packet entering a Q-trunk has an 802.1Q header containing a priority field. Typically, users can change the 802.1Q priority using the qos set l2 commands.
The corresponding bridge tables for address-based and flow-based bridging are shown below. As shown, the bridge table contains more information on the traffic patterns when flow-based bridging is enabled compared to address-based bridging.

Address-Based Bridge Table     Flow-Based Bridge Table
A (source)                     A→B
B (source)                     B→A
C (destination)                B→C
                               A→C

With the XP configured in flow-based bridging mode, the network manager has “per flow” control of layer-2 traffic.
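To make the two tables above concrete, the following added example (not code from the manual or from Enterasys) builds both from the same constructed frame trace: the four conversations A→B, B→A, B→C and A→C that the flow-based table lists. Hosts A, B and C stand in for MAC addresses, the ingress ports are made up, and the "flood" marker for a MAC that has only ever been seen as a destination is a labelling choice of this example, not something the XP displays.

```python
from collections import OrderedDict

# Constructed frame trace: (source MAC, destination MAC, ingress port).
# A and B transmit; C only ever receives, matching the manual's tables.
FRAMES = [
    ("A", "B", "et.1.1"),
    ("B", "A", "et.1.2"),
    ("B", "C", "et.1.2"),
    ("A", "C", "et.1.1"),
]


def address_based_table(frames):
    """Address-based bridging learns one entry per MAC: the port it was
    seen transmitting on. A MAC known only as a destination has no learned
    port, so frames to it must be flooded; it is marked "flood" here."""
    table = OrderedDict()
    for src, _dst, port in frames:
        table[src] = port
    for _src, dst, _port in frames:
        table.setdefault(dst, "flood")
    return table


def flow_based_table(frames):
    """Flow-based bridging keys on the (source, destination) pair, so every
    distinct conversation gets its own entry and can be controlled per flow."""
    table = OrderedDict()
    for src, dst, port in frames:
        table.setdefault((src, dst), port)
    return table


def flows_for_host(frames, host):
    """Conversations involving `host`, the per-flow view the manual refers to."""
    return [(s, d) for (s, d) in flow_based_table(frames) if host in (s, d)]


if __name__ == "__main__":
    print("Address-based:", dict(address_based_table(FRAMES)))
    print("Flow-based:   ", list(flow_based_table(FRAMES)))
    print("Flows with C: ", flows_for_host(FRAMES, "C"))
```

The flow table has four entries to the address table's three, and it is the only one that records that B and A both talked to C, which is the extra traffic-pattern information the text refers to.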
By default, spanning tree is disabled on the XP. To enable spanning tree on the XP, you perform the following tasks on the ports where you want spanning tree enabled.

Enable spanning tree on one or more ports for default spanning tree.
    stp enable port
Enable spanning tree on one or more ports for a particular VLAN.
Note: Only network administrators with a good understanding of how bridges and the Spanning Tree Protocol work should make adjustments to spanning-tree parameters. Poorly chosen adjustments to these parameters can have a negative impact on performance. A good source on bridging is the IEEE 802.1D specification.
To assign port costs, enter the following command in Configure mode:

Set a different port cost other than the defaults for default spanning tree.
    stp set port port-cost
Set a different port cost other than the defaults for a particular instance of spanning tree.
Defining the Maximum Age

If a bridge does not hear BPDUs from the root bridge within a specified interval, it assumes that the network has changed and recomputes the spanning-tree topology. To change the default interval setting, enter the following command in Configure mode:

Change the amount of time a bridge will wait to hear BPDUs from the root bridge for default spanning tree.
Configuring a Port- or Protocol-Based VLAN

Note: The XP will display VLAN names up to 32 characters in length.

Adding Ports to a VLAN

To add ports to a VLAN, enter the following command in Configure mode.

Add ports to a VLAN.
    vlan add ports to

Note: The XP will display VLAN and interface names up to 32 characters in length.

Configuring VLAN Trunk Ports

The XP supports standards-based VLAN trunking between multiple XPs as defined by IEEE 802.1Q. 802.
Configuring VLANs for Bridging

The XP allows you to create VLANs for AppleTalk, DECnet, SNA, and IPv6 traffic as well as for IP and IPX traffic. You can create a VLAN for handling traffic for a single protocol, such as a DECnet VLAN. Or, you can create a VLAN that supports several specific protocols, such as SNA and IP traffic.

Note: Some commands in this facility require updated XP hardware.
Monitoring Bridging

The XP provides display of bridging statistics and configurations contained in the XP. To display bridging information, enter the following commands in Enable mode.

Show IP routing table.
    ip show routes
Show all MAC addresses currently in the l2 tables.
    l2-tables show all-macs
Show l2 table information on a specific port.
    l2-tables show port-macs
Show information on the master MAC table.
    l2-tables show mac-table-stats
Show information on a specific MAC address.
Configuration Examples

First, create an IP VLAN named ‘BLUE’:
    xp(config)# vlan create BLUE ip

Note: The XP will display VLAN and interface names up to 32 characters in length.

Next, assign ports to the ‘BLUE’ VLAN:
    xp(config)# vlan add ports et.4.(1-8),gi.1.(1-2) to BLUE

Creating a non-IP/non-IPX VLAN

In this example, SNA, DECnet, and AppleTalk hosts are connected to et.1.1 and et.2.(1-4). You can associate all the ports containing these hosts to a VLAN called ‘RED’ with the VLAN ID 5.
First, create a VLAN named ‘GREEN’ with VLAN ID 100 on both XP1 and XP2 and add the ports to the VLAN:

    XP1(config)# vlan create GREEN port-based id 100
    XP1(config)# vlan add ports gi.1.(1-2),et.3.1 to GREEN
    XP2(config)# vlan create GREEN port-based id 100
    XP2(config)# vlan add ports gi.2.(1-2) to GREEN

Note: The XP will display VLAN and interface names up to 32 characters in length.

Then, create a spanning tree instance for VLAN ‘GREEN’.
Chapter 8 ATM Configuration Guide

ATM Overview

This chapter provides an overview of the Asynchronous Transfer Mode (ATM) features available for the Enterasys X-Pedition. ATM is a cell switching technology used to establish multiple connections over a physical link, and configure each connection with its own traffic parameters. This provides more control over specific connections within a network.

Note: This release supports PVCs only.
Virtual Channels

A virtual channel is a point-to-point connection that exists within a physical connection. You can create multiple virtual channels within one physical connection, with each virtual channel having its own traffic profile. The name “virtual” implies that the connection is located in silicon instead of a physical wire. Refer to Creating a Service Profile Definition on page 94 for information about defining a set of traffic parameters for a virtual channel.
Virtual Channel and IPX Routing

The following commands create an ATM virtual channel on an ATM port and associate the port with an IPX interface. This allows IPX routing between two IPX interfaces. As with any IPX interface, IPX routing using RIP (the default) will begin when you configure an IPX interface.

    xp(config)# atm create vcl port at.3.1.1.100
    xp(config)# interface create ipx finance address 01234567 peer-address 01234567.00:00:1d:a9:8c:a1 port at.3.1.1.
Service Profile Definition

ATM provides the ability to specify various parameters for each virtual channel. These parameters include traffic parameters which define the bandwidth characteristics and delay guarantees. You can apply a different set of traffic parameters for each virtual channel. This provides network administrators more control of their network resources and more options in connections to accommodate different user needs.
rt-vbr   Real-Time Variable Bit Rate. This service category provides a guaranteed constant bandwidth (specified by the SCR), but also provides for peak bandwidth requirements (specified by the PCR). This service category requires the PCR, SCR, and MBS options and is intended for applications that can accommodate bursty real-time traffic such as compressed voice or video.
pcr      Specifies the Peak Cell Rate, which defines the maximum cell transmission rate.
Applying a Service Profile Definition

To apply a service profile definition to a virtual channel, virtual path, or an ATM port, enter the following command in Configure mode:

Applies a service profile definition.
    atm apply service port

The following is a description of the parameters used to apply a service profile definition:

service   Specifies the name of the service profile definition which you want to apply. The maximum length is 32 characters.
Cell Scrambling

Note: Refer to the SONET chapter in the Command Line Interface Manual for information about cell scrambling on SONET PHY interfaces.

To enable cell scrambling on an ATM port, enter the following command in Configure mode:

Enables cell scrambling on an ATM port.
    atm set port pdh-cell-scramble on|off

The following is a description of the parameters used to enable cell scrambling:

port   Specifies the port, in the format: media.slot.port.
cell-mapping direct|plcp   Specify direct to select direct ATM cell mapping. Specify plcp to select PLCP mapping.

VPI Bit Allocation

The Virtual Path Identifier defines a virtual path, a grouping of virtual channels transmitting across the same physical connection. The actual number of virtual paths and virtual channels available on an ATM port depends upon how many bits are allocated for the VPI and VCI, respectively.
Peer Address Mapping

Peer addresses allow you to specify a certain destination address for a specific virtual channel. This allows you to set the destination address for a virtual channel using the atm set peer-addr command. This way, a virtual channel can be dedicated to handle traffic between two specific devices.

Note: The default interface type is “broadcast.
Note: If the associated virtual channel is in the VC-muxing mode, use virtual peer mapping.

ip-address    Specifies an IP address for the peer. Specify a unicast IP address and netmask value in the following format: a.b.c.d/e. This IP address will be mapped to the VC.
ipx-address   Specifies an IPX address for the peer. Specify an IPX network and node address in the following format: a1b2c3d4.aa:bb:cc:dd:ee:ff.
Displaying ATM Port Information

• Operational Status   Shows whether the VP is passing traffic. Up indicates traffic. Down indicates no traffic.
• Last State Change    Shows the last time the VP went up or down. Time is in seconds relative to system bootup.
• Service Definition   Shows the name of the defined service and its traffic parameters.

To display information about the service definition on an ATM port:

Displays the service definition on an ATM port.
Responses Only indicates that the port will respond but doesn’t generate OAM cells. Requests & Responses indicates that the port will respond and generate OAM cells.

To display information about the port settings on an ATM port:

Displays the port setting configurations on an ATM port.
esf indicates extended super frame and is used for T1 framing. g832 is used for E3 framing. g751 is used for E3 framing.
• VC Mode              Shows the bit allocation for vpi and vci.
• Service Definition   Shows the name of the defined service on the port and its traffic parameters.

The following is an example of the information that is displayed with the command listed above (for a SONET PHY interface):

    xp (atm-show)# port-settings at.8.
ATM Sample Configuration 1

Consider the following network configuration:

[Figure: ATM sample network 1. Labels as they appear in the figure: VLAN B; Subnet 11.1.2.0; 11.1.2.1/24; XP 1; et.1.1; 11.1.100.1/24; at.1.1; 11.1.2.1/24; at.2.1; XP 2; et.2.1; 11.1.1.1/24; VLAN A; Subnet 11.1.1.0]

The network shown consists of two XPs, VLAN A, and VLAN B. Both XPs have an ATM module with two ATM ports. Also both XPs contain a 10/100 TX Ethernet module. XP1 is connected to VLAN A through Ethernet port et.2.
Apply an interface on both Ethernet ports. Creating an interface on an Ethernet port assigns a network IP address and subnet mask on that port.

The following command assigns an IP address of 11.1.1.1/24 on port et.2.1 on xp1:
    xp1 (config)# interface create ip subnetA address-netmask 11.1.1.1/24 port et.2.1
The following command assigns an IP address of 11.1.2.1/24 on port et.1.1 on xp2:
    xp2 (config)# interface create ip subnetB address-netmask 11.1.2.1/24 port et.1.
Applying an ATM Service Profile

After defining a service profile on XP1 and XP2, apply them to the VC connection we created earlier.

The following command line applies the service profile ‘cbr1m’ to the VC (vpi=0, vci=100) on ATM port at.1.1 of XP1:
    xp1(config)# atm apply service cbr1m port at.1.1.0.100
The following command line applies the service profile ‘cbr1m’ to the VC (vpi=0, vci=100) on ATM port at.2.1 of XP2:
    xp2(config)# atm apply service cbr1m port at.2.1.0.
11.1.2.1/24) belongs to the subnet 11.1.2.0. Similarly, VLAN A (connected to IP interface 11.1.1.1/24) belongs to the subnet 11.1.1.0. Creating an IP route allows the interfaces on the ATM ports to act as gateways to any subnet. Traffic from VLAN A reaches the Ethernet port on XP1 and is automatically directed to the gateway address (interface on the ATM port for XP2). Then the traffic travels through the VC and arrives at the Ethernet port connected to VLAN B.
ATM Sample Configuration 2

Consider the following network configuration:

[Figure: ATM sample network 2. Labels as they appear in the figure: Subnet A 10.1.1.X/24; Subnet B 20.1.1.X/24; et 2.4 10.1.1.130/24; et 2.3 20.1.1.130/24; SSR1; at 4.2 30.1.1.127/24 VPI = 0, VCI = 100, CBR, 100 Mbit; 40.1.1.127/24 VPI = 0, VCI = 101, UBR, 20 Mbit; ATM Network; 40.1.1.128/24 VPI = 0, VCI = 101, UBR, 20 Mbit; 30.1.1.128/24 VPI = 0, VCI = 100, CBR, 100 Mbit; at 3.1; SSR2; 50.1.1.130/24; et 5.1; Subnet C 50.1.1.]
bandwidth connection, able to support video conferencing. Subnet B consists of users with less stringent requirements who are mainly concerned with email and server backup type of traffic. As the network administrator, you can accommodate both client groups using only one ATM physical connection. This is accomplished by setting up two VCs on the ATM port, each with its own service profile definition. This example shows how to configure this network.
The following command creates a virtual channel on port at.3.1 with VPI=0 and VCI=100:
    xp2(config)# atm create vcl port at.3.1.0.100
The following command creates a virtual channel on port at.3.1 with VPI=0 and VCI=101:
    xp2(config)# atm create vcl port at.3.1.0.101

Step 3: Configuring an Interface on Each ATM Port

The following command assigns an IP address of 40.1.1.127/24 on port at.4.2.0.101:
    xp1(config)# interface create ip ubrservice address-netmask 40.1.1.
    xp2(config)# atm define service cbrservice srv-cat cbr pcr-kbits 100000

Step 5: Applying an ATM Service Profile

The following command applies the ‘ubrservice’ service profile on at.4.2.0.101:
    xp1(config)# atm apply service ubrservice port at.4.2.0.101
The following command applies the ‘cbrservice’ service profile on at.4.2.0.100:
    xp1(config)# atm apply service cbrservice port at.4.2.0.100
The following command applies the ‘ubrservice’ service profile on at.3.1.0.
Step 8: Apply the IP Policy to the Ethernet Ports

The following command applies the IP policy ‘subnetApolicy’ to port et.2.4:
    xp1(config)# ip-policy subnetAtoCpolicy apply interface subnetA
The following command applies the IP policy ‘subnetBpolicy’ to port et.2.3:
    xp1(config)# ip-policy subnetBtoCpolicy apply interface subnetB

Traffic from Subnet C to Subnet A and Subnet B

Step 9: Create an IP ACL

The following command creates an IP ACL policy for port et.5.
The following command applies the IP policy ‘subnetCtoBpolicy’ to port et.5.1:
    xp2(config)# ip-policy subnetCtoBpolicy apply interface subnetC

All traffic between Subnet A and Subnet C will now travel over the 20 Mbit VCL. Traffic between Subnet B and Subnet C will travel over the 100 Mbit VCL.

ATM Sample Configuration 3

Consider the following network configuration:

[Figure: ATM sample network 3. Labels as they appear in the figure: Router; VLAN A; et.5.1; at.4.3; WAN; et.6.]
Apply an interface on both Ethernet ports. Creating an interface on an Ethernet port assigns a network IP address and subnet mask on that port.

The following command assigns an IP address of 11.1.1.1/24 on port et.5.1:
    xp(config)# interface create ip subnetA address-netmask 11.1.1.1/24 port et.5.1
The following command assigns an IP address of 11.1.2.1/24 on port et.6.2:
    xp(config)# interface create ip subnetB address-netmask 11.1.2.1/24 port et.6.
The following command line associates VLAN B (et.6.2) to the virtual channel with VPI=0 and VCI=101 (at.4.3.0.101):
    xp(config)# vlan add ports et.6.2,at.4.3.0.
The following command line sets an interface name ‘vlanB’ and IP address 11.1.100.2/24 on ATM port at.4.3.0.101:
    xp(config)# interface create ip vlanB address-netmask 11.1.100.2/24 port at.4.3.0.101

Note: Enterasys recommends that you use alphabetic characters when defining interface names—purely numeric interfaces will be interpreted as IP addresses. The XP will display interface names up to 32 characters in length.
ATM Sample Configuration 4

To keep things simple, you prefer to connect all 3 virtual channels to a single interface on the XP, instead of creating a separate interface for each VC. You as the network administrator can accommodate these requirements by using Enterasys’ ability to configure multiple VCs on a single interface. The following steps will lead you through the configuration process on the XP side of the ATM cloud.
The following command line associates VLAN ‘video’ to the virtual channel with VPI=0 and VCI=103:
    xp(config)# vlan add ports at.2.1.0.103 to video

Configure an Interface on an ATM Port

The following command line sets the interface name for the VLAN as ‘atm-video’ and the IP address as 120.131.0.2/24:
    xp(config)# interface create ip atm-video address-netmask 120.131.0.
Chapter 9 Packet-over-SONET Configuration Guide

Overview

This chapter explains how to configure and monitor packet-over-SONET (PoS) on the XP. See the sonet commands section of the Enterasys X-Pedition Command Line Interface Reference Manual for a description of each command. PoS requires installation of the OC-3c or OC-12c PoS line cards in an XP-8000 or an XP-8600. The OC-3c line card has four PoS ports, while the OC-12c line card has two PoS ports. You must use the “so.” prefix for PoS interface ports.
Configuring Packet-over-SONET Links

interface as part of a VLAN for PoS links. You can also configure multiple IP addresses for each interface, as described in Configuring IP Interfaces and Parameters on page 138. When creating the IP interface for a PoS link, you can either specify the peer address if it is known (static address), or allow the peer address to be automatically discovered via IPCP negotiation (dynamic address).
Note: The XP will display VLAN and interface names up to 32 characters in length.

3. If you want to increase the MTU size on a port, specify the parameter mtu with the ‘port set’ command and define a value up to 65442 (octets). See Configuring Jumbo Frames on page 140 for more information.
4. Specify the bit error rate thresholds, if necessary. See Specifying Bit Error Rate Thresholds on page 123 for more information.
5.
Configuring Automatic Protection Switching

IP address and netmask configured for the interface, spanning tree protocol (STP), per-VLAN spanning tree (PVST), etc.

Configuring Working and Protecting Ports

APS on the XP requires configuration of a working port and a corresponding protecting port. You can configure any number of PoS ports. The limit is the number of PoS ports on the XP. Any port on any module can be configured for APS.
Force a switch to the specified port. This command can be applied to either the working or protecting port.
    sonet set protection-switch forced
Manually switch the line to the specified port. This command can be applied to either the working or protecting port.
    sonet set protection-switch manual

Note: You can only specify one option, lockoutprot, forced or manual, for a port.
Specifying Bit Error Rate Thresholds

To specify different BER thresholds, enter the following commands in Enable mode:

Specify signal degrade BER threshold.
    sonet set sd-ber
Specify signal failure BER threshold.
    sonet set sf-ber

Monitoring PoS Ports

To display PoS port configuration information, enter one of the following commands in Enable mode:

Show framing status, line type, and circuit ID of the optical link.
Example Configurations

This section shows example configurations for PoS links.

APS PoS Links Between XPs

The following example shows APS PoS links between two XPs, router A and router B.

[Figure: APS PoS links. Router A: so.7.1 (working), so.7.2 (protecting), interface pos21 20.11.11.21/24. Router B: so.13.1, so.13.2, interface pos11 20.11.11.20/24.]

Note: PPP does not renegotiate when you hot swap a POS card (with APS enabled) or if either end of a connection goes down.
PoS Link Between the XP and a Cisco Router

The following example shows a PoS link between an XP, router A, and a Cisco 12000 series Gigabit Switch Router, router B. The MTU on both routers is configured for the same size of 9216 octets.

[Figure: PoS link. Router A: so.6.1, interface so-1 40.1.1.1/16. Router B: POS1/0.]

The following is the configuration for router A:

    port set so.6.1 mtu 9216
    interface create ip so-1 address-netmask 40.1.1.1/16 port so.6.
The following is the configuration for router A:

    port set so.7.1 mtu 65442
    stp enable port so.7.1
    vlan create v1 port-based id 10
    vlan add ports so.7.1 to v1
    interface create ip int1 address-netmask 1.1.1.1/8 vlan v1
    interface add ip int1 address-netmask 2.1.1.1/8 peer-address 2.1.1.2

The following is the configuration for router B:

    port set so.6.1 mtu 65442
    stp enable port so.6.1
    vlan create v1 port-based id 10
    vlan add ports so.6.1 to v1
    interface create ip int1 address-netmask 1.
Example Configurations 128 Enterasys X-Pedition User Reference Manual
Chapter 10 DHCP Configuration Guide

DHCP Overview

The Dynamic Host Configuration Protocol (DHCP) server on the XP provides dynamic address assignment and configuration to DHCP capable end-user systems, such as Windows 95/98/NT and Apple Macintosh systems. You can configure the server to provide a dynamic IP address from a pre-allocated pool of IP addresses or a static IP address.

Configuring DHCP

By default, the DHCP server is not enabled on the XP. You can selectively enable DHCP service on particular interfaces and not others. To enable DHCP service on an interface, you must first define a DHCP scope. A scope consists of a pool of IP addresses and a set of parameters for a DHCP client. The parameters are used by the client to configure its network environment, for example, the default gateway and DNS domain name.

Table 8. Client Parameters

    Parameter              Value
    dns-server             IP address of DNS server
    gateway                IP address of default gateway
    lease-time             Amount of time the assigned IP address is valid for the system
    netbios-name-server    IP address of NetBIOS Name Server (WINS server)
    netbios-node-type      NetBIOS node type of the client
    netbios-scope          NetBIOS scope of the client

Note: The DHCP server does not currently specify BootP server addresses to requesting clients.

Note: The DHCP server does not process packets that arrive on PPP MLP interfaces.

Configuring DHCP Server Parameters

You can configure several “global” parameters that affect the behavior of the DHCP server itself. To configure global DHCP server parameters, enter the following commands in Configure mode:

Specify a remote location to back up the lease database.
    dhcp global set lease-database

Specify the intervals at which the lease database is updated.

DHCP Configuration Examples

The following configuration describes DHCP configuration for a simple network with just one interface on which DHCP service is enabled to provide both dynamic and static IP addresses.

1. Create an IP VLAN called ‘client_vlan’.
    vlan create client_vlan ip
2. Add all Fast Ethernet ports in the XP to the VLAN ‘client_vlan’.
    vlan add port et.*.* to client_vlan
3. Create an IP interface called ‘clients’ with the address 10.1.1.

10. Specify a database update interval of every 15 minutes.
    dhcp global set commit-interval 15

Configuring Secondary Subnets

In some network environments, multiple logical subnets can be imposed on a single physical segment. These logical subnets are sometimes referred to as “secondary subnets” or “secondary networks.” For these environments, the DHCP server may need to give out addresses on different subnets.

resides on the 10.1.x.x subnet. When all the addresses for ‘scope1’ are assigned, the server will start giving out addresses from ‘scope2’, which will include the default gateway parameter 10.2.1.1 on subnet 10.2.x.x.

Secondary Subnets and Directly-Connected Clients

A directly-connected client is a system that resides on the same physical network as the DHCP server and does not have to go through a router or relay agent to communicate with the server.

8. Include ‘scope2’ in the superscope ‘super1’.
    dhcp scope2 attach superscope super1

For clients on the secondary subnet, the default gateway is 10.2.1.1, which is also the secondary address for the interface ‘clients’.

Interacting with Relay Agents

For clients that are not directly connected to the DHCP server, a relay agent (typically a router) is needed to communicate between the client and the server.
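The scope and superscope behaviour described above (a scope's pool plus its client parameters, static mappings, and fall-through to the next attached scope once a pool is exhausted) can be modelled in a few dozen lines. The following Python is an added example, not code from the manual or from Enterasys; the scope names, address ranges and MAC addresses are constructed, and the attach-order fall-through mirrors the text's description of ‘scope1’ and ‘scope2’ rather than the XP's actual allocator.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Scope:
    """One DHCP scope: a pool of addresses plus the client parameters handed out with them."""
    name: str
    network: ipaddress.IPv4Network
    params: dict                                   # gateway, dns-server, lease-time, ...
    static: dict = field(default_factory=dict)     # MAC -> fixed address for that client
    free: list = field(default_factory=list)       # dynamic pool, filled in below
    leases: dict = field(default_factory=dict)     # MAC -> address currently leased

    def __post_init__(self):
        # Constructed pool: every host address except the gateway and the static ones.
        reserved = {self.params.get("gateway")} | set(self.static.values())
        self.free = [str(h) for h in self.network.hosts() if str(h) not in reserved]


class DhcpServer:
    """Model of scope / superscope address selection, not the XP's implementation."""

    def __init__(self):
        self.scopes = {}
        self.superscopes = {}      # superscope name -> scope names in attach order

    def add_scope(self, scope):
        self.scopes[scope.name] = scope

    def attach(self, scope_name, superscope):
        # Models 'dhcp <scope> attach superscope <name>': scopes are tried in attach order.
        self.superscopes.setdefault(superscope, []).append(scope_name)

    def offer(self, mac, superscope):
        """Return (address, params) for a client, or None when every attached scope is exhausted."""
        for name in self.superscopes.get(superscope, []):
            scope = self.scopes[name]
            if mac in scope.leases:                  # renewal: same address as before
                return scope.leases[mac], scope.params
            if mac in scope.static:                  # static mapping takes precedence over the pool
                scope.leases[mac] = scope.static[mac]
                return scope.static[mac], scope.params
            if scope.free:                           # dynamic address from this scope's pool
                addr = scope.free.pop(0)
                scope.leases[mac] = addr
                return addr, scope.params
        return None                                  # fell through: all scopes exhausted


def build_server():
    """Constructed sample: a small primary scope and a secondary-subnet scope in one superscope."""
    srv = DhcpServer()
    srv.add_scope(Scope("scope1", ipaddress.IPv4Network("10.1.1.0/29"),
                        {"gateway": "10.1.1.1", "dns-server": "10.1.1.1", "lease-time": 3600},
                        static={"00:00:00:00:00:0a": "10.1.1.6"}))
    srv.add_scope(Scope("scope2", ipaddress.IPv4Network("10.2.1.0/30"),
                        {"gateway": "10.2.1.1", "dns-server": "10.1.1.1", "lease-time": 3600}))
    srv.attach("scope1", "super1")
    srv.attach("scope2", "super1")
    return srv


def assign_all(srv, macs, superscope="super1"):
    """Offer an address to each MAC in turn; returns (address, gateway) per client."""
    out = []
    for mac in macs:
        r = srv.offer(mac, superscope)
        out.append(None if r is None else (r[0], r[1]["gateway"]))
    return out


if __name__ == "__main__":
    for row in assign_all(build_server(), ["m1", "m2", "m3", "m4", "m5", "m6"]):
        print(row)
```

With the constructed pools, the first four clients receive 10.1.1.2 to 10.1.1.5 with gateway 10.1.1.1, the fifth falls through to ‘scope2’ and receives 10.2.1.2 with gateway 10.2.1.1, and the sixth gets nothing. The static client is served from ‘scope1’ even after that pool is empty, because static mappings are checked before the pool.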
Chapter 11 IP Routing Configuration Guide

The XP supports standards-based TCP, UDP, and IP. This chapter describes how to configure IP interfaces and general non-protocol-specific routing parameters.

IP Routing Protocols

The XP supports standards-based unicast and multicast routing. Unicast routing protocol support includes Interior Gateway Protocols and Exterior Gateway Protocols. Multicast routing protocols are used to determine how multicast data is transferred in a routed environment.

Note: The X-Pedition does not currently follow "Breaking Ties (Phase2)," Section 9.1.2.1 (p. 37-38) of RFC 1771. Instead, the router follows "Breaking Ties (Phase2)," Section 9.1.2.2 (p. 49-50) of draft-ietf-idr-bgp4-17.

Multicast Routing Protocols

IP multicasting allows a host to send traffic to a subset of all hosts. These hosts subscribe to group membership, thus notifying the XP of participation in a multicast transmission.

Configuring IP Interfaces and Parameters

Configuring IP Interfaces to Ports

You can configure an IP interface directly to a physical port. Each port can be assigned multiple IP addresses representing multiple subnets connected to the physical port. For example, to assign an IP interface ‘RED’ to physical port et.3.4, enter the following:
    xp(config)# interface create ip RED address-netmask 10.50.0.0/255.255.0.0 port et.3.4

To configure a secondary address of 10.23.4.36 with a 24-bit netmask (255.255.255.

Note: When using line cards introduced prior to the “AA” series, SNA/DLC/NetBIOS traffic may not bridge properly. The issue in bridging DLC packets occurs where the length field within an IEEE 802.3 frame indicates less than 46 bytes of data. The X-Pedition removes the length field information of incoming IEEE 802.3, 802.2, and Ethernet SNAP packets, then recalculates the field prior to re-transmission.

    xp(config)# port set gi.3.1 mtu 50022
    xp(config)# port set gi.3.2-8 mtu 65442
    xp(config)# vlan create JUMBO1 ip
    xp(config)# vlan add ports gi.3.1-4 to JUMBO1
    xp(config)# interface create ip int3 address-netmask 10.20.3.

Configuring Address Resolution Protocol (ARP)

The XP allows you to configure Address Resolution Protocol (ARP) table entries and parameters. ARP is used to associate IP addresses with media or MAC addresses. Taking an IP address as input, ARP determines the associated MAC address. Once a media or MAC address is determined, the IP address/media address association is stored in an ARP cache for rapid retrieval.

You can configure the XP to drop packets for hosts whose MAC addresses the XP has been unable to resolve. To enable dropping of packets for hosts with unresolved MAC addresses:
    xp# arp set drop-unresolved enabled

When you enable packets to be dropped for hosts with unresolved MAC addresses, the XP will still attempt to periodically resolve these MAC addresses. By default, the XP sends ARP requests at 30-second intervals to try to resolve up to 50 dropped entries.

Specifying IP Interfaces for RARP

The rarpd set interface command allows you to specify which interfaces the XP’s RARP server responds to when sent RARP requests. You can specify individual interfaces or all interfaces. To cause the XP’s RARP server to respond to RARP requests from interface int1:
    xp(config)# rarpd set interface int1

Defining MAC-to-IP Address Mappings

The rarpd add command allows you to map a MAC address to an IP address for use with RARP.

Note: The XP will display VLAN and interface names up to 32 characters in length.

Configuring DNS Parameters

The XP can be configured to specify DNS servers, which supply name services for DNS requests. You can specify up to three DNS servers. To configure three DNS servers and configure the XP’s DNS domain name to “mrb.com”:
    xp(config)# system set dns server “10.1.2.3 10.2.10.12 10.3.4.5” domain mrb.

To forward UDP broadcast packets received on interface int2 to the host 10.2.48.8 for packets with the destination port 111 (port mapper):
    xp(config)# ip helper-address interface int2 10.2.48.

To allow packets that are destined for the XP, but do not have a service defined for them on the XP, to be processed by the XP’s CPU:
    xp(config)# ip dos disable port-attack-protection

Monitoring IP Parameters

The XP provides display of IP statistics and configurations contained in the routing table. Information displayed provides routing and performance information.

To display additional IP information, enter the following command in Enable mode:

Show ARP table entries.
    arp show all

Show IP interface configuration.
    interface show ip

Show DNS parameters.
    system show dns

Configuring Router Discovery

The router discovery server on the XP periodically sends out router advertisements to announce the existence of the XP to other hosts.

If you want to have only specific addresses included in router advertisements, use the rdisc add address command to specify those addresses. The rdisc set address command lets you specify the type of router advertisement in which the address is included and the preference of the address for use as a default route.

3. The interface on which router advertisement is enabled.
4. Multicast address.
5. Current values for the intervals between the sending of router advertisements and the lifetime of addresses sent in a router advertisement.
6. IP address that is included in router advertisement. The preference of this address as a default route is 0, the default value.
7. Shows configured values for the specified interface.
Chapter 12 VRRP Configuration Guide

VRRP Overview

This chapter explains how to set up and monitor the Virtual Router Redundancy Protocol (VRRP) on the XP. VRRP is defined in RFC 2338. End host systems on a LAN are often configured to send packets to a statically configured default router. If this default router becomes unavailable, all the hosts that use it as their first hop router become isolated on the network. VRRP provides a way to ensure the availability of an end host’s default router.

Configuring VRRP

This section presents three sample VRRP configurations:
• A basic VRRP configuration with one virtual router
• A symmetrical VRRP configuration with two virtual routers
• A multi-backup VRRP configuration with three virtual routers

Basic VRRP Configuration

Figure 8 shows a basic VRRP configuration with a single virtual router. Routers R1 and R2 are both configured with one virtual router (VRID=1). Router R1 serves as the Master and Router R2 serves as the Backup.

• The XP supports only 512 instances of VRRP. An instance is defined as one virtual router running on one interface. Running a single virtual router on four interfaces is considered four instances of VRRP, as is running four virtual routers on a single interface.
• Do not use an IP address for VRRP that is already configured for load-balancing.

Configuration of Router R1

The following is the configuration file for Router R1 in Figure 8.
    1: interface create ip test address-netmask 10.0.

Backup router to respond with an ICMP Echo Response when it is in the Master state. Use the following command to enable ICMP Echo Response:
    ip-redundancy set vrrp interface icmp-response

For more information, see the Enterasys X-Pedition Command Line Interface Reference Manual.

Symmetrical Configuration

Figure 9 shows a VRRP configuration with two routers and two virtual routers. Routers R1 and R2 are both configured with two virtual routers (VRID=1 and VRID=2).

Figure 9. Symmetrical VRRP Configuration

In this configuration, half the hosts use 10.0.0.1/16 as their default route, and half use 10.0.0.2/16. IP address 10.0.0.1/16 is associated with virtual router VRID=1, and IP address 10.0.0.2/16 is associated with virtual router VRID=2. If Router R1, the Master for virtual router VRID=1, goes down, Router R2 would take over the IP address 10.0.0.1/16.

On line 1, Router R2 is made owner of IP address 10.0.0.2/16. Line 5 associates this IP address with virtual router VRID=2, so Router R2 is the Master for virtual router VRID=2. Line 4 associates IP address 10.0.0.1/16 with virtual router VRID=1, making Router R2 the Backup for virtual router VRID=1.

Ping the Backup VRRP Router

When enterprise customers run an XP in a VRRP configuration, the customers may not know if a problem exists with the Backup router.

[Figure 10. Multi-backup VRRP configuration: R1 is Master for VRID=1, 1st Backup for VRID=2 and 1st Backup for VRID=3; R2 is Master for VRID=2, 1st Backup for VRID=1 and 2nd Backup for VRID=3; R3 is Master for VRID=3, 2nd Backup for VRID=1 and 2nd Backup for VRID=2. VRID=1 uses 10.0.0.1/16, VRID=2 uses 10.0.0.2/16 and VRID=3 uses 10.0.0.3/16. Hosts H1 to H6 use 10.0.0.1/16, 10.0.0.2/16 or 10.0.0.3/16 as their default route.]

Configuration of Router R1

The following is the configuration file for Router R1 in Figure 10.
    1: interface create ip test address-netmask 10.0.0.1/16 port et.1.1
    !
    2: ip-redundancy create vrrp 1 interface test
    3: ip-redundancy create vrrp 2 interface test
    4: ip-redundancy create vrrp 3 interface test
    !
    5: ip-redundancy associate vrrp 1 interface test address 10.0.0.1/16
    6: ip-redundancy associate vrrp 2 interface test address 10.0.0.

The following table shows the priorities for each virtual router configured on Router R1.

    Virtual Router                    Default Priority       Configured Priority
    VRID=1 – IP address=10.0.0.1/16   255 (address owner)    255 (address owner)
    VRID=2 – IP address=10.0.0.2/16   100                    200 (see line 8)
    VRID=3 – IP address=10.0.0.3/16   100                    200 (see line 9)

Configuration of Router R2

The following is the configuration file for Router R2 in Figure 10.
    1: interface create ip test address-netmask 10.0.0.2/16 port et.1.

Note: Since 100 is the default priority, line 9, which sets the priority to 100, is actually unnecessary. It is included for illustration purposes only.

Ping the Backup VRRP Router

When enterprise customers run an XP in a VRRP configuration, the customers may not know if a problem exists with the Backup router. As a result, the XP feature set includes the ability to ping the Backup router while the router is in a non-Master state.

The following table shows the priorities for each virtual router configured on Router R3.

    Virtual Router                    Default Priority       Configured Priority
    VRID=1 – IP address=10.0.0.1/16   100                    100 (see line 8)
    VRID=2 – IP address=10.0.0.2/16   100                    100 (see line 9)
    VRID=3 – IP address=10.0.0.3/16   255 (address owner)    255 (address owner)

Note: Since 100 is the default priority, lines 8 and 9, which set the priority to 100, are actually unnecessary.

Using VLANs with VRRP

A natural method of assigning VLAN and VRRP IDs is to start at 1, 10, 100, or something similar and increase incrementally through a numeric range. However, if you assign the configuration to the router using the same sequence of numbers for VLAN IDs as for VRRP IDs, a problem will result. Part of the process of creating VRRP entries is to mark the L2 table entry associated with the VRRP and VLAN permanent in memory to prevent entries from aging out.

increment the ID’s first digit (e.g., 101–105 becomes 201–205). The following example shows the corrected IDs.
    vlan create ip101 id 1101
    vlan create ip102 id 1102
    vlan create ip103 id 1103
    vlan create ip104 id 1104
    vlan create ip105 id 1105
    ...
    interface create ip ip101 address-netmask 10.0.0.100/24 vlan ip101
    interface create ip ip102 address-netmask 10.0.0.101/24 vlan ip102
    interface create ip ip103 address-netmask 10.0.0.102/24 vlan ip103
    interface create ip ip104 address-netmask 10.0.

to prevent VLAN and VRRP IDs from hashing to the same location. To configure hashing to use different locations, change the hash variant to m1.
    vlan create ip0 id 1
    vlan create ip1 id 2
    vlan create ip2 id 3
    vlan create ip3 id 4
    vlan create ip4 id 5
    ...
    interface create ip ip1 address-netmask 10.0.0.100/24 vlan ip1
    interface create ip ip2 address-netmask 10.0.0.101/24 vlan ip2
    interface create ip ip3 address-netmask 10.0.0.102/24 vlan ip3
    interface create ip ip4 address-netmask 10.0.0.

Additional Configuration

This section covers settings you can modify in a VRRP configuration, including backup priority, advertisement interval, pre-empt mode, and authentication key.

Setting the Backup Priority

As described in Multi-Backup Configuration on page 158, you can specify which Backup router takes over when the Master router goes down by setting the priority for the Backup routers.

Setting Pre-empt Mode

When a Master router goes down, the Backup with the highest priority takes over the IP addresses associated with the Master. By default, when the original Master comes back up again, it takes over from the Backup router that assumed its role as Master. When a VRRP router does this, it is said to be in pre-empt mode. Pre-empt mode is enabled by default on the XP. You can prevent a VRRP router from taking over from a lower-priority Master by disabling pre-empt mode.
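The priority tables, the failover roles in Figure 10, and the pre-empt behaviour just described fit a small election model. The Python below is an added example, not Enterasys code and not the XP's VRRP implementation; it uses the R1 and R3 priorities from the tables above, while R2's priorities are constructed to match the roles Figure 10 gives R2 (the page shows R2's configuration only in part). The virtual MAC function follows RFC 2338's 00-00-5E-00-01-{VRID} format and reproduces the 00005E:000164 shown later for virtual router 100. The address owner (priority 255) always resumes Master when it returns, as RFC 2338 requires; pre-empt mode governs every other returning router.

```python
from dataclasses import dataclass

ADDRESS_OWNER = 255      # priority of the router that owns the virtual IP address
DEFAULT_PRIORITY = 100   # default Backup priority


@dataclass(frozen=True)
class Router:
    name: str
    primary_ip: str      # tie-breaker when two routers share a priority (RFC 2338)
    priorities: dict     # vrid -> priority configured on this router


# R1 and R3 from the tables above; R2 constructed to match its roles in Figure 10.
ROUTERS = [
    Router("R1", "10.0.0.1", {1: ADDRESS_OWNER, 2: 200, 3: 200}),
    Router("R2", "10.0.0.2", {1: 200, 2: ADDRESS_OWNER, 3: DEFAULT_PRIORITY}),
    Router("R3", "10.0.0.3", {1: DEFAULT_PRIORITY, 2: DEFAULT_PRIORITY, 3: ADDRESS_OWNER}),
]


def virtual_mac(vrid):
    """RFC 2338 virtual MAC 00-00-5E-00-01-{VRID}, in the form ip-redundancy show prints it."""
    return "00005E:0001%02X" % vrid


def _ip_key(ip):
    return tuple(int(octet) for octet in ip.split("."))


def elect_master(vrid, routers, up):
    """Highest priority among routers that are up; equal priorities go to the higher primary IP."""
    cands = [r for r in routers if r.name in up and vrid in r.priorities]
    if not cands:
        return None
    return max(cands, key=lambda r: (r.priorities[vrid], _ip_key(r.primary_ip))).name


def failover_order(vrid, routers=ROUTERS):
    """Order in which routers take over as Master for vrid as each Master in turn fails."""
    up, order = {r.name for r in routers}, []
    while True:
        m = elect_master(vrid, routers, up)
        if m is None:
            return order
        order.append(m)
        up.remove(m)


class VirtualRouter:
    """Tracks the Master for one VRID as routers go down and come back, honouring pre-empt mode."""

    def __init__(self, vrid, routers=ROUTERS, preempt=True):
        self.vrid = vrid
        self.routers = {r.name: r for r in routers}
        self.preempt = preempt
        self.up = set(self.routers)
        self.master = elect_master(vrid, routers, self.up)

    def router_down(self, name):
        self.up.discard(name)
        if self.master == name:
            self.master = elect_master(self.vrid, self.routers.values(), self.up)

    def router_up(self, name):
        self.up.add(name)
        best = elect_master(self.vrid, self.routers.values(), self.up)
        # The address owner (priority 255) always becomes Master (RFC 2338); any other
        # returning higher-priority router takes over only when pre-empt mode is enabled.
        owner = self.routers[name].priorities.get(self.vrid) == ADDRESS_OWNER
        if self.master is None or self.preempt or owner:
            self.master = best


if __name__ == "__main__":
    for vrid in (1, 2, 3):
        print("VRID=%d %s failover: %s" % (vrid, virtual_mac(vrid), failover_order(vrid)))
```

Running it prints the Master, 1st Backup and 2nd Backup for each VRID exactly as Figure 10 labels them. Creating a VirtualRouter with preempt=False and taking R2 and then R1 down for VRID=2 leaves R3 as Master; bringing R1 back does not displace R3 until R2, the address owner, returns.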
Monitoring VRRP

The XP provides two commands for monitoring a VRRP configuration: ip-redundancy trace, which displays messages when VRRP events occur, and ip-redundancy show, which reports statistics about virtual routers.

ip-redundancy trace

The ip-redundancy trace command is used for troubleshooting purposes. This command causes messages to be displayed when certain VRRP events occur on the XP.

ip-redundancy show

The ip-redundancy show command reports information about a VRRP configuration. To display information about all virtual routers on interface int1:
    xp# ip-redundancy show vrrp interface int1
    VRRP Virtual Router 100 - Interface int1
    -----------------------------------------
    Uptime 0 days, 0 hours, 0 minutes, 17 seconds.

To display VRRP statistics for virtual router 100 on interface int1:
    xp# ip-redundancy show vrrp 1 interface int1 verbose
    VRRP Virtual Router 100 - Interface int1
    -----------------------------------------
    Uptime                0 days, 0 hours, 0 minutes, 17 seconds.
    State                 Backup
    Priority              100 (default value)
    Virtual MAC address   00005E:000164
    Advertise Interval    1 sec(s) (default value)
    Preempt Mode          Enabled (default value)
    Authentication        None (default value)
    Primary Address       10.8.0.2
    Associated Addresses  10.8.

VRRP Configuration Notes

• The XP supports only 512 instances of VRRP. An instance is defined as one virtual router running on one interface. Running a single virtual router on four interfaces is considered four instances of VRRP, as is running four virtual routers on a single interface.
• Do not use an IP address for VRRP that is already configured for load-balancing.
• The Master router sends keep-alive advertisements.
• These MAC addresses, when active, use entries in the port's Routing Address Table (RAT). Since the RAT has eight entries and other resources also use the RAT, the system will limit the number of unique virtual routing IDs to six or fewer on a per port basis.
• If multiple virtual routers are created on a single interface, the virtual routers must have unique identifiers. If virtual routers are created on different interfaces, you can reuse virtual router IDs.
Chapter 13 RIP Configuration Guide

RIP Overview

This chapter describes how to configure the Routing Information Protocol (RIP) on the Enterasys X-Pedition. RIP is a distance-vector routing protocol for use in small networks. RIP is described in RFC 1723. A router running RIP broadcasts updates at set intervals. Each update contains paired values where each pair consists of an IP network address and an integer distance to that network. RIP uses a hop count metric to measure the distance to a destination.

Configuring RIP

Enabling and Disabling RIP

To enable or disable RIP, enter one of the following commands in Configure mode.

Enable RIP.
    rip start

Disable RIP.
    rip stop

Configuring RIP Interfaces

To configure RIP in the XP, you must first add interfaces to inform RIP about attached interfaces. To add RIP interfaces, enter the following commands in Configure mode.

Add interfaces to the RIP process.
    rip add interface

Add gateways from which the XP will accept RIP updates.

    RIP Parameter      Default Value
    Authentication     None
    Update interval    30 seconds

To change RIP parameters, enter the following commands in Configure mode.

Set RIP Version on an interface to RIP V1.
    rip set interface |all version 1

Set RIP Version on an interface to RIP V2.
    rip set interface |all version 2

Specify that RIP V2 packets should be multicast on this interface.

Enable acceptance of RIP routes that have a metric of zero.
    rip set check-zero-metric disable|enable

Enable poison reverse, as specified by RFC 1058.
    rip set poison-reverse disable|enable

Specify the maximum number of RIP routes maintained in the routing information base (RIB). The default is 4.
    rip set max-routes

Disable multipath route calculation for RIP routes.
    rip set multipath off

Note: The XP will display interface names up to 32 characters in length.

Monitoring RIP

To monitor RIP information, enter the following commands in Enable mode.

Show all RIP information.
    rip show all

Show RIP export policies.
    rip show export-policy

Show RIP global information.
    rip show globals

Show RIP import policies.
    rip show import-policy

Show RIP information on the specified interface.
    rip show interface

Show RIP interface policy information.
    rip show interface-policy

Show detailed information of all RIP packets.

Configuration Example

    ! Configure rip on XP-1
    rip add interface XP1-if1
    rip set interface XP1-if1 version 2
    rip start
    !
    !
    ! Set authentication method to md5
    rip set interface XP1-if1 authentication-method md5
    !
    ! Change default metric-in
    rip set interface XP1-if1 metric-in 2
    !
    ! Change default metric-out
    rip set interface XP1-if1 metric-out 3
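The configuration example sets metric-in 2 and metric-out 3 on XP1-if1, and the parameter list above mentions check-zero-metric and poison reverse. The following Python is an added example, not Enterasys code and not the XP's RIP engine: it models how one router processes a received update and builds the update it sends back out, so the effect of those four settings can be seen on concrete routes. The GateD-style defaults (metric-in adds one hop on receipt, metric-out adds nothing on send) and the sample networks and neighbour addresses are assumptions of the model.

```python
from dataclasses import dataclass

INFINITY = 16   # RIP's "unreachable" metric (RFC 1058)


@dataclass
class Route:
    network: str
    next_hop: str       # "direct" for an attached network
    metric: int
    learned_on: str     # interface the update arrived on (None for direct routes)


class RipRouter:
    """Minimal RIP route processor with per-interface metric-in / metric-out,
    check-zero-metric and poison reverse. A model, not the XP's implementation."""

    def __init__(self, check_zero_metric=True, poison_reverse=True):
        self.rib = {}          # network -> Route
        self.ifaces = {}       # interface name -> metric settings
        self.check_zero_metric = check_zero_metric
        self.poison_reverse = poison_reverse

    def add_interface(self, name, network, metric_in=1, metric_out=0):
        # Assumed defaults: +1 hop on receipt (metric-in), +0 on send (metric-out).
        self.ifaces[name] = {"metric_in": metric_in, "metric_out": metric_out}
        self.rib[network] = Route(network, "direct", 1, None)   # attached network, cost 1

    def receive_update(self, iface, sender, entries):
        """entries: list of (network, metric) pairs carried in one update from sender."""
        metric_in = self.ifaces[iface]["metric_in"]
        for network, received in entries:
            if received == 0 and self.check_zero_metric:
                continue                                   # reject bogus zero-metric routes
            metric = min(received + metric_in, INFINITY)
            current = self.rib.get(network)
            if current is not None and current.next_hop == "direct":
                continue                                   # never override an attached network
            if current is not None and current.next_hop == sender:
                # Same neighbour as before: take its latest word, including a withdrawal.
                if metric >= INFINITY:
                    del self.rib[network]
                else:
                    current.metric = metric
            elif metric < INFINITY and (current is None or metric < current.metric):
                self.rib[network] = Route(network, sender, metric, iface)

    def build_update(self, iface):
        """Entries to advertise out iface; routes learned on iface are poisoned (metric 16)."""
        metric_out = self.ifaces[iface]["metric_out"]
        out = []
        for r in self.rib.values():
            if self.poison_reverse and r.learned_on == iface:
                out.append((r.network, INFINITY))
            else:
                out.append((r.network, min(r.metric + metric_out, INFINITY)))
        return sorted(out)


def demo_router():
    """Constructed scenario: XP1-if1 carries metric-in 2 / metric-out 3 as in the example above."""
    r = RipRouter()
    r.add_interface("XP1-if1", "10.0.0.0/16", metric_in=2, metric_out=3)
    r.add_interface("if2", "10.1.0.0/16")
    r.receive_update("XP1-if1", "10.0.0.2", [
        ("192.168.1.0/24", 1),    # installed with metric 1 + 2 = 3
        ("192.168.2.0/24", 0),    # rejected by check-zero-metric
        ("192.168.3.0/24", 16),   # unreachable, never installed
    ])
    return r


if __name__ == "__main__":
    r = demo_router()
    print(r.build_update("XP1-if1"))
    print(r.build_update("if2"))
```

The update sent back out XP1-if1 carries 192.168.1.0/24 with metric 16 (poison reverse) and the two attached networks with metric 1 + 3 = 4, while the update out if2 carries 192.168.1.0/24 at its installed metric 3. A later, cheaper advertisement of the same network from a neighbour on if2 replaces the route, and a metric-16 advertisement from that same neighbour withdraws it.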
Chapter 14 OSPF Configuration Guide

OSPF Overview

Open Shortest Path First Routing (OSPF) is a shortest path first or link-state protocol. The XP supports OSPF Version 2.0, as defined in RFC 1583. OSPF is an interior gateway protocol that distributes routing information between routers in a single autonomous system. OSPF chooses the least-cost path as the best path.

external to OSPF (and usually external to the AS). Routes exported into OSPF ASE as type 1 ASE routes are supposed to be from interior gateway protocols (e.g., RIP) whose external metrics are directly comparable to OSPF metrics. When a routing decision is being made, OSPF will add the internal cost to the AS border router to the external metric. Type 2 ASEs are used for exterior gateway protocols whose metrics are not comparable to OSPF metrics.

Configuring OSPF

Enabling OSPF

OSPF is disabled by default on the XP. To enable or disable OSPF, enter one of the following commands in Configure mode.

Enable OSPF.
    ospf start

Disable OSPF.
    ospf stop

Configuring OSPF Interface Parameters

You can configure the OSPF interface parameters shown in the table below.

Table 9. OSPF Interface Parameters

    OSPF Parameter                           Default Value
    Interface OSPF State (Enable/Disable)    Enable (except for virtual links)
    Cost                                     See Default Cost of an OSPF Interface below.

The following is a table of the port types and the OSPF default cost associated with each type:

Table 10. OSPF Default Cost Per Port Type

    Port Media Type     Speed        OSPF Default Cost
    Ethernet 1000       1000 Mbps    2
    Ethernet 10/100     100 Mbps     20
    Ethernet 10/100     10 Mbps      200
    WAN (T1)            1.5 Mbps     1333
    WAN (T3)            45 Mbps      44

To configure OSPF interface parameters, enter one of the following commands in Configure mode:

Enable OSPF state on interface.
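Two points above lend themselves to a worked example: the default interface costs in Table 10, and the type 1 / type 2 ASE comparison described under the overview. The Python below is an added example, not Enterasys code. The manual gives the cost values but no formula; the 2000 Mbps reference bandwidth in the code is an inference that reproduces every row of Table 10 and is labelled as such. The ASE selection rule (type 1 routes preferred over type 2; type 1 compared on internal plus external cost; type 2 compared on the external metric with the internal cost breaking ties) is taken from RFC 2328 section 16.4, which is the general form of the behaviour the overview describes. The router names and metrics in the sample are constructed.

```python
from dataclasses import dataclass

# Assumption: a 2000 Mbps reference bandwidth divided by the link speed reproduces every
# row of Table 10. The manual states the values, not the formula behind them.
REFERENCE_BANDWIDTH_MBPS = 2000

# Rows of Table 10 as (media type, speed in Mbps).
TABLE_10 = [
    ("Ethernet 1000", 1000),
    ("Ethernet 10/100", 100),
    ("Ethernet 10/100", 10),
    ("WAN (T1)", 1.5),
    ("WAN (T3)", 45),
]


def default_cost(speed_mbps):
    """Default OSPF interface cost for a link of the given speed (truncated, never below 1)."""
    return max(1, int(REFERENCE_BANDWIDTH_MBPS / speed_mbps))


def default_cost_table():
    """(media, speed, cost) for each row of Table 10, for checking against the manual."""
    return [(media, speed, default_cost(speed)) for media, speed in TABLE_10]


def path_cost(link_speeds_mbps):
    """Intra-AS cost of a path is the sum of the outgoing interface costs along it."""
    return sum(default_cost(s) for s in link_speeds_mbps)


@dataclass(frozen=True)
class AseCandidate:
    asbr: str             # AS border router that injected the external route
    ase_type: int         # 1 or 2
    external_metric: int  # metric carried in the AS-external LSA
    cost_to_asbr: int     # this router's intra-AS OSPF cost to reach the ASBR


def ase_sort_key(c):
    """Type 1 beats type 2. Type 1 compares internal + external cost; type 2 compares the
    external metric alone and uses the internal cost only to break ties (RFC 2328, 16.4)."""
    if c.ase_type == 1:
        return (0, c.cost_to_asbr + c.external_metric, 0)
    return (1, c.external_metric, c.cost_to_asbr)


def best_external_route(candidates):
    """Pick the preferred AS-external route among candidates for one destination."""
    return min(candidates, key=ase_sort_key)


if __name__ == "__main__":
    for media, speed, cost in default_cost_table():
        print("%-16s %8s Mbps  cost %d" % (media, speed, cost))
    # Constructed: the same destination reachable through three ASBRs.
    sample = [
        AseCandidate("R2", 2, 50, path_cost([100, 100])),     # type 2, ASBR two 100 Mbps hops away
        AseCandidate("R3", 2, 50, path_cost([1000])),         # type 2, same external metric, nearer
        AseCandidate("R4", 1, 40, path_cost([100, 1.5])),     # type 1, internal 1353 + external 40
    ]
    print("preferred ASBR:", best_external_route(sample).asbr)
```

Among the two type 2 candidates the nearer ASBR (R3) wins because their external metrics tie; once a type 1 candidate is present it is preferred regardless of its larger total, which is exactly why the overview warns that type 1 should only carry metrics comparable to OSPF's own.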
Specify the identifier of the key chain containing the authentication keys.
    ospf set interface |all key-chain

Specify the authentication method to be used on this interface.
    ospf set interface |all authentication-method none|simple|md5

Note: The XP will display interface names up to 32 characters in length.

Configuring an OSPF Area

OSPF areas are a collection of subnets that are grouped in a logical fashion.

Configuring OSPF Area Parameters

The XP allows configuration of various OSPF area parameters, including stub areas, stub cost and authentication method. Information about routes which are external to the OSPF routing domain is not sent into a stub area. Instead, there is a default external route generated by the ABR into the stub area for destinations outside the OSPF routing domain.

To configure virtual links, enter the following commands in the Configure mode.

Create a virtual link.
    ospf add virtual-link neighbor transit-area

Set virtual link parameters.

network. If an IP interface that is using PPP is to be treated as an OSPF broadcast network, then use the type broadcast option of the interface create command.
• Non-Broadcast Multiple Access (NBMA). An example of a NBMA network is a fully-meshed Frame Relay or ATM network with virtual circuits. Because there is no general multicast for these networks, each neighboring router that is reachable over the NBMA network must be specified, so that routers can poll each other.

Monitoring OSPF

To display OSPF information, enter the following commands in Enable mode.

Show IP routing table.
    ip show table routing

Monitor OSPF error conditions.
    ospf monitor errors [destination ]

Show information about all interfaces configured for OSPF.
    ospf monitor interfaces [destination ]

Display link state advertisement information on another router.

Show OSPF statistics.
    ospf show statistics

Show information about OSPF Border Routes.
    ospf show summary-asb

Show OSPF timers.
    ospf show timers

Show OSPF virtual-links.

OSPF Configuration Examples

    ospf add interface 140.1.2.1 to-area 140.1.0.0
    ospf add interface 140.1.3.1 to-area 140.1.0.0
    ospf add interface 130.1.1.1 to-area backbone

Exporting all Interfaces and Static Routes to OSPF

Router R1 has several static routes. We would export these static routes as type-2 OSPF routes. The interface routes would be redistributed as type-1 OSPF routes. You may accomplish this using either of the following examples.

Example 1
1.

Exporting all RIP, Interface, and Static Routes to OSPF

Note: Also export interface, static, RIP, OSPF, and OSPF-ASE routes into RIP.

In the configuration shown in Figure 11 on page 195, RIP Version 2 is configured on the interfaces of routers R1 and R2, attached to the sub-network 120.190.0.0/16. Suppose you would like to redistribute these RIP routes as OSPF type-2 routes and associate the tag 100 with them.

8. Create the Export-Policy for redistributing all interface, RIP and static routes into OSPF.
    ip-router policy export destination ospfExpDstType1 source directExpSrc network all
    ip-router policy export destination ospfExpDstType2 source statExpSrc network all
    ip-router policy export destination ospfExpDstType2t100 source ripExpSrc network all
9. Create a RIP export destination.

To reproduce the result of steps 9-12:
    ip-router policy redistribute from-proto static to-proto rip network all
    ip-router policy redistribute from-proto rip to-proto rip network all
    ip-router policy redistribute from-proto direct to-proto rip network all
    ip-router policy redistribute from-proto ospf to-proto rip network all
    ip-router policy redistribute from-proto ospf-ase to-proto rip network all

[Figure 11. Exporting to OSPF: routers R1, R2, R3, R5, R6, R7, R8, R10, R11, R41 and R42 spread over Area 140.1.0.0, the Backbone, Area 150.20.0.0 and a BGP area. R1 has 140.1.1.1/24, 140.1.2.1/24 and 140.1.3.1/24 in Area 140.1.0.0 and 130.1.1.1/16 in the Backbone; other addresses shown include 140.1.1.2/24 (R41), 140.1.4/24, 140.1.5/24, 190.1.1.1/16, 120.190.1.1/16, 130.1.1.3/16, 160.1.5.2/24, 150.20.3.1/16 (R7), 150.20.3.2/16 (R8) and 202.1.2.2/16 (R11).]
Chapter 15 BGP Configuration Guide

BGP Overview

The Border Gateway Protocol (BGP) is an exterior gateway protocol that allows IP routers to exchange network reachability information. BGP became an internet standard in 1989 (RFC 1105) and the current version, BGP-4, was published in 1994 (RFC 1771). BGP typically runs between Internet Service Providers. It is also frequently used by multi-homed ISP customers and large commercial networks.

Notes:
• BGP management traps are not supported in this release.

such as selectively determining which AS routes are to be accepted or what routes are to be advertised to BGP peers.

The X-Pedition BGP Implementation

The X-Pedition routing protocol implementation is based on GateD 4.0.3 code (http://www.gated.org). GateD is a modular software program consisting of core services, a routing database, and protocol modules supporting multiple routing protocols (RIP versions 1 and 2, OSPF version 2, BGP version 2 through 4, and Integrated IS-IS).

Basic BGP Tasks

Setting the Autonomous System Number

An autonomous system number identifies your autonomous system to other routers. To set the X-Pedition’s autonomous system number, enter the following command in Configure mode.

Set the X-Pedition’s autonomous system number.
    ip-router global set autonomous-system loops

The autonomous-system parameter sets the AS number for the router. Specify a number from 1–65534.

where:

peer-group    Is a group ID, which can be a number or a character string.
type          Specifies the type of BGP group you are adding. You can specify one of the following:
external      In the classic external BGP group, full policy checking is applied to all incoming and outgoing advertisements. The external neighbors must be directly reachable through one of the machine's local interfaces.

Adding and Removing a BGP Peer

There are two ways to add BGP peers to peer groups. You can explicitly add a peer host, or you can add a network. Adding a network allows for peer connections from any addresses in the range of network and mask pairs specified in the bgp add network command. To add BGP peers to BGP peer groups, enter one of the following commands in Configure mode.

Add a host to a BGP peer group.

aspath_term {m,n}    A regular expression followed by {m,n} (where m and n are both non-negative integers and m <= n) means at least m and at most n repetitions.
aspath_term {m}      A regular expression followed by {m} (where m is a positive integer) means exactly m repetitions.
aspath_term {m,}     A regular expression followed by {m,} (where m is a positive integer) means m or more repetitions.
aspath_term *        An AS path term followed by * means zero or more repetitions. This is shorthand for {0,}.

To import all routes (.* matches all AS paths) with the default preference:
    ip-router policy create bgp-import-source allOthers aspath-regular-expression “(.*)” origin any sequencenumber 20
    ip-router policy import source allOthers network all

To export all active routes from 284 or 813 or 814 or 815 or 816 or 3369 or 3561 to autonomous system 64800.
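The quantifier table and the “(.*)” import policy above describe AS-path regular expressions in which each term matches one whole AS number, not a substring of one, which is the property that makes such a policy safe as a route filter. The Python below is an added example, not Enterasys or GateD code: it translates an expression written with the forms the table lists (AS numbers, “.”, grouping, “|”, “*”, “{m}”, “{m,n}”, “{m,}”) into a Python regular expression over a delimited encoding of the path and matches it against whole paths. The sample paths are constructed; the expression syntax beyond what the table lists (for instance how the XP policy for the 284 / 813 / 3561 export would be written) is not reproduced here.

```python
import re

# One token per call: an AS number, ".", grouping, alternation, or a quantifier.
_TOKEN = re.compile(r"\s*(\d+|\.|\(|\)|\||\*|\{\d+(?:,\d*)?\})")


def compile_aspath_regex(expr):
    """Translate a GateD-style AS-path regular expression into a compiled Python regex.

    Every AS-path term is made to match exactly one whole AS number in the encoded
    path, so "28" can never match inside "284" and "3561{2,}" counts whole hops."""
    expr = expr.strip()
    pos, parts = 0, []
    while pos < len(expr):
        m = _TOKEN.match(expr, pos)
        if not m:
            raise ValueError("unexpected character at offset %d in %r" % (pos, expr))
        tok = m.group(1)
        if tok.isdigit():
            parts.append("(?:%s,)" % tok)       # a specific AS number, as one hop
        elif tok == ".":
            parts.append(r"(?:\d+,)")           # any single AS number
        else:
            parts.append(tok)                   # ( ) | * {m} {m,n} {m,} pass straight through
        pos = m.end()
    return re.compile("".join(parts))


def encode_path(as_path):
    """Encode an AS path (list of AS numbers, nearest peer first) as '284,64800,'."""
    return "".join("%d," % asn for asn in as_path)


def aspath_matches(expr, as_path):
    """True when the whole AS path matches expr (anchored at both ends, like a policy term)."""
    return compile_aspath_regex(expr).fullmatch(encode_path(as_path)) is not None


def filter_routes(expr, routes):
    """Return the (prefix, as_path) routes whose AS path matches expr; a constructed import filter."""
    return [(prefix, path) for prefix, path in routes if aspath_matches(expr, path)]


if __name__ == "__main__":
    # Constructed sample routes: (prefix, AS path).
    routes = [
        ("10.0.0.0/8", [284, 64800]),
        ("10.1.0.0/16", [64800, 813]),
        ("10.2.0.0/16", [3561, 3561, 3561]),
        ("10.3.0.0/16", []),
    ]
    for expr in ("(.*)", "284 .*", ".* (284|813|3561)", "3561{2,}"):
        print("%-20s -> %s" % (expr, [p for p, _ in filter_routes(expr, routes)]))
```

“(.*)” matches every path, including the empty path of a locally originated route, which is why the manual uses it for the catch-all import policy; the other expressions show an origin-AS match and a repetition count applied to whole AS numbers. Any character outside the listed syntax raises ValueError rather than silently matching nothing.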
BGP Configuration Examples • If the as-count option is entered for an active BGP session, routes will not be resent to reflect the new setting. To have routes reflect the new setting, you must restart the peer session. To do this: a. Enter Configure mode. b. Negate the command that adds the peer-host to the peer-group. (If this causes the number of peer-hosts in the peer-group to drop to zero, then you must also negate the command that creates the peer group.) c. Exit Configure mode. d.
BGP Configuration Examples parameters). Upon successful completion of the BGP Open negotiations, BGP Update messages containing the BGP routing table can be sent between peers. BGP does not require a periodic refresh of the entire BGP routing table between peers. Only incremental routing changes are exchanged. Therefore, each BGP speaker is required to retain the entire BGP routing table of their peer for the duration of the peer’s connection.
The CLI configuration for router X-Pedition1 is as follows:

interface create ip et.1.1 address-netmask 10.0.0.1/16 port et.1.1
#
# Set the AS of the router
#
ip-router global set autonomous-system 1
#
# Set the router ID
#
ip-router global set router-id 10.0.0.1
#
# Create EBGP peer group pg1w2 for peering with AS 2
#
bgp create peer-group pg1w2 type external autonomous-system 2
#
# Add peer host 10.0.0.2 to group pg1w2
#
bgp add peer-host 10.0.0.
The gated.conf file for router X-Pedition2 is as follows:

autonomoussystem 2 ;
routerid 10.0.0.2 ;
bgp yes {
    group type external peeras 1 {
        peer 10.0.0.1 ;
    };
};

IBGP Configuration Example

Connections between BGP speakers within the same AS are referred to as internal links. A peer in the same AS is an internal peer. Internal BGP is commonly abbreviated IBGP; external BGP is EBGP. An AS that has two or more EBGP peers is referred to as a multihomed AS.
Figure 13 shows a sample BGP configuration that uses the Routing group type.

[Figure 13: diagram of AS-64801 with a Cisco router and X-Pedition routers connected by OSPF and IBGP links; addresses not reproduced]
In this example, OSPF is configured as the IGP in the autonomous system. The following lines in the router X-Pedition6 configuration file configure OSPF:

#
# Create a secondary address for the loopback interface
#
interface add ip lo0 address-netmask 172.23.1.26/30
ospf create area backbone
ospf add interface to-X-Pedition4 to-area backbone
ospf add interface to-X-Pedition1 to-area backbone
#
# This line is necessary because we want CISCO to peer with our loopback
# address.
The following lines on the Cisco router set up IBGP peering with router X-Pedition6.

router bgp 64801
!
! Disable synchronization between BGP and IGP
!
no synchronization
neighbor 172.23.1.26 remote-as 64801
!
! Allow internal BGP sessions to use any operational interface for TCP
! connections
!
neighbor 172.23.1.
Figure 14 illustrates a sample IBGP Internal group configuration.

[Figure 14: diagram of AS-1 with Cisco routers C1 and C2 and two X-Pedition routers; legend: physical link, peering relationship]
The gated.conf file for router X-Pedition1 is as follows:

autonomoussystem 1 ;
routerid 16.122.128.1 ;
bgp yes {
    traceoptions aspath detail packets detail open detail update ;
    group type internal peeras 1 {
        peer 16.122.128.2 ;
        peer 16.122.128.8 ;
        peer 16.122.128.9 ;
    };
};

The CLI configuration for router X-Pedition2 is as follows:

ip-router global set autonomous-system 1
bgp create peer-group int-ibgp-1 type internal autonomous-system 1
bgp add peer-host 16.122.128.
The configuration for router C1 (a Cisco router) is as follows:

router bgp 1
no synchronization
network 16.122.128.0 mask 255.255.255.0
network 17.122.128.0 mask 255.255.255.0
neighbor 16.122.128.1 remote-as 1
neighbor 16.122.128.1 next-hop-self
neighbor 16.122.128.1 soft-reconfiguration inbound
neighbor 16.122.128.2 remote-as 1
neighbor 16.122.128.2 next-hop-self
neighbor 16.122.128.2 soft-reconfiguration inbound
neighbor 16.122.128.9 remote-as 1
neighbor 16.122.128.
EBGP Multihop Configuration Example

EBGP Multihop refers to a configuration where external BGP neighbors are not connected to the same subnet. Such neighbors are logically, but not physically, connected. For example, BGP can be run between external neighbors across non-BGP routers. Some additional configuration is required to indicate that the external peers are not physically attached.
The gated.conf file for router X-Pedition1 is as follows:

autonomoussystem 64800 ;
routerid 0.0.0.1 ;
bgp yes {
    traceoptions state ;
    group type external peeras 64801 {
        peer 18.122.128.2 gateway 16.122.128.3 ;
    };
};
static {
    18.122.0.0 masklen 16 gateway 16.122.128.3 ;
};

The CLI configuration for router X-Pedition2 is as follows:

interface create ip to-R1 address-netmask 16.122.128.3/16 port et.1.1
interface create ip to-R3 address-netmask 17.122.128.3/16 port et.1.
The gated.conf file for router X-Pedition3 is as follows:

static {
    16.122.0.0 masklen 16 gateway 17.122.128.3 ;
};

The CLI configuration for router X-Pedition4 is as follows:

bgp create peer-group ebgp_multihop autonomous-system 64801 type external
bgp add peer-host 18.122.128.2 group ebgp_multihop
!
! Specify the gateway option, which indicates EBGP multihop. Set the
! gateway option to the address of the router that has a route to the
! peer.
!
bgp set peer-host 18.122.128.
Community Attribute Example

The following configuration illustrates the BGP community attribute. Community is specified as one of the parameters in the optional attributes list option of the ip-router policy create command. Figure 15 shows a BGP configuration where the specific community attribute is used. Figure 16 shows a BGP configuration where the well-known community attribute is used.

[Figure 15: diagram of ISP1 (AS-64901) and ISP2 (AS-64902) peering with router R11; addresses not reproduced]
[Figure 16. Sample BGP Configuration (Well-Known Community): diagram of AS-64900 and its X-Pedition routers peering with ISP1 (AS-64901) and ISP2 (AS-64902); legend: physical link, peering relationship, information flow]

The Community attribute can be used in three ways:
1.
In Figure 16, router X-Pedition11 has the following configuration:

#
# Create an optional attribute list with identifier color1 for a community
# attribute (community-id 160 AS 64901)
#
ip-router policy create optional-attributes-list color1 community-id 160 autonomous-system 64901
#
# Create an optional attribute list with identifier color2 for a community
# attribute (community-id 155 AS 64901)
#
ip-router policy create optional-attributes-list color2 community-id 155 autonomou
BGP Configuration Examples communities specified with the optional-attributes-list option are sent in addition to any received in the route or specified with the group.
The specific community consists of the combination of the AS-value and community ID.

• Well-known-community no-export
  Well-known-community no-export is a special community which indicates that the routes associated with this attribute must not be advertised outside a BGP confederation boundary. Since the X-Pedition's implementation does not support Confederations, this boundary is an AS boundary.
Local Preference Examples

There are two methods of specifying the local preference with the bgp set peer-group command:

• Setting the local-pref option. This option can only be used for the internal, routing, and IGP group types and is not designed to be sent outside of the AS.
• Setting the set-pref option, which allows GateD to set the local preference to reflect GateD's own internal preference for the route, as given by the global protocol preference value.
[Figure 17: diagram of AS-64900 (X-Pedition10, X-Pedition11) and AS-64901 (X-Pedition12, X-Pedition13, X-Pedition14) joined by two EBGP links; addresses not reproduced]
Using the local-pref Option

For router X-Pedition12's CLI configuration file, local-pref is set to 194:

bgp set peer-group as901 local-pref 194

For router X-Pedition13, local-pref is set to 204.

bgp set peer-group as901 local-pref 204

Using the set-pref Option

The formula used to compute the local preference is as follows:

Local_Pref = 254 - (global protocol preference for this route) + set-pref metric

Note: A value greater than 254 will be reset to 254.
groups. For example, in Figure 17, routers X-Pedition12, X-Pedition13, and X-Pedition14 use the following in their configuration files:

bgp set peer-group as901 set-pref 100

• If a user does not set the set-pref metric to the same value for all IBGP peer groups upon saving, only the first configured IBGP peer group will become (or remain) functional. All other IBGP peer group hosts are removed from the router until the configuration is compliant.
Figure 18 shows a sample BGP configuration where the MED attribute has been used.

[Figure 18. Sample BGP Configuration (MED Attribute): diagram of AS 64752 (two X-Pedition routers on networks 10.200.12.0/24 and 172.16.200.0/24) peering with router C1 in AS 64751; legend: physical link, peering relationship, information flow]

Routers X-Pedition4 and X-Pedition6 inform router C1 about network 172.16.200.0/24 through External BGP (EBGP).
BGP Configuration Examples Note: Before the router can process and select the correct route based on the MED values received from other BGP peers, users must set the selection process in the active configuration of the router where the peer is defined. To set the selection process, enter one (or both) of the following commands in the configuration, depending on the type of BGP peer configured (i.e.
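A worked illustration of the two local-preference mechanisms (the set-pref formula with its 254 cap) and of the MED comparison that router C1 performs in Figure 18, added here as a Python example; it is not X-Pedition or GateD code. `best_route` applies the standard BGP decision steps (highest LOCAL_PREF, then shortest AS_PATH, then lowest MED compared only between routes from the same neighbouring AS, as in RFC 4271), which is an assumption standing in for the X-Pedition's own selection commands that the text leaves to the configuration. The route values are constructed.

```python
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple

MAX_LOCAL_PREF = 254


def set_pref_local_pref(global_protocol_preference: int, set_pref_metric: int) -> int:
    """Local_Pref = 254 - (global protocol preference) + set-pref metric.

    The manual specifies only the upper bound: anything above 254 becomes 254.
    """
    value = MAX_LOCAL_PREF - global_protocol_preference + set_pref_metric
    return min(value, MAX_LOCAL_PREF)


@dataclass
class BgpRoute:
    prefix: str
    neighbor_as: int              # AS of the peer that advertised the route
    as_path: Tuple[int, ...]
    local_pref: int
    med: int = 0                  # MULTI_EXIT_DISC; lower is preferred


def best_route(candidates: Sequence[BgpRoute]) -> Optional[BgpRoute]:
    """Pick one route for a prefix from several candidates.

    Standard decision order (assumption, see lead-in): LOCAL_PREF, AS_PATH
    length, then MED. MED is only meaningful between routes received from the
    same neighbouring AS, so it is skipped when the candidates come from
    different ASes.
    """
    if not candidates:
        return None
    # Step 1: highest LOCAL_PREF wins.
    top = max(r.local_pref for r in candidates)
    remaining = [r for r in candidates if r.local_pref == top]
    # Step 2: shortest AS_PATH.
    shortest = min(len(r.as_path) for r in remaining)
    remaining = [r for r in remaining if len(r.as_path) == shortest]
    # Step 3: lowest MED, but only when all remaining routes share a neighbour AS.
    if len({r.neighbor_as for r in remaining}) == 1:
        lowest = min(r.med for r in remaining)
        remaining = [r for r in remaining if r.med == lowest]
    # Any further tie: keep the first (oldest) candidate so the choice is stable.
    return remaining[0]


if __name__ == "__main__":
    # Figure 18 scenario (constructed values): X-Pedition4 and X-Pedition6,
    # both in AS 64752, advertise 172.16.200.0/24 to C1 with different MEDs.
    via_xp4 = BgpRoute("172.16.200.0/24", 64752, (64752,), local_pref=100, med=10)
    via_xp6 = BgpRoute("172.16.200.0/24", 64752, (64752,), local_pref=100, med=5)
    print("C1 prefers the route via MED", best_route([via_xp4, via_xp6]).med)
    print("set-pref 100 on a route with protocol preference 170 gives",
          set_pref_local_pref(170, 100))
```

The same-neighbour-AS condition is the edge case worth noticing: two routes with MEDs 100 and 1 from different ASes are not ordered by MED at all, which is why the Figure 18 example places both advertising routers in AS 64752.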
BGP Configuration Examples BGP Load-Sharing Configuration The BGP load-sharing feature is used to connect one External BGP peer (protocol 4 only) using up to four gateways that are statically configured as a gateway list. All prefixes learned from this peer will be installed into the RIB with this active gateway list. The BGP peering session uses all the gateways, so the session will be maintained as long as at least one gateway is reachable.
Sample Configuration 1

The following example depicts a BGP load-sharing configuration with a Cisco router:

[Figure: an X-Pedition router (loopback 6.6.6.6, AS20, WAN interfaces 204.1.1.2 and 205.1.1.2) connected over two WAN links to a Cisco router (loopback 5.5.5.5, AS10, interfaces 204.1.1.1 and 205.1.1.1); diagram not reproduced]

X-Pedition Configuration (the Cisco Router Configuration column is not reproduced here):

port set se.3.1 wan-encapsulation ppp speed 64000
port set se.3.3 wan-encapsulation ppp speed 64000
interface create ip ser1 address-netmask 204.1.1.2 port se.3.
Sample Configuration 2

The following example shows a BGP load-sharing configuration between two X-Pedition routers:

[Figure: X-Pedition router A (loopback 2.2.2.2, AS2000) and X-Pedition router B (loopback 1.1.1.1, AS1000) connected by the links 11.1.1.2/30 to 11.1.1.1/30 and 12.1.1.2/30 to 12.1.1.1/30; diagram not reproduced]

Router A Configuration (the Router B Configuration column is not reproduced here):

xp# system show version
Software Information
  Software Version : E9.1.3.0A
  Copyright        : Copyright (c) 2003 Enterasys Networks
Image Information  : Version E9.1.3.
EBGP Aggregation Example

Figure 19 shows a simple EBGP configuration in which one peer is exporting an aggregated route to its upstream peer and restricting the advertisement of contributing routes to the same peer. The aggregated route is 212.19.192.0/19.

[Figure 19: diagram of two X-Pedition routers, one in AS-64900 and one in AS-64901, peering over the 194.109.86.4/30 link; legend: physical link, peering relationship]
Route Reflection Example

In some ISP networks, the internal BGP mesh becomes quite large, and the IBGP full mesh does not scale well. For such situations, route reflection provides a way to alleviate the need for a full IBGP mesh. In route reflection, the clients peer with the route reflector and exchange routing information with it. In turn, the route reflector passes on (reflects) information between clients.
BGP Configuration Examples In this example, there are two clusters. Router X-Pedition10 is the route reflector for the first cluster and router X-Pedition11 is the route reflector for the second cluster. Router X-Pedition10 has router X-Pedition9 as a client peer and router X-Pedition11 as a non-client peer. The following line in router X-Pedition10’s configuration file causes it to be a route reflector.
The direct routes of router X-Pedition8, i.e. 192.68.11.0/24 in AS64900 (which are redistributed in BGP), do show up in the route table of router X-Pedition14 in AS64902, as shown below:

**********************************************************
* Route Table (FIB) of Router 14                         *
**********************************************************
rtr-14# ip show routes
Destination           Gateway              Owner   Netif
---------------------------------------------------------
10.50.0.0/16          directly connected           en0
127.0.0.0/8           127.0.0.
• If the cluster ID is changed, all BGP sessions with reflector clients will be dropped and restarted.
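The reflection rules behind the client and non-client peers of X-Pedition10 and X-Pedition11, and the cluster-ID loop check that makes changing the cluster ID a session-affecting event, as an added Python model; this is not the X-Pedition's implementation but the RFC 4456 behaviour (route from a non-client is reflected to clients only; route from a client or from EBGP goes to every other peer; an update carrying our own ORIGINATOR_ID or CLUSTER_ID is discarded). Peer names, router IDs and cluster IDs are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Peer:
    name: str
    router_id: str
    kind: str                      # "client", "nonclient" (plain IBGP) or "ebgp"


@dataclass(frozen=True)
class Update:
    prefix: str
    originator_id: Optional[str] = None   # ORIGINATOR_ID, set when first reflected
    cluster_list: Tuple[str, ...] = ()    # CLUSTER_LIST, newest cluster first


def accept_update(update: Update, my_router_id: str, my_cluster_id: str) -> bool:
    """Loop detection on receipt: refuse updates that already passed through us."""
    if update.originator_id == my_router_id:
        return False               # we originated this route into the AS
    if my_cluster_id in update.cluster_list:
        return False               # already reflected by our cluster
    return True


def reflect_targets(source: Peer, peers: List[Peer]) -> List[str]:
    """Names of the peers a best route learned from `source` is advertised to."""
    targets = []
    for p in peers:
        if p.name == source.name:
            continue               # never back to the peer that sent it
        if p.kind == "ebgp":
            targets.append(p.name) # EBGP peers are served as usual
        elif source.kind == "nonclient":
            if p.kind == "client": # non-client routes reach clients only
                targets.append(p.name)
        else:                      # from a client or an EBGP peer: all IBGP peers
            targets.append(p.name)
    return targets


def reflect(update: Update, source: Peer, my_cluster_id: str) -> Update:
    """Attributes added when reflecting an IBGP-learned route onward."""
    originator = update.originator_id or source.router_id
    return Update(update.prefix, originator, (my_cluster_id,) + update.cluster_list)


if __name__ == "__main__":
    # Constructed topology: X-Pedition10 as reflector with client X-Pedition9,
    # non-client X-Pedition11 and one external peer.
    xp9 = Peer("X-Pedition9", "10.0.0.9", "client")
    xp11 = Peer("X-Pedition11", "10.0.0.11", "nonclient")
    ext = Peer("ext", "192.0.2.1", "ebgp")
    print(reflect_targets(xp9, [xp9, xp11, ext]))
    print(reflect(Update("192.68.11.0/24"), xp9, "0.0.0.10"))
```

Because every reflected update carries the reflector's cluster ID in CLUSTER_LIST, a reflector whose cluster ID changes would start treating its own earlier reflections as loops; dropping and restarting the client sessions, as the note above describes, clears that state.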
Chapter 16

Routing Policy Configuration Guide

Route Import and Export Policy Overview

The XP family of routers supports extremely flexible routing policies.
Route Import and Export Policy Overview Preference can be set based on one network interface over another, from one protocol over another, or from one remote gateway over another. Preference may not be used to control the selection of routes within an Interior Gateway Protocol (IGP). This is accomplished automatically by the protocol based on metric. Preference may be used to select routes from the same Exterior Gateway Protocol (EGP) learned from different peers or autonomous systems.
• Route-Filter Import-Source
  This component specifies the source of the imported routes. It can also specify the preference to be associated with the routes imported from this source. The routes to be imported can be identified by their associated attributes:
  • Type of the source protocol (RIP, OSPF, BGP).
  • Source interface or gateway from which the route was received.
  • Source autonomous system from which the route was learned.
The preference associated with the imported routes is inherited unless explicitly specified. If there is no preference specified with a route-filter, then the preference is inherited from the one specified with the import-source. Every protocol (RIP, OSPF, and BGP) has a configurable parameter that specifies the default preference associated with routes imported to that protocol.
In some cases, a combination of the associated attributes can be specified to identify the routes to be exported.

Route-Filter

This component specifies the individual routes which are to be exported or restricted. The metric to be associated with these routes can also be explicitly specified using this component. The metric associated with the exported routes is inherited unless explicitly specified.
Route Import and Export Policy Overview the mask is implied to be the natural mask of the network. In the second, the mask is explicitly specified. In the third, the mask is specified by the number of contiguous one bits. If no optional parameters (exact, refines, or between) are specified, any destination that falls in the range given by the network and mask is matched, so the mask of the destination is ignored. If a natural network is specified, the network, any subnets, and any hosts will be matched.
Aggregate-Source

This component specifies the source of the routes contributing to an aggregate/summarized route. It can also specify the preference to be associated with the contributing routes from this source. This preference can be overridden by explicitly specifying a preference with the route-filter. The routes contributing to an aggregate can be identified by their associated attributes:
• Protocol type (RIP, OSPF, BGP, Static, Direct, Aggregate).
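The route-filter matching rules above (the three network/mask forms, the default range match that ignores the destination's mask, and the exact, refines and between modifiers), the preference inheritance from import-source to route-filter, and the "more specific" test for routes that may contribute to an aggregate, as one added Python example; this is not GateD or X-Pedition code. It assumes classful natural masks (/8, /16, /24 by first octet) for a network given without a mask, that a filter list acts as an allow-list (a route matching no filter is not imported), and that a contributing route must refine the aggregate. The filters and prefixes are constructed.

```python
import ipaddress
from typing import Iterable, List, Optional, Tuple


def natural_mask_len(dotted: str) -> int:
    """Classful (natural) mask length for a network written without a mask."""
    first_octet = int(dotted.split(".")[0])
    if first_octet < 128:
        return 8                  # class A
    if first_octet < 192:
        return 16                 # class B
    return 24                     # class C


def parse_filter_network(spec: str) -> ipaddress.IPv4Network:
    """Accept 'all', 'net', 'net mask' and 'net/len' (the forms the manual lists)."""
    if spec == "all":
        return ipaddress.ip_network("0.0.0.0/0")
    parts = spec.split()
    if len(parts) == 2:                                   # explicit dotted mask
        return ipaddress.ip_network(f"{parts[0]}/{parts[1]}", strict=False)
    if "/" in spec:                                       # number of contiguous one bits
        return ipaddress.ip_network(spec, strict=False)
    return ipaddress.ip_network(f"{spec}/{natural_mask_len(spec)}", strict=False)


def route_filter_matches(spec: str, destination: str, modifier: Optional[str] = None,
                         between: Optional[Tuple[int, int]] = None) -> bool:
    """Does a route-filter entry match a destination prefix?"""
    filt = parse_filter_network(spec)
    dest = ipaddress.ip_network(destination, strict=False)
    # The destination must fall inside the range given by network and mask.
    if dest.network_address not in filt:
        return False
    if modifier is None:          # no modifier: the destination's own mask is ignored
        return True
    if modifier == "exact":       # destination mask must equal the filter mask
        return dest.prefixlen == filt.prefixlen
    if modifier == "refines":     # destination mask must be longer (more specific)
        return dest.prefixlen > filt.prefixlen
    if modifier == "between":     # destination mask length within [lower, upper]
        lower, upper = between
        return lower <= dest.prefixlen <= upper
    raise ValueError(f"unknown route-filter modifier {modifier!r}")


# A filter entry: (spec, modifier, between, preference or None, restrict)
Filter = Tuple[str, Optional[str], Optional[Tuple[int, int]], Optional[int], bool]


def import_preference(source_pref: int, filters: Iterable[Filter], destination: str) -> Optional[int]:
    """Preference a destination receives from an import-source, or None if not imported.

    Filters are tried in order; the first match decides. A restricted match
    rejects the route; a match without its own preference inherits the
    import-source preference. No match at all means the route is not imported.
    """
    for spec, modifier, between, pref, restrict in filters:
        if route_filter_matches(spec, destination, modifier, between):
            if restrict:
                return None
            return pref if pref is not None else source_pref
    return None


def contributing_routes(aggregate: str, routes: Iterable[str]) -> List[str]:
    """Routes that may contribute to an aggregate: they must refine (be more specific than) it."""
    return [r for r in routes if route_filter_matches(aggregate, r, "refines")]


if __name__ == "__main__":
    # Constructed policy: import everything from a peer except the exact 10.51.0.0/16 route.
    filters = [("10.51.0.0/16", "exact", None, None, True), ("all", None, None, None, False)]
    print(import_preference(100, filters, "10.51.0.0/16"))
    print(import_preference(100, filters, "140.1.1.0/24"))
    print(contributing_routes("140.1.0.0/16", ["140.1.1.0/24", "140.1.2.0/24", "140.1.0.0/16"]))
```

The `exact` versus no-modifier distinction is the one that matters when you restrict a route: `("10.51.0.0/16", "exact", ...)` rejects only that prefix, whereas the same entry without a modifier would also swallow every subnet of it.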
Route Import and Export Policy Overview Authentication Methods There are mainly two authentication methods: Simple Password: In this method, an authentication key of up to 8 characters is included in the packet. If this does not match what is expected, the packet is discarded. This method provides little security, as it is possible to learn the authentication key by watching the protocol packets.
Configuring Simple Routing Policies Configuring Simple Routing Policies Simple routing policies provide an efficient way for routing information to be exchanged between routing protocols. The redistribute command can be used to redistribute routes from one routing domain into another routing domain. Redistribution of routes between routing domains is based on route policies. A route policy is a set of conditions based on which routes are redistributed.
redistributed by this command. If all direct routes are to be redistributed, set the network parameter to all. Note that the network parameter is a filter that is used to specify routes that are to be redistributed. To redistribute direct routes, enter one of the following commands in Configure mode:

To redistribute direct routes into RIP.
ip-router policy redistribute from-proto direct to-proto rip network all

To redistribute direct routes into OSPF.
Configuring Simple Routing Policies Redistributing Aggregate Routes The aggregate parameter causes an aggregate route with the specified IP address and subnet mask to be redistributed. Note: The aggregate route must first be created using the aggr-gen command. This command creates a specified aggregate route for routes that match the aggregate. To redistribute aggregate routes, enter one of the following commands in Configure mode: To redistribute aggregate routes into RIP.
ip add route 135.3.3.0/24 gateway 130.1.1.3
!+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
! Configure default routes to the other subnets reachable through R2.
!+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
ip add route 202.1.0.0/16 gateway 120.190.1.2
ip add route 160.1.5.0/24 gateway 120.190.1.
The following configuration commands for router R1:
• Determine the IP address for each interface
• Specify the static routes configured on the router
• Determine its OSPF configuration

!++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
! Create the various IP interfaces.
!++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
interface create ip to-r2 address-netmask 120.190.1.1/16 port et.1.
Configuring Advanced Routing Policies In the configuration shown in Figure 22 on page 260, suppose we decide to run RIP Version 2 on network 120.190.0.0/16, connecting routers R1 and R2. Router R1 would like to export all RIP, interface, and static routes to OSPF.
• Export Sources - This component specifies the source of the exported routes. It can also specify the metric to be associated with the routes exported from this source. The routes to be exported can be identified by their associated attributes, such as protocol type, interface or the gateway from which the route was received, and so on.
• Route Filter - This component provides the means to define a filter for the routes to be distributed.
Creating an Export Destination

To create an export destination, enter one of the following commands in Configure mode:

Create a RIP export destination.
ip-router policy create rip-export-destination

Create an OSPF export destination.
Configuring Advanced Routing Policies After you create one or more building blocks, they are tied together by the ip-router policy import command. To create route import policies, enter the following command in Configure mode: Create an import policy.
Configuring Advanced Routing Policies Creating an Aggregate Route Route aggregation is a method of generating a more general route, given the presence of a specific route. The routing process does not perform any aggregation unless explicitly requested. Aggregate-routes can be constructed from one or more of the following building blocks: • Aggregate-Destination - This component specifies the aggregate/summarized route. It also specifies the attributes associated with the aggregate route.
Configuring Advanced Routing Policies router policy aggr-gen destination source command should be repeated for each . Creating an Aggregate Destination To create an aggregate destination, enter the following command in Configure mode: Create an aggregate destination.
[Figure 21. Exporting to RIP: diagram of router R1 with its neighbours R2, R3, R6, R7, R41 and R42, running RIP v2 towards R41/R42 and RIP V1 towards R3, with a default route towards R2; addresses not reproduced]
The following configuration commands for router R1:
• Determine the IP address for each interface.
• Specify the static routes configured on the router.
• Determine its RIP configuration.

!++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
! Create the various IP interfaces.
!++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
interface create ip to-r2 address-netmask 120.190.1.1/16 port et.1.
Importing a Selected Subset of Routes from One RIP Trusted Gateway

Router R1 has several RIP peers. Router R41 has an interface on the network 10.51.0.0. By default, router R41 advertises network 10.51.0.0/16 in its RIP updates. Router R1 would like to import all routes except the 10.51.0.0/16 route from its peer R41.

1. Add the peer 140.1.1.41 to the list of trusted and source gateways.
rip add source-gateways 140.1.1.41
rip add trusted-gateways 140.1.1.41
2.
Configuring Advanced Routing Policies It is only possible to restrict the importation of OSPF ASE routes when functioning as an AS border router. Like the other interior protocols, preference cannot be used to choose between OSPF ASE routes. That is done by the OSPF costs. Routes that are rejected by policy are stored in the table with a negative preference. For all examples in this section, refer to the configuration shown in Figure 22 on page 260.
[Figure 22. Exporting to OSPF: diagram of OSPF area 140.1.0.0 (R1, R6, R11, R41, R42), the backbone area (R2, R3, R5, R10, with BGP at R2) and area 150.20.0.0 (R7, R8); addresses not reproduced]
The following configuration commands for router R1:
• Determine the IP address for each interface
• Specify the static routes configured on the router
• Determine its OSPF configuration

!++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
! Create the various IP interfaces.
!++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
interface create ip to-r2 address-netmask 120.190.1.1/16 port et.1.
Examples of Export Policies

Example 1: Exporting to RIP

Exporting to RIP is controlled by any of protocol, interface or gateway. If more than one is specified, they are processed from most general (protocol) to most specific (gateway). It is not possible to set metrics for exporting RIP routes into RIP. Attempts to do this are silently ignored. If no export policy is specified, RIP and interface routes are exported into RIP.
ip add route 135.3.1.0/24 gateway 130.1.1.3
ip add route 135.3.2.0/24 gateway 130.1.1.3
ip add route 135.3.3.0/24 gateway 130.1.1.3
!+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
! Configure default routes to the other subnets reachable through R2.
!+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
ip add route 202.1.0.0/16 gateway 120.190.1.2
ip add route 160.1.5.0/24 gateway 120.190.1.
3. Create a RIP export source since we would like to export RIP routes.
ip-router policy create rip-export-source ripExpSrc
4. Create a Direct export source since we would like to export direct/interface routes.
ip-router policy create direct-export-source directExpSrc
5. Create the export-policy redistributing the statically created default route, and all (RIP, Direct) routes into RIP.
Exporting All Static Routes Reachable Over a Given Interface to a Specific RIP-Interface

In this case, router R1 would export/redistribute all static routes accessible through its interface 130.1.1.1 to its RIP-interface 140.1.1.1 only.

1. Create a RIP export destination for interface with address 140.1.1.1, since we intend to change the rip export policy for interface 140.1.1.1
ip-router policy create rip-export-destination ripExpDst141 interface 140.1.1.1
Note:
2.
Configuring Advanced Routing Policies Exporting Aggregate-Routes into RIP In the configuration shown in Figure 21 on page 256, suppose you decide to run RIP Version 1 on network 130.1.0.0/16, connecting routers R1 and R3. Router R1 desires to announce the 140.1.1.0/24 and 140.1.2.0/24 networks to router R3. RIP Version 1 does not carry any information about subnet masks in its packets. Thus it would not be possible to announce the subnets (140.1.1.0/24 and 140.1.2.
8. Create the Export-Policy redistributing all (RIP, Direct) routes and the aggregate route 140.1.0.0/16 into RIP.
ip-router policy export destination ripExpDst130 source aggrExpSrc network 140.1.0.
!++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
! Create the various IP interfaces.
!++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
interface create ip to-r2 address-netmask 120.190.1.1/16 port et.1.2
interface create ip to-r3 address-netmask 130.1.1.1/16 port et.1.3
interface create ip to-r41 address-netmask 140.1.1.1/24 port et.1.4
interface create ip to-r42 address-netmask 140.1.2.1/24 port et.1.
4. Create a Direct export source since we would like to export interface/direct routes.
ip-router policy create direct-export-source directExpSrc
5. Create the Export-Policy for redistributing all interface routes and static routes into OSPF.
6. Create a Static export source.
ip-router policy create static-export-source statExpSrc
7. Create a Direct export source.
ip-router policy create direct-export-source directExpSrc
8. Create the Export-Policy for redistributing all interface, RIP and static routes into OSPF.
Chapter 17

Multicast Routing Configuration Guide

IP Multicast Overview

Multicast routing on the XP is supported through DVMRP and IGMP. IGMP is used to determine host membership on directly attached subnets. DVMRP is used to determine forwarding of multicast traffic between XPs.
IGMP Overview Note: Because DVMRP and PIM-SM run in separate processes on the XP, current IGMP functionality may be used only with DVMRP. PIM-SM must use a separate group of commands called “PIM IGMP.” The XP allows per-interface control of the host query interval and response time. Query interval defines the time between IGMP queries. Response time defines the time the XP will wait for host responses to IGMP queries. The XP can be configured to deny or accept group membership filters.
To configure the IGMP host membership query time interval, enter the following command in Configure mode:

Configure the IGMP host membership query time interval.
igmp set queryinterval

IGMP Response Wait Time

You can configure the XP with a wait time for IGMP Host Membership responses which is different from the default. The wait time you set then applies to all ports on the XP. The default response time is 10 seconds.
DVMRP Overview

L2 Snooping

IGMP L2 snooping allows an XP functioning strictly as a layer-2 switch for a specific VLAN to actively participate in IGMP traffic forwarding. To enable IGMP snooping on a VLAN, use the following command:

igmp enable vlan VLAN_NAME

Note: The igmp start-snooping command must be present for the igmp enable vlan command to function properly. The XP will display VLAN names up to 32 characters in length.

IGMP L2 snooping depends on the presence of an upstream IGMP querier.
DVMRP Overview You can use threshold values and scopes to control internetwork traffic on each DVMRP interface. Threshold values determine whether traffic is either restricted or not restricted to a subnet, site, or region. Scopes define a set of multicast addresses of devices to which the XP can send DVMRP data. Scopes can include only addresses of devices on a company's internal network and cannot include addresses that require the XP to send DVMRP data on the Internet.
automatically with DVMRP. To enable DVMRP on an interface, enter the following command in Configure mode:

Enable DVMRP on an interface.
dvmrp enable interface

Note: The XP will display interface names up to 32 characters in length.

DVMRP Parameters

In order to support backward compatibility, DVMRP neighbor timeout and prune time can be configured on a per-interface basis. The default neighbor timeout is 35 seconds.
TTL < 64     Threshold = 64     Application restricted to a region
TTL < 128    Threshold = 128    Application restricted to a continent
TTL = 255                       Application not restricted

To configure the TTL Threshold, enter the following command in Configure mode:

Configure the TTL Threshold.
dvmrp set interface threshold

TTL thresholding is not always considered useful. There is another approach of a range of multicast addresses for "administrative" scoping.
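A small forwarding-decision model for the two scoping mechanisms just described, added here as a Python example; it is not the X-Pedition's code. It applies the page's rule that a packet whose TTL is below an interface's threshold is not forwarded out of that interface (a TTL equal to the threshold is forwarded, which is an assumption about the boundary case), and models administrative scoping as per-interface boundary ranges in the 239.0.0.0/8 space of RFC 2365, so that groups inside a boundary range never leave the site regardless of TTL. Interface names, thresholds, boundaries and packets are constructed.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List


@dataclass
class MulticastInterface:
    name: str
    threshold: int = 1                              # TTL threshold; 1 forwards everything
    boundaries: List[str] = field(default_factory=list)  # scoped group ranges blocked here


ADMIN_SCOPED = ipaddress.ip_network("239.0.0.0/8")   # RFC 2365 administratively scoped block


def forward_interfaces(ttl: int, group: str, incoming: str,
                       interfaces: List[MulticastInterface]) -> List[str]:
    """Names of the interfaces a multicast packet is forwarded out of.

    The packet arrived on `incoming` (never forwarded back there). Each other
    interface forwards only if the TTL reaches its threshold and the group is
    not inside one of the interface's administrative scope boundaries.
    """
    grp = ipaddress.ip_address(group)
    out = []
    for ifc in interfaces:
        if ifc.name == incoming:
            continue                                # no reflection onto the input interface
        if ttl < ifc.threshold:
            continue                                # TTL too small to cross this threshold
        if any(grp in ipaddress.ip_network(b) for b in ifc.boundaries):
            continue                                # scoped group stops at this boundary
        out.append(ifc.name)
    return out


def is_admin_scoped(group: str) -> bool:
    """True for groups in the administratively scoped range."""
    return ipaddress.ip_address(group) in ADMIN_SCOPED


if __name__ == "__main__":
    # Constructed interfaces following the manual's table: a LAN, a regional
    # link (threshold 64) and a continental link (threshold 128) that is also
    # an administrative scope boundary for the whole 239.0.0.0/8 block.
    ifs = [
        MulticastInterface("lan"),
        MulticastInterface("region", threshold=64),
        MulticastInterface("continent", threshold=128, boundaries=["239.0.0.0/8"]),
    ]
    print(forward_interfaces(100, "224.1.1.1", "lan", ifs))   # crosses the region only
    print(forward_interfaces(200, "239.1.1.1", "lan", ifs))   # scoped: continent blocked
```

The two mechanisms compose: a TTL of 255 lets an unscoped group reach every interface, while a 239.x.x.x group with the same TTL still stops at the boundary, which is why the text calls administrative scoping the alternative to relying on TTL alone.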
Monitoring IGMP & DVMRP

You can monitor IGMP and DVMRP information on the XP. To display IGMP and DVMRP information, enter the following commands from Enable mode.

Show all interfaces running DVMRP. Also shows the neighbors on each interface.
dvmrp show interface

Display DVMRP routing table.
dvmrp show routes

Shows all the interfaces and membership details running IGMP.
igmp show interface

Shows all IGMP group memberships on a port basis.
Protocol Independent Multicast (PIM)

!
! Enable IGMP interfaces.
!
igmp enable interface 10.135.89.10
igmp enable interface 172.1.1.10
igmp enable interface 207.135.122.11
igmp enable interface 207.135.89.64
!
! Set IGMP Query Interval
!
igmp set queryinterval 30
!
! Enable DVMRP
!
dvmrp enable interface 10.135.89.10
dvmrp enable interface 172.1.1.10
dvmrp enable interface 207.135.122.11
dvmrp enable interface 207.135.89.64
dvmrp enable interface 10.40.1.10
!
! Set DVMRP parameters
!
dvmrp set interface 172.
2. Sending "hello" messages to determine neighbor presence and configuration.
3. Sending "join/prune" messages to determine the need to retain multicast route information for a particular group on an interface.
4. Sending "assert" messages to resolve conflicts that occur regarding inbound interfaces.

PIM-SM message types

PIM-SM defines the following message types:
• Hello messages announce the sender's presence to other PIM-SM routers.
Protocol Independent Multicast (PIM) source or RP, each router sends its own assert message—the router with the best metric wins. The other router removes that link from its OIF list for the group. Sparse Mode In contrast to dense multicast routing protocols like DVMRP and PIM Dense Mode which flood traffic across every link and prune back unnecessary paths (i.e., the Flood and Prune model), PIM Sparse Mode follows the Explicit Join model.
Protocol Independent Multicast (PIM) The Shortest Path Tree When a receiver's DR wants to receive traffic directly from the source, the DR sends (S,G) join messages upstream toward the source, not the RP. This will create an SPT. (S,G) prune messages sent in the same manner indicate that the leaf router has no more active listeners for the source. In PIM-SM's source-specific mode (SSM), joins and prunes are always (S,G)—since there is no RP or shared tree, routers always send joins toward the source.
Configuration & Limitations
Routing Tables
PIM-SM is protocol independent: it does not run a routing protocol of its own. It takes the active routes in the unicast routing table to determine the incoming interface (IIF), but it may use those routes only once they have been made available to multicast routing protocols. For this reason, gated now maintains two routing information bases (RIBs), one unicast and one multicast.
Protocol Independent Multicast (PIM) Reconfiguration This release does not support the use of GenIDs, a mechanism used to let neighboring routers know that the router rebooted. Upon receiving a new GenID, a router should retransmit certain information related to its current state and RP-set. Future releases will support GenID.
Example 1
The following example demonstrates how to configure three routers that use different routing protocols (RIPv2, OSPF, and BGP) as the underlying method to provide route information for PIM-SM. One of the servers is attached directly to the RP (which is also configured as the BSR in the network). Note: To perform RPF checks to the IP address of the server, you must enable PIM-SM on the server's network. Figure 23.
Protocol Independent Multicast (PIM) Static Routes Static route information is made available to PIM-SM through the “unicast-rib” and “multicastrib” keywords. By default, a static route is available only to the unicast RIB; however, if you use the multicast-rib keyword, the static route is used only in the multicast RIB. To use the static route for both unicast and multicast route lookups, use both keywords as depicted in the following example: xp(config)# ip add route default gateway 135.1.1.
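The split between the unicast RIB and the multicast RIB, and the static-route keywords that decide which RIB a route lands in, matter because PIM-SM's RPF check consults only the multicast RIB. The following Python model, an added example that is not taken from the manual or from the XP software, shows a route present only in the unicast RIB failing the RPF check until it is also installed in the multicast RIB. The routes, interface names and addresses are constructed; the unicast_rib / multicast_rib flags stand in for the CLI's unicast-rib and multicast-rib keywords and do not reproduce the CLI.

```python
"""Added example (Python, not from the Enterasys manual): a small model of
the two RIBs the text describes, a unicast RIB and a multicast RIB, and
the RPF check PIM-SM performs against the multicast RIB only. Routes,
interface names and addresses are constructed; the unicast_rib /
multicast_rib flags stand in for the XP's 'unicast-rib' and
'multicast-rib' keywords and do not reproduce the CLI."""
import ipaddress


class Rib:
    """Longest-prefix-match table: prefix -> (next hop, outgoing interface)."""

    def __init__(self):
        self.routes = {}

    def add(self, prefix, nexthop, iface):
        self.routes[ipaddress.ip_network(prefix)] = (nexthop, iface)

    def lookup(self, addr):
        addr = ipaddress.ip_address(addr)
        best = None
        for net, entry in self.routes.items():
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, entry)
        return None if best is None else best[1]


class Router:
    def __init__(self):
        self.unicast = Rib()
        self.multicast = Rib()

    def add_static(self, prefix, gateway, iface, unicast_rib=True, multicast_rib=False):
        """A static route is installed only in the RIB(s) named for it; with no
        keyword it goes to the unicast RIB alone, as the text states."""
        if unicast_rib:
            self.unicast.add(prefix, gateway, iface)
        if multicast_rib:
            self.multicast.add(prefix, gateway, iface)

    def rpf_check(self, source, arrival_iface):
        """Reverse-path-forwarding check for a multicast packet from `source`
        that arrived on `arrival_iface`. Only the multicast RIB is consulted,
        so a route that exists solely in the unicast RIB cannot pass."""
        entry = self.multicast.lookup(source)
        if entry is None:
            return False, "no multicast RIB route to source"
        _, iif = entry
        if iif != arrival_iface:
            return False, f"expected IIF {iif}, packet arrived on {arrival_iface}"
        return True, f"IIF {iif}"


def demo():
    """Constructed scenario: a default route left in the unicast RIB only,
    then a more specific route installed in both RIBs."""
    r = Router()
    r.add_static("0.0.0.0/0", "135.1.1.25", "toR5")
    before = r.rpf_check("136.1.1.100", "toR5")
    r.add_static("136.1.1.0/24", "135.1.1.25", "toR5",
                 unicast_rib=True, multicast_rib=True)
    after = r.rpf_check("136.1.1.100", "toR5")
    wrong_iface = r.rpf_check("136.1.1.100", "toR4")
    return before[0], after[0], wrong_iface[0]


if __name__ == "__main__":
    print(demo())  # (False, True, False)
```

The practical consequence is the one the text warns about: a working unicast path to a source is not enough for multicast to flow, and a silent RPF failure on a router whose routes were never imported into the multicast RIB looks, from the receiver's side, like a missing source.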
Protocol Independent Multicast (PIM) RIPv2 RIP routes must be imported into the multicast RIB using the ip-router policy. To create this policy, use the ip-router policy create rip-import-source unicast multicast command. To apply the policy, use the ip-router policy import source network all command.
R6:
interface create ip toR4 address-netmask 135.1.1.30/30 port et.5.8
interface create ip i137 address-netmask 137.1.1.2/24 port et.5.7
interface add ip lo0 address-netmask 6.6.6.
OSPF
In order for OSPF to make its routes available to PIM-SM, you must enter the ospf set ase-defaults multicast command in the configuration. The following examples are taken from the configuration files for the routers used in Figure 23 on page 285.
R4:
interface create ip toR5 address-netmask 135.1.1.25/30 port et.2.5
interface create ip toR6 address-netmask 135.1.1.29/30 port et.2.6
interface add ip lo0 address-netmask 4.4.4.4/32
ospf create area 0.0.0.
R6:
interface create ip toR4 address-netmask 135.1.1.30/30 port et.5.8
interface create ip i137 address-netmask 137.1.1.2/24 port et.5.7
interface add ip lo0 address-netmask 6.6.6.6/32
ip-router policy redistribute from-proto static to-proto ospf
ip-router policy redistribute from-proto direct to-proto ospf
ospf create area 0.0.0.255
ospf add interface toR4 to-area 0.0.0.255
ospf add stub-host 6.6.6.6 to-area 0.0.0.
Protocol Independent Multicast (PIM) BGP To configure BGP to populate the multicast RIB, you must create an import policy for the peer AS. This is similar to RIP, but you must associate an AS number with the import source. To create the import source policy, use the ip-router policy create bgp-import-source unicast multicast autonomous-system command, then apply the policy with the ip-router policy import source network all command. The following examples show R4 in AS3, and R5 in AS2.
R5:
interface create ip iserver address-netmask 136.1.1.1/24 port et.2.5
interface create ip toR4 address-netmask 135.1.1.26/30 port et.2.4
interface add ip lo0 address-netmask 5.5.5.5/32
ip-router global set autonomous-system 2
ip-router global set router-id 5.5.5.
The RIB as seen from R4:
R4# ip-router show rib
Routing Tables:
Destinations: 9  Routes: 9  Holddown: 0  Delete: 15  Hidden: 0
Codes: Network - Destination Network Address
       U - Unicast Status:   + = Best Route, - = Last Active, * = Both
       M - Multicast Status: + = Best Route, - = Last Active, * = Both
       Src - Source of the route: Ag - Aggregate, B - BGP derived, C - Connected,
             R - RIP derived, St - Static, O - OSPF derived, OE - OSPF ASE derived, D - Default
       Next hop - Gateway for th
The RIB as seen from R5:
R5# ip-router show rib
Routing Tables:
Destinations: 9  Routes: 9  Holddown: 0  Delete: 19  Hidden: 0
Codes: Network - Destination Network Address
       U - Unicast Status:   + = Best Route, - = Last Active, * = Both
       M - Multicast Status: + = Best Route, - = Last Active, * = Both
       Src - Source of the route: Ag - Aggregate, B - BGP derived, C - Connected,
             R - RIP derived, St - Static, O - OSPF derived, OE - OSPF ASE derived, D - Default
       Next hop - Gateway for th
Protocol Independent Multicast (PIM) Example 2 This example demonstrates some options for configuring the PIM DR, BSR address, CRP address, and static RPs. The configuration for the routers in the following diagram are listed below. Figure 24.
R1 configuration:
interface create ip toR3 address-netmask 135.1.1.1/30 port et.1.3
interface create ip toR4 address-netmask 135.1.1.5/30 port et.1.4
interface create ip toR2 address-netmask 135.1.1.9/30 port et.1.2
interface create ip i139 address-netmask 139.1.1.1/24 port et.4.8
interface add ip lo0 address-netmask 1.1.1.1/32
ip-router policy redistribute from-proto direct to-proto ospf
ospf create area 0.0.0.255
ospf add interface toR3 to-area 0.0.0.
R3 configuration:
interface create ip toR5 address-netmask 135.1.1.21/30 port et.2.5
interface create ip toR4 address-netmask 135.1.1.13/30 port et.2.4
interface create ip toR1 address-netmask 135.1.1.2/30 port et.2.1
interface create ip musers address-netmask 100.1.1.1/24 port et.2.8
interface add ip lo0 address-netmask 3.3.3.3/32
ip-router global set router-id 3.3.3.3
ip-router policy redistribute from-proto direct to-proto ospf
ospf create area 0.0.0.
R5 configuration:
interface create ip iserver address-netmask 136.1.1.1/24 port et.2.5
interface create ip toR4 address-netmask 135.1.1.26/30 port et.2.4
interface create ip toR3 address-netmask 135.1.1.22/30 port et.2.3
interface add ip lo0 address-netmask 5.5.5.5/32
ip-router global set router-id 5.5.5.5
ospf create area 0.0.0.255
ospf add stub-host 5.5.5.5 to-area 0.0.0.255 cost 5
ospf add interface iserver to-area 0.0.0.255
ospf add interface toR4 to-area 0.0.0.
Protocol Independent Multicast (PIM) PIM DR The XP supports the PIM Hello packet priority option which, by default, carries an advertised priority of 1. If all PIM-SM routers sharing a subnet use the priority option in the Hello packet, the router with the highest priority will win the DR election. In the case of a tie, the router with the highest IP address becomes the DR. To set the hello priority for an interface, use the pim sparse set interface hello-priority command.
Using the configuration listed for R1 above, the neighbor table shows:
R1# pim show neighbor all
PIM Neighbors:
Neighbor Address : 135.1.1.2, Interface : toR3
  Component : R1, Uptime : 52:26s, Expires : 1:43s soon
  Hello Priority : 1 (DR)
Neighbor Address : 135.1.1.1, Interface : toR3
  Component : R1, Uptime : 52:27s, Expires : never
  Hello Priority : 1
Neighbor Address : 135.1.1.
The output displayed in the previous screen indicates that R1 is not the DR for any of the subnets listed. In the following configuration, the priority is increased for R1 to make it the DR on the 135.1.1.0/30 network (the network between R1 and R3).
R1# configure
R1(config)# pim sparse set interface toR3 hello-priority 10
R1(config)# save startup
Are you sure you want to overwrite the Startup configuration [no]? y
There are non-committed configuration changes.
R1 configuration after setting the hello priority:
interface create ip toR3 address-netmask 135.1.1.1/30 port et.1.3
interface create ip toR4 address-netmask 135.1.1.5/30 port et.1.4
interface create ip toR2 address-netmask 135.1.1.9/30 port et.1.2
interface create ip i139 address-netmask 139.1.1.1/24 port et.4.8
interface add ip lo0 address-netmask 1.1.1.1/32
ip-router policy redistribute from-proto direct to-proto ospf
ospf create area 0.0.0.
No matter which command is used, you must enter another line in the configuration to set the priority:
pim sparse set component R5 bsr-priority 5
The current BSR status will appear as follows:
R5# pim show bsr
PIM-SM Bootstrap Routers:
Component  State    CBSR-Pri  CBSR-Addr        Elected-Pri  Elected-Addr
---------  -------  --------  ---------------  -----------  ---------------
R5         Elected  5         135.1.1.26       5            135.1.1.
In the following example, R5 and R1 are configured to be candidate RPs. The pim show crp command displays the CRP status and pim show rp-set displays the RP set that the BSR is advertising.
View from R5
R5# pim show crp
PIM-SM Candidate-RPs:
Candidate RPs for R5 (135.1.1.26) pri 0 holdtime: 2:30
  224/4 pri: 0
R5# pim show rp-set
PIM-SM RP-Set:
comp R5:
  Group: 224/4
  Dependencies:
  Candidate RPs:
    135.1.1.1: pri: 0 age: 16s expires-in: 2:15s
    135.1.1.
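Both elections described above, the DR election on a subnet (hello-priority, then highest IP address on a tie) and the candidate-BSR election (bsr-priority, then highest address), follow the same rule. The Python below is an added example, not code from the manual or the XP, that implements that rule and reproduces the R1/R3 link from the neighbor table earlier in this section: with both routers at the default priority of 1, R3 (135.1.1.2) wins; after R1 raises its priority to 10 it becomes the DR. One assumption is drawn from the text's condition that all routers on the subnet must use the priority option: if any neighbor's Hello omits it, priority is ignored and the address alone decides. The neighbor and candidate records are constructed, and the pim show output formats are not reproduced.

```python
"""Added example (Python, not from the Enterasys manual): PIM-SM Designated
Router and Bootstrap Router election as the text describes them. Highest
advertised priority wins and the highest IP address breaks a tie. The
records below are constructed. Assumption taken from the text's 'if all
routers use the priority option': when any neighbor's Hello omits the
option, the priority is ignored and the address alone decides the DR."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

DEFAULT_HELLO_PRIORITY = 1  # the XP's default advertised priority


@dataclass(frozen=True)
class Candidate:
    address: str
    priority: Optional[int] = DEFAULT_HELLO_PRIORITY  # None: option absent


def _addr(c):
    return ipaddress.ip_address(c.address)


def elect_dr(neighbors):
    """Return the DR address for one subnet; `neighbors` includes this
    router's own interface address and advertised priority."""
    if any(n.priority is None for n in neighbors):
        # Assumption (see lead-in): not every router sent the priority
        # option, so fall back to address-only election.
        return max(neighbors, key=_addr).address
    return max(neighbors, key=lambda n: (n.priority, _addr(n))).address


def elect_bsr(candidates):
    """Candidate-BSR election: highest bsr-priority, then highest address."""
    return max(candidates, key=lambda c: (c.priority or 0, _addr(c))).address


def r1_r3_link():
    """The manual's 135.1.1.0/30 link between R1 (135.1.1.1) and R3
    (135.1.1.2), before and after R1 sets hello-priority 10."""
    before = elect_dr([Candidate("135.1.1.1"), Candidate("135.1.1.2")])
    after = elect_dr([Candidate("135.1.1.1", 10), Candidate("135.1.1.2")])
    return before, after


if __name__ == "__main__":
    print(r1_r3_link())  # ('135.1.1.2', '135.1.1.1')
```

The same rule is why a rogue or misconfigured host that speaks PIM on a shared subnet can take the DR role simply by advertising a high priority; PIM Hellos are unauthenticated, so the hello-priority setting should be treated as a cooperative tie-breaker among trusted routers rather than a control.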
Protocol Independent Multicast (PIM) Static RPs Configuring static RPs allows users to configure an RP set that cannot change dynamically for a particular domain. When using static RPs, the domain does not require users to configure a candidate RP or BSR. Every router retains a copy of the RP set as it appears in the configuration file—the RP set cannot change except through alterations to the configuration.
Protocol Independent Multicast (PIM) Example 3 (*,G) Joins Typically, a (*,G) join is created by an IGMP client attached to a router. In the following example, CLIENT3 connects to R3 and will send an IGMP Join to the router. When CLIENT3 sends a membership report for a particular group, the router will see the IGMP Join and create (*,G) state. To improve the readability of these tables, the configuration of R3 will change slightly.
Now CLIENT 3 joins the 239.1.1.1 group:
R3# pim show route
PIM Routes:
FLAGS: R - RPT  W - WC  S - SPT  N - Neg cache  J - Reject  E - Expanded  X - External
       P - Pending  C - Changing  U - Null IIF  T - switching  D - Delete  L - Local
ROUTES for R3
Source/Mask        Group/Mask         Flags  IIF    OIFs
-----------------  -----------------  -----  -----  ------
0.0.0.0/0          239.1.1.1/32       W      toR5   musers
The 0.0.0.
(S,G) Joins: The XP creates an (S,G) join when it wants to join a specific source sending to a multicast group. This scenario typically indicates that multicast data is flowing through the network. The pim show routes and multicast show mfc commands will reflect this state.
Protocol Independent Multicast (PIM) Multiple Clients Joining Now that one client can see the multicast data, CLIENT 2 should also be able to request the stream. R2 will request the traffic when it receives an IGMP Join request.
After receiving the join, the view from R4:
R4# pim show route
PIM Routes:
FLAGS: R - RPT  W - WC  S - SPT  N - Neg cache  J - Reject  E - Expanded  X - External
       P - Pending  C - Changing  U - Null IIF  T - switching  D - Delete  L - Local
ROUTES for R4
Source/Mask        Group/Mask         Flags  IIF
-----------------  -----------------  -----  -----
0.0.0.0/0          239.1.1.1/32       W      toR5
136.1.1.100/32     239.1.1.
Chapter 18 IP Policy-Based Forwarding Configuration Guide Overview You can configure the XP to route IP packets according to policies that you define. IP policy-based routing allows network managers to engineer traffic to make the most efficient use of their network resources. IP policies forward packets based on Layer-3 or Layer-4 IP header information.
Configuring IP Policies For example, you can set up an IP policy to send packets originating from a certain network through a firewall, while letting other packets bypass the firewall. Sites that have multiple Internet service providers can use IP policies to assign user groups to particular ISPs. You can also create IP policies to select service providers based on various traffic types.
Configuring IP Policies For example, the following command creates an IP policy called “p1” and specifies that packets matching profile “prof1” are forwarded to next-hop gateway 10.10.10.10: xp(config)# ip-policy p1 permit acl prof1 next-hop-list 10.10.10.10 You can also set up a policy to prevent packets from being forwarded by an IP policy.
Configuring IP Policies Setting Load Distribution for Next-Hop Gateways You can specify up to four next-hop gateways in an ip-policy statement. If you specify more than one next-hop gateway, you can use the ip-policy set command to control how the load is distributed among them and to check the availability of the next-hop gateways. Note: To ensure that a gateway for policy-based routing is available, use the ip-policy set command and enable the pinger task.
IP Policy Configuration Examples IP Policy Configuration Examples This section presents some examples of IP policy configurations. The following uses of IP policies are demonstrated: • Routing traffic to different ISPs • Prioritizing service to customers • Authenticating users through a firewall • Firewall load balancing Routing Traffic to Different ISPs Sites that have multiple Internet service providers can create IP policies that cause different user groups to use different ISPs.
The following is the IP policy configuration for the Policy Router in Figure 25:
interface create ip user-a address-netmask 10.50.1.1/16 port et.1.1
interface create ip user-b address-netmask 11.50.1.1/16 port et.1.2
acl user-a-http permit ip 10.50.0.0/16 207.31.0.0/16 any http 0
acl user-a permit ip 10.50.0.0/16 207.31.0.0/16 any any 0
acl user-b permit ip 11.50.0.0/16 any any any 0
ip-policy net-a permit acl user-a-http next-hop-list 100.1.1.
Traffic from the standard customer always uses one gateway (200.1.1.1). If that gateway is not available, packets from the standard customer are dropped. The following is the IP policy configuration for the Policy Router in Figure 26:
interface create ip premium-customer address-netmask 10.50.1.1/16 port et.1.1
interface create ip standard-customer address-netmask 11.50.1.1/16 port et.1.2
acl premium-customer permit ip 10.50.0.
The following is the IP policy configuration for the Policy Router in Figure 27:
interface create ip mls0 address-netmask 10.50.1.1/16 port et.1.1
acl contractors permit ip 10.50.1.0/24 any any any 0
acl full-timers permit ip 10.50.2.0/24 any any any 0
ip-policy access permit acl contractors next-hop-list 11.1.1.1 action policy-only
ip-policy access permit acl full-timers next-hop-list 12.1.1.
The following is the configuration for Policy Router 1 in Figure 28.
vlan create firewall
vlan add ports et.1.(1-5) to firewall
interface create ip firewall address-netmask 1.1.1.5/16 vlan firewall
acl firewall permit ip any any any 0
ip-policy p1 permit acl firewall next-hop-list "1.1.1.1 1.1.1.2 1.1.1.3 1.1.1.4" action policy-only
ip-policy p1 set load-policy ip-hash both
ip-policy p1 apply interface mls1
The following is the configuration for Policy Router 2 in Figure 28.
Monitoring IP Policies
For example, to display information about an active IP policy called "p1", enter the following command in Enable mode:
xp# ip-policy show policy-name p1
--------------------------------------------------------------------------------
IP Policy name     : p1                (1)
Applied Interfaces : int1              (2)
Load Policy        : first available   (3)
 (4)   (5)              (6)             (7)      (8)      (9)  (10)
ACL    Source IP/Mask   Dest. IP/Mask   SrcPort  DstPort  TOS  Prot
-----  ---------------  --------------  -------  -------  ---  ----
prof1  9.1.1.5/32       15.1.1.
Monitoring IP Policies 12. The rule to apply to the packets matching the profile: either permit or deny 13. The name of the profile (ACL) of the packets to be forwarded using an IP policy. 14. The number of packets that have matched the profile since the IP policy was applied (or since the ip-policy clear command was last used) 15. The method by which IP policies are applied with respect to dynamic or statically configured routes; possible values are Policy First, Policy Only, or Policy Last. 16.
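The pieces of an IP policy described in this chapter (an ACL profile matched on Layer-3/4 header fields, a next-hop-list of up to four gateways whose reachability comes from the pinger task, the load policy that picks among them, and the policy-first / policy-only / policy-last action) fit together as one evaluation per packet. The Python below is an added example, not code from the manual or the XP, that models that evaluation and shows the behaviour the firewall load-balancing and standard-customer examples above rely on: ip-hash both keeps one flow on one firewall, and policy-only drops the packet when its only gateway is down. Packets, ACLs and gateway addresses are constructed. The meaning of the three actions is assumed from their names (policy-only never falls back to the routing table, policy-first falls back when no gateway is up, policy-last tries the routing table first), and CRC-32 stands in for the XP's undocumented hash.

```python
"""Added example (Python, not from the Enterasys manual): a model of IP
policy evaluation as this chapter describes it. Packets, ACLs and gateway
addresses are constructed. Assumptions: action semantics are taken from
the action names, and CRC-32 stands in for the XP's hash function."""
import ipaddress
import zlib

MAX_NEXT_HOPS = 4  # the chapter's limit per ip-policy statement


class Acl:
    """Profile matching a packet; 'any' matches everything for that field."""

    def __init__(self, src="any", dst="any", sport="any", dport="any", proto="any"):
        self.spec = dict(src=src, dst=dst, sport=sport, dport=dport, proto=proto)

    def matches(self, pkt):
        for field, want in self.spec.items():
            if want == "any":
                continue
            if field in ("src", "dst"):
                if ipaddress.ip_address(pkt[field]) not in ipaddress.ip_network(want):
                    return False
            elif pkt[field] != want:
                return False
        return True


class IpPolicy:
    def __init__(self, load_policy="first-available"):
        self.rules = []
        self.load_policy = load_policy
        self.reachable = set()  # gateways the pinger task currently reports up

    def add(self, rule, acl, next_hops=(), action="policy-first"):
        if len(next_hops) > MAX_NEXT_HOPS:
            raise ValueError("at most four next-hop gateways per statement")
        self.rules.append((rule, acl, list(next_hops), action))

    def _pick_gateway(self, next_hops, pkt):
        alive = [g for g in next_hops if g in self.reachable]
        if not alive:
            return None
        if self.load_policy == "first-available":
            return alive[0]
        if self.load_policy == "ip-hash-both":  # hash source and destination
            h = zlib.crc32(f"{pkt['src']}>{pkt['dst']}".encode())
            return alive[h % len(alive)]
        raise ValueError(self.load_policy)

    def forward(self, pkt, route_lookup):
        """Return the next hop for `pkt`, or None when it is dropped.
        `route_lookup(pkt)` is the ordinary routing-table lookup."""
        for rule, acl, hops, action in self.rules:
            if not acl.matches(pkt):
                continue
            if rule == "deny":  # excluded from policy routing
                return route_lookup(pkt)
            if action == "policy-last":
                via_table = route_lookup(pkt)
                return via_table if via_table is not None else self._pick_gateway(hops, pkt)
            gw = self._pick_gateway(hops, pkt)
            if gw is not None:
                return gw
            return None if action == "policy-only" else route_lookup(pkt)
        return route_lookup(pkt)


def firewall_example():
    """Constructed: the chapter's four-firewall next-hop-list with ip-hash
    both; the same src/dst pair must always land on the same firewall."""
    p1 = IpPolicy(load_policy="ip-hash-both")
    p1.add("permit", Acl(), ["1.1.1.1", "1.1.1.2", "1.1.1.3", "1.1.1.4"], "policy-only")
    p1.reachable = {"1.1.1.1", "1.1.1.2", "1.1.1.3", "1.1.1.4"}
    pkt = dict(src="10.50.1.7", dst="207.31.4.4", sport=40000, dport=80, proto="tcp")
    first = p1.forward(pkt, lambda _: "routing-table")
    return first, p1.forward(pkt, lambda _: "routing-table") == first
```

Two points worth checking in a real deployment follow from the model: with policy-first, a failed gateway silently sends traffic that was meant to pass through a firewall down the ordinary route, so policy-only (and the pinger task) is the right choice when the gateway is a security control; and a deny rule does not drop traffic, it only exempts it from policy routing.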
Chapter 19 Network Address Translation Configuration Guide Overview Note: Some commands in this facility require updated XP hardware. NAT interfaces do not currently support VRRP. Network Address Translation (NAT) allows an IP address used within one network to be translated into a different IP address used within another network. NAT is often used to map addresses used in a private, local intranet to one or more addresses used in the public, global Internet.
Overview traffic from any port. When running this configuration, it is suggested that NAT secure-plus is enabled (nat set secure-plus on) in order to increase security and prevent private address leaks. For more information, please reference RFC 1579 (“Firewall-Friendly FTP”).
Configuring NAT The XP allows you to create the following NAT address bindings: • Static, one-to-one binding of inside, local address or address pool to outside, global address or address pool. A static address binding does not expire until the command that defines the binding is negated. IP addresses defined for static bindings cannot be reassigned. For static address bindings, PAT allows TCP or UDP port numbers to be translated along with the IP addresses.
Forcing Flows through NAT
Setting NAT Rules
Static
You create NAT static bindings by entering the following command in Configure mode.
Enable NAT with static address binding.   nat create static protocol ip|tcp|udp local-ip global-ip [local-port |any] [global-port |any]
Dynamic
You create NAT dynamic bindings by entering the following command in Configure mode.
Enable NAT with dynamic address binding.
Managing Dynamic Bindings
As mentioned previously, dynamic address bindings expire only after a period of non-use or when they are manually deleted. The default timeout for dynamic address bindings is 1440 minutes (24 hours).
NAT and ICMP Packets The default timeout for DNS dynamic address bindings is 30 minutes. You can change this timeout by entering the following command in Configure mode: Specify the timeout for DNS bindings.
NAT and VRRP
NAT interfaces do not currently support VRRP.
Monitoring NAT
To display NAT information, enter the following command in Enable mode.
Display NAT information.   nat show [translations all|] [timeouts] [statistics]
Configuration Examples
This section shows examples of NAT configurations.
Next, define the interfaces to be NAT "inside" or "outside":
nat set interface 10-net inside
nat set interface 192-net outside
Then, define the NAT static rules:
nat create static protocol ip local-ip 10.1.1.2 global-ip 192.50.20.2
Using Static NAT
Static NAT is used when the local and global IP addresses are to be bound in a fixed manner. These bindings are never removed and never time out until the static NAT command itself is negated.
The first step is to create the interfaces:
interface create ip 10-net address-netmask 10.1.1.1/24 port et.2.1
interface create ip 192-net address-netmask 192.50.20.1/24 port et.2.2
Next, define the interfaces to be NAT "inside" or "outside":
nat set interface 10-net inside
nat set interface 192-net outside
Then, define the NAT dynamic rules by first creating the source ACL pool and then configuring the dynamic bindings:
acl lcl permit ip 10.1.1.
Dynamic NAT with IP Overload (PAT) Configuration
The following example configures a dynamic address binding for inside addresses 10.1.1.0/24 to the outside pool 192.50.20.0/24:
[Figure: Outbound: translate source pool 10.1.1.0/24 to global pool 192.50.20.1-192.50.20.3. Hosts 10.1.1.2, 10.1.1.3 and 10.1.1.4 on IP network 10.1.1.0/24 attach to port et.2.1, interface 10-net (10.1.1.1/24); port et.2.2, interface 192-net, faces the global Internet.]
are created; the administrator sets the pools and the XP automatically chooses a free global IP from the global pool for each local IP. Dynamic bindings are removed when the flow count goes to zero or the timeout has been reached. Removing a binding frees its port on that global address, and the port becomes available for reuse. When all the ports for a global are used, ports are assigned from the next free global. If no more ports and globals are available, the packets are dropped.
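The PAT behaviour just described, a global picked from the pool, its ports handed out until it is exhausted, then the next free global, and a drop once nothing is left, together with binding removal on a zero flow count or on timeout, is modelled in the Python below. This is an added example, not code from the manual or the XP; the pool, port range and timeout are constructed and deliberately tiny so that exhaustion is reached in a handful of flows, and sequential port allocation is an assumption (the XP's allocation order is not documented here).

```python
"""Added example (Python, not from the Enterasys manual): a model of the
dynamic NAT binding table with IP overload (PAT) as the text describes it.
Pool, port range and timeout are constructed; sequential port allocation
is an assumption about an order the manual does not state."""
import ipaddress


class PatTable:
    def __init__(self, global_pool, port_range=(1024, 65535), timeout_s=1440 * 60):
        self.globals = [str(a) for a in ipaddress.ip_network(global_pool).hosts()]
        self.first_port, self.last_port = port_range
        self.timeout_s = timeout_s  # the manual's default is 1440 minutes
        self.bindings = {}  # (local_ip, local_port, proto) -> binding dict
        self.ports_in_use = {g: set() for g in self.globals}

    def _allocate(self, now):
        """First free port on the first global that still has one; None when
        every port on every global is taken."""
        for g in self.globals:
            for port in range(self.first_port, self.last_port + 1):
                if port not in self.ports_in_use[g]:
                    self.ports_in_use[g].add(port)
                    return {"global_ip": g, "global_port": port, "flows": 0, "last_used": now}
        return None

    def _release(self, key):
        b = self.bindings.pop(key)
        self.ports_in_use[b["global_ip"]].discard(b["global_port"])

    def expire(self, now):
        """Remove bindings idle for longer than the timeout."""
        stale = [k for k, b in self.bindings.items() if now - b["last_used"] > self.timeout_s]
        for key in stale:
            self._release(key)

    def translate(self, local_ip, local_port, proto, now):
        """Outbound packet: return (global_ip, global_port), or None if dropped."""
        self.expire(now)
        key = (local_ip, local_port, proto)
        b = self.bindings.get(key)
        if b is None:
            b = self._allocate(now)
            if b is None:
                return None  # no ports and no globals left
            self.bindings[key] = b
        b["flows"] += 1
        b["last_used"] = now
        return b["global_ip"], b["global_port"]

    def flow_closed(self, local_ip, local_port, proto):
        """A flow using the binding ended; drop the binding at zero flows."""
        key = (local_ip, local_port, proto)
        b = self.bindings[key]
        b["flows"] -= 1
        if b["flows"] == 0:
            self._release(key)


def exhaustion_demo():
    """Constructed: two globals with two ports each, so the fifth distinct
    inside flow is dropped."""
    t = PatTable("192.50.20.0/30", port_range=(1024, 1025), timeout_s=60)
    return [t.translate(f"10.1.1.{i}", 40000, "tcp", now=0) for i in range(2, 7)]
```

Port exhaustion is the failure mode to plan for: the model drops silently, exactly as the text says the XP does, so a global pool sized for address count rather than concurrent flows shows up as intermittent connection failures rather than an error, and the nat show statistics counters are the place to look.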
Configuration Examples Using Dynamic NAT with DNS When a client from outside sends a query to the static global IP address of the DNS server, NAT will translate the global IP address to the local IP address of the DNS server. The DNS server will resolve the query and respond with a reply. The reply can include the local IP address of a host inside the local network (for example, 10.1.1.2); this local IP address will be translated by NAT into a global IP address (for example, 192.50.20.
Then, define the NAT dynamic rules by first creating the source ACL pool and then configuring the dynamic bindings:
acl lcl permit ip 10.1.1.1/24
nat create dynamic local-acl-pool lcl global-pool 192.50.20.1/24 matching-if 192-net
nat create dynamic local-acl-pool lcl global-pool 210.50.20.
Chapter 20 Web Hosting Configuration Guide Overview Accessing information on websites for both work or personal purposes is becoming a normal practice for an increasing number of people. For many companies, fast and efficient web access is important for both external customers who need to access the company websites, as well as for users on the corporate intranet who need to access Internet websites.
Load Balancing Load Balancing You can use the load balancing feature on the X-Pedition to distribute session load across a group of servers. If you configure the X-Pedition to provide load balancing, client requests that go through the X-Pedition can be redirected to any one of several predefined hosts. With load balancing, clients access servers through a virtual IP.
Load Balancing Adding Servers to the Load Balancing Group Once a logical server group is created, you specify the servers that can handle client requests. When the X-Pedition receives a client request directed to the virtual server address, it redirects the request to the actual server address and port. Server selection is done according to the specified policy. To add servers to the server group, enter the following command in Configure mode: Add load balancing servers to a specific server group.
Load Balancing • SSL persistence: a binding is determined by matching the source IP address and the virtual destination IP/port address. Note that requests from any source socket with the client IP address are considered part of the same session. For example, requests from the client IP address of 134.141.176.10:1024 or 134.141.176.10:1025 to the virtual destination address 207.135.89.
Load Balancing session, the source IP address can change to one of several sequential addresses in the translation pool; the netmask allows client requests to be sent to the same server. Optional Group or Server Operating Parameters There are several commands you can specify that affect the operating parameters of individual servers or the entire group of load balancing servers.
Load Balancing Verifying Servers and Applications The X-Pedition automatically performs the following types of verification for the attached load balancing servers/applications: • Verifies the state of the server by sending a ping to the server at 5-second intervals. If the X-Pedition does not receive a reply from a server after four ping requests, the server is considered to be “down.
Load Balancing Verifying Extended Content You can also have the X-Pedition verify the content of an application on one or more load balancing servers. For this type of verification, you specify the following: • A string that the X-Pedition sends to a single server or to the group of load balancing servers. The string can be a simple HTTP command to get a specific HTML page. Or, it can be a command to execute a user-defined CGI script that tests the operation of the application.
Load Balancing Setting Server Status It may become necessary at times to prevent new sessions from being directed to one or more load balancing servers. For example, if you need to perform maintenance tasks on a server system, you might want new sessions to temporarily not be directed to that server. Setting the status of a server to “down” prevents new sessions from being directed to that server. The “down” status does not affect any current sessions on the server.
Load Balancing Setting Timeouts for Load Balancing Mappings A mapping between a host (source) and a load-balancing server (destination) times out after a certain period. After the mapping times out, any server in the load balancing group can be selected. The default timeouts depend upon the session persistence level configured when the load balance group is created. You can specify the timeout for source-destination load balancing mappings.
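The persistence levels and the mapping timeout above determine which requests the X-Pedition treats as one session. The Python below is an added example, not code from the manual or the X-Pedition, that turns a client request into a persistence key the way the text describes: SSL persistence keys on the client IP plus the virtual destination IP/port and ignores the client's source port, and netmask persistence first masks the client address so that a client whose source address moves within a translation pool keeps its server. Server selection for a new or expired key is plain round robin, a constructed stand-in for whatever policy the group is configured with; the servers, virtual IP and timeout value are constructed.

```python
"""Added example (Python, not from the Enterasys manual): persistence keys
and mapping timeouts for a load-balancing group as the text describes
them. Servers, VIP, timeout and the round-robin stand-in are constructed."""
import ipaddress
import itertools


class LoadBalanceGroup:
    def __init__(self, vip, vport, servers, persistence="ssl",
                 netmask="255.255.255.255", timeout_s=300):
        self.vip, self.vport = vip, vport
        self.persistence, self.netmask, self.timeout_s = persistence, netmask, timeout_s
        self._rr = itertools.cycle(servers)  # stand-in for the group's policy
        self.mappings = {}  # persistence key -> [server, last_used]

    def _key(self, client_ip, client_port):
        if self.persistence == "ssl":
            # Any source socket from this client IP is the same session.
            return (client_ip, self.vip, self.vport)
        if self.persistence == "netmask":
            net = ipaddress.ip_network(f"{client_ip}/{self.netmask}", strict=False)
            return (str(net.network_address), self.vip, self.vport)
        raise ValueError(self.persistence)

    def select(self, client_ip, client_port, now):
        """Return the real server for this request, honouring an unexpired
        mapping and otherwise choosing afresh and recording the choice."""
        key = self._key(client_ip, client_port)
        m = self.mappings.get(key)
        if m is not None and now - m[1] <= self.timeout_s:
            m[1] = now  # refresh the mapping's last-use time
            return m[0]
        server = next(self._rr)  # expired or new: any server may be selected
        self.mappings[key] = [server, now]
        return server


def ssl_demo():
    """Constructed: two clients, one of which changes source port, then a
    request that arrives after the mapping has timed out."""
    g = LoadBalanceGroup("207.135.89.1", 443, ["10.1.1.1", "10.1.1.2"])
    a = g.select("134.141.176.10", 1024, now=0)
    b = g.select("134.141.176.10", 1025, now=1)     # same client, new port
    c = g.select("134.141.176.11", 1024, now=2)     # different client
    d = g.select("134.141.176.10", 1026, now=1000)  # mapping timed out
    return a, b, c, d
```

Netmask persistence is the setting to reach for when clients sit behind a NAT pool whose source address changes per connection; the cost is that everyone inside that mask is pinned to one server, which is worth remembering when the mask is widened to cover a large proxy farm.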
Load Balancing Configuration Examples This section shows examples of load balancing configurations. Web Hosting with One Virtual Group and Multiple Destination Servers In the following example, a company web site is established with a URL of www.enterasys.com. The system administrator configures the networks so that the X-Pedition forwards web requests among four separate servers, as shown below. Web requests forwarded to one of the servers 10.1.1.1 Internet Router Web requests to www.enterasys.
Load Balancing The read-till-index option is not necessary if the file test.html contains “OK” as the first two characters. The read-till-index option is helpful if the exact index of the acv-reply string in the file is not known to the user. In the above example, the X-Pedition will search from the beginning of the file up to the 25th character for the start of the string “OK.
Load Balancing closure of the connection. The following command shows an example of how to send a specific string to close a connection on a server: load-balance set group-options quick-smtp acv-quit “quit” Virtual IP Address Ranges ISPs who provide web hosting services for their clients require a large number of virtual IP addresses (VIPs). The load-balance create vip-range-name and load-balance add host-to-viprange commands were created specifically for this.
The network shown in the previous example can be created with the following load-balance commands:
load-balance create vip-range-name mywwwrange 207.135.89.16-207.135.89.50 virtual-port 80 protocol tcp
load-balance add host-to-vip-range 10.1.1.16-10.1.1.50 vip-range-name mywwwrange port 80
load-balance add host-to-vip-range 10.1.2.16-10.1.2.50 vip-range-name mywwwrange port 80
Session and Netmask Persistence
In the following example, traffic to a company web site (www.enterasys.
Web Caching Web Caching Web caching provides a way to store frequently accessed Web objects on a cache of local servers. Each HTTP request is transparently redirected by the X-Pedition to a configured cache server. When a user first accesses a Web object, that object is stored on a cache server. Each subsequent request for the object uses this cached object.
Web Caching Specifying the Client(s) for the Cache Group (Optional) You can explicitly specify the hosts whose HTTP requests are or are not redirected to the cache servers. If you do not explicitly specify these hosts, then all HTTP requests are redirected to the cache servers. To specify the clients or non-clients for the cache group, enter the following commands in Configure mode: Define hosts whose requests are redirected to cache servers.
Configuration Example
In the following example, a cache group of seven local servers is configured to store Web objects for users in the local network:
[Figure: cache group Cache1 behind router interface ip1, which faces the global Internet. Server list s1: 176.89.10.50, 176.89.10.51, 176.89.10.52, 176.89.10.53, 176.89.10. Server list s2: 186.89.10.51, 186.89.10.55.]
Web Caching Bypassing Cache Servers Some Web sites require source IP address authentication for user access, therefore HTTP requests for these sites cannot be redirected to the cache servers. To specify the sites for which HTTP requests are not redirected to the cache servers, enter the following command in Configure mode: Define destination sites to which HTTP requests are sent directly.
Monitoring Web-Caching
To display Web-caching information, enter the following commands in Enable mode.
Show information for all caching policies and all server lists.   web-cache show all
Show caching policy information.   web-cache show cache-name |all
Show cache server information.
Chapter 21 IPX Routing Configuration Guide
IPX Routing Overview
The Internetwork Packet Exchange (IPX) is a connectionless datagram protocol for the Novell NetWare environment. You can configure the XP for IPX routing and SAP. Routers interconnect different network segments and are by definition network-layer devices, so a router receives its instructions for forwarding a packet from one segment to another from a network-layer protocol. IPX, with the help of RIP and SAP, performs these network-layer tasks.
IPX Routing Overview RIP (Routing Information Protocol) IPX routers use RIP to create and dynamically maintain a database of internetwork routing information. RIP allows a router to exchange routing information with a neighboring router. As a router becomes aware of any change in the internetwork layout, this information is immediately broadcast to any neighboring routers. Routers also send periodic RIP broadcast packets containing all routing information known to the router.
Configuring IPX RIP & SAP
This section provides an overview of configuring various IPX parameters and setting up IPX interfaces.
IPX RIP
On the XP, RIP automatically runs on all IPX interfaces. The XP keeps multiple routes to the same network, preferring those with the lowest tick count and hop count. Static routes can be configured on the XP with the CLI's ipx add route command. Through the use of RIP filters, the XP can control the acceptance and advertisement of networks per interface.
Configuring IPX Interfaces and Parameters This section provides an overview of configuring various IPX parameters and setting up IPX interfaces. Configuring IPX Addresses to Ports You can configure one IPX interface directly to a physical port. To configure an IPX interface to a port, enter the following command in Configure mode: Configure an IPX interface to a physical port.
Specifying IPX Encapsulation Method The Enterasys X-Pedition supports four encapsulation types for IPX. You can configure the encapsulation type on a per-interface basis.
• Ethernet II: The standard ARPA Ethernet Version 2.0 encapsulation, which uses a 16-bit protocol type code (the default encapsulation method)
• 802.3 SNAP: SNAP IEEE 802.3 encapsulation, in which the type code becomes the frame length for the IEEE 802.
Configuring IPX Routing By default, IPX routing is enabled on the XP. Enabling IPX RIP IPX RIP is enabled by default on the XP. You must first create an IPX interface or assign an IPX interface to a VLAN before RIP will start learning routes. Note: The XP supports a maximum of 120 RIP interfaces. Enabling SAP IPX SAP is enabled by default on the XP. You must first create an IPX interface or assign an IPX interface to a VLAN before SAP will start learning services.
Controlling Access to IPX Networks To control access to IPX networks, you create access control lists and then apply them with filters to individual interfaces. The XP supports the following IPX access lists that you can use to filter various kinds of traffic: Note: You may not apply ACLs to interface EN0 of the control module.
Creating an IPX SAP Access Control List IPX SAP access control lists control which SAP services are available on a server. To create an IPX SAP access control list, enter the following command in Configure mode: Create an IPX SAP access control list.
acl permit|deny ipxsap
Once an IPX SAP access control list has been created, you must apply the access control list to an IPX interface.
Creating an IPX RIP Access Control List IPX RIP access control lists control which RIP updates are allowed. To create an IPX RIP access control list, enter the following command in Configure mode: Create an IPX RIP access control list.
acl permit|deny ipxrip
Once an IPX RIP access control list has been created, you must apply the access control list to an IPX interface.
Monitoring an IPX Network The XP reports IPX interface information and RIP or SAP routing information. To display IPX information, enter the following commands in Enable mode:
Show a RIP entry in the IPX RIP table.
ipx find rip
Show a SAP entry in the IPX SAP table.
ipx find sap
Show IPX interface information.
ipx show interfaces
Show IPX RIP table.
ipx show tables rip
Show IPX routing table.
Configuration Examples
!
!Add static sap
ipx add sap 0004 FILESERVER1 9.03:04:05:06:07:08 452 1 AAAAAAAA
!
!RIP Access List
acl 100 deny ipxrip 1 2
!
!RIP inbound filter
acl 100 apply interface ipx1 input
!
!SAP Access List
acl 200 deny ipxsap A.
Chapter 22 Access Control List Configuration Guide This chapter explains how to configure and use Access Control Lists (ACLs) on the XP. ACLs are lists of selection criteria for specific types of packets. When used in conjunction with certain XP functions, ACLs allow you to restrict Layer-3/4 traffic going through the router. This chapter contains the following sections: • ACL Basics on page 370 explains how ACLs are defined and how the XP evaluates them.
ACL Basics An ACL consists of one or more rules describing a particular type of IP or IPX traffic. ACLs can be simple, consisting of only one rule, or complicated with many rules. Each rule tells the XP to either permit or deny packets that match selection criteria specified in the rule. Each ACL is identified by a name. The name can be a meaningful string, such as denyftp or noweb, or it can be a number such as 100 or 101.
The following syntax description shows the fields of an IPX ACL rule:
acl permit|deny ipx
Each field in an ACL rule is position sensitive. For example, for a TCP traffic rule, the source address must be followed by the destination address, the source socket, the destination socket, and so on. Not all fields of an ACL rule need to be specified.
If you were to reverse the order of the two rules:
acl 101 permit tcp any any any any
acl 101 deny tcp 10.2.0.0/16 any any any
all TCP packets would be allowed to go through, including traffic from subnet 10.2.0.0/16. This is because TCP traffic coming from 10.2.0.0/16 would match the first rule and be allowed to go through. The second rule would not be looked at, since the first match determines the action taken on the packet.
If a packet comes in from a network other than 10.1.20.0/24, you might expect the packet to go through because it doesn’t match the first rule. However, that is not the case because of the implicit deny rule. With the implicit deny rule attached, the ACL looks like this:
acl 102 deny ip 10.1.20.0/24 any any any
acl 102 deny any any any any any
A packet coming from a network other than 10.1.20.0/24 would not match the first rule, but would match the implicit deny rule.
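The first-match and implicit-deny behaviour described above can be checked with a small evaluator. This is an added example, not code from the manual or from Enterasys; it models the rule fields in the order the XP syntax uses, and all packets and addresses in it are constructed.

```python
"""First-match ACL evaluation with an implicit deny, as described for the XP.

Added example, not from the Enterasys manual: it models the rule semantics
described in the text so the effect of rule order can be checked.
Field order follows the "acl <name> permit|deny <proto> <src> <dst> <sport>
<dport>" syntax; trailing fields that are omitted default to "any".
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str    # "permit" or "deny"
    protocol: str  # "tcp", "udp", "ip" (any IP protocol) or "any"
    src: str       # source network in CIDR form, or "any"
    dst: str       # destination network in CIDR form, or "any"
    sport: str     # source port number, or "any"
    dport: str     # destination port number, or "any"


@dataclass(frozen=True)
class Packet:
    protocol: str
    src: str
    dst: str
    sport: int
    dport: int


# The rule every ACL ends with, whether or not it is written down.
IMPLICIT_DENY = Rule("deny", "any", "any", "any", "any", "any")


def parse_rule(line: str) -> Rule:
    """Parse one 'acl <name> permit|deny <proto> [<src> [<dst> [<sport> [<dport>]]]]' line."""
    parts = line.split()
    if len(parts) < 4 or parts[0] != "acl" or parts[2] not in ("permit", "deny"):
        raise ValueError(f"not an ACL rule: {line!r}")
    fields = parts[4:8]
    fields += ["any"] * (4 - len(fields))  # unspecified fields match anything
    return Rule(parts[2], parts[3], *fields)


def _net_match(field: str, address: str) -> bool:
    if field == "any":
        return True
    return ipaddress.ip_address(address) in ipaddress.ip_network(field, strict=False)


def _port_match(field: str, port: int) -> bool:
    return field == "any" or int(field) == port


def _proto_match(field: str, protocol: str) -> bool:
    # "ip" is the keyword for any IP protocol; "any" is used by the implicit rule.
    return field in ("any", "ip") or field == protocol


def matches(rule: Rule, pkt: Packet) -> bool:
    return (_proto_match(rule.protocol, pkt.protocol)
            and _net_match(rule.src, pkt.src)
            and _net_match(rule.dst, pkt.dst)
            and _port_match(rule.sport, pkt.sport)
            and _port_match(rule.dport, pkt.dport))


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Return (action, index of the first matching rule); index None means the implicit deny fired."""
    for i, rule in enumerate(rules):
        if matches(rule, pkt):
            return rule.action, i
    return IMPLICIT_DENY.action, None


# The two orderings of ACL 101 discussed in the text, and ACL 102 with its implicit deny.
ACL_101 = [parse_rule("acl 101 deny tcp 10.2.0.0/16 any any any"),
           parse_rule("acl 101 permit tcp any any any any")]
ACL_101_REVERSED = list(reversed(ACL_101))
ACL_102 = [parse_rule("acl 102 deny ip 10.1.20.0/24 any any any")]

# Constructed sample packets (addresses and ports are made up for this example).
FROM_10_2 = Packet("tcp", "10.2.5.7", "192.0.2.10", 40000, 80)
FROM_ELSEWHERE = Packet("tcp", "172.16.1.1", "192.0.2.10", 40001, 80)
UDP_FROM_10_1_20 = Packet("udp", "10.1.20.5", "192.0.2.53", 5000, 53)
UDP_FROM_OTHER = Packet("udp", "10.9.9.9", "192.0.2.53", 5000, 53)

if __name__ == "__main__":
    for name, acl in (("acl 101", ACL_101), ("acl 101 reversed", ACL_101_REVERSED)):
        print(name, "packet from 10.2.0.0/16 ->", evaluate(acl, FROM_10_2))
    print("acl 102, packet from 10.9.9.9 ->", evaluate(ACL_102, UDP_FROM_OTHER))
```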
The following ACL illustrates this feature:
acl 101 permit tcp established
acl 101 apply interface int1 input
Any incoming TCP packet on interface int1 is examined, and if the packet is in response to an internal request, it is permitted; otherwise, it is rejected. Note that the ACL contains no restriction for outgoing packets on interface int1, since internal hosts are allowed to access the outside world.
Note: You must reapply or comment in the apply line of the ACL before changes will take effect. In-line Editing The XP allows you to manage ACLs from the configuration by negating command lines. By negating the ACL apply line from the configuration, you may completely turn off an ACL. Negating a specific rule within the ACL will remove it from the ACL’s rule list. Wildcards The following command creates an ACL to permit all IP traffic.
Applying ACLs to Interfaces An ACL can be applied to an interface to examine either inbound or outbound traffic. Inbound traffic is traffic coming into the XP. Outbound traffic is traffic going out of the XP. For each interface, only one ACL can be applied for the same protocol in the same direction. For example, you cannot apply two or more IP ACLs to the same interface in the inbound direction.
Applying ACLs to Services ACLs can also be created to permit or deny access to system services provided by the XP; for example, HTTP or Telnet servers. This type of ACL is known as a Service ACL. By definition, a Service ACL is for controlling inbound packets to a service on specific interfaces on the router. For example, on a particular interface, you can grant Telnet server access from a few specific hosts or deny Web server access from a particular subnet.
The following XP features use ACL profiles:
XP Feature: ACL Profile Usage
IP policy: Specifies the packets that are subject to the IP routing policy.
Dynamic NAT: Defines local address pools for dynamic bindings.
Port mirroring: Defines traffic to be mirrored. Note: The XP supports port mirroring, ACL, and Layer-2 filtering on a per-WAN-card basis, not a per-port basis.
Rate limiting: Specifies the incoming traffic flow to which rate limiting is applied.
policy command to specify what happens to packets that match the selection criteria (in this example, forward them to address 10.10.10.10). The following commands illustrate this example. This command creates a Profile ACL called prof1 that uses as its selection criteria all telnet packets travelling from source network 9.1.1.0/24 to destination network 15.1.1.0/24:
xp(config)# acl prof1 permit ip 9.1.1.0/24 15.1.1.
Using Profile ACLs with Dynamic NAT Network Address Translation (NAT) allows you to map an IP address used within one network to a different IP address used within another network. NAT is often used to map addresses used in a private, local intranet to one or more addresses used in the public, global Internet. The XP supports two kinds of NAT: static NAT and dynamic NAT.
The following command causes packets matching Profile ACL prof3’s selection criteria (that is, all IGMP traffic) to be copied to mirror port et.1.2.
xp(config)# port mirroring dst-ports et.1.2 src-acl prof3
See Configuring the X-Pedition for Port Mirroring on page 451 for more information on using the port mirroring command.
Preventing Web Objects from Being Cached You can also use a Profile ACL to prevent certain Web objects from being cached. For example, you can specify that information in packets originating from Internet site 1.2.3.4 and destined for local host 10.10.10.10 not be sent to the cache servers. The following commands illustrate this example. This command creates a Profile ACL called prof5 that uses as its selection criteria all packets with a source address of 1.2.3.
If you edit and save changes to an ACL that is currently being used or applied to an interface, the changes take effect immediately. There is no need to remove the ACL from the interface before making changes and to reapply it after the changes are made; the process is automatic. Editing ACLs Offline You can create and edit ACLs on a remote host and then upload them to the XP with TFTP or RCP.
Enabling ACL Logging To see whether incoming packets are permitted or denied because of an ACL, enable ACL logging. You can enable logging when applying the ACL or you can enable logging for a specific ACL rule. The following commands define an ACL and apply the ACL to an interface, with logging enabled for the ACL:
acl 101 deny ip 10.2.0.
All: This will report all denied packets. Reporting options will still be the same as those mentioned in the preceding paragraphs. This option effectively removes the XP's hardware protection against DoS attacks, and is not recommended for normal usage.
Periodic: This will periodically report statistics on all denied traffic streams. The reporting frequency defaults to 15 seconds, and is configurable with the acl logging set deny-report-frequency command.
Chapter 23 Security Configuration Guide Security Overview The X-Pedition provides security features that help control access to the X-Pedition and filter traffic going through the X-Pedition. Access to the X-Pedition can be controlled by: • Enabling RADIUS • Enabling TACACS Plus Note: The X-Pedition no longer supports TACACS and will ignore any commands used for it in the configuration—without generating an error.
Configuring X-Pedition Access Security This section describes the following methods of controlling access to the X-Pedition:
• RADIUS
• TACACS Plus
• Passwords
• SNMP
RADIUS Configuring RADIUS You can secure login or Enable mode access to the X-Pedition by enabling a Remote Authentication Dial-In User Service (RADIUS) client. A RADIUS server responds to the X-Pedition RADIUS client to provide authentication.
Logs to RADIUS server SNMP changes to startup or active configuration.
radius accounting snmp active|startup
Logs specified type(s) of messages to RADIUS server.
radius accounting system fatal|error|warning|info
Monitoring RADIUS You can monitor RADIUS configuration and statistics within the X-Pedition. To monitor RADIUS, enter the following commands in Enable mode:
Show RADIUS server statistics.
radius show stats
Show all RADIUS parameters.
TACACS Plus Configuring TACACS Plus You can secure login or Enable mode access to the X-Pedition by enabling a TACACS Plus client. A TACACS Plus server responds to the X-Pedition TACACS Plus client to provide authentication. You can configure up to five TACACS Plus server targets on the X-Pedition. A timeout is set to tell the X-Pedition how long to wait for a response from TACACS Plus servers.
Monitoring TACACS Plus You can monitor TACACS Plus configuration and statistics within the X-Pedition. To monitor TACACS Plus, enter the following commands in Enable mode:
Show TACACS Plus server statistics.
tacacs-plus show stats
Show all TACACS Plus parameters.
tacacs-plus show all
The X-Pedition also allows you to display information on up to five previous users who logged in to the X-Pedition using TACACS+ or RADIUS.
Password Policy Management Secure access to the X-Pedition through password protection and policies is available in both single- and multi-user modes. Global password policies are established using the system set password-policy command and apply to all passwords in single- or multi-user mode unless specifically overridden by one of the command options described below.
password is defined, the X-Pedition will advise you to configure a password, then switch to Enable mode—from here you can access Configure mode and make configuration changes. Access to Configure mode may be configured to require a password. For recommendations on selecting a password, refer to Passwords on page 30. The X-Pedition stores passwords in the startup configuration file.
• Password lifetime limit
• Mode or privilege where the user can gain access to the system
• Whether or not to disable the user account after too many failed login attempts.
The following example creates a new user account for Jane and grants password access to Configure mode. All other options remain at their default levels.
authenticating and encrypting packets over the network. The security features provided in SNMPv3 are:
• Message integrity. Ensuring that a packet has not been tampered with in transit.
• Authentication. Determining that the message is from a valid source.
• Encryption. Scrambling the contents of a packet to prevent it from being seen by an unauthorized source.
SNMPv3 provides for both security models and security levels.
In other words, VACM gives the ability to allow or deny access to any individual item of management information depending on the user's group membership and the level of security provided by the communications channel. Reliability In addition to better security and better access control, SNMPv3 also provides a higher degree of reliability for notifying management stations when critical events occur.
• RFC 2011 Internet Protocol (IP) MIB using SMIv2
• RFC 2012 Transmission Control Protocol (TCP) MIB using SMIv2
• RFC 2013 User Datagram Protocol (UDP) MIB using SMIv2
• RFC 2021 Remote Network Monitoring Version 2 (RMON 2)
• RFC 2096 IP Forwarding MIB
• RFC 2115 Frame Relay DTE using SMIv2
• RFC 2358 Ethernet-like Interface Types MIB
• RFC 2495 E1 / DS1 MIB
• RFC 2496 E3 / DS3 MIB
• RFC 2576 SNMP Community and Target Extensions MIBs
•
Notes:
• The SNMPv3 management framework, security model, and protocol operations are defined in RFC 3411 through 3416. This framework handles SNMPv1, SNMPv2c, and SNMPv3 message types.
• RFC 2576 defines how the SNMPv1 and SNMPv2c community-based security model coexists with the SNMPv3 user-based security model.
• RFC 1901 defines the SNMPv2c message type.
To create a new user, use the snmp set user command. For a detailed explanation of the snmp set user command, see the Enterasys X-Pedition Command Line Interface Reference Manual. Most commonly, users will be configured to authenticate with the local SNMP engine only; however, individual users can be configured to authenticate with remote authoritative SNMP engines if necessary (see Configuring Informs on page 405).
Note: The first two versions of the snmp set community command described above imply a security-to-group mapping that uses the privilege or group option in conjunction with the v1 or v2c option. However, when specifying the name, security-name, or tag option, the privilege and group options are not allowed. Instead, you must use another command, snmp set community-to-group, to provide the security-to-group mapping.
Creating Groups Groups facilitate the assignment of access rights to specific users. Users who require the same level of access should be grouped together into the same group. Different groups can then be created with the necessary access rights. To create groups, use the snmp set group command. For a detailed explanation of the snmp set group command, see the Enterasys X-Pedition Command Line Interface Reference Manual.
users using the SNMPv3 protocol with authentication enabled. Then the user “jane” will be assigned to the “operators” group.
xp(config)# snmp set user jane engine-id local auth sha1
xp(config)# snmp set group operators v3 auth read all write all notify all
xp(config)# snmp set user-to-group jane to operators
This process will give the user “jane” read, write, and notify access to the built-in “all” view when she is successfully authenticated by the local SNMP engine.
one in the mask indicates a significant byte in the OID while a zero indicates an insignificant, or “wild card”, byte. Written out in bit notation the mask is: 1111 1111 1011 1111. Notice that the zero (10th bit) matches up with the column header of the ifTable OID (10th byte). Combined with the subtree 1.3.6.1.2.1.2.2.1.1.35, the zero has the effect of selecting ALL columns in the ifTable, while the trailing ones select ONLY the 35th row of the table.
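The mask semantics described above can be checked against concrete ifTable OIDs with the following code. This is an added example, not code from the manual or from Enterasys; it implements the RFC 3415 view-family mask rule (a 1 bit requires an exact match, a 0 bit is a wildcard, bits past the end of the mask count as 1), and the hex spelling "ff:bf" for the mask 1111 1111 1011 1111 is this example's own.

```python
"""SNMPv3 VACM view matching with a subtree mask.

Added example, not from the Enterasys manual. The mask semantics are those
of RFC 3415 (vacmViewTreeFamilyMask): one bit per OID sub-identifier, a 1 bit
requires an exact match, a 0 bit is a wildcard, and sub-identifiers beyond
the end of the mask are treated as 1 bits. The hex form 'ff:bf' used below
for the mask 1111 1111 1011 1111 is this example's own spelling.
"""
from typing import List


def parse_oid(text: str) -> List[int]:
    """'1.3.6.1.2.1.2.2.1.1.35' -> [1, 3, 6, 1, 2, 1, 2, 2, 1, 1, 35]."""
    return [int(part) for part in text.strip(".").split(".")]


def parse_mask(hex_text: str) -> List[int]:
    """'ff:bf' -> list of 16 bits, most significant bit of each byte first."""
    raw = bytes.fromhex(hex_text.replace(":", ""))
    return [(byte >> (7 - i)) & 1 for byte in raw for i in range(8)]


def in_view_family(subtree: List[int], mask_bits: List[int], oid: List[int]) -> bool:
    """True if oid falls under the view family defined by subtree and mask."""
    if len(oid) < len(subtree):
        return False  # an object shallower than the subtree cannot be inside it
    for i, sub in enumerate(subtree):
        bit = mask_bits[i] if i < len(mask_bits) else 1  # past the mask: exact match
        if bit == 1 and oid[i] != sub:
            return False
    return True


def selected(subtree_text: str, mask_hex: str, oid_text: str) -> bool:
    """Convenience wrapper taking dotted OIDs and a hex mask."""
    return in_view_family(parse_oid(subtree_text), parse_mask(mask_hex), parse_oid(oid_text))


# The subtree from the text: ifTable, column ifIndex (.1), row 35.
IFTABLE_ROW_35 = "1.3.6.1.2.1.2.2.1.1.35"
ROW_35_ALL_COLUMNS = "ff:bf"  # bit 10 wildcards the column, bit 11 pins the row
EXACT = "ff:ff"               # every bit significant: only ifIndex.35 itself matches

if __name__ == "__main__":
    for oid in ("1.3.6.1.2.1.2.2.1.1.35",   # ifIndex.35
                "1.3.6.1.2.1.2.2.1.2.35",   # ifDescr.35: another column, same row
                "1.3.6.1.2.1.2.2.1.2.36",   # ifDescr.36: wrong row
                "1.3.6.1.2.1.1.1.0"):       # sysDescr.0: outside ifTable
        print(oid, "masked:", selected(IFTABLE_ROW_35, ROW_35_ALL_COLUMNS, oid),
              "exact:", selected(IFTABLE_ROW_35, EXACT, oid))
```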
example assumes that the user “jane” has already been created with the appropriate SNMP EngineID.
router(config)# snmp set target foo ip-address 10.10.10.10 v3 auth security-name jane type inform
Additionally, a target-params entry can be utilized (see Configuring Target Parameters on page 404) to apply the same configuration parameters to multiple targets. This can be accomplished via the param option. The following example illustrates the use of the param option.
The category and subtree options are used to specify which notifications to filter. The category option acts as a shortcut for specifying common notification subtrees. When used with the category option, the subtree option is not available. As with view subtrees, filter subtrees can also be modified using the mask option (see the explanation on masking in Defining Views on page 402 for more information).
0x00:11:22:33:44:55:66:77:88:99:aa:bb. The user “Informer” will then be used to authenticate with the manager using the password “foo” when an inform is sent.
X-Pedition allows one alias assignment per interface and limits each alias to a maximum length of 64 characters. You must use a remote SNMP manager to view, add, change, or delete an alias. To assign an alias, enter the following from configuration mode:
router(config)# snmp set if-alias alias
Note: You cannot remove an interface until you remove any alias assigned to the interface.
• Secure port filters A secure filter shuts down access to the X-Pedition based on MAC addresses. All packets received by a port are dropped. When combined with static entries, however, these filters can be used to drop all received traffic but allow some frames to go through.
Configuring Layer-2 Address Filters If you want to control access to a source or destination on a per-MAC address basis, you can configure an address filter.
To configure Layer-2 port address lock filters, enter the following commands in Configure mode:
Configure a port address lock filter.
filters add port-address-lock name sourcemac vlan in-portlist
Note: The X-Pedition will display VLAN names up to 32 characters in length.
You can combine secure port filters with static entries in the following ways:
• Combine a source secure port filter with a source static entry to drop all received traffic but allow any frame coming from a specific source MAC address to go through
• Combine a source secure port filter with a flow static entry to drop all received traffic but allow any frame coming from a specific source MAC address that is destined to a specific destination MAC address to go through
• Combine a d
Layer-2 Filter Examples
[Figure 29. Source Filter Example: X-Pedition ports et.1.1, et.1.2 and et.1.3; a hub with engineers and a consultant; engineering file servers; finance file servers]
Example 1: Address Filters Source filter: The consultant is not allowed to access any file servers. The consultant is only allowed to interact with the engineers on the same Ethernet segment – port et.1.1. All traffic coming from the consultant’s MAC address will be dropped.
Destination static entry: Restrict “login multicasts” originating from the engineering segment (port et.1.1) from reaching the finance servers.
filters add static-entry name login-mcasts dest-mac 010000:334455 vlan 1 in-port-list et.1.1 out-port-list et.1.3 restriction disallow
or
filters add static-entry name login-mcasts dest-mac 010000:334455 vlan 1 in-port-list et.1.1 out-port-list et.1.
Destination secure port: To block access to all file servers on all ports from port et.1.1, use the following command:
filters add secure-port name engineers direction dest vlan 1 in-port-list et.1.1
To allow all engineers access to the engineering servers, you must “punch” a hole through the secure-port wall. A “dest static-entry” overrides a “dest secure port”.
filters add static-entry name eng-server dest-mac 080060:abcdef vlan 1 in-port-list et.1.1 out-port-list et.1.
Layer-3 Security Controls A big problem in security today is Denial of Service or DoS. DoS attacks are used to prevent normal operation of network hardware and end systems. DoS packets attempt to congest a network and render it useless. The X-Pedition is resistant to many of these attacks, but some attacks may still cause problems—even attack packets being handled by a flow. By using rate limiting, traffic (good or bad) can be handled appropriately and network performance maintained.
Define an aggregate rate limit policy.
rate-limit aggregate acl rate [drop-packets|no-action|lower-priority|lower-priority-except-control|tos-precedence-rewrite|tos-precedence-rewrite-lower-priority] [allocate-resources-during-apply|allocate-resources-during-traffic] [burst-compensating]
Apply an aggregate rate limit policy to an interface.
Sample configuration: Per-Flow Rate Limiting
[Figure: X-Pedition with ports et.2.1, et.1.1 and et.1.2]
Consider the following configuration. Traffic from two interfaces, ipNet1 with IP address 10.10.10.10 and ipNet2 with IP address 20.20.20.20, will have their packet priority lowered if they exceed 10 Mbps for each flow:
vlan create net1 ip
vlan create outNet ip
vlan create net2 ip
vlan add ports et.1.1 to net1
vlan add ports et.1.2 to net2
vlan add ports et.2.
Output If the X-Pedition successfully creates a rate-limiting policy, an %RL-I-CREATED message will appear. Additionally, %RL-I-INTERFACE messages will appear if the rate limit needs to be applied. The messages displayed for the commands in the previous example are as follows:
%VLAN-I-CREATED, VLAN net1 created with VLAN ID 2. To add ports to the VLAN, use the “vlan add ports” command.
%VLAN-I-CREATED, VLAN outNet created with VLAN ID 3.
• A single port cannot redirect traffic to multiple ports; however, you may configure multiple ports to redirect to the same port.
• The port receiving the redirected traffic must be able to handle such a load.
• The packets-limited option applies only to the redirect port.
• When a port shuts down, it no longer receives traffic—nor can it filter the type of packets it receives (i.e., broadcast or unlearned).
Note: Bmon applies to ports only.
Enable / Disable To disable bmon commands, remove them from the active configuration. Port Mirroring The port mirroring facility, available in configuration mode, allows the X-Pedition to duplicate traffic between ports. For additional information, see Configuring the X-Pedition for Port Mirroring on page 451.
To configure port mirrors, enter the following commands while in configuration mode:
Specify ports to be mirrored out another set of ports.
port mirroring dst-ports src-ports
Specify an ACL to be mirrored out the designated ports.
port mirroring dst-ports src-acl
Sample configurations
Example 1: One to Many Mirror
[Figure: X-Pedition with port et.1.1 mirrored to ports et.2.1, et.2.2 and et.2.3]
Port et.1.1 is being mirrored out 3 ports, et.2.1, et.2.2 and et.2.3.
Example 2: Many To One Mirror
[Figure: X-Pedition with ports et.1.1, et.1.2 and et.1.3 mirrored to port gi.1.1]
Ports et.1.1, et.1.2 and et.1.3 are being mirrored out gi.1.1.
port mirroring dst-ports gi.1.1 src-ports et.1.(1-3)
Example 3: ACL Mirror All traffic coming into the X-Pedition matching the ACL, inNet, will be sent out port gi.1.1. For information on configuring ACLs see Access Control List Configuration Guide on page 369.
port mirroring dst-ports gi.1.
Layer-4 Bridging and Filtering Layer-4 bridging is the X-Pedition’s ability to use layer-3/4 information to perform filtering or QoS during bridging. As described in Layer-2 Security Filters on page 407, you can configure ports to filter traffic using MAC addresses. Layer-4 bridging adds the ability to use IP addresses, layer-4 protocol type, and port number to filter traffic in a bridged network.
Creating an IP or IPX VLAN for Layer-4 Bridging The ports to be used in Layer-4 Bridging must all be on the same VLAN. To create an IP or IPX VLAN, enter the following command in Configure mode:
Create an IP VLAN.
vlan create ip id
Note: The X-Pedition will display VLAN names up to 32 characters in length.
Creating ACLs to Specify Selection Criteria for Layer-4 Bridging Access control lists (ACLs) specify the kind of filtering to be done for Layer-4 Bridging.
Notes
• Layer-4 Bridging works for IP and IPX traffic only. The X-Pedition will drop non-IP/IPX traffic on a Layer-4 Bridging VLAN. For AppleTalk and DECnet packets, a warning is issued before the first packet is dropped.
• If you use a SmartTRUNK with a Layer-4 Bridging VLAN, the X-Pedition maintains the packet order on a per-flow basis, rather than per MAC pair.
Chapter 24 QoS Configuration Guide QoS, Layer-2, Layer-3, and Layer-4 Flow Overview The XP allows network managers to identify traffic and set Quality of Service (QoS) policies without compromising wire speed performance. The XP can guarantee bandwidth on an application by application basis, thus accommodating high-priority traffic even during peak periods of usage.
Within the XP, QoS policies are used to classify Layer-2, Layer-3, and Layer-4 traffic into the following priority queues (in order from highest priority to lowest):
• Control (for router control traffic; the remaining classes are for normal data flows)
• High
• Medium
• Low
Separate buffer space is allocated to each of these four priority queues.
Layer-3 For Layer-3 (IP and IPX) traffic you can define flows, blueprints, or templates of IP and IPX packet headers.
• The IP fields are source IP address, destination IP address, UDP/TCP source port, UDP/TCP destination port, TOS (Type of Service), transport protocol (TCP or UDP), and a list of incoming interfaces.
• The IPX fields are source network, source node, destination network, destination node, source port, destination port, and a list of incoming interfaces.
can also specify a list of ports to apply the policy. If a port operates in flow-bridging mode, you can be more specific and configure priorities for frames that match both a source AND a destination MAC address and a VLAN ID. You can also specify a list of ports to apply the policy. The VLAN ID in the QoS configuration must match the VLAN ID assigned to the list of ports to which the QoS policy is applied.
Table 13: Default Priority Map
802.1p CoS Values -> Internal Priority Queue
6, 7 -> Control
You can create one or more priority maps that are different from the default priority map and then apply these maps to some or all ports of the XP. The new priority mapping replaces the default mappings for those ports to which they are applied.
The ability to specify per-port priority maps is enabled on the XP by default. You can disable use of per-port priority maps on the XP; all ports on the XP will then be configured to use the default priority map only. If the commands to create and apply priority maps exist in the active configuration, they will remain in the configuration but be ineffective.
Setting an IP QoS Policy To set a QoS policy on an IP traffic flow, enter the following command in Configure mode: Set an IP QoS policy.
qos set ip |any |any |any |any |any ||any |any |any |any |any
For example, the following command assigns control priority to any traffic coming from the 10.10.11.
Specifying Precedence for an IPX QoS Policy To specify the precedence for an IPX QoS policy, enter the following command in Configure mode: Specify precedence for an IPX QoS policy.
qos precedence ipx [srcnet ] [srcnode ] [srcport ] [dstnet ] [dstnode ] [dstport ] [intf ]
Configuring the XP Queuing Policy The XP queuing policy is set on a system-wide basis. The XP default queuing policy is strict priority.
Weighted Random Early Detection (WRED) WRED is a dynamic process used to control congestion on WRED-enabled ports and the segments of the network associated with them by selectively dropping packets before the queue becomes completely flooded. The WRED process consists of setting a minimum queue threshold (min-threshold) and a maximum queue threshold (max-threshold) on any of the four queues (low, medium, high, and control) that belong to a port.
The ability to dampen the response time for changes to the average queue size changes the way that WRED responds to bursty traffic. For example, notice in Figure 31 that while the traffic (solid line) bursts at times, the average queue size (dotted curve) is dampened such that it does not rise above the minimum threshold within the duration of the bursts. This prevents the port from discriminating against periodic bursts of traffic. Figure 31.
To enable WRED on input queues of specific ports, enter the following command in Configure mode: Enable WRED on input or output queue of specified ports.
Note: In RFC 2474, the IETF redefined the ToS octet as the “DiffServ” byte. You will still be able to use the ToS rewrite feature to implement DiffServ when this standard is deployed. Configuring ToS Rewrite for IP Packets The ToS rewrite for IP packets is set with the qos set command in Configure mode. You can define the QoS policy based on any of the following IP fields: source IP address, destination IP address, source port, destination port, ToS, port, or interface.
The following example will rewrite the ToS Precedence and the ToS fields to 5 and 30 if the incoming packet is from the 10.10.10.0/24 network with the ToS Precedence field set to 2 and the ToS field set to 7. (In this example, the MBZ bit is included in the ToS field.) The figure below shows how the parameter values are derived.
[Figure: derivation of the parameter values. Labels recovered from the extracted text: Incoming Packet: 0 1 0 0 0; ToS Precedence = 2; Mask (look at all bits); Rewritten ToS byte for 10.10.10.]
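The derivation in that example, as an added illustration that is not Enterasys code: the ToS octet is treated as a 3-bit Precedence field in the high bits and a 5-bit ToS field (the four ToS bits plus the MBZ bit) in the low bits, which is how the example's values of 7 and 30 fit; "look at all bits" becomes a 0xFF mask. The `TosRewritePolicy` class, the `apply` method and the DSCP helper are my names, not CLI syntax.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


def tos_byte(precedence: int, tos: int) -> int:
    """Assemble the ToS octet as the example counts it: 3-bit Precedence in bits 7-5,
    5-bit ToS (four ToS bits plus the MBZ bit) in bits 4-0."""
    if not (0 <= precedence <= 7 and 0 <= tos <= 31):
        raise ValueError("precedence is 3 bits, ToS (with MBZ) is 5 bits")
    return (precedence << 5) | tos


def split_tos(octet: int):
    """Inverse of tos_byte: (precedence, tos-with-MBZ)."""
    return octet >> 5, octet & 0x1F


def dscp(octet: int) -> int:
    """RFC 2474 reads the same octet as a 6-bit DiffServ codepoint in bits 7-2."""
    return octet >> 2


@dataclass(frozen=True)
class TosRewritePolicy:
    """Hypothetical model of one ToS rewrite policy (not the qos set command itself)."""
    source_network: str        # e.g. "10.10.10.0/24"
    match_precedence: int
    match_tos: int
    new_precedence: int
    new_tos: int
    mask: int = 0xFF           # "look at all bits" of the ToS octet when matching

    def apply(self, src_ip: str, octet: int) -> int:
        """Return the ToS octet the packet leaves with (unchanged when the policy does not match)."""
        if ip_address(src_ip) not in ip_network(self.source_network):
            return octet
        wanted = tos_byte(self.match_precedence, self.match_tos)
        if (octet & self.mask) != (wanted & self.mask):
            return octet
        return tos_byte(self.new_precedence, self.new_tos)


# The example on the page: packets from 10.10.10.0/24 with Precedence 2 and ToS 7
# are rewritten to Precedence 5 and ToS 30.
EXAMPLE_POLICY = TosRewritePolicy("10.10.10.0/24", 2, 7, 5, 30)

if __name__ == "__main__":
    incoming = tos_byte(2, 7)
    rewritten = EXAMPLE_POLICY.apply("10.10.10.7", incoming)
    print("incoming 0x%02X -> rewritten 0x%02X, DSCP %d" % (incoming, rewritten, dscp(rewritten)))
```

The incoming octet for Precedence 2 / ToS 7 is 0x47 and the rewritten octet for Precedence 5 / ToS 30 is 0xBE; read as DiffServ the rewritten byte carries DSCP 47, which is the sense in which the note says the ToS rewrite feature can implement DiffServ.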
Limiting Traffic Rate
Note: Some commands in this facility require updated XP hardware. For a complete list of hardware and the features they support, consult the Release Notes on the Enterasys Networks web site: www.enterasys.com
Rate limiting provides the ability to control the usage of a fundamental network resource, bandwidth.
• Port-level Output Rate Limiting—Configure policies that limit traffic going out of a particular port. This type of policy can be used to limit any type of traffic and will work for line cards in per-flow or aggregate mode. See Rate Limiting Modes on page 442.
Note: You can configure a maximum of 24 port and aggregate rate-limiting policies per line card. Credit buckets are reserved in hardware for both port-level and aggregate policies.
the priority of the packets, depending on the exceed-action specified. Because the burst compensating option allows you to create larger credit buckets and smaller time slices, you can prevent constricting the flow of rate-limited, bursty traffic.
Note: If you do not specify this option, rate-limiting will provide accurate results (to within 10-15%) for “smooth” traffic only (e.g., traffic created by a traffic generator).
To define a per-flow rate limit policy and apply the policy to an interface, enter the following commands in Configure mode:
Define a per-flow rate limit policy.
    rate-limit input acl rate exceed-action drop-packets| set-priority-low| set-priority-medium| set-priority-high [sequence ]| [burst-compensating]
Apply a per-flow rate limit profile to an interface.
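The credit-bucket behaviour behind the exceed-action and burst-compensating options, as an added model that is not Enterasys code and does not describe the line card's actual bucket sizes or time slices: every time slice the bucket is credited with rate multiplied by slice length, capped at the bucket size; a packet that fits in the remaining credit is forwarded, one that does not gets the exceed-action. The slice lengths (100 ms without burst compensation, 10 ms with it), the 200 ms bucket, the rate and the traffic pattern are all assumptions; the exceed-action names are the ones from the command above.

```python
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Packet:
    t_ms: int               # arrival time in milliseconds
    size: int               # bytes
    priority: str = "medium"


@dataclass
class CreditBucketLimiter:
    """Credit-bucket model of one rate-limit policy (numbers are illustrative assumptions)."""
    rate_bytes_per_s: int
    slice_ms: int
    bucket_bytes: int
    exceed_action: str = "drop-packets"   # or set-priority-low / -medium / -high
    credits: int = field(init=False)
    last_refill_ms: int = 0

    def __post_init__(self) -> None:
        self.credits = self.bucket_bytes          # start with a full bucket

    @property
    def credits_per_slice(self) -> int:
        return self.rate_bytes_per_s * self.slice_ms // 1000

    def _refill(self, now_ms: int) -> None:
        """Credit the bucket for every whole time slice that has elapsed, up to its capacity."""
        slices = (now_ms - self.last_refill_ms) // self.slice_ms
        if slices > 0:
            self.credits = min(self.bucket_bytes, self.credits + slices * self.credits_per_slice)
            self.last_refill_ms += slices * self.slice_ms

    def admit(self, pkt: Packet) -> str:
        """Return 'forward', 'drop', or the set-priority-* action applied to the packet."""
        self._refill(pkt.t_ms)
        if pkt.size <= self.credits:
            self.credits -= pkt.size
            return "forward"
        if self.exceed_action == "drop-packets":
            return "drop"
        pkt.priority = self.exceed_action[len("set-priority-"):]   # e.g. "low"
        return self.exceed_action


def plain_limiter(rate_bytes_per_s: int, exceed_action: str = "drop-packets") -> CreditBucketLimiter:
    """Without burst-compensating (assumed): 100 ms slices, bucket holds exactly one slice of credit."""
    return CreditBucketLimiter(rate_bytes_per_s, 100, rate_bytes_per_s * 100 // 1000, exceed_action)


def burst_compensating_limiter(rate_bytes_per_s: int, exceed_action: str = "drop-packets") -> CreditBucketLimiter:
    """With burst-compensating (assumed): 10 ms slices and a bucket holding 200 ms of credit,
    so unused credit carries over between slices."""
    return CreditBucketLimiter(rate_bytes_per_s, 10, rate_bytes_per_s * 200 // 1000, exceed_action)


def bursty_flow(bursts: int = 4, packets_per_burst: int = 150, size: int = 1000,
                gap_ms: int = 500) -> List[Packet]:
    """Constructed traffic: 150 kB bursts every 0.5 s, an average of only 300 kB/s."""
    return [Packet(b * gap_ms, size) for b in range(bursts) for _ in range(packets_per_burst)]


def run(limiter: CreditBucketLimiter, packets: List[Packet]) -> Dict[str, int]:
    """Tally the action taken for each packet."""
    counts: Dict[str, int] = {}
    for pkt in packets:
        action = limiter.admit(pkt)
        counts[action] = counts.get(action, 0) + 1
    return counts


if __name__ == "__main__":
    rate = 1_000_000   # 1 MB/s policy, well above the flow's 300 kB/s average
    print("plain:             ", run(plain_limiter(rate), bursty_flow()))
    print("burst-compensating:", run(burst_compensating_limiter(rate), bursty_flow()))
    print("set-priority-low:  ", run(plain_limiter(rate, "set-priority-low"), bursty_flow()))
```

Against a 1 MB/s policy the bursty flow averages well under the limit, yet the one-slice bucket discards a third of every burst, which is the inaccuracy for non-smooth traffic the note above warns about; the larger, faster-refilled bucket passes the same traffic untouched, and choosing a set-priority exceed-action turns the discards into a priority downgrade instead.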
Aggregate Rate Limiting
Use an aggregate rate limiting policy if an aggregation of flows needs to be limited to a particular rate. For example, you can use aggregate rate limiting to rate limit traffic to or from a particular subnet.
Note: You cannot apply an aggregate rate limiting policy to an interface that spans ports on more than one line card.

Flow-Aggregate Rate Limiting
The Flow-Aggregate Rate Limiting policy allows you to limit an aggregation of flows to a particular rate. For example, you can use aggregate rate limiting to rate limit traffic to or from a particular subnet; however, you do not need to enable the aggregate rate limiting mode on the line card to use flow-aggregate rate limiting. See Rate Limiting Modes on page 442 for more information.

Port Rate Limiting
Use a port rate limiting policy if incoming or outgoing traffic on a particular port needs to be rate limited. Unlike other types of rate limiting policies, you do not specify an ACL when defining this type of policy. Port rate limiting policies do not need to be applied to an interface and take effect when they are created.

To define a VLAN rate limiting policy, enter one of the following commands in Configure mode:
Define a VLAN rate limiting policy to limit incoming or outgoing traffic on a VLAN.
Chapter 25 Performance Monitoring Guide

Performance Monitoring Overview
The X-Pedition is a full wire-speed Layer-2, -3 and -4 switching router. As packets enter the X-Pedition, Layer-2, -3, and -4 flow tables are populated on each line card. The flow tables contain information on performance statistics and traffic forwarding. Thus the X-Pedition provides the capability to monitor performance at Layer-2, -3, and -4.
Show information about the master MAC table.        l2-tables show mac-table-stats
Show information about a particular MAC address.    l2-tables show mac
Show info about multicasts registered by IGMP.      l2-tables show igmp-mcast-registrations
Show whether IGMP is on or off on a VLAN.           l2-tables show vlan-igmp-status
Show info about MACs registered by the system.      l2-tables show bridge-management
Show SNMP statistics.                               snmp show statistics
Show ICMP statistics.
Configuring the X-Pedition for Port Mirroring
The X-Pedition allows you to monitor activity with port mirroring. Port mirroring allows you to monitor the performance and activities of ports on the X-Pedition or for traffic defined by an ACL through one or more separate ports. While in Configure mode, you can configure your X-Pedition for port mirroring with a simple command line like the following:
Configure Port Mirroring.
Monitoring Broadcast Traffic
• When a port shuts down, it no longer receives traffic—nor can it filter the type of packets it receives (i.e., broadcast or unlearned).
Note: Bmon applies to ports only.
To configure broadcast monitors, enter the following commands from configuration mode:
Configure and attach a broadcast monitor on a set of ports.
Chapter 26 RMON Configuration Guide

RMON Overview
You can employ Remote Network Monitoring (RMON) to help monitor traffic at remote points on the network. With RMON, data collection and processing is done with a remote probe, namely the XP. The XP also includes RMON agent software that communicates with a network management station via SNMP.
Memory Allocation Requirements
The memory used by RMON is determined automatically by the number of ports and the level of functionality (i.e., lite, standard, or professional) you select. When you use the rmon enable command, the RMON memory allocation requirements for your system are calculated using the following values (Table 14).
120-port XP-8600 with lite, standard, and professional enabled: 500k + (120 * 240k) = 29.3M of memory

Configuring and Enabling RMON
By default, RMON is disabled on the XP. To configure and enable RMON on the XP, follow these steps:
1. Turn on the Lite, Standard, or Professional RMON groups by entering the rmon set lite|standard|professional command.
RMON Groups
The RMON MIB groups are defined in RFCs 1757 (RMON 1) and 2021 (RMON 2). On the XP, you can configure one or more levels of RMON support for a set of ports. Each level—Lite, Standard, or Professional—enables different sets of RMON groups (described later in this section). You need to configure at least one level before you can enable RMON on the XP.
Standard RMON Groups
This section describes the RMON groups that are enabled when you specify the Standard support level. The Standard RMON groups are shown in the table below.
Table 16. Standard RMON Groups
Group        Function
Host         Records statistics about the hosts discovered on the network.
Host Top N   Gathers the top n hosts, based on a specified rate-based statistic. This group requires the hosts group.
Matrix       Records statistics for source and destination address pairs.
Table 17. Professional RMON Groups
Group                               Function
Network Layer Matrix (and Top N)    Monitors traffic at the network layer for protocols defined in the Protocol Directory. Top N gathers the top n network layer matrix entries.
Address Map                         Records MAC address to network address bindings discovered for specified ports.
User History                        Records historical data on user-defined statistics.

Control Tables
Many RMON groups contain both control and data tables.
Using RMON
RMON on the XP allows you to analyze network traffic patterns, set up alarms to detect potential problems before they turn into real congestive situations, identify heavy network users to assess their possible candidacy for moves to dedicated or higher speed ports, and analyze traffic patterns to facilitate more long-term network planning. RMON 1 provides layer 2 information. Traffic flowing through the XP’s layer 2 ASIC is collected by RMON 1 groups.
Configuring RMON Groups
As mentioned previously, control tables in many RMON groups specify the data that is to be collected for the particular RMON group. If the information you want to collect is in the default control tables, then you only need to turn on the default tables when you specify the RMON groups (Lite, Standard, or Professional); you do not need to configure entries in the default tables.
To configure the History group.
    rmon history index port [interval ] [owner ] [samples ] [status enable|disable]
To configure the Application Layer and Network Layer Host groups.
    rmon hl-host index port nlmax-entries al-max-entries [owner ] [status enable|disable]
To configure the Application Layer and Network Layer Matrix groups.
The following examples configure the XP to create an event when a module is hot swapped into the chassis or any new IP interface is configured. The managed object ifTableLastChanged (from RFC 2233) has an object identifier (OID) of 1.3.6.1.2.1.31.1.5.0 and the XP will poll this OID every 5 minutes (300 seconds). The command line below is an example of an RMON Event group configuration with the following attributes:
• Index number 15 to identify this entry in the Event control table.
Displaying RMON Information
The CLI rmon show commands allow you to display the same RMON statistics that can be viewed from a management station. To display RMON statistics for the XP, use the following CLI command lines in Enable mode:
To show Ethernet statistics. (1)
    rmon show etherstats |all-ports
To show all events and logs.
    rmon show events
To show all alarms.
    rmon show alarms
To show histories and logs.
To show all user history logs.
    rmon show user-history
To show probe configuration.
    rmon show probe-config [basic] [net-config] [trap-dest]
(1) To display Ethernet statistics and related statistics for WAN ports, RMON has to be activated on that port.
Note: WAN traffic received on a WAN port will reflect on the first physical port of the module only.
The following shows the same rmon show hosts command with a filter applied so that only hosts with inpkts greater than 500 are displayed:
xp# rmon apply cli-filter 4
xp# rmon show hosts et.5.4
RMON I Host Table
Filter: inpkts > 500
Address         Port
----------
00001D:9D8138   et.5.4
01000C:CCCCCC   et.5.4
0180C2:000000   et.5.4
080020:835CAA   et.5.4
FFFFFF:FFFFFF   et.5.
Troubleshooting RMON
If you are not seeing the information you expected with an rmon show command, or if the network management station is not collecting the desired statistics, first check that the port is up. Then, use the rmon show status command to check the RMON configuration on the XP. Check the following fields on the rmon show status command output:
xp# rmon show status
RMON Status
----------
* RMON is ENABLED                      1
* RMON initialization successful.
5. Make sure that RMON has not run out of memory.

Allocating Memory to RMON
RMON allocates memory depending on the number of ports enabled for RMON, the RMON groups that have been configured, and whether or not default tables have been turned on or off. Enabling RMON with all groups (Lite, Standard, and Professional) with default tables uses approximately 300 Kbytes per port. If necessary, you can dynamically allocate additional memory to RMON.
To set the amount of memory allocated to RMON, use the following CLI command in User or Enable mode:
Specifies the total amount of Mbytes of memory allocated to RMON.
Chapter 27 NetFlow Configuration Guide

Introduction
Customers who invest in state-of-the-art switch-routers demand more than just routing services— they also need to know capacity utilization. Usage accounting, traffic profiling, traffic engineering, intrusion detection, network surveillance, QoS monitoring, and data warehousing and mining all require system utilization information. Enterasys X-Pedition routers provide a mechanism to gather and export utilization data for such applications.
Note: Hardware restrictions do not allow NetFlow to report a destination port for ICMP flows— the destination port is reported as 0.

Flow Accounting
Flow accounting refers to the gathering and management of data-forwarding statistical information. The basic unit used to classify this information is called a flow. A flow is a set of packets that pass an observed point in the network during a specific time interval.
be met with reasonable technical effort. NetFlow applications are not limited to the implementations described here. Since requirement details and weighting differ for specific implementations, NetFlow derives this information from the general functionality of the application. Furthermore, the application itself should lead to a better understanding of the requirements—particularly when designing or implementing a traffic flow measuring device.
Attack/Intrusion Detection
Capturing flow information plays an important role in network security—especially when it comes to security violation detection and subsequent defense. In the case of a Denial of Service (DOS) attack, flow monitoring can detect unusual load situations or suspicious flows. NetFlow can export information about these flows and allow you to derive a defense strategy.
NetFlow Data Warehousing and Mining
When you warehouse NetFlow data or derived information for later retrieval and analysis, you can determine which applications internal and external users utilize and target these services for improvement. This is especially useful when determining the relevant who, what, where, and how long information that will permit you to add greater depth to your services.

Supported Interfaces
NetFlow is supported only on interfaces that carry IP traffic.
Life of a Flow
setting. By default, the interval timer is set to 30. To adjust the interval timer setting, enter the following from configure mode:
xp# netflow set interval
[Figure 32: life of a flow (flowchart). Decision nodes recovered from the extracted text: New Flow?; Is there flow activity?; Existing Flow Timeout?. Action boxes: Time stamp beginning of flow; Initialize hardware flow counters; Increment hardware flow counters; Time stamp end of flow; Create export flow record; Clear flow table entry.]
NetFlow Architecture
A NetFlow design is composed of four elements:
• Export device(s)
• Collection device(s)
• Server
• Applications
Export device(s)
An export device detects flow characteristics and exports accounting information to a collector. The XP is an export device that uses the NetFlow v5 protocol.
Collection device(s)
A collector gathers flow accounting information from one or more export devices.
How does NetFlow Account for a Flow?
solutions where all the elements in a solution are compatible—they are not simply architectural pieces. Enterasys is currently identifying compatible third-party NetFlow-based applications.
The following tables describe the format of NetFlow Version 5 headers and flow records:
Table 18. Version 5 Header Format
Bytes     Content     Description
0 to 1    Version     NetFlow export format version number (in this case, 5).
2 to 3    Count       Number of flows (1-30) exported in this packet.
4 to 7    SysUptime   Number of milliseconds since the routing device was last booted.
8 to 11   unix_secs   Number of seconds since 0000 UTC 1970.
Bytes      Content    Description
38         prot       IP protocol (e.g., 6=TCP, 17=UDP).
39         tos        IP ToS.
40 to 41   src_as     AS of the source address (origin or peer).
42 to 43   dst_as     AS of the destination address (origin or peer).
44         src_mask   Source address prefix mask bits.
45         dst_mask   Destination address prefix mask bits.
46 to 47   pad2       Pad 2 is unused (zero bytes).

Export Policy
Policy governs the rate at which the XP exports data.
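A collector-side decoder for the Version 5 format in the tables above, together with the kind of "unusual load situation" check the Attack/Intrusion Detection section mentions, as an added example that is not Enterasys code. The tables on the page list header bytes 0-11 and record bytes 38-47; the field names used here for the remaining bytes (a 24-byte header, 48-byte records) are the standard NetFlow v5 names. The sample datagram is constructed inline from documentation addresses, and the detection thresholds (at least 10 distinct sources, flows of at most 3 packets) are assumptions to be tuned per network.

```python
import socket
import struct
from collections import defaultdict
from typing import Dict, List, Tuple

# NetFlow v5 layouts. The page lists header bytes 0-11 and record bytes 38-47; the other
# field names below are the standard v5 names for the remaining bytes.
V5_HEADER = struct.Struct("!HHIIIIBBH")                   # 24 bytes
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")     # 48 bytes
HEADER_FIELDS = ("version", "count", "SysUptime", "unix_secs", "unix_nsecs",
                 "flow_sequence", "engine_type", "engine_id", "sampling_interval")
RECORD_FIELDS = ("srcaddr", "dstaddr", "nexthop", "input", "output", "dPkts", "dOctets",
                 "First", "Last", "srcport", "dstport", "pad1", "tcp_flags", "prot", "tos",
                 "src_as", "dst_as", "src_mask", "dst_mask", "pad2")
ADDRESS_FIELDS = ("srcaddr", "dstaddr", "nexthop")


def build_v5_packet(records: List[dict], sys_uptime: int = 0, unix_secs: int = 0,
                    flow_sequence: int = 0) -> bytes:
    """Serialise 1-30 flow records into one export datagram (used here to construct test input)."""
    if not 1 <= len(records) <= 30:
        raise ValueError("a v5 packet carries 1-30 flows")
    header = V5_HEADER.pack(5, len(records), sys_uptime, unix_secs, 0, flow_sequence, 0, 0, 0)
    body = b"".join(
        V5_RECORD.pack(*[socket.inet_aton(r[f]) if f in ADDRESS_FIELDS else r.get(f, 0)
                         for f in RECORD_FIELDS])
        for r in records)
    return header + body


def parse_v5_packet(data: bytes) -> Tuple[dict, List[dict]]:
    """Decode one export datagram, refusing anything whose count and length disagree."""
    if len(data) < V5_HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    header = dict(zip(HEADER_FIELDS, V5_HEADER.unpack_from(data)))
    if header["version"] != 5:
        raise ValueError("not a NetFlow v5 datagram")
    if not 1 <= header["count"] <= 30:
        raise ValueError("count outside 1-30")
    # A collector must not trust the count field blindly: check it against the bytes received.
    if len(data) != V5_HEADER.size + header["count"] * V5_RECORD.size:
        raise ValueError("datagram length does not match count")
    records = []
    for i in range(header["count"]):
        offset = V5_HEADER.size + i * V5_RECORD.size
        rec = dict(zip(RECORD_FIELDS, V5_RECORD.unpack_from(data, offset)))
        for f in ADDRESS_FIELDS:
            rec[f] = socket.inet_ntoa(rec[f])
        records.append(rec)
    return header, records


def is_well_formed(data: bytes) -> bool:
    try:
        parse_v5_packet(data)
        return True
    except ValueError:
        return False


def suspicious_targets(records: List[dict], min_sources: int = 10,
                       max_pkts: int = 3) -> Dict[tuple, int]:
    """Heuristic for the 'unusual load situation' the page mentions: destinations reached by
    many distinct sources with very short flows. Thresholds are assumptions to tune per site."""
    sources = defaultdict(set)
    for r in records:
        if r["dPkts"] <= max_pkts:
            sources[(r["dstaddr"], r["dstport"], r["prot"])].add(r["srcaddr"])
    return {target: len(s) for target, s in sources.items() if len(s) >= min_sources}


def sample_export() -> bytes:
    """Constructed sample: two ordinary flows plus 25 one-packet flows from distinct sources
    to one web server port (documentation addresses, not real hosts)."""
    ordinary = [
        {"srcaddr": "192.0.2.1", "dstaddr": "198.51.100.10", "nexthop": "0.0.0.0",
         "dPkts": 120, "dOctets": 150000, "srcport": 51000, "dstport": 443, "prot": 6},
        {"srcaddr": "192.0.2.2", "dstaddr": "198.51.100.53", "nexthop": "0.0.0.0",
         "dPkts": 2, "dOctets": 300, "srcport": 51001, "dstport": 53, "prot": 17},
    ]
    short = [{"srcaddr": "203.0.113.%d" % i, "dstaddr": "198.51.100.10", "nexthop": "0.0.0.0",
              "dPkts": 1, "dOctets": 40, "srcport": 40000 + i, "dstport": 80, "prot": 6}
             for i in range(1, 26)]
    return build_v5_packet(ordinary + short, sys_uptime=123456, unix_secs=1_700_000_000,
                           flow_sequence=1)


if __name__ == "__main__":
    hdr, recs = parse_v5_packet(sample_export())
    print("header:", hdr)
    print("flagged:", suspicious_targets(recs))
```

The length check matters because `count` arrives in the datagram itself: a collector that sizes its record loop from that field without comparing it to the bytes actually received will read past the buffer on a truncated or malformed packet. The heuristic deliberately keys on the destination tuple rather than any single source, which is what makes a many-to-one pattern visible in flow data even when each source alone looks harmless.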
As demonstrated in the following figure, when flows 30 and 31 terminate, each termination results in the creation of an export record. Since the record for flow 30 fills the export buffer, data for flows 1-30 exports to a collector.
[Figure: timeline labels recovered from the extracted text: Flows 1-29 terminated; Flow 30 terminates; Flow 31 terminates*; Interval Time; Data for flows 1-30 is exported.]
* After flow 31 terminates, the export buffer appears as follows: Header, Flow 31, Empty record . . .
Example
In the following example, the XP will export 91 flow records when the interval timer expires. Shown here, 4 transmissions result.
Transmission 1: Header, Flow 1 . . . Flow 30
Transmission 2: Header, Flow 31 . . . Flow 60
Transmission 3: Header, Flow 61 . . . Flow 90
Transmission 4: Header, Flow 91

Asynchronous and Periodic Exportation
If the interval timer expires before NetFlow fills the export buffer with inactive flows, NetFlow will fill the remaining space with active flows.
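The life of a flow (Figure 32) and the export policy described in this section, as one added model that is not Enterasys code: a flow table that stamps and initialises new flows, increments counters on activity, and on timeout stamps the end, creates an export record and clears the entry; export records go into a 30-record buffer that is transmitted when it fills or when the interval timer expires, with active flows used to fill the remaining space at expiry. Assumptions: an inactive timeout of 15 s (the page does not give one), the interval timer default of 30 taken as seconds, and that active flows reported at interval expiry stay in the table.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

FlowKey = Tuple[str, str, int, int, int]   # (src IP, dst IP, src port, dst port, IP protocol)


@dataclass
class FlowEntry:
    first_ms: int              # "Time stamp beginning of flow"
    last_ms: int               # time of the most recent activity
    packets: int = 0           # "hardware flow counters"
    octets: int = 0


@dataclass
class NetFlowExporter:
    """Flow table plus export buffer. Timer values are assumptions (see the lead-in);
    the 30-record buffer follows the v5 limit of 1-30 flows per export packet."""
    inactive_timeout_ms: int = 15_000
    interval_ms: int = 30_000
    records_per_packet: int = 30
    entries: Dict[FlowKey, FlowEntry] = field(default_factory=dict)
    buffer: List[dict] = field(default_factory=list)
    transmissions: List[List[dict]] = field(default_factory=list)
    last_interval_ms: int = 0

    def observe(self, key: FlowKey, now_ms: int, size: int) -> None:
        """One packet seen. 'New Flow?' -> stamp the start and initialise the counters;
        otherwise 'Is there flow activity?' -> increment the counters."""
        entry = self.entries.get(key)
        if entry is None:
            self.entries[key] = FlowEntry(now_ms, now_ms, 1, size)
        else:
            entry.last_ms = now_ms
            entry.packets += 1
            entry.octets += size

    def tick(self, now_ms: int) -> None:
        """Housekeeping: time out idle flows, then honour the interval timer."""
        idle = [k for k, e in self.entries.items() if now_ms - e.last_ms >= self.inactive_timeout_ms]
        for key in idle:                # 'Existing Flow Timeout?' -> stamp end, export, clear entry
            entry = self.entries.pop(key)
            self._add_record(key, entry, now_ms, active=False)
        if now_ms - self.last_interval_ms >= self.interval_ms:
            self.last_interval_ms = now_ms
            for key, entry in self.entries.items():   # fill remaining space with active flows
                self._add_record(key, entry, now_ms, active=True)
            self._transmit()                            # periodic export of whatever is buffered

    def _add_record(self, key: FlowKey, entry: FlowEntry, end_ms: int, active: bool) -> None:
        self.buffer.append({"key": key, "first_ms": entry.first_ms, "last_ms": entry.last_ms,
                            "end_ms": end_ms, "packets": entry.packets, "octets": entry.octets,
                            "active": active})
        if len(self.buffer) == self.records_per_packet:   # a full buffer is exported at once
            self._transmit()

    def _transmit(self) -> None:
        if self.buffer:
            self.transmissions.append(self.buffer)
            self.buffer = []


def transmission_sizes(exporter: NetFlowExporter) -> List[int]:
    return [len(t) for t in exporter.transmissions]


def scenario_91_terminations() -> Tuple[List[int], List[int]]:
    """The page's example: 91 flows end, giving three full packets and a fourth with one record."""
    ex = NetFlowExporter()
    for i in range(91):                                   # constructed flows, documentation addresses
        ex.observe(("192.0.2.%d" % (i + 1), "198.51.100.1", 40000 + i, 80, 6), 0, 100)
    ex.tick(20_000)            # all 91 idle past the timeout: packets 1-3 go out, flow 91 waits
    before_timer = transmission_sizes(ex)
    ex.tick(30_000)            # interval timer expires: the waiting record is sent on its own
    return before_timer, transmission_sizes(ex)


def scenario_periodic_active() -> Tuple[List[int], int]:
    """Interval timer expiring with only active flows: they are reported but stay in the table."""
    ex = NetFlowExporter()
    for i in range(5):
        key = ("192.0.2.%d" % (i + 1), "198.51.100.2", 50000 + i, 443, 6)
        ex.observe(key, 0, 1500)
        ex.observe(key, 29_000, 1500)
    ex.tick(30_000)
    return transmission_sizes(ex), len(ex.entries)


if __name__ == "__main__":
    print("91 terminations:", scenario_91_terminations())
    print("periodic, active only:", scenario_periodic_active())
```

The first scenario reproduces the four transmissions of 30, 30, 30 and 1 records shown above; the second shows the periodic case, where nothing has timed out and the interval timer alone causes an export of the five active flows, which remain in the table afterwards.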
Prerequisites
Before configuring NetFlow, do the following:
• Enable SNMP. A system initialization task automatically enables the SNMP agent unless the snmp stop command is in the configuration file.
• Disable RMON Professional.

Collector Relationship Management
Specifying Collectors
Described previously, the XP exports accounting data to a collector.
Overriding Default Parameters
Mode        Syntax                                                                                             Usage
Configure   netflow set memory                                                                                 Required
Configure   netflow set memory-threshold                                                                       Optional
Configure   netflow set ports | all-ports                                                                      Optional
Configure   netflow set priority |low |medium |high                                                            Optional
Configure   netflow set collector [flow-destination-port ]                                                     Required
Enable      netflow show configuration| collector| statistics| status|
            historical max memory bytes| historical max memory tim
appear). To view the number of flows not reported by NetFlow (discarded), use the netflow show command.

NetFlow System Memory Utilization
The following table lists the amount of memory required for your system.
the default destination port is 2055. To set a common port address for all collector applications, use the following command:
xp (config)# netflow set flow-destination-port
Note: Hardware restrictions do not allow NetFlow to report a destination port for ICMP flows— the destination port is reported as 0.
Show Command Output
To display all information about the NetFlow client on the XP, use the netflow show all command.
Continued from previous page:
Counters
Current number of flows:                               0
Number of times netflow has sent reports:              1
Number of packets used to send reports:                1
Number of flows created in Netflow:                    2
Number of flows deleted in Netflow:                    2
Number of flows pending delete:                        0
Number of flows not reported by Netflow (discarded):   0
Number of reported records (flows):                    2

Ports Enabled for NetFlow:
         Port   Tracked    Tracked
ifIndex  Name   In Flows   Out Flows   Monitored
--------------------------------------------
Field                              Description
Default Port                       Default UDP destination port used to send export data to the collector
NetFlow Task Priority              Priority of the NetFlow task
NetFlow Statistics                 Statistics representing the current state of the NetFlow task
Time of Last Reporting Interval    Date and time when the reporting interval last expired
Time of Next Reporting             Date and time when the next synchronous update will be sent to the collector
Total Memory Available for use     Amount of heap that exists
Performance Measurements
Field                                       Description
Number of times NetFlow has sent reports    A count of the number of NetFlow packets sent to the collector.
Number of packets used to send reports      A count of the number of packets NetFlow used to send the NetFlow records to the collector.
Number of flows created in NetFlow          A count of the number of created flows. You may reset this value.
Number of flows deleted in NetFlow          A count of the number of deleted flows.
Chapter 28 WAN Configuration Guide
This chapter provides an overview of Wide Area Network (WAN) applications as well as an overview of both Frame Relay and PPP configuration for the XP. In addition, you can view an example of a multi-router WAN configuration complete with diagram and configuration files in WAN Configuration Examples on page 504.
WAN Overview
hardware you have. Each type of interface plays a part in the nomenclature of port identification. You must use either the “hs.” or “se.” prefix for HSSI and serial interfaces, respectively, when specifying WAN port identities. For example, you would specify a frame relay serial WAN port located at router slot 4, port 1, on VC 100 as “se.4.1.100”. Using the same approach, a PPP high-speed serial interface (HSSI) WAN port located at router slot 3, port 2 would be identified as “hs.3.2”.
Static Addresses
If the peer IP/IPX address is known before system setup, you can specify the peer address when the interface is created. This disables Inverse ARP (InArp) for Frame Relay on that source/peer address pair; however, InArp will still be enabled for any other addresses on that interface or other interfaces. A static peer address for PPP means that the address the peer supplies during IP Control Protocol (IPCP) or IPX Control Protocol (IPXCP) negotiations will be ignored.
Note: The default interface type is “broadcast.” If you connect an interface to a router capable of “point-to-point” only, you must specify the interface type as point-to-point within the configuration. Similarly, the peer address will be automatically discovered via IPCP/IPXCP negotiation in a PPP environment.
The following command lines display examples for a port and a VC:
    interface create ip IPWAN address-netmask 10.50.1.1/16 port hs.3.1
    interface create ip IPWAN address-netmask 10.50.
• latency requirements
Each of these factors is discussed in more detail in the following sections and should be taken into consideration before enabling compression. Since the factors are dependent on the environment, you should first try running with compression histories enabled. If compression statistics do not show a very good long-term compression ratio, then select the “no history” option.
Example Configurations
The following command line displays an example for Frame Relay:
    frame-relay set payload-compress ports se.3.1.300
The following command line displays an example for PPP:
    ppp set payload-compress port se.4.2

Packet Encryption
Packet encryption allows data to travel through unsecured networks. You can enable packet encryption for PPP ports; however, both ends of a link must be configured to use packet encryption:
    ppp set payload-encrypt port se.4.2, mp.
Source Filtering and ACLs
Source filtering and ACLs can be applied to a WAN interface; however, they affect the entire module, not an individual port. For example, if you want to apply a source MAC address filter to a WAN serial card located in slot 5, port 2, your configuration command line would look like the following:
    xp(config)# filters add address-filter name wan1 source-mac 000102:030405 vlan 2 in-port-list se.5
Port se.5 is specified instead of se.5.
Frame Relay Overview
The CLI commands related to RED in both the Frame Relay and PPP protocol environments allow you to set maximum and minimum threshold values for each of the low-, medium-, and high-priority categories of WAN traffic.
Configuring Frame Relay Interfaces for the XP
allow you to route critical packet transmissions from host to peer without concern for network congestion significantly slowing, let alone interrupting, your communications. PVCs are the most prevalent type of circuit used today and are similar to dedicated private lines in that you can lease and set them up through a service provider.
Monitoring Frame Relay WAN Ports
Note: The XP comes with a set of “default values” for Frame Relay interface configuration settings, which means that setting up a Frame Relay service profile is not absolutely necessary to begin sending and receiving Frame Relay traffic on your XP. After you configure one or more service profiles for your Frame Relay interface(s), you can then apply a service profile to active Frame Relay WAN ports, specifying their behavior when handling Frame Relay traffic.
Display MIBII statistics for frame relay WAN ports    frame-relay show stats port mibII
Display a summary of all LMI statistics               frame-relay show stats port summary

Frame Relay Port Configuration
To configure Frame Relay WAN ports, you must first define the type and location of the WAN interface, optionally “set up” a library of configuration settings, then apply those settings to the desired interface(s).
Point-to-Point Protocol (PPP) Overview
Because of its ability to quickly and easily accommodate IP and IPX protocol traffic, Point-to-Point Protocol (PPP) routing has become a very important aspect of WAN configuration. Using PPP, you can set up router-to-router, host-to-router, and host-to-host connections.
Note: For PPP, IPX network numbers for local and peer routers must match.
Configuring PPP Interfaces
Defining the Type and Location of a PPP Interface
To configure a PPP WAN port, you need to first define the type and location of one or more PPP WAN ports on your XP. The following command line displays a simplified example of a PPP WAN port definition:
Define the type and location of a PPP WAN port.
Applying a Service Profile to an Active PPP Port
Once you have created one or more PPP service profiles, you can specify their use on one or more active PPP ports on the XP. The following command line displays a simplified example of this process:
Apply a service profile to an active WAN port.
Monitoring PPP WAN Ports
Once you have configured your PPP WAN interface(s), you can use the CLI to monitor status and statistics for your WAN ports.
Note: WAN traffic received on a WAN port reflects on the first physical port of the module only.
The following table describes the monitoring commands for WAN interfaces, designed for use in Enable mode:
Display a particular PPP service profile.        ppp show service
Display all available PPP service profiles.
WAN Configuration Examples
• Use of LCP magic numbers disabled
• The maximum allowable number of unanswered requests set to 8
• The maximum allowable number of negative-acknowledgment transmissions set to 5
• The maximum allowable number of unanswered/improperly answered connection-termination requests before declaring the link to a peer lost set to 4
• Random Early Discard disabled
• The number of seconds between subsequent configuration request transmissions (the “retry interval”) set to 25
•
Multi-Router WAN Configuration
The following is a diagram of a multi-router WAN configuration encompassing three subnets. From the diagram, you can see that R1 is part of both Subnets 1 and 2; R2 is part of both Subnets 2 and 3; and R3 is part of subnets 1 and 3. The text configuration file for each router follows the diagram.
[Diagram: multi-router WAN configuration. Labels recovered from the extracted text: et.1.1 50.50.50.5; R; 100.100.100.5 se.4.1; 100.100.100.4 se.6.3; 50.50.50.]
Router R1 Configuration File
The following configuration file applies to Router R1.
----------------------------------------------------------------------
Configuration for ROUTER R1
----------------------------------------------------------------------
port set hs.7.1 wan-encapsulation frame-relay speed 45000000
port set hs.3.1 wan-encapsulation frame-relay speed 45000000
port set hs.3.2 wan-encapsulation ppp speed 45000000
port set et.1.* duplex full
frame-relay create vc port hs.
rip set interface all version 2
rip set auto-summary enable
rip start
system set name R2
arp add 20.20.20.12 exit-port et.1.1 mac-addr 000202:020200

Router R3 Configuration File
The following configuration file applies to Router R3.
----------------------------------------------------------------------
Configuration for ROUTER R3
----------------------------------------------------------------------
port set se.2.1 wan-encapsulation frame-relay speed 1500000
port set et.1.
frame-relay create vc port se.6.1.304
vlan create s1 id 200
vlan add ports se.6.1.304,se.6.3 to s1
interface create ip s1 address-netmask 100.100.100.4/16 vlan s1
rip add interface all
rip set interface all version 2
rip set interface all xmt-actual enable
rip set broadcast-state always
rip set auto-summary enable
rip start
system set name R4

Router R5 Configuration File
The following configuration file applies to Router R5.
frame-relay create vc port hs.3.1.106
frame-relay define service CIRforR1toR6 cir 45000000 bc 450000
frame-relay apply service CIRforR1toR6 ports hs.3.1.106
vlan create BridgeforR1toR6 port-based id 106
interface create ip FRforR1toR6 address-netmask 100.100.100.6/16 vlan BridgeforR1toR6
interface create ip lan1 address-netmask 60.60.60.6/16 port et.15.1
vlan add ports hs.3.1.106 to BridgeforR1toR6
vlan add ports et.15.2 to BridgeforR1toR6
qos set ip VideoFromNT high 100.100.100.