Home
/
Cabletron Systems
/
SmartSwitch Router
/
User'S Reference Manual

Cabletron Systems SmartSwitch Router, User'S Reference Manual

Share

Page: 259 / 338

Cabletron Systems SmartSwitch Router User'S Reference Manual Download Page 259

SmartSwitch Router User Reference Manual

259

Chapter 17: Access Control List Configuration Guide

Although the implicit deny rule may seem obvious in the above example, this is not
always the case. For example, consider the following ACL rule:

If a packet comes in from a network other than 10.1.20.0/24, you might expect the packet
to go through because it doesn’t match the first rule. However, that is not the case because
of the implicit deny rule. With the implicit deny rule attached, the rule looks like this:

A packet coming from 10.1.20.0/24 would not match the first rule, but would match the
implicit deny rule. As a result, no packets would be allowed to go through. The first rule is
simply a subset of the second rule. To allow packets from subnets other than 10.1.20.0/24
to go through, you would have to explicitly define a rule to permit other packets to go
through.

To correct the above example and let packets from other subnets enter the SSR, you must
add a new rule to permit packets to go through:

The second rule forwards all packets that are not denied by the first rule.

Because of the implicit deny rule, an ACL works similarly to a firewall that is elected to
deny all traffic. You create ACL rules that punch “holes” into the firewall to permit
specific types of traffic; for example, traffic from a specific subnet or traffic from a specific
application.

Allowing External Responses to Established TCP Connections

Typically organizations that are connected to the outside world implement ACLs to deny
access to the internal network. If an internal user wishes to connect to the outside world,
the request is sent; however any incoming replies may be denied because ACLs prevent
them from going through. To allow external responses to internally generated requests,
you would have to create an ACL to allow responses from each specific outside host. If the
number of outside hosts that internal users need to access is large or changes frequently,
this can be difficult to maintain.

To address this problem, the SSR can be configured to accept outside TCP responses into
the internal network, provided that the TCP connection was initiated internally.

acl 102 deny ip 10.1.20.0/24 any any any

acl 102 deny ip 10.1.20.0/24 any any any
acl 102 deny any any any any any

acl 101 deny ip 10.1.20.0/24 any any any
acl 101 permit ip
acl 101 deny any any any any any

«
...
257
258
259
260
261
...
»

Summary of Contents for SmartSwitch Router

Page 1: ...SmartSwitch Router User Reference Manual 9032578 04...

Page 2: ...trademark of CompuServe Inc i960 microprocessor is a registered trademark of Intel Corp Ethernet is a trademark of Xerox CorporationFCC Notice This device complies with Part 15 of the FCC rules Opera...

Page 3: ...n of service in some situations Repairs to certified equipment should be coordinated by a representative designated by the supplier Any repairs or alterations made by the user to this equipment or equ...

Page 4: ...s of this License Agreement You may not copy reproduce or transmit any part of the Program except as permitted by the Copyright Act of the United States or as authorized in writing by Cabletron 2 OTHE...

Page 5: ...through d of the Commercial Computer Software Restricted Rights Clause and its successors and iii in all respects is proprietary data belonging to Cabletron and or its suppliers For Department of Def...

Page 6: ...the Copyright Act of the United States or as authorized in writing by Cabletron 2 OTHER RESTRICTIONS You may not reverse engineer decompile or disassemble the Program 3 APPLICABLE LAW This License Ag...

Page 7: ...a belonging to Cabletron and or its suppliers For Department of Defense units the Product is considered commercial computer software in accordance with DFARS section 227 7202 3 and its successors and...

Page 8: ...t 1 LICENSE You have the right to use only the one 1 copy of the Program provided in this package subject to the terms and conditions of this License Agreement You may not copy reproduce or transmit a...

Page 9: ...ricted computer software submitted with restricted rights in accordance with section 52 227 19 a through d of the Commercial Computer Software Restricted Rights Clause and its successors and iii in al...

Page 10: ...an Services FDA IEC Publication 825 International Electrotechnical Commission CENELEC EN 60825 European Committee for Electrotechnical Standardization When operating within their performance limitatio...

Page 11: ...shire RG13 2PZ England Conformance to Directive s Product Standards EC Directive 89 336 EEC EC Directive 73 23 EEC EN 55022 EN 50082 1 EN 60950 Equipment Type Environment Networking Equipment for use...

Page 12: ...Notice 12 SmartSwitch Router User Reference Manual...

Page 13: ...37 Boot PROM Mode 38 Disabling a Function or Feature 39 Loading System Images and Configuration Files 39 Boot and System Image 39 Configuration Files 39 Loading System Image Software 40 Loading Boot...

Page 14: ...57 Subnet based VLANs 57 Multicast based VLANs 58 Policy based VLANs 58 SSR VLAN Support 58 VLANs and the SSR 58 Ports VLANs and L3 Interfaces 59 Access Ports and Trunk Ports 802 1Q support 59 Explic...

Page 15: ...uration Examples 79 Configuring Secondary Subnets 80 Secondary Subnets and Directly Connected Clients 81 Interacting with Relay Agents 82 Chapter 6 IP Routing Configuration Guide 85 IP Routing Overvie...

Page 16: ...4 Setting the Advertisement Interval 104 Setting Pre empt Mode 104 Setting an Authentication Key 105 Monitoring VRRP 105 ip redundancy trace 105 ip redundancy show 106 VRRP Configuration Notes 106 Cha...

Page 17: ...h Prepend Feature 134 BGP Configuration Examples 134 BGP Peering Session Example 135 IBGP Configuration Example 137 IBGP Routing Group Example 138 IBGP Internal Group Example 141 EBGP Multihop Configu...

Page 18: ...port Destination 179 Creating an Export Source 179 Import Policies 179 Creating an Import Source 180 Creating a Route Filter 180 Creating an Aggregate Route 180 Creating an Aggregate Destination 182 C...

Page 19: ...file 210 Associating the Profile with an IP Policy 210 Creating Multi statement IP Policies 211 Setting Load Distribution for Next hop Gateways 212 Setting the IP Policy Action 212 Checking the Availa...

Page 20: ...and Multiple Destination Servers 237 Web Hosting with Multiple Virtual Groups and Multiple Destination Servers 238 Virtual IP Address Ranges 239 Web Caching 240 Configuring Web Caching 240 Creating th...

Page 21: ...s Offline 260 Maintaining ACLs Using the ACL Editor 261 Using ACLs 262 Applying ACLs to Interfaces 262 Applying ACLs to Services 263 Using ACLs as Profiles 263 Using Profile ACLs with the IP Policy Fa...

Page 22: ...4 Flows 286 Configuring IP QoS Policies 286 Setting an IP QoS Policy 287 Specifying Precedence for an IP QoS Policy 287 Configuring IPX QoS Policies 287 Setting an IPX QoS Policy 287 Specifying Prece...

Page 23: ...ink Integrity 319 Latency Requirements 319 Example Configurations 319 Packet Encryption 320 WAN Quality of Service 320 Source Filtering and ACLs 321 Weighted Fair Queueing 321 Congestion Management 32...

Page 24: ...PPP Port Configuration 330 WAN Configuration Examples 332 Simple Configuration File 332 Multi Router WAN Configuration 333 Router R1 Configuration File 334 Router R2 Configuration File 334 Router R3...

Page 25: ...al if you are a network administrator responsible for configuring and monitoring the SSR How to Use This Manual If You Want To See Read overview information Chapter 1 SSR Product Overview on page 29 H...

Page 26: ...ng Configuration Guide on page 209 Configure Network Address Translation Chapter 14 Network Address Translation Configuration Guide on page 223 Configure web hosting Chapter 15 Web Hosting Configurati...

Page 27: ...duct For Information About See the Installing and setting up the SSR SmartSwitch Router Getting Started Guide Managing the SSR using Cabletron s element management application CoreWatch User s Manual...

Page 28: ...Preface 28 SmartSwitch Router User Reference Manual...

Page 29: ...ou do not need to accept performance compromises to run QoS or access control lists ACLs The following table lists the basic hardware and software specifications for the SSR Table 1 SSR Hardware and s...

Page 30: ...on flows Up to 400 000 Layer 2 MAC addresses 20 000 Layer 2 security and access control filters SSR 8600 Up to 250 000 routes Up to 4 000 000 Layer 4 application flows Up to 800 000 Layer 2 MAC addres...

Page 31: ...ortest Path First OSPF Version 2 Quality of Service QoS Layer 2 prioritization 802 1p Layer 3 source destination flows Layer 4 source destination flows Layer 4 application flows RMON RMON v1 v2 for ea...

Page 32: ...s that you can use to configure the SSR and display its status Some commands are available to all users others can be executed only after the user enters an Enable password You use the CLI to configur...

Page 33: ...e character Configure Allows you to make configuration changes To enter Configure mode first enter Enable mode enable command then enter the configure command from the Enable command prompt When you a...

Page 34: ...set of those available in Enable mode In general the User commands allow you to display basic information and use basic utilities such as ping information To list the User commands enter The User mode...

Page 35: ...l PVST parameters sfs Show SecureFast Switching SFS parameters statistics Show or clear SSR statistics stp Show STP status telnet Telnet utility traceroute Traceroute utility vlan Show VLAN related pa...

Page 36: ...Protocol OSPF ping Ping utility port Show or change Port parameters ppp Display Point to Point Protocol PPP statistics pvst Show Per Vlan Spanning Tree Protocol PVST parameters qos Show Quality of Se...

Page 37: ...gp Configure Border Gateway Protocol BGP cli Modify the command line interface behavior dhcp Configure DHCP server dvmrp Configure DVMRP related parameters exit Exit current mode filters Configure L2...

Page 38: ...or flows rdisc Configure Router Discovery Protocol rip Configure Routing Information Protocol RIP rmon Configure RMON related parameters sfs Configure SecureFast Switching SFS parameters smarttrunk Co...

Page 39: ...guration file Boot and System Image Only one boot image exists on the internal flash of the SSR Control Module Multiple system images can be stored on the external PC flash Configuration Files The SSR...

Page 40: ...copy the software upgrade onto the PCMCIA flash card in the Control Module Here is an example 4 Enter the system image list command to list the images on the PCMCIA flash card and verify that the new...

Page 41: ...se the system promimage upgrade command to copy the boot PROM upgrade onto the internal memory in the Control Module Here is an example 4 Enter the system show version command to verify that the new b...

Page 42: ...ing configuration changes to the SSR However if you power down or reboot the SSR the new changes are lost Use the following procedure to save the changes into the Startup configuration file so that th...

Page 43: ...have activated commands in the scratchpad you can compare the activated changes with a previously saved configuration file To compare the activated commands with the Startup or another configuration f...

Page 44: ...at sends a synchronization packet to the server every 60 minutes This means the SSR will attempt to set its own clock against the server once every hour The synchronization interval as well as the NTP...

Page 45: ...munity string enter the following command in Configure mode To configure the SNMP trap server target address enter the following command in Configure mode Configuring DNS The SSR allows you to configu...

Page 46: ...messages to the management console These messages include informational warning error and fatal messages Console messages can also be sent to a Syslog server To configure a Syslog server enter the fo...

Page 47: ...ion of the system system show active config Show the contents of the boot log file which contains all the system messages generated during bootup system show bootlog Show boot PROM parameters for TFTP...

Page 48: ...xt reboot system show startup config Show the status of the switching fabric module system show switching fabric Show the IP address of the SYSLOG server and the level of messages the SSR sends to the...

Page 49: ...d by the SSR and begin functioning immediately after they are installed On the SSR 8000 and SSR 8600 you can hot swap line cards and secondary control modules On the SSR 8600 you can also hot swap the...

Page 50: ...ter this command the Offline LED on the line card lights and messages appear on the console indicating the ports on the line card are inoperative Note If you have deactivated a line card and want to a...

Page 51: ...other You can hot swap one type of line card with another type For example you can replace a 10 100Base TX line card with a 1000Base SX line card The SSR can be configured to accommodate whichever lin...

Page 52: ...ote The Offline LED on the Control Module has a different function from the Offline LED on a line card On a line card it means that the line card has been deactivated On a Control Module a lit Offline...

Page 53: ...odule SSR 8600 only The SSR 8600 has slots for two Switching Fabric Modules While the SSR 8600 is operating you can install a second Switching Fabric Module If two Switching Fabric Modules are install...

Page 54: ...ching Fabric Module to free it from the connectors holding it in place in the chassis 3 Carefully remove the Switching Fabric Module from its slot To install a Switching Fabric Module 1 Slide the Swit...

Page 55: ...nsparently bridged network into virtual local area networks VLANs based on physical ports or protocol IP or IPX or bridged protocols like Appletalk Frame filtering based on MAC address for bridged and...

Page 56: ...ing or address based bridging However address based bridging is more efficient because it requires fewer table entries while flow based bridging provides tighter management and control over bridged tr...

Page 57: ...address is looked up in the VLAN database The VLAN database returns the name of the VLAN to which this frame belongs This type of VLAN is powerful in the sense that network devices such as printers a...

Page 58: ...switch and router use the subnet based VLANs in addition to port based and protocol based VLANs It is not necessary to remember the types of VLANs in order to configure the SSR as seen in the section...

Page 59: ...to a physical connector on the SSR such as an ethernet port Each port must belong to at least one VLAN When the SSR is unconfigured each port belongs to a VLAN called the default VLAN By creating VLAN...

Page 60: ...trunk ports always transmit and receive tagged frames only The format of the tag is specified by the IEEE 802 1Q standard The only exception to this is Spanning Tree Protocol frames which are transmit...

Page 61: ...s based on layer 2 traffic flows To enable flow based bridging on a port enter the following command in Configure mode To change a port from flow based bridging to address based bridging enter the fol...

Page 62: ...rming any of the tasks in the following sections Set the Bridge Priority Set an Interface Priority Note Only network administrators with a good understanding of how bridges and the Spanning Tree Proto...

Page 63: ...ng Bridge Protocol Data Unit BPDU Intervals You can adjust BPDU intervals as described in the following sections Adjust the Interval between Hello BPDUs Define the Forward Delay Interval Set the bridg...

Page 64: ...ed and recomputes the spanning tree topology To change the default interval setting enter the following command in Configure mode Specify the interval between hello time for default spanning tree stp...

Page 65: ...a standard Ethernet frame which includes a unique VLAN id per trunk between two SSRs These VLAN IDs extend the VLAN broadcast domain to more than one SSR To configure a VLAN trunk enter the following...

Page 66: ...These filters allow or force traffic to go to a set of destination ports based on a frame s source MAC address destination MAC address or both source and destination MAC addresses in flow bridging mod...

Page 67: ...unicate with clients connected to et 4 1 8 You can associate all the ports containing the clients and servers to an IP VLAN called BLUE First create an IP VLAN named BLUE Next assign ports to the BLUE...

Page 68: ...Chapter 3 Bridging Configuration Guide 68 SmartSwitch Router User Reference Manual...

Page 69: ...in the combined link increasing overall available system bandwidth SmartTRUNKs allow administrators the ability to increase bandwidth at congestion points in the network thus eliminating potential tra...

Page 70: ...onfiguration etc If you are connecting the SmartTRUNK to a device that does not support the DEC Hunt Group control protocol such as those devices that support Cisco s EtherChannel technology specify n...

Page 71: ...n Enable mode To clear statistics for SmartTRUNK ports enter the following command in Enable mode Create a SmartTRUNK that will be connected to a device that supports the DEC Hunt Group control protoc...

Page 72: ...wing is the configuration for the Cisco 7500 router The following is the configuration for the Cisco Catalyst 5K switch Cisco 7500 Router Router R1 Cisco Catalyst 5K Switch Server Switch S2 10 1 1 1 2...

Page 73: ...tocol huntgroup smarttrunk add ports et 1 1 2 to st 1 smarttrunk add ports et 2 1 2 to st 2 smarttrunk add ports et 3 1 2 to st 3 interface create ip to cisco address netmask 10 1 1 2 24 port st 1 int...

Page 74: ...Chapter 4 SmartTRUNK Configuration Guide 74 SmartSwitch Router User Reference Manual...

Page 75: ...valid for a system is called a lease The SSR maintains a lease database which contains information about each assigned IP address the MAC address to which it is assigned the lease expiration and wheth...

Page 76: ...ed through a single port you can also define multiple scopes on the same interface and group the scopes together into a superscope Configuring an IP Address Pool To define a pool of IP addresses that...

Page 77: ...pools on different subnets that all are accessed through the same SSR port In this case scopes that use the same interface must be grouped together into a superscope To attach a scope to a superscope...

Page 78: ...global set commit interval command to specify this interval the default is one hour To force the DHCP server to immediately update its lease database enter the following command in Enable mode Monitor...

Page 79: ...0 1 1 10 through 10 1 1 20 6 Define another IP address pool for addresses 10 1 1 40 through 10 1 1 50 7 Define a static IP address for 10 1 7 5 8 Define another static IP address for 10 1 7 7 and give...

Page 80: ...t must be a router on the client s local subnet The following example shows a simple configuration to support secondary subnets 10 1 x x and 10 2 x x 1 Define the network parameters for scope1 with th...

Page 81: ...connected clients on a secondary subnet you must configure the secondary subnet using the interface add ip command The interface add ip command configures a secondary address for an interface that wa...

Page 82: ...client must be capable of reaching the SSR s DHCP server The SSR must also be capable of reaching the client s network The route must be configured with static routes for example or learned with RIP o...

Page 83: ...SmartSwitch Router User Reference Manual 83 Chapter 5 DHCP Configuration Guide 4 Define the address pool for scope1 dhcp scope1 define pool 10 5 1 10 10 5 1 20...

Page 84: ...Chapter 5 DHCP Configuration Guide 84 SmartSwitch Router User Reference Manual...

Page 85: ...built upon the IP layer TCP is a connection oriented protocol that specifies the data format buffering and acknowledgments used in the transfer of data TCP is a full duplex connection which also spec...

Page 86: ...mation Protocol RIP Version 1 2 RFC 1058 1723 Open Shortest Path First OSPF Version 2 RFC 1583 Exterior Gateway Protocols are used to transfer information between different autonomous systems The SSR...

Page 87: ...addresses to the VLAN To configure a VLAN with an IP interface enter the following command in Configure mode Specifying Ethernet Encapsulation Method The SmartSwitch Router supports two encapsulation...

Page 88: ...he network Configuring ARP Cache Entries You can add and delete entries in the ARP cache To add or delete static ARP entries enter one of the the following commands in Configure mode Configuring Proxy...

Page 89: ...erfaces that the RARP server on the SSR should respond to enter the following command in Configure mode Defining MAC to IP Address Mappings To map a MAC address to an IP address enter the following co...

Page 90: ...rvices ICMP The SSR provides ICMP message capabilities including ping and traceroute Ping allows you to determine the reachability of a certain IP host Traceroute allows you to trace the IP gateways t...

Page 91: ...adcast traffic from the local subnet to a specified IP address or all associated IP addresses This is a more efficient method than defining only one local interface and remote IP address destination a...

Page 92: ...on the SSR on which it is enabled and contain a list of the addresses on the interface and the preference of each address for use as a default route for the interface A host can also send a router so...

Page 93: ...Assigning IP IPX Interfaces To enable routing on the SSR you must assign an IP or IPX interface to a VLAN To assign an IP or IPX interface named RED to the BLUE VLAN enter the following command Start...

Page 94: ...ser Reference Manual You can also assign an IP or IPX interface directly to a physical port For example to assign an IP interface RED to physical port et 3 4 perform the following ssr config interface...

Page 95: ...by assigning IP addresses that end hosts use as their default route to a virtual router A Master router is assigned to forward traffic designated for the virtual router If the Master router should be...

Page 96: ...When Router R1 comes up again it would take over as Master and Router R2 would revert to Backup Configuration of Router R1 The following is the configuration file for Router R1 in Figure 4 Line 1 adds...

Page 97: ...own this IP address it is the Backup It will take over from the Master if it should become unavailable Symmetrical Configuration Figure 5 shows a VRRP configuration with two routers and two virtual r...

Page 98: ...e 5 Router R1 is the owner of IP address 10 0 0 1 16 Line 4 associates this IP address with virtual router VRID 1 so Router R1 is the Master for virtual router VRID 1 R1 R2 H1 H2 H3 H4 Default Route 1...

Page 99: ...Backup Configuration Figure 6 shows a VRRP configuration with three routers and three virtual routers Each router serves as a Master for one virtual router and as a Backup for each of the others When...

Page 100: ...rtual router VRID 1 If both Routers R1 and R3 should fail Router R2 would become the Master for all three virtual routers Packets sent to IP addresses 10 0 0 1 16 10 0 0 2 16 and 10 0 0 3 16 would all...

Page 101: ...ority for that virtual router is 255 and cannot be changed If a router is not the address owner for a virtual router then its priority for that virtual router is 100 by default and can be changed by t...

Page 102: ...ority Configured Priority VRID 1 IP address 10 0 0 1 16 255 address owner 255 address owner VRID 2 IP address 10 0 0 2 16 100 200 see line 8 VRID 3 IP address 10 0 0 3 16 100 200 see line 9 1 interfac...

Page 103: ...ration purposes only Additional Configuration This section covers settings you can modify in a VRRP configuration including backup priority advertisement interval pre empt mode and authentication key...

Page 104: ...tting Pre empt Mode When a Master router goes down the Backup with the highest priority takes over the IP addresses associated with the Master By default when the original Master comes back up again i...

Page 105: ...istics about virtual routers ip redundancy trace The ip redundancy trace command is used for troubleshooting purposes This command causes messages to be displayed when certain VRRP events occur on the...

Page 106: ...on Master down interval 3 advertisement interval skew time The skew time depends on the Backup router s configured priority Skew time 256 Priority 256 Therefore the higher the priority the faster a Ba...

Page 107: ...outers are created on a single interface the virtual routers must have unique identifiers If virtual routers are created on different interfaces you can reuse virtual router IDs For example the follow...

Page 108: ...Chapter 7 VRRP Configuration Guide 108 SmartSwitch Router User Reference Manual...

Page 109: ...nteger distance to that network RIP uses a hop count metric to measure the distance to a destination The SmartSwitch Router provides support for RIP Version 1 and 2 The SSR implements plain text and M...

Page 110: ...ing information These default parameters may be modified to suit your needs by using the rip set interface command Enable RIP rip start Disable RIP rip stop Add interfaces to the RIP process rip add i...

Page 111: ...incoming RIP routes rip set interface interfacename or IPaddr all metric in num Change the metric on outgoing RIP routes rip set interface interfacename or IPaddr all metric out num Set the authentica...

Page 112: ...xport command To configure default metric enter the following command in Configure mode For num you must specify a number between 1 and 16 Monitoring RIP The rip trace command can be used to trace all...

Page 113: ...ive Show detailed information of all response received by the router rip trace response receive Show detailed information of response packets sent by the router rip trace response send Show detailed i...

Page 114: ...Chapter 8 RIP Configuration Guide 114 SmartSwitch Router User Reference Manual Change default metric out rip set interface SSR1 if1 metric out 3...

Page 115: ...he SSR supports the following OSPF functions Stub Areas Definition of stub areas is supported Authentication Simple password and MD5 authentication methods are supported within an area Virtual Links V...

Page 116: ...asks Enable OSPF Create OSPF areas Create an IP interface or assign an IP interface to a VLAN Add IP interfaces to OSPF areas Configure OSPF interface parameters if necessary Note By default the prior...

Page 117: ...ast 30 non broadcast Router dead interval 4 times the hello interval Poll Interval 120 seconds Key chain N A Authentication Method None Enable OSPF state on interface ospf set interface name or IPaddr...

Page 118: ...faces enter the following commands in the Configure mode Specify the number of seconds required to transmit a link state update on an OSPF interface ospf set interface name or IPaddr all transit delay...

Page 119: ...commands in the Configure mode Creating Virtual Links In OSPF virtual links can be established To connect an area via a transit area to the backbone To create a redundant backbone connection via anot...

Page 120: ...r NBMA circuits are suppressed To configure OSPF over WAN circuits enter the following command in Configure mode Create a virtual link ospf add virtual link number or string neighbor IPaddr transit ar...

Page 121: ...hostname or IPaddr Shows information about all OSPF routing neighbors ospf monitor neighborsdestination hostname or IPaddr Show information on valid next hops ospf monitor next hop list destination h...

Page 122: ...w summary asb Show OSPF timers ospf show timers Show OSPF virtual links ospf show virtual links Create the various IP interfaces interface create ip to r2 address netmask 120 190 1 1 16 port et 1 2 in...

Page 123: ...Routes to OSPF Note Also export interface static RIP OSPF and OSPF ASE routes into RIP In the configuration shown in Figure 7 on page 126 if we decide to run RIP Version 2 on network 120 190 0 0 16 c...

Page 124: ...OSPF rip add interface 120 190 1 1 rip set interface 120 190 1 1 version 2 type multicast ip router policy create ospf export destination ospfExpDstType1 type 1 metric 1 ip router policy create ospf e...

Page 125: ...ripExpDst ip router policy create ospf export source ospfExpSrc type OSPF ip router policy create ospf export source ospfAseExpSrc type OSPF ASE ip router policy export destination ripExpDst source st...

Page 126: ...R2 R3 R41 R42 R6 R11 A r e a B a c k b o n e A r e a 140 1 0 0 RIP V2 140 1 1 1 24 140 1 2 1 24 140 1 5 24 140 1 4 24 190 1 1 1 16 120 190 1 1 16 160 1 5 2 24 R10 R5 R7 202 1 2 2 16 140 1 3 1 24 130...

Page 127: ...esigned to handle multi AS policy and security issues Similarly using static routes may not be the best choice for exchanging AS AS routing information because there may be a large number of routes or...

Page 128: ...the SSR Enable prompt VLANs interfaces ACLs and many other SSR configurable entities and functionality can only be configured using the SSR CLI Therefore a gated conf file is dependent upon some SSR...

Page 129: ...ID is set to the address of the first interface that is in the up state that the SSR encounters except the interface en0 which is the Control Module s interface The address of a non point to point int...

Page 130: ...immediate next hops This implementation comes closest to the IBGP implementation of other router vendors internal An internal group operating where there is no IP level IGP for example an SMDS networ...

Page 131: ...by default To start BGP enter the following command in Configure mode Using AS Path Regular Expressions An AS path regular expression is a regular expression where the alphabet is the set of AS numbe...

Page 132: ...by m where m is a positive integer means m or more repetitions aspath_term An AS path term followed by means zero or more repetitions This is shorthand for 0 aspath_term A regular expression followed...

Page 133: ...gthening the AS path makes the path less desirable than would otherwise be the case However this method of influencing downstream path selection is feasible only when comparing prefixes of the same le...

Page 134: ...hen you must also negate the command that creates the peer group c Exit Configure mode d Re enter Configure mode e Add the peer host back to the peer group If the as count option is part of the startu...

Page 135: ...en peers across the TCP connection to establish various BGP variables BGP Version AS number ASN hold time BGP identifier and optional parameters Upon successful completion of the BGP Open negotiations...

Page 136: ...s netmask 10 0 0 1 16 port et 1 1 Set the AS of the router ip router global set autonomous system 1 Set the router ID ip router global set router id 10 0 0 1 Create EBGP peer group pg1w2 for peering w...

Page 137: ...uccessfully provide transit services all EBGP speakers in the transit AS must have a consistent view of all of the routes reachable through their AS Multihomed transit ASs can use IBGP between EBGP sp...

Page 138: ...IBGP Routing group will determine the immediate next hops for routes by using the next hop received with a route from a peer as a forwarding address and using this to look up an immediate next hop in...

Page 139: ...ample BGP configuration that uses the Routing group type Figure 9 Sample IBGP Configuration Routing Group Type SSR6 SSR1 Cisco SSR4 lo0 172 23 1 25 30 10 12 1 6 30 10 12 1 5 30 172 23 1 10 30 172 23 1...

Page 140: ...want CISCO to peer with our loopback address This will make sure that the loopback address gets announced into OSPF domain ospf add stub host 172 23 1 26 to area backbone cost 1 ospf set interface to...

Page 141: ...irectly attached to a shared subnet so that like external peers the next hops received in BGP advertisements may be used directly for forwarding All Internal group peers should be L2 adjacent router b...

Page 142: ...r SSR1 is as follows AS 1 SSR2 SSR1 17 122 128 2 24 17 122 128 1 24 16 122 128 1 24 16 122 128 1 24 16 122 128 8 24 16 122 128 9 24 C2 C1 Physical Link Legend Peering Relationship ip router global set...

Page 143: ...update group type internal peeras 1 peer 16 122 128 2 peer 16 122 128 8 peer 16 122 128 9 ip router global set autonomous system 1 bgp create peer group int ibgp 1 type internal autonomous system 1 bg...

Page 144: ...hbor 16 122 128 1 remote as 1 neighbor 16 122 128 1 next hop self neighbor 16 122 128 1 soft reconfiguration inbound neighbor 16 122 128 2 remote as 1 neighbor 16 122 128 2 next hop self neighbor 16 1...

Page 145: ...onship SSR1 16 122 128 1 16 SSR3 AS 64800 AS 64801 SSR4 SSR2 16 122 128 3 16 17 122 128 3 16 17 122 128 4 16 18 122 128 3 16 18 122 128 4 16 bgp create peer group ebgp_multihop autonomous system 64801...

Page 146: ...peeras 64801 peer 18 122 128 2 gateway 16 122 128 3 static 18 122 0 0 masklen 16 gateway 16 122 128 3 interface create ip to R1 address netmask 16 122 128 3 16 port et 1 1 interface create ip to R3 ad...

Page 147: ...GP configuration where the specific community attribute is used Figure 12 shows a BGP configuration where the well known community attribute is used static 16 122 0 0 masklen 16 gateway 17 122 128 3 b...

Page 148: ...172 26 1 2 16 172 25 1 2 16 192 168 20 2 16 172 25 1 1 16 1 1 R13 1 6 R10 192 169 20 1 16 192 169 20 2 16 100 200 13 1 24 10 200 15 1 24 1 6 R14 AS 64901 AS 64900 AS 64899 1 6 1 1 1 1 1 3 1 8 ISP1 IS...

Page 149: ...BGP update If multiple communities are specified in the optional attributes list option only updates carrying all of the specified communities will be matched If well known community none is specifie...

Page 150: ...uence number 1 ip router policy create bgp import source 901color1 optional attributes list color1 autonomous system 64900 sequence number 1 ip router policy create bgp import source 901color2 optiona...

Page 151: ...nity id 155 autonomous system 64902 ip router policy create bgp import source 902color1 optional attributes list color1 autonomous system 64899 sequence number 1 ip router policy create bgp import sou...

Page 152: ...s export destination has an identifier 900to899dest ip router policy create bgp export destination 900to899dest autonomous system 64899 optional attributes list color1 ip router policy create bgp expo...

Page 153: ...its neighbor However if a packet is received with this attribute it cannot be transmitted to another BGP peer Well known community no export subconfed Well known community no export subconfed is a spe...

Page 154: ...ith two autonomous systems The local preference is not set directly in the CLI but rather is a function of the GateD preference and setpref metric The setpref option allows GateD to set the local pref...

Page 155: ...ute Figure 13 Sample BGP Configuration Local_Pref Attribute AS 64900 Physical Link Legend Peering Relationship AS 64901 SSR10 Information Flow 10 200 12 1 24 10 200 13 1 24 10 200 14 1 24 10 200 15 1...

Page 156: ...or example if the import policy sets GateD preferences ranging from 170 to 200 a setpref metric of 170 would make sense You should set the metric high enough to avoid conflicts between BGP routes and...

Page 157: ...f 10 Router SSR4 has the following CLI configuration Router SSR6 has the following CLI configuration bgp create peer group pg752to751 type external autonomous system 64751 bgp add peer host 10 200 12...

Page 158: ...199 62 24 port et 1 2 interface create ip xenosite address netmask 212 19 198 1 24 port et 1 7 interface add ip lo0 address netmask 212 19 192 1 30 bgp create peer group webnet type external autonomo...

Page 159: ...ction the clients peer with the route reflector and exchange routing information with it In turn the route reflector passes on reflects information between clients The IBGP peers of the route reflecto...

Page 160: ...nd router SSR11 is the route reflector for the second cluster Router SSR10 has router SSR9 as a client peer and router SSR11 as a non client peer The following line in router SSR10 s configuration fil...

Page 161: ...2 as shown below bgp set peer group rtr11 reflector client Route Table FIB of Router 8 rtr 8 ip show routes Destination Gateway Owner Netif 10 50 0 0 16 directly connected en 127 0 0 0 8 127 0 0 1 Sta...

Page 162: ...o or more may also be configured to be reflectors for the same cluster In this case a cluster ID should be selected to identify all reflectors serving the cluster using the clusterid option Gratuitous...

Page 163: ...autonomous system Source and destination interface Previous hop router Autonomous system path Tag associated with routes Specific destination address The network administrator can specify a preference...

Page 164: ...he same destination in a single routing database The active route is chosen by the lowest preference value A default preference is assigned to each source from which the SSR routing process receives r...

Page 165: ...cified using the optional attributes list only updates carrying all of the specified communities will be matched If the specified optional attributes list has the value none for the well known communi...

Page 166: ...imported to that protocol If a preference is not explicitly specified with the route filter as well as the import source then it is inherited from the default preference associated with the protocol f...

Page 167: ...also be explicitly specified using this component The metric associated with the exported routes are inherited unless explicitly specified If there is no metric specified with a route filter then the...

Page 168: ...ers exact refines or between are specified any destination that falls in the range given by the network and mask is matched so the mask of the destination is ignored If a natural network is specified...

Page 169: ...te The preference to be associated with an aggregate route can be specified using this component Aggregate Source This component specifies the source of the routes contributing to an aggregate summari...

Page 170: ...ed from trusted routers Many protocols like RIP V2 and OSPF provide mechanisms for authenticating protocol exchanges A variety of authentication schemes can be used Authentication has two components a...

Page 171: ...rface none simple and RFC 2178 OSPF MD5 authentication It is possible to configure different authentication schemes on different interfaces RFC 2178 allows multiple MD5 keys per interface Each key has...

Page 172: ...rk parameter specifies the set of static routes that will be redistributed by this command If all static routes are to be redistributed set the network parameter to all Note that the network parameter...

Page 173: ...static routes rip routes direct routes bgp routes or aggregate routes which are redistributed into an OSPF domain OSPF routes may be redistributed into RIP To redistribute OSPF into RIP enter the foll...

Page 174: ...oto aggregate to proto OSPF Create the various IP interfaces interface create ip to r2 address netmask 120 190 1 1 16 port et 1 2 interface create ip to r3 address netmask 130 1 1 1 16 port et 1 3 int...

Page 175: ...in this section refer to the configurations shown in Figure 18 on page 187 The following configuration commands for router R1 Determine the IP address for each interface RIP Box Level Configuration r...

Page 176: ...P interfaces interface create ip to r2 address netmask 120 190 1 1 16 port et 1 2 interface create ip to r3 address netmask 130 1 1 1 16 port et 1 3 interface create ip to r41 address netmask 140 1 1...

Page 177: ...systems are used by the SSR routing process Using import policies it is possible to ignore route updates from an unreliable peer and give better preference to routes learned from a trusted peer Expor...

Page 178: ...do not have complex filter requirements then use the second method After you create one or more building blocks they are tied together by the iprouter policy export command To create route export poli...

Page 179: ...be done using one of two methods Creating a route filter and associating an identifier with it A route filter has several network specifications associated with it Every route is checked against the...

Page 180: ...ce enter one of the following commands in Configure mode Creating a Route Filter Route policies are defined by specifying a set of filters that will match a certain route by destination or by destinat...

Page 181: ...ociated with a route filter is used in the ip router policy aggr gen command Specifying the networks as needed in the ip router policy aggr gen command If you want to create a complex route filter and...

Page 182: ...P routes may be controlled by any of protocol source interface or source gateway If more than one is specified they are processed from most general protocol to most specific gateway RIP does not suppo...

Page 183: ...pecify the static routes configured on the router Determine its RIP configuration Figure 17 Exporting to RIP Internet R6 R42 R41 R1 R2 R3 R7 135 3 1 1 24 135 3 2 1 24 135 3 3 1 24 140 1 1 4 24 140 1 1...

Page 184: ...6 address netmask 160 1 1 1 16 port et 1 6 interface create ip to r7 address netmask 170 1 1 1 16 port et 1 7 Configure a default route through 170 1 1 7 ip add route default gateway 170 1 1 7 Configu...

Page 185: ...t source with the interface as 140 1 1 1 since we would like to import all routes except the 10 51 0 0 16 route from this interface 2 Create the Import Policy importing all routes except the 10 51 0 0...

Page 186: ...routes when functioning as an AS border router Like the other interior protocols preference cannot be used to choose between OSPF ASE routes That is done by the OSPF costs Routes that are rejected by...

Page 187: ...BGP R1 R2 R3 R41 R42 R6 R11 A r e a B a c k b o n e A r e a 140 1 0 0 RIP V2 140 1 1 1 24 140 1 2 1 24 140 1 5 24 140 1 4 24 190 1 1 1 16 120 190 1 1 16 160 1 5 2 24 R10 R5 R7 202 1 2 2 16 140 1 3 1 2...

Page 188: ...3 interface create ip to r41 address netmask 140 1 1 1 24 port et 1 4 interface create ip to r42 address netmask 140 1 2 1 24 port et 1 5 interface create ip to r6 address netmask 140 1 3 1 24 port et...

Page 189: ...hop of the loopback interface i e static and internally generated default routes via RIP it is necessary to specify the metric at some level in the export policy Just setting a default metric for RIP...

Page 190: ...create export sources for those protocols 3 Create a RIP export source since we would like to export RIP routes ip add route 135 3 1 0 24 gateway 130 1 1 3 ip add route 135 3 2 0 24 gateway 130 1 1 3...

Page 191: ...export source since we would like to export direct interface routes 5 Create the Export Policy redistributing the statically created default route and all RIP Direct routes into RIP ip router policy...

Page 192: ...orting Aggregate Routes into RIP In the configuration shown in Figure 17 on page 183 suppose you decide to run RIP Version 1 on network 130 1 0 0 16 connecting routers R1 and R3 Router R1 desires to a...

Page 193: ...nly for interface 130 1 1 1 5 Create a Aggregate export source since we would to export redistribute an aggregate summarized route 6 Create a RIP export source since we would like to export RIP routes...

Page 194: ...command OSPF ASE routes also have the provision to carry a tag This is an arbitrary 32 bit number that can be used on OSPF routers to filter routing information The default tag is specified by the os...

Page 195: ...ate ip to r3 address netmask 130 1 1 1 16 port et 1 3 interface create ip to r41 address netmask 140 1 1 1 24 port et 1 4 interface create ip to r42 address netmask 140 1 2 1 24 port et 1 5 interface...

Page 196: ...face routes would redistributed as type 1 OSPF routes Router R1 would like to redistribute its OSPF OSPF ASE RIP Static and Interface Direct routes into RIP 1 Enable RIP on interface 120 190 1 1 16 2...

Page 197: ...ation ripExpDst source ripExpSrc network all ip router policy create static export source statExpSrc ip router policy create direct export source directExpSrc ip router policy export destination ospfE...

Page 198: ...to RIP ip router policy export destination ripExpDst source statExpSrc network all ip router policy export destination ripExpDst source ripExpSrc network all ip router policy export destination ripExp...

Page 199: ...IGMP Provides an overview of the SSR s implementation of the Distance Vector Multicast Routing Protocol DVMRP Discusses configuring DVMRP routing on the SSR Discusses configuring IGMP on the SSR IGMP...

Page 200: ...both DVMRP and IGMP You can start and stop DVMRP independently from other multicast routing protocols IGMP starts and stops automatically with DVMRP The SSR supports up to 64 multicast interfaces To...

Page 201: ...the SSR To enable IGMP on an interface enter the following command in Configure mode Configuring IGMP Query Interval You can configure the SSR with a different IGMP Host Membership Query time interval...

Page 202: ...owing DVMRP configuration tasks Creating IP interfaces Setting global parameters that will be used for all the interfaces on which DVMRP is enabled Configuring DVMRP on individual interfaces You do so...

Page 203: ...per interface basis The default neighbor timeout is 35 seconds The default prune time is 7200 seconds 2 hours To configure neighbor timeout or prune time enter one of the following commands in Config...

Page 204: ...ve scoping In other words such addresses would be usable within a certain administrative scope a corporate network for instance but would not be forwarded across the internet The range from 239 0 0 0...

Page 205: ...tion on the SSR To display IGMP and DVMRP information enter the following commands in the Enable mode Configure a DVMRP tunnel to MBONE dvmrp create tunnel string local ip addr remote ip addr Configur...

Page 206: ...et 5 8 interface create ip company address netmask 207 135 89 64 25 port et 5 1 interface create ip test address netmask 10 135 89 10 25 port et 1 8 interface create ip rip address netmask 190 1 0 1 p...

Page 207: ...SmartSwitch Router User Reference Manual 207 Chapter 12 Multicast Routing Configuration Guide...

Page 208: ...Chapter 12 Multicast Routing Configuration Guide 208 SmartSwitch Router User Reference Manual...

Page 209: ...ts based on layer 3 or layer 4 IP header information You can define IP policies to route packets to a set of next hop IP addresses based on any combination the following IP header fields IP protocol S...

Page 210: ...to next hop gateway 100 1 1 1 Configuring an IP policy consists of the following tasks Defining a profile Associating the profile with a policy Applying the IP policy to an interface Defining an ACL P...

Page 211: ...ample an IP policy can contain one statement that sends all packets matching a profile to one next hop gateway and another statement that sends packets matching a different profile to a different next...

Page 212: ...in Configure mode Setting the IP Policy Action You can specify when to apply the IP policy route with respect to dynamic or statically configured routes The SSR can cause packets to use the IP policy...

Page 213: ...inbound IP interface Once the IP policy is applied to the interface packets start being forwarded according to the IP policy Cause packets matching the profile to use the IP policy route first If the...

Page 214: ...es of IP policies are demonstrated Routing traffic to different ISPs Prioritizing service to customers Authenticating users through a firewall Firewall load balancing Routing Traffic to Different ISPs...

Page 215: ...owing is the IP policy configuration for the Policy Router in Figure 19 interface create ip user a address netmask 10 50 1 1 16 port et 1 1 interface create ip user b address netmask 11 50 1 1 16 port...

Page 216: ...0 Using an IP policy to prioritize service to customers Traffic from the premium customer is load balanced across two next hop gateways in the high cost high availability network If neither of these g...

Page 217: ...firewall cannot be reached packets from the contractors group are dropped Packets from users defined in the full timers group do not have to go through the firewall interface create ip premium custom...

Page 218: ...ne session should always go to a particular firewall for persistence interface create ip mls0 address netmask 10 50 1 1 16 port et 1 1 acl contractors permit ip 10 50 1 0 24 any any any 0 acl full tim...

Page 219: ...nable mode vlan create firewall vlan add ports et 1 1 5 to firewall interface create ip firewall address netmask 1 1 1 5 16 vlan firewall acl firewall permit ip any any any 0 ip policy p1 permit acl f...

Page 220: ...show interface interface Display information about IP policies that have been applied to all interfaces ip policy show interface all Clear statistics gathered for IP policies ip policy clear all polic...

Page 221: ...permit or deny 13 The name of the profile ACL of the packets to be forwarded using an IP policy 14 The number of packets that have matched the profile since the IP policy was applied or since the ip p...

Page 222: ...Chapter 13 IP Policy Based Forwarding Configuration Guide 222 SmartSwitch Router User Reference Manual...

Page 223: ...provides the following benefits Limits the number of IP addresses used for private intranets that are required to be registered with the Internet Assigned Numbers Authority IANA Conserves the number o...

Page 224: ...n for each address in the global pool The ports are dynamically assigned between the range of 1024 to 4999 Hence you have about 4 000 ports per global IP address Dynamic bindings are removed automatic...

Page 225: ...ly delete dynamic address bindings for a specific address pool or delete all dynamic address bindings To set the timeout for dynamic address bindings enter the following command in Configure mode To f...

Page 226: ...the following commands in Configure mode Monitoring NAT To display NAT information enter the following command in Enable mode Configuration Examples This section shows examples of NAT configurations...

Page 227: ...ction i e the first packet is coming from outside to inside This could be the case when you have a server in the local network and clients located remotely Dynamic NAT would not work for this case as...

Page 228: ...t is sent from a local network as defined by the NAT dynamic local ACl pool The network administrator does not have to worry about the way in which the bindings are created the network administrator j...

Page 229: ...ddress binding for inside addresses 10 1 1 0 24 to outside address 192 50 20 0 24 The first step is to create the interfaces Next define the interfaces to be NAT inside or outside Then define the NAT...

Page 230: ...when the flow count goes to zero or the timeout has been reached The removal of bindings frees the port for that global and the port is available for reuse When all the ports for that global are used...

Page 231: ...case is possible when you have two ISPs connected on two different interfaces to the Internet Through a routing protocol some routes will result in traffic going out of one interface and for others g...

Page 232: ...Chapter 14 Network Address Translation Configuration Guide 232 SmartSwitch Router User Reference Manual...

Page 233: ...SR provide ways to improve Web access for external and internal users Load balancing allows incoming HTTP requests to a company s Website to be distributed across several physical servers If one serve...

Page 234: ...ng servers This step is optional by default the SSR assigns sessions to servers in a round robin sequential manner 3 Define the servers in the group Creating the Server Group To use load balancing you...

Page 235: ...mes to prevent new sessions from being directed to one or more load balancing servers For example if you need to perform maintenance tasks on a server system you might want new sessions to temporarily...

Page 236: ...fied hosts can be allowed to directly access servers in the load balancing group without address translation Note however that such hosts cannot use the virtual IP address and port number to access th...

Page 237: ...eb requests among four separate servers as shown below Show the groups of load balancing servers load balance show virtual hosts group name group name virtual ip ipaddr virtual port port number Show s...

Page 238: ...P Port Real Server IP TCP Port www ctron com 207 135 89 16 80 10 1 1 1 80 10 1 1 2 80 10 1 1 3 80 10 1 1 4 80 load balance create group name ctron www virtual ip 207 135 89 16 virtual port 80 protocol...

Page 239: ...of web servers like Apache which serve different web pages based on the destination address in the http request The following example illustrates this load balance create group name quick www virtual...

Page 240: ...redirects HTTP requests to local servers on which the web objects are cached One or more local servers are needed to work as cache servers with the SSR s web caching function Configuring Web Caching T...

Page 241: ...mands in Configure mode Redirecting HTTP Traffic on an Interface To start the redirection of HTTP requests to the cache servers you need to apply a caching policy to a specific outbound interface This...

Page 242: ...or web cache deny commands Other Configurations This section discusses other commands that may be useful in configuring Web caching in your network Bypassing Cache Servers Some Web sites require sour...

Page 243: ...uses the destination IP address of the HTTP request to determine which cache server to send the request However if there is a Web site that is being accessed very frequently the cache server serving r...

Page 244: ...sting Configuration Guide 244 SmartSwitch Router User Reference Manual Show caching policy information web cache show cache name cache name all Show cache server information web cache show servers cac...

Page 245: ...on the internetwork IPX defines internetwork and intranode addressing schemes IPX internetwork addressing is based on network numbers assigned to each network segment on a Novell NetWare internetwork...

Page 246: ...SAP Service Advertising Protocol SAP provides routers with a means of exchanging internetwork service information Through SAP servers advertise their services and addresses Routers gather this informa...

Page 247: ...es per interface Creating IPX Interfaces When you create IPX interfaces on the SSR you provide information about the interface such as its name output MAC encapsulation and IPX address You also enable...

Page 248: ...re mode Specifying IPX Encapsulation Method The SmartSwitch Router supports two encapsulation types for IPX You can configure encapsulation type on a per interface basis Ethernet II The standard ARPA...

Page 249: ...outes In a Novell NetWare network the SSR uses RIP to determine the best paths for routing IPX However you can add static RIP routes to RIP routing table to explicitly specify a route To add a static...

Page 250: ...s advertisements or learning of SAP services These lists are used for SAP filters They can also be used for Get Nearest Server GNS replies RIP access control list Restricts advertisements or learning...

Page 251: ...IPX GNS Access Control List IPX GNS access control lists control which SAP services the SSR can reply with to a get nearest server GNS request To create an IPX GNS access control list enter the follo...

Page 252: ...tion enter the following command in Enable mode Configuration Examples This example performs the following configuration Creates IPX interfaces Adds static RIP routes Adds static SAP entries Adds a RI...

Page 253: ...static route to network 9 ipx add route 9 BBBBBBBB 01 02 03 04 05 06 1 1 Add static sap ipx add sap 0004 FILESERVER1 9 03 04 05 06 07 08 452 1 AAAAAAAA RIP Access List acl 100 deny ipxrip 1 2 RIP inbo...

Page 254: ...Chapter 16 IPX Routing Configuration Guide 254 SmartSwitch Router User Reference Manual...

Page 255: ...hrough the router This chapter contains the following sections ACL Basics on page 256 explains how ACLs are defined and how the SSR evaluates them Creating and Modifying ACLs on page 260 describes how...

Page 256: ...istics about a packet In the example above the selection criteria are IP packets from 10 2 0 0 16 The selection criteria you can specify in an ACL rule depends on the type of ACL you are creating For...

Page 257: ...o specify a value for another field To skip a field use the keyword any For example the following ACL rule denies SMTP traffic between any two hosts Note that in the above example the tos Type of Serv...

Page 258: ...For a packet that doesn t match any of the user specified rules the implicit deny rule acts as a catch all rule All packets match this rule This is done for security reasons If an ACL is misconfigure...

Page 259: ...Because of the implicit deny rule an ACL works similarly to a firewall that is elected to deny all traffic You create ACL rules that punch holes into the firewall to permit specific types of traffic...

Page 260: ...a remote host and then upload them to the SSR with TFTP or RCP With this method you use a text editor on a remote host to edit delete replace or reorder ACL rules in a file Once the changes are made...

Page 261: ...es and make them effective again Maintaining ACLs Using the ACL Editor In addition to the traditional method of maintaining ACLs using TFTP or RCP the SSR provides a simpler and more user friendly mec...

Page 262: ...n does not prevent you from specifying many rules in an ACL You just have to put all of these rules into one ACL and apply it to an interface When a packet comes into the SSR at an interface where an...

Page 263: ...t only inbound traffic to the SSR is checked Destination address and port information is ignored therefore if you are defining a Service ACL you do not need to specify destination information Note If...

Page 264: ...age of Profile ACLs is described in more detail in the following sections Using Profile ACLs with the IP Policy Facility The IP policy facility uses a Profile ACL to define criteria that determines wh...

Page 265: ...ied limit For example you can cause packets in flows from source address 1 2 2 2 to be dropped if their bandwidth usage exceeds 10 Mbps You use a Profile ACL to define the selection criteria in this c...

Page 266: ...work 10 1 1 0 24 Note When a Profile ACL is defined for dynamic NAT only the source IP address field in the acl statement is evaluated All other fields in the acl statement are ignored Once you have d...

Page 267: ...d to the cache servers Specifying characteristics of Web objects that should not be cached Redirecting HTTP Traffic to Cache Servers You can use a Profile ACL to specify which HTTP traffic should alwa...

Page 268: ...e Web caching policy is applied to an interface information in packets originating from source address 1 2 3 4 and destined for address 10 10 10 10 is not sent to the cache servers See Web Caching on...

Page 269: ...he SSR provides a display of ACL configurations active in the system To display ACL information enter the following commands in Enable mode Show all ACLs acl show all Show a specific ACL acl show acln...

Page 270: ...Chapter 17 Access Control List Configuration Guide 270 SmartSwitch Router User Reference Manual...

Page 271: ...SSR enables Layer 2 security filters Perform filtering on source or destination MAC addresses Layer 3 Access Control Lists Perform filtering on source or destination IP address source or destination T...

Page 272: ...y enter the following commands in Configure mode Specify a RADIUS server radius set server hostname or IP addr Set the RADIUS time to wait for a RADIUS server reply radius set timeout number Determine...

Page 273: ...ovide authentication You can configure up to five TACACS server targets on the SSR A timeout is set to tell the SSR how long to wait for a response from TACACS servers To configure TACACS security ent...

Page 274: ...Plus time to wait for a TACACS Plus server reply tacacs plus set timeout number Determine the SSR action if no server responds tacacs plus set last resort password succeed Enable TACACS Plus tacacs pl...

Page 275: ...ion MAC addresses in flow bridging mode Address filters are always configured and applied to the input port Port to address lock filters These filters prohibit a user connected to a locked port or set...

Page 276: ...yer 2 Port to Address Lock Filters Port address lock filters allow you to bind or lock specific source MAC addresses to a port or set of ports Once a port is locked only the specified source MAC addre...

Page 277: ...n use a secure port filter by itself to secure unused ports Secure port filters can be configured as source or destination port filters A secure port filter applied to a source port forces all incomin...

Page 278: ...the following commands in Enable mode Configure a source secure port filter filters add secure port name name direction source vlan VLAN num in port list port list Configure a destination secure port...

Page 279: ...ant is restricted access to one of the finance file servers Note that port et 1 1 should be operating in flow bridging mode for this filter to work Static Entries Example Source static entry The consu...

Page 280: ...other ports enter the following command To allow ONLY the engineering manager access to the engineering servers you must punch a hole through the secure port wall A source static entry overrides a so...

Page 281: ...t Layer 3 traffic going through the SSR Each ACL consists of one or more rules describing a particular type of IP or IPX traffic An ACL can be simple consisting of only one rule or complicated with ma...

Page 282: ...Chapter 18 Security Configuration Guide 282 SmartSwitch Router User Reference Manual...

Page 283: ...Once a packet has been identified it can be assigned into any one of four priorities in order to ensure delivery Priority can be allocated based on any combination of Layer 2 Layer 3 or Layer 4 traffi...

Page 284: ...nsport protocol TCP or UDP and a list of incoming interfaces The IPX fields are source network source node destination network destination node source port destination port and a list of incoming inte...

Page 285: ...nation MAC address Before applying a QoS policy to a layer 2 flow you must first determine whether a port is in address bridging mode or flow bridging mode If a port operates in address bridging mode...

Page 286: ...u can set QoS policies for IP flows based on source IP address destination IP address source TCP UDP port destination TCP UDP port type of service TOS and transport protocol TCP or UCP You can set QoS...

Page 287: ...3 or 4 flow and set the IPX QoS policy 2 Specify the precedence for the fields within an IPX flow Setting an IPX QoS Policy To set a QoS policy on an IPX traffic flow enter the following command in Co...

Page 288: ...nd in Configure mode ToS Rewrite In the Internet IP packets that use different paths are subject to delays as there is little inherent knowledge of how to optimize the paths for different packets from...

Page 289: ...command you can access the value in the ToS octet which includes both the Precedence and ToS fields in each packet The upper layer application can then decide how to handle the packet based on either...

Page 290: ...ny and specify a value for tos rewrite then the upper three bits remain unchanged and the lower five bits are rewritten If you specify values for both tos precedence rewrite and tos rewrite then the u...

Page 291: ...hardware Please refer to the Release Notes for details Traffic rate limiting provides the ability to control the usage of a fundamental network resource bandwidth It allows you to limit the rate of t...

Page 292: ...umber is used to identify the order in which the profiles are applied You can define the action taken on the traffic that exceeds the upper limit either drop the packets or reset the priority of the t...

Page 293: ...ent1 vlan add ports et 1 2 to client2 vlan add ports et 1 8 to backbone interface create ip ipclient1 vlan client1 address netmask 1 1 1 1 8 interface create ip ipclient2 vlan client2 address netmask...

Page 294: ...Chapter 19 QoS Configuration Guide 294 SmartSwitch Router User Reference Manual...

Page 295: ...e statistics are accessible to SNMP through RMON RMON2 and can be displayed by using the statistics show command in the CLI In addition to the monitoring commands listed you can find more monitoring c...

Page 296: ...ow ip Show unicast routing statistics statistics show ip routing Show IPX statistics statistics show ipx Show IPX interface s statistics statistics show ipx interface Show IPX routing statistics stati...

Page 297: ...by port basis You can only configure port mirroring for the entire WAN card Only IP ACLs can be specified for port mirroring Monitoring Broadcast Traffic The SSR allows you to monitor broadcast traff...

Page 298: ...Chapter 20 Performance Monitoring Guide 298 SmartSwitch Router User Reference Manual...

Page 299: ...support for both RMON 1 and RMON 2 MIBs as specified in RFCs 1757 and 2021 respectively While non RMON SNMP products allow the monitoring and control of specific network devices RMON 1 returns statis...

Page 300: ...commands to configure and enable RMON on the SSR The next sections describe Lite Standard and Professional RMON groups and control tables ssr config show Running system configuration Last modified fro...

Page 301: ...onfigure Lite with default tables on for ports et 1 1 8 and then configure Standard with no default tables for the same ports You cannot configure Lite on one set of ports and Standard on another set...

Page 302: ...hosts based on a specified rate based statistic This group requires the hosts group Matrix Records statistics for source and destination address pairs Filter Specifies the type of packets to be match...

Page 303: ...te the default control tables and then configure the appropriate control tables for the data you wish to collect Even if you use the default control tables you can always use the rmon commands to modi...

Page 304: ...lanning RMON 1 provides layer 2 information Traffic flowing through the SSR s layer 2 ASIC is collected by RMON 1 groups RMON 2 in the SSR provides layer 3 traffic information for IP and IPX protocols...

Page 305: ...1125 211192 ether2 ip v4 tcp 10 50 89 88 15 15 15 3 1122 210967 ether2 ip v4 tcp telnet 10 50 89 88 15 15 15 3 3 225 ether2 ip v4 tcp www http To configure the Address Map group rmon address map inde...

Page 306: ...gure the History group rmon history index index number port port interval seconds owner string samples num status enable disable To configure the Application Layer and Network Layer Host groups rmon h...

Page 307: ...n RMON Event group configuration with the following attributes Index number 15 to identify this entry in the Event control table The event is both logged in the Event table and an SNMP trap generated...

Page 308: ...mmand lines in Enable mode ssr config rmon alarm index 20 variable 1 3 6 1 2 1 31 1 5 0 interval 300 startup both type absolute value rising threshold 1 falling threshold 1 rising event index 15 falli...

Page 309: ...of information displayed with the rmon show commands An RMON CLI filter can only be applied to a current Telnet or Console session To display the RMON 2 Address Map table rmon show address map port l...

Page 310: ...8 75196 885 114387 0 0 00001D A9815F 0 0 102 7140 0 0 00105A 08B98D 0 0 971 199960 0 0 004005 40A0CD 0 0 51 3264 0 0 006083 D65800 0 0 2190 678372 0 0 0080C8 E0F8F3 0 0 396 89818 0 0 00E063 FDD700 0 0...

Page 311: ...t seeing the information you expected with an rmon show command or if the network management station is not collecting the desired statistics first check that the port is up Then use the rmon show sta...

Page 312: ...t control tables may be created for all ports on the SSR Or if the RMON group is not one for which default control tables can be created you will need to configure control table entries using the appr...

Page 313: ...To display the amount of memory that is currently allocated to RMON use the following CLI command in Enable mode Any memory allocation failures are reported The following is an example of the informat...

Page 314: ...e 314 SmartSwitch Router User Reference Manual To set the amount of memory allocated to RMON use the following CLI command in User or Enable mode Specifies the total amount of Mbytes of memory allocat...

Page 315: ...protocol PPP Both protocols have their own set of configuration and monitoring CLI commands described in the SmartSwitch Router Command Line Interface Reference Manual High Speed Serial Interface HSSI...

Page 316: ...sses which are static or dynamic For PPP however the primary addresses may be dynamic or static but the secondary addresses must be static This is because the primary addresses of both the local and p...

Page 317: ...lowing command line displays two examples for PPP Dynamic Addresses If the peer IP IPX address is unknown you do not need to specify it when creating the interface When in the Frame Relay environment...

Page 318: ...th ends of a link must be configured to use packet compression Enabling compression on WAN serial links should be decided on a case by case basis Important factors to consider include average packet s...

Page 319: ...mpressions in Frame Relay compression histories are always used Compression histories take advantage of data redundancy between packets In an environment with high packet loss or over subscribed links...

Page 320: ...ow a more critical issue than ever before The fact that IP communications to the desktop are clearly the most prevalent used today has made it the protocol of choice for end to end audio video and dat...

Page 321: ...packets with the highest priority can be allotted a sizable percentage of the available bandwidth and whisked through WAN interface s Meanwhile the remaining bandwidth is distributed for lower priori...

Page 322: ...This eliminates the need to have direct connections between all of the remote members of a complex network such as a host of corporate satellite offices The advantage that Frame Relay offers to this...

Page 323: ...ng in the Frame Relay protocol environment you must first define the type and location of the WAN interface Having established the type and location of your WAN interfaces you need to optionally defin...

Page 324: ...ffic The following command line displays all of the possible attributes used to define a Frame Relay service profile Applying a Service Profile to an Active Frame Relay WAN Port Once you have created...

Page 325: ...with a speed rating of 45 million bits per second To define the location and identity of a High Speed Serial Interface HSSI VC located at slot 4 port 1 with a DLC of 100 Suppose you wish to set up a s...

Page 326: ...om Early Discard RED disabled RMON enabled The command line necessary to set up a service profile with the above attributes would be as follows To assign the above service profile to the VC interface...

Page 327: ...explicit LCP or NCP frames instruct the host and or the peer router to close the link or until some external event i e user interruption or system time out takes place You can set up PPP ports on you...

Page 328: ...alues for PPP interface configuration settings which means that setting up a PPP service profile is not absolutely necessary to begin sending and receiving PPP traffic on your SSR After you configure...

Page 329: ...s the packets and places them in their correct sequence The following table describes the commands for configuring MLP Compression on MLP Bundles or Links Compression can be applied on either a bundle...

Page 330: ...e and location of the WAN interface optionally set up a library of configuration settings then apply those settings to the desired interface s The following examples are designed to give you a small m...

Page 331: ...mum allowable number of unanswered improperly answered connection termination requests before declaring the link to a peer lost set to 4 Random Early Discard disabled The number of seconds between sub...

Page 332: ...e Multi Router WAN Configuration next port set hs 5 1 wan encapsulation frame relay speed 45000000 port set hs 5 2 wan encapsulation ppp speed 45000000 interface create ip fr1 address netmask 10 1 1 1...

Page 333: ...ckets Video Server Win NT SmartBits IP packets 50 50 50 5 50 50 50 15 et 1 1 100 100 100 5 100 100 100 4 100 100 100 4 100 100 100 3 se 4 1 se 6 3 se 6 1 se 2 1 hs 4 2 hs 4 1 hs 7 2 hs 3 1 et 1 1 et 1...

Page 334: ...dd ports hs 3 2 to s2 interface create ip s1 address netmask 100 100 100 1 16 vlan s1 interface create ip s2 address netmask 120 120 120 1 16 vlan s2 rip add interface all rip set interface all versio...

Page 335: ...4 2 wan encapsulation ppp speed 45000000 frame relay create vc port se 2 1 304 frame relay create vc port hs 4 1 103 vlan create s1 id 200 interface create ip SBitsLAN address netmask 30 30 30 3 16 po...

Page 336: ...interface all version 2 rip set interface all xmt actual enable rip set broadcast state always rip set auto summary enable rip start system set name R4 Configuration for ROUTER R5 port set se 4 1 wan...

Page 337: ...terface create ip FRforR1toR6 address netmask 100 100 100 6 16 vlan BridgeforR1toR6 interface create ip lan1 address netmask 60 60 60 6 16 port et 15 1 vlan add ports hs 3 1 106 to BridgeforR1toR6 vla...

Page 338: ...Chapter 22 WAN Configuration Guide 338 SmartSwitch Router User Reference Manual...

Reviews:

No comments

Brands by name

0 1 2 3 4 5 6 7 8 9 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Popular brands

Load more brands