Foundry Networks AR1202 User Manual Download Page 9

Page: 9 / 293

Contents

June 2004

ENERIC

OUTING

NCAPSULATION

(GRE) ..............................................................................................14-7

HAPTER

ECURITY

EATURES

................................................................................ 15-1

NTRODUCTION

ECURITY

....................................................................................................................15-1

NABLING

ECURITY

EATURES

.........................................................................................................15-1

ECURING

EMOTE

CCESS

SING

IPS

VPN .......................................................................................15-2

CCESS

ETHODS

.............................................................................................................................15-2

XAMPLE

1: S

ECURELY

ANAGING

THE

OUNDRY

AR1204 O

VER

IPS

UNNEL

..........................15-3

XAMPLE

2: J

OINING

RIVATE

ETWORKS

WITH

IP S

ECURITY

UNNEL

.................................15-10

XAMPLE

3: J

OINING

ETWORKS

WITH

IPS

UNNEL

USING

ULTIPLE

IPS

ROPOSALS

.15-19

XAMPLE

4: S

UPPORTING

EMOTE

SER

CCESS

............................................................................15-28

XAMPLE

5: C

ONFIGURING

IPS

EMOTE

CCESS

ORPORATE

LAN

WITH

ODE

-C

ONFIGURATION

ETHOD

....................................................................................................................................15-37

ONFIGURING

GRE ................................................................................................................................15-45

IREWALLS

.............................................................................................................................................15-50

IREWALL

ONFIGURATION

XAMPLES

..............................................................................................15-50

TOPPING

S A

TTACKS

.................................................................................................................15-56

ACKET

EASSEMBLY

......................................................................................................................15-57

NAT C

ONFIGURATIONS

....................................................................................................................15-57

NAT C

ONFIGURATION

XAMPLES

.....................................................................................................15-58

ECURITY

ROTOCOL

EFAULTS

............................................................................................................15-61

IPS

UPPORTED

ROTOCOLS

AND

LGORITHMS

...........................................................................15-61

OUNDRY

IKE

AND

IPS

EFAULTS

...............................................................................................15-62

IREWALL

EFAULT

ALUES

...................................................................................................................15-63

UNNELING

EFAULT

ALUES

.................................................................................................................15-65

Summary of Contents for AR1202

Page 1: ...ry Networks Inc Foundry AR Series Router User Guide For AR1202 AR1204 AR1208 AR1216 AR3201 CH CL and AR3202 CH CL Routers 2100 Gold Street P O Box 649100 San Jose CA 95164 9100 Tel 408 586 1700 Fax 40...

Page 2: ...roperty of Foundry or other third parties You are not permitted to use these Marks without the prior written consent of Foundry or such appropriate third party Foundry Networks BigIron FastIron IronVi...

Page 3: ...GET HELP 1 5 WEB ACCESS 1 5 EMAIL ACCESS 1 5 TELEPHONE ACCESS 1 5 WARRANTY COVERAGE 1 5 CHAPTER 2 COMMAND LINE INTERFACE 2 1 COMMAND TYPES 2 1 CONTEXT SENSITIVE COMMANDS 2 1 COMMAND CONVENTIONS 2 2 A...

Page 4: ...IGURE POLICY ROUTE_MAP SET AS_PATH 3 15 CONFIGURE POLICY ROUTE_MAP SET COMMUNITY 3 16 CONFIGURE POLICY ROUTE_MAP SET DISTANCE 3 17 CONFIGURE POLICY ROUTE_MAP SET LOCAL_PREFERENCE 3 18 CONFIGURE POLICY...

Page 5: ...IGHBOR DESCRIPTION 7 19 CONFIGURE ROUTER BGP NEIGHBOR DISTRIBUTE_LIST 7 20 CONFIGURE ROUTER BGP NEIGHBOR EBGP_MULTIHOP 7 21 CONFIGURE ROUTER BGP NEIGHBOR FILTER_LIST 7 22 CONFIGURE ROUTER BGP NEIGHBOR...

Page 6: ...IRTUAL_LINK AUTHENTICATION 9 14 CONFIGURE ROUTER OSPF AREA VIRTUAL_LINK DEAD_INTERVAL 9 15 CONFIGURE ROUTER OSPF AREA VIRTUAL_LINK HELLO_INTERVAL 9 16 CONFIGURE ROUTER OSPF AREA VIRTUAL_LINK RETRANSMI...

Page 7: ...HOW IP OSPF GLOBAL 10 13 SHOW IP OSPF INTERFACE 10 14 SHOW IP OSPF INTERFACE ALL 10 15 SHOW IP OSPF INTERFACE BUNDLE 10 16 SHOW IP OSPF INTERFACE ETHERNET 10 17 SHOW IP OSPF NEIGHBOR 10 18 SHOW IP OSP...

Page 8: ...2 CONFIGURE ROUTER RIP TIMERS HOLDDOWN 11 23 CONFIGURE ROUTER RIP TIMERS UPDATE 11 24 CHAPTER 12 RIP SHOW COMMANDS 12 1 SHOW IP RIP 12 2 SHOW IP RIP GLOBAL 12 3 SHOW IP RIP INTERFACE 12 4 SHOW IP RIP...

Page 9: ...XAMPLE 3 JOINING TWO NETWORKS WITH AN IPSEC TUNNEL USING MULTIPLE IPSEC PROPOSALS 15 19 EXAMPLE 4 SUPPORTING REMOTE USER ACCESS 15 28 EXAMPLE 5 CONFIGURING IPSEC REMOTE ACCESS TO CORPORATE LAN WITH MO...

Page 10: ...BGP4 PIM and VRRP Nomenclature This guide uses the following typographical conventions to show information Italic highlights the title of another publication and occasionally emphasizes a word or phr...

Page 11: ...o assist users with the initial installation and deployment of Foundry rack mounted routers The guide provides a brief overview of the installation and initial configuration processes Foundry AR Serie...

Page 12: ...Multicast PIM SM PIM SSM IGMP v2 v3 High Availability VRRP BGP4 Multi homing Bundle Tracking MLPPP Bundle Thresholding LAN Interface Load Sharing with Failover Security Management Stateful Packet Insp...

Page 13: ...nagement RED DiffServ Class based Queuing per IP address Flow VLAN tag Application port Frame Relay traffic shaping and policing VLAN 802 1P 8 queue prioritization of VLAN frames Service Provisioning...

Page 14: ...cal requests can also be sent to the following email address support foundrynet com Telephone Access 1 877 TURBOCALL 887 2622 United States 1 408 586 1881 Outside the United States Warranty Coverage C...

Page 15: ...Foundry AR Series Router User Guide 1 6 2004 Foundry Networks Inc June 2004...

Page 16: ...es the bundle dallas Standard commands are used to configure the system Following each standard command is a brief description a list of parameters and definitions a syntax and usage example a list of...

Page 17: ...ng enclosed in the angled brackets Example 1 Normal type only In this example the user enters the word or argument module appearing in the syntax in normal type Syntax module Command execution module...

Page 18: ...1000 diff 100 dis 10 1 100 22 a b c Normal brackets indicate optional keywords or arguments A vertical bar separates individual settings Example In this example the user enters the word timeout must...

Page 19: ...back several commands type Ctrl P repeatedly until the desired previous command appears Or you may go directly back to the main CLI prompt from anywhere in the command hierarchy by typing Ctrl Z Figu...

Page 20: ...Question Mark Help Screen To view help information for a command category specific command or a parameter type the associated word followed by a space and a question mark For example if you type a que...

Page 21: ...other network hosts access to the save commands from anywhere in the CLI ensures that your configurations may be saved periodically NAME xcli This is root and not a command SYNTAX COMMANDS cr DESCRIPT...

Page 22: ...on feature is not currently available for global commands show configuration Select type of configuration Hit Tab dir CONTENTS OF flash1 size date time name 6467513 FEB 04 2004 13 51 22 AR0x_ x 677126...

Page 23: ...Foundry AR Series Router User Guide 2 8 2004 Foundry Networks Inc June 2004...

Page 24: ...ides information about routing policy commands that are supported by Foundry configure policy This command provides access to the next level commands related commands configure policy as_path configur...

Page 25: ...on It is an integer ranging from 0 to 65536 the Foundry regular expression matcher is AS number based Any number of AS path access list lines may be declared They are evaluated in the order declared I...

Page 26: ...es as well If the exact match keyword is used then it must contai8n exactly the same communities as listed The communities parameter can be local_as no_advertise no_export aa nn an integer between 0 a...

Page 27: ...list extended_community 100 1 deny community 44 45 local_as aa_nn 400 500 no_advertise applicable systems All models community_list Extended community list number The range is 100 199 community_index...

Page 28: ...55 232592 no_advertise example Foundry AR1208 configure policy community_list standard_community 90 150 permit community 42949672 no_advertise applicable systems All models community_list Extended com...

Page 29: ...matched in a similar fashion That is the route is matched if the address part matches and the bits in the mask that are not covered by one bits in net mask are equal to the corresponding bits in mask...

Page 30: ...works Inc 3 7 example Foundry AR1208 configure policy ip_access_list 1 1 permit network 10 0 0 0 netmask 0 255 255 255 mask 255 0 0 0 maskmask 0 255 255 255 This example restricts the prefixes to 10 0...

Page 31: ...s if one of its deny clauses matches Matching proceeds sequentially and stops at the first match If the route_map succeeds the actions specified by the set statements in the matched clause are perform...

Page 32: ...Policy Commands June 2004 2004 Foundry Networks Inc 3 9 related commands applicable systems All models configure policy route_map commit configure policy route_map match configure policy route_map set...

Page 33: ...configure policy route_map match This command accesses next level commands for configuring the policy for matching parameters of the routes related commands configure policy route_map match as_path co...

Page 34: ...ess lists Parameter Description syntax no policy match as_path path_list n example Foundry AR1208 configure policy route_map Block100 1 match as_path 1 related commands applicable systems All models p...

Page 35: ...h community This command matches any of the specified BGP community lists syntax no policy match community example Foundry AR1208 configure policy route_map Block100 1 match community related commands...

Page 36: ...e prefix against any of the specified IP access lists Parameter Description syntax no match ip ip_address ip_list n example Foundry AR1208 configure policy route_map Block100 1 match ip ip_address 20...

Page 37: ...el commands to set parameters for the routes related commands configure policy route_map set as_path configure policy route_map set community configure policy route_map set distance configure policy r...

Page 38: ...0 1 set as_path prepend 100 250 tag 0 related commands applicable systems All models prepend AS path access list Enter a list of numbers The range is 1 65535 the maximum list size is 32 tag Set tag as...

Page 39: ...le Foundry AR1208 configure policy route_map Block100 1 set community aa nn 500 60 related commands applicable systems All models number Community number unsigned The range is 1 4294967294 The maximum...

Page 40: ...xample Foundry AR1208 configure policy route_map Block100 1 set distance 20 related commands applicable systems All models distance Default preference value The range is 0 255 configure policy route_m...

Page 41: ...cal_preference n example Foundry 1450configure policy route_map Block100 1 set local_preference 50 related commands applicable systems All models local_preference Preference value The range is 1 42929...

Page 42: ...c n example Foundry AR1208 configure policy route_map Block100 1 set metric 120 related commands applicable systems All models metric Metric value The range is 1 4294967294 configure policy route_map...

Page 43: ...ample Foundry AR1208 configure policy route_map Block100 1 set metric_type internal related commands applicable systems All models type Internal internal Use the IGP metric as the MED for BGP configur...

Page 44: ...syntax no set origin origin egp igp incomplete example Foundry AR1208 configure policy route_map Block100 1 set origin igp applicable systems All models related commands origin egp EGP protocol igp IG...

Page 45: ...Foundry AR Series Router User Guide 3 22 2004 Foundry Networks Inc June 2004...

Page 46: ...ms that a route goes through to reach its destination Loops are detected and avoided by checking for your own AS number in the AS path s received from neighboring autonomous systems Every time a BGP p...

Page 47: ...This eases interoperation with Exterior Gateway Protocols EGPs which can tag OSPF routes with AS numbers Meshed networks OSPF provides the ability to support complex meshed networks The following feat...

Page 48: ...f RIP The network path is limited to 15 hops A destination with a greater number of hops is considered unreachable The time required to determine a next hop and bandwidth could be substantial in a lar...

Page 49: ...clearly defined perimeter inside secure building and locked equipment closets Increasingly companies have a need to provide remote access to their corporate resources for the employees on the move Tra...

Page 50: ...commands to clear bgp configuration settings clear ip bgp This command provides access to the following next level commands syntax clear ip bgp related commands example Foundry AR1208 clear ip bgp app...

Page 51: ...undry Networks Inc June 2004 clear ip bgp all This command removes all BGP neighbor connections syntax clear ip bgp all example Foundry AR1208 clear ip bgp all related commands applicable systems All...

Page 52: ...GP group Parameter Description syntax clear ip bgp group group_name name example Foundry AR1208 clear ip bgp group north In this example all BGP connections that belong to neighbor group north will be...

Page 53: ...ax clear ip bgp neighbor ip_address IP address remote_as n example Foundry AR1208 clear ip bgp neighbor 10 1 1 1 200 related commands applicable systems All models ip_address The IP address of the nei...

Page 54: ...is chapter contains routing commands that are not protocol specific These commands can be used interchangeably with the three routing protocols supported by Foundry configure router This command provi...

Page 55: ...04 Foundry Networks Inc June 2004 configure router routerid This command configures a router for routing operation syntax no router routerid IP address example Foundry AR1208 configure router routerid...

Page 56: ...the network mask network Network IP address Enter an IP address mask Network mask Enter a netmask address protocol all All protocols bgp Border Gateway protocol BGP connected Connected routes ospf Op...

Page 57: ...ted ip routes issue the show ip routes connected command example To display static routes issue the show ip routes static command example To display RIP routes issue the show ip routes rip command exa...

Page 58: ...commands listed below Parameter Description syntax no router bgp as_number n example Foundry AR1208 configure router bgp 10 related commands applicable systems All models as_number The number of an a...

Page 59: ...and the AS path is truncated when the aggregate is formed generate_summary_only summary_only Filters more specific routes from updates Suppresses transmission of any contributing routes if an aggrega...

Page 60: ...gure Commands June 2004 2004 Foundry Networks Inc 7 3 applicable systems All models configure router bgp default_metric configure router bgp group configure router bgp neighbor configure router bgp re...

Page 61: ...is done on paths within the same autonomous system This command allows the comparison to be made for paths received from other autonomous systems syntax no always_compare_med example Foundry AR1208 c...

Page 62: ...stributed routes Parameter Description syntax no default_metric default_metric n example Foundry AR1208 configure router bgp 10 default_metric 2000 related commands applicable systems All models defau...

Page 63: ...e Distance Values How Route is Learned Default Preferenc e Command to Modify Default Preference Directly connected network 0 Not configurable Static 1 Not configurable OSPF non external route 10 confi...

Page 64: ...ription syntax no group name name group_type external external_rt internal internal_ rt example Foundry AR1208 configure router bgp 10 group toronto internal related commands applicable systems All mo...

Page 65: ..._option out example Foundry AR1208 configure router bgp 10 group toronto internal distribute_list 101 out related commands applicable systems All models access_list IP access list number The range is...

Page 66: ...out example Foundry AR1208 configure router bgp 10 group toronto internal filter_list 103 out related commands applicable systems All models access list AS path access list The range is 1 199 filter_...

Page 67: ...ll peers in the group syntax next_hop_self example Foundry AR1208 configure router bgp 10 group blue external next_hop_self related commands applicable systems All models configure router bgp group di...

Page 68: ...word md5_password string example Foundry AR1208 configure router bgp 10 group toronto internal password rt56htd related commands applicable systems All models md5_password TCP MD5 password string for...

Page 69: ...that are sent out syntax no remove_private_AS example Foundry AR1208 configure router bgp 10 group toronto internal remove_private_AS related commands applicable systems All models configure router b...

Page 70: ...e_map route_map name route_map_options out example Foundry AR1208 configure router bgp 10 group toronto internal route_map foo out related commands applicable systems All models route_map Route map na...

Page 71: ...p neighbor default_originate configure router bgp neighbor description configure router bgp neighbor distribute_list configure router bgp neighbor ebgp_multihop configure router bgp neighbor filter_li...

Page 72: ...BGP4 Configure Commands June 2004 2004 Foundry Networks Inc 7 15 applicable systems All models configure router bgp redistribute...

Page 73: ...d configures the minimum time interval for sending BGP route updates Parameter Description syntax no advertisement_interval advertisement_interval n example Foundry AR1208 configure router bgp 10 neig...

Page 74: ...bgp neighbor allowbadid This command permits BGP sessions to be established with routers that represent their router ID as 0 0 0 0 or 255 255 255 255 syntax no allowbadid example Foundry AR1208 config...

Page 75: ...hbor default_originate This command sends the default route to the neighbor Parameter Description syntax no default_originate route_map name example Foundry AR1208 configure router bgp 10 neighbor 101...

Page 76: ...This command describes or identifies a neighbor router Parameter Description syntax no description neighbor_description string example Foundry AR1208 configure router bgp 10 neighbor 101 101 1 2 4 des...

Page 77: ...gures filter updates to or from this neighbor Parameter Description syntax no distribute_list access_list n filter_option in example Foundry AR1208 configure router bgp 10 neighbor 101 101 1 2 4 distr...

Page 78: ...tworks Inc 7 21 configure router bgp neighbor ebgp_multihop This command configures multihop EBGP on a neighbor syntax no ebgp_multihop example Foundry AR1208 configure router bgp 10 neighbor 101 101...

Page 79: ...command configures BGP filters Parameter Description syntax no filter_list access_list n access_list_option in example Foundry AR1208 configure router bgp 10 neighbor 101 101 1 2 4 filter_list 103 in...

Page 80: ...p This command configures neighbor route storage options Parameter Description syntax keep keep_option all none example Foundry AR1208 configure router bgp 10 neighbor 10 10 20 1 2 keep all applicable...

Page 81: ...June 2004 configure router bgp neighbor logupdown This command configures logging of established state transition changes of a neighbor syntax no logupdown example Foundry AR1208 configure router bgp...

Page 82: ...utes to be accepted If the neighbor sends more prefixes than are configured the connection to this neighbor will be broken Parameter Description syntax maximum_prefix prefix_number n example Foundry A...

Page 83: ...ighbor_group This command configures a neighbor to a specific group Parameter Description syntax no neighbor_group neighbor_group name example Foundry AR1208 configure router bgp 10 neighbor 101 101 1...

Page 84: ...s Inc 7 27 configure router bgp neighbor next_hop_self This command disables the next hop calculation for this neighbor syntax next_hop_self example Foundry AR1208 configure router bgp 10 neighbor 10...

Page 85: ...ord This command configures a password for md5 authentication Parameter Description syntax md5_password string example Foundry AR1208 configure router bgp 10 neighbor 10 10 20 1 2 md5_password asdf ap...

Page 86: ...under the group tree for applying route_map to a group of neighbors in the outbound direction Parameter Description syntax no route_map route_map name route_map_options in example Foundry AR1208 confi...

Page 87: ...timers for a neighbor peer The holdtime timer value is calculated as three times the value of the keepalive timer Parameter Description syntax no timers keepalive n example Foundry AR1208 configure ro...

Page 88: ...GP TCP connections for a specified neighbor as the IP address specified instead of the IP address of a physical interface This address will be used as the source address for routing updates syntax no...

Page 89: ...s exported some protocols may provide additional policy features that allow the suppression of protocol routes related commands related commands configure router bgp redistribute connected configure r...

Page 90: ...o redistribute connected metric n route_map name example Foundry AR1208 configure router bgp 10 redistribute connected metric 5000 related commands applicable systems All models metric Default metric...

Page 91: ...tion syntax no redistribute ospf metric n route_map name example Foundry AR1208 configure router bgp 10 redistribute ospf metric AR1208 related commands applicable systems All models metric The defaul...

Page 92: ...no redistribute rip metric n route_map name example Foundry AR1208 configure router bgp 10 redistribute rip route_map east8 related commands applicable systems All models metric The default metric The...

Page 93: ...iption syntax no redistribute static metric n route_map name example Foundry AR1208 configure router bgp 10 redistribute static metric 25 related commands applicable systems All models metric The defa...

Page 94: ...NOTE The CLI commands show and display can be used interchangeably show ip bgp This command accesses the following next level display show commands related commands show ip bgp aggregate_address show...

Page 95: ...f configured aggregate addresses Parameter Description syntax show ip bgp aggregate_address address IP address mask subnet mask example Foundry AR1208 show ip bgp aggregate_address address 100 12 23 0...

Page 96: ...p bgp community aa nn 0 999 number Community number enter a list of unsigned numbers The maximum list size is 10 The range is 1 4294967294 aa nn Community number in aa nn format Enter a list of string...

Page 97: ...nd Origin Codes Status codes valid The table entry is valid best The table entry is the best entry to use for that network i internal The table entry was learned via an internal BGP session Origin cod...

Page 98: ...June 2004 2004 Foundry Networks Inc 8 5 show ip bgp groups This command provides information about BGP groups syntax show ip bgp groups name example Foundry AR1208 show ip bgp groups north applicable...

Page 99: ...d transmit updates BGP state status TCP connection active or inactive Parameter Description syntax show ip bgp neighbors group name address IP address routes advertised_routes received_routes example...

Page 100: ...local AS The local AS number of the neighbor link Identifies the link as internal or external BGP version Identifies the BGP version local router ID BGP identifier of the local router remote router ID...

Page 101: ...8 2004 Foundry Networks Inc June 2004 applicable systems All models updates Number of sent BGP updates Maximum prefixes The maximum number of prefixes that can be received from this neighbor Table 8 3...

Page 102: ...plicable systems All models Table 2 Interpreting BGP Paths term hash An area where path IP addresses are stored refcount The number of routes using a specific path path The AS path and origin for that...

Page 103: ...his command displays routes matching the regular expression Parameter Description syntax show ip bgp regexp reg_exp string example Foundry AR1208 show ip bgp regexp 600 applicable systems All models r...

Page 104: ...p bgp summary applicable systems All models Table 8 4 Header Definitions BGP router identifier The local router ID IP address local AS number The local AS number V BGP version spoken by a specific nei...

Page 105: ...e table syntax show ip bgp table example Foundry AR1208 show ip bgp table applicable systems All models Table 8 5 Status and Origin Codes Status codes valid The table entry is valid i internal The tab...

Page 106: ...Foundry Networks Inc 8 13 show policy This command provides access to the following next level policy display commands related commands show policy as_path show policy community_list show policy ip_a...

Page 107: ...n syntax show policy as_path access_list n example Foundry AR1208 show policy as_path related commands applicable systems All models access_list The access list number The range is 1 199 show policy c...

Page 108: ...on syntax show policy community_list community n example Foundry AR1208 show policy community_list related commands applicable systems All models community The community list number The range is 1 199...

Page 109: ...dry 1450 show policy ip_access_list related commands applicable systems All models number IP access list number The range is 1 99 show policy as_path show policy community_list show policy route_map s...

Page 110: ...tax show policy route_map name example Foundry AR1208 show policy route_map related commands applicable systems All models name The name of the route map show policy as_path show policy community_list...

Page 111: ...Foundry AR Series Router User Guide 8 18 2004 Foundry Networks Inc June 2004...

Page 112: ...mismatch even though the adjacency will come up route reachability issues may develop When the IP address is specified for a bundle and you later want to change the network type on that bundle to broa...

Page 113: ...outing syntax router ospf example Foundry AR1208 configure router ospf related commands applicable systems All models configure router ospf 1583Compatability configure router ospf area configure route...

Page 114: ...f all routers in an OSPF domain should be configured the same The default is 1583Compatibility disabled syntax 1583Compatibility example Foundry AR1208 configure router ospf 1583Compatibility related...

Page 115: ...ed commands applicable systems All models area_id OSPF area id Enter either a decimal number or an IP address configure router ospf area area_type configure router ospf area default_cost configure rou...

Page 116: ...el commands for configuring an area type related commands related commands applicable systems All models configure router ospf area area_type normal configure router ospf area area_type nssa configure...

Page 117: ...area area_type normal This command specifies an area area type as normal syntax area_type normal example Foundry AR1208 configure router ospf area 0 area_type normal related commands applicable syste...

Page 118: ...n area type as nssa not so stubby area syntax area_type nssa example Foundry AR1208 configure router ospf area 1 area_type nssa related commands related commands applicable systems All models configur...

Page 119: ...ure router ospf area area_type nssa no_summary This command prevents an nssa area boundary router from sending summary link advertisements into an nssa area syntax no_summary example Foundry AR1208 co...

Page 120: ...external advertisements Stub areas reduce the amount of memory required on stub area routers syntax no area_type stub example Foundry AR1208 configure router ospf area 1 area_type stub related command...

Page 121: ...igure router ospf area area_type stub no_summary This command prevents an area boundary router from sending summary link advertisements into the stub area syntax no_summary example Foundry AR1208 conf...

Page 122: ...te sent into a stub area Parameter Description syntax default_cost n example Foundry AR1208 configure router ospf area 1 default_cost 10 related commands applicable systems All models default_cost Ent...

Page 123: ...range networknumber IP address mask netmask advertise_enum advertise not_advertise example Foundry AR1208 configure router ospf area 0 range 100 1 0 0 255 255 0 0 advertise related commands applicable...

Page 124: ...ID and the virtual link neighbor s router ID Parameter Description syntax no virtual_link IP address example Foundry AR1208 configure router ospf area 1 virtual_link 100 10 1 5 related commands appli...

Page 125: ...dry AR1208 configure router ospf area 1 virtual_link 100 10 1 5 authentication simple Foundry related commands applicable systems All models authentication type simple Uses a text password that is imb...

Page 126: ...example Foundry AR1208 configure router opsf area 1 virtual_link 100 10 1 5 dead_interval 10 related commands applicable systems All models dead_interval The time in seconds The value configured must...

Page 127: ...ter ospf area 1 virtual_link 100 10 1 5 hello_interval 10 related commands applicable systems All models hello_interval The time in seconds The value configured must be the same for all routers and se...

Page 128: ...1208 configure router ospf area 1 virtual_link 100 10 1 5 retransmit_interval 5 related commands applicable systems All models retransmit_interval The time in seconds The configured value must be grea...

Page 129: ...f area 1 virtual_link 100 10 1 5 transmit_delay 1 related commands applicable systems All models transmit_delay The time in seconds Link state advertisements in the update packet are aged by this amou...

Page 130: ...ds to configure OSPF administrative distances for routes related commands related commands applicable systems All models configure router ospf distance ospf configure router ospf 1583Compatability con...

Page 131: ...figure router ospf distance ospf This command accesses next level commands that configure OSPF administrative distances based on route type related commands applicable systems All models configure rou...

Page 132: ...range is 1 255 the default is 150 Table 9 1 Default Route Preference Administrative Distance Values How Route is Learned Default Preference Command to Modify Default Preference Directly connected net...

Page 133: ...intra area routes The range is 1 255 the default is 10 Table 9 2 Default Route Preference Administrative Distance Values How Route is Learned Default Preference Command to Modify Default Preference D...

Page 134: ...r frame relay use The range is 16 1022 there is no default area_id OSPF area ID Enter either a decimal number or an IP address configure router ospf 1583Compatibility configure router ospf area config...

Page 135: ...ation type simple Simple password authentication md5 MD5 authentication md5_cisco Cisco compatible md5 authentication line A 16 character maximum password string beginning with an alpha character conf...

Page 136: ...cost of sending packets on a particular OSPF interface The range is 1 65535 the default is computed based on the interface bandwidth configure router ospf interface authentication configure router os...

Page 137: ...x no dead_interval n example Foundry AR1208 configure router ospf interface dead_interval 50 related commands applicable systems All models dead_interval Time in seconds The range is 1 65535 the defau...

Page 138: ...ello_interval 30 related commands applicable systems All models hello_interval Time in seconds The default is 10 the range is 1 65535 configure router ospf interface authentication configure router os...

Page 139: ...ds applicable systems All models ip address The IP address of the neighbor router priority Sets the router priority for a non broadcast neighbor The range is 0 255 the default is 1 configure router os...

Page 140: ...cast related commands interface type network type default PPP HDLC point to point Ethernet broadcast Frame Relay point to point network type broadcast Configures network type to broadcast multi access...

Page 141: ...Foundry AR Series Router User Guide 9 30 2004 Foundry Networks Inc June 2004 applicable systems All models...

Page 142: ...ospf interface toBoston poll_interval 15 related commands applicable systems All models poll_interval The time in seconds The range is 0 2147483647 the default is 120 configure router ospf interface...

Page 143: ...nds applicable systems All models priority Number that specifies the router priority This is only used in non point to point networks The range is 0 255 the default is 1 configure router ospf interfac...

Page 144: ...ndry AR1208 configure router ospf interface toBoston retransmit_interval 60 related commands applicable systems All models seconds Time in seconds between retransmission It must be conservatively set...

Page 145: ...related commands applicable systems All models seconds Time in seconds Usage of this command is most appropriate for low speed links The range is 1 65535 the default is 1 configure router ospf interfa...

Page 146: ...1208 configure router ospf redistribute related commands related commands applicable systems All models configure router ospf redistribute bgp configure router ospf redistribute connected configure ro...

Page 147: ...tag n example Foundry AR1208 configure router ospf redistribute bgp as_number 10 related commands applicable systems All models as_number Autonomous system number The range is 1 65535 metric OSPF def...

Page 148: ...metric n metric_type n route_map name tag n example Foundry AR1208 configure router ospf redistribute connected related commands applicable systems All models metric OSPF default metric The range is 0...

Page 149: ...metric_type n route_map name tag n example Foundry AR1208 configure router ospf redistribute rip related commands applicable systems All models metric OSPF default metric The range is 0 16777214 the...

Page 150: ...tric_type n route_map name tag n example Foundry AR1208 configure router ospf redistribute static related commands applicable systems All models metric OSPF default metric The range is 1 16777214 the...

Page 151: ...tiple high bandwidth links Parameter Description syntax ref_bw n example Foundry AR1208 configure router ospf ref_bw 100000 related commands applicable systems All models reference_bandwidth Reference...

Page 152: ..._delay 20 related commands applicable systems All models timers spf_delay Delay between receiving a change to the SPF calculation The range is 1 65535 the default is 5 spf_holdtime The hold time betwe...

Page 153: ...Foundry AR Series Router User Guide 9 42 2004 Foundry Networks Inc June 2004...

Page 154: ...how and display can be used interchangeably show ip ospf area This command displays configuration information about an OSPF area Parameter Description syntax area area_id example Foundry AR1208 show i...

Page 155: ...undry Networks Inc June 2004 related commands applicable systems All models show ip ospf global show ip ospf database show ip ospf interface show ip ospf neighbor show ip ospf retransmission_list show...

Page 156: ...stems All models show ip ospf database all show ip ospf database asbr_summary show ip ospf database database_summary show ip ospf database external show ip ospf database network show ip ospf database...

Page 157: ...related commands applicable systems All models area_id OSPF area ID Enter either a decimal number or an IP address advt_rtr OSPF advertisement router Enter an IP address link_id OSPF link state ID En...

Page 158: ...how ip ospf database asbr_summary related commands applicable systems All models area_id OSPF area ID Enter either a decimal number or an IP address advt_rtr OSPF advertisement router Enter an IP addr...

Page 159: ...pf database database_summary related commands applicable systems All models show ip ospf database all show ip ospf database asbr_summary show ip ospf database external show ip ospf database network sh...

Page 160: ...show ip ospf database external related commands applicable systems All models area_id OSPF area ID Enter either a decimal number or an IP address advt_rtr OSPF advertisement router Enter an IP address...

Page 161: ...08 show ip ospf database network related commands applicable systems All models area_id OSPF area ID Enter either a decimal number or an IP address advt_rtr OSPF advertisement router Enter an IP addre...

Page 162: ...08 show ip ospf database nssa_external related commands applicable systems All models area_id OSPF area ID Enter either a decimal number or an IP address advt_rtr OSPF advertisement router Enter an IP...

Page 163: ...stems All models area_id OSPF area ID Enter either a decimal number or an IP address advt_rtr OSPF advertisement router Enter an IP address link_id OSPF link state ID Enter an IP address show ip ospf...

Page 164: ...08 show ip ospf database self_originate related commands applicable systems All models area_id OSPF area ID Enter either a decimal number or an IP address show ip ospf database all show ip ospf databa...

Page 165: ...AR1208 show ip ospf database summary related commands applicable systems All models area_id OSPF area ID Enter either a decimal number or an IP address advt_rtr OSPF advertisement router Enter an IP...

Page 166: ...show ip ospf interface show ip ospf neighbor show ip ospf retransmission_list show ip ospf request_list show ip ospf virtual_links show ip ospf global Routing Process ospf 30583 with ID 10 1 1 1 It i...

Page 167: ...erfaces syntax interface example Foundry AR1208 show ip ospf interface related commands related commands applicable systems All models show ip ospf interface all show ip ospf interface bundle show ip...

Page 168: ...terface all This command displays configuration information about all configured OSPF interfaces syntax interface all example Foundry AR1208 show ip ospf interface all related commands applicable syst...

Page 169: ...pf interface bundle This command displays configuration information about an OSPF bundle syntax interface bundle name pvc n example Foundry AR1208 show ip ospf interface bundle Boise related commands...

Page 170: ...ce ethernet This command displays OSPF configuration information about an Ethernet interface syntax interface ethernet n example Foundry AR1208 show ip ospf interface ethernet 1 related commands appli...

Page 171: ...rs syntax neighbor example Foundry AR1208 show ip ospf neighbor related commands related commands applicable systems All models show ip ospf neighbor detail show ip ospf neighbor id show ip ospf neigh...

Page 172: ...This command displays detailed OSPF configuration information about all neighbors syntax neighbor detail example Foundry AR1208 show ip ospf neighbor detail related commands applicable systems All mo...

Page 173: ...This command displays OSPF configuration information about a specific neighbor syntax neighbor id IP address example Foundry AR1208 show ip ospf neighbor id 10 3 1 2 related commands applicable syste...

Page 174: ...ds that display OSPF configuration information about all neighbors in an interface syntax neighbor interface ethernet n bundle name pvc n example Foundry AR1208 show ip ospf neighbor interface etherne...

Page 175: ...r interface bundle This command displays information about an OSPF neighbors on a bundle interface syntax neighbor interface bundle name pvc n example Foundry AR1208 show ip ospf neighbor interface bu...

Page 176: ...ce ethernet This command displays configuration information about a neighbor on an Ethernet interface syntax neighbor interface ethernet n example Foundry AR1208 show ip ospf neighbor interface ethern...

Page 177: ...spf neighbor list This command displays a list of neighbors attached to this router syntax neighbor list example Foundry AR1208 show ip ospf neighbor list related commands applicable systems All model...

Page 178: ...list of the specified neighbor syntax request_list IP address example Foundry AR1208 show ip ospf request_list 10 10 10 1 related commands applicable systems All models show ip ospf area show ip ospf...

Page 179: ...ransmission list of the specified neighbor syntax retransmission_list IP address example Foundry AR1208 show ip ospf retransmission_list 10 10 10 1 related commands applicable systems All models show...

Page 180: ...ut configured OSPF virtual links syntax virtual_links IP address example Foundry AR1208 show ip ospf virtual_links related commands applicable systems All models show ip ospf area show ip ospf global...

Page 181: ...Foundry AR Series Router User Guide 10 28 2004 Foundry Networks Inc June 2004...

Page 182: ...hapter 11 RIP Configure Commands Use RIP configure commands to configure all RIP parameters NOTE See the command configure interface loopback in the Command Reference Guide Domestic Products for impor...

Page 183: ...syntax no router rip example Foundry AR1208 configure router rip related commands applicable systems All models configure router rip default_metric configure router rip distance configure router rip...

Page 184: ...oundry AR1208 configure router rip default_metric 4 This example configures the default metric to 4 related commands applicable systems All models metric Default metric The range is 1 4294967294 the d...

Page 185: ...es How Route is Learned Default Preferenc e Command to Modify Default Preference Directly connected network 0 Not configurable Static 1 Not configurable OSPF internal route 10 configure router ospf di...

Page 186: ...ure router rip interface name dlci n example Foundry AR1208 configure router rip interface ethernet0 This example configures the Ethernet 0 interface for RIP related commands applicable systems All mo...

Page 187: ...ax no authentication auth_type line example Foundry AR1208 configure router rip interface ethernet1 authentication md5 mymd5keyvalue This example configures RIP interface Ethernet 1 for MD5 authentica...

Page 188: ...Foundry AR1208 configure router rip interface ethernet0 distribute_list 2 in This example sets access list 2 to be used for all inbound routes for this interface related commands applicable systems A...

Page 189: ...ip interface ethernet0 metric 3 This example configures the RIP routes metric for interface Ethernet 0 to 3 related commands applicable systems All models metric Default metric The range is 1 42949672...

Page 190: ...syntax no mode n example Foundry AR1208 configure router rip interface ethernet0 mode 1 This example configures interface Ethernet 0 for RIP version 1 related commands applicable systems All models mo...

Page 191: ...Parameter Description syntax no neighbor ip_address example Foundry AR1208 configure router rip interface ethernet0 neighbor 192 168 31 2 This example configures IP address 192 168 31 2 as a RIP neig...

Page 192: ...rface syntax no passive example Foundry AR1208 configure router rip interface ethernet1 passive This example configures interface Ethernet 1 to listen only mode related commands applicable systems All...

Page 193: ...onfigure router rip interface ethernet0 split_horizon simple This example configures interface Ethernet 0 to do simple split horizon related commands applicable systems All models splitval Split horiz...

Page 194: ...escription syntax no mode n example Foundry AR1208 configure router rip mode 3 related commands applicable systems All models mode Enter a mode value 1 RIP version 1 2 RIP version 2 default 3 RIP vers...

Page 195: ...is router will be sent in several small intervals instead on one burst This is useful when the number of routes to be sent is large more than 1000 syntax no pacing example Foundry AR1208 configure rou...

Page 196: ...on a specific interface by configuring RIP mode for that specific interface syntax no passive example Foundry AR1208 configure router rip passive This example configures all RIP interfaces to listen o...

Page 197: ...lowing next level commands that configure the system to use RIP updates to redistribute routes learned from other routing protocols related commands applicable systems All models configure router rip...

Page 198: ...x redistribute bgp as_number metric n example Foundry AR1208 configure router rip redistribute bgp 1 related commands applicable systems All models as_number Autonomous system number The range is 1 65...

Page 199: ...iption syntax no redistribute connected metric n example Foundry AR1208 configure router rip redistribute connected This example configures RIP to redistribute connected routes related commands applic...

Page 200: ...outes Parameter Description syntax no redistribute ospf metric n example Foundry AR1208 configure router rip redistribute ospf related commands applicable systems All models metric Default metric The...

Page 201: ...iption syntax no redistribute static metric n example Foundry AR1208 configure router rip redistribute static This example configures RIP to redistribute static routes related commands applicable syst...

Page 202: ...igure router rip timers This command accesses the following next level commands that configure the global RIP timers related commands applicable systems All models configure router rip timers flush co...

Page 203: ...g table This value should be configured to be greater than the configured holddown time value Parameter Description syntax no flush time n example Foundry AR1208 configure router rip timers flush 300...

Page 204: ...ld be configured to be at least twice the value of the update timers Parameter Description syntax no holddown time n example Foundry 140 configure router rip timers holddown 200 This example configure...

Page 205: ...conds for sending periodic RIP updates Parameter Description syntax no update time n example Foundry AR1208 configure router rip timers update 45 This example globally configures RIP updates to occur...

Page 206: ...2004 2004 Foundry Networks Inc 12 1 Chapter 12 RIP show Commands Use RIP display show commands to display all configured RIP information NOTE The CLI commands show and display can be used interchange...

Page 207: ...oundry Networks Inc June 2004 show ip rip This command accesses the following next level commands that display more specific information related commands applicable systems All models show ip rip glob...

Page 208: ...mode distance default metric and timers for RIP syntax show ip rip global example Foundry AR1208 show ip rip global related commands applicable systems All models show ip rip interface show ip rip ro...

Page 209: ...the following next level commands that display configuration information about mode metric authentication split horizon and routers for the RIP interface related commands applicable systems All model...

Page 210: ...ax show ip rip interface all example Foundry AR1208 show ip rip interface all related commands applicable systems All models show ip rip interface bundle show ip rip interface ethernet show ip rip int...

Page 211: ...w ip rip interface bundle name example Foundry AR1208 show ip rip interface bundle Dallas related commands applicable systems All models bundle_name The name of the desired bundle Enter a string of up...

Page 212: ...ip rip interface ethernet 0 1 example Foundry AR1208 show ip rip interface ethernet0 related commands applicable systems All models show ip rip interface all show ip rip interface bundle show ip rip i...

Page 213: ...number or bad routes received and the number of triggered updates sent syntax show ip rip interface statistics example Foundry AR1208 show ip rip interface statistics related commands applicable syste...

Page 214: ...IP statistics such as route changes and queries syntax show ip rip statistics example Foundry AR1208 show ip rip statistics related commands applicable systems All models show ip rip global show ip ri...

Page 215: ...Foundry AR Series Router User Guide 12 10 2004 Foundry Networks Inc June 2004...

Page 216: ...ions regex A regex is a character string containing one of the following AS Path Terms A term is one of the following 690 Matches only the specific AS path 690 690 Matches any AS path containing 690 6...

Page 217: ...ger matches m or more repetitions of term term m A term followed by m where m is a positive integer matches m or more repetitions of term term A term followed by matches zero or more repetitions of te...

Page 218: ...modes of PIM protocol Dense mode DM and Sparse mode SM Foundry supports SM only PIM DM floods multicast traffic throughout the network initially and then generates prune messages as required PIM SM at...

Page 219: ...e ip pim rp switch immediate Configure Threshold for DR Foundry configure ip pim threshold dr bps Configure Threshold for RP Foundry configure ip pim threshold rp bps Configure to calculate whole pack...

Page 220: ...igure PIM interface hello interval Foundry configure ip pim interface wan1 hello interval time Configure PIM interface Join Prune Delay Timeout Foundry configure ip pim interface wan1 join prune timeo...

Page 221: ...other multicast routers This reporting system allows distribution trees to be formed to deliver multicast datagrams The original version of IGMP was defined in RFC 1112 Host Extensions for IP Multicas...

Page 222: ...ulticast traffic to the host only if its is from a specific source IGMP Commands The IGMP commands supported are TABLE 6 IGMP COMMANDS Enabling igmp Foundry configure ip igmp Disabling igmp Foundry co...

Page 223: ...forwards it to the previous hop The first hop router the router that believes that packets from the source originate on one of its directly connected networks changes the packet type to indicate a re...

Page 224: ...load balancing but variable path MTUs variable latencies and debugging can limit the effectiveness of these methods The following methods have been developed to deal with the load balancing limitatio...

Page 225: ...nce both unicast and multicast IP packets appear to the IPSec protocol as IP unicast frame after GRE tunneling If all connectivity must go through the home gateway router tunnels also enable the use o...

Page 226: ...nabling Security Features The advanced VPN and firewall advance_vpn license allows users to manage remote LANs This license also includes Basic VPN and Firewall licenses To see the license available i...

Page 227: ...ally an always on Internet connection One of the main limitations in providing remote access is the typical remote user connects with a dynamically assigned IP address provided by the ISP IPSec uses t...

Page 228: ...also provide WINS and DNS server addresses Upon successful IKE authentication of a VPN client the server checks whether the IKE policy used to authenticate the VPN client is enabled for mode configura...

Page 229: ...untrusted Router1 configure ip route 10 0 2 0 24 wan1 Router1 configure crypto Router1 configure crypto ike policy Router2 172 16 0 2 Router1 configure crypto ike policy Router2 172 16 0 2 local addre...

Page 230: ...Initiate PFS is not enabled Shared Key is Local ident 172 16 0 1 ip address Remote Ident 172 16 0 2 ip address Proposal of priority 1 Encryption algorithm 3des Hash Algorithm sha1 Authentication Mode...

Page 231: ...Any Source ip address ip mask port 172 16 0 1 255 255 255 255 any Destination ip address ip mask port 10 0 2 0 255 255 255 0 any Proposal of priority 1 Protocol esp Mode tunnel Encryption Algorithm a...

Page 232: ...it Router1 configure firewall internet Router1 configure firewall internet policy 1001 in service snmp self Router1 configure firewall internet policy 1001 in exit Router1 configure firewall internet...

Page 233: ...abled Rpc Filter is disabled Nat is disabled Bytes In 0 Bytes Out 0 Policy with Priority 1002 is enabled Direction is inbound Action permit Traffic is self Logging is disable Source Address is any Des...

Page 234: ...figure snmp community public rw Router1 configure snmp exit Router1 show snmp communities Community public privilege rw Router1 show crypto ike sa all Policy Peer State Bytes Transform Router2 172 16...

Page 235: ...ident ip mask port 10 0 2 0 255 255 255 0 any Remote ident ip mask port 172 16 0 1 255 255 255 255 any Peer Address is 172 16 0 1 PFS Group is disabled inbound ESP sas Spi 0xe8453c2b Transform aes128...

Page 236: ...gure interface bundle wan1 encapsulation ppp Router1 configure interface bundle wan1 ip address 172 16 0 1 24 Router1 configure interface bundle wan1 crypto untrusted Router1 configure interface bundl...

Page 237: ...outer2 172 16 0 2 proposal 1 Router1 configure crypto ike policy Router2 172 16 0 2 proposal 1 encryption al algorithm 3des cbc Router1 configure crypto ike policy Router2 172 16 0 2 proposal 1 exit R...

Page 238: ...Router1 configure crypto ipsec policy Router2 172 16 0 2 match address 10 0 1 0 24 10 0 2 0 24 Default proposal created with priority1 esp 3des sha1 tunnel and activated Router1 configure crypto ipsec...

Page 239: ...1 Protocol esp Mode tunnel Encryption Algorithm aes256 key length 256 bits Hash Algorithm sha1 Lifetime in seconds 3600 Lifetime in Kilobytes 4608000 Policy name INRouter2 is enabled Direction is inbo...

Page 240: ...IT SE Router1 show firewall policy internet detail Policy with Priority 1000 is enabled Direction is inbound Action permit Traffic is self Logging is disable Source Address is any Dest Address is any...

Page 241: ...l policies in the corp map applicable only if firewall license is enabled Router1 show firewall policy corp Advanced S Self Traffic F Ftp Filter H Http Filter R Rpc Filter N Nat Ip Nat Pool L Logging...

Page 242: ...ss is any Dest Address is any Source Port is any Dest Port is any any Schedule is disabled Ftp Filter is disabled Smtp Filter is disabled Http Filter is disabled Rpc Filter is disabled Nat is disabled...

Page 243: ...1 show crypto ike sa all Policy Peer State Bytes Transform Router2 172 16 0 2 SA_MATURE 1796 pre g1 3des sha1 Router1 show crypto ike sa all detail Crypto Policy name Router2 Remote ident 172 16 0 2 P...

Page 244: ...posal As a result of quick mode negotiation the two routers are expected to converge on a mutually acceptable proposal which is the proposal IPSec ESP with AES 256 bit and HMAC SHA1 in this example Ro...

Page 245: ...Router1 configure interface bundle wan1 encapsulation ppp Router1 configure interface bundle wan1 ip address 172 16 0 1 24 Router1 configure interface bundle wan1 crypto untrusted Router1 configure i...

Page 246: ...72 16 0 2 proposal 1 Router1 configure crypto ike policy Router2 172 16 0 2 proposal 1 encryption al gorithm 3des cbc Router1 configure crypto ike policy Router2 172 16 0 2 proposal 1 exit Router1 con...

Page 247: ...nd activated Router1 configure crypto ipsec policy Router2 172 16 0 2 proposal 1 Router1 configure crypto ipsec policy Router2 172 16 0 2 proposal 1 encryption algorithm des cbc Router1 configure cryp...

Page 248: ...al of priority 1 Protocol esp Mode tunnel Encryption Algorithm des Hash Algorithm sha1 Lifetime in seconds 3600 Lifetime in Kilobytes 4608000 Proposal of priority 2 Protocol esp Mode tunnel Encryption...

Page 249: ...any PERMIT SE Router1 show firewall policy internet detail Policy with Priority 1000 is enabled Direction is inbound Action permit Traffic is self Logging is disable Source Address is any Dest Addres...

Page 250: ...s in the corp map applicable only if firewall license is enabled Router1 show firewall policy corp Advanced S Self Traffic F Ftp Filter H Http Filter R Rpc Filter N Nat Ip Nat Pool L Logging E Policy...

Page 251: ...any Dest Address is any Source Port is any Dest Port is any any Schedule is disabled Ftp Filter is disabled Smtp Filter is disabled Http Filter is disabled Rpc Filter is disabled Nat is disabled Bytes...

Page 252: ...show crypto ike sa all Policy Peer State Bytes Transform Router2 172 16 0 2 SA_MATURE 1796 pre g1 3des sha1 Router1 show crypto ike sa all detail Crypto Policy name Router2 Remote ident 172 16 0 2 Pe...

Page 253: ...P tunnel with AES256 and HMAC SHA1 Router1 show crypto ipsec sa all detail Crypto Policy name INRouter2 Protocol is Any Local ident ip mask port 10 0 2 0 255 255 255 0 any Remote ident ip mask port 10...

Page 254: ...configure interface bundle wan1 link t1 1 Router1 configure interface bundle wan1 encapsulation ppp Router1 configure interface bundle wan1 ip address 172 16 0 1 24 Router1 configure interface bundle...

Page 255: ...t proposal created with priority1 des sha1 pre_shared g1 Key String has to be configured by the user Router1 configure crypto dynamic ike policy sales remote id email id mike abc corp com mike New use...

Page 256: ...de pre shared key DH Group group1 Lifetime in seconds 86400 Lifetime in kilobytes unlimited Router1 configure crypto dynamic ipsec policy sales Router1 configure crypto dynamic ipsec policy sales matc...

Page 257: ...key length 256 bits Hash Algorithm sha1 Lifetime in seconds 3600 Lifetime in Kilobytes 4608000 Policy INsales is enabled User group name sales Direction is inbound Action is Apply Key Management is A...

Page 258: ...H Http Filter R Rpc Filter N Nat Ip Nat Pool L Logging E Policy Enabled M Smtp Filter Pri Dir Source Addr Destination Addr Sport Dport Proto Action Advanced Router1 show firewall policy internet deta...

Page 259: ...cy Step 15 Display firewall policies in the corp map applicable only if firewall license is enabled Router1 configure firewall corp Router1 configure firewall corp policy 1000 in user group sales addr...

Page 260: ...Dest Address is any Source Port is any Dest Port is any any Schedule is disabled Ftp Filter is disabled Smtp Filter is disabled Http Filter is disabled Rpc Filter is disabled Nat is disabled Bytes In...

Page 261: ...lients Client Address Client Id Policy Advanced 192 168 107 105 david abc corp sales UserGrp Router1 show crypto ike sa all Policy Peer State Bytes Transform Router1 show crypto ike sa all detail Cryp...

Page 262: ...er IP header will carry the dynamic IP address assigned by the Internet Service Provider as the source address The security requirements are as follows Phase 1 3DES with SHA1 Mode Configuration Phase...

Page 263: ...ndle Router1 configure interface bundle wan1 link t1 1 Router1 configure interface bundle wan1 encapsulation ppp Router1 configure interface bundle wan1 ip address 172 16 0 1 24 Router1 configure inte...

Page 264: ...les added with priority1 3des sha1 tunnel Router1 configure crypto dynamic ike policy sales remote id email mike abc corp com Router1 configure crypto dynamic ike policy sales key secretkeyforsales Ro...

Page 265: ...hm 3des Hash Algorithm sha1 Authentication Mode pre shared key DH Group group1 Lifetime in seconds 86400 Lifetime in kilobytes unlimited Router1 configure crypto Router1 configure crypto dynamic Route...

Page 266: ...rotocol is Any Source ip address ip mask port 10 0 1 0 255 255 255 0 any Destination ip address ip mask port any any any Proposal of priority 1 Protocol esp Mode Tunnel Encryption Algorithm aes256 key...

Page 267: ...mtp Filter is disabled Http Filter is disabled Rpc Filter is disabled Nat is disabled Bytes In 0 Bytes Out 0 Policy with Priority 1024 is enabled Direction is outbound Action permit Traffic is self Lo...

Page 268: ...Dest Address is any Source Port is any Dest Port is any any Schedule is disabled Ftp Filter is disabled Smtp Filter is disabled Http Filter is disabled Rpc Filter is disabled Nat is disabled Bytes In...

Page 269: ...david abc corp sales 20 1 1 1 ModecfgGrp Router1 show crypto ike sa all Policy Peer State Bytes Transform sales 192 168 107 105 SA_MATURE 2052 pre g1 3des sha1 Router1 show crypto ike sa all detail C...

Page 270: ...st IP Spi Bytes Transform INsales 172 16 0 1 0xbba97427 840 esp aes sha1 tunl sales 192 168 107 105 0xcb0e23f3 560 esp aes sha1 tunl Router1 Router1 show crypto ipsec sa all detail Crypto Policy name...

Page 271: ...94 220 192 168 55 75 40 1 1 0 Foundry configure terminal Foundry configure interface bundle wan1 Foundry configure interface bundle wan1 link t1 1 Foundry configure interface bundle wan1 encapsulatio...

Page 272: ...et Broadcast 103 1 1 255 Maximum Transfer Unit 1476 bytes Source Address 192 168 94 220 Destination Address 192 168 55 75 Gateway wan1 Protocol GRE Mac Address 00 50 52 60 00 00 Foundry show interface...

Page 273: ...g if exit cisco config ip route 0 0 0 0 0 0 0 0 192 168 55 254 cisco config ip route 10 3 1 0 255 255 255 0 Tunnel0 Foundry configure terminal Foundry configure interface bundle wan1 Foundry configure...

Page 274: ...nfiguration above 2 Add to the Cisco configuration above 3 To verify the OSPF configuration enter Foundry show ip ospf interface all Foundry configure ip route 0 0 0 0 0 0 0 0 192 168 94 254 Foundry c...

Page 275: ...on NAT NAT allows users on the inside of the firewall to use private nonroutable IP addresses which are translated to routable IP addresses at the firewall The firewall manages the address translation...

Page 276: ...2 1 1 24 Foundry configure interface ethernet 0 exit Foundry configure interface ethernet 1 Configuring existing Ethernet interface Foundry configure interface ethernet 1 ip address 10 3 1 1 24 Foundr...

Page 277: ...olicy 1024 out exit Foundry configure firewall corp policy 1021 in deny Foundry configure firewall corp policy 1021 in exit Foundry configure firewall corp object Foundry configure firewall corp objec...

Page 278: ...ewall dmz policy 100 in apply object nat pool ftpsrvr Foundry configure firewall dmz policy 100 in apply object ftp filter putdeny Foundry configure firewall dmz policy 100 in exit Foundry configure f...

Page 279: ...t alarms linemode exit linemode exit t1 module t1 2 alarms thresholds exit thresholds exit alarms linemode exit linemode exit t1 module t1 3 alarms thresholds exit thresholds exit alarms linemode exit...

Page 280: ...ypto trusted exit ethernet interface bundle wan link t1 1 encapsulation ppp ip address 193 168 94 220 255 255 255 0 ip multicast ospfrip2 red exit red icmp exit icmp qos exit qos aaa exit aaa crypto u...

Page 281: ...t policy exit firewall firewall dmz interface ethernet1 object nat pool ftpsrvr static 10 3 1 100 10 3 1 100 ftp filter putdeny deny put mkdir exit object policy 100 in address any any 193 168 94 221...

Page 282: ...port number it allocated to this session Therefore when some server com sends a reply packet to the PC the Foundry system can quickly determine how it needs to re write the packet before transmitting...

Page 283: ...esses are utilized in a better and optimum manner dynamically If a NAT IP address cannot be allocated dynamically at the connection creation time the packet would be dropped Figure 15 6 Dynamic NAT Th...

Page 284: ...7 includes Private network address 10 1 1 1 10 1 1 3 Public NAT IP address range 50 1 1 1 50 1 1 3 To create NAT pool with type static specify the IP address and the ending NAT IP address Add a polic...

Page 285: ...rk address 10 1 1 1 10 1 1 3 PAT address 50 1 1 5 Method 1 Specifying NAT address with the policy command To configure this method of PAT add the policy with the source IP address range then specify t...

Page 286: ...Encryption Algorithms for ESP Block Size Data Encryption Standard DES 56 bits Triple Data Encryption Standard 3DES 168 bits Advanced Encryption Standard AES 128 128 bits Advanced Encryption Standard A...

Page 287: ...user must enter a pre shared key Table 15 3 Authentication Algorithms Authentication Algorithms for AH ESP Hash Size HMAC MD5 96 96 bits HMAC HSHA1 96 96 bits Table 15 4 Diffie Hellman Groups Diffie...

Page 288: ...nagement type Automatic Hash algorithm SAH1 Encryption algorithm 3DES Protocol ESP Mode Tunnel Lifetime in seconds 3600 seconds Lifetime in kilobytes 4608000 Direction Out Position in SPD where policy...

Page 289: ...n Rate Disabled Policing Disabled Bandwidth Disabled Table 15 9 Default Connection Limit by Security Zone Security Zone Maximum Connections Default Corp 1024 outgoing connections User Created Security...

Page 290: ...nce Check Disabled Table 15 11 Tunnel Interface Defaults Parameter Default Value IP Address No Default Tunnel Source No Default Tunnel Destination No Default MTU 1476 Not configurable ICMP unreachable...

Page 291: ...Foundry AR Series Router User Guide 15 66 2004 Foundry Networks Inc June 2004...

Page 292: ...4 conventions manual 3 1 D display show command 4 7 displaying command tree 4 5 E Email Access 3 5 entering commands abbreviated 4 3 context sensitive 4 1 environment 6 2 6 3 G getting command help 4...

Page 293: ...Foundry AR Series Router User Guide Index 2 2004 Foundry Networks Inc June 2004...

Search results

Summary of Contents for AR1202

Reviews:

Related manuals for AR1202

Brands by name

Popular brands

Foundry Networks AR1202, User Manual

Search results

Summary of Contents for AR1202

Reviews:

Related manuals for AR1202

Brands by name

Popular brands