Cabletron Systems GIGAswitch GSR-16 Скачать руководство пользователя страница 278 | Manualshive

Страница: 278 / 346

background image

Chapter 18: Security Configuration Guide

254

DIGITAL GIGAswitch/Router User Reference Manual

Configuring TACACS Plus

You can secure login or Enable mode access to the GSR by enabling a TACACS Plus client.
A TACACS Plus server responds to the GSR TACACS Plus client to provide
authentication.

You can configure up to five TACACS Plus server targets on the GSR. A timeout is set to
tell the GSR how long to wait for a response from TACACS Plus servers.

To configure TACACS Plus security, enter the following commands in Configure mode:

Specify a TACACS Plus server.

tacacs-plus set server

<hostname or IP-addr>

Set the TACACS Plus time to wait
for a TACACS Plus server reply.

tacacs-plus set timeout

<number>

Determine the GSR action if no
server responds.

tacacs-plus set last-resort
password|succeed

Enable TACACS Plus.

tacacs-plus enable

Cause TACACS Plus
authentication at user login or
when user tries to access Enable
mode.

tacacs-plus authentication login|enable

Cause TACACS Plus
authentication at user login or
when user tries to access Enable
mode.

tacacs-plus authentication login|enable

Logs specified types of command
to TACACS Plus server.

tacacs-plus accounting command level
<

level

>

Logs to TACACS Plus server
when shell is stopped or started
on GSR.

tacacs-plus accounting shell
start|stop|all

Logs to TACACS Plus server
SNMP changes to startup or
active configuration.

tacacs-plus accounting snmp
active|startup

Logs specified type(s) of
messages to TACACS Plus server.

tacacs-plus accounting system
fatal|error|warning|info

«
...
276
277
278
279
280
...
»

Содержание GIGAswitch GSR-16

Страница 1: ...ITAL GIGAswitch Router User Reference Manual December 1999 This manual describes how to use the DIGITAL GIGAswitch Router GSR Revision Update Information This is a revised document Part Number 9032684...

Страница 2: ...SHOULD HAVE KNOWN THE POSSIBILITY OF SUCH DAMAGES Copyright 1999 by Cabletron Systems Inc All rights reserved Printed in the United States of America Trademarks Apple AppleTalk and Macintosh are regi...

Страница 3: ...prescribed in the appropriate Terminal Equipment Technical Requirements document s The department does not guarantee the equipment will operate to the user s satisfaction Before installing this equip...

Страница 4: ...s Read the instructions for correct handling Taiwanese Notice Class A Computing Device CE Notice Class A Computing Device Warning This is a Class A product In a domestic environment this product may c...

Страница 5: ...nse Agreement shall be interpreted and governed under the laws and in the state and federal courts of New Hampshire You accept the personal jurisdiction and venue of the New Hampshire courts Exclusion...

Страница 6: ...ceivers use an optical feedback loop to maintain Class 1 operation limits This control loop eliminates the need for maintenance checks or adjustments The output is factory set and does not allow any u...

Страница 7: ...land Conformance to Directive s Product Standards EC Directive 89 336 EEC EC Directive 73 23 EEC EN 55022 EN 50082 1 EN 60950 Equipment Type Environment Networking Equipment for use in a Commercial or...

Страница 8: ......

Страница 9: ...ted Routing Protocols 3 Configuring the DIGITAL GIGAswitch Router 4 Understanding the Command Line Interface 4 Basic Line Editing Commands 4 Access Modes 5 User Mode 6 Enable Mode 7 Configure Mode 9 B...

Страница 10: ...Line Card 25 Hot Swapping One Type of Line Card With Another 25 Hot Swapping a Secondary Control Module 26 Deactivating the Control Module 26 Removing the Control Module 27 Installing the Control Modu...

Страница 11: ...ring Layer 2 Filters 40 Monitoring Bridging 41 Configuration Examples 42 Creating an IP or IPX VLAN 42 Creating a non IP non IPX VLAN 42 Chapter 4 SmartTRUNK Configuration Guide 43 Overview 43 Configu...

Страница 12: ...Configuring IP Services ICMP 65 Configuring IP Helper 65 Configuring Direct Broadcast 66 Configuring Denial of Service DOS 66 Monitoring IP Parameters 66 Configuring Router Discovery 67 Configuration...

Страница 13: ...er Non Broadcast Multiple Access 95 Monitoring OSPF 95 OSPF Configuration Examples 97 Exporting All Interface Static Routes to OSPF 97 Exporting All RIP Interface Static Routes to OSPF 98 Chapter 10 B...

Страница 14: ...nfiguring Simple Routing Policies 148 Redistributing Static Routes 148 Redistributing Directly Attached Networks 149 Redistributing RIP into RIP 149 Redistributing RIP into OSPF 149 Redistributing OSP...

Страница 15: ...172 Exporting All RIP Interface Static Routes to OSPF 173 Chapter 12 Multicast Routing Configuration Guide 177 IP Multicast Overview 177 IGMP Overview 177 DVMRP Overview 178 Configuring IGMP 179 Conf...

Страница 16: ...NAT 205 Dynamic Configuration 206 Using Dynamic NAT 206 Dynamic NAT with IP Overload PAT Configuration 207 Using Dynamic NAT with IP Overload 208 Dynamic NAT with Outside Interface Redundancy 208 Usin...

Страница 17: ...8 Configuring IPX Addresses to Ports 228 Configuring IPX Interfaces for a VLAN 228 Specifying IPX Encapsulation Method 228 Configuring IPX Routing 229 Enabling IPX RIP 229 Enabling SAP 229 Configuring...

Страница 18: ...Configuring TACACS Plus 254 Monitoring TACACS Plus 255 Configuring Passwords 255 Layer 2 Security Filters 255 Configuring Layer 2 Address Filters 256 Configuring Layer 2 Port to Address Lock Filters 2...

Страница 19: ...N Configuration Guide 279 RMON Overview 279 Configuring and Enabling RMON 280 Example of RMON Configuration Commands 280 RMON Groups 281 Lite RMON Groups 282 Standard RMON Groups 282 Professional RMON...

Страница 20: ...ofile 304 Applying a Service Profile to an Active Frame Relay WAN Port 304 Monitoring Frame Relay WAN Ports 305 Frame Relay Port Configuration 305 Point to Point Protocol PPP Overview 307 Use of LCP M...

Страница 21: ...k administrator responsible for configuring and monitoring the GSR How to Use This Manual If You Want To See Read overview information Chapter 1 DIGITAL GIGAswitch Router Product Overview Hot swap lin...

Страница 22: ...onfigure Network Address Translation Chapter 14 Network Address Translation Configuration Guide Configure web hosting Chapter 15 Web Hosting Configuration Guide Configure IPX routing Chapter 16 IPX Ro...

Страница 23: ...ation refer to the DIGITAL Network Products Home Page on the World Wide Web located at the following addresses For Information About See the Installing and setting up the GSR DIGITAL GIGAswitch Router...

Страница 24: ...ve please provide the following information Your Name Your Company Name Address Email Address Phone Number FAX Number Detailed description of the issue including history what you ve tried and conditio...

Страница 25: ...tering and Quality of Service QoS features enabled by the software You do not need to accept performance compromises to run QoS or access control lists ACLs The following table lists the basic hardwar...

Страница 26: ...ication flows Up to 800 000 Layer 2 MAC addresses 20 000 Layer 2 security and access control filters Routing protocols IP RIP v1 v2 OSPF BGP 2 3 4 IPX RIP SAP Multicast IGMP DVMRP Bridging and VLAN pr...

Страница 27: ...nformation Protocol RIP Version 1 2 Chapter 6 IP Routing Configuration Guide describes these protocols in detail Exterior gateway protocol Border Gateway Protocol BGP Version 2 3 4 Chapter 10 BGP Conf...

Страница 28: ...derstanding the Command Line Interface The GSR Command Line Interface CLI provides access to several different command modes Each command mode provides a group of related commands This chapter describ...

Страница 29: ...gure mode first enter Enable mode enable command then enter the configure command from the Enable command prompt When you are in Configure mode the command prompt ends with config Boot This mode appea...

Страница 30: ...tup configuration file in the Control Module s boot flash and therefore are not reinstated after a reboot User Mode After you log in to the GSR you are automatically in User mode The User commands ava...

Страница 31: ...gn gs r aging Show L2 and L3 Aging information cli Modify the command line interface behavior dvmrp Show DVMRP related parameters enable Enable privileged user mode exit Exit current mode file File ma...

Страница 32: ...d parameters ip policy Show IP policy information ip redundancy Show IP Redundancy information VRRP ip router Show unicast IP Routing related parameters ipx Show IPX related parameters l2 tables Show...

Страница 33: ...ollowing example smarttrunk Show SmartTRUNK information snmp Show SNMP related parameters statistics Show or clear GSR statistics stp Show STP status system Show system wide parameters tacacs Show TAC...

Страница 34: ...erface parameters pvst Configure Per Vlan Spanning Tree Protocol PVST qos Configure Quality of Service parameters radius Configure RADIUS related parameters rate limit Configure rate limits for flows...

Страница 35: ...line of the active configuration to disable a feature or function which has been enabled For example Spanning Tree Protocol is disabled by default If after enabling Spanning Tree Protocol on the DIGI...

Страница 36: ...on commands in any order even when dependencies exist When you activate the commands in the scratchpad the GSR sorts out the dependencies and executes the command in the proper sequence Loading System...

Страница 37: ...image file the GSR will use the next time you reboot the switch Here is an example 6 Enter the system image list command to verify the change Note You do not need to activate this change gs r system i...

Страница 38: ...nal memory in the Control Module Here is an example 4 Enter the system show version command to verify that the new boot PROM software is on the internal memory of the Control Module Activating the Con...

Страница 39: ...SR However if you power down or reboot the GSR the new changes are lost Use the following procedure to save the changes into the Startup configuration file so that the GSR reinstates the changes when...

Страница 40: ...rder that they are executed To display the configuration commands in a different order enter the following command in Configure mode Whenever you have activated commands in the scratchpad you can comp...

Страница 41: ...uring DNS Connecting between the GSR and other systems Setting the GSR Name The GSR name is set to gs r by default You may customize the name for the GSR by entering the following command in Configure...

Страница 42: ...clock enter the following command in Configure mode Configuring the GSR CLI You can customize the CLI display format to a desired line length or row count To configure the CLI terminal display enter t...

Страница 43: ...ts up to four telnet sessions You can immediately end a particular telnet session for example an unauthorized user is logged in to the GSR To end a user s telnet session first determine the session ID...

Страница 44: ...er you add configuration items and commit them to the active configuration you can display them using the following commands Configure a Syslog server system set syslog server hostname or IPaddr level...

Страница 45: ...rmation system show hardware Show the GSR s location system show location Show the GSR login banner system show login banner Show the GSR name system show name Show the type of Power On Self Test POST...

Страница 46: ...ct Overview 22 DIGITAL GIGAswitch Router User Reference Manual Show GSR uptime system show uptime Show the current Telnet connections to the GSR system show users Show the software version running on...

Страница 47: ...move or install line cards without switching off or rebooting the GSR Swapped in line cards are recognized by the GSR and begin functioning immediately after they are installed On the GSR 8 and GSR 16...

Страница 48: ...Use the system hotswap out command in the CLI For example to deactivate the line card in slot 7 enter the following command in Enable mode After you enter this command the Offline LED on the line card...

Страница 49: ...ard is installed the GSR recognizes and activates it The Online LED button lights Hot Swapping One Type of Line Card With Another You can hot swap one type of line card with another type For example y...

Страница 50: ...ually slot CM contains the primary Control Module and slot CM 1 contains the secondary Control Module On the primary Control Module the Online LED is lit and on the secondary Control Module the Offlin...

Страница 51: ...both the upper and lower tracks 2 Tighten the captive screws on each side of the Control Module or line card to secure it to the chassis On a line card the Online LED lights indicating it is now acti...

Страница 52: ...ric Module Figure 3 Location of Offline LED and Hot Swap button on a Switching Fabric Module To remove the Switching Fabric Module 1 Loosen the captive screws on each side of the Switching Fabric Modu...

Страница 53: ...t a transparently bridged network into virtual local area networks VLANs based on physical ports or protocol IP or IPX or bridged protocols like Appletalk Frame filtering based on MAC address for brid...

Страница 54: ...perform both types of bridging at the same time The GSR performance is equivalent when performing flow based bridging or address based bridging However address based bridging is more efficient because...

Страница 55: ...AC address based VLANs In this type of VLAN each switch or a central VLAN information server keeps track of all MAC addresses in a network and maps them to VLANs based on information configured by the...

Страница 56: ...database which determines the VLAN to which the frame belongs For example you could set up a policy which creates a special VLAN for all email traffic between the management officers of a company so t...

Страница 57: ...that belong to different subnets should be routed The GSR switching routers use VLANs to achieve this behavior This means that a L3 subnet i e an IP or IPX subnet is mapped to a VLAN A given subnet m...

Страница 58: ...1 is classified as belonging to VLAN IP_VLAN Trunk ports 802 1Q are usually used to connect one VLAN aware switch to another They carry traffic belonging to several VLANs For example suppose that GSR...

Страница 59: ...xample the following illustration shows a GSR with traffic being sent from port A to port B port B to port A port B to port C and port A to port C The corresponding bridge tables for address based and...

Страница 60: ...you want spanning tree enabled Adjusting Spanning Tree Parameters You may need to adjust certain spanning tree parameters if the default values are not suitable for your bridge configuration Paramete...

Страница 61: ...er the bridge s priority the more likely the bridge will be selected as the root bridge This priority is determined by default however you can change it To set the bridge priority enter the following...

Страница 62: ...he interval between hello time To adjust this interval enter the following command in Configure mode Defining the Forward Delay Interval The forward delay interval is the amount of time spent listenin...

Страница 63: ...a Port or Protocol Based VLAN To create a VLAN enter the following command in Configure mode Adding Ports to a VLAN To add ports to a VLAN enter the following command in Configure mode Set the defaul...

Страница 64: ...s for details Configuring Layer 2 Filters Layer 2 security filters on the GSR allow you to configure ports to filter specific MAC addresses When defining a Layer 2 security filter you specify to which...

Страница 65: ...provides display of bridging statistics and configurations contained in the GSR To display bridging information enter the following commands in Enable mode Show IP routing table ip show routes Show a...

Страница 66: ...nnected to port gi 1 1 2 on the GSR need to communicate with clients connected to et 4 1 8 You can associate all the ports containing the clients and servers to an IP VLAN called BLUE First create an...

Страница 67: ...n devices are aggregated into a single logical high speed path that acts as a single link Traffic is balanced across all interfaces in the combined link increasing overall available system bandwidth S...

Страница 68: ...ontrol protocol is to be used If you are connecting the SmartTRUNK to another GSR or to other DIGITAL devices such as the DIGITAL GIGAswitch Router specify the DEC Hunt Group Control Protocol The DEC...

Страница 69: ...onfigure mode Specify Traffic Distribution Policy Optional The default policy for distributing traffic across the ports in a SmartTRUNK is round robin where the GSR selects the port on a rotating basi...

Страница 70: ...out all SmartTRUNKs and the control protocol used smarttrunk show trunks Display statistics on traffic distribution on SmartTRUNK smarttrunk show distribution smarttrunk list all smarttrunks Display i...

Страница 71: ...s the configuration for the Cisco 7500 router The following is the configuration for the Cisco Catalyst 5K switch Cisco 7500 Router Router R1 Cisco Catalyst 5K Switch Server Switch S2 10 1 1 1 24 st 1...

Страница 72: ...protocol huntgroup smarttrunk add ports et 1 1 2 to st 1 smarttrunk add ports et 2 1 2 to st 2 smarttrunk add ports et 3 1 2 to st 3 interface create ip to cisco address netmask 10 1 1 2 24 port st 1...

Страница 73: ...lar IP address is valid for a system is called a lease The GSR maintains a lease database which contains information about each assigned IP address the MAC address to which it is assigned the lease ex...

Страница 74: ...cessed through a single port you can also define multiple scopes on the same interface and group the scopes together into a superscope Configuring an IP Address Pool To define a pool of IP addresses t...

Страница 75: ...on different subnets that all are accessed through the same GSR port In this case scopes that use the same interface must be grouped together into a superscope To attach a scope to a superscope enter...

Страница 76: ...cp global set commit interval command to specify this interval the default is one hour To force the DHCP server to immediately update its lease database enter the following command in Enable mode Moni...

Страница 77: ...0 1 1 10 through 10 1 1 20 6 Define another IP address pool for addresses 10 1 1 40 through 10 1 1 50 7 Define a static IP address for 10 1 7 5 8 Define another static IP address for 10 1 7 7 and give...

Страница 78: ...e it must be a router on the client s local subnet The following example shows a simple configuration to support secondary subnets 10 1 x x and 10 2 x x 1 Define the network parameters for scope1 with...

Страница 79: ...connected clients on a secondary subnet you must configure the secondary subnet using the interface add ip command The interface add ip command configures a secondary address for an interface that wa...

Страница 80: ...he client must be capable of reaching the GSR s DHCP server The GSR must also be capable of reaching the client s network The route must be configured with static routes for example or learned with RI...

Страница 81: ...DIGITAL GIGAswitch Router User Reference Manual 57 DHCP Configuration Examples 4 Define the address pool for scope1 dhcp scope1 define pool 10 5 1 10 10 5 1 20...

Страница 82: ......

Страница 83: ...uch as TCP or UDP interoperate over a routed network The Transmission Control Protocol TCP is built upon the IP layer TCP is a connection oriented protocol that specifies the data format buffering and...

Страница 84: ...s before routing activities can begin A routing process listens to updates from other routers on these networks and broadcasts its own routing information on those same networks The GSR supports the f...

Страница 85: ...epresenting multiple subnets connected to the physical port To configure an IP interface to a port enter one of the following commands in Configure mode Configuring IP Interfaces for a VLAN You can co...

Страница 86: ...mines the associated MAC address Once a media or MAC address is determined the IP address media address association is stored in an ARP cache for rapid retrieval Then the IP datagram is encapsulated i...

Страница 87: ...he mappings of MAC addresses to IP addresses Specifying IP Interfaces for RARP To specify the interfaces that the RARP server on the GSR should respond to enter the following command in Configure mode...

Страница 88: ...s To configure DNS servers enter the following command in Configure mode You can also specify a domain name for the GSR The domain name is used by the GSR to respond to DNS requests To configure a dom...

Страница 89: ...roadcast packets with that destination port number will be forwarded By default if no UDP port number is specified the GSR will forward UDP broadcast packets for the following six services BOOTP DHCP...

Страница 90: ...e if directed broadcast is not enabled on the interface where the packet is received You can disable this feature causing directed broadcast packets to be processed on the GSR even if directed broadca...

Страница 91: ...4 0 0 1 by default You can specify that broadcast be used even if IP multicasting is available When router advertisements are sent to the all hosts multicast address or an interface is configured for...

Страница 92: ...an IP interface RED to physical port et 3 4 perform the following Define IP address to be included in router advertisements rdisc add address hostname or ipaddr Enable router advertisement on an inte...

Страница 93: ...er become isolated on the network VRRP provides a way to ensure the availability of an end host s default router This is done by assigning IP addresses that end hosts use as their default route to a v...

Страница 94: ...RID 1 Router R1 serves as the Master and Router R2 serves as the Backup The four end hosts are configured to use 10 0 0 1 16 as the default route IP address 10 0 0 1 16 is associated with virtual rout...

Страница 95: ...in Figure 4 The configuration for Router R2 is nearly identical to Router R1 The difference is that Router R2 does not own IP address 10 0 0 1 16 Since Router R2 does not own this IP address it is the...

Страница 96: ...is associated with virtual router VRID 1 and IP address 10 0 0 2 16 is associated with virtual router VRID 2 If Router R1 the Master for virtual router VRID 1 goes down Router R2 would take over the I...

Страница 97: ...o Router R2 is the Master for virtual router VRID 2 Line 4 associates IP address 10 0 0 1 16 with virtual router VRID 1 making Router R2 the Backup for virtual router VRID 1 1 interface create ip test...

Страница 98: ...routers VRID 2 and VRID 3 If Router R2 or R3 were to go down Router R1 would assume the IP addresses associated with virtual routers VRID 2 and VRID 3 Router R2 is the Master for virtual router VRID...

Страница 99: ...255 When a Master router goes down the router with the next highest priority takes over the virtual router If more than one router has the next highest priority the router that has the highest number...

Страница 100: ...uter VRID 1 On line 9 the backup priority for virtual router VRID 3 is set to 100 Since Router R1 s backup priority for this virtual router is 200 Router R1 is the primary Backup and Router R2 is the...

Страница 101: ...routers VRID 1 and VRID 2 Virtual Router Default Priority Configured Priority VRID 1 IP address 10 0 0 1 16 100 200 see line 8 VRID 2 IP address 10 0 0 2 16 255 address owner 255 address owner VRID 3...

Страница 102: ...Backup router enter the following command in Configure mode The priority can be between 1 lowest and 254 The default is 100 The priority for the IP address owner is 255 and cannot be changed Setting...

Страница 103: ...ng command in Configure mode Note If the IP address owner is available then it will always take over as the Master regardless of whether pre empt mode is on or off Setting an Authentication Key By def...

Страница 104: ...ation To display VRRP information enter the following commands in Enable mode Display a message when any VRRP event occurs Disabled by default ip redundancy trace vrrp events enabled Display a message...

Страница 105: ...lt advertisement interval 1 second Default Backup router priority 100 Master down interval time it takes a Backup to detect the Master is down 3 adv interval skew time 3 1 second 256 100 256 3 6 secon...

Страница 106: ...ied in RFC 2338 a Backup router that has transitioned to Master will not respond to pings accept telnet sessions or field SNMP requests directed at the virtual router s IP address Not responding allow...

Страница 107: ...and an integer distance to that network RIP uses a hop count metric to measure the distance to a destination The DIGITAL GIGAswitch Router provides support for RIP Version 1 and 2 The GSR implements p...

Страница 108: ...to inform RIP about attached interfaces To add RIP interfaces enter the following commands in Configure mode Enable RIP rip start Disable RIP rip stop Add interfaces to the RIP process rip add interfa...

Страница 109: ...e to RIP V1 rip set interface interfacename or IPaddr all version 1 Set RIP Version on an interface to RIP V2 rip set interface interfacename or IPaddr all version 2 Specify that RIP V2 packets should...

Страница 110: ...nter the following command in Configure mode For num you must specify a number between 1 and 16 Specify the metric to be used when advertising routes that were learned from other protocols rip set def...

Страница 111: ...P interface policy information rip show interface policy Show detailed information of all RIP packets rip trace packets detail Show detailed information of all packets received by the router rip trace...

Страница 112: ...reate ip GSR1 if1 address netmask 1 1 1 1 16 port et 1 1 Configure rip on GSR 1 rip add interface GSR1 if1 rip set interface GSR1 if1 version 2 rip start Set authentication method to md5 rip set inter...

Страница 113: ...k The GSR supports the following OSPF functions Stub Areas Definition of stub areas is supported Authentication Simple password and MD5 authentication methods are supported within an area Virtual Link...

Страница 114: ...g tasks Enable OSPF Create OSPF areas Create an IP interface or assign an IP interface to a VLAN Add IP interfaces to OSPF areas Configure OSPF interface parameters if necessary Note By default the pr...

Страница 115: ...non broadcast Router dead interval 4 times the hello interval Poll Interval 120 seconds Key chain N A Authentication Method None Enable OSPF state on interface ospf set interface name or IPaddr all s...

Страница 116: ...nto other areas as inter area routes Instead the specified ranges are advertised as summary network LSAs Specify the number of seconds required to transmit a link state update on an OSPF interface osp...

Страница 117: ...or OSPF packets can be specified on a per area basis To configure OSPF area parameters enter the following commands in the Configure mode Create an OSPF area ospf create area area num backbone Add an...

Страница 118: ...ting routes from the routing table into OSPF ASEs To specify AS external link advertisements parameters enter the following commands in the Configure mode Create a virtual link ospf add virtual link n...

Страница 119: ...IP routing table ip show table routing Monitor OSPF error conditions ospf monitor errors destination hostname or IPaddr Show information on all interfaces configured for OSPF ospf monitor interfaces...

Страница 120: ...xported routes Show all OSPF global parameters ospf show globals Show information about OSPF import policies ospf show import policies Show OSPF interfaces ospf show interfaces Shows information about...

Страница 121: ...various IP interfaces interface create ip to r2 address netmask 120 190 1 1 16 port et 1 2 interface create ip to r3 address netmask 130 1 1 1 16 port et 1 3 interface create ip to r41 address netmask...

Страница 122: ...to redistribute these RIP routes as OSPF type 2 routes and associate the tag 100 with them Router R1 would also like to redistribute its static routes as type 2 OSPF routes The interface routes would...

Страница 123: ...pe2 type 2 metric 4 ip router policy create ospf export destination ospfExpDstType2t100 type 2 tag 100 metric 4 ip router policy export destination ripExpDst source ripExpSrc network all ip router pol...

Страница 124: ...RIP ip router policy export destination ripExpDst source statExpSrc network all ip router policy export destination ripExpDst source ripExpSrc network all ip router policy export destination ripExpDs...

Страница 125: ...R2 R3 R41 R42 R6 R11 A r e a B a c k b o n e A r e a 140 1 0 0 RIP V2 140 1 1 1 24 140 1 2 1 24 140 1 5 24 140 1 4 24 190 1 1 1 16 120 190 1 1 16 160 1 5 2 24 R10 R5 R7 202 1 2 2 16 140 1 3 1 24 130...

Страница 126: ......

Страница 127: ...t designed to handle multi AS policy and security issues Similarly using static routes may not be the best choice for exchanging AS AS routing information because there may be a large number of routes...

Страница 128: ...at the GSR Enable prompt VLANs interfaces ACLs and many other GSR configurable entities and functionality can only be configured using the GSR CLI Therefore a gated conf file is dependent upon some G...

Страница 129: ...ary address being 127 0 0 1 is the most preferred candidate for selection as the GSR s router ID If there are no secondary addresses on the loopback interface then the default router ID is set to the...

Страница 130: ...hop received with a route from a peer as a forwarding address and using this to look up an immediate next hop in an IGP s routes Such groups support distant peers but need to be informed of the IGP wh...

Страница 131: ...ways to add BGP peers to peer groups You can explicitly add a peer host or you can add a network Adding a network allows for peer connections from any addresses in the range of network and mask pairs...

Страница 132: ...lement or on a regular expression enclosed in parentheses An AS path operator is one of the following aspath_term m n A regular expression followed by m n where m and n are both non negative integers...

Страница 133: ...rence To export all active routes from 284 or 813 or 814 or 815 or 816 or 3369 or 3561 to autonomous system 64800 ip router policy create bgp import source mciRoutes aspath regular expression 3561 ori...

Страница 134: ...pecific prefix always is preferable On the GSR the number of instances of an AS that are put in the route advertisement is controlled by the as count option of the bgp set peer host command The follow...

Страница 135: ...nship between BGP speakers The first step in creating a BGP neighbor relationship is the establishment of a TCP connection using TCP port 179 between peers A BGP Open message can then be sent between...

Страница 136: ...ress netmask 10 0 0 1 16 port et 1 1 Set the AS of the router ip router global set autonomous system 1 Set the router ID ip router global set router id 10 0 0 1 Create EBGP peer group pg1w2 for peerin...

Страница 137: ...uccessfully provide transit services all EBGP speakers in the transit AS must have a consistent view of all of the routes reachable through their AS Multihomed transit ASs can use IBGP between EBGP sp...

Страница 138: ...s An IBGP Routing group will determine the immediate next hops for routes by using the next hop received with a route from a peer as a forwarding address and using this to look up an immediate next ho...

Страница 139: ...ample BGP configuration that uses the Routing group type Figure 9 Sample IBGP Configuration Routing Group Type GSR6 GSR1 Cisco GSR4 lo0 172 23 1 25 30 10 12 1 6 30 10 12 1 5 30 172 23 1 10 30 172 23 1...

Страница 140: ...we want CISCO to peer with our loopback address This will make sure that the loopback address gets announced into OSPF domain ospf add stub host 172 23 1 26 to area backbone cost 1 ospf set interface...

Страница 141: ...rectly attached to a shared subnet so that like external peers the next hops received in BGP advertisements may be used directly for forwarding All Internal group peers should be L2 adjacent router bg...

Страница 142: ...outer GSR1 is as follows AS 1 GSR2 GSR1 17 122 128 2 24 17 122 128 1 24 16 122 128 1 24 16 122 128 1 24 16 122 128 8 24 16 122 128 9 24 C2 C1 Physical Link Legend Peering Relationship ip router global...

Страница 143: ...update group type internal peeras 1 peer 16 122 128 2 peer 16 122 128 8 peer 16 122 128 9 ip router global set autonomous system 1 bgp create peer group int ibgp 1 type internal autonomous system 1 bg...

Страница 144: ...eighbor 16 122 128 1 remote as 1 neighbor 16 122 128 1 next hop self neighbor 16 122 128 1 soft reconfiguration inbound neighbor 16 122 128 2 remote as 1 neighbor 16 122 128 2 next hop self neighbor 1...

Страница 145: ...nship GSR1 16 122 128 1 16 GSR3 AS 64800 AS 64801 GSR4 GSR2 16 122 128 3 16 17 122 128 3 16 17 122 128 4 16 18 122 128 3 16 18 122 128 4 16 bgp create peer group ebgp_multihop autonomous system 64801...

Страница 146: ...nal peeras 64801 peer 18 122 128 2 gateway 16 122 128 3 static 18 122 0 0 masklen 16 gateway 16 122 128 3 interface create ip to R1 address netmask 16 122 128 3 16 port et 1 1 interface create ip to R...

Страница 147: ...GP configuration where the specific community attribute is used Figure 12 shows a BGP configuration where the well known community attribute is used static 16 122 0 0 masklen 16 gateway 17 122 128 3 b...

Страница 148: ...R11 172 26 1 2 16 172 25 1 2 16 192 168 20 2 16 172 25 1 1 16 1 1 R13 1 6 R10 192 169 20 1 16 192 169 20 2 16 100 200 13 1 24 10 200 15 1 24 1 6 R14 AS 64901 AS 64900 AS 64899 1 6 1 1 1 1 1 3 1 8 ISP1...

Страница 149: ...BGP update If multiple communities are specified in the optional attributes list option only updates carrying all of the specified communities will be matched If well known community none is specified...

Страница 150: ...sequence number 1 ip router policy create bgp import source 901color1 optional attributes list color1 autonomous system 64900 sequence number 1 ip router policy create bgp import source 901color2 opti...

Страница 151: ...nity id 155 autonomous system 64902 ip router policy create bgp import source 902color1 optional attributes list color1 autonomous system 64899 sequence number 1 ip router policy create bgp import sou...

Страница 152: ...This export destination has an identifier 900to899dest ip router policy create bgp export destination 900to899dest autonomous system 64899 optional attributes list color1 ip router policy create bgp e...

Страница 153: ...its neighbor However if a packet is received with this attribute it cannot be transmitted to another BGP peer Well known community no export subconfed Well known community no export subconfed is a spe...

Страница 154: ...on with two autonomous systems The local preference is not set directly in the CLI but rather is a function of the GateD preference and setpref metric The setpref option allows GateD to set the local...

Страница 155: ...ute Figure 13 Sample BGP Configuration Local_Pref Attribute AS 64900 Physical Link Legend Peering Relationship AS 64901 GSR10 Information Flow 10 200 12 1 24 10 200 13 1 24 10 200 14 1 24 10 200 15 1...

Страница 156: ...s For example if the import policy sets GateD preferences ranging from 170 to 200 a setpref metric of 170 would make sense You should set the metric high enough to avoid conflicts between BGP routes a...

Страница 157: ...10 Router GSR4 has the following CLI configuration Router GSR6 has the following CLI configuration bgp create peer group pg752to751 type external autonomous system 64751 bgp add peer host 10 200 12 1...

Страница 158: ...19 199 62 24 port et 1 2 interface create ip xenosite address netmask 212 19 198 1 24 port et 1 7 interface add ip lo0 address netmask 212 19 192 1 30 bgp create peer group webnet type external auton...

Страница 159: ...tion the clients peer with the route reflector and exchange routing information with it In turn the route reflector passes on reflects information between clients The IBGP peers of the route reflector...

Страница 160: ...r and router GSR11 is the route reflector for the second cluster Router GSR10 has router GSR9 as a client peer and router GSR11 as a non client peer The following line in router GSR10 s configuration...

Страница 161: ...2 as shown below bgp set peer group rtr11 reflector client Route Table FIB of Router 8 rtr 8 ip show routes Destination Gateway Owner Netif 10 50 0 0 16 directly connected en 127 0 0 0 8 127 0 0 1 Sta...

Страница 162: ...two or more may also be configured to be reflectors for the same cluster In this case a cluster ID should be selected to identify all reflectors serving the cluster using the clusterid option Gratuit...

Страница 163: ...on autonomous system Source and destination interface Previous hop router Autonomous system path Tag associated with routes Specific destination address The network administrator can specify a prefere...

Страница 164: ...to the same destination in a single routing database The active route is chosen by the lowest preference value A default preference is assigned to each source from which the GSR routing process receiv...

Страница 165: ...ecified using the optional attributes list only updates carrying all of the specified communities will be matched If the specified optional attributes list has the value none for the well known commun...

Страница 166: ...configurable parameter that specifies the default preference associated with routes imported to that protocol If a preference is not explicitly specified with the route filter as well as the import s...

Страница 167: ...t tags All other protocols have a tag of zero In some cases a combination of the associated attributes can be specified to identify the routes to be exported Route Filter This component specifies the...

Страница 168: ...n exact refines between number number Matching usually requires both an address and a mask although the mask is implied in the shorthand forms listed below These three forms vary in how the mask is sp...

Страница 169: ...ctually used for packet forwarding by the originator of the aggregate route but only by the receiver if it wishes Instead of requiring a route peer to know about individual subnets which would increas...

Страница 170: ...e explicitly specified using this component The contributing routes are ordered according to the aggregation preference that applies to them If there is more than one contributing route with the same...

Страница 171: ...d Key Management An authentication key permits the generation and verification of the authentication field in protocol packets In many situations the same primary and secondary keys are used on severa...

Страница 172: ...e exported The values for the to proto parameter can be rip ospf and bgp The network parameter provides a means to define a filter for the routes to be distributed The network parameter defines a filt...

Страница 173: ...wing commands in Configure mode Redistributing RIP into RIP The GSR routing process requires RIP redistribution into RIP if a protocol is redistributed into RIP To redistribute RIP into RIP enter the...

Страница 174: ...gregate route must first be created using the aggr gen command This command creates a specified aggregate route for routes that match the aggregate To redistribute aggregate routes enter one of the fo...

Страница 175: ...1 1 16 port et 1 7 Configure a default route through 170 1 1 7 ip add route default gateway 170 1 1 7 Configure static routes to the 135 3 0 0 subnets reachable through R3 ip add route 135 3 1 0 24 g...

Страница 176: ...hese routes except the default route to all RIP interfaces Example 2 Redistribution into OSPF For all examples given in this section refer to the configurations shown in Figure 18 on page 164 The foll...

Страница 177: ...necting routers R1 and R2 Create the various IP interfaces interface create ip to r2 address netmask 120 190 1 1 16 port et 1 2 interface create ip to r3 address netmask 130 1 1 1 16 port et 1 3 inter...

Страница 178: ...rence to routes learned from a trusted peer Export Policies Advanced export policies can be constructed from one or more of the following building blocks Export Destinations This component specifies t...

Страница 179: ...one or more building blocks they are tied together by the ip router policy export command To create route export policies enter the following command in Configure mode The exp dest id is the identifi...

Страница 180: ...can be done using one of two methods Creating a route filter and associating an identifier with it A route filter has several network specifications associated with it Every route is checked against...

Страница 181: ...an Import Source Import sources specify the routing protocol from which the routes are imported The source may be RIP or OSPF To create an import source enter one of the following commands in Configur...

Страница 182: ...f two methods Creating a route filter and associating an identifier with it A route filter has several network specifications associated with it Every route is checked against the set of network speci...

Страница 183: ...To create an aggregate source enter the following command in Configure mode Examples of Import Policies Example 1 Importing from RIP The importation of RIP routes may be controlled by any of protocol...

Страница 184: ...igure 17 Exporting to RIP Internet R6 R42 R41 R1 R2 R3 R7 135 3 1 1 24 135 3 2 1 24 135 3 3 1 24 140 1 1 4 24 140 1 1 1 24 130 1 1 1 16 130 1 1 3 16 120 190 1 1 16 120 190 1 2 16 202 1 0 0 10 160 1 5...

Страница 185: ...address netmask 170 1 1 1 16 port et 1 7 Configure a default route through 170 1 1 7 ip add route default gateway 170 1 1 7 Configure default routes to the 135 3 0 0 subnets reachable through R3 ip ad...

Страница 186: ...uter R1 has several RIP peers Router R41 has an interface on the network 10 51 0 0 By default router R41 advertises network 10 51 0 0 16 in its RIP updates Router R1 would like to import all routes ex...

Страница 187: ...10 If a tag is specified the import clause will only apply to routes with the specified tag It is only possible to restrict the importation of OSPF ASE routes when functioning as an AS border router L...

Страница 188: ...SPF BGP R1 R2 R3 R41 R42 R6 R11 A r e a B a c k b o n e A r e a 140 1 0 0 RIP V2 140 1 1 1 24 140 1 2 1 24 140 1 5 24 140 1 4 24 190 1 1 1 16 120 190 1 1 16 160 1 5 2 24 R10 R5 R7 202 1 2 2 16 140 1 3...

Страница 189: ...interface create ip to r41 address netmask 140 1 1 1 24 port et 1 4 interface create ip to r42 address netmask 140 1 2 1 24 port et 1 5 interface create ip to r6 address netmask 140 1 3 1 24 port et...

Страница 190: ...ported RIP version 1 assumes that all subnets of the shared network have the same subnet mask so it is only able to propagate subnets of that network RIP version 2 removes that restriction and is capa...

Страница 191: ...h 170 1 1 7 ip add route default gateway 170 1 1 7 Configure default routes to the 135 3 0 0 subnets reachable through R3 ip add route 135 3 1 0 24 gateway 130 1 1 3 ip add route 135 3 2 0 24 gateway...

Страница 192: ...RIP routes 4 Create a Direct export source since we would like to export direct interface routes 5 Create the export policy redistributing the statically created default route and all RIP Direct rout...

Страница 193: ...0 1 1 1 since we intend to change the rip export policy for interface 140 1 1 1 2 Create a Static export source since we would like to export static routes 3 Create a RIP export source since we would...

Страница 194: ...rce of the routes contributing to the aggregate Since in this case we do not care about the source of the contributing routes we would specify the protocol as all 3 Create the aggregate summarized rou...

Страница 195: ...set ase defaults type 1 2 command This may be overridden by a specification in the ip router policy create ospf export destination command OSPF ASE routes also have the provision to carry a tag This...

Страница 196: ...ress netmask 120 190 1 1 16 port et 1 2 interface create ip to r3 address netmask 130 1 1 1 16 port et 1 3 interface create ip to r41 address netmask 140 1 1 1 24 port et 1 4 interface create ip to r4...

Страница 197: ...like to redistribute these RIP routes as OSPF type 2 routes and associate the tag 100 with them Router R1 would also like to redistribute its static routes as type 2 OSPF routes The interface routes...

Страница 198: ...pfExpDstType2 type 2 metric 4 ip router policy create ospf export destination ospfExpDstType2t100 type 2 tag 100 metric 4 ip router policy export destination ripExpDst source ripExpSrc network all ip...

Страница 199: ...o RIP ip router policy export destination ripExpDst source statExpSrc network all ip router policy export destination ripExpDst source ripExpSrc network all ip router policy export destination ripExpD...

Страница 200: ......

Страница 201: ...col IGMP Provides an overview of the GSR s implementation of the Distance Vector Multicast Routing Protocol DVMRP Discusses configuring DVMRP routing on the GSR Discusses configuring IGMP on the GSR I...

Страница 202: ...run both DVMRP and IGMP You can start and stop DVMRP independently from other multicast routing protocols IGMP starts and stops automatically with DVMRP The GSR supports up to 64 multicast interfaces...

Страница 203: ...art the multicast routing protocol i e DVMRP Configuring IGMP on an IP Interface By default IGMP is disabled on the GSR To enable IGMP on an interface enter the following command in Configure mode Con...

Страница 204: ...he per interface membership control enter the following commands in Configure mode Configuring DVMRP You configure DVMRP routing on the GSR by performing the following DVMRP configuration tasks Creati...

Страница 205: ...enter the following command in the Configure mode Configuring DVMRP Parameters In order to support backward compatibility DVMRP neighbor timeout and prune time can be configured on a per interface bas...

Страница 206: ...cted to a site TTL 64 Threshold 64 Application restricted to a region TTL 128 Threshold 128 Application restricted to a continent TTL 255 Application not restricted To configure the TTL Threshold ente...

Страница 207: ...he GSR s multitasking ASICs DVMRP tunnels need to be created before being enabled Tunnels are recognized by the tunnel name Once a DVMRP tunnel is created you can enable DVMRP on the interface The GSR...

Страница 208: ...MRP routing table dvmrp show routes Shows all the interfaces and membership details running IGMP igmp show interface Shows all IGMP group memberships on a port basis igmp show memberships Show all IGM...

Страница 209: ...1 interface create ip test address netmask 10 135 89 10 25 port et 1 8 interface create ip rip address netmask 190 1 0 1 port et 1 4 interface create ip mbone address netmask 207 135 122 11 29 port e...

Страница 210: ......

Страница 211: ...uting allows network managers to engineer traffic to make the most efficient use of their network resources IP policies forward packets based on layer 3 or layer 4 IP header information You can define...

Страница 212: ...l telnet packets going from network 9 1 0 0 16 to network 15 1 0 0 16 You then associate the profile with an IP policy The IP policy specifies what to do with the packets that match the profile For ex...

Страница 213: ...command creates an IP policy called p2 that prevents packets matching prof1 from being forwarded using an IP policy Creating Multi statement IP Policies An IP policy can contain more than one ip poli...

Страница 214: ...o set the load distribution for next hop gateways enter one of the following commands in Configure mode Setting the IP Policy Action You can specify when to apply the IP policy route with respect to d...

Страница 215: ...on Cause packets matching the profile to use the IP policy route first If the next hop gateway is not reachable use the dynamic route instead ip policy name permit acl profile action policy first Rout...

Страница 216: ...IP Policy Configuration Examples This section presents some examples of IP policy configurations The following uses of IP policies are demonstrated Routing traffic to different ISPs Prioritizing servi...

Страница 217: ...the IP policy configuration for the Policy Router in Figure 19 interface create ip user a address netmask 10 50 1 1 16 port et 1 1 interface create ip user b address netmask 11 50 1 1 16 port et 1 2 a...

Страница 218: ...e 20 Using an IP policy to prioritize service to customers Traffic from the premium customer is load balanced across two next hop gateways in the high cost high availability network If neither of thes...

Страница 219: ...cannot be reached packets from the contractors group are dropped Packets from users defined in the full timers group do not have to go through the firewall interface create ip premium customer addres...

Страница 220: ...on One session should always go to a particular firewall for persistence interface create ip mls0 address netmask 10 50 1 1 16 port et 1 1 acl contractors permit ip 10 50 1 0 24 any any any 0 acl full...

Страница 221: ...ave been forwarded to each next hop gateway vlan create firewall vlan add ports et 1 1 5 to firewall interface create ip firewall address netmask 1 1 1 5 16 vlan firewall acl firewall permit ip any an...

Страница 222: ...nformation about IP policies that have been applied to all interfaces ip policy show interface all Clear statistics gathered for IP policies ip policy clear all policy name name all gs r ip policy sho...

Страница 223: ...ents are listed in the order they are evaluated lowest sequence number to highest 12 The rule to apply to the packets matching the profile either permit or deny 13 The name of the profile ACL of the p...

Страница 224: ......

Страница 225: ...in the public global Internet NAT provides the following benefits Limits the number of IP addresses used for private intranets that are required to be registered with the Internet Assigned Numbers Au...

Страница 226: ...l PAT allows port address translation for each address in the global pool The ports are dynamically assigned between the range of 1024 to 4999 Hence you have about 4 000 ports per global IP address Dy...

Страница 227: ...amic address bindings for a specific address pool or delete all dynamic address bindings To set the timeout for dynamic address bindings enter the following command in Configure mode To flush dynamic...

Страница 228: ...ter the following commands in Configure mode Monitoring NAT To display NAT information enter the following command in Enable mode Configuration Examples This section shows examples of NAT configuratio...

Страница 229: ...irst packet is coming from outside to inside This could be the case when you have a server in the local network and clients located remotely Dynamic NAT would not work for this case as bindings are al...

Страница 230: ...cket is sent from a local network as defined by the NAT dynamic local ACl pool The network administrator does not have to worry about the way in which the bindings are created the network administrato...

Страница 231: ...for inside addresses 10 1 1 0 24 to outside address 192 50 20 0 24 The first step is to create the interfaces Next define the interfaces to be NAT inside or outside Then define the NAT dynamic rules b...

Страница 232: ...ed when the flow count goes to zero or the timeout has been reached The removal of bindings frees the port for that global and the port is available for reuse When all the ports for that global are us...

Страница 233: ...le when you have two ISPs connected on two different interfaces to the Internet Through a routing protocol some routes will result in traffic going out of one interface and for others going out on the...

Страница 234: ......

Страница 235: ...the GSR provide ways to improve Web access for external and internal users Load balancing allows incoming HTTP requests to a company s Web site to be distributed across several physical servers If one...

Страница 236: ...iguring load balancing on the GSR 1 Create a logical group of load balancing servers and define a virtual IP for the group 2 Specify the policy for distributing workload for this group of load balanci...

Страница 237: ...ent request directed to the virtual server address it redirects the request to the actual server address and port Server selection is done according to the specified policy To add servers to the serve...

Страница 238: ...addresses to be translated on the GSR It may be undesirable in some cases for a source address to be translated for example when data is to be updated on an individual server Specified hosts can be al...

Страница 239: ...cing information enter the following commands in Enable mode Specify the timeout for source destination mappings load balance set mappings age timer timer Show the groups of load balancing servers loa...

Страница 240: ...g four separate servers as shown below The network shown above can be created with the following load balance commands Router Internet 10 1 1 1 10 1 1 2 10 1 1 3 10 1 1 4 www goodcompany com Web reque...

Страница 241: ...d to the server www quick com ftp quick com User Queries www quick com 10 1 1 2 ftp quick com Domain Name Virtual IP TCP Port Real Server IP TCP Port www quick com 207 135 89 16 80 10 1 1 1 80 ftp qui...

Страница 242: ...he load balance add host to vip range command These two commands combined help ISPs take advantage of web servers like Apache which serve different web pages based on the destination address in the ht...

Страница 243: ...k as cache servers with the GSR s web caching function Configuring Web Caching The following are the steps in configuring Web caching on the GSR 1 Create the cache group a list of cache servers to cac...

Страница 244: ...a specific outbound interface This interface is typically an interface that connects to the Internet Note By default the GSR redirects HTTP requests on port 80 Secure HTTP https requests do not run o...

Страница 245: ...P requests from all hosts in the network are redirected as there are no web cache permit or web cache deny commands Other Configurations This section discusses other commands that may be useful in con...

Страница 246: ...d by the proxy server To redirect HTTP requests to a non standard HTTP port number enter the following command in Configure mode Distributing Frequently Accessed Sites Across Cache Servers The GSR use...

Страница 247: ...Web caching information enter the following commands in Enable mode Show information for all caching policies and all server lists web cache show all Show caching policy information web cache show ca...

Страница 248: ......

Страница 249: ...and SAP perform these Network Layer Task These tasks include addressing routing and switching information packets from one location to another on the internetwork IPX defines internetwork and intrano...

Страница 250: ...ternetwork configuration Routers perform broadcasting whenever they detect a change in the internetwork configurations GSR s RIP implementation follows the guidelines given in Novell s IPX RIP and SAP...

Страница 251: ...ill keep multiple SAPs having the lowest hop count Static SAPs can be configured on the GSR using the CLI s ipx add sap command Through the use of SAP filters the GSR can control the acceptance and ad...

Страница 252: ...nfiguring IPX Interfaces for a VLAN You can configure one IPX interface per VLAN To configure a VLAN with an IPX interface enter the following command in Configure mode Specifying IPX Encapsulation Me...

Страница 253: ...services Configuring Static Routes In a Novell NetWare network the GSR uses RIP to determine the best paths for routing IPX However you can add static RIP routes to RIP routing table to explicitly spe...

Страница 254: ...ricts advertisements or learning of SAP services These lists are used for SAP filters They can also be used for Get Nearest Server GNS replies RIP access control list Restricts advertisements or learn...

Страница 255: ...NS Access Control List IPX GNS access control lists control which SAP services the GSR can reply with to a get nearest server GNS request To create an IPX GNS access control list enter the following c...

Страница 256: ...ts IPX interface information and RIP or SAP routing information To display IPX information enter the following command in Enable mode Create an IPX RIP access control list acl name permit deny ipxrip...

Страница 257: ...x2 address BBBBBBBB port et 1 2 output mac encapsulation ethernet_802 3 Add static route to network 9 ipx add route 9 BBBBBBBB 01 02 03 04 05 06 1 1 Add static sap ipx add sap 0004 FILESERVER1 9 03 04...

Страница 258: ......

Страница 259: ...oing through the router This chapter contains the following sections ACL Basics on page 236 explains how ACLs are defined and how the GSR evaluates them Creating and Modifying ACLs on page 240 describ...

Страница 260: ...owing ACL has a rule that permits all IP packets from subnet 10 2 0 0 16 to go through the GSR Defining Selection Criteria in ACL Rules Selection criteria in the rule describe characteristics about a...

Страница 261: ...specified it is treated as a wildcard or don t care condition However if a field is specified that particular field will be matched against the packet Each protocol can have a number of different fiel...

Страница 262: ...u were to reverse the order of the two rules all TCP packets would be allowed to go through including traffic from subnet 10 2 0 0 16 This is because TCP traffic coming from 10 2 0 0 16 would match th...

Страница 263: ...d to go through The first rule is simply a subset of the second rule To allow packets from subnets other than 10 1 20 0 24 to go through you would have to explicitly define a rule to permit other pack...

Страница 264: ...to accept outside TCP responses into the internal network provided that the TCP connection was initiated internally Otherwise it will be rejected To do this enter the following command in Configure M...

Страница 265: ...caused by the addition of new ACL rules to existing rules Basically the no acl command cleans up the system for the new ACL rules Once the negation command is executed the second and the third comman...

Страница 266: ...from the interface before making changes and reapply it after changes are made The process is automatic Using ACLs It is important to understand that an ACL is simply a definition of packet characteri...

Страница 267: ...herwise the GSR will have to process the packet determine where the packet should go only to find out that the packet should be dropped at the outbound interface In some cases however it may not be si...

Страница 268: ...as Profile ACLs ACLs for non IP protocols cannot be used as Profile ACLs The permit deny keywords while required in the ACL rule definition are disregarded in the configuration commands for the above...

Страница 269: ...0 24 to destination network 15 1 1 0 24 to be forwarded to destination address 10 10 10 10 You use a Profile ACL to define the selection criteria in this case telnet packets travelling from source ne...

Страница 270: ...selection criteria that is traffic from 1 2 2 2 to be restricted to 10 Mbps for each flow If this rate limit is exceeded the packets are dropped When the rate limit definition is applied to an interfa...

Страница 271: ...probe can be attached In addition to mirroring traffic on one or more ports the GSR can mirror traffic that matches selection criteria defined in a Profile ACL For example you can mirror all IGMP traf...

Страница 272: ...t and never to the cache servers The following commands illustrate this example This command creates a Profile ACL called prof4 that uses as its selection criteria all packets with a source address of...

Страница 273: ...Logging is turned on the router prints out a message on the console about whether a packet is forwarded or dropped If you have a Syslog server configured for the GSR the same information will also be...

Страница 274: ...n the system To display ACL information enter the following commands in Enable mode Show all ACLs acl show all Show a specific ACL acl show aclname name all Show an ACL on a specific interface acl sho...

Страница 275: ...he GSR enables Layer 2 security filters Perform filtering on source or destination MAC addresses Layer 3 Access Control Lists Perform filtering on source or destination IP address source or destinatio...

Страница 276: ...rity enter the following commands in Configure mode Specify a RADIUS server radius set server hostname or IP addr Set the RADIUS time to wait for a RADIUS server reply radius set timeout number Determ...

Страница 277: ...vide authentication You can configure up to five TACACS server targets on the GSR A timeout is set to tell the GSR how long to wait for a response from TACACS servers To configure TACACS security ente...

Страница 278: ...eply tacacs plus set timeout number Determine the GSR action if no server responds tacacs plus set last resort password succeed Enable TACACS Plus tacacs plus enable Cause TACACS Plus authentication a...

Страница 279: ...n specify the following security filters Address filters These filters block traffic based on the frame s source MAC address destination MAC address or both source and destination MAC addresses in flo...

Страница 280: ...n MAC address A flow which filters out any frame coming from a specific source MAC address that is also destined to a specific destination MAC address To configure Layer 2 address filters enter the fo...

Страница 281: ...estined to specific destination MAC address will be allowed disallowed or forced to go to a set of ports To configure Layer 2 static entry filters enter the following commands in Configure mode Config...

Страница 282: ...ined to specific destination MAC address to go through To configure Layer 2 secure port filters enter the following commands in Configure mode Monitoring Layer 2 Security Filters The GSR provides disp...

Страница 283: ...is restricted access to one of the finance file servers Note that port et 1 1 should be operating in flow bridging mode for this filter to work Static Entries Example Source static entry The consultan...

Страница 284: ...all other ports enter the following command To allow ONLY the engineering manager access to the engineering servers you must punch a hole through the secure port wall A source static entry overrides...

Страница 285: ...ct Layer 3 traffic going through the GSR Each ACL consists of one or more rules describing a particular type of IP or IPX traffic An ACL can be simple consisting of only one rule or complicated with m...

Страница 286: ......

Страница 287: ...different priority queues from non critical network traffic Once a packet has been identified it can be assigned into any one of four priorities in order to ensure delivery Priority can be allocated...

Страница 288: ...source port UDP TCP destination port TOS Type of Service transport protocol TCP or UDP and a list of incoming interfaces The IPX fields are source network source node destination network destination...

Страница 289: ...idging mode Any source MAC address to a specific destination MAC address Before applying a QoS policy to a layer 2 flow you must first determine whether a port is in address bridging mode or flow brid...

Страница 290: ...ased on specific fields in the IP and IPX headers You can set QoS policies for IP flows based on source IP address destination IP address source TCP UDP port destination TCP UDP port type of service T...

Страница 291: ...the Layer 3 or 4 flow and set the IPX QoS policy 2 Specify the precedence for the fields within an IPX flow Setting an IPX QoS Policy To set a QoS policy on an IPX traffic flow enter the following com...

Страница 292: ...mmand in Configure mode ToS Rewrite In the Internet IP packets that use different paths are subject to delays as there is little inherent knowledge of how to optimize the paths for different packets f...

Страница 293: ...you can access the value in the ToS octet which includes both the Precedence and ToS fields in each packet The upper layer application can then decide how to handle the packet based on either the Pre...

Страница 294: ...only the upper three bits of the ToS byte are changed If you set tos precedence rewrite to any and specify a value for tos rewrite then the upper three bits remain unchanged and the lower five bits a...

Страница 295: ...s the ToS rewrite for the example Monitoring QoS The GSR provides display of QoS statistics and configurations contained in the GSR To display QoS information enter the following commands in Enable mo...

Страница 296: ...nd traffic rate limitations A single rate limiting profile can have multiple ACLs to define different traffic profiles and traffic rate limitations When there are multiple traffic profiles a sequence...

Страница 297: ...1 vlan add ports et 1 2 to client2 vlan add ports et 1 8 to backbone interface create ip ipclient1 vlan client1 address netmask 1 1 1 1 8 interface create ip ipclient2 vlan client2 address netmask 3 3...

Страница 298: ......

Страница 299: ...nd in the CLI Layer 3 and 4 performance statistics are accessible to SNMP through RMON RMON2 and can be displayed by using the statistics show command in the CLI In addition to the monitoring commands...

Страница 300: ...w IP interface s statistics statistics show ip Show unicast routing statistics statistics show ip routing Show IPX statistics statistics show ipx Show IPX interface s statistics statistics show ipx in...

Страница 301: ...ort by port basis You can only configure port mirroring for the entire WAN card Only IP ACLs can be specified for port mirroring Monitoring Broadcast Traffic The GSR allows you to monitor broadcast tr...

Страница 302: ......

Страница 303: ...e management station s processing load are reduced The GSR provides support for both RMON 1 and RMON 2 MIBs as specified in RFCs 1757 and 2021 respectively While non RMON SNMP products allow the monit...

Страница 304: ...mmand to enable RMON on the GSR Example of RMON Configuration Commands The following are examples of the commands to configure and enable RMON on the GSR gs r config show Running system configuration...

Страница 305: ...To specify the support level for RMON groups use the following CLI command line in Configure mode To specify the ports on which RMON is to be enabled use the following CLI command line in Configure mo...

Страница 306: ...Table 6 Lite RMON Groups Group Function EtherStats Records Ethernet statistics for example packets dropped packets sent etc for specified ports Event Controls event generation and the resulting action...

Страница 307: ...trol tables for the data you wish to collect Even if you use the default control tables you can always use the rmon commands to modify control table entries Table 8 Professional RMON Groups Group Func...

Страница 308: ...han the default control tables must be configured with CLI commands as described in Configuring RMON Groups Using RMON RMON on the GSR allows you to analyze network traffic patterns set up alarms to d...

Страница 309: ...only need to turn on the default tables when you specify the RMON groups Lite Standard or Professional you do not need to configure entries in the default tables gs r rmon show protocol distribution e...

Страница 310: ...l action lock wrap slice size number download slice size number download offset number max octets number owner string status enable disable To configure the Filter group you must configure both the Ch...

Страница 311: ...s enable disable To configure the Host group rmon host index index number port port owner string status enable disable To configure the Host Top N entries rmon host top n index index number host index...

Страница 312: ...iguration with the following attributes Index number 20 to identify this entry in the Alarm control table The OID 1 3 6 1 2 1 31 1 5 0 identifies the attribute to be monitored Samples taken at 300 sec...

Страница 313: ...all ports To show all channels rmon show channels To show all filters rmon show filters To show all packet captures and logs rmon show packet capture To display the RMON 2 Protocol Directory rmon show...

Страница 314: ...CLI filter can only be applied to a current Telnet or Console session The following shows Host table output without a CLI filter To show all user history logs rmon show user history To show probe con...

Страница 315: ...ers To see and use RMON CLI filters use the following CLI command in User or Enable mode gs r rmon apply cli filter 4 gs r rmon show hosts et 5 4 RMON I Host Table Filter inpkts 500 Address Port InPkt...

Страница 316: ...e standard professional command 3 Make sure that RMON is enabled on the port for which you want statistics Use the rmon set ports command to specify the port on which RMON will be enabled 4 Make sure...

Страница 317: ...n out of memory Allocating Memory to RMON RMON allocates memory depending on the number of ports enabled for RMON the RMON groups that have been configured and whether or not default tables have been...

Страница 318: ...mmand in User or Enable mode gs r rmon show status RMON Status RMON is ENABLED RMON initialization successful RMON Group Status Group Status Default Lite On Yes Std On Yes Pro On Yes RMON is enabled o...

Страница 319: ...face using two basic protocols Frame Relay and point to point protocol PPP Both protocols have their own set of configuration and monitoring CLI commands described in the DIGITAL GIGAswitch Router Com...

Страница 320: ...LAN interfaces WAN interfaces can have primary and secondary IP addresses For Frame Relay you can configure primary and secondary addresses which are static or dynamic For PPP however the primary addr...

Страница 321: ...dress The following command lines display two examples for Frame Relay The following command line displays two examples for PPP Dynamic Addresses If the peer IP IPX address is unknown you do not need...

Страница 322: ...me Relay VCs and for PPP ports however both ends of a link must be configured to use packet compression Enabling compression on WAN serial links should be decided on a case by case basis Important fac...

Страница 323: ...h compression enabled If this is the situation on your network you should not enable compression histories this applies only to PPP compressions in Frame Relay compression histories are always used Co...

Страница 324: ...there is a limited albeit huge supply Therefore making the most effective use of existing bandwidth is now a more critical issue than ever before The fact that IP communications to the desktop are cle...

Страница 325: ...by specifying source and destination IP addresses with appropriate subnet masks you can achieve your intended level of control Weighted Fair Queueing Through the use of Weighted Fair Queueing QoS poli...

Страница 326: ...sive return to the negotiated information transfer rate upon congestion abatement The CLI command related to adaptive shaping allows you to set threshold values for triggering the adaptive shaping fun...

Страница 327: ...administrators can use PVCs in an internal network to set aside bandwidth for critical connections such as videoconferencing with other corporate departments Configuring Frame Relay Interfaces for th...

Страница 328: ...r when handling Frame Relay traffic The following command line displays all of the possible attributes used to define a Frame Relay service profile Applying a Service Profile to an Active Frame Relay...

Страница 329: ...pecification To define the location and identity of a serial frame relay WAN port located at slot 5 port 1 with a speed rating of 45 million bits per second To define the location and identity of a Hi...

Страница 330: ...IR of 20 million bits per second Leave high low and medium priority queue depths set to factory defaults Random Early Discard RED disabled RMON enabled The command line necessary to set up a service p...

Страница 331: ...otocols have been configured both the host and remote peer can send packets to one another using any and all of the configured network layer protocols The link will remain active until explicit LCP or...

Страница 332: ...ing command line displays a simplified example of a PPP WAN port definition If the port is an HSSI port that will be connected to a HSSI port on another router you can specify clock clock source in th...

Страница 333: ...tive PPP ports on the GSR The following command line displays a simplified example of this process Define a PPP service profile ppp define service service name bridging enable disable ip enable disabl...

Страница 334: ...will be compressed after the MLP processing In general choose bundle compression over link compression whenever possible Compressing packets before they are split by MLP is much more efficient for bo...

Страница 335: ...he steps necessary for a typical PPP WAN interface specification To define the location and identity of a High Speed Serial Interface HSSI PPP WAN port located at router slot 5 port 1 with a speed rat...

Страница 336: ...ximum allowable number of unanswered improperly answered connection termination requests before declaring the link to a peer lost set to 4 Random Early Discard disabled The number of seconds between s...

Страница 337: ...e Multi Router WAN Configuration next port set hs 5 1 wan encapsulation frame relay speed 45000000 port set hs 5 2 wan encapsulation ppp speed 45000000 interface create ip fr1 address netmask 10 1 1 1...

Страница 338: ...P packets Video Server Win NT SmartBits IP packets 50 50 50 5 50 50 50 15 et 1 1 100 100 100 5 100 100 100 4 100 100 100 4 100 100 100 3 se 4 1 se 6 3 se 6 1 se 2 1 hs 4 2 hs 4 1 hs 7 2 hs 3 1 et 1 1...

Страница 339: ...frame relay create vc port hs 7 1 106 frame relay create vc port hs 3 1 103 frame relay define service CIRforR1toR6 cir 45000000 bc 450000 frame relay apply service CIRforR1toR6 ports hs 7 1 106 vlan...

Страница 340: ...30 130 130 2 16 peer address 130 130 130 3 port hs 7 2 interface create ip SBitsLAN address netmask 20 20 20 2 16 port et 1 1 vlan add ports hs 7 1 to s2 interface create ip s2 address netmask 120 120...

Страница 341: ...te vc port se 2 1 304 frame relay create vc port hs 4 1 103 vlan create s1 id 200 interface create ip SBitsLAN address netmask 30 30 30 3 16 port et 1 1 vlan add ports hs 4 1 103 se 2 1 304 to s1 inte...

Страница 342: ...to s1 interface create ip s1 address netmask 100 100 100 4 16 vlan s1 rip add interface all rip set interface all version 2 rip set interface all xmt actual enable rip set broadcast state always rip...

Страница 343: ...R6 ports hs 3 1 106 vlan create BridgeforR1toR6 port based id 106 interface create ip FRforR1toR6 address netmask 100 100 100 6 16 vlan BridgeforR1toR6 interface create ip lan1 address netmask 60 60 6...

Страница 344: ......

Страница 345: ......

Страница 346: ...9032684 03 Printed in U S A...

Отзывы:

Нет отзывов

Похожие инструкции для GIGAswitch GSR-16

xStack DGS-3427

Бренд: D-Link Страницы: 246

RMQ-Titan M30 Series

Бренд: Eaton Страницы: 4

SkyEdge II-c Capricorn Pro 4 AC Series

Бренд: Gilat Страницы: 2

Бренд: socomec Страницы: 43

Бренд: hager Страницы: 4

Бренд: Samson Страницы: 64

Бренд: Manhattan Страницы: 4

Smart-Switch/801 FEP-30109T-C

Бренд: UNICOM Страницы: 22

Бренд: PowerShield Страницы: 2

Бренд: Ortech Страницы: 3

Бренд: Epcom Страницы: 2

Бренд: Alloy Страницы: 13

NSwitch Outdoors

Бренд: Moxa Technologies Страницы: 30

Бренд: Taiden Страницы: 4

Бренд: Hored Страницы: 4

Бренд: TP-Link Страницы: 2

Бренд: WELLTECH Страницы: 280

Бренд: GarrettCom Страницы: 42

Бренды по названию

0 1 2 3 4 5 6 7 8 9 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Популярные бренды

Загрузить еще бренды