Cabletron Systems SmartSwitch Router Скачать руководство пользователя страница 266 | Manualshive

Страница: 266 / 338

Cabletron Systems SmartSwitch Router Скачать руководство пользователя страница 266

Chapter 17: Access Control List Configuration Guide

266

SmartSwitch Router User Reference Manual

See

“Limiting Traffic Rate” on page 291

for more information on using the

rate-limit

command.

Using Profile ACLs with Dynamic NAT

Network Address Translation (NAT) allows you to map an IP address used within one
network to a different IP address used within another network. NAT is often used to map
addresses used in a private, local intranet to one or more addresses used in the public,
global Internet.

The SSR supports two kinds of NAT:

static

NAT and

dynamic

NAT. With dynamic NAT, an

IP address within a range of local IP addresses is mapped to an IP address within a range
of global IP addresses. For example, you can configure IP addresses on network
10.1.1.0/24 to use an IP address in the range of IP addresses in network 192.50.20.0/24.
You can use a Profile ACL to define the ranges of local IP addresses.

The following command creates a Profile ACL called

local

. The local profile specifies as its

selection criteria the range of IP addresses in network 10.1.1.0/24..

Note:

When a Profile ACL is defined for dynamic NAT, only the source IP address field
in the

acl

statement is evaluated. All other fields in the

acl

statement are ignored.

Once you have defined a Profile ACL, you can then use the

nat create dynamic

command

to bind the range of IP addresses defined in the local profile to a range in network
192.50.20.0/24.

See

“Network Address Translation Configuration Guide” on page 223

for more

information on using dynamic NAT.

Using Profile ACLs with the Port Mirroring Facility

Port mirroring refers to the SSR’s ability to copy traffic on one or more ports to a “mirror”
port, where an external analyzer or probe can be attached. In addition to mirroring traffic
on one or more ports, the SSR can mirror traffic that matches selection criteria defined in a
Profile ACL.

For example, you can mirror all IGMP traffic on the SSR. You use a Profile ACL to define
the selection criteria (in this example, all IGMP traffic). Then you use a

port mirroring

command to copy packets that match the selection criteria to a specified mirror port. The
following commands illustrate this example.

ssr(config)#

acl local permit ip 10.1.1.0/24

ssr(config)#

nat create dynamic local-acl-pool local global-pool 192.50.20.10/24

«
...
264
265
266
267
268
...
»

Содержание SmartSwitch Router

Страница 1: ...SmartSwitch Router User Reference Manual 9032578 04...

Страница 2: ...trademark of CompuServe Inc i960 microprocessor is a registered trademark of Intel Corp Ethernet is a trademark of Xerox CorporationFCC Notice This device complies with Part 15 of the FCC rules Opera...

Страница 3: ...n of service in some situations Repairs to certified equipment should be coordinated by a representative designated by the supplier Any repairs or alterations made by the user to this equipment or equ...

Страница 4: ...s of this License Agreement You may not copy reproduce or transmit any part of the Program except as permitted by the Copyright Act of the United States or as authorized in writing by Cabletron 2 OTHE...

Страница 5: ...through d of the Commercial Computer Software Restricted Rights Clause and its successors and iii in all respects is proprietary data belonging to Cabletron and or its suppliers For Department of Def...

Страница 6: ...the Copyright Act of the United States or as authorized in writing by Cabletron 2 OTHER RESTRICTIONS You may not reverse engineer decompile or disassemble the Program 3 APPLICABLE LAW This License Ag...

Страница 7: ...a belonging to Cabletron and or its suppliers For Department of Defense units the Product is considered commercial computer software in accordance with DFARS section 227 7202 3 and its successors and...

Страница 8: ...t 1 LICENSE You have the right to use only the one 1 copy of the Program provided in this package subject to the terms and conditions of this License Agreement You may not copy reproduce or transmit a...

Страница 9: ...ricted computer software submitted with restricted rights in accordance with section 52 227 19 a through d of the Commercial Computer Software Restricted Rights Clause and its successors and iii in al...

Страница 10: ...an Services FDA IEC Publication 825 International Electrotechnical Commission CENELEC EN 60825 European Committee for Electrotechnical Standardization When operating within their performance limitatio...

Страница 11: ...shire RG13 2PZ England Conformance to Directive s Product Standards EC Directive 89 336 EEC EC Directive 73 23 EEC EN 55022 EN 50082 1 EN 60950 Equipment Type Environment Networking Equipment for use...

Страница 12: ...Notice 12 SmartSwitch Router User Reference Manual...

Страница 13: ...37 Boot PROM Mode 38 Disabling a Function or Feature 39 Loading System Images and Configuration Files 39 Boot and System Image 39 Configuration Files 39 Loading System Image Software 40 Loading Boot...

Страница 14: ...57 Subnet based VLANs 57 Multicast based VLANs 58 Policy based VLANs 58 SSR VLAN Support 58 VLANs and the SSR 58 Ports VLANs and L3 Interfaces 59 Access Ports and Trunk Ports 802 1Q support 59 Explic...

Страница 15: ...uration Examples 79 Configuring Secondary Subnets 80 Secondary Subnets and Directly Connected Clients 81 Interacting with Relay Agents 82 Chapter 6 IP Routing Configuration Guide 85 IP Routing Overvie...

Страница 16: ...4 Setting the Advertisement Interval 104 Setting Pre empt Mode 104 Setting an Authentication Key 105 Monitoring VRRP 105 ip redundancy trace 105 ip redundancy show 106 VRRP Configuration Notes 106 Cha...

Страница 17: ...h Prepend Feature 134 BGP Configuration Examples 134 BGP Peering Session Example 135 IBGP Configuration Example 137 IBGP Routing Group Example 138 IBGP Internal Group Example 141 EBGP Multihop Configu...

Страница 18: ...port Destination 179 Creating an Export Source 179 Import Policies 179 Creating an Import Source 180 Creating a Route Filter 180 Creating an Aggregate Route 180 Creating an Aggregate Destination 182 C...

Страница 19: ...file 210 Associating the Profile with an IP Policy 210 Creating Multi statement IP Policies 211 Setting Load Distribution for Next hop Gateways 212 Setting the IP Policy Action 212 Checking the Availa...

Страница 20: ...and Multiple Destination Servers 237 Web Hosting with Multiple Virtual Groups and Multiple Destination Servers 238 Virtual IP Address Ranges 239 Web Caching 240 Configuring Web Caching 240 Creating th...

Страница 21: ...s Offline 260 Maintaining ACLs Using the ACL Editor 261 Using ACLs 262 Applying ACLs to Interfaces 262 Applying ACLs to Services 263 Using ACLs as Profiles 263 Using Profile ACLs with the IP Policy Fa...

Страница 22: ...4 Flows 286 Configuring IP QoS Policies 286 Setting an IP QoS Policy 287 Specifying Precedence for an IP QoS Policy 287 Configuring IPX QoS Policies 287 Setting an IPX QoS Policy 287 Specifying Prece...

Страница 23: ...ink Integrity 319 Latency Requirements 319 Example Configurations 319 Packet Encryption 320 WAN Quality of Service 320 Source Filtering and ACLs 321 Weighted Fair Queueing 321 Congestion Management 32...

Страница 24: ...PPP Port Configuration 330 WAN Configuration Examples 332 Simple Configuration File 332 Multi Router WAN Configuration 333 Router R1 Configuration File 334 Router R2 Configuration File 334 Router R3...

Страница 25: ...al if you are a network administrator responsible for configuring and monitoring the SSR How to Use This Manual If You Want To See Read overview information Chapter 1 SSR Product Overview on page 29 H...

Страница 26: ...ng Configuration Guide on page 209 Configure Network Address Translation Chapter 14 Network Address Translation Configuration Guide on page 223 Configure web hosting Chapter 15 Web Hosting Configurati...

Страница 27: ...duct For Information About See the Installing and setting up the SSR SmartSwitch Router Getting Started Guide Managing the SSR using Cabletron s element management application CoreWatch User s Manual...

Страница 28: ...Preface 28 SmartSwitch Router User Reference Manual...

Страница 29: ...ou do not need to accept performance compromises to run QoS or access control lists ACLs The following table lists the basic hardware and software specifications for the SSR Table 1 SSR Hardware and s...

Страница 30: ...on flows Up to 400 000 Layer 2 MAC addresses 20 000 Layer 2 security and access control filters SSR 8600 Up to 250 000 routes Up to 4 000 000 Layer 4 application flows Up to 800 000 Layer 2 MAC addres...

Страница 31: ...ortest Path First OSPF Version 2 Quality of Service QoS Layer 2 prioritization 802 1p Layer 3 source destination flows Layer 4 source destination flows Layer 4 application flows RMON RMON v1 v2 for ea...

Страница 32: ...s that you can use to configure the SSR and display its status Some commands are available to all users others can be executed only after the user enters an Enable password You use the CLI to configur...

Страница 33: ...e character Configure Allows you to make configuration changes To enter Configure mode first enter Enable mode enable command then enter the configure command from the Enable command prompt When you a...

Страница 34: ...set of those available in Enable mode In general the User commands allow you to display basic information and use basic utilities such as ping information To list the User commands enter The User mode...

Страница 35: ...l PVST parameters sfs Show SecureFast Switching SFS parameters statistics Show or clear SSR statistics stp Show STP status telnet Telnet utility traceroute Traceroute utility vlan Show VLAN related pa...

Страница 36: ...Protocol OSPF ping Ping utility port Show or change Port parameters ppp Display Point to Point Protocol PPP statistics pvst Show Per Vlan Spanning Tree Protocol PVST parameters qos Show Quality of Se...

Страница 37: ...gp Configure Border Gateway Protocol BGP cli Modify the command line interface behavior dhcp Configure DHCP server dvmrp Configure DVMRP related parameters exit Exit current mode filters Configure L2...

Страница 38: ...or flows rdisc Configure Router Discovery Protocol rip Configure Routing Information Protocol RIP rmon Configure RMON related parameters sfs Configure SecureFast Switching SFS parameters smarttrunk Co...

Страница 39: ...guration file Boot and System Image Only one boot image exists on the internal flash of the SSR Control Module Multiple system images can be stored on the external PC flash Configuration Files The SSR...

Страница 40: ...copy the software upgrade onto the PCMCIA flash card in the Control Module Here is an example 4 Enter the system image list command to list the images on the PCMCIA flash card and verify that the new...

Страница 41: ...se the system promimage upgrade command to copy the boot PROM upgrade onto the internal memory in the Control Module Here is an example 4 Enter the system show version command to verify that the new b...

Страница 42: ...ing configuration changes to the SSR However if you power down or reboot the SSR the new changes are lost Use the following procedure to save the changes into the Startup configuration file so that th...

Страница 43: ...have activated commands in the scratchpad you can compare the activated changes with a previously saved configuration file To compare the activated commands with the Startup or another configuration f...

Страница 44: ...at sends a synchronization packet to the server every 60 minutes This means the SSR will attempt to set its own clock against the server once every hour The synchronization interval as well as the NTP...

Страница 45: ...munity string enter the following command in Configure mode To configure the SNMP trap server target address enter the following command in Configure mode Configuring DNS The SSR allows you to configu...

Страница 46: ...messages to the management console These messages include informational warning error and fatal messages Console messages can also be sent to a Syslog server To configure a Syslog server enter the fo...

Страница 47: ...ion of the system system show active config Show the contents of the boot log file which contains all the system messages generated during bootup system show bootlog Show boot PROM parameters for TFTP...

Страница 48: ...xt reboot system show startup config Show the status of the switching fabric module system show switching fabric Show the IP address of the SYSLOG server and the level of messages the SSR sends to the...

Страница 49: ...d by the SSR and begin functioning immediately after they are installed On the SSR 8000 and SSR 8600 you can hot swap line cards and secondary control modules On the SSR 8600 you can also hot swap the...

Страница 50: ...ter this command the Offline LED on the line card lights and messages appear on the console indicating the ports on the line card are inoperative Note If you have deactivated a line card and want to a...

Страница 51: ...other You can hot swap one type of line card with another type For example you can replace a 10 100Base TX line card with a 1000Base SX line card The SSR can be configured to accommodate whichever lin...

Страница 52: ...ote The Offline LED on the Control Module has a different function from the Offline LED on a line card On a line card it means that the line card has been deactivated On a Control Module a lit Offline...

Страница 53: ...odule SSR 8600 only The SSR 8600 has slots for two Switching Fabric Modules While the SSR 8600 is operating you can install a second Switching Fabric Module If two Switching Fabric Modules are install...

Страница 54: ...ching Fabric Module to free it from the connectors holding it in place in the chassis 3 Carefully remove the Switching Fabric Module from its slot To install a Switching Fabric Module 1 Slide the Swit...

Страница 55: ...nsparently bridged network into virtual local area networks VLANs based on physical ports or protocol IP or IPX or bridged protocols like Appletalk Frame filtering based on MAC address for bridged and...

Страница 56: ...ing or address based bridging However address based bridging is more efficient because it requires fewer table entries while flow based bridging provides tighter management and control over bridged tr...

Страница 57: ...address is looked up in the VLAN database The VLAN database returns the name of the VLAN to which this frame belongs This type of VLAN is powerful in the sense that network devices such as printers a...

Страница 58: ...switch and router use the subnet based VLANs in addition to port based and protocol based VLANs It is not necessary to remember the types of VLANs in order to configure the SSR as seen in the section...

Страница 59: ...to a physical connector on the SSR such as an ethernet port Each port must belong to at least one VLAN When the SSR is unconfigured each port belongs to a VLAN called the default VLAN By creating VLAN...

Страница 60: ...trunk ports always transmit and receive tagged frames only The format of the tag is specified by the IEEE 802 1Q standard The only exception to this is Spanning Tree Protocol frames which are transmit...

Страница 61: ...s based on layer 2 traffic flows To enable flow based bridging on a port enter the following command in Configure mode To change a port from flow based bridging to address based bridging enter the fol...

Страница 62: ...rming any of the tasks in the following sections Set the Bridge Priority Set an Interface Priority Note Only network administrators with a good understanding of how bridges and the Spanning Tree Proto...

Страница 63: ...ng Bridge Protocol Data Unit BPDU Intervals You can adjust BPDU intervals as described in the following sections Adjust the Interval between Hello BPDUs Define the Forward Delay Interval Set the bridg...

Страница 64: ...ed and recomputes the spanning tree topology To change the default interval setting enter the following command in Configure mode Specify the interval between hello time for default spanning tree stp...

Страница 65: ...a standard Ethernet frame which includes a unique VLAN id per trunk between two SSRs These VLAN IDs extend the VLAN broadcast domain to more than one SSR To configure a VLAN trunk enter the following...

Страница 66: ...These filters allow or force traffic to go to a set of destination ports based on a frame s source MAC address destination MAC address or both source and destination MAC addresses in flow bridging mod...

Страница 67: ...unicate with clients connected to et 4 1 8 You can associate all the ports containing the clients and servers to an IP VLAN called BLUE First create an IP VLAN named BLUE Next assign ports to the BLUE...

Страница 68: ...Chapter 3 Bridging Configuration Guide 68 SmartSwitch Router User Reference Manual...

Страница 69: ...in the combined link increasing overall available system bandwidth SmartTRUNKs allow administrators the ability to increase bandwidth at congestion points in the network thus eliminating potential tra...

Страница 70: ...onfiguration etc If you are connecting the SmartTRUNK to a device that does not support the DEC Hunt Group control protocol such as those devices that support Cisco s EtherChannel technology specify n...

Страница 71: ...n Enable mode To clear statistics for SmartTRUNK ports enter the following command in Enable mode Create a SmartTRUNK that will be connected to a device that supports the DEC Hunt Group control protoc...

Страница 72: ...wing is the configuration for the Cisco 7500 router The following is the configuration for the Cisco Catalyst 5K switch Cisco 7500 Router Router R1 Cisco Catalyst 5K Switch Server Switch S2 10 1 1 1 2...

Страница 73: ...tocol huntgroup smarttrunk add ports et 1 1 2 to st 1 smarttrunk add ports et 2 1 2 to st 2 smarttrunk add ports et 3 1 2 to st 3 interface create ip to cisco address netmask 10 1 1 2 24 port st 1 int...

Страница 74: ...Chapter 4 SmartTRUNK Configuration Guide 74 SmartSwitch Router User Reference Manual...

Страница 75: ...valid for a system is called a lease The SSR maintains a lease database which contains information about each assigned IP address the MAC address to which it is assigned the lease expiration and wheth...

Страница 76: ...ed through a single port you can also define multiple scopes on the same interface and group the scopes together into a superscope Configuring an IP Address Pool To define a pool of IP addresses that...

Страница 77: ...pools on different subnets that all are accessed through the same SSR port In this case scopes that use the same interface must be grouped together into a superscope To attach a scope to a superscope...

Страница 78: ...global set commit interval command to specify this interval the default is one hour To force the DHCP server to immediately update its lease database enter the following command in Enable mode Monitor...

Страница 79: ...0 1 1 10 through 10 1 1 20 6 Define another IP address pool for addresses 10 1 1 40 through 10 1 1 50 7 Define a static IP address for 10 1 7 5 8 Define another static IP address for 10 1 7 7 and give...

Страница 80: ...t must be a router on the client s local subnet The following example shows a simple configuration to support secondary subnets 10 1 x x and 10 2 x x 1 Define the network parameters for scope1 with th...

Страница 81: ...connected clients on a secondary subnet you must configure the secondary subnet using the interface add ip command The interface add ip command configures a secondary address for an interface that wa...

Страница 82: ...client must be capable of reaching the SSR s DHCP server The SSR must also be capable of reaching the client s network The route must be configured with static routes for example or learned with RIP o...

Страница 83: ...SmartSwitch Router User Reference Manual 83 Chapter 5 DHCP Configuration Guide 4 Define the address pool for scope1 dhcp scope1 define pool 10 5 1 10 10 5 1 20...

Страница 84: ...Chapter 5 DHCP Configuration Guide 84 SmartSwitch Router User Reference Manual...

Страница 85: ...built upon the IP layer TCP is a connection oriented protocol that specifies the data format buffering and acknowledgments used in the transfer of data TCP is a full duplex connection which also spec...

Страница 86: ...mation Protocol RIP Version 1 2 RFC 1058 1723 Open Shortest Path First OSPF Version 2 RFC 1583 Exterior Gateway Protocols are used to transfer information between different autonomous systems The SSR...

Страница 87: ...addresses to the VLAN To configure a VLAN with an IP interface enter the following command in Configure mode Specifying Ethernet Encapsulation Method The SmartSwitch Router supports two encapsulation...

Страница 88: ...he network Configuring ARP Cache Entries You can add and delete entries in the ARP cache To add or delete static ARP entries enter one of the the following commands in Configure mode Configuring Proxy...

Страница 89: ...erfaces that the RARP server on the SSR should respond to enter the following command in Configure mode Defining MAC to IP Address Mappings To map a MAC address to an IP address enter the following co...

Страница 90: ...rvices ICMP The SSR provides ICMP message capabilities including ping and traceroute Ping allows you to determine the reachability of a certain IP host Traceroute allows you to trace the IP gateways t...

Страница 91: ...adcast traffic from the local subnet to a specified IP address or all associated IP addresses This is a more efficient method than defining only one local interface and remote IP address destination a...

Страница 92: ...on the SSR on which it is enabled and contain a list of the addresses on the interface and the preference of each address for use as a default route for the interface A host can also send a router so...

Страница 93: ...Assigning IP IPX Interfaces To enable routing on the SSR you must assign an IP or IPX interface to a VLAN To assign an IP or IPX interface named RED to the BLUE VLAN enter the following command Start...

Страница 94: ...ser Reference Manual You can also assign an IP or IPX interface directly to a physical port For example to assign an IP interface RED to physical port et 3 4 perform the following ssr config interface...

Страница 95: ...by assigning IP addresses that end hosts use as their default route to a virtual router A Master router is assigned to forward traffic designated for the virtual router If the Master router should be...

Страница 96: ...When Router R1 comes up again it would take over as Master and Router R2 would revert to Backup Configuration of Router R1 The following is the configuration file for Router R1 in Figure 4 Line 1 adds...

Страница 97: ...own this IP address it is the Backup It will take over from the Master if it should become unavailable Symmetrical Configuration Figure 5 shows a VRRP configuration with two routers and two virtual r...

Страница 98: ...e 5 Router R1 is the owner of IP address 10 0 0 1 16 Line 4 associates this IP address with virtual router VRID 1 so Router R1 is the Master for virtual router VRID 1 R1 R2 H1 H2 H3 H4 Default Route 1...

Страница 99: ...Backup Configuration Figure 6 shows a VRRP configuration with three routers and three virtual routers Each router serves as a Master for one virtual router and as a Backup for each of the others When...

Страница 100: ...rtual router VRID 1 If both Routers R1 and R3 should fail Router R2 would become the Master for all three virtual routers Packets sent to IP addresses 10 0 0 1 16 10 0 0 2 16 and 10 0 0 3 16 would all...

Страница 101: ...ority for that virtual router is 255 and cannot be changed If a router is not the address owner for a virtual router then its priority for that virtual router is 100 by default and can be changed by t...

Страница 102: ...ority Configured Priority VRID 1 IP address 10 0 0 1 16 255 address owner 255 address owner VRID 2 IP address 10 0 0 2 16 100 200 see line 8 VRID 3 IP address 10 0 0 3 16 100 200 see line 9 1 interfac...

Страница 103: ...ration purposes only Additional Configuration This section covers settings you can modify in a VRRP configuration including backup priority advertisement interval pre empt mode and authentication key...

Страница 104: ...tting Pre empt Mode When a Master router goes down the Backup with the highest priority takes over the IP addresses associated with the Master By default when the original Master comes back up again i...

Страница 105: ...istics about virtual routers ip redundancy trace The ip redundancy trace command is used for troubleshooting purposes This command causes messages to be displayed when certain VRRP events occur on the...

Страница 106: ...on Master down interval 3 advertisement interval skew time The skew time depends on the Backup router s configured priority Skew time 256 Priority 256 Therefore the higher the priority the faster a Ba...

Страница 107: ...outers are created on a single interface the virtual routers must have unique identifiers If virtual routers are created on different interfaces you can reuse virtual router IDs For example the follow...

Страница 108: ...Chapter 7 VRRP Configuration Guide 108 SmartSwitch Router User Reference Manual...

Страница 109: ...nteger distance to that network RIP uses a hop count metric to measure the distance to a destination The SmartSwitch Router provides support for RIP Version 1 and 2 The SSR implements plain text and M...

Страница 110: ...ing information These default parameters may be modified to suit your needs by using the rip set interface command Enable RIP rip start Disable RIP rip stop Add interfaces to the RIP process rip add i...

Страница 111: ...incoming RIP routes rip set interface interfacename or IPaddr all metric in num Change the metric on outgoing RIP routes rip set interface interfacename or IPaddr all metric out num Set the authentica...

Страница 112: ...xport command To configure default metric enter the following command in Configure mode For num you must specify a number between 1 and 16 Monitoring RIP The rip trace command can be used to trace all...

Страница 113: ...ive Show detailed information of all response received by the router rip trace response receive Show detailed information of response packets sent by the router rip trace response send Show detailed i...

Страница 114: ...Chapter 8 RIP Configuration Guide 114 SmartSwitch Router User Reference Manual Change default metric out rip set interface SSR1 if1 metric out 3...

Страница 115: ...he SSR supports the following OSPF functions Stub Areas Definition of stub areas is supported Authentication Simple password and MD5 authentication methods are supported within an area Virtual Links V...

Страница 116: ...asks Enable OSPF Create OSPF areas Create an IP interface or assign an IP interface to a VLAN Add IP interfaces to OSPF areas Configure OSPF interface parameters if necessary Note By default the prior...

Страница 117: ...ast 30 non broadcast Router dead interval 4 times the hello interval Poll Interval 120 seconds Key chain N A Authentication Method None Enable OSPF state on interface ospf set interface name or IPaddr...

Страница 118: ...faces enter the following commands in the Configure mode Specify the number of seconds required to transmit a link state update on an OSPF interface ospf set interface name or IPaddr all transit delay...

Страница 119: ...commands in the Configure mode Creating Virtual Links In OSPF virtual links can be established To connect an area via a transit area to the backbone To create a redundant backbone connection via anot...

Страница 120: ...r NBMA circuits are suppressed To configure OSPF over WAN circuits enter the following command in Configure mode Create a virtual link ospf add virtual link number or string neighbor IPaddr transit ar...

Страница 121: ...hostname or IPaddr Shows information about all OSPF routing neighbors ospf monitor neighborsdestination hostname or IPaddr Show information on valid next hops ospf monitor next hop list destination h...

Страница 122: ...w summary asb Show OSPF timers ospf show timers Show OSPF virtual links ospf show virtual links Create the various IP interfaces interface create ip to r2 address netmask 120 190 1 1 16 port et 1 2 in...

Страница 123: ...Routes to OSPF Note Also export interface static RIP OSPF and OSPF ASE routes into RIP In the configuration shown in Figure 7 on page 126 if we decide to run RIP Version 2 on network 120 190 0 0 16 c...

Страница 124: ...OSPF rip add interface 120 190 1 1 rip set interface 120 190 1 1 version 2 type multicast ip router policy create ospf export destination ospfExpDstType1 type 1 metric 1 ip router policy create ospf e...

Страница 125: ...ripExpDst ip router policy create ospf export source ospfExpSrc type OSPF ip router policy create ospf export source ospfAseExpSrc type OSPF ASE ip router policy export destination ripExpDst source st...

Страница 126: ...R2 R3 R41 R42 R6 R11 A r e a B a c k b o n e A r e a 140 1 0 0 RIP V2 140 1 1 1 24 140 1 2 1 24 140 1 5 24 140 1 4 24 190 1 1 1 16 120 190 1 1 16 160 1 5 2 24 R10 R5 R7 202 1 2 2 16 140 1 3 1 24 130...

Страница 127: ...esigned to handle multi AS policy and security issues Similarly using static routes may not be the best choice for exchanging AS AS routing information because there may be a large number of routes or...

Страница 128: ...the SSR Enable prompt VLANs interfaces ACLs and many other SSR configurable entities and functionality can only be configured using the SSR CLI Therefore a gated conf file is dependent upon some SSR...

Страница 129: ...ID is set to the address of the first interface that is in the up state that the SSR encounters except the interface en0 which is the Control Module s interface The address of a non point to point int...

Страница 130: ...immediate next hops This implementation comes closest to the IBGP implementation of other router vendors internal An internal group operating where there is no IP level IGP for example an SMDS networ...

Страница 131: ...by default To start BGP enter the following command in Configure mode Using AS Path Regular Expressions An AS path regular expression is a regular expression where the alphabet is the set of AS numbe...

Страница 132: ...by m where m is a positive integer means m or more repetitions aspath_term An AS path term followed by means zero or more repetitions This is shorthand for 0 aspath_term A regular expression followed...

Страница 133: ...gthening the AS path makes the path less desirable than would otherwise be the case However this method of influencing downstream path selection is feasible only when comparing prefixes of the same le...

Страница 134: ...hen you must also negate the command that creates the peer group c Exit Configure mode d Re enter Configure mode e Add the peer host back to the peer group If the as count option is part of the startu...

Страница 135: ...en peers across the TCP connection to establish various BGP variables BGP Version AS number ASN hold time BGP identifier and optional parameters Upon successful completion of the BGP Open negotiations...

Страница 136: ...s netmask 10 0 0 1 16 port et 1 1 Set the AS of the router ip router global set autonomous system 1 Set the router ID ip router global set router id 10 0 0 1 Create EBGP peer group pg1w2 for peering w...

Страница 137: ...uccessfully provide transit services all EBGP speakers in the transit AS must have a consistent view of all of the routes reachable through their AS Multihomed transit ASs can use IBGP between EBGP sp...

Страница 138: ...IBGP Routing group will determine the immediate next hops for routes by using the next hop received with a route from a peer as a forwarding address and using this to look up an immediate next hop in...

Страница 139: ...ample BGP configuration that uses the Routing group type Figure 9 Sample IBGP Configuration Routing Group Type SSR6 SSR1 Cisco SSR4 lo0 172 23 1 25 30 10 12 1 6 30 10 12 1 5 30 172 23 1 10 30 172 23 1...

Страница 140: ...want CISCO to peer with our loopback address This will make sure that the loopback address gets announced into OSPF domain ospf add stub host 172 23 1 26 to area backbone cost 1 ospf set interface to...

Страница 141: ...irectly attached to a shared subnet so that like external peers the next hops received in BGP advertisements may be used directly for forwarding All Internal group peers should be L2 adjacent router b...

Страница 142: ...r SSR1 is as follows AS 1 SSR2 SSR1 17 122 128 2 24 17 122 128 1 24 16 122 128 1 24 16 122 128 1 24 16 122 128 8 24 16 122 128 9 24 C2 C1 Physical Link Legend Peering Relationship ip router global set...

Страница 143: ...update group type internal peeras 1 peer 16 122 128 2 peer 16 122 128 8 peer 16 122 128 9 ip router global set autonomous system 1 bgp create peer group int ibgp 1 type internal autonomous system 1 bg...

Страница 144: ...hbor 16 122 128 1 remote as 1 neighbor 16 122 128 1 next hop self neighbor 16 122 128 1 soft reconfiguration inbound neighbor 16 122 128 2 remote as 1 neighbor 16 122 128 2 next hop self neighbor 16 1...

Страница 145: ...onship SSR1 16 122 128 1 16 SSR3 AS 64800 AS 64801 SSR4 SSR2 16 122 128 3 16 17 122 128 3 16 17 122 128 4 16 18 122 128 3 16 18 122 128 4 16 bgp create peer group ebgp_multihop autonomous system 64801...

Страница 146: ...peeras 64801 peer 18 122 128 2 gateway 16 122 128 3 static 18 122 0 0 masklen 16 gateway 16 122 128 3 interface create ip to R1 address netmask 16 122 128 3 16 port et 1 1 interface create ip to R3 ad...

Страница 147: ...GP configuration where the specific community attribute is used Figure 12 shows a BGP configuration where the well known community attribute is used static 16 122 0 0 masklen 16 gateway 17 122 128 3 b...

Страница 148: ...172 26 1 2 16 172 25 1 2 16 192 168 20 2 16 172 25 1 1 16 1 1 R13 1 6 R10 192 169 20 1 16 192 169 20 2 16 100 200 13 1 24 10 200 15 1 24 1 6 R14 AS 64901 AS 64900 AS 64899 1 6 1 1 1 1 1 3 1 8 ISP1 IS...

Страница 149: ...BGP update If multiple communities are specified in the optional attributes list option only updates carrying all of the specified communities will be matched If well known community none is specifie...

Страница 150: ...uence number 1 ip router policy create bgp import source 901color1 optional attributes list color1 autonomous system 64900 sequence number 1 ip router policy create bgp import source 901color2 optiona...

Страница 151: ...nity id 155 autonomous system 64902 ip router policy create bgp import source 902color1 optional attributes list color1 autonomous system 64899 sequence number 1 ip router policy create bgp import sou...

Страница 152: ...s export destination has an identifier 900to899dest ip router policy create bgp export destination 900to899dest autonomous system 64899 optional attributes list color1 ip router policy create bgp expo...

Страница 153: ...its neighbor However if a packet is received with this attribute it cannot be transmitted to another BGP peer Well known community no export subconfed Well known community no export subconfed is a spe...

Страница 154: ...ith two autonomous systems The local preference is not set directly in the CLI but rather is a function of the GateD preference and setpref metric The setpref option allows GateD to set the local pref...

Страница 155: ...ute Figure 13 Sample BGP Configuration Local_Pref Attribute AS 64900 Physical Link Legend Peering Relationship AS 64901 SSR10 Information Flow 10 200 12 1 24 10 200 13 1 24 10 200 14 1 24 10 200 15 1...

Страница 156: ...or example if the import policy sets GateD preferences ranging from 170 to 200 a setpref metric of 170 would make sense You should set the metric high enough to avoid conflicts between BGP routes and...

Страница 157: ...f 10 Router SSR4 has the following CLI configuration Router SSR6 has the following CLI configuration bgp create peer group pg752to751 type external autonomous system 64751 bgp add peer host 10 200 12...

Страница 158: ...199 62 24 port et 1 2 interface create ip xenosite address netmask 212 19 198 1 24 port et 1 7 interface add ip lo0 address netmask 212 19 192 1 30 bgp create peer group webnet type external autonomo...

Страница 159: ...ction the clients peer with the route reflector and exchange routing information with it In turn the route reflector passes on reflects information between clients The IBGP peers of the route reflecto...

Страница 160: ...nd router SSR11 is the route reflector for the second cluster Router SSR10 has router SSR9 as a client peer and router SSR11 as a non client peer The following line in router SSR10 s configuration fil...

Страница 161: ...2 as shown below bgp set peer group rtr11 reflector client Route Table FIB of Router 8 rtr 8 ip show routes Destination Gateway Owner Netif 10 50 0 0 16 directly connected en 127 0 0 0 8 127 0 0 1 Sta...

Страница 162: ...o or more may also be configured to be reflectors for the same cluster In this case a cluster ID should be selected to identify all reflectors serving the cluster using the clusterid option Gratuitous...

Страница 163: ...autonomous system Source and destination interface Previous hop router Autonomous system path Tag associated with routes Specific destination address The network administrator can specify a preference...

Страница 164: ...he same destination in a single routing database The active route is chosen by the lowest preference value A default preference is assigned to each source from which the SSR routing process receives r...

Страница 165: ...cified using the optional attributes list only updates carrying all of the specified communities will be matched If the specified optional attributes list has the value none for the well known communi...

Страница 166: ...imported to that protocol If a preference is not explicitly specified with the route filter as well as the import source then it is inherited from the default preference associated with the protocol f...

Страница 167: ...also be explicitly specified using this component The metric associated with the exported routes are inherited unless explicitly specified If there is no metric specified with a route filter then the...

Страница 168: ...ers exact refines or between are specified any destination that falls in the range given by the network and mask is matched so the mask of the destination is ignored If a natural network is specified...

Страница 169: ...te The preference to be associated with an aggregate route can be specified using this component Aggregate Source This component specifies the source of the routes contributing to an aggregate summari...

Страница 170: ...ed from trusted routers Many protocols like RIP V2 and OSPF provide mechanisms for authenticating protocol exchanges A variety of authentication schemes can be used Authentication has two components a...

Страница 171: ...rface none simple and RFC 2178 OSPF MD5 authentication It is possible to configure different authentication schemes on different interfaces RFC 2178 allows multiple MD5 keys per interface Each key has...

Страница 172: ...rk parameter specifies the set of static routes that will be redistributed by this command If all static routes are to be redistributed set the network parameter to all Note that the network parameter...

Страница 173: ...static routes rip routes direct routes bgp routes or aggregate routes which are redistributed into an OSPF domain OSPF routes may be redistributed into RIP To redistribute OSPF into RIP enter the foll...

Страница 174: ...oto aggregate to proto OSPF Create the various IP interfaces interface create ip to r2 address netmask 120 190 1 1 16 port et 1 2 interface create ip to r3 address netmask 130 1 1 1 16 port et 1 3 int...

Страница 175: ...in this section refer to the configurations shown in Figure 18 on page 187 The following configuration commands for router R1 Determine the IP address for each interface RIP Box Level Configuration r...

Страница 176: ...P interfaces interface create ip to r2 address netmask 120 190 1 1 16 port et 1 2 interface create ip to r3 address netmask 130 1 1 1 16 port et 1 3 interface create ip to r41 address netmask 140 1 1...

Страница 177: ...systems are used by the SSR routing process Using import policies it is possible to ignore route updates from an unreliable peer and give better preference to routes learned from a trusted peer Expor...

Страница 178: ...do not have complex filter requirements then use the second method After you create one or more building blocks they are tied together by the iprouter policy export command To create route export poli...

Страница 179: ...be done using one of two methods Creating a route filter and associating an identifier with it A route filter has several network specifications associated with it Every route is checked against the...

Страница 180: ...ce enter one of the following commands in Configure mode Creating a Route Filter Route policies are defined by specifying a set of filters that will match a certain route by destination or by destinat...

Страница 181: ...ociated with a route filter is used in the ip router policy aggr gen command Specifying the networks as needed in the ip router policy aggr gen command If you want to create a complex route filter and...

Страница 182: ...P routes may be controlled by any of protocol source interface or source gateway If more than one is specified they are processed from most general protocol to most specific gateway RIP does not suppo...

Страница 183: ...pecify the static routes configured on the router Determine its RIP configuration Figure 17 Exporting to RIP Internet R6 R42 R41 R1 R2 R3 R7 135 3 1 1 24 135 3 2 1 24 135 3 3 1 24 140 1 1 4 24 140 1 1...

Страница 184: ...6 address netmask 160 1 1 1 16 port et 1 6 interface create ip to r7 address netmask 170 1 1 1 16 port et 1 7 Configure a default route through 170 1 1 7 ip add route default gateway 170 1 1 7 Configu...

Страница 185: ...t source with the interface as 140 1 1 1 since we would like to import all routes except the 10 51 0 0 16 route from this interface 2 Create the Import Policy importing all routes except the 10 51 0 0...

Страница 186: ...routes when functioning as an AS border router Like the other interior protocols preference cannot be used to choose between OSPF ASE routes That is done by the OSPF costs Routes that are rejected by...

Страница 187: ...BGP R1 R2 R3 R41 R42 R6 R11 A r e a B a c k b o n e A r e a 140 1 0 0 RIP V2 140 1 1 1 24 140 1 2 1 24 140 1 5 24 140 1 4 24 190 1 1 1 16 120 190 1 1 16 160 1 5 2 24 R10 R5 R7 202 1 2 2 16 140 1 3 1 2...

Страница 188: ...3 interface create ip to r41 address netmask 140 1 1 1 24 port et 1 4 interface create ip to r42 address netmask 140 1 2 1 24 port et 1 5 interface create ip to r6 address netmask 140 1 3 1 24 port et...

Страница 189: ...hop of the loopback interface i e static and internally generated default routes via RIP it is necessary to specify the metric at some level in the export policy Just setting a default metric for RIP...

Страница 190: ...create export sources for those protocols 3 Create a RIP export source since we would like to export RIP routes ip add route 135 3 1 0 24 gateway 130 1 1 3 ip add route 135 3 2 0 24 gateway 130 1 1 3...

Страница 191: ...export source since we would like to export direct interface routes 5 Create the Export Policy redistributing the statically created default route and all RIP Direct routes into RIP ip router policy...

Страница 192: ...orting Aggregate Routes into RIP In the configuration shown in Figure 17 on page 183 suppose you decide to run RIP Version 1 on network 130 1 0 0 16 connecting routers R1 and R3 Router R1 desires to a...

Страница 193: ...nly for interface 130 1 1 1 5 Create a Aggregate export source since we would to export redistribute an aggregate summarized route 6 Create a RIP export source since we would like to export RIP routes...

Страница 194: ...command OSPF ASE routes also have the provision to carry a tag This is an arbitrary 32 bit number that can be used on OSPF routers to filter routing information The default tag is specified by the os...

Страница 195: ...ate ip to r3 address netmask 130 1 1 1 16 port et 1 3 interface create ip to r41 address netmask 140 1 1 1 24 port et 1 4 interface create ip to r42 address netmask 140 1 2 1 24 port et 1 5 interface...

Страница 196: ...face routes would redistributed as type 1 OSPF routes Router R1 would like to redistribute its OSPF OSPF ASE RIP Static and Interface Direct routes into RIP 1 Enable RIP on interface 120 190 1 1 16 2...

Страница 197: ...ation ripExpDst source ripExpSrc network all ip router policy create static export source statExpSrc ip router policy create direct export source directExpSrc ip router policy export destination ospfE...

Страница 198: ...to RIP ip router policy export destination ripExpDst source statExpSrc network all ip router policy export destination ripExpDst source ripExpSrc network all ip router policy export destination ripExp...

Страница 199: ...IGMP Provides an overview of the SSR s implementation of the Distance Vector Multicast Routing Protocol DVMRP Discusses configuring DVMRP routing on the SSR Discusses configuring IGMP on the SSR IGMP...

Страница 200: ...both DVMRP and IGMP You can start and stop DVMRP independently from other multicast routing protocols IGMP starts and stops automatically with DVMRP The SSR supports up to 64 multicast interfaces To...

Страница 201: ...the SSR To enable IGMP on an interface enter the following command in Configure mode Configuring IGMP Query Interval You can configure the SSR with a different IGMP Host Membership Query time interval...

Страница 202: ...owing DVMRP configuration tasks Creating IP interfaces Setting global parameters that will be used for all the interfaces on which DVMRP is enabled Configuring DVMRP on individual interfaces You do so...

Страница 203: ...per interface basis The default neighbor timeout is 35 seconds The default prune time is 7200 seconds 2 hours To configure neighbor timeout or prune time enter one of the following commands in Config...

Страница 204: ...ve scoping In other words such addresses would be usable within a certain administrative scope a corporate network for instance but would not be forwarded across the internet The range from 239 0 0 0...

Страница 205: ...tion on the SSR To display IGMP and DVMRP information enter the following commands in the Enable mode Configure a DVMRP tunnel to MBONE dvmrp create tunnel string local ip addr remote ip addr Configur...

Страница 206: ...et 5 8 interface create ip company address netmask 207 135 89 64 25 port et 5 1 interface create ip test address netmask 10 135 89 10 25 port et 1 8 interface create ip rip address netmask 190 1 0 1 p...

Страница 207: ...SmartSwitch Router User Reference Manual 207 Chapter 12 Multicast Routing Configuration Guide...

Страница 208: ...Chapter 12 Multicast Routing Configuration Guide 208 SmartSwitch Router User Reference Manual...

Страница 209: ...ts based on layer 3 or layer 4 IP header information You can define IP policies to route packets to a set of next hop IP addresses based on any combination the following IP header fields IP protocol S...

Страница 210: ...to next hop gateway 100 1 1 1 Configuring an IP policy consists of the following tasks Defining a profile Associating the profile with a policy Applying the IP policy to an interface Defining an ACL P...

Страница 211: ...ample an IP policy can contain one statement that sends all packets matching a profile to one next hop gateway and another statement that sends packets matching a different profile to a different next...

Страница 212: ...in Configure mode Setting the IP Policy Action You can specify when to apply the IP policy route with respect to dynamic or statically configured routes The SSR can cause packets to use the IP policy...

Страница 213: ...inbound IP interface Once the IP policy is applied to the interface packets start being forwarded according to the IP policy Cause packets matching the profile to use the IP policy route first If the...

Страница 214: ...es of IP policies are demonstrated Routing traffic to different ISPs Prioritizing service to customers Authenticating users through a firewall Firewall load balancing Routing Traffic to Different ISPs...

Страница 215: ...owing is the IP policy configuration for the Policy Router in Figure 19 interface create ip user a address netmask 10 50 1 1 16 port et 1 1 interface create ip user b address netmask 11 50 1 1 16 port...

Страница 216: ...0 Using an IP policy to prioritize service to customers Traffic from the premium customer is load balanced across two next hop gateways in the high cost high availability network If neither of these g...

Страница 217: ...firewall cannot be reached packets from the contractors group are dropped Packets from users defined in the full timers group do not have to go through the firewall interface create ip premium custom...

Страница 218: ...ne session should always go to a particular firewall for persistence interface create ip mls0 address netmask 10 50 1 1 16 port et 1 1 acl contractors permit ip 10 50 1 0 24 any any any 0 acl full tim...

Страница 219: ...nable mode vlan create firewall vlan add ports et 1 1 5 to firewall interface create ip firewall address netmask 1 1 1 5 16 vlan firewall acl firewall permit ip any any any 0 ip policy p1 permit acl f...

Страница 220: ...show interface interface Display information about IP policies that have been applied to all interfaces ip policy show interface all Clear statistics gathered for IP policies ip policy clear all polic...

Страница 221: ...permit or deny 13 The name of the profile ACL of the packets to be forwarded using an IP policy 14 The number of packets that have matched the profile since the IP policy was applied or since the ip p...

Страница 222: ...Chapter 13 IP Policy Based Forwarding Configuration Guide 222 SmartSwitch Router User Reference Manual...

Страница 223: ...provides the following benefits Limits the number of IP addresses used for private intranets that are required to be registered with the Internet Assigned Numbers Authority IANA Conserves the number o...

Страница 224: ...n for each address in the global pool The ports are dynamically assigned between the range of 1024 to 4999 Hence you have about 4 000 ports per global IP address Dynamic bindings are removed automatic...

Страница 225: ...ly delete dynamic address bindings for a specific address pool or delete all dynamic address bindings To set the timeout for dynamic address bindings enter the following command in Configure mode To f...

Страница 226: ...the following commands in Configure mode Monitoring NAT To display NAT information enter the following command in Enable mode Configuration Examples This section shows examples of NAT configurations...

Страница 227: ...ction i e the first packet is coming from outside to inside This could be the case when you have a server in the local network and clients located remotely Dynamic NAT would not work for this case as...

Страница 228: ...t is sent from a local network as defined by the NAT dynamic local ACl pool The network administrator does not have to worry about the way in which the bindings are created the network administrator j...

Страница 229: ...ddress binding for inside addresses 10 1 1 0 24 to outside address 192 50 20 0 24 The first step is to create the interfaces Next define the interfaces to be NAT inside or outside Then define the NAT...

Страница 230: ...when the flow count goes to zero or the timeout has been reached The removal of bindings frees the port for that global and the port is available for reuse When all the ports for that global are used...

Страница 231: ...case is possible when you have two ISPs connected on two different interfaces to the Internet Through a routing protocol some routes will result in traffic going out of one interface and for others g...

Страница 232: ...Chapter 14 Network Address Translation Configuration Guide 232 SmartSwitch Router User Reference Manual...

Страница 233: ...SR provide ways to improve Web access for external and internal users Load balancing allows incoming HTTP requests to a company s Website to be distributed across several physical servers If one serve...

Страница 234: ...ng servers This step is optional by default the SSR assigns sessions to servers in a round robin sequential manner 3 Define the servers in the group Creating the Server Group To use load balancing you...

Страница 235: ...mes to prevent new sessions from being directed to one or more load balancing servers For example if you need to perform maintenance tasks on a server system you might want new sessions to temporarily...

Страница 236: ...fied hosts can be allowed to directly access servers in the load balancing group without address translation Note however that such hosts cannot use the virtual IP address and port number to access th...

Страница 237: ...eb requests among four separate servers as shown below Show the groups of load balancing servers load balance show virtual hosts group name group name virtual ip ipaddr virtual port port number Show s...

Страница 238: ...P Port Real Server IP TCP Port www ctron com 207 135 89 16 80 10 1 1 1 80 10 1 1 2 80 10 1 1 3 80 10 1 1 4 80 load balance create group name ctron www virtual ip 207 135 89 16 virtual port 80 protocol...

Страница 239: ...of web servers like Apache which serve different web pages based on the destination address in the http request The following example illustrates this load balance create group name quick www virtual...

Страница 240: ...redirects HTTP requests to local servers on which the web objects are cached One or more local servers are needed to work as cache servers with the SSR s web caching function Configuring Web Caching T...

Страница 241: ...mands in Configure mode Redirecting HTTP Traffic on an Interface To start the redirection of HTTP requests to the cache servers you need to apply a caching policy to a specific outbound interface This...

Страница 242: ...or web cache deny commands Other Configurations This section discusses other commands that may be useful in configuring Web caching in your network Bypassing Cache Servers Some Web sites require sour...

Страница 243: ...uses the destination IP address of the HTTP request to determine which cache server to send the request However if there is a Web site that is being accessed very frequently the cache server serving r...

Страница 244: ...sting Configuration Guide 244 SmartSwitch Router User Reference Manual Show caching policy information web cache show cache name cache name all Show cache server information web cache show servers cac...

Страница 245: ...on the internetwork IPX defines internetwork and intranode addressing schemes IPX internetwork addressing is based on network numbers assigned to each network segment on a Novell NetWare internetwork...

Страница 246: ...SAP Service Advertising Protocol SAP provides routers with a means of exchanging internetwork service information Through SAP servers advertise their services and addresses Routers gather this informa...

Страница 247: ...es per interface Creating IPX Interfaces When you create IPX interfaces on the SSR you provide information about the interface such as its name output MAC encapsulation and IPX address You also enable...

Страница 248: ...re mode Specifying IPX Encapsulation Method The SmartSwitch Router supports two encapsulation types for IPX You can configure encapsulation type on a per interface basis Ethernet II The standard ARPA...

Страница 249: ...outes In a Novell NetWare network the SSR uses RIP to determine the best paths for routing IPX However you can add static RIP routes to RIP routing table to explicitly specify a route To add a static...

Страница 250: ...s advertisements or learning of SAP services These lists are used for SAP filters They can also be used for Get Nearest Server GNS replies RIP access control list Restricts advertisements or learning...

Страница 251: ...IPX GNS Access Control List IPX GNS access control lists control which SAP services the SSR can reply with to a get nearest server GNS request To create an IPX GNS access control list enter the follo...

Страница 252: ...tion enter the following command in Enable mode Configuration Examples This example performs the following configuration Creates IPX interfaces Adds static RIP routes Adds static SAP entries Adds a RI...

Страница 253: ...static route to network 9 ipx add route 9 BBBBBBBB 01 02 03 04 05 06 1 1 Add static sap ipx add sap 0004 FILESERVER1 9 03 04 05 06 07 08 452 1 AAAAAAAA RIP Access List acl 100 deny ipxrip 1 2 RIP inbo...

Страница 254: ...Chapter 16 IPX Routing Configuration Guide 254 SmartSwitch Router User Reference Manual...

Страница 255: ...hrough the router This chapter contains the following sections ACL Basics on page 256 explains how ACLs are defined and how the SSR evaluates them Creating and Modifying ACLs on page 260 describes how...

Страница 256: ...istics about a packet In the example above the selection criteria are IP packets from 10 2 0 0 16 The selection criteria you can specify in an ACL rule depends on the type of ACL you are creating For...

Страница 257: ...o specify a value for another field To skip a field use the keyword any For example the following ACL rule denies SMTP traffic between any two hosts Note that in the above example the tos Type of Serv...

Страница 258: ...For a packet that doesn t match any of the user specified rules the implicit deny rule acts as a catch all rule All packets match this rule This is done for security reasons If an ACL is misconfigure...

Страница 259: ...Because of the implicit deny rule an ACL works similarly to a firewall that is elected to deny all traffic You create ACL rules that punch holes into the firewall to permit specific types of traffic...

Страница 260: ...a remote host and then upload them to the SSR with TFTP or RCP With this method you use a text editor on a remote host to edit delete replace or reorder ACL rules in a file Once the changes are made...

Страница 261: ...es and make them effective again Maintaining ACLs Using the ACL Editor In addition to the traditional method of maintaining ACLs using TFTP or RCP the SSR provides a simpler and more user friendly mec...

Страница 262: ...n does not prevent you from specifying many rules in an ACL You just have to put all of these rules into one ACL and apply it to an interface When a packet comes into the SSR at an interface where an...

Страница 263: ...t only inbound traffic to the SSR is checked Destination address and port information is ignored therefore if you are defining a Service ACL you do not need to specify destination information Note If...

Страница 264: ...age of Profile ACLs is described in more detail in the following sections Using Profile ACLs with the IP Policy Facility The IP policy facility uses a Profile ACL to define criteria that determines wh...

Страница 265: ...ied limit For example you can cause packets in flows from source address 1 2 2 2 to be dropped if their bandwidth usage exceeds 10 Mbps You use a Profile ACL to define the selection criteria in this c...

Страница 266: ...work 10 1 1 0 24 Note When a Profile ACL is defined for dynamic NAT only the source IP address field in the acl statement is evaluated All other fields in the acl statement are ignored Once you have d...

Страница 267: ...d to the cache servers Specifying characteristics of Web objects that should not be cached Redirecting HTTP Traffic to Cache Servers You can use a Profile ACL to specify which HTTP traffic should alwa...

Страница 268: ...e Web caching policy is applied to an interface information in packets originating from source address 1 2 3 4 and destined for address 10 10 10 10 is not sent to the cache servers See Web Caching on...

Страница 269: ...he SSR provides a display of ACL configurations active in the system To display ACL information enter the following commands in Enable mode Show all ACLs acl show all Show a specific ACL acl show acln...

Страница 270: ...Chapter 17 Access Control List Configuration Guide 270 SmartSwitch Router User Reference Manual...

Страница 271: ...SSR enables Layer 2 security filters Perform filtering on source or destination MAC addresses Layer 3 Access Control Lists Perform filtering on source or destination IP address source or destination T...

Страница 272: ...y enter the following commands in Configure mode Specify a RADIUS server radius set server hostname or IP addr Set the RADIUS time to wait for a RADIUS server reply radius set timeout number Determine...

Страница 273: ...ovide authentication You can configure up to five TACACS server targets on the SSR A timeout is set to tell the SSR how long to wait for a response from TACACS servers To configure TACACS security ent...

Страница 274: ...Plus time to wait for a TACACS Plus server reply tacacs plus set timeout number Determine the SSR action if no server responds tacacs plus set last resort password succeed Enable TACACS Plus tacacs pl...

Страница 275: ...ion MAC addresses in flow bridging mode Address filters are always configured and applied to the input port Port to address lock filters These filters prohibit a user connected to a locked port or set...

Страница 276: ...yer 2 Port to Address Lock Filters Port address lock filters allow you to bind or lock specific source MAC addresses to a port or set of ports Once a port is locked only the specified source MAC addre...

Страница 277: ...n use a secure port filter by itself to secure unused ports Secure port filters can be configured as source or destination port filters A secure port filter applied to a source port forces all incomin...

Страница 278: ...the following commands in Enable mode Configure a source secure port filter filters add secure port name name direction source vlan VLAN num in port list port list Configure a destination secure port...

Страница 279: ...ant is restricted access to one of the finance file servers Note that port et 1 1 should be operating in flow bridging mode for this filter to work Static Entries Example Source static entry The consu...

Страница 280: ...other ports enter the following command To allow ONLY the engineering manager access to the engineering servers you must punch a hole through the secure port wall A source static entry overrides a so...

Страница 281: ...t Layer 3 traffic going through the SSR Each ACL consists of one or more rules describing a particular type of IP or IPX traffic An ACL can be simple consisting of only one rule or complicated with ma...

Страница 282: ...Chapter 18 Security Configuration Guide 282 SmartSwitch Router User Reference Manual...

Страница 283: ...Once a packet has been identified it can be assigned into any one of four priorities in order to ensure delivery Priority can be allocated based on any combination of Layer 2 Layer 3 or Layer 4 traffi...

Страница 284: ...nsport protocol TCP or UDP and a list of incoming interfaces The IPX fields are source network source node destination network destination node source port destination port and a list of incoming inte...

Страница 285: ...nation MAC address Before applying a QoS policy to a layer 2 flow you must first determine whether a port is in address bridging mode or flow bridging mode If a port operates in address bridging mode...

Страница 286: ...u can set QoS policies for IP flows based on source IP address destination IP address source TCP UDP port destination TCP UDP port type of service TOS and transport protocol TCP or UCP You can set QoS...

Страница 287: ...3 or 4 flow and set the IPX QoS policy 2 Specify the precedence for the fields within an IPX flow Setting an IPX QoS Policy To set a QoS policy on an IPX traffic flow enter the following command in Co...

Страница 288: ...nd in Configure mode ToS Rewrite In the Internet IP packets that use different paths are subject to delays as there is little inherent knowledge of how to optimize the paths for different packets from...

Страница 289: ...command you can access the value in the ToS octet which includes both the Precedence and ToS fields in each packet The upper layer application can then decide how to handle the packet based on either...

Страница 290: ...ny and specify a value for tos rewrite then the upper three bits remain unchanged and the lower five bits are rewritten If you specify values for both tos precedence rewrite and tos rewrite then the u...

Страница 291: ...hardware Please refer to the Release Notes for details Traffic rate limiting provides the ability to control the usage of a fundamental network resource bandwidth It allows you to limit the rate of t...

Страница 292: ...umber is used to identify the order in which the profiles are applied You can define the action taken on the traffic that exceeds the upper limit either drop the packets or reset the priority of the t...

Страница 293: ...ent1 vlan add ports et 1 2 to client2 vlan add ports et 1 8 to backbone interface create ip ipclient1 vlan client1 address netmask 1 1 1 1 8 interface create ip ipclient2 vlan client2 address netmask...

Страница 294: ...Chapter 19 QoS Configuration Guide 294 SmartSwitch Router User Reference Manual...

Страница 295: ...e statistics are accessible to SNMP through RMON RMON2 and can be displayed by using the statistics show command in the CLI In addition to the monitoring commands listed you can find more monitoring c...

Страница 296: ...ow ip Show unicast routing statistics statistics show ip routing Show IPX statistics statistics show ipx Show IPX interface s statistics statistics show ipx interface Show IPX routing statistics stati...

Страница 297: ...by port basis You can only configure port mirroring for the entire WAN card Only IP ACLs can be specified for port mirroring Monitoring Broadcast Traffic The SSR allows you to monitor broadcast traff...

Страница 298: ...Chapter 20 Performance Monitoring Guide 298 SmartSwitch Router User Reference Manual...

Страница 299: ...support for both RMON 1 and RMON 2 MIBs as specified in RFCs 1757 and 2021 respectively While non RMON SNMP products allow the monitoring and control of specific network devices RMON 1 returns statis...

Страница 300: ...commands to configure and enable RMON on the SSR The next sections describe Lite Standard and Professional RMON groups and control tables ssr config show Running system configuration Last modified fro...

Страница 301: ...onfigure Lite with default tables on for ports et 1 1 8 and then configure Standard with no default tables for the same ports You cannot configure Lite on one set of ports and Standard on another set...

Страница 302: ...hosts based on a specified rate based statistic This group requires the hosts group Matrix Records statistics for source and destination address pairs Filter Specifies the type of packets to be match...

Страница 303: ...te the default control tables and then configure the appropriate control tables for the data you wish to collect Even if you use the default control tables you can always use the rmon commands to modi...

Страница 304: ...lanning RMON 1 provides layer 2 information Traffic flowing through the SSR s layer 2 ASIC is collected by RMON 1 groups RMON 2 in the SSR provides layer 3 traffic information for IP and IPX protocols...

Страница 305: ...1125 211192 ether2 ip v4 tcp 10 50 89 88 15 15 15 3 1122 210967 ether2 ip v4 tcp telnet 10 50 89 88 15 15 15 3 3 225 ether2 ip v4 tcp www http To configure the Address Map group rmon address map inde...

Страница 306: ...gure the History group rmon history index index number port port interval seconds owner string samples num status enable disable To configure the Application Layer and Network Layer Host groups rmon h...

Страница 307: ...n RMON Event group configuration with the following attributes Index number 15 to identify this entry in the Event control table The event is both logged in the Event table and an SNMP trap generated...

Страница 308: ...mmand lines in Enable mode ssr config rmon alarm index 20 variable 1 3 6 1 2 1 31 1 5 0 interval 300 startup both type absolute value rising threshold 1 falling threshold 1 rising event index 15 falli...

Страница 309: ...of information displayed with the rmon show commands An RMON CLI filter can only be applied to a current Telnet or Console session To display the RMON 2 Address Map table rmon show address map port l...

Страница 310: ...8 75196 885 114387 0 0 00001D A9815F 0 0 102 7140 0 0 00105A 08B98D 0 0 971 199960 0 0 004005 40A0CD 0 0 51 3264 0 0 006083 D65800 0 0 2190 678372 0 0 0080C8 E0F8F3 0 0 396 89818 0 0 00E063 FDD700 0 0...

Страница 311: ...t seeing the information you expected with an rmon show command or if the network management station is not collecting the desired statistics first check that the port is up Then use the rmon show sta...

Страница 312: ...t control tables may be created for all ports on the SSR Or if the RMON group is not one for which default control tables can be created you will need to configure control table entries using the appr...

Страница 313: ...To display the amount of memory that is currently allocated to RMON use the following CLI command in Enable mode Any memory allocation failures are reported The following is an example of the informat...

Страница 314: ...e 314 SmartSwitch Router User Reference Manual To set the amount of memory allocated to RMON use the following CLI command in User or Enable mode Specifies the total amount of Mbytes of memory allocat...

Страница 315: ...protocol PPP Both protocols have their own set of configuration and monitoring CLI commands described in the SmartSwitch Router Command Line Interface Reference Manual High Speed Serial Interface HSSI...

Страница 316: ...sses which are static or dynamic For PPP however the primary addresses may be dynamic or static but the secondary addresses must be static This is because the primary addresses of both the local and p...

Страница 317: ...lowing command line displays two examples for PPP Dynamic Addresses If the peer IP IPX address is unknown you do not need to specify it when creating the interface When in the Frame Relay environment...

Страница 318: ...th ends of a link must be configured to use packet compression Enabling compression on WAN serial links should be decided on a case by case basis Important factors to consider include average packet s...

Страница 319: ...mpressions in Frame Relay compression histories are always used Compression histories take advantage of data redundancy between packets In an environment with high packet loss or over subscribed links...

Страница 320: ...ow a more critical issue than ever before The fact that IP communications to the desktop are clearly the most prevalent used today has made it the protocol of choice for end to end audio video and dat...

Страница 321: ...packets with the highest priority can be allotted a sizable percentage of the available bandwidth and whisked through WAN interface s Meanwhile the remaining bandwidth is distributed for lower priori...

Страница 322: ...This eliminates the need to have direct connections between all of the remote members of a complex network such as a host of corporate satellite offices The advantage that Frame Relay offers to this...

Страница 323: ...ng in the Frame Relay protocol environment you must first define the type and location of the WAN interface Having established the type and location of your WAN interfaces you need to optionally defin...

Страница 324: ...ffic The following command line displays all of the possible attributes used to define a Frame Relay service profile Applying a Service Profile to an Active Frame Relay WAN Port Once you have created...

Страница 325: ...with a speed rating of 45 million bits per second To define the location and identity of a High Speed Serial Interface HSSI VC located at slot 4 port 1 with a DLC of 100 Suppose you wish to set up a s...

Страница 326: ...om Early Discard RED disabled RMON enabled The command line necessary to set up a service profile with the above attributes would be as follows To assign the above service profile to the VC interface...

Страница 327: ...explicit LCP or NCP frames instruct the host and or the peer router to close the link or until some external event i e user interruption or system time out takes place You can set up PPP ports on you...

Страница 328: ...alues for PPP interface configuration settings which means that setting up a PPP service profile is not absolutely necessary to begin sending and receiving PPP traffic on your SSR After you configure...

Страница 329: ...s the packets and places them in their correct sequence The following table describes the commands for configuring MLP Compression on MLP Bundles or Links Compression can be applied on either a bundle...

Страница 330: ...e and location of the WAN interface optionally set up a library of configuration settings then apply those settings to the desired interface s The following examples are designed to give you a small m...

Страница 331: ...mum allowable number of unanswered improperly answered connection termination requests before declaring the link to a peer lost set to 4 Random Early Discard disabled The number of seconds between sub...

Страница 332: ...e Multi Router WAN Configuration next port set hs 5 1 wan encapsulation frame relay speed 45000000 port set hs 5 2 wan encapsulation ppp speed 45000000 interface create ip fr1 address netmask 10 1 1 1...

Страница 333: ...ckets Video Server Win NT SmartBits IP packets 50 50 50 5 50 50 50 15 et 1 1 100 100 100 5 100 100 100 4 100 100 100 4 100 100 100 3 se 4 1 se 6 3 se 6 1 se 2 1 hs 4 2 hs 4 1 hs 7 2 hs 3 1 et 1 1 et 1...

Страница 334: ...dd ports hs 3 2 to s2 interface create ip s1 address netmask 100 100 100 1 16 vlan s1 interface create ip s2 address netmask 120 120 120 1 16 vlan s2 rip add interface all rip set interface all versio...

Страница 335: ...4 2 wan encapsulation ppp speed 45000000 frame relay create vc port se 2 1 304 frame relay create vc port hs 4 1 103 vlan create s1 id 200 interface create ip SBitsLAN address netmask 30 30 30 3 16 po...

Страница 336: ...interface all version 2 rip set interface all xmt actual enable rip set broadcast state always rip set auto summary enable rip start system set name R4 Configuration for ROUTER R5 port set se 4 1 wan...

Страница 337: ...terface create ip FRforR1toR6 address netmask 100 100 100 6 16 vlan BridgeforR1toR6 interface create ip lan1 address netmask 60 60 60 6 16 port et 15 1 vlan add ports hs 3 1 106 to BridgeforR1toR6 vla...

Страница 338: ...Chapter 22 WAN Configuration Guide 338 SmartSwitch Router User Reference Manual...

Отзывы:

Нет отзывов