Security Features

June 2004

© 2004 Foundry Networks, Inc.

15 - 53

Foundry/configure# firewall dmz
Foundry/configure/firewall dmz# object
Foundry/configure/firewall dmz/object# ftp-filter putdeny deny put mkdir
Foundry/configure/firewall dmz/object# nat-pool ftpsrvr static 10.3.1.100
Foundry/configure/firewall dmz/object# exit
Foundry/configure/firewall dmz# policy 100 in address any any 193.168.94.221 32
Foundry/configure/firewall dmz/policy 100 in# apply-object nat-pool ftpsrvr
Foundry/configure/firewall dmz/policy 100 in# apply-object ftp-filter putdeny
Foundry/configure/firewall dmz/policy 100 in# exit
Foundry/configure/firewall dmz# exit

Step 8: Verify the firewall policy for Security Zone DMZ:

Foundry/configure# show firewall policy dmz
Advanced: S - Self Traffic, F - Ftp-Filter, H - Http-Filter,
          R - Rpc-Filter, N - Nat-Ip/Nat-Pool, L - Logging,
          E - Policy Enabled, M - Smtp-Filter

Pri  Dir Source Addr        Destination Addr   Sport Dport Proto Action Advanced
---  --- -----------        ----------------   ----------------- ------ --------
100  in  any                193.168.94.221/32  any   any   any   PERMIT FNE
1022 out any                any                any   any   any   PERMIT SE
1023 in  any                any                any   any   any   PERMIT SE
1024 out any                any                any   any   any   PERMIT E

Step 9: Verify that the FTP filter objects for Security Zone DMZ are created as configured:

Foundry/configure# show firewall object ftp-filter dmz

Object Name     Action Log Commands
-----------     ------ --- --------
putdeny         deny   no  put mkdir

Foundry/configure#

Step 10: Create a default route out of the WAN:

Foundry/configure# ip route 0.0.0.0 0 wan
Foundry/configure#
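The Step 8 and Step 9 checks can also be scripted. The following is an added example, not part of the Foundry guide: it parses the two show outputs printed above, decodes the Advanced flag letters using the legend, and reports anything that differs from the configured DMZ policy. The function names are hypothetical, and the sample text is copied from this page.

```python
import re

# Flag legend from the "Advanced:" header of `show firewall policy`.
ADVANCED_FLAGS = {
    "S": "Self Traffic", "F": "Ftp-Filter", "H": "Http-Filter",
    "R": "Rpc-Filter", "N": "Nat-Ip/Nat-Pool", "L": "Logging",
    "E": "Policy Enabled", "M": "Smtp-Filter",
}

# Output of `show firewall policy dmz` as printed in Step 8.
SAMPLE_POLICY = """\
Advanced: S - Self Traffic, F - Ftp-Filter, H - Http-Filter,
          R - Rpc-Filter, N - Nat-Ip/Nat-Pool, L - Logging,
          E - Policy Enabled, M - Smtp-Filter

Pri  Dir Source Addr        Destination Addr   Sport Dport Proto Action Advanced
---  --- -----------        ----------------   ----------------- ------ --------
100  in  any                193.168.94.221/32  any   any   any   PERMIT FNE
1022 out any                any                any   any   any   PERMIT SE
1023 in  any                any                any   any   any   PERMIT SE
1024 out any                any                any   any   any   PERMIT E
"""

# Output of `show firewall object ftp-filter dmz` as printed in Step 9.
SAMPLE_FILTER = """\
Object Name     Action Log Commands
-----------     ------ --- --------
putdeny         deny   no  put mkdir
"""

ROW = re.compile(
    r"^(?P<pri>\d+)\s+(?P<dir>in|out)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+"
    r"(?P<sport>\S+)\s+(?P<dport>\S+)\s+(?P<proto>\S+)\s+"
    r"(?P<action>[A-Z]+)(?:\s+(?P<adv>[A-Z]+))?\s*$"
)


def parse_policies(text):
    """Return one dict per policy row; flag letters are decoded to names."""
    policies = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue  # legend, header, separator or prompt line
        row = m.groupdict()
        letters = row.pop("adv") or ""
        unknown = [c for c in letters if c not in ADVANCED_FLAGS]
        if unknown:
            raise ValueError(f"unknown Advanced flag(s) {unknown} in: {line}")
        row["pri"] = int(row["pri"])
        row["flags"] = [ADVANCED_FLAGS[c] for c in letters]
        policies.append(row)
    return policies


def parse_ftp_filters(text):
    """Return {object name: {"action", "log", "commands"}}."""
    filters = {}
    for line in text.splitlines():
        fields = line.split()
        # Skip blanks, the header, the dashed separator and CLI prompt lines.
        if len(fields) < 3 or "#" in line or line.startswith(("Object", "-")):
            continue
        name, action, log, *commands = fields
        filters[name] = {"action": action, "log": log, "commands": commands}
    return filters


def verify_dmz(policy_text, filter_text):
    """Compare the show output with the configuration entered on this page."""
    problems = []
    by_key = {(p["pri"], p["dir"]): p for p in parse_policies(policy_text)}
    pol = by_key.get((100, "in"))
    if pol is None:
        problems.append("policy 100 in is missing")
    else:
        if pol["dst"] != "193.168.94.221/32":
            problems.append(f"policy 100 in has destination {pol['dst']}")
        if pol["action"] != "PERMIT":
            problems.append(f"policy 100 in action is {pol['action']}")
        # apply-object ftp-filter -> F, apply-object nat-pool -> N, enabled -> E
        for letter in "FNE":
            if ADVANCED_FLAGS[letter] not in pol["flags"]:
                problems.append(f"policy 100 in lacks {ADVANCED_FLAGS[letter]}")
    flt = parse_ftp_filters(filter_text).get("putdeny")
    if flt is None:
        problems.append("ftp-filter putdeny is missing")
    else:
        if flt["action"] != "deny":
            problems.append(f"putdeny action is {flt['action']}")
        if set(flt["commands"]) != {"put", "mkdir"}:
            problems.append(f"putdeny covers {flt['commands']}")
    return problems


if __name__ == "__main__":
    for finding in verify_dmz(SAMPLE_POLICY, SAMPLE_FILTER) or ["DMZ matches"]:
        print(finding)
```

An empty list from `verify_dmz` means the output matches what was configured; a missing F, N or E on policy 100 shows that the corresponding `apply-object` line did not take effect or that the policy is disabled.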

Содержание AR1202

Страница 1: ...ry Networks Inc Foundry AR Series Router User Guide For AR1202 AR1204 AR1208 AR1216 AR3201 CH CL and AR3202 CH CL Routers 2100 Gold Street P O Box 649100 San Jose CA 95164 9100 Tel 408 586 1700 Fax 40...

Страница 2: ...roperty of Foundry or other third parties You are not permitted to use these Marks without the prior written consent of Foundry or such appropriate third party Foundry Networks BigIron FastIron IronVi...

Страница 3: ...GET HELP 1 5 WEB ACCESS 1 5 EMAIL ACCESS 1 5 TELEPHONE ACCESS 1 5 WARRANTY COVERAGE 1 5 CHAPTER 2 COMMAND LINE INTERFACE 2 1 COMMAND TYPES 2 1 CONTEXT SENSITIVE COMMANDS 2 1 COMMAND CONVENTIONS 2 2 A...

Страница 4: ...IGURE POLICY ROUTE_MAP SET AS_PATH 3 15 CONFIGURE POLICY ROUTE_MAP SET COMMUNITY 3 16 CONFIGURE POLICY ROUTE_MAP SET DISTANCE 3 17 CONFIGURE POLICY ROUTE_MAP SET LOCAL_PREFERENCE 3 18 CONFIGURE POLICY...

Страница 5: ...IGHBOR DESCRIPTION 7 19 CONFIGURE ROUTER BGP NEIGHBOR DISTRIBUTE_LIST 7 20 CONFIGURE ROUTER BGP NEIGHBOR EBGP_MULTIHOP 7 21 CONFIGURE ROUTER BGP NEIGHBOR FILTER_LIST 7 22 CONFIGURE ROUTER BGP NEIGHBOR...

Страница 6: ...IRTUAL_LINK AUTHENTICATION 9 14 CONFIGURE ROUTER OSPF AREA VIRTUAL_LINK DEAD_INTERVAL 9 15 CONFIGURE ROUTER OSPF AREA VIRTUAL_LINK HELLO_INTERVAL 9 16 CONFIGURE ROUTER OSPF AREA VIRTUAL_LINK RETRANSMI...

Страница 7: ...HOW IP OSPF GLOBAL 10 13 SHOW IP OSPF INTERFACE 10 14 SHOW IP OSPF INTERFACE ALL 10 15 SHOW IP OSPF INTERFACE BUNDLE 10 16 SHOW IP OSPF INTERFACE ETHERNET 10 17 SHOW IP OSPF NEIGHBOR 10 18 SHOW IP OSP...

Страница 8: ...2 CONFIGURE ROUTER RIP TIMERS HOLDDOWN 11 23 CONFIGURE ROUTER RIP TIMERS UPDATE 11 24 CHAPTER 12 RIP SHOW COMMANDS 12 1 SHOW IP RIP 12 2 SHOW IP RIP GLOBAL 12 3 SHOW IP RIP INTERFACE 12 4 SHOW IP RIP...

Страница 9: ...XAMPLE 3 JOINING TWO NETWORKS WITH AN IPSEC TUNNEL USING MULTIPLE IPSEC PROPOSALS 15 19 EXAMPLE 4 SUPPORTING REMOTE USER ACCESS 15 28 EXAMPLE 5 CONFIGURING IPSEC REMOTE ACCESS TO CORPORATE LAN WITH MO...

Страница 10: ...BGP4 PIM and VRRP Nomenclature This guide uses the following typographical conventions to show information Italic highlights the title of another publication and occasionally emphasizes a word or phr...

Страница 11: ...o assist users with the initial installation and deployment of Foundry rack mounted routers The guide provides a brief overview of the installation and initial configuration processes Foundry AR Serie...

Страница 12: ...Multicast PIM SM PIM SSM IGMP v2 v3 High Availability VRRP BGP4 Multi homing Bundle Tracking MLPPP Bundle Thresholding LAN Interface Load Sharing with Failover Security Management Stateful Packet Insp...

Страница 13: ...nagement RED DiffServ Class based Queuing per IP address Flow VLAN tag Application port Frame Relay traffic shaping and policing VLAN 802 1P 8 queue prioritization of VLAN frames Service Provisioning...

Страница 14: ...cal requests can also be sent to the following email address support foundrynet com Telephone Access 1 877 TURBOCALL 887 2622 United States 1 408 586 1881 Outside the United States Warranty Coverage C...

Страница 15: ...Foundry AR Series Router User Guide 1 6 2004 Foundry Networks Inc June 2004...

Страница 16: ...es the bundle dallas Standard commands are used to configure the system Following each standard command is a brief description a list of parameters and definitions a syntax and usage example a list of...

Страница 17: ...ng enclosed in the angled brackets Example 1 Normal type only In this example the user enters the word or argument module appearing in the syntax in normal type Syntax module Command execution module...

Страница 18: ...1000 diff 100 dis 10 1 100 22 a b c Normal brackets indicate optional keywords or arguments A vertical bar separates individual settings Example In this example the user enters the word timeout must...

Страница 19: ...back several commands type Ctrl P repeatedly until the desired previous command appears Or you may go directly back to the main CLI prompt from anywhere in the command hierarchy by typing Ctrl Z Figu...

Страница 20: ...Question Mark Help Screen To view help information for a command category specific command or a parameter type the associated word followed by a space and a question mark For example if you type a que...

Страница 21: ...other network hosts access to the save commands from anywhere in the CLI ensures that your configurations may be saved periodically NAME xcli This is root and not a command SYNTAX COMMANDS cr DESCRIPT...

Страница 22: ...on feature is not currently available for global commands show configuration Select type of configuration Hit Tab dir CONTENTS OF flash1 size date time name 6467513 FEB 04 2004 13 51 22 AR0x_ x 677126...

Страница 23: ...Foundry AR Series Router User Guide 2 8 2004 Foundry Networks Inc June 2004...

Страница 24: ...ides information about routing policy commands that are supported by Foundry configure policy This command provides access to the next level commands related commands configure policy as_path configur...

Страница 25: ...on It is an integer ranging from 0 to 65536 the Foundry regular expression matcher is AS number based Any number of AS path access list lines may be declared They are evaluated in the order declared I...

Страница 26: ...es as well If the exact match keyword is used then it must contai8n exactly the same communities as listed The communities parameter can be local_as no_advertise no_export aa nn an integer between 0 a...

Страница 27: ...list extended_community 100 1 deny community 44 45 local_as aa_nn 400 500 no_advertise applicable systems All models community_list Extended community list number The range is 100 199 community_index...

Страница 28: ...55 232592 no_advertise example Foundry AR1208 configure policy community_list standard_community 90 150 permit community 42949672 no_advertise applicable systems All models community_list Extended com...

Страница 29: ...matched in a similar fashion That is the route is matched if the address part matches and the bits in the mask that are not covered by one bits in net mask are equal to the corresponding bits in mask...

Страница 30: ...works Inc 3 7 example Foundry AR1208 configure policy ip_access_list 1 1 permit network 10 0 0 0 netmask 0 255 255 255 mask 255 0 0 0 maskmask 0 255 255 255 This example restricts the prefixes to 10 0...

Страница 31: ...s if one of its deny clauses matches Matching proceeds sequentially and stops at the first match If the route_map succeeds the actions specified by the set statements in the matched clause are perform...

Страница 32: ...Policy Commands June 2004 2004 Foundry Networks Inc 3 9 related commands applicable systems All models configure policy route_map commit configure policy route_map match configure policy route_map set...

Страница 33: ...configure policy route_map match This command accesses next level commands for configuring the policy for matching parameters of the routes related commands configure policy route_map match as_path co...

Страница 34: ...ess lists Parameter Description syntax no policy match as_path path_list n example Foundry AR1208 configure policy route_map Block100 1 match as_path 1 related commands applicable systems All models p...

Страница 35: ...h community This command matches any of the specified BGP community lists syntax no policy match community example Foundry AR1208 configure policy route_map Block100 1 match community related commands...

Страница 36: ...e prefix against any of the specified IP access lists Parameter Description syntax no match ip ip_address ip_list n example Foundry AR1208 configure policy route_map Block100 1 match ip ip_address 20...

Страница 37: ...el commands to set parameters for the routes related commands configure policy route_map set as_path configure policy route_map set community configure policy route_map set distance configure policy r...

Страница 38: ...0 1 set as_path prepend 100 250 tag 0 related commands applicable systems All models prepend AS path access list Enter a list of numbers The range is 1 65535 the maximum list size is 32 tag Set tag as...

Страница 39: ...le Foundry AR1208 configure policy route_map Block100 1 set community aa nn 500 60 related commands applicable systems All models number Community number unsigned The range is 1 4294967294 The maximum...

Страница 40: ...xample Foundry AR1208 configure policy route_map Block100 1 set distance 20 related commands applicable systems All models distance Default preference value The range is 0 255 configure policy route_m...

Страница 41: ...cal_preference n example Foundry 1450configure policy route_map Block100 1 set local_preference 50 related commands applicable systems All models local_preference Preference value The range is 1 42929...

Страница 42: ...c n example Foundry AR1208 configure policy route_map Block100 1 set metric 120 related commands applicable systems All models metric Metric value The range is 1 4294967294 configure policy route_map...

Страница 43: ...ample Foundry AR1208 configure policy route_map Block100 1 set metric_type internal related commands applicable systems All models type Internal internal Use the IGP metric as the MED for BGP configur...

Страница 44: ...syntax no set origin origin egp igp incomplete example Foundry AR1208 configure policy route_map Block100 1 set origin igp applicable systems All models related commands origin egp EGP protocol igp IG...

Страница 45: ...Foundry AR Series Router User Guide 3 22 2004 Foundry Networks Inc June 2004...

Страница 46: ...ms that a route goes through to reach its destination Loops are detected and avoided by checking for your own AS number in the AS path s received from neighboring autonomous systems Every time a BGP p...

Страница 47: ...This eases interoperation with Exterior Gateway Protocols EGPs which can tag OSPF routes with AS numbers Meshed networks OSPF provides the ability to support complex meshed networks The following feat...

Страница 48: ...f RIP The network path is limited to 15 hops A destination with a greater number of hops is considered unreachable The time required to determine a next hop and bandwidth could be substantial in a lar...

Страница 49: ...clearly defined perimeter inside secure building and locked equipment closets Increasingly companies have a need to provide remote access to their corporate resources for the employees on the move Tra...

Страница 50: ...commands to clear bgp configuration settings clear ip bgp This command provides access to the following next level commands syntax clear ip bgp related commands example Foundry AR1208 clear ip bgp app...

Страница 51: ...undry Networks Inc June 2004 clear ip bgp all This command removes all BGP neighbor connections syntax clear ip bgp all example Foundry AR1208 clear ip bgp all related commands applicable systems All...

Страница 52: ...GP group Parameter Description syntax clear ip bgp group group_name name example Foundry AR1208 clear ip bgp group north In this example all BGP connections that belong to neighbor group north will be...

Страница 53: ...ax clear ip bgp neighbor ip_address IP address remote_as n example Foundry AR1208 clear ip bgp neighbor 10 1 1 1 200 related commands applicable systems All models ip_address The IP address of the nei...

Страница 54: ...is chapter contains routing commands that are not protocol specific These commands can be used interchangeably with the three routing protocols supported by Foundry configure router This command provi...

Страница 55: ...04 Foundry Networks Inc June 2004 configure router routerid This command configures a router for routing operation syntax no router routerid IP address example Foundry AR1208 configure router routerid...

Страница 56: ...the network mask network Network IP address Enter an IP address mask Network mask Enter a netmask address protocol all All protocols bgp Border Gateway protocol BGP connected Connected routes ospf Op...

Страница 57: ...ted ip routes issue the show ip routes connected command example To display static routes issue the show ip routes static command example To display RIP routes issue the show ip routes rip command exa...

Страница 58: ...commands listed below Parameter Description syntax no router bgp as_number n example Foundry AR1208 configure router bgp 10 related commands applicable systems All models as_number The number of an a...

Страница 59: ...and the AS path is truncated when the aggregate is formed generate_summary_only summary_only Filters more specific routes from updates Suppresses transmission of any contributing routes if an aggrega...

Страница 60: ...gure Commands June 2004 2004 Foundry Networks Inc 7 3 applicable systems All models configure router bgp default_metric configure router bgp group configure router bgp neighbor configure router bgp re...

Страница 61: ...is done on paths within the same autonomous system This command allows the comparison to be made for paths received from other autonomous systems syntax no always_compare_med example Foundry AR1208 c...

Страница 62: ...stributed routes Parameter Description syntax no default_metric default_metric n example Foundry AR1208 configure router bgp 10 default_metric 2000 related commands applicable systems All models defau...

Страница 63: ...e Distance Values How Route is Learned Default Preferenc e Command to Modify Default Preference Directly connected network 0 Not configurable Static 1 Not configurable OSPF non external route 10 confi...

Страница 64: ...ription syntax no group name name group_type external external_rt internal internal_ rt example Foundry AR1208 configure router bgp 10 group toronto internal related commands applicable systems All mo...

Страница 65: ..._option out example Foundry AR1208 configure router bgp 10 group toronto internal distribute_list 101 out related commands applicable systems All models access_list IP access list number The range is...

Страница 66: ...out example Foundry AR1208 configure router bgp 10 group toronto internal filter_list 103 out related commands applicable systems All models access list AS path access list The range is 1 199 filter_...

Страница 67: ...ll peers in the group syntax next_hop_self example Foundry AR1208 configure router bgp 10 group blue external next_hop_self related commands applicable systems All models configure router bgp group di...

Страница 68: ...word md5_password string example Foundry AR1208 configure router bgp 10 group toronto internal password rt56htd related commands applicable systems All models md5_password TCP MD5 password string for...

Страница 69: ...that are sent out syntax no remove_private_AS example Foundry AR1208 configure router bgp 10 group toronto internal remove_private_AS related commands applicable systems All models configure router b...

Страница 70: ...e_map route_map name route_map_options out example Foundry AR1208 configure router bgp 10 group toronto internal route_map foo out related commands applicable systems All models route_map Route map na...

Страница 71: ...p neighbor default_originate configure router bgp neighbor description configure router bgp neighbor distribute_list configure router bgp neighbor ebgp_multihop configure router bgp neighbor filter_li...

Страница 72: ...BGP4 Configure Commands June 2004 2004 Foundry Networks Inc 7 15 applicable systems All models configure router bgp redistribute...

Страница 73: ...d configures the minimum time interval for sending BGP route updates Parameter Description syntax no advertisement_interval advertisement_interval n example Foundry AR1208 configure router bgp 10 neig...

Страница 74: ...bgp neighbor allowbadid This command permits BGP sessions to be established with routers that represent their router ID as 0 0 0 0 or 255 255 255 255 syntax no allowbadid example Foundry AR1208 config...

Страница 75: ...hbor default_originate This command sends the default route to the neighbor Parameter Description syntax no default_originate route_map name example Foundry AR1208 configure router bgp 10 neighbor 101...

Страница 76: ...This command describes or identifies a neighbor router Parameter Description syntax no description neighbor_description string example Foundry AR1208 configure router bgp 10 neighbor 101 101 1 2 4 des...

Страница 77: ...gures filter updates to or from this neighbor Parameter Description syntax no distribute_list access_list n filter_option in example Foundry AR1208 configure router bgp 10 neighbor 101 101 1 2 4 distr...

Страница 78: ...tworks Inc 7 21 configure router bgp neighbor ebgp_multihop This command configures multihop EBGP on a neighbor syntax no ebgp_multihop example Foundry AR1208 configure router bgp 10 neighbor 101 101...

Страница 79: ...command configures BGP filters Parameter Description syntax no filter_list access_list n access_list_option in example Foundry AR1208 configure router bgp 10 neighbor 101 101 1 2 4 filter_list 103 in...

Страница 80: ...p This command configures neighbor route storage options Parameter Description syntax keep keep_option all none example Foundry AR1208 configure router bgp 10 neighbor 10 10 20 1 2 keep all applicable...

Страница 81: ...June 2004 configure router bgp neighbor logupdown This command configures logging of established state transition changes of a neighbor syntax no logupdown example Foundry AR1208 configure router bgp...

Страница 82: ...utes to be accepted If the neighbor sends more prefixes than are configured the connection to this neighbor will be broken Parameter Description syntax maximum_prefix prefix_number n example Foundry A...

Страница 83: ...ighbor_group This command configures a neighbor to a specific group Parameter Description syntax no neighbor_group neighbor_group name example Foundry AR1208 configure router bgp 10 neighbor 101 101 1...

Страница 84: ...s Inc 7 27 configure router bgp neighbor next_hop_self This command disables the next hop calculation for this neighbor syntax next_hop_self example Foundry AR1208 configure router bgp 10 neighbor 10...

Страница 85: ...ord This command configures a password for md5 authentication Parameter Description syntax md5_password string example Foundry AR1208 configure router bgp 10 neighbor 10 10 20 1 2 md5_password asdf ap...

Страница 86: ...under the group tree for applying route_map to a group of neighbors in the outbound direction Parameter Description syntax no route_map route_map name route_map_options in example Foundry AR1208 confi...

Страница 87: ...timers for a neighbor peer The holdtime timer value is calculated as three times the value of the keepalive timer Parameter Description syntax no timers keepalive n example Foundry AR1208 configure ro...

Страница 88: ...GP TCP connections for a specified neighbor as the IP address specified instead of the IP address of a physical interface This address will be used as the source address for routing updates syntax no...

Страница 89: ...s exported some protocols may provide additional policy features that allow the suppression of protocol routes related commands related commands configure router bgp redistribute connected configure r...

Страница 90: ...o redistribute connected metric n route_map name example Foundry AR1208 configure router bgp 10 redistribute connected metric 5000 related commands applicable systems All models metric Default metric...

Страница 91: ...tion syntax no redistribute ospf metric n route_map name example Foundry AR1208 configure router bgp 10 redistribute ospf metric AR1208 related commands applicable systems All models metric The defaul...

Страница 92: ...no redistribute rip metric n route_map name example Foundry AR1208 configure router bgp 10 redistribute rip route_map east8 related commands applicable systems All models metric The default metric The...

Страница 93: ...iption syntax no redistribute static metric n route_map name example Foundry AR1208 configure router bgp 10 redistribute static metric 25 related commands applicable systems All models metric The defa...

Страница 94: ...NOTE The CLI commands show and display can be used interchangeably show ip bgp This command accesses the following next level display show commands related commands show ip bgp aggregate_address show...

Страница 95: ...f configured aggregate addresses Parameter Description syntax show ip bgp aggregate_address address IP address mask subnet mask example Foundry AR1208 show ip bgp aggregate_address address 100 12 23 0...

Страница 96: ...p bgp community aa nn 0 999 number Community number enter a list of unsigned numbers The maximum list size is 10 The range is 1 4294967294 aa nn Community number in aa nn format Enter a list of string...

Страница 97: ...nd Origin Codes Status codes valid The table entry is valid best The table entry is the best entry to use for that network i internal The table entry was learned via an internal BGP session Origin cod...

Страница 98: ...June 2004 2004 Foundry Networks Inc 8 5 show ip bgp groups This command provides information about BGP groups syntax show ip bgp groups name example Foundry AR1208 show ip bgp groups north applicable...

Страница 99: ...d transmit updates BGP state status TCP connection active or inactive Parameter Description syntax show ip bgp neighbors group name address IP address routes advertised_routes received_routes example...

Страница 100: ...local AS The local AS number of the neighbor link Identifies the link as internal or external BGP version Identifies the BGP version local router ID BGP identifier of the local router remote router ID...

Страница 101: ...8 2004 Foundry Networks Inc June 2004 applicable systems All models updates Number of sent BGP updates Maximum prefixes The maximum number of prefixes that can be received from this neighbor Table 8 3...

Страница 102: ...plicable systems All models Table 2 Interpreting BGP Paths term hash An area where path IP addresses are stored refcount The number of routes using a specific path path The AS path and origin for that...

Страница 103: ...his command displays routes matching the regular expression Parameter Description syntax show ip bgp regexp reg_exp string example Foundry AR1208 show ip bgp regexp 600 applicable systems All models r...

Страница 104: ...p bgp summary applicable systems All models Table 8 4 Header Definitions BGP router identifier The local router ID IP address local AS number The local AS number V BGP version spoken by a specific nei...

Страница 105: ...e table syntax show ip bgp table example Foundry AR1208 show ip bgp table applicable systems All models Table 8 5 Status and Origin Codes Status codes valid The table entry is valid i internal The tab...

Страница 106: ...Foundry Networks Inc 8 13 show policy This command provides access to the following next level policy display commands related commands show policy as_path show policy community_list show policy ip_a...

Страница 107: ...n syntax show policy as_path access_list n example Foundry AR1208 show policy as_path related commands applicable systems All models access_list The access list number The range is 1 199 show policy c...

Страница 108: ...on syntax show policy community_list community n example Foundry AR1208 show policy community_list related commands applicable systems All models community The community list number The range is 1 199...

Страница 109: ...dry 1450 show policy ip_access_list related commands applicable systems All models number IP access list number The range is 1 99 show policy as_path show policy community_list show policy route_map s...

Страница 110: ...tax show policy route_map name example Foundry AR1208 show policy route_map related commands applicable systems All models name The name of the route map show policy as_path show policy community_list...

Страница 111: ...Foundry AR Series Router User Guide 8 18 2004 Foundry Networks Inc June 2004...

Страница 112: ...mismatch even though the adjacency will come up route reachability issues may develop When the IP address is specified for a bundle and you later want to change the network type on that bundle to broa...

Страница 113: ...outing syntax router ospf example Foundry AR1208 configure router ospf related commands applicable systems All models configure router ospf 1583Compatability configure router ospf area configure route...

Страница 114: ...f all routers in an OSPF domain should be configured the same The default is 1583Compatibility disabled syntax 1583Compatibility example Foundry AR1208 configure router ospf 1583Compatibility related...

Страница 115: ...ed commands applicable systems All models area_id OSPF area id Enter either a decimal number or an IP address configure router ospf area area_type configure router ospf area default_cost configure rou...

Страница 116: ...el commands for configuring an area type related commands related commands applicable systems All models configure router ospf area area_type normal configure router ospf area area_type nssa configure...

Страница 117: ...area area_type normal This command specifies an area area type as normal syntax area_type normal example Foundry AR1208 configure router ospf area 0 area_type normal related commands applicable syste...

Страница 118: ...n area type as nssa not so stubby area syntax area_type nssa example Foundry AR1208 configure router ospf area 1 area_type nssa related commands related commands applicable systems All models configur...

Страница 119: ...ure router ospf area area_type nssa no_summary This command prevents an nssa area boundary router from sending summary link advertisements into an nssa area syntax no_summary example Foundry AR1208 co...

Страница 120: ...external advertisements Stub areas reduce the amount of memory required on stub area routers syntax no area_type stub example Foundry AR1208 configure router ospf area 1 area_type stub related command...

Страница 121: ...igure router ospf area area_type stub no_summary This command prevents an area boundary router from sending summary link advertisements into the stub area syntax no_summary example Foundry AR1208 conf...

Страница 122: ...te sent into a stub area Parameter Description syntax default_cost n example Foundry AR1208 configure router ospf area 1 default_cost 10 related commands applicable systems All models default_cost Ent...

Страница 123: ...range networknumber IP address mask netmask advertise_enum advertise not_advertise example Foundry AR1208 configure router ospf area 0 range 100 1 0 0 255 255 0 0 advertise related commands applicable...

Страница 124: ...ID and the virtual link neighbor s router ID Parameter Description syntax no virtual_link IP address example Foundry AR1208 configure router ospf area 1 virtual_link 100 10 1 5 related commands appli...

Страница 125: ...dry AR1208 configure router ospf area 1 virtual_link 100 10 1 5 authentication simple Foundry related commands applicable systems All models authentication type simple Uses a text password that is imb...

Страница 126: ...example Foundry AR1208 configure router opsf area 1 virtual_link 100 10 1 5 dead_interval 10 related commands applicable systems All models dead_interval The time in seconds The value configured must...

Страница 127: ...ter ospf area 1 virtual_link 100 10 1 5 hello_interval 10 related commands applicable systems All models hello_interval The time in seconds The value configured must be the same for all routers and se...

Страница 128: ...1208 configure router ospf area 1 virtual_link 100 10 1 5 retransmit_interval 5 related commands applicable systems All models retransmit_interval The time in seconds The configured value must be grea...

Страница 129: ...f area 1 virtual_link 100 10 1 5 transmit_delay 1 related commands applicable systems All models transmit_delay The time in seconds Link state advertisements in the update packet are aged by this amou...

Страница 130: ...ds to configure OSPF administrative distances for routes related commands related commands applicable systems All models configure router ospf distance ospf configure router ospf 1583Compatability con...

Страница 131: ...figure router ospf distance ospf This command accesses next level commands that configure OSPF administrative distances based on route type related commands applicable systems All models configure rou...

Страница 132: ...range is 1 255 the default is 150 Table 9 1 Default Route Preference Administrative Distance Values How Route is Learned Default Preference Command to Modify Default Preference Directly connected net...

Страница 133: ...intra area routes The range is 1 255 the default is 10 Table 9 2 Default Route Preference Administrative Distance Values How Route is Learned Default Preference Command to Modify Default Preference D...

Страница 134: ...r frame relay use The range is 16 1022 there is no default area_id OSPF area ID Enter either a decimal number or an IP address configure router ospf 1583Compatibility configure router ospf area config...

Страница 135: ...ation type simple Simple password authentication md5 MD5 authentication md5_cisco Cisco compatible md5 authentication line A 16 character maximum password string beginning with an alpha character conf...

Страница 136: ...cost of sending packets on a particular OSPF interface The range is 1 65535 the default is computed based on the interface bandwidth configure router ospf interface authentication configure router os...

Страница 137: ...x no dead_interval n example Foundry AR1208 configure router ospf interface dead_interval 50 related commands applicable systems All models dead_interval Time in seconds The range is 1 65535 the defau...

Страница 138: ...ello_interval 30 related commands applicable systems All models hello_interval Time in seconds The default is 10 the range is 1 65535 configure router ospf interface authentication configure router os...

Страница 139: ...ds applicable systems All models ip address The IP address of the neighbor router priority Sets the router priority for a non broadcast neighbor The range is 0 255 the default is 1 configure router os...

Страница 140: ...cast related commands interface type network type default PPP HDLC point to point Ethernet broadcast Frame Relay point to point network type broadcast Configures network type to broadcast multi access...

Page 141: ...Foundry AR Series Router User Guide 9 30 2004 Foundry Networks Inc June 2004 applicable systems All models...

Page 142: ...ospf interface toBoston poll_interval 15 related commands applicable systems All models poll_interval The time in seconds The range is 0 2147483647 the default is 120 configure router ospf interface...

Page 143: ...nds applicable systems All models priority Number that specifies the router priority This is only used in non point to point networks The range is 0 255 the default is 1 configure router ospf interfac...

Page 144: ...ndry AR1208 configure router ospf interface toBoston retransmit_interval 60 related commands applicable systems All models seconds Time in seconds between retransmission It must be conservatively set...

Page 145: ...related commands applicable systems All models seconds Time in seconds Usage of this command is most appropriate for low speed links The range is 1 65535 the default is 1 configure router ospf interfa...

Page 146: ...1208 configure router ospf redistribute related commands related commands applicable systems All models configure router ospf redistribute bgp configure router ospf redistribute connected configure ro...

Page 147: ...tag n example Foundry AR1208 configure router ospf redistribute bgp as_number 10 related commands applicable systems All models as_number Autonomous system number The range is 1 65535 metric OSPF def...

Page 148: ...metric n metric_type n route_map name tag n example Foundry AR1208 configure router ospf redistribute connected related commands applicable systems All models metric OSPF default metric The range is 0...

Page 149: ...metric_type n route_map name tag n example Foundry AR1208 configure router ospf redistribute rip related commands applicable systems All models metric OSPF default metric The range is 0 16777214 the...

Page 150: ...tric_type n route_map name tag n example Foundry AR1208 configure router ospf redistribute static related commands applicable systems All models metric OSPF default metric The range is 1 16777214 the...

Page 151: ...tiple high bandwidth links Parameter Description syntax ref_bw n example Foundry AR1208 configure router ospf ref_bw 100000 related commands applicable systems All models reference_bandwidth Reference...

Page 152: ..._delay 20 related commands applicable systems All models timers spf_delay Delay between receiving a change to the SPF calculation The range is 1 65535 the default is 5 spf_holdtime The hold time betwe...

Page 154: ...how and display can be used interchangeably show ip ospf area This command displays configuration information about an OSPF area Parameter Description syntax area area_id example Foundry AR1208 show i...

Page 155: ...undry Networks Inc June 2004 related commands applicable systems All models show ip ospf global show ip ospf database show ip ospf interface show ip ospf neighbor show ip ospf retransmission_list show...

Page 156: ...stems All models show ip ospf database all show ip ospf database asbr_summary show ip ospf database database_summary show ip ospf database external show ip ospf database network show ip ospf database...

Page 157: ...related commands applicable systems All models area_id OSPF area ID Enter either a decimal number or an IP address advt_rtr OSPF advertisement router Enter an IP address link_id OSPF link state ID En...

Page 158: ...how ip ospf database asbr_summary related commands applicable systems All models area_id OSPF area ID Enter either a decimal number or an IP address advt_rtr OSPF advertisement router Enter an IP addr...

Page 159: ...pf database database_summary related commands applicable systems All models show ip ospf database all show ip ospf database asbr_summary show ip ospf database external show ip ospf database network sh...

Page 160: ...show ip ospf database external related commands applicable systems All models area_id OSPF area ID Enter either a decimal number or an IP address advt_rtr OSPF advertisement router Enter an IP address...

Page 161: ...08 show ip ospf database network related commands applicable systems All models area_id OSPF area ID Enter either a decimal number or an IP address advt_rtr OSPF advertisement router Enter an IP addre...

Page 162: ...08 show ip ospf database nssa_external related commands applicable systems All models area_id OSPF area ID Enter either a decimal number or an IP address advt_rtr OSPF advertisement router Enter an IP...

Page 163: ...stems All models area_id OSPF area ID Enter either a decimal number or an IP address advt_rtr OSPF advertisement router Enter an IP address link_id OSPF link state ID Enter an IP address show ip ospf...

Page 164: ...08 show ip ospf database self_originate related commands applicable systems All models area_id OSPF area ID Enter either a decimal number or an IP address show ip ospf database all show ip ospf databa...

Page 165: ...AR1208 show ip ospf database summary related commands applicable systems All models area_id OSPF area ID Enter either a decimal number or an IP address advt_rtr OSPF advertisement router Enter an IP...

Page 166: ...show ip ospf interface show ip ospf neighbor show ip ospf retransmission_list show ip ospf request_list show ip ospf virtual_links show ip ospf global Routing Process ospf 30583 with ID 10 1 1 1 It i...

Page 167: ...erfaces syntax interface example Foundry AR1208 show ip ospf interface related commands related commands applicable systems All models show ip ospf interface all show ip ospf interface bundle show ip...

Page 168: ...terface all This command displays configuration information about all configured OSPF interfaces syntax interface all example Foundry AR1208 show ip ospf interface all related commands applicable syst...

Page 169: ...pf interface bundle This command displays configuration information about an OSPF bundle syntax interface bundle name pvc n example Foundry AR1208 show ip ospf interface bundle Boise related commands...

Page 170: ...ce ethernet This command displays OSPF configuration information about an Ethernet interface syntax interface ethernet n example Foundry AR1208 show ip ospf interface ethernet 1 related commands appli...

Page 171: ...rs syntax neighbor example Foundry AR1208 show ip ospf neighbor related commands related commands applicable systems All models show ip ospf neighbor detail show ip ospf neighbor id show ip ospf neigh...

Page 172: ...This command displays detailed OSPF configuration information about all neighbors syntax neighbor detail example Foundry AR1208 show ip ospf neighbor detail related commands applicable systems All mo...

Page 173: ...This command displays OSPF configuration information about a specific neighbor syntax neighbor id IP address example Foundry AR1208 show ip ospf neighbor id 10 3 1 2 related commands applicable syste...

Page 174: ...ds that display OSPF configuration information about all neighbors in an interface syntax neighbor interface ethernet n bundle name pvc n example Foundry AR1208 show ip ospf neighbor interface etherne...

Page 175: ...r interface bundle This command displays information about OSPF neighbors on a bundle interface syntax neighbor interface bundle name pvc n example Foundry AR1208 show ip ospf neighbor interface bu...

Page 176: ...ce ethernet This command displays configuration information about a neighbor on an Ethernet interface syntax neighbor interface ethernet n example Foundry AR1208 show ip ospf neighbor interface ethern...

Page 177: ...spf neighbor list This command displays a list of neighbors attached to this router syntax neighbor list example Foundry AR1208 show ip ospf neighbor list related commands applicable systems All model...

Page 178: ...list of the specified neighbor syntax request_list IP address example Foundry AR1208 show ip ospf request_list 10 10 10 1 related commands applicable systems All models show ip ospf area show ip ospf...

Page 179: ...ransmission list of the specified neighbor syntax retransmission_list IP address example Foundry AR1208 show ip ospf retransmission_list 10 10 10 1 related commands applicable systems All models show...

Page 180: ...ut configured OSPF virtual links syntax virtual_links IP address example Foundry AR1208 show ip ospf virtual_links related commands applicable systems All models show ip ospf area show ip ospf global...

Page 182: ...hapter 11 RIP Configure Commands Use RIP configure commands to configure all RIP parameters NOTE See the command configure interface loopback in the Command Reference Guide Domestic Products for impor...

Page 183: ...syntax no router rip example Foundry AR1208 configure router rip related commands applicable systems All models configure router rip default_metric configure router rip distance configure router rip...

Page 184: ...oundry AR1208 configure router rip default_metric 4 This example configures the default metric to 4 related commands applicable systems All models metric Default metric The range is 1 4294967294 the d...

Page 185: ...es How Route is Learned Default Preference Command to Modify Default Preference Directly connected network 0 Not configurable Static 1 Not configurable OSPF internal route 10 configure router ospf di...

Page 186: ...ure router rip interface name dlci n example Foundry AR1208 configure router rip interface ethernet0 This example configures the Ethernet 0 interface for RIP related commands applicable systems All mo...

Page 187: ...ax no authentication auth_type line example Foundry AR1208 configure router rip interface ethernet1 authentication md5 mymd5keyvalue This example configures RIP interface Ethernet 1 for MD5 authentica...

Page 188: ...Foundry AR1208 configure router rip interface ethernet0 distribute_list 2 in This example sets access list 2 to be used for all inbound routes for this interface related commands applicable systems A...

Page 189: ...ip interface ethernet0 metric 3 This example configures the RIP routes metric for interface Ethernet 0 to 3 related commands applicable systems All models metric Default metric The range is 1 42949672...

Page 190: ...syntax no mode n example Foundry AR1208 configure router rip interface ethernet0 mode 1 This example configures interface Ethernet 0 for RIP version 1 related commands applicable systems All models mo...

Page 191: ...Parameter Description syntax no neighbor ip_address example Foundry AR1208 configure router rip interface ethernet0 neighbor 192 168 31 2 This example configures IP address 192 168 31 2 as a RIP neig...

Page 192: ...rface syntax no passive example Foundry AR1208 configure router rip interface ethernet1 passive This example configures interface Ethernet 1 to listen only mode related commands applicable systems All...

Page 193: ...onfigure router rip interface ethernet0 split_horizon simple This example configures interface Ethernet 0 to do simple split horizon related commands applicable systems All models splitval Split horiz...

Page 194: ...escription syntax no mode n example Foundry AR1208 configure router rip mode 3 related commands applicable systems All models mode Enter a mode value 1 RIP version 1 2 RIP version 2 default 3 RIP vers...

Page 195: ...is router will be sent in several small intervals instead of one burst This is useful when the number of routes to be sent is large more than 1000 syntax no pacing example Foundry AR1208 configure rou...

Page 196: ...on a specific interface by configuring RIP mode for that specific interface syntax no passive example Foundry AR1208 configure router rip passive This example configures all RIP interfaces to listen o...

Page 197: ...lowing next level commands that configure the system to use RIP updates to redistribute routes learned from other routing protocols related commands applicable systems All models configure router rip...

Page 198: ...x redistribute bgp as_number metric n example Foundry AR1208 configure router rip redistribute bgp 1 related commands applicable systems All models as_number Autonomous system number The range is 1 65...

Page 199: ...iption syntax no redistribute connected metric n example Foundry AR1208 configure router rip redistribute connected This example configures RIP to redistribute connected routes related commands applic...

Page 200: ...outes Parameter Description syntax no redistribute ospf metric n example Foundry AR1208 configure router rip redistribute ospf related commands applicable systems All models metric Default metric The...

Page 201: ...iption syntax no redistribute static metric n example Foundry AR1208 configure router rip redistribute static This example configures RIP to redistribute static routes related commands applicable syst...

Page 202: ...igure router rip timers This command accesses the following next level commands that configure the global RIP timers related commands applicable systems All models configure router rip timers flush co...

Page 203: ...g table This value should be configured to be greater than the configured holddown time value Parameter Description syntax no flush time n example Foundry AR1208 configure router rip timers flush 300...

Page 204: ...ld be configured to be at least twice the value of the update timers Parameter Description syntax no holddown time n example Foundry 140 configure router rip timers holddown 200 This example configure...

Page 205: ...conds for sending periodic RIP updates Parameter Description syntax no update time n example Foundry AR1208 configure router rip timers update 45 This example globally configures RIP updates to occur...

Page 206: ...2004 2004 Foundry Networks Inc 12 1 Chapter 12 RIP show Commands Use RIP display show commands to display all configured RIP information NOTE The CLI commands show and display can be used interchange...

Page 207: ...oundry Networks Inc June 2004 show ip rip This command accesses the following next level commands that display more specific information related commands applicable systems All models show ip rip glob...

Page 208: ...mode distance default metric and timers for RIP syntax show ip rip global example Foundry AR1208 show ip rip global related commands applicable systems All models show ip rip interface show ip rip ro...

Page 209: ...the following next level commands that display configuration information about mode metric authentication split horizon and routers for the RIP interface related commands applicable systems All model...

Page 210: ...ax show ip rip interface all example Foundry AR1208 show ip rip interface all related commands applicable systems All models show ip rip interface bundle show ip rip interface ethernet show ip rip int...

Page 211: ...w ip rip interface bundle name example Foundry AR1208 show ip rip interface bundle Dallas related commands applicable systems All models bundle_name The name of the desired bundle Enter a string of up...

Page 212: ...ip rip interface ethernet 0 1 example Foundry AR1208 show ip rip interface ethernet0 related commands applicable systems All models show ip rip interface all show ip rip interface bundle show ip rip i...

Page 213: ...number of bad routes received and the number of triggered updates sent syntax show ip rip interface statistics example Foundry AR1208 show ip rip interface statistics related commands applicable syste...

Page 214: ...IP statistics such as route changes and queries syntax show ip rip statistics example Foundry AR1208 show ip rip statistics related commands applicable systems All models show ip rip global show ip ri...

Page 216: ...ions regex A regex is a character string containing one of the following AS Path Terms A term is one of the following 690 Matches only the specific AS path 690 690 Matches any AS path containing 690 6...

Page 217: ...ger matches m or more repetitions of term term m A term followed by m where m is a positive integer matches m or more repetitions of term term A term followed by matches zero or more repetitions of te...

Page 218: ...modes of PIM protocol Dense mode DM and Sparse mode SM Foundry supports SM only PIM DM floods multicast traffic throughout the network initially and then generates prune messages as required PIM SM at...

Page 219: ...e ip pim rp switch immediate Configure Threshold for DR Foundry configure ip pim threshold dr bps Configure Threshold for RP Foundry configure ip pim threshold rp bps Configure to calculate whole pack...

Page 220: ...igure PIM interface hello interval Foundry configure ip pim interface wan1 hello interval time Configure PIM interface Join Prune Delay Timeout Foundry configure ip pim interface wan1 join prune timeo...

Page 221: ...other multicast routers This reporting system allows distribution trees to be formed to deliver multicast datagrams The original version of IGMP was defined in RFC 1112 Host Extensions for IP Multicas...

Page 222: ...ulticast traffic to the host only if it is from a specific source IGMP Commands The IGMP commands supported are TABLE 6 IGMP COMMANDS Enabling igmp Foundry configure ip igmp Disabling igmp Foundry co...

Page 223: ...forwards it to the previous hop The first hop router the router that believes that packets from the source originate on one of its directly connected networks changes the packet type to indicate a re...

Page 224: ...load balancing but variable path MTUs variable latencies and debugging can limit the effectiveness of these methods The following methods have been developed to deal with the load balancing limitatio...

Page 225: ...nce both unicast and multicast IP packets appear to the IPSec protocol as IP unicast frame after GRE tunneling If all connectivity must go through the home gateway router tunnels also enable the use o...

Page 226: ...nabling Security Features The advanced VPN and firewall advance_vpn license allows users to manage remote LANs This license also includes Basic VPN and Firewall licenses To see the license available i...

Page 227: ...ally an always on Internet connection One of the main limitations in providing remote access is the typical remote user connects with a dynamically assigned IP address provided by the ISP IPSec uses t...

Page 228: ...also provide WINS and DNS server addresses Upon successful IKE authentication of a VPN client the server checks whether the IKE policy used to authenticate the VPN client is enabled for mode configura...

Page 229: ...untrusted Router1 configure ip route 10 0 2 0 24 wan1 Router1 configure crypto Router1 configure crypto ike policy Router2 172 16 0 2 Router1 configure crypto ike policy Router2 172 16 0 2 local addre...

Page 230: ...Initiate PFS is not enabled Shared Key is Local ident 172 16 0 1 ip address Remote Ident 172 16 0 2 ip address Proposal of priority 1 Encryption algorithm 3des Hash Algorithm sha1 Authentication Mode...

Page 231: ...Any Source ip address ip mask port 172 16 0 1 255 255 255 255 any Destination ip address ip mask port 10 0 2 0 255 255 255 0 any Proposal of priority 1 Protocol esp Mode tunnel Encryption Algorithm a...

Page 232: ...it Router1 configure firewall internet Router1 configure firewall internet policy 1001 in service snmp self Router1 configure firewall internet policy 1001 in exit Router1 configure firewall internet...

Page 233: ...abled Rpc Filter is disabled Nat is disabled Bytes In 0 Bytes Out 0 Policy with Priority 1002 is enabled Direction is inbound Action permit Traffic is self Logging is disable Source Address is any Des...

Page 234: ...figure snmp community public rw Router1 configure snmp exit Router1 show snmp communities Community public privilege rw Router1 show crypto ike sa all Policy Peer State Bytes Transform Router2 172 16...

Page 235: ...ident ip mask port 10 0 2 0 255 255 255 0 any Remote ident ip mask port 172 16 0 1 255 255 255 255 any Peer Address is 172 16 0 1 PFS Group is disabled inbound ESP sas Spi 0xe8453c2b Transform aes128...

Page 236: ...gure interface bundle wan1 encapsulation ppp Router1 configure interface bundle wan1 ip address 172 16 0 1 24 Router1 configure interface bundle wan1 crypto untrusted Router1 configure interface bundl...

Page 237: ...outer2 172 16 0 2 proposal 1 Router1 configure crypto ike policy Router2 172 16 0 2 proposal 1 encryption algorithm 3des cbc Router1 configure crypto ike policy Router2 172 16 0 2 proposal 1 exit R...

Page 238: ...Router1 configure crypto ipsec policy Router2 172 16 0 2 match address 10 0 1 0 24 10 0 2 0 24 Default proposal created with priority1 esp 3des sha1 tunnel and activated Router1 configure crypto ipsec...

Page 239: ...1 Protocol esp Mode tunnel Encryption Algorithm aes256 key length 256 bits Hash Algorithm sha1 Lifetime in seconds 3600 Lifetime in Kilobytes 4608000 Policy name INRouter2 is enabled Direction is inbo...

Page 240: ...IT SE Router1 show firewall policy internet detail Policy with Priority 1000 is enabled Direction is inbound Action permit Traffic is self Logging is disable Source Address is any Dest Address is any...

Page 241: ...l policies in the corp map applicable only if firewall license is enabled Router1 show firewall policy corp Advanced S Self Traffic F Ftp Filter H Http Filter R Rpc Filter N Nat Ip Nat Pool L Logging...

Page 242: ...ss is any Dest Address is any Source Port is any Dest Port is any any Schedule is disabled Ftp Filter is disabled Smtp Filter is disabled Http Filter is disabled Rpc Filter is disabled Nat is disabled...

Page 243: ...1 show crypto ike sa all Policy Peer State Bytes Transform Router2 172 16 0 2 SA_MATURE 1796 pre g1 3des sha1 Router1 show crypto ike sa all detail Crypto Policy name Router2 Remote ident 172 16 0 2 P...

Page 244: ...posal As a result of quick mode negotiation the two routers are expected to converge on a mutually acceptable proposal which is the proposal IPSec ESP with AES 256 bit and HMAC SHA1 in this example Ro...

Page 245: ...Router1 configure interface bundle wan1 encapsulation ppp Router1 configure interface bundle wan1 ip address 172 16 0 1 24 Router1 configure interface bundle wan1 crypto untrusted Router1 configure i...

Page 246: ...72 16 0 2 proposal 1 Router1 configure crypto ike policy Router2 172 16 0 2 proposal 1 encryption algorithm 3des cbc Router1 configure crypto ike policy Router2 172 16 0 2 proposal 1 exit Router1 con...

Page 247: ...nd activated Router1 configure crypto ipsec policy Router2 172 16 0 2 proposal 1 Router1 configure crypto ipsec policy Router2 172 16 0 2 proposal 1 encryption algorithm des cbc Router1 configure cryp...

Page 248: ...al of priority 1 Protocol esp Mode tunnel Encryption Algorithm des Hash Algorithm sha1 Lifetime in seconds 3600 Lifetime in Kilobytes 4608000 Proposal of priority 2 Protocol esp Mode tunnel Encryption...

Page 249: ...any PERMIT SE Router1 show firewall policy internet detail Policy with Priority 1000 is enabled Direction is inbound Action permit Traffic is self Logging is disable Source Address is any Dest Addres...

Page 250: ...s in the corp map applicable only if firewall license is enabled Router1 show firewall policy corp Advanced S Self Traffic F Ftp Filter H Http Filter R Rpc Filter N Nat Ip Nat Pool L Logging E Policy...

Page 251: ...any Dest Address is any Source Port is any Dest Port is any any Schedule is disabled Ftp Filter is disabled Smtp Filter is disabled Http Filter is disabled Rpc Filter is disabled Nat is disabled Bytes...

Page 252: ...show crypto ike sa all Policy Peer State Bytes Transform Router2 172 16 0 2 SA_MATURE 1796 pre g1 3des sha1 Router1 show crypto ike sa all detail Crypto Policy name Router2 Remote ident 172 16 0 2 Pe...

Page 253: ...P tunnel with AES256 and HMAC SHA1 Router1 show crypto ipsec sa all detail Crypto Policy name INRouter2 Protocol is Any Local ident ip mask port 10 0 2 0 255 255 255 0 any Remote ident ip mask port 10...

Page 254: ...configure interface bundle wan1 link t1 1 Router1 configure interface bundle wan1 encapsulation ppp Router1 configure interface bundle wan1 ip address 172 16 0 1 24 Router1 configure interface bundle...

Page 255: ...t proposal created with priority1 des sha1 pre_shared g1 Key String has to be configured by the user Router1 configure crypto dynamic ike policy sales remote id email id mike abc corp com mike New use...

Page 256: ...de pre shared key DH Group group1 Lifetime in seconds 86400 Lifetime in kilobytes unlimited Router1 configure crypto dynamic ipsec policy sales Router1 configure crypto dynamic ipsec policy sales matc...

Page 257: ...key length 256 bits Hash Algorithm sha1 Lifetime in seconds 3600 Lifetime in Kilobytes 4608000 Policy INsales is enabled User group name sales Direction is inbound Action is Apply Key Management is A...

Page 258: ...H Http Filter R Rpc Filter N Nat Ip Nat Pool L Logging E Policy Enabled M Smtp Filter Pri Dir Source Addr Destination Addr Sport Dport Proto Action Advanced Router1 show firewall policy internet deta...

Page 259: ...cy Step 15 Display firewall policies in the corp map applicable only if firewall license is enabled Router1 configure firewall corp Router1 configure firewall corp policy 1000 in user group sales addr...

Page 260: ...Dest Address is any Source Port is any Dest Port is any any Schedule is disabled Ftp Filter is disabled Smtp Filter is disabled Http Filter is disabled Rpc Filter is disabled Nat is disabled Bytes In...

Page 261: ...lients Client Address Client Id Policy Advanced 192 168 107 105 david abc corp sales UserGrp Router1 show crypto ike sa all Policy Peer State Bytes Transform Router1 show crypto ike sa all detail Cryp...

Page 262: ...er IP header will carry the dynamic IP address assigned by the Internet Service Provider as the source address The security requirements are as follows Phase 1 3DES with SHA1 Mode Configuration Phase...

Page 263: ...ndle Router1 configure interface bundle wan1 link t1 1 Router1 configure interface bundle wan1 encapsulation ppp Router1 configure interface bundle wan1 ip address 172 16 0 1 24 Router1 configure inte...

Page 264: ...les added with priority1 3des sha1 tunnel Router1 configure crypto dynamic ike policy sales remote id email mike abc corp com Router1 configure crypto dynamic ike policy sales key secretkeyforsales Ro...

Page 265: ...hm 3des Hash Algorithm sha1 Authentication Mode pre shared key DH Group group1 Lifetime in seconds 86400 Lifetime in kilobytes unlimited Router1 configure crypto Router1 configure crypto dynamic Route...

Page 266: ...rotocol is Any Source ip address ip mask port 10 0 1 0 255 255 255 0 any Destination ip address ip mask port any any any Proposal of priority 1 Protocol esp Mode Tunnel Encryption Algorithm aes256 key...

Page 267: ...mtp Filter is disabled Http Filter is disabled Rpc Filter is disabled Nat is disabled Bytes In 0 Bytes Out 0 Policy with Priority 1024 is enabled Direction is outbound Action permit Traffic is self Lo...

Page 268: ...Dest Address is any Source Port is any Dest Port is any any Schedule is disabled Ftp Filter is disabled Smtp Filter is disabled Http Filter is disabled Rpc Filter is disabled Nat is disabled Bytes In...

Page 269: ...david abc corp sales 20 1 1 1 ModecfgGrp Router1 show crypto ike sa all Policy Peer State Bytes Transform sales 192 168 107 105 SA_MATURE 2052 pre g1 3des sha1 Router1 show crypto ike sa all detail C...

Page 270: ...st IP Spi Bytes Transform INsales 172 16 0 1 0xbba97427 840 esp aes sha1 tunl sales 192 168 107 105 0xcb0e23f3 560 esp aes sha1 tunl Router1 Router1 show crypto ipsec sa all detail Crypto Policy name...

Page 271: ...94 220 192 168 55 75 40 1 1 0 Foundry configure terminal Foundry configure interface bundle wan1 Foundry configure interface bundle wan1 link t1 1 Foundry configure interface bundle wan1 encapsulatio...

Page 272: ...et Broadcast 103 1 1 255 Maximum Transfer Unit 1476 bytes Source Address 192 168 94 220 Destination Address 192 168 55 75 Gateway wan1 Protocol GRE Mac Address 00 50 52 60 00 00 Foundry show interface...

Page 273: ...g if exit cisco config ip route 0 0 0 0 0 0 0 0 192 168 55 254 cisco config ip route 10 3 1 0 255 255 255 0 Tunnel0 Foundry configure terminal Foundry configure interface bundle wan1 Foundry configure...

Page 274: ...nfiguration above 2 Add to the Cisco configuration above 3 To verify the OSPF configuration enter Foundry show ip ospf interface all Foundry configure ip route 0 0 0 0 0 0 0 0 192 168 94 254 Foundry c...

Page 275: ...on NAT NAT allows users on the inside of the firewall to use private nonroutable IP addresses which are translated to routable IP addresses at the firewall The firewall manages the address translation...

Page 276: ...2 1 1 24 Foundry configure interface ethernet 0 exit Foundry configure interface ethernet 1 Configuring existing Ethernet interface Foundry configure interface ethernet 1 ip address 10 3 1 1 24 Foundr...

Page 277: ...olicy 1024 out exit Foundry configure firewall corp policy 1021 in deny Foundry configure firewall corp policy 1021 in exit Foundry configure firewall corp object Foundry configure firewall corp objec...

Page 278: ...ewall dmz policy 100 in apply object nat pool ftpsrvr Foundry configure firewall dmz policy 100 in apply object ftp filter putdeny Foundry configure firewall dmz policy 100 in exit Foundry configure f...

Page 279: ...t alarms linemode exit linemode exit t1 module t1 2 alarms thresholds exit thresholds exit alarms linemode exit linemode exit t1 module t1 3 alarms thresholds exit thresholds exit alarms linemode exit...

Page 280: ...ypto trusted exit ethernet interface bundle wan link t1 1 encapsulation ppp ip address 193 168 94 220 255 255 255 0 ip multicast ospfrip2 red exit red icmp exit icmp qos exit qos aaa exit aaa crypto u...

Page 281: ...t policy exit firewall firewall dmz interface ethernet1 object nat pool ftpsrvr static 10 3 1 100 10 3 1 100 ftp filter putdeny deny put mkdir exit object policy 100 in address any any 193 168 94 221...

Page 282: ...port number it allocated to this session Therefore when some server com sends a reply packet to the PC the Foundry system can quickly determine how it needs to re write the packet before transmitting...

Page 283: ...esses are utilized in a better and optimum manner dynamically If a NAT IP address cannot be allocated dynamically at the connection creation time the packet would be dropped Figure 15 6 Dynamic NAT Th...

Page 284: ...7 includes Private network address 10 1 1 1 10 1 1 3 Public NAT IP address range 50 1 1 1 50 1 1 3 To create NAT pool with type static specify the IP address and the ending NAT IP address Add a polic...

Page 285: ...rk address 10 1 1 1 10 1 1 3 PAT address 50 1 1 5 Method 1 Specifying NAT address with the policy command To configure this method of PAT add the policy with the source IP address range then specify t...

Page 286: ...Encryption Algorithms for ESP Block Size Data Encryption Standard DES 56 bits Triple Data Encryption Standard 3DES 168 bits Advanced Encryption Standard AES 128 128 bits Advanced Encryption Standard A...

Page 287: ...user must enter a pre shared key Table 15 3 Authentication Algorithms Authentication Algorithms for AH ESP Hash Size HMAC MD5 96 96 bits HMAC SHA1 96 96 bits Table 15 4 Diffie Hellman Groups Diffie...

Page 288: ...nagement type Automatic Hash algorithm SHA1 Encryption algorithm 3DES Protocol ESP Mode Tunnel Lifetime in seconds 3600 seconds Lifetime in kilobytes 4608000 Direction Out Position in SPD where policy...

Page 289: ...n Rate Disabled Policing Disabled Bandwidth Disabled Table 15 9 Default Connection Limit by Security Zone Security Zone Maximum Connections Default Corp 1024 outgoing connections User Created Security...

Page 290: ...nce Check Disabled Table 15 11 Tunnel Interface Defaults Parameter Default Value IP Address No Default Tunnel Source No Default Tunnel Destination No Default MTU 1476 Not configurable ICMP unreachable...

Page 292: ...4 conventions manual 3 1 D display show command 4 7 displaying command tree 4 5 E Email Access 3 5 entering commands abbreviated 4 3 context sensitive 4 1 environment 6 2 6 3 G getting command help 4...
