RuggedCom RUGGEDBACKBONE RX5000 Скачать руководство пользователя | Manualshive

Страница: 372 / 440

background image

35. Firewall

ROX™ v2.2 User Guide

372

RuggedBackbone™ RX5000

5.

If your network interface IP is dynamically assigned, configure masquerading.

6.

If your network interface IP is statically assigned, configure Source Network address Translation
(SNAT). If a sufficient number of IP addresses are provided by the ISP, static NAT can be employed
instead.

7.

If your hosts must accept sessions from the Internet, configure the rules file to support Destination
Network address Translation (DNAT). Which hosts need to accept connections, from whom and
on which ports?

8.

Configure the rules file to override the default policies. Have external connections been limited to
approved IP address ranges. Have all but the required protocols been blocked?

9.

If you are supporting a VPN, add additional rules.

10. Validate the configuration using the method outlined in

Section 35.5.2, “Working with Firewall

Configurations”

11. Activate the firewall. It is recommended to run a port scan of the firewall after activation and verify

that any defined logging is functioning as expected.

35.3. Firewall Terminology And Concepts

This section provides background on various firewall terms and concepts. References are made to the
section where configuration applies.

35.3.1. Zones

A network zone is a collection of interfaces, for which forwarding decisions are made, for example:

Name

Description

net

The Internet

loc

Your Local Network

dmz

Demilitarized Zone

fw

The firewall itself

vpn1

IPSec connections on w1ppp

vpn2

IPSec connections on w2ppp

Table 35.2. Network Zones

New zones may be defined at any time. For example, if all of your Ethernet interfaces are part of the
local network zone, disallowing traffic from the Internet zone to the local zone will disallow it to all
Ethernet interfaces. If you wanted some interfaces (but not others) to access the Internet, you could
create another zone.

35.3.2. Interfaces

ROX™ Firewall interfaces are simply the LAN and WAN interfaces available to the router. You must
place each interface into a network zone.

If an interface supports more than one subnet, place the interface in zone ‘Any’ and use the zone hosts
setup (see below) to define a zone for each subnet on the interface.

An example follows:

Interface

Zone

switch.0001

loc

switch.0002

loc

switch.0003

Any

switch.0004

dmz

«
...
370
371
372
373
374
...
»

Содержание RUGGEDBACKBONE RX5000

Страница 1: ...v2 2 Web Interface User Guide For RuggedBackbone RX5000 November 24 2011...

Страница 2: ...ments We reserve the right to make technical improvements without notice Registered Trademarks RuggedServer RuggedWireless RuggedCom Discovery Protocol RCDP RuggedExplorer Enhanced Rapid Spanning Tree...

Страница 3: ...6 1 Uses 47 2 6 2 ROXflash Configuration 47 2 7 Scheduling Jobs 49 2 8 The Featurekey 52 2 8 1 Overview 52 2 8 2 Upgrading Feature Levels in the field 52 2 8 3 When a File based featurekey does not Ma...

Страница 4: ...for Non switched Interfaces 84 6 Alarms 86 6 1 Introduction 86 6 1 1 Alarm Subsystems 86 6 1 2 Fail Relay Behavior 86 6 1 3 Alarm LED Behavior 86 6 1 4 Clearing and Acknowledging Alarms 86 6 2 Alarm C...

Страница 5: ...142 15 2 4 DHCP Shared Networks 143 15 2 5 DHCP Hosts 143 15 2 6 DHCP Host groups 144 15 2 7 Viewing Active DHCP Leases 144 15 2 8 DHCP Options 145 15 2 9 Custom DHCP Options 150 15 2 10 Hardware Conf...

Страница 6: ...onfiguration and Status 213 22 3 1 Configuring IGMP Parameters 213 22 3 2 Configuring Static Multicast Groups 215 22 3 3 Configuring GMRP 218 22 4 Troubleshooting 220 23 Classes Of Service 222 23 1 Co...

Страница 7: ...Reduced Hardware 269 26 3 VLAN Configuration 270 26 3 1 Static VLANs 271 26 3 2 Port VLAN Parameters 272 26 3 3 VLAN Summary 273 26 3 4 Forbidden Ports 276 26 4 Troubleshooting 276 27 Network Discove...

Страница 8: ...30 31 1 3 OSPF Fundamentals 330 31 1 4 Key OSPF And RIP Parameters 331 31 1 5 OSPF And VRRP Example Network 333 31 1 6 BGP Fundamentals 335 31 2 Dynamic Routing Configuration 335 31 3 RIP 335 31 3 1 R...

Страница 9: ...7 2 1 VRRP Status 414 38 Link Failover 416 38 1 Path Failure Discovery 416 38 2 Using Routing Protocols and the Default Route 416 38 3 Configuring Link Failover 416 38 3 1 Configuring the Link Failove...

Страница 10: ...l Public License 435 E 1 Preamble 435 E 2 TERMS AND CONDITIONS FOR COPYING DISTRIBUTION AND MODIFICATION 436 E 2 1 Section 0 436 E 2 2 Section 1 436 E 2 3 Section 2 436 E 2 4 Section 3 437 E 2 5 Secti...

Страница 11: ...Administration form 36 2 10 Hostname form 36 2 11 Timezone form 37 2 12 Setting the Timezone Form in Edit Private Mode 37 2 13 Current System Time form 37 2 14 CLI Sessions form 38 2 15 Idle timeout f...

Страница 12: ...ble 72 4 6 Routable Interfaces form 72 4 7 Addresses table 73 4 8 Addresses form 73 5 1 Neighbor Discovery form 76 5 2 Neighbor Discovery IPv6 Prefix 77 5 3 Neighbor Discovery IPv6 Prefix forms 77 5 4...

Страница 13: ...ble 111 9 17 Key Settings form 111 9 18 SNMP Security Model to Group Mapping form 111 9 19 SNMP Group Access Configuration table 112 9 20 Key Settings form 112 9 21 SNMP Group Access Configuration for...

Страница 14: ...Shared Networks 146 15 13 Client Configuration form for Hosts 147 15 14 Client Configuration form for Host groups 147 15 15 Client Configuration form for DHCP Clients 148 15 16 NIS Configuration form...

Страница 15: ...tatistics Form 182 18 5 Transmit Statistics Form 182 19 1 Virtual switch with multiple interfaces 185 19 2 Adding a Virtual Switch 186 19 3 Interface Virtualswitch menu 186 19 4 Virtualswitch table 18...

Страница 16: ...18 Joined Ports form 218 22 19 GMRP form 218 22 20 GMRP Dynamic Ports table 219 22 21 GMRP Dynamic Ports form 219 22 22 Multicast Filtering form 219 23 1 Determining The CoS Of A Received Frame 223 2...

Страница 17: ...6 6 Static VLAN table 271 26 7 Static VLAN form 271 26 8 Switched Ethernet Ports submenu 272 26 9 VLAN Parameters form 272 26 10 VLAN Summary table 273 26 11 VLAN Summary form 274 26 12 Tagged Ports t...

Страница 18: ...tem form 313 30 18 System Identifier form 313 30 19 Private Subnet Behind System form 313 30 20 Network table 314 30 21 Preshared Key table 314 30 22 Preshared Key form 314 30 23 L2TP menu 315 30 24 L...

Страница 19: ...table 353 32 3 Static Route form 353 32 4 Static Route Using Gateway table 353 32 5 Static Route Using Gateway form 353 32 6 Blackhole Static Route form 354 32 7 Static Route Using Interface table 35...

Страница 20: ...5 20 Net Address Translation Main Settings table 384 35 21 Net Address Translation Main Settings form 385 35 22 FWMasq table 385 35 23 Net Address Translation Main Settings form 386 35 24 Main Rule Se...

Страница 21: ...r Information Table 417 38 3 Link Fail Over Settings form 417 38 4 Backup Settings form 419 38 5 Link Fail Over Status form 420 38 6 Link Fail Over Logs form 421 38 7 Link Fail Over Test Settings form...

Страница 22: ...d overall management of the hardware chassis and operating system including access control logging networking configuration and time synchronization Part II Network Interfaces and Ethernet Bridging Pa...

Страница 23: ...onfiguration Chapter 4 Basic Network Configuration Advanced Networking Configuration Chapter 5 IP Network Interfaces Alarms Chapter 6 Alarms Domain Name Search Chapter 7 Domain Name Search Logging Cha...

Страница 24: ...fe cm 1 Interface panel of the CM card 192 168 1 2 24 fe em 1 Front panel of the chassis optional 192 168 2 2 24 All other Ethernet ports LM and SM cards 192 168 0 2 24 Table 1 1 Default IP Address Co...

Страница 25: ...k on the Login button The switch is shipped with a default administrator password admin If authentication is successful the main menu is presented 1 2 The Structure Of The Web Interface The system con...

Страница 26: ...nfiguration editing mode where after committing your changes you can specify a timeout period to test the changes At the end of the timeout period your changes to revert back to the original settings...

Страница 27: ...nfiguration files feature keys elan certificates ipsec certificates ca certificates crl certificates log files and rollback files from the system to your workstation From the Choose file type list sel...

Страница 28: ...test results tunnel The tunnel menu is used for configuring IP tunnels using IPsec Layer 2 tunnelling functions and Generic Routing Encapsulation GRE ip The ip menu is used for configuring the ROX sys...

Страница 29: ...clicked displays context sensitive information about the corresponding data field A red asterisk appears beside fields that are mandatory for configuration when in Edit Private mode Note the red aste...

Страница 30: ...hassis Hardware table is indexed by slot name with the slot name being the key and a DNS Server table is indexed by IP address with the IP address being the key Key information can be added using the...

Страница 31: ...on in a Table The information entered in the key settings form will now appear in the table Note that the table appears on the server screen while the key settings form appears on the address screen w...

Страница 32: ...ttings form 1 3 2 Viewing More Information in Tables Occasionally a table may have more entries that are not visible in the initial view If you encounter a table that has a line of linked text at the...

Страница 33: ...2 User Guide 33 RuggedBackbone RX5000 Figure 1 9 First Table of Information Figure 1 10 Second Table of Information The second table of information shows the balance of the entries and contains a lin...

Страница 34: ...d passwords software versions upgraded and netconf As well you can link directly from the Admin menu to commands called actions see below that will clear or acknowledge all alarms shut down or reboot...

Страница 35: ...he reboot menu action and then click the Perform button on the Reboot the Device form Figure 2 6 Set New Time and Date form The Set New Time and Date form configures the current time and date settings...

Страница 36: ...nopsis A string Default System Name An administratively assigned name for this managed node By convention this is the node s fully qualified domain name If the name is unknown the value is the zero le...

Страница 37: ...rm to the POSIX style and have their signs reversed from common usage In POSIX style zones west of GMT have a positive sign zones east of GMT have a negative sign Timezone Synopsis string Selects the...

Страница 38: ...ures on the device Listen IP Synopsis IPv4 address in dotted decimal notation Synopsis IPv6 address in colon separated hexadecimal notation Default 0 0 0 0 The IP Address the CLI will listen on for CL...

Страница 39: ...I Figure 2 15 Idle timeout field Clicking on the Idle timeout field on the CLI Sessions form allows you to choose a value for this field The default value is PT30M which stands for Precision Time 30 M...

Страница 40: ...ecimal notation Default 0 0 0 0 The IP Address the SFTP will listen on for SFTP requests default 0 0 0 0 Listen Port Synopsis unsigned short integer Default 2222 The port the SFTP will listen on for S...

Страница 41: ...ecimal notation Default 0 0 0 0 The IP Address the CLI will listen on for WebUI requests default 0 0 0 0 Listen Port Synopsis unsigned short integer Default 443 The port on which the WebUI listens for...

Страница 42: ...the time when an inactive session expires or times out Only integer values corresponding to the following fields can be entered Year Month Day Hour Min Sec or Ms The example above shows the default va...

Страница 43: ...me Synopsis string User Name password Synopsis A string User Password role Synopsis string one of the following keywords guest operator administrator Default guest User Role Figure 2 23 Users Screen i...

Страница 44: ...ition Completed upgrades can be declined before the next reboot If major system failures are detected upon booting the upgraded partition the system will automatically roll back to the previous partit...

Страница 45: ...packages Copying filesystem Estimating upgrade size Inactive The current phase or state of the upgrade It is one of Estimating upgrade size Copying filesystem Downloading packages Installing packages...

Страница 46: ...Launch Upgrade form Note that the server URL and version name information must be entered in the Upgrade Settings form prior to launching the upgrade For detailed step by step instructions on how to...

Страница 47: ...ftware on the new unit Use ROXflash only to install earlier versions of the ROX software Software upgrades to later versions should be performed using the Software Upgrade function Table 2 1 Differenc...

Страница 48: ...tion Downloading image Inactive The current phase or state of the ROXflash operation It is always one of Inactive Downloading image Imaging partition Unknown state Completed successfully or Failed The...

Страница 49: ...ler menu There are two types of scheduled jobs periodic jobs launch at a defined interval Set the interval in the Minute Hour Day of Month and Month parameters Use the Day of Week parameter to launch...

Страница 50: ...launch the scheduled job periodic the job launches at a set date and time configchange the job launches when the configuration changes Minute Synopsis A string Default For periodic jobs sets the minut...

Страница 51: ...list For example to launch the job on the first fifteenth and thirtieth days of the month enter 10 15 30 To specify a range of values enter the range as comma separated values For example to launch t...

Страница 52: ...structions on how to upload the featurekey file see Section 2 8 5 Uploading a Featurekey The upgraded featurekey resides on the device s compact flash card ROX evaluates both the CM featurekey and the...

Страница 53: ...y the serial numbers for your device Procedure 2 1 Viewing RuggedCom Serial Numbers 1 Launch a web browser and navigate to your device s IP address Log in to ROX The ROX web interface appears 2 Click...

Страница 54: ...urekey After receiving your featurekey file from RuggedCom save the file to a computer that is accessible to your device through your network 2 8 5 1 Uploading a Featurekey Using the Web User Interfac...

Страница 55: ...ey from url wsmith 10 200 20 39 files keys 1_cmRX1K 12 11 0015 key 1_cmRX1K 12 11 0015 key wsmith 10 200 20 39 s password 1_cmRX1K 12 11 0015 key 100 192 0 2KB s 00 00 ruggedcom 5 To view the contents...

Страница 56: ...formation on backing up files see Section 2 9 2 Backing Up Files 2 9 Installing and Backing Up Files You can install and back up files using the following forms found under the admin menu Figure 2 40...

Страница 57: ...e and enter a URL On the Install Files To Devices form click the Perform button 2 9 2 Backing Up Files To back up a file click on backup files The Backup Files forms appear Figure 2 42 Backup Files fo...

Страница 58: ...log files click the Perform button on the Delete Log Files form This form is accessible at admin delete logs Figure 2 44 Delete Log Files form 2 11 Saving Full Configurations Save full configurations...

Страница 59: ...button in the Saving Full Configuration form 2 12 Loading Full Configurations Load full configurations to a file using the forms below These forms are accessible at admin load full configuration Figur...

Страница 60: ...n 1 You will generally configure lower stratum NTP hosts as servers and other NTP hosts at the same stratum as peers If all your configured servers fail a configured peer will help in providing the NT...

Страница 61: ...NTP Server Restrictions configure an NTP server using Multicast or Broadcast See Section 3 2 7 Configuring an NTP Server using Multicast or Broadcast configure an NTP client using Multicast See Secti...

Страница 62: ...form Enable Enables the local clock Stratum Synopsis unsigned byte integer Default 10 The stratum number of the local clock 3 2 4 Configuring NTP Servers ROX can periodically refer to an NTP server t...

Страница 63: ...eers are NTP servers of the same stratum as the router and are useful when contact is lost with the hosts in the NTP servers menu Minpoll Synopsis unsigned byte integer Default 6 Minimum poll interval...

Страница 64: ...TP Servers and NTP Broadcast Multicast Servers forms To add a server key In edit mode navigate to services time ntp key and click Add key On the Key settings form enter an identifier for the key and c...

Страница 65: ...ver Restrictions form set the restriction parameters Commit the changes Figure 3 8 Server Restrictions form Flags Synopsis string one of the following keywords version ntpport notrust notrap noserve n...

Страница 66: ...thentication be used and that a server key be set with the broadcast multicast setting For instructions on how to create server keys see Section 3 2 5 Adding Server Keys To set a multicast broadcast a...

Страница 67: ...ddress Synopsis IPv4 address in dotted decimal notation Synopsis IPv6 address in colon separated hexadecimal notation Synopsis Domain name RFC 1034 Default 224 0 1 1 The multicast address on which the...

Страница 68: ...Status To view the NTP service status In normal or edit mode navigate to services time ntp ntp status and click ntp status On the Trigger Action form click Perform Review the NTP service status in th...

Страница 69: ...fe cm 1 and switch 0001 fe em 1 an additional optional interface is also configured by default The default IP addresses for fe cm 1 fe em 1 and switch 0001 are configured under the ipv4 submenu switch...

Страница 70: ...e delete icon 4 Click Add address The Key settings form appears 5 In the IPaddress field type the new IP address 6 Click Commit 7 Click Exit Transaction To create additional interfaces see Section 5 3...

Страница 71: ...rfaces to Switched Ports For information on Dynamic IP address assignment and ProxyARP on switched and non switched ports see Section 5 3 1 1 Configuring IP Address Source and ProxyARP for VLAN Interf...

Страница 72: ...work Setup 4 Connect one of the switched ports from any available LMs to an IPv6 capable network 5 Configure the D PCs on the IPv6 network to be on the same IP subnet as switch 0001 and configure the...

Страница 73: ...ce in kbps Figure 4 7 Addresses table The path to the Addresses table is ip interface ipv4 The Addresses table provides a summary of which IP addresses are configured Figure 4 8 Addresses form The pat...

Страница 74: ...its of an IPv6 address and the address is not routable The scope for Unique Local address is within enterprise networks It identifies the boundary of private networks within an organization Example of...

Страница 75: ...s among which five types of messages are used by the ND protocol The five types of ICMPv6 messages are briefly described in the following section Router Solicitation ICMPv6 type 133 This message is se...

Страница 76: ...a home agent and includes a home agent option Home Agent Lifetime Synopsis unsigned integer Default 1800 The value to be placed in the home agent option when the home agent config flag is set which i...

Страница 77: ...seconds The default is 1800 seconds Reachable Time Millseconds Synopsis unsigned integer Default The value in milliseconds to be placed in the Reachable Time field in the router advertisement message...

Страница 78: ...fter adding an IPv6 Prefix under the Neighbor Discovery To display the forms navigate to ip interface ipv6 nd prefix 5 3 Adding Interfaces to Switched Ports For switched ports you create routable inte...

Страница 79: ...or example 2 5 Click Add 6 Click Commit 7 Click Exit Transaction The procedures below are examples of how to create implicit VLAN interfaces Procedure 5 2 Implicitly Adding a VLAN Interface at interfa...

Страница 80: ...mit it Procedure 5 5 Implicitly Adding a VLAN Interface at switch mcast filtering static mcast table 1 Enter edit mode navigate to switch mcast filtering static mcast table and click Add static mcast...

Страница 81: ...l VLANs Properties form is displayed 3 In the IP Address Source field select dynamic if you want the interface to get an IP address from a DHCP server For information on configuring RX5000 as a DHCP s...

Страница 82: ...Non switched or Route only Interface menu is accessible from the main menu Figure 5 8 Routable Ethernet Ports table The path to the Routable Ethernet Ports table is interface eth Figure 5 9 Routable...

Страница 83: ...eed mode AUTO means advertise all supported speed modes Duplex Synopsis string one of the following keywords full half If auto negotiation is enabled this is the duplex capability advertised by the au...

Страница 84: ...ure 5 10 Configuring Dynamic Address Source and ProxyARP Procedure 5 8 Configuring IP Address Source and ProxyARP for Non switched Interfaces 1 Go into Edit Private mode 2 Go to interface eth port The...

Страница 85: ...t Transaction To set ProxyARP for a static or dynamic interface follow the procedure below Procedure 5 9 Setting ProxyARP 1 Go into Edit Private mode 2 Go to interface eth port The Routable Ethernet P...

Страница 86: ...es irregular voltages at the power supply or the insertion or removal of a module Switch Subsystem these alarms pertain to layer 2 events of interests such as RSTP topology changes and link up down ev...

Страница 87: ...l relay and LED When an alarm is acknowledged by the user it de asserts the fail relay and LED but it remains in the active alarms table unless the alarm is non clearable and de asserted by the system...

Страница 88: ...Emergency Alert Critical Error Warning Notice Info Debug description Synopsis string When applicable provides further details on the alarmable event Date Time Synopsis string The date and time the ev...

Страница 89: ...the Clear action or the Acknowledge action Figure 6 5 Clear Alarm Menu Action form Figure 6 6 Acknowledge Alarm Menu Action form To clear or acknowledge ALL alarms instead of only individual alarms a...

Страница 90: ...escription Synopsis A string The name of the alarm severity Synopsis string one of the following keywords debug info notice warning error critical alert emergency The severity level can be one of emer...

Страница 91: ...m description Synopsis A string The name of the alarm severity Synopsis string one of the following keywords debug info notice warning error critical alert emergency The severity level can be one of e...

Страница 92: ...scription Synopsis A string The name of the alarm severity Synopsis string one of the following keywords debug info notice warning error critical alert emergency The severity level can be one of emerg...

Страница 93: ...h to this menu is admin dns Figure 7 1 DNS menu Figure 7 2 Domain Name Searches form The path to the Domain Name Searches form is admin dns search domain Synopsis Domain name RFC 1034 Figure 7 3 Domai...

Страница 94: ...port per collector Syslog source facility ID per collector same value for all ROX modules Filtering severity level per collector in case different collectors are interested in syslog reports with dif...

Страница 95: ...xadecimal notation Synopsis Domain name RFC 1034 The IPv4 or IPv6 address of a logging server Up to 8 logging servers can be added enabled Enables disables the feed to the remote logging server Figure...

Страница 96: ...Synopsis string one of the following keywords same same_or_higher Default same_or_higher The message severity levels to include in the log same includes only messages of the severity level selected i...

Страница 97: ...curity news mail lpr kern ftp daemon cron authpriv auth Synopsis facility list occurs in an array of at most 8 elements The subsystems generating log messages Messages from the selected subusystems ar...

Страница 98: ...source SNMPv3 provides security models and security levels A security model is an authentication strategy that is set up for a user and the group in which the user resides A security level is a permi...

Страница 99: ...as specified by the lldpNotificationInterval object linkUp A linkUp trap signifies that the SNMP entity acting in an agent role has detected that the ifOperStatus object for one of its communication l...

Страница 100: ...ample below 9 2 1 Add an SNMP User ID Figure 9 1 Adding an SNMP User ID Procedure 9 1 Adding an SNMP User ID 1 Navigate to admin user 2 Click on Add userid The Key settings form appears 3 In the Name...

Страница 101: ...ity Procedure 9 2 Creating an SNMP Community 1 Navigate to admin snmp snmp community 2 Click on Add snmp community The Key settings form appears 3 In the Community Name field enter snmpv2_user and cli...

Страница 102: ...Navigate to admin snmp security to group 2 Click on Add snmp security to group The Key settings form appears 3 In the Security Model field select v2c 4 In the User Name field select snmpv2_user and cl...

Страница 103: ...he ability to configure snmp features on the device Listen IP Synopsis IPv4 address in dotted decimal notation Synopsis IPv6 address in colon separated hexadecimal notation Default 0 0 0 0 The IP Addr...

Страница 104: ...exadecimal notation If set all traffic traps originating from this device shall use the configured IP Address for the Source IP Authentication Failure Notify Name Synopsis string one of the following...

Страница 105: ...horitative SNMP engine s window Unknown User Names Synopsis unsigned integer The total number of packets received by the SNMP engine which were dropped because they referenced a user that was not know...

Страница 106: ...ID Discover and Trigger Action forms On the SNMP Engine ID Discover form enter parameters in the fields On the Trigger Action form click Perform 9 5 SNMP Community Figure 9 9 SNMPv1 v2c Community Conf...

Страница 107: ...9 10 SNMPv1 v2c Community Configuration form The path to the SNMP Community Configuration form is admin snmp snmp community private or public 9 6 SNMP Target Addresses Figure 9 11 SNMP Target Configur...

Страница 108: ...address address Target Name A descriptive name for the target ie Corportate NMS enabled Synopsis boolean Default true Enables disables this specific target Target Address Synopsis IPv4 address in dott...

Страница 109: ...incoming SNMP requests from the IPv4 or IPv6 address associated with this community Trap Type List Default snmpv2_trap Selects the type of trap communications to be sent to this target Inform Timeout...

Страница 110: ...ng The user for the SNMP key Select a user name from the list Authentication Protocol Synopsis string one of the following keywords sha1 md5 none Default none The authentication protocol providing dat...

Страница 111: ...curity Model to Group Mapping form The path to these forms is admin snmp snmp security to group user Security Model Synopsis string one of the following keywords v3 v2c v1 The SNMP security model to u...

Страница 112: ...s string one of the following keywords v3 v2c v1 any The SNMP security model to use SNMPv1 SNMPv2c or USM SNMPv3 Security Level The SNMP security level authPriv communication with authentication and p...

Страница 113: ...w Default all of mib The name of the write view to which the SNMP group has access all of mib restricted v1 mib or no view Notify View Name Synopsis string one of the following keywords all of mib res...

Страница 114: ...figuration information between a Network Access Server which desires to authenticate its links and a shared Authentication Server RADIUS is also widely used in conjunction with 802 1x for port securit...

Страница 115: ...ntication activity is logged to the authorization log file auth log Details of each authentication including the time of occurrence source and result are included 10 1 4 RADIUS ROX and Services RADIUS...

Страница 116: ...se forms are also accessible from global ppp radius address Synopsis IPv4 address in dotted decimal notation The IPv4 address of the server port udp Synopsis integer Default 1812 The network port of t...

Страница 117: ...sword Synopsis AES CFB128 encrypted string The password of the RADIUS server For more information on 802 1x Authentication please see Chapter 21 Port Security For additional information on RADIUS serv...

Страница 118: ...the NETCONF Sessions form and the NETCONF State Statistics form is admin netconf enabled Synopsis boolean Default true Provides the ability to configure NETCONF features on the device Listen IP Synops...

Страница 119: ...ff 16000 Maximum Number of NETCONF Sessions Synopsis unsigned integer Synopsis the keyword unbounded Default 10 The maximum number of concurrent NETCONF sessions Idle Timeout Default PT0S Maximum idle...

Страница 120: ...ds the NETCONF peer inSessions inBadHellos number of correctly started netconf sessions Dropped Sessions Synopsis unsigned integer The total number of NETCONF sessions dropped inSessions inBadHellos n...

Страница 121: ...11 NETCONF ROX v2 2 User Guide 121 RuggedBackbone RX5000 The total number of notification messages sent...

Страница 122: ...menu contains chassis level configuration and status features A variety of sub menus can be linked to from the Chassis menu The Chassis sub menu section is organized so that information tables appear...

Страница 123: ...e synopsis string one of the following keywords PM2_Active_PM1_Standby PM1_Active_PM2_Standby Balanced When more than one power modules are present this parameter specifies how they share the provisio...

Страница 124: ...integer The current mA sourced by the power module PM Voltage mV Synopsis integer The voltage mV sourced by the power module 12 2 Slot Hardware Figure 12 6 Slot Hardware table Figure 12 7 Slot Hardwar...

Страница 125: ...nstalled module s unique serial number 12 3 Slot Identification Figure 12 8 Slot Identification table Figure 12 9 Slot Identification form The Slot Identification table and form contain version inform...

Страница 126: ...us information about the hardware module installed in a particular chassis slot The path to the Slot CPU RAM Utilization table is chassis cpu Figure 12 10 Slot CPU RAM Utilization table The path to th...

Страница 127: ...ynopsis integer The proportion of memory RAM currently unused in percent on the installed module RAM Low Synopsis integer The lowest proportion of unused memory RAM in percent recorded for the install...

Страница 128: ...e Synopsis A string The installed module s type specifier State Synopsis string one of the following keywords disconnected failed operating resetting disabled empty unknown The current state of the in...

Страница 129: ...slot name as marked on the silkscreen across the top of the chassis Detected Module Synopsis A string The installed module s type specifier Temperature degrees C Synopsis integer The temperature in d...

Страница 130: ...of a module in a particular chassis slot slot Synopsis string one of the following keywords lm6 lm5 lm4 lm3 lm2 lm1 sm The slot name as marked on the silkscreen across the top of the chassis detected...

Страница 131: ...lm6 lm5 lm4 lm3 lm2 lm1 sm Synopsis string one of the following keywords em cm Synopsis string the keyword trnk The slot name as marked on the silkscreen across the top of the chassis Installed Modul...

Страница 132: ...12 Chassis Management ROX v2 2 User Guide 132 RuggedBackbone RX5000 Figure 12 22 Configurable Modules table Figure 12 23 Configurable Modules form...

Страница 133: ...his case the device acts as a PPP client PPP users profiles and settings are configured on forms found under the PPP menu To display the PPP menu navigate to global ppp 13 2 PPP Configuration The PPP...

Страница 134: ...out PPP Users table navigate to global ppp profiles dialout Figure 13 4 Dial out PPP Users table Dial out PPP is used to add PPP profile for dialOut users name Synopsis A string The connection name To...

Страница 135: ...ial the phone number before it stops attempting to establish a connection Zero 0 means the modem will try to connect to the PPP server forever dial interval Synopsis integer Default 30 The time in sec...

Страница 136: ...ary Radius Server form address Synopsis IPv4 address in dotted decimal notation The IPv4 address of the server port udp Synopsis integer Default 1812 password Synopsis AES CFB128 encrypted string 13 3...

Страница 137: ...erface with link failover the link failover On demand option allows link failover to bring up or take down the PPP interface as needed Link failover triggers the modem dial out to establish a PPP conn...

Страница 138: ...s 00 02 04 0F The DHCP Server supporting DHCP Option 82 sends a unicast reply and echoes Option 82 The DHCP Relay Agent removes the Option 82 field and broadcasts the packet to the port from which the...

Страница 139: ...this relay agent Figure 14 3 DHCP Relay Agent Client Ports table To display the DHCP Relay Agent Client Ports table navigate to dhcp relay agent dhcp client ports DHCP Relay Agent Client Ports are po...

Страница 140: ...ional subnets behind the relay agent or when multiple virtual networks exist on one physical interface Each subnet then gets its own subnet definition inside the shared network rather than at the top...

Страница 141: ...HCP Hosts configure host groups See Section 15 2 6 DHCP Host groups configure DHCP options See Section 15 2 8 DHCP Options Under services dhcpserver you can also view a list of active DHCP leases See...

Страница 142: ...CIDR notation The network IP address for this subnet shared network Synopsis A string The shared network that this subnet belongs to You can configure DHCP options at the subnet level Options set at...

Страница 143: ...s set at higher levels To set Lease Configuration and Client Configuration options navigate to services dhcpserver shared network shared network id options For more information see Section 15 2 8 1 Le...

Страница 144: ...type a name for the host group and click Add You can configure DHCP options at the host group level Options set at this level override options set at higher levels To set Lease Configuration and Clien...

Страница 145: ...ettings This form is used at all DHCP levels NIS Configuration form sets NIS server information This form is used at all DHCP levels NetBios Configuration form sets NetBios scope and nameserver inform...

Страница 146: ...configuration options at the subnet and shared networks levels enter edit mode and navigate to subnet options services dhcpserver subnet subnet id options shared network options services dhcpserver s...

Страница 147: ...g client unknown client Synopsis string one of the following keywords ignore deny allow The action to take for previously unregistered clients shared network Synopsis A string Shared network that this...

Страница 148: ...t the client configuration options enter edit mode and navigate to DHCP server options services dhcpserver options client subnet options services dhcpserver subnet subnet id options client shared netw...

Страница 149: ...IPv4 address in dotted decimal notation The static route that the dhcpserver offers to the client when it issues the lease to the client NIS Configuration Figure 15 16 NIS Configuration form server S...

Страница 150: ...work options services dhcpserver shared network shared network id options client custom host group options services dhcpserver host groups host group id options client custom host options services dhc...

Страница 151: ...15 DHCP Server ROX v2 2 User Guide 151 RuggedBackbone RX5000 The physical network address of the client Note that this corresponds to the hardware type for example MAC address for ethernet...

Страница 152: ...s Ethernet Statistics Chapter 17 Ethernet Statistics IP Statistics Chapter 18 IP Statistics Link Aggregation Chapter 20 Link Aggregation Port Security Chapter 21 Port Security Multicast Filtering Chap...

Страница 153: ...ection Through LFI While the link between Switch A and the Controller functions normally the Controller holds the backup link down Switch B learns that to reach the Controller it must forward frames t...

Страница 154: ...tion LFI feature for the links where no native link partner notification mechanism is available With LFI enabled the device bases generation of a link integrity signal upon its reception of a link sig...

Страница 155: ...e Switched Ethernet Ports table shows the Ethernet interfaces To display the Switched Ethernet Ports table navigate to interface switch Figure 16 4 Switched Ethernet Ports submenu The Switched Etherne...

Страница 156: ...EE 802 3 auto negotiation Enabling auto negotiation results in speed and duplex being negotiated upon link detection both end devices must be auto negotiation compliant for the best possible results S...

Страница 157: ...s full duplex Full duplex operation requires that both ends are configured as such or else severe frame loss will occur during heavy network traffic At lower traffic volumes the link may display few i...

Страница 158: ...ames on any source port is made available for analysis Select a target port that has a higher speed than the source port Mirroring a 100 Mbps port onto a 10 Mbps port may result in an improperly mirro...

Страница 159: ...port where a monitoring device should be connected Figure 16 9 Ingress Source Ports table To display the Ingress Source Ports table navigate to switch port mirroring ingress src Ingress Source Slot S...

Страница 160: ...ine module diagnostics Figure 16 11 Diagnostics menu ROX is able to perform cable diagnostics per Ethernet port and to view the results When cable diagnostics are performed on a port any established n...

Страница 161: ...s detected on the cable pairs of the selected port PassFailTotal Synopsis A string This field summarizes the results of the cable diagnostics performed so far Pass the number of times cable diagnostic...

Страница 162: ...type of fault For a typical no fault Category 5 cable plugged into a 100BASE T port Good will be incremented by two after every run of cable diagnostics once for each cable pair used by a 100BASE T p...

Страница 163: ...form To clear cable diagnostics navigate to interfaces switch line module diagnostics clear cable stats port On the Clear Port Cable Diagnostic Test Results form click Perform Figure 16 15 Clear Port...

Страница 164: ...hernet Alarms Figure 16 18 Clear All Alarms menu Alarms can be cleared by hitting the Perform button This command can be accessed from the Clear All Alarms menu action on the admin clear all alarms me...

Страница 165: ...guard Provides protection against faulty end devices generating an improper link integrity signal When a faulty end device or a mis matching fiber port is connected to the unit a large number of conti...

Страница 166: ...f response time This setting should be used with caution OFF Turning this parameter OFF will disable FAST LINK DETECTION completely The switch will need a longer time to detect a link failure This wil...

Страница 167: ...terface Status forms navigate to interfaces switch line module Slot Synopsis string one of the following keywords lm6 lm5 lm4 lm3 lm2 lm1 sm The slot of the module that contains this port Port Synopsi...

Страница 168: ...tring one of the following keywords 230 4K 115 2K 57 6K 38 4K 19 2K 9 6K 2 4K 1 2K 7 2M 3 072M 1 776M 10G 1G 100M 10M 2 4M 1 5M auto Speed in Megabits per second or Gigabits per second Duplex Synopsis...

Страница 169: ...he link is fixed to full duplex and the peer auto negotiates the auto negotiating end falls back to half duplex operation At lower traffic volumes the link may display few if any errors As the traffic...

Страница 170: ...orts ROX v2 2 User Guide 170 RuggedBackbone RX5000 Is it possible that the peer also has LFI enabled If both sides of the link have LFI enabled then both sides will withhold link signal generation fro...

Страница 171: ...these menus is interfaces switch and then clicking on any of the linked submenus from lm1 1 to lm1 14 Figure 17 1 Ethernet Port Statistics Menu 17 1 Viewing Ethernet Statistics This table provides ba...

Страница 172: ...t and dropped packets OutOctets Synopsis unsigned integer The number of octets in transmitted good packets InPkts Synopsis unsigned integer The number of received good packets Unicast Multicast Broadc...

Страница 173: ...17 Ethernet Statistics ROX v2 2 User Guide 173 RuggedBackbone RX5000 Figure 17 3 RMON Port Statistics Form InOctets Synopsis unsigned long integer...

Страница 174: ...e TotalInPkts Synopsis unsigned long integer The number of received packets This includes rejected dropped and local packets as well as packets which are not forwarded to the switching core for transm...

Страница 175: ...nt has not been detected 3 A Late Collision Event has not been detected 4 The packet has invalid CRC Jabbers Synopsis unsigned integer The number of packets which meet all the following conditions 1 T...

Страница 176: ...unsigned integer The number of received and transmitted packets with size of 512 to 1023 octets This includes received and transmitted packets as well as dropped and local received packets This does n...

Страница 177: ...ring the keyword Synopsis string one of the following keywords main pm2 pm1 Synopsis string one of the following keywords lm6 lm5 lm4 lm3 lm2 lm1 sm Synopsis string one of the following keywords em cm...

Страница 178: ...lex Synopsis string one of the following keywords full half Link duplex status MTU Synopsis integer MTU Maximum Transmission Unit value on the port MAC Synopsis Ethernet MAC address in colon separated...

Страница 179: ...rors Synopsis unsigned integer Number of error packets transmitted Dropped Synopsis unsigned integer Number of dropped packets by the transmit device Collisions Synopsis unsigned integer Number of col...

Страница 180: ...for one switched port Ports are cleared by clicking the Perform button on the Clear Switched Port Statistics form Figure 17 10 Clear All Statistics Menu Figure 17 11 Clear All Switched Port Statistic...

Страница 181: ...he main menu under interfaces ip Figure 18 2 Routable Interface Statistics Table This table appears on the same screen as the Interfaces IP menu The path to the Routable Interface Statistics form Rece...

Страница 182: ...Packets Synopsis unsigned long integer Number of packets received Errors Synopsis unsigned integer Number of error packets received Dropped Synopsis unsigned integer Number of dropped packets by the r...

Страница 183: ...Backbone RX5000 Errors Synopsis unsigned integer Number of error packets transmitted Dropped Synopsis unsigned integer Number of dropped packets by the transmit device Collisions Synopsis unsigned int...

Страница 184: ...assigned to the virtual switch can be used as the default gateway for the end devices connected to the virtual switch interface Network services such as SSH DHCP NTP VRRP etc can be configured to run...

Страница 185: ...stances of VirtualSwitch by adding the following interfaces to the virtual switch on both devices VS1 on Device 1 switch 0020 fe cm 1 0020 VS2 on Device 1 switch 0030 fe cm 1 0030 4 Use the same confi...

Страница 186: ...dd a virtual switch enter Edit Private mode Add a virtual switch and at least two interfaces You can also add VLANs Figure 19 3 Interface Virtualswitch menu The Interface Virtualswitch menu is located...

Страница 187: ...as name of the interface IP Address Source Synopsis string one of the following keywords dynamic static Default static Whether the IP address is static or dynamically assigned via DHCP or BOOTP ProxyA...

Страница 188: ...signed via DHCP or BOOTP If a virtual switch has been configured some virtual switch data will be displayed under the Interfaces Virtualswitch menu Figure 19 9 Interfaces Virtualswitch menu To display...

Страница 189: ...MAC address of the port Figure 19 12 Receive form Bytes Synopsis unsigned long integer Number of bytes received Packets Synopsis unsigned long integer Number of packets received Errors Synopsis unsig...

Страница 190: ...eger Number of collisions detected on the port Figure 19 14 VLAN table To display this table navigate to interfaces virtualswitch virtualswitch number vlan VLAN ID Synopsis integer VLAN ID Figure 19 1...

Страница 191: ...AN Transmit form Bytes Synopsis unsigned long integer Number of bytes transmitted Packets Synopsis unsigned long integer Number of packets transmitted Errors Synopsis unsigned integer Number of error...

Страница 192: ...ed on both the source and destination MAC addresses of the forwarded frames 20 1 Link Aggregation Operation Link Aggregation can be used for two purposes To obtain increased and linearly incremental l...

Страница 193: ...gregation Limitations A port mirroring target port cannot be a member of a port trunk However a port mirroring source port can be a member of a port trunk A DHCP Relay Agent Client port cannot be a me...

Страница 194: ...abled and increased bandwidth is not required Link Aggregation should not be used because it may lead to a longer fail over time 20 2 Link Aggregation Configuration To display the Link Aggregation men...

Страница 195: ...20 Link Aggregation ROX v2 2 User Guide 195 RuggedBackbone RX5000 Figure 20 4 Entering a Trunk ID Next add parameters to the Multicast Filtering CoS and VLAN forms...

Страница 196: ...ion ROX v2 2 User Guide 196 RuggedBackbone RX5000 Figure 20 5 Entering Parameters for Forms Finally add parameters for the trunk ports First click on trunk ports on the menu Next click on Add trunk po...

Страница 197: ...n Add trunk ports again to add a second trunk port Click Commit Click Exit Transaction when done Figure 20 7 Selecting a Trunk Slot After configuration the Trunk Ports table accessible at interface tr...

Страница 198: ...icking on interface switch line module Figure 20 10 Key Settings Figure 20 11 Ethernet Trunk Interfaces form Trunk ID Synopsis integer The trunk number It doesn t affect port trunk operation in any wa...

Страница 199: ...ze frames received on this port that are not prioritized based on the frames contents e g priority field in the VLAN tag DiffServ field in the IP header prioritized MAC address Inspect TOS This parame...

Страница 200: ...t untagged Specifies whether frames transmitted out of the port on its native VLAN specified by the PVID parameter will be tagged or untagged GVRP Mode synopsis token one of advertise_only learn_adver...

Страница 201: ...rce MAC addresses of received frames against the contents in the Static MAC Address Table ROX also supports a highly flexible Port Security configuration which provides a convenient means for network...

Страница 202: ...thentication methods 802 1X defines a protocol for communication between the Supplicant and the Authenticator EAP over LAN EAPOL RuggedBackbone communicates with the Authentication Server using EAP ov...

Страница 203: ...curity radius address Synopsis IPv4 address in dotted decimal notation The IPv4 address of the server UDP Port Synopsis integer Default 1812 The IPv4 port of the server password Synopsis AES CFB128 en...

Страница 204: ...nown there is still an option to configure the switch to auto learn a certain number of MAC addresses Once learned they don t age out until the unit is reset or the link goes down IEEE 802 1X standard...

Страница 205: ...ess Entity parameters quiet period Synopsis integer Default 60 The period of time not to attempt to acquire a supplicant after the authorization session failed Reauthorization Enables or disables peri...

Страница 206: ...he authentication server s EAP packet Server Timeout Synopsis integer Default 30 The time to wait for the authentication server s response to the supplicant s EAP packet Max Requests Synopsis integer...

Страница 207: ...ion 1 or 2 22 1 IGMP IGMP is used by IP hosts to report their host group memberships to multicast routers As hosts join and leave specific multicast groups streams of traffic are directed to or withhe...

Страница 208: ...ally two query intervals the router will prune the multicast stream from the given segment A more usual method of pruning occurs when consumers wishing to unsubscribe issue an IGMP leave group message...

Страница 209: ...er all other routers become non queriers participating only forward multicast traffic Switches running in Active IGMP mode participate in the querier election like multicast routers When the querier e...

Страница 210: ...ies as if it is the router Processing Joins If host C1 desires to subscribe to the multicast streams for both P1 and P2 it will generate two joins The join from C1 on VLAN 2 will cause the switch to i...

Страница 211: ...t Group Periodically the switch sends GMRP queries in the form of a leave all message If a host either a switch or an end station wishes to remain in a multicast group it reasserts its group membershi...

Страница 212: ...membership for the two Multicast Groups on the example network is as follows Host H1 is GMRP unaware but needs to see traffic for Multicast Group 1 Port E2 on Switch E therefore is statically configu...

Страница 213: ...sly become a member of Multicast Group 1 Switch B forwards the Group 1 multicast via Port B4 towards Switch E Switch E forwards the Group 1 multicast via Port E2 which has been statically configured f...

Страница 214: ...efault 60 The time interval between IGMP queries generated by the switch NOTE This parameter also affects the Group Membership Interval i e the group subscriber aging time therefore it takes effect ev...

Страница 215: ...selected ports on the module installed in the indicated slot Figure 22 8 Static Multicast Summary table If data is configured the path to the Static Multicast Summary table will be switch mcast filter...

Страница 216: ...summary then clicking on one of the linked submenus then clicking on static ports and then on a linked submenu Static ports are egress ports that have been assigned to a particular multicast MAC addr...

Страница 217: ...ups form The path to this form is switch mcast filtering ip mcast groups and then clicking on one of the linked submenus that follow VLAN ID Synopsis integer The VLAN Identifier of the VLAN upon which...

Страница 218: ...s on the module installed in the indicated slot Figure 22 17 Joined Ports table The path to this table is switch mcast filtering ip mcast groups then clicking on one of the linked submenus that follow...

Страница 219: ...kept registered Figure 22 20 GMRP Dynamic Ports table The path to this menu is switch mcast filtering mcast group summary then clicking on one of the linked submenus and then clicking on gmrp dynamic...

Страница 220: ...r the multicast stream is being delivered to the router run the Ethernet Statistics menu View Ethernet Statistics command Verify that the traffic count transmitted to the router is the same as the tra...

Страница 221: ...g to operate properly Problem Six I connect or disconnect some switch ports and multicast goes everywhere Is IGMP broken No it may be a proper switch behavior When the switch detects a change in the n...

Страница 222: ...f connectivity over the network The CoS feature has two main phases inspection and forwarding 23 1 1 Inspection Phase In the inspection phase the CoS priority of a received frame is determined from A...

Страница 223: ...ueues according to the CoS assigned to each frame CoS weighting selects the degree of preferential treatment that is attached to different priority queues The ratio of the number of higher CoS to lowe...

Страница 224: ...4 Priority to CoS Mapping table The path to the Priority to CoS Mapping table is switch class of service priority to cos This table shows the mapping of each IEEE 802 1p priority value to the Class of...

Страница 225: ...cos number TOS DSCP to CoS Mapping maps each Differentiated Services Code Point DSCP in the Type Of Service TOS field in the headers of the received IP packets to the Class of Service switch DSCP Syn...

Страница 226: ...ved on this port that are not prioritized based on the frame s contents e g the priority field in the VLAN tag DiffServ field in the IP header prioritized MAC address Inspect TOS Enables or disables p...

Страница 227: ...es mac tables menu is is accessible from the main menu under switch mac tables Figure 24 1 MAC Tables menu 1 Viewing MAC Addresses To display the MAC Address table navigate to switch mac tables mac ta...

Страница 228: ...tically unlearned CoS Synopsis string one of the following keywords crit high medium normal The Class Of Service that is assigned to frames carrying this address as source or destination address 2 Con...

Страница 229: ...m to add a new MAC address MAC Address and VLAN ID are the keys Enter other relevant parameters in the Static MAC Address Parameters form Figure 24 5 Key Settings Figure 24 6 Static MAC Address Parame...

Страница 230: ...stalled in the indicated slot CoS Synopsis string one of the following keywords crit high medium normal Default normal The priority of traffic for a specified address 4 Purging The MAC Address Table T...

Страница 231: ...e guaranteed to be aware of the new topology Using the values recommended by 802 1D this period lasts 30 seconds The Rapid Spanning Tree Protocol RSTP IEEE 802 1w was a further evolution of the 802 1D...

Страница 232: ...nd whether it can currently be used State There are three RSTP states Discarding Learning and Forwarding The discarding state is entered when the port is first put into service The port does not learn...

Страница 233: ...listen to each others messages and agree on which bridge is the Designated Bridge The ports of other bridges on the segment must become either Root Alternate or Backup ports Figure 25 2 Bridge and Por...

Страница 234: ...may configure the bridge to override the half duplex determination mechanism and force the link to be treated in the proper fashion 25 1 4 Path and Port Costs The STP path cost is the main metric by...

Страница 235: ...rameter Raise the value of the maximum age parameter if implementing very large bridged networks or rings 25 2 MSTP Operation The Multiple Spanning Tree MST algorithm and protocol provide greater cont...

Страница 236: ...spanning tree instances that may be defined in an MST region not including the IST see below An MSTI is created by mapping a set of VLANs in ROX via the VLAN configuration to a given MSTI ID The same...

Страница 237: ...s the minimum cost path to a CIST Root located outside the region A Designated Port provides the minimum cost path from an attached LAN via the bridge to the CIST Regional Root Alternate and Backup Po...

Страница 238: ...MSTIs It is possible to control the spanning tree solution for each MSTI especially the set of active links for each tree by manipulating per MSTI the bridge priority and the port costs of links in th...

Страница 239: ...gure a Region Identifier and Revision Level Note that these two items must be identical for each bridge in the MST region 5 Configure Bridge Priority per MSTI 6 Configure Port Cost and Priority per po...

Страница 240: ...to the network edge 3 Identify edge ports and ports with half duplex shared media restrictions Ports that connect to host computers IEDs and controllers may be set to edge ports in order to guarantee...

Страница 241: ...rapid recovery from link failure is required In normal operation RSTP will block traffic on one of the links for example as indicated by the double bars through link H in Figure 25 4 Example of a Rin...

Страница 242: ...ce from the root bridge If the root bridge is assigned the lowest priority of 0 the bridges on either side should use a priority of 4096 and the next bridges 8192 and so on As there are 16 levels of b...

Страница 243: ...form at the top level Spanning Tree menu configures parameters applicable to RSTP and MSTP over the whole bridge Figure 25 7 Spanning Tree Parameter form Enabled Synopsis boolean Default true Enables...

Страница 244: ...number of messages is reached RSTP will be limited to 1 message per second Larger values allow the network to recover from failed links more quickly If RSTP is being used in a ring architecture the t...

Страница 245: ...of the following keywords 4 1 Default 4 The Max Network Diameter as a muliplier of the MaxAgeTime value BPDU Guard Mode Synopsis string one of the following keywords untilreset noshutdown specify Def...

Страница 246: ...s feature is only available in RSTP mode In MSTP mode the configuration parameter is ignored In a single ring topology this feature is not needed and should be disabled to avoid longer network recover...

Страница 247: ...RSTP Parameter form The Port RSTP Parameter form appears on the same screen as the interface switch line module spanning tree submenu Enabled Synopsis boolean Default true When the box is checked the...

Страница 248: ...ses the port not to be selected as the root port for the CIST or any MSTI even it has the best spanning tree priority vector This parameter should be FALSE by default Restricted TCN If TRUE causes the...

Страница 249: ...string one of the following keywords 61440 57344 53248 49152 45960 40960 36864 32768 28672 24576 20480 16384 12288 8192 4096 0 Default 32768 Bridge Priority provides a way to control the topology of...

Страница 250: ...nstance table After data has been configured the MSTP Instance table will be displayed at switch spanning tree mstp instance Figure 25 15 MSTP ID table To display the MSTP ID table navigate to switch...

Страница 251: ...I Configuration form navigate to interface switch line module spanning tree msti number MSTP ID Synopsis integer MSTP Instance Identifier MSTP Priority Synopsis string one of the following keywords 24...

Страница 252: ...inks For MSTP this parameter applies to both external and internal path costs RSTP Cost Synopsis string the keyword auto cost Synopsis unsigned integer Default auto cost The cost to use in cost calcul...

Страница 253: ...navigate to switch spanning tree Status Synopsis string one of the following keywords none rootBridge notDesignatedForAnyLAN designatedBridge The spanning tree status of the bridge The status may be r...

Страница 254: ...slot containing the port that provides connectivity towards the root bridge of the network Root Port Port Synopsis integer If the bridge is designated this is the port of the slot that provides conne...

Страница 255: ...time from the Bridge RSTP Parameters menu Learned Max Age Synopsis integer The actual Maximum Age time provided by the root bridge as learned in configuration messages This time is used in designated...

Страница 256: ...reen of the module STP State Synopsis string one of the following keywords discarding linkDown forwarding learning listening blocking disabled Describes the status of this interface in the spanning tr...

Страница 257: ...et to RSTP 1Gbps will contribute 20 000 100 Mbps ports will contribute a cost of 200 000 and 10 Mbps ports contribute a cost of 2 000 000 Note that even if the Cost style is set to RSTP a port that mi...

Страница 258: ...ssages transmitted from this port 25 5 3 MSTI Status Figure 25 21 MSTI Status table To display this table navigate to switch spanning tree msti status Figure 25 22 MSTI Status form To display these fo...

Страница 259: ...Synopsis string the keyword trnk If the bridge is designated this is the slot containing the port that provides connectivity towards the root bridge of the network Root Port Port Synopsis integer If...

Страница 260: ...cs forms is switch spanning tree port msti id number port msti stats line module Slot Synopsis string one of the following keywords lm6 lm5 lm4 lm3 lm2 lm1 sm Synopsis string the keyword trnk The slot...

Страница 261: ...y to the root bridge It is not used but is standing by Master Only exists in MSTP The port is an MST region boundary port and the single port on the bridge which provides connectivity for the Multiple...

Страница 262: ...r the length of time the port was in forwarding If one of the switches appears to flip the root from one port to another the problem may be one of traffic prioritization See problem five Another possi...

Страница 263: ...te out to the edge and then back in order to reestablish the topology Problem Four My network is composed of a ring of bridges of which two connected to each other are managed and the rest are unmanag...

Страница 264: ...etwork statistics to determine whether the root bridge is receiving TCNs around the time of observed frame loss It may be possible that you have problems with intermittent links in your network Proble...

Страница 265: ...at specify a valid VLAN identifier VID Untagged frames are frames without tags or frames that carry 802 1p prioritization tags only having prioritization information and a VID of 0 Frames with a VID 0...

Страница 266: ...s Rules Ingress Rules The VLAN ingress rules are applied to all frames when they are received by the switch Frame received This does not depend on ingress port s VLAN configuration parameters Untagged...

Страница 267: ...on Protocol to automatically distribute VLAN configuration information in a network Each switch in a network needs only to be configured with VLANs it requires locally it dynamically learns the rest o...

Страница 268: ...ome members of VLAN 7 Ports D1 and B1 advertise VID 20 and ports B3 B4 and D1 become members of VLAN 20 26 1 9 PVLAN Edge PVLAN Edge Protected VLAN Edge port refers to a feature of the switch whereby...

Страница 269: ...ing the IP address of a host on another VLAN The use of creative bridge filtering and multiple VLANs can carve seemingly unified IP subnets into multiple regions policed by different security access p...

Страница 270: ...independent networks These hosts may be replaced by a single multi homed host supporting each network on its own VLAN This host can perform routing between VLANs Figure 26 3 Inter VLAN Communications...

Страница 271: ...igure 26 6 Static VLAN table Figure 26 7 Static VLAN form VLAN ID Synopsis integer The VLAN Identifier is used to identify the VLAN in tagged Ethernet frames according to IEEE 802 1Q IGMP Snooping Ena...

Страница 272: ...dentifier specifies the VLAN ID associated with untagged and 802 1p priority tagged frames received on this port Frames tagged with a non zero VLAN ID will always be associated with the VLAN ID retrie...

Страница 273: ...the switch configured or learned and can dynamically learn VLANs 26 3 3 VLAN Summary There are actually three ways that a VLAN can be created in the switch Explicit A VLAN is explicitly configured in...

Страница 274: ...lan summary number Figure 26 12 Tagged Ports table Tagged ports and untagged ports can be viewed To display the Tagged Ports table navigate to switch vlans vlan summary number tagged ports Figure 26 1...

Страница 275: ...module Untagged Slot Synopsis string one of the following keywords lm6 lm5 lm4 lm3 lm2 lm1 sm The name of the module location provided on the silkscreen across the top of the device Untagged Ports Syn...

Страница 276: ...gure 26 20 Forbidden Ports If forbidden ports are configured display the Forbidden Ports form by navigating to switch vlans static vlan number forbidden ports Slot Synopsis string one of the following...

Страница 277: ...26 Virtual LANs ROX v2 2 User Guide 277 RuggedBackbone RX5000 can use a router The router will treat each VLAN as a separate interface which will have its own associated IP address space...

Страница 278: ...hbors across connected network links using a standard mechanism Devices that support LLDP are able to advertise information about themselves including their capabilities configuration interconnections...

Страница 279: ...m form appear on the same screen as the menu Figure 27 3 LLDP form This form is used to configure the Network Discovery Protocol LLDP Enabled Synopsis boolean Default true Enables the LLDP protocol No...

Страница 280: ...e or status changed The recommended value is set by the following formula 1 is less than or equal to txDelay less than or equal to 0 25 Tx Interval Notification Interval sec Synopsis integer Default 5...

Страница 281: ...e of the following keywords local interfaceName networkAddress macAddress portComponent interfaceAlias chassisComponent local chassis subtype Local Chassis ID Synopsis Ethernet MAC address in colon se...

Страница 282: ...Statistics form The path to the LLDP Port Statistics form is switch net discovery lldp port lldp stats and then clicking on one of the linked submenus for example sm 1 slot Synopsis string the keyword...

Страница 283: ...d integer A counter of all LLDPDUs transmitted Ageouts Synopsis unsigned integer A counter of the times that a neighbor s information has been deleted from the LLDP remote system MIB because the txinf...

Страница 284: ...cm Synopsis string the keyword trnk The slot of the module that contains this port Port Synopsis integer The port number as seen on the front plate silkscreen of the module Chassis ID Synopsis Ethern...

Страница 285: ...x only Default rx tx no lldp The local LLDP agent can neither transmit nor receive LLDP frames rxTx The local LLDP agent can both transmit and receive LLDP frames through the port txOnly The local LLD...

Страница 286: ...hing Chapter 29 Layer 3 Switching Tunnelling Chapter 30 Tunnelling Dynamic Routing Chapter 31 Dynamic Routing Static Routing Chapter 32 Static Routing Routing Status Chapter 33 Routing Status Multicas...

Страница 287: ...be performed on router ports On the RX1500 series and RX5000 platforms all Ethernet ports except for cm 1 are switch ports On the RX1000 series platforms all Ethernet ports are router ports 28 3 Routi...

Страница 288: ...at point the ROX device routes the traffic If the traffic volume to be routed is high enough then Layer 3 switching will start provided that this feature is available Note that the devices attached to...

Страница 289: ...cated firewall rules which are not normally not supported by Layer 3 switches 29 1 2 Layer 3 Switch Forwarding table To route a packet with a specific destination IP address a router needs the followi...

Страница 290: ...nfiguration as the rule takes the protocol and TCP UDP port into consideration to make forwarding decisions Host oriented learning is when the switch uses the following information to identify a traff...

Страница 291: ...ing ASICs is significantly limited and may not be sufficient to accommodate all Layer 3 switching rules If the TCAM is full and a new static rule is created the new rule replaces some dynamically lear...

Страница 292: ...e external network VLAN 400 at the address 227 100 20 100 Servers in VLAN 300 receive IP multicast data from the external network VLAN 400 at the address 227 100 250 250 No firewall is used in this us...

Страница 293: ...er3 switching arp table and switch layer3 switching rules summary Do the same for the 10 200 60 0 24 network Even if Hw accelerate is not enabled Layer 3 switching is still performed but all switching...

Страница 294: ...le Each server in the server farm would be polling device IP addresses one after the other in order Given that each server would always be talking to at least one device we could create static ARP ent...

Страница 295: ...re Layer 3 switching do the following set the Layer 3 switching settings See Section 29 2 1 Configuring Layer 3 Switching Settings create static ARP table entries See Section 29 2 2 Creating Static AR...

Страница 296: ...ic routes have to be subject to sophisticated firewall filtering Auto Both statically configured and dynamically learned Layer3 switching rules will be used In this mode maximum routing hardware accel...

Страница 297: ...ode potentially controls multiple flows with a single rule and hence is more efficient in utilizing Layer3 switching ASIC resources Aging Time sec Synopsis integer Default 32 This parameter configures...

Страница 298: ...t resolved the MAC IP address pair and keeps sending ARP requests periodically 29 2 3 Viewing Static and Dynamic ARP Table Entries The ARP Table Summary table lists all of the ARP table entries To vi...

Страница 299: ...following keywords hidden invalid unicast multicast Identifies the type of the rule unicast multicast invalid In VLAN Synopsis integer Identifies the ingress VLAN To match the rule the packet s ingre...

Страница 300: ...ghput of all packets matching the rule in packets per second static Synopsis boolean Whether the rule is static or dynamic Static rules are configured as a result of management activity Dynamic rules...

Страница 301: ...y flush dynamic rules Static rules enabled by activating hardware acceleration never age out For more information on how to enable hardware acceleration see Section 29 1 Layer 3 Switching Fundamentals...

Страница 302: ...as part of IP version 6 Openswan is the open source implementation of IPsec used by ROX The protocols used by IPsec are the Encapsulating Security Payload ESP and Internet Key Exchange IKE protocols...

Страница 303: ...Public Key And Pre shared Keys In public key cryptography keys are created in matched pairs called public and private keys The public key is made public while the private key is kept secret Messages c...

Страница 304: ...r details 30 1 1 8 The Openswan Configuration Process Each VPN connection has two ends the local router and the remote router The Openswan configuration record describing a VPN connection can be used...

Страница 305: ...s on the same screen as the IPsec menu Figure 30 3 IPsec form The IPsec form is used in configuring IPSec VPN Enable IPSec Enables IPSec NAT Traversal Enables NAT Traversal Keep Alive Synopsis unsigne...

Страница 306: ...pr kern daemon cron authpriv auth Default daemon The log facility Log Level Synopsis string one of the following keywords warnings notifications informational errors emergencies debugging critical ale...

Страница 307: ...7 RuggedBackbone RX5000 Figure 30 6 Install Certificate forms The path to the Install Certificates forms is tunnel ipsec certificate install certificate To install the certificates enter the parameter...

Страница 308: ...gedBackbone RX5000 Figure 30 7 Install Ca Certificate forms The path to the Install Ca Certificate forms is tunnel ipsec certificate install ca certificate Enter the parameters and then click on the P...

Страница 309: ...crl file To install the files enter the parameters and then click the Perform button Figure 30 9 Show IPsec Running Status form The path to the Show IPsec Running Status form is tunnel ipsec status T...

Страница 310: ...etting for all connections Startup Operation Synopsis string one of the following keywords default route start add ignore Default default The action at IPSec startup time Authenticate By Synopsis stri...

Страница 311: ...er algorithm Hash Method Synopsis string one of the following keywords any md5 sha1 Hash method Figure 30 14 IKE table If data is configured the path to the IKE table will be tunnel ipsec connection l...

Страница 312: ...eft The System Public Key System Identifier and Nexthop to Other System forms appear on the same screen as the Public IP Address form The public ip is the system identifier Type Synopsis string one of...

Страница 313: ...type Synopsis string one of the following keywords hostname address from certificate none default Default default Type Hostname or IP Address Synopsis A string conforming to Hostname or IP address Fig...

Страница 314: ...configured the path to the Preshared Key form will be tunnel ipsec preshared key line module Figure 30 22 Preshared Key form Remote Address Synopsis string the keyword any Synopsis IPv4 address in dot...

Страница 315: ...erver forms appear on the same screen as this menu Figure 30 24 L2TP form Enable L2TP Enable L2TP Local IP Address Synopsis IPv4 address in dotted decimal notation Local IP address First IP Address Sy...

Страница 316: ...s dialin menu If you are not enabling the Authorize Locally field you need to configure the Radius server for ppp authentication under the global ppp radius menu For more information on PPP see Chapte...

Страница 317: ...eatures GOOSE traffic is bridged over the WAN via UDP IP One GOOSE traffic source can be mapped to multiple remote router Ethernet interfaces in mesh fashion To reduce bandwidth consumption GOOSE daem...

Страница 318: ...on another RuggedBackbone 30 3 2 1 Generic Tunnel Implementation Details For each tunnel configured the daemon monitors the specified Ethernet interface for Ethernet Layer 2 frames of the specified ty...

Страница 319: ...te with other daemons The Beacon interval field configures how often a Round Trip Time RTT measurement message is sent to each remote peer The interval takes the values Off to disable RTT measurement...

Страница 320: ...se tunnel interface Synopsis A string The interface to listen on for goose frames multicast mac Synopsis Multicast Ethernet MAC address in colon separated hexadecimal notation The multicast MAC addres...

Страница 321: ...interface for Ethernet type frames Figure 30 36 L2 Ethernet Type table type Synopsis string the keyword iso Synopsis A string conforming to 0x 0 9A Fa f 4 Ethernet type to be forwarded ie 0xFEFE 30 3...

Страница 322: ...imal notation Multicast Destination MAC Address of Goose message rx frames Synopsis unsigned integer The number of frames received over the tunnel tx frames Synopsis unsigned integer The number of fra...

Страница 323: ...el tx packets Synopsis unsigned integer The number of frames transmitted over the tunnel rx bytes Synopsis unsigned integer The number of bytes received over the tunnel tx bytes Synopsis unsigned inte...

Страница 324: ...ing VLAN Interface name rx frames Synopsis unsigned integer The number of frames received over the tunnel tx frames Synopsis unsigned integer The number of frames transmitted over the tunnel rx chars...

Страница 325: ...of frames received over the tunnel tx packets Synopsis unsigned integer The number of frames transmitted over the tunnel rx bytes Synopsis unsigned integer The number of bytes received over the tunne...

Страница 326: ...l problems Figure 30 46 Round Trip Time Statistics form remote ip Synopsis IPv4 address in dotted decimal notation IP address of remote goose daemon transmitted Synopsis unsigned integer The number of...

Страница 327: ...dress of 172 19 20 21 and a remote subnet of 192 168 2 0 24 If you are connecting to a CISCO router in place of Router 1 in the example above the local router address corresponds to the CISCO IOS sour...

Страница 328: ...gre0 if name Synopsis A string conforming to A Za z 1 0 9A Za z 0 9 The GRE tunnel network interface name The prefix gre will be added to this interface name local ip Synopsis IPv4 address in dotted d...

Страница 329: ...30 Tunnelling ROX v2 2 User Guide 329 RuggedBackbone RX5000 cost Synopsis integer Default The routing cost associated with networking routing that directs traffic through the tunnel...

Страница 330: ...an RFC1058 compliant implementation of RIP support RIP version 1 and 2 RIP version 1 is limited to obsolete class based networks while RIP version 2 supports subnet masks as well as simple authentica...

Страница 331: ...r of routes to be advertised may help to avoid this problem In shared access networks i e routers connected by switches or hubs a designated router and a backup designated are elected to receive route...

Страница 332: ...nets which are directly connected to the router but are not part of the OSPF area or RIP or BGP networks can be advertised if redistribute connected is enabled in the OSPF RIP or BGP Global Parameters...

Страница 333: ...By enabling authentication and configuring a shared key on all the routers only routers which have the same authentication key will be able to send and receive advertisements within the RIP network 3...

Страница 334: ...eration Router 1 and 2 have VRRP setup on their Ethernet connection so that they can both function as the gateway for the clients on their network segment Normally Router 1 is the VRRP master and only...

Страница 335: ...ute connected as OSPF would not use the subnets for routing 31 1 6 BGP Fundamentals The Border Gateway Protocol BGP RFC 4271 is a robust and scalable routing protocol BGP is designed to manage a routi...

Страница 336: ...ic route and redistributing it in RIP using the redistribute element with static type Default Metric Synopsis integer in the range 32768 to 32767 Default 1 This element modifies the default metric val...

Страница 337: ...ynopsis unsigned integer Default 30 The routing table update timer in seconds Timeout Timer Synopsis unsigned integer Default 180 The routing information timeout timer in seconds Garbage Collection Ti...

Страница 338: ...ied to multiple groups of interfaces Without key chains the same settings would have to be entered for each interface separately Key chains also allow multiple keys to be entered in a single key chain...

Страница 339: ...ation Synopsis string the keyword infinite Expire time 31 3 1 4 Redistribute This element redistributes routing information into the RIP tables from route entries specified by type Redistribute Route...

Страница 340: ...element Receive Version Synopsis string one of the following keywords 2 1 1 2 2 1 The version of RIP packets that will be accepted on this interface By default version 1 and version 2 packet will be a...

Страница 341: ...etwork The split horizon prevents advertising those routes back out the same interface which helps to control this problem Some network topologies with rings of routers will still have some issues wit...

Страница 342: ...ard shortcut ibm cisco Default cisco The OSPF ABR type Auto Cost Reference Bandwidth Synopsis unsigned integer Default 100 Calculates the OSPF interface cost according to bandwidth 1 4294967 Mbps Comp...

Страница 343: ...OSPF Area Distance form can be used to define OSPF external inter area or intra area routes distance External Routes Distance Synopsis unsigned integer The administrative distance for external routes...

Страница 344: ...stributes the route type Metric Type Synopsis integer in the range 32768 to 32767 Default 2 The OSPF exterior metric type for redistributed routes Metric Synopsis unsigned integer The metric for redis...

Страница 345: ...d byte integer Default 1 Priority of interface Passive Interface Whether an interface is active or passive Passive interfaces do not send LSAs to other routers and are not part of an OSPF area Retrans...

Страница 346: ...of submenus that follow authentication ip cost ip dead interval ip hello interval ip message digest key message digest key ip retransmit interval ip and transmit delay ip 31 5 BGP 31 5 1 BGP configura...

Страница 347: ...distance value of BGP External Routes Distance Synopsis unsigned integer Distance value for external routes Internal Routes Distance Synopsis unsigned integer Distance value for internal routes Local...

Страница 348: ...Action Network Synopsis IPv4 address and prefix in CIDR notation Network xxx xxx xxx xxx xx Less Than or Equal to Synopsis unsigned byte integer The maximum prefix length to be matched Greater Than or...

Страница 349: ...g conforming to s The prefix list name Route Source Match Prefix List Synopsis A string conforming to s The prefix list name Route Map Metric Metric Synopsis unsigned integer Match the route metric Pe...

Страница 350: ...iginator ID weight Synopsis unsigned integer Weight 31 5 1 2 Network Networks may be specified in order to add BGP routers connected to the specified subnets Note that a network specification need not...

Страница 351: ...ebgp multihop Synopsis unsigned byte integer The maximum hop count This allows EBGP neighbors not on directly connected networks Maximum Prefix Synopsis unsigned integer The maximum prefix number acc...

Страница 352: ...atched Subnet Subnet Prefix Synopsis IPv4 address and prefix in CIDR notation IP Address Prefix Distance Synopsis unsigned integer Distance value 31 5 1 6 Redistribute Redistribute Route from Other Pr...

Страница 353: ...orm The path to the Static Route form is routing static ipv4 route hw accelerate If the static unicast route can be hardware accelerated the option will be available For a static unicast route to be a...

Страница 354: ...path to the Blackhole Static Route form is routing static ipv4 route blackhole Distance optional Synopsis unsigned integer The distance for the static route Figure 32 7 Static Route Using Interface ta...

Страница 355: ...e on a locally connected broadcast network i e without a gateway without also bringing up a corresponding IP address on that interface For example it would be possible to add 192 168 1 0 24 to switch...

Страница 356: ...ive Routing table is routing status ipv6routes Subnet Synopsis string The network prefix Gateway Address Synopsis string The gateway address Interface Name Synopsis string The interface name Route Typ...

Страница 357: ...The number of used ordinary blocks in bytes Free ordinary blocks Byte Synopsis unsigned integer The number of free ordinary blocks in bytes Figure 33 5 RIP Daemon Memory Statistics Form total Synopsi...

Страница 358: ...r of free ordinary blocks in bytes Figure 33 7 OSPF Daemon Memory Statistics Form total Synopsis unsigned integer The total heap allocated in bytes used Synopsis unsigned integer The number of used or...

Страница 359: ...To display the Network table navigate to routing status ospf route network id Synopsis string Network Prefix discard Synopsis string This entry is discarded entry inter area Synopsis string Is path t...

Страница 360: ...string Router ID Figure 33 13 Area Table To display the Area table navigate to routing status ospf route router number area id Synopsis string Area ID inter area Synopsis string Is path type inter ar...

Страница 361: ...r age Synopsis integer Age seqnum Synopsis string Sequence number Figure 33 15 Summary Table To display the Summary table navigate to routing status ospf database summary id Synopsis string Link ID ar...

Страница 362: ...psis string Area ID adv router Synopsis string Advertising Router age Synopsis integer Age seqnum Synopsis string Sequence number Figure 33 17 AS External Table To display the AS External table naviga...

Страница 363: ...ute tag Figure 33 18 Neighbor Table To display the Neighbor table navigate to routing status ospf neighbor id Synopsis string Neighbor ID address Synopsis string Address priority Synopsis integer Prio...

Страница 364: ...ring Network Figure 33 21 Next Hop Table To display the Next Hop table navigate to routing status bgp route address next hop address Synopsis string Next hop address selected Synopsis boolean Selected...

Страница 365: ...ring Neighbor address version Synopsis integer BGP version as Synopsis string Remote AS number msgrcvd Synopsis integer Number of received BGP messages msgsent Synopsis integer Number of sent BGP mess...

Страница 366: ...appears on the same screen as the Multicast menu enabled Enables static multicast routing service Figure 34 3 Static menu The path to the Static menu is routing multicast static From the static menu...

Страница 367: ...A string conforming to 22 4 9 23 0 9 0 9 1 9 0 9 1 0 9 2 2 0 4 0 9 25 0 5 2 0 9 1 9 0 9 1 0 9 2 2 0 4 0 9 25 0 5 The multicast IP address to be forwarded in the format xxx xxx xxx xxx The address mus...

Страница 368: ...format xxx xxx xxx xxx U indicates that this address is uniquely paired with the multicast address set in the Multicast ip field You cannot use this IP address to create another Multicast Routing ent...

Страница 369: ...34 Multicast Routing ROX v2 2 User Guide 369 RuggedBackbone RX5000 entryStatus Synopsis string The status of the multicast routing entry...

Страница 370: ...s at and tests each packet and the tests or rules may be modified depending on packets that have already been processed This is called connection tracking Stateful firewalls can also recognize that tr...

Страница 371: ...ing a public interface of 213 18 101 62 When a connection request for http port 80 arrives at 213 18 101 62 the NAT gateway could forward the request to either of the hosts or could accept it itself P...

Страница 372: ...as expected 35 3 Firewall Terminology And Concepts This section provides background on various firewall terms and concepts References are made to the section where configuration applies 35 3 1 Zones A...

Страница 373: ...REJECT QUEUE CONTINUE and NONE The first three are the most widely used and are described here When the ACCEPT policy is used a connection is allowed When the DROP policy is used a request is simply i...

Страница 374: ...udp These can be raw port numbers or names as found in file etc services Some examples should illustrate the use of masquerading Rule Interface Subnet Address Protocol Ports 1 switch 0001 switch 0002...

Страница 375: ...Redirect the request to a local tcp port number on the local firewall This is most often used to remap port numbers for services on the firewall itself Table 35 7 The remaining fields of a rule are a...

Страница 376: ...the interfaces menu as it will be carrying both traffic for both zones Visit the Host menu and for the network interface that carries the encrypted IPSec traffic create a zone host with zone VPN the c...

Страница 377: ...CCEPT dmz net ah ACCEPT dmz net esp ACCEPT dmz net udp 500 Table 35 13 35 5 Firewall Configuration All firewall fields accept only alphanumeric characters excluding spaces Do not use punctuation or ot...

Страница 378: ...5 1 Adding a Firewall To add a firewall enter edit private mode navigate to security firewall fwconfig and click Add fwconfig Figure 35 4 Adding a Firewall In the Key settings form enter a name for th...

Страница 379: ...active config Specify work configuration Synopsis string The current work firewall is specified here Specify active configuration Synopsis string The current active firewall is specified here 35 5 2...

Страница 380: ...the fw1 firewall configuration is active you might wish to make changes to the live configuration Any changes made to a configuration that is defined as active config and enable will be reflected on t...

Страница 381: ...for same interfaces ppp Figure 35 11 Interface Options form Arp Filter Responds only to ARP requests for configured IP addresses routeback Allow traffic on this interface to be routed back out that s...

Страница 382: ...nfo level logmartians Enables logging of packets with impossible source addresses Figure 35 12 Broadcast Address form broadcast addr Optional A broadcast address 35 5 5 Host Configuration Hosts are us...

Страница 383: ...rm IPsec zone Synopsis boolean Default false 35 5 6 Policies Figure 35 16 Main Policy Settings table Figure 35 17 Main Policy Settings form Default actions for connection establishment between differe...

Страница 384: ...ion zone configuration by specifiying a zone Please choose either a pre defined zone or all Figure 35 19 Source Zone form source zone The zone from which the request originates Enter a source zone con...

Страница 385: ...a DNS name Interface Synopsis A string Interfaces that have the EXTERNAL address Internal Address Synopsis IPv4 address in dotted decimal notation The internal address must not be a DNS Name Limit Int...

Страница 386: ...outgoing interfacelist usually the internet interface Outgoing Interface Specifics Synopsis string Optional An outgoing interface list specific destinations IP for the out interface Source Hosts Synop...

Страница 387: ...is rule Action Synopsis string one of the following keywords dnat dnat redirect continue reject drop accept Default reject The final action to take on incoming packets matching this rule Destination Z...

Страница 388: ...rds none Related Any Default none Optional The tcp udp port the connection is destined for Original Destination Synopsis string Synopsis string the keyword None Default none Optional The destination I...

Страница 389: ...35 Firewall ROX v2 2 User Guide 389 RuggedBackbone RX5000 Optional Add comma separated host IPs to the destination zone may include port for DNAT or REDIRECT...

Страница 390: ...e accessed simultaneously Only the mode that is currently configured can be accessed 36 1 1 Traffic Control Basic basic configuration Configuration Mode Basic configuration mode offers a limited set o...

Страница 391: ...ble 36 2 TC Classes 36 1 2 1 3 TC Rules Mark Source Destination Protocol Source Port Dest Port Test Length TOS 2 Any Any ICMP Any Any Any Any Any RESTORE Any Any Any Any Any 0 Any Any CONTINUE Any Any...

Страница 392: ...all configuration to operate Basic or Advanced Configuration Modes Synopsis string one of the following keywords advanced basic Default basic Specifies to use either simple or advanced configuration m...

Страница 393: ...he Traffic Control Configuration form click Enabled in the Enable configuration field 4 Select basic in the Basic or Advanced Configuration Modes field 5 Click Commit 6 Click Exit Transaction 36 2 1 1...

Страница 394: ...to be treated as a single flow internal causes the traffic generated by each unique destination IP address to be treated as a single flow internal interfaces seldom benefit from simple traffic shaping...

Страница 395: ...sed on the matching ToS value in the IP header if nothing else is configured under a band or when IP traffic does not match with the rules specified in a band Speed units bps bytes per second mbps kbp...

Страница 396: ...Medium band includes Normal Service 0x0 mr 0x04 mmc mr 0x06 md Maximize Throughput mt 0x18 mmc mt md 0x1a mr mt md 0x1c mmc mr mt md 0x1e Low band includes mmc 0x02 mt 0x08 mmc mt 0x0a mr mt 0x0c mmc...

Страница 397: ...figure advanced configuration mode follow the procedure below Figure 36 8 Enabling Advanced configuration Mode Procedure 36 2 Configuring Advanced configuration Mode 1 Enter Edit Private mode 2 Click...

Страница 398: ...o qos traffic control advanced configuration tcclasses class Note that each class is associated with exactly one network interface Exactly one class for each interface must be designated as the defaul...

Страница 399: ...bandwidth is a single numerical value max bandwidth Synopsis string The maximum bandwidth this class is allowed to use when the link is idle This can be either a numeric value or a calculated expressi...

Страница 400: ...ol advanced configuration tcclasses class IP Traffic matching with the ToS options take precedence over the mark rules tos minimize delay Synopsis boolean Default false Value mask encoding 0x10 0x10 t...

Страница 401: ...the given ToS value or value mask combination of an IP packet s TOS byte Value and Value Mask are both specified in hexadecimal notation using the 0x prefix It is also possible to specify a diffserv m...

Страница 402: ...ded the packets are dropped in unit Synopsis string one of the following keywords none bps mbps mbit kbps kbit Default none Unit when incoming bandwidth is specified outbandwidth Synopsis unsigned sho...

Страница 403: ...affic classification rule Add a new rule by selecting Add tcrules Remove a tcrule by selecting next to a tcrule and click on an existing tcrule to modify it Reorder rules by clicking next to the rule...

Страница 404: ...ted list of hosts or IPs MAC addr or all When using MACs use as prefix and as separator Ex 00 1a 6b 4a 72 34 00 1a 6b 4a 71 42 destination Synopsis string IF name comma separated list of hosts or IPs...

Страница 405: ...sis string Optional Match the length of a packet against a specific value or range of values Greater than and lesser than as well as ranges are supported in the form of min max Ex Equal to 64 64 Great...

Страница 406: ...ark the connection in the PREROUTING chain This can be used with DNAT SNAT and Masquerading rule in firewall An example of such a rule is Source IP 192 168 2 101 Chain option preroute or default but t...

Страница 407: ...the operation with decimal value modify chain Synopsis string one of the following keywords prerouting postrouting forward Default forward Chain in which the operation will take place Figure 36 19 Sav...

Страница 408: ...g stops This can be used to improve efficiency in combination with the SAVE and RESTORE rules For example consider a TC Rules table organized roughly as follows and in the same order A RESTORE rule is...

Страница 409: ...ection protocol to dynamically assign responsibility for the virtual router to one of the routers in the group This router is called the VRRP Master If the Master or optionally its WAN connection fail...

Страница 410: ...osts at their real IP addresses Two or more VRRP instances can be assigned to be in the same VRRP Group in which case they can fail over together In the following network both host 1 and host 2 use a...

Страница 411: ...nds If a monitored interface goes down a master router will immediately signal an election and allow a backup router to assume mastership The router issues a set of gratuitous ARPs when moving between...

Страница 412: ...Redundancy Protocol VRRP form enable or disable the VRRP service Enable VRRP Service Enables VRRP Service Router ID Synopsis string The router ID for VRRP logs Figure 37 5 VRRP Group Table The VRRP Gr...

Страница 413: ...uter ID Synopsis unsigned byte The Virtual Router ID All routers supplying the same VRIP should have the same VRID Priority Synopsis unsigned byte The priority of VRRP instance For electing MASTER hig...

Страница 414: ...he specified interface stops running Extra Interface to Monitor Synopsis A string The interface name Figure 37 9 VRIP IP Address Table The VRIP IP Address Table shows configured VRIP IP addresses asso...

Страница 415: ...v2 2 User Guide 415 RuggedBackbone RX5000 The time of change to the current state Interface State Synopsis string The VRRP interface state Monitored Interface State Synopsis string Monitors the inter...

Страница 416: ...ts the link status of the main link and sends a regular ping to a designated host or to a dummy address on the router In this way network link failures can be discovered It is essential that the desig...

Страница 417: ...Demand After configuring link failover you can do the following view the link failover status See Section 38 3 5 Viewing Link Failover Status view the link failover log See Section 38 3 6 Viewing the...

Страница 418: ...t the main trunk is up returned to service before stopping the backup trunk The link failover feature can only be configured on a routable interface For the link failover feature to be used on a switc...

Страница 419: ...Setting a Link Failover Ping Target A link failover ping target is an IP address that link failover pings to determine if the main link is down The address can be a dedicated host or a dummy address...

Страница 420: ...e on demand option the On demand field indicates the option s status on the Backup Settings form The On demand feature is not available on switched ports even though the link failover function is avai...

Страница 421: ...d delay before starting the test You can also cancel a test while it is in progress Cancelling the test returns the interfaces to their pre test condition While the test is running monitor the Link Fa...

Страница 422: ...38 Link Failover ROX v2 2 User Guide 422 RuggedBackbone RX5000 Start test delay The amount of waiting time in minutes before running the test...

Страница 423: ...tware RADIUS Server Configuration Appendix B RADIUS Server Configuration Setting Up An Upgrade Server Appendix C Setting Up An Upgrade Server Adding and Replacing Modules Appendix D Adding and Replaci...

Страница 424: ...nfigure the location of the software upgrade repository and the version of software to which to upgrade At the top of the screen click Edit Private to access the Edit Private view The screen in Edit P...

Страница 425: ...ox will appear prompting you to commit your changes Click the OK button Figure A 3 Pending Commit A dialog box will appear informing you that the configuration has been committed Click the OK button F...

Страница 426: ...pgrade The Success and Upgrade Options messages shown below indicate that the upgrade has been launched Figure A 6 Upgrade Launched Dialogs Click the Exit Transaction button at the top of the screen t...

Страница 427: ...one of the above four phases Failed These phases are shown in real time in the Upgrade Phase field on the Upgrade Monitoring Form below Figure A 8 Upgrade Monitoring Form in Reboot pending Stage Once...

Страница 428: ...es Downloading packages Copying filesystem Estimating upgrade size Inactive The current phase or state of the upgrade filesystem copy synopsis integer in the range 0 to 100 Phase 1 of the upgrade invo...

Страница 429: ...RX5000 The date and time of completion of the last upgrade attempt last upgrade result synopsis string one of Interrupted Declined Not Applicable Reboot Pending Unknown Upgrade Failed Upgrade Success...

Страница 430: ...e must have a user ID and password The RADIUS NAS Identifier attribute may optionally be used to restrict which service an account may access login ppp ssh Accounts that do not specify a NAS Identifie...

Страница 431: ...ze of upgrade when the routers upgrade each unit s upgrade is bandwidth limited to 500kbps by default Most web servers can serve files to the limit of the network interface bandwidth so even a modest...

Страница 432: ...d NETCONF see the appropriate user guide for details The second method allows you to configure the target release version explicitly Some administrators may prefer this approach for sake of clarity bu...

Страница 433: ...that after committing this change the module will power down 2 Shut down the RuggedBackbone 3 Insert the new module into the slot and boot the unit 4 After boot up the new line module is auto detected...

Страница 434: ...min enable the SM Please note that changing the module type will result in loosing configurations for the slot Commit your modification In some cases you may encounter alarms reporting Internal Config...

Страница 435: ...ams and that you know you can do these things To protect your rights we need to make restrictions that forbid anyone to deny you these rights or to ask you to surrender the rights These restrictions t...

Страница 436: ...y protection in exchange for a fee E 2 3 Section 2 You may modify your copy or copies of the Program or any portion of it thus forming a work based on the Program and copy and distribute such modifica...

Страница 437: ...eans all the source code for all modules it contains plus any associated interface definition files plus the scripts used to control compilation and installation of the executable However as a special...

Страница 438: ...of that system it is up to the author donor to decide if he or she is willing to distribute software through any other system and a licensee cannot impose that choice This section is intended to make...

Страница 439: ...can redistribute and change under these terms To do so attach the following notices to the program It is safest to attach them to the start of each source file to most effectively convey the exclusio...

Страница 440: ...ll copyright interest in the program Gnomovision which makes passes at compilers written by James Hacker signature of Ty Coon 1 April 1989 Ty Coon President of Vice This General Public License does no...

Отзывы:

Нет отзывов

Похожие инструкции для RUGGEDBACKBONE RX5000

C50FSi - VB Network Camera

Бренд: Canon Страницы: 32

Бренд: Paradyne Страницы: 22

Wireless Mini PCI Module

Бренд: E-Tech Страницы: 42

MultiConnect SE MTS2EA

Бренд: Multitech Страницы: 2

Бренд: Teac Страницы: 20

cMT-FHDX Series

Бренд: Maple Systems Страницы: 2

Бренд: NETGEAR Страницы: 2

Hollywood DV-Bridge

Бренд: Dazzle Страницы: 63

InterReach Fusion SingleStar

Бренд: LGC wireless Страницы: 154

Бренд: Zonet Страницы: 53

Бренд: insys icom Страницы: 4

Бренд: Thecus Страницы: 130

DTS 4020.timebridge

Бренд: Mobatime Страницы: 94

Бренд: Omron Страницы: 4

Бренд: Planet Страницы: 67

Бренд: Generic Страницы: 51

Network Expansion Port 2

Бренд: Navico Страницы: 17

Бренд: Lobaro Страницы: 26

Бренды по названию

0 1 2 3 4 5 6 7 8 9 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Популярные бренды

Загрузить еще бренды