Chapter 19: QoS Configuration Guide

266

DIGITAL GIGAswitch/Router User Reference Manual

Configuring Layer-2 QoS

When applying QoS to a layer-2 flow, priority can be assigned as follows:

- The frame gets assigned a priority within the switch. Select “low, medium, high or control”.

- The frame gets assigned a priority within the switch, AND if the exit ports are trunk ports, the frame is assigned an 802.1Q priority. Select a number from 0 to 7. The mapping of 802.1Q to internal priorities is the following: (0 = low) (1, 2, 3 = medium) (4, 5, 6 = high) (7 = control).

To set a QoS policy on a layer-2 flow, enter the following command in Configure mode:

Traffic Prioritization for Layer-3 & Layer-4 Flows

QoS policies applied at layer-3 and 4 allow you to assign priorities based on specific fields in the IP and IPX headers. You can set QoS policies for IP flows based on source IP address, destination IP address, source TCP/UDP port, destination TCP/UDP port, type of service (TOS) and transport protocol (TCP or UDP). You can set QoS policies for IPX flows based on source network, source node, destination network, destination node, source port and destination port. A QoS policy set on an IP or IPX flow allows you to classify the priority of traffic based on:

- Layer-3 source-destination flows

- Layer-4 source-destination flows

- Layer-4 application flows

Configuring IP QoS Policies

To configure an IP QoS policy, perform the following tasks:

1. Identify the Layer-3 or 4 flow and set the IP QoS policy.

2. Specify the precedence for the fields within an IP flow.

Set a Layer-2 QoS policy.

    qos set l2 name <name> source-mac <MACaddr> dest-mac <MACaddr> vlan <vlanID> in-port-list <port-list> priority control|high|medium|low|<trunk-priority>
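The following is an added example, not part of the manual or of the switch software: a small parser that reads `qos set l2` lines in the syntax shown above and resolves each policy's internal priority using the 802.1Q mapping given in this section, so a configuration can be reviewed for which flows end up in each queue. The sample configuration, its MAC addresses, VLAN IDs and port names are constructed, and treating `name` and `priority` as mandatory is an assumption.

```python
import re

# 802.1Q priority -> internal priority, as stated in this section of the manual.
DOT1Q_TO_INTERNAL = {0: "low", 1: "medium", 2: "medium", 3: "medium",
                     4: "high", 5: "high", 6: "high", 7: "control"}
INTERNAL = ("low", "medium", "high", "control")
# Keywords taken from the command syntax on this page.
KEYWORDS = ("name", "source-mac", "dest-mac", "vlan", "in-port-list", "priority")

# Constructed sample configuration; all values are illustrative only.
SAMPLE_CONFIG = """\
qos set l2 name voice source-mac 00:00:1D:AA:BB:01 dest-mac 00:00:1D:AA:BB:02 vlan 10 in-port-list et.1.1 priority 5
qos set l2 name backup source-mac 00:00:1D:AA:BB:03 dest-mac 00:00:1D:AA:BB:04 vlan 20 in-port-list et.1.2 priority low

qos set l2 name mgmt source-mac 00:00:1D:AA:BB:05 dest-mac 00:00:1D:AA:BB:06 vlan 30 in-port-list et.1.3 priority 7
"""


def parse_qos_l2(line):
    """Parse one 'qos set l2' line into a dict and resolve its priorities."""
    tokens = line.split()
    if tokens[:3] != ["qos", "set", "l2"]:
        raise ValueError("not a 'qos set l2' command")
    rest = tokens[3:]
    if len(rest) % 2:
        raise ValueError("keyword without a value: %r" % rest[-1])
    fields = {}
    for key, value in zip(rest[0::2], rest[1::2]):
        if key not in KEYWORDS:
            raise ValueError("unknown keyword: %r" % key)
        if key in fields:
            raise ValueError("duplicate keyword: %r" % key)
        fields[key] = value  # values are kept as opaque tokens
    # Assumption: a policy must at least carry a name and a priority.
    for required in ("name", "priority"):
        if required not in fields:
            raise ValueError("missing %r" % required)
    prio = fields["priority"]
    if prio in INTERNAL:
        # Keyword form: internal priority only, no 802.1Q value requested.
        fields["internal-priority"] = prio
        fields["dot1q-priority"] = None
    elif re.fullmatch(r"[0-7]", prio):
        # Numeric form: 802.1Q priority, mapped to the internal priority.
        fields["dot1q-priority"] = int(prio)
        fields["internal-priority"] = DOT1Q_TO_INTERNAL[int(prio)]
    else:
        raise ValueError("priority must be control|high|medium|low or 0-7")
    return fields


def policies_by_class(config_text):
    """Group policy names by the internal priority they resolve to."""
    result = {cls: [] for cls in INTERNAL}
    for line in config_text.splitlines():
        if line.split()[:3] != ["qos", "set", "l2"]:
            continue  # skip blank lines and unrelated commands
        policy = parse_qos_l2(line)
        result[policy["internal-priority"]].append(policy["name"])
    return result


if __name__ == "__main__":
    for cls, names in policies_by_class(SAMPLE_CONFIG).items():
        print("%-8s %s" % (cls, ", ".join(names) or "-"))
```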

Summary of Contents for GIGAswitch GSR-16

Page 1: ...ITAL GIGAswitch Router User Reference Manual December 1999 This manual describes how to use the DIGITAL GIGAswitch Router GSR Revision Update Information This is a revised document Part Number 9032684...


Page 153: ...its neighbor However if a packet is received with this attribute it cannot be transmitted to another BGP peer Well known community no export subconfed Well known community no export subconfed is a spe...

Page 154: ...on with two autonomous systems The local preference is not set directly in the CLI but rather is a function of the GateD preference and setpref metric The setpref option allows GateD to set the local...

Page 155: ...ute Figure 13 Sample BGP Configuration Local_Pref Attribute AS 64900 Physical Link Legend Peering Relationship AS 64901 GSR10 Information Flow 10 200 12 1 24 10 200 13 1 24 10 200 14 1 24 10 200 15 1...

Page 156: ...s For example if the import policy sets GateD preferences ranging from 170 to 200 a setpref metric of 170 would make sense You should set the metric high enough to avoid conflicts between BGP routes a...

Page 157: ...10 Router GSR4 has the following CLI configuration Router GSR6 has the following CLI configuration bgp create peer group pg752to751 type external autonomous system 64751 bgp add peer host 10 200 12 1...

Page 158: ...19 199 62 24 port et 1 2 interface create ip xenosite address netmask 212 19 198 1 24 port et 1 7 interface add ip lo0 address netmask 212 19 192 1 30 bgp create peer group webnet type external auton...

Page 159: ...tion the clients peer with the route reflector and exchange routing information with it In turn the route reflector passes on reflects information between clients The IBGP peers of the route reflector...

Page 160: ...r and router GSR11 is the route reflector for the second cluster Router GSR10 has router GSR9 as a client peer and router GSR11 as a non client peer The following line in router GSR10's configuration...

Page 161: ...2 as shown below bgp set peer group rtr11 reflector client Route Table FIB of Router 8 rtr 8 ip show routes Destination Gateway Owner Netif 10 50 0 0 16 directly connected en 127 0 0 0 8 127 0 0 1 Sta...

Page 162: ...two or more may also be configured to be reflectors for the same cluster In this case a cluster ID should be selected to identify all reflectors serving the cluster using the clusterid option Gratuit...

Page 163: ...on autonomous system Source and destination interface Previous hop router Autonomous system path Tag associated with routes Specific destination address The network administrator can specify a prefere...

Page 164: ...to the same destination in a single routing database The active route is chosen by the lowest preference value A default preference is assigned to each source from which the GSR routing process receiv...

Page 165: ...ecified using the optional attributes list only updates carrying all of the specified communities will be matched If the specified optional attributes list has the value none for the well known commun...

Page 166: ...configurable parameter that specifies the default preference associated with routes imported to that protocol If a preference is not explicitly specified with the route filter as well as the import s...

Page 167: ...t tags All other protocols have a tag of zero In some cases a combination of the associated attributes can be specified to identify the routes to be exported Route Filter This component specifies the...

Page 168: ...n exact refines between number number Matching usually requires both an address and a mask although the mask is implied in the shorthand forms listed below These three forms vary in how the mask is sp...

Page 169: ...ctually used for packet forwarding by the originator of the aggregate route but only by the receiver if it wishes Instead of requiring a route peer to know about individual subnets which would increas...

Page 170: ...e explicitly specified using this component The contributing routes are ordered according to the aggregation preference that applies to them If there is more than one contributing route with the same...

Page 171: ...d Key Management An authentication key permits the generation and verification of the authentication field in protocol packets In many situations the same primary and secondary keys are used on severa...

Page 172: ...e exported The values for the to proto parameter can be rip ospf and bgp The network parameter provides a means to define a filter for the routes to be distributed The network parameter defines a filt...

Page 173: ...wing commands in Configure mode Redistributing RIP into RIP The GSR routing process requires RIP redistribution into RIP if a protocol is redistributed into RIP To redistribute RIP into RIP enter the...

Page 174: ...gregate route must first be created using the aggr gen command This command creates a specified aggregate route for routes that match the aggregate To redistribute aggregate routes enter one of the fo...

Page 175: ...1 1 16 port et 1 7 Configure a default route through 170 1 1 7 ip add route default gateway 170 1 1 7 Configure static routes to the 135 3 0 0 subnets reachable through R3 ip add route 135 3 1 0 24 g...

Page 176: ...hese routes except the default route to all RIP interfaces Example 2 Redistribution into OSPF For all examples given in this section refer to the configurations shown in Figure 18 on page 164 The foll...

Page 177: ...necting routers R1 and R2 Create the various IP interfaces interface create ip to r2 address netmask 120 190 1 1 16 port et 1 2 interface create ip to r3 address netmask 130 1 1 1 16 port et 1 3 inter...

Page 178: ...rence to routes learned from a trusted peer Export Policies Advanced export policies can be constructed from one or more of the following building blocks Export Destinations This component specifies t...

Page 179: ...one or more building blocks they are tied together by the ip router policy export command To create route export policies enter the following command in Configure mode The exp dest id is the identifi...

Page 180: ...can be done using one of two methods Creating a route filter and associating an identifier with it A route filter has several network specifications associated with it Every route is checked against...

Page 181: ...an Import Source Import sources specify the routing protocol from which the routes are imported The source may be RIP or OSPF To create an import source enter one of the following commands in Configur...

Page 182: ...f two methods Creating a route filter and associating an identifier with it A route filter has several network specifications associated with it Every route is checked against the set of network speci...

Page 183: ...To create an aggregate source enter the following command in Configure mode Examples of Import Policies Example 1 Importing from RIP The importation of RIP routes may be controlled by any of protocol...

Page 184: ...igure 17 Exporting to RIP Internet R6 R42 R41 R1 R2 R3 R7 135 3 1 1 24 135 3 2 1 24 135 3 3 1 24 140 1 1 4 24 140 1 1 1 24 130 1 1 1 16 130 1 1 3 16 120 190 1 1 16 120 190 1 2 16 202 1 0 0 10 160 1 5...

Page 185: ...address netmask 170 1 1 1 16 port et 1 7 Configure a default route through 170 1 1 7 ip add route default gateway 170 1 1 7 Configure default routes to the 135 3 0 0 subnets reachable through R3 ip ad...

Page 186: ...uter R1 has several RIP peers Router R41 has an interface on the network 10 51 0 0 By default router R41 advertises network 10 51 0 0 16 in its RIP updates Router R1 would like to import all routes ex...

Page 187: ...10 If a tag is specified the import clause will only apply to routes with the specified tag It is only possible to restrict the importation of OSPF ASE routes when functioning as an AS border router L...

Page 188: ...SPF BGP R1 R2 R3 R41 R42 R6 R11 A r e a B a c k b o n e A r e a 140 1 0 0 RIP V2 140 1 1 1 24 140 1 2 1 24 140 1 5 24 140 1 4 24 190 1 1 1 16 120 190 1 1 16 160 1 5 2 24 R10 R5 R7 202 1 2 2 16 140 1 3...

Page 189: ...interface create ip to r41 address netmask 140 1 1 1 24 port et 1 4 interface create ip to r42 address netmask 140 1 2 1 24 port et 1 5 interface create ip to r6 address netmask 140 1 3 1 24 port et...

Page 190: ...ported RIP version 1 assumes that all subnets of the shared network have the same subnet mask so it is only able to propagate subnets of that network RIP version 2 removes that restriction and is capa...

Page 191: ...h 170 1 1 7 ip add route default gateway 170 1 1 7 Configure default routes to the 135 3 0 0 subnets reachable through R3 ip add route 135 3 1 0 24 gateway 130 1 1 3 ip add route 135 3 2 0 24 gateway...

Page 192: ...RIP routes 4 Create a Direct export source since we would like to export direct interface routes 5 Create the export policy redistributing the statically created default route and all RIP Direct rout...

Page 193: ...0 1 1 1 since we intend to change the rip export policy for interface 140 1 1 1 2 Create a Static export source since we would like to export static routes 3 Create a RIP export source since we would...

Page 194: ...rce of the routes contributing to the aggregate Since in this case we do not care about the source of the contributing routes we would specify the protocol as all 3 Create the aggregate summarized rou...

Page 195: ...set ase defaults type 1 2 command This may be overridden by a specification in the ip router policy create ospf export destination command OSPF ASE routes also have the provision to carry a tag This...

Page 196: ...ress netmask 120 190 1 1 16 port et 1 2 interface create ip to r3 address netmask 130 1 1 1 16 port et 1 3 interface create ip to r41 address netmask 140 1 1 1 24 port et 1 4 interface create ip to r4...

Page 197: ...like to redistribute these RIP routes as OSPF type 2 routes and associate the tag 100 with them Router R1 would also like to redistribute its static routes as type 2 OSPF routes The interface routes...

Page 198: ...pfExpDstType2 type 2 metric 4 ip router policy create ospf export destination ospfExpDstType2t100 type 2 tag 100 metric 4 ip router policy export destination ripExpDst source ripExpSrc network all ip...

Page 199: ...o RIP ip router policy export destination ripExpDst source statExpSrc network all ip router policy export destination ripExpDst source ripExpSrc network all ip router policy export destination ripExpD...

Page 201: ...col IGMP Provides an overview of the GSR's implementation of the Distance Vector Multicast Routing Protocol DVMRP Discusses configuring DVMRP routing on the GSR Discusses configuring IGMP on the GSR I...

Page 202: ...run both DVMRP and IGMP You can start and stop DVMRP independently from other multicast routing protocols IGMP starts and stops automatically with DVMRP The GSR supports up to 64 multicast interfaces...

Page 203: ...art the multicast routing protocol i.e. DVMRP Configuring IGMP on an IP Interface By default IGMP is disabled on the GSR To enable IGMP on an interface enter the following command in Configure mode Con...

Page 204: ...he per interface membership control enter the following commands in Configure mode Configuring DVMRP You configure DVMRP routing on the GSR by performing the following DVMRP configuration tasks Creati...

Page 205: ...enter the following command in the Configure mode Configuring DVMRP Parameters In order to support backward compatibility DVMRP neighbor timeout and prune time can be configured on a per interface bas...

Page 206: ...cted to a site TTL 64 Threshold 64 Application restricted to a region TTL 128 Threshold 128 Application restricted to a continent TTL 255 Application not restricted To configure the TTL Threshold ente...

Page 207: ...he GSR's multitasking ASICs DVMRP tunnels need to be created before being enabled Tunnels are recognized by the tunnel name Once a DVMRP tunnel is created you can enable DVMRP on the interface The GSR...

Page 208: ...MRP routing table dvmrp show routes Shows all the interfaces and membership details running IGMP igmp show interface Shows all IGMP group memberships on a port basis igmp show memberships Show all IGM...

Page 209: ...1 interface create ip test address netmask 10 135 89 10 25 port et 1 8 interface create ip rip address netmask 190 1 0 1 port et 1 4 interface create ip mbone address netmask 207 135 122 11 29 port e...

Page 211: ...uting allows network managers to engineer traffic to make the most efficient use of their network resources IP policies forward packets based on layer 3 or layer 4 IP header information You can define...

Page 212: ...l telnet packets going from network 9 1 0 0 16 to network 15 1 0 0 16 You then associate the profile with an IP policy The IP policy specifies what to do with the packets that match the profile For ex...

Page 213: ...command creates an IP policy called p2 that prevents packets matching prof1 from being forwarded using an IP policy Creating Multi statement IP Policies An IP policy can contain more than one ip poli...

Page 214: ...o set the load distribution for next hop gateways enter one of the following commands in Configure mode Setting the IP Policy Action You can specify when to apply the IP policy route with respect to d...

Page 215: ...on Cause packets matching the profile to use the IP policy route first If the next hop gateway is not reachable use the dynamic route instead ip policy name permit acl profile action policy first Rout...

Page 216: ...IP Policy Configuration Examples This section presents some examples of IP policy configurations The following uses of IP policies are demonstrated Routing traffic to different ISPs Prioritizing servi...

Page 217: ...the IP policy configuration for the Policy Router in Figure 19 interface create ip user a address netmask 10 50 1 1 16 port et 1 1 interface create ip user b address netmask 11 50 1 1 16 port et 1 2 a...

Page 218: ...e 20 Using an IP policy to prioritize service to customers Traffic from the premium customer is load balanced across two next hop gateways in the high cost high availability network If neither of thes...

Page 219: ...cannot be reached packets from the contractors group are dropped Packets from users defined in the full timers group do not have to go through the firewall interface create ip premium customer addres...

Page 220: ...on One session should always go to a particular firewall for persistence interface create ip mls0 address netmask 10 50 1 1 16 port et 1 1 acl contractors permit ip 10 50 1 0 24 any any any 0 acl full...

Page 221: ...ave been forwarded to each next hop gateway vlan create firewall vlan add ports et 1 1 5 to firewall interface create ip firewall address netmask 1 1 1 5 16 vlan firewall acl firewall permit ip any an...

Page 222: ...nformation about IP policies that have been applied to all interfaces ip policy show interface all Clear statistics gathered for IP policies ip policy clear all policy name name all gs r ip policy sho...

Page 223: ...ents are listed in the order they are evaluated lowest sequence number to highest 12 The rule to apply to the packets matching the profile either permit or deny 13 The name of the profile ACL of the p...

Page 225: ...in the public global Internet NAT provides the following benefits Limits the number of IP addresses used for private intranets that are required to be registered with the Internet Assigned Numbers Au...

Page 226: ...l PAT allows port address translation for each address in the global pool The ports are dynamically assigned between the range of 1024 to 4999 Hence you have about 4 000 ports per global IP address Dy...

Page 227: ...amic address bindings for a specific address pool or delete all dynamic address bindings To set the timeout for dynamic address bindings enter the following command in Configure mode To flush dynamic...

Page 228: ...ter the following commands in Configure mode Monitoring NAT To display NAT information enter the following command in Enable mode Configuration Examples This section shows examples of NAT configuratio...

Page 229: ...irst packet is coming from outside to inside This could be the case when you have a server in the local network and clients located remotely Dynamic NAT would not work for this case as bindings are al...

Page 230: ...cket is sent from a local network as defined by the NAT dynamic local ACL pool The network administrator does not have to worry about the way in which the bindings are created the network administrato...

Page 231: ...for inside addresses 10 1 1 0 24 to outside address 192 50 20 0 24 The first step is to create the interfaces Next define the interfaces to be NAT inside or outside Then define the NAT dynamic rules b...

Page 232: ...ed when the flow count goes to zero or the timeout has been reached The removal of bindings frees the port for that global and the port is available for reuse When all the ports for that global are us...

Page 233: ...le when you have two ISPs connected on two different interfaces to the Internet Through a routing protocol some routes will result in traffic going out of one interface and for others going out on the...

Page 235: ...the GSR provide ways to improve Web access for external and internal users Load balancing allows incoming HTTP requests to a company's Web site to be distributed across several physical servers If one...

Page 236: ...iguring load balancing on the GSR 1 Create a logical group of load balancing servers and define a virtual IP for the group 2 Specify the policy for distributing workload for this group of load balanci...

Page 237: ...ent request directed to the virtual server address it redirects the request to the actual server address and port Server selection is done according to the specified policy To add servers to the serve...

Page 238: ...addresses to be translated on the GSR It may be undesirable in some cases for a source address to be translated for example when data is to be updated on an individual server Specified hosts can be al...

Page 239: ...cing information enter the following commands in Enable mode Specify the timeout for source destination mappings load balance set mappings age timer timer Show the groups of load balancing servers loa...

Page 240: ...g four separate servers as shown below The network shown above can be created with the following load balance commands Router Internet 10 1 1 1 10 1 1 2 10 1 1 3 10 1 1 4 www goodcompany com Web reque...

Page 241: ...d to the server www quick com ftp quick com User Queries www quick com 10 1 1 2 ftp quick com Domain Name Virtual IP TCP Port Real Server IP TCP Port www quick com 207 135 89 16 80 10 1 1 1 80 ftp qui...

Page 242: ...he load balance add host to vip range command These two commands combined help ISPs take advantage of web servers like Apache which serve different web pages based on the destination address in the ht...

Page 243: ...k as cache servers with the GSR's web caching function Configuring Web Caching The following are the steps in configuring Web caching on the GSR 1 Create the cache group a list of cache servers to cac...

Page 244: ...a specific outbound interface This interface is typically an interface that connects to the Internet Note By default the GSR redirects HTTP requests on port 80 Secure HTTP https requests do not run o...

Page 245: ...P requests from all hosts in the network are redirected as there are no web cache permit or web cache deny commands Other Configurations This section discusses other commands that may be useful in con...

Page 246: ...d by the proxy server To redirect HTTP requests to a non standard HTTP port number enter the following command in Configure mode Distributing Frequently Accessed Sites Across Cache Servers The GSR use...

Page 247: ...Web caching information enter the following commands in Enable mode Show information for all caching policies and all server lists web cache show all Show caching policy information web cache show ca...

Page 249: ...and SAP perform these Network Layer Task These tasks include addressing routing and switching information packets from one location to another on the internetwork IPX defines internetwork and intrano...

Page 250: ...ternetwork configuration Routers perform broadcasting whenever they detect a change in the internetwork configurations GSR's RIP implementation follows the guidelines given in Novell's IPX RIP and SAP...

Page 251: ...ill keep multiple SAPs having the lowest hop count Static SAPs can be configured on the GSR using the CLI's ipx add sap command Through the use of SAP filters the GSR can control the acceptance and ad...

Page 252: ...nfiguring IPX Interfaces for a VLAN You can configure one IPX interface per VLAN To configure a VLAN with an IPX interface enter the following command in Configure mode Specifying IPX Encapsulation Me...

Page 253: ...services Configuring Static Routes In a Novell NetWare network the GSR uses RIP to determine the best paths for routing IPX However you can add static RIP routes to RIP routing table to explicitly spe...

Page 254: ...ricts advertisements or learning of SAP services These lists are used for SAP filters They can also be used for Get Nearest Server GNS replies RIP access control list Restricts advertisements or learn...

Page 255: ...NS Access Control List IPX GNS access control lists control which SAP services the GSR can reply with to a get nearest server GNS request To create an IPX GNS access control list enter the following c...

Page 256: ...ts IPX interface information and RIP or SAP routing information To display IPX information enter the following command in Enable mode Create an IPX RIP access control list acl name permit deny ipxrip...

Page 257: ...x2 address BBBBBBBB port et 1 2 output mac encapsulation ethernet_802 3 Add static route to network 9 ipx add route 9 BBBBBBBB 01 02 03 04 05 06 1 1 Add static sap ipx add sap 0004 FILESERVER1 9 03 04...

Page 259: ...oing through the router This chapter contains the following sections ACL Basics on page 236 explains how ACLs are defined and how the GSR evaluates them Creating and Modifying ACLs on page 240 describ...

Page 260: ...owing ACL has a rule that permits all IP packets from subnet 10 2 0 0 16 to go through the GSR Defining Selection Criteria in ACL Rules Selection criteria in the rule describe characteristics about a...

Page 261: ...specified it is treated as a wildcard or don't care condition However if a field is specified that particular field will be matched against the packet Each protocol can have a number of different fiel...

Page 262: ...u were to reverse the order of the two rules all TCP packets would be allowed to go through including traffic from subnet 10 2 0 0 16 This is because TCP traffic coming from 10 2 0 0 16 would match th...

Page 263: ...d to go through The first rule is simply a subset of the second rule To allow packets from subnets other than 10 1 20 0 24 to go through you would have to explicitly define a rule to permit other pack...

Page 264: ...to accept outside TCP responses into the internal network provided that the TCP connection was initiated internally Otherwise it will be rejected To do this enter the following command in Configure M...

Page 265: ...caused by the addition of new ACL rules to existing rules Basically the no acl command cleans up the system for the new ACL rules Once the negation command is executed the second and the third comman...

Page 266: ...from the interface before making changes and reapply it after changes are made The process is automatic Using ACLs It is important to understand that an ACL is simply a definition of packet characteri...

Page 267: ...herwise the GSR will have to process the packet determine where the packet should go only to find out that the packet should be dropped at the outbound interface In some cases however it may not be si...

Page 268: ...as Profile ACLs ACLs for non IP protocols cannot be used as Profile ACLs The permit deny keywords while required in the ACL rule definition are disregarded in the configuration commands for the above...

Page 269: ...0 24 to destination network 15 1 1 0 24 to be forwarded to destination address 10 10 10 10 You use a Profile ACL to define the selection criteria in this case telnet packets travelling from source ne...

Page 270: ...selection criteria that is traffic from 1 2 2 2 to be restricted to 10 Mbps for each flow If this rate limit is exceeded the packets are dropped When the rate limit definition is applied to an interfa...

Page 271: ...probe can be attached In addition to mirroring traffic on one or more ports the GSR can mirror traffic that matches selection criteria defined in a Profile ACL For example you can mirror all IGMP traf...

Page 272: ...t and never to the cache servers The following commands illustrate this example This command creates a Profile ACL called prof4 that uses as its selection criteria all packets with a source address of...

Page 273: ...Logging is turned on the router prints out a message on the console about whether a packet is forwarded or dropped If you have a Syslog server configured for the GSR the same information will also be...

Page 274: ...n the system To display ACL information enter the following commands in Enable mode Show all ACLs acl show all Show a specific ACL acl show aclname name all Show an ACL on a specific interface acl sho...

Page 275: ...he GSR enables Layer 2 security filters Perform filtering on source or destination MAC addresses Layer 3 Access Control Lists Perform filtering on source or destination IP address source or destinatio...

Page 276: ...rity enter the following commands in Configure mode Specify a RADIUS server radius set server hostname or IP addr Set the RADIUS time to wait for a RADIUS server reply radius set timeout number Determ...

Page 277: ...vide authentication You can configure up to five TACACS server targets on the GSR A timeout is set to tell the GSR how long to wait for a response from TACACS servers To configure TACACS security ente...

Page 278: ...eply tacacs plus set timeout number Determine the GSR action if no server responds tacacs plus set last resort password succeed Enable TACACS Plus tacacs plus enable Cause TACACS Plus authentication a...

Page 279: ...n specify the following security filters Address filters These filters block traffic based on the frame's source MAC address destination MAC address or both source and destination MAC addresses in flo...

Page 280: ...n MAC address A flow which filters out any frame coming from a specific source MAC address that is also destined to a specific destination MAC address To configure Layer 2 address filters enter the fo...

Page 281: ...estined to specific destination MAC address will be allowed disallowed or forced to go to a set of ports To configure Layer 2 static entry filters enter the following commands in Configure mode Config...

Page 282: ...ined to specific destination MAC address to go through To configure Layer 2 secure port filters enter the following commands in Configure mode Monitoring Layer 2 Security Filters The GSR provides disp...

Page 283: ...is restricted access to one of the finance file servers Note that port et 1 1 should be operating in flow bridging mode for this filter to work Static Entries Example Source static entry The consultan...

Page 284: ...all other ports enter the following command To allow ONLY the engineering manager access to the engineering servers you must punch a hole through the secure port wall A source static entry overrides...

Page 285: ...ct Layer 3 traffic going through the GSR Each ACL consists of one or more rules describing a particular type of IP or IPX traffic An ACL can be simple consisting of only one rule or complicated with m...

Page 287: ...different priority queues from non critical network traffic Once a packet has been identified it can be assigned into any one of four priorities in order to ensure delivery Priority can be allocated...

Page 288: ...source port UDP TCP destination port TOS Type of Service transport protocol TCP or UDP and a list of incoming interfaces The IPX fields are source network source node destination network destination...

Page 289: ...idging mode Any source MAC address to a specific destination MAC address Before applying a QoS policy to a layer 2 flow you must first determine whether a port is in address bridging mode or flow brid...

Page 290: ...ased on specific fields in the IP and IPX headers You can set QoS policies for IP flows based on source IP address destination IP address source TCP UDP port destination TCP UDP port type of service T...

Page 291: ...the Layer 3 or 4 flow and set the IPX QoS policy 2 Specify the precedence for the fields within an IPX flow Setting an IPX QoS Policy To set a QoS policy on an IPX traffic flow enter the following com...

Page 292: ...mmand in Configure mode ToS Rewrite In the Internet IP packets that use different paths are subject to delays as there is little inherent knowledge of how to optimize the paths for different packets f...

Page 293: ...you can access the value in the ToS octet which includes both the Precedence and ToS fields in each packet The upper layer application can then decide how to handle the packet based on either the Pre...

Page 294: ...only the upper three bits of the ToS byte are changed If you set tos precedence rewrite to any and specify a value for tos rewrite then the upper three bits remain unchanged and the lower five bits a...

Page 295: ...s the ToS rewrite for the example Monitoring QoS The GSR provides display of QoS statistics and configurations contained in the GSR To display QoS information enter the following commands in Enable mo...

Page 296: ...nd traffic rate limitations A single rate limiting profile can have multiple ACLs to define different traffic profiles and traffic rate limitations When there are multiple traffic profiles a sequence...

Page 297: ...1 vlan add ports et 1 2 to client2 vlan add ports et 1 8 to backbone interface create ip ipclient1 vlan client1 address netmask 1 1 1 1 8 interface create ip ipclient2 vlan client2 address netmask 3 3...

Page 299: ...nd in the CLI Layer 3 and 4 performance statistics are accessible to SNMP through RMON RMON2 and can be displayed by using the statistics show command in the CLI In addition to the monitoring commands...

Page 300: ...w IP interface s statistics statistics show ip Show unicast routing statistics statistics show ip routing Show IPX statistics statistics show ipx Show IPX interface s statistics statistics show ipx in...

Page 301: ...ort by port basis You can only configure port mirroring for the entire WAN card Only IP ACLs can be specified for port mirroring Monitoring Broadcast Traffic The GSR allows you to monitor broadcast tr...

Page 303: ...e management station's processing load are reduced. The GSR provides support for both RMON 1 and RMON 2 MIBs, as specified in RFCs 1757 and 2021, respectively. While non-RMON SNMP products allow the monit...

Page 304: ...mmand to enable RMON on the GSR Example of RMON Configuration Commands The following are examples of the commands to configure and enable RMON on the GSR gs r config show Running system configuration...

Page 305: ...To specify the support level for RMON groups use the following CLI command line in Configure mode To specify the ports on which RMON is to be enabled use the following CLI command line in Configure mo...

Page 306: ...Table 6 Lite RMON Groups Group Function EtherStats Records Ethernet statistics for example packets dropped packets sent etc for specified ports Event Controls event generation and the resulting action...

Page 307: ...trol tables for the data you wish to collect Even if you use the default control tables you can always use the rmon commands to modify control table entries Table 8 Professional RMON Groups Group Func...

Page 308: ...han the default control tables must be configured with CLI commands as described in Configuring RMON Groups Using RMON RMON on the GSR allows you to analyze network traffic patterns set up alarms to d...

Page 309: ...only need to turn on the default tables when you specify the RMON groups Lite Standard or Professional you do not need to configure entries in the default tables gs r rmon show protocol distribution e...

Page 310: ...l action lock wrap slice size number download slice size number download offset number max octets number owner string status enable disable To configure the Filter group you must configure both the Ch...

Page 311: ...s enable disable To configure the Host group rmon host index index number port port owner string status enable disable To configure the Host Top N entries rmon host top n index index number host index...

Page 312: ...iguration with the following attributes Index number 20 to identify this entry in the Alarm control table The OID 1 3 6 1 2 1 31 1 5 0 identifies the attribute to be monitored Samples taken at 300 sec...

Page 313: ...all ports To show all channels rmon show channels To show all filters rmon show filters To show all packet captures and logs rmon show packet capture To display the RMON 2 Protocol Directory rmon show...

Page 314: ...CLI filter can only be applied to a current Telnet or Console session The following shows Host table output without a CLI filter To show all user history logs rmon show user history To show probe con...

Page 315: ...ers To see and use RMON CLI filters use the following CLI command in User or Enable mode gs r rmon apply cli filter 4 gs r rmon show hosts et 5 4 RMON I Host Table Filter inpkts 500 Address Port InPkt...

Page 316: ...e standard professional command 3 Make sure that RMON is enabled on the port for which you want statistics Use the rmon set ports command to specify the port on which RMON will be enabled 4 Make sure...

Page 317: ...n out of memory Allocating Memory to RMON RMON allocates memory depending on the number of ports enabled for RMON the RMON groups that have been configured and whether or not default tables have been...

Page 318: ...mmand in User or Enable mode gs r rmon show status RMON Status RMON is ENABLED RMON initialization successful RMON Group Status Group Status Default Lite On Yes Std On Yes Pro On Yes RMON is enabled o...

Page 319: ...face using two basic protocols Frame Relay and point to point protocol PPP Both protocols have their own set of configuration and monitoring CLI commands described in the DIGITAL GIGAswitch Router Com...

Page 320: ...LAN interfaces, WAN interfaces can have primary and secondary IP addresses. For Frame Relay, you can configure primary and secondary addresses which are static or dynamic. For PPP, however, the primary addr...

Page 321: ...dress The following command lines display two examples for Frame Relay The following command line displays two examples for PPP Dynamic Addresses If the peer IP IPX address is unknown you do not need...

Page 322: ...me Relay VCs and for PPP ports; however, both ends of a link must be configured to use packet compression. Enabling compression on WAN serial links should be decided on a case-by-case basis. Important fac...

Page 323: ...h compression enabled If this is the situation on your network you should not enable compression histories this applies only to PPP compressions in Frame Relay compression histories are always used Co...

Page 324: ...there is a limited, albeit huge, supply. Therefore, making the most effective use of existing bandwidth is now a more critical issue than ever before. The fact that IP communications to the desktop are cle...

Page 325: ...by specifying source and destination IP addresses with appropriate subnet masks you can achieve your intended level of control Weighted Fair Queueing Through the use of Weighted Fair Queueing QoS poli...

Page 326: ...sive return to the negotiated information transfer rate upon congestion abatement The CLI command related to adaptive shaping allows you to set threshold values for triggering the adaptive shaping fun...

Page 327: ...administrators can use PVCs in an internal network to set aside bandwidth for critical connections such as videoconferencing with other corporate departments Configuring Frame Relay Interfaces for th...

Page 328: ...r when handling Frame Relay traffic The following command line displays all of the possible attributes used to define a Frame Relay service profile Applying a Service Profile to an Active Frame Relay...

Page 329: ...pecification To define the location and identity of a serial frame relay WAN port located at slot 5 port 1 with a speed rating of 45 million bits per second To define the location and identity of a Hi...

Page 330: ...IR of 20 million bits per second Leave high low and medium priority queue depths set to factory defaults Random Early Discard RED disabled RMON enabled The command line necessary to set up a service p...

Page 331: ...otocols have been configured both the host and remote peer can send packets to one another using any and all of the configured network layer protocols The link will remain active until explicit LCP or...

Page 332: ...ing command line displays a simplified example of a PPP WAN port definition If the port is an HSSI port that will be connected to a HSSI port on another router you can specify clock clock source in th...

Page 333: ...tive PPP ports on the GSR The following command line displays a simplified example of this process Define a PPP service profile ppp define service service name bridging enable disable ip enable disabl...

Page 334: ...will be compressed after the MLP processing. In general, choose bundle compression over link compression whenever possible. Compressing packets before they are split by MLP is much more efficient for bo...

Page 335: ...he steps necessary for a typical PPP WAN interface specification To define the location and identity of a High Speed Serial Interface HSSI PPP WAN port located at router slot 5 port 1 with a speed rat...

Page 336: ...ximum allowable number of unanswered improperly answered connection termination requests before declaring the link to a peer lost set to 4 Random Early Discard disabled The number of seconds between s...

Page 337: ...e Multi Router WAN Configuration next port set hs 5 1 wan encapsulation frame relay speed 45000000 port set hs 5 2 wan encapsulation ppp speed 45000000 interface create ip fr1 address netmask 10 1 1 1...

Page 338: ...P packets Video Server Win NT SmartBits IP packets 50 50 50 5 50 50 50 15 et 1 1 100 100 100 5 100 100 100 4 100 100 100 4 100 100 100 3 se 4 1 se 6 3 se 6 1 se 2 1 hs 4 2 hs 4 1 hs 7 2 hs 3 1 et 1 1...

Page 339: ...frame relay create vc port hs 7 1 106 frame relay create vc port hs 3 1 103 frame relay define service CIRforR1toR6 cir 45000000 bc 450000 frame relay apply service CIRforR1toR6 ports hs 7 1 106 vlan...

Page 340: ...30 130 130 2 16 peer address 130 130 130 3 port hs 7 2 interface create ip SBitsLAN address netmask 20 20 20 2 16 port et 1 1 vlan add ports hs 7 1 to s2 interface create ip s2 address netmask 120 120...

Page 341: ...te vc port se 2 1 304 frame relay create vc port hs 4 1 103 vlan create s1 id 200 interface create ip SBitsLAN address netmask 30 30 30 3 16 port et 1 1 vlan add ports hs 4 1 103 se 2 1 304 to s1 inte...

Page 342: ...to s1 interface create ip s1 address netmask 100 100 100 4 16 vlan s1 rip add interface all rip set interface all version 2 rip set interface all xmt actual enable rip set broadcast state always rip...

Page 343: ...R6 ports hs 3 1 106 vlan create BridgeforR1toR6 port based id 106 interface create ip FRforR1toR6 address netmask 100 100 100 6 16 vlan BridgeforR1toR6 interface create ip lan1 address netmask 60 60 6...

Page 346: ...9032684 03 Printed in U S A...
