Summary of IA1100

  • Page 1

    Internet Appliance User Reference Manual 9033371.

  • Page 2

    Changes: Cabletron Systems, Inc., reserves the right to make changes in specifications and other information contained in this document without prior notice. The reader should in all cases consult Cabletron Systems, Inc., to determine whether any such changes have been made. The hardware, firmware, o...

  • Page 3

    Regulatory compliance information: this product complies with the following. Safety: UL 1950; CSA C22.2, No. 950; 73/23/EEC; EN 60950; IEC 950. Electromagnetic: FCC Part 15; CSA C108.8; 89/336/EEC; EN 55022; EN 61000-3-2 comp...

  • Page 4

    Regulatory compliance statements. Notice: the Industry Canada label identifies certified equipment. This certification means that the equipment meets telecommunications network protective, operational, and safety requirements as prescribed in the appropriat...

  • Page 5

    Safety information: Class 1 laser transceivers. This product may use Class 1 laser transceivers. Read the following safety information before installing or operating this product. The Class 1 laser transceivers ...

  • Page 6: Cabletron Systems, Inc.

    Cabletron Systems, Inc. Program License Agreement. Important: this license applies for use of product in the following geographical regions: Canada, Mexico, Central America, South America. Before opening or util...

  • Page 7

    Cabletron Systems, Inc. Program License Agreement (continued): ...sections 1 or 2 of this agreement, you agree not to (i) reexport or release the Program, the source code for the Program or technology to a national of a country in Country Groups D:1 or E:2 (Albania, Arme...

  • Page 8: Program License Agreement

    Cabletron Systems Sales and Service, Inc. Program License Agreement. Important: this license applies for use of product in the United States of America and by United States of America gov...

  • Page 9

    Cabletron Systems Sales and Service, Inc. Program License Agreement (continued): ...Republic of China, Romania, Russia, Rwanda, Tajikistan, Turkmenistan, Ukraine, Uzbekistan, Vietnam, or such other countries as may be designated by the United States government), (ii) expo...

  • Page 10: Cabletron Systems Limited

    Cabletron Systems Limited Program License Agreement. Important: this license applies for the use of the product in the following geographical regions: Europe, Middle East, Africa, Asia, Australia, Pacific Rim. Be...

  • Page 11

    Cabletron Systems Limited Program License Agreement (continued): if the Program is exported from the United States pursuant to the License Exception TSR under the U.S. Export Administration Regulations, in addition to the restriction on transfer set forth in sections 1...

  • Page 12: Declaration Of Conformity

    Declaration of Conformity Addendum. Application of Council Directive(s): 89/336/EEC, 73/23/EEC. Manufacturer’s name: Cabletron Systems, Inc. Manufacturer’s address: 35 Industrial Way, PO Box 5005, Rochester, NH 03867. European re...

  • Page 13: Contents

    Contents: Preface (xxiii); About this manual (xx ii...

  • Page 14

    Contents (continued): Configuring IA bridging functions (40); Configuring address-based or flow-based bridging (40); Configuring spanning tree ...

  • Page 15

    Contents (continued): Chapter 5: VRRP Configuration Guide (63); VRRP overview (63); Configuring VRRP ...

  • Page 16

    Contents (continued): Chapter 8: BGP Configuration Guide (97); BGP overview (97); The Internet Appl...

  • Page 17

    Contents (continued): Configuring simple routing policies (142); Redistributing static routes (142); Redis...

  • Page 18

    Contents (continued): Chapter 10: IP Policy-Based Forwarding Configuration Guide (171); Overview (171); Configuring IP policies ...

  • Page 19

    Contents (continued): Setting server status (200); Load balancing and FTP (20...

  • Page 20

    Contents (continued): Chapter 14: Security Configuration Guide (227); Security overview (227); Configuring IA access secu...

  • Page 21

    Contents (continued): Configuring RMON groups (254); Configuration examples (256); Dis...

  • Page 23: Preface

    Preface. About this manual: this manual provides detailed information and procedures for configuring the software for the Cabletron™ Internet Appliance (IA). If you have not yet installed the IA, follow the instructions in the Internet Appliance 1100/120...

  • Page 25: Chapter 1

    Chapter 1: Introduction. This chapter provides information that you need to know before configuring the Internet Appliance (IA) software. If you have not yet installed the IA, follow the instructions in the Internet Appliance 1100/1200 Getting Started Guide ...

  • Page 26

    Using the command line interface: the CLI allows you to enter and execute commands from the IA console or from Telnet sessions. Up to four simultaneous Telnet sessions are allowed. CLI commands are grouped by subsystems. For example,...

  • Page 27

    Enable mode: Enable mode provides more facilities than User mode. You can display critical features within Enable mode, including router configuration, access control lists, and SNMP statistics. To enter Enable mode from the User mode...

  • Page 28

    Getting help with CLI commands: interactive help is available from the CLI by entering the question mark (?) character at any time. The help is context-sensitive; the help provided is based on where in the command you are. For exampl...

  • Page 29

    If you are entering several commands for the same subsystem, you can enter the subsystem name from the CLI. Then, execute individual commands for the subsystem without typing the subsystem name each time. For example, if you are con...

  • Page 30

    Ctrl-K: kill line from cursor to end of line; Ctrl-L: refresh current line; Ctrl-M: carriage return (executes command); Ctrl-N: next command from history buffer; Ctrl-O: none; Ctrl-P: previous command from history buffer; Ctrl-Q: none; Ctrl-R: ref...

  • Page 31

    Displaying and changing configuration information: the IA provides many commands for displaying and changing configuration information. For example, the CLI allows for the disabling of a command in the active configuration. Use the n...

  • Page 32

    The following figure illustrates the configuration files and the commands you can use to save your configuration. Figure 1. Commands to save configurations: save scratchpad to the active configuration; save active; save the active con...

  • Page 33

    Identifying ports on the IA-1100 and IA-1200: the term port refers to a physical connector installed in the IA-1100 and IA-1200. Each port in the IA is referred to by the type of connector (Ethernet or Gigabit Ethernet) and its locat...

  • Page 35: Chapter 2

    Chapter 2: Bridging Configuration Guide. Bridging overview: the Internet Appliance (IA) provides the following bridging functions: compliance with the IEEE 802.1D standard; wire-speed address-based bridging or flow-based bridging; ability to logically seg...

  • Page 36: VLAN Overview

    Bridging modes (flow-based and address-based): the IA provides the following types of wire-speed bridging. Address-based bridging: the IA performs this type of bridging by looking up the destination address in a laye...

  • Page 37

    The type of VLAN depends upon one criterion: how a received frame is classified as belonging to a particular VLAN. VLANs can be categorized into the following types: port-based; MAC address-based; protocol-based ...

  • Page 38: IA VLAN Support

    Subnet-based VLANs: subnet-based VLANs are a subset of protocol-based VLANs and determine the VLAN of a frame based on the subnet to which the frame belongs. To do this, the switch must look into the network layer hea...

  • Page 39

    The IA can also be used purely as a router; that is, each physical port of the IA is a separate routing interface. Packets received at any interface are routed and not bridged. In this case, no VLAN configuration is ...

  • Page 40

    ...are classified as belonging to a particular VLAN based on the protocol of the frame and the VLAN configured on the receiving port for that protocol. For example, if port 1 belongs to VLAN ip_vlan for IP and VLAN othe...

  • Page 41

    For example, the following illustration shows an IA with traffic being sent from port A to port B, port B to port A, port B to port C, and port A to port C. The corresponding bridge tables for address-based and flow-...

  • Page 42

    Configuring spanning tree: the IA supports per-VLAN spanning tree. By default, all the VLANs defined belong to the default spanning tree. You can create a separate instance of spanning tree using the following command...

  • Page 43

    Setting the bridge priority: you can globally configure the priority of an individual bridge when two bridges tie for position as the root bridge, or you can configure the likelihood that a bridge will be selected as ...

  • Page 44

    Adjusting bridge protocol data unit (BPDU) intervals: you can adjust BPDU intervals as described in the next three sections: “Adjusting the interval between hello times”; “Defining the forward delay interval”; “De...

  • Page 45

    Defining the maximum age: if a bridge does not hear BPDUs from the root bridge within a specified interval, it assumes that the network has changed and recomputes the spanning-tree topology. To change the default inte...

  • Page 46: Monitoring Bridging

    Configuring VLAN trunk ports: the IA supports standards-based VLAN trunking between multiple IAs as defined by IEEE 802.1Q. 802.1Q adds a header to a standard Ethernet frame that includes a unique VLAN ID per trunk be...

  • Page 47: Configuration Examples

    Configuration examples: VLANs are used to associate physical ports on the IA with connected hosts that may be physically separated but need to participate in the same broadcast domain. To associate ports to a VLAN, yo...

  • Page 49: Chapter 3

    Chapter 3: SmartTRUNK Configuration Guide. Overview: this chapter explains how to configure and monitor SmartTRUNKs on the Internet Appliance (IA). A SmartTRUNK is Cabletron’s technology for load balancing and load sharing. For a description of the SmartTRUNK...

  • Page 50: Configuring SmartTRUNKs

    Configuring SmartTRUNKs. To create a SmartTRUNK: 1. Create a SmartTRUNK, and specify a control protocol for it. 2. Add physical ports to the SmartTRUNK. 3. Specify the policy for distributing traffic across SmartTRUN...

  • Page 51

    Add physical ports to the SmartTRUNK: you can add any number of ports to a SmartTRUNK. The limit is the number of ports on the IA. Any port on any module can be part of a SmartTRUNK. If one module fails, the remaini...

  • Page 52: Monitoring SmartTRUNKs

    Monitoring SmartTRUNKs: statistics are gathered for data flowing through a SmartTRUNK and each port in the SmartTRUNK. To display SmartTRUNK statistics, enter one of the following commands in Enable mode. To clear s...

  • Page 53: Example Configurations

    Example configurations: the following illustration shows a network design based on SmartTRUNKs. R1 is an IA operating as a router, while S1 and S2 are IAs operating as switches. The following is the configuration fo...

  • Page 54

    The following is the SmartTRUNK configuration for the IA labeled R1 in the diagram. The following is the SmartTRUNK configuration for the IA labeled S1 in the diagram. The following is the SmartTRUNK configuration ...

  • Page 55: Chapter 4

    Chapter 4: IP Routing Configuration Guide. This chapter describes how to configure IP interfaces and general non-protocol-specific routing parameters. IP routing overview: Internet Protocol (IP) is a packet-based protocol used to exchange data over computer n...

  • Page 56

    TCP and UDP also specify ports that identify the application that is using TCP/UDP. For example, a web server would typically use TCP/UDP port 80, which specifies HTTP-type traffic. The IA supports standards-based ...

  • Page 57

    Configuring IP interfaces for a VLAN: you can configure one IP interface per VLAN. Once an IP interface has been assigned to a VLAN, you can add secondary IP addresses to the VLAN. To configure a VLAN with an IP i...

  • Page 58

    Configuring ARP cache entries: you can add and delete entries in the ARP cache. To add or delete static ARP entries, enter one of the following commands in Configure mode. Configuring proxy ARP: the IA can be configu...

  • Page 59

    Configuring IP services (ICMP): the IA provides ICMP message capabilities, including ping and traceroute. Ping allows you to determine the reachability of a certain IP host. Traceroute allows you to trace the IP gat...

  • Page 60

    Configuring direct broadcast: you can configure the IA to forward all directed broadcast traffic from the local subnet to a specified IP address or all associated IP addresses. This is a more efficient method than d...

  • Page 61: Configuration Examples

    Monitoring IP parameters: the IA provides display of IP statistics and configurations contained in the routing table. Information displayed provides routing and performance information. To display IP information, en...

  • Page 63: Chapter 5

    Chapter 5: VRRP Configuration Guide. VRRP overview: this chapter explains how to set up and monitor the Virtual Router Redundancy Protocol (VRRP) on the Internet Appliance (IA). VRRP is defined in RFC 2338. End-host systems on a LAN are often configured to se...

  • Page 64: Configuring VRRP

    Configuring VRRP: this section presents three sample VRRP configurations: a basic VRRP configuration with one virtual router; a symmetrical VRRP configuration with two virtual routers; a multi-backup VRRP configuratio...

  • Page 65

    Configuration of router R1: the following is the configuration file for router R1 in Figure 4. Line 1 adds IP address 10.0.0.1/16 to interface test, making router R1 the owner of this IP address. Line 2 creates virtual r...

  • Page 66

    This configuration allows you to load-balance traffic coming from the hosts on the 10.0.0.0/16 subnet and provides a redundant path to either virtual router. Note: this is the recommended configuration on a network using...

  • Page 67

    Configuration of router R1: the following is the configuration file for router R1 in Figure 5. Router R1 is the owner of IP address 10.0.0.1/16. Line 4 associates this IP address with virtual router vrid=1, so router R1...

  • Page 68

    Multi-backup configuration: Figure 6 shows a VRRP configuration with three routers and three virtual routers. Each router serves as a master for one virtual router and as a backup for each of the others. When a master rou...

  • Page 69

    Configuration of router R1: the following is the configuration file for router R1 in Figure 6. Router R1’s IP address on interface test is 10.0.0.1. There are three virtual routers on this interface: vrid=1, IP addres...

  • Page 70

    The following table shows the priorities for each virtual router configured on router R1. Configuration of router R2: the following is the configuration file for router R2 in Figure 6. Line 8 sets the backup priority for...

  • Page 71

    The following table shows the priorities for each virtual router configured on router R2. Note: since 100 is the default priority, line 9, which sets the priority to 100, is actually unnecessary. It is included for illus...

  • Page 72

    The following table shows the priorities for each virtual router configured on router R3. Note: since 100 is the default priority, lines 8 and 9, which set the priority to 100, are actually unnecessary. They are included...

  • Page 73

    Setting pre-empt mode: when a master router goes down, the backup with the highest priority takes over the IP addresses associated with the master. By default, when the original master comes back up, it takes over from th...

  • Page 74: Monitoring VRRP

    Monitoring VRRP: the IA provides two commands for monitoring a VRRP configuration: ip-redundancy trace, which displays messages when VRRP events occur, and ip-redundancy show, which reports statistics about virtual rout...

  • Page 75: VRRP Configuration Notes

    VRRP configuration notes: the master router sends keep-alive advertisements. The frequency of these keep-alive advertisements is determined by setting the advertisement interval parameter. The default value is 1 second....

  • Page 76

    As specified in RFC 2338, a backup router that has transitioned to master will not respond to pings, accept Telnet sessions, or field SNMP requests directed at the virtual router's IP address. Not responding allows net...

  • Page 77: Chapter 6

    Chapter 6: RIP Configuration Guide. RIP overview: this chapter describes how to configure the Routing Information Protocol (RIP) on the Internet Appliance (IA). RIP is a distance-vector routing protocol for use in small networks. RIP is described in RFC 1723....

  • Page 78: Configuring RIP

    Configuring RIP: by default, RIP is disabled on the IA and on each of the attached interfaces. To configure RIP on the IA, follow these steps: 1. Start the RIP process by entering the rip start command. 2. Use the rip add ...

  • Page 79

    Configuring RIP parameters: no further configuration is required, and the system default parameters will be used by RIP to exchange routing information. These default parameters may be modified to suit your needs by using ...

  • Page 80

    Configuring RIP route preference: you can set the preference of routes learned from RIP. To configure RIP route preference, enter the following command in Configure mode. Configuring RIP route default-metric: you can define...

  • Page 81: Monitoring RIP

    Monitoring RIP: the rip trace command can be used to trace all RIP request and response packets. To monitor RIP information, enter the following commands in Enable mode. Show all RIP information: rip show all. Show RIP expo...

  • Page 82: Configuration Example

    Configuration example: ! Example configuration ! ! Create interface ia1-if1 with IP address 1.1.1.1/16 on port et.1.1 on IA-1 interface create ip ia1-if1 address-netmask 1.1.1.1/16 port et.1.1 ! ! Configure RIP on IA-1...

  • Page 83: Chapter 7

    Chapter 7: OSPF Configuration Guide. OSPF overview: Open Shortest Path First (OSPF) is a link-state routing protocol that supports IP subnetting and authentication. The Internet Appliance (IA) supports OSPF version 2.0 as defined in RFC 1583. Each link-state ...

  • Page 84: Configuring OSPF

    OSPF multipath: the IA also supports OSPF and static multi-path. If multiple equal-cost OSPF or static routes have been defined for any destination, then the IA discovers and uses all of them. The IA will automatically le...

  • Page 85

    Configuring OSPF interface parameters: you can configure the OSPF interface parameters shown in Table 1. To configure OSPF interface parameters, enter one of the following commands in Configure mode. Table 1. OSPF interf...

  • Page 86

    Configuring an OSPF area: OSPF areas are a collection of subnets that are grouped in a logical fashion. These areas communicate with other areas via the backbone area. Once OSPF areas are created, you can add interfaces, ...

  • Page 87

    To create areas and assign interfaces, enter the following commands in Configure mode. Configuring OSPF area parameters: the IA allows configuration of various OSPF area parameters, including stub areas, stub cost, an...

  • Page 88

    Creating virtual links: in OSPF, virtual links can be established to connect an area via a transit area to the backbone, or to create a redundant backbone connection via another area. Each area border router must be confi...

  • Page 89: Monitoring OSPF

    Configuring OSPF over non-broadcast multiple access: you can configure OSPF over NBMA circuits to limit the number of link state advertisements (LSAs). LSAs are limited to initial advertisements and any subsequent changes...

  • Page 90: OSPF Configuration Examples

    OSPF configuration examples: for all examples in this section, refer to the configuration shown in Figure 7 on page 95. The following configuration commands for router R1: determine the IP address for each interface; ...

  • Page 91

    ...determine its OSPF configuration. Exporting all interface and static routes to OSPF: router R1 has several static routes. We would export these static routes as type-2 OSPF routes. The interface routes would be redistrib...

  • Page 92

    3. Create a static export source, since we would like to export static routes. 4. Create a direct export source, since we would like to export interface/direct routes. 5. Create the export-policy for redistributing all int...

  • Page 93

    4. Create an OSPF export destination for type-2 routes with a tag of 100. 5. Create a RIP export source. 6. Create a static export source. 7. Create a direct export source. 8. Create the export-policy for redistributing a...

  • Page 94

    12. Create the export-policy for redistributing all interface, RIP, static, OSPF and OSPF-ASE routes into RIP. ip-router policy export destination ripexpdst source statexpsrc network all ip-router policy export destinati...

  • Page 95

    Figure 7. Exporting to OSPF (network diagram of routers R1, R2, R3, R41, R42, R5, R6, R10 and R11 spanning the backbone area and the attached areas, including the 140.1.0.0 RIPv2 network; interface addresses not reproduced)...

  • Page 97: Chapter 8

    Chapter 8: BGP Configuration Guide. BGP overview: the Border Gateway Protocol (BGP) is an exterior gateway protocol that allows IP routers to exchange network reachability information. BGP became an Internet standard in 1989 (RFC 1105) and the current version...

  • Page 98: Basic BGP Tasks

    The Internet Appliance (IA) BGP implementation: the Internet Appliance (IA) routing protocol implementation is based on GateD 4.0.3 code (http://www.gated.org). GateD is a modular software program consisting of core serv...

  • Page 99

    Setting the autonomous system number: an autonomous system number identifies your autonomous system to other routers. To set the IA’s autonomous system number, enter the following command in Configure mode. The autonomous...

  • Page 100

    Configuring a BGP peer group: a BGP peer group is a group of neighbor routers that have the same update policies. To configure a BGP peer group, enter the following command in Configure mode, where peer-group is a group ...

  • Page 101

    proto specifies the interior protocol to be used to resolve BGP next hops. Specify one of the following: any, use any IGP to resolve BGP next hops; rip, use RIP to resolve BGP next hops; ospf, use OSPF to resolve BGP next h...

  • Page 102

    Using AS-path regular expressions: an AS-path regular expression is a regular expression where the alphabet is the set of AS numbers. An AS-path regular expression is composed of one or more AS-path expressions. An AS-pat...

  • Page 104

    Using the AS path prepend feature: when BGP compares two advertisements of the same prefix that have differing AS paths, the default action is to prefer the path with the lowest number of transit AS hops; in other words, ...

  • Page 105: BGP Configuration Examples

    d. Re-enter Configure mode. e. Add the peer-host back to the peer-group. If the as-count option is part of the startup configuration, the above steps are unnecessary. BGP configuration examples: this section presents samp...

  • Page 106

    BGP keepalive messages are sent between peers periodically to ensure that the peers stay connected. If one of the routers encounters a fatal error condition, a BGP notification message is sent to its BGP peer, and the TC...

  • Page 107

    The gated.conf file for router IA1 is as follows: the CLI configuration for router IA2 is as follows: the gated.conf file for router IA2 is as follows: IBGP configuration example: connections between BGP speakers within t...

  • Page 108

    An IGP, like OSPF, could possibly be used instead of IBGP to exchange routing information between EBGP speakers within an AS. However, injecting full Internet routes (50,000+ routes) into an IGP puts an expensive burden ...

  • Page 109

    Figure 9 shows a sample BGP configuration that uses the routing group type. Figure 9. Sample IBGP configuration (routing group type) [figure: routers IA6, IA1, IA4 and a Cisco router; interface address labels not reproduced] ...

  • Page 110

    In this example, OSPF is configured as the IGP in the autonomous system. The following lines in the router IA6 configuration file configure OSPF: the following lines in the Cisco router configure OSPF: the following line...

  • Page 111

    The following lines on the Cisco router set up IBGP peering with router IA6. IBGP internal group example: the IBGP internal group expects all peers to be directly attached to a shared subnet so that, like external peers, ...

  • Page 112

    Figure 10 illustrates a sample IBGP internal group configuration. Figure 10. Sample IBGP configuration (internal group type) [figure: AS-1 with routers IA1 and IA2; interface address labels not reproduced]. The CLI configuration for router IA1 is as follows: ...

  • Page 113

    The gated.conf file for router IA1 is as follows: the CLI configuration for router IA2 is as follows: the gated.conf file for router IA2 is as follows: autonomoussystem 1 ; routerid 16.122.128.1 ; bgp yes { traceoptions ...

  • Page 114

    The configuration for router C1 (a Cisco router) is as follows: the configuration for router C2 (a Cisco router) is as follows: EBGP multihop configuration example: EBGP multihop refers to a configuration where external b...

  • Page 115

    The sample configuration in Figure 11 shows external BGP peers, IA1 and IA4, which are not connected to the same subnet. Figure 11. EBGP multihop configuration example. The CLI configuration for router IA1 is as follows: ...

  • Page 116

    The gated.conf file for router IA1 is as follows: the CLI configuration for router IA2 is as follows: the gated.conf file for router IA2 is as follows: the CLI configuration for router IA3 is as follows: autonomoussystem...

  • Page 117

    The gated.conf file for router IA3 is as follows: the CLI configuration for router IA4 is as follows: the gated.conf file for router IA4 is as follows: Community attribute example: the following configuration illustrates ...

  • Page 118

    Figure 12. Sample BGP configuration (specific community) [figure: AS-64902 and a neighboring AS with routers R10, R11, R13 and R14; interface address labels not reproduced] ...

  • Page 119

    Figure 13. Sample BGP configuration (well-known community). The community attribute can be used in three ways: 1. In a BGP group statement: any packets sent to this group of BGP peers will have the communities attribute i...

  • Page 120

    In Figure 13, router IA11 has the following configuration: # # create an optional attribute list with identifier color1 for a community # attribute (community-id 160 as 64901) # ip-router policy create optional-attribut...

  • Page 121

    In Figure 13 on page 119, router IA13 has the following configuration: 3. In an export statement: the optional-attributes-list option of the ip-router policy create bgp-export-destination command may be used to send the...

  • Page 122

    In Figure 13 on page 119, router IA10 has the following configuration: in Figure 13, router IA14 has the following configuration: any communities specified with the optional-attributes-list option are sent in addition ...

  • Page 123

    The community attribute may be a single community or a set of communities. A maximum of 10 communities may be specified. The community attribute can take any of the following forms: • specific community: the specific comm...

  • Page 124

    Notes on using communities: when originating BGP communities, the set of communities that is actually sent is the union of the communities received with the route (if any), those specified in group policy (if any), and th...

  • Page 125

    In the sample network in Figure 14, all the traffic exits autonomous system 64901 through the link between router IA13 and router IA11. This is accomplished by setting the local_pref attribute. Figure 14. Sample BGP con...

  • Page 126

    In router IA12’s CLI configuration file, the import preference is set to 160: using the formula for local preference [local_pref = 254 - (global protocol preference for this route) + metric], the local_pref value put out...

  • Page 127

    Figure 15. Sample BGP configuration (MED attribute). Routers IA4 and IA6 inform router C1 about network 172.16.200.0/24 through external BGP (EBGP). Router IA6 announced the route with a MED of 10, whereas router IA4 anno...

  • Page 128

    EBGP aggregation example: Figure 16 shows a simple EBGP configuration in which one peer is exporting an aggregated route to its upstream peer and restricting the advertisement of contributing routes to the same peer. The ...

  • Page 129

    Router IA9 has the following CLI configuration: Route reflection example: in some ISP networks, the internal BGP mesh becomes quite large, and the IBGP full mesh does not scale well. For such situations, route reflection ...

  • Page 130

    Figure 17 shows a sample configuration that uses route reflection. Figure 17. Sample BGP configuration (route reflection). In this example, there are two clusters. Router IA10 is the route reflector for the first cluster ...

  • Page 131

    Router IA11 has router IA12 and router IA13 as client peers and router IA10 as a non-client peer. The following line in router IA11’s configuration file specifies it to be a route reflector even though the IBGP peers are n...

  • Page 132

    Notes on using route reflection: • Two types of route reflection are supported: – by default, all routes received by the route reflector from a client are sent to all internal peers (including the client’s group, but not ...

  • Page 133: Chapter 9

    Chapter 9: Routing Policy Configuration Guide. Route import and export policy overview: the Internet Appliance (IA) family of routers supports extremely flexible routing policies. The IA allows the network administrator to control import and export of routin...

  • Page 134

    Preference: preference is the value the IA routing process uses to order preference of routes from one protocol or peer over another. Preference can be set using several different configuration commands. Prefer...

  • Page 135

    Import policies: import policies control the importation of routes from routing protocols and their installation in the routing databases (routing information base and forwarding information base). Import polic...

  • Page 136

    It is only possible to restrict the importation of OSPF ASE routes when functioning as an AS border router. Like the other interior protocols, preference cannot be used to choose between OSPF ASE routes. That ...

  • Page 137

    Export-source: this component specifies the source of the exported routes. It can also specify the metric to be associated with the routes exported from this source. The routes to be exported can be identified ...

  • Page 138

    Specifying a route filter: routes are filtered by specifying a route-filter that will match a certain set of routes by destination, or by destination and mask. Among other places, route filters are used with ma...

  • Page 139

    Aggregates and generates: route aggregation is a method of generating a more general route, given the presence of a specific route. It is used, for example, at an autonomous system border to generate a route to...

  • Page 140

    The routes contributing to an aggregate can be identified by their associated attributes: • protocol type (RIP, OSPF, BGP, static, direct, aggregate). • autonomous system from which the route was learned. • AS...

  • Page 141

    Authentication methods: there are mainly two authentication methods: simple password: in this method, an authentication key of up to 8 characters is included in the packet. If this does not match what is expect...

  • Page 142

    Configuring simple routing policies: simple routing policies provide an efficient way for routing information to be exchanged between routing protocols. The redistribute command can be used to redistribute rout...

  • Page 143

    Redistributing directly attached networks: routes to directly attached networks are redistributed to another routing protocol such as RIP or OSPF by the following command. The network parameter specifies a set ...

  • Page 144

    Redistributing OSPF to RIP: for the purposes of route redistribution and import-export policies, OSPF intra- and inter-area routes are referred to as OSPF routes, and external routes redistributed into OSPF ar...

  • Page 145

    • Determine its RIP configuration. !++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ! Create the various ip interfaces. !++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++...

  • Page 146

    Exporting a given static route to all RIP interfaces: router R1 has several static routes, of which one is the default route. We would export this default route over all RIP interfaces. Exporting all static rout...

  • Page 147

    • Determine its OSPF configuration. Exporting all interface & static routes to OSPF: router R1 has several static routes. We would like to export all these static routes and direct-routes (routes to connected ne...

  • Page 148

    Exporting all RIP, interface & static routes to OSPF. Note: also export interface, static, RIP, OSPF, and OSPF-ASE routes into RIP. In the configuration shown in Figure 19 on page 158, suppose we decide to run...

  • Page 149

    Export policies: advanced export policies can be constructed from one or more of the following building blocks: • export destinations - this component specifies the destination where the routes are to be export...

  • Page 150

    The , if specified, is the identifier of the route-filter associated with this export-policy. If there is more than one route-filter for any export-destination and export-source combination, then the ip-route...

  • Page 151

    If you want to create a complex route-filter, and you intend to use that route-filter in several import policies, then the first method is recommended. If you do not have complex filter requirements, then use ...

  • Page 152

    Creating an aggregate route: route aggregation is a method of generating a more general route, given the presence of a specific route. The routing process does not perform any aggregation unless explicitly requ...

  • Page 153

    The is the identifier of the route-filter associated with this aggregate. If there is more than one route-filter for any aggregate-destination and aggregate-source combination, then the ip-router policy aggr-g...

  • Page 154

    The following configuration commands for router R1: • determine the IP address for each interface. • specify the static routes configured on the router. • determine its RIP configuration. Figure 18. Exporti...

  • Page 155

    Importing a selected subset of routes from one RIP trusted gateway: router R1 has several RIP peers. Router R41 has an interface on the network 10.51.0.0. By default, router R41 advertises network 10.51.0.0/16 ...

  • Page 156

    1. Add the peer 140.1.1.41 to the list of trusted and source gateways. 2. Create a RIP import source with the gateway as 140.1.1.4 since we would like to import all routes except the 10.51.0.0/16 route from th...

  • Page 157

    Example 2: importing from OSPF. Due to the nature of OSPF, only the importation of ASE routes may be controlled. OSPF intra- and inter-area routes are always imported into the IA routing table with a preference...

  • Page 158

    Figure 19. Exporting to OSPF [figure: routers R1, R2, R3, R6, R11, R41 and R42 across an OSPF area and a backbone area, with BGP and the RIP v2 network 140.1.0.0; interface address labels not reproduced] ...

  • Page 159

    The following configuration commands for router R1: • determine the IP address for each interface • specify the static routes configured on the router • determine its OSPF configuration. Importing a selected su...

  • Page 160

    Examples of export policies. Example 1: exporting to RIP. Exporting to RIP is controlled by any of protocol, interface or gateway. If more than one is specified, they are processed from most general (protocol) t...

  • Page 161

    • Determine its RIP configuration. Exporting a given static route to all RIP interfaces: router R1 has several static routes, of which one is the default route. We would export this default route over all RIP in...

  • Page 162

    2. Create a static export source since we would like to export static routes. As mentioned above, if no export policy is specified, RIP and interface routes are exported into RIP. If any policy is specified, t...

  • Page 163

    4. Create a direct export source since we would like to export direct/interface routes. 5. Create the export-policy redistributing the statically created default route, and all (RIP, direct) routes into RIP. E...

  • Page 164

    5. Create the export-policy, redistributing all static routes reachable over interface 130.1.1.1 and all (RIP, direct) routes into RIP. Exporting aggregate-routes into RIP: in the configuration shown in figure ...

  • Page 165

    5. Create an aggregate export source since we would like to export/redistribute an aggregate/summarized route. 6. Create a RIP export source since we would like to export RIP routes. 7. Create a direct export source...

  • Page 166

    • Determine its OSPF configuration. Exporting all interface & static routes to OSPF: router R1 has several static routes. We would export these static routes as type-2 OSPF routes. The interface routes would red...

  • Page 167

    4. Create a direct export source since we would like to export interface/direct routes. 5. Create the export-policy for redistributing all interface routes and static routes into OSPF. Exporting all RIP, inter...

  • Page 168

    5. Create a RIP export source. 6. Create a static export source. 7. Create a direct export source. 8. Create the export-policy for redistributing all interface, RIP and static routes into OSPF. 9. Create a RIP...

  • Page 169

    12. Create the export-policy for redistributing all interface, RIP, static, OSPF and OSPF-ASE routes into RIP. ip-router policy export destination ripexpdst source statexpsrc network all ip-router policy expo...

  • Page 171: Chapter 10

    Chapter 10: IP Policy-Based Forwarding Configuration Guide. Overview: you can configure the Internet Appliance (IA) to route IP packets according to policies that you define. IP policy-based routing allows network managers to engineer traffic to make the mos...

  • Page 172: Configuring Ip Policies

    For example, you can set up an IP policy to send packets originating from a certain network through a firewall, while letting other packets bypass the firewall. Using IP policies, sites that have ...

  • Page 173

    Associating the profile with an IP policy: once you have defined a profile with the acl command, you associate the profile with an IP policy by entering one or more ip-policy statements. An IP poli...

  • Page 174

    For example, the following commands create an IP policy called p3, which consists of two IP policy statements. The ip-policy permit statement has a sequence number of 1, which means it is evaluat...

  • Page 175

    To set the IP policy action with respect to dynamic or statically configured routes, enter one of the following commands in configure mode: Checking the availability of next-hop gateways: the IA ca...

  • Page 176

    Applying an IP policy to an interface: after you define the IP policy, it must be applied to an inbound IP interface. Once the IP policy is applied to the interface, packets start being forwarded a...

  • Page 177

    In the sample configuration in Figure 20, the policy router is configured to divide traffic originating within the corporate network between different ISPs (100.1.1.1 and 200.1.1.1). Figure 20. U...

  • Page 178

    Prioritizing service to customers: an ISP can use policy-based routing on an access router to supply different customers with different levels of service. The sample configuration in Figure 21 show...

  • Page 179

    The following is the IP policy configuration for the policy router in Figure 21: Authenticating users through a firewall: you can define an IP policy that authenticates packets from certain users ...

  • Page 180

    The following is the IP policy configuration for the policy router in Figure 22: Firewall load balancing: the next-hop gateway can be selected by the following information in the IP packet: source...

  • Page 181: Monitoring Ip Policies

    The following is the configuration for policy router 1 in Figure 23. The following is the configuration for policy router 2 in Figure 23. Monitoring IP policies: the ip-policy show command report...

  • Page 182

    For example, to display information about an active IP policy named p1, enter the following command in enable mode: Legend: 1. The name of the IP policy. 2. The interface where the IP policy was ...

  • Page 183

    5. The source address and filtering mask of this flow. 6. The destination address and filtering mask of this flow. 7. For TCP or UDP, the number of the source TCP or UDP port. 8. For TCP or UDP, t...

  • Page 185: Chapter 11

    Chapter 11: Network Address Translation Configuration Guide. Overview: network address translation (NAT) allows an IP address used within one network to be translated into a different IP address used within another network. NAT is often used to map addresses...

  • Page 186: Configuring Nat

    The IA allows you to create the following NAT address bindings: • static, one-to-one binding of inside, local address or address pool to outside, global address or address pool. A static address ...

  • Page 187: Managing Dynamic Bindings

    Setting NAT rules. Static: you create NAT static bindings by entering the following command in configure mode: Dynamic: you create NAT dynamic bindings by entering the following command in configure...

  • Page 188: Nat And Ftp

    NAT and FTP: File Transfer Protocol (FTP) packets require special handling with NAT, because the FTP PORT command packets contain IP address information within the data portion of the packet. It i...

  • Page 189: Configuration Examples

    Configuration examples: this section shows examples of NAT configurations. Static configuration: the example in Figure 24 configures a static address binding for inside address 10.1.1.2 to outside ...

  • Page 190

    Using static NAT: static NAT can be used when the local and global IP addresses are to be bound in a fixed manner. These bindings never get removed nor time out until the static NAT command itself...

  • Page 191

    Next, define the interfaces to be NAT inside or outside: then, define the NAT dynamic rules by first creating the source ACL pool and then configuring the dynamic bindings: Using dynamic NAT: dyn...

  • Page 192

    Dynamic NAT with IP overload (PAT) configuration: the example in Figure 26 configures a dynamic address binding for inside addresses 10.1.1.0/24 to outside address 192.50.20.0/24: Figure 26. Dynam...

  • Page 193

    Using dynamic NAT with IP overload: dynamic NAT with IP overload can be used when the local network (inside network) will be initializing the connections using TCP or UDP protocols. It creates a b...

  • Page 194

    The first step is to create the interfaces: next, define the interfaces to be NAT inside or outside: then, define the NAT dynamic rules by first creating the source ACL pool and then configuring...

  • Page 195: Chapter 12

    Chapter 12: Web Hosting Configuration Guide. Overview: accessing information on web sites for both work and personal purposes is becoming a normal practice for an increasing number of people. For many companies, fast and efficient web access is important for ...

  • Page 196: Load Balancing

    Load balancing: you can use the load balancing feature on the IA to distribute session load across a group of servers. If you configure the IA to provide load balancing, client requests that go through the IA can...

  • Page 197

    Adding servers to the load balancing group: once a logical server group is created, you specify the servers that can handle client requests. When the IA receives a client request directed to the virtual server ad...

  • Page 198

    Specifying a connection threshold: by default, there is no limit on the number of sessions that a load balancing server can service. You can configure a maximum number of connections that each server in a group c...

  • Page 199

    You can change the handshake intervals and the number of retries by entering the following configure-mode commands: Verifying extended content: you can also have the IA verify the content of an application on one...

  • Page 200

    Application verification, whether a simple TCP handshake or a user-defined action-response check, involves opening and closing a connection to a load-balancing server. Some applications require specific command...

  • Page 201

    Load balancing and FTP: File Transfer Protocol (FTP) packets require special handling with load balancing, because the FTP PORT command packets contain IP address information within the data portion of the packet...

  • Page 202

    Specifying the VPN port number: you can specify the port number to be used for secure key transfer in virtual private networks (VPN). The default port number for this usage is 500. To specify a VPN port number, e...

  • Page 203

    Configuration examples: this section shows examples of load balancing configurations. Web hosting with one virtual group and multiple destination servers: in Figure 28, a company web site is established with a UR...

  • Page 204

    The following is an example of how to configure a simple verification check where the IA will issue an HTTP command to retrieve an HTML page and check for the string “ok”: the read-till-index option is not neces...

  • Page 205

    The network shown above can be created with the following load-balance commands: if no application verification options are specified, the IA will do a simple TCP handshake to check that the application is up. ...

  • Page 206: Web Caching

    The network shown in the previous example can be created with the following load-balance commands: Web caching: web caching provides a way to store frequently accessed web objects on a cache of local servers. Ea...

  • Page 207

    Configuring web caching: the following are the steps in configuring web caching on the IA: 1. Create the cache group (a list of cache servers) to cache web objects. 2. Specify the hosts whose HTTP requests will b...

  • Page 208

    Redirecting HTTP traffic on an interface: to start the redirection of HTTP requests to the cache servers, you need to apply a caching policy to a specific outbound interface. This interface is typically an interf...

  • Page 209

    The following commands configure the cache group cache1 that contains the servers shown in the figure above and apply the caching policy to the interface ip1: note that in this example, HTTP requests from all...

  • Page 210

    Distributing frequently-accessed sites across cache servers: the IA uses the destination IP address of the HTTP request to determine which cache server to send the request to. However, if there is a web site that is being accessed very frequently, the cache server serving requests for this destination a...

  • Page 211: Chapter 13

    Chapter 13: Access Control List Configuration Guide. This chapter explains how to configure and use access control lists (ACLs) on the IA. ACLs are lists of selection criteria for specific types of packets. When used in conjunction with certain IA functions...

  • Page 212: Acl Basics

    ACL basics: an ACL consists of one or more rules describing a particular type of IP traffic. ACLs can be simple, consisting of only one rule, or complicated with many rules. Each rule tells the IA to eith...

  • Page 213

    Not all fields of an ACL rule need to be specified. If a particular field is not specified, it is treated as a wildcard or don't-care condition. However, if a field is specified, that particular field wi...

  • Page 214

    If you were to reverse the order of the two rules, all TCP packets would be allowed to go through, including traffic from subnet 10.2.0.0/16. This is because TCP traffic coming from 10.2.0.0/16 would mat...

  • Page 215

    If a packet comes in from a network other than 10.1.20.0/24, you might expect the packet to go through because it doesn’t match the first rule. However, that is not the case because of the implicit deny ...

  • Page 216

    The following ACL illustrates this feature: any incoming TCP packet on interface int1 is examined, and if the packet is in response to an internal request, it is permitted; otherwise, it is rejected. Not...
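    An added example (my code, not the IA's) that models the ACL semantics laid out on pages 212 to 216: unspecified fields are wildcards, rules are tried in order and the first match wins, a packet that matches nothing falls to the implicit deny, and the "in response to an internal request" test. The page does not say how that last test is implemented; the example assumes the conventional stateless form, a match on the TCP ACK flag, which is worth knowing because it admits any packet an attacker crafts with ACK set. The rule sets, addresses and the `shadowed_rules` helper are constructed for illustration.

```python
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp", "udp", "icmp", ...
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    ack: bool = False   # TCP ACK flag; only meaningful when proto == "tcp"


@dataclass(frozen=True)
class Rule:
    """One ACL rule.  A field left as None is a wildcard (don't care);
    a field that is given must match exactly, as in the IA's ACL rules."""
    action: str                    # "permit" or "deny"
    proto: Optional[str] = None
    src: Optional[str] = None      # CIDR prefix
    dst: Optional[str] = None      # CIDR prefix
    sport: Optional[int] = None
    dport: Optional[int] = None
    established: bool = False      # assumption: TCP with ACK set (reply traffic)

    def matches(self, p: Packet) -> bool:
        if self.proto is not None and self.proto != p.proto:
            return False
        if self.src is not None and ip_address(p.src) not in ip_network(self.src, strict=False):
            return False
        if self.dst is not None and ip_address(p.dst) not in ip_network(self.dst, strict=False):
            return False
        if self.sport is not None and self.sport != p.sport:
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        if self.established and not (p.proto == "tcp" and p.ack):
            return False
        return True


def evaluate(acl: list[Rule], p: Packet) -> tuple[str, Optional[int]]:
    """Walk the rules in order; the first match decides.  Falling off the end
    is the implicit deny, reported with rule index None so a log line can
    tell 'denied by rule 0' from 'denied because nothing matched'."""
    for index, rule in enumerate(acl):
        if rule.matches(p):
            return rule.action, index
    return "deny", None


# Constructed ACLs following the manual's worked cases.
# Block TCP from 10.2.0.0/16, let every other TCP packet through:
BLOCK_10_2_THEN_PERMIT = [Rule("deny", "tcp", src="10.2.0.0/16"), Rule("permit", "tcp")]
# The same two rules reversed: the broad permit now shadows the deny entirely.
PERMIT_THEN_BLOCK_10_2 = list(reversed(BLOCK_10_2_THEN_PERMIT))
# A single permit for 10.1.20.0/24; everything else hits the implicit deny.
ONLY_10_1_20 = [Rule("permit", src="10.1.20.0/24")]
# Inbound on an interface: only TCP replies to internal requests get in.
REPLIES_ONLY = [Rule("permit", "tcp", established=True)]


def shadowed_rules(acl: list[Rule], probes: list[Packet]) -> list[int]:
    """Indices of rules that no probe packet ever reaches: a cheap check for
    ordering mistakes such as the reversed pair above."""
    reached = {evaluate(acl, p)[1] for p in probes}
    return [i for i in range(len(acl)) if i not in reached]
```

    Run the same packet through both orderings to see the manual's point: the deny rule is only effective while it sits in front of the permit.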

  • Page 217

    If the changes are accessible from a TFTP server, you can upload and make the changes take effect by issuing commands like the following (TFTP is unauthenticated and carries the file in the clear, so serve ACL changes only from a host on a trusted management network): the first copy command uploads the file acl.changes from a TFTP s...

  • Page 218: Using Acls

    Using ACLs: it is important to understand that an ACL is simply a definition of packet characteristics specified in a set of rules. An ACL must be enabled in one of the following ways: • applying an ACL t...

  • Page 219

    To apply an ACL to an interface, enter the following command in configure mode: Applying ACLs to services: ACLs can also be created to permit or deny access to system services provided by the IA; for exam...

  • Page 220

    Table 3 lists the IA features that use ACL profiles. Note the following about using profile ACLs: • only IP ACLs can be used as profile ACLs. ACLs for non-IP protocols cannot be used as profile ACLs. • t...

  • Page 221

    For example, you can define an IP policy that causes all Telnet packets travelling from source network 9.1.1.0/24 to destination network 15.1.1.0/24 to be forwarded to destination address 10.10.10.10. Yo...

  • Page 222

    When the rate limit definition is applied to an interface (with the rate-limit apply interface command), packets in flows originating from source address 1.2.2.2 are dropped if their bandwidth usage exce...

  • Page 223

    For example, you can mirror all IGMP traffic on the IA. You use a profile ACL to define the selection criteria (in this example, all IGMP traffic). Then you use a port mirroring command to copy packets t...

  • Page 224

    The following command creates a web caching policy that prevents packets matching profile ACL prof4’s selection criteria (that is, packets with a source address of 10.10.10.10 and a destination address o...

  • Page 225: Enabling Acl Logging

    Enabling ACL logging: to see whether incoming packets are permitted or denied because of an ACL, you can enable ACL logging when applying the ACL. When ACL logging is turned on, the router prints out a me...

  • Page 227: Chapter 14

    Chapter 14: Security Configuration Guide. Security overview: the Internet Appliance (IA) provides security features that help control access to the IA. Access to the IA can be controlled by: • enabling RADIUS • enabling TACACS • enabling TACACS Plus • passwo...

  • Page 228

    Configuring IA access security: this section describes the following methods of controlling access to the IA: • RADIUS • TACACS • TACACS Plus • passwords. (Of the three protocols, only TACACS Plus obfuscates the entire packet body with the shared secret; RADIUS protects only the User-Password attribute, and the original TACACS protocol sends credentials in the clear, so it belongs on a trusted management network only.) Configuring RADIUS: you can secure login or enable mode access...

  • Page 229

    Monitoring RADIUS: you can monitor RADIUS configuration and statistics within the IA. To monitor RADIUS, enter the following commands in enable mode: Configuring TACACS: in addition, enable mode access to the IA can ...

  • Page 230

    Configuring TACACS Plus: you can secure login or enable mode access to the IA by enabling a TACACS Plus client. A TACACS Plus server responds to the IA TACACS Plus client to provide authentication. You can configure...

  • Page 231

    Monitoring TACACS Plus: you can monitor TACACS Plus configuration and statistics within the IA. To monitor TACACS Plus, enter the following commands in enable mode: Configuring passwords: the IA provides password aut...

  • Page 233: Chapter 15

    Chapter 15: QoS Configuration Guide. QoS and layer-2, -3, and -4 flow overview: the Internet Appliance (IA) allows network managers to identify traffic and set quality of service (QoS) policies without compromising wire-speed performance. The IA can guarantee ...

  • Page 234

    Within the IA, QoS policies are used to classify layer-2, -3, and -4 traffic into the following priorities: • control • high • medium • low. By assigning priorities to network traffic, you can ensure that critical traffi...

  • Page 235

    IA queuing policies: you can use one of two queuing policies on the IA: • strict priority: assures throughput for the higher priorities, but at the expense of the lower priorities. For example, during heavy loads, low-priorit...

  • Page 236

    Configuring layer-2 QoS: when applying QoS to a layer-2 flow, priority can be assigned as follows: • the frame gets assigned a priority within the switch; select low, medium, high or control. • the frame gets assigned a ...

  • Page 237

    Setting an IP QoS policy: to set a QoS policy on an IP traffic flow, enter the following command in configure mode: for example, the following command assigns control priority to any traffic coming from the 10.10.11.0 ne...

  • Page 238: Tos Rewrite

    Allocating bandwidth for a weighted-fair queuing policy: if you enable the weighted-fair queuing policy on the IA, you can allocate bandwidth for the queues on the IA. To allocate bandwidth for each IA queue, enter the f...

  • Page 239

    With the TOS rewrite command, you can access the value in the TOS octet (which includes both the 3-bit precedence field and the TOS bits) in each packet. The upper-layer application can then decide how to handle the packet, based on ...

  • Page 240

    For example, the following command will rewrite the TOS precedence field to 7 if the TOS precedence field of the incoming packet is 6: in the above example, the value of 222 (binary 1101 1110) and the value of 224...
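    What that rewrite does to the bits, as an added example (my code, not an IA command). The octet 222 and the target precedence come from the page; reading 224 (1110 0000) as the mask that isolates the three precedence bits is my assumption, since the page is cut off before it says what 224 is for. Function names are constructed for illustration.

```python
PRECEDENCE_MASK = 0xE0   # 224 = 1110 0000: the three precedence bits
TOS_BITS_MASK = 0x1E     # 0001 1110: the four TOS bits (delay, throughput, reliability, cost)


def as_binary(tos: int) -> str:
    """Render an octet the way the manual does, e.g. 222 -> '1101 1110'."""
    bits = f"{tos & 0xFF:08b}"
    return bits[:4] + " " + bits[4:]


def precedence(tos: int) -> int:
    return (tos & PRECEDENCE_MASK) >> 5


def tos_bits(tos: int) -> int:
    return (tos & TOS_BITS_MASK) >> 1


def matches_precedence(tos: int, wanted: int) -> bool:
    """The mask form of the check: compare only the bits that 224 selects,
    so the TOS bits below them never affect the match."""
    return (tos & PRECEDENCE_MASK) == (wanted << 5)


def rewrite_precedence(tos: int, match_prec: int, new_prec: int) -> int:
    """If the packet's precedence equals match_prec, set it to new_prec and
    leave the TOS bits and the reserved low bit exactly as they were;
    otherwise return the octet unchanged."""
    if not 0 <= tos <= 0xFF:
        raise ValueError(f"TOS octet out of range: {tos}")
    if not (0 <= match_prec <= 7 and 0 <= new_prec <= 7):
        raise ValueError("precedence is a 3-bit field (0..7)")
    if not matches_precedence(tos, match_prec):
        return tos
    return (tos & ~PRECEDENCE_MASK & 0xFF) | (new_prec << 5)


if __name__ == "__main__":
    # Constructed samples: the manual's octet 222 carries precedence 6 and is
    # rewritten; 100 (0110 0100, precedence 3) is left alone.
    for octet in (222, 100):
        out = rewrite_precedence(octet, match_prec=6, new_prec=7)
        print(f"{as_binary(octet)} (prec {precedence(octet)}) -> {as_binary(out)} (prec {precedence(out)})")
```

    Note that a rewrite of this kind changes only the precedence; the TOS bits 1111 in 222 survive, which is why the masked compare matters.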

  • Page 241: Monitoring Qos

    Monitoring QoS: the IA provides display of QoS statistics and configurations contained in the IA. To display QoS information, enter the following commands in enable mode: Limiting traffic rate: traffic rate limiting provi...

  • Page 242

    Example configuration: Figure 32 presents an example of configuring rate limiting on the IA. Figure 32. Configuring rate limiting on the IA. Traffic from two interfaces, ipclient1 with IP address 1.2.2.2 and ipclient2 wit...
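    The page (here and on page 222) says that packets from 1.2.2.2 are dropped once the flow's bandwidth usage exceeds its limit, but not how the IA measures that. The added example below (my code, not the IA's) enforces such a per-source limit with a token bucket, the standard way to hold a flow to a sustained rate while admitting a bounded burst; the policy, the second address 1.2.2.3 and the packet timings are constructed.

```python
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class TokenBucket:
    rate_bps: float       # sustained rate the flow may use, bits per second
    burst_bits: float     # bucket depth: the largest burst admitted at once
    now: float            # time of the last refill
    tokens: float = field(init=False)

    def __post_init__(self) -> None:
        self.tokens = self.burst_bits   # start full: the first burst gets through

    def admit(self, now: float, size_bytes: int) -> bool:
        """Refill for the elapsed time (never beyond the depth), then spend the
        packet's bits if they are available; otherwise the packet is dropped."""
        elapsed = max(0.0, now - self.now)      # never refill for a clock step backwards
        self.tokens = min(self.burst_bits, self.tokens + elapsed * self.rate_bps)
        self.now = now
        needed = size_bytes * 8
        if needed > self.tokens:
            return False
        self.tokens -= needed
        return True


class RateLimiter:
    """Applies a per-source policy, like a rate-limit definition keyed by a
    profile ACL whose selection criterion is the source address.  Sources the
    policy does not mention are forwarded untouched."""

    def __init__(self, policy: dict[str, tuple[float, float]]) -> None:
        self.policy = policy          # src -> (rate_bps, burst_bits)
        self.buckets: dict[str, TokenBucket] = {}

    def decide(self, now: float, src: str, size_bytes: int) -> str:
        limits = self.policy.get(src)
        if limits is None:
            return "forward"
        bucket = self.buckets.get(src)
        if bucket is None:
            bucket = self.buckets[src] = TokenBucket(limits[0], limits[1], now)
        return "forward" if bucket.admit(now, size_bytes) else "drop"


def run(policy: dict[str, tuple[float, float]], packets: list[tuple[float, str, int]]) -> list[str]:
    """Feed (time, source, bytes) packets through one limiter; return the decisions."""
    limiter = RateLimiter(policy)
    return [limiter.decide(t, src, size) for t, src, size in packets]


# Constructed policy: 1.2.2.2 gets 1 Mbit/s with a burst of one 1500-byte packet.
POLICY = {"1.2.2.2": (1_000_000.0, 12_000.0)}
# Constructed traffic: two back-to-back full-size packets from 1.2.2.2, one
# from an unlimited source, then two more from 1.2.2.2 one millisecond apart
# after a 50 ms pause.
PACKETS = [
    (0.000, "1.2.2.2", 1500),
    (0.000, "1.2.2.2", 1500),
    (0.000, "1.2.2.3", 1500),
    (0.050, "1.2.2.2", 1500),
    (0.051, "1.2.2.2", 1500),
]

if __name__ == "__main__":
    for pkt, verdict in zip(PACKETS, run(POLICY, PACKETS)):
        print(pkt, verdict)
```

    The second packet at t=0 is dropped because the burst allowance was spent by the first; after the pause the bucket has refilled to its depth, so one packet passes and the one a millisecond later does not.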

  • Page 243: Chapter 16

    Chapter 16: Performance Monitoring Guide. Performance monitoring overview: the Internet Appliance (IA) is a full wire-speed layer-2, -3 and -4 switching router. As packets enter the IA, layer-2, -3, and -4 flow tables are populated on each line card. The flo...

  • Page 244

    Layer-2 table commands (what is shown, then the command that shows it):
    • Show information about the master MAC table: l2-tables show mac-table-stats
    • Show information about a particular MAC address: l2-tables show mac
    • Show information about multicasts registered by IGMP: l2-tables show igmp-mca...

  • Page 245

    Configuring the IA for port mirroring: the IA allows you to monitor activity with port mirroring. Port mirroring allows you to monitor the performance and activities of one or more ports on the IA, or of traffic def...

  • Page 247: Chapter 17

    Chapter 17: RMON Configuration Guide. RMON overview: you can employ remote network monitoring (RMON) in your network to help monitor traffic at remote points on the network. With RMON, data collection and processing is done with a remote probe, namely the I...

  • Page 248

    Configuring and enabling RMON: by default, RMON is disabled on the IA. To configure and enable RMON on the IA, follow these steps: 1. Turn on the Lite, Standard, or Professional RMON groups by entering the rmon set lite...

  • Page 249

    The next sections describe Lite, Standard, and Professional RMON groups and control tables. RMON groups: the RMON MIB groups are defined in RFCs 1757 (RMON 1) and 2021 (RMON 2). On the IA, you can configure one or more ...

  • Page 250

    Lite RMON groups: this section describes the RMON groups that are enabled when you specify the Lite support level. The Lite RMON groups are shown in Table 4. Standard RMON groups: this section describes the RMON groups ...

  • Page 251

    The Professional RMON groups are shown in Table 6. Control tables: many RMON groups contain both control and data tables. Control tables specify what statistics are to be collected. For example, you can specify the por...

  • Page 252: Using Rmon

    If you choose to create default control tables, entries are created in the control tables for each port on the IA for the following groups: Lite groups: etherStats, history. Standard groups: host, matrix. Professional grou...

  • Page 253

    For example, use the rmon show protocol-distribution command to see the kinds of traffic received on a given port: in the example output above, only HTTP and ICMP traffic is being received on this port. To find out whi...

  • Page 254: Configuring Rmon Groups

    Configuring RMON groups: as mentioned previously, control tables in many RMON groups specify the data that is to be collected for the particular RMON group. If the information you want to collect is in the default contr...

  • Page 256

    Configuration examples: this section shows examples of configuration commands that specify an event that generates an SNMP trap and the alarm condition that triggers the event. The RMON alarm group allows the IA to poll...

  • Page 257: Displaying Rmon Information

    • Rising and falling event index values are 15, which will trigger the previously configured event. Displaying RMON information: the CLI rmon show commands allow you to display the same RMON statistics that can be viewe...
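    How an alarm row drives an event row, as an added example (my code, not the IA's RMON implementation) of the RFC 1757 alarm semantics the two preceding pages configure: a variable is polled, sampled as a delta for counters, and a rising event fires when the sample reaches the rising threshold after the previous sample was below it; the rising side then stays quiet until a falling event has fired, and vice versa, so a value hovering at one threshold cannot produce a trap storm. The thresholds, the polled counter readings and the event description are constructed; the event index 15 for both directions follows the page.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional

COUNTER32_WRAP = 1 << 32


@dataclass
class Event:
    """An entry in the RMON event table: what happens when an alarm fires."""
    index: int
    description: str
    action: str = "log-and-trap"     # "log", "trap" or "log-and-trap"
    log: list[str] = field(default_factory=list)

    def fire(self, alarm_index: int, kind: str, value: int) -> str:
        entry = (f"event {self.index} ({self.action}): alarm {alarm_index} "
                 f"{kind}, sample={value}: {self.description}")
        self.log.append(entry)
        return entry


@dataclass
class RmonAlarm:
    """One row of the RMON alarm table.  startup decides whether the very
    first sample may fire: "rising", "falling" or "rising-or-falling"."""
    index: int
    rising_threshold: int
    falling_threshold: int
    rising_event: Event
    falling_event: Event
    sample_type: str = "delta"            # "delta" for counters, "absolute" for gauges
    startup: str = "rising-or-falling"
    _last_raw: Optional[int] = None
    _last_value: Optional[int] = None
    _rising_suppressed: bool = False
    _falling_suppressed: bool = False

    def __post_init__(self) -> None:
        if self.falling_threshold >= self.rising_threshold:
            raise ValueError("falling threshold must be below rising threshold")

    def sample(self, raw: int) -> Optional[str]:
        """Feed one polled reading; return "rising", "falling" or None."""
        if self.sample_type == "delta":
            if self._last_raw is None:          # the first reading only sets the baseline
                self._last_raw = raw
                return None
            value = (raw - self._last_raw) % COUNTER32_WRAP   # survives a Counter32 wrap
            self._last_raw = raw
        else:
            value = raw
        prev, self._last_value = self._last_value, value
        first = prev is None

        rising = (value >= self.rising_threshold and not self._rising_suppressed
                  and (prev < self.rising_threshold if not first else self.startup != "falling"))
        falling = (value <= self.falling_threshold and not self._falling_suppressed
                   and (prev > self.falling_threshold if not first else self.startup != "rising"))
        if rising:
            self._rising_suppressed, self._falling_suppressed = True, False
            self.rising_event.fire(self.index, "rising", value)
            return "rising"
        if falling:
            self._falling_suppressed, self._rising_suppressed = True, False
            self.falling_event.fire(self.index, "falling", value)
            return "falling"
        return None


def run_alarm(readings: list[int], rising: int = 1000, falling: int = 200) -> tuple[list[Optional[str]], list[str]]:
    """Poll a constructed inpkts-style counter through one alarm whose rising
    and falling events are both event 15, as in the manual's example."""
    event15 = Event(15, "inpkts rate threshold crossed")
    alarm = RmonAlarm(1, rising, falling, event15, event15)
    return [alarm.sample(r) for r in readings], event15.log


if __name__ == "__main__":
    # Constructed counter readings, one per polling interval.
    verdicts, log = run_alarm([0, 500, 1800, 3000, 3100, 3150, 4400])
    print(verdicts)
    print("\n".join(log))
```

    Two details worth checking in any alarm implementation are visible here: the delta computation is taken modulo 2^32 so a wrapped Counter32 does not produce a huge negative delta that never crosses anything, and the second high sample (delta 1200) fires nothing because the rising side is suppressed until the falling threshold has been crossed.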

  • Page 258

    RMON CLI filters: because a large number of statistics can be collected for certain RMON groups, you can define and use CLI filters to limit the amount of information displayed with the rmon show commands. An RMON CLI f...

  • Page 259

    The following shows the same rmon show hosts command with a filter applied so that only hosts with inpkts greater than 500 are displayed: RMON CLI filters can only be used with the following groups: • hosts • matrix • ...

  • Page 260: Troubleshooting Rmon

    Troubleshooting RMON: if you are not seeing the information you expected with an rmon show command, or if the network management station is not collecting the desired statistics, first check that the port is up. Then, u...

  • Page 261: Allocating Memory to Rmon

    4. Make sure that the control table is configured for the report that you want. Depending upon the RMON group, default control tables may be created for all ports on the IA. Or, if the RMON group is not one for which d...

  • Page 262

    Any memory allocation failures are reported. The following is an example of the information shown with the rmon show status command: to set the amount of memory allocated to RMON, use the following CLI command in user ...