Enterasys Routing 2010

Date post: 02-Nov-2014
Upload: bereniluvatar
Transcript
Page 1: Enterasys Routing 2010

“There is nothing more important than our customers”

Enterprise Routing

Course Overview

Page 2: Enterasys Routing 2010

Enterprise Routing – Course Overview: Course Prerequisites

Student prerequisite knowledge/skills:

• Experienced PC user
• Operational knowledge of
  - Ethernet
  - 802.1D standard
  - 802.1Q standard
• Comprehensive understanding of TCP/IP protocol
• Comprehensive understanding of various types of routing

Topics not covered in this course:

• In depth discussion of 802.1D
• TCP/IP
• Network design
• Wireless
• NetSight NMS
• Dragon
• STP
• In depth discussion of the following protocols: OSPF, DVMRP, IGMP, and VRRP or other routing protocols.

© 2007 Enterasys Networks, Inc. All rights reserved. 2

Page 3: Enterasys Routing 2010


Enterprise Routing

Routing Products Overview

Page 4: Enterasys Routing 2010

Enterprise Routing – Routing Products Overview: Routing Review

• Routers / Layer 3 Switching:
  - Switch packets between different physical networks, based upon Network-layer addressing
  - Do not flood MAC-layer broadcasts from one attached network to another
  - Are protocol dependent (IP routed to IP; IPX routed to IPX, etc.)
  - Support packet fragmentation
  - Support multiple Physical- and MAC-layer packet encapsulation types, and have the ability to translate from one type to another

• Bridges / Layer 2 Switching:
  - Switch packets within the same physical network, based upon Data Link-layer (MAC) addressing
  - Flood all MAC-layer broadcasts out all attached ports in the same physical network
  - Are protocol transparent (i.e., unaware of IP, IPX, etc., protocols embedded in the datagrams)
  - Do not support packet fragmentation
  - Support multiple Physical- and MAC-layer packet encapsulation types, and have the ability to translate from one type to another

Page 5: Enterasys Routing 2010

Enterprise Routing – Routing Products Overview: When Should Routing be Implemented?

• When communication is needed between VLANs
• When MAC-layer multicast/broadcast traffic is adversely affecting network performance
• When packet switching based upon upper-layer protocols (i.e., IP, IPX, AppleTalk, etc.) is desired
• Where multiple active paths between systems are required

Page 6: Enterasys Routing 2010

Enterprise Routing – Routing Products Overview: Enterasys Routing Support

• The following Enterasys switch products support both Layer 2 (the Data Link layer of the OSI model) switching and Layer 3 (the Network layer) IP routing functionality:
  - SecureStack B3/C2/C3
  - Matrix E1
  - G Series
  - Matrix N-Series DFE
    › Matrix Gold
    › Matrix Platinum
    › Matrix Diamond
  - Matrix X

Page 7: Enterasys Routing 2010

Enterprise Routing – Routing Products Overview: SecureStack B3/C2/C3

• B3 supports only basic IP layer 3 routing (static routes, RIP, basic ACLs)
• C2/C3 Series
  - Supports basic IP layer 3 routing (static routes, RIP, basic ACLs)
  - Optional License C2 L3-LIC (Layer 3 Routing License)
    › Enables OSPF, PIM, DVMRP, VRRP.
    › License will need to be re-entered if configuration is cleared
  - Optional License C3 L3-LIC (Layer 3 Routing License)
    › Enables OSPF, PIM, DVMRP, VRRP.
    › Requires the purchase and activation of an advanced routing license for each unit in a stack.
    › License will NOT need to be re-entered if configuration is cleared
  - Optional License C3 IPv6-LIC (IPv6 License)

Page 8: Enterasys Routing 2010

Enterprise Routing – Routing Products Overview: E1

• Policy management for layer 2/3/4 classification
• Supports advanced Layer 3 IP routing
• Can be managed via a CLI, WebView, or a Network Management application
• The Matrix E1 supports up to 256 routing interfaces

Page 9: Enterasys Routing 2010

Enterprise Routing – Routing Products Overview: Overview of Routing Support

• Summary of routing support on the Matrix platforms

Platforms compared: Matrix N-series (Platinum and Gold), Matrix N-Series Diamond, Matrix E1, SecureStack B3/C2/C3 & G-Series, Matrix X.

Routing functionality rows of the table: RIP v1/v2, OSPF, BGP, IS-IS, DVMRP, PIM-SM, IPv6, IRDP, VRRP, LSNAT, Standard ACLs, Extended ACLs, PBR, DoS Prevention, DHCP Server. (The per-platform support marks of the original table are not recoverable from the transcript; only the footnote markers survive.)

* Requires advanced routing features software license.
** Requires extended memory of 256 MB.
*** Supported only on the SecureStack C3 and G-Series.

Page 10: Enterasys Routing 2010

Enterprise Routing – Routing Products Overview: Matrix Family - Sizes and Tables

Feature                      | X       | N-Plat     | N-Gold | N-Dia           | E1     | C2/C3
-----------------------------|---------|------------|--------|-----------------|--------|-------
IP Interfaces                | 1024    | 256        | 96     | 256             | 256    | 24
Secondary addresses / per IF | 64      | 50         | 50     | 50              | 8      | 31
Maximum 2ndary IF's          | 2000    | 2,000      | 2000   | 2,000           | 2048   | 744
Loopback Interfaces          | 100 (3) | 20         | 20     | 20              | 20     | 1 (3)
ARP Cache total              | 128k    | 16k (1)    | 4k (1) | 16k (1)/32k (4) | 8.5k   | 2,048
ARP Dynamic                  | 128k    | 16k        | 4k     | 16k (1)/32k (4) | 8k     | 2,024
Default ARP timeout – sec's  | 21,600  | 14,400     | 14,400 | 14,400          | 14,400 | 14,400
ARP Static                   | 1,024   | 1,024      | 512    | 1,024           | 512    | 512
Access Control Lists         | 1,024   | 198        | 198    | 198             | 199    | 100
Maximum Rules per ACL        | 2,048   | 999        | 999    | 999             | 999    | 9
Maximum ACL Rules            | 32,000* | 5,000      | 1,000  | 5,000           | 1,000  | 100
Route Table                  | ~265k   | 25,000 (2) | 10,000 | 25,000 (2)      | 10,000 | 2,500
ECMP paths                   | 4       | 8          | 4      | 8               | 8      | 4
Static routes                | 2,048   | 1,024      | 512    | 1,024           | 512    | 64
RIP routes                   | 10,000  | 3,000      | 1,000  | 3,000           | 1,000  | 2,500

(1) per router module
(2) 256MB RAM – half the amount with 128MB
(3) Includes internal loopback of 127.0.0.1
(4) per chassis
* Dependent on the number of forwarding engines per chassis

Page 11: Enterasys Routing 2010

Enterprise Routing – Routing Products Overview: Matrix Family - Sizes and Tables

Feature               | X      | N-Plat               | N-Gold | N-Dia                | E1     | C2/C3
----------------------|--------|----------------------|--------|----------------------|--------|------------------
OSPF Areas            | 16     | 6                    | 4      | 6                    | 4      | 4
Total OSPF LSA LSDB   | 30,048 | 15,664               | 10k    | 15,664               | 10,576 | 2,500
Type 1 LSA's          | 1024   | 512                  | 100    | 512                  | 200    | 2,500
Type 2 LSA's          | 1024   | 512                  | 400    | 512                  | 400    | 2,500
Type 3 LSA's          | 6000   | 3,000 (1)/8,000 (2)  | 2,000  | 3,000 (1)/8,000 (2)  | 2,000  | 2,500
Type 4 LSA's          | 6000   | 3,000                | 2,000  | 3,000                | 2,000  | 2,500
Type 5 LSA's          | 8000   | 4,000 (1)/10,000 (2) | 3,000  | 4,000 (1)/10,000 (2) | 3,000  | 2,500
Type 7 LSA's          | 8000   | 4,000                | 3,000  | 4,000                | 3,000  | 2,500
Type 9 LSA's          | n/s    | 64                   | 64     | 512                  | 64     | n/s
Type 10 LSA's         | n/s    | 512                  | 512    | 512                  | 512    | n/s
Type 11 LSA's         | n/s    | 64                   | 64     | 512                  | 64     | n/s
OSPF Neighbors        | 24     | 60                   | 60     | 60                   | 8      | No hardware limit
Router Links per area | 24     | 100                  | 100    | 100                  |        | No hardware limit

(1) 128 MB RAM
(2) 256 MB RAM

Page 12: Enterasys Routing 2010

Enterprise Routing – Routing Products Overview: Matrix Family - Sizes and Tables

Feature                    | X     | N-Plat | N-Gold | N-Dia | E1    | C2/C3
---------------------------|-------|--------|--------|-------|-------|------
VRRP IDs                   | 1,024 | 1,024  | 128    | 1,024 | 128   | 480
VRRP IPs per Interface     | 128   | 16     | 16     | 16    | 9     | 1
VRRP IDs per Interface     | 7     | 4      | 4      | 4     | 4     | 20
IGMP Groups                | 1,000 | 64     | 64     | 64    | 1,000 | 256
DVMRP Routes               | 10k   | 10k    | 10k    | 10k   | 10k   | 256
Multicast Flows            | 8,000 | 2,000  | 2,000  | 2,000 | 1,000 | 256
IP Helper Address / router | 2,048 | 5,120  | 2,048  | 5,120 | 5,520 | 1
IP Helper Address / IF     | 20    | 20     | 8      | 20    | 20    | 0
DHCP Server Leases         | 1,000 | 1,000  | 1,000  | 1,000 | n/s   | n/s

Page 13: Enterasys Routing 2010

Enterprise Routing – Routing Products Overview: SecureStack C3 - IPv6

• IPv6 Overview
  - IPv6 is the next generation of the Internet Protocol.
  - With 128-bit addresses, IPv6 solves the address depletion issues seen with IPv4 and removes the requirement for NATs.
  - The ability to aggregate addresses reduces the size of the global routing table dramatically.
  - Security is more integrated, and network configuration is simplified, yet more flexible.
• IPv6 will coexist with IPv4.
  - As with IPv4, IPv6 routing can be enabled on VLAN interfaces.
    › Each L3 routing interface can be used for IPv4, IPv6, or both.
  - IP protocols running over L3, for example UDP and TCP, do not change with IPv6.
    › For this reason, a single CPU stack is used for transport of both IPv4 and IPv6, and a single sockets interface provides access to both.
  - Routing protocols are capable of computing routes for either IP version or both.
• This release will provide unicast routing using OSPFv3 and static routes.

Page 14: Enterasys Routing 2010


Enterprise Routing

Basic Routing Config

Page 15: Enterasys Routing 2010

Enterprise Routing – Basic Routing Config: Module Topics

• Basic Routing Configuration
  - VLAN Review
  - Router Configuration / Direct Routes
  - Static Routes
  - RIP Routes
  - ARP Configuration
  - File Management
  - Additional information

Page 16: Enterasys Routing 2010

Enterprise Routing – Basic Routing Config: VLAN Review

• When creating an IP interface on a VLAN, the following steps are recommended:

1. Create the VLAN used for IP routing from the switch CLI (argument: VLAN id)
   SecureStackC2(su)-> set vlan create 15

2. Assign ports to the VLAN (arguments: port string, VLAN id)
   SecureStackC2(su)-> set port vlan fe.1.6 15
   Then answer “Y” to add the port to the egress list and clear the existing PVID

   OR

3. Assign ports to the VLAN (arguments: port string, VLAN id)
   SecureStackC2(su)-> set port vlan fe.1.6 15
   Then answer “N” to not add the port to the egress list and not clear the PVID

4. Assign ports to the VLAN’s egress list (arguments: VLAN id, port string)
   SecureStackC2(su)-> set vlan egress 15 fe.1.6 untagged

5. Remove (default) ports from default VLAN 1’s egress list (arguments: VLAN id, port string)
   SecureStackC2(su)-> clear vlan egress 1 fe.1.2-10

Page 17: Enterasys Routing 2010

Enterprise Routing – Basic Routing Config: VLAN Review Matrix X

• When creating an IP interface on a VLAN for the Matrix X-series, the following steps are recommended:

1. Create the VLAN used for IP routing from the switch CLI
   matrix-x(switch-rw)-> set vlan create 5

2. Configure physical ports to be used for layer 2 switching as ingress and egress ports on the VLAN
   matrix-x(switch-rw)-> set port mode ge.1.1 switched

3. Assign ports to the VLAN’s egress list and configure port VLAN settings from the switch CLI
   matrix-x(switch-rw)-> set vlan egress 5 ge.1.1 [untagged | tagged | forbidden]
   matrix-x(switch-rw)-> set port vlan ge.1.1 5

4. In the router configuration mode, create an IP interface on the VLAN and configure an IP address
   matrix-x(switch-rw)-> router
   matrix-x(router-exec)# configure terminal
   matrix-x(router-config)# interface vlan.1.5
   matrix-x(router-config-if-vlan-vid)# ip address 192.168.18.18 255.255.255.0

• IP interfaces bound to VLANs are referenced in the Matrix X-series CLI with the syntax vlan.<bridgeDomain>.<vid>
  - Matrix X-series currently supports one bridge domain, defaulting to a value of 1.


Page 19: Enterasys Routing 2010

Enterprise Routing – Basic Routing Config: Pre-routing Considerations

• To configure the ports for routing, it may be necessary to turn off switching features on the appropriate ports
• (All Routers except Matrix X):
  1. Disable Spanning Tree (optional).
     › set spantree disable
  2. Disable GVRP (optional).
     › set gvrp disable
• Matrix X
  1. Optionally set the Spanning Tree state per port for the ports to be assigned to the VLAN from the switch CLI
     matrix-x(switch-rw)-> set spantree portadmin ge.1.1 disable
  2. Optionally set the GVRP state per port for the ports to be assigned to the VLAN from the switch CLI.
     matrix-x(switch-rw)-> set gvrp disable ge.1.1 disable

Page 20: Enterasys Routing 2010

Enterprise Routing – Basic Routing Config: Router Configuration Modes

• As soon as 2 or more routing interfaces are created (the figure shows VLAN 5 and VLAN 10), routing between VLANs is available.
• Enter Router mode
  - matrix(su)->router
• Enter Router privileged mode
  - matrix(su)->router>enable
• Enter configuration mode (Not needed on E1)
  - matrix(su)->router#configure
• Enter Interface configuration mode
  - matrix(su)->router(Config)# interface vlan 31
  - matrix(su)->router(Config-if(Vlan))#ip address 192.168.1.2 255.255.255.0
  - matrix(su)->router(Config-if(Vlan))#no shutdown
• Enter Router protocol configuration mode
  - matrix(su)->router(Config-if)# router rip
  - matrix(su)->router(Config-router)#network 192.168.1.0 255.255.255.0

Page 21: Enterasys Routing 2010

Enterprise Routing – Basic Routing Config: Loopback Interface Configuration

• A loopback is an internal interface not associated with any physical port
• When creating an IP interface on a loopback for the Matrix X, N, or E1, the following steps are recommended:
  Matrix>Router(config)# interface loopback 2
  Matrix>Router(config-if(Lpbk 1))# ip address 2.2.2.2 255.255.255.255
  Matrix>Router(config-if(Lpbk 1))# no shutdown
• By default, when an IP interface on a loopback is created on SecureStack, N, X, & E1, the interface is in a down state.
  - Therefore, no shutdown must be entered to bring up the loopback.
• Loopback interfaces are not associated with any VLAN.
• The loopback can be used for remote administration of the router in lieu of the host interface.
• You must use a routing protocol or static routing
• Use the loopback IP address for the BGP router identifier


Page 23: Enterasys Routing 2010

Enterprise Routing – Basic Routing Config: Static and Dynamic Routing Support

• Routers use routing protocols to maintain their routing tables. Routing tables can be maintained either statically or dynamically.
• Static Routes
  - Static routes are manually configured and entered into a switch’s routing table. Static routes take default precedence over routes chosen by dynamic routing protocols.
• Dynamic Routes
  - Dynamic routes are learned when routers send routing table information to each other.
  - The three forms of dynamic routing that are most commonly used are Distance Vector, Link State and Path Vector protocols.
    › Distance Vector Protocols
      - RIPv1 and RIPv2
      - DVMRP, PIM-SM, PIM-SSM (multicast)
    › Link State Protocols
      - OSPFv2
      - IS-IS
    › Path Vector Protocols
      - BGP4

Page 24: Enterasys Routing 2010

Enterprise Routing – Basic Routing Config: Configuring Static Routes

(Figure: Router 172.129.10.1, Router 10.10.1.1, Router 172.129.10.100)

• Configuring Static Routes
  - Static routes are manually configured and entered into a device’s routing table.

  Arguments: Destination Network, Mask, Next Hop

  C2(su)router->(Config)# ip route 10.10.1.0 255.255.255.0 172.129.10.1

  matrix-x(router-config)# ip route prefix {mask | masklen} {ipv4-address | interface-name | next-hop} [distance] [tag tag] [metric value] [unicast] [multicast] [noinstall] [reject] [retain] [blackhole]

Page 25: Enterasys Routing 2010

Enterprise Routing – Basic Routing Config: Routing Table Overview

• There are two show ip route commands, one in switch mode and one in router mode
• Switch mode
  - “show ip route” command shows Host routes:

SecureStackC2(su)->show ip route
ROUTE TABLE
Destination   Gateway       Mask      Tos  Flags  Refcnt  Use  Interface
-----------------------------------------------------------------------------
default       192.168.0.1   00000000  0    UGC    0       0    host
127.0.0.1     127.0.0.1     00000000  0    UH     0       0    loopback
192.168.0.0   192.168.0.2   ffffff00  0    UC     1       0    host
-----------------------------------------------------------------------------

• The host interface maintains a separate routing table from the VLAN interfaces
• Each can be separately viewed and maintained
• Each can have a separate and distinct default route

Page 26: Enterasys Routing 2010

Enterprise Routing – Basic Routing Config: Routing Table Overview

• Routing Mode
  - “show ip route” shows all static and dynamic routes
• To see the routing table for the routed IP interfaces, you must be in router mode.

SecureStackC2(su)->router> show ip route
Codes: C - connected, S - static, R - RIP, O - OSPF, IA - OSPF interarea
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       E - EGP, i - IS-IS, L1 - IS-IS level-1, LS - IS-IS level-2
       * - candidate default, U - per user static route
C 10.1.50.0/24 [cost 0] directly connected, Vlan 5
C 10.1.100.0/24 [cost 0] directly connected, Vlan 10
C 10.1.150.0/24 [cost 0] directly connected, Vlan 15
C 172.16.0.0/24 [cost 0] directly connected, Vlan 123
S 192.168.1.0/24 [cost 0] via 172.16.0.51, Vlan 123
S 192.168.100.0/24 [cost 0] via 172.16.0.37, Vlan 123
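The router-mode listing above is easy to parse, and doing so lets you check the forwarding decision the static-routes page describes (longest prefix first, then static over dynamic). The following is an added example written for this material, not Enterasys code: the sample listing is the slide's output plus two constructed lines (a RIP route for the same /24 and a /16 static route), and the numeric protocol preferences are an assumption of the example, chosen only so that connected beats static and static beats dynamic.

```python
"""Parse the router-mode 'show ip route' listing and resolve destinations.

Added example for this course material; it is not Enterasys code. The sample
listing is constructed from the slide's output plus two extra lines (a RIP route
and a /16 static route) to exercise precedence. Protocol preference values are an
assumption of this example, chosen only so that static beats dynamic as the
slides state, and connected beats everything.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the slide's table plus two extra routes (last two lines).
SHOW_IP_ROUTE = """\
Codes: C - connected, S - static, R - RIP, O - OSPF, IA - OSPF interarea
C 10.1.50.0/24 [cost 0] directly connected, Vlan 5
C 10.1.100.0/24 [cost 0] directly connected, Vlan 10
C 10.1.150.0/24 [cost 0] directly connected, Vlan 15
C 172.16.0.0/24 [cost 0] directly connected, Vlan 123
S 192.168.1.0/24 [cost 0] via 172.16.0.51, Vlan 123
S 192.168.100.0/24 [cost 0] via 172.16.0.37, Vlan 123
R 192.168.100.0/24 [cost 3] via 172.16.0.99, Vlan 123
S 192.168.0.0/16 [cost 0] via 172.16.0.1, Vlan 123
"""

# One route line: code, prefix, cost, then "directly connected" or "via <hop>", then the interface.
ROUTE_RE = re.compile(
    r"^(?P<code>\*?[A-Z]{1,2}\d?)\s+(?P<prefix>\d+\.\d+\.\d+\.\d+/\d+)\s+"
    r"\[cost (?P<cost>\d+)\]\s+(?:directly connected|via (?P<hop>[^,\s]+)),\s+(?P<iface>.+)$"
)

# Assumed preference order (lower wins): connected, static, then dynamic protocols.
PREFERENCE = {"C": 0, "S": 1, "O": 110, "IA": 110, "E1": 110, "E2": 110, "R": 120}


@dataclass(frozen=True)
class Route:
    code: str
    prefix: ipaddress.IPv4Network
    cost: int
    next_hop: Optional[str]   # None for directly connected
    interface: str


def parse_show_ip_route(text: str) -> List[Route]:
    """Turn the CLI listing into Route objects; legend and blank lines are skipped."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m is None:
            continue
        routes.append(Route(m["code"], ipaddress.ip_network(m["prefix"]),
                            int(m["cost"]), m["hop"], m["iface"].strip()))
    return routes


def lookup(routes: List[Route], destination: str) -> Optional[Route]:
    """Longest-prefix match; ties broken by protocol preference, then cost."""
    dst = ipaddress.ip_address(destination)
    candidates = [r for r in routes if dst in r.prefix]
    if not candidates:
        return None   # no matching route and no default route in this table
    return min(candidates,
               key=lambda r: (-r.prefix.prefixlen, PREFERENCE.get(r.code, 255), r.cost))


if __name__ == "__main__":
    table = parse_show_ip_route(SHOW_IP_ROUTE)
    for dst in ("10.1.50.7", "192.168.100.9", "192.168.50.1", "8.8.8.8"):
        r = lookup(table, dst)
        print(dst, "->", "no route" if r is None
              else f"{r.code} {r.prefix} via {r.next_hop or r.interface}")
```

The /24 static route wins over the RIP route to the same prefix because the preference key is consulted only after prefix length, which is why 192.168.100.9 resolves to 172.16.0.37 while 192.168.50.1 falls through to the /16.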


Page 28: Enterasys Routing 2010

Matrix Routing Configuration Guide – RIP: Overview

• RIP is a standards-based form of distance-vector routing, using the “Bellman-Ford” algorithm.
• Two versions of RIP available today:
  - RIP version 1, defined by RFC 1058 (STD 34) 6/88
  - RIP version 2, defined by RFC 2453 (STD 56) 8/99
• The routing decision selects the shortest path based on “hop count.”
  - Each router is one “hop.”
  - RIP has a 15 hop-count limitation.
• RIP updates occur every 30 seconds and send the entire routing table contents.
  - IP/UDP port 520
  - Up to 25 routes per packet
• Subsequent to a topology change, convergence time increases significantly with network size
• RIPv2 differences from RIPv1:
  - Includes the network mask, which supports variable-length subnet masking.
  - Transmits RIPv2 updates as multicast, rather than broadcast (both are supported).
  - Provides an authentication mechanism not supported by RIPv1.
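The slide's rules (one hop per router, 16 hops meaning unreachable, full-table updates every cycle) are enough to simulate RIP's convergence and to see why the OSPF section later calls out count-to-infinity delays. The following simulation is an added example, not Enterasys code; its three-router chain, network names and the failure it injects are constructed, and it deliberately omits split horizon so that the slow count to 16 after a failure is visible.

```python
"""Distance-vector routing the way the RIP slides describe it.

Added example, not Enterasys code. Every router is one hop, 16 hops means
unreachable (the 15-hop limit), and each update cycle sends the whole table to
every neighbor. Routers, networks and the failure below are constructed; the
simulation deliberately has no split horizon, so a withdrawn network shows the
count-to-infinity behaviour that the OSPF overview later cites as RIP's weakness.
"""
from typing import Dict, Set, Tuple

INFINITY = 16                          # RIP: a hop count of 16 is unreachable
Table = Dict[str, Tuple[int, str]]     # network -> (hop count, next hop or "direct")

# Constructed topology: which networks each router is directly attached to.
ATTACHED: Dict[str, Set[str]] = {
    "R1": {"10.1.1.0/24", "10.0.12.0/24"},
    "R2": {"10.0.12.0/24", "10.0.23.0/24"},
    "R3": {"10.0.23.0/24", "10.3.3.0/24"},
}


def initial_tables(attached) -> Dict[str, Table]:
    """Before any update, a router knows only its directly connected networks (metric 1)."""
    return {r: {net: (1, "direct") for net in nets} for r, nets in attached.items()}


def neighbors(attached) -> Dict[str, list]:
    """Two routers are neighbors when they share a network (sorted for determinism)."""
    return {r: sorted(o for o in attached if o != r and attached[r] & attached[o])
            for r in attached}


def exchange_round(tables, adj):
    """One 30-second cycle: every router processes its neighbors' full tables (Bellman-Ford)."""
    updated = {}
    for r, table in tables.items():
        new = dict(table)
        for nb in adj[r]:
            for net, (hops, _) in tables[nb].items():
                metric = min(hops + 1, INFINITY)
                cur = new.get(net)
                # install if unknown, better, or if our current next hop changed its own metric
                if cur is None or metric < cur[0] or (cur[1] == nb and metric != cur[0]):
                    new[net] = (metric, nb)
        updated[r] = new
    return updated


def converge(tables, adj, max_rounds=50):
    """Run update rounds until nothing changes; returns (tables, rounds that changed something)."""
    for n in range(max_rounds):
        new = exchange_round(tables, adj)
        if new == tables:
            return tables, n
        tables = new
    return tables, max_rounds


def withdraw(tables, router, net):
    """Simulate the router losing its directly connected network."""
    result = {r: dict(t) for r, t in tables.items()}
    result[router][net] = (INFINITY, "direct")
    return result


if __name__ == "__main__":
    adj = neighbors(ATTACHED)
    tables, rounds = converge(initial_tables(ATTACHED), adj)
    print(f"converged after {rounds} rounds; R1 reaches 10.3.3.0/24 via",
          tables["R1"]["10.3.3.0/24"])
    tables, rounds = converge(withdraw(tables, "R3", "10.3.3.0/24"), adj)
    print(f"after the failure it took {rounds} rounds for every router to reach metric 16")
```

Initial convergence takes two update cycles for this chain, but once R3 loses 10.3.3.0/24 the routers keep re-learning the stale route from each other, one hop worse each time, and need fourteen cycles (seven minutes at the 30-second interval) before all of them hold metric 16.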

Page 29: Enterasys Routing 2010

Matrix Routing Configuration Guide – RIP: Simple RIPv1 Configuration

• Steps to configure a simple RIPv1 configuration
  - Create IP Interfaces
  - Add IP Address to IP interfaces
  - Create RIP Instance
  - Add RIP Networks
  - Enable RIP

Page 30: Enterasys Routing 2010

Matrix Routing Configuration Guide – RIP: Simple RIPv1 Configuration

Configuration steps:

Router1>Router(config)# interface vlan 11
Router1>Router(config-if(Vlan 11))# ip address 10.1.1.1/24
Router1>Router(config-if(Vlan 11))# no shutdown
Router1>Router(config-if(Vlan 11))# exit
Router1>Router(config)# interface vlan 12
Router1>Router(config-if(Vlan 12))# ip address 10.1.2.1/24
Router1>Router(config-if(Vlan 12))# no shutdown
Router1>Router(config-if(Vlan 12))# exit
Router1>Router(config)# router rip
Router1>Router(config-router)# network 10.1.1.0
Router1>Router(config-router)# network 10.1.2.0
Router1>Router(config-router)# exit
Router1>Router(config)

Resulting configuration:

Router1>Router#show running-config
interface vlan 11
ip address 10.1.1.1 255.255.255.0
no shutdown
interface vlan 12
ip address 10.1.2.1 255.255.255.0
no shutdown
!
router rip
network 10.1.1.0
network 10.1.2.0

Note: On the Matrix E1, all IP interfaces are automatically enabled for RIP


Page 32: Enterasys Routing 2010

Enterprise Routing – Basic Routing Config: File Management – SecureStack

• dir - Use this command to list files stored in the file system.
  - dir [filename]

  matrix-x(switch-su)-> dir usb:base/config/*
  usb:base/config/
  ==================================================
  Name        : myconfig_2Feb
  Type        : Unknown
  Size        : 43 bytes
  Last Access : Thu Feb 2 12:30:00 2006
  Modification: Thu Feb 2 12:30:00 2006
  Last Change : Thu Feb 2 12:30:00 2006
  Available space on USB drive: 71237632 bytes

• show config - Use this command to display the system configuration or write the configuration to a file.
  - show config [all | facility] [outfile {configs/filename}]

  C3(rw)->show config all outfile configs/save_config2
  C3(rw)->show config port

Page 33: Enterasys Routing 2010

Enterprise Routing – Basic Routing Config: File Management – SecureStack

• configure - Use this command to execute a previously downloaded configuration file stored on the device.
  - configure filename [append]

  C2/C3(su)->configure configs/myconfig
  E1(su)->configure myconfig.cfg
  DFE(su)->configure slot1/myconfig

• copy - Use this command to upload or download an image or a CLI configuration file.
  - copy source destination

  C3(su)-> copy tftp://134.141.89.34/ets-mtxe7-msi newimage

• delete - Use this command to remove an image or a CLI configuration file from the Matrix system.
  - delete filename

  C3(su)->delete configs/Jan1_2004.cfg

Page 34: Enterasys Routing 2010

Enterprise Routing – Basic Routing Config: File Management

• show file - This command displays the contents of a text file located in a directory in the file system on the active or standby CM, or on a USB drive connected to the active or standby CM.
  - show file {core | images | public | local | log | trace}/filename
  - show file standby:{core | local | log | trace}/filename
  - show file usb:pathname
  - show file standby:usb:pathname

• Example - show file
  The following example displays the contents of a text file named “myfile” in the public/ directory on the active CM:

  matrix-x(switch-su)-> show file public/myfile
  set width 150
  set banner motd "no message today"
  set prompt "matrix-x"

Page 35: Enterasys Routing 2010

Enterprise Routing – Basic Routing Config: File Management

• show config - This command displays the system configuration or writes the configuration to a file.
  - show config [all] [outfile path-to/outfilename] [plain] [prettyprint] [| search regexp]

• configure - This command executes a configuration file stored on the X Router or on a remote server. (Matrix X only)
  - configure {public | local}/filename [append]
  - configure standby:local/filename [append]
  - configure service://[username@]remote-host/path-to-remote-file [append]
  - configure usb:pathname
  - configure standby:usb:pathname

• write file – This command saves the router configuration (E1 and N Series)
  - write file


Page 37: Enterasys Routing 2010

Enterprise Routing – Basic Routing Config: Additional Information about the Host Interface

• The host interface must be assigned to a VLAN (VLAN 1 is the default).
• The host interface is always up and utilizes a route table independent from the route table used for forwarding data
• On the E1 and N, the host interface may be on the same network as the routed VLAN IP interface
• The C2/C3 host interface address can not be assigned to the same network as the local routed VLAN interface. For device connectivity, use the router interface to communicate to the device.
• The Matrix X has a dedicated Ethernet port for LAN access to the host interface

  matrix> set host vlan vlan-id
  matrix> show host vlan
  matrix> clear host vlan
  Matrix E7 Platinum(su)-> set port vlan host.0.1 vlan-id

Page 38: Enterasys Routing 2010


Enterprise Routing

OSPF Configurations

Page 39: Enterasys Routing 2010

Enterprise Routing - OSPF: Module Topics

• Overview of OSPF Routing Protocol
• OSPF Features & Limits
• Configuration
  - Simple Configuration
  - Advanced Configuration

Page 40: Enterasys Routing 2010

Enterprise Routing - OSPF: Overview of OSPF Routing Protocol

• OSPF primary characteristics:
  - It is “open” in that its specification is in the public domain
  - It is based on Dijkstra’s Shortest Path First algorithm
• Developed by the Interior Gateway Protocol (IGP) working group of the IETF (mid-1980s)
  - RFC 2328
  - RFC 1583
• OSPF was created because RIP was increasingly unable to serve large, heterogeneous networks
  - Routing loops occurred with sudden topology changes
  - Using a distance metric to determine reachability resulted in count-to-infinity delays
  - Slow convergence
• Uses the best effort transport mechanism of IP
  - Protocol number 89
  - Uses both IP Unicast and Multicast addresses
    › 224.0.0.5
    › 224.0.0.6

Page 41: Enterasys Routing 2010

Enterprise Routing - OSPF: Overview of OSPF Routing Protocol

• Faster convergence than distance vector algorithms
• A more descriptive routing metric
  - Configurable per outbound interface
  - Interface value between 1 and 65,535
• Equal-cost multipath
  - If multiple equal cost paths to a destination exist, the paths are inserted in the routing table
  - Load balancing among the routes
• Routing Hierarchy
  - Routing domain can be divided into areas for ease of management and control
  - Support for route summarization and aggregation by area
• Security
  - Simple or MD5 Authentication

Page 42: Enterasys Routing 2010

Enterprise Routing - OSPF: Overview of OSPF Routing Protocol

• Link State Advertisements (LSAs)
  - Describe a local piece of the routing topology
  - As accumulated from all routers in the area/domain, form a link state database
• Link State Database
  - Describes the complete routing topology
  - Identical for all the routers within the same area, when a network has converged
  - Distributed, replicated database model
  - Routing table is re-computed from the database only when topology changes occur
• Distribution of LSAs uses reliable flooding
  - Link State Updates advertise topology changes and keep entries up-to-date
  - Large RIP update packets advertise the entire route table every 30 seconds and age out in 90 sec
  - Individual entries are refreshed every 30 minutes – age out after 60 minutes
  - Uses multicasting to minimize network disruption
  - Has its own acknowledgement protocol to ensure reliable packet delivery
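The three OSPF overview slides above describe the pieces an SPF run needs: per-outbound-interface costs, a link state database that is identical on every router once converged, and equal-cost paths all installed in the routing table. The following is an added example, not Enterasys code, that puts those pieces together: the LSDB is a constructed set of router LSAs keyed by router id, a link counts only when both ends advertise it, every equal-cost next hop is kept, and a helper compares the database copies from several routers the way the consistency requirement demands.

```python
"""Shortest-path-first over a link-state database, with equal-cost multipath.

Added example, not Enterasys code. The LSDB below is constructed: each router
LSA lists the links the router advertises as (neighbor router id, outbound cost),
so the two directions of a link may carry different costs, matching the slides'
per-outbound-interface metric. A link counts only when both ends advertise it,
and every equal-cost next hop is retained so the routing table can load-balance.
"""
import heapq
from typing import Dict, List, Set, Tuple

LSDB = Dict[str, List[Tuple[str, int]]]

SAMPLE_LSDB: LSDB = {   # constructed single-area database
    "1.1.1.1": [("2.2.2.2", 10), ("3.3.3.3", 10)],
    "2.2.2.2": [("1.1.1.1", 10), ("4.4.4.4", 10)],
    "3.3.3.3": [("1.1.1.1", 10), ("4.4.4.4", 10)],
    "4.4.4.4": [("2.2.2.2", 10), ("3.3.3.3", 10), ("5.5.5.5", 5)],
    # 5.5.5.5 also claims a link to 6.6.6.6, but 6.6.6.6 has no LSA: one-way, ignored
    "5.5.5.5": [("4.4.4.4", 5), ("6.6.6.6", 1)],
}


def bidirectional(lsdb: LSDB, a: str, b: str) -> bool:
    """True when router b's LSA also lists a link back to a."""
    return any(back == a for back, _ in lsdb.get(b, []))


def spf(lsdb: LSDB, root: str) -> Dict[str, Tuple[int, Set[str]]]:
    """Dijkstra from root; returns {router: (cost, set of next-hop routers)}."""
    dist = {root: 0}
    nexthops: Dict[str, Set[str]] = {root: set()}
    done: Set[str] = set()
    heap = [(0, root)]
    while heap:
        cost, node = heapq.heappop(heap)
        if node in done:
            continue
        done.add(node)
        for nb, link_cost in lsdb.get(node, []):
            if nb in done or not bidirectional(lsdb, node, nb):
                continue
            new_cost = cost + link_cost
            via = {nb} if node == root else nexthops[node]   # first router after root
            if nb not in dist or new_cost < dist[nb]:
                dist[nb] = new_cost
                nexthops[nb] = set(via)
                heapq.heappush(heap, (new_cost, nb))
            elif new_cost == dist[nb]:
                nexthops[nb] |= via                            # equal-cost path: keep it
    return {r: (dist[r], nexthops[r]) for r in dist}


def lsdb_identical(copies: List[LSDB]) -> bool:
    """The consistency check the slides call for: every router's copy must be the same."""
    canon = [{r: sorted(links) for r, links in c.items()} for c in copies]
    return all(c == canon[0] for c in canon)


if __name__ == "__main__":
    for router, (cost, hops) in sorted(spf(SAMPLE_LSDB, "1.1.1.1").items()):
        print(f"{router:8} cost {cost:3} next hops {sorted(hops)}")
```

From 1.1.1.1 the two paths to 4.4.4.4 (via 2.2.2.2 and via 3.3.3.3) cost 20 each, so both next hops are installed and inherited by 5.5.5.5 behind it; 6.6.6.6 never appears because only one side advertises that link.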

Page 43: Enterasys Routing 2010

Enterprise Routing - OSPFOverview of OSPF Routing Protocol

• The network topology must appear consistent - the link state database must be identical on all routers

• All entities in the routing domain use unique 32 bit numbers for identification
- Routers are assigned a 'router ID', normally based on their IP address
- Networks use either their network ID or the IP address of a router interface on that network
- Areas are strictly administratively assigned

• Routers use the OSPF Hello protocol to identify neighbors and maintain neighbor relationships

• Only routers in an "adjacency" state are permitted to exchange link state information
- The necessity of ensuring consistency in the LSDB prohibits simple broadcasting of route information
- Flooding information uses a split horizon technique

• In multi-access networks, a Designated Router (DR) is 'elected' to ensure reliable distribution of LSA's
- A Backup Designated Router (BDR) is also elected


Page 44: Enterasys Routing 2010

The OSPF “Area” - Definition

• Definition of an OSPF area
- Identified by dotted-decimal format (Ex: 0.0.0.1)
› No association with the IPv4 addresses of IPv4 nodes in the area
› When an IPv4 interface is enabled with OSPF, it is associated with an area
- Each router interface belongs to only 1 area; therefore,
- Each network belongs to only 1 area
- A router may belong to multiple areas by having interfaces in different areas
- Multiple networks and router interfaces may belong to a single area

• Example: (diagram) 10.10.10.0/24, with interfaces 10.10.10.1/24 and 10.10.10.2/24, is in Area 0.0.0.34; 20.30.20.0/24, with interfaces 20.30.20.1/24 and 20.30.20.2/24, and 50.30.20.0/24, with interface 50.30.20.2/24, are in Area 0.0.0.0.

Page 45: Enterasys Routing 2010

The OSPF “Area” - Implications

• OSPF Router Classification:
- Area Border Router (referred to as ABR's)
› Router that has interfaces in at least two different areas
- Autonomous System Border Router (referred to as ASBR's)
› Router that has an interface running a different routing protocol
- Internal Router:
› Router's interfaces completely contained within an OSPF area

• Example: (diagram) the same topology as on the previous slide, labelled as the OSPF IGP domain: 10.10.10.0/24 in Area 0.0.0.34, and 20.30.20.0/24 and 50.30.20.0/24 in Area 0.0.0.0; a separate BGP domain adjoins the OSPF domain.

Page 46: Enterasys Routing 2010

The OSPF Backbone Example

(diagram) Routers A, B, C, D and E; Area 1.1.1.1, Area 0.0.3.5, Area 0.0.0.12 and Area 1.0.4.232 each attach to the Backbone, Area 0.0.0.0.

Page 47: Enterasys Routing 2010

Inter-Area Routing Example

(diagram) Three areas: Area 0.0.0.1, Area 0.0.0.2 and the backbone Area 0.0.0.0, with routers A through G; F and G are the Area Border Routers. Networks 10.0.0.0/24, 20.0.0.0/24, 30.0.0.0/24, 40.0.0.0/24, 50.0.0.0/24 and 60.0.0.0/24 are spread across the areas, and each area's route table lists its intra-area routes separately from the inter-area routes learned through the ABRs.

Page 48: Enterasys Routing 2010

OSPF Designated Router (DR)

(diagram) Router A, the DR and the BDR on 10.0.0.0/24

• Example:
- Router A has new routing information, in the form of an LSA, to flood to all on-link routers, but Router A is adjacent to the DR and BDR, not to all on-link routers
- Router A floods an OSPF packet that includes the LSA to the DR (and BDR) by using the AllDRouters multicast address of 224.0.0.6
› Only DR and BDR OSPF routers listen to the AllDRouters multicast address
- The DR floods the LSA to all on-link OSPF routers by using the AllSPFRouters multicast address of 224.0.0.5
- The BDR monitors the LSA flooding from the DR and will flood the LSA itself if it does not receive the LSA from the DR's flooding within a certain amount of time
- Note that all routing information exchange occurred over established adjacencies


Page 49: Enterasys Routing 2010

Example: SPF Algorithm performed by Router 1.1.1.3

(diagram) Six routers, 1.1.1.1 through 1.1.1.6, with link costs; Router 1.1.1.3 is the root of the shortest-path tree.

Iteration | Destination Added to Shortest-Path Tree | Candidate List: Destination (cost, next hops)

Iteration 1 - added to tree: 1.1.1.3
  candidates: 1.1.1.5 (1, 1.1.1.5), 1.1.1.2 (2, 1.1.1.2), 1.1.1.1 (4, 1.1.1.1)
Iteration 2 - added to tree: 1.1.1.5 (Next-Hop 1.1.1.5)
  candidates: 1.1.1.2 (2, 1.1.1.2), 1.1.1.4 (3, 1.1.1.5), 1.1.1.1 (4, 1.1.1.1), 1.1.1.6 (9, 1.1.1.5)
Iteration 3 - added to tree: 1.1.1.2 (Next-Hop 1.1.1.2)
  candidates: 1.1.1.4 (3, 1.1.1.5; 1.1.1.2), 1.1.1.1 (4, 1.1.1.1; 1.1.1.2), 1.1.1.6 (9, 1.1.1.5)
Iteration 4 - added to tree: 1.1.1.4 (Next-Hop 1.1.1.5, 1.1.1.2)
  candidates: 1.1.1.1 (4, 1.1.1.1; 1.1.1.2), 1.1.1.6 (9, 1.1.1.5; 1.1.1.2)
Iteration 5 - added to tree: 1.1.1.1 (Next-Hop 1.1.1.1, 1.1.1.2)
  candidates: 1.1.1.6 (9, 1.1.1.5; 1.1.1.2)
Iteration 6 - added to tree: 1.1.1.6 (Next-Hop 1.1.1.5, 1.1.1.2)
  candidates: Empty
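The SPF run above, as an added Python example (not code from the course): Dijkstra over a link state database, keeping every equal-cost next hop the way the table does for 1.1.1.4, 1.1.1.1 and 1.1.1.6. The link costs in LINKS are an assumption, chosen to be consistent with the table; they are not taken from the slide.

```python
# Constructed topology (router A, router B, cost). The costs are an assumption
# chosen so that the run reproduces the slide's table; they are not from the course.
LINKS = [
    ("1.1.1.3", "1.1.1.5", 1), ("1.1.1.3", "1.1.1.2", 2), ("1.1.1.3", "1.1.1.1", 4),
    ("1.1.1.5", "1.1.1.4", 2), ("1.1.1.5", "1.1.1.6", 8),
    ("1.1.1.2", "1.1.1.4", 1), ("1.1.1.2", "1.1.1.1", 2),
    ("1.1.1.4", "1.1.1.6", 6),
]

def build_lsdb(links):
    """Symmetric adjacency map standing in for the link state database."""
    lsdb = {}
    for a, b, cost in links:
        lsdb.setdefault(a, {})[b] = cost
        lsdb.setdefault(b, {})[a] = cost
    return lsdb

def spf(lsdb, root):
    """Dijkstra rooted at `root`. Returns (tree, iterations): tree maps each
    destination to (cost, sorted next hops) and keeps every equal-cost next hop,
    which is what ECMP forwards over; iterations records, per pass, the
    destination moved to the tree and a snapshot of the candidate list."""
    tree, iterations = {}, []
    candidates = {root: (0, set())}                 # dest -> (cost, next hops)
    while candidates:
        dest = min(candidates, key=lambda d: candidates[d][0])  # cheapest candidate
        cost, hops = candidates.pop(dest)
        tree[dest] = (cost, sorted(hops))
        for nbr, link_cost in lsdb[dest].items():
            if nbr in tree:
                continue
            new_cost = cost + link_cost
            # at the root the next hop is the neighbour itself; further out it is
            # inherited from the path that reached `dest`
            new_hops = {nbr} if dest == root else set(hops)
            current = candidates.get(nbr)
            if current is None or new_cost < current[0]:
                candidates[nbr] = (new_cost, new_hops)
            elif new_cost == current[0]:
                current[1].update(new_hops)        # equal cost: add a next hop
        snapshot = {d: (c, sorted(h)) for d, (c, h) in candidates.items()}
        iterations.append((dest, snapshot))
    return tree, iterations

def format_table(iterations):
    """Render the iterations in the slide's layout (one line per iteration)."""
    lines = []
    for i, (dest, cands) in enumerate(iterations, 1):
        ordered = sorted(cands.items(), key=lambda kv: kv[1][0])
        cand_txt = ", ".join(f"{d} ({c}, {'; '.join(h)})" for d, (c, h) in ordered)
        lines.append(f"{i}  {dest:<8}  {cand_txt or 'Empty'}")
    return lines

if __name__ == "__main__":
    tree, iterations = spf(build_lsdb(LINKS), "1.1.1.3")
    print("\n".join(format_table(iterations)))
```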

Page 50: Enterasys Routing 2010

Enterprise Routing - OSPF
Module Topics

• Overview of OSPF Routing Protocol

• OSPF Features & Limits

• Configuration
- Simple Configuration
- Advanced Configuration

Page 51: Enterasys Routing 2010

Enterprise Routing - OSPF
OSPF Features

• Common OSPF Features Supported on Matrix X, DFE, E1, & C2/C3
- ECMP
- Timers
› Hello
› Dead
› Transmit Interval
› Transmit delay
› spf
- Authentication
› Simple
› MD5
- Redistribution
› Static
› RIP
› Direct
› BGP *
› IS-IS *
› Aggregate *
› OSPF *
› OSPF-ASE *
- Cost
- Priority
- Stub
› NSSA
› Totally Stub
- Virtual Links
- Summarization
- Route Administrative Distance
- Specify Neighbor router
› Not supported in C2/C3
- Passive Interface

* Supported only on the Matrix X Router

Page 52: Enterasys Routing 2010

Enterprise Routing - OSPF
Module Topics

• Overview of OSPF Routing Protocol

• OSPF Features & Limits

• Configuration
- Simple Configuration
- Advanced Configuration

Page 53: Enterasys Routing 2010

Enterprise Routing - OSPF
Simple Configuration Process

• OSPF Process
- VLAN setup
› Disable GVRP and spanning tree
› Create VLANs and assign ports to VLANs
› Configure VLAN interfaces
- OSPF Configuration
› Create an OSPF instance
› Configure OSPF networks and areas
- C2/C3 additional OSPF steps
› Ensure the advanced routing license is set up
› Enable OSPF
› Set up the Router ID

Page 54: Enterasys Routing 2010

Enterprise Routing – OSPF
OSPF config C2/C3 only

• From router config mode (C2/C3)

• The C2 requires an advanced license to route OSPF
- router# license advanced 140b7d4541c8812c

• Create an OSPF instance
- router ospf 10

• Create a Router ID
- router id 5.5.5.5

• From each VLAN interface (C2/C3)

• Create an ip proxy-arp default-route
- ip proxy-arp default-route

• Associate the VLAN to an area
- ip ospf areaid 0.0.0.0

• Be sure to enable OSPF on each VLAN
- ip ospf enable

Page 55: Enterasys Routing 2010

Enterprise Routing - OSPF
Create an OSPF config

• From router config mode

• Create an OSPF instance

- router ospf 10

• Create an OSPF network, associate it with a subnet using a reverse (wildcard) mask, and tell it which area it is part of.

- network 20.1.2.0 0.0.0.255 area 0.0.0.0

- network 20.1.3.0 0.0.0.255 area 1

Note: For N-Series routers, ensure that the advanced router license is installed

Page 56: Enterasys Routing 2010

Enterprise Routing - OSPF
Simple Configuration Process

• OSPF Information

• show ip route

• show ip ospf

• show ip ospf interface

• show ip ospf area 0.0.0.0

• show ip ospf database

Page 57: Enterasys Routing 2010

Enterprise Routing - OSPF
Simple Configuration Process

• show ip route

Router1>Router#show ip route
Codes: C-connected, S-static, R-RIP, B-BGP, O-OSPF, IA-OSPF interarea
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       E - EGP, i - IS-IS, L1 - IS-IS level-1, LS - IS-IS level-2
       * - candidate default, U - per-user static route, o - ODR

S     111.1.3.0/24 [20/0] via 10.1.1.2, Vlan 11
S     111.1.2.0/24 [20/0] via 10.1.1.2, Vlan 11
S     111.1.1.0/24 [20/0] via 10.1.1.2, Vlan 11
O IA  30.1.3.0/24 [110/40] via 10.1.2.2, Vlan 12
O IA  30.1.2.0/24 [110/40] via 10.1.2.2, Vlan 12
O IA  30.1.1.0/24 [110/40] via 10.1.2.2, Vlan 12
C     20.1.3.0/24 [0/1] directly connected, Vlan 11
C     20.1.2.0/24 [0/1] directly connected, Vlan 11
C     20.1.1.0/24 [0/1] directly connected, Vlan 11
O IA  10.3.2.0/24 [110/30] via 10.1.2.2, Vlan 12
O IA  10.2.1.0/24 [110/20] via 10.1.2.2, Vlan 12
O IA  10.3.1.0/24 [110/40] via 10.1.2.2, Vlan 12
C     10.1.2.0/24 [0/1] directly connected, Vlan 12
C     10.1.1.0/24 [0/1] directly connected, Vlan 11

Page 58: Enterasys Routing 2010

Enterprise Routing - OSPF
Advanced Configuration Process

• Redistribute Routes

Router1>Router(config)# router ospf 10
Router1>Router(config-router)# redistribute static metric 22 subnets
Router1>Router(config-router)# exit
Router1>Router(config)#

(callouts on the slide: "metric 22" = New Path Cost; "subnets" = Include all subnets)

Page 59: Enterasys Routing 2010

Enterprise Routing - OSPF
Simple Configuration Process

• Setting the Router ID to the loopback address

Router1>Router(config)# interface loopback 2
Router1>Router(config-if(Lpbk 2))# ip address 1.1.1.1 255.255.255.255
Router1>Router(config-if(Lpbk 2))# no shutdown
Router1>Router(config-if(Lpbk 2))# exit
Router1>Router(config)# router id 1.1.1.1

Page 60: Enterasys Routing 2010

Enterprise Routing - OSPF
Simple Configuration Process

• Set the Designated Router priority

• All Others

Router1>Router(config)# interface vlan 12
Router1>Router(config-if(Vlan 12))#ip ospf priority 100
Router1>Router(config-if(Vlan 12))#exit

• Matrix X

Router1>Router(config)#network ospf 10
Router1>Router(config-router-ospf)#ip ospf priority 100
Router1>Router(config-router-ospf)#exit

Page 61: Enterasys Routing 2010

Enterprise Routing - OSPF
Advanced Configuration Process

• Summarization

Router1>Router(config)# router ospf 10
Router1>Router(config-router)# area 0.0.0.1 range 20.1.0.0 255.255.0.0
Router1>Router(config-router)# exit

Page 62: Enterasys Routing 2010

Enterprise Routing - OSPF
Simple Configuration Process

• Setup Authentication (Simple)

• C2/C3

Router1>Router(config)# interface vlan 12
Router1>Router(config-if(Vlan 12))#ip ospf authentication-key redsox

• Matrix X

Router1>Router(config)# interface vlan 12
Router1>Router(config-if(Vlan 12))#ip ospf authentication simple redsox

• All Others

Router1>Router(config)# router ospf 10
Router1>Router(config-router)# area 0.0.0.1 authentication simple
Router1>Router(config-router)# exit

Router1>Router(config)# interface vlan 12
Router1>Router(config-if(Vlan 12))#ip ospf authentication redsox
Router1>Router(config-if(Vlan 12))#exit

Page 63: Enterasys Routing 2010

Enterprise Routing - OSPF
Simple Configuration Process

• Setup Authentication (MD5)

• Matrix X and C2/C3

Router3(rw)->Router1(config)#interface vlan 32
Router3(rw)->Router1(config-if(Vlan 32))#ip ospf message-digest-key 22 md5 pats05
Router3(rw)->Router1(config-if(Vlan 32))#exit

• All Others

Router3(rw)->Router1(config)#router ospf 10
Router3(rw)->Router1(config-router)#area 0.0.0.2 authentication message-digest
Router3(rw)->Router1(config-router)#exit

Router3(rw)->Router1(config)#interface vlan 32
Router3(rw)->Router1(config-if(Vlan 32))#ip ospf message-digest-key 22 md5 pats05
Router3(rw)->Router1(config-if(Vlan 32))#exit
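What the MD5 mode configured above (key ID 22, key pats05) buys over simple authentication: simple authentication carries the password itself in every OSPF header, while MD5 authentication (RFC 2328 Appendix D) carries a key ID and a cryptographic sequence number and appends a digest computed over the packet plus the key, so a receiver can reject altered and replayed packets. The following is an added Python model of that scheme, not code from the course or from the Enterasys products; the Hello body, the router/area IDs and the per-neighbour sequence state are constructed, and the model zero-pads keys shorter than 16 bytes as common implementations do.

```python
import hashlib
import hmac
import struct

AUTYPE_MD5 = 2
KEY_LEN = 16        # 16-octet key; this model zero-pads shorter keys (RFC 2328 App. D)
HDR_LEN = 24

def _pack(pkt_type, router_id, area_id, body, auth_field):
    # version 2, type, length (header + body; the trailing digest is not counted),
    # router ID, area ID, checksum (0 when MD5 auth is in use), AuType, 8-byte auth field
    hdr = struct.pack("!BBH4s4sHH", 2, pkt_type, HDR_LEN + len(body),
                      router_id, area_id, 0, AUTYPE_MD5) + auth_field
    return hdr + body

def sign(pkt_type, router_id, area_id, body, key_id, key, seq):
    """Build an authenticated OSPF packet: header + body + 16-byte MD5 digest."""
    # auth field: 0 (16 bits), Key ID, Auth Data Len, cryptographic sequence number
    auth_field = struct.pack("!HBBI", 0, key_id, KEY_LEN, seq)
    pkt = _pack(pkt_type, router_id, area_id, body, auth_field)
    digest = hashlib.md5(pkt + key.ljust(KEY_LEN, b"\0")).digest()
    return pkt + digest

class Receiver:
    """Receiving interface: key table plus the highest sequence number accepted
    from each neighbour (constructed state; one entry per neighbour router ID)."""
    def __init__(self, keys):
        self.keys = keys          # {key_id: key bytes}
        self.last_seq = {}        # neighbour router ID -> last accepted seq

    def verify(self, wire):
        """Return (accepted, reason). Nothing in the packet is trusted until the
        digest has been recomputed with the locally configured key."""
        if len(wire) < HDR_LEN + KEY_LEN:
            return False, "too short"
        _ver, _type, length, rid, _area, _csum, autype = struct.unpack("!BBH4s4sHH", wire[:16])
        if autype != AUTYPE_MD5 or length + KEY_LEN != len(wire):
            return False, "bad autype or length"
        _zero, key_id, auth_len, seq = struct.unpack("!HBBI", wire[16:HDR_LEN])
        key = self.keys.get(key_id)
        if key is None or auth_len != KEY_LEN:
            return False, "unknown key id"
        if seq < self.last_seq.get(rid, 0):          # replay: sequence went backwards
            return False, "replayed sequence number"
        pkt, digest = wire[:length], wire[length:]
        expected = hashlib.md5(pkt + key.ljust(KEY_LEN, b"\0")).digest()
        if not hmac.compare_digest(digest, expected):
            return False, "digest mismatch"
        self.last_seq[rid] = seq
        return True, "ok"

if __name__ == "__main__":
    # constructed sample: Hello (type 1) from router 1.1.1.1 in area 0.0.0.2, key 22 / pats05
    rid, area, key = bytes([1, 1, 1, 1]), bytes([0, 0, 0, 2]), b"pats05"
    rx = Receiver({22: key})
    good = sign(1, rid, area, b"hello-body", 22, key, 1000)
    altered = good[:30] + bytes([good[30] ^ 1]) + good[31:]   # one body bit changed
    stale = sign(1, rid, area, b"hello-body", 22, key, 999)  # older sequence number
    print(rx.verify(good), rx.verify(altered), rx.verify(stale))
```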

Page 64: Enterasys Routing 2010


Enterprise Routing
ACL Configurations

Page 65: Enterasys Routing 2010

Enterprise Routing – ACLs
Module Topics

• Access Control Lists

• Policy Based Routing


Page 66: Enterasys Routing 2010


ESE Enterprise Routing – ACLs
Basic IP ACLs

• Access Control List (ACL) Configuration
- Enterasys routers support the configuration of both standard and extended ACL's.
› A standard ACL supports traffic control based on only the source IP address.
› An extended ACL supports traffic control based on both the source and destination IP address, as well as protocol and layer 4 port.
› All ACL's are set with an implicit deny all rule as the last rule upon ACL creation.
- ACL's may be created in two different ways:
1. Numbered ACL Configuration
› ACL rules are added to and deleted from an ACL group through CLI commands from router configuration CLI mode.
2. Named ACL Configuration – Matrix X only
› ACL rules are added, deleted, and re-sequenced in an ACL group from the router's ACL configuration CLI mode.

Page 67: Enterasys Routing 2010


ESE Enterprise Routing – ACLs
Access Control List (ACL) Configuration

• An ACL filters traffic to permit or deny on a per-packet basis

• Support for inbound or outbound filtering based on platform

• Configuration Limits
- Only one ACL, standard or extended, may be statically applied per interface.
- An ACL can contain up to a set maximum number of rules plus the implicit deny all rule.
- ACL rules are added to and deleted from an ACL group through CLI commands from router configuration CLI mode.
- On Matrix X, each layer 2 classification rule configured on an IOM subtracts from the total number of supported layer 3 ACL's

Page 68: Enterasys Routing 2010

ESE Enterprise Routing – ACLs
ACL Configuration

• Standard ACL rule creation
  SecureStackC2(su)->router(Config)# access-list number {deny | permit} <src-addr>

Example:
  SecureStackC2(su)->router(Config)# access-list 15 deny 172.158.12.23

- Valid number values are between 1 and 99 for standard ACL's.

• Extended ACL rule creation
- For TCP or UDP with source and destination IP addresses
  SecureStackC2(su)->router(Config)#access-list number {deny | permit} {tcp | udp} <src-addr> eq port <dst-addr>

Example:
  SecureStackC2(su)->router(Config)# access-list 108 deny tcp 10.1.2.0 0.0.0.255 eq 80 any

- For just source and destination IP addresses
  SecureStackC2(su)->router(Config)#access-list number {deny | permit} ip <src-addr> <dst-addr>

Example:
  SecureStackC2(su)->router(Config)# access-list 101 permit ip any any

- Valid number values are between 100 and 199 for extended ACL's.

Page 69: Enterasys Routing 2010


ESE Enterprise Routing – ACLs
Matrix X ACL Configuration

• Numbered ACL Configuration
- Standard ACL rule creation
  matrix-x(router-config)# access-list number [sequence seq_value] {deny | permit} {ip4_addr wildcard | any | host ip4_addr}
› Valid number values are between 1 and 99 for standard ACL's.

- Extended ACL rule creation
› For TCP,
  matrix-x(router-config)# access-list number {deny | permit} tcp {src_ip4_addr wildcard | any | host ip4_addr} [eq|gt|lt|neq|{range int} int] {dst_ip4_addr wildcard | any | host ip4_addr} [eq|gt|lt|neq|{range int} int] [established] [precedence prec] [tos tos] [dscp dscp]
› Additional extended ACL's can be created with specification of SIP, DIP, precedence, TOS and DSCP field settings and:
- Any IP Protocol
- UDP ports
- ICMP type and code
- All IP Protocols
- IP in IP Protocol
› Valid number values are between 100 and 199 for extended ACL's.

Page 70: Enterasys Routing 2010

ESE Enterprise Routing – ACLs
Applying ACL's

• SecureStack C2/C3
- ACL's can only be applied to packets inbound on IP interfaces.
- ACL's are applied to VLAN-based IP interfaces.
- To apply an access list to an interface, use the following commands from the router interface configuration mode
  router(Config)# interface vlan vlan-id
  router(Config-if(Vlan id))# ip access-group number in
- To remove an ACL from an interface
  router(Config-if(Vlan id))#no ip access-group number in
- Rule changes take effect immediately

Page 71: Enterasys Routing 2010

ESE Enterprise Routing – ACLs
ACL Configuration

• Amending ACL rules
- To change a rule use
  ...# access-list number replace number <rule...>
- To create a rule out of sequence
  ...# access-list number insert number <rule...>
- To reorder a rule or group of rules by moving them before a specific rule
  ...# access-list number move number number [ number ]

• Removing ACL rules
- Remove the ACL and all its rules
  ...# no access-list acl-number
- Remove a specific rule in an ACL
  ...# no access-list acl-number rule#
- Remove a range of rules in an ACL
  ...# no access-list acl-number rule# rule#

Page 72: Enterasys Routing 2010


ESE Enterprise Routing – ACLs
Display Configured Access Lists

• Displaying ACL's
- To display the current ACL's configured on the SecureStack C2/C3, use the following command from router mode:
  SecureStackC2(su)->router> show access-lists [number]

- Example:
  SecureStackC2(su)->router> show access-lists
  Standard IP access-list 10
  1: permit 192.168.100.0 0.0.0.255
  2: permit 192.168.200.0 0.0.0.255
  3: permit host 192.168.30.1
  4: deny 192.168.0.0 0.0.255.255
  5: deny 172.16.0.0 0.0.255.255
  6: permit any
  Extended IP access list 110
  1: permit tcp host 10.1.2.3 eq 17 any
  2: deny udp host 14.9.123.52 eq 512 14.0.0.0 0.255.255.255
  3: permit tcp host 125.34.12.4 eq 25 host 15.23.19.3

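How the two lists displayed above are evaluated, as an added Python example (not code from the course or the Enterasys CLI): rules are tried in sequence order, the first match decides, and a packet matching nothing falls through to the implicit deny every ACL carries. It shows why order matters in ACL 10: 192.168.30.1 is permitted by rule 3 only because that rule precedes the deny of 192.168.0.0 0.0.255.255 in rule 4. The rule lines are copied from the show output; the packets are constructed, and the parser accepts only the rule forms that appear on these slides (any, host, address with wildcard, an optional protocol, and the "eq PORT" source-port form also used by the access-list 108 example).

```python
import ipaddress

def parse_addr(tokens):
    """Consume one address spec and return ((addr, care_mask), rest).
    Wildcard 1-bits mean 'don't care', so the care mask is the complement."""
    if tokens[0] == "any":
        return (0, 0), tokens[1:]
    if tokens[0] == "host":
        return (int(ipaddress.IPv4Address(tokens[1])), 0xFFFFFFFF), tokens[2:]
    addr = int(ipaddress.IPv4Address(tokens[0]))
    wildcard = int(ipaddress.IPv4Address(tokens[1]))
    return (addr, ~wildcard & 0xFFFFFFFF), tokens[2:]

def parse_rule(line):
    """'2: deny udp host 14.9.123.52 eq 512 14.0.0.0 0.255.255.255' -> dict."""
    seq, rest = line.split(":", 1)
    tokens = rest.split()
    rule = {"seq": int(seq), "action": tokens.pop(0), "proto": None,
            "src_port": None, "dst": None}
    if tokens[0] in ("ip", "tcp", "udp"):          # extended rules name a protocol
        rule["proto"] = tokens.pop(0)
    rule["src"], tokens = parse_addr(tokens)
    if tokens and tokens[0] == "eq":               # 'eq PORT' after the source
        rule["src_port"], tokens = int(tokens[1]), tokens[2:]
    if tokens:                                     # extended rules have a destination
        rule["dst"], tokens = parse_addr(tokens)
    return rule

def _addr_match(spec, ip):
    addr, care = spec
    return (int(ipaddress.IPv4Address(ip)) & care) == (addr & care)

def matches(rule, pkt):
    if rule["proto"] not in (None, "ip") and rule["proto"] != pkt.get("proto"):
        return False
    if not _addr_match(rule["src"], pkt["src"]):
        return False
    if rule["src_port"] is not None and rule["src_port"] != pkt.get("src_port"):
        return False
    return rule["dst"] is None or _addr_match(rule["dst"], pkt["dst"])

def evaluate(acl_lines, pkt):
    """Rules are tried in sequence order and the first match decides; no match
    falls through to the implicit deny every ACL carries as its last rule."""
    for rule in sorted(map(parse_rule, acl_lines), key=lambda r: r["seq"]):
        if matches(rule, pkt):
            return rule["action"], rule["seq"]
    return "deny", "implicit"

# Rule lines as printed by 'show access-lists' on the slide above.
STANDARD_10 = [
    "1: permit 192.168.100.0 0.0.0.255", "2: permit 192.168.200.0 0.0.0.255",
    "3: permit host 192.168.30.1", "4: deny 192.168.0.0 0.0.255.255",
    "5: deny 172.16.0.0 0.0.255.255", "6: permit any",
]
EXTENDED_110 = [
    "1: permit tcp host 10.1.2.3 eq 17 any",
    "2: deny udp host 14.9.123.52 eq 512 14.0.0.0 0.255.255.255",
    "3: permit tcp host 125.34.12.4 eq 25 host 15.23.19.3",
]

if __name__ == "__main__":
    # constructed packets: rule 3 wins for 192.168.30.1 only because it precedes rule 4
    for src in ("192.168.30.1", "192.168.30.2"):
        print(src, evaluate(STANDARD_10, {"src": src}))
    print(evaluate(EXTENDED_110, {"proto": "udp", "src": "14.9.123.52",
                                  "src_port": 512, "dst": "15.0.0.1"}))
```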

Page 73: Enterasys Routing 2010

ESE Enterprise Routing – ACLs
Additional Product Information

• Access Control Lists filter incoming IP packets based upon specified characteristics

• Enterasys Platform Support of Access List

Platform                 | Matrix N-series Platinum | Matrix N-series Gold | Matrix E1 | SecureStack C2 / C3 | Matrix X
Access-List Standard     |
Access-List Extended     | * *
Interface Inbound        |
Interface Outbound       |
Max ACL Rules            | 5,000                    | 1,000                | 1,000     | 100                 | 32,000
Maximum Rules per group  | 999                      | 999                  | 999       | 9                   | 2,048

• Depending on the product, ACL's may be applied as access groups either inbound, outbound or both

* Requires advanced routing features software license.

- Example DFE Configuration:
› access-list 100 permit udp host 140.2.1.10 range 161 162
› access-list 100 permit udp 171.1.0.0 0.0.0.255 host 140.2.1.10 range 161 162
› interface vlan 92
› ip address 171.1.0.1 255.255.255.0
› ip access-group 100 in
› ip access-group 100 out

