There is nothing more important than our customers

Enterprise Routing Course Overview


Course Prerequisites

Student prerequisite knowledge/skills:
- Experienced PC user
- Operational knowledge of Ethernet
- 802.1D standard
- 802.1Q standard
- Comprehensive understanding of the TCP/IP protocol
- Comprehensive understanding of various types of routing

Topics not covered in this course:
- In-depth discussion of 802.1D
- TCP/IP
- Network design
- Wireless
- NetSight NMS
- Dragon
- STP
- In-depth discussion of the following protocols: OSPF, DVMRP, IGMP and VRRP, or other routing protocols

2007 Enterasys Networks, Inc. All rights reserved.


Enterprise Routing

Routing Products Overview

Enterprise Routing Routing Products Overview


Routing Review

Bridges / Layer 2 Switching:
- Switch packets within the same physical network, based upon Data Link-layer (MAC) addressing
- Flood all MAC-layer broadcasts out all attached ports in the same physical network
- Are protocol transparent (i.e. unaware of IP, IPX, etc. protocols embedded in the datagrams)
- Do not support packet fragmentation
- Support multiple Physical- and MAC-layer packet encapsulation types and have the ability to translate from one type to another

Routers / Layer 3 Switching:
- Switch packets between different physical networks, based upon Network-layer addressing
- Do not flood MAC-layer broadcasts from one attached network to another
- Are protocol dependent (IP routed to IP; IPX routed to IPX, etc.)
- Support packet fragmentation
- Support multiple Physical- and MAC-layer packet encapsulation types and have the ability to translate from one type to another

When Should Routing be Implemented?

- When communication is needed between VLANs
- When MAC-layer multicast/broadcast traffic is adversely affecting network performance
- When packet switching based upon upper-layer protocols (i.e. IP, IPX, AppleTalk, etc.) is desired
- Where multiple active paths between systems are required

Enterasys Routing Support

The following Enterasys switch products support both Layer 2 (the Data Link layer of the OSI model) switching and Layer 3 (the Network layer) IP routing functionality:
- SecureStack B3/C2/C3
- Matrix E1
- G Series
- Matrix N-Series DFE (Matrix Gold, Matrix Platinum, Matrix Diamond)
- Matrix X

SecureStack B3/C2/C3

- B3: Supports only basic IP layer 3 routing (static routes, RIP, basic ACLs)
- C2/C3 Series: Supports basic IP layer 3 routing (static routes, RIP, basic ACLs)
- Optional License C2 L3-LIC (Layer 3 Routing License): Enables OSPF, PIM, DVMRP, VRRP. The license will need to be re-entered if the configuration is cleared.
- Optional License C3 L3-LIC (Layer 3 Routing License): Enables OSPF, PIM, DVMRP, VRRP. Requires the purchase and activation of an advanced routing license for each unit in a stack. The license will NOT need to be re-entered if the configuration is cleared.
- Optional License C3 IPv6-LIC (IPv6 License)

Matrix E1

- Policy management for layer 2/3/4 classification
- Supports advanced Layer 3 IP routing
- Can be managed via a CLI, WebView, or a Network Management application
- The Matrix E1 supports up to 256 routing interfaces

Overview of Routing Support

Summary of routing support on the Matrix platforms.

Routing functionality compared: RIP v1/v2, OSPF, BGP, IS-IS, DVMRP, PIM-SM, IPv6, IRDP, VRRP, LSNAT, Standard ACLs, Extended ACLs, PBR, DoS Prevention, DHCP Server.

Platforms compared: Matrix N-series (Platinum and Gold), Matrix N-Series Diamond, Matrix E1, SecureStack B3/C2/C3 & G-Series, Matrix X.

Notes to the table:
* Requires advanced routing features software license.
** Requires extended memory of 256 MB.
*** Supported only on the SecureStack C3 and G-Series.

Matrix Family - Sizes and tables

Feature                      X          N-Plat       N-Gold    N-Dia              E1       C2/C3
IP Interfaces                1024       256          96        256                256      24
Secondary addresses per IF   64         50           50        50                 8        31
Maximum secondary IFs        2000       2,000        2000      2,000              2048     744
Loopback Interfaces          100 (3)    20           20        20                 20       13
ARP Cache total              128k       16k (1)      4k (1)    16k (1) / 32k (4)  8.5k     2,048
ARP Dynamic                  128k       16k          4k        16k (1) / 32k (4)  8k       2,024
Default ARP timeout (secs)   21,600     14,400       14,400    14,400             14,400   14,400
ARP Static                   1,024      1,024        512       1,024              512      512
Access Control Lists         1,024      198          198       198                199      100
Maximum Rules per ACL        2,048      999          999       999                999      9
Maximum ACL Rules            32,000 *   5,000        1,000     5,000              1,000    100
Route Table                  ~265k      25,000 (2)   10,000    25,000 (2)         10,000   2,500
ECMP paths                   4          8            4         8                  8        4
Static routes                2,048      1,024        512       1,024              512      64
RIP routes                   10,000     3,000        1,000     3,000              1,000    2,500

(1) Per router module.
(2) With 256 MB RAM; half the amount with 128 MB.
(3) Includes the internal loopback of 127.0.0.1 per chassis.
* Dependent on the number of forwarding engines per chassis.

Matrix Family - Sizes and tables

Feature                 X        N-Plat                  N-Gold   N-Dia                   E1       C2/C3
OSPF Areas              16       6                       4        6                       4        4
Total OSPF LSA LSDB     30,048   15,664                  10k      15,664                  10,576   2,500
Type 1 LSAs             1024     512                     100      512                     200      2,500
Type 2 LSAs             1024     512                     400      512                     400      2,500
Type 3 LSAs             6000     3,000 (1) / 8,000 (2)   2,000    3,000 (1) / 8,000 (2)   2,000    2,500
Type 4 LSAs             6000     3,000                   2,000    3,000                   2,000    2,500
Type 5 LSAs             8000     4,000 (1) / 10,000 (2)  3,000    4,000 (1) / 10,000 (2)  3,000    2,500
Type 7 LSAs             8000     4,000                   3,000    4,000                   3,000    2,500
Type 9 LSAs             n/s      64                      64       512                     64       n/s
Type 10 LSAs            n/s      512                     512      512                     512      n/s
Type 11 LSAs            n/s      64                      64       512                     64       n/s
OSPF Neighbors          24       60                      60       60                      8        No hardware limit
Router Links per area   24       100                     100      100                              No hardware limit

(1) With 128 MB RAM.
(2) With 256 MB RAM.

Matrix Family - Sizes and tables

Feature                       X       N-Plat  N-Gold  N-Dia   E1      C2/C3
VRRP IDs                      1,024   1,024   128     1,024   128     480
VRRP IPs per Interface        128     16      16      16      9       1
VRRP IDs per Interface        7       4       4       4       4       20
IGMP Groups                   1,000   64      64      64      1,000   256
DVMRP Routes                  10k     10k     10k     10k     10k     256
Multicast Flows               8,000   2,000   2,000   2,000   1,000   256
IP Helper Address per router  2,048   5,120   2,048   5,120   5,520   1
IP Helper Address per IF      20      20      8       20      20      0
DHCP Server Leases            1,000   1,000   1,000   1,000   n/s     n/s

SecureStack C3 - IPv6

IPv6 Overview
- IPv6 is the next generation of the Internet Protocol.
- With 128-bit addresses, IPv6 solves the address depletion issues seen with IPv4 and removes the requirement for NATs.
- The ability to aggregate addresses reduces the size of the global routing table dramatically.
- Security is more integrated, and network configuration is simplified, yet more flexible.

IPv6 will coexist with IPv4.
- As with IPv4, IPv6 routing can be enabled on VLAN interfaces. Each L3 routing interface can be used for IPv4, IPv6, or both.
- IP protocols running over L3, for example UDP and TCP, do not change with IPv6. For this reason, a single CPU stack is used for transport of both IPv4 and IPv6, and a single sockets interface provides access to both.
- Routing protocols are capable of computing routes for either IP version or both.

This release will provide unicast routing using OSPFv3 and static routes.


Enterprise Routing

Basic Routing Config

Enterprise Routing Basic Routing Config


Module Topics

Basic Routing Configuration
- VLAN Review
- Router Configuration / Direct Routes
- Static Routes
- RIP Routes
- ARP Configuration
- File Management
- Additional information

VLAN Review

When creating an IP interface on a VLAN, the following steps are recommended:

1. Create the VLAN used for IP routing from the switch CLI:
   SecureStackC2(su)-> set vlan create 15
2. Assign ports to the VLAN:
   SecureStackC2(su)-> set port vlan fe.1.6 15
   Then answer Y to add the port to the egress list and clear the existing PVID.
   OR
3. Assign ports to the VLAN:
   SecureStackC2(su)-> set port vlan fe.1.6 15
   Then answer N to not add the port to the egress list and not clear the PVID.
4. Assign ports to the VLAN's egress list:
   SecureStackC2(su)-> set vlan egress 15 fe.1.6 untagged
5. Remove (default) ports from default VLAN 1's egress list:
   SecureStackC2(su)-> clear vlan egress 1 fe.1.2-10

VLAN Review - Matrix X

When creating an IP interface on a VLAN for the Matrix X-series, the following steps are recommended:

1. Create the VLAN used for IP routing from the switch CLI:
   matrix-x(switch-rw)-> set vlan create 5
2. Configure physical ports to be used for layer 2 switching as ingress and egress ports on the VLAN:
   matrix-x(switch-rw)-> set port mode ge.1.1 switched
3. Assign ports to the VLAN's egress list and configure port VLAN settings from the switch CLI:
   matrix-x(switch-rw)-> set vlan egress 5 ge.1.1 [untagged | tagged | forbidden]
   matrix-x(switch-rw)-> set port vlan ge.1.1 5
4. In router configuration mode, create an IP interface on the VLAN and configure an IP address:
   matrix-x(switch-rw)-> router
   matrix-x(router-exec)# configure terminal
   matrix-x(router-config)# interface vlan.1.5
   matrix-x(router-config-if-vlan-vid)# ip address 192.168.18.18 255.255.255.0

IP interfaces bound to VLANs are referenced in the Matrix X-series CLI with the syntax vlan.<bridgeDomain>.<vid>. The Matrix X-series currently supports one bridge domain, defaulting to a value of 1.


Pre-routing Considerations

To configure the ports for routing, it may be necessary to turn off switching features on the appropriate ports (all routers except Matrix X):
1. Disable Spanning Tree (optional).
   set spantree disable
2. Disable GVRP (optional).
   set gvrp disable

Matrix X:
1. Optionally set the Spanning Tree state per port for the ports to be assigned to the VLAN from the switch CLI:
   matrix-x(switch-rw)-> set spantree portadmin ge.1.1 disable
2. Optionally set the GVRP state per port for the ports to be assigned to the VLAN from the switch CLI:
   matrix-x(switch-rw)-> set gvrp disable ge.1.1

Router Configuration Modes

As soon as 2 or more routing interfaces are created, routing between VLANs is available.

Figure: two routing interfaces, VLAN 5 and VLAN 10.

Enter Router mode:
- matrix(su)->router

Enter Router privileged mode (not needed on E1):
- matrix(su)->router>enable

Enter configuration mode:
- matrix(su)->router#configure

Enter Interface configuration mode:
- matrix(su)->router(Config)# interface vlan 31
- matrix(su)->router(Config-if(Vlan))#ip address 192.168.1.2 255.255.255.0
- matrix(su)->router(Config-if(Vlan))#no shutdown

Enter Router protocol configuration mode:
- matrix(su)->router(Config-if)# router rip
- matrix(su)->router(Config-router)#network 192.168.1.0 255.255.255.0

Loopback Interface Configuration

A loopback is an internal interface not associated with any physical port. When creating an IP interface on a loopback for the Matrix X, N, or E1, the following steps are recommended:
   Matrix>Router(config)# interface loopback 2
   Matrix>Router(config-if(Lpbk 2))# ip address 2.2.2.2 255.255.255.255
   Matrix>Router(config-if(Lpbk 2))# no shutdown

By default, when an IP interface on a loopback is created on SecureStack, N, X, and E1, the interface is in a down state. Therefore, no shutdown must be entered to bring up the loopback.

Loopback interfaces are not associated with any VLAN. The loopback can be used for remote administration of the router in lieu of the host interface; you must use a routing protocol or static routing to reach it. Use the loopback IP address for the BGP router identifier.


Static and Dynamic Routing Support

Routers use routing protocols to maintain their routing tables. Routing tables can be maintained either statically or dynamically.

Static Routes
- Static routes are manually configured and entered into a switch's routing table. Static routes take default precedence over routes chosen by dynamic routing protocols.

Dynamic Routes
- Dynamic routes are learned when routers send routing table information to each other.
- The three forms of dynamic routing that are most commonly used are Distance Vector, Link State and Path Vector protocols.
  Distance Vector Protocols: RIPv1 and RIPv2; DVMRP, PIM-SM, PIM-SSM (multicast)
  Link State Protocols: OSPFv2; IS-IS
  Path Vector Protocols: BGP4

Configuring Static Routes

Figure: three routers, with interfaces 172.129.10.100, 172.129.10.1 and 10.10.1.1.

- Static routes are manually configured and entered into a device's routing table.

   C2(su)router->(Config)# ip route 10.10.1.0 255.255.255.0 172.129.10.1
   (destination network, mask, next hop)

Matrix X syntax:
   matrix-x(router-config)# ip route prefix {mask | masklen} {ipv4-address | interface-name | next-hop} [distance] [tag tag] [metric value] [unicast] [multicast] [noinstall] [reject] [retain] [blackhole]

Routing Table Overview

There are two show ip route commands, one in switch mode and one in router mode.

Switch mode: the show ip route command shows host routes:

   SecureStackC2(su)->show ip route
   ROUTE TABLE
   Destination   Gateway       Mask      Tos  Flags  Refcnt  Use  Interface
   ----------------------------------------------------------------------------
   default       192.168.0.1   00000000  0    UGC    0       0    host
   127.0.0.1     127.0.0.1     00000000  0    UH     0       0    loopback
   192.168.0.0   192.168.0.2   ffffff00  0    UC     1       0    host
   ----------------------------------------------------------------------------

The host interface maintains a separate routing table from the VLAN interfaces. Each can be separately viewed and maintained, and each can have a separate and distinct default route.

Routing Table Overview

Router mode: show ip route shows all static and dynamic routes. To see the routing table for the routed IP interfaces, you must be in router mode.

   SecureStackC2(su)->router> show ip route
   Codes: C - connected, S - static, R - RIP, O - OSPF, IA - OSPF interarea
          N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
          E1 - OSPF external type 1, E2 - OSPF external type 2
          E - EGP, i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2
          * - candidate default, U - per user static route

   C  10.1.50.0/24     [cost 0] directly connected, Vlan 5
   C  10.1.100.0/24    [cost 0] directly connected, Vlan 10
   C  10.1.150.0/24    [cost 0] directly connected, Vlan 15
   C  172.16.0.0/24    [cost 0] directly connected, Vlan 123
   S  192.168.1.0/24   [cost 0] via 172.16.0.51, Vlan 123
   S  192.168.100.0/24 [cost 0] via 172.16.0.37, Vlan 123


Matrix Routing Configuration Guide - RIP

Overview

RIP is a standards-based form of distance-vector routing using the Bellman-Ford algorithm. Two versions of RIP are available today:
- RIP version 1, defined by RFC 1058 (STD 34), 6/88
- RIP version 2, defined by RFC 2453 (STD 56), 8/99

The routing decision selects the shortest path based on hop count.
- Each router is one hop.
- RIP has a 15 hop-count limitation.

RIP updates occur every 30 seconds and send the entire routing table contents.
- IP/UDP port 520
- Up to 25 routes per packet

Subsequent to a topology change, convergence time increases significantly with network size.

RIPv2 differences from RIPv1:
- Includes the network mask, which supports variable-length subnet masking.
- Transmits RIPv2 updates as multicast rather than broadcast (both are supported).
- Provides an authentication mechanism not supported by RIPv1.
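As an added example that is not part of the course material, the RIPv2 message layout from RFC 2453 encoded and checked in Python, so the limits listed above (25 routes per packet, the 15-hop limit expressed as metric 16, and the RIPv2 mask and authentication fields) can be seen on the wire. The field names, the sample routes and the password are constructed here; the parser accepts only version 2 and rejects what a router should refuse.

```python
import ipaddress
import struct
from dataclasses import dataclass
from typing import List, Optional

# Constants from RFC 2453 and the slide: UDP port 520, 25 routes per packet,
# metric 16 ("infinity") marks a route past the 15-hop limit as unreachable.
RIP_PORT = 520
RIP_MAX_ENTRIES = 25
RIP_INFINITY = 16
RIP_RESPONSE = 2
AFI_IP = 2
AFI_AUTH = 0xFFFF                         # RIPv2 authentication entry
AUTH_SIMPLE_PASSWORD = 2
HEADER = struct.Struct("!BBH")            # command, version, must-be-zero
ENTRY = struct.Struct("!HH4s4s4sI")       # AFI, tag, prefix, mask, next hop, metric
AUTH_ENTRY = struct.Struct("!HH16s")      # AFI=0xFFFF, auth type, 16-byte password


@dataclass
class RipRoute:
    prefix: str        # e.g. "10.1.1.0/24" (constructed sample values)
    next_hop: str      # 0.0.0.0 means "use the packet's source address"
    metric: int
    tag: int = 0

    @property
    def unreachable(self) -> bool:
        return self.metric >= RIP_INFINITY


@dataclass
class RipPacket:
    command: int
    version: int
    password: Optional[bytes]
    routes: List[RipRoute]


def build_response(routes: List[RipRoute], password: Optional[bytes] = None,
                   enforce_limit: bool = True) -> bytes:
    """Encode a RIPv2 Response. enforce_limit=False lets a test build an
    oversized packet to exercise the receiver's checks."""
    body = bytearray(HEADER.pack(RIP_RESPONSE, 2, 0))
    count = 0
    if password is not None:
        # Simple-password authentication travels in cleartext (RFC 2453, 4.1).
        body += AUTH_ENTRY.pack(AFI_AUTH, AUTH_SIMPLE_PASSWORD, password.ljust(16, b"\0"))
        count += 1
    for r in routes:
        net = ipaddress.ip_network(r.prefix, strict=False)
        body += ENTRY.pack(AFI_IP, r.tag, net.network_address.packed, net.netmask.packed,
                           ipaddress.ip_address(r.next_hop).packed, r.metric)
        count += 1
    if enforce_limit and count > RIP_MAX_ENTRIES:
        raise ValueError(f"{count} entries exceed the RIP limit of {RIP_MAX_ENTRIES}")
    return bytes(body)


def parse_packet(data: bytes) -> RipPacket:
    """Decode and sanity-check a RIPv2 packet; raises ValueError on anything a
    router should refuse (misaligned length, more than 25 entries, bad metric).
    Classful entries with a zero mask are rejected by the strict prefix check."""
    if len(data) < HEADER.size or (len(data) - HEADER.size) % ENTRY.size:
        raise ValueError("truncated or misaligned RIP packet")
    command, version, zero = HEADER.unpack_from(data, 0)
    if command not in (1, RIP_RESPONSE) or version != 2 or zero != 0:
        raise ValueError(f"bad RIP header: command={command} version={version}")
    n_entries = (len(data) - HEADER.size) // ENTRY.size
    if n_entries > RIP_MAX_ENTRIES:
        raise ValueError(f"{n_entries} entries exceed the RIP limit of {RIP_MAX_ENTRIES}")
    password = None
    routes: List[RipRoute] = []
    for i in range(n_entries):
        offset = HEADER.size + i * ENTRY.size
        afi = struct.unpack_from("!H", data, offset)[0]
        if afi == AFI_AUTH:
            if i != 0:
                raise ValueError("authentication entry must be the first entry")
            _, auth_type, secret = AUTH_ENTRY.unpack_from(data, offset)
            if auth_type != AUTH_SIMPLE_PASSWORD:
                raise ValueError(f"unsupported authentication type {auth_type}")
            password = secret.rstrip(b"\0")
            continue
        if afi != AFI_IP:
            raise ValueError(f"unsupported address family {afi}")
        _, tag, ip, mask, next_hop, metric = ENTRY.unpack_from(data, offset)
        if not 1 <= metric <= RIP_INFINITY:
            raise ValueError(f"metric {metric} outside 1..{RIP_INFINITY}")
        mask_str = str(ipaddress.ip_address(mask))
        net = ipaddress.ip_network((ip, mask_str))   # strict: host bits must be zero
        routes.append(RipRoute(str(net), str(ipaddress.ip_address(next_hop)), metric, tag))
    return RipPacket(command, version, password, routes)


def summarize(data: bytes) -> str:
    """One-line verdict a monitor could log for a captured RIP datagram."""
    try:
        pkt = parse_packet(data)
    except ValueError as exc:
        return f"REJECT: {exc}"
    poisoned = sum(r.unreachable for r in pkt.routes)
    auth = "password" if pkt.password is not None else "none"
    return f"OK: {len(pkt.routes)} routes, {poisoned} unreachable, auth={auth}"
```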

Simple RIPv1 Configuration

Steps to configure a simple RIPv1 configuration:
1. Create IP interfaces
2. Add IP addresses to the IP interfaces
3. Create a RIP instance
4. Add RIP networks
5. Enable RIP

Simple RIPv1 Configuration

   Router1>Router(config)# interface vlan 11
   Router1>Router(config-if(Vlan 11))# ip address 10.1.1.1/24
   Router1>Router(config-if(Vlan 11))# no shutdown
   Router1>Router(config-if(Vlan 11))# exit
   Router1>Router(config)# interface vlan 12
   Router1>Router(config-if(Vlan 12))# ip address 10.1.2.1/24
   Router1>Router(config-if(Vlan 12))# no shutdown
   Router1>Router(config-if(Vlan 12))# exit
   Router1>Router(config)# router rip
   Router1>Router(config-router)# network 10.1.1.0
   Router1>Router(config-router)# network 10.1.2.0
   Router1>Router(config-router)# exit
   Router1>Router(config)#

Note: on the Matrix E1 all IP interfaces are automatically enabled for RIP.

   Router1>Router#show running-config
   interface vlan 11
   ip address 10.1.1.1 255.255.255.0
   no shutdown
   interface vlan 12
   ip address 10.1.2.1 255.255.255.0
   no shutdown
   !
   router rip
   network 10.1.1.0
   network 10.1.2.0


File Management - SecureStack

dir - Use this command to list files stored in the file system.
   dir [filename]

   matrix-x(switch-su)-> dir usb:base/config/*
   usb:base/config/
   ==================================================
   Name        : myconfig_2Feb
   Type        : Unknown
   Size        : 43 bytes
   Last Access : Thu Feb 2 12:30:00 2006
   Modification: Thu Feb 2 12:30:00 2006
   Last Change : Thu Feb 2 12:30:00 2006
   Available space on USB drive: 71237632 bytes

show config - Use this command to display the system configuration or write the configuration to a file.
   show config [all | facility] [outfile {configs/filename}]

   C3(rw)->show config all outfile configs/save_config2
   C3(rw)->show config port

File Management - SecureStack

configure - Use this command to execute a previously downloaded configuration file stored on the device.
   configure filename [append]

   C2/C3(su)->configure configs/myconfig
   E1(su)->configure myconfig.cfg
   DFE(su)->configure slot1/myconfig

copy - Use this command to upload or download an image or a CLI configuration file.
   copy source destination

   C3(su)-> copy tftp://134.141.89.34/ets-mtxe7-msi newimage

delete - Use this command to remove an image or a CLI configuration file from the Matrix system.
   delete filename

   C3(su)->delete configs/Jan1_2004.cfg

File Management

show file - This command displays the contents of a text file located in a directory in the file system on the active or standby CM, or on a USB drive connected to the active or standby CM.
   show file {core | images | public | local | log | trace}/filename
   show file standby:{core | local | log | trace}/filename
   show file usb:pathname
   show file standby:usb:pathname

Example - show file. The following example displays the contents of a text file named myfile in the public/ directory on the active CM:
   matrix-x(switch-su)-> show file public/myfile
   set width 150
   set banner motd "no message today"
   set prompt "matrix-x"

File Management

show config - This command displays the system configuration or writes the configuration to a file.
   show config [all] [outfile path-to/outfilename] [plain] [prettyprint] [| search regexp]

configure - This command executes a configuration file stored on the X Router or on a remote server (Matrix X only).
   configure {public | local}/filename [append]
   configure standby:local/filename [append]
   configure service://[username@]remote-host/path-to-remote-file [append]
   configure usb:pathname
   configure standby:usb:pathname

write file - This command saves the router configuration (E1 and N-Series).
   write file


Additional Information about the Host Interface

- The host interface must be assigned to a VLAN (VLAN 1 is the default).
- The host interface is always up and utilizes a route table independent from the route table used for forwarding data.
- On the E1 and N, the host interface may be on the same network as the routed VLAN IP interface.
- The C2/C3 host interface address cannot be assigned to the same network as the local routed VLAN interface. For device connectivity, use the router interface to communicate with the device.
- The Matrix X has a dedicated Ethernet port for LAN access to the host interface.

   matrix> set host vlan vlan-id
   matrix> show host vlan
   matrix> clear host vlan
   Matrix E7 Platinum(su)-> set port vlan host.0.1 vlan-id


Enterprise Routing
OSPF Configurations

Enterprise Routing - OSPF


Module Topics

- Overview of OSPF Routing Protocol
- OSPF Features & Limits
- Configuration
  - Simple Configuration
  - Advanced Configuration

Overview of OSPF Routing Protocol

OSPF primary characteristics:
- It is open in that its specification is in the public domain
- It is based on Dijkstra's Shortest Path First algorithm

Developed by the Interior Gateway Protocol (IGP) working group of the IETF (mid 1980s):
- RFC 2328
- RFC 1583

OSPF was created because RIP was increasingly unable to serve large, heterogeneous networks:
- Routing loops occurred with sudden topology changes
- Using a distance metric to determine reachability resulted in count-to-infinity delays
- Slow convergence

Uses the best-effort transport mechanism of IP:
- Protocol number 89
- Uses both IP unicast and multicast addresses (224.0.0.5, 224.0.0.6)

Overview of OSPF Routing Protocol

Faster convergence than distance vector algorithms.

A more descriptive routing metric:
- Configurable per outbound interface
- Interface value between 1 and 65,535

Equal-cost multipath:
- If multiple equal-cost paths to a destination exist, the paths are inserted in the routing table
- Load balancing among the routes

Routing hierarchy:
- The routing domain can be divided into areas for ease of management and control
- Support for route summarization and aggregation by area

Security:
- Simple or MD5 authentication

Overview of OSPF Routing Protocol

Link State Advertisements (LSAs):
- Describe a local piece of the routing topology
- As accumulated from all routers in the area/domain, form a link state database

Link State Database:
- Describes the complete routing topology
- Identical for all the routers within the same area, when a network has converged
- Distributed, replicated database model
- The routing table is re-computed from the database only when topology changes occur

Distribution of LSAs uses reliable flooding:
- Link State Updates advertise topology changes and keep entries up-to-date
- Large RIP update packets advertise the entire route table every 30 seconds and age out in 90 sec
- Individual OSPF entries are refreshed every 30 minutes and age out after 60 minutes
- Uses multicasting to minimize network disruption
- Has its own acknowledgement protocol to ensure reliable packet delivery

Overview of OSPF Routing Protocol

The network topology must appear consistent: the link state database must be identical on all routers. All entities in the routing domain use unique 32-bit numbers for identification:
- Routers are assigned a router ID, normally based on their IP address
- Networks either use their network ID or the IP address of a router interface on that network
- Areas are strictly administratively assigned

Routers use the OSPF Hello protocol to identify neighbors and maintain neighbor relationships. Only routers in an adjacency state are permitted to exchange link state information.
- The necessity of ensuring consistency in the LSDB prohibits simple broadcasting of route information.
- Flooding information uses a split horizon technique.

In multi-access networks, a Designated Router (DR) is elected to ensure reliable distribution of LSAs.
- A Backup Designated Router (BDR) is also elected.

The OSPF Area - Definition

Definition of an OSPF area:
- Identified by dotted-decimal format (Ex: 0.0.0.1)
  No association with IPv4 addresses of IPv4 nodes in the area. When an IPv4 interface is enabled with OSPF, it is associated with an area.
- Each router's interface belongs to only 1 area; therefore,
- Each network belongs to only 1 area
- A router may belong to multiple areas by having interfaces in different areas
- Multiple networks and router interfaces may belong to a single area

Example (figure):
- AREA 0.0.0.34: network 10.10.10.0/24 with router interfaces 10.10.10.1/24 and 10.10.10.2/24
- AREA 0.0.0.0: network 20.30.20.0/24 with router interfaces 20.30.20.1/24 and 20.30.20.2/24, and network 50.30.20.0/24 with router interface 50.30.20.2/24

The OSPF Area - Implications

OSPF Router Classification:
- Area Border Router (referred to as ABR): a router that has interfaces in at least two different areas
- Autonomous System Border Router (referred to as ASBR): a router that has an interface running a different routing protocol
- Internal Router: a router whose interfaces are completely contained within an OSPF area

Example (figure): a BGP IGP domain adjoins an OSPF IGP domain. AREA 0.0.0.34 contains network 10.10.10.0/24 (interfaces 10.10.10.1/24 and 10.10.10.2/24); AREA 0.0.0.0 contains networks 20.30.20.0/24 (interfaces 20.30.20.1/24 and 20.30.20.2/24) and 50.30.20.0/24 (interface 50.30.20.2/24).

The OSPF Backbone Example

Figure: Backbone Area 0.0.0.0 connected to areas 1.1.1.1, 0.0.3.5, 0.0.0.12 and 1.0.4.232.

Inter-Area Routing Example

Figure: Area Border Routers (routers A, B, C, D and E) connect three areas.
- Backbone Area 0.0.0.0 contains 10.0.0.0/24 and 20.0.0.0/24
- Area 0.0.0.1 contains 50.0.0.0/24 and 60.0.0.0/24
- Area 0.0.0.2 contains 30.0.0.0/24 and 40.0.0.0/24

Area 0.0.0.2
- Intra-Area Routes: 40.0.0.0/24, 30.0.0.0/24
- Inter-Area Routes: 10.0.0.0/24, 20.0.0.0/24, 50.0.0.0/24, 60.0.0.0/24

Area 0.0.0.1
- Intra-Area Routes: 50.0.0.0/24, 60.0.0.0/24
- Inter-Area Routes: 10.0.0.0/24, 20.0.0.0/24, 30.0.0.0/24, 40.0.0.0/24

Area 0.0.0.0
- Intra-Area Routes: 10.0.0.0/24, 20.0.0.0/24
- Inter-Area Routes: 30.0.0.0/24, 40.0.0.0/24, 50.0.0.0/24, 60.0.0.0/24

OSPF Designated Router (DR)

Figure: Router A on network 10.0.0.0/24 together with the DR and BDR.

Example:
- Router A has new routing information, in the form of an LSA, to flood to all on-link routers, but Router A is adjacent to the DR and BDR, not to all on-link routers
- Router A floods an OSPF packet that includes the LSA to the DR (and BDR) by using the AllDRouters multicast address of 224.0.0.6
  Only DR and BDR OSPF routers listen to the AllDRouters multicast address
- The DR floods the LSA to all on-link OSPF routers by using the AllSPFRouters multicast address of 224.0.0.5
- The BDR monitors the LSA flooding from the DR and will flood the LSA itself if it does not receive the LSA from the DR's flooding within a certain amount of time
- Note that all routing information exchange occurred over established adjacencies

Example: SPF Algorithm performed by Router 1.1.1.3

Figure: six routers, 1.1.1.1 through 1.1.1.6, joined by links with costs drawn from 1, 2, 4, 6 and 8; the figure's per-link costs can be recovered from the candidate list below.

Iteration | Destination added to shortest-path tree | Candidate list: destination (cost, next hops)
1 | 1.1.1.3 | 1.1.1.5 (1, 1.1.1.5); 1.1.1.2 (2, 1.1.1.2); 1.1.1.1 (4, 1.1.1.1)
2 | 1.1.1.5 (next-hop 1.1.1.5) | 1.1.1.2 (2, 1.1.1.2); 1.1.1.4 (3, 1.1.1.5); 1.1.1.1 (4, 1.1.1.1); 1.1.1.6 (9, 1.1.1.5)
3 | 1.1.1.2 (next-hop 1.1.1.2) | 1.1.1.4 (3, 1.1.1.5; 1.1.1.2); 1.1.1.1 (4, 1.1.1.1; 1.1.1.2); 1.1.1.6 (9, 1.1.1.5)
4 | 1.1.1.4 (next-hops 1.1.1.5, 1.1.1.2) | 1.1.1.1 (4, 1.1.1.1; 1.1.1.2); 1.1.1.6 (9, 1.1.1.5; 1.1.1.2)
5 | 1.1.1.1 (next-hops 1.1.1.1, 1.1.1.2) | 1.1.1.6 (9, 1.1.1.5; 1.1.1.2)
6 | 1.1.1.6 (next-hops 1.1.1.5, 1.1.1.2) | Empty
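The iteration table above run as code, added here as an example that is not part of the course material. The link costs in LINKS are an assumption reconstructed from the candidate list (1.1.1.3-1.1.1.5 costs 1, 1.1.1.2-1.1.1.4 costs 1, and so on); the spf function grows the tree one vertex per iteration and keeps every equal-cost next hop, which is why 1.1.1.4, 1.1.1.1 and 1.1.1.6 end up with two next hops each.

```python
from typing import Dict, FrozenSet, List, Tuple

# Link costs reconstructed from the slide's candidate list (an assumption, not
# a configuration from the page); each link is bidirectional with one cost.
LINKS: List[Tuple[str, str, int]] = [
    ("1.1.1.3", "1.1.1.5", 1),
    ("1.1.1.3", "1.1.1.2", 2),
    ("1.1.1.3", "1.1.1.1", 4),
    ("1.1.1.5", "1.1.1.4", 2),
    ("1.1.1.5", "1.1.1.6", 8),
    ("1.1.1.2", "1.1.1.4", 1),
    ("1.1.1.2", "1.1.1.1", 2),
    ("1.1.1.4", "1.1.1.6", 6),
]

Graph = Dict[str, Dict[str, int]]
Route = Tuple[int, FrozenSet[str]]            # (cost, set of equal-cost next hops)
Iteration = Tuple[str, Route, List[Tuple[str, int, List[str]]]]


def build_graph(links: List[Tuple[str, str, int]]) -> Graph:
    """Adjacency map; the same cost is used in both directions of a link."""
    graph: Graph = {}
    for a, b, cost in links:
        graph.setdefault(a, {})[b] = cost
        graph.setdefault(b, {})[a] = cost
    return graph


def spf(graph: Graph, root: str) -> Tuple[Dict[str, Route], List[Iteration]]:
    """Dijkstra as an OSPF router runs it: move one vertex per iteration from
    the candidate list onto the shortest-path tree, keeping every equal-cost
    next hop (ECMP). Returns the routing table and a per-iteration trace of
    (vertex added, its route, snapshot of the candidate list)."""
    tree: Dict[str, Route] = {}
    candidates: Dict[str, Tuple[int, set]] = {}
    trace: List[Iteration] = []
    current, current_route = root, (0, frozenset())
    while True:
        tree[current] = current_route
        cur_cost, cur_hops = current_route
        for nbr, link_cost in graph[current].items():
            if nbr in tree:
                continue                                  # already on the tree
            new_cost = cur_cost + link_cost
            # Next hop toward nbr: nbr itself when it hangs off the root,
            # otherwise whichever next hops already reach `current`.
            hops = {nbr} if current == root else set(cur_hops)
            if nbr not in candidates or new_cost < candidates[nbr][0]:
                candidates[nbr] = (new_cost, hops)        # better path found
            elif new_cost == candidates[nbr][0]:
                candidates[nbr][1].update(hops)           # equal cost: add hops
        snapshot = sorted((d, c, sorted(h)) for d, (c, h) in candidates.items())
        trace.append((current, current_route, snapshot))
        if not candidates:
            break                                         # candidate list empty
        # Cheapest candidate joins the tree; ties are broken by address.
        current = min(candidates, key=lambda d: (candidates[d][0], d))
        cost, hops = candidates.pop(current)
        current_route = (cost, frozenset(hops))
    routes = {dest: route for dest, route in tree.items() if dest != root}
    return routes, trace


def routes_from(root: str = "1.1.1.3") -> Dict[str, Route]:
    """Routing table computed by the slide's router over LINKS."""
    return spf(build_graph(LINKS), root)[0]


if __name__ == "__main__":
    table, iterations = spf(build_graph(LINKS), "1.1.1.3")
    for n, (added, (cost, hops), cands) in enumerate(iterations, 1):
        print(f"iteration {n}: add {added} (cost {cost}, next hops {sorted(hops) or '-'}); "
              f"candidates: {cands or 'Empty'}")
```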


Enterprise Routing - OSPF


OSPF Features

Common OSPF Features Supported on Matrix X, DFE, E1, & C2/C3

- ECMP
- Authentication: Simple, MD5
- Timers: Hello, Dead, Transmit Interval, Transmit delay, SPF
- Redistribution: Static, RIP, Direct, BGP*, IS-IS*, Aggregate*, OSPF*, OSPF-ASE*
- Cost
- Priority
- Stub: NSSA, Totally Stub
- Virtual Links
- Summarization
- Route Administrative Distance
- Specify Neighbor router
- Passive Interface

Not supported in C2/C3
Supported only on the Matrix X Router


Enterprise Routing - OSPF


Module Topics

- Overview of OSPF Routing Protocol
- OSPF Features & Limits
- Configuration
  - Simple Configuration
  - Advanced Configuration


Enterprise Routing - OSPF


Simple Configuration Process

OSPF Process
- Disable GVRP and spanning tree

VLAN setup
- Create VLANs and assign ports to VLANs
- Configure VLAN interfaces

OSPF Configuration
- Create an OSPF instance
- Configure OSPF networks and areas
- Ensure the advanced routing license is set up

C2/C3 additional OSPF steps
- Enable OSPF
- Set up Router ID


Enterprise Routing - OSPF

OSPF config - C2/C3 only

From router config mode (C2/C3)
- The C2 requires an advanced license to route OSPF
  router# license advanced 140b7d4541c8812c
- Create an OSPF instance
  router ospf 10
- Create a Router ID
  router id 5.5.5.5

From each VLAN interface (C2/C3)
- Create an ip-proxy-arp default-route
  ip proxy-arp default-route
- Associate the VLAN to an area
  ip ospf areaid 0.0.0.0
- Be sure to enable OSPF on each VLAN
  ip ospf enable


Enterprise Routing - OSPF


Create an OSPF config

From router config mode
- Create an OSPF instance
  router ospf 10
- Create an OSPF network, associate it with a subnet (the mask is a reverse mask, i.e. a wildcard mask) and tell it which area it is a part of
  network 20.1.2.0 0.0.0.255 area 0.0.0.0
  network 20.1.3.0 0.0.0.255 area 1

Note: For N-Series routers ensure that the advanced router license is installed


Enterprise Routing - OSPF


Simple Configuration Process

OSPF Information
- show ip route
- show ip ospf
- show ip ospf interface
- show ip ospf area 0.0.0.0
- show ip ospf database


Enterprise Routing - OSPF


Simple Configuration Process

show ip route

Router1>Router#show ip route
Codes: C-connected, S-static, R-RIP, B-BGP, O-OSPF, IA-OSPF interarea
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       E - EGP, i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2
       * - candidate default, U - per-user static route, o - ODR

S     111.1.3.0/24   [20/0] via 10.1.1.2, Vlan 11
S     111.1.2.0/24   [20/0] via 10.1.1.2, Vlan 11
S     111.1.1.0/24   [20/0] via 10.1.1.2, Vlan 11
O IA  30.1.3.0/24    [110/40] via 10.1.2.2, Vlan 12
O IA  30.1.2.0/24    [110/40] via 10.1.2.2, Vlan 12
O IA  30.1.1.0/24    [110/40] via 10.1.2.2, Vlan 12
C     20.1.3.0/24    [0/1] directly connected, Vlan 11
C     20.1.2.0/24    [0/1] directly connected, Vlan 11
C     20.1.1.0/24    [0/1] directly connected, Vlan 11
O IA  10.3.2.0/24    [110/30] via 10.1.2.2, Vlan 12
O IA  10.2.1.0/24    [110/20] via 10.1.2.2, Vlan 12
O IA  10.3.1.0/24    [110/40] via 10.1.2.2, Vlan 12
C     10.1.2.0/24    [0/1] directly connected, Vlan 12
C     10.1.1.0/24    [0/1] directly connected, Vlan 11

Enterprise Routing - OSPF


Advanced Configuration Process

Redistribute Routes

Router1>Router(config)# router ospf 10
Router1>Router(config-router)# redistribute static metric 22 subnets
Router1>Router(config-router)# exit
Router1>Router(config)#

- metric 22: the new path cost
- subnets: include all subnets


Enterprise Routing - OSPF


Simple Configuration Process

Setting the Router ID to the loopback address

Router1>Router(config)# interface loopback 2
Router1>Router(config-if(Lpbk 2))# ip address 1.1.1.1 255.255.255.255
Router1>Router(config-if(Lpbk 2))# no shutdown
Router1>Router(config-if(Lpbk 2))# exit
Router1>Router(config)# router id 1.1.1.1


Enterprise Routing - OSPF


Simple Configuration Process

Set the Designated Router priority

All Others
Router1>Router(config)# interface vlan 12
Router1>Router(config-if(Vlan 12))# ip ospf priority 100
Router1>Router(config-if(Vlan 12))# exit

Matrix X
Router1>Router(config)# network ospf 10
Router1>Router(config-router-ospf)# ip ospf priority 100
Router1>Router(config-router-ospf)# exit


Enterprise Routing - OSPF


Advanced Configuration Process

Summarization

Router1>Router(config)# router ospf 10
Router1>Router(config-router)# area 0.0.0.1 range 20.1.0.0 255.255.0.0
Router1>Router(config-router)# exit


Enterprise Routing - OSPF


Simple Configuration Process

Setup Authentication (Simple)

C2/C3
Router1>Router(config)# interface vlan 12
Router1>Router(config-if(Vlan 12))# ip ospf authentication-key redsox

Matrix X
Router1>Router(config)# interface vlan 12
Router1>Router(config-if(Vlan 12))# ip ospf authentication simple redsox

All Others
Router1>Router(config)# router ospf 10
Router1>Router(config-router)# area 0.0.0.1 authentication simple
Router1>Router(config-router)# exit

Router1>Router(config)# interface vlan 12
Router1>Router(config-if(Vlan 12))# ip ospf authentication redsox
Router1>Router(config-if(Vlan 12))# exit

Enterprise Routing - OSPF


Simple Configuration Process

Setup Authentication (MD5)

Matrix X and C2/C3
Router3(rw)->Router1(config)# interface vlan 32
Router3(rw)->Router1(config-if(Vlan 32))# ip ospf message-digest-key 22 md5 pats05
Router3(rw)->Router1(config-if(Vlan 32))# exit

All Others
Router3(rw)->Router1(config)# router ospf 10
Router3(rw)->Router1(config-router)# area 0.0.0.2 authentication message-digest
Router3(rw)->Router1(config-router)# exit
Router3(rw)->Router1(config)# interface vlan 32
Router3(rw)->Router1(config-if(Vlan 32))# ip ospf message-digest-key 22 md5 pats05
Router3(rw)->Router1(config-if(Vlan 32))# exit
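Simple authentication carries the configured password unencrypted in the OSPF header, whereas the message-digest configuration above appends a keyed MD5 digest plus a sequence number to every packet. The following added example (not Enterasys code) builds and verifies such a packet following RFC 2328 Appendix D, using the slide's key ID 22 and key pats05; the packet body is a constructed placeholder.

```python
# Added example (not Enterasys code): OSPF Cryptographic authentication
# (AuType 2, MD5) per RFC 2328 Appendix D. Key ID 22 and key "pats05" are the
# slide's values; the payload used when testing is a constructed placeholder.
import hashlib
import hmac
import struct

def ospf_header(ptype, router_id, area_id, length, auth_type, auth_field):
    """OSPFv2 24-byte header; the checksum field is 0 when AuType 2 is used."""
    return struct.pack("!BBH4s4sHH8s", 2, ptype, length, router_id, area_id,
                       0, auth_type, auth_field)

def md5_auth_packet(router_id, area_id, payload, key_id, key, seq):
    """Build a Hello (type 1) with the 16-byte digest appended. The 64-bit
    auth field carries key ID, digest length and the anti-replay sequence
    number; the digest is not counted in the OSPF length field."""
    length = 24 + len(payload)
    auth_field = struct.pack("!HBBI", 0, key_id, 16, seq)
    pkt = ospf_header(1, router_id, area_id, length, 2, auth_field) + payload
    # The key, zero-padded to 16 bytes, is appended only for the digest.
    digest = hashlib.md5(pkt + key.ljust(16, b"\0")).digest()
    return pkt + digest

def verify_md5_auth(packet, keys, last_seq):
    """Receiver side: check key ID, lengths, sequence number and digest.
    `keys` maps key ID -> key. Returns the accepted sequence number, or
    None when the packet must be discarded."""
    if len(packet) < 40:
        return None
    length = struct.unpack("!H", packet[2:4])[0]
    auth_type = struct.unpack("!H", packet[14:16])[0]
    _, key_id, auth_len, seq = struct.unpack("!HBBI", packet[16:24])
    if auth_type != 2 or auth_len != 16 or len(packet) != length + 16:
        return None
    key = keys.get(key_id)
    if key is None or seq < last_seq:       # unknown key or replayed packet
        return None
    body, digest = packet[:length], packet[length:]
    expected = hashlib.md5(body + key.ljust(16, b"\0")).digest()
    # Constant-time compare so the check does not leak digest bytes via timing
    return seq if hmac.compare_digest(digest, expected) else None
```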



Enterprise Routing
ACL Configurations

Enterprise Routing ACLs


Module Topics

- Access Control Lists
- Policy Based Routing


ESE Enterprise Routing ACLs


Basic IP ACLs - Access Control List (ACL) Configuration

Enterasys routers support the configuration of both standard and extended ACLs.
A standard ACL supports traffic control based on only the source IP address. An extended ACL supports traffic control based on both the source and destination IP address, as well as protocol and layer 4 port. All ACLs are set with an implicit deny all rule as the last rule upon ACL creation.

ACLs may be created in two different ways

1. Numbered ACL Configuration
   ACL rules are added and deleted to an ACL group through CLI commands from router configuration CLI mode.
2. Named ACL Configuration (Matrix X only)
   ACL rules are added, deleted, and re-sequenced in an ACL group from the router's ACL configuration CLI mode.


ESE Enterprise Routing ACLs


Access Control List (ACL) Configuration

- An ACL filters traffic to permit or deny on a packet basis
- Support for inbound or outbound filtering based on platform

Configuration Limits
- Only one ACL, standard or extended, may be statically applied per interface.
- An ACL can contain up to a set maximum number of rules plus the implicit deny all rule.
- ACL rules are added and deleted to an ACL group through CLI commands from router configuration CLI mode.
- On Matrix X, each layer 2 classification rule configured on an IOM subtracts from the total number of supported layer 3 ACLs


ESE Enterprise Routing ACLs


ACL Configuration

Standard ACL rule creation
SecureStackC2(su)->router(Config)# access-list number {deny | permit} <src-addr>

Example:
SecureStackC2(su)->router(Config)# access-list 15 deny 172.158.12.23

Valid number values are between 1 and 99 for standard ACLs.

Extended ACL rule creation

For TCP or UDP with source and destination IP addresses
SecureStackC2(su)->router(Config)# access-list number {deny | permit} {tcp | udp} <src-addr> eq port <dst-addr>

Example:
SecureStackC2(su)->router(Config)# access-list 108 deny tcp 10.1.2.0 0.0.0.255 eq 80 any

For just source and destination IP addresses
SecureStackC2(su)->router(Config)# access-list number {deny | permit} ip <src-addr> <dst-addr>

Example:
SecureStackC2(su)->router(Config)# access-list 101 permit ip any any

Valid number values are between 100 and 199 for extended ACLs.
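The reverse (wildcard) mask used by the OSPF `network ... area` statement earlier in the module is the same match an ACL applies to addresses. As an added example (not Enterasys code), the evaluator below parses the C2/C3 standard and extended rule forms shown on this slide, matches with wildcard masks, and ends every ACL with the implicit deny-all rule; the parser, evaluator and sample packets are constructed for this example.

```python
# Added example (not Enterasys code): wildcard-mask matching plus a minimal
# evaluator for the C2/C3 ACL rule forms on the slide, including the implicit
# deny-all rule. Parser and evaluator are constructed for this example.
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")    # address spec: (base, wildcard)

def wildcard_match(addr, spec):
    """Reverse-mask match: a wildcard bit of 1 means 'do not care'."""
    base, wildcard = spec
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)

def take_addr(t):
    """Consume 'any' | 'host A' | 'A WILDCARD' | 'A' (bare host address)."""
    if t[0] == "any":
        return ANY, t[1:]
    if t[0] == "host":
        return (t[1], "0.0.0.0"), t[2:]
    if len(t) > 1 and t[1][0].isdigit():
        return (t[0], t[1]), t[2:]
    return (t[0], "0.0.0.0"), t[1:]

def parse_rule(line):
    """Parse 'access-list N {deny|permit} [proto] src [eq port] [dst]'."""
    t = line.split()
    number, action, t = int(t[1]), t[2], t[3:]
    rule = {"acl": number, "action": action, "proto": "ip", "sport": None, "dst": ANY}
    if number >= 100:                    # extended ACL: protocol comes first
        rule["proto"], t = t[0], t[1:]
    rule["src"], t = take_addr(t)
    if t and t[0] == "eq":
        rule["sport"], t = int(t[1]), t[2:]
    if t:
        rule["dst"], t = take_addr(t)
    return rule

def evaluate(rules, pkt):
    """First matching rule wins; a packet matching nothing hits the implicit deny."""
    for r in rules:
        if r["proto"] not in ("ip", pkt["proto"]):
            continue
        if r["sport"] is not None and r["sport"] != pkt["sport"]:
            continue
        if wildcard_match(pkt["src"], r["src"]) and wildcard_match(pkt["dst"], r["dst"]):
            return r["action"]
    return "deny"
```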


ESE Enterprise Routing ACLs


Matrix X ACL Configuration - Numbered ACL Configuration

Standard ACL rule creation
matrix-x(router-config)# access-list number [sequence seq_value] {deny | permit} {ip4_addr wildcard | any | host ip4_addr}
Valid number values are between 1 and 99 for standard ACLs.

Extended ACL rule creation

For TCP:
matrix-x(router-config)# access-list number {deny | permit} tcp {src_ip4_addr wildcard | any | host ip4_addr} [eq|gt|lt|neq|{range int} int] {dst_ip4_addr wildcard | any | host ip4_addr} [eq|gt|lt|neq|{range int} int] [established] [precedence prec] [tos tos] [dscp dscp]

Additional extended ACLs can be created with specification of SIP, DIP, precedence, TOS and DSCP field settings and:
- Any IP Protocol
- UDP ports
- ICMP type and code
- All IP Protocols
- IP in IP Protocol

Valid number values are between 100 and 199 for extended ACLs.


ESE Enterprise Routing ACLs


Applying ACLs

SecureStack C2/C3
- ACLs can only be applied to packets inbound on IP interfaces.
- ACLs are applied to VLAN-based IP interfaces.
- To apply an access list to an interface, use the following commands from the router interface configuration mode
  router(Config)# interface vlan vlan-id
  router(Config-if(Vlan id))# ip access-group number in
- To remove an ACL from an interface
  router(Config-if(Vlan id))# no ip access-group number in
- Rule changes take effect immediately


ESE Enterprise Routing ACLs


ACL Configuration

Amending ACL rules
- To change a rule use
  ...# access-list number replace number <rule...>
- To create a rule out of sequence
  ...# access-list number insert number <rule...>
- To reorder a rule or group of rules by moving them before a specific rule
  ...# access-list number move number number [ number ]

Removing ACL rules
- Remove the ACL and all its rules
  ...# no access-list acl-number
- Remove a specific rule in an ACL
  ...# no access-list acl-number rule#
- Remove a range of rules in an ACL
  ...# no access-list acl-number rule# rule#


ESE Enterprise Routing ACLs


Display Configured Access Lists

Displaying ACLs
To display the current ACLs configured on the SecureStack C2/C3, use the following command from router mode:
SecureStackC2(su)->router> show access-lists [number]

Example:
SecureStackC2(su)->router> show access-lists
Standard IP access-list 10
1: permit 192.168.100.0 0.0.0.255
2: permit 192.168.200.0 0.0.0.255
3: permit host 192.168.30.1
4: deny 192.168.0.0 0.0.255.255
5: deny 172.16.0.0 0.0.255.255
6: permit any
Extended IP access list 110
1: permit tcp host 10.1.2.3 eq 17 any
2: deny udp host 14.9.123.52 eq 512 14.0.0.0 0.255.255.255
3: permit tcp host 125.34.12.4 eq 25 host 15.23.19.3


ESE Enterprise Routing ACLs


Additional Product Information

Access Control Lists filter incoming IP packets based upon specified characteristics

Enterasys Platform Support of Access List

Platform                    Max ACL Rules   Maximum Rules per group
Matrix N-series Platinum *  5,000           999
Matrix N-series Gold *      1,000           999
Matrix E1                   1,000           999
SecureStack C2 / C3         100             9
Matrix X                    32,000          2,048

[Table also marked, per platform, support for Access-List Standard, Access-List Extended, Interface Inbound and Interface Outbound; the marks were not preserved in extraction]

* Requires advanced routing features software license.

Depending on the product, ACLs may be applied as access groups either inbound, outbound or both
- Example DFE Configuration:
  access-list 100 permit udp 171.1.0.0 0.0.0.255 host 140.2.1.10 range 161 162
  interface vlan 92
  ip address 171.1.0.1 255.255.255.0
  ip access-group 100 in
  ip access-group 100 out