Erik Auerswald | 18 May 14:34 2015

Re: Fwd: XSR - VPN

Hi,

both end points have static (and official) IP addresses in my setup.
The "isakmp peer" IP address defines the peer router. It might be possible
to use a range of IP addresses there. This IP address defines the VPN
configuration to use.

In my setup both sides are practically identical, just the ACL 100 has
swapped source and destination ranges.

The XSRs support a simplified VPN setup for dynamic clients, but I have
never configured this.

Erik

On Mon, May 18, 2015 at 02:24:04PM +0200, Frank Miller wrote:
> Hi,
> 
> what is the IP-address 131.246.223.129 in your sample?
> 
> we have one dynamic and one static address...
> 
> it's possible to give me a sample-config for each site?
> 
> Thanks
> Frank Miller
> 
> 2015-05-18 11:20 GMT+02:00 Erik Auerswald <auerswald <at> fg-networking.de>:
> 
> > Hi,

Frank Miller | 18 May 14:24 2015

Re: Fwd: XSR - VPN

Hi,

what is the IP-address 131.246.223.129 in your sample?

we have one dynamic and one static address...

it's possible to give me a sample-config for each site?

Thanks
Frank Miller

2015-05-18 11:20 GMT+02:00 Erik Auerswald <auerswald <at> fg-networking.de>:
Hi,

the XSR configuration is very similar to Cisco IOS routers. For a basic
IPsec VPN (with NAT traversal) you can orient yourself on any Cisco
configuration you find on the net.

A basic config from software version 7.5.0.0 looks as follows (no NAT-T):
[This connects the networks 172.28.0.0/17 and 172.29.0.0/17.]

--- snip ---

!ACCESS-LIST
access-list 100 permit ip   172.28.0.0 0.0.127.255 172.29.0.0 0.0.127.255

!IKE
crypto isakmp proposal AES-PSK
authentication pre-share
encryption aes
group 5
lifetime 3600

crypto isakmp peer 131.246.223.129 255.255.255.255
proposal AES-PSK

!IPSEC
crypto ipsec transform-set AES-PSK esp-aes esp-sha-hmac
set pfs group2
no set security-association lifetime kilobytes

crypto map LAB 10
set transform-set AES-PSK
match address 100
set peer <IP_ADDRESS>

aaa user <IP_ADDRESS>
password <PASSWORD>

!INTERFACE AND SUB-INTERFACE
interface FastEthernet1
crypto map LAB

--- snip ---

HTH,
Erik
--
Dipl.-Inform. Erik Auerswald         http://www.fg-networking.de/
auerswald <at> fg-networking.de T:+49-631-4149988-0 M:+49-176-64228513

Gesellschaft für Fundamental Generic Networking mbH
Geschäftsführung: Volker Bauer, Jörg Mayer
Gerichtsstand: Amtsgericht Kaiserslautern - HRB: 3630

On Mon, May 18, 2015 at 10:07:52AM +0200, Frank Miller wrote:
> Hi Everyone,
>
> we try to establish a VPN connection between two XSR-1805 (FW:
> 7.6.13.0007 with VPN and FW):
>
> - one XSR with a public IP address (e.g. 213.141.213.x)
> - one XSR with a private IP address behind an ISP router (e.g. 171.121.1.x)
>
> Does anyone have a manual or a sample config with step-by-step instructions?
> [?]
>
> Thanks
>
> Frank Miller
>
> ---
> To unsubscribe from enterasys, send email to listserv <at> unc.edu with the body: unsubscribe enterasys auerswald <at> fg-networking.de

Erik Auerswald | 18 May 11:20 2015

Re: Fwd: XSR - VPN

Hi,

the XSR configuration is very similar to Cisco IOS routers. For a basic
IPsec VPN (with NAT traversal) you can orient yourself on any Cisco
configuration you find on the net.

A basic config from software version 7.5.0.0 looks as follows (no NAT-T):
[This connects the networks 172.28.0.0/17 and 172.29.0.0/17.]

--- snip ---

!ACCESS-LIST
access-list 100 permit ip   172.28.0.0 0.0.127.255 172.29.0.0 0.0.127.255

!IKE    
crypto isakmp proposal AES-PSK
authentication pre-share
encryption aes
group 5
lifetime 3600

crypto isakmp peer 131.246.223.129 255.255.255.255
proposal AES-PSK

!IPSEC
crypto ipsec transform-set AES-PSK esp-aes esp-sha-hmac
set pfs group2
no set security-association lifetime kilobytes

crypto map LAB 10
set transform-set AES-PSK
match address 100
set peer <IP_ADDRESS>

aaa user <IP_ADDRESS>
password <PASSWORD>

!INTERFACE AND SUB-INTERFACE
interface FastEthernet1
crypto map LAB

--- snip ---

HTH,
Erik
-- 
Dipl.-Inform. Erik Auerswald         http://www.fg-networking.de/
auerswald <at> fg-networking.de T:+49-631-4149988-0 M:+49-176-64228513

Gesellschaft für Fundamental Generic Networking mbH
Geschäftsführung: Volker Bauer, Jörg Mayer
Gerichtsstand: Amtsgericht Kaiserslautern - HRB: 3630

On Mon, May 18, 2015 at 10:07:52AM +0200, Frank Miller wrote:
> Hi Everyone,
> 
> we try to establish a VPN connection between two XSR-1805 (FW:
> 7.6.13.0007 with VPN and FW):
> 
> - one XSR with a public IP address (e.g. 213.141.213.x)
> - one XSR with a private IP address behind an ISP router (e.g. 171.121.1.x)
> 
> Does anyone have a manual or a sample config with step-by-step instructions?
> [?]
> 
> Thanks
> 
> Frank Miller

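The thread notes that both routers carry the same configuration except that ACL 100 has its source and destination ranges swapped. The following Python sketch is an added example, not part of any poster's message: it derives the peer-side ACL line from the one posted above and checks that two ACL lines are exact mirrors, since both ends must agree on which traffic the tunnel protects. It assumes the Cisco-style `access-list <n> permit ip <addr> <wildcard> <addr> <wildcard>` syntax shown in the sample config; all function names are hypothetical.

```python
import ipaddress
import re

# Site A's crypto ACL exactly as posted in the thread.
SITE_A_ACL = "access-list 100 permit ip   172.28.0.0 0.0.127.255 172.29.0.0 0.0.127.255"

ACL_RE = re.compile(
    r"^access-list\s+(?P<num>\d+)\s+(?P<action>permit|deny)\s+ip\s+"
    r"(?P<src>\S+)\s+(?P<src_wc>\S+)\s+(?P<dst>\S+)\s+(?P<dst_wc>\S+)\s*$"
)

def wildcard_to_network(addr, wildcard):
    """Turn 'address wildcard' into an IPv4Network, rejecting sloppy input."""
    wc = int(ipaddress.IPv4Address(wildcard))
    # A usable wildcard is a run of low one-bits, so wc + 1 is a power of two.
    if wc & (wc + 1):
        raise ValueError(f"non-contiguous wildcard mask: {wildcard}")
    # strict=True raises ValueError if the address has host bits set.
    return ipaddress.IPv4Network((addr, 32 - wc.bit_length()), strict=True)

def parse_acl(line):
    """Return (number, action, source network, destination network)."""
    m = ACL_RE.match(line.strip())
    if not m:
        raise ValueError(f"unsupported ACL line: {line!r}")
    return (int(m["num"]), m["action"],
            wildcard_to_network(m["src"], m["src_wc"]),
            wildcard_to_network(m["dst"], m["dst_wc"]))

def mirror_acl(line):
    """Build the peer router's ACL line: same rule, source/destination swapped."""
    num, action, src, dst = parse_acl(line)
    return (f"access-list {num} {action} ip "
            f"{dst.network_address} {dst.hostmask} "
            f"{src.network_address} {src.hostmask}")

def selectors_match(local_line, remote_line):
    """True when the remote ACL protects exactly the reverse of the local one."""
    _, l_action, l_src, l_dst = parse_acl(local_line)
    _, r_action, r_src, r_dst = parse_acl(remote_line)
    return l_action == r_action and (l_src, l_dst) == (r_dst, r_src)

if __name__ == "__main__":
    site_b = mirror_acl(SITE_A_ACL)
    print("site B:", site_b)
    print("mirrored:", selectors_match(SITE_A_ACL, site_b))
    # Constructed mistake: site B written with a /16 wildcard instead of /17.
    wrong = "access-list 100 permit ip 172.29.0.0 0.0.255.255 172.28.0.0 0.0.127.255"
    print("mismatch detected:", not selectors_match(SITE_A_ACL, wrong))
```
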

Frank Miller | 18 May 10:07 2015

Fwd: XSR - VPN

Hi Everyone,

we try to establish a VPN connection between two XSR-1805 (FW: 7.6.13.0007 with VPN and FW):

- one XSR with a public IP address (e.g. 213.141.213.x)
- one XSR with a private IP address behind an ISP router (e.g. 171.121.1.x)

Does anyone have a manual or a sample config with step-by-step instructions?

Thanks

Frank Miller 

James Andrewartha | 12 May 03:58 2015

Re: eduroam and NAC

On 12/05/15 09:54, James Andrewartha wrote:
> Has anyone here done eduroam with NAC? It looks pretty straightforward
> but I thought I'd ask to see if there's any gotchas, eg with domain
> stripping or similar.

Of course, seconds after posting I find
http://extrcdn.extremenetworks.com/wp-content/uploads/2014/07/IdentiFi-and-Eduroam-Roaming-Wireless-Service-Integration.pdf
however I'm still interested in hearing from anyone who's done it in
production.

Thanks,

-- 
James Andrewartha
Network & Projects Engineer
Christ Church Grammar School
Claremont, Western Australia
Ph. (08) 9442 1757
Mob. 0424 160 877

James Andrewartha | 12 May 03:54 2015

eduroam and NAC

Hi all,

Has anyone here done eduroam with NAC? It looks pretty straightforward
but I thought I'd ask to see if there's any gotchas, eg with domain
stripping or similar.

Thanks,

-- 
James Andrewartha
Network & Projects Engineer
Christ Church Grammar School
Claremont, Western Australia
Ph. (08) 9442 1757
Mob. 0424 160 877

Justice ANANABOUH YARO | 23 Mar 00:35 2015

Re: SYSLOG, Applications

Sheriff

On 9 Mar 2015 22:30, "Lucas Hazel" <Lucas.Hazel <at> une.edu.au> wrote:
ec-c3-c34s4(su)->show port trap
Link traps disabled on port ge.1.1.
Link traps disabled on port ge.1.2.
Link traps disabled on port ge.1.3.
Link traps disabled on port ge.1.4.
Link traps disabled on port ge.1.5.
Link traps disabled on port ge.1.6.
Link traps disabled on port ge.1.7.
Link traps disabled on port ge.1.8.
Link traps disabled on port ge.1.9.
Link traps disabled on port ge.1.10.
Link traps disabled on port ge.1.11.
Link traps disabled on port ge.1.12.
Link traps disabled on port ge.1.13.
Link traps disabled on port ge.1.14.
Link traps disabled on port ge.1.15.
Link traps disabled on port ge.1.16.
Link traps disabled on port ge.1.17.
Link traps disabled on port ge.1.18.
Link traps disabled on port ge.1.19.
Link traps disabled on port ge.1.20.
Link traps enabled  on port ge.1.21.
Link traps enabled  on port ge.1.22.
Link traps enabled  on port ge.1.23.
Link traps enabled  on port ge.1.24.

On 6 Mar 2015, at 12:11 pm, Jolyon Ansuz <Jolyon.Ansuz <at> une.edu.au> wrote:

Hello all,

I'm working on refining our syslog settings for switches across our network.

It's my intention to set the application System to seven to catch the interfaces going up and down. The conflicting information that I don't want is as below:

---8<-- snip ----------------------------------
ec-d2-c34s98(su)->set logging application System level 7
ec-d2-c34s98(su)->
<190>Mar  6 21:31:18     172.21.6.197-1 DTL[65189344]: ds_main.c(545) 1005 % dsPacketIntercept : creating a ds binding for vlan 1600 in interface 14
...
<190>Mar  6 21:31:27     172.21.6.197-1 DTL[65189344]: ds_main.c(545) 1014 % dsPacketIntercept : creating a ds binding for vlan 1601 in interface 14
<190>Mar  6 21:31:31     172.21.6.197-1 TRAPMGR[53608264]: traputil.c(466) 1015 % Link Down: Unit: 1 Slot: 0 Port: 11
<190>Mar  6 21:31:34     172.21.6.197-1 DTL[65189344]: ds_main.c(545) 1016 % dsPacketIntercept : creating a ds binding for vlan 1600 in interface 14
...
<190>Mar  6 21:31:39     172.21.6.197-1 DTL[65189344]: ds_main.c(545) 1026 % dsPacketIntercept : creating a ds binding for vlan 1604 in interface 14
---8<-- snip ----------------------------------

I'm using the below templates at the moment.

---8<-- snip ----------------------------------
# Clear any previous logging servers
clear logging server 1
clear logging server 2

# Set external logging servers, levels to be set according to application level requirements.
set logging server 1 ip-addr x.x.x.x facility local7 severity x descr 'syslog01' state enable
set logging server 2 ip-addr x.x.x.x facility local7 severity x descr 'syslog02' state enable

# Set default levels
set logging application all level 6

# Refine levels
set logging application CLIWEB level 5
set logging application SNMP level 4
set logging application STP level 7
set logging application Driver level 7
set logging application System level 6
set logging application Stacking level 5
set logging application UPN level 6
set logging application Router level 6
---8<-- snip ----------------------------------

Is anyone able to shed some light or share an example for/with me please?

Sincerely,

Jolyon Ansuz

Senior Network and Communications Administrator
Communications Infrastructure
Information Technology
University of New England
Armidale NSW 2351

P: +61 2 6773 3568
M: +61 412 735 836

"If you want something new, you have to stop doing something old.", Peter Drucker (IEEE)

This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system.

E-mail transmission cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses. The sender therefore does not accept liability for any errors or omissions in the contents of this message which arise as a result of e-mail transmission. If verification is required please request a hard-copy version.

"Most of the things worth doing in the world had been declared impossible before they were done.", Louis D. Brandeis



--
Lucas Hazel <lucas.hazel <at> une.edu.au>

Senior Network and Communications Administrator
Infrastructure Services Group

Information Technology
University of New England
Armidale NSW 2351

Phone  +61267732666
Mobile +61407569330

Lucas Hazel | 9 Mar 23:29 2015

Re: SYSLOG, Applications

ec-c3-c34s4(su)->show port trap
Link traps disabled on port ge.1.1.
Link traps disabled on port ge.1.2.
Link traps disabled on port ge.1.3.
Link traps disabled on port ge.1.4.
Link traps disabled on port ge.1.5.
Link traps disabled on port ge.1.6.
Link traps disabled on port ge.1.7.
Link traps disabled on port ge.1.8.
Link traps disabled on port ge.1.9.
Link traps disabled on port ge.1.10.
Link traps disabled on port ge.1.11.
Link traps disabled on port ge.1.12.
Link traps disabled on port ge.1.13.
Link traps disabled on port ge.1.14.
Link traps disabled on port ge.1.15.
Link traps disabled on port ge.1.16.
Link traps disabled on port ge.1.17.
Link traps disabled on port ge.1.18.
Link traps disabled on port ge.1.19.
Link traps disabled on port ge.1.20.
Link traps enabled  on port ge.1.21.
Link traps enabled  on port ge.1.22.
Link traps enabled  on port ge.1.23.
Link traps enabled  on port ge.1.24.

On 6 Mar 2015, at 12:11 pm, Jolyon Ansuz <Jolyon.Ansuz <at> une.edu.au> wrote:

Hello all,

I'm working on refining our syslog settings for switches across our network.

It's my intention to set the application System to seven to catch the interfaces going up and down. The conflicting information that I don't want is as below:

---8<-- snip ----------------------------------
ec-d2-c34s98(su)->set logging application System level 7
ec-d2-c34s98(su)->
<190>Mar  6 21:31:18     172.21.6.197-1 DTL[65189344]: ds_main.c(545) 1005 % dsPacketIntercept : creating a ds binding for vlan 1600 in interface 14
...
<190>Mar  6 21:31:27     172.21.6.197-1 DTL[65189344]: ds_main.c(545) 1014 % dsPacketIntercept : creating a ds binding for vlan 1601 in interface 14
<190>Mar  6 21:31:31     172.21.6.197-1 TRAPMGR[53608264]: traputil.c(466) 1015 % Link Down: Unit: 1 Slot: 0 Port: 11
<190>Mar  6 21:31:34     172.21.6.197-1 DTL[65189344]: ds_main.c(545) 1016 % dsPacketIntercept : creating a ds binding for vlan 1600 in interface 14
...
<190>Mar  6 21:31:39     172.21.6.197-1 DTL[65189344]: ds_main.c(545) 1026 % dsPacketIntercept : creating a ds binding for vlan 1604 in interface 14
---8<-- snip ----------------------------------

I'm using the below templates at the moment.

---8<-- snip ----------------------------------
# Clear any previous logging servers
clear logging server 1
clear logging server 2

# Set external logging servers, levels to be set according to application level requirements.
set logging server 1 ip-addr x.x.x.x facility local7 severity x descr 'syslog01' state enable
set logging server 2 ip-addr x.x.x.x facility local7 severity x descr 'syslog02' state enable

# Set default levels
set logging application all level 6

# Refine levels
set logging application CLIWEB level 5
set logging application SNMP level 4
set logging application STP level 7
set logging application Driver level 7
set logging application System level 6
set logging application Stacking level 5
set logging application UPN level 6
set logging application Router level 6
---8<-- snip ----------------------------------

Is anyone able to shed some light or share an example for/with me please?

Sincerely,

Jolyon Ansuz

Senior Network and Communications Administrator
Communications Infrastructure
Information Technology
University of New England
Armidale NSW 2351

P: +61 2 6773 3568
M: +61 412 735 836

"If you want something new, you have to stop doing something old.", Peter Drucker (IEEE)

This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system.

E-mail transmission cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses. The sender therefore does not accept liability for any errors or omissions in the contents of this message which arise as a result of e-mail transmission. If verification is required please request a hard-copy version.

"Most of the things worth doing in the world had been declared impossible before they were done.", Louis D. Brandeis



--
Lucas Hazel <lucas.hazel <at> une.edu.au>

Senior Network and Communications Administrator
Infrastructure Services Group

Information Technology
University of New England
Armidale NSW 2351

Phone  +61267732666
Mobile +61407569330
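
The thread above is about keeping the `Link Down` lines that appear at System level 7 while discarding the `dsPacketIntercept` lines that arrive with them. As an added example (not from any poster, and not a switch-side setting), this Python sketch does the separation on the collector: it parses the message format quoted in the thread, decodes the PRI value, and returns only link state events. The `Link Up` wording is assumed to mirror the `Link Down` line shown; field and function names are hypothetical.

```python
import re
from collections import Counter

# Switch output quoted in the thread (lines elided there with "..." are omitted).
SAMPLE = """\
<190>Mar  6 21:31:18     172.21.6.197-1 DTL[65189344]: ds_main.c(545) 1005 % dsPacketIntercept : creating a ds binding for vlan 1600 in interface 14
<190>Mar  6 21:31:27     172.21.6.197-1 DTL[65189344]: ds_main.c(545) 1014 % dsPacketIntercept : creating a ds binding for vlan 1601 in interface 14
<190>Mar  6 21:31:31     172.21.6.197-1 TRAPMGR[53608264]: traputil.c(466) 1015 % Link Down: Unit: 1 Slot: 0 Port: 11
<190>Mar  6 21:31:34     172.21.6.197-1 DTL[65189344]: ds_main.c(545) 1016 % dsPacketIntercept : creating a ds binding for vlan 1600 in interface 14
<190>Mar  6 21:31:39     172.21.6.197-1 DTL[65189344]: ds_main.c(545) 1026 % dsPacketIntercept : creating a ds binding for vlan 1604 in interface 14
"""

# Standard syslog facility and severity names, indexed by numeric code.
FACILITIES = ("kern user mail daemon auth syslog lpr news uucp cron authpriv ftp "
              "ntp audit alert clock local0 local1 local2 local3 local4 local5 "
              "local6 local7").split()
SEVERITIES = "emerg alert crit err warning notice info debug".split()

LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<host>\S+)\s+"
    r"(?P<component>\w+)\[(?P<task>\d+)\]:\s+"
    r"(?P<src>\S+)\((?P<line>\d+)\)\s+(?P<seq>\d+)\s+%\s+(?P<msg>.*)$"
)
# "Link Up" is assumed to use the same layout as the "Link Down" line.
LINK_RE = re.compile(
    r"^Link (?P<state>Up|Down): Unit: (?P<unit>\d+) Slot: (?P<slot>\d+) Port: (?P<port>\d+)"
)

def decode_pri(pri):
    """Split a syslog PRI value into (facility name, severity name)."""
    facility, severity = divmod(pri, 8)
    return FACILITIES[facility], SEVERITIES[severity]

def parse_line(line):
    """Parse one switch syslog line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["facility"], rec["severity"] = decode_pri(int(rec["pri"]))
    return rec

def link_events(text):
    """Return only the link up/down events, dropping everything else."""
    events = []
    for line in text.splitlines():
        rec = parse_line(line)
        link = rec and LINK_RE.match(rec["msg"])
        if link:
            events.append({"ts": rec["ts"], "host": rec["host"], "state": link["state"],
                           "unit": int(link["unit"]), "slot": int(link["slot"]),
                           "port": int(link["port"])})
    return events

def component_counts(text):
    """Count parsed lines per emitting component, to see where the volume comes from."""
    return Counter(r["component"] for r in map(parse_line, text.splitlines()) if r)
```

PRI 190 decodes to `local7.info`, which matches the `facility local7` setting in the template quoted above.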

Mir Anjum | 9 Mar 09:54 2015

RE: WCCP in N7

Thanks a lot, let me check both on ENS

-----Original Message-----
From: Erik Auerswald [mailto:auerswald <at> fg-networking.de] 
Sent: 09 March 2015 11:52
To: Enterasys Customer Mailing List
Subject: Re: [enterasys] WCCP in N7

Hi,

On Mon, Mar 09, 2015 at 08:40:10AM +0000, Mir Anjum wrote:
> WCCP method in Enterasys N7 if not any other method for traffic 
> redirection

Did you ask a question?

Perhaps you want to look into TWCB (Transparent Web Cache Balancing) or LSNAT (Load Sharing Network
Address Translation). There are feature guides available in addition to the configuration guide and
command reference via the Extreme Networks web site.

HTH,
Erik
-- 
Dipl.-Inform. Erik Auerswald         http://www.fg-networking.de/
auerswald <at> fg-networking.de T:+49-631-4149988-0 M:+49-176-64228513

Gesellschaft für Fundamental Generic Networking mbH
Geschäftsführung: Volker Bauer, Jörg Mayer
Gerichtsstand: Amtsgericht Kaiserslautern - HRB: 3630


Erik Auerswald | 9 Mar 09:51 2015

Re: WCCP in N7

Hi,

On Mon, Mar 09, 2015 at 08:40:10AM +0000, Mir Anjum wrote:
> WCCP method in Enterasys N7 if not any other method for traffic redirection

Did you ask a question?

Perhaps you want to look into TWCB (Transparent Web Cache Balancing) or
LSNAT (Load Sharing Network Address Translation). There are feature guides
available in addition to the configuration guide and command reference via
the Extreme Networks web site.

HTH,
Erik
-- 
Dipl.-Inform. Erik Auerswald         http://www.fg-networking.de/
auerswald <at> fg-networking.de T:+49-631-4149988-0 M:+49-176-64228513

Gesellschaft für Fundamental Generic Networking mbH
Geschäftsführung: Volker Bauer, Jörg Mayer
Gerichtsstand: Amtsgericht Kaiserslautern - HRB: 3630


Mir Anjum | 9 Mar 09:40 2015

WCCP in N7

WCCP method in Enterasys N7 if not any other method for traffic redirection  
