This chapter describes how to configure the Internet Protocol (IP). It includes the following sections:
This section outlines the initial steps required to get the IP protocol up and running. Details about making further configuration changes are covered in other sections of this chapter. Details about individual configuration commands are covered in the command section of this chapter. The following list outlines the initial configuration tasks to bring up IP on the router. After completing these tasks, you must restart the router for the new configuration to take effect.
Use the IP configuration add address command to assign IP addresses to the network interfaces. The arguments for this command include the interface number (obtained from the Config> list devices command) and the IP address with its associated address mask.
In the following example, network interface 2 has been assigned the address 128.185.123.22 with the associated address mask 255.255.255.0 (using the third byte for subnetting).
IP config> add address 2 128.185.123.22 255.255.255.0
Multiple IP addresses can be assigned to a single network interface.
By default the IP addresses assigned to the network interfaces must each be in a different network or subnet. The enable same-subnet command removes the restriction.
IP allows you to use a serial line interface for IP traffic without assigning a real IP address to the line. However, you must still assign each serial line a pseudo IP address; this address is used by the router to refer to the interface but is never used externally. Use the add address command to assign the serial line an address of the form 0.0.0.n, where n is the interface number (again obtained from the Config> list devices command). This address format tells the router that the interface in question is an unnumbered serial line.
To enable IP on serial-line interface number 2 without assigning the interface an IP address, use the following command:
IP config> add address 2 0.0.0.2
Dynamic Address can be used to identify an interface that will learn its IP address from the remote end of a Point-to-Point Protocol (PPP) link using Internet Protocol Control Protocol (IPCP). The interface must first be added as an unnumbered serial line (0.0.0.n). At the time of IPCP completion IP will be notified and the negotiated IP address will be installed on the specified interface. To enable Dynamic Address, use the following steps:
PPP 3 Config>set ipcp IP COMPRESSION [no]: Request an IP address [no]: yes Interface remote IP address to offer if requested (0.0.0.0 for none) [0.0.0.0]?
IP config>add address Which net is this address for [0]? 3 New address []? 0.0.0.3 Address mask [0.0.0.0]? 255.255.255.255
IP config>enable dynamic-address
Interface address []? 0.0.0.3
IP config>list address
IP addresses for each interface:
intf 0 192.168.8.1 255.255.255.0 Local wire broadcast, fill 1
intf 1 IP disabled on this interface
intf 2 IP disabled on this interface
intf 3 0.0.0.3 255.255.255.0 Local wire broadcast, fill 1
DYNAMIC-ADDRESS Enabled
The 2210 routes IP packets on the network interfaces to which IP addresses are assigned (routing interfaces) and bridges IP packets on the network interfaces on which bridging is configured, but on which no IP address is assigned (bridging interfaces). The 2210 can receive IP datagrams from the bridging interfaces, send IP datagrams to the bridging interfaces, and route IP packets between the bridging interfaces and the routing interfaces. You can enable these functions on the 2210 by adding one or more IP addresses to the Bridge Network Interface. The Bridge Network Interface is a logical interface that connects IP to the bridged network to which the 2210 is connected.
To add IP addresses to the Bridge Network Interface, use the add address command, specifying bridge as the network interface:
IP config> add address bridge ip-address ip-address-mask
This command does not assign an IP address to any individual bridging interface but, in effect, to all of the bridging interfaces.
Assigning IP addresses to the Bridge Network Interface can free up one of the physical network interfaces (physical ports) on the 2210. To understand this, first consider Figure 28, which illustrates an IP internetwork with separate devices performing the router and bridge functions. LAN 2 and LAN 3 are connected by the bridge to form a bridged network; to the router, this bridged network is a single IP subnet defined by the IP address 9.67.5.1 and the mask 255.255.255.0.
Figure 28. Routing to a Bridged Network-Alternative 1
Figure 29 illustrates the same internetwork with the router and bridge functions merged into a single device. In this figure, the router still has its own physical network interface (Interface 2) to the bridged network.
Figure 29. Routing to a Bridged Network-Alternative 2
Finally, in Figure 30, the physical network interface of the router to the bridged network is replaced by the Bridge Network Interface, which is an internal interface. This is the same internetwork illustrated in Figures Figure 28 and Figure 29, but the router no longer requires its own physical network interface to the bridged network.
Figure 30. Routing to a Bridged Network-Alternative 3
| Note: | If IP addresses are configured on the bridge network interface, you cannot configure IP addresses on any token-ring interface on which source route bridging is configured. |
This is an IP address that is independent of the state of any interface and is set without reference to any interface. Some IP configurations require it. See the command set internal-IP-address on page *** for more information.
Use the following procedures to enable dynamic routing on the router. The router software supports OSPF, RIPv1, and RIPv2 for interior gateway protocols (IGPs) as well as BGP, which is an external gateway protocol.
All routing protocols can run simultaneously. However, most routers will probably run only a single routing protocol (one of the IGPs). The OSPF protocol is recommended because of its robustness and the additional IP features (such as equal-cost multipath and variable-length subnets) that it supports.
The routing table size determines the number of entries in the routing table from all sources, including dynamic routing protocols and static routes. The default size is 768 entries.
To change the size of the routing table, use the set routing table-size configuration command. Setting the routing table size too small results in routes being discarded. Setting it too large results in inefficient use of memory resources. After operation, use the console dump command to view the contents of the table and then adjust the size as necessary, allowing some room for expansion.
OSPF configuration is done via its own configuration console (entered via the Config> protocol ospf command). To enable OSPF, use the following command:
OSPF Config> enable OSPF
After enabling the OSPF protocol, you are prompted for size estimates for the OSPF link state database. This gives the router some idea how much memory must be reserved for OSPF. You must supply the following two values that will be used to estimate the size of the OSPF link state database:
Enter these values at the following prompts (sample values have been provided):
OSPF Config> enable ospf
Estimated # external routes[0]? 200
Estimated # OSPF routers [50]? 60
Maximum LSA size [2048]?
Next, configure each IP interface that is to participate in OSPF routing. To configure an IP interface for OSPF, use the following command:
OSPF Config> set interface
You are prompted to enter a series of operating parameters. Each interface is assigned a cost as well as other OSPF operating parameters.
When running other IP routing protocols besides OSPF, you may want to enable the exchange of routes between OSPF and the other protocols. To do this, use the following command:
OSPF Config> enable AS-boundary-routing
For more information on the OSPF configuration process, see "Using OSPF".
This section describes how to initially configure the RIP protocol. When configuring the RIP protocol, you can specify which set of routes the router will advertise and/or accept on each IP interface.
RIP is not supported on X.25 or on native ATM (RFC 1577) network interfaces. For these types of interfaces, use OSPF instead of RIP for an interior gateway protocol (IGP). RIP is supported on ATM LAN Emulation network interfaces.
First, enable the RIP protocol with the following command:
IP config> enable RIP
When RIP is enabled, the following default behavior is established:
To change any of the default sending/receiving behaviors, use the following IP configuration commands, which are defined on a per-IP-interface basis.
IP config> enable/disable sending net-routes
IP config> enable/disable sending subnet-routes
IP config> enable/disable sending static-routes
IP config> enable/disable sending host-routes
IP config> enable/disable sending default-routes
IP config> enable/disable receiving rip
IP config> enable/disable receiving dynamic nets
IP config> enable/disable receiving dynamic subnets
IP config> enable/disable receiving host-routes
IP config> enable/disable override default
IP config> enable/disable override static-routes
IP config> set originate-rip-default
| Note: | These commands are not displayed when IP routing policies are configured. See Route Filtering With Policies for more information. |
The BGP protocol is enabled from its own configuration prompt, BGP Config> For more information about configuring BGP, refer to the discussion on using and configuring BGP4 in Protocol Configuration and Monitoring Reference Volume 1.
This procedure is necessary only for routing information you cannot obtain from any of the above dynamic routing protocols. Static routing information persists over power failures and is used for routes that never change or cannot be learned dynamically.
The destination of a static route is described by an IP address (dest-addr) and an IP address mask (dest-mask). The mask indicates the range of IP addresses to which the route applies; for example, a route with IP address 10.0.0.0 and mask 255.0.0.0 applies to IP addresses from 10.0.0.0 through 10.255.255.255. The route to the destination is described by the IP address of the next hop router (next-hop) and the cost of forwarding a packet on this route (cost).
To create, modify, or delete a static route, use the following commands:
IP config> add route dest-addr dest-mask next-hop cost IP config> change route dest-addr dest-mask next-hop cost IP config> delete route dest-addr dest-mask
These commands allow you to define up to four static routes per IP destination, allowing for alternative routes if one or more of the routes fail. These commands take effect immediately without the need to reboot the router.
Because the destination of a route includes the IP address mask, it is possible for more than one route to match a particular IP address; for example, for the IP address 10.1.2.3, a route with IP address 10.0.0.0 and mask 255.0.0.0 and a route with IP address 10.1.0.0 and mask 255.255.0.0 both match. To determine which route to use, the longest match rule is applied. The route with the largest mask is used (in this case the route with IP address 10.1.0.0 and mask 255.255.0.0).
Routes can be classified as default, network, subnet, or host, according to their destination IP address and mask.
A default route has an IP address/mask of 0.0.0.0/0.0.0.0. This route matches all destination IP addresses, but because of the longest match rule, it is used only if there is no other matching route. The following command creates a static default route:
IP config> add route
IP destination [ ]? 0.0.0.0
Address mask [255.0.0.0]? 0.0.0.0
Via gateway 1 at [ ]? 192.9.1.4
Cost [1]? 5
Via gateway 2 at [ ]?
IP config>
The static default route may also be set by the set default network-gateway command; however, this command does not take effect immediately, and it allows you to define only one default static route. The following example creates the same static default route as the above add route command:
IP config> set default network-gateway
Default gateway [ ]? 192.9.1.4
gateway's cost [1]? 5
IP config>
A network route has a mask that depends on the value of the
route's destination IP address as specified by the IP address classes
defined in RFC 791:
| IP Address Class | IP Address Range | Network Mask |
|---|---|---|
| A | 0.0.0.0 - 127.255.255.255 | 255.0.0.0 |
| B | 128.0.0.0 - 191.255.255.255 | 255.255.0.0 |
| C | 192.0.0.0 - 223.255.255.255 | 255.255.255.0 |
The add route, change route, and delete route commands use the network mask that corresponds to the destination IP address as the default mask value. The following command creates a static network route:
IP config> add route 172.16.0.0
Address mask [255.255.0.0]?
Via gateway 1 at [ ]? 192.9.1.4
Cost [1]? 5
Via gateway 2 at [ ]?
IP config>
A static network route may also be set by the set default subnet-gateway command; however, this command does not take effect immediately, and it allows you to define only one static route per destination. The following example creates the same static network route as the above add route command:
IP config> set default subnet-gateway
For which subnetted network [ ]? 172.16.0.0
Default gateway [ ]? 192.9.1.4
gateway's cost [1]? 5
IP config>
A subnet route has a mask that is larger than the network mask for the route's destination IP address. The following command creates a static subnet route:
IP config> add route 172.16.1.0
Address mask [255.255.0.0]? 255.255.255.0
Via gateway 1 at [ ]? 192.9.1.4
Cost [1]? 5
Via gateway 2 at [ ]?
IP config>
A host route is a route to a specific IP address; it has a mask of 255.255.255.255. The following command creates a static host route:
IP config> add route 172.16.1.2
Address mask [255.255.0.0]? 255.255.255.255
Via gateway 1 at [ ]? 192.9.1.4
Cost [1]? 5
Via gateway 2 at [ ]?
IP config>
Routes dynamically learned through the OSPF and RIP protocols can override static routes. For the RIP protocol, you can disable this override behavior. See the RIP section of this chapter concerning the enable/disable override static-routes commands.
You can configure both OSPF and RIP to advertise configured static routes over interfaces where these dynamic protocols are enabled.
To configure RIP to advertise static routes, enter the following command at the IP config> prompt:
IP config> enable sending static-routes ip-interface-address
To configure OSPF to advertise static routes, enter the following command at the OSPF Config> prompt:
OSPF Config>enable as boundary
Use Route Policy [No]?
Import BGP routes [No]?
Import RIP routes [No]?
Import static routes [No]? yes
Import direct routes [No]?
Import subnet routes [Yes]?
Nexthop Awareness allows the router to sense whether a neighboring router is up or down. When this option is enabled, the router makes a more accurate determination of whether a static route that uses the neighboring router as its next hop will function. It also allows the router to determine over which network interface a static route's next hop can be reached when that next hop is in an IP subnet that is defined on multiple network interfaces.
To enable Nexthop Awareness on a particular IP interface, enter the following command at the IP configuration prompt:
IP config> enable nexthop-awareness ip-interface-address
To disable Nexthop Awareness on a particular IP interface, enter the following command at the IP configuration prompt:
IP config> disable nexthop-awareness ip-interface-address
Nexthop Awareness is supported only on frame relay networks on which the neighboring routers support inverse ARP.
The Address Resolution Protocol (ARP) is used to map protocol addresses to hardware addresses before a packet is forwarded by the router. ARP is always active on the router, so you do not need to do any additional configuration to enable it with its default characteristics. However, if you need to alter any ARP configuration parameters (such as enable auto-refresh or set refresh-timer, which changes the default refresh timer), or if you need to add, change, or delete permanent address mappings, see "Using ARP".
If LAN Emulation is configured on an interface, the defaults apply. You can effectively use the ARP protocol without any changes. If RFC 1577 (Classical IP and ARP over ATM) is used, additional configuration for ARP Clients and ARP Servers is required for each IP address configured on that ATM interface (as described in "ARP Over ATM Configuration Commands").
If there are hosts on attached subnetted networks that do not support IP subnetting, use Address Resolution Protocol (ARP) subnet routing (described in RFC 1027). When the router is configured for ARP subnet routing, it will reply by proxy to ARP requests for destination (that is, off the LAN if the router is itself the best route to the destination, and the destination is in the same natural network as the source). For correct operation, all routers attached to a LAN containing subnetting-ignorant hosts should be configured for ARP subnet routing.
To enable ARP subnet routing, use the following command:
IP config> enable arp-subnet-routing
Some IP hosts use ARP for all destinations, whether or not the destination is in the same natural network as the source. For these hosts, ARP subnet routing is not enough, and the router can be configured to reply by proxy to any ARP request as long as the destination is reachable through the router and the destination is not on the same local network segment as the source.
To enable ARP network routing, use the following command:
IP config> enable arp-network-routing
Filtering allows you to specify certain criteria that the router uses to control packet forwarding. The following main types of filtering are provided to help you achieve your security and administrative goals:
| Note: | For IPv4, you now have the option to configure access control rules in a policy database to designate access control and determine how IP packets are filtered. See the chapter "Using Policy" in Using and Configuring Features for details. |
Access control allows the IP router to control the processing of individual packets based upon the following parameters:
Access control can limit the ability of particular sets of IP hosts and services to communicate with one another.
You can define access controls by configuring access control lists. One global list and two lists per interface can be specified. The global list applies to the router as a whole. Interface lists, also known as packet filters, are assigned names and apply only to the designated interface. For each interface, one list applies to incoming packets, and the other applies to outgoing packets. The lists are applied independently of each other. A packet might pass an incoming interface list, and be dropped by the global list.
Figure 31 illustrates the series of access control lists through which a packet must pass before being forwarded.
Figure 31. Access Control Lists in the Packet Forwarding Path
 |
Each access control list consists of one or more access control rules that set the filtering criteria. Some access control rules define the global filters that affect all the interfaces on the router and others define the interface-specific access control lists (also called packet filters). The global access control rules are configured using the add access command at the IP config> prompt. The packet filters are set using two commands at the IP config> prompt: the add packet-filter command to define the filter and the update packet-filter command to configure it.
As IP packets flow through the router, IP packet fields are compared to the access control rules. A packet matches a rule if every specified field in the rule matches a corresponding field in the packet. If a packet matches a rule, and the rule filter type is inclusive, the packet passes. If the rule filter type is exclusive, the packet is dropped and is not processed any further by the router. If no rules match after going through the entire list, the packet is also dropped.
When defining records in access control lists, it is important to remember the following information:
IP config> add access-control Enter type [E]? i
IP Access Control (including global and interface access control) is enabled with the set access-control on command and disabled with the set access-control off command. You can use the enable packet-filter and the disable packet-filter commands to enable and disable specific packet filters when IP access control is enabled.
If IP access control is enabled, you must be careful with packets that the router originates and receives. Be sure not to filter out the RIP or OSPF packets being sent or received by the router. The easiest way to do this is to add a wildcard inclusive rule as the last in the access control list. Alternatively, you can add specific rules for RIP and OSPF, perhaps with restrictive addresses and masks. Note that some OSPF packets are sent to the Class D multicast addresses 224.0.0.5 and 224.0.0.6, which is important if address checking is being done for routing protocols. See the add command for more information on access control.
The global access control list is defined when rules are added at the IP config> prompt:
IP config> add access-control...
Global access control rules can be listed, moved, or deleted using the list, move, or delete commands. See these commands for further information.
To define packet filters, which are interface-specific, use the add packet-filter command at the IP config> prompt. The router prompts you for the filter name, direction (input or output), and the interface number to which it applies.
IP config> add packet filter
Packet-filter name [ ]? test
Filter incoming or outgoing traffic? [IN]? in
Which interface is this filter for [0]? 1
You can use the list packet-filter command to list all interface-specific access control lists configured in the router.
You must define access control rules for each defined list (packet filter). Otherwise, defined packet filters will have no effect on incoming or outgoing traffic. Use the update packet-filter command at the IP config> prompt to define access control rules. The router first prompts you for the name of the packet filter that you want to update. The IP config> prompt then changes to Packet-filter 'name' Config> where 'name' is the list name that you provide.
IP config> update packet-filter
Packet-filter name [ ]? test
Packet-filter 'test' Config>
From this prompt, you can issue add, list, move, and delete commands. These commands are similar to those used to modify the global access control list.
Access control rules consist of multiple parameters. Some parameters can be specified in all access control rules, while others can be specified only in the rules for packet filters. The following parameters can be specified in all access control rules:
The following parameters are for packet filters only:
Additional types:
Type:
The type designation of an access control rule determines how it affects packets that match it, as follows:
NAT rules are valid only in packet filters and only when specified in combination with inclusive (IN). Use the Configuration Program to first specify Inclusive, and then to specify NAT.
IP Source and Destination Addresses and Masks:
Each rule has an IP address and mask pair for both the IP source and destination addresses. When an IP packet is compared to an access control rule, the IP address in the packet is ANDed with the mask in the rule, and the result compared with the address in the rule. For example, a source address of 26.0.0.0 with a mask of 255.0.0.0 in an access control rule will match any IP source address with 26 in the first byte. A destination address of 192.67.67.20 and a mask of 255.255.255.255 will match only IP destination host address 192.67.67.20. An address of 0.0.0.0 with mask 0.0.0.0 is a wildcard that matches any IP address.
Each record can also have an IP protocol number range. This range is compared to the protocol byte in the IP header; a protocol value within the range specified by the access control rule will match (including the first and last numbers of the range). If you specify a range of 0 to 255, any protocol will match. Commonly used protocol numbers are 1 (ICMP), 6 (TCP), 17 (UDP), and 89 (OSPF).
TCP/UDP Source and Destination Port Number Range:
If the IP protocol number range includes 6 (TCP) or 17 (UDP), TCP/UDP port number ranges can also be specified in an access control rule, for both source and destination ports. These ranges are compared to the port number field in the TCP or UDP header of the IP packet; a port number value within the specified range (including the first and last numbers) will match. These fields are ignored for IP packets that are not TCP or UDP packets. If you specify a range of 0 to 65535, any port number will match. Commonly used port numbers are 21 (FTP), 23 (Telnet), 25 (SMTP), 513 (rlogin) and 520 (RIP). See RFC 1700 (Assigned Numbers) for a list of IP protocol and port numbers.
TCP Connection Establishment (SYN) Filtering:
If the protocol number range includes 6 (for TCP) and the filter type is exclusive, you can set TCP connection establishment filtering. When TCP connection establishment filtering is enabled, the access control rule is applied to a TCP packet only if that packet establishes a TCP connection. (These are the packets in which the TCP SYN bit is 1 and the ACK bit is 0.)
If the protocol number range includes 1 (for ICMP), you can specify the ICMP message type and code. The default is to apply the access control rule to all ICMP message types and codes.
Precedence and TOS Filtering Support:
The router that supports TOS has identified certain routes that provide the requested levels of service. The router sends packets over the routes according to the setting of their TOS bits.
TOS in IP is not a guarantee of any particular type of service, but a request to the router to provide service of the type requested. For example, a packet with a TOS field requiring maximum throughput can be sent over several hops that have different bandwidths. It will get normal service - no special treatment - if it should pass over a hop managed by a router that does not support TOS. See the add access-controls command on page "Add" for descriptions of these parameters.
You can also set filters to provide QoS based on TOS bits using the Bandwidth Reservation System (BRS) feature. BRS is used with PPP and frame relay interfaces. Refer to "Using Bandwidth Reservation and Priority Queuing" and "Configuring and Monitoring Bandwidth Reservation" in Using and Configuring Features.
Parameters for TOS-Based Routing Support: To enable the router to interpret TOS bits and route packets according to those bits, you create an access control rule from which the router will receive TOS packets for filtering and Type of Service routing. This access control rule applies to all the interfaces on the router. The following parameters are used to define the TOS bits that the router will compare:
Modification of the TOS Bits: To enable the router to modify the TOS bits of incoming packets, you create a global access control rule from which the router will receive TOS packets that are to be modified. Modifying the value of the TOS bits is a separate activity from interpreting them and routing the packet. If both interpretation and modification are configured, the modification will be done after the interpretation. The following parameters are used to define the TOS bits to be modified:
Policy-Based Routing (Selecting the Next-Hop Gateway):
You can filter inbound packets to direct them to a manually selected next hop gateway address (known as policy-based routing). To do this, create an inclusive inbound access control rule either globally, for the router, or for a particular interface, and provide the following parameters:
SysLog is a logging option that generates a SysLog message to a remote logging server. If SysLog is enabled, the SysLog facility option specifies the SysLog facility that is used for remote logging. This option, which has a default of User, defines the remote logging file where the SysLog messages can be stored and later analyzed. The SysLog facility option is displayed both in the Configuration Program and in the command line interface.
If you enable security logging, you can specify any or all of these logging options:
If specified, ELS messages and SysLog can use short or long message format. SNMP traps can be enabled or disabled. If no logging option is specified, security logging is disabled.
The SysLog priority level can also be configured. It specifies the level of the error message that will be displayed, such as Emergency or Information. The default is the router system default value. The SysLog priority levels are displayed both in the Configuration Program and in the command line interface.
The SysLog messages are sent to a remote server and saved to the SysLog files of the current SysLog facility option.
This interface-specific parameter can consist of any name. It can be up to 16 characters long and can include dashes (-) and underscores (_). Up to two access control record lists can be configured for each packet filter name, one for outgoing packets and one for incoming packets.
This input packet filter option verifies that a received packet's source IP address is consistent, based on the IP routing table, with the interface from which it was received. This option helps prevent the forwarding of packets from a misbehaving IP host that is using a source IP address that does not belong to it, a behavior known as spoofing.
Examples: The following example allows any host to send packets to the SMTP TCP socket on 192.67.67.20.
add access-control inclusive 0.0.0.0 0.0.0.0 192.67.67.20 255.255.255.255 6 6 25 25
The next example prevents any host on subnet 1 of Class B network 150.150.0.0 from sending packets to hosts on subnet 2 of Class B network 150.150.0.0 (assuming a 1-byte subnet mask).
add access-control exclusive 150.150.1.0 255.255.255.0 150.150.2.0 255.255.255.0 0 255 0 65535
This command allows the router to send and receive all RIP packets.
add access-control inclusive 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 17 17 520 520
This example shows how to create a global access control rule. Values are entered to enable the interpretation of TOS bits of packets arriving from IP address 9.1.2.3 and to change the values of these bits before sending the packets. See Add for an explanation of the meaning of the parameters that create TOS filtering and policy-based routing.
IP config> add access-control Enter type [E]? i Internet source [0.0.0.0]? 9.1.2.3 Source mask [255.255.255.255]? Internet destination [0.0.0.0]? Destination mask [0.0.0.0]? Enter starting protocol number ([0] for all protocols) [0]? Enter starting DESTINATION port number ([0] for all ports) [0]? Enter starting SOURCE port number ([0] for all ports) [0]? Filter on ICMP Type ([-1] for all types) [-1]? TOS/Precedence filter mask (00-FF - [0] for none) [0]? e0 TOS/Precedence start value (00-FF) [0]? TOS/Precedence end value [0]? TOS/Precedence modification mask (00-FF - [0] for none) [0]? 1f New TOS/Precedence value (00-FF) [0]? 08 Use policy-based routing? [No]: y Next hop gateway address [ ]? 9.2.160.1 Use default route if next hop gateway unreachable? [Yes]: Enable Logging (Yes or [No]):
Route filtering impacts packet forwarding by influencing the content of the routing table. In general, route filtering is more efficient but less flexible than access control. Filtering based on packet fields other than the destination IP address can be done using access control, described above, or by using route filtering policies as described in Route Filtering With Policies.
The following methods are used in this router to influence the content of the routing table.
You can designate an IP destination to be inserted in the routing table as a filter route. IP packets will not be forwarded to these destinations, and routing information concerning them will not be advertised. Filter routes are not recommended when OSPF is used in your network; OSPF-learned internal routes will override filtered routes in the routing table.
To configure a filter route, enter the following command at the IP config> prompt:
IP config> add filter dest-IP-address address-mask
Filter routes will be listed as an entry with the type fltr when the dump command is used to view the IP routing table.
| Note: | If a more specific route is available, packets will be forwarded. For example, if a filter route is defined for network 9.0.0.0 (mask 255.0.0.0), but a route is learned for a subnet of the network (for example 9.1.0.0, mask 255.255.0.0), then packets will be forwarded to subnet 9.1.0.0 but not to other subnets of that network. |
When RIP is used as the dynamic routing protocol, you can configure certain interfaces to ignore routes in RIP updates.
The following command results in ignoring all RIP updates received on an interface:
IP config> disable receiving rip ip-interface-address
The following commands result in ignoring certain types of routes received on an interface:
IP config> disable receiving dynamic nets ip-interface-address
IP config> disable receiving dynamic subnets ip-interface-address
IP config> disable receiving dynamic host ip-interface-address
If more granular filtering of RIP routes is required, the route policies that are described in the following command can be utilized:
IP config> add accept-rip-route ip-network/subnet/host
When route table filtering is enabled and route filters are defined, checking is performed before adding routes to the IP routing table. If the route to be added matches on an inclusive route filter, it will be added to the IP route table. If it matches on an exclusive route filter, it will not be added to the IP route table. Direct and static routes will never be filtered.
This function can be used to prevent routes from being added to the IP route table in situations where the network administrator does not want all routes advertised by routing protocols to be available. This function could be used in a service provider environment to prevent customers from having access to each other's networks.
Route filter policies are definitions that describe a route or set of routes. A route filter policy consists of the name of the route filter policy and at least one entry that defines an address or range of addresses for the routes to be filtered. Each entry includes instructions to include or exclude the routes defined in that entry from the routing table. Route filter policies can be used to filter the routes that RIP and OSPF install in the IP forwarding table and advertise from the IP forwarding table.
A route filter policy is identified by a 15-character ASCII string, for example, ospf-import. After the route filter policy is named, you need to configure at least one entry that is associated with that route filter policy. Use the add route-policy command at the IP config> prompt to add the policy, the change route-policy command to bring up the IP Route Policy Config> prompt, and the add entry command at the IP Route Policy Config> prompt to define each entry for the policy.
You are required to assign an index number to each entry when you configure it. This number is used to identify the entry for matching.
Matching is done either by linear match or by longest match lookup. You select one of these methods when you use the add route policy command to create the route filter policy. If you choose linear match, the route being filtered will be compared to the entries in the list one after the other, based upon the index number. As soon as a match is found, the route is filtered. If you choose longest match lookup, the route being filtered is compared to the filter entries according to the longest match lookup. If more than one entry specifies the same IP address and mask, then the route being filtered is compared in ascending order by index number.
For example, suppose that you want to exclude the addresses for the network 9.8.0.0 with the mask 255.255.0.0 but you want to include the host address 9.8.1.8 with the mask 255.255.255.255. According to the longest match lookup filtering method, you can include 9.8.1.8 with the mask 255.255.255.255 and exclude address 9.8.0.0 with the mask 255.255.0.0. Then, of all the addresses in that subnet, only 9.8.1.8 will be included.
To get the same result using linear match, you would have to assign a lower index number to the inclusive filter than to the exclusive one. For example, the address 9.8.1.8 with the mask 255.255.255.255 requires a lower index number than the address 9.8.0.0 with the mask 255.255.0.0. Otherwise, the rule that excludes 9.8.0.0 will also exclude the address 9.8.1.8.
The match type is a parameter that determines how the address mask for the entry will be processed. If this parameter is exact, the software will match the route only on the exact address and mask specified by the entry and will not regard the address as a range. If the match type is range, the router will read the address and mask as a range and match the route if it falls within the range.
In addition to entries, you can configure actions and match conditions associated with each entry. Actions are changes made to the route before it is advertised, such as setting a metric on a route. Match conditions change the rules according to which the route is selected. After a match is found based on the destination address, the match condition puts further constraints on the match. For example, if the match condition is protocol BGP, routes are not matched unless the entry address matches and the packet belongs to the BGP protocol. These are the match conditions:
Actions and match conditions, which fine tune the filtering of the entry, are optional.
If a route filter policy is used to control OSPF routing tables, it is configured during the configuration of OSPF. See the enable command on page "Enable" for more information.
You can use route filter policies to define which routes RIP will send or receive. These route filter policies can be configured globally, for all the IP interfaces on the router, or per IP interface. If a send route filter policy is enabled, all routes that conform to the policy are advertised and the values for default-routes, host-routes, net-routes, subnet-routes, and static-routes are ignored. The values for poison-reverse-routes, ripv1-only routes, and outage-only routes are not affected by the send route filter policy. If sending all-routes is disabled, no routes will be advertised, even if a global send policy is specified.
If a receive route filter policy is configured and receiving RIP is enabled, the configured policy will take the place of any enabled or disabled dynamic route types. In other words, all routes included by the route filter policy and conforming to the constraints of the RIP protocol will be accepted.
BOOTP (documented in RFC 951 and RFC 1542) is a bootstrap protocol used by a diskless workstation to learn its IP address, the location of its boot file, and the boot server name. Dynamic Host Configuration Protocol (DHCP), documented in RFC 2131, is used to allocate reusable network addresses and host-specific configuration parameters from a server.
The following terms are useful when discussing the BOOTP/DHCP forwarding process:
The following steps outline an example of the BOOTP forwarding process. (DHCP exchanges proceed in a similar way):
| Note: | If multiple hops are required before reaching the BOOTP agent, the packet is routed normally via IP. All other routers would not examine the packet to determine whether it is a BOOTP packet. |
To enable or disable BOOTP forwarding on the router, enter the following command at the IP configuration prompt. (Enable BOOTP Forwarding to allow the router to forward BOOTP and/or DHCP requests and replies between Clients and Servers on different segments of your network.)
IP config> enable/disable bootp
| Note: | The DHCP Server feature described in "Using DHCP Server" in Using and Configuring Features and this BOOTP forwarding process should not both be enabled on the same router. If both are enabled, the DHCP Server feature will take precedence and BOOTP forwarding will not occur. |
When enabling BOOTP, you are prompted for the following values:
After accepting a BOOTP request, the router forwards the BOOTP request to each BOOTP server. If there are multiple servers configured for BOOTP, the router replicates the packet.
To add a BOOTP or DHCP server to the router's relay agent configuration, enter the following command at the IP configuration prompt:
IP config> add bootp-server server-IP-address
Multiple servers can be configured. In addition, if only the network number of the server is known or if multiple servers reside on the same network segment, a broadcast address can be configured for the server.
You can use TN3270E to integrate IP and SNA. Refer to the chapter entitled "Using APPN" in the Protocol Configuration and Monitoring Reference Volume 2 and the chapter entitled "Configuring and Monitoring APPN" in the Protocol Configuration and Monitoring Reference Volume 2 for more information about TN3270E.
User datagram protocol (UDP), documented in RFC 768, is a transport layer protocol providing connectionless service using the Internet Protocol. With UDP Forwarding, locally delivered UDP packets (such as UDP Broadcast on an IBM 2210-attached LAN) can be forwarded to a specific IP destination or to a destination network as a directed broadcast.
For example, NetBIOS uses UDP broadcasts in some client-server applications to broadcast Name-Query packets. Unless you set up UDP Forwarding, the router drops those packets; thus, the router will not forward the broadcast packets beyond the local network.
Follow these steps to configure UDP Forwarding:
IP config> add udp-destination
UDP port number [-1] 36
Destination IP address [0.0.0.0] 20.1.2.2
IP config>enable udp-forwarding
For which UDP port number [-1] 36
In the above example, the router forwards packets it receives for UDP port 36 to IP address 20.1.2.2.
Enter list udp-forwarding to see the UDP Forwarding configuration.
To enable or disable UDP Forwarding on the router, enter the following command at the IP configuration prompt. (Enable UDP Forwarding to allow the router to forward UDP Broadcast packets to a given address on a per-UDP port basis.)
IP config> enable/disable udp-forwarding port-number
Add UDP Forwarding destinations by specifying the IP address to which the packets are to be forwarded followed by the port number. To add a UDP destination, enter the following command at the IP configuration prompt:
IP config> add udp-destination port-number dest-ip-address
The use of a statically configured default route is popular for host IP configurations. It minimizes configuration and processing overhead and is supported by virtually every IP implementation. This mode of operation is likely where dynamic host configuration protocols are deployed that typically provide configuration for an end-host IP address and default gateway. However, this creates a single point of failure. Loss of the default router results in a catastrophic event, isolating all end-hosts that are unable to detect any alternate path that may be available.
The Virtual Router Redundancy Protocol (VRRP) is designed to eliminate the single point of failure inherent in the static default routed environment. VRRP specifies an election protocol that dynamically allows a set of routers to backup each other. The VRRP router controlling one or more IP addresses is called the Master router, and forwards packets sent to these IP addresses. The election process provides dynamic fail-over in the forwarding responsibility should the Master become unavailable. Any of the IP addresses on a virtual router can then be used as the default first hop router by end-hosts. The advantage gained from using the VRRP is a higher availability default path without requiring configuration of dynamic routing or router discovery protocols on every end-host.
In order to use and configure VRRP you must first define a Virtual Router ID (VRID) on each LAN segment running VRRP. For each VRRP, one router will be the owner of the default IP address configured for hosts on the LAN segment. This router will respond to ARP requests for that address and forward packets as long as it is available. Other routers on the LAN segment may be configured to backup the router owning the IP address. The VRID will imply a unicast or multicast MAC address. A common MAC address is required in order to minimize disruptions when a backup router takes over. The following is an example of a very simple VRRP topology:
A complicated topology would be one where there are multiple VRRP routers and the desire is to balance the load between the routers but still have complete backup capability. In this case 2 VRIDs would need to be defined and each router would the master for one and the backup for the other. This illustration follows:
Figure 33. Multiple VRRP Routers
VRRP is supported on Ethernet, Fast Ethernet, and Token Ring.
Multicast VRRP is not supported on the bridge network when source-routed LANs are part of the bridged network. The restriction is only applicable in topologies where IP is configured on the bridge network.
This section outlines the steps used to configure redundant default IP gateways on ELANs. Configuration of a redundant gateway allows end stations with manually configured default gateways to continue passing traffic to other subnets after their primary gateway goes down.
To configure a device with a primary gateway or backup gateway:
| Note: | The primary gateway and the backup gateway must have the same MAC address |
IP multicast is an extension of LAN multicasting to a TCP/IP Internet. It is the ability of an IP host to send a single datagram (called IP multicast datagram) that will be delivered to multiple destinations. IP multicast datagrams are identified as those packets whose destinations are class D IP addresses (that is, whose first byte lies in the range 224 to 239). Each class D address defines a multicast group.
The extensions required of an IP host to participate in IP multicasting are specified in RFC 1112 (Host Extensions for IP Multicasting.) That document defines a protocol, the Internet Group Management Protocol (IGMP), that enables hosts to dynamically join and leave multicast groups. This router implements the IGMP protocol functions that enable it to keep track of IP group membership on its local physical and on its emulated LANs by sending IGMP Host Membership Queries and receiving IGMP Host Membership Reports.
A router must also be able to route IP multicast datagrams between the source and (multiple) destination hosts. This router supports the Multicast Open Shortest Path First (MOSPF) protocol as defined by RFC 1584 (Multicast Extensions to OSPF), and the Distance Vector Multicast Routing Protocol (DVMRP).
A MOSPF router distributes group location information throughout the routing domain by flooding a new type of link state advertisement, the group-membership-LSA (type 6). This in turn enables the MOSPF routers to most efficiently forward a multicast datagram to its multiple destinations: each router calculates the path of the multicast datagram as a tree whose root is the datagram source, and whose terminal branches are LANs containing group members. For more information, see "Multicast OSPF".
DVMRP is a multicast routing protocol derived from the Routing Information Protocol (RIP). This router provides support for DVMRP so that you can exchange multicast routing information with other routing entities that do not support MOSPF. This router's DVMRP implementation also allows tunneling of DVMRP information over an MOSPF-capable network and over a non-multicast-capable IP network.
This router also allows you to "enroll" the router itself as a member of one or more multicast groups. As a member of a multicast group, the router will respond to "pings" and SNMP queries addressed to the group address (one command could be used to query multiple routers).
Additionally, the device's IP multicasting support is used to establish and manage DLSw groups, which reduces the amount of configuration needed for DLSw. For additional information, refer to "Using DLSw".
To enable the router to track IP multicast group memberships and forward multicast datagrams, you must enable MOSPF, DVMRP, or both MOSPF and DVMRP.
To enable DVMRP:
DVMRP config> dvmrp on
DVMRP config> phyint interface-address metric threshold
The 2210 supports IVMP version 2 and DVMRP version 3. IGMP can be configured to operate in version 1 mode.
Refer to the discussion on configuring DVMRP in Protocol Configuration and Monitoring Reference Volume 1 for details on these commands and other configuration commands used to set the interaction between DVMRP and MOSPF when both are active on the router.
If the router itself is to join one or more multicast groups, the following join/leave commands are used:
These join and leave commands are accessible from the OSPF Config prompt and the OSPF monitoring prompt. They are also available on the DVMRP monitoring console.
Note that these commands are not necessary for the router to perform its IP multicast forwarding or IGMP group tracking functions; they are used to add the router to groups so that it can respond to "pings" and SNMP queries addressed to these groups.
Simple Internet Access is a means of quickly configuring many of the options required to give Internet access to a group of Dynamic Host Configuration Protocol (DHCP) clients. Enabling this option, and adding a LAN interface are all that are required to configure IP. When it is combined with a PPP interface configured to access an Internet Service Provider (ISP) account, multiple DHCP clients can access the Internet using a single public IP address. This is accomplished using both the DHCP Server feature and Network Address Translation (NAT) feature.
| Note: | This option will only be available on router software loads which include both the DHCP feature and the NAT feature. If similar connectivity to the Internet is required on loads that do not include the DHCP Server feature but do include the NAT feature, Dynamic-Address (see "Using Dynamic Address") should be used with a configuration that is similar to the one shown in the example. |
Example:
PPP 3 Config>set ipcp IP COMPRESSION [no]: Request an IP address [no]: yes Interface remote IP address to offer if requested (0.0.0.0 for none) [0.0.0.0]?
IP config>enable simple-internet-access
Interface to Service Provider [0]? 3
SIMPLE-INTERNET-ACCESS enabled on interface 3
IP config>add address
Which net is this address for [0]? 0
New address []? 192.168.8.1
Address mask [255.255.255.0]?
IP config>list address
IP addresses for each interface:
intf 0 192.168.8.1 255.255.255.0 Local wire broadcast, fill 1
intf 1 IP disabled on this interface
intf 2 IP disabled on this interface
intf 3 0.0.0.3 255.255.255.255 Local wire broadcast, fill 1
SIMPLE-INTERNET-ACCESS Enabled
IP config>list packet-filter List of packet-filter records: Name Direction Interface State Src-Addr-Ver simple-in In 3 On Off simple-out Out 3 On N/A Access Control is: enabled
IP config> list packet-filter simple-in
Name Direction Interface State Src-Addr-Ver
simple-in In 3 On Off
Access Control is: enabled
Access Control facility: USER
List of access control records:
1 Type=IN Source=0.0.0.0 Dest =0.0.0.0 Prot= 0-255
SMask =0.0.0.0 DMask =0.0.0.0
SPorts= 0-65535 DPorts= 0-65535
T/C= **/** Log=N
IP config>list packet-filter simple-out
Name Direction Interface State Src-Addr-Ver
simple-out Out 3 On N/A
Access Control is: enabled
Access Control facility: USER
List of access control records:
1 Type=IN Source=0.0.0.0 Dest =0.0.0.0 Prot= 0-255
SMask =0.0.0.0 DMask =0.0.0.0
SPorts= 0-65535 DPorts= 0-65535
T/C= **/** Log=N
IP config>list routes route to 0.0.0.0 ,0.0.0.0 via 0.0.0.3 cost 1
NAT config>list all
NAT Globals:
Current State TCP Timeout Non-TCP Timeout
ENABLED 24:00:00 0:01:00
NAT Reserve Pool(s):
Index First Address Reserve Mask Size NAPT Address Pool Name
1 Dynamic 255.255.255.255 1 FromNet: 3 simple-net
NAT Translate Range(s):
Index Base Address Range Mask Associated Reserve Pool
1 192.168.8.0 255.255.255.0 simple-net
NAT Static Mapping(s):
Index Private Address//Port Public Address//Port
None.
DHCP Server enabled: Yes DHCP Server config>list subnet all subnet subnet subnet starting ending name address mask IP Addr IP Addr ------------------------------------------------------------------------- simple-net 192.168.8.0 255.255.255.0 192.168.8.2 192.168.8.50 DHCP Server config>list option subnet Enter the subnet name []? simple-net option option code data --------------------------------------------------------------- 1 255.255.255.0 3 192.168.8.1 6 0.0.0.3