This chapter describes how to configure the Internet Protocol (IP). It includes the following sections:
This section outlines the initial steps required to get the IP protocol up and running. Details about making further configuration changes are covered in other sections of this chapter. Details about individual configuration commands are covered in the command section of this chapter. The following list outlines the initial configuration tasks to bring up IP on the router. After completing these tasks, you must restart the router for the new configuration to take effect.
Use the IP configuration add address command to assign IP addresses to the network interfaces. The arguments for this command include the interface number (obtained from the Config> list devices command) and the IP address with its associated address mask.
In the following example, network interface 2 has been assigned the address 128.185.123.22 with the associated address mask 255.255.255.0 (using the third byte for subnetting).
IP config> add address 2 128.185.123.22 255.255.255.0
Multiple IP addresses can be assigned to a single network interface.
This is an IP address that is independent of the state of any interface and is set without reference to any interface. Some IP configurations require it. See the command set internal-IP-address on page *** for more information.
Use the following procedures to enable dynamic routing on the router. The router software supports OSPF, RIPv1, and RIPv2 for interior gateway protocols (IGPs) as well as BGP, which is an external gateway protocol.
All routing protocols can run simultaneously. However, most routers will probably run only a single routing protocol (one of the IGPs). The OSPF protocol is recommended because of its robustness and the additional IP features (such as equal-cost multipath and variable-length subnets) that it supports.
The routing table size determines the number of entries in the routing table from all sources, including dynamic routing protocols and static routes. The default size is 768 entries.
To change the size of the routing table, use the set routing table-size configuration command. Setting the routing table size too small results in routes being discarded. Setting it too large results in inefficient use of memory resources. After the router has been in operation for a while, use the console dump command to view the contents of the table and then adjust the size as necessary, allowing some room for expansion.
OSPF configuration is done via its own configuration console (entered via the Config> protocol ospf command). To enable OSPF, use the following command:
OSPF Config> enable OSPF
After enabling the OSPF protocol, you are prompted for size estimates for the OSPF link state database. This gives the router some idea of how much memory must be reserved for OSPF. You must supply the following two values that will be used to estimate the size of the OSPF link state database:
Enter these values at the following prompts (sample values have been provided):
OSPF Config> enable ospf
Estimated # external routes[0]? 200
Estimated # OSPF routers [50]? 60
Maximum LSA size [2048]?
Next, configure each IP interface that is to participate in OSPF routing. To configure an IP interface for OSPF, use the following command:
OSPF Config> set interface
You are prompted to enter a series of operating parameters. Each interface is assigned a cost as well as other OSPF operating parameters.
When running other IP routing protocols besides OSPF, you may want to enable the exchange of routes between OSPF and the other protocols. To do this, use the following command:
OSPF Config> enable AS-boundary-routing
For more information on the OSPF configuration process, see "Using OSPF".
This section describes how to initially configure the RIP protocol. When configuring the RIP protocol, you can specify which set of routes the router will advertise and/or accept on each IP interface.
RIP is supported on ATM LAN Emulation network interfaces.
First, enable the RIP protocol with the following command:
IP config> enable RIP
When RIP is enabled, the following default behavior is established:
To change any of the default sending/receiving behaviors, use the following IP configuration commands, which are defined on a per-IP-interface basis.
IP config> enable/disable sending net-routes
IP config> enable/disable sending subnet-routes
IP config> enable/disable sending static-routes
IP config> enable/disable sending host-routes
IP config> enable/disable sending default-routes
IP config> enable/disable receiving rip
IP config> enable/disable receiving dynamic nets
IP config> enable/disable receiving dynamic subnets
IP config> enable/disable receiving host-routes
IP config> enable/disable override default
IP config> enable/disable override static-routes
IP config> set originate-rip-default
The BGP protocol is enabled from its own configuration prompt, BGP Config>. For more information about configuring BGP, refer to the discussion on using and configuring BGP4 in the 8371 Interface Configuration and Software User's Guide.
This procedure is necessary only for routing information you cannot obtain from any of the above dynamic routing protocols. Static routing information persists over power failures and is used for routes that never change or cannot be learned dynamically.
The destination of a static route is described by an IP address (dest-addr) and an IP address mask (dest-mask). The mask indicates the range of IP addresses to which the route applies; for example, a route with IP address 10.0.0.0 and mask 255.0.0.0 applies to IP addresses from 10.0.0.0 through 10.255.255.255. The route to the destination is described by the IP address of the next hop router (next-hop) and the cost of forwarding a packet on this route (cost).
Because the destination of a route includes the IP address mask, it is possible for more than one route to match a particular IP address; for example, for the IP address 10.1.2.3, a route with IP address 10.0.0.0 and mask 255.0.0.0 and a route with IP address 10.1.0.0 and mask 255.255.0.0 both match. To determine which route to use, the longest match rule is applied. The route with the largest mask is used (in this case the route with IP address 10.1.0.0 and mask 255.255.0.0).
Routes can be classified as default, network, subnet, or host, according to their destination IP address and mask.
A default route has an IP address/mask of 0.0.0.0/0.0.0.0. This route matches all destination IP addresses, but because of the longest match rule, it is used only if there is no other matching route. The following command creates a static default route:
IP config> add route
IP destination [ ]? 0.0.0.0
Address mask [255.0.0.0]? 0.0.0.0
Via gateway 1 at [ ]? 192.9.1.4
Cost [1]? 5
Via gateway 2 at [ ]?
IP config>
The static default route may also be set by the set default network-gateway command; however, this command does not take effect immediately, and it allows you to define only one default static route. The following example creates the same static default route as the above add route command:
IP config> set default network-gateway
Default gateway [ ]? 192.9.1.4
gateway's cost [1]? 5
IP config>
A network route has a mask that depends on the value of the route's destination IP address as specified by the IP address classes defined in RFC 791:

IP Address Class | IP Address Range | Network Mask
---|---|---
A | 0.0.0.0 - 127.255.255.255 | 255.0.0.0
B | 128.0.0.0 - 191.255.255.255 | 255.255.0.0
C | 192.0.0.0 - 223.255.255.255 | 255.255.255.0
The add route, change route, and delete route commands use the network mask that corresponds to the destination IP address as the default mask value. The following command creates a static network route:
IP config> add route 172.16.0.0
Address mask [255.255.0.0]?
Via gateway 1 at [ ]? 192.9.1.4
Cost [1]? 5
Via gateway 2 at [ ]?
IP config>
A static network route may also be set by the set default subnet-gateway command; however, this command does not take effect immediately, and it allows you to define only one static route per destination. The following example creates the same static network route as the above add route command:
IP config> set default subnet-gateway
For which subnetted network [ ]? 172.16.0.0
Default gateway [ ]? 192.9.1.4
gateway's cost [1]? 5
IP config>
A subnet route has a mask that is larger than the network mask for the route's destination IP address. The following command creates a static subnet route:
IP config> add route 172.16.1.0
Address mask [255.255.0.0]? 255.255.255.0
Via gateway 1 at [ ]? 192.9.1.4
Cost [1]? 5
Via gateway 2 at [ ]?
IP config>
A host route is a route to a specific IP address; it has a mask of 255.255.255.255. The following command creates a static host route:
IP config> add route 172.16.1.2
Address mask [255.255.0.0]? 255.255.255.255
Via gateway 1 at [ ]? 192.9.1.4
Cost [1]? 5
Via gateway 2 at [ ]?
IP config>
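The route classification and the longest match rule described above, worked through as an added example (this is illustrative code, not the router's own implementation). It also models the filter routes ("fltr" entries) covered later in this chapter under route filtering, so the note about a more specific learned route overriding a filter route can be checked directly. Next-hop addresses in the sample table are constructed for the example.

```python
# Added example, not code from the router or this manual: a minimal routing
# table that classifies static routes as this chapter does (default, network,
# subnet, host) and resolves destinations with the longest-match rule. Filter
# routes ("fltr" entries, described later under route filtering) are modelled
# too: they block forwarding unless a more specific route exists.
from ipaddress import IPv4Address, IPv4Network
from typing import Optional


def classful_mask(addr: str) -> str:
    """Natural (RFC 791 class A/B/C) network mask for an IP address."""
    first = int(addr.split(".")[0])
    if first < 128:
        return "255.0.0.0"
    if first < 192:
        return "255.255.0.0"
    if first < 224:
        return "255.255.255.0"
    raise ValueError(f"{addr} is not a class A, B or C address")


def classify_route(dest: str, mask: str) -> str:
    """Route class by destination and mask: default, host, subnet or network."""
    if mask == "0.0.0.0":
        return "default"
    if mask == "255.255.255.255":
        return "host"
    # A mask longer than the natural mask makes this a subnet route.
    if IPv4Address(mask) > IPv4Address(classful_mask(dest)):
        return "subnet"
    return "network"


class RoutingTable:
    """Entries are (network, next_hop, cost, type); type is 'stat', 'fltr'
    or the name of the protocol a dynamic route was learned from."""

    def __init__(self) -> None:
        self.routes = []

    def add_route(self, dest: str, mask: str, next_hop: Optional[str],
                  cost: int, rtype: str = "stat") -> None:
        net = IPv4Network(f"{dest}/{mask}", strict=False)
        self.routes.append((net, next_hop, cost, rtype))

    def add_filter(self, dest: str, mask: str) -> None:
        """Equivalent of 'add filter dest-IP-address address-mask'."""
        self.add_route(dest, mask, None, 0, "fltr")

    def lookup(self, addr: str):
        """Most specific matching entry (longest match rule), or None."""
        a = IPv4Address(addr)
        matches = [r for r in self.routes if a in r[0]]
        if not matches:
            return None
        return max(matches, key=lambda r: r[0].prefixlen)

    def forward(self, addr: str) -> Optional[str]:
        """Next hop for a packet, or None when it is dropped
        (no route at all, or the best match is a filter route)."""
        best = self.lookup(addr)
        if best is None or best[3] == "fltr":
            return None
        return best[1]


def build_sample_table() -> RoutingTable:
    """Constructed sample: the chapter's 10.0.0.0/8 vs 10.1.0.0/16 overlap,
    a static default route, and the 9.0.0.0/8 filter route with a learned
    9.1.0.0/16 subnet. Next-hop addresses are made up for the example."""
    rt = RoutingTable()
    rt.add_route("0.0.0.0", "0.0.0.0", "192.9.1.4", 5)          # default
    rt.add_route("10.0.0.0", "255.0.0.0", "192.9.1.10", 1)      # network
    rt.add_route("10.1.0.0", "255.255.0.0", "192.9.1.11", 1)    # subnet
    rt.add_filter("9.0.0.0", "255.0.0.0")                       # fltr
    rt.add_route("9.1.0.0", "255.255.0.0", "192.9.1.12", 2, "rip")
    return rt


if __name__ == "__main__":
    table = build_sample_table()
    for dest in ("10.1.2.3", "10.2.0.1", "9.1.2.3", "9.2.0.1", "172.16.5.5"):
        print(dest, "->", table.forward(dest))
```

Note that 9.2.0.1 is dropped even though a default route exists: the filter route for 9.0.0.0/8 is the longest match, so the default route is never consulted for that destination.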
Routes dynamically learned through the OSPF and RIP protocols can override static routes. For the RIP protocol, you can disable this override behavior. See the RIP section of this chapter concerning the enable/disable override static-routes commands.
You can configure both OSPF and RIP to advertise configured static routes over interfaces where these dynamic protocols are enabled.
To configure RIP to advertise static routes, enter the following command at the IP config> prompt:
IP config> enable sending static-routes ip-interface-address
To configure OSPF to advertise static routes, enter the following command at the OSPF Config> prompt:
OSPF Config> enable as boundary
Use Route Policy [No]?
Import BGP routes [No]?
Import RIP routes [No]?
Import static routes [No]? yes
Import direct routes [No]?
Import subnet routes [Yes]?

OSPF Config> enable as boundary
Import static routes [yes]?
Nexthop Awareness allows the router to sense whether a neighboring router is up or down. When this option is enabled, the router makes a more accurate determination of whether a static route that uses the neighboring router as its next hop will function. It also allows the router to determine over which network interface a static route's next hop can be reached when that next hop is in an IP subnet that is defined on multiple network interfaces.
To enable Nexthop Awareness on a particular IP interface, enter the following command at the IP configuration prompt:
IP config> enable nexthop-awareness ip-interface-address
To disable Nexthop Awareness on a particular IP interface, enter the following command at the IP configuration prompt:
IP config> disable nexthop-awareness ip-interface-address
Nexthop Awareness is supported only on frame relay networks on which the neighboring routers support inverse ARP.
The Address Resolution Protocol (ARP) is used to map protocol addresses to hardware addresses before a packet is forwarded by the router. ARP is always active on the router, so you do not need to do any additional configuration to enable it with its default characteristics. However, if you need to alter any ARP configuration parameters (such as enable auto-refresh or set refresh-timer, which changes the default refresh timer), or if you need to add, change, or delete permanent address mappings, see "Using ARP".
If LAN Emulation is configured on an interface, the defaults apply. You can effectively use the ARP protocol without any changes.
If there are hosts on attached subnetted networks that do not support IP subnetting, use Address Resolution Protocol (ARP) subnet routing (described in RFC 1027). When the router is configured for ARP subnet routing, it replies by proxy to ARP requests for destinations off the LAN, provided that the router is itself the best route to the destination and the destination is in the same natural network as the source. For correct operation, all routers attached to a LAN containing subnetting-ignorant hosts should be configured for ARP subnet routing.
To enable ARP subnet routing, use the following command:
IP config> enable arp-subnet-routing
Some IP hosts use ARP for all destinations, whether or not the destination is in the same natural network as the source. For these hosts, ARP subnet routing is not enough, and the router can be configured to reply by proxy to any ARP request as long as the destination is reachable through the router and the destination is not on the same local network segment as the source.
To enable ARP network routing, use the following command:
IP config> enable arp-network-routing
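The proxy-reply decision behind the two ARP options above, written out as an added example (not the router's code). The `reachable` callable is an assumption of this example standing in for the router's routing table: it returns True when the router is the best route to the target. The segment and addresses in the sample are constructed.

```python
# Added example, not the router's own code: the decision a router makes under
# ARP subnet routing (RFC 1027) and ARP network routing when it receives an
# ARP request on a LAN. "reachable" stands in for the router's routing table
# (an assumption of this example): it returns True when the router is the best
# route to the target. The sample addresses below are constructed.
from ipaddress import IPv4Address, IPv4Network
from typing import Callable, Optional


def natural_network(addr: str) -> IPv4Network:
    """RFC 791 classful network the address belongs to (class A, B or C)."""
    first = int(addr.split(".")[0])
    if first < 128:
        prefix = 8
    elif first < 192:
        prefix = 16
    elif first < 224:
        prefix = 24
    else:
        raise ValueError(f"{addr} is not a class A, B or C address")
    return IPv4Network(f"{addr}/{prefix}", strict=False)


def should_proxy_reply(sender: str, target: str, segment: str,
                       reachable: Callable[[str], bool],
                       mode: Optional[str]) -> bool:
    """segment is the LAN (e.g. '10.1.1.0/24') the request arrived on.
    mode is 'subnet' (enable arp-subnet-routing), 'network'
    (enable arp-network-routing) or None (neither enabled)."""
    if IPv4Address(target) in IPv4Network(segment):
        # Target is on the requesting host's own segment: that host answers.
        return False
    if not reachable(target):
        return False                      # router is not the best route
    if mode == "network":
        return True                       # any off-segment reachable target
    if mode == "subnet":
        # RFC 1027: only destinations within the sender's natural network.
        return natural_network(sender) == natural_network(target)
    return False


def sample_reachable(target: str) -> bool:
    """Constructed stand-in routing table: the router routes for 10.0.0.0/8
    and 192.168.0.0/16 only."""
    t = IPv4Address(target)
    return t in IPv4Network("10.0.0.0/8") or t in IPv4Network("192.168.0.0/16")


if __name__ == "__main__":
    lan = "10.1.1.0/24"     # a subnet of the class A network 10.0.0.0
    for target in ("10.1.1.9", "10.1.2.7", "192.168.1.1", "172.20.0.1"):
        for mode in ("subnet", "network", None):
            print(target, mode, should_proxy_reply("10.1.1.5", target, lan,
                                                   sample_reachable, mode))
```

The difference between the two modes shows in the 192.168.1.1 case: a host on 10.1.1.0/24 that ARPs for it gets a proxy reply only under arp-network-routing, because that target lies outside the sender's natural network 10.0.0.0/8.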
Filtering allows you to specify certain criteria that the router uses to control packet forwarding. The following main types of filtering are provided to help you achieve your security and administrative goals:
Access control allows the IP router to control the processing of individual packets based on source and destination IP addresses, IP protocol number, and by destination port number for the TCP and UDP protocols. This can control access to particular sets of IP hosts and services.
You can define access controls by configuring access control lists. One global list and two lists per interface can be specified. The global list applies to the router as a whole. Interface lists, also known as packet filters, are assigned names and apply only to the designated interface. For each interface, one list applies to incoming packets, and the other applies to outgoing packets. The lists are applied independently of each other. A packet might pass an incoming interface list, and be dropped by the global list.
Figure 23 illustrates the series of access control lists through which a packet must pass before being forwarded.
Figure 23. Access Control Lists in the Packet Forwarding Path
Each access control list consists of one or more access control rules that set the filtering criteria. Some access control rules define the global filters that affect all the interfaces on the router and others define the interface-specific access control lists (also called packet filters). The global access control rules are configured using the add access command at the IP config> prompt. The packet filters are set using two commands at the IP config> prompt: the add packet-filter command to define the filter and the update packet-filter command to configure it.
As IP packets flow through the router, IP packet fields are compared to the access control rules. A packet matches a rule if every specified field in the rule matches a corresponding field in the packet. If a packet matches a rule, and the rule filter type is inclusive, the packet passes. If the rule filter type is exclusive, the packet is dropped and is not processed any further by the router. If no rules match after going through the entire list, the packet is also dropped.
When defining records in access control lists, it is important to remember the following information:
IP config> add access-control
Enter type [E]? i
IP Access Control (including global and interface access control) is enabled with the set access-control on command and disabled with the set access-control off command. You can use the enable packet-filter and the disable packet-filter commands to enable and disable specific packet filters when IP access control is enabled.
If IP access control is enabled, you must be careful with packets that the router originates and receives. Be sure not to filter out the RIP or OSPF packets being sent or received by the router. The easiest way to do this is to add a wildcard inclusive rule as the last in the access control list. Alternatively, you can add specific rules for RIP and OSPF, perhaps with restrictive addresses and masks. Note that some OSPF packets are sent to the Class D multicast addresses 224.0.0.5 and 224.0.0.6, which is important if address checking is being done for routing protocols. See the add command for more information on access control.
The global access control list is defined when rules are added at the IP config> prompt:
IP config> add access-control...
Global access control rules can be listed, moved, or deleted using the list, move, or delete commands. See these commands for further information.
To define packet filters, which are interface-specific, use the add packet-filter command at the IP config> prompt. The router prompts you for the filter name, direction (input or output), and the interface number to which it applies.
IP config> add packet-filter
Packet-filter name [ ]? test
Filter incoming or outgoing traffic? [IN]? in
Which interface is this filter for [0]? 1
You can use the list packet-filter command to list all interface-specific access control lists configured in the router.
You must define access control rules for each defined list (packet filter). Otherwise, defined packet filters will have no effect on incoming or outgoing traffic. Use the update packet-filter command at the IP config> prompt to define access control rules. The router first prompts you for the name of the packet filter that you want to update. The IP config> prompt then changes to Packet-filter 'name' Config> where 'name' is the list name that you provide.
IP config> update packet-filter
Packet-filter name [ ]? test
Packet-filter 'test' Config>
From this prompt, you can issue add, list, move, and delete commands. These commands are similar to those used to modify the global access control list.
Access control rules consist of multiple parameters. Some parameters can be specified in all access control rules, while others can be specified only in the rules for packet filters. The following parameters can be specified in all access control rules:
The following parameter is for packet filters only:
The type designation of an access control rule defines what it does to packets that match it. An exclusive (E) rule discards packets. An inclusive (I) rule allows packets to be processed further by the router.
Each rule has an IP address and mask pair for both the IP source and destination addresses. When an IP packet is compared to an access control rule, the IP address in the packet is ANDed with the mask in the rule, and the result compared with the address in the rule. For example, a source address of 26.0.0.0 with a mask of 255.0.0.0 in an access control rule will match any IP source address with 26 in the first byte. A destination address of 192.67.67.20 and a mask of 255.255.255.255 will match only IP destination host address 192.67.67.20. An address of 0.0.0.0 with mask 0.0.0.0 is a wildcard that matches any IP address.
Each record can also have an IP protocol number range. This range is compared to the protocol byte in the IP header; a protocol value within the range specified by the access control rule will match (including the first and last numbers of the range). If you specify a range of 0 to 255, any protocol will match. Commonly used protocol numbers are 1 (ICMP), 6 (TCP), 17 (UDP), and 89 (OSPF).
TCP/UDP port number ranges can also be specified in an access control rule. This range is compared to the port number field in the TCP or UDP header of the IP packet; a port number value within the specified range (inclusive) will match. This field is ignored for IP packets that are not TCP or UDP packets. If you specify a range of 0 to 65535, any port number will match. Commonly used port numbers are 21 (FTP), 23 (Telnet), 25 (SMTP), 513 (rlogin) and 520 (RIP). See RFC 1700 (Assigned Numbers) for a list of IP protocol and port numbers.
A router that supports TOS identifies certain routes as providing the requested levels of service and sends packets over those routes according to the setting of their TOS bits.
TOS in IP is not a guarantee of any particular type of service, but a request to the router to provide service of the type requested. For example, a packet with a TOS field requiring maximum throughput can be sent over several hops that have different bandwidths. It will get normal service - no special treatment - if it should pass over a hop managed by a router that does not support TOS. See the add access-controls command on page "Add" for descriptions of these parameters.
To enable the router to interpret TOS bits and route packets according to those bits, you create an access control rule from which the router will receive TOS packets for filtering and Type of Service routing. This access control rule applies to all the interfaces on the router. The following parameters are used to define the TOS bits that the router will compare:
To enable the router to modify the TOS bits of incoming packets, you create a global access control rule from which the router will receive TOS packets that are to be modified. Modifying the value of the TOS bits is a separate activity from interpreting them and routing the packet. If both interpretation and modification are configured, the modification will be done after the interpretation. The following parameters are used to define the TOS bits to be modified:
You can filter inbound packets to direct them to a manually selected next hop gateway address (known as policy-based routing). To do this, create an inclusive inbound access control rule either globally, for the router, or for a particular interface, and provide the following parameters:
The following example allows any host to send packets to the SMTP TCP socket on 192.67.67.20.
add access-control inclusive 0.0.0.0 0.0.0.0 192.67.67.20 255.255.255.255 6 6 25 25
The next example prevents any host on subnet 1 of Class B network 150.150.0.0 from sending packets to hosts on subnet 2 of Class B network 150.150.0.0 (assuming a 1-byte subnet mask).
add access-control exclusive 150.150.1.0 255.255.255.0 150.150.2.0 255.255.255.0 0 255 0 65535
This command allows the router to send and receive all RIP packets.
add access-control inclusive 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 17 17 520 520
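The three rules above, loaded into a global list and evaluated against sample packets the way the access control section describes (address ANDed with mask, inclusive protocol and port ranges, first match decides, no match means drop). This is an added example, not the router's implementation; it assumes that the port range in the positional command form is the destination port range, as the interactive prompt's "DESTINATION port number" suggests. The packets are constructed.

```python
# Added example, not the router's own code: evaluation of an IP access control
# list as this chapter describes it. Rules are the three 'add access-control'
# lines above, parsed from that positional form. Assumption: the port range
# applies to the destination port. Sample packets are constructed.
from dataclasses import dataclass
from ipaddress import IPv4Address


@dataclass
class Rule:
    inclusive: bool
    src: str
    src_mask: str
    dst: str
    dst_mask: str
    proto_lo: int
    proto_hi: int
    port_lo: int
    port_hi: int


@dataclass
class Packet:
    src: str
    dst: str
    proto: int
    dport: int = 0     # meaningful only for TCP (6) and UDP (17)


def parse_rule(line: str) -> Rule:
    """Parse 'add access-control inclusive|exclusive src smask dst dmask
    proto_lo proto_hi port_lo port_hi'."""
    f = line.split()
    if f[:2] != ["add", "access-control"] or len(f) != 11:
        raise ValueError(f"not an access-control rule: {line!r}")
    if f[2] not in ("inclusive", "exclusive"):
        raise ValueError(f"unknown rule type: {f[2]}")
    return Rule(f[2] == "inclusive", f[3], f[4], f[5], f[6],
                int(f[7]), int(f[8]), int(f[9]), int(f[10]))


def addr_matches(packet_addr: str, rule_addr: str, mask: str) -> bool:
    """Packet address ANDed with the rule mask, compared with the rule address."""
    masked = int(IPv4Address(packet_addr)) & int(IPv4Address(mask))
    return masked == int(IPv4Address(rule_addr))


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """Every specified field of the rule must match the packet."""
    if not addr_matches(pkt.src, rule.src, rule.src_mask):
        return False
    if not addr_matches(pkt.dst, rule.dst, rule.dst_mask):
        return False
    if not rule.proto_lo <= pkt.proto <= rule.proto_hi:
        return False
    # The port range is consulted only for TCP and UDP packets.
    if pkt.proto in (6, 17) and not rule.port_lo <= pkt.dport <= rule.port_hi:
        return False
    return True


def evaluate(rules, pkt: Packet) -> bool:
    """True if the packet passes. The first matching rule decides; a packet
    that matches no rule in the whole list is dropped."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.inclusive
    return False


# The global list built from the chapter's three examples, in this order.
SAMPLE_RULES = [parse_rule(line) for line in (
    "add access-control inclusive 0.0.0.0 0.0.0.0 192.67.67.20 255.255.255.255 6 6 25 25",
    "add access-control exclusive 150.150.1.0 255.255.255.0 150.150.2.0 255.255.255.0 0 255 0 65535",
    "add access-control inclusive 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 17 17 520 520",
)]


if __name__ == "__main__":
    for pkt in (Packet("10.5.5.5", "192.67.67.20", 6, 25),
                Packet("10.5.5.5", "192.67.67.20", 6, 23),
                Packet("150.150.1.10", "150.150.2.20", 1),
                Packet("150.150.1.10", "150.150.2.255", 17, 520),
                Packet("192.9.1.4", "255.255.255.255", 17, 520)):
        print(pkt, "->", "pass" if evaluate(SAMPLE_RULES, pkt) else "drop")
```

Rule order matters: a RIP packet from 150.150.1.10 to 150.150.2.255 is dropped by the exclusive subnet rule before the RIP rule is reached, which is exactly the case the warning about not filtering out RIP and OSPF packets is meant to catch. Placing the RIP rule first would let it through.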
This example shows how to create a global access control rule. Values are entered to enable the interpretation of TOS bits of packets arriving from IP address 9.1.2.3 and to change the values of these bits before sending the packets. See Add for an explanation of the meaning of the parameters that create TOS filtering and policy-based routing.
IP config> add access-control
Enter type [E]? i
Internet source [0.0.0.0]? 9.1.2.3
Source mask [255.255.255.255]?
Internet destination [0.0.0.0]?
Destination mask [0.0.0.0]?
Enter starting protocol number ([0] for all protocols) [0]?
Enter starting DESTINATION port number ([0] for all ports) [0]?
Enter starting SOURCE port number ([0] for all ports) [0]?
Filter on ICMP Type ([-1] for all types) [-1]?
TOS/Precedence filter mask (00-FF - [0] for none) [0]? e0
TOS/Precedence start value (00-FF) [0]?
TOS/Precedence end value [0]?
TOS/Precedence modification mask (00-FF - [0] for none) [0]? 1f
New TOS/Precedence value (00-FF) [0]? 08
Use policy-based routing? [No]: y
Next hop gateway address [ ]? 9.2.160.1
Use default route if next hop gateway unreachable? [Yes]:
Enable Logging (Yes or [No]):
Route filtering impacts packet forwarding by influencing the content of the routing table. In general, route filtering is more efficient but less flexible than access control. Filtering based on packet fields other than the destination IP address can be done using access control, described above.
The following methods are used in this router to influence the content of the routing table.
You can designate an IP destination to be inserted in the routing table as a filter route. IP packets will not be forwarded to these destinations, and routing information concerning them will not be advertised. Filter routes are not recommended when OSPF is used in your network; OSPF-learned internal routes will override filtered routes in the routing table.
To configure a filter route, enter the following command at the IP config> prompt:
IP config> add filter dest-IP-address address-mask
Filter routes will be listed as an entry with the type fltr when the dump command is used to view the IP routing table.
Note: If a more specific route is available, packets will be forwarded. For example, if a filter route is defined for network 9.0.0.0 (mask 255.0.0.0), but a route is learned for a subnet of the network (for example 9.1.0.0, mask 255.255.0.0), then packets will be forwarded to subnet 9.1.0.0 but not to other subnets of that network.
When RIP is used as the dynamic routing protocol, you can configure certain interfaces to ignore routes in RIP updates.
The following command results in ignoring all RIP updates received on an interface:
IP config> disable receiving rip ip-interface-address
The following commands result in ignoring certain types of routes received on an interface:
IP config> disable receiving dynamic nets ip-interface-address
IP config> disable receiving dynamic subnets ip-interface-address
IP config> disable receiving dynamic host ip-interface-address
If more granular filtering of RIP routes is required, the route policies that are described in the following command can be utilized:
IP config> add accept-rip-route ip-network/subnet/host
When route table filtering is enabled and route filters are defined, checking is performed before adding routes to the IP routing table. If the route to be added matches on an inclusive route filter, it will be added to the IP route table. If it matches on an exclusive route filter, it will not be added to the IP route table. Direct and static routes will never be filtered.
This function can be used to prevent routes from being added to the IP route table in situations where the network administrator does not want all routes advertised by routing protocols to be available. This function could be used in a service provider environment to prevent customers from having access to each other's networks.
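The route table filtering check described in the two paragraphs above, as an added example (not the router's implementation), applied in the service-provider scenario just mentioned. Two points the text leaves open are assumptions of this example: a route "matches" a filter when its destination range lies inside the filter's range, and a route that matches no filter at all is admitted. The customer address ranges are constructed.

```python
# Added example, not the router's own code: the route-table filtering check
# applied before a learned route is added. Direct and static routes are exempt.
# Assumptions (not stated by the manual): a route matches a filter when its
# destination range is contained in the filter's range, and a route matching
# no filter is admitted.
from dataclasses import dataclass
from ipaddress import IPv4Network


@dataclass
class RouteFilter:
    inclusive: bool
    network: IPv4Network


def make_filter(kind: str, dest: str, mask: str) -> RouteFilter:
    """kind is 'inclusive' or 'exclusive'; dest/mask give the filter's range."""
    if kind not in ("inclusive", "exclusive"):
        raise ValueError(f"unknown filter type: {kind}")
    return RouteFilter(kind == "inclusive",
                       IPv4Network(f"{dest}/{mask}", strict=False))


def admit_route(dest: str, mask: str, source: str, filters,
                filtering_enabled: bool = True) -> bool:
    """Return True if the route may enter the IP route table.
    source names where the route came from: 'direct', 'static', 'rip',
    'ospf' or 'bgp'."""
    if source in ("direct", "static"):
        return True                      # never filtered
    if not filtering_enabled:
        return True
    route = IPv4Network(f"{dest}/{mask}", strict=False)
    for f in filters:                    # first matching filter decides
        if route.subnet_of(f.network):   # assumption: containment is a match
            return f.inclusive
    return True                          # assumption: unmatched routes admitted


# Constructed service-provider scenario: this router serves customer A
# (10.1.0.0/16); routes for customer B (10.2.0.0/16) must never enter its
# table even if a routing protocol advertises them. The exclusive filter is
# listed first so that it takes precedence over the broad inclusive one.
SAMPLE_FILTERS = [
    make_filter("exclusive", "10.2.0.0", "255.255.0.0"),
    make_filter("inclusive", "10.0.0.0", "255.0.0.0"),
]


if __name__ == "__main__":
    for dest, mask, src in (("10.2.5.0", "255.255.255.0", "rip"),
                            ("10.1.5.0", "255.255.255.0", "rip"),
                            ("10.2.5.0", "255.255.255.0", "static")):
        print(dest, mask, src, "->", admit_route(dest, mask, src, SAMPLE_FILTERS))
```

Filter order matters in the same way it does for access control rules: with the inclusive 10.0.0.0/8 filter listed first, a customer B subnet would match it and be admitted before the exclusive filter is consulted.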
BOOTP (documented in RFC 951 and RFC 1542) is a bootstrap protocol used by a diskless workstation to learn its IP address, the location of its boot file, and the boot server name. Dynamic Host Configuration Protocol (DHCP), documented in RFC 2131, is used to allocate reusable network addresses and host-specific configuration parameters from a server.
The following terms are useful when discussing the BOOTP/DHCP forwarding process:
The following steps outline an example of the BOOTP forwarding process. (DHCP exchanges proceed in a similar way):
Note: If multiple hops are required before reaching the BOOTP agent, the packet is routed normally via IP. All other routers would not examine the packet to determine whether it is a BOOTP packet.
To enable or disable BOOTP forwarding on the router, enter the following command at the IP configuration prompt. (Enable BOOTP Forwarding to allow the router to forward BOOTP and/or DHCP requests and replies between Clients and Servers on different segments of your network.)
IP config> enable/disable bootp
When enabling BOOTP, you are prompted for the following values:
After accepting a BOOTP request, the router forwards the BOOTP request to each BOOTP server. If there are multiple servers configured for BOOTP, the router replicates the packet.
To add a BOOTP or DHCP server to the router's relay agent configuration, enter the following command at the IP configuration prompt:
IP config> add bootp-server server-IP-address
Multiple servers can be configured. In addition, if only the network number of the server is known or if multiple servers reside on the same network segment, a broadcast address can be configured for the server.
The use of a statically configured default route is popular for host IP configurations. It minimizes configuration and processing overhead and is supported by virtually every IP implementation. This mode of operation is likely where dynamic host configuration protocols are deployed that typically provide configuration for an end-host IP address and default gateway. However, this creates a single point of failure. Loss of the default router results in a catastrophic event, isolating all end-hosts that are unable to detect any alternate path that may be available.
The Virtual Router Redundancy Protocol (VRRP) is designed to eliminate the single point of failure inherent in the static default routed environment. VRRP specifies an election protocol that dynamically allows a set of routers to back up each other. The VRRP router controlling one or more IP addresses is called the master router, and forwards packets sent to these IP addresses. The election process provides dynamic fail-over in the forwarding responsibility should the master become unavailable. Any of the IP addresses on a virtual router can then be used as the default first hop router by end-hosts. The advantage gained from using the VRRP is a higher availability default path without requiring configuration of dynamic routing or router discovery protocols on every end-host.
In order to use and configure VRRP you must first define a Virtual Router ID (VRID) on each LAN segment running VRRP. The VRID is a number in the range of 1 to 255. This VRID identifies the routers that will back one another up. Therefore, all VRRP routers that are backups for one another must have the same VRID. For each VRRP segment, one router called the master router owns the default IP address configured for hosts on the LAN segment. As long as the master is available, it responds to ARP requests for that address and forwards packets. One of the backup routers takes the place of the master router if the master router becomes unavailable. When a backup router takes over, it becomes accessible at the default IP address so that the hosts now use it as the master router.
The VRID represents a unicast or multicast virtual MAC address. You can configure the backup routers with a virtual MAC address or configure each VRRP router to use its own unique burned-in hardware MAC address. If you use the multicast option, you cannot use the hardware MAC address. If you use the hardware MAC address, the hosts that communicate with the VRRP router must support gratuitous ARPs. Using the hardware MAC address can provide improved performance in your network.
The following is an example of a very simple VRRP topology. In this example, the virtual MAC address is used. If the hardware MAC address were used, the master router and the backup router would each use its own hardware MAC address.
Figure 24. Ethernet LAN with subnet 10.1.1.0/255.255.255.0, All Hosts Configured with Default Gateway 10.1.1.1
A more complicated topology is one with multiple VRRP routers where the goal is to balance the load between the routers while still having complete backup capability. In this case two VRIDs need to be defined, and each router is the master for one and the backup for the other. This illustration follows:
Figure 25. Multiple VRRP Routers
This section outlines the steps used to configure redundant default IP gateways on ELANs. Configuration of a redundant gateway allows end stations with manually configured default gateways to continue passing traffic to other subnets after their primary gateway goes down.
To configure a device with a primary gateway or backup gateway:
Note: The primary gateway and the backup gateway must have the same MAC address.