This chapter describes how to configure IP routing for each interface and sub-interface. To configure IP filters, see the IP, IP Filter, and IP Route Filter sections in the Cisco VPN 5000 Concentrator Series Command Reference Guide.
Note For commands that require the interface slot and port, slot 0 is the far left slot for the VPN 5008 chassis, and the top slot for the VPN 5002 chassis. Ports are numbered starting with 0, so for a module with one port, the port is 0.
Sub-interfaces allow you to have separate subnets connecting to the same physical port, allowing you to maximize your ports and bandwidth.
To configure the IP section for a sub-interface, use the following syntax to enter the sub-interface number along with the slot and port:
configure IP {Ethernet | WAN} slot:port.sub-interface
For example:
configure IP WAN 1:0.1
The primary interface is sub-interface 0, which you do not have to specify in the syntax. For example:
configure IP WAN 1:0
To turn on IP routing, follow these steps:
| | Command | Purpose |
|---|---|---|
| Step 1 | configure IP {Ethernet slot:port \| WAN slot:port[.sub-interface]} | Identifies the port for which you want to enable routing. Only WAN ports allow you to enable routing independently on sub-interfaces. On Ethernet ports, you enable routing for all sub-interfaces. |
| Step 2 | Mode = Routed | Turns on routing. |
If you need to conserve IP addresses or want to simplify your configuration, you do not need to assign an IP address to a PPP link. To extend this functionality to Frame Relay, you can identify a Frame Relay link as a point-to-point link.
| | Command | Purpose |
|---|---|---|
| Step 1 | If you have not already entered the IP section, enter: configure IP WAN slot:port[.sub-interface] | Specifies the port for which you want to configure IP. |
| Step 2 | Numbered = Off | Specifies that the interface does not have an IP address. |
| Step 3 | For Frame Relay: PointToPointFrame = On | Specifies that the Frame Relay link is point-to-point. |
| Step 4 | For Frame Relay: InterfaceDLCI = number | number is the local interface DLCI assigned by your Frame Relay provider. The DLCI can be a number between 16 and 1007. |
For unnumbered PPP and Frame Relay links, complete the "Configuring a PPP or Point-to-Point Frame Relay Link" section instead of setting an IP address according to this section. To set an IP address for numbered links:
| | Command | Purpose |
|---|---|---|
| Step 1 | If you have not already entered the IP section, enter: configure IP {Ethernet \| WAN} slot:port[.sub-interface] | Specifies the port for which you want to configure IP. |
| Step 2 | IPAddress = IP_Address | Specifies the interface IP address. |
| Step 3 | SubnetMask = IP_Address | Specifies the interface subnet mask. |
| Step 4 | IPBroadcast = IP_Address | (Optional) Specifies the interface broadcast address. If you do not set a broadcast address, the system derives one from the IP address and subnet mask you entered. |
The default gateway is the router IP address to which the concentrator sends all IP packets for which it does not have a route. To configure the default gateway, follow these steps:
edit config IP Static
Note The edit config text editor allows you to add lines to the configuration exactly as entered. Unlike the configure configuration editor used elsewhere in this guide, you do not enter keywords and values.
Step 2 Enter:
append 1
Adds a line after the section name and changes the prompt to Append>.
Step 3 (Optional) Add a comment by starting the line with a pound sign (#), and press the Enter key at the end of the comment to go to a new line.
Step 4 Enter the default route:
0.0.0.0 0.0.0.0 {Gateway | Port} Metric
The destination and mask of 0.0.0.0 are wild cards that indicate that any packet that is not routed according to the routing table is sent to the Gateway address or through the specified Port.
| Option | Description |
|---|---|
| Gateway | The address on the upstream router. |
| Port | The port name {VPN VPN_port_number \| WAN slot:port[.subinterface]} for a VPN LAN-to-LAN connection or for a PPP or point-to-point Frame Relay link where you do not need to specify the other end's IP address. |
| Metric | A value between 1 (recommended) and 15 that specifies the distance or cost to the destination address. A route with a lower metric supersedes a competing route, for example one learned through a routing protocol. The metric loosely corresponds with the number of hops to the destination. You can artificially inflate or deflate the cost for a route. For example, if there is more than one route to a destination, but the route with the shortest number of hops is over a slow WAN link, you can add a non-WAN route with a deflated metric to supersede the slow WAN route. |
Step 5 Press the Enter key to go to a new line, enter a period (.) and press Enter.
Step 6 Enter the following command to exit the editor and save your changes:
exit
Use quit to exit the editor without making any changes.
IP routing protocols create and update routing tables that tell routers where to send a particular packet. For the VPN 5002 or 5008 concentrator, a dynamic routing protocol:
You can specify the following protocols:
If you do not use a routing protocol, configure static routes using the steps in the "Configuring Static Routes" section.
For a VPN-only port, as described in the "Using a VPN-Only Port" section, do not specify a protocol because it cannot send or accept routing protocol packets.
You can only apply a dynamic routing protocol to the primary interface and not to individual sub-interfaces. For example, if you apply OSPF to Ethernet 0:0, then OSPF is also active on Ethernet 0:0.1 and Ethernet 0:0.2.
Gateways and routers that support RIP send routing-update messages at regular intervals and when the network topology changes. These RIP packets contain information about the networks that the routers and gateways can reach, as well as the number of routers/gateways that a packet must travel through to reach the destination address. RIP generates more traffic than OSPF, but is easier to configure initially.
| | Command | Purpose |
|---|---|---|
| Step 1 | If you have not already entered the IP section, enter: configure IP {Ethernet \| WAN} slot:port | Specifies the primary interface for which you want to configure RIP. You cannot specify a sub-interface. |
| Step 2 | RIPVersion = {V1 \| V2} | Use RIP V2 unless a neighboring router uses V1, in which case all routers should use V1. |
To learn more about these and other settings, see the IP section in the Cisco VPN 5000 Concentrator Series Command Reference Guide.
OSPF uses a link-state algorithm to build and calculate the shortest path to all known destinations. Each router in an OSPF area contains an identical link-state database, which is a list of each router's usable interfaces and reachable neighbors.
The advantage of OSPF over RIP is that OSPF link-state database updates are sent less frequently than RIP updates, and the link-state database is updated instantly rather than gradually as stale information is timed out.
Also, routing decisions are based on "cost," which is an indication of the overhead required to send packets across a certain interface. The cost of an interface is calculated based on link bandwidth rather than the number of hops to the destination. The cost can also be configured to specify preferred paths.
The disadvantage of shortest path first algorithms is that they require a lot of CPU cycles and memory.
To enable and configure OSPF, see the IP section and the OSPF Area section in the Cisco VPN 5000 Concentrator Series Command Reference Guide. See the OSPF Virtual Link section to configure a virtual link, which is the only way to allow an area that is not contiguous to the backbone area (area 0) to operate.
If you do not use a dynamic routing protocol to learn and propagate routes, use static routes. You might want to use static routes if:
On the concentrator, you need to identify routes for all networks the concentrator needs to reach, for example, all networks that VPN clients need to reach. You might also need to set up static routes on neighboring routers to inform them of the path to the VPN client networks identified by the LocalIPNet in the VPN group section. You do not need to identify the VPN client network if you use StartIPAddress. See "Configuring VPN Groups," for more information.
The simplest option is to use only the default route for all traffic, relying on the default gateway to route the traffic for you. However, this approach is not as efficient as explicit static routes.
To configure static routes, follow these steps:
edit config IP Static
Note The edit config text editor allows you to add lines to the configuration exactly as entered. Unlike the configure configuration editor used elsewhere in this guide, you do not enter keywords and values.
Step 2 Enter:
append $
Adds a line at the end of the section and changes the prompt to Append>.
Step 3 (Optional) Add a comment by starting the line with a pound sign (#), and press the Enter key at the end of the comment to go to a new line.
Step 4 Enter the static route:
Destination Mask {Gateway | Port} Metric [Redist={RIP | OSPF1 | OSPF2 | none}]
| Option | Description |
|---|---|
| Destination | The IP address for the destination network in dotted decimal notation. |
| Mask | The subnet mask for the Destination address. |
| Gateway | The IP address of the upstream router responsible for this network. |
| Port | The port name {VPN VPN_port_number \| WAN slot:port[.subinterface]} for a VPN LAN-to-LAN connection or for an unnumbered PPP or point-to-point Frame Relay link where you do not need to specify the other end's IP address. |
| Metric | A value between 1 (recommended) and 15 that specifies the distance or cost to the destination address. A route with a lower metric supersedes a competing route, for example one learned through a routing protocol. The metric loosely corresponds with the number of hops to the destination. You can artificially inflate or deflate the cost for a route. For example, if there is more than one route to a destination, but the route with the shortest number of hops is over a slow WAN link, you can add a non-WAN route with a deflated metric to supersede the slow WAN route. |
| Redist | Indicates whether this static route should be redistributed using a routing protocol, enabling other routers to use the concentrator as the gateway for packets with the static route's destination address. Do not enter spaces around the equals sign in Redist=value. |
For example, the following route sends all traffic destined for the 167.56.7.0 network to the router IP address 189.5.6.1:
167.56.7.0 255.255.255.0 189.5.6.1 1 Redist=RIP
Step 5 To enter additional routes, press the Enter key to go to a new line.
Step 6 After entering the last route, press the Enter key to go to a new line, enter a period (.) and press Enter.
Step 7 Enter the following command to exit the editor and keep your changes:
exit
Use quit to exit the editor without making any changes.
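Because the edit config editor stores lines exactly as entered, it can help to check IP Static lines against the field rules in the table above before pasting them in. The following linter is an added example, not Cisco's code; the function names, the sample routes, the case-insensitive Redist match and the check for destination bits outside the mask are assumptions of the example.

```python
import ipaddress
import re

# Format from the static route step: Destination Mask {Gateway | Port} Metric [Redist=...]
ROUTE_RE = re.compile(r"^(?P<dest>\S+)\s+(?P<mask>\S+)\s+"
                      r"(?P<hop>VPN\s+\d+|WAN\s+\d+:\d+(?:\.\d+)?|\S+)\s+"
                      r"(?P<metric>\S+)(?:\s+(?P<redist>.+))?$")
REDIST_RE = re.compile(r"^Redist=(RIP|OSPF1|OSPF2|none)$", re.I)  # any letter case: assumption

SAMPLE = """\
# constructed sample section, not taken from a real device
167.56.7.0 255.255.255.0 189.5.6.1 1 Redist=RIP
0.0.0.0 0.0.0.0 WAN 1:0.1 1
10.1.0.0 255.255.0.0 VPN 0 1 Redist = OSPF1
10.1.2.0 255.0.255.0 10.0.0.1 16
"""

def check_route(line):
    """Return the problems found in one IP Static line (empty list = passed)."""
    line = line.strip()
    if not line or line.startswith("#"):        # blank line or comment
        return []
    m = ROUTE_RE.match(line)
    if not m:
        return ["not in 'Destination Mask {Gateway|Port} Metric [Redist=...]' form"]
    problems = []
    try:
        dest = int(ipaddress.IPv4Address(m["dest"]))
        host_bits = int(ipaddress.IPv4Address(m["mask"])) ^ 0xFFFFFFFF
        if host_bits & (host_bits + 1):         # mask ones must be contiguous
            problems.append("subnet mask is not contiguous")
        elif dest & host_bits:                  # lint rule of this example, not a documented one
            problems.append("destination has bits set outside the mask")
    except ipaddress.AddressValueError:
        problems.append("destination or mask is not a dotted-decimal address")
    if not re.match(r"(VPN|WAN)\s", m["hop"]):  # not a port name, so it must be a gateway IP
        try:
            ipaddress.IPv4Address(m["hop"])
        except ipaddress.AddressValueError:
            problems.append("gateway is neither an IP address nor a VPN/WAN port name")
    if not (m["metric"].isdecimal() and 1 <= int(m["metric"]) <= 15):
        problems.append("metric must be between 1 and 15")
    if m["redist"] and not REDIST_RE.match(m["redist"]):
        problems.append("Redist must be Redist=RIP|OSPF1|OSPF2|none, no spaces around '='")
    return problems

def audit(section_text):
    """Map line number -> problems for each failing line of an IP Static section."""
    return {n: p for n, l in enumerate(section_text.splitlines(), 1) if (p := check_route(l))}
```

Calling audit(SAMPLE) reports lines 4 and 5 of the sample: the spaced Redist assignment, and the non-contiguous mask together with the out-of-range metric.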
Posted: Wed Sep 27 10:24:21 PDT 2000
Copyright 1989-2000©Cisco Systems Inc.