
IP

This section sets parameters that control how IP packets are handled on each interface of the device. Cisco Systems devices support IP Version 4 routing. All references to IP on this manual page refer to this set of protocols.

configure IP {{Ethernet | WAN} slot:port[.sub-interface] | VPN number | Bridge [0.sub-interface]}

Syntax Description

Ethernet | WAN

Identifies the type of port for which you want to configure this section.

slot:port[.sub-interface]

For a modular platform, identify the slot:

  • For the VPN 5008 chassis, slot 0 is the far left slot.

  • For the VPN 5002 chassis, slot 0 is the top slot.

For the VPN 5001 concentrator, enter only the port number. For a module with one port, the port is 0.

You can have up to 255 sub-interfaces per IP port. Sub-interfaces allow you to have separate subnets connecting to the same physical port, allowing you to maximize your ports and bandwidth. You can use sub-interfaces only for Frame Relay and Ethernet connections.

The primary interface is sub-interface 0, which you do not have to specify in syntax:

configure IP WAN 1:0

VPN number

Identifies the VPN port you configured in the Tunnel Partners section for a LAN-to-LAN tunnel.

Bridge [0.sub-interface]

If you enabled bridging on one or more IP ports, you can bridge all the ports together and assign a single IP address to the bridge. You can create multiple Bridge sections with unique IP addresses by using sub-interface numbers, from 1 to 255.

Keywords

After entering the configure command for the section, enter one or more of the following keywords.

Mode = {Routed | Bridged | Brouted | Off}

The Mode keyword describes the method the device is to use to handle IP packets when received by the device.

  • Routed enables the port of the device. It specifies that the device is attached to a routed network and the device will forward packets to its other ports if it is a router or to the virtual private networks if it is a VPN access server.

  • Bridged enables the port of a router and specifies that it is attached to a bridged network and will forward packets based on the physical address using the router's bridge cache, which is maintained through the IEEE Spanning Tree Protocol or through active listening. If Bridged is specified, bridging must be enabled globally in the router in the Bridging Global section and on the interface in the Bridging section. It is possible to assign an IP address to the router using the IP Bridge section if it is to be managed by either VPN 5000 Manager, telnet or SNMP using the IP protocol while bridging.

  • Brouted is only available on WAN interfaces and allows the device to accept both bridged and routed IP packets over the interface. This is particularly useful for Frame Relay networks with multiple PVCs attached to the same physical WAN interface. The Brouted mode allows the device to demultiplex the packet stream for processing by the bridge or router modules as appropriate.

  • Off disables the port of the device. If Off is specified, then IP packets received on the interface will be silently discarded.

IPAddress = IP_Address

The IPAddress keyword specifies the IP address for this interface.

Every network interface on an IP internetwork must have a unique IP address that identifies that interface to other devices on the internetwork. Part of this address identifies the network segment the interface is connected to, and the remainder uniquely identifies the interface itself.

Most IP networks use subnetting in order to subdivide a large network into smaller logical subnetworks. The subnet mask address is used to tell the device what part of the IP address identifies the network segment (the "network" portion), and what part identifies individual interfaces (the "host" portion).

Additionally, an IP subinterface may be assigned to a port. IP subinterfaces allow the device to service more than one IP address range on a single physical network segment. A subinterface may be specified by adding a decimal point to the primary interface (e.g., WAN 1.1, Ethernet 2.1, etc.). A port's primary interface is always assumed to be .0, although it will not appear as such in the configuration editor (i.e., it will appear as WAN 1 or Ethernet 2, etc.).

Because a routed IP packet does not contain any information regarding which networks it has passed across, the router must associate all IP packets received from a physical segment with the primary interface connected to the segment. As a result of this, the only IP parameters which may be set for subinterfaces greater than .0 are IPAddress, SubnetMask, and IPBroadcast.

Note: Subinterfaces are only allowed on WAN ports configured for Frame Relay operation. They are not allowed on WAN ports configured for PPP. Frame Relay DLCIs (Data Link Connection Identifiers) must be statically mapped when subinterfaces are in use because IARP (Inverse ARP) can only resolve a physical port, not a logical subinterface on that port. See the Frame Relay section for more information.

SubnetMask = IP_Address

The SubnetMask keyword specifies the IP subnet mask for this interface.

There are three "classes" of subnetted IP networks: A, B and C. Each class uses a different amount of the 32-bit IP address for the network and host portions. These classes may also be further divided (subnetted) by increasing the number of bits used for the network portion and reducing the number of bits used for the host portion.

Class A addresses use 8 bits for the network portion and 24 for the host portion, Class B addresses use 16 bits for the network portion and 16 for the host portion, and Class C addresses use 24 bits for the network portion and 8 bits for the host portion.

Example: Assuming that you want a single network for all of the available host addresses, the corresponding subnet masks would be as follows: 255.0.0.0 for Class A, 255.255.0.0 for Class B, and 255.255.255.0 for Class C.

IPBroadcast = IP_Address

The IPBroadcast keyword specifies the IP broadcast address of this interface.

The IPBroadcast keyword is used to tell the device what address to use to send any IP broadcast messages. The standard broadcast address has all 1 bits set in the host portion of the address. A few networks use all zeroes for the broadcast address. If you are unsure which type your network uses, check with your network administrator.

If you do not set a broadcast address, the device will derive one from the IP address you entered and the subnet mask.
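The derivation described above, worked through as an added example (not code from the manual or the device): the broadcast address is the network portion of IPAddress with every host bit set, or with every host bit cleared for the all-zeros form, and the subnet mask must be contiguous for either to make sense. The values are the ones from the first example on this page.

```python
import ipaddress


def prefix_length(subnet_mask: str) -> int:
    """Number of network bits in a contiguous subnet mask (raises on a non-contiguous mask)."""
    mask = int(ipaddress.IPv4Address(subnet_mask))
    ones = bin(mask).count("1")
    if mask != (0xFFFFFFFF << (32 - ones)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous subnet mask {subnet_mask}")
    return ones


def derive_broadcast(ip_address: str, subnet_mask: str, all_zeros: bool = False) -> str:
    """Broadcast address the device would derive when IPBroadcast is left unset.

    The standard form sets every host bit to 1.  The all-zeros form that a few
    older networks use clears every host bit, so it coincides with the network
    address.
    """
    prefix_length(subnet_mask)  # reject masks the bit arithmetic below cannot handle
    addr = int(ipaddress.IPv4Address(ip_address))
    mask = int(ipaddress.IPv4Address(subnet_mask))
    network = addr & mask
    host_bits = ~mask & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(network if all_zeros else network | host_bits))


def broadcast_matches(ip_address: str, subnet_mask: str, configured: str) -> bool:
    """True when a hand-entered IPBroadcast is one of the two forms the manual describes."""
    return configured in (
        derive_broadcast(ip_address, subnet_mask),
        derive_broadcast(ip_address, subnet_mask, all_zeros=True),
    )


if __name__ == "__main__":
    # Values from the first example on this page: 192.168.9.1 with mask 255.255.255.224
    print(derive_broadcast("192.168.9.1", "255.255.255.224"))  # 192.168.9.31
    print(broadcast_matches("192.168.9.1", "255.255.255.224", "192.168.9.255"))  # False
```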

RIPVersion = {V1 | V2 | None}

The RIPVersion keyword specifies which version of the Routing Information Protocol (RIP) is used by the router. RIP is used by routers to exchange information between themselves about the most effective path for forwarding packets between various end points. RIP is the most widely used routing protocol on IP networks. All gateways and routers that support RIP periodically broadcast routing information packets. These RIP packets contain information concerning the networks that the routers and gateways can reach, as well as the number of routers/gateways that a packet must travel through to reach the destination address.

  • RIP version 1 (V1) will send and accept RIP packets and will then periodically update its routing table with the information provided from these packets. On a large network, an up-to-date routing table will enhance network performance, since the router will always be aware of the optimal path to use when sending packets.

  • RIP version 2 (V2) is an enhancement of RIP version 1 which allows IP subnet information to be shared among routers, and provides for authentication of routing updates. When RIP V2 is chosen, the router will use the multicast address 224.0.0.9 to send and/or receive RIP V2 packets for this network interface. As with RIP V1, the routing table will be periodically updated with information provided in these packets.

It is recommended that on any segment where all routers can use the same IP routing protocol, RIP V2 be used. If one or more routers on a segment must use RIP V1, then all other routers on that segment should also be set to use RIP V1.

  • If None is specified for this keyword, the router will not update its routing table and should always direct traffic to addresses for which it does not have a route (addresses not on one of the networks connected to its interfaces) to the "gateway/port" defined in the IP Static section. It will then be the responsibility of that router to direct the packets to the correct address.

Note: Some routers, in particular those designed to create very large corporate backbones, may use other routing protocols such as OSPF (Open Shortest Path First). These routers can simultaneously use RIP to communicate with smaller routers, or each of the smaller routers can be set to use one of these backbone routers as their default gateway/port.

NatMap = {On | Off}

The NatMap keyword, when set to On, enables this interface to perform Network Address Translation. NAT should only be enabled for this interface if it is to serve as the external NAT port.

RIPOut = {On | Off}

The RIPOut keyword, when set to On, allows the interface to send RIP.

RIPIn = {On | Off}

The RIPIn keyword, when set to On, allows the interface to receive RIP.

SplitHorizon = {SplitHorizon | PoisonReverse | None}

The SplitHorizon keyword specifies the technique used by RIP to avoid routing loops and allow smaller update packets.

  • SplitHorizon specifies that when sending a RIP update out a particular network interface, it never includes routing information acquired from that interface.

  • PoisonReverse is a variation of the Split Horizon technique that specifies that all routes should be included in an update out a particular interface. It also sets the metric to infinity for those routes acquired over that interface. One drawback is that routing update packet sizes will be increased when using Poison Reverse.

  • If None is selected, all routes are included in an output packet regardless of where they originated and will use a normal metric value.
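The three SplitHorizon settings applied to one routing table, as an added example that is not code from the manual or the device. The routing table is constructed; the interface names follow the page's own conventions, and the RIP infinity metric of 16 comes from the RIP specification rather than from this page.

```python
from dataclasses import dataclass
from typing import List, Tuple

RIP_INFINITY = 16  # the RIP metric that means "unreachable"


@dataclass(frozen=True)
class Route:
    network: str      # destination, e.g. "10.1.0.0/16"
    metric: int       # hop count held in the routing table
    learned_on: str   # interface the route was learned over ("" for directly connected)


# Constructed routing table for a device with Ethernet ports and one Frame Relay WAN port
ROUTES = (
    Route("192.168.9.0/27", 1, ""),             # directly connected, Ethernet 0
    Route("10.1.0.0/16", 2, "WAN 1:0"),         # learned from a RIP neighbour on WAN 1:0
    Route("10.2.0.0/16", 3, "WAN 1:0"),
    Route("172.16.0.0/16", 2, "Ethernet 3:0"),  # learned from a neighbour on Ethernet 3:0
)


def rip_update(routes, out_iface: str, split_horizon: str = "SplitHorizon") -> List[Tuple[str, int]]:
    """Entries (network, metric) placed in a RIP update sent out `out_iface`.

    The receiving neighbour adds its own hop to each metric.  If a route is echoed
    back to the neighbour it was learned from and that neighbour's own path later
    fails, it can accept the echo and both routers count up towards infinity; that
    is the loop the SplitHorizon keyword exists to prevent.
    """
    if split_horizon not in ("SplitHorizon", "PoisonReverse", "None"):
        raise ValueError(f"unknown SplitHorizon value {split_horizon!r}")
    update = []
    for r in routes:
        echoed = r.learned_on == out_iface   # route would be sent back where it came from
        if echoed and split_horizon == "SplitHorizon":
            continue                          # omit it entirely: smaller packet
        if echoed and split_horizon == "PoisonReverse":
            update.append((r.network, RIP_INFINITY))  # keep it, but mark it unreachable
        else:
            update.append((r.network, r.metric))
    return update


def update_sizes(routes, out_iface: str) -> dict:
    """Route entries carried per mode; each RIP entry costs 20 bytes on the wire."""
    return {mode: len(rip_update(routes, out_iface, mode))
            for mode in ("SplitHorizon", "PoisonReverse", "None")}
```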

ProxyARP = {On | Off}

The ProxyARP keyword is used to allow the network portion of a group of IP addresses to be shared between several physical network segments. An example would be sharing one Class C address range between two physical Ethernets.

The ARP protocol itself provides a way for devices on an IP network to create a mapping between physical (i.e., Ethernet) addresses and logical IP addresses.

Proxy ARP makes use of this mapping feature by instructing a device to answer ARP requests as a "proxy" for the IP addresses behind one of its interfaces. The device which sent the ARP request will then correctly assume that it can reach the requested IP address by sending packets to the physical address that was returned to it. This technique effectively hides the fact that a network has been (further) subnetted.

  • If ProxyARP is On, then when an ARP request is received on this interface, the address is looked up in the IP routing table (applying the normal rules of IP routing). If the forwarding interface for the route isn't the one the ARP request was received on and doesn't resolve to the IP default route, the device will answer (i.e., become a proxy for) the ARP request.

  • If ProxyARP is Off, then the device will only respond to ARP requests received for its own IP interface address.

Note: Using Proxy ARP requires an in-depth understanding of the workings of the IP protocol, along with careful manipulation of the IP subnet masks for the interfaces on a router. A more straightforward method of achieving similar results is to use bridging when using a multiprotocol router.
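The ProxyARP decision rule above (look the target up in the routing table, answer only if the forwarding interface differs from the receiving one and the match is not the default route), as an added example that is not code from the manual or the device. The routing table is constructed and shows one Class C range split across two Ethernets, the case the manual gives as the typical use.

```python
import ipaddress
from typing import Optional, Tuple

# Constructed routing table: (destination network, forwarding interface)
ROUTES = [
    ("192.168.1.0/25", "Ethernet 0"),
    ("192.168.1.128/25", "Ethernet 1"),
    ("10.0.0.0/8", "WAN 1:0"),
    ("0.0.0.0/0", "WAN 1:0"),   # the IP default route
]


def route_lookup(routes, target: str) -> Optional[Tuple[ipaddress.IPv4Network, str]]:
    """Longest-prefix match over the table, i.e. the normal rule of IP routing."""
    addr = ipaddress.IPv4Address(target)
    best = None
    for net_str, iface in routes:
        net = ipaddress.IPv4Network(net_str)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def answers_arp(routes, proxy_arp_on: bool, in_iface: str, own_ip: str, target: str) -> bool:
    """Decide whether the device answers an ARP request for `target` received on `in_iface`."""
    if target == own_ip:
        return True                     # its own interface address is always answered
    if not proxy_arp_on:
        return False                    # ProxyARP = Off: nothing else is answered
    match = route_lookup(routes, target)
    if match is None:
        return False
    net, out_iface = match
    if net.prefixlen == 0:
        return False                    # resolves only to the default route: do not proxy
    return out_iface != in_iface        # proxy only for addresses reached through another port


if __name__ == "__main__":
    # A host on Ethernet 0 asks for a host in the other half of the Class C range
    print(answers_arp(ROUTES, True, "Ethernet 0", "192.168.1.1", "192.168.1.130"))  # True
    print(answers_arp(ROUTES, True, "Ethernet 0", "192.168.1.1", "192.168.1.5"))    # False
```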

Relay = relay-address [port_number] [port_number] [...] [DHCP] [TFTP] [DNS] [NTP] [NB_NS] [NB_DG] [BOOTP]

The Relay keyword is used to add a relay agent for User Datagram Protocol (UDP) broadcast packets. Normally, the router will not forward UDP broadcast packets. However, many network applications use UDP broadcasts to configure addresses, hostnames, and other information. If hosts using these protocols are not on the same network segment as the servers providing the information, the hosts will not receive a response without enabling a relay agent on the interface.

By enabling an IP relay on an interface, the router is instructed to forward UDP broadcast packets to the relay server specified by an IP address in the string. It is common for BOOTP and DHCP clients to broadcast on their local segments looking for a server to assign them an IP address. This feature of the router allows the BOOTP and DHCP server to reside on segments which are non-local to the client.

The syntax of the string is as follows:

  • A relay-address is the IP address of the server that will receive the relayed packet. The address is entered in the standard dotted decimal notation for IP addresses. However, values can be entered in hexadecimal as well. Hexadecimal numbers should be preceded by a "0x".

  • The port_number specifies the UDP port service which will be relayed. Multiple services may be entered. Services may be entered as a number from 1 to 65535 to specify the UDP port being relayed.

  • You can also enter the protocol name: DHCP, TFTP, DNS, NTP (Network Time Protocol, port 123), NB_NS (NetBIOS Name Server, port 137), NB_DG (NetBIOS Datagram, port 138), and BOOTP. Multiple port names and numbers must be separated by white space.

By default, if no port_number or protocol name is specified, the following protocols are forwarded:

  • Domain Name Service (UNIX named), UDP port 53.

  • BOOTP Server, UDP port 67.

  • Dynamic Host Configuration (DHCP), UDP port 67.

  • Trivial File Transfer (TFTP), UDP port 69.

Up to four IP relays may be installed per interface using separate keywords. Distinct port_numbers and protocols may be specified for each relay-address. The UDP broadcast packet will be forwarded to each relay-address which exists for the service specified in the packet. To see a sample IP relay, see the "Examples" section.
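A parser for the Relay keyword string as described above, written as an added example (not code from the manual or the device): it accepts a dotted-decimal or 0x-prefixed hexadecimal relay-address, port numbers 1 to 65535, the listed protocol names, the default port set when none are given, and the four-relay limit per interface. Assumptions: a hexadecimal address is the whole 32-bit value (0xC00F0201 is 192.15.2.1) and protocol names are matched case-insensitively.

```python
import ipaddress
from typing import FrozenSet, List, Tuple

# Protocol names the Relay keyword accepts and the UDP ports they stand for
RELAY_NAMES = {
    "DNS": 53, "BOOTP": 67, "DHCP": 67, "TFTP": 69,
    "NTP": 123, "NB_NS": 137, "NB_DG": 138,
}
# Forwarded when a Relay line names no port or protocol: DNS, BOOTP/DHCP, TFTP
DEFAULT_RELAY_PORTS = frozenset({53, 67, 69})
MAX_RELAYS_PER_INTERFACE = 4


def parse_relay_address(token: str) -> str:
    """Dotted-decimal or 0x-prefixed hexadecimal relay-address, normalised to dotted decimal.

    Assumption: a hexadecimal value is the whole 32-bit address (0xC00F0201 == 192.15.2.1).
    """
    if token.lower().startswith("0x"):
        value = int(token, 16)                  # raises ValueError on non-hex digits
        if not 0 <= value <= 0xFFFFFFFF:
            raise ValueError(f"hexadecimal relay-address out of range: {token}")
        return str(ipaddress.IPv4Address(value))
    return str(ipaddress.IPv4Address(token))    # raises ValueError on malformed input


def parse_relay(value: str) -> Tuple[str, FrozenSet[int]]:
    """Parse the text after 'Relay =' into (relay-address, set of UDP ports relayed)."""
    tokens = value.split()
    if not tokens:
        raise ValueError("Relay needs a relay-address")
    address = parse_relay_address(tokens[0])
    ports = set()
    for tok in tokens[1:]:
        name = tok.upper()                      # assumption: names are case-insensitive
        if name in RELAY_NAMES:
            ports.add(RELAY_NAMES[name])
        elif tok.isdigit() and 1 <= int(tok) <= 65535:
            ports.add(int(tok))
        else:
            raise ValueError(f"not a UDP port number or protocol name: {tok!r}")
    return address, (frozenset(ports) if ports else DEFAULT_RELAY_PORTS)


def relay_targets(relay_lines: List[str], udp_dst_port: int) -> List[str]:
    """Relay-addresses this interface forwards a UDP broadcast to udp_dst_port to."""
    if len(relay_lines) > MAX_RELAYS_PER_INTERFACE:
        raise ValueError("at most four Relay keywords per interface")
    relays = [parse_relay(line) for line in relay_lines]
    return [address for address, ports in relays if udp_dst_port in ports]


if __name__ == "__main__":
    # The Relay line from the second example on this page
    print(parse_relay("192.15.2.1 DNS BOOTP DHCP TFTP"))  # ('192.15.2.1', frozenset({67, 53, 69}))
```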

OutFilters = "filter_name" ["filter_name"] ["filter_name"] ["filter_name"]

The OutFilters keyword allows a named set of IP packet filtering rules to be associated with the output side of the interface. OutFilters allows the device to accomplish packet filtering on packets that will be forwarded out this interface. Any packet not explicitly allowed by the rule set is dropped silently.

Up to four filter sets may be specified, each enclosed in double quotes and separated by white space.

If no string is specified, then no filtering takes place. This feature can be used to turn off a filter set (or sets) without deleting the keyword.

See the IP Filter section for a definition of the rules that may be included in an IP packet filter.

InFilters = "filter_name" ["filter_name"] ["filter_name"] ["filter_name"]

The InFilters keyword allows a named set of IP packet filtering rules to be associated with the input side of the interface. InFilters allows the device to accomplish packet filtering to packets that are received on this interface. Any packet not explicitly allowed by the rule set is dropped silently.

Up to four filter sets may be specified, each enclosed in double quotes and separated by white space.

If no string is specified, then no filtering takes place. This feature can be used to turn off a filter set (or sets) without deleting the keyword.

See the IP Filter section for a definition of the rules that may be included in an IP packet filter.

Numbered = {On | Off}

The Numbered keyword specifies whether the wide area network connected to this interface will have an IP address associated with it. On indicates that the WAN interface will have a numbered interface. Off indicates that the WAN interface will be unnumbered.

Many wide area network connections are simple point-to-point (PPP) links. These links do not generally require numbered WAN interfaces because there are only two devices on the link. All traffic sent from one end is, by definition, destined for the other end.

In contrast, Frame Relay networks may have a number of participating devices connected through a single physical interface. Because of this, a WAN interface set for Frame Relay must be set up in one of two ways. It can be set as a numbered interface, which requires that an IP address, subnet mask, and IP broadcast address also be set; or, it can be set as an unnumbered interface, which requires that you set the PointToPointFrame keyword to On and set the local DLCI (Data Link Connection Identifier) using the InterfaceDLCI keyword.

Note: If you are connecting the device to an Internet Service Provider using PPP, you may be required to use a numbered interface for compatibility reasons. Check with their technical support staff.

PointToPointFrame = {On | Off}

The PointToPointFrame keyword specifies whether a WAN interface is part of a point-to-point Frame Relay link. If setting up an unnumbered Frame Relay connection, this must be set to On. This is in contrast with numbered Frame Relay links, which may have a number of participating devices connected through a single physical interface.

When set to On, the device will recognize that the link is not multi-point and that a static Frame Relay DLCI will be specified for the PVC. The device will not perform any dynamic Inverse ARP for the PVC (Permanent Virtual Circuit), as it would for a numbered Frame Relay link. A static DLCI must also be set for the interface using the InterfaceDLCI keyword.

InterfaceDLCI = number

The InterfaceDLCI keyword specifies the DLCI that is the local endpoint for an unnumbered Frame Relay link. This provides a mapping between the protocol address and the physical (hardware) address on the link. This keyword must be set when a Frame Relay link is being set as an unnumbered interface. The number can be between 16 and 991, and will be provided to you by your Frame Relay carrier.

Updates = {Periodic | Triggered}

The Updates keyword specifies the way in which the device sends RIP information over its link.

  • When updates are designated as Periodic, the device will use the standard RIP protocol, which sends RIP packets over the link every 30 seconds. If periodic update packets are sent across a dial-on-demand link, this will cause a WAN interface to stay up indefinitely.

  • When updates are designated as Triggered, the device will modify the standard RIP behavior for this interface to send RIP packets only when there has been an update to its routing table information, or when it has detected a change in the accessibility of the next hop router.

VJHeaderComp = {On | Off}

The VJHeaderComp keyword specifies whether to use Van Jacobson Header Compression (VJHC) on the WAN link. VJHC is a standard method of reducing the amount of redundant IP header information which is transferred over a wide area connection. VJHC reduces the size of the IP header to as few as three bytes.

There is a trade-off between the amount of time it takes to compress the header information, and the amount of time it would take to simply send it in native form across the WAN link.

Note: A general rule of thumb for Cisco Systems devices would be to use VJHC on uncompressed links at up to 56K rates, but to turn it off at higher speeds or if other means of compression (such as the V.42 compression built into modems) are in use. A few simple FTP transfer tests over your particular WAN setup will yield a more exact answer.

DirectedBroadcast = {On | Off}

The DirectedBroadcast keyword sets whether the interface will forward network-prefix-directed broadcasts. This is a security feature which can help prevent your network from being used as an intermediary in certain kinds of attacks which use ICMP echo traffic (pings) or UDP echo packets with fake (i.e., "spoofed") source addresses to inundate a victim with erroneous traffic. The default is Off.

OSPFenabled = {On | Passive | Off}

The OSPFenabled keyword sets how the interface will function on a network utilizing OSPF (Open Shortest Path First). OSPF uses a link-state algorithm in order to build and calculate the shortest path to all known destinations. Each router in an OSPF area contains an identical link-state database, which is a list of each router's usable interfaces and reachable neighbors.

Unlike RIP updates, OSPF link-state database updates are only sent when routing changes occur, instead of periodically, and the link-state database is updated instantly rather than gradually as stale information is timed out. Also, routing decisions are based on "cost", which is an indication of the overhead required to send packets across a certain interface. The cost of an interface is calculated based on link bandwidth rather than the number of hops to the destination. The cost can also be configured to specify preferred paths.

  • If On is specified, the interface will serve as an active interface on an OSPF network. This router will establish adjacencies with other routers. Adjacent routers exchange database information with the Designated Router, which then floods the information to all other routers in their area.

  • If Passive is specified, the interface will not send out Hello packets and thus will not establish any adjacencies with other routers on that network, even if they are running OSPF. A Passive interface will, however, have its network advertised to other OSPF networks. This can be used to have a non-OSPF interface's network advertised into OSPF. A Passive interface must also be associated with an OSPF Area.

  • If Off is specified, the interface's network is not advertised to the router's other interfaces.

OSPFareaID = {Number | IP_address}

The OSPFareaID keyword sets the area to which this interface belongs. An area is a generalization of an IP subnetted network. It can be specified as a number between 0 and 0xFFFFFFFF or as an IP address in dotted-decimal notation. Area 0 is the backbone area and is the default setting.

All routers within an area have the same link-state database. An interface can only belong to one area, although different interfaces on a router can belong to different areas, making the router an Area Border Router. Area Border Routers disseminate routing information or routing changes between areas.

The other routers which are connected to this router on this interface must also be configured with the same OSPFareaID in order for the routers to communicate.

OSPFcost = Number

The OSPFcost keyword specifies the priority of one particular path over another path. An OSPF router will choose the gateway with the lowest cost to enter into its routing table. To give preference to a path, set a lower cost on that interface. The value can be a number between 1 and 65,535. The default is 10.

OSPFRtrPri = Number

The OSPFRtrPri keyword sets the router priority and is only used on multi-access networks such as LANs. This establishes whether the router is eligible to become the Designated Router for the LAN. The Designated Router is the single router within an area which broadcasts the Link State Advertisement for the area. A priority of 0 means that the router is not eligible. The router with the highest priority becomes the Designated Router. However, if a router with a lower priority is already the Designated Router and a new router with a higher priority comes on-line, the Designated Router will not change.

The value can be a number between 0 and 255. The default priority is 1; if all routers have the same priority, they will negotiate with each other for the Designated Router election. At least one router on a LAN must have a priority greater than 0 in order for OSPF to work, since there must be a Designated Router.

AuthKey = "String"

The AuthKey keyword sets the OSPF packet authentication key. In order to use authentication, the OSPFAuthType for this interface's area should be set to Simple in the OSPF Area section. The authentication key must match for each router connected to the interface and belonging to the area.

The string may be between 1 and 8 alphanumeric characters. If the string contains spaces or other special characters, it must be enclosed in quotes.

HelloInterval = Number

The HelloInterval keyword sets the interval, in seconds, that the router sends out OSPF keepalive packets which let other routers know the router is up. The value must be greater than one. The default settings of 10 seconds for a LAN and 30 seconds for a point-to-point connection are recommended for most applications.

RtrDeadInterval = Number

The RtrDeadInterval keyword sets the length of time, in seconds, that OSPF neighbors will wait without receiving an OSPF keepalive packet from a neighbor before assuming the router is down. The value must be at least twice the HelloInterval. The default is 40 seconds on a LAN and 120 seconds for a point-to-point connection.

Note: The HelloInterval and RtrDeadInterval for each connected router must match or the routers will not be able to communicate. If you change the defaults on one router, you must change them on all attached routers within an area.

Transdelay = Number

The Transdelay keyword sets the amount of time added to the age of OSPF Link State Update packets before transmission. It is the estimated number of seconds to transmit a packet over the interface. The value can be between 1 and 65,535 seconds. The default is 1.

RetransInterval = Number

The RetransInterval keyword sets the interval, in seconds, between retransmission of Link State Update packets. The value can be between 2 and 65,535 seconds. The default is 5.
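A consistency checker for one IP section, as an added example that is not code from the manual or the device. It parses the "[ IP ... ]" block format used in the Examples below and applies the constraints stated for the Numbered, PointToPointFrame and InterfaceDLCI keywords and for the OSPF keywords (value ranges, RtrDeadInterval at least twice HelloInterval, AuthKey length). The GOOD block is this page's unnumbered Frame Relay example; the BAD block is constructed to trip the checks.

```python
from typing import Dict, List

# Inclusive (lower, upper) bounds taken from the keyword descriptions on this page
RANGES = {
    "interfacedlci": (16, 991),
    "hellointerval": (2, 65535),      # "must be greater than one"
    "ospfrtrpri": (0, 255),
    "ospfcost": (1, 65535),
    "transdelay": (1, 65535),
    "retransinterval": (2, 65535),
}


def parse_section(text: str) -> Dict[str, str]:
    """Turn a '[ IP ... ]' block of 'Keyword = value' lines into a dict keyed in lowercase."""
    section = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("["):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"not a 'Keyword = value' line: {line!r}")
        section[key.strip().lower()] = value.strip().strip('"')
    return section


def check_ip_section(text: str) -> List[str]:
    """Return the constraint violations found in one IP section (empty list = consistent)."""
    s = parse_section(text)
    problems = []

    for key, (lo, hi) in RANGES.items():
        if key in s and not lo <= int(s[key]) <= hi:
            problems.append(f"{key}: must be between {lo} and {hi}, got {s[key]}")

    # Unnumbered Frame Relay: PointToPointFrame = On and a static local DLCI are mandatory
    numbered = s.get("numbered", "").lower()
    if numbered == "off":
        if s.get("pointtopointframe", "").lower() != "on":
            problems.append("numbered: Off requires PointToPointFrame = On")
        if "interfacedlci" not in s:
            problems.append("numbered: Off requires InterfaceDLCI")
    elif numbered == "on":
        for key in ("ipaddress", "subnetmask", "ipbroadcast"):
            if key not in s:
                problems.append(f"numbered: On requires {key}")

    # OSPF timers: the dead interval must be at least twice the hello interval
    if "hellointerval" in s and "rtrdeadinterval" in s:
        hello, dead = int(s["hellointerval"]), int(s["rtrdeadinterval"])
        if dead < 2 * hello:
            problems.append(f"rtrdeadinterval: {dead} is less than twice HelloInterval {hello}")

    if "authkey" in s and not 1 <= len(s["authkey"]) <= 8:
        problems.append("authkey: must be 1 to 8 characters")
    return problems


# The unnumbered Frame Relay example from this page, which should pass every check
GOOD = """
[ IP Wan 1:0 ]
Mode                     = Routed
Numbered                 = Off
PointToPointFrame        = On
InterfaceDLCI            = 500
"""

# Constructed section with several mistakes the checks should catch
BAD = """
[ IP Wan 2:0 ]
Mode                     = Routed
Numbered                 = Off
InterfaceDLCI            = 1000
OSPFenabled              = On
HelloInterval            = 10
RtrDeadInterval          = 15
AuthKey                  = "muchtoolongkey"
"""
```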

Examples

This example shows an IP configuration for Ethernet interface 0 on a 4000S.

[ IP Ethernet 0 ]
Mode            = Routed
IPAddress       = 192.168.9.1
SubnetMask      = 255.255.255.224
IPBroadcast     = 192.168.9.31
RIPVersion      = V1

This example shows an IP configuration for Ethernet interface 3 on a 4000S. The configuration specifies an input filter set, RIP to output only, and an IP relay to 192.15.2.1 for DNS, BOOTP, DHCP and TFTP requests.

[ IP Ethernet 3:0 ]
Mode         = Routed
IPAddress    = 192.15.1.1
SubnetMask   = 255.255.255.0
RIPVersion   = V1
RIPOut       = ON
RIPIn        = OFF
InFilters    = "no-ftp" "permit-all"
Relay        = 192.15.2.1 DNS BOOTP DHCP TFTP

This example shows an IP configuration for an Ethernet interface running OSPF.

[ IP Ethernet 0:0 ]
Mode            = Routed
IPAddress       = 198.41.9.1
SubnetMask      = 255.255.255.224
IPBroadcast     = 198.41.9.31
OSPFenabled     = On
OSPFareaID      = 0
OSPFcost        = 10
OSPFRtrPri      = 1
AuthKey         = "Franny"
HelloInterval   = 10
RtrDeadInterval = 40

This example shows a WAN interface set as an unnumbered Frame Relay interface. The link configuration is included.

[ IP Wan 1:0 ]
Mode                     = Routed
Numbered                 = Off
PointToPointFrame        = On
InterfaceDLCI            = 500

[ Link Config Wan 1:0 ]
ConnectMode              = Dedicated
Mode                     = FrameRelay

Related Commands

Command                    Description
configure Bridging         Configures bridging parameters for an interface
configure Bridging Global  Enables bridging for the device
configure Frame Relay      Configures Frame Relay interface parameters
configure General          Sets general parameters for the device
configure NAT Global       Configures NAT parameters
configure OSPF Area        Configures OSPF area parameters
edit config IP Filter      Creates IP packet filters
edit config IP Static      Creates static routes
edit config NAT Mapping    Creates NAT mappings
show IP                    Shows IP configuration and statistics


Posted: Wed Sep 27 10:38:23 PDT 2000
Copyright © 1989-2000 Cisco Systems Inc.