Swconfig Routing Vol1
Swconfig Routing Vol1
Swconfig Routing Vol1
1
Release 5.1.x
Juniper Networks, Inc. 1194 North Mathilda Avenue Sunnyvale, CA 94089 USA 408-745-2000 www.juniper.net
Part No. 162-00734-00 Rev. A00
Juniper Networks is registered in the U.S. Patent and Trademark Office and in other countries as a trademark of Juniper Networks, Inc. Broadband Cable Processor, ERX, ESP, E-series, G1, G10, G-series, Internet Processor, J-Protect, Juniper Your Net, JUNOS, JUNOScript, JUNOSe, M5, M10, M20, M40, M40e, M160, M-series, NMC-RX, SDX, ServiceGuard, T320, T640, T-series, UMC, and Unison are trademarks of Juniper Networks, Inc. All other trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners. All specifications are subject to change without notice. Products made or sold by Juniper Networks (including the G1 and G10 CMTSs, ERX-310, ERX-705, ERX-710, ERX-1410, ERX-1440, M5, M10, M20, M40, M40e, M160, and T320 routers, T640 routing node, and the JUNOS, SDX-300, and ServiceGuard software) or components thereof might be covered by one or more of the following patents that are owned by or licensed to Juniper Networks: U.S. Patent Nos. 5,473,599, 5,905,725, 5,909,440, 6,333,650, 6,359,479, and 6,406,312. E-Series Routers Routing Protocols Configuration Guide, Vol. 1, Release 5.1.x Copyright 2003, Juniper Networks, Inc. All rights reserved. Printed in USA. Writers: Mark Barnard, Bruce Gillham, Justine Kangas, Helen Shaw, Brian Wesley Simmons, Michael Taillon, Nathaniel Woodward Editor: Fran Mues Revision History August 2003 The information in this document is current as of the date listed in the revision history above. Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.
a. If you and Juniper Networks, Inc., have executed another license agreement for the Program which is now in effect, then such agreement (Negotiated Agreement) shall supersede this Software License Agreement and shall exclusively govern the use and license terms of the Program.
must return the Software, including any User Documentation, and all copies or portions thereof to Juniper Networks. Termination of this License Agreement shall not prejudice Juniper Networks' rights to damages or other available remedy. 5. Limited Software Warranty: Juniper Networks warrants, for your benefit alone, that for a period of ninety (90) days from the date of shipment from Juniper Networks that the Software substantially conforms to its published specifications. The limited warranty extends only to you as the original licensee. Your exclusive remedy and the entire liability of Juniper Networks and its suppliers under this limited warranty will be, at Juniper Networks' option, repair or replacement of the Software, or refund of the amounts paid by you under this License Agreement. You agree that this is your sole and exclusive remedy for breach by Juniper Networks, its suppliers or its licensors of any warranties made under this License Agreement. In no event does Juniper Networks warrant that the Software is error free or that you will be able to operate the Software without problems or interruptions. Juniper Networks does not warrant: 1) that the functions contained in the software will meet your requirements; 2) that the Software will operate in the hardware or software combination that you may select; 3) that the operation of the Software will be uninterrupted or error free; or 4) that all defects in the operation of the Software will be corrected. This warranty does not apply if the product: 1) has been altered, except by Juniper Networks; 2) has not been installed, operated, repaired, or maintained in accordance with instruction supplied by Juniper Networks; or 3) has been subjected to or damaged by improper environment, abuse, misuse, accident, or negligence. EXCEPT FOR THE WARRANTIES SET FORTH ABOVE, THE SOFTWARE IS LICENSED AS IS, AND JUNIPER NETWORKS DISCLAIMS ANY AND ALL OTHER REPRESENTATIONS, CONDITIONS, AND WARRANTIES, WHETHER EXPRESS, IMPLIED, OR STATUTORY, INCLUDING, WITHOUT LIMITATION, ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE OR ANY WARRANTIES FOR NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE. ANY AND ALL SUCH WARRANTIES ARE HEREBY EXCLUDED TO THE EXTENT ALLOWED BY APPLICABLE LAW. JUNIPER NETWORKS' SUPPLIERS AND LICENSORS DO NOT MAKE OR PASS ON TO YOU OR ANY THIRD PARTY ANY EXPRESS, IMPLIED, OR STATUTORY WARRANTY OR REPRESENTATION, INCLUDING, BUT NOT LIMITED TO, IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE OR ANY WARRANTIES FOR NONINFRINGEMENT. 6. Proprietary Rights Indemnification. Juniper Networks shall at its expense defend you against and, subject to the limitations set forth elsewhere herein, pay all costs and damages made in settlement or awarded against you resulting from a claim that the Program as supplied by Juniper Networks infringes a United States copyright or a United States patent, or misappropriates a United States trade secret, provided that you: (a) provide prompt written notice of any such claim, (b) allow Juniper Networks to direct the defense and settlement of the claim, and (c) provide Juniper Networks with the authority, information, and assistance that Juniper Networks reasonably deems necessary for the defense and settlement of the claim. You shall not consent to any judgment or decree or do any other act in compromise of any such claim without first obtaining Juniper Networks written consent. In any action based on such a claim, Juniper Networks may, at its sole option, either: (1) obtain for you the right to continue using the Program, (2) replace or modify the Program to avoid the claim, or (3) if neither (1) nor (2) can reasonably be effected by Juniper Networks, terminate the license granted hereunder and give you a pro rata refund of the license fee paid for such Program, calculated on the basis of straight-line depreciation over a five-year useful life. Notwithstanding the preceding sentence, Juniper Networks will have no liability for any infringement or misappropriation claim of any kind if such claim is based on: (i) the use of other than the current unaltered release of the Program and Juniper Networks has provided or offers to provide such release to you for its then current license fee, or (ii) use or combination of the Program with programs or data not supplied or approved by Juniper Networks if such use or combination caused the claim. 7. Limitation of Liability. IN NO EVENT WILL JUNIPER NETWORKS OR ITS SUPPLIERS OR LICENSORS BE LIABLE FOR ANY COST FOR SUBSTITUTE PROCUREMENT; SPECIAL, INDIRECT, INCIDENTAL, PUNITIVE, EXEMPLARY, OR CONSEQUENTIAL DAMAGES; OR ANY DAMAGES RESULTING FROM INACCURATE OR LOST DATA OR LOSS OF USE OR PROFITS ARISING OUT OF OR IN CONNECTION WITH THE PERFORMANCE OF THE SOFTWARE, EVEN IF JUNIPER NETWORKS HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. Juniper Networks' cumulative liability to you or any other party for any loss or damages resulting from any claims, demands, or actions arising out of or relating to this License Agreement shall not exceed the total fees paid to Juniper Networks for the Software. 8. Export Control. Software, including technical data, is subject to U.S. export control laws, including the U.S. Export Administration Act and its associated regulations, and may be subject to
export or import regulations in other countries. You agree to comply strictly with all such regulations and acknowledge that you have the responsibility to obtain licenses to export, re-export, or import Software. 9. Government Licensees: If any Software or associated documentation is acquired by or on behalf of a unit or agency of the United States government, the government agrees that such Software or documentation is a commercial item as that term is defined in 48 C.F.R. 2.101, consisting of commercial computer software or commercial computer software documentation as such terms are used in 48 C.F.R. 12.212 of the Federal Acquisition Regulations and its successors and 48 C.F.R. 227.7202-1 through 227.7202-4 of the DoD FAR Supplement and its successors. The use, duplication, or disclosure by the United States government of technical, data, computer software and documentation is subject to the restrictions set forth in FAR section 12.212(a), FAR section 52.227-14(g)(2), FAR section 52.227-19, DFARS section 252.227-7015(b), DFARS section 227.7202-1(a), and DFARS section 227.7202-3(a), as applicable. All United States government end users acquire the Software with only the rights set forth in this License Agreement. 10. General: This License shall be governed by and construed in accordance with the laws of the Commonwealth of Massachusetts, United States of America, as if performed wholly within the state and without giving effect to the principles of conflict of law. Any dispute arising out of this Agreement shall be referred to an arbitration proceeding in Boston, Massachusetts, in accordance with the commercial arbitration rules of the American Arbitration Association (the AAA). If the parties cannot agree upon an arbitrator, arbitration shall be conducted by a neutral arbitrator selected by the AAA who is knowledgeable in electronics equipment manufacturing and software licensing. The parties shall share the procedural costs of arbitration equally, and each party shall pay its own attorneys' fees and other costs and expenses associated with the arbitration, unless the arbitrator decides otherwise. The arbitrator's award shall be in writing and shall include a statement of reasons, but the arbitrator shall not be permitted to award punitive or indirect damages. The arbitrator's decision and award shall be final and binding and may be entered in any court having jurisdiction. The terms of this section shall not prevent any party from seeking injunctive relief in any court of competent jurisdiction in order to protect its proprietary and confidential information. If any term or provision hereof is found to be void or unenforceable by a court of competent jurisdiction, the remaining provisions of this License Agreement shall remain in full force and effect. This License Agreement constitutes the entire agreement between the parties with respect to the use of the Software and User Documentation and supersedes any and all prior oral or written agreements, discussions, negotiations, commitments, or understandings. No amendment, modification, or waiver of any provision of this License Agreement will be valid unless in writing and signed by the authorized representative of the party against which such amendment, modification, or waiver is sought to be enforced. The waiver by either party of any default or breach of this License Agreement shall not constitute a waiver of any other or subsequent default or breach. This License Agreement shall be binding upon the parties and their respective successors and permitted assigns. Should you have any questions about this agreement, please contact: Juniper Networks, Inc. 1194 North Mathilda Avenue Sunnyvale, CA 94089 Attn: Contracts Administrator
Contents
About This Guide E-Series Routers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xix Audience . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xx Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xx Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxi MIBS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxiii Release Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxiii Abbreviations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxiii Web Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxiii Comments About the Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxiii Contacting Customer Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxiv
viii Contents
Prefix Trees . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-30 Using a Prefix Tree . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-30 Community Lists . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-31 Extended Community Lists . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-35 Using Regular Expressions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-37 AS-path Lists . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-37 Community Lists . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-38 Community Numbers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-38 Metacharacters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-38 Using Metacharacters as Literal Tokens . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-39 Regular Expression Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-40 Managing the Routing Table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-43 Troubleshooting Routing Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-43 Monitoring Routing Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-43
ix E-Series Routers
Broadcast Addressing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-19 Broadcast Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-20 Fragmentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-20 IP Routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-21 Routing Information Tables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-21 Setting the Administrative Distance for a Route . . . . . . . . . . . . . . . . . . . . . . . 2-23 Setting the Metric for a Route . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-25 Routing Operations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-25 Identifying a Router Within an Autonomous System . . . . . . . . . . . . . . . . . . . 2-25 Establishing a Static Route . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-25 Setting Up Default Routes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-26 Setting Up an Unnumbered Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-26 Adding a Host Route to a Peer on a PPP Interface . . . . . . . . . . . . . . . . . . . . 2-26 Enabling Source Address Validation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-27 Shutting Down an IP Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-27 Removing the IP Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-27 Clearing IP Routes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-27 Clearing IP Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-28 Setting a Baseline . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-28 Disabling Forwarding of Packets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-29 Enabling Forwarding of Source-Routed Packets . . . . . . . . . . . . . . . . . . . . . . 2-29 Forcing an Interface to Appear Up . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-30 Specifying a Debounce Time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-30 Adding a Description . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-30 Enabling Link Status Traps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-31 Configuring the Speed . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-31 Configuring Equal-Cost Multipath Load Sharing . . . . . . . . . . . . . . . . . . . . . 2-31 Setting a TTL Value . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-33 Shared IP Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-33 Configuring Prefixes for Dynamic Shared IP Interfaces . . . . . . . . . . . . . . . . 2-34 Configuring Shared IP Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-34 Moving IP Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-37 IP Shared Interface Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-37 Subscriber Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-37 Internet Control Message Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-38 ICMP Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-38 Specifying a Source Address for ICMP Messages . . . . . . . . . . . . . . . . . . . . . . 2-39 Reachability Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-40 Response Time Reporter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-42 Configuration Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-43 Configuring the Probe Type . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-43 Configuring Optional Characteristics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-44 Capturing Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-46 Collecting History . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-46 Setting Reaction Conditions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-47 Scheduling the Probe . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-48 Shutting Down the Probe . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-49 Monitoring RTR . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-50
x Contents
Monitoring IP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-55 Establishing a Baseline . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-55 IP show Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-56 Chapter 3 Configuring IPv6 and Neighbor Discovery Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-2 References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-3 IPv6 Packet Headers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-3 IPv4 and IPv6 Header Differences . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-3 Standard IPv6 Headers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-4 Extension Headers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-5 IPv6 Addressing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-5 Address Representation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-5 IPv6 Address Compression . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-6 IPv6 Address Prefix . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-6 Address Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-6 Address Scope . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-7 Address Structure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-8 ICMP Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-8 Understanding Neighbor Discovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-9 Before You Configure IPv6 or Neighbor Discovery . . . . . . . . . . . . . . . . . . . . . . . 3-10 IPv6 Configuration Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-11 Configuring an IPv6 License . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-11 Creating an IPv6 Profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-11 Assigning a Profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-13 Establishing a Static Route . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-13 Specifying an IPv6 Hop Count Limit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-13 Managing IPv6 Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-14 Adding a Description . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-16 Removing an IPv6 Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-16 Clearing IPv6 Routes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-17 Creating Static IPv6 Neighbors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-17 Neighbor Discovery Configuration Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-17 Configuring Neighbor Discovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-17 Configuring Proxy Neighbor Advertisements . . . . . . . . . . . . . . . . . . . . . . . . . 3-19 Configuring Duplicate Address Detection Attempts . . . . . . . . . . . . . . . . . . . . 3-19 Clearing IPv6 Neighbors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-20 Monitoring IPv6 and Neighbor Discovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-20 Establishing a Baseline . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-20 IPv6 show Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-21 Chapter 4 Configuring NAT Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-2 NAT Configurations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-2 Traditional NAT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-2 Basic NAT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-3 NAPT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-3
xi E-Series Routers
Bidirectional NAT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-3 Twice NAT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-4 Network and Address Terms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-4 Inside Local Addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-5 Inside Global Addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-5 Outside Local Addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-5 Outside Global Addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-5 Understanding Address Translation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-5 Inside Source Translation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-5 Outside Source Translation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-6 Address Assignment Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-6 Static Translations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-6 Dynamic Translations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-6 Order of Operations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-7 References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-7 Before You Begin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-8 Limiting Translation Entries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-8 Specifying Inside and Outside Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-8 Defining Static Address Translations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-9 Creating Inside Source Translations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-9 Creating Outside Source Translations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-10 Defining Dynamic Translations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-10 Creating Access List Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-10 Defining Address Pools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-11 Defining Translation Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-12 Creating Dynamic Inside Source Translations . . . . . . . . . . . . . . . . . . . . . 4-13 Creating Dynamic Outside Source Translations . . . . . . . . . . . . . . . . . . . 4-14 Defining Translation Time-Outs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-14 Clearing Dynamic Translations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-15 Configuration Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-15 NAPT Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-15 Bidirectional NAT Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-17 Twice NAT Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-19 Cross-VRF Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-21 Monitoring NAT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-23 Displaying Translation Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-23 Displaying Translation Entries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-24
xii Contents
Multicast Packet Forwarding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-6 Disabling RPF Checks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-7 Using Unicast Routes for RPF . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-8 Monitoring IP Multicast Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-8 Support for Multicast Router Information . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-14 IGMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-15 IGMP Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-15 Group Membership Queries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-15 Group Membership Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-16 Leave Group Membership Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-16 Configuring Static and Dynamic IGMP Interfaces . . . . . . . . . . . . . . . . . . . . 5-17 Enabling IGMP on an Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-18 Configuring IGMP Settings for an Interface . . . . . . . . . . . . . . . . . . . . . . . . . 5-19 Assigning a Multicast Group to an Interface . . . . . . . . . . . . . . . . . . . . . . . . . 5-21 Specifying Multicast Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-22 Limiting the Number of Accepted IGMP Groups . . . . . . . . . . . . . . . . . . . . . 5-22 Including and Excluding Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-23 Accepting IGMP Reports from Remote Subnets . . . . . . . . . . . . . . . . . . . . . . 5-24 Disabling and Removing IGMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-25 Monitoring IGMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-25 IGMP Proxy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-29 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-29 Configuring IGMP Proxy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-30 Setting the IGMP Proxy Baseline . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-32 Monitoring IGMP Proxy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-32 PIM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-34 PIM DM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-35 Overriding Prunes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-36 Preventing Duplication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-37 PIM SM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-37 Joining Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-39 Remote Neighbors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-39 Timers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-41 PIM S-DM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-42 PIM SSM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-42 Enabling and Disabling PIM on a VR . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-42 Enabling PIM on an Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-43 Configuring an RP Router for PIM SM and PIM S-DM . . . . . . . . . . . . . . . 5-44 Configuring a Static RP Router . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-44 Configuring an Auto-RP Router for PIM SM . . . . . . . . . . . . . . . . . . . . . 5-44 Configuring an Auto-RP Router for PIM S-DM . . . . . . . . . . . . . . . . . . . 5-45 Switching to an SPT for PIM SM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-46 Configuring PIM SM Remote Neighbors . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-47 Configuration Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-48 Configuring PIM SSM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-49 Removing PIM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-49 Resetting PIM Counters and Mappings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-50 Monitoring PIM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-51 Monitoring PIM Events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-51 Monitoring PIM Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-51
DVMRP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-59 Identifying Neighbors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-59 Advertising Routes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-60 Enabling DVMRP on a VR . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-61 Activating DVMRP on an Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-61 Configuring DVMRP Limits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-62 Filtering DVMRP Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-62 Configuring DVMRP Summary Addresses . . . . . . . . . . . . . . . . . . . . . . . . . . 5-63 Changing the Metric for a Route . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-64 Importing Routes from Other Protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-65 Specifying Routes to Be Advertised . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-66 Preventing Dynamic Route Distribution . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-66 Exchanging DVMRP Unicast Routes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-66 Disabling and Removing DVMRP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-67 Deleting DVMRP Routes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-68 Configuring DVMRP Tunnels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-68 Monitoring DVMRP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-69 BGP Multicasting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-74 Investigating Multicast Routes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-74 Chapter 6 Configuring IP Tunnels Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-2 GRE Tunnels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-2 DVMRP Tunnels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-2 Line Module Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-2 Managing TSMs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-3 References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-3 Configuration Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-3 Configuration Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-5 Configuring IP Tunnels to Forward IP Frames . . . . . . . . . . . . . . . . . . . . . . . . 6-6 Preventing Recursive Tunnels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-7 Monitoring IP Tunnels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-8 Chapter 7 IP Reassembly for Tunnels Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-1 Reassembly Processing Within the System . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-2 Configuring IP Reassembly . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-2 Monitoring IP Reassembly . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-3 Chapter 8 Configuring RIP Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-1 RIP Metric . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-2 RIP Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-2 References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-2 Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-3 Route Tags . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-3 Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-3
xiv Contents
Subnet Masks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-4 Next Hop . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-4 Multicasting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-5 Route Summaries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-5 Split Horizon . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-6 Equal-Cost Multipath . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-6 Applying Route Maps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-6 Before You Run RIP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-6 Configuration Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-7 Relationship Between address and network Commands . . . . . . . . . . . . . . . . . 8-9 Using RIP Routes for Multicast RPF Checks . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-18 Remote Neighbors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-19 Monitoring RIP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-22 debug Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-22 show Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-23 Chapter 9 Configuring OSPF Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-2 Terms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-2 References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-4 Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-5 Intra-area, Interarea, and External Routes . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-5 Routing Priority . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-5 Virtual Links . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-6 Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-6 Opaque LSAs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-6 Route Leakage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-6 Equal-Cost Multipath . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-7 OSPF MIB . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-7 Interacting with Other Routing Protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-7 With IS-IS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-7 With RIP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-7 With BGP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-7 Configuration Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-8 Configuring OSPF Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-8 Enabling OSPF . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-9 Creating a Range of OSPF Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-9 Creating a Single OSPF Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-11 Aggregating OSPF Networks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-12 Configuring OSPF Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-13 address Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-13 ip ospf Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-16 Comparison Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-18 Precedence of Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-18 Configuring OSPF Areas . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-19 Configuring Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-22 Authentication Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-23 Configuring Additional Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-27 Default Metrics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-33
xv E-Series Routers
Configuring OSPF for NBMA Networks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-34 Traffic Engineering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-35 Configuring OSPF for TE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-35 Using OSPF Routes for Multicast RPF Checks . . . . . . . . . . . . . . . . . . . . . . . . . . 9-37 OSPF and BGP/MPLS VPNs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-37 Remote Neighbors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-37 Disabling and Reenabling Incremental SPF . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-40 Configuring OSPF Traps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-41 Monitoring OSPF . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-42 debug Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-42 show Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-43 Chapter 10 Configuring IS-IS Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-1 Terms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-2 ISO Network Layer Addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-4 Level 1 Routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-4 Level 2 Routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-5 Dynamic Hostname Resolution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-5 Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-5 Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-6 Specifying Start and Stop Timing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-7 Halting MD5 Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-8 Managing and Replacing Keys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-8 Extensions for Traffic Engineering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-8 Integrated IS-IS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-9 Equal-Cost Multipath . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-9 References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-10 Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-11 Before You Run IS-IS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-11 Configuration Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-11 Enabling IS-IS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-12 Summary Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-14 Configuring IS-IS Interface-Specific Parameters . . . . . . . . . . . . . . . . . . . . . . . . 10-14 Summary Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-19 Configuring Global IS-IS Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-20 Setting Authentication Passwords . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-20 Configuring Redistribution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-21 Redistributing Routes Between Levels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-23 Controlling Granularity of Routing Information . . . . . . . . . . . . . . . . . . . . . 10-24 Configuring Metric Type . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-25 Setting the Administrative Distance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-26 Configuring Default Routes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-26 Setting Router Type . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-27 Summarizing Routes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-27 Configuring the Router to Be Ignored . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-28 Ignoring LSP Errors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-29 Logging Adjacency State Changes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-29 Configuring LSP Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-30
xvi Contents
Specifying the SPF Interval . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Defining the SPF Route Calculation Level . . . . . . . . . . . . . . . . . . . . . . . . . . Setting CLNS Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Setting the Maximum Parallel Routes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Configuring a Virtual Multiaccess Network . . . . . . . . . . . . . . . . . . . . . . . . . Summary Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Configuring IS-IS for MPLS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Using IS-IS Routes for Multicast RPF Checks . . . . . . . . . . . . . . . . . . . . . . . . . . Monitoring IS-IS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Monitoring IS-IS Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Displaying CLNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Chapter 11 Configuring VRRP
10-31 10-32 10-33 10-34 10-34 10-34 10-35 10-36 10-37 10-37 10-47
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-1 Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-2 References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-2 How VRRP Works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-3 Configuration Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-3 Basic VRRP Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-3 Commonly Used VRRP Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . 11-4 VRRP Configuration Without the Real Address Owner . . . . . . . . . . . . . 11-6 How VRRP Is Implemented in the E-Series Router . . . . . . . . . . . . . . . . . . . . . . . 11-7 Router Election Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-7 Configuring VRRP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-8 Configuring the IP Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-8 Creating VRIDs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-9 Configuration Steps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-9 Monitoring VRRP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-12
Other Security Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . IP Security Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ESP Processing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . AH Processing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . IPSec Maximums Supported . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . IKE Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Main Mode and Aggressive Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Aggressive Mode Negotiations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . IKE Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Priority . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Hash Function . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Authentication Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Diffie-Hellman Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Lifetime . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . IKE SA Negotiation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Configuration Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Configuring an IPSec License . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Configuring IPSec Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Creating an IPSec Tunnel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Defining an ISAKMP/IKE Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Refreshing SAs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Configuration Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Configuration Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Example 1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Example 2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Monitoring IPSec . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . System Event Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . show Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Chapter 13 Configuring Digital Certificates
12-14 12-14 12-15 12-15 12-15 12-15 12-16 12-17 12-17 12-18 12-18 12-18 12-19 12-19 12-19 12-20 12-20 12-20 12-21 12-24 12-28 12-31 12-31 12-31 12-31 12-36 12-42 12-42 12-42
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-1 Terms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-2 References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-2 IKE Authentication Using Digital Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . 13-3 Signature Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-3 Generating Private/Public Key Pairs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-4 Obtaining a Public Key Certificate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-5 Obtaining a Root CA Certificate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-5 Authenticating the Peer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-5 Checking CRLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-6 File Extensions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-7 Configuration Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-7 Monitoring Digital Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-12 Chapter 14 Configuring L2TP with IPSec Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-1 References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-2
xviii Contents
How Secure Remote Access Works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-2 Setting Up the Secure Connection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-3 L2TP with IPSec Control and Data Frames . . . . . . . . . . . . . . . . . . . . . . . . . 14-4 Compatibility and Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-4 End-to-End Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-4 Client Software Supported . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-5 Interactions with NAT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-5 Tunnel Creation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-5 Interaction Between IPSec and PPP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-5 Number of L2TP/IPSec Connections . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-6 LNS Change of Address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-6 LNS Change of Port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-6 Group Preshared Key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-6 Configuration Tasks for Client PC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-7 Configuration Tasks for E-Series Routers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-7 Configuring L2TP Destination Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-7 Configuring IPSec Transport Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-8 Monitoring L2TP over IPSec . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-13 System Event Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-13 show Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-13 Index
This E-Series Routing Protocols Configuration Guide, Vol. 1 provides the information you need to configure certain routing protocols (primarily IP and IPv6 protocols) on your E-series router.
Note: If the information in the latest E-Series Release Notes differs from the information in this guide, follow the E-Series Release Notes.
The E-series router is shipped with the latest system software installed. If you need to install a future release or reinstall the system software, refer to the procedures in the E-Series Installation and User Guide, Appendix B, Installing JUNOSe Software.
E-Series Routers
Five models of E-series routers are available: ERX-1440 router ERX-1410 router ERX-710 router ERX-705 router ERX-310 router All models use the same software. For information about the differences between the models, see E-Series Installation and User Guide, Chapter 1, E-Series Overview. In the E-series documentation, the term ERX-14xx models refers to both the ERX-1440 router and the ERX-1410 router. Similarly, the term ERX-7xx models refers to both the ERX-710 router and the ERX-705
router. The terms ERX-1440 router, ERX-1410 router, ERX-710 router, ERX-705 router, and ERX-310 router refer to the specific models.
Audience
This guide is intended for experienced system and network specialists working with E-series routers in an Internet access environment.
Conventions
Table 1 defines notice icons used in this guide, and Table 2 defines text conventions used throughout the book, except for command syntax. Table 3 provides command syntax conventions used primarily in the E-Series Command Reference Guide. For more information about command syntax, see E-Series System Basics Configuration Guide, Chapter 2, Command Line Interface.
Table 1 Notice icons Icon Meaning Informational note Caution Description Indicates important features or instructions. Indicates that you may risk losing data or damaging your hardware.
Warning
Table 2 Text conventions (except for command syntax) Convention Bold typeface Description Represents commands and keywords in text. Examples Bold Courier typeface Key name in angle brackets Key names linked with a plus sign (+) in angle brackets. Represents text that the user must type. Indicates the name of a key on the keyboard. Indicates that you must press two or more keys simultaneously. Command example: Issue the clock source command. Keyword example: Specify the keyword exp-msg.
xxi
Table 2 Text conventions (except for command syntax) (continued) Convention Plain Courier typeface Description Represents information as displayed on your terminals screen. Examples host1#show ip ospf 2 Routing Process OSPF 2 with Router ID 5.5.0.250 Router is an Area Border Router (ABR) Italics Emphasize words. Identify variables. Identify chapter, appendix, and book names. There are two levels of access, user and privileged. clusterId, ipAddress. Appendix A, System Specifications.
Table 3 Syntax conventions in Command Reference Guide Convention Words in plain text Words in italics Words separated by the | symbol Description Represent keywords. Represent variables. Represent a choice to select one keyword or variable to the left or right of this symbol. (The keyword or variable may be either optional or required.) Represent optional keywords or variables. Represent optional keywords or variables that can be entered more than once. Represent required keywords or variables. Examples terminal length mask, accessListName diagnostic | line
Documentation
The E-Series Installation Quick Start poster is shipped in the box with all new routers. This poster provides the basic procedures to help you get the router up and running quickly. With each software release, we provide the E-Series Routers Documentation CD (formerly ERX Edge Routers Documentation CD). The documentation CD contains the document set in PDF format and HTML format (with and without frames). From the HTML files, you can also access PDF files of individual chapters and appendixes. The documentation is also available on the Web. You can order a set of printed documents from your Juniper Networks sales representative.
The document set comprises the following books: E-Series Installation and User Guide Provides the necessary procedures for getting the router operational, including information on installing, cabling, powering up, configuring the router for management access, and general troubleshooting. Describes SRP modules, line modules, and I/O modules available for the E-series routers, and provides information about the compatibility of line modules and I/O modules with software releases. Lists the layer 2 protocols, layer 3 protocols, and applications that line modules and their corresponding I/O modules support. E-Series System Basics Configuration Guide Describes planning and configuring your network, managing the router, configuring passwords and security, configuring the router clock, and configuring virtual routers. Includes a list of references that provide information on the protocols and features supported by the router. E-Series Physical Layer Configuration Guide Describes configuring physical layer interfaces. E-Series Link Layer Configuration Guide Describes configuring link layer interfaces. E-Series Routing Protocols Configuration Guide, Vol. 1 Provides information about configuring routing policy and configuring IP, IP routing, and IP security. E-Series Routing Protocols Configuration Guide, Vol. 2 Describes BGP routing, MPLS, BGP-MPLS VPNs, and encapsulation of layer 2 services. E-Series Policy and QoS Configuration Guide Provides information about configuring policy management and quality of service (QoS). E-Series Broadband Access Configuration Guide Provides information about configuring remote access. E-Series Command Reference Guide A to M; E-Series Command Reference Guide N to Z Together comprise the E-Series Command Reference Guide. Contain important information about commands implemented in the system software. Use to look up command descriptions, command syntax, a commands related mode, or a description of a commands parameters. Use with the E-series configuration guides. E-Series Product Overview Guide Gives a thorough overview of the router from a software and hardware perspective. It provides illustrations and configuration examples that present the big picture.
xxiii
MIBS
Copies of the MIBs available in a software release are included on the JUNOSe Software CD (formerly ERX Edge Routers Software CD) and on the Web.
Release Notes
Release notes are included on the corresponding software CD and are available on the Web. In the Release Notes, you will find the latest information about features, changes, known problems, resolved problems, and system maximum values. If the information in the Release Notes differs from the information found in the documentation set, follow the Release Notes.
Abbreviations
A complete list of abbreviations used in this document set, along with their spelled-out terms, is provided in the E-Series System Basics Configuration Guide, Appendix A, Abbreviations and Acronyms.
Web Access
Part 1
Routing Policy
1
Page 1-1 1-2 1-2 1-16 1-26 1-27 1-30 1-31 1-37 1-43 1-43 1-43
This chapter provides information on configuring routing policy for your E-series router. It describes routing policy configuration in general as it might be used with various routing protocols, such as BGP, IS-IS, OSPF, and RIP.
Topic Overview References Route Maps Access Lists Using the Null Interface Prefix Lists Prefix Trees Community Lists Using Regular Expressions Managing the Routing Table Troubleshooting Routing Policy Monitoring Routing Policy
Overview
Routing policy determines how the system handles the routes it receives from and sends to neighboring routers. In many cases, routing policy consists of filtering routes, accepting certain routes, accepting and modifying other routes, rejecting some routes, and determining the
1-2
routing protocol used to distribute the routes. You can think of routing policy as a way to control the flow of routes into and out of the router. The decision about which routes to accept from and advertise to various neighbors has an important impact on the traffic that crosses a network. Routing policy is used to enforce business agreements between two or more ISPs concerning the amount and type of traffic that is allowed to pass between them. You can use one or more of the following mechanisms to configure routing policy: Route maps Access lists Prefix lists Prefix trees Community lists
References
For more information about the protocols discussed in this chapter, refer to their respective chapters in this guide and in E-Series Routing Protocols Configuration Guide, Vol. 2, and to the References sections within those chapters.
Route Maps
You can use route maps to control and modify routing information and to define conditions for redistributing routes between routing domains. You can apply route maps to inbound, outbound, or redistribution routes. A route map consists of match clauses and set clauses. Match clauses specify the attribute values that determine whether a route matches the route map. A route that has the same attribute values passes the match condition. Routes that pass all the match conditions match the route map. You issue match commands to define the match conditions for a route map. You can specify the match conditions in any order. If you do not specify any match conditions in a route map, that route map then matches all routes. Set clauses define how the attributes are modified for matching routes. The set conditions apply only to routes that pass all the match conditions (or a route map with no match conditions). When a route passes all the
1-3
match conditions, all set conditions are applied. You issue set commands to define the set conditions for a route map. You assign a unique string called the map tag to identify each route map. You can have multiple instances of a route map, where each instance consists of a different group of clauses. Each instance is identified by a sequence number. When you apply a route map, the routing protocol evaluates routes against the instance of the route map with the lowest sequence number. If the routes pass all the match conditions specified in the lowest-numbered instance, and if all set commands are successfully applied, then no other instance of the route map is considered. However, any routes that do not pass all the match conditions are evaluated against the next instance of the route map. For example, suppose you create two instances of route map boston5, one with sequence number 10 and one with sequence number 25. When you apply boston5, routes are evaluated first against instance 10; any that do not match are evaluated against instance 25. When you apply a route map, you specify the permit or deny keyword. If you specify permit, routes that match the route map are accepted, forwarded, or redistributed. Routes that do not match the route map are rejected or blocked. If you specify deny, routes that match the route map are rejected or blocked. Routes that do not match the route map are accepted, forwarded, or redistributed. A route map must have at least one match clause or one set clause. If you have no match clauses, all routes match the route map, and the set conditions apply to all routes. If you have no set clauses, no action is taken other than that specified by the permit or deny keyword.
1-4
Consider the network structure shown in Figure 1-1. Suppose you do not want router Boston to receive any routes that originate in or pass through router Chicago.
AS 32
10.5.5.2
EBGP
10.5.5.3
Chicago
10.72.4.2
EBGP
10.72.4.3
AS 293
192.168.5.0/24
NY
10.2.2.1
10.16.22.0/23
EBGP
10.2.2.2
LA
AS 873
10.2.2.3
EBGP
10.2.2.4
172.24.160.0/19
You can use a route map to filter routes based on the AS path to accomplish this goal. Use the following commands to configure router NY:
host1(config)#router bgp 293 host1(config-router)#network 192.168.5.0 mask 255.255.255.0 host1(config-router)#neighbor 10.5.5.2 remote-as 32 host1(config-router)#neighbor 10.2.2.2 remote-as 873 host1(config-router)#neighbor 10.2.2.4 remote-as 17 host1(config-router)#neighbor 10.2.2.4 route-map block1 out host1(config-router)#exit host1(config)#ip as-path access-list boston deny _32_ host1(config)#route-map block1 deny 1 host1(config-route-map)#match as-path boston
g013108
192.168.144.0/20
Boston
AS 17
1-5
You can specify more than one value in each match entry of a route map using any of the match commands shown in Table 1-1. A clause with multiple values matches a route having any of the values; that is, the multiple values are logical ORed.
Table 1-1 Match commands enabling multiple values match as-path match community match distance match extcommunity-list match ip address match ip next-hop match ipv6 address host1(config-route-map)#match ip address lisbon madrid host1(config-route-map)#match as-path 10 20 30 match ipv6 next-hop match ipv6 route-source match level match metric match route-type match tag
You can also issue successive match commands to add new values to a route map entry for any of the commands in Table 1-1.
host1(config-route-map)#match ip address boston host1(config-route-map)#match ip address newyork
You cannot specify multiple values for the match metric-type command, because it has only two acceptable values, which are mutually exclusive. Specifying both values would have the same effect as not specifying a metric type at all; specifying the same value more than once has no meaning.
Negating Match Clauses
If you specify a value when you negate a match command configured in a route map, only that value for the match entry is deleted. The entire match entry is deleted only if no other values are specified by the entry. In earlier releases, any value specified with a no match command was ignored, and the entire match entry was deleted. This change applies to all match commands configured in a route map. For example, consider the following match entry to route map miami:
host1(config)#ip community-list corporate5 permit 32 463 21 host1(config)#ip community-list dade2 permit 41 53 22
1-6
host1(config)#route-map miami permit 1 host1(config-route-map)#match community corporate5 dade2 host1(config-route-map)#exit host1(config)#exit host1#show route-map route-map miami, permit, sequence 10 Match clauses: match community corporate5 dade2
In earlier releases, issuing a command to remove a community not specified in the entry deleted the whole entry, but now nothing happens:
host1(config-route-map)#no match community southbeach host1(config-route-map)#exit host1(config)#exit host1#show route-map route-map miami, permit, sequence 10 Match clauses: match community corporate5 dade2
If you instead issue the following commands, the specified value is deleted:
host1(config-route-map)#no match community dade2 host1(config-route-map)#exit host1(config)#exit host1#show route-map route-map miami, permit, sequence 10 Match clauses: match community corporate5
You could delete the entire match community entry by issuing either of the following commands:
host1(config-route-map)#no match community host1(config-route-map)#no match community corporate5 dade2
You can use the exact-match keyword for the match community command to specify that a match exists only for the exact community numbers specified in the community list. The exact-match keyword applies only to a standard community listthat is, one not specified by a regular expression. You cannot use the exact-match keyword with a community list that is specified by a regular expression. Consider the following example:
host1(config)#ip community-list 1 permit 100 200 300 host1(config)#exit
1-7
host1#show ip community-list Community standard list 1 permit 0:100 0:200 0:300 host1(config)#route-map example1 permit 10 host1(config-route-map)#match community 1 exact-match host1(config)#exit host1#show route-map example1 route-map example, permit, sequence 10 Match clauses: community (community-list filter): 1 exact-match
The route map example1 permits a route only if the route contains community 100 and community 200 and community 300 and no additional communities. If you do not specify the exact-match option, the route map also permits a match on a route containing additional communities. For example, a route containing communities 100, 200, 300, 400, and 450 would match.
Removing Community Lists from a Route Map
You can use the set comm-list delete command to remove the specified community list from routes matching the route map, provided that you created the community list with a single community number per list entry. For example, you cannot remove the community lists 231:10 and 231:20 with the set comm-list delete command if you created them with the following command:
host1(config)#ip community list 1 permit 231:10 231:20
You can, however, remove the lists with the set comm-list delete command if you created them separately:
host1(config)#ip community list 1 permit 231:10 host1(config)#ip community list 1 permit 231:20
Configure redistribution into BGP of the access routes with route map 1.
host1(config)#router bgp testnet host1(config-router)#redistribute access
1-8
match as-path
Use to match an AS-path access list. The implemented weight is based on the first matched AS path. Example
host1(config-route-map)#match as-path pathlist5
Use the no version to delete the match clause from a route map or a specified value from the match clause.
match community
Use to match a community list. Supported for inbound and outbound route maps. Example
host1(config-route-map)#match community comm5
Use the no version to delete the match clause from a route map or a specified value from the match clause.
match distance
Use to match any routes being redistributed out of the routing table that have the specified administrative distance. Distance is used to determine the relative preference between routes to the same prefix in order to pick the best route to that prefix in the routing table. Distance has no meaning in any other circumstance, and any attempt to match distance will fail. Example
host1(config-route-map)#match distance 25
Use the no version to delete the match clause from a route map or a specified value from the match clause.
match extcommunity
Use to match an extended community list in a route map. You can specify one or more extended community list names in a match clause. If you specify more than one extended community list, the lists are logically ORed. Example
host1(config-route-map)#match extcommunity topeka10
Use the no version to remove the match clause from a route map or a specified value from the match clause.
1-9
match ip address
Use to match any route that has a destination network number that is permitted by an access list, a prefix list, or a prefix tree, or that performs policy routing on packets. Example
host1(config-route-map)#match ip address prefix-tree boston
Use the no version to delete the match clause from a route map or a specified value from the match clause.
match ip next-hop
Use to match any routes that have a next-hop router address passed by the specified access list, prefix list, or prefix tree. Example
host1(config-route-map)#match ip next-hop 5 192.54.24.1
Use the no version to delete the match clause from a route map or a specified value from the match clause.
Use the no version to delete all address match clauses from a route map unless you specify a prefix list, in which case only that prefix list match is removed from the route map.
Use the no version to delete all next-hop match clauses from a route map unless you specify a prefix list, in which case only that prefix list match is removed from the route map.
1-10
Use the no version to delete all route-source match clauses from a route map unless you specify a prefix list, in which case only that prefix list match is removed from the route map.
match level
Use to match routes for the specified type. Example
host1(config-route-map)#match level-1
Use the no version to delete the match clause from a route map or a specified value from the match clause.
match metric
Use to match a route for the specified metric value. Example
host1(config-route-map)#match metric 10
Use the no version to delete the match clause from a route map or a specified value from the match clause.
match metric-type
Use to match a route for the specified metric type. Example
host1(config-route-map)#match metric-type external
Use the no version to delete the match clause from a route map.
match route-type
Use to match a route for the specified route type. Example
host1(config-route-map)#match route-type level-1
Use the no version to delete the match clause from a route map or a specified value from the match clause.
1-11
Use the no version to disable the use of the prefix tree by the route map.
match tag
Use to match the tag value of the destination routing protocol. Example
host1(config)#route-map 1 host1(config-route-map)#match tag 25
Use the no version to delete the match clause from a route map or a specified value from the match clause.
route-map
Use to define the conditions for redistributing routes from one routing protocol into another, and for filtering or modifying updates sent to or received from peers. Each route-map command has a list of match and set commands associated with it. That is, the route map itself consists of a set of clauses; each clause (also called an entry) consists of a match or set command. match commands specify the match criteria, the conditions under which redistribution is allowed for the current route map. set commands specify the set actions, the redistribution actions to perform if the criteria enforced by the match commands are set. You can specify match and set clauses to modify attributes of redistributed routes. Use route maps when you wish to have detailed control over how routes are redistributed between routing processes.
You specify the destination routing protocol with the router command. You specify the source routing protocol with the redistribute command.
Example
host1(config)#route-map nyc1 permit 10 host1(config-route-map)#match ip address list1 host1(config-route-map)#set metric-type internal
1-12
Use the no version to delete the set clause from a route map.
set automatic-tag
Use to automatically compute the tag value of the destination routing protocol. Example
host1(config-route-map)#set automatic-tag
Use the no version to delete the set clause from a route map.
Router Test receives the same route from 10.6.2.5 and applies the indelete route map. BGP compares each list entry with the community attribute. A match is found for the list entry 231:10, and this community is deleted from the community attribute. Similarly, a match is found for the list entry of 231:20, and this community is deleted from the community attribute. Use the no version to delete the set clause from a route map.
1-13
set community
Use to set the community attribute in BGP updates. You can specify a community list number in the range 14294967295, or in the new community format of AA:NN, or one of the following well-known communities:
local-as prevents advertisement outside the local AS no-advertise prevents advertisement to any peer no-export prevents advertisement beyond the BGP confederation
boundary Alternatively, you can use the list keyword to specify the name of a community list that you previously created with the ip community-list command. Example
host1(config-route-map)#set community no-advertise
Use the none keyword to remove the community attribute from a route. Use the no version to delete the set clause from a route map.
set dampening
Use to enable BGP route flap dampening only on routes that pass the match clauses of, and are redistributed by, a particular route map. BGP creates a dampening parameter block for each unique set of dampening parameterssuch as suppress threshold, reuse threshold, and so onused by BGP. For example, if you have a route map that sets the dampening parameters to one set of values for some routes and to another set of values for the remaining routes, BGP uses and stores two dampening parameter blocks, one for each set. Example
host1(config-route-map)#set dampening 5 1000 1500 45 15
Use the no version to delete the set clause from a route map.
set distance
Use to set the administrative distance on routes being installed into the routing table that match the route map. Distance establishes preference between routes to the same prefix to identify the best route to that prefix. Setting distance in any other circumstance has no effect. Example
host1(config-route-map)#set distance 5
Use the no version to delete the set clause from a route map.
1-14
set extcommunity
Use to set the extended community attributes in a route map for BGP updates. You can specify a site-of-origin (soo) extended community and a route target (rt) extended community at the same time in a set clause without overwriting the other. Example
host1(config-route-map)#set extcommunity rt 10.10.10.2:325
Use the no version to delete the set clause from a route map.
set ip next-hop
Use to set the next hop attribute of a route that matches a route map. You can specify an IP address or an interface as the next hop. Use the peer-address keyword to have the following effect:
Use the no version to delete the set clause from a route map.
Use the no version to delete the set clause from a route map.
set level
Use to specify where to import routes when all of a route maps match criteria are met. Example
host1(config-route-map)#set level level-2
Use the no version to delete the set clause from a route map.
set local-preference
Use to specify a preference value for the AS path. Example
host1(config-route-map)#set local-preference 200
Use the no version to delete the set clause from a route map.
1-15
set metric
Use to set the metric valuefor BGP, the MEDfor a route. To establish an absolute metric, do not enter a plus or minus sign before the metric value. Example
host1(config-route-map)#set metric 10
To establish a relative metric, specify a plus or minus sign immediately preceding the metric value. The value is added to or subtracted from the metric of any routes matching the route map. The relative metric value range is 04294967295. Example
host1(config-route-map)#set metric -25
You cannot use both an absolute metric and a relative metric within the same route map sequence. Setting either metric overrides any previously configured value. Use the no version to delete the set clause from a route map.
set metric-type
Use to set the metric type for a route. For BGP, this command affects BGP behavior only in outbound route maps and has no effect on other types of route maps. If the route map contains both a set metric-type and a set metric clause, the set metric clause takes precedence. If you specify the internal metric type in a BGP outbound route map, BGP sets the MED of the advertised routes to the IGP cost of the next hop of the advertised route. If the cost of the next hop changes, BGP is not forced to readvertise the route. For BGP, you can specify:
external reverts to the normal BGP rules for propagating the MED; this is
the BGP default
external only the metric of the route itself is considered for comparison internal both the metric of the route and the cost to the router that
advertised the route are considered for comparison; this is the IS-IS default For OSPF, you can specify:
1 cost of the external routes is equal to the sum of all internal costs and the
external cost
2 cost of the external routes is equal to the external cost alone; this is the
OSPF default Example
host1(config-route-map)#set metric-type internal
Use the no version to delete the set clause from a route map.
1-16
set origin
Use to set the BGP origin of the advertised route. Example
host1(config-route-map)#set origin egp
Use the no version to delete the set clause from a route map.
set route-type
Use to set the routes of the specified type. Example
host1(config-route-map)#set route-type internal
Use the no version to delete the set clause from a route map.
set tag
Use to set the tag value of the destination routing protocol. Example
host1(config-route-map)#set tag 23
Use the no version to delete the set clause from a route map.
set weight
Use to specify the BGP weight for the routing table. The weights assigned with the set weight command in a route map override the weights assigned using the neighbor weight and neighbor filter-list weight commands. Example
host1(config-route-map)#set weight 200
Use the no version to delete the set clause from a route map.
Access Lists
An access list is a sequential collection of permit and deny conditions that you can use to filter inbound or outbound routes. You can use different kinds of access lists to filter routes based on either the prefix or the AS path.
1-17
Filtering Prefixes
To filter routes based on the prefix, you can do any of the following: Define an access list with the access list command, and apply the list to routes received from or passed to a neighbor with the neighbor distribute-list command Define a prefix list with the ip prefix-list command, and apply the list to routes received from or passed to a neighbor with the neighbor prefix-list command Define a prefix tree with the ip prefix-tree command, and apply the list to routes received from or passed to a neighbor with the neighbor prefix-tree command The router compares each routes prefix against the conditions in the list or tree one by one. If the first match is for a permit condition, the route is accepted or passed. If the first match is for a deny condition, the route is rejected or blocked. The order of conditions is critical because testing stops with the first match. If no conditions match, the router rejects or blocks the address; that is, the last action of any list is an implicit deny condition for all routes. The implicit rule is displayed by show access-list and show config commands. You cannot selectively place conditions in or remove conditions from an access list, prefix list, or prefix tree. You can insert a new condition only at the end of a list or tree.
Example 1
The following example shows the how the implicit deny condition is displayed.
host1(config)#access-list 1 permit 10.10.10.1 0.0.0.255 host1(config)#access-list 2 permit 10.25.25.1 0.0.0.255 host1(config)#access-list 3 permit any any host1(config)#show access-list IP Access List 1: permit ip 10.10.10.1 0.0.0.255 any deny ip any any IP Access List 2: permit ip 10.25.25.1 0.0.0.255 any deny ip any any IP Access List 3: permit ip any any
Note that the implicit deny rule does not appear in the display for access list 3, because any prefix will match access list 3.
1-18
Example 2
The following example demonstrates how to use a route map and an access list to redistribute static routes to IS-IS.
1
Configure an access list, fltra, that filters routes 20.20.20.0/24 and 20.20.21.0/24.
host1(config)#access-list fltra permit 20.20.0.0 0.0.255.255
Configure route map 1 to match access list fltra, and apply an internal metric type.
host1(config)#route-map 1 host1(config-route-map)#match ip address fltra host1(config-route-map)#set metric-type internal
Configure redistribution into IS-IS of the static routes with route map 1.
host1(config)#router isis testnet host1(config-router)#redistribute static route-map 1
Verify the effect of the redistribution (the two static routes matching the route map are redistributed as level 2 internal routes).
host1#show isis database detail l2 IS-IS Level-2 Link State Database LSPID LSP Seq Num LSP Checksum 0x000002B7 LSP Holdtime ATT/P/OL 0000.0000.6666.00-00 NLPID: IP Address: 0xcc 192.168.1.105 0x3E1F 1198 0/0/0
Metric: 10 IS 0000.0000.6666.01 Metric: 10 IS 0000.0000.3333.00 Metric: 10 IS 0000.0000.7777.00 Metric: 30 IP 20.20.20.0 255.255.255.0 Metric: 30 IP 20.20.21.0 255.255.255.0
1-19
Example 3
The following example demonstrates how to use an access list to filter routes advertised to a BGP speaker. Consider the network structure in Figure 1-2.
AS 873
172.24.160.0/19 172.24.48.0/20
LA
10.2.2.3
AS 17
10.5.5.1
IBGP
10.2.2.4 172.24.24.0/21 10.5.5.4
192.168.144.0/20
The following commands configure router Boston to apply access list reject1 to routes inbound from router SanJose. Access list reject1 rejects routes matching 172.24.160.0/19.
host1(config)#router bgp 17 host1(config-router)#neighbor 10.5.5.4 remote-as 873 host1(config-router)#neighbor 10.5.5.4 distribute-list reject1 in host1(config-router)#exit host1(config)#access-list reject1 permit 172.24.48.0 0.0.255 host1(config)#access-list reject1 deny 172.24.160.0 0.0.0.255 host1(config)#access-list reject1 permit 172.24.24.0 0.0.0.255
Filtering AS Paths
You can use a filter list to filter incoming and outgoing routes based on the value of the AS-path attribute. Whenever a BGP route passes through an AS, BGP prepends its AS number to the AS-path attribute. The AS-path attribute is the list of ASs that a route has passed through to reach a destination. To filter routes based on the AS path, define the access list with the ip as-path access-list command, and apply the list to routes received from or passed to a neighbor with the neighbor filter-list command. AS-path access lists use regular expressions to describe the AS path to be matched.
g013109
Boston
EBGP
SanJose
1-20
A regular expression uses special charactersoften referred to as metacharactersto define a pattern that is compared with an input string. For a full discussion of regular expressions, with examples of how to use them, see Using Regular Expressions later in this chapter. The router compares each routes AS path against each condition in the access list. If the first match is for a permit condition, the route is accepted or passed. If the first match is for a deny condition, the route is rejected or blocked. The order of conditions is critical because testing stops with the first match. If no conditions match, the router rejects or blocks the route; that is, the last action of any list is an implicit deny condition for all routes. You cannot selectively place conditions in or remove conditions from an AS-path access list. You can insert a new condition only at the end of an AS-path access list.
Example 1
Consider the network structure in Figure 1-3. Suppose you want router London to behave in the following way: Accept routes originated in AS 621 only if they pass directly to router London. Accept routes originated in AS 11 only if they pass directly to router London. Forward routes from AS 282 to AS 435 only if they pass through either AS 621 or AS 11, but not both AS 621 and AS 11.
192.168.33.0/24 172.21.10.0/23
AS 621 Paris
192.168.33.0/24 10.2.9.2
AS 435
Madrid
10.2.7.2
Zurich
EBGP
10.2.9.1 10.2.8.1
EBGP AS 47
AS 282
EBGP
172.19.0.0/16
London
10.2.7.1
g013081
172.28.8.0/21
1-21
The following commands configure router London to apply filters based on AS path to routes received from router Berlin and router Paris and to routes forwarded to router Madrid.
host1(config)#router bgp 47 host1(config-router)#neighbor 10.2.9.2 remote-as 621 host1(config-router)#neighbor 10.2.9.2 filter-list 1 in host1(config-router)#neighbor 10.2.8.2 remote-as 11 host1(config-router)#neighbor 10.2.8.2 filter-list 2 in host1(config-router)#neighbor 10.2.7.2 remote-as 435 host1(config-router)#neighbor 10.2.7.2 filter-list 3 out host1(config-router)#exit host1(config)#ip as-path access-list 1 deny ^11 host1(config)#ip as-path access-list 1 permit .* host1(config)#ip as-path access-list 2 deny ^621 host1(config)#ip as-path access-list 2 permit .* host1(config)#ip as-path access-list 3 deny [621 11] host1(config)#ip as-path access-list 3 permit .*
AS-path access list 1 is applied to routes that router London receives from router Paris. Router London rejects routes with the AS path 11 621 or 11 282 621. AS-path access list 2 is applied to routes that router London receives from router Berlin. Router London rejects routes with the AS path 621 11 or 621 282 11. Router London accepts routes with the AS path 282 11, 282 621, 282 621 11, or 282 11 621. However, it applies AS-path access-list 3 to routes it forwards to router Madrid, and filters out routes with the AS path 282 621 11 or 282 11 621.
1-22
You can use a route map instead of the neighbor filter-list command to apply access lists for filtering routes. In Figure 1-4, a route map is used to determine the weight for routes learned by router Chicago.
AS 32 10.5.5.2 EBGP 10.5.5.3 AS 293 192.168.5.0/24 Chicago 10.2.2.3 EBGP 10.2.2.4 AS 17 AS 451 10.16.22.0/23
AS 837 EBGP
NY
LA
Boston
EBGP
SanJose
192.168.144.0/20
Figure 1-4 Route map filtering
Access list 1 permits any route whose AS-path attribute includes 32 or 837. This condition permits routes that originate in (or pass through from elsewhere) AS 32 or AS 837. When these routes are advertised through AS 451 and AS 17 to router Chicago, instance 1 of route map 1 matches such routes and sets their weight to 25, overriding the neighbor weight set for updates received from 10.2.2.4. Access list 2 permits any route whose AS-path attribute indicates that it originates in AS 74. When these routes are advertised through AS 837 and AS 32 to router Chicago, instance 1 of route map 2 matches such routes and sets their weight to 175, overriding the neighbor weight set for updates received from 10.5.5.2.
g013110
1-23
The result of this configuration is that router Chicago prefers routes learned via router Boston (weight 150) over routes learned through router NY (weight 50), except that: Router Chicago prefers routes learned via router NY that passed through AS 837 or AS 32 (weight 50) over the same routes learned via router Boston (weight 25 according to route map 1). Router Chicago prefers routes originating in AS 74 learned via router NY that passed through AS 837 and AS 32 (weight 175 according to route map 2) over the same routes learned via router Boston (weight 150).
access-list
Use to define an IP access list to permit or deny routes based on the prefix. Each access list is a set of permit or deny conditions for routes based on matching a routes prefix. A zero in the wildcard mask means that the corresponding bit in the address must be exactly matched by the route. A one in the wildcard mask means that the corresponding bit in the address does not have to be matched by the route. Use the neighbor distribute-list command to apply the access list to routes received from or forwarded to a neighbor.
1-24
Use the log keyword to log an Info event in the ipAccessList log whenever an access-list rule is matched. Use the no version to delete an IP access list (no other options specified), the specified entry in the access list, or the log for the specified access list or entry (by specifying the log keyword).
default-information originate
Use to enable RIP, OSPF, or BGP to advertise a default route (0.0.0.0/0) that exists in the IP routing table. If you specify the always option for OSPF, OSPF generates a default route if it does not exist in the IP routing table and advertises it. Use to generate a default route into an IS-IS domain. Example
host1(config-router)#default-information originate
ip as-path access-list
Use to define an AS-path access list to permit or deny routes based on the AS path. Each access list is a set of permit or deny conditions for routes based on matching a routes AS path to a regular expression. If the regular expression matches the representation of the AS path of the route as an ASCII string, then the permit or deny condition applies. The AS path does not contain the local AS number. The AS path allows substring matching. For example, the regular expression 20 matches AS path = 20 and AS path = 100 200 300, because 20 is a substring of each path. To disable substring matching and constrain matching to only the specified attribute string, place the underscore (_) metacharacter on both sides of the string; for example _20_. Use the neighbor filter-list command to apply the AS-path access list. You can apply access list filters to inbound and outbound BGP routes. You can assign weights to routes matching the AS-path access list. Use the no version to remove the AS-path access list; all entries belonging to this list are removed.
neighbor distribute-list
Use to filter routes to selected prefixes as specified in an access list. Distribute lists are applied only to external peers. Use the in keyword to apply the list to inbound routes (inbound policy). Use the out keyword to apply the list to outbound routes (outbound policy). Using distribute lists is one of several ways to filter BGP advertisements. Other methods are to:
Use AS path filters with the ip as-path access-list and the neighbor
filter-list commands
1-25
Use route map filters with the route-map and the neighbor route-map
commands Use the no version to disassociate the access list from a neighbor.
neighbor filter-list
Use to assign an AS-path access list to matching inbound or outbound routes. Use the in keyword to apply the list to inbound routes (inbound policy). Use the out keyword to apply the list to outbound routes (outbound policy). You can specify an optional weight value with the weight keyword to assign a relative importance to incoming routes matching the AS-path access list. Access list values can range from 065535. Use the no version to disassociate the access list from a neighbor.
neighbor prefix-list
Use to assign an inbound or outbound prefix list. If you specify a BGP peer group by using the peer-group-name argument, all the members of the peer group inherit the characteristic configured with this command unless it is overridden for a specific peer. Example
host1(config-router)#neighbor 192.168.1.158 prefix-list seoul19 in
neighbor prefix-tree
Use to assign an inbound or outbound prefix tree. If you specify a BGP peer group by using the peer-group-name argument, all the members of the peer group inherit the characteristic configured with this command unless it is overridden for a specific peer. Example
host1(config-router)#neighbor 192.168.1.158 prefix-tree newyork out
redistribute
Use to redistribute routes from one routing domain into another routing domain. Example
host1(config)#router bgp 100 host1(config-router)#neighbor 192.56.10.2 remote-as 200 host1(config-router)#redistribute static host1(config-router)#exit host1(config)#ip route 155.30.0.0 0.0.255.255
1-26
For access routes, you can configure and apply a table map that filters routes before an access list adds them to the routing table. You can use the ip access-route table-map command when triggering on the following policy values:
Match ip address metric distance tag Set metric distance tag
For example, you can configure an access list and route map to filter, based on IP address, any routes that appear in the routing table:
host1(config)#ip access-route table-map just10net host1(config)#access-list permit10 permit 10.0.0.0 0.255.255.255 host1(config)#access-list permit10 deny any host1(config)#route-map just10net host1(config-route-map)#match ip address permit10
Using the same name for both the table map and the route map creates an association specifying (in this case) that only IP addresses matching the access list criterion appear in the routing table.
ip access-route table-map
Use to filter access routes before an access list adds them to the routing table. Example
host1(config)#ip access-route table-map just10net
1-27
ip route
Use to configure a static route and redirect traffic from it to the null interface. Example
host1(config-if)#ip route 10.10.20.5 null 0
Prefix Lists
A prefix list is a sequential collection of permit and deny conditions that apply to IP or IPv6 addresses. Like an access list, the router tests addresses one by one against the conditions in a prefix list. The first match determines whether the router accepts or rejects the address. Because the router stops testing conditions after the first match, the order of the conditions is critical. If no conditions match, the router rejects the address. An empty prefix list results in an automatic permit of the tested address. Unlike access lists, the prefix list specifies a base IP or IPv6 address and a length (the number of bits applied to the base to determine the network prefix). The tested address is matched against the prefix. Use the ip prefix-list command to define an IP prefix list, or the ipv6 prefix-list command to define an IPv6 prefix list. The prefix-list keyword with either the match { ip | ipv6 } address or match { ip | ipv6 } next-hop commands allow you to add a clause to a route map.
Using a Prefix List
The following example creates a prefix list that permits routes with a prefix length up to 24 in the 151.0.0.0/8 network:
host1(config)#ip prefix-list abc permit 151.0.0.0/8 le 24
clear ip prefix-list
Use to clear all hit counts in the prefix lists, or the specified entry from the specified prefix list. (The hit count is incremented +1 each time an entry matches.) Example
host1#clear ip prefix-list abc
There is no no version.
1-28
There is no no version.
ip prefix-list
Use to create a prefix list for route filtering and to specify a list entrya deny or permit clause for a network addressto the prefix list. Use to add entries to prefix lists. The prefix list name can be up to 32 characters long. Specify the position of each entry in the list with the seq keyword. If a sequence number is not specified, the value of the last sequence number plus 5 is used. Use the ge and le keywords to specify a range of network prefixes. These keywords have the following values:
Use the no version to remove the specified prefix list or the specified list entry.
ipv6 prefix-list
Use to create an IPv6 prefix list for route filtering and to specify a list entrya deny or permit clause for a network addressto the prefix list. Use to add entries to prefix lists. The prefix list name can be up to 32 characters long. Specify the position of each entry in the list with the seq keyword. If a sequence number is not specified, the value of the last sequence number plus 5 is used. Use the ge and le keywords to specify a range of network prefixes. These keywords have the following values:
Use the no version to remove the specified prefix list or the specified list entry.
1-29
match ip address
Use with the prefix-list keyword to match routes that have a destination network number address that is permitted by the prefix list. Example
host1(config-route-map)#match ip address prefix-list abc
Use the no version to delete the match clause from a route map or a specified value from the match clause.
Use the no version to delete all address match clauses from a route map unless you specify a prefix list, in which case only that prefix list match is removed from the route map.
match ip next-hop
Use with the prefix-list keyword to match routes that have a next-hop router address passed by the specified prefix list. Example
host1(config-route-map)#match ip next-hop prefix-list abc
Use the no version to delete the match clause from a route map or a specified value from the match clause.
Use the no version to delete all next-hop match clauses from a route map unless you specify a prefix list, in which case only that prefix list match is removed from the route map.
1-30
Prefix Trees
A prefix tree is a nonsequential collection of permit and deny conditions that apply to IP addresses. Like a prefix list, the prefix tree specifies a base IP address and a length, the number of bits applied to the base to determine the network prefix. The tested address is matched against the prefix. The prefix tree also enables route summarization. However, the prefix tree does not match addresses one by one in sequence against the listed conditions. The router performs a binary search against the tree structure of the entries. If the tested address is less than a particular entry, it branches one way to another test pair; if it is greater than the entry, it branches the other way to another mutually exclusive test pair. The router stops testing conditions when it finds the best match. If no conditions match, the router rejects the address. An empty prefix tree results in an automatic permit of the tested address. The prefix tree provides a faster search methodology and matches the test address more closely than either the access list or the prefix list. Use the ip prefix-tree command to define an IP prefix tree. Use the prefix-tree keyword with the match ip address or match ip next-hop commands to add a clause to a route map. Use the match-set summary prefix-tree command to specify the prefix tree that summarizes routes for a particular route map.
Using a Prefix Tree
The following example creates a prefix tree that permits routes with a prefix length of 24 or larger in the 10.10.2.0/24 network:
host1(config)#ip prefix-tree xyz permit 10.10.2.0/24
clear ip prefix-tree
Use to clear all hit counts in the prefix trees, or the specified entry from the specified prefix tree. (The hit count is incremented +1 each time an entry matches.) Example
host1#clear ip prefix-tree xyz
There is no no version.
ip prefix-tree
Use to create a prefix tree for best route filtering; specifies a tree entrya deny or permit clause for a network address. The prefix tree name can be up to 32 characters long.
1-31
Example
host1(config)#ip prefix-tree boston42 permit 10.10.2.0/24
Use the no version to remove the specified prefix tree or the specified tree entry.
match ip address
Use with the prefix-tree keyword to match routes that have a destination network number address that is permitted by the prefix tree. Example
host1(config-route-map)#match ip address prefix-tree xyz
Use the no version to delete the match clause from a route map or a specified value from the match clause.
match ip next-hop
Use with the prefix-tree keyword to match routes that have a next-hop router address passed by the specified prefix tree. Example
host1(config-route-map)#match ip next-hop prefix-tree xyz
Use the no version to delete the match clause from a route map or a specified value from the match clause.
Use the no version to disable use of the prefix tree by the route map.
Community Lists
A community is a logical group of prefixes that share some common attribute. Community members can be on different networks and in different ASs. BGP allows you to define the community to which a prefix belongs. A prefix can belong to more than one community. The community attribute lists the communities to which a prefix belongs. You can use communities to simplify routing policies by configuring the routing information that a BGP speaker will accept, prefer, or distribute to other neighbors according to community membership. When a route is learned, advertised, or redistributed, a BGP speaker can set, append, or
1-32
modify the community of a route. When routes are aggregated, the resulting BGP update contains a community attribute that contains all communities from all of the aggregated routes (if the aggregate is an AS-set aggregate). Several well-known communities are predefined. Table 1-2 describes how a BGP speaker handles a route based on the setting of its community attribute.
Table 1-2 Action based on well-known community membership If the well-known community is... The BGP speaker... no-export no-advertise local-as (also known as no-export-subconfed) internet Does not advertise the route beyond the BGP confederation boundary Does not advertise the route to any peers, IBGP, or EBGP Does not advertise the route to any external peers Advertises this route to the Internet community; by default, all prefixes are members of the Internet community
In addition to the well-known communities, you can define local-use communities, also known as private communities or general communities. These communities serve as a convenient way to categorize groups of routes to facilitate the use of routing policies. The community attribute consists of four octets, but it is common practice to designate communities in the AA:NN format. The autonomous system number (AA) comprises the higher two octets, and the community number (NN) comprises the lower two octets. Both are expressed as decimal numbers. For example, if a prefix in AS 23 belongs to community 411, the attribute could be expressed as 23:411. Use the ip bgp-community new-format command to specify that the show commands display communities in this format. You can also use a regular expression to specify the community attribute. Use the set community command in route maps to configure the community attributes. You can add one or more communities to the attribute, or use the list keyword to add a list of communities to the attribute. By default, the community attribute is not sent to BGP peers. To send the community attribute to a neighbor, use the neighbor send community command. A community list is a sequential collection of permit and deny conditions. Each condition describes the community number to be matched. If you issued the ip bgp-community new-format command, the community
1-33
number is in AA:NN format; otherwise it is in decimal format (the hexadecimal octets converted to decimal). The router tests the community attribute of a route against each condition in a community list. The first match determines whether the router accepts (the route is permitted) or rejects (the route is denied) a route having the specified community. Because the router stops testing conditions after the first match, the order of the conditions is critical. If no conditions match, the router rejects the route. Consider the network structure shown in Figure 1-5.
AS 32 AS 873 10.5.5.2 EBGP 10.5.5.3 AS 293 192.168.5.0/24 10.2.2.3 EBGP 10.2.2.4 AS 17 172.31.24.0/21
Figure 1-5 Community lists
NY
10.72.4.2 EBGP
10.72.4.3
LA
172.24.160.0/19
Albany
AS 451
192.168.144.0/20
Suppose you want router Albany to set metrics for routes that it forwards to router Boston based on the communities to which the routes belong. You can create community lists and filter the routes with a route map that matches on the community list. To configure router Albany:
host1(config)#router bgp 293 host1(config-router)#neighbor 10.5.5.2 remote-as 32 host1(config-router)#neighbor 10.2.2.1 remote-as 451 host1(config-router)#neighbor 10.2.2.4 remote-as 17 host1(config-router)#neighbor 10.2.2.4 route-map commtrc out host1(config-router)#exit host1(config)#route-map commtrc permit 1 host1(config-route-map)#match community 1 host1(config-route-map)#set metric 20 host1(config-route-map)#exit
g013111
Boston
1-34
host1(config)#route-map commtrc permit 2 host1(config-route-map)#match community 2 host1(config-route-map)#set metric 75 host1(config-route-map)#exit host1(config)#route-map commtrc permit 3 host1(config-route-map)#match community 3 host1(config-route-map)#set metric 85 host1(config-route-map)#exit host1(config)#ip community-list 1 permit 25 host1(config)#ip community-list 2 permit 62 host1(config)#ip community-list 3 permit internet
Community list 1 comprises routes with a community of 25; their metric is set to 20. Community list 2 comprises routes with a community of 62; their metric is set to 75. Community 3 catches all remaining routes by matching the internet community; their metric is set to 85.
ip bgp-community new-format
Use to specify that communities must be displayed in AA:NN format, where AA is a number that identifies the autonomous system and NN is a number that identifies the community within the autonomous system. Example
host1(config)#ip bgp-community new-format
ip community-list
Use to create a community list for BGP and control access to it. The list name can be up to 32 characters long. A route can belong to any number of communities, so a community list can have many entries comprising many communities. You can specify one or more community values when you create a community list. A clause in a route map that includes a list having more than one value matches only a route having all of the values; that is, the multiple values are logical ANDed. You can specify community values with a number or a regular expression. Example
host1(config)#ip community-list 1 permit 100:2 100:3 100:4 host1(config)#route-map marengo permit 10 host1(config-route-map)#match community 1
A route matches this community list only if it belongs to at least all three communities in community list 1: communities 100:2, 100:3, and 100:4. Use the no version to remove the specified community list, including all list entries.
1-35
neighbor send-community
Use to specify that a community attribute should be sent to a BGP neighbor. If you specify a BGP peer group by using the peer-group-name argument, all the members of the peer group will inherit the characteristic configured with this command. Use the no version to specify that common attributes should not be sent to a BGP neighbor.
set community
Use to set the community attribute in BGP updates. You can specify a community list number in the range 14294967295, or in the new community format of AA:NN, or one of the following well-known communities:
local-as prevents advertisement outside the local AS no-advertise prevents advertisement to any peer no-export prevents advertisement beyond the BGP confederation
boundary Alternatively, you can use the list keyword to specify the name of a community list that you previously created with the ip community-list command. Supported for inbound, outbound, and redistribution route maps. Example
host1(config)#route-map 1 host1(config-route-map)#set community no-advertise
Use the none keyword to remove the community attribute from a route. Use the no version to delete the entry.
The router supports the BGP extended community attribute defined in the Internet draft, BGP Extended Communities Attribute draft-ietf-idr-bgp-ext-communities-05.txt (November 2002 expiration). This attribute enables the definition of a new type of IP extended community and extended community list unrelated to the community list that uses regular expressions.
Note: IETF drafts are valid for only 6 months from the date of issuance. They must be considered as works in progress. Please refer to the IETF Web site at http://www.ietf.org for the latest drafts.
BGP speakers can use the extended community attribute to control routes much like they use the community attribute to determine routes they accept, reject, or redistribute. A BGP speaker can append the extended community attribute to a route that does not have the attribute before advertising the route. For routes that do have the attribute, BGP can modify the attribute.
1-36
ip extcommunity-list
Use to create an extended community list for BGP and control access to it. A route can belong to any number of communities, so an extended community list can have many entries comprising many communities. You can specify one or more community values when you create an extended community list. A clause in a route map that includes a list having more than one value matches only a route having all of the values; that is, the multiple values are logical ANDed. Use the rt keyword to specify a route target community, which consists of one or more routers that can receive a set of routes advertised by BGP that carry the extended community attribute. Use the soo keyword to specify a site-of-origin community, which consists of one or more routers that inject into BGP a set of routes that carry the extended community attribute. Example
host1(config)#ip extcommunity-list boston1 permit rt 100:2 rt 100:3 rt 100:4 host1(config)#route-map marengo permit 10 host1(config-route-map)#match extcommunity boston1
A route matches this community list only if it belongs to at least all three communities in extended community list boston1: communities 100:2, 100:3, and 100:4. Use the no version to remove a single extended community list entry if permit or deny and a path-expression are specified. Otherwise, the entire community list is removed.
match extcommunity
Use to match an extended community list in a route map. You can specify one or more extended community list names in a match clause. If you specify more than one extended community list, the lists are logically ORed. Example
host1(config-route-map)#match extcommunity topeka10
Use the no version to remove the match clause from a route map or a specified value from the match clause.
set extcommunity
Use to set the extended community attributes in a route map for BGP updates. Use the rt keyword to specify a route target community, which consists of one or more routers that can receive a set of routes advertised by BGP that carry the extended community attribute. Use the soo keyword to specify a site-of-origin community, which consists of one or more routers that inject into BGP a set of routes that carry the extended community attribute.
1-37
You can specify both a route target community and a site-of-origin community at the same time in a set clause without overwriting each other. Example
host1(config)#route-map 1 host1(config-route-map)#set extcommunity rt 10.10.10.2:325
Use the no version to remove the set clause from the route map.
show ip extcommunity-list
Use to display information about a specific extended community list or all extended community lists. Example
host1#show ip extcommunity-list IP Extended Community List dresden1: permit soo 10.10.10.10:15 IP Extended Community List bonn: deny rt 12:12
For an AS-path access list, the input string is the AS path of the routes to which the list is applied via the route-map or neighbor filter-list commands. If the AS path matches the regular expression in the access list, then the route matches the access list.
Example
The following commands apply access list 1 to routes inbound from BGP peer 10.5.5.2. Access list 1 uses a regular expression to deny routes originating in AS 32.
host1(config-router)#neighbor 10.5.5.2 remote-as 32 host1(config-router)#neighbor 10.5.5.2 filter-list 1 in host1(config-router)#exit host1(config)#ip as-path access-list 1 deny 32$
1-38
Community Lists
For a community list, the input string is the community attribute of the routes to which the list is applied via a route-map command. If the community attribute matches the regular expression in the community list, then the route matches the community list.
Example
The following commands apply route map 5 to routes forwarded to BGP peer 10.5.5.4. Route map 5 uses a regular expression to match community numbers ending with 305, setting the weight of matching routes to 150.
host1(config-router)#neighbor 10.5.5.4 remote-as 425 host1(config-router)#neighbor 10.5.5.4 route-map 5 out host1(config-router)#exit host1(config)#route-map 5 permit 10 host1(config-route-map)#match community 305$ host1(config-route-map)#set weight 150
Community Numbers
When you use a regular expression to match a community number, use the appropriate format for the community number in the community list. If you issue the ip bgp-community new-format command, the community number has the format AA:NN where AA is a number that identifies the autonomous system, and NN is a number that identifies the community within the autonomous system. Otherwise, the community number is an integer in the range 14294967295.
Metacharacters
Each regular expression consists of one or more metacharacters and zero or more complete or partial AS or community numbers. Table 1-3 describes the metacharacters supported for regular expression pattern-matching.
Table 1-3 Supported regular expression metacharacters Metacharacter Description ^ Matches the beginning of the input string. Alternatively, when used as the first character within brackets[^ ]matches any number except the ones specified within the brackets. $ . * Matches the end of the input string. Matches any single character, including white space. Matches 0 or more sequences of the immediately previous character or pattern.
1-39
Table 1-3 Supported regular expression metacharacters (continued) Metacharacter Description + ? () [] (hyphen) _ (underscore) Matches 1 or more sequences of the immediately previous character or pattern. Matches 0 or 1 sequence of the immediately previous character or pattern. Specifies patterns for multiple use when followed by one of the multiplier metacharacters: asterisk *, plus sign +, or question mark ? Matches any enclosed character; specifies a range of single characters. Used within brackets to specify a range of AS or community numbers. Matches a ^, a $, a comma, a space, a {, or a }. Placed on either side of a string to specify a literal and disallow substring matching. Numerals enclosed by underscores can be preceded or followed by any of the characters listed above. Matches characters on either side of the metacharacter; logical OR.
You can remove the special meaning of a metacharacter by preceding it with a backslash (\). Such a construction denotes that the metacharacter is not treated as a metacharacter for that regular expression. It is simply a character or token with no special meaning, just as a numeral has no special meaning. The backslash applies only to the character immediately following it in the regular expression. On the E-series router, you are likely to use the backslash only for the parentheses characters, ( or ). BGP indicates a segment of an AS path that is of type AS-confed-set or AS-confed-seq by enclosing that segment within parentheses.
Example
The following AS-path access list uses a regular expression to match routes having an AS-path attribute that begins with any AS-confed-set or AS-confed-seq:
host1(config)#ip as-path access-list 1 permit ^\(
The following AS-path access list uses a regular expression to match routes having an AS-path attribute that ends with any AS-confed-set or AS-confed-seq:
host1(config)#ip as-path access-list 1 permit \)$
1-40
The following AS-path access list uses a regular expression to match routes having an AS-path attribute that includes the specific AS-confed-set or AS-confed-seq, (100 200):
host1(config)#ip as-path access-list 1 permit \(100 200\)
Table 1-4 shows some representative regular expressions that might be used in an AS-path access list or community list, along with sample attribute values that match or do not match the regular expression.
Table 1-4 Sample regular expressions Regular Expression Matches Any AS-path or Community Attribute That... ^12 Begins with 12, such as the following: 12 23 42 12 but not 58 12 7 [^12] Includes any numeral except 1 or 2, such as the following: 44 73 46 8 but not 1145 19 2 49 305$ 89 611 305 42 305 6666:305 .5 5 69 12 629 1245 19
12
Includes any one character followed by numeral 5, such as the following: 89 611 35 600:500 33 252 12 998
1.9
Includes a sequence of three characters where the first character is numeral 1 and the third character is numeral 9, such as the following: 179 35 24 2129 14 321:94 33 252 129 48 600:2129
.* 42*
Includes any character; matches all AS paths and community lists Includes a number having a numeral 4 followed by zero or more instances of numeral 2, such as the following: 67 42 51 33 252 422 48 4 339 78 314 3142 31422
1-41
Table 1-4 Sample regular expressions (continued) Regular Expression Matches Any AS-path or Community Attribute That... 1(37)* Includes a sequence having a numeral 1 followed by zero or more instances of the pattern 37, such as the following: 137 42 21 1 but not 4 3737 78 42+ Includes a number having a numeral 4 immediately followed by one or more instances of numeral 2, such as the following: 67 42 21 but not 4 329 78 1(37)+ Includes a sequence having a numeral 1 immediately followed by one or more instances of the pattern 37, such as the following: 1373737 29 4 137 42 21 but not 4 372 21 1 456 88 42? 4 37137 78 33 252 422 48 1373737 29 4
21 37 5 1
Includes a number having a numeral 4 followed by zero or only one instance of numeral 2, such as the following: 67 42 71 but not 33 252 422 48 4 359 78
1(37)?
Includes a sequence having a numeral 1 followed by zero or only one instance of the pattern 37, such as the following: 137 42 21 1 but not 4 13737 78 53 612 49
7..
Includes a sequence of three characters where the first character is numeral 7, such as the following: 600 700 100 25 7771 In the following examples, the three characters are 7, space, 8: 307 800 6127 888 999
^7..
Includes a number ranging from 700 to 799, such as the following: 6127 723 999 but not 25 7771 700 100 600 307 800
1-42
Table 1-4 Sample regular expressions (continued) Regular Expression Matches Any AS-path or Community Attribute That... ^7..$ Consists only of a number ranging from 700 to 799, such as the following: 723 but not 25 7771 6127 723 999 [621] 60 43 200 86 53 [0-9] ^\(22 431\) 700 307 800 700 100 600 34 545 92 710
The regular expression [162] has the same results. Includes any number in the range 09 (AS-path attribute only) Begins with the AS-confed-set or AS-confed-seq (22 431), such as the following: (22 431) 102 but not 43 (22 431) 5 {41 19} (22 431) 55 76 22 431 59
(AS-path attribute only) Includes the AS-set or AS-seq {41 19}, such as the following: {41 19} 53 255 {41 19} but not 3 41 19 76 {41 19} 17
41 19 532
Includes either sequence 101 102 or sequence 103 105, such as the following: 43 101 102 5 but not 19 102 101 103 105 22 102 103
_200_
Includes the number 200 (as opposed to the pattern consisting of numeral 2, numeral 0, numeral 0), such as the following: 33 200 422 48 ^200 500$ but not 33 20 422 48 ^200$
51 2005
Our implementation of regular expressions is not literal. Substring matching is enabled by default. Specifying 200 (no underscores) results in a match on 200 and on 2005. The underscore metacharacter disables substring matching.
For information on using AS-path access lists, see Access Lists on page 1-16. For information on using community lists, see Community Lists on page 1-31.
1-43
There is no no version.
ip refresh-route
Use to reinstall routes removed from the IP routing table by the clear ip route command. Example
host1#ip refresh-route
There is no no version.
Community lists
host1#show ip community-list
Prefix lists
host1#show ip prefix-list
1-44
Prefix trees
host1#show ip prefix-tree
Protocols
host1#show ip protocols
Redistribution policies
host1#show ip redistribute
Routes
host1#show ip route
Route maps
host1#show route-map
Static routes
host1#show ip static
IP traffic
host1#show ip traffic
You can use the output filtering feature of the show command to include or exclude lines of output based on a text string you specify. Refer to E-Series System Basics Configuration Guide, Chapter 2, Command Line Interface, for details.
show access-list
Use to display information about access lists. The displayed information includes the instances of each access list. Use the detail keyword to display the automatically assigned element ID for each access-list entry. Only rules that you explicitly create have element IDs. Example
host1#show access-list IP Access List 1: permit ip host 172.31.192.217 any permit ip 12.40.0.0 0.0.0.3 any deny ip any any IP Access List 2: permit ip 172.19.0.0 0.0.255.255 any deny ip 0.0.0.0 255.255.255.255 any IP Access List 10: permit ip any any
1-45
IP Access List 11: deny ip any any host1#show access-list detail IP Access List 1: 1: permit ip host 172.31.192.217 any 2: permit ip 12.40.0.0 0.0.0.3 any deny ip any any
show ip as-path-access-list
Use to display information about AS-path access lists. Example
host1#show ip as-path-access-list AS Path Access List 1: permit deny permit deny permit deny deny permit deny .* .* _109$ ^108_ .* _109$ .* _109_ .* AS Path Access List 2: AS Path Access List 3:
show ip community-list
Use to display community list information. Display varies based on whether you issued the ip bgp community new-format command. Example 1. If you did not issue the ip bgp community new-format command, the display appears as follows:
host1#show ip community-list Community List 1: permit permit permit deny permit permit 81200109 81200110 81200108 81200109 81200110 81200108
Community List 2:
1-46
Community List 5: permit no-advertise Community List 6: permit no-export Community List 7: permit internet
Example 2. If you did issue the ip bgp community new-format command, the display appears as follows:
host1#show ip community-list Community List 1: permit 1239:1005 permit 1239:1006 permit 1239:1004 Community List 2: deny 1239:1005 permit 1239:1006 permit 1239:1004 Community List 4: permit local-as Community List 5: permit no-advertise Community List 6: permit no-export Community List 7: permit internet
show ip prefix-list
Use to display information about the prefix lists currently configured on the router. Example
host1#show ip prefix-list Prefix-list with the last deletion/insertion: def ip prefix-list name abc: 4 entries seq 5 permit 192.168.0.0/16 le 24 seq 10 permit 192.178.0.0/16 le 24 seq 15 deny 195.178.0.0/16 le 24 seq 20 deny 195.178.0.0/16 le 32 ip prefix-list name def: 1 entries seq 5 deny 192.170.0.0/16
Example
host1#show ip prefix-list summary Total memory used for prefix-list: 310 bytes Prefix-list with the last deletion/insertion: def ip prefix-list name abc: count: 4, range entries: 4, sequences: 5-20
1-47
show ip prefix-tree
Use to display information about the prefix trees currently configured on the router. Example
host1#show ip prefix-tree Prefix-tree with the last deletion/insertion: t_abc5 ip prefix-tree name t_abc1: 1 entries permit 108.243.0.0/16 ip prefix-tree name t_abc2: 3 entries permit 101.10.254.0/24 permit 102.10.248.0/21 permit 103.10.192.0/18 permit 108.109.0.0/16 permit 108.109.241.0/24 ip prefix-tree name t_abc3: 1 entries deny 108.0.0.0/8
Example
host1#show ip prefix-tree summary Total memory used for prefix-tree: 860 bytes Prefix-tree with the last deletion/insertion: t_abc5 ip prefix-tree name t_abc1: count: 1 ip prefix-tree name t_abc2: count: 5 ip prefix-tree name t_abc3: count: 1
show ip protocols
Use to display detailed information about the protocols currently configured on the router. Use the summary keyword to display only a list of the configured protocols. For field descriptions, see the show commands for the individual routing protocols in their respective Configuration Guide chapters. Example
host1#show ip protocols Routing Protocol is bgp 1 Default local preference is 100 IGP synchronization is enabled Always compare MED is disabled Router flap damping is disabled Administrative Distance: external 20 internal 200 local 200
1-48
Neighbor(s): No neighbors are configured Routing for Networks: Routing Protocol is ospf 255 with Router ID 100.100.100.1 Distance is 110 Address Summarization: None Routing for Networks: Routing Protocol is rip Router Administrative State: enable System version RIP1: send = 1, receive = 1 or 2 Update interval: 30 seconds Invalid after: 180 seconds hold down time: 120 seconds flushed interval: 300 seconds Filter applied to outgoing route update is not set Filter applied to incoming route update is not set No global route map Distance is 120 Interface Tx Rx Auth
show ip redistribute
Use to display configured route redistribution policy. Field descriptions
To protocol into which routes are distributed From protocol from which routes are distributed status redistribution status route map number number of the route map
host1#show ip redistribute To ospf, From static is enabled with route map 4 To ospf, From connected is enabled with route map 3
Example
1-49
show ip route
Use to display the current state of the routing table, including routes not used for forwarding. You can display all routes, a specific route, all routes beginning with a specified address, routes for a particular protocol (BGP, IS-IS, OSPF, or RIP), locally connected routes, internal control routes, static routes, or summary counters for the routing table. Field descriptions
Prefix IP address prefix Length prefix length Type protocol type Next Hop IP address of the next hop Dist distance metric for the route Met number of hops Intf interface type and interface specifier
Example 1
host1#show ip route Protocol/Route type codes: I1- ISIS level 1, I2- ISIS level2, I- route type intra, IA- route type inter, E- route type external, i- metric type internal, e- metric type external, O- OSPF, E1- external type 1, E2- external type2, N1- NSSA external type1, N2- NSSA external type2 Prefix/Length ------------172.16.2.0/24 10.10.0.112/32 10.1.1.0/24 Type ---Bgp Static Next Hop -------192.168.1.102 192.168.1.1 Dist/Met -------20/1 1/1 0/1 Intf -----fastEthernet0/0 fastEthernet0/0 atm3/0.100
Connect 10.1.1.1
Example 2
host1#show ip route static Protocol/Route type codes: I1- ISIS level 1, I2- ISIS level2, I- route type intra, IA- route type inter, E- route type external, i- metric type internal, e- metric type external, O- OSPF, E1- external type 1, E2- external type2, N1- NSSA external type1, N2- NSSA external type2 Prefix/Length ------------10.10.0.112/32
Type ---Static
Dist/Met --------
Intf ------
fastEthernet0/0
1-50
Example 3
host1#show ip route summary 5 total routes, 720 bytes in route entries 0 isis routes 0 rip routes 1 static routes 1 connected routes 0 bgp routes 0 ospf routes 3 other internal routes 0 access routes 0 internally created access host routes Last route added/deleted: 0.0.0.0/0 by StaticLow At THU MAR 09 2000 05:22:49 UTC
slotNumber number of slot containing the line module for which the
information is displayed
IP address address reachable via the interface Interface interface type and specifier associated with the IP address;
displays Local Interface if a special interface index is present in the routing table for special IP addresses, such as broadcast addresses
Next Hop next hop to reach the IP address; displays --- if no next hop is
associated with the IP address Example 1
host1#show ip route slot 6 10.10.0.231 IP address -----------10.10.0.231 Interface ---------------fastEthernet 6/0 Next Hop -----------10.10.0.231
Example 2
host1#show ip route slot 9 90.248.1.2 IP address -----------90.248.1.2 Interface ---------------serial9/23:2 Next Hop --------------
Example 3
host1#show ip route slot 9 90.249.255.255 IP address -----------Interface ---------------Next Hop --------------
1-51
show ip static
Use to display the status of static routes in the routing table. You can specify an optional IP mask that filters specific routes. Field descriptions
Prefix IP address prefix Length prefix length Next Hop IP address of the next hop Met number of hops Dist administrative distance or weight assigned to the route Tag tag value assigned to the route Intf interface type and interface specifier
host1#show ip static Prefix/Length 10.2.0.0/24 10.2.1.0/24 172.31.1.48/32 Next Hop: 192.168.1.1 192.168.1.1 172.18.2.2 Met: Dist: 1 1 1 1 1 1 Tag: 0 1 0 Intf: ethernet6/0 ethernet6/0 atm5/1.1
Example
show ip traffic
Use to display statistics about IP traffic. Field descriptions
IP Statistics Rcvd:
Router Id router ID number total number of frames received local destination frames with this router as their destinations hdr errors number of packets containing header errors addr errors number of packets containing addressing errors unkn proto number of packets received containing unknown protocols discards number of discarded packets
IP Statistics Frags:
reassembled number of reassembled packets reasm timed out number of reassembled packets that timed out reasm req number of requests for reassembly reasm fails number of reassembly failures frag ok number of fragmented packets reassembled successfully frag fail number of fragmented packets reassembled unsuccessfully frag creates number of packets created by fragmentation
1-52
IP Statistics Sent:
forwarded number of packets forwarded generated number of packets generated out disc number of outbound packets discarded no routes number of packets that could not be routed routing discards number of packets that could not be routed that were discarded
IP Statistics Route:
routes in table number of routes in the routing table timestamp req number of requests for a timestamp timestamp rpy number of replies to timestamp requests addr mask req number of address mask requests addr mask rpy number of address mask replies
1-53
OSPF Statistics not supported for this version of the router IGMP Statistics not supported for this version of the router ARP Statistics not supported for this version of the router
Example
host1#show ip traffic IP statistics: Router Id: 172.31.192.217 Rcvd: 97833 total, 171059 local destination 167 unkn proto, 0 discards Frags: 4 reassembled, 30 reasm timed out, 8 reasm req 0 reasm fails, 145 frag ok, 0 frag fail 290 frag creates 0 hdr errors, 0 addr errors
1-54
Sent:
Route: 57680 routes in table 0 timestamp req, 0 timestamp rpy 0 addr mask req, 0 addr mask rpy ICMP statistics: Rcvd: 561 total, 0 errors, 15 dst unreach 0 time exceed, 0 param probs, 0 src quench 0 redirects, 0 echo req, 0 echo rpy 0 timestamp req, 0 timestamp rpy 0 addr mask req, 0 addr mask rpy Sent: 0 total, 0 errors, 0 dest unreach 0 time excd, 0 param prob, 0 src quench 0 redirects, 0 echo req, 0 echo rpy UDP Statistics: Rcvd: 93326 total, 0 checksum errors, 90610 no port Sent: 0 total, 0 errors TCP Global Statistics: Connections: 7358 attempted, 4 accepted, 7362 established 0 dropped, 14718 closed Rcvd: 75889 total pkts, 53591 in-sequence pkts, 3120283 bytes 0 chksum err pkts, 0 authentication err pkts, 0 bad offset 0 short pkts, 0 duplicate pkts, 0 out of order pkts Sent: 82318 total pkts, 44381 data pkts, 656321 bytes 34 retransmitted pkts, 487 retransmitted bytes OSPF Statistics: IGMP Statistics: ARP Statistics:
show route-map
Use to display the configured route maps. The displayed information includes the instances of each access list such as match and set commands. Example
host1(config)#route-map 1 permit 10 host1(config-route-map)#match community 44 host1(config-route-map)#set local-pref 400 host1(config-route-map)#exit host1(config)#exit host1#show route-map 1
1-55
route-map 1, permit, sequence 10 Match clauses: match community 44 Set clauses: set local-pref 400
1-56
Part 2
Internet Protocol
Configuring IP
2
Page 2-2 2-4 2-5 2-6 2-11 2-11 2-14 2-19 2-20 2-21 2-33 2-38 2-40 2-42 2-55
This chapter describes how to configure Internet Protocol (IP) routing on your E-series router.
Topic Overview References IP Features IP Addressing Before You Configure IP Creating a Profile Address Resolution Protocol (ARP) Broadcast Addressing Fragmentation IP Routing Shared IP Interfaces Internet Control Message Protocol Reachability Commands Response Time Reporter Monitoring IP
2-2
CHAPTER 2 Configuring IP
Overview
TCP/IP is a suite of data communications protocols. Two of the more important protocols in the suite are the Transmission Control Protocol (TCP) and the Internet Protocol (IP). IP provides the basic packet delivery service for all TCP/IP networks. IP is a connectionless protocol, which means that it does not exchange control information to establish an end-to-end connection before transmitting data. A connection-oriented protocol exchanges control information with the remote computer to verify that it is ready to receive data before sending it. IP relies on protocols in other layers to establish the connection if connection-oriented services are required and to provide error detection and error recovery. IP is sometimes called an unreliable protocol, because it contains no error detection or recovery code.
IP Packets
A packet is a block of data that carries with it the information necessary to deliver it to a destination address. A packet-switching network uses the addressing information in the packets to switch packets from one physical network to another, moving them toward their final destination. Each packet travels the network independently of any other packet. The datagram is the packet format defined by IP.
IP Functions
Some of the functions IP performs include: Moving data between the network access layer and the host-to-host transport layer Routing datagrams to remote hosts Fragmenting and reassembling datagrams
Moving Data Between Layers
When IP receives a datagram that is addressed to the local host, it must pass the data portion of the datagram to the correct host-to-host transport layer protocol. IP uses the protocol number in the datagram header to select the transport layer protocol. Each host-to-host transport layer protocol has a unique protocol number that identifies it to IP.
2-3
Internet gateways are commonly referred to as IP routers because they use IP to route packets between networks. In traditional TCP/IP terms, there are only two types of network devices: gateways and hosts. Gateways forward packets between networks, and hosts do not. However, if a host is connected to more than one network (called a multihomed host), it can forward packets between the networks. When a multihomed host forwards packets, it acts like any other gateway and is considered to be a gateway.
Fragmenting and Reassembling Datagrams
As a datagram is routed through different networks, it may be necessary for the IP module in a gateway to divide the datagram into smaller pieces. A datagram received from one network may be too large to be transmitted in a single packet on a different network. This condition occurs only when a gateway interconnects dissimilar physical networks. Each type of network has a maximum transmission unit (MTU) that determines the largest packet it can transfer. If the datagram received from one network is longer than the other networks MTU, it is necessary to divide the datagram into smaller fragments for transmission in a process called fragmentation. See Fragmentation later in this chapter.
IP Layering
TCP/IP is organized into four conceptual layers (as shown in Figure 2-1).
Application Transport
g013300
The network interface layer is the lowest level of the TCP/IP protocol stack. It is responsible for transmitting datagrams over the physical medium to their final destinations.
2-4
CHAPTER 2 Configuring IP
Internet Layer
The Internet layer is the second level of the TCP/IP protocol stack. It provides host-to-host communication. In this layer, packets are encapsulated into datagrams, routing algorithms are run, and the datagram is passed to the network interface layer for transmission on the attached network.
Transport Layer
The transport layer is the third level of the TCP/IP protocol stack. It is responsible for providing communication between applications residing in different hosts. By placing identifying information in the datagram (such as socket information), the transport layer enables process-to-process communication. The transport layer provides either a reliable transport service (TCP) or an unreliable service (User Data Protocol). In a reliable delivery service, the destination station acknowledges the receipt of a datagram.
Application Layer
The application layer is the fourth and highest level of the TCP/IP protocol stack. Some applications that run in this layer are: Telnet File Transfer Protocol (FTP) Simple Mail Transfer Protocol (SMTP) Simple Network Management Protocol (SNMP) Domain Name System (DNS)
References
For more information about IP, consult the following resources: RFC 768 User Datagram Protocol (August 1980) RFC 791 Internet Protocol DARPA Internet Program Protocol Specification (September 1981) RFC 792 Internet Control Message Protocol (September 1981) RFC 793 Transmission Control Protocol (September 1981) RFC 854 Telnet Protocol Specification (May 1983) RFC 919 Broadcasting Internet Datagrams (October 1984)
2-5
RFC 922 Broadcasting Internet Datagrams in the Presence of Subnets (October 1984) RFC 950 Internet Standard Subnetting Procedure (August 1985) RFC 1112 Host Extensions for IP Multicasting (August 1989) RFC 1122 Requirements for Internet HostsCommunication Layers (October 1989) RFC 1812 Requirements for IP Version 4 Routers (June 1995) E-Series Release Notes, Appendix A, System Maximums Refer to the Release Notes corresponding to your software release for information on maximum values.
IP Features
The E-series router supports the following IP features: Internet Control Message Protocol (ICMP) Traceroute User Datagram Protocol (UDP) Transmission Control Protocol (TCP) Classless interdomain routing (CIDR) Maximum transmission unit (MTU) Support for simultaneous multiple logical IP stacks on the same router Flexible IP address assignment to support any portion of a physical interface (for example, a channel or circuit), exactly one physical interface, or multilink PPP interfaces Packet segmentation and reassembly Loose source routing to specify the IP route Strict source routing to specify the IP route for each hop Record route to track the route taken Internet timestamp Broadcast addressing, both limited broadcast and directed broadcast
2-6
CHAPTER 2 Configuring IP
Support for 32,000 discrete, simultaneous IP interfaces per router to support thousands of logical connections Capability of detecting and reporting changes in the up or down state of any IP interface IP policy support. See Chapter 1, Configuring Routing Policy, for more information on policy configuration.
IP Addressing
This section provides an overview of IP addressing in general and includes a discussion of CIDR, which your router fully supports.
Physical and Logical Addresses
Physical node addresses are used at the network access layer to identify physical devices in a network. For example, each Ethernet controller comes from the manufacturer with a physical address, called a MAC address. IP implements a system of logical host addresses called IP addresses. The IP addresses are used by the internetwork and higher layers to identify devices and to perform internetwork routing. The Address Resolution Protocol (ARP) enables IP to identify the physical (MAC) address that matches a given IP address. You can use ARP only on Ethernet and bridged IP 1483 interfaces. IP is used by all protocols in the layers above and below it to deliver data. This means that all TCP/IP data flows through IP when it is sent and received, regardless of its final destination.
Internet Addresses
Internet addressing uses a 32-bit address field. The bits in this address field are numbered 0 to 31. The 32-bit address field consists of two parts: a network number and a host number whose boundaries are defined based on the class of IP address. Hosts attached to the same network must share a common prefix designating their network number. Four types of IP classes lend themselves to different network configurations, depending on the desired ratio of networks to hosts. Figure 2-2 shows the format of IP address classes.
2-7
1 0 1 0 1 1 1 1 2 1 2 0 3 0 3 Network 2
7 8 Local host address 15 16 Network Local host address 23 24 Network 4 Multicast address Local host address
31
31
31
31
Class A The leading bit is set to 0, a 7-bit number, and a 24-bit local host address. Up to 125 class A networks can be defined, with up to 16,777,214 hosts per network. Class B The two highest-order bits are set to 1 and 0, a 14-bit network number, and a 16-bit local host address. Up to 16,382 class B networks can be defined, with up to 65,534 hosts per network. Class C The three leading bits are set to 1, 1, and 0, a 21-bit network number, and an 8-bit local host address. Up to 2,097,152 class C networks can be defined, with up to 254 hosts per network. Class D The four highest-order bits are set to 1, 1, 1, and 0. Class D is used as a multicast address.
Subnet Addressing
A subnet is a subset of a class A, B, or C network. Subnets cannot be used with class D (multicast) addresses. A network mask is used to separate the network information from the host information on an IP address. Figure 2-3 shows the network mask 255.0.0.0 applied to network 10.0.0.0. The mask in binary notation is a series of 1s followed by a series of contiguous 0s. The 1s represent the network number; the 0s represent the host number. The sample address splits the IP address 10.0.0.1 into a network portion of 10 and a host portion of 0.0.1.
Note: The router supports a 31-bit mask on point-to-point links. This means that the IP address 1.2.3.4 255.255.255.254 is valid. A point-to-point link in which only one end supports the use of 31-bit prefixes may not operate correctly.
g013301
2-8
CHAPTER 2 Configuring IP
Decimal IP Address Mask 40. 0.0.1 255. 0.0.0 00101000 11111111 Network portion
Figure 2-3 Basic network masking
00000000
Host portion
Classes A, B, and C have the following natural masks, which define the network and host portions of each class: Class A natural mask 255.0.0. Class B natural mask 255.255.0.0 Class C natural mask 255.255.255.0 The use of masks can divide networks into subnetworks by extending the network portion of the address into the host portion. Subnetting increases the number of subnetworks and reduces the number of hosts. For example, a network of the form 10.0.0.0 accommodates one physical segment with about 16 million hosts on it. Figure 2-4 shows how the mask 255.255.0.0. is applied to network 10.0.0.0. The mask divides the IP address 10.0.0.1 into a network portion of 10, a subnet portion of 0, and a host portion of 0.1. The mask has borrowed a portion of the host space and has applied it to the network space. The network space of the class 10 has increased from a single network 10.0.0.0 to 256 subnetworks, ranging from 10.0.0.0 to 10.255.0.0. This process decreases the number of hosts per subnet from 16,777,216 to 65,536.
Decimal IP Address Mask 40. 0 .0.1 00101000 11111111 Network portion
Figure 2-4 Subnetting
Binary 00000000 00000000 00000001 00000000 00000000 00000000 Subnet portion Host portion
Classless interdomain routing (CIDR) is a system of addressing that improves the scaling factor of routing in the Internet. CIDR does not use an implicit mask based on the class of network. In CIDR, an IP network is represented by a prefix, which is an IP address and an indication of the leftmost contiguous significant bits within this address.
2-9
For example, without CIDR, the class C network address 192.56.0.0 would be an illegal address. With CIDR, the address becomes valid with the notation: 192.56.0.0/16. The /16 indicates that 16 bits of mask are being used (counting from the far left). This would be similar to an address 198.32.0.0. with a mask of 255.255.0.0. A network is called a supernet when the prefix boundary contains fewer bits than the networks natural mask. For example, a class C network 192.56.10.0 has a natural mask of 255.255.255.0. The representation 192.56.0.0/16 has a shorter mask than the natural mask (16 is less than 24), so it is a supernet. Figure 2-5 shows how CIDR can reduce the number of entries globally in Internet routing tables. A service provider has a group of customers with class C addresses that begin with 192.56. Despite this relationship, the service provider announces each of the networks individually into the global Internet routing mesh.
192.56.0.0 192.56.1.0 192.56.2.0
Service provider
192.56.255.0
192.56.255.0
Service provider
192.56.0.0/16
192.56.255.0
This section provides information on adding or deleting IP addresses. Multinetting is adding more than one IP address to an IP interfacethat is, a primary address and one or more secondary addresses. To make an interface unnumbered, see Setting Up an Unnumbered Interface later in this chapter.
2-10
CHAPTER 2 Configuring IP
The primary address must be the first address added to the interface. Adding a new primary address overwrites the existing primary address. You can change a secondary address to be the primary address on an interface only via SNMP. An unnumbered address is always the primary address; adding an unnumbered address, therefore, overwrites any other numbered address.
Deleting a Primary Address
You must always remove the primary address from an interface last. You cannot delete the primary address if the interface still has assigned secondary addresses.
Adding a Secondary (Multinet) Address
You cannot add a secondary address until you add the primary address. You cannot add a secondary address to bridged Ethernet interfaces. You cannot change a primary address to a secondary address. An interface can have multiple secondary addresses.
Deleting a Secondary Address
You must delete secondary addresses before deleting the primary address.
ip address Command
Use the following command to add addresses to or delete addresses from an interface:
ip address
Use to add a primary address or to add secondary addresses to an interface. To add multiple addresses to a single IP interface, use the secondary keyword. (Remember, if you add an address using the ip address command and do not include the secondary keyword, the new address becomes the primary address.)
2-11
Example this example adds a primary address (192.168.2.77) and two secondary addresses (172.31.7.22 and 10.8.7.22); the Fast Ethernet interface now has addresses in three networks.
host1(config)#interface fastEthernet 0/0 host1(config-if)#ip address 192.168.2.77 255.255.255.0 host1(config-if)#ip address 172.31.7.22 255.255.255.0 secondary host1(config-if)#ip address 10.8.7.22 255.255.255.0 secondary Note: You can use this command in Interface Configuration, Subinterface Configuration, or Profile Configuration mode.
Use the no version to remove an IP address. If you remove a primary IP address, IP processing is disabled on the interface.
Refer to the appropriate chapters for information on configuring a specific type of interface.
Note: If you choose to configure VRRP, we recommend that you complete all IP address configurations before you configure VRRP. See Chapter 11, Configuring VRRP, for additional information.
Creating a Profile
You can configure an IP interface dynamically by creating a profile. A profile is a set of characteristics that acts as a pattern that can be dynamically assigned to an IP interface. You can manage a large number of IP interfaces efficiently by creating a profile with a specific set of characteristics. In addition, you can create a profile to assign an IP interface to a virtual router.
2-12
CHAPTER 2 Configuring IP
A profile can contain one or more of the following characteristics: access-route Enables the creation of host access routes on an interface address Configures an IP address on an interface directed-broadcast Enables directed broadcast forwarding mtu Configures the maximum transmission unit for a network nat Configures the interface as inside or outside for Network Address Translation (NAT) redirects Enables transmission of ICMP redirect messages unnumbered Configures IP on this interface without a specific address virtual-router Specifies a virtual router to which interfaces created by this profile will be attached Use the profile command from Global Configuration mode to create or edit a profile. See E-Series Link Layer Configuration Guide, Chapter 13, Configuring Dynamic Interfaces for information on creating profiles and on other characteristics that can be applied to the profile.
host1(config)#profile acton host1(config-profile)#ip virtual-router warf host1(config-profile)#ip unnumbered atm 3/0
ip access-routes
Use to enable an access route in a profile. Example
host1(config)#profile foo host1(config-profile)#ip access-routes
ip address
Use to assign an IP address to a profile. You must first specify the layer 2 encapsulation before you can set the IP address for serial interfaces. Use the no version to remove the IP address assigned to the profile.
ip directed-broadcast
Use to enable a directed broadcast address in a profile. Use the no version to remove the directed broadcast address from the profile.
2-13
ip mtu
Use to assign the MTU size sent on an IP interface. Use the no version to remove the assignment from the profile.
ip redirects
Use to enable the sending of redirect messages if the software is forced to resend a packet through the same interface on which it was received. Use the no version to remove the assignment from the profile.
ip unnumbered
Use to specify the numbered interface with which dynamic unnumbered interfaces created with the profile are associated. You can specify an unnumbered interface using RADIUS instead of using the ip unnumbered command in a profile. Example
host1(config-profile)#ip unnumbered fastEthernet 0/0
ip virtual-router
Use to assign a virtual router to a profile. You can configure a virtual router using RADIUS instead of adding one to the profile by using the ip virtual-router command. Use the no version to remove the virtual router assignment.
profile
Use to create a profile. You specify a profile name with up to 80 characters. Example
host1(config)#profile foo
2-14
CHAPTER 2 Configuring IP
Assigning a Profile
To assign a profile to an interface, use the profile command from Interface mode.
profile
Use to assign a profile to a PPP interface. The profile configuration is used to dynamically create an upper IP interface. Example
host1(config-if)#interface serial 2/1 host1(config-if)#encapsulation ppp host1(config-if)#profile acton
2-15
The way ARP works can best be explained in a simple example. As shown in Figure 2-6, host 1 wants to send an IP packet to host 2 on a different subnet. To complete this transmission, host 1 needs the MAC address of router 1, to be used as the forwarding gateway. A typical scenario is:
1
Host 1 broadcasts an ARP request to all devices on subnet 1, composed by a query with the IP address of router 1. The IP address of router 1 is needed because host 2 is on a different subnet. All devices on subnet 1 compare their IP address with the enclosed IP address sent by host 1. Having the matching IP address, router 1 sends an ARP response, which includes its MAC address, to host 1.
host 1 2
10.0.0.10
2 3
1 subnet 1
MAC
10.0.0.10
?
10.0.0.10
00-90-1A-00-72-E0
3
MAC
2-16
CHAPTER 2 Configuring IP
4 5
Host 1 proceeds with its intended transmission of IP packet to layer 3 DA (host 2) using router 1s MAC address. Router 1 forwards IP packet to host 2. Router 1 may send an ARP request to identify the MAC of host 2.
host 1 4 subnet 1 interface address: 10.0.0.10/8 router 1 interface address: 20.0.0.10/8 5 host 2
g013113
IP packet
subnet 2
ARP forces all receiving hosts to compare their IP addresses with the IP address of the ARP request. Keeping the above example in mind, if host 1 sent another IP packet to host 2, host 1 would first check its ARP table for router 1s MAC address. If the default router/gateway becomes unavailable, then all the routing/packet forwarding to remote destinations ceases. Usually, it requires manual intervention to restore connectivity, even though alternative paths may be available. Alternatively, Virtual Router Redundancy Protocol (VRRP) may be used to prevent loss of connectivity. See Chapter 11, Configuring VRRP.
2-17
arp
Use to add a static (permanent) entry in the ARP cache. You specify one of the following:
ipAddress and macAddress of the interface ipAddress, interfaceType and interfaceSpecifier, and an optional MAC
address You can issue this command only for an Ethernet or bridged IP 1483 interface. Example
host1(config)#arp 192.56.20.1 0090.1a00.0170
arp timeout
Use to specify how long an entry remains in the ARP cache. On the FE-2 module, you can set the ARP timeout only on bridged IP 1483 and Fast Ethernet interfaces. You cannot set the timeout on the SRP module. The default value is 21,600 seconds (6 hours). Use the show config command to display the current value. If you specify a timeout of 0 seconds, entries are never cleared from the ARP cache. Example
host1(config-if)#arp timeout 8000
clear arp
Use to clear dynamic entries from the ARP cache. To clear a particular entry, specify all of the following:
There is no no version.
2-18
CHAPTER 2 Configuring IP
ip proxy-arp
Use the ip proxy-arp command to enable proxy ARP on an Ethernet or bridge1483 interface. Proxy ARP is enabled by default. Example
host1(config-if)#ip proxy-arp unrestricted
MAC address validation is a verification process performed on each incoming packet to prevent spoofing on IP Ethernet-based interfaces, including bridged Ethernet interfaces. When an incoming packet arrives on a layer 2 interface, the validation table is used to compare the packets source IP address with its MAC address. If the MAC address and IP address match, the packet is forwarded; if it does not match, the packet is dropped.
Note: MAC address validation for bridged Ethernet interfaces is supported only on OC12a line modules.
MAC address validation on the E-series router can be accomplished in two ways: You can statically configure it on a physical interface via the arp validate command You can allow DHCP to perform the function independently and dynamically. See DHCP in E-Series Link Layer Configuration Guide, Chapter 8, Configuring Bridged IP. The arp validate command adds the IP-MAC address pair to the validation table maintained on the physical interface. If the validation is added statically via the CLI, the IP addressMAC address pairs are stored in NVS. The entries are used for MAC validation only if MAC validation is enabled on the interface via the ip mac-validate command.
Caution: When you configure an interface using the arp validate command, you cannot overwrite the ARP values that were added by DHCP.
You can enable or disable MAC address validation on a per interface basis by issuing the ip mac-validate command. See E-Series Physical Layer Configuration Guide, Chapter 6, Configuring Ethernet Interfaces or E-Series Link Layer Configuration Guide, Chapter 9, Configuring Bridged Ethernet for information.
2-19
arp validate
Use to add IP addressMAC address validation pairs. When validation is enabled, all packets with the source IP address received on this IP interface are validated against the IP-MAC entries. You specify one of the following:
ipAddress and macAddress of the interface ipAddress, interfaceType and interfaceSpecifier, and an optional MAC
address You can issue this command only for an IP Ethernet-based interface. For subscriber interface configurations, the IP addressMAC address pair must have a matching source prefix that already exists on the subscriber interface. If the matching source prefix does not exist, the IPMAC address pair is rejected. See E-Series Broadband Access Configuration Guide, Chapter 8, Configuring Subscriber Interfaces for information about using subscriber interfaces. The following example shows packets originating from host 192.56.20.1 and validated at Gigabit Ethernet interface with the MAC address 0090.1a00.0170.
host1(config)#arp 192.56.20.1 gig 2/0 0090.1a00.0170 validate
The following example shows the subscriber interface MAC address validation enabled.
host1(config)#arp 192.168.32.0 ip subsc 1 000.0001.8100
Broadcast Addressing
A broadcast is a data packet destined for all hosts on a particular physical network. Network hosts recognize broadcasts by special addresses. The router supports the following kinds of broadcast types: Limited broadcast A packet is sent to a specific network or series of networks. A limited broadcast address includes the network or subnet fields. In a limited broadcast packet destined for a local network, the network identifier portion and host identifier portion of the destination address is either all ones (255.255.255.255) or all zeros (0.0.0.0). Flooded broadcast A packet is sent to every network. Directed broadcast A packet is sent to a specific destination address where only the host portion of the IP address is either all ones or all zeros (such as 192.20.255.255 or 190.20.0.0). Several early IP implementations do not use the current broadcast address standard. Instead, they use the old standard, which calls for all zeros instead of all ones to indicate broadcast addresses. Many of these implementations do not recognize a broadcast address of all ones and fail
2-20
CHAPTER 2 Configuring IP
to respond to the broadcast correctly. Others forward broadcasts of all ones, which causes a serious network overload known as a broadcast storm. Implementations that exhibit these problems include systems based on versions of BSD UNIX before version 4.3. Routers provide some protection from broadcast storms by limiting their extent to the local cable. Bridges (including intelligent bridges), because they are layer 2 devices, forward broadcasts to all network segments, thus propagating all broadcast storms. The best solution to the broadcast storm is to use a single broadcast address scheme on a network. Most IP implementations allow the network manager to set the address to be used as the broadcast address. Many implementations of IP, including the one on your router, can accept and interpret all possible forms of broadcast addresses.
Broadcast Tasks
There are two broadcast-related IP commands you can use to perform broadcast-related tasks.
ip broadcast-address
Use to broadcast to all addresses in the host portion of an IP address. You specify an IP address to set the broadcast address. Example
host1(config-if)#ip broadcast-address 255.255.255.255
ip directed-broadcast
Use to enable translation of directed broadcasts to physical broadcasts. Example
host1(config-if)#ip directed-broadcast
Fragmentation
Fragmentation is the process of segmenting a large IP datagram into several smaller pieces. Fragmentation is required when IP must transmit a large packet through a network that transmits smaller packets, or when the MTU size of the other network is smaller. By default, the router does not fragment the packet if the dont-fragment bit (DF bit) is set in the IP header. You can specify that the router not consider the DF bit before determining whether to fragment a packet.
2-21
Note: It is possible that lower-layer protocols may also set the MTU value. If MTU values set in lower layers differ from the one set at the IP layer, the router always uses the MTU lower-layers value.
ip ignore-df-bit
Use to force the router to ignore the DF bit if it is set in the IP packet header for packets on an interface. Example
host1(config-if)#ip ignore-df-bit
Use the no version to restore the default behavior, which is to consider the DF bit before fragmentation.
ip mtu
Use to set the MTU size of IP packets sent on an interface. The range is 12810240. Example
host1(config-if)#ip mtu 1000
IP Routing
The Internet is a large collection of hosts that communicate with each other and use routers as intermediate packet switches. Routers forward a packet through the interconnected system of networks and routers until the packet reaches a router that is attached to the same network as the destination host. The router delivers the packet to the specified host on its local network.
Routing Information Tables
A router makes forwarding decisions based on the information that is contained in its routing table. Routers announce and receive route information to and from other routers. They build tables of routes based on the collected information on all the best paths to all the destinations they know how to reach. Each configured protocol has one or more local routing tables, sometimes referred to as a routing information base (RIB). This table is a database local to the protocol that contains all the routes known by that protocol to the prefixes in the table. For example, OSPF might have four different routes to 10.23.40.5.32. Only one of these routes is the best route to that prefix known to OSPF, but all four routes are in the OSPF local routing table.
2-22
CHAPTER 2 Configuring IP
The global routing table is a database maintained by IP on the SRP module. It contains at most one route per protocol to each prefix in the table. Each of these routes is the best route known by a given protocol to get to that prefix. The IP routing table does not, for example, have two OSPF routes to 10.5.11.0/24; it will have only one (if any) OSPF route to that prefix. It might also have a BGP route to the prefix, and a RIP route to the prefix, but no more than one route to a prefix per protocol. IP compares the administrative distances for the routes to each prefix and selects the overall best route regardless of protocol. The best route to 10.5.11.0/24 might be via IS-IS. The best route to 192.168.0.0/16 might be via EBGP, and so on. These selected overall best routes to each prefix are used to create the forwarding table. The forwarding table is pushed to each line module. The line modules use their local instance of the forwarding table to forward the packets that they receive. When the global IP routing table is updated, so are the forwarding tables on the line modules. Figure 2-8 illustrates a very simple network composed of three networks and two routers. The hosts that are attached to each network are not shown, because each router makes its forwarding decisions based on the network number and not on the address of each individual host. The router uses ARP to find the physical address that corresponds to the Internet address for any host or router on networks directly connected to it.
10.1.0.0/16 10.5.0.0/30 10.2.0.0/16
10.1.0.1
NY 10.5.0.2
10.5.0.3
LA
g013456
10.2.0.1
Table 2-1 and Table 2-2 represent information from the routing tables for routers NY and LA. Each routing table contains one entry for each route for each protocol or route type. Each routing table entry includes the following information: The destination IP network address. The IP address of the next-hop router. The type of network, such as static, directly connected, or the particular protocol.
2-23
An administrative distance that is used to select the least-cost route among multiple routes to the same destination network. The least-cost (best) route is placed in the forwarding table. The administrative distance is not included in the forwarding table. A metric that is used by protocols to which the route is redistributed to select the least-cost route among multiple routes to the same destination network. The metric is not used to determine the best route to be placed in the forwarding table. The metric is also not listed in the forwarding table.
Table 2-1 Routing table for router NY Destination Network 10.1.0.0/16 10.2.0.0/16 10.2.0.0/16 10.2.0.0/16 10.2.0.0/16 10.5.0.0/30 Next-Hop Router 10.1.0.1 10.5.0.3 10.5.0.3 10.5.0.3 10.5.0.3 10.5.0.2 Route type connected OSPF IS-IS EBGP RIP connected Administrative Distance 0 110 115 20 120 0 Metric 0 10 10 15 5 0
Table 2-2 Routing table for router LA Destination Network 10.1.0.0/16 10.1.0.0/16 10.1.0.0/16 10.2.0.0/16 10.5.0.0/30 Next-Hop Router 10.5.0.2 10.5.0.2 10.5.0.2 10.2.0.1 10.5.0.3 Route type static OSPF RIP connected connected Administrative Distance 1 110 120 0 0 Metric 0 10 4 0 0
The administrative distance is an integer that is associated with each route known to a router. The distance represents how reliable the source of the route is considered to be. A lower value is preferred over a higher value. An administrative distance of 255 indicates no confidence in the source; routes with this distance are not installed in the routing table. Table 2-3 shows the default distance for each type of source from which a route can be learned.
2-24
CHAPTER 2 Configuring IP
Table 2-3 Default administrative distances for route sources Route Source Connected interface Static route Internal access route Access route External BGP OSPF IS-IS RIP Internal BGP Unknown Default Distance 0 1 2 3 20 110 115 120 200 255
If the IP routing table contains several routes to the same prefixfor example, an OSPF route and a RIP routethe route with the lowest administrative distance is used for forwarding. To set the administrative distance for BGP routes, see Setting the Administrative Distance for a Route in E-Series Routing Protocols Configuration Guide, Vol. 2, Chapter 1, Configuring BGP Routing. To set the administrative distance for RIP, IS-IS, and OSPF, use the following distance commands in Router Configuration mode.
distance
Use to set an administrative distance for RIP or OSPF routes in the range 0255. For RIP routes, the default value is 120. For OSPF routes, the default value is 110. Example
host1(config)#router rip host1(config-router)#distance 100
distance ip
Use to set the administrative distance for IS-IS routes in the range 1255. Example
host1(config)#router isis host1(config-router)#distance 80 ip
2-25
For information on how to set a metric for a route, see E-Series Routing Protocols Configuration Guide, Vol. 1, Chapter 1, Configuring Routing Policy as well as the individual routing protocol chapters in E-Series Routing Protocols Configuration Guide, Vol. 1 and E-Series Routing Protocols Configuration Guide, Vol. 2.
Routing Operations
Routers keep track of next-hop information that enables a data packet to reach its destination through the network. A router that does not have a direct physical connection to the destination checks its routing table and forwards packets to another next-hop router that is closer to that destination. This process continues until the packet reaches its final destination.
Identifying a Router Within an Autonomous System
The router ID is commonly one of the routers defined IP addresses. Although the router ID is, by convention, formatted as an IP address, it is not required to be a configured address of the router. If you do not use the ip router-id command to assign a router ID, the router uses one of its configured IP addresses as the router ID.
ip router-id
Use to assign a router IDa unique identifier that IP routing protocols use to identify the router within an autonomous system. Example
host1(config)#ip router-id 192.32.15.23
You can set a destination to receive and send traffic by a specific route through the network.
ip route
Use to establish a static route. Example
host1(config)#ip route 192.56.15.23 255.255.255.0 192.66.0.1
Use the no version to remove a static route from the routing table.
2-26
CHAPTER 2 Configuring IP
A router examines its routing table to find a path for each packet. If the router cannot locate a route, it must discard the packet. You can set up a default route using the special address: 0.0.0.0. If the router cannot locate a path to a destination network and a default route is defined, the router forwards the packet to the default router. For example:
host1(config)#ip route 0.0.0.0 0.0.0.0 192.56.21.3
Default routes are typically used to reduce the size of the routing table. Routing is simplified because the router can test for a few local networks or use the default route. However, a disadvantage of default routes is the possible creation of multiple paths and routing loops.
Setting Up an Unnumbered Interface
An unnumbered interface does not have an IP address assigned to it. Unnumbered interfaces are often used in point-to-point connections where an IP address is not required.
ip unnumbered
Use to set up an unnumbered interface. This command enables IP processing on an interface without assigning an explicit IP address to the interface. You supply an interface location, which is the type and number of another interface on which the router has an assigned IP address. This interface cannot be another unnumbered interface. Example
host1(config-if)#ip unnumbered fastEthernet 0/0
You can enable the ability to create host access routes on a PPP interface. This feature is useful in B-RAS applications.
ip access-routes
Use to enable the ability to create host access routes on a PPP interface. Example
host1(config-if)#ip access-routes
2-27
Source address validation verifies that a packet has been sent from a valid source address. When a packet arrives on an interface, the router performs a routing table lookup using the source address. The result from the routing table lookup is an interface to which packets destined for that address are routed. This interface must match the interface on which the packet arrived. If it does not match, the router drops the packet.
ip sa-validate
Use to enable source address validation. Example
host1(config-if)#ip sa-validate
The router lets you disable an interface at the IP level without removing it.
ip shutdown
Use to shut down an IP interface. Example
host1(config-if)#ip shutdown
Clearing IP Routes
The router enables you to clear the specified routing entries from the routing table. You must specify the IP address prefix and the mask of the IP address prefix to clear specific routes. You can later reinstall the routes you have cleared.
2-28
CHAPTER 2 Configuring IP
clear ip routes
Use to clear specified IP routes according to an IP prefix or a VPN routing and forwarding (VRF) table. Use an asterisk (*) to clear all dynamic routes from the routing table. Example
host1#clear ip routes *
There is no no version.
ip refresh-route
Use to enable the owning protocols (BGP, IS-IS, OSPF) to reinstall routes removed from the IP routing table by the clear ip routes command. Example
host1#ip refresh-route
There is no no version.
Clearing IP Interfaces
The router enables you to clear the counters on the specified IP interface(s).
clear ip interface
Use to clear a specified IP interface. Example
host1#clear ip interface pos 2/0
There is no no version.
Setting a Baseline
There is no no version.
2-29
The router allows you to disable forwarding of packets on an SRP Ethernet interface.
ip disable-forwarding
Use to disable forwarding of packets on the SRP Ethernet interface. The purpose of this command is to maintain router performance by maximizing the CPU time available for routing protocols. Although you can allow data forwarding on the SRP Ethernet interface, router performance will be affected. You see an error message if you try to set this command for interfaces other than the SRP Ethernet interface. Example
host1(config-if)#ip disable-forwarding
IP packets are normally routed according to the destination address they contain based on the routing table at each hop through a path. The originator or source of the source-routed packets specifies the path (the series of hops) that the packets must traverse; the source makes the routing decisions. The source can specify either of the following types of source routing: Strict-source routing specifies every hop that the packet must traverse. The specified path consists of adjacent hops. The source generates an ICMP error if the exact path cannot be followed. For example, for a path going from source router A to router B to router C to router D, router A would specify a strict-source route as B, C, D. Loose-source routing specifies a set of hops that the packet must traverse, but not necessarily every hop in the path. That is, the specified hops do not have to be adjacent. For example, for a path going from source router A to router B to router C to router D, router A would specify a loose-source route as B, D or C, D, or B, C, D.
ip source-route
Use to enable forwarding of source-routed packets. Forwarding is enabled by default. Example
host1#ip source-route
2-30
CHAPTER 2 Configuring IP
The router enables you to force an IP interface to appear as if it is up, regardless of the state of the lower layers.
ip alwaysup
Use to force an IP interface to appear as up regardless of the state of lower layers. This command reduces route topology changes when the network attached to this link is single-homed. Example
host1(config-if)#ip alwaysup
Use the no version to make the interface appear in the current state.
You can set a debounce time that requires an IP interface to be in a given statefor example, up or downfor the specified time before the state is reported. This feature prevents a link that briefly goes up or down from causing an unnecessary topology change, for example by causing an interface down condition.
ip debounce-time
Use to set the interval for which an interface must maintain a given state before the state change is reported. Example
host1(config)#ip debounce-time 5000
Adding a Description
The router enables you to add a text description or an alias to an IP interface or subinterface. Adding a description helps you identify the interface and keep track of interface connections.
Note: The ip description command is replacing the description command to assign a description to an IP interface.
ip description
Use to assign a text description or an alias to an IP interface or subinterface. The description or alias can be a maximum of 256 characters. Use the show ip interface command to display the text description.
2-31
Examples
host1(config-if)#ip description canada01 ip interface host1(config-subif)#ip description montreal011 ip subinterface
Equal-cost multipath (ECMP) sets are formed when the router finds routing table entries for the same destination with equal cost. You can add routing table entries manually (as static routes), or they are formed as routers discover their neighbors and exchange routing tables (via OSPF, BGP, and other routing protocols). The router then balances traffic across these sets of equal-cost paths by using one of the following ECMP modes: Hashed uses hashing of source and destination addresses to determine which of the available paths in the ECMP set to use Round-robin distributes packets equally among the available paths in the ECMP set
2-32
CHAPTER 2 Configuring IP
ip multipath round-robin
Use to specify round-robin as the mode for ECMP load sharing on an interface. ECMP uses the round-robin mode when you have configured all interfaces in the set to round-robin. Otherwise, ECMP defaults to hashed mode because round-robin mode could cause reordering of packets. You must explicitly ensure that the possible reordering is acceptable on all the member interfaces by setting them to round-robin mode. Use the no version to set the ECMP mode to the default, hashed. Example
host1(config)#virtual-router router_0 host1:router_0(config)#interface serial 4/0:1/22.22 host1:router_0(config-subif)#ip multipath round-robin host1:router_0(config-subif)#exit host1:router_0(config)#exit host1:router_0#show ip interface serial 4/0:1/22.22 serial4/0:1/22.22 is up, line protocol is up Network Protocols: IP Internet address is 190.121.1.1/255.255.0.0 Broadcast address is 255.255.255.255 Operational MTU = 1600 Administrative MTU = 0 Administrative speed = 0 Operational speed = 64000
Router advertisement = disabled Administrative debounce-time = disabled Operational debounce-time Access routing = disabled Multipath mode = round-robin In Received Packets 0, Bytes 0 In Policed Packets 0, Bytes 0 In Error Packets 0 In Invalid Source Address Packets 0 Out Forwarded Packets 0, Bytes 0 Out Scheduler Drops Packets 0, Bytes 0 = disabled
maximum-paths
Use to control the maximum number of parallel routes that the routing protocol (BGP, IS-IS, OSPF, or RIP) can support. The maximum number of routes can range from 16 for BGP and from 116 for IS-IS, OSPF, or RIP. Example
host1(config-router)#maximum-paths 2
Use the no version to restore the default value, 1 for BGP or 4 for IS-IS, OSPF, or RIP.
2-33
You can use the ip ttl command to set the TTL (time-to-live) field in the IP header for all IP operations. The TTL specifies a hop count. This configured TTL value can be overridden by other commands that specify a TTL.
ip ttl
Use to set a default value for the IP header TTL field for all IP operations. Example
host1(config)#ip ttl 255
Shared IP Interfaces
You can create multiple shared IP interfaces over the same layer 2 logical interfacefor example, atm 5/3.101enabling more than one IP interface to share the same logical resources. This capability is useful, for example, when data received in one VPN routing and forwarding (VRF) needs to be forwarded out an interface in another VRF, such as for BGP/MPLS VPNs (see E-Series Routing Protocols Configuration Guide, Vol. 2, Chapter 3, Configuring BGP/MPLS VPNs, for more information). You can configure one or more shared IP interfaces. Data sent over shared interfaces uses the same layer 2 interface. You can configure shared interfaces as you would unshared IP interfaces. Each shared interface has its own statistics. Some layer 2 interfaces require a primary IP interface to negotiate certain IP parametersfor example, IPCP for PPP, ARP for Ethernet, and Inverse ARP for Frame Relay. If you do not configure a primary IP interface in such cases, the layer 2 interface cannot become operationally up. A primary IP interface is the default interface for receiving data that arrives on the layer 2 interface. If you configure shared IP interfaces for the same layer 2 interface as your primary IP interface, by default data received on the layer 2 interface is received on the virtual router corresponding to the primary IP interface. A primary IP interface and all of its shared IP interfaces have the same interface location. You cannot configure a shared IP interface to receive data on the same layer 2 interface as a primary IP interface. You can delete primary and shared IP interfaces independently of each other.
2-34
CHAPTER 2 Configuring IP
You can create a primary IP interface as you do any other IP interface, as shown in the following example:
host1(config)#virtual-router vr-a:vrf-2 host1:vr-a:vrf-2:(config)#interface atm 5/3.101 host1:vr-a:vrf-2:(config-if)#ip address 10.1.1.1 255.255.255.255 host1:vr-a:vrf-2:(config-if)#exit
You do not have to configure a primary IP interface if you do not need one as described above. In the absence of a primary interface, you can still configure shared IP interfaces; however, in this scenario, data received on the layer 2 interface is discarded. You cannot create shared IP interfaces for the following kinds of interface: IP floating interfaces (IP interfaces that stack over MPLS stacked tunnels) Loopback interfaces Null interfaces For information about configuring shared IP interfaces to receive data on the same layer 2 interface as a primary IP interface, see E-Series Broadband Access Configuration Guide, Chapter 8, Configuring Subscriber Interfaces.
Configuring Prefixes for Dynamic Shared IP Interfaces
For the typical BGP/MPLS VPN scenario, shared interfaces are created dynamically based on VPN membership in support of overlapping VPNs. In screen output, dynamic interfaces are distinguished from those you configure statically by a prefix (default prefix is dyn). You can define the prefix with the ip dynamic-interface-prefix command. See E-Series Routing Protocols Configuration Guide, Vol. 2, Chapter 3, Configuring BGP/MPLS VPNs, for more information on VPNs and shared IP interfaces.
Configuring Shared IP Interfaces
To share IP interfaces:
1
2-35
Associate the shared IP interface with the layer 2 interface by one of the following methods: Statically
host1(config-if)#ip share-interface atm5/3.101
Dynamically
host1:vr-a:vrf-1(config-if)#ip share-nexthop 10.0.0.1
To fully configure the shared interface, assign an address (or make the interface unnumbered).
host1(config-if)#ip address 2.2.2.2 255.0.0.0
(Optional) For BGP/MPLS VPNs, configure a prefix for the shared IP interfaces.
host1(config-if)#ip dynamic-interface-prefix vrf2 rt66
interface ip
Use to create an IP interface for interface sharing. Use the specified name to refer to the shared IP interface; you cannot use the layer 2 interface to refer to them, because the shared interface can be moved. Example
host1(config)#interface ip si0
ip dynamic-interface-prefix
Use to specify the prefix that distinguishes dynamic shared IP interfaces (created for overlapping BGP/MPLS VPNs) from static shared IP interfaces. You can specify the VRF in which the shared IP interface is created. Dynamic shared IP interfaces are represented in screen output as
ipprefixvrfName-number
where prefix is the prefix you specified, vrfName is the VRF where the primary interface is located, and number is incremented as these interfaces are created.
2-36
CHAPTER 2 Configuring IP
Example
host1:pe1(config)#ip dynamic-interface-prefix vrf pe12 vpnsh host1:pe1(config)#exit host1:pe1#show ip vrf VRF Name pe11 Default RD 1:1 Interfaces null0 atm4/0.2 ipdynpe12-6 pe12 1:2 null0 ipvpnshpe11-5 atm4/0.3
ip share-interface
Use to specify the layer 2 interface used by a shared IP interface. The command fails if the layer 2 interface does not yet exist. If you issue this command on a shared IP interface, you cannot issue the ip share-nexthop command for the interface. After creating the shared IP interface, you can configure it as you would any other IP interface. The shared interface is operationally up when the layer 2 interface is operationally up. You can create operational shared IP interfaces in the absence of a primary IP interface. Example
host1(config-if)#ip share-interface atm5/3.101
Use the no version to remove the association between the layer 2 interface and the shared IP interface. You can delete shared and primary IP interfaces independently.
ip share-nexthop
Use to specify that the shared IP interface dynamically tracks a next hop. If the next hop changes, the shared IP interface moves to the new layer 2 interface associated with the IP interface toward the new next hop. If you issue this command on a shared IP interface, you cannot issue the ip share-interface command for the interface. If you specify a virtual router, the command fails if the VR does not already exist. If you do not specify a VR, the current VR is assumed. After creating the shared IP interface, you can configure it as you would any other IP interface. The shared interface is operationally up when the layer 2 interface associated with the specified next hop is operationally up. Use the no version to halt tracking of the next hop.
2-37
Moving IP Interfaces
You cannot directly move a primary IP interface. However, primary IP interfaces created dynamically by MPLS move when the underlying MPLS minor interface moves or changes. You can move an IP shared interface from one layer 2 interface to another by issuing the ip share-interface command to specify a different layer 2 interface. Moving an IP interface does not affect interface statistics, packets forwarded through the interface, or policies attached to the IP interface.
Example
The following commands create shared interface si0 on the layer 2 interface atm5/3.101:
host1(config)#virtual-router vr-a:vrf-1 host1:vr-a:vrf-1(config)#interface ip si0 host1:vr-a:vrf-1(config-if)#ip share-interface atm5/3.101 host1:vr-a:vrf-1(config-if)#exit
The following commands move shared interface si0 to the layer 2 interface atm5/3.201:
host1:vr-a:vrf-1(config)#interface ip si0 host1:vr-a:vrf-1(config-if)#ip share-interface atm5/3.201
Each shared interface has its own statistics. Packets transmitted on a shared IP interface are always counted only in the shared IP interface.
Subscriber Interfaces
A subscriber interface is an extension of a shared IP interface. Shared IP interfaces are unidirectionalthey can transmit but not receive traffic. In contrast, subscriber interfaces are bidirectionalthey can both receive and transmit traffic. For details about configuring and using subscriber interfaces, see E-Series Broadband Access Configuration Guide, Chapter 8, Configuring Subscriber Interfaces.
2-38
CHAPTER 2 Configuring IP
You can enable the following ICMP features: ICMP Router Discovery Protocol (IRDP) ICMP netmask reply Sending of IP redirects Generation of ICMP unreachable messages
2-39
ip irdp
Use to enable IRDP processing on an interface. Example
host1(config-if)#ip irdp
ip mask-reply
Use to enable ICMP netmask reply. Example
host1(config-if)#ip mask-reply
ip redirects
Use to enable the sending of redirect messages if software is forced to resend a packet through the same interface on which it was received. Example
host1(config-if)#ip redirects
ip unreachables
Use to enable the generation of an ICMP unreachable message when a packet is received that the router cannot deliver. Example
host1(config-if)#ip unreachables
By default, ICMP uses the IP address of the outgoing interface as the source IP address for the ICMP message. However, you can use the ip icmp update-source command to instruct ICMP to use an already configured interface or a specified IP address, as the source address of the ICMP message. For example, you can specify that ICMP use Fast Ethernet interface 1 in slot 0 as the source for any messages that it sends:
host1(config)#ip icmp update-source fastEthernet 0/1
You must use an already configured interface or an existing IP address when using the ip icmp update-source command. Also, you cannot specify a multicast address when using this command.
2-40
CHAPTER 2 Configuring IP
ip icmp update-source
Use to define an update source address for all ICMP messages that the E-series router generates from the specified interface. Example
host1#ip icmp update-source 192.35.42.1
Reachability Commands
Use the ping and traceroute commands to determine reachability of destinations in the network. Use the ping command to send an ICMP or ICMPv6 echo request packet. In the following example, the request packet is sent to IP address 192.35.42.1, with a packet count of 10 and a timeout value of 10 seconds:
host1#ping 192.35.42.1 10 timeout 10
Use the traceroute command to discover routes that router packets follow when traveling to their destination. In the following example, the trace destination IP address is 192.56.20.1, the maximum number of hops of the trace is 20, and the timeout value is 10 seconds:
host1#traceroute 192.56.20.1 20 timeout 10
ping
Use to send an ICMP or ICMPv6 echo request packet to the IP address that you specify. You can specify a VRF context. Use the source interface keywords to specify a source interface other than the one from which the probe originates. Use the source address keywords to specify a source IP address other than the one from which the probe originates. You can specify the following options:
data-pattern sets the type of bits contained in the packet to all ones, all
zeros, a random mixture of ones and zeros, or a specific hexadecimal data pattern that can range from 0x00xFFFFFFFF. The default is all zeros.
data-size sets the number of bytes comprising the IP packet and reflected
in the IP header in the range 064000; the default is 100 bytes
2-41
Dont-fragment bit to prevent IP from fragmenting the packet if it is too long for the MTU of a given link; if the nonfragmented packet cannot be delivered, it is discarded. Strict-source or loose-source routing, including the IP address of the hops the packets must traverse. For loose-source-route, you specify some or all of the hops, but they do not have to be adjacent. For strict-source-route, you must specify every adjacent hop through which the packet must traverse. The IP addresses to be recorded for a specified number of routers that the packets traverse The time that a packet traverses a router to be recorded for a specified number of routers An interface type and specifier of a destination address on the router that is configured for external loopback; the command succeeds only if the specified interface is configured for external loopback
sweep-sizes enables you to vary the sizes of the echo packets being sent.
This capability is useful for determining the minimum sizes of the MTUs configured on the nodes along the path to the destination address. Determining the minimum size reduces packet fragmentation, which contributes to performance problems. The default is not to sweep (all packets are the same size).
timeout sets the number of seconds to wait for an ICMP echo reply packet
before the connection attempt times out
ttl sets the time-to-live hop count in the range 1255; the default is 32
The following characters can appear in the display after issuing the ping command:
! reply received . timed out while waiting for a reply ? unknown packet type A address mask request message a address mask reply message D router discovery advertisement message d router discovery request message H host unreachable I information request message i information reply message L TTL expired message M could not fragment, DF bit set m parameter problem message
2-42
CHAPTER 2 Configuring IP
N network unreachable P protocol unreachable Q source quench r redirect message T timestamp request message t timestamp reply message U destination unreachable
host1(config)#interface serial 5/2:1/1 host1(config-if)#ip address 172.16.1.1 255.255.255.0 host1(config-if)#exit host1#ping 172.16.1.1 extended interface serial 5/2:1/1
Example
There is no no version.
traceroute
Use to discover the routes that router packets follow when traveling to their destination. You can specify:
A VRF context Destination IP or IPv6 address Source interface for each of the transmitted packets Source address for each of the transmitted packets Maximum number of hops of the trace and a timeout value Size of the IP packets (not the ICMP payload) in the range 064000 bytes sent with the traceroute command. Including a size might help locate any MTU problems that exist between your router and a particular device. DF bit for the transmitted packets
Extended IP header attributes, including the ToS byte and whether to set the
You can also force transmission of the packets on a specified interface regardless of what the IP address lookup indicates. Example
host1#traceroute 172.20.13.1 20 timeout 10
There is no no version.
2-43
Configuration Tasks
To configure RTR:
1 2
Configure the probe typean echo probe or a path echo probe. (Optional) Configure probe characteristics: frequency hops-of-statistics-kept (path echo) max-response-failure (path echo) operations-per-hop (path echo) owner request-data-size samples-of-history-kept tag timeout (echo) tos
Note: You cannot set any of these characteristics until you have set the probe type. The default values of these characteristics depend on the type of the entry.
3 4 5 6
(Optional) Set reaction conditions. Schedule the probe. (Optional) Capture statistics and collect error information. (Optional) Collect history.
Note: RTR configuration is associated with a specific virtual router, distinct from any other virtual router.
To begin configuring RTR, enter RTR Configuration mode and configure the probe typeeither an echo probe or a path echo probe.
rtr
Use to configure an RTR probe and to enter RTR Configuration mode. Example
host1(config)#rtr 1
Use the no version to delete all configuration information for an RTR probe.
2-44
CHAPTER 2 Configuring IP
type
Use to set an echo or path echo probe:
echo limited to end-to-end RTR operations; corresponds to SNMP ping pathEcho finds a path to the destination and echoes each device in the
path; corresponds to SNMP traceroute You must specify this value before any other. If you change the type for an existing RTR entry, all values are reset, including the administrative status. There is no default value. More than one RTR entry can become active, provided each entrys target address is unique. If you use a target address already configured for another RTR entry that is active, the test will not run if both entries are in the same virtual router. If they are in distinct virtual routers, however, there is no restriction. Example
host1(config-rtr)#type echo protocol ipIcmpEcho 10.10.0.9
Use the no version to remove the type configured for the probe.
In addition to configuring the probes type, you can configure the probe characteristics presented in Table 2-4.
Table 2-4 Probe characteristics Characteristic frequency hops-of-statistics-kept max-response-failure operations-per-hop owner request-data-size samples-of-history-kept tag timeout tos Description Time between tests (in seconds) Hops per path for which statistics are gathered Maximum number of consecutive failures Number of probes per hop Owner of the probe Requests payload size Maximum number of history samples User-defined tag Probe timeout (in milliseconds) A value for the TOS byte
frequency
Use to set the rate (in seconds) the RTR probe uses to start a response time operation. Example
host1(config-rtr)#frequency 90
2-45
operations-per-hop
Use to set the number of RTR probe operations sent to a given hop. You can apply this option only to a pathEcho type. Example
host1(config-rtr)#operations-per-hop 5
owner
Use to identify the owner of the probe. If the SNMP agent is the owner of the probe, the owners name may begin with agent. Example
host1(config-rtr)#owner 192.10.27.6 rtc.boston.com 555.1212
request-data-size
Use to set the protocol data size in the request packet. Example
host1(config-rtr)#request-data-size 20
tag
Use to set an identifier for the probe. Example
host1(config-rtr)#tag westford
timeout
Use to set the time (in milliseconds) that the probe waits for a response. You can apply this option only to an echo type. Do not set the value for timeout to more than the value set for frequency. If you do, it will be ignored. Example
host1(config-rtr)#timeout 3000
If you set the timeout to 0, no timeout is set. Use the no version to return to the default value, 5000 milliseconds.
2-46
CHAPTER 2 Configuring IP
tos
Use to set the type of service (ToS) byte in the probes IP header. Example
host1(config-rtr)#tos 16
Use the no version to return to the default value, 0. The default applies to both the echo and pathEcho types.
Capturing Statistics
The primary objective of RTR is to collect statistics and information on network performance. You can control the number and type of statistics collected.
hops-of-statistics-kept
Use to set the number of hops per path for which statistics are collected. When the number of hops reaches the specified number (that is, size), no additional statistical information on the path is stored. This option applies only to pathEcho entries. Example
host1(config-rtr)#hops-of-statistics-kept 5
To turn off this feature, set the value to 0. Use the no version to set the default, 16 hops.
max-response-failure
Use to set the maximum number of consecutive failures to respond to a probes request. When the maximum number is reached, the test stops. This option applies only to pathEcho entries. Example
host1(config-rtr)#max-response-failure 2
To turn off this feature, set the value to 0. Use the no version to set the default, 5 consecutive failures.
Collecting History
RTR can collect data samples for a given probe. These samples are referred to as history data. When RTR collects history, it refers to tests. A test is the lifetime of a probe operation.
2-47
samples-of-history-kept
Use to set the maximum number of entries in the history table for each RTR probe. This command enables you to control the number of samples saved in the history table. Because collecting history increases memory usage, you should do so only when there is a problem in your network. Example
host1(config-rtr)#samples-of-history-kept 5
If you set the number of samples to 0, no samples will be kept. Use the no version to set the default, 16 hops for pathEcho type; 1 hop for echo type.
You can set the RTR probe to react to events that take place and to send notifications about these events.
Note: The only no version for all the rtr reaction-configuration commands is no rtr reaction-configuration rtrIndex. Use the no version to clear all traps. This works for all the options.
There is no no version.
There is no no version.
2-48
CHAPTER 2 Configuring IP
Example
host1(config)#rtr reaction-configuration 1 path-change
There is no no version.
For echo, a successful test means that all probes were sent. For pathEcho, a successful test means that the destination was reached at
least once. At most, there can be one such event per test. Example
host1(config)#rtr reaction-configuration 1 test-completion
There is no no version.
If Echo, this event is triggered after testFailureValue probes are either not
received or are received after a timeout.
If PathEcho, this event is triggered when the test ends and no responses are
received from the destination. At most, there can be one such event per test. Example
host1(config)#rtr reaction-configuration 1 test-failure
There is no no version.
When you have configured the RTR probe, you must schedule the operation to begin collecting statistics and other information on problems that may arise.
rtr schedule
Use to create an RTR schedule. Example
host1(config)#rtr schedule 5
Use the no version to stop the test. The no version stops the probe operation by putting it in the pending state. The no version also resets the restart-time attribute and the life attribute.
2-49
If the type is echo, life relates to the number of probes sent until a test
finishes.
If the type is pathEcho, life relates to the maximum number of hops used by
the traceRoute trap. Example
host1(config)#rtr schedule 5 life 1800
Use the no version to stop the test. The no version stops the probe operation by putting it in the pending state. The no version also resets the life attribute.
Use the no version to stop the test. The no version stops the probe operation by putting it in the pending state. The no version also resets the restart-time attribute.
Use the no version to stop the test. The no version stops the probe operation by putting it in the pending state.
2-50
CHAPTER 2 Configuring IP
Monitoring RTR
numberOfEntries number of RTR entries according to type entriesEnabled RTR entries with administrative status enabled entriesActive RTR entries with operational status enabled
Example
host1#show rtr application numberOfEntries -----------------echo pathEcho total 1 1 2 entriesEnabled ----------------1 1 2 entriesActive --------------1 1 2
rtrIndex index number of the RTR probe operationsSent number of probe operations sent operationsRecvd number of probe operations received lastGoodResponse time when last valid probe operation was received operStatus operational status of the probe: enabled, disabled minRtt minimum round-trip time in milliseconds maxRtt maximum round-trip time in milliseconds avgRtt average round-trip time in milliseconds rttSumSqr sum of the square of all round-trip times in milliseconds testAttempts number of times the test ran testSuccesses number of times the test ran successfully currentHop current hop (TTL) used in the test currentOperation current probe operation index sent to the hop
2-51
Example
host1#show rtr collection-statistics Echo Entries: rtrIndex ---------1 rtrIndex ---------1 operationsSent -------------5208 operStatus ---------enabled PathEcho Entries: rtrIndex ---------2 rtrIndex ---------2 testAttempts -----------156 operStatus ---------enabled testSuccesses ------------156 currentHop ---------2 lastGoodResponse ---------------08/30/2000 05:09 currentOperation ---------------4 operationsRcvd -------------5187 minRtt -----0 lastGoodResponse ----------------
maxRtt -----1785
rtrIndex index number of the RTR probe type probe type: echo, pathEcho targetAddress address of the probes target reqSize protocol data size in the request packet freq rate in seconds that the RTR probe uses to start a response time operation life length of the test source interface from which the probe is sent restartTime restart time of the test in seconds owner owner of the probe samples maximum number of entries saved in the history table for this RTR probe admin administrative status of the probe: enabled, disabled tos setting of the type of service (ToS) byte in the probes IP header reactionConfiguration RTR reactions that are configured for the probe operFail operation failure event is triggered when this number of consecutive probe operations is not received or when the operations are received after a time-out
2-52
CHAPTER 2 Configuring IP
testFail test failure event is triggered when this number of probe operations
is not received or when the operations are received after a timeout
timeout time in milliseconds that the probe waits for a response tag identifier configured for the probe operPerHop number of RTR probe operations sent to a given hop maxFail maximum number of consecutive failures to respond to a probes request. When the maximum number is reached, the test stops. Applies only to pathEcho entries. this number is reached, no additional statistical information on the path is stored. Applies only to pathEcho entries.
hopKpt number of hops per path for which statistics are collected. When
rtrIndex ------1 2 rtrIndex ---------1 2 rtrIndex ---------1 2 rtrIndex ---------1 rtrIndex ---------2 samples ------5 5 operFail -------1 operPerHop ---------5 maxFail ------3 admin -------enabled enabled testFail -------1 tos --0 0 timeout ------10000 hopKpt -----16 tag -----tag ------
Example
type targetAddress reqSize freq -----------10.5.0.200 10.5.0.11 -----1 1 1 1 owner ---------life 20 30
restartTime ----------10 60
reactionConfiguration ------------------------
rtrIndex index number of the RTR probe operation index number of the probe operation rtt round-trip time in milliseconds statusDescription concurrentLimitFail target already being used by another rtrIndex ifInactiveToTarget interface used to reach target is not operational
2-53
invalidHostAddress target address is not supported noRouteToTarget target address is not reachable responseReceived probe operation replied by target requestTimedOut probe operation not replied to by target or reply received after timeout unknownDestAddress target address is invalid unableToResolveName target address could not be looked up
timeStamp date and time when the RTR entry was created test index number of the pathEcho test hop index number of the hop count operation index number of the probe operation address address of router at the hop
Example
host1#show rtr history Echo Entries: rtrIndex -------1 1 1 1 1 operation --------5476 5477 5478 5479 5480 rtt --0 0 0 0 0 statusDescription timeStamp ----------------- --------responseReceived responseReceived responseReceived responseReceived responseReceived 08/30/2000 05:17 08/30/2000 05:17 08/30/2000 05:17 08/30/2000 05:17 08/30/2000 05:17
PathEcho Entries: rtrIndex ---------2 2 2 2 2 rtrIndex ---------2 2 2 2 2 test -----165 165 165 165 165 test -----165 165 165 165 165 hop ---3 3 3 3 3 hop ---3 3 3 3 3 operation --------5 1 2 3 4 operation --------5 1 2 3 4 rtt -----0 0 0 0 0 timeStamp ---------------08/30/2000 20:39 08/30/2000 20:40 08/30/2000 20:40 08/30/2000 20:40 08/30/2000 20:40 statusDescription ----------------responseReceived responseReceived responseReceived responseReceived responseReceived address -------10.5.0.11 10.5.0.11 10.5.0.11 10.5.0.11 10.5.0.11
2-54
CHAPTER 2 Configuring IP
rtrIndex index number of the RTR probe hop index number of the hop count address address of the router at the hop minRtt minimum round-trip time in milliseconds maxRtt maximum round-trip time in milliseconds avgRtt average round-trip time in milliseconds rttSumSqr sum of the square of all round-trip times in milliseconds operationsSent number of probe operations sent operationsRcvd number of probe operations received lastGoodResponse time when last valid probe operation was received
Example
host1#show rtr hops rtrIndex ---------2 2 hop ---1 2 address 192.168.1.1 10.2.0.3 minRtt 1 0 maxRtt -----276 1109 avgRtt -----1 2 rttSumSqr -------955363 10094451
----------- ------
rtrIndex hop operationsSent operationsRcvd -------- --- -------------- -------------2 2 1 2 36985 30717 36838 21494
rtrIndex index number of the RTR probe type type of RTR probe: echo, pathEcho entryStatus if the entry was created via the SNMP DISMAN MIB, the row
may be partially constructed; if that is the case, the CLI displays notReady as the entrys status
2-55
Example
host1#show rtr operational-state rtrIndex ---------1 2 type -------echo pathEcho entryStatus ----------active active adminStatus enabled enabled operStatus enabled enabled ----------- ----------
Monitoring IP
This section shows how to set a statistics baseline and use the show commands to view your IP configuration and monitor IP interfaces and statistics.
Establishing a Baseline
IP statistics are stored in system counters. The only way to reset the system counters is to reboot the router. You can, however, establish a baseline for IP statistics by setting a group of reference counters to zero.
baseline ip
Sets a statistics baseline for IP statistics. The router implements the baseline by reading and storing the statistics at the time the baseline is set and then subtracting this baseline whenever baseline-relative statistics are retrieved. Use the delta keyword with IP show commands to specify that baselined statistics are to be shown. Example
host1#baseline ip
There is no no version.
baseline ip tcp
Sets a statistics baseline for TCP statistics. The router implements the baseline by reading and storing the statistics at the time the baseline is set and then subtracting this baseline whenever baseline-relative statistics are retrieved. Use the delta keyword with IP show commands to specify that baselined statistics are to be shown. Example
host1#baseline ip tcp
There is no no version.
2-56
CHAPTER 2 Configuring IP
baseline ip udp
Sets a statistics baseline for UDP statistics. The router implements the baseline by reading and storing the statistics at the time the baseline is set and then subtracting this baseline whenever baseline-relative statistics are retrieved. Use the delta keyword with IP show commands to specify that baselined statistics are to be shown. Example
host1#baseline ip udp
There is no no version.
IP show Commands
Prefix for the names of dynamic IP shared show ip dynamic-interface-prefix interfaces Routing table Interfaces Shared IP interfaces Protocols Redistribution policies Routes Interfaces and next hops Static routes TCP statistics Traffic UDP statistics Profiles Route maps show ip forwarding-table slot show ip interface show ip interface shares show ip protocols show ip redistribute show ip route show ip route slot show ip static show ip tcp statistics show ip traffic show ip udp statistics show ip profile show route-map
2-57
To set a statistics baseline for IP interfaces, use the baseline ip tcp and baseline ip udp commands. Use the delta keyword with IP show commands to specify that baselined statistics are to be shown. You can use the output filtering feature of the show command to include or exclude lines of output based on a text string that you specify. See E-Series System Basics Configuration Guide, Chapter 2, Command Line Interface, for details.
show access-list
Use to display information about access lists, including the instances of each access list. Example
host1#show access-list IP Access List 1: permit ip 172.31.192.217 0.0.0.0 0.0.0.0 255.255.255.255 permit ip 12.40.0.0 0.0.0.3 0.0.0.0 255.255.255.255 deny ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 IP Access List 2: permit ip 172.19.0.0 0.0.255.255 0.0.0.0 255.255.255.255 deny ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 IP Access List 10: permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 IP Access List 11: deny ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
show arp
Use to display information about ARP. Field descriptions
Address IP address of the entry Age time to live for this entry in seconds Hardware Addr physical (MAC) address of the entry Interface interface-specifier of the entry (for example, fastEthernet6/0 is an Ethernet interface on slot 6, port 0) command, rather than just an arp command.
2-58
CHAPTER 2 Configuring IP
show ip
Use to display general information on IP. Example
host1#show ip IP Router Id: 192.168.1.155 Router Name: default Default TTL: 60 Reassemble Timeout: 30
show ip address
Use to display detailed or summary information on a particular IP interface. Field descriptions
Network Protocols network protocols configured on this interface Internet address IP address and subnet mask of this interface Broadcast address broadcast address of this interface Operational MTU MTU of this interface Administrative MTU value of the MTU if it has been administratively overridden using the configuration
Operational speed speed of the interface Administrative speed value of the speed if it has been administratively
overridden using the configuration
Proxy Arp status of the feature: enabled, disabled Administrative debounce-time configured time in milliseconds that an
interface event has to be in the same state before being reported
Access routing access route addition: enabled, disabled Multipath mode equal cost multipath mode method: hashed, round-robin In Received Packets, Bytes total number of packets and bytes received on
this interface Unicast Packets, Bytes unicast packets and bytes received on the IP interface; link-local received multicast packets (non-multicast-routed frames) are counted as unicast packets Multicast Packets, Bytes multicast packets and bytes received on the IP interface which are then multicast-routed are counted as multicast packets
2-59
In Policed Packets, Bytes packets and bytes that were received and
dropped because of rate limits
In Error Packets number of packets received with errors In Invalid Source Address Packets packets received with invalid source
address (for example, spoofed packets)
Out Forwarded Packets, Bytes total number of packets and bytes that
were sent from this interface Unicast Packets, Bytes unicast packets and bytes that were sent from this interface Multicast Routed Packets, Bytes multicast packets and bytes that were sent from this interface
Out Policed Packets, Bytes outgoing packets and bytes dropped because
of rate limiters
Out Discarded Packets outgoing packets that were discarded for reasons
other than those dropped by the scheduler and those dropped because of rate limits Example
host1#show ip address 10.6.136.73 fastEthernet0/0 is up, line protocol is up Network Protocols: IP Internet address is 10.6.136.73/255.255.128.0 Broadcast address is 255.255.255.255 Operational MTU = 0 Operational speed = 1 Administrative MTU = 0 Administrative speed = 0
Discontinuity Time = 5766 Router advertisement = disabled Proxy Arp = disabled Administrative debounce-time = 10 mSecs Operational debounce-time Access routing = disabled Multipath mode = hashed In Received Packets 2849, Bytes 759428 Unicast Packets 2849, Bytes 759428 Multicast Packets 0, Bytes 0 = disabled
2-60
CHAPTER 2 Configuring IP
In Policed Packets 0, Bytes 0 In Error Packets 0 In Invalid Source Address Packets 0 In Discarded Packets 0 Out Forwarded Packets 1866, Bytes 84650 Unicast Packets 1866, Bytes 84650 Multicast Routed Packets 0, Bytes 0 Out Scheduler Drops Committed Packets 0, Bytes 0 Out Scheduler Drops Conformed Packets 0, Bytes 0 Out Scheduler Drops Exceeded Out Policed Packets 0, Bytes 0 Out Discarded Packets 0 Packets 0, Bytes 0
show ip as-path-access-list
Use to display information about AS-path access lists. Example
host1#show ip as-path-access-list AS Path Access List 1: permit deny permit deny permit deny deny permit deny .* .* _109$ ^108_ .* _109$ .* _109_ .* AS Path Access List 2: AS Path Access List 3:
show ip community-list
Use to display routes that are permitted by a BGP community list. Example
host1#show ip community-list Community List 1: permit 752877569 (11488:1) permit 752877570 (11488:2) permit 752877571 (11488:3) permit 752877572 (11488:4) Community List 2: permit 4294967043 (local-as)
2-61
show ip dynamic-interface-prefix
Use to display the prefix for the names of dynamic IP shared interfaces. Example
host1#show ip dynamic-interface-prefix Dynamic Interface Prefix: dyn
Free Memory amount of routing table memory free on the line module, in
kilobytes
Virtual Router name of the virtual router(s) configured on the line module Memory (KB) amount of routing table memory consumed by the virtual
router, in kilobytes
Load Errors count of errors made while loading the routing table on the line
module
Status indicates whether the routing table for the virtual router is valid
Example
host1#show ip forwarding-table slot 9 Free Memory = 3,166KB Virtual Router ---------------vr1 vr2 vr3 vr4 default Memory (KB) --------4128 3136 2256 1512 1024 ------------0 0 0 0 0 -------Valid Valid Valid Valid Valid Load Errors Status
-----------------------------------------------------------
show ip interface
Use to display the current state of all IP interfaces or the IP interfaces you specify. The default is all interface types and all interfaces. Field descriptions
2-62
CHAPTER 2 Configuring IP
interface status status of the interface line protocol status of the line protocol Description text description or alias if configured for the interface Link up/down trap status of SNMP link up/down traps on the interface Internet address IP address of the interface IP Statistics Rcvd: local destination frames with this router as their destinations hdr errors number of packets containing header errors addr errors number of packets containing addressing errors unkn proto number of packets received containing unknown protocols discards number of discarded packets
IP Statistics Frags:
reasm ok number of reassembled packets reasm req number of requests for reassembly reasm fails number of reassembly failures frag ok number of packets fragmented successfully frag req number of frames requiring fragmentation frag fails number of packets unsuccessfully fragmented
IP Statistics Sent:
generated number of packets generated no routes number of packets that could not be routed discards number of packets that could not be routed that were discarded
2-63
src quench source quench packets sent redirect send packet redirects timestamp req requests for a timestamp timestamp rpy replies to timestamp requests addr mask req address mask requests addr mask rpy address mask replies
In Total Dropped Packets, Bytes total number of packets and bytes that
were dropped on the interface; sum of all the drop reasons indented below this field In Policed Packets packets discarded on a receive IP interface due to token bucket limiting In Invalid Source Address Packets packets discarded on a receive IP interface due to invalid IP source address (sa-validate enabled) In Error Packets packets discarded on a receive IP interface due to IP header errors In Discarded Packets packets discarded on the ingress interface due to a configuration problem rather than a problem with the packet itself In Fabric Dropped Packets packets discarded on a receive IP interface due to internal fabric congestion
Out Total Dropped Packets, Bytes total number of packets and bytes that
were discarded on the egress interface; sum of all the drop reasons indented below this field Out Scheduler Drops Committed Packets, Bytes packets and bytes dropped by the scheduler even though they had a committed traffic contract Out Scheduler Drops Conformed Packets, Bytes packets and bytes dropped by the scheduler even though they conformed to the traffic contract
2-64
CHAPTER 2 Configuring IP
Out Scheduler Drops Exceeded Packets, Bytes packets and bytes dropped by the scheduler because they exceeded the contract Out Policed Packets packets discarded on the egress interface due to rate limiting Out Discarded Packets packets discarded on the egress interface due to a configuration problem rather than a problem with the packet itself Out Fabric Dropped Packets packets dropped due to internal fabric congestion Example 1
host1#show ip interface detail fastEthernet 0/0 fastEthernet0/0 is up, line protocol is up Description: boston00 fast ethernet interface Link up/down trap is disabled Internet address is 1.1.1.2/255.255.255.0 IP statistics: Rcvd: 0 local destination 0 hdr errors, 0 addr errors 0 unkn proto, 0 discards Frags: 0 reasm ok, 0 reasm req, 0 reasm fails 0 frag ok, 0 frag creates, 0 frag fails Sent: Rcvd: 31656835 generated, 0 no routes, 0 discards 0 errors, 0 dst unreach, 0 time exceed 0 param probs, 0 src quench, 0 redirect, 0 echo req, 31656816 echo rpy 0 timestmp req, 0 timestmp rpy 0 addr mask req, 0 addr mask rpy Sent: 0 errors, 0 dst unreach, 0 time excd 0 param probs, 0 src qnch, 0 redirect 0 timestamp req, 0 timestamp rpy 0 addr mask req, 0 addr mask rpy In Received Packets 246220, Bytes 344624800 Unicast Packets 246162, Bytes 344621410 Multicast Packets 58, Bytes 3390 In Forwarded Packets 245464, Bytes 343566400 In Total Dropped Packets 756, Bytes 1058400 In Policed Packets 756 In Invalid Source Address Packets 0 In Error Packets 0 In Discarded Packets 0 In Fabric Dropped Packets 0 Out Forwarded Packets 117, Bytes 87297 Unicast Packets 117, Bytes 87297 Multicast Routed Packets 0, Bytes 0 ICMP statistics:
2-65
Out Requested Packets 117, Bytes 87297 Out Total Dropped Packets 0, Bytes 0 Out Scheduler Drops Committed Packets 0, Bytes 0 Out Scheduler Drops Conformed Packets 0, Bytes 0 Out Scheduler Drops Exceeded Out Policed Packets 0 Out Discarded Packets 0 Out Fabric Dropped Packets 0 Packets 0, Bytes 0
If you are losing packets because of fabric congestion, you can use the In Fabric Dropped Packets and Out Fabric Dropped Packets statistics to help determine the location of the bottleneck. Both statistics count the same thingthe same packets dropped because of fabric congestionbut in different directions. At any given time, the total number of packets dropped in the fabric for all interfaces in the chassis is equal to the sum of all In Fabric Dropped Packets for all interfaces in the chassis, which equals the sum of all Out Fabric Dropped Packets for all interfaces in the chassis. Packets not dropped for another listed reason are considered to have been dropped in the fabric. The router calculates In Fabric Dropped Packets by subtracting the total number of inbound packets dropped for all other reasons from the In Total Dropped Packets number. The router calculates Out Fabric Dropped Packets by subtracting the total number of outbound packets dropped for all other reasons from the Out Total Dropped Packets number. The router calculates In Total Dropped Packets by subtracting In Forwarded Packets from In Received Packets. The router calculates Out Total Dropped Packets by subtracting Out Forwarded Packets from Out Received Packets. These statistics are reported as traffic is moving through the router. It is possible to get false statistics based on packets being forwarded and/or received after polling and based on which of the statistics is reported first. For example, In Forwarded Packets could be reported as greater than In Received Packets. Rather than displaying In Total Dropped Packets as a negative value, the command displays it as the sum of all drop reasons other than fabric drops; fabric drops are reported as 0, but might actually be nonzero. If you halt traffic, the In Total Dropped Packets and Out Total Dropped Packets values are always correct.
show ip interface shares
Use to display information about shared IP interfaces. If you specify an IP interface specifier, the command displays information only for that interface and any shared IP interfaces associated with it.
2-66
CHAPTER 2 Configuring IP
Field descriptions
Interface interface specifier or name of the interface IP-Address IP address associated with the interface Status operational state of the interface Protocol state of the protocol running on the interface Virtual Router virtual router in which the interface is configured
Example 1
host1#show ip interface shares brief Interface null0 fastEthernet0/0 loopback100 atm4/0.1 ip si0 ip si1 IP-Address 255.255.255.255/32 10.13.5.17/24 202.1.1.1/24 10.1.1.1/24 Unnumbered Unnumbered Status up up up up up up Protocol up up up up up up vr-a vr-b:vrf-1 Virtual Router
Example 2
host1#show ip interface shares brief atm 4/0.1 Interface atm4/0.1 ip si0 ip si1 IP-Address 10.1.1.1/24 Unnumbered Unnumbered Status up up up Protocol up up up vr-a vr-b:vrf-1 Virtual Router
Example 3 for a description of the following fields, see the show ip address command
host1#show ip interface shares atm 4/0.1 atm4/0.1 is up, line protocol is up Network Protocols: IP Unnumbered Interface on loopback100 ( IP address 202.1.1.1 ) Administrative MTU = 0 Administrative speed = 0 Operational MTU = 1500 Discontinuity Time = 0 Router advertisement = disabled Administrative debounce-time = disabled Operational debounce-time Access routing = disabled Multipath mode = hashed In Received Packets 120, Bytes 12000 Unicast Packets 60, Bytes 6000 Multicast Packets 60, Bytes 6000 In Policed Packets 0, Bytes 0 In Error Packets 0 = disabled
2-67
In Invalid Source Address Packets 0 Out Forwarded Packets 101, Bytes 5252 Unicast Packets 101, Bytes 5252 Multicast Routed Packets 0, Bytes 0 Out Scheduler Drops Committed Packets 0, Bytes 0 Out Scheduler Drops Conformed Packets 0, Bytes 0 Out Scheduler Drops Exceeded Out Policed Packets 0, Bytes 0 ip si0 is up, line protocol is up Network Protocols: IP Virtual Router vr-a Layer 2 interface atm4/0.1 Unnumbered Interface on loopback100 ( IP address 202.1.1.1 ) Administrative MTU = 0 Administrative speed = 0 Operational MTU = 1500 Discontinuity Time = 0 Router advertisement = disabled Administrative debounce-time = disabled Operational debounce-time Access routing = disabled Multipath mode = hashed In Received Packets 0, Bytes 0 Unicast Packets 0, Bytes 0 Multicast Packets 0, Bytes 0 In Policed Packets 0, Bytes 0 In Error Packets 0 In Invalid Source Address Packets 0 Out Forwarded Packets 101, Bytes 5252 Unicast Packets 101, Bytes 5252 Multicast Routed Packets 0, Bytes 0 Out Scheduler Drops Committed Packets 0, Bytes 0 Out Scheduler Drops Conformed Packets 0, Bytes 0 Out Scheduler Drops Exceeded Out Policed Packets 0, Bytes 0 ip si1 is up, line protocol is up Network Protocols: IP Virtual Router vr-b:vrf-1 Layer 2 interface atm4/0.1 . . . Out Policed Packets 0, Bytes 0 Packets 0, Bytes 0 = disabled Packets 0, Bytes 0
2-68
CHAPTER 2 Configuring IP
Example 4 You can also display statistics for shared IP interfaces with the show ip interface command
host1#show ip interface ip si0 ip0 is up, line protocol is up Network Protocols: IP Layer 2 interface atm4/0.1 Unnumbered Interface on loopback100 ( IP address 202.1.1.1 ) Administrative MTU = 0 Administrative speed = 0 Operational MTU = 1500 Discontinuity Time = 0 Router advertisement = disabled Administrative debounce-time = disabled Operational debounce-time Access routing = disabled Multipath mode = hashed In Received Packets 0, Bytes 0 Unicast Packets 0, Bytes 0 Multicast Packets 0, Bytes 0 In Policed Packets 0, Bytes 0 In Error Packets 0 In Invalid Source Address Packets 0 Out Forwarded Packets 101, Bytes 5252 Unicast Packets 101, Bytes 5252 Multicast Routed Packets 0, Bytes 0 Out Scheduler Drops Committed Packets 0, Bytes 0 Out Scheduler Drops Conformed Packets 0, Bytes 0 Out Scheduler Drops Exceeded Out Policed Packets 0, Bytes 0 Packets 0, Bytes 0 = disabled
show ip profile
Use to display information about a specific IP profile. Field descriptions
IP profile profile name IP address IP address and subnet mask of the interface or none if the
interface is unnumbered
Router router name Directed Broadcast enabled or disabled ICMP Redirects enabled or disabled Access Route Addition enabled or disabled Network Address Translation enable or disable; domain location (inside or outside)
2-69
Source-Address Validation enabled or disabled Ignore DF Bit enabled or disabled Administrative MTU MTU size
Example
host1#show ip profile foo IP profile : foo IP address Unnumbered interface Router Directed Broadcast ICMP Redirects Access Route Addition Source-Address Validation Ignore DF Bit Administrative MTU : none : none : : Enabled : Disabled : Enabled : Enabled : Disabled : 0
show ip protocols
Use to display configured protocols. Field descriptions
For BGP:
Redistributing protocol to which BGP is redistributing routes Default local preference local preference value IGP synchronization status of IGP synchronization: enabled, disabled Always compare MED status of multiexit discrimination: enabled, disabled Router flap damping status of route dampening: enabled, disabled Administrative Distance external, internal, and local administrative distances Neighbor Address IP address of the BGP neighbor Neighbor Incoming/Outgoing update distribute list number of the access list for outgoing routes Neighbor Incoming/Outgoing update prefix list number of the prefix list for incoming or outgoing routes Neighbor Incoming/Outgoing update prefix tree number of the prefix tree for incoming or outgoing routes Neighbor Incoming/Outgoing update filter list number of filter list for incoming routes Routing for Networks network for which BGP is currently injecting routes
For IS-IS:
System Id 6-byte value of the system IS-Type routing type of the router: Level 1, Level 2 Distance administrative distance for IS-IS learned routes
2-70
CHAPTER 2 Configuring IP
Address Summarization aggregate addresses defined in the routing table for multiple groups of addresses at a given level or routes learned from other routing protocols Routing for Networks network for which IS-IS is currently injecting routes
For OSPF:
Router ID OSPF process ID for the router Distance administrative distance for OSPF learned routes Redistributing protocol to which OSPF is redistributing routes Address Summarization aggregate addresses defined in the routing table for multiple groups of addresses at a given level or routes learned form other routing protocols Routing for Networks network for which OSPF is currently injecting routes
For RIP:
Router Administrative State RIP protocol state. Enable means that the interface is allowed to send and receive updates. Disable means that the interface may be configured but it is not allowed to run yet. System version RIP versions allowed for sending and receiving RIP updates. The router version is currently set to RIP1, which sends RIP version 1 but will receive version 1 or 2. If the version is set to RIP2, the router will send and receive version 2 only. The default is configured for RIP1. Update interval current setting of the update timer (in seconds) Invalid after current setting of the invalid timer (in seconds) hold down time current setting of the hold down timer (in seconds) flushed interval current setting of the flush timer (in seconds) Filter applied to outgoing route update access list applied to outgoing RIP route updates Filter applied to incoming route update access list applied to incoming RIP route updates Global route map route map that specifies all RIP interfaces on the router Distance value added to RIP routes added to the IP routing table; the default is 120. Interface interface type on which RIP protocol is running Redistributing protocol to which RIP is redistributing routes Routing for Networks network for which RIP is currently injecting routes Example
host1#show ip protocols Routing Protocol is bgp 100 Redistributing: ospf Default local preference is 100 IGP synchronization is enabled Always compare MED is disabled
2-71
Router flap damping is disabled Administrative Distance: external 20 internal 200 local 200 Neighbor(s): Address 1.1.1.1 Outgoing update distribute list is 2 Outgoing update prefix list is efg Incoming update prefix tree is abc Incoming update filter list is 1 Routing for Networks: 192.168.1.0/24 Routing Protocol is isis isisOne System Id: 0000.0000.0011.00 Distance: 115 Address Summarization: None Routing for Networks: fastEthernet0/0 Routing Protocol is ospf 1 with Router ID 192.168.1.151 Distance is 110 Redistributing: isis Address Summarization: None Routing for Networks: 192.168.1.0/255.255.255.0 area 0.0.0.0 Routing Protocol is rip Router Administrative State: enable System version RIP1: send = 1, receive = 1 or 2 Update interval: 30 seconds Invalid after: 180 seconds hold down time: 120 seconds flushed interval: 300 seconds Filter applied to outgoing route update is not set Filter applied to incoming route update is not set No global route map Distance is 120 Interface fastEthernet0/0 Tx 1 Rx 1,2 Auth none IS-Type: level-1-2
2-72
CHAPTER 2 Configuring IP
show ip redistribute
Use to display configured route redistribution policy. Field descriptions
To protocol that routes are distributed into From protocol that routes are distributed from status redistribution status route map number number of the route map
host1#show ip red To ospf, From static is enabled with route map 4 To ospf, From connected is enabled with route map 3
Example
show ip route
Use to display the current state of the routing table, including routes not used for forwarding. You can display all routes, a specific route, best route to a resolved domain name, all routes beginning with a specified address, routes for a particular protocol (BGP, IS-IS, OSPF, or RIP), locally connected routes, internal control routes, static routes, or summary counters for the routing table. Field descriptions
Type type of route; protocol or other Prefix IP address prefix of network destination Length network mask length for prefix Next Hop IP address of the next hop to the route, whether it is a local interface or another router
Dist administrative distance for the route; see Table 2-3 Met number of hops Intf interface type and interface specifier
Example 1
host1#show ip route Protocol/Route type codes: I1- ISIS level 1, I2- ISIS level2, I- route type intra, IA- route type inter, E- route type external, i- metric type internal, e- metric type external, O- OSPF, E1- external type 1, E2- external type2, N1- NSSA external type1, N2- NSSA external type2 Prefix/Length ------------172.16.2.0/24 10.10.0.112/32 10.1.1.0/24 Type ---Bgp Static Next Hop -------192.168.1.102 192.168.1.1 Dist/Met -------20/1 1/1 0/1 Intf -----fastEthernet0/0 fastEthernet0/0 atm3/0.100
Connect 10.1.1.1
2-73
Example 2
host1#show ip route static Protocol/Route type codes: I1- ISIS level 1, I2- ISIS level2, I- route type intra, IA- route type inter, E- route type external, i- metric type internal, e- metric type external, O- OSPF, E1- external type 1, E2- external type2, N1- NSSA external type1, N2- NSSA external type2 Prefix/Length ------------10.10.0.112/32 Type ---Next Hop -------Dist/Met -------1/1 Intf -------------fastEthernet0/0
Static 192.168.1.1
Example 3
host1#show ip route summary 5 total routes, 720 bytes in route entries 0 isis routes 0 rip routes 1 static routes 1 connected routes 0 bgp routes 0 ospf routes 3 other internal routes 0 access routes 0 internally created access host routes Last route added/deleted: 0.0.0.0/0 by StaticLow At THU MAR 09 2000 05:22:49 UTC
Example 4
host1#show ip route all Protocol/Route type codes: I1- ISIS level 1, I2- ISIS level2, I- route type intra, IA- route type inter, E- route type external, i- metric type internal, e- metric type external, O- OSPF, E1- external type 1, E2- external type2, N1- NSSA external type1, N2- NSSA external type2 Prefix/Length ------------0.0.0.0/0 1.1.1.1/32 6.6.6.0/24 6.33.5.0/24 8.8.8.0/24 9.9.9.9/32 10.0.0.0/8 10.10.0.156/32 11.1.1.1/32 11.11.11.12/32 22.2.0.0/16 Type ---Static I2-E-i Static Static I2-E-i I2-E-i I2-E-i Static I2-E-i I2-I-i I2-I-i Next Hop -------192.168.1.1 192.168.1.105 192.168.1.1 0.0.0.0 192.168.1.105 192.168.1.105 192.168.1.105 192.168.1.1 192.168.1.105 192.168.1.105 92.168.1.105 Dist/Met -------1/1 115/10 1/1 1/1 115/10 115/10 115/10 1/1 115/10 115/10 115/10 Intf ------
fastEthernet0/0 fastEthernet0/0 fastEthernet0/0 loopback2 fastEthernet0/0 fastEthernet0/0 fastEthernet0/0 fastEthernet0/0 fastEthernet0/0 fastEthernet0/0 fastEthernet0/0
2-74
CHAPTER 2 Configuring IP
34.0.0.0/8 172.20.32.0/24 174.20.32.0/24 176.20.32.0/24 192.168.1.0/24 201.1.1.0/24 201.2.1.0/24 201.3.1.0/24 202.1.1.1/32 207.1.1.0/24
I2-E-i Static I2-I-i Connect Connect I2-E-i I2-E-i I2-E-i I2-E-i I2-E-i
192.168.1.105 192.168.1.1 192.168.1.105 176.20.32.1 192.168.1.214 192.168.1.105 192.168.1.105 192.168.1.105 192.168.1.105 192.168.1.105
115/10 1/1 115/20 0/1 0/1 115/10 115/10 115/10 115/10 115/10
fastEthernet0/0 fastEthernet0/0 fastEthernet0/0 loopback1 fastEthernet0/0 fastEthernet0/0 fastEthernet0/0 fastEthernet0/0 fastEthernet0/0 fastEthernet0/0
IP address address reachable via the interface Interface interface type and specifier associated with the IP address;
displays Local Interface if a special interface index is present in the routing table for special IP addresses, such as broadcast addresses
Next Hop IP address of the next hop router to reach the IP address;
displays --- if no next hop is associated with the IP address Example 1
host1#show ip route slot 6 10.10.0.231 IP address -----------10.10.0.231 Interface ---------------fastEthernet 6/0 Next Hop -----------10.10.0.231
Example 2
host1#show ip route slot 9 90.248.1.2 IP address -----------90.248.1.2 Interface ---------------serial9/23:2 Next Hop --------------
Example 3
host1#show ip route slot 9 90.249.255.255 IP address -----------Interface ---------------Next Hop --------------
show ip static
Use to display the status of static routes in the routing table. You can specify an IP mask that filters specific routes. Field descriptions
Prefix IP address prefix Length prefix length Next Hop IP address of the next hop
2-75
Met number of hops Dist administrative distance of the route; see Table 2-3 Tag tag value of the route Intf interface type and interface specifier
host1#show ip route static Prefix/Length: 10.2.0.0/24 10.2.1.0/24 172.31.1.48/32 Next Hop: 192.168.1.1 192.168.1.1 172.18.2.2 Met: 1 1 1 Dist: Tag: 1 1 1 0 1 0 Intf: ethernet6/0 ethernet6/0 atm5/1.1
Example
2-76
CHAPTER 2 Configuring IP
2-77
Local addr: 192.168.1.250, Local port: 23 Remote addr: 10.10.0.77, Remote port: 2170 State: ESTABLISHED Authentication: None Rcvd: 61 total pkts, 34 in-sequence pkts, 41 bytes 0 chksum err pkts, 0 bad offset pkts, 0 short pkts 0 duplicate pkts, 0 out of order pkts Sent: 64 total pkts, 45 data Local addr: 192.168.1.250, Local port: 23 Remote addr: 10.10.0.77, Remote port: 2170 State: ESTABLISHED Authentication: None Rcvd: 61 total pkts, 34 in-sequence pkts, 41 bytes 0 chksum err pkts, 0 bad offset pkts, 0 short pkts 0 duplicate pkts, 0 out of order pkts Sent: 64 total pkts, 45 data pkts, 2304 bytes 0 retransmitted pkts, 0 retransmitted bytes Local addr: 192.168.1.250, Local port: 23 Remote addr: 192.168.1.139, Remote port: 1038 State: ESTABLISHED Authentication: None Rcvd: 295 total pkts, 159 in-sequence pkts, 299 bytes 0 chksum err pkts, 0 bad offset pkts, 0 short pkts 0 duplicate pkts, 0 out of order pkts Sent: 281 total pkts, 210 data pkts, 3089 bytes 0 retransmitted pkts, 0 retransmitted bytes
show ip traffic
Use to display statistics about IP traffic. You can use the ipTraffic log to show consumable IP traffic to the SRP module; the traffic is filterable per router and IP interface. You can show ICMP, TCP, and UDP traffic with the icmpTraffic, udpTraffic, and tcpTraffic logs. Field descriptions
IP Statistics Rcvd:
router Id router ID number total number of frames received local destination frames with this router as their destination hdr errors number of packets containing header errors addr errors number of packets containing addressing errors unkn proto number of packets received containing unknown protocols discards number of discarded packets
IP Statistics Frags:
reassembled number of reassembled packets reasm timed out number of reassembled packets that timed out reasm req number of requests for reassembly reasm fails number of reassembly failures
2-78
CHAPTER 2 Configuring IP
frag ok number of fragmented packets reassembled successfully frag fail number of fragmented packets reassembled unsuccessfully frag creates number of packets created by fragmentation
IP Statistics Sent:
forwarded number of packets forwarded generated number of packets generated out disc number of outbound packets discarded no routes number of packets that could not be routed routing discards number of packets that could not be routed and were discarded
IP Statistics Route:
routes in table number of routes in the routing table
2-79
OSPF Statistics provides statistics on OSPF IGMP Statistics provides statistics about queries, reports sent or received ARP Statistics not supported for this version of the router
Example
host1#show ip traffic IP statistics: Router Id: 172.31.192.217 Rcvd: 97833 total, 171059 local destination 167 unkn proto, 0 discards Frags: 4 reassembled, 30 reasm timed out, 8 reasm req 0 reasm fails, 145 frag ok, 0 frag fail 0 hdr errors, 0 addr errors
2-80
CHAPTER 2 Configuring IP
290 frag creates Sent: 15 forwarded, 25144 generated, 0 out disc 0 no routes,0 routing discards Route: 57680 routes in table 0 timestamp req, 0 timestamp rpy 0 addr mask req, 0 addr mask rpy ICMP statistics: Rcvd: 561 total, 0 errors, 15 dst unreach 0 time exceed, 0 param probs, 0 src quench 0 redirects, 0 echo req, 0 echo rpy 0 timestamp req, 0 timestamp rpy 0 addr mask req, 0 addr mask rpy Sent: 463866 total, 0 errors, 163676 dest unreach 0 time excd, 0 param prob, 0 src quench 20 redirects, 463846 echo req, 0 echo rpy 0 timestamp req, 0 timestamp rpy 0 addr mask req, 0 addr mask rpy UDP Statistics: Rcvd: 93326 total, 0 checksum errors, 90610 no port Sent: 0 total, 0 errors TCP Global Statistics: Connections: 7358 attempted, 4 accepted, 7362 established 0 dropped, 14718 closed Rcvd: 75889 total pkts, 53591 in-sequence pkts, 3120283 bytes 0 chksum err pkts, 0 authentication err pkts, 0 bad offset 0 short pkts, 0 duplicate pkts, 0 out of order pkts Sent: 82318 total pkts, 44381 data pkts, 656321 bytes 34 retransmitted pkts, 487 retransmitted bytes OSPF Statistics: IGMP Statistics: ARP Statistics:
2-81
Example
host1#show ip udp statistics UDP Statistics: Rcvd: 39196 total, 0 checksum errors, 29996 no port Sent: 210 total, 0 errors
show route-map
Use to display the configured route maps. The displayed information includes the instances of each access list such as match and set commands. Example
host1(config)#route-map westford permit 10 host1(config-route-map)#match community 44 host1(config-route-map)#set local-pref 400 host1(config-route-map)#exit host1(config)#exit host1#show route-map westford route-map 1, permit, sequence 10 Match clauses: match community 44 Set clauses: set local-pref 400
2-82
CHAPTER 2 Configuring IP
3
Page 3-2 3-3 3-3 3-5 3-9 3-10 3-11 3-17 3-17 3-20 3-20
This chapter describes how to configure Internet Protocol version 6 (IPv6) routing and Neighbor Discovery (ND) on your E-series router.
Topic Overview References IPv6 Packet Headers IPv6 Addressing Understanding Neighbor Discovery Before You Configure IPv6 or Neighbor Discovery IPv6 Configuration Tasks Creating Static IPv6 Neighbors Neighbor Discovery Configuration Tasks Clearing IPv6 Neighbors Monitoring IPv6 and Neighbor Discovery
3-2
Overview
Internet Protocol version 6 (IPv6) is designed to eventually supersede IP version 4 (IPv4). The intent of this design change is not to take a radical step away from IPv4, but to enhance IP addressing and maintain other IPv4 functions that work well. The differences between IPv4 and IPv6 include the following: Expanded addressing capabilities IPv6 increases the size of the IP address from 32 bits to 128 bits. This increased size allows for a larger address space and a much larger number of addressable nodes. Simplified header format Reducing some common processing costs associated with packet handling and streamlining the bandwidth cost of the larger IPv6 header, some IPv4-specific header fields either no longer exist or are now optional in the IPv6 header. Traffic flow labelling capabilities The ability to label packets for specific traffic flows exists in the IPv6 packet. These labels allow for nondefault quality of service (QoS) or the possibility of real-time services. Authentication capabilities Authentication provides the ability to use extensions for some authentication and data integrity applications. IPv6 continues to provide the basic packet delivery service for all TCP/IP networks. As a connectionless protocol, IPv6 does not exchange control information to establish an end-to-end connection before transmitting data. Instead, just like its IPv4 predecessor, IPv6 continues to rely on protocols in other layers to establish the connection if connection-oriented services are required and to provide error detection and error recovery. In addition to supporting a revised header structure and an expanded addressing format, the E-series router supports the following IPv6 features: Static routes ICMPv6 Ping Traceroute
3-3
Routing policy (see Chapter 1, Configuring Routing Policy for details) IPv6 BRAS (see Broadband Access Configuration Guide for details).
References
For more information about IPv6, consult the following resources: RFC 2373 IP Version 6 Addressing Architecture (July 1998) RFC 2460 Internet Protocol, Version 6 (IPv6) (December 1998) RFC 2461 Neighbor Discovery for IP Version 6 (IPv6) (December 1998) RFC 2462 IPv6 Stateless Address Autoconfiguration (December 1998) RFC 2463 Internet Control Message Protocol (ICMPv6) for the Internet Protocol Version 6 (IPv6) Specification (December 1998) RFC 2464 Transmission of IPv6 Packets over Ethernet Networks (December 1998) RFC 2465 Management Information Base for IP Version 6: Textual Conventions and General Group (December 1998) RFC 2466 Management Information Base for IP Version 6: ICMPv6 Group (December 1998) You can access these and other Internet RFCs and drafts at the following URL: http://www.ietf.org
The main difference between IPv4 and IPv6 resides in their headers. Figure 3-1 provides a comparison between the two protocol versions.
3-4
32 bits
Ver. Ver. HL HL 4 4 Ver. Traffic class Ver. Traffic class 6 8 bits 8 bits 6
32 bits
Flow label Flow label 20 bits 20 bits Next Hdr. Next Hdr. 8 bits 8 bits Hop Limit Hop Limit 8 bits 8 bits
TOS
Datagram Length Datagram Length Flags Flags Flag Offset Flag Offset
Header Checksum Header Checksum Source Address Source Address 128 bits 128 bits
IP Options (with padding if necessary) IP Options (with padding if necessary) Destination Address Destination Address 128 bits 128 bits
IPv4 header
IPv6 header
Figure 3-1 IPv4 and IPv6 header comparison
IPv6 packet headers contain many of the fields found in IPv4 packet headers; some of these fields differ from IPv4. (See Figure 3-1.) The 40-byte IPv6 header consists of the following eight fields: Version Indicates the version of the Internet Protocol. Traffic class Previously the type-of-service (ToS) field in IPv4, the traffic class field defines the class-of-service (CoS) priority of the packet. However, the semantics for this field (for example, DiffServ code points) are identical to IPv4. Flow label The flow label identifies all packets belonging to a specific flow (that is, packet flows requiring a specific class of service [CoS]); routers can identify these packets and handle them in a similar fashion. Payload length Previously the total length field in IPv4, the payload length field specifies the length of the IPv6 payload. Next header Previously the protocol field in IPv4, the Next Header field indicates the next extension header to examine. Hop limit Previously the time-to-live (TTL) field in IPv4, the hop limit indicates the maximum number of hops allowed.
3-5
Source address Identifies the address of the source node sending the packet. Destination address Identifies the final destination node address for the packet.
Extension Headers
In IPv6, extension headers are used to encode optional Internet-layer information. Extension headers are placed between the IPv6 header and the upper-layer header in a packet. IPv6 allows you to chain extension headers together by using the next header field. The next header field, located in the IPv6 header, indicates to the router which extension header to expect next. If there are no more extension headers, the next header field indicates the upper-layer header (TCP header, UDP header, ICMPv6 header, an encapsulated IP packet, or other items).
IPv6 Addressing
IPv6 increases the size of the IP address from the 32 bits found in IPv4 to 128 bits. This increased size allows for a broader range of addressing hierarchies and a much larger number of addressable nodes. In addition to the increased size, IPv6 addresses can be of different scopes that categorize what types of applications are suitable for the address. IPv6 does not support broadcast addresses, but uses multicast addresses to serve this role. In addition, IPv6 also defines a new type of address called anycast.
Address Representation
IPv6 addresses consist of eight hexadecimal groups. Each hexadecimal group, separated by a colon (:), consists of a 16-bit hexadecimal value. The following is an example of the IPv6 format: xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx A group of xxxx represents the 16-bit hexadecimal value. Each individual x represents a 4-bit hexadecimal value. The following is an example of a possible IPv6 address: 4FDE:0000:0000:0002:0022:F376:FF3B:AB3F
Note: Hexadecimal letters in IPv6 addresses are not case sensitive.
3-6
IPv6 addresses often contain consecutive hexadecimal fields of zeros. To simplify address entry, you can use two colons (::) to represent the consecutive fields of zeros when typing the IPv6 address. Table 3-1 provides compressed IPv6 address format examples.
Table 3-1 Compressed IPv6 formats IPv6 Address Type Unicast Multicast Loopback Unspecified Full Format 10FB:0:0:0:C:ABC:1F0C:44DA FD01:0:0:0:0:0:0:1F 0:0:0:0:0:0:0:1 0:0:0:0:0:0:0:0 Compressed Format 10FB::C:ABC:1F0C:44DA FD01::1F ::1 ::
Note: You can use two colons (::) only once in an IPv6 address to represent hexadecimal fields of consecutive zeros.
An IPv6 address prefix is a combination of an IPv6 prefix (address) and a prefix length. The prefix takes the form ipv6-prefix/prefix-length and represents a block of address space (or a network). The ipv6-prefix variable follows general IPv6 addressing rules (see RFC 2373 for details). The /prefix-length variable is a decimal value that indicates the number of contiguous, higher-order bits of the address that make up the network portion of the address. For example, 10FA:6604:8136:6502::/64 is a possible IPv6 prefix.
Address Types
IPv6 can use several types of addresses: Unicast Used to identify a single interface, this release of the E-series router product supports the following unicast address types:
> Global aggregatable Allows for aggregation of routing prefixes to
a domain portion.
Note: IPv6 routers must not forward packets that have site-local source or destination addresses outside the site.
3-7
lower-order 32 bits of the address and zeros in the higher-order 96 bits of the address. For example, the format of an IPv4-compatible IPv6 address is 0:0:0:0:0:0:A.B.C.D (or condensed as ::A.B.C.D). In other words, devices using IPv6 use the entire 128-bit IPv4-compatible IPv6 address, whereas IPv4 devices use the IPv4 address embedded within the lower-order 32-bits of the address. You would use IPv4-compatible IPv6 addresses for devices that must support both IPv4 and IPv6 protocols. Multicast Used for sending packets to multiple destinations. A multicast transmission sends packets to all interfaces that are part of a multicast group. The group is represented by the IPv6 destination address of the packet. Anycast Used for a set of interfaces on different nodes. An anycast transmission sends packets to only one of the interfaces associated with the address, not to all of the interfaces. This interface is typically the closest interface, as defined by the routing protocol. Loopback Used by a node to send an IPv6 packet to itself. An IPv6 loopback address functions the same as an IPv4 loopback address. Unspecified Indicates the absence of an IPv6 address. For example, newly initialized IPv6 nodes may use the unspecified address as the source address in their packets until they receive an IPv6 address.
Note: IPv6 does not use broadcast addresses; instead, IPv6 uses multicast addresses.
Address Scope
Some unicast and multicast IPv6 addresses contain a value known as scope. This value identifies the application suitable for the address. Unicast addresses support two types of scopeglobal and local. In addition, there are two types of local scopelink-local addresses and site-local addresses. Link-local unicast addresses, identified by the first ten bits of the prefix, function within a single network link. You cannot use link-local addresses outside a network link. Site-local unicast addresses function within a site or an intranet. A site consists of multiple network links, and site-local addresses identify nodes inside the intranet. You cannot use site-local addresses outside the site.
3-8
Multicast addresses support 16 different types of scope, including node, link, site, organization, and global scope. A four-bit field in the prefix identifies the scope.
Address Structure
Unicast addresses identify a single interface. The address consists of n bits for the prefix and 128-n bits for the interface ID. Multicast addresses identify a set of interfaces. The address is made up of the first 8 bits of all ones, a 4-bit flag field, a 4-bit scope field, and a 112-bit group ID. 11111111 | flgs | scop | group ID The first octet of ones identifies the address as a multicast address. The flags field identifies whether the multicast address is a well-known address or whether it is a transient multicast address. The scope field identifies the scope of the multicast address. The 112-bit group ID identifies the multicast group. Similar to multicast addresses, anycast addresses identify a set of interfaces. However, packets are sent to only one of the interfaces, not to all interfaces. Anycast addresses are allocated from the normal unicast address space and cannot be distinguished from a unicast address in format. Therefore, each member of an anycast group must be configured to recognize certain addresses as anycast addresses.
ICMP Support
Internet Control Message Protocol (ICMP) provides a mechanism that enables a router or destination host to report an error in data traffic processing to the original source of the packet. For this release, the E-series router supports ICMP for use in the IPv6 ping and traceroute commands. The ping and traceroute commands help you determine destination reachability within a network. Use the ping ipv6 command to send an ICMP echo request packet. In the following example, the request packet is sent to address 1::1 with a data size of 200 and a timeout value of 10 seconds:
host1#ping ipv6 1::1 data-size 200 timeout 10
Use the traceroute ipv6 command to discover routes that router packets follow when traveling to their destination. In the following
3-9
example, the trace destination address is 1::1, the maximum number of hops of the trace is 20, and the timeout value is 10 seconds:
host1#traceroute ipv6 1::1 hop-limit 20 timeout 10
3-10
Refer to E-Series Link Layer Configuration Guide, Chapter 1, Configuring ATM for information on configuring an ATM interface. Refer to E-Series Link Layer Configuration Guide, Chapter 6, Configuring Ethernet Interfaces for information on configuring an Ethernet interface. Configuring Ethernet interfaces to function with IPv6 requires Neighbor Discovery configuration for the interface. In this release, only the 8-port Fast Ethernet (FE-8) and Gigabit Ethernet (GE) modules support Neighbor Discovery. ND is required for IPv6 to function on Ethernet interfaces. For information about configuring Neighbor Discovery, see Neighbor Discovery Configuration Tasks.
3-11
You must configure an IPv6 license before you can use any IPv6 commands on the E-series router.
license ipv6
Use to specify an IPv6 license. Purchase an IPv6 license to allow IPv6 configuration on the E-series router.
Note: Acquire the license from Juniper Networks Customer Service or your Juniper Networks sales representative.
Example
host1(config)#license ipv6 <license-value>
You can configure an IPv6 interface dynamically by creating a profile. A profile is a set of characteristics that acts as a pattern that can be dynamically assigned to an IPv6 interface. You can manage a large number of IPv6 interfaces efficiently by creating a profile with a specific set of characteristics. In addition, you can create a profile to assign an IPv6 interface to a virtual router. A profile can contain one or more of the following characteristics: address configures an IPv6 address on an interface mtu configures the MTU for a network policy attaches (or removes) a policy to (or from) an interface unnumbered configures IPv6 on this interface without a specific address ipv6 virtual-router specifies a virtual router to which interfaces created by this profile will be attached
Note: You can also configure any of these IPv6 characteristics outside the profile configuration mode.
Use the profile command from Global Configuration mode to create or edit a profile. See E-Series Link Layer Configuration Guide, Chapter 13,
3-12
Configuring Dynamic Interfaces for information on creating profiles and on other characteristics that can be applied to the profile.
host1(config)#profile boston host1(config-profile)#ipv6 virtual-router warf host1(config-profile)#ipv6 unnumbered atm 3/0
ipv6 address
Use to add an IPv6 address to an interface or a subinterface. Example
host1(config)#interface atm 1/0.25 host1(config-if)#ipv6 address 1::1/64 Note: You can use this command in Interface Configuration or Subinterface Configuration mode.
ipv6 mtu
Use to set the MTU size of IPv6 packets sent on an interface. The range is 12810240. Example
host1(config-if)#ipv6 mtu 1000
ipv6 unnumbered
Use to set up an unnumbered interface. An unnumbered interface does not have an IPv6 address assigned to it. Unnumbered interfaces are often used in point-to-point connections where an IPv6 address is not required. This command enables IPv6 processing on an interface without your having to assign an explicit IPv6 address to the interface. You supply an interface location that is the type and number of another interface on which the router has an assigned IPv6 address. This interface cannot be another unnumbered interface. Example
host1(config-if)#ipv6 unnumbered loopback
ipv6 virtual-router
Use to assign a virtual router to a profile. You can configure a virtual router using RADIUS instead of adding one to the profile by using the ipv6 virtual-router command. Use the no version to remove the virtual router assignment.
3-13
Assigning a Profile
To assign a profile to an interface, use the profile command from Interface mode.
profile
Use to assign a profile to a PPP interface. The profile configuration is used to dynamically create an upper IP interface. Example
host1(config-if)#interface atm 3/1.50 host1(config-if)#encapsulation ppp host1(config-if)#profile boston
You can set a destination to receive and send traffic by a specific route through the network.
ipv6 route
Use to establish a static IPv6 route. You can set a destination to receive and send traffic from and to a network or to use a specific route through the network.
Note: In this release, IPv6 supports only static routes and loopback configurations.
Example
host1(config)#ipv6 route 7fff::0/16 1::1
Use the no version of this command to remove a static route from the routing table.
You can specify the maximum number of hops that the router can use in router advertisements and all IPv6 packets.
ipv6 hop-limit
Use to set the maximum number of hops that the router can use in router advertisements and all IPv6 packets. Example
host1(config)#ipv6 hop-limit 50
Use the no version to set the hop limit for IPv6 packets to 255 hops and router advertisements to zero [0] hops (or unspecified).
3-14
You can manage IPv6 interfaces in the following ways: Disable or reenable an IPv6 interface.
host1(config-if)#no ipv6 enable host1(config-if)#ipv6 enable
There is no no version.
ipv6 enable
Use to enable or disable an IPv6 interface at any time.
Note: By default, an IPv6 interface is enabled when you first create it.
Example
host1(config-if)#ipv6 enable
ping ipv6
Use to send an ICMP echo request packet to the IPv6 address that you specify. Use the source interface keywords to specify a source interface other than the one from which the probe originates. Use the source address keywords to specify a source IP address other than the one from which the probe originates. You can specify the following options:
data-pattern sets the type of bits contained in the packet to all ones, all
zeros, a random mixture of ones and zeros, or a specific hexadecimal data pattern that can range from 0x00xFFFFFFFF. The default is all zeros.
data-size sets the number of bytes comprising the IPv6 packet and
reflected in the IPv6 header in the range 064000; the default is 100 bytes
3-15
sweep-sizes enables you to vary the sizes of the echo packets being sent.
This capability is useful for determining the minimum sizes of the MTUs configured on the nodes along the path to the destination address. This reduces packet fragmentation, which contributes to performance problems. The default is not to sweep (all packets are the same size).
timeout sets the number of seconds to wait for an ICMP echo reply packet
before the connection attempt times out
hop-limit sets the time-to-live hop count in the range 1255; the default is
255 The following characters can appear in the display after you issue the ping command:
! reply received . timed out while waiting for a reply ? unknown packet type A admin unreachable b packet too big H host unreachable N network unreachable P port unreachable p parameter problem S source beyond scope t hop limit expired (TTL expired)
host1#ping ipv6 1::1
Example
There is no no version.
traceroute
Use to discover the routes that router packets follow when traveling to their destination. You can specify:
Destination IPv6 address Source interface for each of the transmitted packets Source IPv6 address for each of the transmitted packets
3-16
Maximum number of hops of the trace and a time-out value Size of the IPv6 packets (not the ICMP payload) in the range 064000 bytes
sent with the traceroute command. Including a size might help locate any MTU problems that exist between your router and a particular device.
There is no no version.
Adding a Description
The router enables you to add a text description or an alias to an IPv6 interface or subinterface. Adding a description helps you identify the interface and keep track of interface connections.
ipv6 description
Use to assign a text description or an alias to an IPv6 interface or subinterface. The description or alias can be a maximum of 256 characters. Use the show ipv6 interface command to display the text description. Examples
host1(config-if)#ipv6 description boston01 ipv6 interface host1(config-subif)#ipv6 description dallas05 ipv6 subinterface
To remove an IPv6 configuration from the virtual router, issue the no ipv6 command.
no ipv6
Use to remove IPv6 configuration from the virtual router. Example
host1(config)#no ipv6 Note: The E-series router automatically starts IPv6 processing when you begin configuring an IPv6 interface. However, by issuing the ipv6 command without using the no option, you can create an IPv6 processing instance with no IPv6 configuration.
3-17
To clear IPv6 routes from the routing table, use the clear ipv6 routes command. To clear the routes for a specific IPv6 network, specify the IPv6 prefix. To clear all dynamic IPv6 routes, using the * (asterisk) option.
clear ipv6 routes
Use to clear IPv6 routes. To clear routes in a specific IPv6 network, specify an IPv6 prefix. To clear all dynamic IPv6 routes, use the * (asterisk) option. Example
host1(config)#clear ipv6 routes *
There is no no version.
3-18
Configure the current IPv6 interface to send neighbor solicitations and to respond with neighbor advertisements.
host1(config)#ipv6 nd
Note: This command is redundant when configuring Neighbor Discovery over Ethernet, because router advertisements are automatically sent on Ethernet interfaces. However, unless explicitly enabled, IPv6 router advertisements are not sent on other types of interfaces.
(Optional) Configure the interface to retry sending neighbor solicitations using a specified interval.
host1(config-if)#ipv6 nd ns-interval 500
(Optional) Configure the interface to assume that a neighbor is reachable for a specified time after a reachable confirmation event.
host1(config-if)#ipv6 nd reachable-time 30000
ipv6 nd
Use to enable the IPv6 Neighbor Discovery process on an interface. Example
host1(config)#interface fastEthernet 3/0 host1(config-if)#ipv6 nd
Use the no version of this command to disable the Neighbor Discovery process.
ipv6 nd ns-interval
Use to specify the interval between IPv6 neighbor solicitation retransmissions on an interface. Example
host1(config-if)#ipv6 nd ns-interval 500
Use the no version of this command to return the interval between neighbor solicitation retransmission to its default value (zero [0] milliseconds for router advertisements and 1000 milliseconds for Neighbor Discovery activity of the E-series router).
ipv6 nd reachable-time
Use to specify the amount of time that the E-series router can reach a remote IPv6 node after some reachability confirmation event has occurred. Example
host1(config-if)#ipv6 nd reachable-time 30000
Use the no version of this command to restore the default value (zero [0] milliseconds for router advertisements and 60000 milliseconds for Neighbor Discovery activity of the E-series router).
3-19
Much like proxy ARP, proxy Neighbor Discovery is a means by which one interface responds to a Neighbor Discovery query on behalf of another interface. To configure proxy Neighbor Discovery:
1
Note: This command is redundant when configuring Neighbor Discovery over Ethernet, because neighbor solicitations and advertisements are automatically sent on Ethernet interfaces.
ipv6 nd proxy
Use to enable or disable Neighbor Discovery proxy. Example
host1(config-if)#ipv6 nd proxy
The duplicate address detection feature helps to verify that a new unicast IPv6 address is unique in the network. The router sends the IPv6 address in its neighbor solicitation messages. However, the router relies on the receiving device to understand the address duplication and does not prompt a conflict if the address already exists. The CLI allows you to specify the number of consecutive neighbor solicitation messages that the router sends from the IPv6 interface.
ipv6 nd dad attempts
Use to specify the number of consecutive neighbor solicitation messages that the router sends from the IPv6 interface. Use an attempt value of zero (0) to disable duplicate address detection on the current interface. The router suspends duplicate address detection on interfaces that are administratively down.
3-20
Example
host1(config-if)#ipv6 nd dad attempts 10
Use the no version of this command to restore the default number of attempts to one (1).
There is no no version.
IPv6 statistics are stored in system counters. The only way to reset the system counters is to reboot the system. You can, however, establish a baseline for IPv6 statistics by setting a group of reference counters to zero.
baseline ipv6
Sets a baseline for IPv6 statistics. The router implements the baseline by reading and storing the statistics at the time the baseline is set and then subtracting this baseline whenever baseline-relative statistics are retrieved. Use the udp keyword to set a baseline for UDP statistics Use the delta keyword with IPv6 show commands to specify that baselined statistics are to be shown.
3-21
Example
host1#baseline ipv6
There is no no version.
There is no no version.
You can monitor the following aspects of IPv6 using show ipv6 commands:
To Display General IPv6 information IPv6 addresses IPv6 Interfaces IPv6 neighbors IPv6 profile information Active IPv6 protocol information IPv6 route redistribution configuration IPv6 routes IPv6 static routes IPv6 statistics/traffic IPv6 UDP information IPv6 license string Command show ipv6 show ipv6 address show ipv6 interface show ipv6 neighbors show ipv6 profile show ipv6 protocols show ipv6 redistribute show ipv6 route show ipv6 static show ipv6 traffic show ipv6 udp statistics show license ipv6
You can use the output filtering feature of the show command to include or exclude lines of output based on a text string that you specify. See E-Series System Basics Configuration Guide, Chapter 2, Command Line Interface, for details.
3-22
show ipv6
Use to display general IPv6 information. Example
host1#show ipv6 Ipv6 Unicast Routing: Enabled Default hop limit: not specified Number of interfaces: 2 Default interface source address/mask: fe80::90:1a00:210:fd0/128
Network Protocols network protocols configured on this interface Link local address local IPv6 address of this interface Internet address external address of this interface IP statistics Rcvd: local destination frames with this router as their destination hdr errors number of packets containing header errors addr errors number of packets containing addressing errors unkn proto number of packets received containing unknown protocols discards number of discarded packets
IP statistics Sent:
generated number of packets generated no routes number of packets that could not be routed discards number of packets that could not be routed that were discarded
3-23
redirects received packet redirects echo requests echo request (ping) packets echo replies echo replies received rtr solicits number of received router solicitations rtr advertisements number of received router advertisements neighbor solicits number of received neighbor solicitations neighbor advertisements number or received neighbor advertisements Group membership (queries, responses, reductions) number of queries, responses, and reduction requests received from within a group to which the interface is assigned
Operational MTU value of the MTU Administrative MTU value of the MTU if it has been administratively
overridden using the configuration
Operational speed speed of the interface Administrative speed value of the speed if it has been administratively
overridden using the configuration
3-24
Multicast Packets, Bytes multicast packets and bytes received on the IPv6 interface which are then multicast-routed are counted as multicast packets
Out Forwarded Packets, Bytes total number of packets and bytes that
were sent from this interface Unicast Packets, Bytes unicast packets and bytes that were sent from this interface Multicast Routed Packets, Bytes multicast packets and bytes that were sent from this interface
Out Total Dropped Packets total number of outbound packets and bytes
dropped by this interface Out Scheduler Dropped Packets, Bytes number of outbound packets and bytes dropped by the scheduler Out Policed Packets, Bytes number of outbound packets and bytes dropped because of rate limits Out Discarded Packets number of outbound packets that were discarded for reasons other than those dropped by the scheduler and those dropped because of rate limits Example 1
host1#show ipv6 address 1::1 loopback0 line protocol IpLoopback is up, ipv6 is up Network Protocols: IPv6 Link local address: fe80::90:1a00:210:fd0 Internet address: 1::1/64 Operational MTU 1500 Administrative MTU 0 Operational speed 100000000 Administrative speed 0 Creation type Static Neighbor Discovery is disabled In Received Packets 0, Bytes 0 Unicast Packets 0, Bytes 0 Multicast Packets 0, Bytes 0 In Total Dropped Packets 0, Bytes 0 In Policed Packets 0 In Invalid Source Address Packets 0 In Error Packets 0 In Discarded Packets 0
3-25
Out Forwarded Packets 0, Bytes 0 Unicast Packets 0, Bytes 0 Multicast Routed Packets 0, Bytes 0 Out Total Dropped Packets 0, Bytes 0 Out Scheduler Dropped Packets 0, Bytes 0 Out Policed Packets 0 Out Discarded Packets 0
Example 2
host1#show ipv6 address detail 5::1 ATM4/0.15 line protocol Atm1483 is up, ipv6 is up Network Protocols: IPv6 Link local address: fe80::90:1a00:4440:1d44 Internet address: 5::1/64 IP statistics: Rcvd: 0 local destination 0 hdr errors, 0 addr errors 0 unkn proto, 0 discards Sent: 0 generated, 0 no routes, 0 discards
ICMP statistics: Rcvd: 2914 total, 0 errors 0 destination unreach, 0 admin unreach, 0 parameter problem 0 time exceeded, 0 pkt too big, 0 redirects 21 echo requests, 2893 echo replies 0 rtr solicits, 0 rtr advertisements 0 neighbor solicits, 0 neighbor advertisements Group membership: 0 queries, 0 responses, 0 reductions Sent: 2914 total, 0 errors 0 destination unreach, 0 admin unreach, 0 parameter problem 0 time exceeded, 0 pkt too big, 0 redirects 2893 echo requests, 21 echo replies 0 rtr solicits, 0 rtr advertisements 0 neighbor solicits, 0 neighbor advertisements Group membership: 0 queries, 0 responses, 0 reductions Operational MTU 9180 Administrative MTU 0 Operational speed 155520000 Administrative speed 0 In Received Packets 2914, Bytes 430372 Unicast Packets 2914, Bytes 430372 Multicast Packets 0, Bytes 0
3-26
In Total Dropped Packets 0, Bytes 0 In Policed Packets 0 In Invalid Source Address Packets 0 In Error Packets 0 In Discarded Packets 0 Out Forwarded Packets 2914, Bytes 430372 Unicast Packets 2914, Bytes 430372 Multicast Routed Packets 0, Bytes 0 Out Total Dropped Packets 0, Bytes 0 Out Scheduler Dropped Packets 0, Bytes 0 Out Policed Packets 0 Out Discarded Packets 0
Example 3
host1#show ipv6 interface ATM4/0.15 line protocol Atm1483 is up, ipv6 is up Network Protocols: IPv6 Link local address: fe80::90:1aff:fe01:725 Internet address: 1::2/60 Operational MTU 1500 Administrative MTU 0 Operational speed 100000000 Administrative speed 0 In Received Packets 0, Bytes 0 Unicast Packets 0, Bytes 0 Multicast Packets 0, Bytes 0 In Total Dropped Packets 0, Bytes 0 In Policed Packets 0 In Invalid Source Address Packets 0 In Error Packets 0 In Discarded Packets 0 Out Forwarded Packets 5, Bytes 740 Unicast Packets 5, Bytes 740 Multicast Routed Packets 0, Bytes 0 Out Total Dropped Packets 0, Bytes 0 Out Scheduler Dropped Packets 0, Bytes 0 Out Policed Packets 0 Out Discarded Packets 0
Example 4
host1#show ipv6 int detail ATM4/0.15 line protocol Atm1483 is up, ipv6 is up Network Protocols: IPv6 Link local address: fe80::90:1aff:fe01:725
3-27
Internet address: 1::2/60 IP statistics: Rcvd: 0 local destination 0 hdr errors, 0 addr errors 0 unkn proto, 0 discards Sent: 0 generated, 0 no routes, 0 discards
ICMP statistics: Rcvd: 0 total, 0 errors 0 destination unreach, 0 admin unreach, 0 parameter problem 0 time exceeded, 0 pkt too big, 0 redirects 0 echo requests, 0 echo replies 0 rtr solicits, 0 rtr advertisements 0 neighbor solicits, 0 neighbor advertisements Group membership: 0 queries, 0 responses, 0 reductions Sent: 5 total, 0 errors 0 destination unreach, 0 admin unreach, 0 parameter problem 0 time exceeded, 0 pkt too big, 0 redirects 5 echo requests, 0 echo replies 0 rtr solicits, 0 rtr advertisements 0 neighbor solicits, 0 neighbor advertisements Group membership: 0 queries, 0 responses, 0 reductions Operational MTU 1500 Administrative MTU 0 Operational speed 100000000 Administrative speed 0 In Received Packets 0, Bytes 0 Unicast Packets 0, Bytes 0 Multicast Packets 0, Bytes 0 In Total Dropped Packets 0, Bytes 0 In Policed Packets 0 In Invalid Source Address Packets 0 In Error Packets 0 In Discarded Packets 0 Out Forwarded Packets 5, Bytes 740 Unicast Packets 5, Bytes 740 Multicast Routed Packets 0, Bytes 0 Out Total Dropped Packets 0, Bytes 0 Out Scheduler Dropped Packets 0, Bytes 0 Out Policed Packets 0 Out Discarded Packets 0
3-28
Interface ATM4/0.15
Example 5
IPv6-Address 1::2/60 Status up Protocol up Description
Prefix IPv6 address prefix Length prefix length Type protocol type (possible route types include: Bgp, Connect, Idrp, Igrp,
Invalid, Isis, Ndisc, Ospf, Other, Rip, Static)
Dst (or Distance) administrative distance for the route Met (or Metric) number of hops Intf (or Interface) interface type and interface specifier NextHop configured next hop address for this interface IfIndex autogenerated value for the next-hop interface
Example 1
IP profile profile name Unnumbered interface specifier for the unnumbered interface or none if the
interface is numbered
Router router name Access Route Addition enabled or disabled Source-Address Validation enabled or disabled Administrative MTU MTU size
host1#show ip profile foo IPv6 profile : foo Unnumbered interface on : loopback 0 Router Access Route Addition Source-Address Validation Administrative MTU : r1 : Enabled : Disabled : 0
Example
3-29
Local router ID router ID of the local router Local AS AS number of local router Administrative state administrative state of the protocol Operational state operational state of the protocol Shutdown in overload state status of shutdown in an overload state Default local preference default value for local preference IGP synchronization indicates whether synchronization is enabled or disabled BGP
Default originate indicates whether network 0.0.0.0 is redistributed into Auto summary status of autosummary Always compare MED status of always compare MED Compare MED within confederation status of compare MED within a
confederation
Advertise inactive routes status of Advertise inactive routes Advertise best external router to internal peers status of Advertise best
external router to internal peers
Enforce first AS status of Enforce first AS Missing MED as worst status of Missing MED as worst Route flap dampening status of route dampening Log neighbor changes status of Log neighbor changes Fast External Fallover status of Fast External Fallover Maximum received AS-path length maximum AS-path length received BGP administrative distances external, internal, and local BGP administrative distances Client-to-client reflection whether client-to-client reflection is configured Cluster ID cluster IDs Route-target filter status of Route-target filter Default IPv4-unicast status of Default IPv4-unicast Local-RIB version RIB version Local-FIB version FIB version Neighbor (s) BGP neighbors (if configured) Networks for which routing is occurring Aggregate Generation for Unicast Routes
host1#show ipv6 protocols Routing Protocol is "bgp 100" Local router ID 1.1.1.1, local AS 100 Administrative state is Start Operational state is Up
Example 1
3-30
Shutdown in overload state is disabled Default local preference is 100 IGP synchronization is enabled Default originate is disabled Auto summary is enabled Always compare MED is disabled Compare MED within confederation is disabled Advertise inactive routes is disabled Advertise best external route to internal peers is disabled Enforce first AS is disabled Missing MED as worst is disabled Route flap dampening is disabled Log neighbor changes is disabled Fast External Fallover is disabled No maximum received AS-path length BGP administrative distances are 20 (ext), 200 (int), and 200 (local) Client-to-client reflection is enabled Cluster ID is 1.1.1.1 Route-target filter is enabled Default IPv4-unicast is enabled Local-RIB version 8. FIB version 8. Neighbor(s): No neighbors are configured Routing for Networks: Aggregate Generation for Unicast Routes:
Example 2
host1#show ipv6 protocols summary bgp 100
To protocol that routes are distributed into From protocol that routes are distributed from status redistribution status route map name name of the route map
host1#show ipv6 redistribute To bgp, From static is enabled with route map foo To bgp, From connected is enabled without a route map
Example
3-31
Dst (or Distance) administrative distance for the route Met (or Metric) number of hops Intf (or Interface) interface type and interface specifier NextHop the configured next hop address for this interface IfIndex an autogenerated value for the next hop interface
Example 1
Type Dst/Met Intf loopback1 ATM4/0.15 ATM4/0.15 ATM4/0.15
host1#show ipv6 route Prefix/Length 1::/16 5::/64 6::/64 2003::/16 -------------------------------- ------- ------- -------------------Connect 0/0 Connect 0/0 Static Static 1/0 1/0
Example 2
host1#show ipv6 route summary 6 total routes, 408 bytes in route entries 0 isis routes 0 rip routes 2 static routes 2 connected routes 0 bgp routes 0 ospf routes 2 other internal routes 0 access routes 0 internally created access host routes Last route added/deleted: null by Local At WED JAN 22 2003 09:53:33 UTC
Example 3
host1#show ipv6 route 5::/64 detail 5::/64 Type local Distance 0 Metric 0 NextHop 1::2 IfIndex 10007 Intf ATM4/0.15
3-32
Prefix IP address prefix Length prefix length Next Hop IP address of the next hop Dst administrative distance of the route Met number of hops Interface interface type and interface specifier
Example
NextHop 5::2 5::1 Dst/Met 1/0 1/0 Interface ATM4/0.15 ATM4/0.15
IPv6 statistics (Routes) number of routes currently in the routing table ICMPv6 statistics Rcvd:
total total number of received packets errors error packets received destination unreach packets received with destination unreachable
3-33
admin unreach packets received because the destination was administratively unreachable (for example, the packet encountered a firewall filter) parameter problem packets received with parameter errors time exceeded packets received with time-to-live exceeded pkt too big number of packet-too-big messages received that indicate a packet was too large to forward because of the allowed MTU size redirects received packet redirects echo requests echo request (ping) packets echo replies echo replies received rtr solicits number of received router solicitations rtr advertisements number of received router advertisements neighbor solicits number of received neighbor solicitations neighbor advertisements number of received neighbor advertisements Group membership (queries, responses, reductions) number of queries, responses, and reduction requests received from within a group to which the interface is assigned
3-34
3-35
3-36
Configuring NAT
4
Page 4-2 4-2 4-4 4-5 4-6 4-7 4-7 4-8 4-8 4-8 4-9 4-10 4-15 4-15 4-23
This chapter describes how to configure Network Address Translation (NAT) on your E-series router.
Topic Overview NAT Configurations Network and Address Terms Understanding Address Translation Address Assignment Methods Order of Operations References Before You Begin Limiting Translation Entries Specifying Inside and Outside Interfaces Defining Static Address Translations Defining Dynamic Translations Clearing Dynamic Translations Configuration Examples Monitoring NAT
4-2
Overview
The Internet faces the challenge of conserving IP address space while continuing to provide scalability in routing. Network Address Translation (NAT) helps to address these challenges by allowing the conservation of registered IP addresses within private networks and simplifying IP addressing management tasks through a form of transparent routing. NAT allows you to translate IP addresses between two address realms (for example, between an intranet network that uses private, not publicly routable addresses and the Internet or between two overlapping, private networks). On receiving incoming traffic, the IP addresses are translated back for delivery within the private network. Using NAT at the edge of your intranet provides the following advantages: Allows unregistered private addresses to connect to the Internet by translating those addresses into globally registered IP addresses Increases network privacy by hiding internal IP addresses from external networks
NAT Configurations
You can configure NAT in several different ways. Each configuration method provides a solution for different configuration requirements. These methods include: Traditional NAT Bidirectional NAT Twice NAT
Traditional NAT
Traditional NAT (sometimes called outbound NAT) is the most common method of using address translation. Its primary use is translating private addresses to legal addresses for use in an external network. When configured for dynamic operation, hosts within a private network can initiate access to the external (public) network, but external nodes on the outside network cannot access the private network. Addresses on the private network and public network must not overlap. Also, route destination advertisements on the public network (for example, the Internet) can appear within the inside network, but the
4-3
NAT router does not propagate advertisements of local routes that reference private addresses out to the public network. Two types of traditional NAT exist basic NAT and NAPT.
Basic NAT
Basic NAT provides translation for IP addresses only (called a simple translation) and places the mapping into a NAT table. In other words, for packets outbound from the private network, the NAT router translates the source IP address and related fields (for example, IP, TCP, UDP, and ICMP header checksums). For inbound packets, the NAT router translates the destination IP address (and related checksums) for entries that it finds in its translation table.
Caution: Although it is the simplest and most common, basic NAT is the least secure translation method. By not defining the translation to the port level, and accepting return information on any port, basic NAT can leave private hosts open to port access.
NAPT
Network Address Port Translation (NAPT) extends the level of translation beyond that of basic NAT; it modifies both the IP address and the transport identifier (for example, the TCP or UDP port number, or the ICMP query identifier) and places the mapping into the translation table (this entry is called an extended translation). This process combines the transport identifiers and addresses of any number of private hosts into one transport identifier of one or more external addresses. Similar to basic NAT, for outbound packets, NAPT translates the source IP address, source transport identifier, and related checksum fields. For inbound packets, NAPT translates the destination IP address, destination transport identifier, and checksum fields.
Bidirectional NAT
Bidirectional (or two-way) NAT uses traditional NAT in conjunction with the Domain Name System Application Level Gateway (DNS-ALG). When using bidirectional NAT, hosts can initiate sessions from both the private network and the public network. The translation, installed by DNS, maps private network addresses to globally unique addresses, statically or dynamically, as hosts establish connections in either direction. Hosts in the public network can access hosts in the private network by using DNS address resolution. This requires an end-to-end unique fully qualified domain name (FQDN) for
4-4
each host. In other words, the NAT router intercepts any DNS message (using the DNS-ALG) and assigns a global address to reach the intended host. When a public (outside) host initiates a session with a private host, the NAT router intercepts the packet and substitutes the advertised public address with the actual private (inside) address. On the return path the NAT router replaces the local private address (now the source) with the advertised public host address. Some additional configuration may be required to allow public access from the Internet to a DNS server that resides in the private domain (see Bidirectional NAT Example on page 4-17). The same address space requirements and routing restrictions apply to bidirectional NAT as were described for traditional NAT. The difference between these two methods is that the DNS exchange may create entries within the translation table.
Twice NAT
In twice NAT, both the source and destination addresses are subject to translation as packets traverse the NAT router. For example, you would use twice NAT when you are connecting two networks in which all or some addresses in one network overlap with addresses in another network (whether the network is private or public).
4-5
The terms local and global refer to where the address appears on the NAT network.
Inside Local Addresses
The inside local address is a configured IP address that is assigned to a host on the inside network. Addresses may be globally unique (not requiring translation), allocated from the private address space defined in RFC 1918, or officially allocated to some other organization.
Inside Global Addresses
The inside global address is the translated IP address of an inside host as seen by an outside host and network. Addresses may be allocated from a globally unique address space (often provided by the ISP, if the inside address is connected to the global Internet).
Outside Local Addresses
The outside local address is the translated IP address of an outside host as it appears to the inside network. Addresses may be globally unique (not requiring translation), allocated from the private address space defined in RFC 1918, or officially allocated to some other organization.
Outside Global Addresses
The outside global address is the configured, publicly routable IP address assigned to a host on the outside network.
Inside source translation is the most commonly used in NAT configuration. In this method, the NAT router performs translation between an inside (private) network address and an outside network address (for example, the Internet). The NAT router replaces the private source address with a globally unique address (either statically or dynamically). When the external destination responds, the NAT router, after successfully locating the address translation in its translation table, untranslates the global address (now the destination address) back to the local, private address.
4-6
You use inside source translation in traditional and bidirectional NAT configurations.
Outside Source Translation
Outside source translation is less often used in NAT configuration because you are configuring the translation of an outside source to access an inside network. Normally, outside hosts have globally unique IP addresses, making translation unnecessary. You use outside source translation along with inside source translation to configure translation in both directions, from both sides of the NAT router (not just translation of outbound information and untranslation of returning information).
Note: Dynamic outside source translations are established by inbound traffic.
Cases that require this type of translation method occur in twice NAT configurations that set up translation between two networks that contain nonunique or not publicly routable IP addresses (for example, two separate networks that use overlapping IP address blocks).
You enter static translations as direct configuration settings that remain in the translation table until you remove them. You use static translations when you must initiate connections from both the inside and outside interfaces or when the translation is not subject to change.
Dynamic Translations
Dynamic translations use access list rules (to determine whether or not to apply NAT to incoming traffic) and NAT address pools (from which a NAT translation can use one of several available IP addresses). You use dynamic translation when you want the NAT router to initiate and manage address translation and session flows between address realms on demand.
4-7
Order of Operations
Table 4-1 displays the order of operations for both inside-to-outside and outside-to-inside translation.
Table 4-1 NAT Order of Operations Inside-to-Outside Translation 1 Inside (privately addressed) traffic enters the router on an interface marked as inside. A route lookup is performed. If the next interface is marked as outside, the router sends the traffic to the server module. 3 The server module performs the appropriate translation. The router forwards the packet to the appropriate egress line card. The line card sends the packet as outbound traffic using a globally unique source address (inside source translation), destination address (outside source translation), or ports (NAPT). 4 Outside-to-Inside Translation 1 2 Traffic from the outside, public domain enters the router. All traffic from an interface that is marked outside, whether or not it requires NAT, is sent to the server module. The server card looks for an associated NAT match. If the server module:
2 3
4 5 6
References
For more information about IP, consult the following resources: RFC 2663 IP Network Address Translator (NAT) Terminology and Considerations (August 1999) RFC 2694 DNS extensions to Network Address Translators (DNS_ALG) (September 1999) RFC 2993 Architecture Implications of NAT (November 2000) RFC 3022 Traditional IP Network Address Translator (Traditional NAT) (January 2001) RFC 3027 Protocol Complications with the IP Network Address Translator (January 2001)
4-8
4-9
You use the ip nat inside source static command to create static translations from a local IP address to a global IP address, and to untranslate the destination address when a packet returns from the outside network to the inside network. When configuring traditional NAT (both basic NAT and NAPT), you need only use this command alone. However, when configuring twice NAT, you must also use the ip nat outside source static command. The ip nat inside source static command creates a simple (IP address only) or extended (IP address, protocol, and port) entry in the translation table that maps the two addresses.
ip nat inside source static
Use to create static translations for a source address when routing a packet from the inside network to the outside network, and to untranslate the destination address when a packet returns from the outside network to the inside network. Example 1 simple NAT table entry host (config) # ip nat inside source static 10.1.2.3 171.69.68.10 Example 2 extended NAT table entry host (config) # ip nat inside source static tcp 10.1.2.3 15 171.69.68.10 30 Use the no version to remove the static translation and purge the associated translations from the translation table.
Note: Creating a static translation with the ip nat inside source static command allows any outside host to contact the inside host by using the inside global address of the inside host. This means that a static translation can be initiated in either direction.
4-10
Less commonly used, outside source translation allows you to set up translation between two nonunique or not publicly routable networks (for example, two separate networks that use overlapping IP address blocks). This command creates a simple (IP address only) or extended (IP address, protocol, and port) entry in the translation table that maps the two addresses.
ip nat outside source static
Use to translate the source address when routing a packet from the outside network to the inside network, and to untranslate the destination address when a packet travels from the inside network to the outside network. Example 1 simple NAT table entry host (config) # ip nat outside source static 171.69.68.10 10.1.2.3 Example 2 extended NAT table entry host (config) # ip nat outside source static tcp 171.69.68.10 56 10.1.2.3 24 Use the no version to remove the static translation and purge the associated translations from the translation table.
Note: Creating a static translation with the ip nat outside source static command allows any inside host to contact the outside host by using the address of the outside host. This means that a static translation can be initiated in either direction.
Before creating a dynamic translation, you should create the access list rules that you plan to apply to the translation. For information about configuring access lists, see Chapter 1, Configuring Routing Policy. The router evaluates multiple commands for the same access list in the order they were created. An undefined access list implicitly contains a
4-11
rule to permit any. A defined access list implicitly ends with a rule to deny any.
Note: The access lists do not filter any packets; they determine whether or not the packet requires translation.
For reference, you can configure an access list using the access-list command.
access-list
Use to define an IP access list to permit or deny translation based on the addresses in the packets. Each access list is a set of permit or deny conditions for routes that are candidates for translation (that is, moving from the inside network to the outside network). A zero in the wildcard mask means that the route must exactly match the corresponding bit in the address. A one in the wildcard mask means that the route does not have to match the corresponding bit in the address. Use the log keyword to log an Info event in the ipAccessList log whenever matching an access-list rule. Use the no version to delete the access list (by not specifying any other options), the specified entry in the access list, or the log for the specified access list or entry (by specifying the log keyword).
Before you can configure dynamic translation, you should first create an address pool. An address pool is a group of IP addresses from which the NAT router obtains an address when performing a dynamic translation. You can create address pools with either a single range or multiple, nonoverlapping ranges. When creating a single range, you specify the optional starting and ending IP address for the range in the root ip nat pool command. However, when creating multiple, nonoverlapping ranges, you omit the optional starting and ending IP address in the root ip nat pool command; this launches the IP NAT Pool Configuration mode. The config-ipnat-pool mode uses an address command to specify a range of IP addresses. You can repeat this command to create multiple, nonoverlapping ranges. When creating or editing address pools, keep the following in mind: Specified-range starting and ending IP addresses are inclusive and must reside on the same subnet.
4-12
Address ranges are verified against other ranges in the specified pool to exclude range overlaps. Additional verification occurs when the pool is associated with a translation rule and the router can determine whether the rule is inside or outside. You cannot change the network mask if configured ranges already exist. The subnetwork mask excludes host addresses that end in either all zeros or all ones. These addresses are reserved as broadcast addresses. You cannot remove an address pool if the pool is part of a translation rule or if any of the ranges within the pool are still in use. You must issue the clear ip nat translation command to clear any ranges before you can remove the pool to which they apply.
ip nat pool
Use to create address pools. Example 1 creating a single, continuous range host (config) #ip nat pool singlerange 171.69.40.1 171.69.40.100 prefix-length 30 Example 2 creating a multiple, discontinuous range host (config) #ip nat pool multiplerange prefix-length 30 host (config-ipnat-pool)#address 171.69.40.110 171.69.40.115 host (config-ipnat-pool)#address 171.69.40.116 171.69.40.120 host (config-ipnat-pool)#exit The no version removes the range designation.
address
Use to specify a range of IP addresses in IP NAT Pool Configuration mode; you can repeat the address command to create multiple ranges. Example host (config-ipnat-pool)#address 171.69.40.110 171.69.40.115 The no version removes the range for the current address pool.
The CLI allows you to define dynamic translations for inside and outside sources.
Caution: You must mark interfaces that participate in NAT translation as on the inside or the outside network. See Specifying Inside and Outside Interfaces for details.
You can create dynamic translation rules for either an inside source translation or an outside source translation. The router determines if source addresses from a named access list require translation. If they do,
4-13
the router translates the addresses by substituting addresses from a specified address pool. When creating dynamic translations, keep the following in mind: You can associate a list with one pool at any given time. Associating a list with a different pool replaces the previous association. The optional overload keyword for inside source translations specifies that the router employ NAPT translation. You can configure dynamic NAPT for inside source translation only; you cannot configure dynamic NAPT for outside source translation. An access list mismatch results in the NAT routers not translating the packet. An empty pool results in the NAT routers dropping the packet. Access lists and pools do not have to exist when you are defining dynamic translations; you may create them after defining the dynamic translations.
Creating Dynamic Inside Source Translations
Use the ip nat inside source list command to create a dynamic inside source translation rule. This command dynamically translates inside local source addresses to inside global addresses when packets from the inside network are routed to the outside network (and vice versa when a packet returns before a translation table entry times out). Use the overload keyword to specify that the translation create NAPT entries (protocol, port, and address) in the NAT table. The no version of this command removes the dynamic translation rule, but does not remove any previously created translations (resulting from the rule evaluation) from the translation table. To remove active translations from the translation table, see Clearing Dynamic Translations on page 4-15.
ip nat inside source list
Use to create dynamic translations for a source address when routing a packet from the inside network to the outside network, and to translate the destination address when a packet returns from the outside network to the inside network. Example host (config) #ip nat inside source list translation1 pool pool1 Use the overload keyword to specify that the translation create extended entries (protocol, port, and address) in the translation table for NAPT. Use the no version to remove the dynamic translation rule; this command does not remove any dynamic translations from the translation table.
4-14
Use the ip nat outside source list command to create a dynamic outside source translation rule. This command dynamically translates outside global source addresses to outside local addresses when packets are routed from the outside network to the inside network (and untranslates the destination address when a packet returns before a translation table entry times out). The no version of this command removes the dynamic translation rule, but does not remove any previously created translations from the translation table. To remove active translations from the translation table, see Clearing Dynamic Translations.
ip nat outside source list
Use to create dynamic translations for a source address when routing a packet from the outside network to the inside network, and to translate the destination address when a packet returns to the outside network from the inside network. Example host (config) # ip nat outside source list translation1 pool pool1 Use the no version to remove the dynamic translation rule; this command does not remove any dynamic translations from the translation table.
Dynamic translations in the translation table age out if the router does not use them. Use the ip nat translation command to change or disable NAT translation time-outs. You can set the aging time to some value (in seconds) for any one of the specified timers: timeout Dynamic simple translations, except for overloaded translations; default is 86400 seconds (24 hours). udp-timeout UDP protocol extended translations; default is 300 seconds (5 minutes). dns-timeout DNS-created protocol translations; default is 120 seconds. These dynamic translations are installed by the DNS but not yet used; as soon as the translation is used, the router applies the timeout. tcp-timeout TCP protocol extended translations; default is 86400 seconds (24 hours). finrst-timeout TCP connections terminated with reset (RST) or bidirectional finished (FIN) flags; default is 120 seconds. This time-out
4-15
applies only to TCP overload translations. It more gracefully ages out closed translations. icmp-timeout ICMP protocol extended translations; default is 300 seconds (5 minutes). All time-outs for this command support a maximum value of 2147483 seconds (about 25 days). The no version of this command resets the timer to its default value.
ip nat translation
Use to change translation time-outs for old translations in the translation table. All time-outs for this command support a maximum value of 2147483 seconds (about 25 days). Example host1 (config) # ip nat translation timeout 23200
Configuration Examples
This section contains NAT configuration examples for a single virtual router configuration and NAT translation between two virtual routers.
NAPT Example
This example illustrates a NAPT configuration for a private network with two inside sub-networks, a field office, and a corporate office.
4-16
Both offices use private addresses. The corporate office has a dual T-3 link and a public FTP server that has a global address (that is, it does not need translation).
Virt blue 0
i Corporate HQ 10.10.2.0/24 Address pool: 192.32.6.10 192.32.6.12 Access list: permit 10.10.1.0 0.0.0.255 permit 10.10.2.0 0.0.0.255 Static translations: 190.22.8.18.21 190.22.8.18 :21
The address pool consists of three addresses (the number of addresses is small, since NAPT is used). Addresses matching the private address spaces of the corporate and field subnetworks are translated to global addresses from the pool using NAPT. To configure this example:
1
host1:blue(config)#interface serial 1/1 host1:blue(config-interface)#ip nat inside host1:blue(config-interface)#exit host1:blue(config)#interface serial 1/2 host1:blue(config-interface)#ip nat inside host1:blue(config-interface)#exit
g013229
4-17
Create a static nil-translation for the FTP server on the corporate network.
host1:blue(config)#ip nat inside source static tcp 190.22.8.18 21 190.22.8.18 21
Create the access list for addresses eligible for dynamic translation.
host1:blue(config)#access-list justcorp permit 10.10.1.0 0.0.0.255 host1:blue(config)#access-list justcorp permit 10.10.2.0 0.0.0.255
Configure a null route for the inside global addresses (prevents routing loops when no matching translation exists)
host1:blue(config)#ip route 192.32.6.0 255.255.255.252 null 0
All hosts using private addresses in both the field office and the corporate office must have their addresses translated to one of the three addresses in the pool. Because we are using NAPT, the interface can use only one pool address, depending on the number of inside hosts attempting to access the outside at any given time.
Bidirectional NAT Example
In this example, outside hosts can initiate conversations with inside hosts through the use of a DNS server that resides on the inside network. The inside realm uses basic NAT. The inside network uses a mix of private subnetwork address space (192.168.22/24) and registered public addresses.
4-18
DNS 192.168.22.2
Create the access list for addresses eligible for dynamic translation (that is, private addresses).
host1:blue(config)#access-list entA permit 192.168.22.0 0.0.0.255
g013230
Address pool: 192.32.6.2 192.32.6.63 Access list: permit 192.168.22.0 0.0.0.255 Static Translations: 192.168.22.2 192.32.6.1
4-19
Configure a null route for the inside global addresses (to prevent routing loops when no matching translation exists).
host1:blue(config)#ip route 192.32.6.0 255.255.255.192 null 0
Twice NAT is often useful when the inside network is using a nonprivate address space (unregistered usage of global address space) and desires connectivity to the public network. Inside local addresses need to be translated to legal global addresses. Legal addresses from the outside that overlap those used on the inside network need to be translated to unused and recognizable addresses in the inside network. Both inside source and outside source translations must be configured on the NAT router. In this example, the inside network is using the unregistered global address space of 15.12.0.0/16. Outside hosts whose addresses overlap with this sub-network that wish to access the inside network will need their global addresses translated.
Outbound address pool: 12.220.1.0 12.220.255.255 Outbound access list: permit 15.12.0.0 0.255.255 Inbound address pool: 10.1.32.1 10.1.32.255 Inbound access list: 15.12.0.0 0.0.255.255
Figure 4-3 Twice NAT example
g013231
4-20
Create the access list for addresses eligible for dynamic translation.
host1:blue(config)#access-list entAout permit 15.12.0.0 0.0.255.255
Note: Using a private address range avoids any overlap with the public network.
Configure the access list for global addresses that overlap with inside addresses.
host1:blue(config)#access-list entAin permit 15.12.0.0 0.0.255.255
Note: An inside host cannot directly access hosts on the outside network that use addresses that overlap with the inside subnetwork. However, by using DNS name resolution to reference translated addresses, inside hosts can access these outside hosts.
4-21
Cross-VRF Example
In MPLS VPN configurations, it may be desirable to offer public Internet access to VPN subscribers. MPLS VPNs are enabled through the use of VRFs. If a VPN is using a private or overlapping address space, we can use NAT to enable access to the public network since NAT is both VR and VRF aware. In this example, we will use the subscriber interface feature of the router in conjunction with NAT to connect the VPNs to the public network.
VR1 Enterprise A 10.16.5.0/24 VRF11
g013232
Inside
0utside DA=128.13.44.0/24 Address pool: 128.13.44.1 128.13.44.255 Access List: permit 10.16.5.0 0.0.0.255
VRF11 is the local (this PE) representation of the MPLS VPN and connects enterpriseA to the VPN. EnterpriseA communicates to VRFs in other PE devices (the rest of the VPN) through RFC2547bis (MPLS VPNs). The VR, of which the VRF is administratively a member, represents the public network. The interface to enterpriseA is marked as an inside interface. The normal steps for configuring inside source translation are applied. A subscriber interface is created off of the uplink to the core network and anchored in the VRF. A DA-based demultiplex matching the inside global address range is configured on the subscriber interface. The subscriber interface is marked as an outside interface. To configure this example:
1
4-22
Set the primary interface to DA-type demultiplex (for subsequent shared interfaces).
host1:vr1(config)#interface atm 12/0.101 host1:vr1(config-interface)#ip demux-type da-prefix host1:vr1(config-interface)#exit
Create the access list for addresses eligible for dynamic translation.
host1:vr1:vrf11(config)#access-list entA permit 10.16.5.0 0.0.0.255
Configure a group of destination prefixes with which the device can communicate on the public network.
host1:vr1:vrf11(config-interface)#ip destination-prefix 128.13.44.0 255.255.255.0
11 Install a null route to avoid routing loops to the inside global address.
host1:vr1:vrf11(config)#ip route 128.13.44.0 255.255.255.0 null 0
4-23
Monitoring NAT
This section explains how to view NAT statistics, NAT translation entries, and determine what IP interfaces have a NAT inside or outside setting.
Displaying Translation Statistics
The show ip nat statistics command displays statistics that apply to NAT operation.
show ip nat statistics
Use to display internal NAT statistics. Field descriptions
4-24
Example
host1#show ip nat statistics NAT database statistics for virtual router vr1: -------------------------------------------------------------Last dynamic allocation failure: normal, successful completion Dynamic entry limit was reached 0 times Current static translation entries: ----------------------------------------Inside Source Simple: Outside Source Simple: Inside Source Extended: Outside Source Extended: Dynamic Translation Type ---------------------------Inside Source Simple Outside Source Simple Inside Source Extended 1 1 2 2 Current ---------2 2 2 Peak ---------2 2 2 Accumulated ----------2 2 2 Failed ---------0 0 0
The show ip nat translations command displays current translations that reside in the translation table. Simple translation entries appear with inside/outside and local/global address information. Extended entries appear with added protocol and port numbers (or query ID). Using verbose mode additionally provides the time since creation and time since last use for each translation entry.
show ip nat translations
Use to display current translations that reside in the NAT translation table. Field descriptions
Prot protocol (TCP, UDP, or ICMP) for this translation entry; this field
appears only for extended table entries
Inside local inside local IP address for this translation entry; this field also
provides the port number, separated by a colon ( : ) for extended entries
Inside global inside global IP address for this translation entry; this field
also provides the port number, separated by a colon ( : ) for extended entries
Outside global outside global IP address for this translation entry; this field
also provides the port number, separated by a colon ( : ) for extended entries
Outside local outside local IP address for this translation entry; this field
also provides the port number, separated by a colon ( : ) for extended entries
4-25
Time since creation amount of time elapsed since the translation entry
appeared in the translation table
Time since last use amount of time elapsed since the translation entry was
used
Prot Inside local 20.0.0.3 21.0.0.3 21.0.0.4 ------UDP UDP UDP TCP UDP TCP --22.0.0.4:63 22.0.0.3:63 --20.50.0.3:87 20.50.0.3:80
Example 1
Inside global 30.0.0.3 30.208.0.3 30.208.0.4 --------30.224.0.3:4097 30.224.0.3:4096 --30.50.0.3:8108 30.50.0.3:8008 Outside global ------50.0.0.3 51.0.0.3 51.0.0.4 50.50.0.3:87 ----50.50.0.3:80 ----Outside local ------70.0.0.3 70.208.0.3 70.208.0.4 70.50.0.3:8108 ----70.50.0.3:8008 -----
Example 2
Time Time since last use 00:00:01 00:00:01 00:00:01 Never 00:00:01 00:00:01 Never 00:00:01 00:00:01 Never Never Never
host1#show ip nat translation verbose Inside Prot Inside local 20.0.0.3 21.0.0.3 21.0.0.4 ------UDP UDP UDP TCP UDP TCP --22.0.0.4:63 22.0.0.3:63 --global 30.0.0.3 30.208.0.3 30.208.0.4 --------Outside global ------50.0.0.3 51.0.0.3 51.0.0.4 7 30.224.0.3: --4097 30.224.0.3: --4096 --50.50.0.3:8 70.50.0.3:8 00:03:10 0 20.50.0.3:87 30.50.0.3:8 --108 20.50.0.3:80 30.50.0.3:8 --008 --00:03:35 008 --00:03:35 --00:02:12 ------70.0.0.3 70.208.0.3 70.208.0.4 108 --00:02:12 Outside local since creation 00:04:50 00:02:12 00:02:12 00:03:24 00:01:44 00:01:44
4-26
Part 3
Configuring IP Multicasting
5
Page 5-2 5-3 5-4 5-4 5-4 5-5 5-6 5-8 5-15 5-29 5-34 5-59 5-74 5-74
IP multicasting allows a device to send packets to a group of hosts rather than to a list of individual hosts. This chapter describes how to configure IP multicasting on the E-series router.
Topic Overview References Before You Begin Enabling IP Multicasting Deleting Multicast Forwarding Entries Reverse-Path Forwarding Multicast Packet Forwarding Monitoring IP Multicast Settings IGMP IGMP Proxy PIM DVMRP BGP Multicasting Investigating Multicast Routes
5-2
Overview
IPv4 defines three types of addresses: unicast, broadcast, and multicast. Each type of address enables a device to send datagrams to selected recipients: A unicast address enables a device to send a datagram to a single recipient. A broadcast address enables a device to send a datagram to all hosts on a subnetwork. A multicast address enables a device to send a datagram to a specified set of hosts, known as a multicast group, in different subnetworks. Multicast IP packets contain a class D address in the Destination Address fields of their headers. A class D address is the IP address of a multicast group. Refer to Chapter 2, Configuring IP, and to IGMP, later in this chapter, for information about class D addresses. IP multicasting improves network efficiency by allowing a host to transmit a datagram to a targeted group of receivers. For example, a host may want to send a large video clip to a group of selected recipients. It would be time-consuming for the host to unicast the datagram to each recipient individually. If the host broadcasts the video clip throughout the network, network resources are not available for other tasks. The host uses only the resources it needs by multicasting the datagram. Routers use multicast routing algorithms to determine the best route and transmit multicast datagrams throughout the network. The E-series router supports a number of IP multicasting protocols on virtual routers (VRs). Each VR handles the interoperability of IP multicasting protocols automatically. To start multicast operation on a VR, you access the context for that VR and configure the desired protocols on the selected interfaces. Table 5-1 lists the protocols the router supports and the function of each protocol.
Table 5-1 Function of multicast protocols on a router Protocol Internet Group Membership Protocol (IGMP) Protocol Independent Multicast Protocol (PIM) Distance Vector Multicast Routing Protocol (DVMRP) Function Discovers hosts that belong to multicast group.
Discovers other multicast routers that should receive multicast packets. Routes multicast datagrams within autonomous systems.
5-3
The router supports up to 16,384 multicast forwarding entries (multicast routes) at any time.
References
This implementation of IP multicasting meets the following specifications: A traceroute Facility for IP Multicast draft-ietf-idmr-traceroute-ipm-07.txt (January 2001 expiration) An Overview of Source-Specific Multicast (SSM) draft-ietf-ssm-overview-05.txt (November 2003 expiration) Distance Vector Multicast Routing Protocol draft-ietf-idmr-dvmrp-v3-10.txt (February 2001 expiration) IGMP-based Multicast Forwarding (IGMP Proxying) draft-ietf-magma-igmp-proxy-00.txt (May 2002 expiration) Protocol Independent Multicast MIB for IPv4 draft-ietf-idmr-pim-mib-10.txt (July 2000 expiration) RFC 2236 Internet Group Management Protocol, Version 2 (November 1997) RFC 2362 Protocol Independent Multicast-Sparse Mode (PIM-SM): Protocol Specification (June 1998) RFC 2858 Multiprotocol Extensions for BGP-4 (June 2000) RFC 2932 IPv4 Multicast Routing MIB (October 2000) RFC 2933 Internet Group Management Protocol MIB (October 2000) RFC 3376 Internet Group Management Protocol (October 2002) Source-Specific Multicast for IP draft-ietf-ssm-arch-03.txt (November 2003 expiration) Source-Specific Protocol Independent Multicast in 232/8 draft-ietf-mboned-ssm232-05.txt (November 2003 expiration)
5-4
Note: IETF drafts are valid for only 6 months from the date of issuance. They must be considered as works in progress. Please refer to the IETF Web site at http://www.ietf.org for the latest drafts.
Enabling IP Multicasting
In this implementation, IP multicasting works on VRs. By default, IP multicasting is disabled on a VR. To enable IP multicasting on a VR, access the context for a VR, and then issue the ip multicast-routing command.
ip multicast-routing
Use to enable IP multicast routing on the VR. By default, IP multicasting is disabled on the VR. In the disabled state, all multicast protocols are disabled, and the VR forwards no multicast packets. Example
host1(config)#ip multicast-routing
There is no no version.
5-5
Reverse-Path Forwarding
IP multicasting uses reverse-path forwarding (RPF) to verify that a router receives a multicast packet on the correct incoming interface. The RPF algorithm allows a router to accept a multicast datagram only on the interface from which the router would send a unicast datagram to the source of the multicast datagram. Figure 5-1 illustrates RPF in a network where all routers run dense-mode multicasting protocols. Routers that receive a multicast datagram associated with a group for which they have no hosts return prune messages upstream toward the source of the datagram. Upstream routers do not forward subsequent multicast datagrams to routers from which they receive prune messages. This technique creates a source-rooted tree (SRT), also known as a shortest-path tree (SPT) a structure that connects the source of a datagram to subnetworks of a multicast group through the shortest path. For more information on dense-mode protocols, see PIM DM, later in this chapter.
Prune
When all routers in a network are running sparse-mode multicast protocols, the routers forward a multicast datagram only to other routers with downstream members of the groups associated with the datagram. Routers running sparse-mode protocols forward multicast traffic only when explicitly requested to do so, whereas routers running dense-mode protocols forward multicast traffic except when explicitly requested not to do so. For more information on sparse-mode protocols, see PIM SM, later in this chapter.
g013115
Prune
5-6
RPF may take place through static routes, dynamic routes, or local subnets. You can define static routes for this purpose and view information associated with RPF routes.
show ip rpf-route
Use to display routes that the router can use for RPF. Specify the IP address and the network mask to view routes to a particular destination. Specify a unicast routing protocol to view routes associated with that protocol.
5-7
Field descriptions
Proto
Connect subnet directly connected to the interface Static static route protocol-name route learned through the named protocol
Prefix value of the logical AND of the IP address of the destination network
and the subnet address
Length length of the subnet mask in bits Next Hop IP address of the next hop for this route Dist distance configured for this route Met learned or configured cost associated with this route Intf type of interface and interface specifier for the next hop. For details about interface types and specifiers, see E-Series Command Reference Guide, About This Guide.
Example
Next Hop: 10.5.3.149 21.1.1.2 21.1.1.2 25.25.25.25 Dist/Met: 0/1 1/1 0/1 0/1 Intf: fastEthernet0/0 atm4/0.1 atm4/0.1 loopback0
By default, the router accepts multicast packets for each (S,G) pair on an incoming interface (IIF), which satisfies the RPF check (RPF-IIF). When the router performs RPF checks, only the interface that first accepts traffic for an (S,G) pair accepts subsequent traffic for that pair. If traffic stops coming on that interface and starts arriving on another interface, the router does not accept or forward the traffic. Some network configurations require the router to accept traffic on any interface that is the next-hop point of an equal-cost multipath (ECMP) route. To do so, you can disable the RPF check on a specified set of (S,G) pairs by issuing the ip multicast-routing disable-rpf-check command. When you disable RPF checks, the router accepts multicast packets for (S,G) pairs on any incoming interface of an ECMP route. When the router has added the new route to its multicast routing table, it will then accept multicast packets for these pairs on any interface in the virtual router and forward them accordingly. Multicast routes established before you issue this command are not affected.
5-8
ip multicast-routing disable-rpf-check
Use to disable RPF checks for specified (S,G) pairs. Specify a standard IP access list that defines the (S,G) pairs. Example
host1(config)#ip multicast-routing disable-rpf-check boston-list
Use the no version to restore the default situation, in which the router performs RPF checks for all (S,G) pairs.
You can use the ip route-type command to specify that IS-IS, OSPF, or RIP routes should be available for RPF. Routes available for RPF appear in the multicast view of the routing table.
ip route-type
Use to specify whether IS-IS, OSPF, or RIP routes are available only for unicast forwarding, only for multicast reverse-path forwarding checks, or for both. Use the show ip rpf-routes command to view the routes available for RPF. By default, IS-IS, OSPF, and RIP routes are available both for unicast forwarding and multicast reverse-path forwarding checks. Example
host1(config)#router ospf host1(config-router)#ip route-type multicast
There is no no version.
5-9
Use the statistics option to display statistics for packets received through all multicast forwarding entries that the router has added to the multicast routing table and established on the appropriate line modules. Field descriptions
(S,G) IP addresses of the multicast source and the multicast group Uptime length of time in days minutes:hours:seconds format that the (S,G)
pair has been active
RPF Route IP address and prefix of the RPF route Incoming interface type and specifier of the incoming interface for the RPF
route
5-10
Example
host1#show ip mroute IP Multicast Routing Table (S, G) uptime d h:m:s[, expires d h:m:s] RPF route: addr/mask, incoming interface neighbor address, owner route-owner Incoming interface list: Interface (addr/mask), State/Owner [(RPF IIF)] Outgoing interface list: Interface (addr/mask), State/Owner, Uptime/Expires (10.0.10.1, 225.1.1.1) uptime 0 00:10:31 RPF route: 10.0.10.0/24, incoming interface atm5/3.1010 neighbor 10.0.10.8, owner Local Incoming interface list: atm5/3.1010 (10.0.10.8/24), Accept/Pim (RPF IIF) Outgoing interface list: atm5/1.108 (108.0.8.5/8), Forward/Pim, 0 00:02:52/never atm5/1.109 (107.0.8.4/8), Forward/Pim, 0 00:10:07/never
5-11
See show ip mroute command for descriptions of all fields except the
statistics field.
Statistics
Note: The display shows statistics after the VR has added the multicast route to the multicast routing table and established the route on the appropriate line module. Statistics for interactions before the route is established on the line module are not displayed.
Received number of packets and bytes that the VR received for this multicast route Forwarded number of packets and statistics that the VR has forwarded for this multicast route Rcvd on OIF number of packets and statistics that the VR has received on the OIF for this multicast route
#show ip mroute statistics IP Multicast Routing Table (S, G) uptime d h:m:s[, expires d h:m:s] RPF route: addr/mask, incoming interface neighbor address, owner route-owner Incoming interface list: Interface (addr/mask), State/Owner [(RPF IIF)] Outgoing interface list: Interface (addr/mask), State/Owner, Uptime/Expires (11.0.0.1, 225.1.1.1) uptime 0 00:00:24 RPF route: 11.0.0.0/8, incoming interface ATM5/1.200 neighbor 21.1.1.1, owner Netmgmt Incoming interface list: ATM5/1.200 (21.2.2.2/8), Accept/Pim (RPF IIF) Outgoing interface list: ATM5/1.300 (31.2.2.2/8), Forward/Pim, 0 00:00:24/never Statistics: Received Forwarded : 19 pkts, 9880 bytes : 19 pkts, 9880 bytes
5-12
Group Address IP address of the multicast group Source Address IP address of the multicast source RPF Route IP address and network mask of the RPF route RPF Iif type and identifier for the incoming interface for the RPF route #Oifs number of outgoing interfaces Counts numbers of types of (S,G) mappings (S,G) number of (S,G) entries (*,G) number of (*,G) entries
Example
host1#show ip mroute summary IP Multicast Routing Table
#Oifs ---0 1
Protocol name of the multicast protocol Type mode of the multicast protocol
For DVMRP dense For PIM sparse, dense, or sparse-dense For IGMP local
Interfaces
registered number of interfaces on which the protocol is configured owned number of interfaces that a protocol owns. If you configure only IGMP on an interface, IGMP owns the interface. However, if you configure IGMP and either PIM or DVMRP on the same interface, PIM or DVMRP owns the interface.
5-13
Protocol name of the multicast protocol Registered Interfaces number of interfaces on which the protocol is
configured.
5-14
Example
host1#show ip multicast protocols brief show ip multicast protocols brief Protocol Registered Interfaces --------- ---------Pim Igmp 2 1 Owned Interfaces ---------2 0 ------------------Sparse Dense Local Type
Count: 2 protocols
When you enable multicast routing on a virtual router, the router now acts as a multicast router information (mrinfo) server. This feature enables the E-series router to respond to mrinfo requests from other network hosts. Specifically, E-series virtual routers respond to DVMR ask neighbors and DVMR ask neighbors2 requests. Each virtual router responds to mrinfo requests with a list of multicast interfaces and their IP addresses. If appropriate, the virtual router also supplies the following information for each interface: Interface is currently not functional (down) Interface is disabled, either because IP is not configured on it or because it has been disabled through the software Interface is the IGMP querier for this subnet Information about PIM neighbors If PIM is configured on the interface, the virtual router supplies a list of the interfaces PIM neighbors and indicates which neighbors are leaf neighbors. Information about DVMRP and GRE tunnels If the interface is an endpoint of a tunnel, the virtual router specifies the IP address of the endpoint of the tunnel.
5-15
IGMP
IP hosts use Internet Group Management Protocol (IGMP) to report their multicast group memberships to neighboring routers. Similarly, multicast routers, such as the E-series router, use IGMP to discover which of their hosts belong to multicast groups. The IPv4 address scheme assigns class D addresses for IP multicasting. IGMP is the protocol that uses these addresses, which can be in the range 224.0.0.0 to 239.255.255.255. The following addresses have specific functions or are unavailable: 224.0.0.0 is reserved, and you cannot assign it to a group. 224.0.0.1 is the all-hosts address a packet sent to this address reaches all hosts on a subnet. 224.0.0.2 is the all-routers address a packet sent to this address reaches all routers on a subnet. This implementation of IGMP complies with IGMP versions 1, 2, and 3. IGMPv3 allows for source-specific join and leave messages and is backward compatible with IGMPv1, IGMPv2, and IGMPv3.
IGMP Operation
IGMPv2 mode interfaces exchange the following types of messages between routers and hosts: Group membership queries Group membership reports Leave group membership messages IGMPv3 mode interfaces exchange the following types of messages with IGMPv3 hosts: Group membership queries IGMPv3 group membership reports
Group Membership Queries
A multicast router can be a querier or a nonquerier. There is only one querier on a network at any time. Multicast routers monitor queries from other multicast routers to determine the status of the querier. If the querier hears a query from a router with a lower IP address, it relinquishes its role to that router.
5-16
IGMPv1 and IGMPv3 mode interfaces send two types of group membership queries to hosts on the network: General queries to the all-hosts group address (224.0.0.1) Specific queries to the appropriate multicast group address IGMPv3 mode interfaces send the following type of queries to IGMPv3 hosts: Group-specific and source-specific queries The purpose of a membership group query is to discover the multicast groups to which a host belongs. IGMPv2 and IGMPv3 group membership queries have a Max Response Time field. This response time is the maximum that a host can take to reply to a query.
Group Membership Reports
When a host receives a group membership query, it identifies the groups associated with the query and determines to which groups it belongs. The host then sets a timer, with a value less than the Max Response Time field in the query, for each group to which it belongs. When the timer expires, the host multicasts a group membership report to the group address. When a multicast router receives a report, it adds the group to the membership list for the network and sets a timer to the group membership interval. If this timer expires before the router receives another group membership report, the router determines that the group has no members left on the network. If the router does not receive any reports for a specific multicast group within the maximum response time, it assumes that the group has no members on the network. The router does not forward subsequent multicasts for that group to the network. IGMPv3 supports an extended report format that allows you to report multiple groups and source lists in a single report.
Leave Group Membership Messages
When a host leaves a group, it sends a leave group membership message to multicast routers on the network. A host generally addresses leave group membership messages to the all-routers group address, 224.0.0.2.
5-17
The router supports static and dynamic IGMP interfaces. Unlike static interfaces, dynamic interfaces are not restored when you reboot the router. For some protocols, dynamic layers can build on static layers in an interface; however, in a dynamic IGMP interface, all the layers are dynamic. See Figure 5-2 for examples of static and dynamic IGMP interfaces.
IGMP
IGMP
IP PVC
ATM 1483
PVC
ATM 1483
ATM AAL5
ATM AAL5
Static IGMP interfaces are configured with software such as the CLI or an SNMP application; dynamic IGMP interfaces are configured with a profile. A profile comprises a set of attributes for an interface; a profile for dynamic IGMP interfaces contains attributes for configuring all the layers in the interface. You define a profile using the same CLI commands that you use to configure a static IGMP interface; however, the mode in which you use the commands differs. Use the commands in Interface Configuration mode to configure a static IGMP interface and in Profile Configuration mode to define a profile. When you have defined a profile, you can apply it to an interface or a group of interfaces. Profiles provide an efficient method of creating and managing large numbers of dynamic interfaces. For detailed information about creating and assigning profiles, see E-Series Link Layer Configuration Guide, Chapter 13, Configuring Dynamic Interfaces. When you create a profile for dynamic IGMP interfaces, specify attributes for configuring all layers in the interface.
g013304
ATM
ATM
5-18
You use the following IGMP commands to configure a static IGMP interface. You also use these commands to define the attributes for the IGMP layer when you create a profile for dynamic IGMP interfaces. ip igmp ip igmp group limit ip igmp immediate-leave ip igmp last-member-query-interval ip igmp promiscuous ip igmp querier ip igmp querier-timeout ip igmp query-interval ip igmp query-max-response-time ip igmp robustness ip igmp static-include ip igmp static-exclude ip igmp static-group ip igmp version The following sections describe the tasks associated with these commands.
Enabling IGMP on an Interface
You must start IGMP on each interface that you want to use the protocol. You can configure IGMP and either PIM or DVMRP on the same interface. If you configure only IGMP on an interface, the router considers that IGMP owns that interface. If you configure IGMP and either PIM or DVMRP on an interface, the router considers that PIM or DVMRP owns the interface. For networks that use only IGMPv1, you can configure an interface to operate in IGMPv1 mode. However, IGMPv2 and IGMPv3 interfaces will support IGMPv1 hosts. In an IGMPv1 network, you must configure one interface to act as a querier. In an IGMPv2 or IGMPv3 network, the querier is the router with the lowest IP address.
5-19
Enable IGMP on the interface (IGMPv2 is the default version). (IGMPv1 or IGMPv3) Specify the IGMP version for the interface. (IGMPv1 only) Specify that the interface will act as the querier for the network.
ip igmp
Use to enable IGMP on an interface and sets the IGMP version to IGMPv2. Use the ip igmp version command to specify a different IGMP version. Example
host1:boston(config-if)#ip igmp
ip igmp querier
Use to specify that this IGMPv1 interface will act as a querier.
Note: This command is valid only for interfaces on which you configured IGMPv1.
Example
host1:boston(config-if)#ip igmp querier
Use the no version to restore the default situation, in which the interface does not act as a querier.
ip igmp version
Use to set the IGMP version (1, 2, or 3) for the interface. Example
host1:boston(config-if)#ip igmp version 1
When you start IGMP on an interface, it operates with the default settings. You can, however, modify: The method that the router uses to remove hosts from multicast groups (IGMPv2 and IGMPv3 interfaces only) The time interval at which the querier multicasts group membership queries The time that a querier waits before sending a new query to hosts from which it receives leave group membership messages The time that a new querier waits before sending query messages after it assumes responsibility from another querier
5-20
The time that a host can take to reply to a query (maximum response time) The number of times that the router sends each IGMP messages from this interface
ip igmp immediate-leave
Use to specify that when the router receives a leave group membership message from a host associated with this interface, the router will immediately remove that host from the multicast group.
Caution: Issue this command only on IGMPv2 and IGMPv3 interfaces to which one IGMP host is connected. If there is more than one IGMP host connected to a LAN through the same interface, and one host sends a leave group message, the router will remove all hosts on the interface from the multicast group. The router will lose contact with the hosts that should remain in the multicast group until they send join requests in response to the routers next general group membership query.
Example
host1:boston(config-if)#ip igmp immediate-leave
Use the no version to restore the default situation, in which the router removes a host from a multicast group if that host does not return a group membership report within a certain length of time of receiving a group membership query from the router.
ip igmp last-member-query-interval
Use to specify the last-member-query-interval value, in tenths of a second. When the router receives an IGMPv2 leave message or an IGMPv3 state change report, it sends out a query and expects a response within the time specified by this value. Using a lower value allows members to leave groups more quickly. Example
host1:boston(config-if)#ip igmp last-member-query-interval 90
ip igmp querier-timeout
Use to set the time in seconds that the interface waits before sending query messages after it becomes the querier. Example
host1:boston(config-if)#ip igmp querier-timeout 200
Use the no version to set the time to the default, twice the query interval.
5-21
ip igmp query-interval
Use to specify how often the interface sends group membership queries. Example
host1:boston(config-if)#ip igmp query-interval 100
Use the no version to set the polling interval to the default, 125 seconds.
ip igmp query-max-response-time
Use to specify the period in tenths of a second during which the host is expected to respond to a group membership query. IGMPv2 and IGMPv3 include this value in IGMP query messages sent out on the interface. You cannot set this value on interfaces running IGMPv1. Using a lower value allows members to join and leave groups more quickly. Example
host1:boston(config-if)#ip igmp query-max-response-time 120
ip igmp robustness
Use to specify the number of times that the router sends each IGMP message from this interface. Use a higher value to ensure high reliability from IGMP. Specify a number in the range 14. Example
host1:boston(config-if)#ip igmp robustness 2
You can assign an interface to send and receive all traffic for a particular multicast group. This feature allows you to control the IGMP traffic and to test the behavior of multicast protocols in the network.
ip igmp static-group
Use to send and receive all traffic for a multicast group from a specific interface. The interface sets no timers for this group. Example
host1:boston(config-if)#ip igmp static-group 225.1.2.3
5-22
You can use a standard IP access list to specify the multicast groups that a host can join.
ip igmp group limit
Use to restrict hosts on this subnet to joining only multicast groups that appear on the specified IP access list. Example
host1:boston(config-if)#ip igmp access-group boston-list
Use the no version to disassociate the interface from an access list and to allow hosts on the interface to join any multicast group.
By default, there is no limit on the number of IGMP groups that an IGMP interface can accept. However, you can manage multicast traffic on the router by restricting the number of IGMP groups accepted by: A specific port on an I/O module A specific IGMP interface If you set limits for both a port and interfaces on that port, the router uses the lower of the two limits when determining how many IGMP groups an interface can accept. For example, if you set a limit of 10 groups for the port and 15 groups for each interface, the router allows only 10 groups to be accepted among the interfaces. However, if you set a limit for a port and that limit is lower than the number of groups currently accepted by the interfaces on that port, the router does not disassociate the groups from the interfaces. The router enforces the new limit on the port when the number of groups associated with the interfaces falls to that limit. For example, if the interfaces on the port have accepted a total of 15 groups, and you set a limit of 10 groups on the port, the router does not disconnect any of the groups and does not allow the interfaces to accept any more groups. Over time, some groups leave the interfaces and, eventually, a maximum of ten groups remains connected.
ip igmp group limit
Use to limit the number of IGMP groups that an interface can accept. Example:
host1:boston(config-if)#ip igmp group limit 5
Use the no version to restore the default situation, in which there is no limit on the number of IGMP groups that an interface can accept.
5-23
slot number of the chassis slot in the range 06 (ERX-7xx models) and
013 (ERX-14xx models)
Use the no version to restore the default situation, in which there is no limit on the number of IGMP groups that a port can accept.
IGMPv3 extends IGMPv2 functionality with the ability to include or exclude specific multicast traffic sources. That is, with IGMPv3, hosts signal (S,G) pairs that they want to include or exclude. For hosts that cannot signal group membership dynamically, you can use the ip igmp static-include or ip igmp static-exclude command to either statically include or exclude multicast traffic (respectively). IGMPv3 is the industry-designated standard protocol for hosts to signal channel subscriptions in Source Specific Multicast (SSM). For additional information about SSM, see PIM SSM later in this chapter.
ip igmp static-exclude
Use to statically exclude the IGMP (S,G) membership for a host that is not capable of dynamically signalling group membership. Example:
host1:boston(config-if)#ip igmp static-exclude 10.1.1.5 225.1.2.3
ip igmp static-include
Use to statically include the IGMP (S,G) membership for a host that is not capable of dynamically signalling group membership. Example:
host1:boston(config-if)#ip igmp static-include 10.1.1.1 225.1.2.3
5-24
By default, IGMP interfaces accept IGMP reports only from associated subnets. You can configure the router to accept IGMP reports from subnets that are not associated with its interfaces. The igmp promiscuous command in Router Configuration mode specifies whether or not interfaces on the router should accept IGMP reports from indirectly connected subnets. To override this global setting on a particular interface, use the ip igmp promiscuous command in Interface Configuration mode.
Example
In the following example, the router is configured to accept IGMP reports from indirectly connected subnets on all interfaces. The interface on port 0 of the line module in slot 4 is then configured to accept IGMP reports only from directly connected subnets.
host1(config)#virtual-router boston host1:boston(config)#router igmp host1:boston(config-router)#igmp promiscuous host1:boston(config-router)#exit host1:boston(config)#interface serial 4/0 host1:boston(config-if)#ip igmp promiscuous off
igmp promiscuous
Use to allow all IGMP interfaces on the router to accept IGMP reports from hosts on any subnet. Example
host1:boston(config-router)#igmp promiscuous
Use the no version to allow IGMP interfaces on the router to accept IGMP reports only from hosts on their associated subnets.
ip igmp promiscuous
Use to specify whether or not the interface should accept IGMP reports from hosts on any subnet.
Use the on keyword to enable the interface to accept IGMP reports from
hosts on any subnet.
Use the off keyword to allow the interface to accept IGMP reports only from
hosts on subnets associated with this interface Example
host1:boston(config-if)#ip igmp promiscuous on
Use the no version mode to configure an IGMP interface to use the Router Configuration mode setting to determine the subnets from which it can accept IGMP reports.
5-25
You can disable and reenable IGMP on the VR. You can also remove IGMP from the VR and recreate it on the VR.
igmp disable
Use to disable IGMP on a VR. Example
host1(config)#virtual-router boston host1:boston(config)#router igmp host1:boston(config-router)#igmp disable
router igmp
Use to create and enable IGMP on a VR or to access IGMP Router Configuration mode. Example
host1(config)#virtual-router boston host1:boston(config)#router igmp
Use the no version to delete IGMP and IGMP proxy from the VR.
Monitoring IGMP
You can establish a reference point for IGMP statistics by setting the statistics counters to zero. To display IGMP parameters, use the show commands described in this section.
baseline ip igmp
Use to set the counters for IGMP statistics to zero. Example
(host1)#baseline ip igmp
There is no no version.
show ip igmp
Use to display IGMP information for a VR. Field descriptions
Administrative state status of IGMP in the software: enabled or disabled Operational state status of IGMP on the VR: enabled or disabled Total interfaces number of interfaces on which you started IGMP Enabled number of interfaces on which IGMP is enabled Disabled number of interfaces on which IGMP is disabled
5-26
Learnt groups number of multicast groups that the VR has discovered IGMP Statistics Rcvd statistics for IGMP messages received
Total number of IGMP messages received Checksum errors number of IGMP messages received with checksum errors Unknown types number of messages received that are not group membership queries, group membership reports, or leave group membership messages Queries number of group member queries Reports number of group membership reports Leaves number of leave group membership messages
Grp Address address of the multicast group Interface interface that discovered the multicast group State IGMP version on the interface ExpTim time, in seconds, at which the router decides there are no more members of this group members of a group. If this value is 0, the interface has received no IGMPv1 reports for the group.
v1HTim time at which the router decides there are no more IGMPv1
Example
host1:boston#show ip igmp groups Grp Address ----------225.1.1.1 232.1.1.1 Count: 2 Groups (Note: 225.1.1.1 is a static group) Interface --------------fastEthernet0/0 fastEthernet0/0 State ---------Version2 Version2 ExpTim -----never 359 v1HTim -----0 0
5-27
Address IP address of the interface Administrative state status of the interface in the software: enabled or
disabled
Operational state physical status of the interface: enabled or disabled Version IGMP version State function of the interface: querier or nonquerier Query Interval time interval at which this interface sends query messages Other querier present interval time that the interface waits before declaring itself as the querier host to respond
Maximum response time time interval during which this interface expects a Last member query interval time that this interface waits before sending a
new query to a host that sends a group leave message
Robustness number of times this interface sends IGMP messages Information about whether interface accepts IGMP reports from hosts on any
subnet Interface defaults to global promiscuous mode interface uses the setting of the igmp promiscuous command to determine whether it accepts IGMP reports from hosts on any subnet
Max-Group limit number of IGMP groups that the interface can accept, as
configured with the ip igmp group limit command
Group Count number of IGMP groups that the interface has accepted Interface statistics Rcvd information about IGMP messages received on
this interface Reports number of group membership reports received Leaves number of group leave messages received Wrong Version Queries number of group membership queries received from devices running a different version of IGMP
5-28
Interface statistics Sent number of IGMP messages this interface has sent Interface statistics Groups learned number of groups this interface has
discovered
Intf Address IP address of the interface Ver IGMP version State function of the interface: querier or nonquerier Querier IP address of the querier on the network to which this interface connects
QTime time interval at which this interface sends query messages QPTime time that the interface waits before declaring itself as the querier
5-29
Example
Ver --2 2 State -----Querier Querier Querier ------------192.168.1.250 21.1.1.1 QTime ----28 26 QPTime --0 0
Count: 2 interfaces
limit maximum number of IGMP groups that the port can accept. A value of
-1 indicates that no limit has been specified.
IGMP Proxy
IGMP proxy enables the router to issue IGMP host messages on behalf of hosts that the router discovered through standard IGMP interfaces. The router acts as a proxy for its hosts. The E-series router supports IGMP proxy versions 2 and 3.
Overview
Figure 5-3 shows a router in an IGMP proxy configuration. You enable IGMP proxy on one interface, which connects to a router closer to the root of the tree. This interface is the upstream interface. The router on the upstream interface should be running IGMP.
5-30
You enable IGMP on the interfaces that connect the router to its hosts that are farther away from the root of the tree. These interfaces are known as downstream interfaces.
PC
PC
PC
Figure 5-3 Upstream and downstream interfaces
As described in IGMP Operation, earlier in this chapter, hosts interact with the router through the exchange of IGMP messages. Similarly, when you configure IGMP proxy, the router interacts with the router on its upstream interface through the exchange of IGMP messages. However, when acting as the proxy, the router performs the host portion of the IGMP task on the upstream interface as follows: When queried, sends group membership reports to the group. When one of its hosts joins a multicast address group to which none of its other hosts belong, sends unsolicited group membership reports to that group. When the last of its hosts in a particular multicast group leaves the group, sends an unsolicited leave group membership report to the all-routers group (244.0.0.2).
Configuring IGMP Proxy
To configure a downstream interface, enable IGMP on that interface. To configure IGMP proxy on the router, complete the following tasks:
1 2
Enable IP multicasting. Identify the interface that you want to act as the upstream interface.
g013116
5-31
3 4 5
Enable IGMP proxy on that interface. (Optional) Specify how often the router should send unsolicited reports to routers on the upstream interface. (Optional) Specify how long the router should assume that there is an IGMPv1 querier router on the subnet after the router receives an IGMP v1 query on this interface.
ip igmp-proxy
Use to enable IGMP proxy on an interface. You can specify either IGMP proxy version 2 or 3. The default is version 2.
Note: You can enable only one upstream interface.
The interface for which you enable IGMP proxy is the upstream interface. Example
host1(config)#ip multicast-routing host1(config-if)#ip igmp-proxy
ip igmp-proxy unsolicited-report-interval
Use to specify how often the upstream interface should transmit unsolicited reports.
Note: Issue this command only on the upstream interface. Otherwise, this command will have no effect.
Example
host1(config-if)#ip igmp-proxy unsolicited-report-interval 600
Use the no version to transmit unsolicited reports using the default value, 400 seconds.
ip igmp-proxy V1-router-present-time
Use to specify how long the router assumes that there is an IGMPv1 querier router on the subnet after the router receives an IGMP V1 query on this interface.
Note: Issue this command only on the upstream interface. Otherwise, this command will have no effect.
Example
host1(config-if)#ip igmp-proxy V1-router-present-time 600
Use the no version to set the time to the default value, 10 seconds.
5-32
You can set the counters for the numbers of queries received and reports sent on the upstream interface to zero. This feature allows you to establish a reference point for IGMP proxy statistics.
baseline ip igmp-proxy interface
Use to set the counters for the numbers of queries received and reports sent on the upstream interface to zero.
Note: Issue this command only on the upstream interface. Otherwise, this command will have no effect.
Example
(host1)#baseline ip igmp-proxy interface
There is no no version.
Routing Process IGMP proxy protocol Administrative state state of IGMP proxy in the software Operational state operational state of IGMP proxy: enabled or disabled Total interfaces number of IGMP proxy interfaces on the VR; currently only one upstream interface per VR
State operational state of the IGMP proxy interfaces: up or down Multicast group number of multicast groups associated with IGMP proxy
interfaces Example
host1#show ip igmp-proxy Routing Process IGMP Proxy, Administrative state enabled, Operational state enabled total 1 upstream interface, state enabled 6 multicast group
Grp Address address of the multicast group Interface type and identifier of the upstream interface associated with the
multicast group
5-33
Member State
Idle interface is going to send a group membership report to respond to a group membership query for this group Delay interface has responded to the latest group membership query for this group
Example 2
host1#show ip igmp-proxy group 225.1.1.1 Grp Address 225.1.1.1 Interface atm3/0.2 Member State Idle --------------- --------------- --------------
Example 3
host1#show ip igmp-proxy group count Count: 6 groups
Interface type of upstream interface. For details about interface types, see
E-Series Command Reference Guide, About This Guide.
Address address of upstream interface Administrative state state of upstream interface in the software: enabled or
disabled
Operational state physical state of upstream interface: enabled or disabled Version IGMP version on this interface
5-34
Version 1 router present timeout how long the upstream interface assumes
there is an IGMPv1 router on the subnet after that interface receives an IGMPv1 group membership query
Interface statistics Sent statistics for messages sent from this interface
v1 reports number of IGMPv1 leave group reports sent v2 reports number of IGMPv2 leave group reports sent leaves number of leave group membership messages sent Example
host1#show ip igmp-proxy interface atm 3/0.2 Interface atm3/0.2 address 21.1.1.1/255.0.0.0 Administrative state enabled, Operational state enabled Interface parameters: Version 2 State No v1 Router Present Unsolicited report interval 10 secs Version 1 router present timeout 400 secs 0 multicast group Interface statistics: Rcvd: Sent: 0 v1 query, 6 v2 queries 0 v1 report, 0 v2 report 0 v1 report, 48 v2 reports, 0 leave
PIM
Protocol Independent Multicast (PIM) is the protocol that allows multicast routers to identify other multicast routers that should receive packets. This implementation of PIM supports PIM dense mode (PIM DM), PIM sparse mode (PIM SM), PIM sparse-dense mode (PIM S-DM), and PIM Source-Specific Multicast (PIM SSM). Figure 5-4 represents how PIM builds an (S,G) entry in an SRT. When multiple routers are connected to a multiaccess network, one router must assume the role of the designated router (DR). The DR receives data from
5-35
the source on interface 1/0 and multicasts the data to its downstream neighbors on interfaces 1/1, 2/0, and 2/1. In the DR routing table, the entry for this operation lists the source as the IP address of the source and the group as the IP address of the multicast group. Neighbors exchange hello messages periodically to determine the DR. The router with the highest network layer address assumes the role of the DR. If the DR subsequently receives a hello message from a neighbor with a higher network layer address, that neighbor becomes the DR.
PC Source 128.5.4.33 1/0 DR 1/1 2/0 PC PC PC PC PIM PIM PIM PC PC 2/1 PC PC DR Routing Table Entry Source Group Register RP Input Interface Output Interface 128.5.4.33 225.1.3.5 1/0 1/1, 2/0, 2/1 1/0 1/1, 2/0, 2/1
PIM DM
PIM DM uses a reverse path multicast, flood and prune mechanism. The protocol was developed for situations that meet one or more of the following criteria: Sources and receivers are close together, and there are many more receivers than senders. There is a constant stream of multicast data. There is a lot of multicast data. Dense-mode routing protocols use SRT algorithms. An SRT algorithm establishes a tree that connects each source in a multicast group to the members of the group. All traffic for the multicast group passes along this tree.
5-36
Figure 5-5 illustrates how PIM DM works. When a source sends a multicast packet to a first-hop router, the first-hop router multicasts that packet to its neighbors. Those neighbors in turn forward the packet to their neighbors and their hosts that belong to the multicast group. If a neighbor has no hosts that belong to the multicast group and has no other PIM neighbors, it returns a prune message to the first-hop router. The first-hop router does not multicast subsequent packets for that group to neighbors who respond with prune messages.
Prune
Overriding Prunes
If a host on a previously pruned branch wants to join a multicast group, it sends an IGMP message to its first-hop router. The first-hop router then sends a graft message upstream. PIM routers send join messages on multiaccess interfaces to override prune messages. For example, if a PIM router sent a prune message to indicate that it had no hosts for a multicast group, and one of its hosts subsequently wants to send a packet to that group, the router sends a join message to the first-hop router.
g013115
Prune
5-37
Preventing Duplication
If there are parallel paths to a source, duplicate packets can travel through different routers downstream to the network. If a forwarding router receives a multicast packet on its outgoing interface, the router knows that the packet is a duplicate and notifies the upstream routers. See Figure 5-6.
The upstream routers responsible for the duplication send assert messages to determine which router should be the forwarder. Downstream routers listen to the assert messages to discover which router becomes the forwarder.
PIM SM
This implementation of PIM SM supports the following features: Rendezvous point (RP) routers DRs and DR election Join/prune messages, hello messages, assert messages, register messages Switching from a shared tree to an SPT (*,*,RP) support for interoperation with dense-mode protocols RPF checks of multicast entries when unicast routing configuration changes
g013117
5-38
Timers for tree maintenance Border, null, RPT, SPT, and wildcard flags Remote neighbors PIM SM was developed for situations that meet one or more of the following criteria: The multicast group contains few receivers. Multicast traffic is infrequent. WANs separate sources and receivers. Sparse-mode routing protocols use shared trees. In a shared tree, sources forward multicast datagrams to a directly connected router, the DR. The DR encapsulates the datagram and unicasts it to an assigned RP router, which then forwards the datagram to members of multicast groups.
Source
DR
DR unicasts datagram to RP
RP
In PIM SM, an RP announces a source and establishes paths from the source to members of a multicast group before multicasting any datagrams. RPs transmit join messages to become part of the shared tree that allows distribution of packets to the multicast group. However, when a source starts multicasting datagrams, PIM SM can switch to an SRTknown in PIM SM as an SPTto improve the networks efficiency. Although shared trees minimize the traffic in the
5-39
network and the costs associated with unnecessary transmission of data, the routes in a shared tree may be longer than those in an SPT. See Figure 5-8. The DRs on the network determine when the source switches from a shared tree to an SPT. A DR switches to the SPT when it receives a certain number of packets, which you can configure using the ip pim-spt threshold command. This command has a default value of zero, which causes a DR to switch to an SPT immediately after it receives it first multicast data packet. When all DRs associated with a specific RP router have switched to the SPT, the RP router sends a join/prune message toward the multicast source. When the multicast source receives this message, it starts sending multicast data through the SPT.
Source
DR
Target
Joining Groups
A hosts DR sends join messages to the RP when that host wants to join a group. When a host wants to leave a group, it communicates with its DR through IGMP. When the DR no longer has any hosts that belong to a particular group, it sends a prune message to the RP.
Remote Neighbors
You can create remote neighbors in PIM SM. This feature enables an E-series router to establish neighbor adjacencies with other E-series
g013119
5-40
routers through a pair of unidirectional interfaces, such as the endpoints of an MPLS tunnel. Multicasting over BGP/MPLS VPNs is achieved via PIM SM remote neighbors. Figure 5-9 shows an example in which two E-series routers, called boston and chicago, are remote neighbors connected by two unidirectional MPLS tunnels.
Source
DR unicasts datagram to RP
172.16.78.3
Unidirectional tunnels
g013120
10.2.23.45 Chicago Router Chicago receives datagram from tunnel and forwards it to RP RP
On each E-series router, you must specify the location of the interface that PIM uses as the source address for the connection to the remote neighbor. You must also specify that the other router is a remote neighbor, and identify the IP address of the other router that PIM uses as the source address for the connection from the remote neighbor. Bear the following issues in mind when configuring remote neighbors: A route to the source RP must exist in the unicast view of the routing table to ensure that the PIM router can detect the remote neighbor. For information about configuring routes in the unicast routing tables, see the chapters on unicast routing protocols in this book and E-Series Routing Protocols Configuration Guide, Vol. 2, Chapter 1, Configuring BGP Routing.
5-41
A route to the source must be present in the multicast view of the IP routing table to ensure that the PIM router can perform an RPF check for that source in a VPN. To add a route to the multicast IP routing table across a VPN, you can:
> Configure a multicast static route by issuing the ip rpf-route
table by issuing the ip route-type both command. (see E-Series Routing Protocols Configuration Guide, Vol. 2, Chapter 1, Configuring BGP Routing)
> Configure OSPF or RIP to learn the route through the protocols
remote neighbor features (see Chapter 8, Configuring RIP and Chapter 9, Configuring OSPF). If a route is more specific than the route used to reach the remote neighbor originally, OSPF and RIP do not insert that route in the unicast and multicast views of the IP routing table. This feature prevents OSPF and RIP from masking the original route. If you require PIM to use such a route to reach a remote neighbor, add that route to the multicast view of the IP routing table using one of the methods described in the preceding paragraphs.
Timers
PIM SM uses timers to maintain the networking trees. PIM SM routers poll their neighbors and hosts for various pieces of information at set intervals. If a PIM SM router does not receive information from a neighbor or host within a specific time, known as the hold time, it removes the associated information from its routing tables. You can configure how often an interface sends hello messages (hello interval) and how often routers send RP announce messages (RP announce interval). The hold-time associated with hello messages is 3.5 times the hello interval and the holdtime associated with RP announce messages is 2.5 times the RP announce interval. All other timers are fixed and take the default values recommended in: RFC 2934 Protocol Independent Multicast MIB for IPv4 (October 2000)
5-42
PIM S-DM
In PIM S-DM, if an RP is not known for a group, the router sends data using PIM DM. However, if the router discovers an RP or you configure an RP statically, PIM SM takes over. You can configure both PIM DM and PIM SM commands in PIM S-DM.
PIM SSM
PIM SSM is an extension of the PIM protocol. Using SSM, a client can receive multicast traffic directly from the source. PIM SSM uses PIM SM functionality to create an SPT between the client and the source, but builds the SPT without using an RP. By default, the SSM group multicast address is limited to the IP address range 232.0.0.0 to 232.255.255.255. However, you can extend SSM operations into another class D range by including the address statement at the [edit routing-options multicast ssm-groups] hierarchy level. Advantages that an SSM-configured network has over a traditionally configured PIM SM network include the following: No need for shared trees or RP mapping (no RP is required) No need for RP-to-RP source discovery through Multicast Source Discovery Protocol (MSDP) Simplified administrative deployment; you need only configure PIM SM on all router interfaces and issue the necessary SSM commands (including specifying IGMPv3 on the receiver LAN) Support for source lists; you can use source lists, supported in IGMPv3, where only specified sources send traffic to the SSM group. In a PIM SSM-configured network, the E-series router subscribes to an SSM channel (by means of IGMP version 3), announcing a desire to join group G and source S. The directly connected PIM SM router, the designated router (DR) of the receiver, sends an (S,G) join message to its RPF neighbor for the source. For PIM SSM, the RP is not contacted in this process by the receiver (as happens in normal PIM SM operations).
Enabling and Disabling PIM on a VR
5-43
router pim
Use to create and enable PIM processing on a VR or to access Router Configuration mode. Example
host1:boston(config)#router pim
You can enable PIM on an interface in one of the allowed modes and specify how often the interface should send hello messages to neighbors. You can configure PIM and IGMP on the same interface. If you configure IGMP and PIM on an interface, the router considers that PIM owns the interface.
Note: You cannot configure DVMRP and PIM on the same interface.
ip pim
Use to enable PIM on an interface. Example
host1(config-if)#ip pim sparse-dense-mode
ip pim query-interval
Use to specify how often the router should send hello messages to neighbors. Example
host1(config-if)#ip pim query-interval
5-44
When you use the router for PIM SM or PIM S-DM, some VRs must act as RP routers. You can configure static RP routers or configure the router to assign RP routers automatically. To configure the router to assign RP routers automatically, you must define several VRs as RP routers and one VR as an RP mapping agent. RP routers send their announcement messages to the RP mapping agent, which assigns groups to RP routers and resolves any conflicts. The RP mapping agent notifies neighbors of the RP assigned to each group.
Configuring a Static RP Router
If you want to control PIM more tightly, you can configure a static RP router. To do so:
1
Configure an access list that details the multicast groups that will use the static RP router.
host1(config)#access-list boston permit 224.0.0.0 15.255.255.255
Two multicast groups, 224.0.1.39 and 224.0.1.40, are reserved for forwarding auto-RP messages through the network. When you configure an auto-RP router for PIM SM, you must assign a static RP router to these two groups. You can then specify an RP mapping agent for other multicast groups. To configure an auto-RP router for PIM SM:
1
Configure a static RP to have priority over the auto-RP for the groups that send auto-RP multicast messages.
host1(config)#access-list 11 permit 224.0.1.39 0.0.0.0 host1(config)#access-list 11 permit 224.0.1.40 0.0.0.0 host1(config)#ip pim rp-address 192.48.1.22 76 override
5-45
In PIM S-DM mode, you must prevent routers from advertising auto-RP messages to the multicast groups 224.0.1.39 and 224.0.1.40, which are reserved for forwarding auto-RP messages through the network. To configure an auto-RP router for PIM S-DM:
1
Configure an access list that details the multicast groups that will use the static RP router.
host1(config)access-list boston permit 224.0.0.0 15.255.255.255
Prevent routers from advertising auto-RP messages to the multicast groups that are reserved for forwarding auto-RP messages through the network.
host1(config)#access-list 1 host1(config)#access-list 1 deny 224.0.1.39 deny 224.0.1.40
ip pim rp-address
Use to specify a static PIM RP router. Specify a standard IP access list of multicast groups to control which multicast groups should use this RP router. Specify the override keyword if you want this static RP router to have priority over auto-RP routers. Example
host1(config)#ip pim rp-address 192.48.1.22 76 override
ip pim send-rp-announce
Use to send auto-RP announcement messages from a router you configured as an RP. Specify an interface type and specifier, such as atm 3/0. For details about interface types and specifiers, see E-Series Command Reference Guide, About This Guide. The auto-RP announcement messages will contain the IP address for the interface you specify. Specify the number of hops for which the announcement is valid. The default value is 64.
5-46
Specify an access list that details which multicast groups the RP should include in announcement messages. Specify a time interval in the range 165536 seconds to control how often the router sends announcements. The default is 60 seconds. Example
host1(config)#ip pim send-rp-announce loopback 2 scope 23 group-list boston interval 200
Use the no version to clear the specified filters from this interface.
Use the no version to stop the router from acting as an RP mapping agent.
PIM SM initiates multicasting using a shared tree. You can configure PIM SM to switch to an SPT when a source starts sending multicast messages, or you can prevent PIM SM from switching to an SPT. Multicasting over an SPT may be more efficient than multicasting over a shared tree (see PIM SM, earlier in this chapter).
ip pim spt-threshold
Use to specify when PIM SM switches from a shared tree to an SPT. Specify a nonzero integer or the keyword infinity to prevent PIM SM from switching to an SPT. Specify a value of 0 to configure PIM to switch to an SPT when a source starts sending multicast messages. Example
host1(config)#ip pim spt-threshold 4
5-47
You must use PIM SM remote neighbors to run multicast services over BGP/MPLS VPNs.
Note: If you want to run IP multicasting over MPLS tunnels in a VRF, you must issue the ip mpls vpn-interface per-label command. IP multicasting over MPLS tunnels in a VRF is not supported in the default mode, in which MPLS allocates VPN interfaces per next hop. See E-Series Routing Protocols Configuration Guide, Vol. 2, Chapter 3, Configuring BGP/MPLS VPNs.
On one router, specify that the other router will be a remote neighbor, and identify the IP address of the interface on the other router that is used for the connection to this router.
host1(config-router):boston#remote-neighbor 10.2.23.45 sparse-mode
Specify the location of the local interface whose address is used as the source address for the PIM connection to a remote neighbor.
host1(config-router-rn):boston#update-source atm 2/1.108
(Optional) Specify how often the router should send hello messages to the remote neighbor.
host1(config-router-rn):boston#query-interval 40
4 query-interval
Use to specify how often the router should send hello messages to remote neighbors. Example
host1(config-router-rn)#ip pim query-interval 40
remote-neighbor
Use to specify a remote neighbor for PIM sparse mode. Specify the IP address of the interface on the remote neighbor that PIM uses as the source address for the connection to this router. Example
host1(config-router)#remote-neighbor 10.25.100.14 sparse-mode
Use the no version to remove the remote neighbor and any attributes configured for the remote neighbor.
5-48
update-source
Use to specify the PIM interface whose local address is used as the source address for the PIM connection to a remote neighbor. You can use the same source address to form neighbor adjacencies with more than one PIM remote neighbor. You must use the IP address of this interface when issuing the remote-neighbor command on the remote neighbor. Example
host1(config-router-rn)#update-source loopback 5
Use the no version to delete the source address from the connection to the remote neighbor.
Configuration Example
This example uses the configuration shown in Figure 5-9. Two E-series routers called router boston and router chicago are running PIM and are connected by MPLS tunnels. To configure the routers as PIM remote neighbors:
1
Specify that router chicago will be a remote neighbor of router boston, and identify the IP address on router chicago that will transmit datagrams to router boston.
boston(config-router)#remote-neighbor 10.2.23.45 sparse-mode
Specify the location of the interface that will transmit datagrams from router boston to router chicago.
boston(config-router-rn)#update-source atm 2/1.108
Specify that router boston will send hello messages to router chicago every 40 seconds.
boston(config-if)#ip pim query-interval 40
Specify that router boston will be a remote neighbor of router chicago, and identify the IP address on router boston that will transmit datagrams to router chicago.
chicago(config-router)#remote-neighbor 172.16.78.3 sparse-mode
Specify the location of the interface that will transmit datagrams from router chicago to router boston.
chicago(config-router-rn)#update-source atm 2/1.95
Specify that router chicago will send hello messages to router boston every 40 seconds.
chicago(config-if)#ip pim query-interval 40
5-49
To configure PIM SSM, you enable PIM SSM on the router and define the SSM range of IP multicast addresses. To use PIM SSM, IGMPv3 must be configured on CPE-facing interfaces to receivers, and PIM SM must be configured on CPE-facing interfaces to sources and on core-facing interfaces. After configuring SSM, you can use the show ip pim sparse-mode sg-state command to display SSM group membership information. To configure PIM SSM:
1
Enable PIM SSM on the E-series router, and specify the access list that defines the SSM address range.
host1(config)#ip pim ssm range 15
2 3 ip pim ssm
Enable PIM SM on the CPE-facing interface. Enable IGMPv3 on the core-facing interface.
Use to enable PIM SSM and define the SSM range of IP multicast addresses. Example
host1(config)#access-list 15 permit 212.100.13.85 host1(config)#ip pim ssm range 15
Removing PIM
5-50
You can use the clear ip pim commands to reset PIM counters and mappings.
clear ip pim auto-rp
Use to clear the group-to-RP router mappings the router learned through auto-RP. Specify the IP address of an RP to clear the group-to-RP mappings for a particular RP. If you do not specify an IP address, the router clears the group-to-RP mappings on all RP routers learned through auto-RP. Example
host1(config)#clear ip pim auto-rp 192.34.56.7
There is no no version.
There is no no version.
There is no no version.
5-51
Monitoring PIM
You can use the debug PIM commands to view information about PIM events.
debug ip pim
Use to show information on the selected event. To control the type of events displayed, specify a severity level. To control how much information to display, specify a verbosity level. Example
host1#debug ip pim events severity 1 verbosity low
undebug ip pim
Use to turn off the display of information previously enabled with the debug ip pim command.
host1#undebug ip pim events
There is no no version.
You can use the show ip pim commands to display information about PIM settings.
show ip pim auto-rp
Use to display information about RP routers and the RP mapping agent in a PIM SM environment. Field descriptions
Configured with ttl number of hops for which the RP discovery message is
valid
Using interface addr IP address of the interface from which the router
sends RP discovery messages
Interval time interval at which the router sends RP discovery messages PIM auto-RP candidate RP mapping(s) routers that the RP mapping agent
is evaluating to determine an RP router for this interface
5-52
Example 1
host1:1#show ip pim auto-rp This PIM router is an Auto RP mapping agent. Configured with ttl 64 [ Using interface addr 121.0.0.1, interval 60 ]. PIM AutoRP candidate RP mapping(s)
Example 2
host1:1#show ip pim auto-rp This PIM router is _not_ an Auto RP mapping agent. PIM AutoRP candidate RP mapping(s) Candidate RP 122.0.0.1 Group(s) 224.0.0.0/4, AutoRP, ttl 64, interval 60, from access List 1 Candidate RP 122.0.0.1 Group(s) 224.0.1.39/32 (negative), AutoRP, ttl 64, interval 60, from access List 1 Candidate RP 122.0.0.1 Group(s) 224.0.1.40/32 (negative), AutoRP, ttl 64, interval 60, from access List 1
(Source, Group) pair IP addresses of multicast source and group EntryExpires time until the (S,G) pair entry expires RPF Route reverse-path forwarding route IIF IP address of incoming interface UpNbr IP address of upstream neighbor Pruned Oifs outgoing interfaces that have been pruned Address IP address of outgoing interface IfId index of the interface Pruned due to reason for prune: assert or explicit prune Pruned time remaining time in seconds until the prune expires
Example
host1:8#show ip pim dense-mode sg-state PIM DM route table and pruned oif information <122.0.0.1, 224.0.1.39> Pruned Oifs: Address: 108.0.8.5 Pruned due to assert Pruned time remaining 129 <130.0.0.2, 224.0.1.39> Pruned Oifs: Address: 108.0.8.5 IfId: 95 EntryExpires: 100 IIF: 107.0.8.4 UpNbr: 107.0.4.8 RPF Route: 130.0.0.0/255.0.0.0 IfId: 95 EntryExpires: 99 IIF: 107.0.8.4 UpNbr: 107.0.4.8 RPF Route: 122.0.0.0/255.0.0.0
5-53
Pruned due to assert Pruned time remaining 130 <121.0.0.1, 224.0.1.40> Pruned Oifs: Address: 108.0.8.5 Pruned due to assert Pruned time remaining 133 IfId: 95 EntryExpires: 102 IIF: 107.0.8.4 UpNbr: 107.0.4.8 RPF Route: 121.0.0.0/255.0.0.0
Interface Addr IP address of the interface Interface Name type and identifier of the interface. For details about
interface types and specifiers, see E-Series Command Reference Guide, About This Guide.
Ver version of PIM running on this interface Mode PIM mode running on this interface: sparse, dense, or sparse-dense Nbr Count number of neighbors connected to this interface Hello Intvl time interval at which the interface sends hello messages to neighbors DR Address address of the DR SM number of PIM SM interfaces DM number of PIM DM interfaces SM/DM number of PIM S-DM interfaces enabled number of interfaces administratively enabled disabled number of interfaces administratively disabled
ControlPkt Count In | Out PIM messages received on and sent from this
interface Hello number of hello messages JoinPrune number of join and prune messages Assert number of assert messages
5-54
Examples
host1#show ip pim interface Interface Name atm2/1.108 atm2/1.109 atm2/0.110 loopback8 Ver Mode 2 2 2 2 Nbr Hello 30 30 30 30 DR Addr 108.0.8.5 107.0.8.4 111.0.9.8 110.0.8.12
host1#show ip pim interface summary PIM Interface Summary SM: DM: 0, 0 enabled, 0 disabled 0, 0 enabled, 0 disabled
SM/DM: 1, 0 enabled, 1 disabled host1#show ip pim interface count PIM Interface Count Interface Addr 192.32.10.20 Interface Name ATM3/0.20 ControlPktCount In|Out Hello 0 0 JoinPrune 0 0 Assert 0 0
Neighbor Addr IP address of the neighbor Interface Name type and specifier of the interface to which the neighbor
connects. For details about interface types and specifiers, see E-Series Command Reference Guide, About This Guide.
Uptime time since the router discovered this neighbor Expires time available for the neighbor to send a hello message to the
interface. If the neighbor does not send a hello message during this time, it will no longer be a neighbor.
Ver version of PIM that the neighbor is running Mode PIM mode that the neighbor is using: dense, sparse, or
sparse-dense
5-55
Example
host1#show ip pim neighbor Interface Name atm2/1.109 atm2/1.108 atm2/0.110 Uptime 1d15:47:35 1d15:47:34 1d15:48:02 Expires Ver Mode SparseDense SparseDense SparseDense
Remote Nbr Addr IP address of remote neighbor OurEnd Addr IP address of local interface, such as the local endpoint of a
tunnel, that transmits data to remote neighbor
Ver version of PIM running on the local interface Mode PIM mode running on the local interface; always PIM sparse mode Nbr Count number of remote neighbors detected: 0 or 1 Hello Intvl time interval at which the interface sends hello messages to neighbors
DR Addr address of DR In interface type and identifier of the interface on which PIM router receives
packets from remote neighbor. For details about interface types and specifiers, see E-Series Command Reference Guide, About This Guide.
Out interface type and identifier of the interface on which PIM router sends
packets to remote neighbor. For details about interface types and specifiers, see E-Series Command Reference Guide, About This Guide.
host1:boston#show ip pim remote-neighbor PIM RemoteNbr Table RemoteNbr Addr 10.2.23.45 OurEnd Addr 172.16.78.3 Ver Mode 2 Sparse Nbr 1 Hello 30 DR Addr 192.168.3.41 Count Intvl In interface : atm2/1.109 Out interface: atm2/1.108
show ip pim rp
Use to display information about PIM group-to-RP mappings. Specify the address of a group to view PIM group-to-RP mappings for a particular group. To display all RP-to-group mappings that the router has recorded, specify the mapping keyword. Field descriptions
Group prefix of the multicast group RP IP address of RP router for the multicast group priority this field is not functional
5-56
via Auto RP/static RP method by which the RP router was assigned expiryTime time in seconds at which the RP mapping becomes invalid,
unless the mapping agent reassigns the RP router to this group Example
host1:8#show ip pim rp mapping PIM Group-to-RP mapping(s) Group(s) 224.0.0.0/4 RP 122.0.0.1, RP 122.0.0.1, RP 122.0.0.1, priority 0, priority 0, priority 0, via via via AutoRP, expiryTime 88 AutoRP (Negative), expiryTime 88 AutoRP (Negative), expiryTime 88 Group(s) 224.0.1.39/32 (negative) Group(s) 224.0.1.40/32 (negative)
Group multicast group RP RP router for the multicast group priority this field is not functional via Auto RP/static RP method by which the RP router was assigned expiryTime time in seconds at which the RP mapping becomes invalid, unless it is renewed by the mapping agent
host1:2#show ip pim rp-hash 232.1.1.1 Group(s) 224.0.0.0/4 RP 122.0.0.1, priority 0, via AutoRP, expiryTime 128
Example
Register Oif to RP IP address of RP router for the outgoing interface; Address IP address of outgoing interface
5-57
Interface type and specifier of the interface. For details about interface
types and specifiers, see E-Series Command Reference Guide, About This Guide.
Join expires number of seconds before the (S,G) membership expires Count of entries total count of (S,G) pair mappings
Example
host1:2#show ip pim sparse-mode sg-state PIM SM route table and oif information <*, 224.0.1.40> Group-to-RP mapping: 224.0.0.0/240.0.0.0 RPF Route: 123.0.0.0/255.0.0.0 106.0.3.7 Oifs: Auto RP Discovery SELF oif. Joined as <*, G> <*, 225.1.2.3> Group-to-RP mapping: 224.0.0.0/240.0.0.0 RPF Route: 123.0.0.0/255.0.0.0 106.0.3.7 Oifs: Address: 78.7.7.7 <*, 235.1.1.1> Group-to-RP mapping: 224.0.0.0/240.0.0.0 RPF Route: 123.0.0.0/255.0.0.0 106.0.3.7 Oifs: Address: 78.7.7.7 Interface: loopback7 Local group membership present. <118.1.33.34, 232.0.0.1> SSM Group RPF Route: 118.1.0.0/255.255.0.0 (Directly attached) Oifs: Register Oif to RP: 141.0.0.2 suppressed for SSM Group. Address: 134.0.0.1 Joined as <S, G> Interface: ATM3/0.104 Join Expires: 161 IIF: 118.1.0.1 RP: 123.0.0.1 UpNbr: IIF: 106.0.7.3 Interface: loopback7 Local group membership present. RP: 123.0.0.1 UpNbr: IIF: 106.0.7.3 RP: 123.0.0.1 UpNbr: IIF: 106.0.7.3
5-58
IIF: 118.1.0.1
Register Oif to RP: 141.0.0.2 suppressed for SSM Group. Address: 134.0.0.1 Joined as <S, G> <10.0.1.8, 235.1.1.1> Interface: ATM3/0.104 Join Expires: 161 EntryExpires: 143 RP: 123.0.0.1 UpNbr: IIF: 106.0.7.3
Group-to-RP mapping: 224.0.0.0/240.0.0.0 RPF Route: 10.0.0.0/255.0.0.0 106.0.3.7 Oifs: Address: 78.7.7.7 Joined as <*, G> Count of entries - <S, G> <*, G> : 2 : 1 Interface: loopback7
<*, *, RP>: 0
Route IP address and network mask for the unicast route RpfNbr RPF neighbor Iif incoming interface for the unicast route Pref preference for the unicast route Metric value of metric for the unicast route (type of metric varies with the unicast protocol)
Access List Name name of the IP access list that specifies the groups to
which the threshold applies
5-59
host1:2#show ip pim spt-threshold Access List Name 1 SptThreshold(in kbps) infinity -------------------------------------------------------
DVMRP
Note: PIM has gained general acceptance among a large number of multicast-enabled networks. We recommend that you use PIM rather than DVMRP for applications that are not otherwise required to run DVMRP.
The router supports Distance Vector Multicast Routing Protocol (DVMRP) on VRs to forward multicast datagrams through a network. DVMRP is an interior gateway protocol that supports operations within an autonomous system, but not between autonomous systems. The multicast backbone of the Internet, MBone, uses DVMRP to forward multicast datagrams. DVMRP is a dense-mode multicasting protocol and therefore uses a broadcast and prune mechanism. The protocol builds an SRT in a similar way to PIM DM (see Figure 5-3). DVMRP routers flood datagrams to all interfaces except the one that provides the shortest unicast route to the source. DVMRP uses pruning to prevent unnecessary sending of multicast messages through the SRT. A DVMRP router sends prune messages to its neighbors if it discovers that: The network to which a host is attached has no active members of the multicast group. All neighbors, except the next-hop neighbor connected to the source, have pruned the source and the group. When a neighbor receives a prune message from a DVMRP router, it removes that neighbor from its (S,G) pair table, which provides information to the multicast forwarding table. If a host on a previously pruned branch wants to join a multicast group, it sends an IGMP message to its first-hop router. The first-hop router then sends a graft message upstream.
Identifying Neighbors
In this implementation of DVMRP, a neighbor is a directly connected DVMRP router. When you enable DVMRP on an interface, the associated VR adds information about local networks to its DVMRP
5-60
routing table. The VR then sends probe messages periodically to learn about neighbors on each of its interfaces. To ensure compatibility with other DVMRP routers that do not send probe messages, the VR also updates its DVMRP routing table when it receives route report messages from such routers.
Advertising Routes
As its name suggests, DVMRP uses a distance vector routing algorithm. Such algorithms require that each router periodically inform its neighbors of its routing table. DVMRP routers advertise routes by sending DVMRP report messages. For each network path, the receiving router picks the neighbor advertising the lowest cost and adds that entry to its routing table for future advertisement. The cost or metric for this routing protocol is the hop count back to the source. The hop count for a network device is the number of routers on the route between the source and that network device. Table 5-2 shows an example of the routing table for a DVMRP router.
Table 5-2 Sample routing table for a DVMRP router Time Before Entry Is Deleted from From Router Metric Routing Table 143.32.44.12 4 143.2.55.23 143.78.6.43 2 3 85 80 120
Input Output Port Port 3/0 3/1 3/1 4/0, 4/1 4/0, 4/1 4/0, 4/1
The DVMRP router maintains a (S,G) pair table that provides information to the multicast forwarding table. The (S,G) pair table is based on: Information from the DVMRP routing table Information learned from prune messages If IGMP and DVMRP are on the same interface, group information learned from IGMP The (S,G) pair table includes a route from each subnetwork that contains a source to each multicast group of which that source is a member. These routes can be static or learned routes. Table 5-3 shows an example of the (S,G) pair table for DVMRP.
5-61
Table 5-3 Example of DVMRP (S,G) pair table Time Before Entry Is Deleted from Routing Table 85 75 60 90 80
Output Port 4/0, 4/1 4/0, 4/1 4/1 4/0 4/0, 4/1
143.3.0.0
230.1.2.3
3/1
a No value for the input port indicates that the interface is associated with a protocol other than DVMRP.
Enabling DVMRP on a VR
Note: If you do not specify a VR, you can configure DVMRP on the default router.
You must now enable and configure DVMRP on one or more interfaces. See Activating DVMRP on an Interface. You can also set DVMRP limits for the VR. See Configuring DVMRP Limits.
Example
host1(config)#ip multicast-routing host1(config)#virtual-router boston
By default, DVMRP is not activated on an interface. Configuring any DVMRP parameter on an interface automatically activates DVMRP on that interface. You can also activate DVMRP on an interface and use the default parameters.
ip dvmrp
Use to activate DVMRP on an interface. This command automatically creates and enables DVMRP processing on the current VR. Issuing this command identifies this interface as one that DVMRP owns.
5-62
Example
host1:boston(config-if)#ip dvmrp
You can configure DVMRP and IGMP on the same interface. If you configure IGMP and DVMRP on an interface, the router considers that DVMRP owns the interface.
Note: You cannot configure DVMRP and PIM on the same interface.
When you have enabled DVMRP processing on a VR, you can configure the following settings for that VR: The number of routes that the VR advertises on each interface. A maximum number of DVMRP routes at which the router generates a system log warning message and an SNMP trap.
ip dvmrp route-hog-notification
Use to set the number of DVRMP routes that the router can record before it generates a system log warning message. The warning allows you to identify routers that are injecting large numbers of routes into the MBone. Example
host1:boston(config)#ip dvmrp route-hog-notification 5000
ip dvmrp route-limit
Use to limit the number of routes that the router can advertise on each interface. Example
host1:boston(config)#ip dvmrp route-limit 5000
You can configure an interface to accept only reports with routes that appear on a standard IP access list. You can refine the set of accepted routes further, by defining a second access list of neighbors who can supply the specified routes. For example, suppose you define an access list that specifies that the router accepts only reports for the route 172.16.2.0/24. You then define a
5-63
second access list that specifies that only neighbors 192.168.1.1 and 193.168.1.1 can supply this route. If neighbor 192.168.2.2 supplies the route, the DVMRP router rejects this report. You can also modify the value (distance) that the router associates with a DVMRP route when it computes the RPF interface for the source of a multicast packet. By default, the router associates a distance of 0 with DVMRP routes; this value indicates that the router should use DVMRP, rather than a unicast routing protocol, to transport multicast datagrams. However, in a configuration where PIM discovers multicast routes and a unicast routing protocol performs RPF lookups, you can increase the administrative distance to favor the unicast protocol. For information about defining access lists, see Chapter 1, Configuring Routing Policy.
ip dvmrp accept-filter
Use to filter routes in DVMRP reports in accordance with a standard IP access list. Specify a standard IP access list of sources for which the interface will accept routes. To favor a unicast routing protocol, specify a DVMRP administrative distance. To restrict the neighbors from whom reports for routes on the first list will be accepted, specify a neighbor list. Example
host1:boston(config-if)#ip dvmrp accept-filter boston-list 4 neighbor-list boston-neighbors
You can configure an interface to advertise a summary address with a known metric rather than a more specific route. DVMRP advertises the summary address if the DVMRP routing table contains a more specific route that matches the address and mask of the summary address. If you want to advertise all routes rather than a summary, disable automatic summarization on the interface. By default, the router automatically summarizes DVMRP routes. DVMRP automatic summarization maps a unicast subnet route to a classful network number route when the subnet has a different network number from the IP address of the interface (or tunnel) over which the advertisement travels. If the interface is unnumbered, the router compares the network number of the numbered interface to the IP address to which the unnumbered interface points.
5-64
If you configure a summary address on an interface and do not disable automatic summarization, the interface advertises the least specific address.
ip dvmrp auto-summary
Use to reenable the router to summarize routes automatically for this interface. By default, automatic summarization is enabled. Example
host1:boston(config-if)#ip dvmrp auto-summary
ip dvmrp summary-address
Use to advertise DVMRP summary addresses on an interface. By default, an interface advertises only summary addresses generated by automatic summarization. If you configure multiple overlapping summary addresses on an interface, the one with the shortest mask takes preference. The default metric value is 1. Example
host1:boston(config-if)#ip dvmrp summary-address 192.48.1.2 255.255.255.0 metric 1
The metric for DVMRP is hop count. For example, a route with two hops over a slow serial line is preferable to a route with three hops over a faster optical line. The router increments DVMRP routes in incoming reports by a default metric of one and in outgoing reports by a default of 0. You can change the metric for an interface to promote or demote the preference for associated routes.
ip dvmrp metric-offset
Use to adjust the number of hops associated with a route. This action specifies that the route is more efficient or less efficient than an alternative route. Use the in keyword to specify the number of hops by which the router increments a DVMRP route advertised in incoming DVMRP reports. This option is the default. Use the out keyword to specify the number of hops by which the router increments a DVMRP route advertised in outgoing DVMRP reports.
5-65
Example
host1:boston(config-if)#ip dvmrp metric-offset in 3
Use the no version to revert to the default settings: 1 for incoming reports and 0 for outgoing reports.
You can import routing information from other protocols into the DVMRP routing table. Only routes that appear in the RPF table can be imported. To do so:
1
If you want to use IS-IS, OSPF, or RIP routes, make those routes available to multicasting protocols. See Using Unicast Routes for RPF, earlier in this chapter. Access Router Configuration mode. Specify a route map. Import information from one type of routing domain into another.
2 3 4 redistribute
Use to import information from another type of routing domain to the DVMRP domain. Only routes that appear in the RPF table can be imported. Specify the source protocol from which routes are being redistributed. It can be one of the following keywords: bgp, isis, ospf, static, and connected. Use the static keyword to redistribute static IP multicast routes into DVMRP. Use the keyword connected to redistribute routes that are established automatically in the RPF table when another multicast routing protocol, such as PIM, is enabled on an interface. Use the route-map keyword to configure the route map to filter imported routes from the source routing protocol to the current routing protocol. If you do not specify the route-map option, all routes are redistributed. If you specify the route-map option, but no route map tags are listed, no routes will be imported. Example: Importing routing information from BGP into DVMRP
host1:boston(config-router)#redistribute bgp 100 route-map boston-map
route-map
Use to specify a route map.
host1:boston(config-router)#route-map boston-map atm 3/2
Use the no version to delete the route map. If you do not specify an interface, it removes the global route map if one exists.
5-66
router dvmrp
Use to create and enable DVMRP processing on a VR or to access DVMRP Router Configuration mode. Example
host1:boston(config)#router dvmrp
By default, if DVMRP owns an interface, that interface advertises all DVMRP routes it has learned to its neighbors. You can specify the routes that the interface advertises by issuing the ip dvmrp announce-filter command in conjunction with a standard IP access list. The IP access list defines the DVMRP routes that will be advertised.
ip dvmrp announce-filter
Use to specify the DVMRP routes that an interface will advertise. Specify a standard IP access list of routes that the interface will advertise. Example
host1:boston(config-if)#ip dvmrp announce-filter boston-list
Use the no version to allow the interface to advertise all DVMRP routes that it has learned.
By default, if you make changes to a route map, the router dynamically redistributes the routes in DVMRP. To prevent this dynamic redistribution, use the disable-dynamic-redistribute command.
disable-dynamic-redistribute
Use to halt the dynamic redistribution of routes that are initiated by changes to a route map. Dynamic redistribution is enabled by default. Example
host1(config-router)#disable-dynamic-redistribute
There is no no version.
DVMRP maintains its own unicast routing table, based on distance vector calculations. The routing table defines the best-known distance to each destination and how to get there. The router updates the tables by
5-67
exchanging information with its neighbors. The DVMRP routing table is used solely for RPF lookups. By default, if DVMRP owns an interface, that interface exchanges DVMRP unicast routes with its neighbors, and you cannot disable the exchange of routes. However, you can enable and disable the exchange of DVMRP unicast routes on interfaces that DVMRP does not own. When an interface exchanges DVMRP routes, the router obtains routes from DVMRP report messages and stores them in its DVMRP routing table. Other multicast protocols, such as PIM, can then use these routes for RPF lookups. With this feature, PIM can use the DVMRP routing table even when the router is not running DVMRP. All interfaces, including tunnels, support DVMRP unicast routing. DVMRP tunnels use DVMRP multicast routing to support DVMRP unicast routing.
ip dvmrp unicast-routing
Use to enable the exchange of DVMRP unicast routes on an interface not owned by DVMRP. Example
host1:boston(config-if)#ip dvmrp unicast-routing
Use the no version to disable the exchange of DVMRP unicast routes on an interface not owned by DVMRP.
You can disable DVMRP on a VR or an interface without removing the configuration. You can also remove DVMRP from a VR or an interface.
disable
Use to disable DVMRP processing on a VR without removing the DVMRP configuration. By default, DVMRP processing is enabled. Example
host1:boston(config-router)#disable
ip dvmrp disable
Use to disable DVMRP processing on an interface without removing the DVMRP configuration. Example
host1:boston(config-if)#ip dvmrp disable
5-68
ip dvmrp
Use to activate DVMRP on an interface. This command automatically creates and enables DVMRP processing on the current VR. Issuing this command identifies this interface as one that DVMRP owns. Example
host1:boston(config-if)#ip dvmrp
router dvmrp
Use to create and enable DVMRP processing on a VR or to access Router Configuration mode. Example
host1:boston(config)#router dvmrp
You can clear one or more routes from the DVMRP routing table. However, if you do so, the routes may reappear in the routing table if they are rediscovered.
clear ip dvmrp routes
Use to delete DVMRP routes from the routing table. If you do not specify any options, the router removes all routes except those associated with its own interfaces from the DVMRP table. If you specify an IP address but not a subnet mask, the router removes the longest route to that IP address from the DVMRP table. If you specify a subnet mask, the router removes that specific route from the DVMRP table. Example
host1:boston#clear ip dvmrp routes
DVMRP tunnels allow the exchange of IP multicast traffic between routers separated by networks that do not support multicast routing. For information about DVMRP tunnels, see Chapter 6, Configuring IP Tunnels.
5-69
Monitoring DVMRP
You can establish a reference point for DVMRP statistics by setting the statistics counters to zero. You can display DVMRP information with the show ip dvmrp commands.
baseline ip dvmrp
Use to set the counters for IGMP statistics to zero. Example
(host1)#baseline ip dvmrp
show ip dvmrp
Use to display DVMRP information for a VR. Field descriptions
Dvmrp Admin State state of DVMRP in the software: enabled or disabled Mcast Admin State state of multicasting in the software: enabled or
disabled
Dvmrp Version version of DVMRP with which this software is compatible GenerationID a number the router generates each time it reboots; when
the number changes, neighbors discard all information previously learned from the router
NumRoutes number of routes in the DVMRP routing table NumTrigdRts number of routes waiting to be advertised, because a
parameter for the route changed
ReachableRoutes number of routes that the router can currently reach RouteHogNotification number of DVMRP routes that the router can record
before it generates a system log warning message
5-70
Routes Sent/SntRt number of bad routes advertised on this interface Administrative State configured state of DVMRP on this interface: enabled
or disabled
auto-summary status of automatic summarization: enabled or disabled metric-offset in number of hops by which the router increments a DVMRP
route advertised in incoming DVMRP reports
accept-filter(s) names of IP access lists that specify the sources for which
the interface accepts routes. Example 1
host1:v3#show ip dvmrp interface Interface: atm5/0.14 SourceAddress: Network/Mask: Received Bad Packets: Received Bad Routes: Routes Sent: Administrative State: Summary Address(es) None Configured auto-summary: metric-offset in: Enabled 1 14.0.1.1 14.0.1.1/8 0 0 2 Enabled
5-71
0 None Configured
Example 2
SourceAddress 14.0.1.1 15.0.1.1 Network/Mask 14.0.1.1/8 15.0.1.1/8 RBdPk RBdRt SntRt 0 0 0 0 2 2
Interface interface type and identifier, such as atm3/0. For details about
interface types and specifiers, see E-Series Command Reference Guide, About This Guide.
Neighbor Address/NbrAddress IP address of the neighbor Neighbor upTime/UpTime length of time, in seconds, that this router has
been a neighbor
5-72
Routes Received number of routes learned from this neighbor Bad Routes Received number of bad routes received from this neighbor Bad Packets Received number of bad packets received from this neighbor
Example 1
14.0.0.1 atm5/0.14 28 3 255 Prune GenerationId Mtrace NetMask Active 0x3a13fbc2 1 0 0 host1:boston#show ip dvmrp neighbor Neighbor Address: Interface: Neighbor upTime: Neighbor Major Version: Neighbor Minor Version: Neighbor Capabilities: Neighbor State: Geneneration ID: Routes Received: Bad Routes Received Bad Packets Received:
Example 2
host1:v3#show ip dvmrp neighbor brief Interface State atm5/0.14 Active atm5/0.15 Active NbrAddress 14.0.0.1 15.0.0.1 UpTime Maj Min Cap 32 34 3 255 PGMN 3 255 PGMN
5-73
Prefix IP address of the network Length length of the subnet mask for the network usNbr/Owner IP address of the upstream neighbor associated with this
route or a description of the origin of the route DVMRP Local route is associated with a directly attached network DVMRP Aggregate route is an aggregate route determined by summarization
Prefix/Length 14.0.0.0/8
Metric metric associated with this interface for this route ExpireTime time until the VR starts the process for removing the route UpTime length of time the route has been in the DVMRP routing table Interface type and identifier for the interface, such as atm3/0. For details about interface types and specifiers, see E-Series Command Reference Guide, About This Guide.
Example
usNbr/Owner Dvmrp Local Metric ExpireTime UpTime Interface 1 Never 18 atm5/0.14
Downstream Interface(s) Interface atm5/0.15 15.0.0.0/8 None 25.0.0.0/8 Interface atm5/0.15 host1:v3#show ip dvmrp route brief Prefix/Length 14.0.0.0/8 15.0.0.0/8 25.0.0.0/8 usNbr/Owner Dvmrp Local Dvmrp Local 14.0.0.1 Metric ExpireTime UpTime Interface 1 1 2 Never Never 121 26 26 19 atm5/0.14 atm5/0.15 atm5/0.14 14.0.0.1 2 129 11 atm5/0.14 Downstream Interface(s) Dvmrp Local 1 Never 18 atm5/0.15 Downstream Interface(s)
5-74
addr IP address of the next-hop router mlen mask length of the next-hop router ifIndex SNMP ifIndex for the interface that connects to the next hop Type description of the next-hop router leaf neighbor with no downstream neighbors branch neighbor with downstream neighbors
Example
host1:boston>show ip dvmrp routeNextHop addr/mlen 172.16.0.0/16 172.17.0.0/16 172.18.0.0/16 172.19.0.0/16 172.19.0.0/16 ifIndex 4 4 3 3 4 Type leaf leaf leaf leaf branch
BGP Multicasting
BGP multicasting (MBGP) is an extension of the BGP unicast routing protocol. Many of the functions available for BGP unicasting are also available for MBGP. The MBGP extensions specify that BGP can exchange information within different types of address families. The address families available are unicast IPv4, multicast IPv4, and VPN-IPv4. When you enable BGP, the router employs unicast IPv4 addresses by default. You should be thoroughly familiar with BGP before configuring MBGP. See E-Series Routing Protocols Configuration Guide, Vol. 2, Chapter 1, Configuring BGP Routing, for detailed information on BGP and MBGP.
5-75
To direct the packets to a particular destination, specify the unicast address for that destination. If you do not specify a destination, the router traces the route from the device on which you issue the command. To direct the packets through a particular multicast group address, specify that multicast group address. If you do not specify a multicast group address, the router traces the route through the MBone audio multicast group. To send the trace to a particular device, specify the IP address of that device. If you do not specify a response address, the router sends the trace to an IP address on the router. To investigate a problem at a particular point in the route, specify the maximum number of hops for the trace. The trace starts at the destination and works back to the source. The default number of hops is 64. Field descriptions
Tracing multicast route from a.a.a.a to b.b.b.b for group c.c.c.c using
response address d.d.d.d a description of the trace as follows: a.a.a.a IP address of the source b.b.b.b IP address of the destination c.c.c.c IP address of the multicast group d.d.d.d IP address on the router to which the router will send the trace
Each line of the trace has the following format: hops. ip-address protocol
threshold hops number of hops from the destination to this intermediate router ip-address IP address of the intermediate router protocol multicast protocol running on the intermediate router. A value of 12 indicates IGMP; other values comply with A traceroute Facility for IP Multicast draft-ietf-idmr-traceroute-ipm-07.txt (July 2000). FwdingCode forwarding information or error associated with this hop. For example, RPF iif indicates that the request arrived on the expected RPF interface for this source group. For more information about the forwarding information or error codes, see A traceroute Facility for IP Multicast draft-ietf-idmr-traceroute-ipm-07.txt (July 2000). Example
host1#mtrace 100.4.4.4 40.1.1.1 232.1.1.1 Tracing multicast route from 100.4.4.4 to 40.1.1.1 for group 232.1.1.1 using response address 10.6.129.56 (Press ^c to stop.) Received mtrace response packet of length 88 1. 40.1.1.1 Protocol: PIM(3) FwdingCode: RPF iif(9) 2. 21.2.2.2 Protocol: PIM(3) FwdingCode: Reached RP(8)
There is no no version.
5-76
Configuring IP Tunnels
6
Page 6-2 6-2 6-3 6-3 6-3 6-8
IP tunnels provide a way of transporting datagrams between routers separated by networks that do not support all the protocols that those routers support. This chapter describes how to configure IP tunnels on the E-series router.
Topic Overview Line Module Requirements Managing TSMs References Configuration Tasks Monitoring IP Tunnels
6-2
Overview
The E-series router supports static IP tunnels. An IP tunnel is a virtual point-to-point connection between two routers. See Figure 6-1. To establish an IP tunnel, you specify a tunnel type and name, and then configure an interface on each router to act as an endpoint for the tunnel.
Data
ERX Destination
The E-series router supports the following types of IP tunnels: Generic Routing Protocol (GRE) tunnels Distance Vector Multicast Routing Protocol (DVMRP) tunnels, also known as IP in IP tunnels
GRE Tunnels
GRE encapsulates IP packets to enable data transmission through an IP tunnel. The resulting encapsulated packet contains a GRE header and a delivery header. Consequently, the packet requires more processing than an IP packet, and GRE can be slower than native routing protocols.
DVMRP Tunnels
DVMRP tunnels allow the exchange of IP multicast traffic between routers separated by networks that do not support multicast routing. For information about DVMRP, see Chapter 5, Configuring IP Multicasting.
6-3
egress ports. However, you must assign interfaces on other line modules or loopback interfaces to act as source endpoints for the tunnel. All line modules forward traffic to tunnels. For information about which line modules accept traffic for tunnels, see E-Series Installation and User Guide, Chapter 13, Protocol Support.
Managing TSMs
For information about TSM redundancy and tunnel distribution, see E-Series Physical Layer Configuration Guide, Chapter 9, Managing Tunnel Service and IPSec Service Interfaces.
References
For more information about IP tunnels, see the following documents: RFC 791 Internet Protocol DARPA Internet Program Protocol Specification (September 1981) RFC 1700 Assigned Numbers (October 1994) RFC 1701 Generic Routing Encapsulation (October 1994) RFC 1702 Generic Routing Encapsulation over IPv4 Networks (October 1994) RFC 2003 IP Encapsulation within IP (October 1996) RFC 2784 Generic Routing Encapsulation (GRE) (March 2000)
Configuration Tasks
To configure an IP tunnel:
1
Create or select a physical or loopback interface. This interface acts as an anchor for the source of the tunnel.
2 3 4 5 6 7
Assign an IP address to the physical or loopback interface. Create a tunnel interface. Set the source address for the tunnel. Set the destination address for the tunnel. (Optional) Enable error checking across a GRE tunnel. Set the maximum transmission unit (MTU) size for the tunnel.
6-4
Note: On TSM interfaces, issue only the commands listed below. Do not configure protocols such as Multilink PPP or Multilink Frame Relay on TSM interfaces.
interface tunnel
Use to create an IP tunnel interface. Specify the type and name of the tunnel you want to create. You can establish the tunnel on a virtual router other than the current virtual router. Example
host1(config)#interface tunnel dvmrp:boston-tunnel-1 transport-virtual-router boston
tunnel checksum
Use to enable checksum computation across a GRE tunnel. Checksum computation is not supported for DVMRP tunnels. Selecting this feature causes the E-series router to drop corrupted packets it receives on the tunnel interface. Example
host1(config)#interface tunnel gre:tunnel2 host1(config-if)#tunnel checksum
tunnel destination
Use to configure the remote end of the tunnel. Specify either the IP address of an interface on the remote router or the hostname of the remote router.
The IP address is the address for the destination interface. The hostname is the name of the destination interface.
Example 1
host1(config)#interface tunnel dvmrp:tunnel2 host1(config-if)#tunnel destination 192.13.7.1
Example 2
host1(config)#interface tunnel dvmrp:tunnel2 host1(config-if)#tunnel destination remoteHost
tunnel mtu
Use to set the MTU for the tunnel. Specify a value in the range 1024 to 10240 bytes.
6-5
Example
host1(config-if)#tunnel mtu 7500
tunnel source
Use to configure the source of the tunnel. Specify either the primary IP address or the type and specifier of an interface. Do not specify an unnumbered interface. Example 1
host1(config)#interface tunnel dvmrp:boston-tunnel-1 host1(config-if)#tunnel source 192.10.2.1
Example 2
host1(config)#interface tunnel dvmrp:boston-tunnel-1 host1(config-if)#tunnel source atm 5/0.12
Configuration Example
In this example, two GRE tunnel interfaces are configured on different virtual routers of an E-series router. The source of the first tunnel interface matches the destination of the second tunnel interface and vice versa.
1
Configure a virtual router called boston that will support one end of the tunnel.
host1#virtual-router boston
Configure a physical or loopback interface for the end of the tunnel on virtual router boston. The IP address of this interface appears in the header of tunneled frames and is used for forwarding traffic.
host1:boston#interface atm 12/0.5 host1:boston(config-if)#ip address 10.5.5.5 255.255.255.0
6-6
Configure a virtual router called chicago that will support the other end of the tunnel.
host1(config)#virtual-router chicago
Configure a physical or loopback interface for the end of the tunnel on virtual router chicago.
host1:chicago(config)#interface atm 12/1.5 host1:chicago(config-if)#ip address 10.6.6.6 255.255.255.0
The name of the tunnel interface can differ from the tunnel interface configured in step 3.
host1:chicago(config-if)#interface tunnel gre:BostonTunnel
The destination of this tunnel interface matches the source of the tunnel interface configured in step 3 and vice versa.
host1:chicago(config-if)#tunnel source 10.6.6.6 host1:chicago(config-if)#tunnel destination 10.5.5.5
When a line module receives IP frames destined for a tunnel, the module forwards the frames to the TSM. The TSM encapsulates the frames and forwards them to the tunnel through an interface determined by a route lookup of an IP frame. The source and destination addresses in the IP frame are the source and destination addresses of the tunnel.
6-7
Similarly, when a line module receives traffic from a tunnel, the module forwards the traffic to the TSM for deencapsulation. After deencapsulation, the TSM forwards the resultant IP frames to an interface determined by a route lookup. When you have configured a tunnel interface, treat it in the same way as any IP interface on the router. For example, you can configure static IP routes or enable routing protocols on the tunnel interface. The IP configurations you apply to the tunnels control how traffic travels through the network.
Preventing Recursive Tunnels
If routing information about the tunnel network combines with routing information about the transport networks (the networks that the tunnel services), a recursive tunnel can occur. In this case, the routing table defines the tunnel itself as the best path to a tunnel destination. To prevent recursive tunnels, differentiate routing information for the tunnel network and the transport networks with one or both of the following techniques: Use different routing protocols for the tunnel network and the transport networks. Define a static route to the tunnel destination.
Note: If you define a static route to a tunnel destination, be careful not to create routing loops.
Figure 6-2 illustrates how to prevent recursive tunnels by using different routing protocols for the tunnel network and the transport networks.
VR2
VR5
VR8
VR1
VR4
Tunnel
VR7
VR10
VR3
VR6
VR9
g013127
Figure 6-2 Transport and tunnel networks using different routing protocols
6-8
Monitoring IP Tunnels
You can monitor DVMRP and GRE tunnels by using the following commands.
show dvmrp tunnel
Use to display information about DVMRP tunnels. Optionally, specify the detail keyword to view detailed information about tunnels. Optionally, specify the state keyword and the state of the tunnel (disabled, down, enabled, lower-down, not-present, up) to view the number of tunnels in a specific state. Optionally, specify a tunnel name to view the state of a specific tunnel. Optionally, specify an IP address to view the number of tunnels associated with that IP address. Optionally, specify an IP address with the virtual-router keyword and the name of the virtual router to view the number of tunnels associated with that IP address on the virtual router. Field descriptions
Tunnel status
up tunnel is operational down tunnel is not operational not-present tunnel is not operational, because the hardware (such as a line module) supporting the tunnel is inaccessible
Tunnel name name of the tunnel Tunnel mtu maximum transmission unit for the tunnel Tunnel source address IP address of the source of the tunnel Tunnel destination address IP address of the destination of the tunnel Tunnel transport virtual router virtual router associated with the tunnel Tunnel up/down trap is enabled indicates whether or not the E-series router sends traps to SNMP when the operational state of the tunnels changes internal to the TSM.
Tunnel server location location of the TSM in slot/port format. The port is
Tunnel administrative state configured state of the tunnel: up or down Statistics details of packets received or transmitted by the tunnel Packets number of packets received or transmitted by the tunnel Octets number of octets received or transmitted by the tunnel Discards number of packets not accepted by the tunnel Errors number of packets with errors received or transmitted by the tunnel Data rx received data Data tx transmitted data
6-9
Example 1
host1#show dvmrp tunnel DVMRP tunnel boston1 is up 1 DVMRP tunnel found
Example 2
host1#show dvmrp tunnel detail DVMRP tunnel boston1 is up Tunnel operational configuration Tunnel name is 'boston1' Tunnel mtu is '10240' Tunnel source address is '0.0.0.0' Tunnel destination address is '0.0.0.0' Tunnel transport virtual router is vr1 Tunnel up/down trap is enabled Tunnel server location is 4/0 Tunnel administrative state is up Statistics Data rx Data tx packets 0 0 octets 0 0 discards 0 0 errors 0 0
Example 3
host1#show dvmrp tunnel state enabled DVMRP tunnel boston1 is up 1 DVMRP tunnel found
Example 4
host1#show dvmrp tunnel virtual-router vr1 ip 0.0.0.0 DVMRP tunnel boston1 is up 1 DVMRP tunnel found
Administrative status
enabled tunnel is available for use disabled tunnel is not available for use
Operational status
up tunnel is operational down tunnel is not operational not-present tunnel is not operational, because the hardware (such as a line module) supporting the tunnel is inaccessible
6-10
Example
enabled 1 up 1 disabled 0 down 0 not-present 0
Tunnel name name of the tunnel Tunnel mtu maximum transmission unit for the tunnel Tunnel source address IP address of the source of the tunnel Tunnel destination address IP address of the destination of the tunnel Tunnel transport virtual router virtual router associated with the tunnel Tunnel checksum option state of the checksum feature: enabled or disabled router sends traps to SNMP when the operational state of the tunnels changes
Tunnel up/down trap is enabled indicates whether or not the E-series Tunnel server location location of the TSM in slot/port format. The port is
internal to the TSM.
Tunnel administrative state configured state of the tunnel: up or down Statistics details of packets received or transmitted by the tunnel Packets number of packets received or transmitted by the tunnel Octets number of octets received or transmitted by the tunnel Discards number of packets not accepted by the tunnel Errors number of packets with errors received or transmitted by the tunnel Data rx received data Data tx transmitted data
host1#show gre tunnel 3 GRE tunnels found
Example 1
6-11
Example 2
host1#show gre tunnel detail Tunnel operational configuration Tunnel name is 'vr1' Tunnel mtu is '10240' Tunnel source address is '10.0.0.2' Tunnel destination address is '10.0.0.1' Tunnel transport virtual router is vr1 Tunnel checksum option is disabled Tunnel up/down trap is enabled Tunnel server location is 4/0 Tunnel administrative state is up Statistics Data rx Data tx packets 0 0 octets 0 0 discards 0 0 errors 0 0
Tunnel operational configuration Tunnel name is 'default' Tunnel mtu is '10240' Tunnel source address is '10.0.0.1' Tunnel destination address is '10.0.0.2' Tunnel transport virtual router is default Tunnel checksum option is disabled Tunnel up/down trap is enabled Tunnel server location is 4/0 Tunnel administrative state is up Statistics Data rx Data tx packets 0 0 octets 0 0 discards 0 0 errors 0 0
Tunnel operational configuration Tunnel name is 'london2' Tunnel mtu is '10240' Tunnel source address is '0.0.0.0' Tunnel destination address is '0.0.0.0' Tunnel transport virtual router is vr1 Tunnel checksum option is disabled Tunnel up/down trap is enabled Tunnel server location is 4/0 Tunnel administrative state is up Statistics Data rx Data tx packets 0 0 octets 0 0 discards 0 0 errors 0 0
6-12
Example 3
host1#show gre tunnel state up GRE tunnel VR1 is up GRE tunnel default is up GRE tunnel london2 is down 3 GRE tunnels found Example 4 host1#show gre tunnel virtual-router vr1 ip 10.0.0.1 GRE tunnel VR1 is up 1 GRE tunnel found
Administrative status
enabled tunnel is available for use disabled tunnel is not available for use
Operational status
up tunnel is operational down tunnel is not operational not-present tunnel is not operational, because the hardware (such as a line module) supporting the tunnel is inaccessible Example
enabled 3 Operational status up 3 disabled 0 down 0 not-present 0 host1#show gre tunnel summary Administrative status
7
Page 7-1 7-2 7-3
This chapter describes IP packet reassembly for tunneled protocols on the E-series router.
Topic Overview Configuring IP Reassembly Monitoring IP Reassembly
Overview
Tunneling protocols provide a method of forwarding packets of a particular protocol through a network of a different protocol type. For example, L2TP can transport a protocol such as PPP through a routed IP network. This capability requires a pair of devices that define the endpoints of the tunnel. Packets entering the tunnel are processed and encapsulated at the ingress endpoint, and packets exiting the tunnel are processed and decapsulated at the egress endpoint. When packets are tunneled through an IP network, simple IP forwarding is performed. The IP forwarding process may require fragmentation within the tunnel, which means that a packet that enters a tunnel whole may reach the egress endpoint as fragments. Because tunnel processing requires each packet to exit the tunnel in the same form in which it entered, if fragmented packets are not reassembled before the tunnel egress processing is performed, they are dropped.
7-2
For example, in Figure 7-1, traffic is tunneled through an IP network that has four hops. Because the MTU of the link between routers B and C is smaller than that of previous hops, some packets are fragmented. Router D must reassemble the packets before tunnel egress processing and decapsulation are performed.
IP network
B Tunnel ingress A
Packets fragmented
Tunnel egress
C
g013122
Tunnel Server modules (TSMs) perform IP reassembly on the E-series router. The E-series router can perform reassembly of IP packets it receives on DVMRP, GRE, IPSec, and L2TP tunnels. Because IP reassembly is required only on tunnel egress packets, the router performs reassembly only on packets in which the IP destination address is local to the router and in which the underlying protocol is one of the supported tunneling protocols.
Configuring IP Reassembly
To set up IP reassembly, you enable it on a virtual router basis. Also, on a systemwide basis, you can control how the router handles checking of sequence numbers in data packets that it receives on L2TP tunnels.
ip tunnel reassembly
Use to enable the reassembly of fragmented IP tunnel packets that are received on the current virtual router. Note that you configure tunnel reassembly on VPN routing and forwarding routers independent of the tunnel reassembly configuration on the parent virtual router.
7-3
Example enables reassembly for virtual router vr12 and disables reassembly for virtual router vr8
host1:vr12(config)#ip tunnel reassembly host1:vr12(config)#virtual-router vr8 host1:vr8(config)#no ip tunnel reassembly
l2tp ignore-receive-data-sequencing
Use to prevent sequence number checking for data packets received on all L2TP tunnels in the router. This command does not affect the insertion of sequence numbers in packets sent from the router. We recommend that you set up the router to ignore sequence numbers in received data packets if you are using IP reassembly. Because IP reassembly may reorder L2TP packets, out-of-order packets may be dropped if sequence numbers are being used on L2TP data packets. Example
host1(config)#l2tp ignore-receive-data-sequencing
Use the no version to cause the router to check sequence numbers on received L2TP data packets.
Monitoring IP Reassembly
The router keeps several statistics that are useful for diagnostic purposes. These statistics are organized by virtual router, and some are broken out by protocol as well. You can display statistics for a single virtual router or for all virtual routers.
show ip tunnel reassembly statistics
Use to display reassembly statistics. Statistics are displayed for the current virtual router unless you include the all keyword, which causes the router to display statistics for all virtual routers. Statistics are displayed in brief form unless you include the detail keyword. Field descriptions
Fragments Received total fragments received for all tunneling protocols Packets Reassembled number of packets reassembled; detailed display
includes number of packets reassembled for each protocol
7-4
Configuring RIP
8
Page 8-1 8-2 8-3 8-6 8-7 8-18 8-19 8-22
This chapter describes how to configure the Routing Information Protocol (RIP) on your E-series router.
Topic Overview References Features Before You Run RIP Configuration Tasks Using RIP Routes for Multicast RPF Checks Remote Neighbors Monitoring RIP
Overview
RIP is an interior gateway protocol (IGP) typically used in small, homogeneous networks. RIP uses distance-vector routing to route information through IP networks. Distance-vector routing requires that each router simply inform its neighbors of its routing table. For each network path, the receiving router picks the neighbor advertising the lowest metric, then adds this entry into its routing table for readvertisement. Any host that uses RIP is assumed to have interfaces to one or more networks. These networks are considered to be directly connected networks. RIP relies on access to certain information about each of these networks. The most important information is the networks metric.
8-2
RIP Metric
RIP uses the hop count as the metric (also known as cost) to compare the value of different routes. The hop count is the number of routers that data packets must traverse between RIP networks. Metrics range from 0 for a directly connected network to 16 for an unreachable network. This small range prevents RIP from being useful for large networks.
RIP Messages
RIP exchanges routing information via User Datagram Protocol (UDP) data packets. Each RIP router sends and receives datagrams on UDP port number 520, the RIP version 1/RIP version 2 port. All communications intended for another routers RIP process area are sent from the RIP port. Every RIP message contains a RIP header that consists of a command and a version number. The router supports RIP version 1 (RIPv1) and RIP version 2 (RIPv2) extensions. RIP employs the following message types: Request A request for the responding router to send all or part of its routing table. Response A message containing all or part of the senders routing table. This message is sent in response to a request or is an unsolicited routing update generated by the sender. The RIP request and response messages also contain a list of route entries. Each route entry contains the following: Address Entry Identifier The type of address Destination IP address The destination address of the message Cost to reach the destination A value between 1 and 15, which specifies the current metric for reaching the destination
References
For more information about RIP, consult the following resources: RFC 1058 Routing Information Protocol (June 1998) RFC 2453 RIP Version 2 (November 1998)
8-3
Features
Some of the major RIP features supported by the router include:
RIP version 1 RIP version 2 route tags authentication subnet masks next hop multicast addressing route summarization split horizon equal-cost multipath remote neighbors poison reverse
Route Tags
A route tag is a field in a RIP message that allows boundary routers in an autonomous system (AS) to exchange information about external routes. Route tags provide a method of separating internal RIP routes (routes within the RIP routing domain) from external RIP routes, which may have been imported from an EGP (exterior gateway protocol) or another IGP (interior gateway protocol). Routers supporting protocols other than RIP should be configurable to allow the route tags to be configured for routes imported from different sources. For example, routes imported from BGP should be able to have their route tags set to the number of the ASs from which the routes were learned.
Authentication
RIPv1 does not support authentication. If you are sending and receiving RIPv2 packets, you can enable RIP authentication on an interface. The router provides the simple authentication scheme for RIPv2. Because authentication is a per message function and only one 2-octet field is available in the RIP message header, authentication uses the space of an entire RIP message. The first 20-byte entry in a RIP authentication message contains an address family identifier value of 0xffff and a route tag value of 2. If the 0xffff address family is present in the RIP message, the remaining 16 octets of the entry contain a plain text password. If the password is fewer than 16 octets, it must be left-justified and padded to the right with nulls (0x00). Authentication is applied per RIP interface. You can specify either text or MD5 authentication. Text authentication uses a simple password that must be shared by the neighbors receiving updates or requests. If they do
8-4
not have this password, the neighbors reject all updates or requests from the router. MD5 authentication uses a shared key to encrypt the RIP message. The neighbors must have the MD5 key to decrypt the message and encrypt a response.
Note: Do not use text authentication when security is important, because the router sends the unencrypted password in every RIP packet it sends.
Example 1
Example 2
Subnet Masks
The Subnet Mask field of a RIP message contains the subnet mask that is applied to the IP address to set the nonhost portion of the address. If the subnet mask field in a RIP message contains a zero, then no subnet mask was included for the entry. On an interface where a RIPv1 router may hear and operate on information in a RIPv2 routing entry, the following rules apply: Information internal to one network must never be advertised into another network. Information about a more specific subnet may not be advertised where RIPv1 routers would consider it a host route. Supernet routes (routes where a netmask is less specific than the natural network mask) must not be advertised where they could be misinterpreted by RIPv1 routers.
Next Hop
The Next Hop field in a RIP message contains the next IP address where a packet is sent. A value of zero in this field indicates that the next address the packet should be sent to is the router that originally sent the RIP message.
8-5
Multicasting
To reduce unnecessary load on hosts that are not listening to RIPv2 messages, an IP multicast address is used for periodic broadcast messages. The IP multicast address is 224.0.0.9.
Route Summaries
You can summarize routes reported by RIP to reduce the size of the routing table and the amount of traffic resulting from RIP updates. Configuring a RIP summary will cause that prefix to be advertised with the associated metric regardless of the presence of more-specific prefixes. Any more-specific prefixes will not be advertised when they are covered by the summary. You can choose the degree of summarization by using a prefix tree to specify the number of bits to report for routes matching a route map. Alternatively, you can explicitly specify routes for RIP to summarize.
Prefix Tree Example
Set the conditions for summarization in the prefix tree, including which routes are summarized and how many bits of the network addresses are preserved as the network prefix.
host1(config)#ip prefix-tree boston permit 2.1.0.0/16
This example summarizes routes for networks addressed by 2.1.x.x. The first 16 bits of the network address are preserved in the summary. For example, routes 2.1.3.0, 2.1.2.0, and 2.1.1.0 would all be summarized as 2.1.0.0.
8-6
You can use the ip summary-address command to specify routes that RIP will summarize.
host1(config-router)#ip summary-address 4.4.0.0 255.255.0.0 5 host1(config-router)#ip summary-address 4.3.0.0 255.255.0.0 6
Split Horizon
Split horizon is a mechanism to aid in preventing routing loops when distance-vector routing protocols such as RIP are employed in broadcast networks. When split horizon is enabled, the router cannot advertise information about routes on an interface from which the information originates. Split horizon is enabled by default on the router. You can disable split horizon and enable poison reverse routing updates that advertise routes originating on the interface, but for each of these routes the metric is set to infinity to explicitly advertise that these networks are not reachable.
Equal-Cost Multipath
RIP supports equal-cost multipath (ECMP) and installs into the routing table multiple entries for paths to the same destination. Each of these multiple paths to a given destination must have the same cost as the others, but a different next hop.
Applying Route Maps
You can apply a policy to redistributed routes with the route-map command. See Chapter 1, Configuring Routing Policy, for more information on route maps. You can use the table-map command to apply a route map to RIP routes that are about to be added to the IP routing table.
8-7
Configuration Tasks
To configure RIP:
1
(Optional) Do one of the following: Associate a network with a RIP routing process and optionally configure RIP for the network.
host1(config-router)#network 10.2.1.0 255.255.255.0 host1(config-if)#ip rip host1(config-if)#ip rip receive version 1 host1(config-if)#ip rip send version 2 host1(config-if)#ip rip authentication mode text host1(config-if)#ip rip authentication key klaatu42
Associate the RIP routing process with an interface specified by an IP address or with an unnumbered interface, and configure RIP for the interface.
host1(config-router)#address 10.2.1.1 host1(config-router)#address 10.2.1.1 receive version 1 host1(config-router)#address 10.2.1.1 send version 2 host1(config-router)#address 10.2.1.1 authentication mode text host1(config-router)#address 10.2.1.1 authentication key 31barada
Each configuration step is optional, and includes the following: (Optional) Specify a RIP receive version for an interface. By default, RIP interfaces on your router receive both RIPv1 and RIPv2. (Optional) Specify a RIP send version for an interface. By default, RIP interfaces on your router send only RIPv1. (Optional) Specify an authentication mode and authentication password or key. This step is permitted only if both receive version and send version are set to RIPv2.
4
8-8
(Optional) Control the dynamic distribution of routes caused by changes to an associated route map.
host1(config-router)#disable-dynamic-redistribute
Use a prefix tree to specify the number of bits to report for routes matching a route map:
host1(config)#ip prefix-tree boston permit 10.10.2.0/24 host1(config-router)#route-map 4 host1(config-route-map)#match-set summary prefix-tree boston
some event.
host1(config-router)#debounce-time 30
8-9
14 (Optional) Prevent RIP from purging the routing table for interfaces
If you use the network command to configure a RIP network, use the ip rip commands to configure the RIP attributes for that network. Do not use the address commands. If you use the address command to configure a RIP network, use the address commands to configure the RIP attributes for that network. Do not use the ip rip commands.
Note: The network and ip rip commands are maintained for industry compatibility. You can configure all your RIP interfaces with the address commands. You cannot configure unnumbered interfaces with the network and ip rip commands.
address
Use to configure RIP to run on the interface specified by the IP address or on an unnumbered interface. Use the address commands to configure RIP attributes on the network. Configures RIP with the default values: Send version is RIPv1, receive version is RIPv1 and RIPv2, authentication is not enabled. Example
host1(config-router)#address 10.2.1.1
8-10
Example
host1(config-router)#address 10.2.1.1 authentication key ke6G72mV
There is no no version.
debounce-time
Use to control the interval RIP waits before bringing back up an interface that was brought down by some event. The interval can range from 060 seconds.
8-11
Example
host1(config-router)#debounce-time 30
default-information originate
Use to enable RIP to advertise a default route (0.0.0.0/0) if the default route exists in the IP routing table. If the default route does not exist, you must configure it using the ip route command, or specify the always keyword. The always keyword causes RIP to always advertise the default route, and creates it if it is not present in the IP routing table. Example
host1(config-router)#default-information originate
default-metric
Use to configure RIP to apply this metric when advertising routes on all subsequently created interfaces. Configuring a default metric lowers the priority of the routes. Use a metric from 1 to 16. Example
host1(config-router)#default-metric 5
disable
Use to disable RIP processing. Example
host1(config-router)#disable
disable-dynamic-redistribute
Use to halt the dynamic redistribution of routes that are initiated by changes to a route map. Dynamic redistribution is enabled by default. Example
host1(config-router)#disable-dynamic-redistribute
8-12
distance
Use to set the administrative distances for routes. The default is 120. Example
host1(config-router)#distance 150
distribute-list
Use to apply a specific access list to incoming or outgoing RIP route updates. An IP access list acts as a filter. Refer to the access list command in the E-Series Command Reference Guide A to M for more information. Example
host1(config-router)#distribute-list 5 incoming
interface-event-disable
Use to configure RIP to purge the routing table for interfaces that were brought down by some event. Example
host1(config-router)#interface-event-disable
Use the no version to restore the default condition, wherein RIP does not automatically purge the routing table for down interfaces.
ip prefix-tree
Use to create a prefix tree to match routes to be summarized by a route map; specifies a tree entrya deny or permit clause for a network address. The prefix tree name can be up to 32 characters long. Example
host1(config)#ip prefix-tree boston42 permit 10.10.2.0/24
Use the no version to remove the specified prefix tree or the specified tree entry.
ip rip
Use to configure RIP on the network interface specified with the network command. Configures RIP with the default values: Send version is RIPv1, receive version is RIPv1 and RIPv2, authentication is not enabled. Example
host1(config-if)#ip rip
8-13
ip split-horizon
Use to configure the split horizon feature and poison reverse features for the interface. Enabled by default, split horizon prevents the RIP router from advertising routes from the originating interface. Poison reverse routing updates are disabled by default; when enabled, they set the metric for routes originating on the interface to infinity, thus explicitly advertising that the network is not reachable. This helps to prevent routing loops.
8-14
In most configurations, you will want to accept the default condition. Example
host1(config-if)#no ip split-horizon
Use the no version to disable split horizon and enable poison reverse routing updates.
ip summary-address
Use to specify an IP address and network mask to identify which routes to summarize. You can optionally specify a metric associated with the summary address. The default metric is 1. Example
host1(config-router)#ip summary-address 4.4.0.0 255.255.0.0 5 host1(config-router)#ip summary-address 4.3.0.0 255.255.0.0 6
Use the no version to disable the use of the prefix tree by the route map.
maximum-paths
Use to control the maximum number of parallel routes that RIP can support. RIP installs multiple equal-cost paths to a given destination only if each has a different next hop. The maximum number of routes can range from 116. Example
host1(config-router)#maximum-paths 2
8-15
neighbor
Use to specify a RIP neighbor to which the router sends unicast messages. You must also use the passive-interface command to specify the interface as passive, thereby restricting the interface to unicast RIP messages. Example
host1(config-router)#neighbor 10.10.21.100
network
Use to associate a network with a RIP routing process. Use the ip rip commands to configure RIP attributes on the network. You supply a network mask to the new address so that RIP runs on that specific network. If you do not specify an interfaces network, the network is not advertised in any RIP updates. You can specify either the standard subnet mask or the inverse subnet mask. Example 1
host1(config-router)#network 10.2.1.0 255.255.255.0
Example 2
host1(config-router)#network 10.2.1.0 0.0.0.255
passive-interface
Use to disable the transmission of multicast RIP messages on the interface. RIP messages are unicast to a RIP neighbor on the interface if the interface is present in the IP routing table as the next-hop interface to the configured neighbor. Example
host1(config-router)#passive-interface atm atm 2/0.16
Use the no version to reenable the transmission of RIP multicast messages on the specified interface.
redistribute
Use to redistribute information from a routing domain other than RIP into the RIP domain. Example 1
host1(config)#router rip 5 host1(config-router)#redistribute bgp 100 route-map 4
8-16
Specify the source protocol from which routes are being redistributed. It can be one of the following keywords: bgp, isis, ospf, static [ip], and connected. Use the static keyword to redistribute IP static routes; optionally add the ip keyword when redistributing into IS-IS. The keyword connected refers to routes that are established automatically by virtue of having enabled IP on an interface. For routing protocols such as OSPF and IS-IS, these routes will be redistributed as external to the AS. Use the route-map keyword to interrogate the route map to filter the importation of routes from the source routing protocol to the current routing protocol. If you do not specify the route-map option, all routes are redistributed. If you specify the route-map option, but no route map tags are listed, no routes will be imported. Use to redistribute routes from RIP into other non-RIP routing domains. Example 2
host1(config)#router bgp 100 host1(config-router)#redistribute rip 5
route-map
Use to specify a route map for RIP. Example
host1(config)#router rip host1(config-router)#route-map 4
Use the no version to delete the route map. If you do not specify an interface, it removes the global route map if it exists.
router rip
Use to enable RIP routing protocol and specify a RIP process for IP, or to access Router Configuration mode. Specify only one RIP process per router. Example
host1(config)#router rip
Use the no version to delete the RIP process and removes the configuration from your router.
send-more-specific-routes-disable
Use to configure RIP to send a less-specific route in preference to a more-specific route if the less-specific route has a metric. Example
host1(config-router)#send-more-specific-routes-disable
Use the no version to restore the default condition, wherein RIP always sends a more-specific route in preference to a less-specific route, even if the less-specific route has a metric.
8-17
table-map
Use to apply a policy to modify distance, metric, or tag values of RIP routes about to be added to the IP routing table. The new route map is applied to all routes currently in and those subsequently placed in the forwarding table. Previously redistributed routes are redistributed with the changes caused by the route map. To remove from the forwarding table any old routes that are now disallowed by the specified route map, you must refresh the IP routing table with the clear ip routes * command. Example
host1(config)#route-map dist1 permit 5 host1(config-route-map)#match community boston42 host1(config-route-map)#set distance 33 host1(config-route-map)#exit host1(config)#router rip 100 host1(config-router)#table-map dist1 host1(config-router)#exit host1(config)#exit host1#clear ip routes *
timers
Use to configure RIP timers. The router supports the following RIP timers:
update interval in seconds at which routing updates are sent. The default is
30 seconds.
invalid interval in seconds after which a route is declared invalid (null). Set
this value to at least three times the update value. The default is 180 seconds.
flush interval in seconds that must pass before a route is removed from the
routing table. Set this value greater than the invalid value. The default is 300 seconds. Examples
host1(config-router)#timers update 20 host1(config-router)#timers invalid 60 host1(config-router)#timers holddown 60 host1(config-router)#timers flush 90
Use the no version to restore the default values, 30 180 120 300.
8-18
triggered-update-disable
Use to prevent RIP from sending triggered routing updates. Example
host1(config-router)#triggered-update-disable
Use the no version to restore the default condition, wherein RIP does sends triggered routing updates.
version
Use to specify the global RIP version. The default is RIPv1. To change the RIP version on a specific interface, use the ip rip receive version and the ip rip send version commands, or the address receive version and address send version commands. Example
host1(config-router)#version 2
8-19
Remote Neighbors
You can create RIP remote neighbors to enable the router to establish neighbor adjacencies through unidirectional interfaces, such as MPLS tunnels, rather than the standard practice of using the same interface for receipt and transmission of RIP packets. The remote neighbor can be more than one hop away through intermediate routes that are not running RIP. RIP uses the interface associated with the best route to the remote neighbor to reach the neighbor. A best route to the neighbor must exist in the IP routing table. You must explicitly configure remote neighbors on the RIP routers to specify the remote neighbor with which the router will form an adjacency and the source IP address the router will use for RIP packets destined to its peer remote neighbor. To form an adjacency with its remote neighbor, the router sends all RIP packets to the remote neighbor as unicast packets with the destination IP address equal to the source IP address of the remote neighbor. The loopback interface associated with the source IP address for the remote neighbor acts as a logical RIP interface for the neighbor. To prevent routing loops, you can disable split horizon and enable poison reverse routing updates. The remote-neighbor command to specify the remote neighbors is mandatory. Configuration of all other remote-neighbor attributes is optional.
authentication key
Use to specify the password for text authentication and the key for MD5 authentication for RIP remote-neighbor interface. This command is supported only in RIPv2. Authentication is disabled by default. Example
host1(config-router-rn)#authentication key 0 jun27ior
Use the no version to clear the key for the remote-neighbor interface.
authentication mode
Use to specify the authentication mode for the remote neighbor interface. Specify text to send a simple text password to remote neighbors. If a remote neighbor does not have the same password, requests and updates from this router are rejected. Specify md5 keyID to send an MD5 hash to remote neighbors. Remote neighbors must share the MD5 key to decrypt the message and encrypt the response.
8-20
Use the no version to remove authentication from the RIP remote-neighbor interface.
distribute-list
Use to apply a specific access list to either incoming or outgoing RIP route updates on the RIP remote-neighbor interface. An IP access list acts as a filter. Refer to the access list command in the E-Series Command Reference Guide A to M for more information. Example
host1(config)#distribute-list 5 in
exit-remote-neighbor
Use to exit from the Remote Neighbor Configuration mode and return to Router Configuration mode. Example
host1(config-router-rn)#exit-remote-neighbor
There is no no version.
receive version
Use to restrict the RIP version that the router can receive on a RIP remote-neighbor interface. The default is to receive both RIPv1 and RIPv2. The off keyword overrides any other specified option; for example, configuring both 1 and off or both 2 and off has the same result as configuring only off. Example
host1(config-router-rn)#receive version 1
remote-neighbor
Use to configure a RIP remote neighbor. Example
host1(config-router)#remote-neighbor 10.25.100.14
Use the no version to remove the remote neighbor and any attributes configured for the remote neighbor.
8-21
send version
Use to restrict the RIP version that the router can send on an interface. The default is to send only RIPv1. Example
host1(config-router-rn)#send version 1
split-horizon
Use to configure the split horizon and poison reverse features for RIP remote neighbors. Split horizon is enabled by default; poison reverse routing updates are disabled by default. Poison reverse routing updates set the metric for routes originating on the interface to infinity, thus explicitly advertising that the network is not reachable. This helps to prevent routing loops. Example
host1(config-router-rn)#no split-horizon
Use the no version to disable the split horizon and enable poison reverse routing updates.
time-to-live
Use to configure a hop count by setting the value of the time-to-live field used by packets sent to a RIP remote neighbor. Example
host1(config-router-rn)#time-to-live 12
update-source
Use to specify the RIP interface whose local address is used as the source address for the RIP connection to a remote neighbor. The source address assigned to a remote neighbor must be unique. If you configure a RIP router to form neighbor adjacencies with two RIP remote neighbors, then the RIP router must have two unique local source IP addresses, one for each of its remote neighbors. Example
host1(config-router-rn)#update-source atm 2/0.17
Use the no version to delete the source address from the connection to the remote neighbor.
8-22
Monitoring RIP
Two sets of commands enable you to monitor RIP operation on your router: the debug and the show commands. Both sets of commands provide information about your routers RIP state and configuration. The task you are performing with each of these monitoring commands is basically the same for each command; that is, you are requesting information. The results of this request may vary. For instance, the debug commands provide information about problems with the network or the router, whereas the show commands provide information about the actual state and configuration of your router.
debug Commands
The debug commands provide information about the following RIP items: General events, such as creating a RIP process or removing RIP from an interface Routing events, such as when two RIP routers exchange routes
debug ip rip
Use to display information on selected RIP events. This command has many keywords that allow you to specify a variety of RIP events. You can set the level of severity for the events you want displayed; specify the desired descriptive term or a corresponding number (07). You can set the verbosity of the messages you want displayed: low, medium, high. Example
host1#debug ip rip events
Use the no version to cancel the display of any information on the designated variable.
undebug ip rip
Use to cancel the display of information on a selected event. The same RIP variables can be designated as in the debug ip rip command. Example
host1#undebug ip rip events
There is no no version.
8-23
show Commands
Use the show commands to monitor the following types of RIP information: Configuration IP-related information Global counters Counters for a specified network Statistics You can set a statistics baseline for RIP interfaces by using the baseline ip rip command. You can specify a VRF instance for the show ip rip commands. You can use the output filtering feature of the show command to include or exclude lines of output based on a text string you specify. See E-Series System Basics Configuration Guide, Chapter 2, Command Line Interface, for details.
baseline ip rip
Sets a statistics baseline for RIP interfaces. The router implements the baseline by reading and storing the statistics at the time the baseline is set and then subtracting this baseline whenever baseline-relative statistics are retrieved. Use the optional delta keyword with the show ip rip statistics command to specify that baselined statistics are to be shown. Example
host1#baseline ip rip
There is no no version.
show ip rip
Use to display RIP information. Specify vrf vrfName to limit the display to a specific VRF. Use the ifconfig keyword to display address and interface configuration information instead of the default operational data. Field descriptions
Router Administrative State displays the RIP state. Enable means the
router is allowed to send and receive updates. Disable means that RIP might be configured but it is not allowed to run yet.
System version RIP1 RIP versions allowed for sending and receiving RIP
updates. The router version is currently set to RIP1, which sends RIPv1 but will receive RIPv1 or RIPv2. If it is set to RIP2, it will send and receive RIPv2 only. The default is configured for RIP1.
8-24
Incoming filters access list applied to incoming route updates Outgoing filters access list applied to outgoing route updates Global route map route map that specifies all RIP interfaces on the router Default metric value for redistributed routes. The default is 1. This global value is superseded by metrics applied to a RIP interface. default is 120.
Distance value added to RIP routes added to the IP routing table. The Number of route changes number of times the router has been told to
route changes by its peers
Number of route queries number of times the router has received route
requests from other routers
Update interval current setting of the update timer (in seconds) Invalid interval current setting of the invalid timer (in seconds) Hold down time current setting of the hold-down timer (in seconds) Flush interval current setting of the flush timer (in seconds) Network IP address of a network on which RIP is running Netmask network mask applied to the network address Address/status/interface values listed for each network that is running RIP Send version version of RIP used for sending updates Receive version version of RIP accepted in received updates Authentication mode password or MD5 authentication, or none Default metric metric value applied to the RIP interface. The default is 1. Outgoing access-list name of the access list applied to outgoing routes Incoming access-list name of the access list applied to incoming routes Outgoing route-map name of the route map applied to outgoing routes Received bad packets number of bad packets received Received bad routes number of bad routes received Triggered updates sent number of triggered updates sent; triggered updates are sent before the entire RIP routing table is sent; triggered by events such as adding a new RIP route or redistribution
8-25
Number of route queries = 0 Update interval = 30 (secs) Invalid interval = 180 (secs) Hold down time = 120 (secs) Flush interval = 300 (secs) Network 10.2.1.0 netmask 255.255.255.0
10.2.1.32, Rip is up, fastEthernet0/0 Send version = 1 Receive version = 1,2 Authentication mode = none Default metric = 1 Access-list applied to outgoing route = none Access-list applied to incoming route = none Route-map applied to outgoing route = none Received bad packet = 0 Received bad routes = 0 Triggered updates sent = 0 Received updates = 0 170.100.100.2, Rip is up, fastEthernet0/0 Send version = 1 Receive version = 1,2 Authentication mode = none Default metric = 1 Access-list applied to outgoing route = none Access-list applied to incoming route = none Route-map applied to outgoing route = none Received bad packet = 0 Received bad routes = 0 Triggered updates sent = 0 Received updates = 0
IP Address IP address of the interface where RIP is running Tx transmit version of RIP on this interface, which can override the router
configuration
Rx receive version of RIP on this interface Auth type of authentication, password (text) or MD5 Met current value is the same as the router one (the default metric). Based
on MIB 2 for RIP, the interfaces route metric can be set individually.
AccList O/I access list applied to outgoing/incoming RIP route updates RtMap identifier for the route map that specifies a summary of RIP routes
8-26
Status status of RIP, either up or down Intf interface type on which RIP is running
Example
Rx Auth Met AccList O/I 1 1 no/no no/no no no RtMap Status Intf up up fastEthernet0/0 serial5:1/1:1
Prefix IP address prefix Length prefix length ttl (time to live) indicates how many seconds the specific route remains in
the routing table. If an entry reaches 0, it is removed from the routing table.
Met metric that RIP uses to rate the value of different routes (hop count).
The hop count is the number of routers that can be traversed in a route.
Next Hop next IP address where a packet is sent. A value of zero in this
field indicates that the next address the packet should be sent to is the router that originally sent the RIP message.
8-27
network IP address of a network on which RIP is running netmask network mask applied to the network address
Example
host1#show ip rip network Network 10.2.1.0 172.30.100.0 172.30.200.0 netmask 255.255.255.0 255.255.255.0 255.255.255.0
Time since last update received time in seconds since an update was
received from this peer
Peer version version of IS-IS running on the peer Bad packets received number of bad packets received from the peer Bad routes received number of bad routes received from the peer
Example
host1#show ip rip peer 192.168.1.102 Time since last update received = 24 Peer version = 1 Bad packet received = 0 Bad routes received = 0 192.168.1.151 Time since last update received = 24 Peer version = 1 Bad packet received = 0 Bad routes received = 0 192.168.1.158 Time since last update received = 15 Peer version = 1 Bad packet received = 0 Bad routes received = 0 192.168.1.250 Time since last update received = 7 Peer version = 2 Bad packet received = 0 Bad routes received = 0
8-28
Number of route changes number of times the router has been told to
route changes by its peers
Number of route queries number of times the router has received route
requests from other routers
Received bad packets number of bad packets received from the peer Received bad routes number of bad routes received from the peer Triggered updates sent number of triggered updates sent; triggered
updates are sent before the entire RIP routing table is sent; triggered by events such as adding a new RIP route or redistribution
Example
host1#show ip rip statistics 10.2.1.32 Number of route changes = 901 Number of route queries = 0 fastEthernet 0/0, 10.2.1.32 Received bad packet = 0 Received bad routes = 0 Triggered updates sent = 2 Received updates = 41
Summary Address address summarizing RIP routes Mask network mask specified in the ip summary-address command to
identify which routes to summarize
8-29
Example
host1#show ip rip summary-address Summary Address Mask 4.3.0.0 4.4.0.0 255.255.0.0 255.255.0.0 Metric 3 5
8-30
Configuring OSPF
9
Page 9-2 9-4 9-5 9-8 9-9 9-12 9-13 9-19 9-22 9-27 9-34 9-35 9-37 9-37 9-37 9-40 9-41 9-42
This chapter provides information for configuring the Open Shortest Path First (OSPF) routing protocol on your E-series router.
Topic Overview References Features Configuration Tasks Enabling OSPF Aggregating OSPF Networks Configuring OSPF Interfaces Configuring OSPF Areas Configuring Authentication Configuring Additional Parameters Configuring OSPF for NBMA Networks Traffic Engineering Using OSPF Routes for Multicast RPF Checks OSPF and BGP/MPLS VPNs Remote Neighbors Disabling and Reenabling Incremental SPF Configuring OSPF Traps Monitoring OSPF
9-2
Overview
OSPF is an interior gateway protocol (IGP) that runs within a single autonomous system (AS). Exterior gateway protocols (EGP), such as Border Gateway Protocol (BGP), exchange routing information between ASs. OSPF is a link-state routing protocol, similar to the Intermediate System-to-Intermediate System (IS-IS) routing protocol. It advertises the states of its local network links. This distinguishes OSPF from some IGPs, such as Routing Information Protocol (RIP). A distance vector protocol, such as RIP, advertises the distances (that is, the number of hops) to each known destination within the network. Each participating OSPF router within the AS has an identical database describing the ASs topology. Each individual piece of this database is a particular routers local state. From this database, OSPF calculates a routing table by constructing a shortest-path tree. OSPF learns the best routes to reachable destinations. It can quickly perceive changes in the topology of an AS and, after a short convergence period, calculate new loop-free routes. This protocol has been designed expressly for the TCP/IP Internet environment, including explicit support for classless interdomain routing (CIDR) and the tagging of externally derived routing information. This chapter provides direction for customizing basic OSPF settings if you need to do so. For detailed information on the OSPF commands, see the E-Series Command Reference Guide N to Z.
Terms
area
area border router (ABR) A router that sits on the edge of an OSPF area and routes link state advertisements (LSAs) between areas. area ID A unique number that identifies an area. Typically, an IP address.
9-3
Table 9-1 OSPF-related terms (continued) Term authentication authentication type Meaning Contains verification information and is 64 bits long. A simple password is an example. All OSPF protocol exchanges are authenticated. The authentication type is configurable on a per-area basis.
autonomous system (AS) A group of routers using a common routing protocol to exchange routing information. autonomous system boundary router (ASBR) classless interdomain routing (CIDR) An OSPF router that redistributes routes from other autonomous systems. CIDR replaces the traditional class structure of IP addresses. In CIDR, an IP network is represented by a prefix and a notation that indicate the IP address and maskfor example, 10.12.8.3/16 Generates an LSA for the network. Performs other special responsibilities in running the protocol. A collection of routers that use a common IGP constitutes an OSPF routing domain. The distribution and synchronization of the link-state database between OSPF routers. Establishes and maintains neighbor relationships. Also, dynamically discovers neighboring routers on broadcast networks. A routing protocol that routers within an AS use to exchange information. A unit of data that describes the local state of a router or network. LSAs are flooded throughout the routing domain. Routers that have interfaces to a common network. A network that has no broadcast capability but supports more than two routers. Similar to a stub area but can also import selected external LSAs. A 32-bit number that uniquely identifies a router within an ASfor example, 10.10.1.5 An area that does not get flooded with external LSAs but does carry intra-area and interarea routes and a default route. A logical link between two backbone routers where the link tunnels through a nonbackbone area.
interior gateway protocol (IGP) link state advertisement (LSA) neighboring routers nonbroadcast network Not-so-stubby area (NSSA) router ID stub area
virtual link
9-4
10.10.3.0/24
Dallas
Atlanta
Area 0.0.0.3
ABR 3
ABR 4
Macon
10.10.7.0/24
10.10.6.0/24
Austin
Rome
10.10.8.0/24
References
If you need more information about the OSPF protocol, consult the following resources: E-Series Release Notes, Appendix A, System Maximums See the Release Notes corresponding to your software release for information on maximum values. RFC 2328 OSPF Version 2 (April 1998) RFC 2370 The OSPF Opaque LSA Option (July 1998) Traffic Engineering Extensions to OSPF Version 2 draft-katz-yeung-ospf-traffic-09.txt (April 2003 expiration)
g013123
ABR 1
Chicago
Milwaukee
ABR 2
9-5
Note: IETF drafts are valid for only 6 months from the date of issuance. They must be considered as works in progress. Please refer to the IETF Web site at http://www.ietf.org for the latest drafts.
Features
The following sections provide a brief description of key OSPF features supported in our implementation of OSPF.
Intra-area, Interarea, and External Routes
You can split up an OSPF AS into areas. Doing this reduces the size of the link-state database (LSDB). Each OSPF area runs as a separate network and maintains its own LSDB. OSPF computes routes only to destinations within the area and does not flood routes beyond the area boundaries.
Routing Priority
OSPF areas receive routes based on priority. Table 9-2 lists the routing priority.
Table 9-2 Routing priority Priority 1 (highest) 2 3 Type Intra-area Interarea External Description Intra-area routing. Refers to routing within a single OSPF area. Interarea routing. Refers to routing between OSPF areas within a single OSPF routing domain. External type 1. Refers to routing from other protocols that can be imported into the OSPF domain and readvertised by OSPF as type 1 external. Type 1 metric is comparable to the link-state metric; the cost is equal to the sum of the internal costs plus the external cost. 4 (lowest) External External type 2. Refers to routing from other protocols that can be imported into the OSPF domain and readvertised by OSPF as type 2 external. Type 2 metric is much larger than the cost of any intra-AS path; the cost is equal to the external cost. This is the OSPF default.
If you use the redistribute command to import routes from other protocols or sources, the routes default to external type 2. You can specify a route map with the redistribute command to modify the type.
9-6
Alternatively, you can use the metric-type keyword with the redistribute command to specify the type.
Virtual Links
Each OSPF area must be directly connected to the backbone area. The backbone is responsible for distributing routing information between nonbackbone areas. All routers in the backbone must be contiguous, but they need not be physically adjacent. You can configure backbone routers to be logically adjacent by creating OSPF virtual links.
Authentication
OSPF supports three modes of authentication: Null authentication Implies no authentication is in use Simple password authentication Requires a 64-bit unencrypted password in each OSPF packet Cryptographic authentication Uses a shared secret key that is configured on each router on a network. RFC 2328 defines the use of OSPF cryptographic authentication with the MD5 algorithm.
Opaque LSAs
OSPF opaque LSAs provide a generalized way of extending OSPF. The router generates opaque LSAs to carry traffic engineering (TE) information, accepts them from other routers, and floods them accordingly. OSPF uses the TE information to build a database from which paths can be computed for MPLS label-switched paths.
Route Leakage
Routes can be leaked into OSPF or from OSPF as follows: Route leakage into OSPF When another routing protocol adds a new route to the routing table, or when a static route is added to the routing table, OSPF can be informed through the redistribute commands. When OSPF learns the new route, it floods the information into the routing domain using external LSAs. Route leakage from OSPF OSPF adds routing information to the routing table, which is used in forwarding IP packets.
9-7
Equal-Cost Multipath
OSPF inherently supports the notion of equal-cost multipath (ECMP). When building the shortest-path tree, OSPF calculates all paths of equal cost to a given destination. If equal-cost paths exist, OSPF inserts into the routing table the next hops for all equal-cost paths to a destination.
OSPF MIB
See the JUNOSe Software CD, shipped with your router, for complete information on the OSPF Management Information Base (MIB) supported by your router. In the MIBs folder you will find information on all supported standard and Juniper Networks E-series enterprise (proprietary) MIBs. OSPF does not act as a host within the router and therefore does not support the ospfIfMetric and ospfHost tables.
Interacting with Other Routing Protocols
OSPF was developed originally from an early version of the IS-IS intradomain routing protocol. OSPF can receive IS-IS routing information. See Chapter 10, Configuring IS-IS.
With RIP
E-series routers can simultaneously run OSPF and RIP. When doing so, OSPF routes are preferred over RIP. In general, use of the OSPF protocol is preferred because of its robustness, responsiveness, and decreased bandwidth requirements. See Chapter 8, Configuring RIP.
With BGP
The default expectation is that your routing environment is an AS running OSPF and exchanging BGP routes with other ASs. See E-Series Routing Protocols Configuration Guide, Vol. 2, Chapter 1, Configuring BGP Routing.
9-8
Configuration Tasks
Configuring OSPF calls for careful coordination among a variety of routers: Routers internal to a single area Routers that link multiple areas within a single routing domain; these routers are called area border routers (ABRs). Routers that link multiple routing domains; these routers are called autonomous system boundary routers (ASBRs). To configure OSPF:
1 2 3 4
Enable OSPF. Configure and aggregate network ranges. Create the routers OSPF network interfaces. Define the OSPF areas attached to the router.
You can create OSPF interfaces in the following ways: You can issue the network area command, which creates OSPF interfaces for all IP interfaces with IP addresses within the specified range. You can issue the address area command, which creates an OSPF interface in the specified area that sits on top of the IP interface at the given IP address (or on the unnumbered interface, if that is specified).
Note: Do not enable OSPF on any unidirectional interfaces (such as an MPLS tunnel) because it will never be able to form an adjacency.
You can delete OSPF interfaces in the following ways: You can issue the no network area command, which deletes all OSPF interfaces within the specified range. If the OSPF interface was created with the address area command, you can issue the no address area command to delete the specified interface. You can issue the no ip address command to delete the IP interface associated with the OSPF interface and also the OSPF interface itself.
Note: If an OSPF interface is configured on top of an IP interface and you delete the IP interface, the corresponding OSPF interface is also deleted. The previously
9-9
configured network range, however, is not deleted. You must issue the no network area command to delete the range.
Enabling OSPF
When you enable OSPF on your router, you can create either a range of OSPF interfaces or a single OSPF interface.
Creating a Range of OSPF Interfaces
Create an OSPF routing process. Create the range of IP addresses associated with the routing process and the corresponding OSPF interfaces. Assign an area ID associated with each range of IP addresses.
Each router running OSPF has a database describing a map of the routing domain. This map needs to be identical in all participating routers.
network area
Use to configure a range of OSPF interfaces and their related area. If the specified range matches one or more of the IP addresses configured for IP interfaces, one or more corresponding OSPF interfaces are created and placed in the specified area. Create address ranges that do not overlap; you can attach only the same range of interfaces to a single area. You cannot use this command for unnumbered interfaces. If the range specified by this command includes an address on an interface that is being referred to by unnumbered interfaces, all of the unnumbered interfaces will begin trying to form adjacencies. If this behavior is not intended, you must reevaluate the interface assignment or the range specified by the command. Example 1 shows the creation of one OSPF interface in the backbone area:
host1(config-if)#ip address 2.2.2.1 255.255.0.0 host1(config-if)#ip address 2.2.1.1 255.255.0.0 secondary host1(config)#router ospf 2 host1(config-router)#network 2.2.2.0 0.0.0.255 area 0
9-10
Example 2 shows the creation of two OSPF interfaces, one in the backbone area and one in a non-backbone area:
host1(config-if)#ip address 2.2.2.1 255.255.255.0 host1(config-if)#ip address 2.2.1.1 255.255.255.0 secondary host1(config)#router ospf 2 host1(config-router)#network 2.2.2.0 0.0.0.255 area 0 host1(config-router)#network 2.2.1.0 0.0.0.255 area 1
This sequence of commands creates two OSPF ranges (2.2.2.0/24 and 2.2.1.0/24), with each range belonging to a different area. Area 0 is configured for 2.2.2.0/24, and area 1 is configured for 2.2.1.0/24. This sequence also creates two OSPF interfaces: one in the backbone area (area 0) using IP address 2.2.2.1, the second in a nonbackbone area (area 1) using IP address 2.2.1.1. This command also creates the two areas if they do not already exist. Use the no version to delete OSPF interfaces, ranges, and areas.
Note: The configured network range is not active for summarization until you activate this range for summaries by issuing the area range command. The only range that is active by default if you do not issue the area range command is the network that matches the IP interfaces network exactly. (In other words, by default the exact network of the IP interface is going to be summarized into other areas.) Note: Active for summarization means that the network range is summarized through area summariesfor ABRs only. See the Aggregating OSPF Networks section in this chapter.
ospf enable
Use to enable OSPF on the router. OSPF is enabled by default. Example
host1(config-router)#ospf enable
The no version of this command is obsolete and may be removed in the future. Use the ospf shutdown command to disable OSPF on the router.
router ospf
Use to set an OSPF process ID. The process ID can be any positive integer 165535. You must assign a unique ID for each OSPF routing process. From a virtual router context you can specify a VRF name. Doing so changes the context to that of the specified VRF and remains so until you exit from the OSPF router context. Example
host1(config)#router ospf 5
9-11
Create an OSPF routing process. Create the OSPF interface associated with the IP interface at the specified address.
Each router running OSPF has a database describing a map of the routing domain. This map needs to be identical in all participating routers.
address area
Use to create an interface in an area on which OSPF runs, on top of the IP interface at the specified IP address. You can specify either an IP address or an unnumbered interface. Configures OSPF with the default values. You can configure the interface with a nondefault value by using the other address commands. You must first issue the address area command before issuing any other address commands. See Configuring OSPF Interfaces in this chapter for more information. Example
host1(config-router)#address 10.10.32.100 area 0.0.0.0
ospf enable
Use to enable OSPF on the router. OSPF is enabled by default. Example
host1(config-router)#ospf enable
The no version of this command is obsolete and may be removed in the future. Use the ospf shutdown command to disable OSPF on the router.
router ospf
Use to set an OSPF process ID. The process ID can be any positive integer 165535. You must assign a unique ID for each OSPF routing process. Example
host1(config)#router ospf 5
9-12
At this point, the OSPF process is configured with two OSPF interfaces. If your router is an ABR, two networks must be summarized: 2.2.10.0/24 and 2.2.11.0/24.
host1(config-router)#area 0 range 2.2.0.0 255.255.0.0
After you enter this area range command, only the aggregated range 2.2.0.0/16 is going to be summarized. By default, the range of configured networks is advertised in type 3 (summary) LSAs. Use the do-not-advertise keyword to prevent advertisement of configured networks. Use the command no area area-id (with no other keywords) to remove the specified area from the configuration. Use the summary-address command to summarize external routes being redistributed into OSPF. Use the no version to disable the aggregation of routes at the OSPF area border.
summary-address
Use to aggregate external routes at the border of the OSPF routing domain. Use only for ASBRs.
9-13
The ASBR advertises one external route as an aggregate for all redistributed routes that are covered by the address. For OSPF, this command summarizes only routes from other routing protocols that are being redistributed into OSPF. With this command, you can reduce the load of advertising many OSPF external routes by specifying a range that includes some (or all) of these external routes. Example
host1(config-router)#summary-address 10.1.0.0 255.255.0.0
Use the area range command for route summarization between OSPF areas. Use the no version to restore the default.
address Commands
You can use the address area command to create a new OSPF interface. Use the other address commands to configure parameters for OSPF interfaces that already exist.
Note: You must first issue the address area command before issuing any other address command.
9-14
Note: The address commands configure OSPF attributes for a single OSPF network. The ip ospf commands configure OSPF attributes for all OSPF networks in the given interface contextfor example, in a multinet environment where multiple IP networks sit on top of an Ethernet interface.
address area
Use to create a new OSPF interface and configure the area ID. The interface can have an IP address, or it can be unnumbered. Example
host1(config-router)#address 10.12.10.2 area 3
You must first issue the address area command before issuing any other address commands. Use the no version to delete the area ID from the specified interface.
address cost
Use to specify the cost metric for the interface. The cost is used in calculating the SPF routing table and can range from 065535. The interface can have an IP address, or it can be unnumbered. Example
host1(config-router)#address unnumbered area 3 host1(config-router)#address unnumbered atm 4/0.1 cost 50
Use the no version to reset the path cost to the default value, 10.
address dead-interval
Use to specify the time period that the routers neighbors should wait without seeing hello packets from the router before they declare the router to be down. The dead interval can range from 165535 seconds, and is advertised by the routers hello packets. For the OSPF routers to become adjacent, the dead interval must be identical on each router. The interface can have an IP address, or it can be unnumbered. Example
host1(config-router)#address 192.168.10.32 area 6 host1(config-router)#address 192.168.10.32 dead-interval 60
Use the no version to reset the dead interval to the default value, 40.
address hello-interval
Use to specify the interval between hello packets that the router sends on the interface. The hello interval can range from 165535 seconds. The interface can have an IP address, or it can be unnumbered.
9-15
Example
host1(config-router)#address 192.168.1.1 area 5 host1(config-router)#address 192.168.1.1 hello-interval 25
Use the no version to reset the hello interval to the default value, 10.
address passive-interface
Use to disable the transmission of routing updates on the interface, meaning that OSPF routing information is neither sent by nor received through the interface. The interface can have an IP address, or it can be unnumbered. Example
host1(config-router)#address 192.168.100.20 area 5 host1(config-router)#address 192.168.100.20 passive-interface
address priority
Use to specify the router priority, an 8-bit number from 1 to 255. Used in determining the designated router for the particular network. Applies only to nonbroadcast multiaccess (NBMA) networks. Every broadcast and NBMA network has a designated router. The interface can have an IP address, or it can be unnumbered. Example
host1(config-router)#address unnumbered area 6 host1(config-router)#address unnumbered loopback 0 priority
address retransmit-interval
Use to specify the time between LSA retransmissions for the interface when an acknowledgment for the LSA is not received. Specify an interval in the range 165535 seconds; the default value is 5. The interface can have an IP address, or it can be unnumbered. Example
host1(config-router)#address 192.168.10.200 area 6 host1(config-router)#address 192.168.10.200 retransmit-interval
address transmit-delay
Use to specify the estimated time it takes to transmit a link-state update packet on the interface. Specify an interval in the range 165535 seconds; the default value is 1.
9-16
ip ospf Commands
The ip ospf commands have two effects on interface configuration. These effects apply to all ip ospf commands: Configuration per logical IP interface (for example, Fast Ethernet 0/1.3 or ATM 5/0.1): The ip ospf command configures the specified OSPF parameter(s) for all networks configured on the given IP interfacefor example, all multinetted addresses on an interface. The no version of the command resets the specified parameter(s) to unspecified. If the no version of the command takes effect, then for the specified IP interface there is no default value for the specified parameter(s). The parameter is set back to unspecified values. However, the value of the specified parameter for the OSPF interface is set back to the default value or the value previously specified by the address command. Configuration per OSPF interface: The ip ospf command configures the specified OSPF parameter(s) for each OSPF interface which sits on top of the IP interface. The no version of the command restores the specified parameter(s) to the default value(s).
Note: If you use ip ospf commands to configure OSPF interfaces, you must first have created the interfaces with the network area command. Note: The ip ospf commands configure OSPF attributes for all OSPF networks in the given interface contextfor example, in a multinet environment where multiple IP networks sit on top of an Ethernet interface. The address commands configure OSPF attributes for a single OSPF interface.
ip ospf cost
Use to configure the cost of sending a packet on the network. Cost is a metric value in the range 065535; the default value is 1. The router LSA advertises the link-state metric as the link cost.
9-17
Example
host1(config)#interface fastethernet 0/0 host1(config-if)#ip ospf cost 50
Use the no version to reset the path cost to the default value, 1.
ip ospf dead-interval
Use to configure the interval since the last hello packet was seen. Specify an interval in the range 165535 seconds; the default value is 40. For the OSPF routers to become adjacent, the dead interval must be identical on each router. The routers hello packets advertise this interval. Example
host1(config-if)#ip ospf dead-interval 60
ip ospf hello-interval
Use to configure the interval between hello packets. Specify an interval in the range 165535 seconds; the default value is 10. For the OSPF routers to become adjacent, the hello interval has to be identical on each router. Example
host1(config-if)#ip ospf hello-interval 8
ip ospf priority
Use to configure the routers priority. Select a priority level in the range 0255; the default value is 1. This setting determines the designated router for the particular network. A router whose priority is set to 0 cannot be a designated router. Configure priority only for interfaces to multiaccess networks. Example
host1(config-if)#ip ospf priority 2
ip ospf retransmit-interval
Use to configure the time interval between retransmission of an LSA. Specify an interval in the range 165535 seconds; the default value is 5. Example
host1(config-if)#ip ospf retransmit-interval 10
9-18
ip ospf transmit-delay
Use to configure the time it takes to transmit a link-state update on the interface. This is the time between transmissions of LSAs. Specify an interval in the range 165535 seconds; the default value is 1. In setting the time, consider the interfaces transmission and propagation delays. Example
host1(config-if)#ip ospf transmit-delay 4
Comparison Example
Suppose you configure a range of OSPF interfaces with the network area command as follows:
host1(config)#interface fastEthernet 0/0 host1(config-if)#ip address 1.1.1.1 255.255.255.0 host1(config-if)#ip address 2.2.2.2 255.255.255.0 secondary host1(config-if)#exit host1(config)#router ospf 1 host1(config-router)#network 1.1.1.0 0.0.0.255 area 0 host1(config-router)#network 2.2.2.0 0.0.0.255 area 0
If you want to specify the cost, you can do so for both interfaces simultaneously:
host1(config)#interface fastEthernet 0/0 host1(config-if)#ip ospf cost 30
You can use address commands to create a third OSPF interface over the Ethernet interface. When you specify a cost, it is set for only that interface:
host1(config)#interface fastEthernet 0/0 host1(config-if)#ip address 3.3.3.3 255.255.255.0 secondary host1(config-if)#exit host1(config)#router ospf 1 host1(config-router)#address 3.3.3.3 area 0 host1(config-router)#address 3.3.3.3 cost 25
Precedence of Commands
For a single OSPF interface, when you modify the same OSPF attribute by issuing both the ip ospf command and the address command, the value configured with the address command takes precedence. In other words, the most specific command for a single OSPF interface takes precedence.
9-19
Consider the following example. Suppose you have a numbered IP interface with an IP address of 10.10.1.1/24 sitting on top of Fast Ethernet interface 0/0. Configure a single OSPF interface on top of the IP interface.
host1(config)#router ospf 100 host1(router-config)#address 10.10.1.1 area 0
The default cost for this OSPF interface is 10. Change the cost for this OSPF interface using the address cost command:
host1(router-config)#address 10.10.1.1 cost 45
The cost for OSPF interface 10.10.1.1 is now 45. Now use the ip ospf cost command to change the cost for this OSPF interface:
host1(config)#int fastEthernet 0/0 host1(config-if)#ip ospf cost 23
The cost of OSPF interface 10.10.1.1 does not change. The previously issued address cost command is more specific for the interface and takes precedence over the ip ospf cost command. You must use the address cost command if you want to change the cost again:
host1(router-config)#address 10.10.1.1 cost 23
9-20
You can optionally define an area to be a stub area or a not-so-stubby area. You can configure virtual links for areas that are not directly connected to a backbone area.
area no area
There is no affirmative version of this command; there is only a no version. Example
host1(config-router)#no area 47.0.0.0
Use the no version to remove the specified area only if no OSPF interfaces are configured in the area.
area default-cost
Use to configure the cost for the default summary route sent into a stub area. Cost is a metric value in the range 165535; the default value is 1. Use only on an ABR attached to a stub area. Provides the metric for the summary default route that the ABR generates into the stub area. Example
host1(config-router)#area 47.0.0.0 default-cost 1
area nssa
Use to configure the area as an NSSA. An NSSA is like a stub area, but it can also import external AS routes in a limited way. To cause NSSA border routers to generate a type 7 default LSA in the OSPF database if there is a default route in the routing table, you must specify the default-information-originate option. You can specify a metric cost, metric type, or a route map to be applied to the generated type 7 default LSAs. Example
host1(config-router)#area 35.0.0.0 nssa
Use the no version to remove the NSSA designation from the area, to stop the generation of type 7 default LSAs, or to stop the application of the specified metric cost, metric type, or a route map to the type 7 default LSAs.
area stub
Use to configure a stub area. Stub areas do not get flooded with external LSAs but do carry a default route, intra-area routes, and interarea routes. This reduces the size of the area's OSPF database and decreases memory usage for external routers in the stub area. You must configure each router in a stub area as belonging to the stub area.
9-21
You cannot configure virtual links across a stub area. Stub areas cannot contain ASBRs. Example
host1(config-router)#area 47.0.0.0 stub
area virtual-link
Use to configure an OSPF virtual link. A virtual link is used for areas that do not have a direct connection to the backbone area. To have configured virtual links, the router itself must be an ABR. Virtual links are identified by the router ID of the other endpoint, which is also an ABR. The two endpoint routers must be attached to a common area, called the virtual links transit area. Virtual links are part of the backbone and behave as if they were unnumbered point-to-point networks between the two routers. A virtual link uses the intra-area routing of its transit area to forward packets. Example
host1(config-router)#area 27.0.0.0 virtual-link 27.8.4.2
9-22
automatic-virtual-link
Use to enable an automatic virtual link configuration. If enabled, then backbone connectivity is ensured by the automatic creation of a virtual link between this backbone router that has an interface to a common nonbackbone area and other backbone routers that have interfaces to a common nonbackbone area. Example
host1(config-router)#automatic-virtual-link
Configuring Authentication
The router supports the following authentication capabilities: Null authentication Simple password authentication MD5 authentication The MD5 algorithm takes as input a message of arbitrary length and produces a 128-bit fingerprint or message digest of the input. MD5 is used to create digital signatures. It is a one-way hash function, meaning
9-23
that it takes a message and converts it into a fixed string of digits, called a message digest. When using a one-way hash function, you can compare a calculated message digest with the message digest that is decrypted using a public key (password). The key verifies that the message has not been tampered with. This comparison process is called a hashcheck.
Note: You must first issue the address area command before issuing any other address command.
Authentication Requirements
If you configure either simple password or MD5 authentication, the password or authentication key must be the same on both sides of an adjacency. When you change the password or key on one side of an established adjacency, you must also change it on the other side within the dead interval. This enables a hello packet that has the latest authentication information to be sent before the dead interval expires. If the packet is not sent within the dead interval, the adjacency breaks down and is not reestablished until both sides of the adjacency have the same password or key.
address authentication-key
Use to assign a password used by neighboring routers for OSPF simple password authentication. The interface can have an IP address, or it can be unnumbered. You can specify whether the key is entered in unencrypted or encrypted format. If you do not specify which, the string is assumed to be unencrypted. The password, or key, is a character string up to 8 characters in length. Example
host1(config-router)#address 10.12.10.2 authentication-key 9rdf7
Use the no version to delete the password from the specified interface.
9-24
Use the no version to set authentication for the interface to none without removing any configured MD5 key. You could subsequently apply MD5 authentication to the interface without having to reconfigure the key.
address authentication-none
Use to disable authentication on the interface. The interface can have an IP address, or it can be unnumbered. Example
host1(config-router)#address 192.168.10.32 authentication-none
9-25
Example
host1(config-router)#area 27.0.0.0 virtual-link 27.2.3.4 authentication message-digest
Use the no version to set authentication for the virtual link to none without removing any configured MD5 key. You could subsequently apply MD5 authentication to the virtual link without having to reconfigure the key.
ip ospf authentication-key
Use to configure a type 1 authentication (a simple password) on the interface. Neighboring OSPF routers use the password to access the routers interface. Use the same password on all neighboring routers on the same network. Use this password only when you enable authentication for the interface. You can specify whether the key is entered in unencrypted or encrypted format. If you do not specify which, the string is assumed to be unencrypted. Use a password that is a continuous string up to 8 characters long. Example
host1(config-if)#ip ospf authentication-key yourpwd
9-26
Switching between authentication types does not delete a configured MD5 key ID or password; only using the no version of that configuration command can delete the MD5 key ID and password. Example
host1(config-if)#ip ospf authentication message-digest
Use the no version to set authentication for the interface to none without removing any configured MD5 key. You could subsequently apply MD5 authentication to the interface without having to reconfigure the key.
ip ospf authentication-none
Use to specify that no authentication is used for the OSPF interface. Example
host1(config-if)#ip ospf authentication-none
Use the no version to delete an MD5 key from the OSPF interface.
Note: If all the MD5 keys have been deleted, the authentication type is still MD5, but you need to configure MD5 keys. Note: To disable MD5 authentication for the interface, use the ip ospf authentication-none command. Note: To display the password only in encrypted text, use the service password-encryption command.
9-27
access-list route-map
Use the access-list command to create a standard or extended access list. Use the route-map command to create a route map. For detailed information on configuring access lists and route maps, see Chapter 1, Configuring Routing Policy. Example 1 Configure three static routes:
host1(config)#ip route 20.20.20.0 255.255.255.0 192.168.1.0 host1(config)#ip route 20.20.21.0 255.255.255.0 192.168.1.0 host1(config)#ip route 20.21.0.0 255.255.255.0 192.168.1.0
3 Configure a route map which matches the previous access list and applies a metric type 1 (OSPF):
host1(config)#route-map boston host1(config-route-map)#match ip address boston host1(config-route-map)#set metric-type type-1
4 Configure redistribution of the static routes into OSPF with route map boston:
host1(config)#router ospf 2 host1(config-router)#redistribute static route-map boston
9-28
5 Use the show ip ospf database command to verify the effect of the redistribution (the two static routes matching the route map are redistributed as external type 1):
host1#show ip ospf database OSPF Database Router Link States (Area 0.0.0.0) Link ID 192.168.1.250 192.168.254.7 Link ID 192.168.1.214 Link ID 20.20.20.0 20.20.21.0 ADV Router 192.168.1.250 192.168.254.7 ADV Router 192.168.254.7 ADV Router 192.168.1.250 192.168.1.250 Age 3 220 Age 220 Age 3 3 Seq# 0x80000006 0x80000169 Seq# 0x80000001 Seq# 0x80000001 0x80000001 Checksum 0x39a1 0xd2b5 Checksum 0xe0f2 Checksum 0x6045 0x554f
Use the no version of the access-list command to remove the access list or the specified entry in the access list. Use the no version of the route-map command to remove an entry.
baseline ip ospf
Use to set a baseline for OSPF statistics and counters. The following example first displays the output of the show ip ospf command shown before you run the baseline ip ospf command; then, the execution of the baseline ip ospf command; and finally, the display of the show ip ospf command run after you execute the baseline ip ospf command.
The output of the show ip ospf command run before the baseline ip ospf
command reflects the up-to-date packet counters.
The output of the show ip ospf delta command run after you run the
baseline ip ospf command reflects the baseline set for OSPF statistics and counters. There is no no version. Example
host1#show ip ospf Routing Process OSPF 1 with Router ID 5.106.7.1 OSPF Statistics: Rcvd: 217935 total, 0 checksum errors 8987 hello, 8367 database desc, 188 link state req 159898 link state updates, 40484 link state acks Sent: 265026 total, 0 pkts dropped 8927 hello, 8341 database desc, 53 link state req 158571 link state updates, 89134 link state acks Supports only single TOS(TOS0) routes SPF schedule delay 0 secs, Hold time between two SPFs 3 secs
9-29
Maximum path splits 1 Area BACKBONE(0.0.0.0) Area is a transit area SPF algorithm executed 425 times ABR count 0 ASBR count 1 LSA Count 12 Number of interfaces in this area is 24 Area ranges are: Number of active areas in this router is 1 1 normal, 0 stub, 0 NSSA.
host1#baseline ip ospf host1#show ip ospf delta Routing Process OSPF 1 with Router ID 5.106.7.1 OSPF Statistics: Rcvd: 0 total, 0 checksum errors 0 hello, 0 database desc, 0 link state req 0 link state updates, 0 link state acks Sent: 0 total, 0 pkts dropped 0 hello, 0 database desc, 0 link state req 0 link state updates, 0 link state acks Supports only single TOS(TOS0) routes SPF schedule delay 0 secs, Hold time between two SPFs 3 secs Maximum path splits 1 Area BACKBONE(0.0.0.0) Area is a transit area SPF algorithm executed 425 times ABR count 0 ASBR count 1 LSA Count 12 Number of interfaces in this area is 24 Area ranges are: Number of active areas in this router is 1 1 normal, 0 stub, 0 NSSA.
There is no no version.
9-30
default-information originate
Use to generate a default route into an OSPF routing domain. When you use this command to redistribute routes into an OSPF routing domain, the router automatically becomes an ASBR. An ASBR, however, does not, by default, generate a default route into the OSPF routing domain. The software must have a default route before it generates one, except when you have specified the always keyword. You can specify a metric for the route or specify that the route be OSPF external type 1 or 2. Example
host1(config)#router ospf 1 host1(config-router)#default-information originate route-map 5
disable-dynamic-redistribute
Use to halt the dynamic redistribution of routes that are initiated by changes to a route map. Dynamic redistribution is enabled by default. Example
host1(config-router)#disable-dynamic-redistribute
distance
Use to configure the administrative distance for OSPF routes. Example
host1(config-router)#distance ospf external 60
Default settings:
ip ospf shutdown
Use to disable OSPF on the interface. Example
host1(config-if)#ip ospf shutdown
9-31
maximum-paths
Use to control the maximum number of parallel routes that OSPF can support. The maximum number of routes can range from 116. The default for OSPF is 4 paths. To enable equal-cost multipath (ECMP) for OSPF, you need to specify a value for maxPaths greater than 1. Example
host1(config-router)#maximum-paths 2
If you issue this command, the metric is calculated as follows: OSPF metric = bandwidth*1,000,000/link speed For the previous example, a 64K link will get a metric of 15625, while a T1 link will have a metric of 647. The minimum value for the metric is 1.
If you never issue the ospf auto-cost reference-bandwidth command, OSPF calculates the cost as 108/link speed. Use the no version to assign cost based only on the interface type.
ospf log-adjacency-changes
Use to configure the router to send a log message when the state of an OSPF neighbor changes. Example
host1(config-router)#ospf log-adjacency-changes severity 3 verbosity low
ospf shutdown
Use to administratively disable OSPF on the router. Example
host1(config-router)#ospf shutdown
9-32
passive-interface
Use to disable the transmission of routing updates on the interface, meaning that OSPF routing information is neither sent by nor received through the interface. The specified interface appears as a stub network in the OSPF domain. By default, OSPF is enabled on a configured OSPF interface. Example
host1(config-router)#passive-interface ethernet 1/0
Use the no version to reenable the transmission of OSPF routing updates on the specified interface.
redistribute
Use to redistribute information from a routing domain other than OSPF into the OSPF domain. You can set the OSPF metric typetype 1 or type 2and set a metric for all redistributed routes. Example 1
host1(config)#router ospf 5 host1(config-router)#redistribute bgp route-map 4
If you do not specify route-map, all routes are redistributed. By default, all routes are imported as external type 2 routes. If you do specify route-map but do not list any route map tags, no routes are imported. Use to redistribute routes from OSPF into other non-OSPF routing domains. Example 2
host1(config)#router bgp 100 host1(config-router)#redistribute ospf 5
table-map
Use to apply a policy to modify distance, metric, metric type, route type, or tag values of OSPF routes about to be added to the IP routing table. The new route map is applied to all routes currently in and those subsequently placed in the forwarding table. Previously redistributed routes are redistributed with the changes caused by the route map. To remove from the forwarding table any old routes that are now disallowed by the specified route map, you must refresh the IP routing table with the clear ip routes * command.
9-33
Example
host1(config)#route-map dist1 permit 5 host1(config-route-map)#match community boston42 host1(config-route-map)#set distance 33 host1(config-route-map)#exit host1(config)#router ospf 100 host1(config-router)#table-map dist1 host1(config-router)#exit host1(config)#exit host1#clear ip routes *
timers spf
Use to configure the time between two consecutive SPF calculations. Set the time (in seconds) in the range 15; the default value is 3. If you set the hold time to 0, there is no delay between two consecutive SPF calculations. They can be done one immediately after the other. Example
host1(config-router)#timers spf 2
Default Metrics
Although the router does not support a default-metric command, the redistribute command provides two ways to set a default metric for redistributed routes. You can simply configure a metric with the redistribute command to apply to all routes redistributed from the specified source protocol:
host1(config)#router ospf 5 host1(config-router)#redistribute bgp metric 5
Alternatively, you can create one or more route maps that set the metric and apply them selectively to redistributed routes:
host1(config)#access-list 1 permit any any host1(config)#route-map defmetric host1(config-route-map)#match ip address 1 host1(config-route-map)#set metric 10 host1(config-route-map)#exit host1(config)#router ospf 5 host1(config-router)#redistribute bgp route-map defmetric host1(config-router)#redistribute isis route-map defmetric
9-34
See Chapter 1, Configuring Routing Policy, for information on configuring route maps.
Specify an OSPF neighbor, and optionally assign a priority number or poll interval to the neighbor.
host1(config-router)#neighbor 10.12.14.1 priority 5 poll-interval 180
If you want to configure the network type for a specific interface or OSPF area, rather than for all OSPF interfaces, you can use the address network command rather than the ip ospf network command.
address network
Use to configure the network type on a specific OSPF interface or for a specific OSPF area to a type other than the default for the medium. You must first issue the address area command before issuing the address network command. Use the no version to restore the default value for the medium.
9-35
ip ospf network
Use to configure the network type on all OSPF interfaces on the OSPF network to a type other than the default for the medium. Use the no version to restore the default value for the medium.
neighbor
Use to configure OSPF neighbors on the NBMA network. Specify priority and poll interval only for routers that are eligible to become the designated router or backup designated routerthat is, a router with a nonzero router priority value. The default priority value is 0, and the default polling interval is 120 seconds. Use the no version to remove the neighbor or restore the default values 0 and 120.
Traffic Engineering
Traffic engineering (TE) enables more effective use of network resources by providing for the setup of explicitly routed Multiprotocol Label Switching (MPLS) label-switched paths (LSPs) that satisfy resource and administrative constraints. You can use OSPF to exchange link resource and traffic-engineering administrative information between routers. OSPF uses this information to calculate paths in the network that satisfy the administrative constraints. MPLS can then set up LSPs along these paths. Refer to E-Series Routing Protocols Configuration Guide, Vol. 2, Chapter 2, Configuring MPLS, for a detailed discussion of MPLS.
Configuring OSPF for TE
For OSPF to support TE, you must issue both of the following commands: mpls traffic-eng area Enables the router to flood TE resource and administrative information in the specified area using type 10 opaque LSAs. These LSAs have an area-wide scope and therefore are flooded only within the indicated area. mpls traffic-eng router-id Designates a router as TE capable and specifies the address of a stable router interface as the router ID of the node for TE purposes. The TE router ID serves as the tunnel endpoint for tunnels terminating at the node. Each node advertises its TE router ID in type 10 LSAs. By default, OSPF always uses the MPLS tunnel to reach the MPLS endpoint. Best paths determined by SPF calculations are not considered. You can enable the consideration of best paths by issuing the mpls spf-use-any-best-path command. As a result, OSPF considers metrics
9-36
for IGP paths and the tunnel metric, and might forward traffic along a best path, through the MPLS tunnel, or both. You can use the show ip ospf database opaque-area command to display information about TE opaque LSAs. For OSPF routes to use established MPLS tunnels as next hopsso that traffic can be mapped to use these tunnelsyou must configure the tunnels with the tunnel mpls autoroute announce ospf command. See E-Series Routing Protocols Configuration Guide, Vol. 2, Chapter 2, Configuring MPLS, for information on configuring MPLS on a router.
mpls spf-use-any-best-path
Use to enable SPF calculations to consider the IGP (OSPF) best paths as well as the MPLS tunnel for forwarding traffic to the MPLS endpoint. By default, the MPLS tunnel is always selected for traffic to the tunnel endpoint; IGP paths are not considered. For traffic beyond the endpoint, the tunnel is considered equally with any other path. Example
host1(config-router)#mpls spf-use-any-best-path
9-37
Remote Neighbors
You can create OSPF remote neighbors to enable the router to establish neighbor adjacencies through unidirectional interfaces, such as MPLS tunnels, rather than the standard practice of using the same interface for receipt and transmission of OSPF packets. The remote neighbor can be more than one hop away through intermediate routers that are not running OSPF. OSPF uses the interface associated with the best route to reach the remote neighbor. A best route to the neighbor must exist in the IP routing table. You must explicitly configure a remote neighbor on an OSPF router. You must specify the remote neighbor with which the router will form an
9-38
adjacency and the source IP address the router will use for OSPF packets destined to its peer remote neighbor. To form an adjacency with its remote neighbor, all OSPF packets are sent to the remote neighbor as unicast packets with the destination IP address equal to the source IP address of the remote neighbor. Use the update-source loopback command to assign the source IP address to a remote neighbor. The connection between two remote neighbors is treated as an unnumbered point-to-point link that resides in the same area as that to which the pair of remote neighbors belongs. The rules of OSPF adjacency must be followed for remote neighbors to form an adjacency with each other; for example, the neighbors must be in the same OSPF area and have the same hello interval and dead interval, and so on. Once you have used the remote-neighbor command to specify the remote neighbors and the update-source loopback to assign the source IP address, you must set a TTL value with the ttl command, because a remote neighbor can be more than one hop away. Configuration of all other remote-neighbor attributes is optional.
authentication-key
Use to enable simple password authentication and assign a password for communication with OSPF remote neighbors. Example
host1(config-router-rn)#authentication-key 0 br549hee
authentication message-digest
Use to specify that MD5 authentication is to be used on the OSPF remote neighbor interface. Example
host1(config-router-rn)#authentication message-digest
There is no no version.
authentication-none
Use to specify that no authentication is to be used on the OSPF remote neighbor interface. Example
host1(config-router-rn)#authentication-none
There is no no version.
9-39
cost
Use to specify a cost metric for the OSPF remote-neighbor interface; the metric is used in the calculation of the SPF routing table. The default value is 10 if there is no route to the remote neighbor; otherwise, the default is calculated based on the bandwidth of the physical interface used to reach the remote neighbor and the OSPF autocost reference bandwidth. Example
host1(config-router-rn)#cost 235
dead-interval
Use to set the time period that the OSPF router waits without seeing hello packets from a remote neighbor before declaring the neighbor to be down. Example
host1(config-router-rn)#dead-interval 180
hello-interval
Use to set the interval between hello packets that the router sends on the OSPF remote-neighbor interface. Specify a value in the range 165535 seconds; the default value is 40. Example
host1(config-router-rn)#hello-interval 15
message-digest-key md5
Use to enable MD5 authentication for the OSPF remote-neighbor interface and configure the MD5 key. Example
host1(config-router-rn)#message-digest-key 42 md5 0 sal29ute
If you delete all MD5 keys, MD5 authentication is still enabled; you must either configure an MD5 key or disable MD5 authentication with the authentication-none command. Use the no version to delete the MD5 key.
remote-neighbor
Use to configure an OSPF remote neighbor. Example
host1(config-router)#remote-neighbor 10.25.100.14 area 35672
Use the no version to remove the remote neighbor and any attributes configured for the remote neighbor.
9-40
retransmit-interval
Use to set the time between LSA retransmissions for the OSPF remote-neighbor interface when an acknowledgment for the LSA is not received. Specify a value in the range 13600 seconds; the default value is 5. Example
host1(config-router-rn)#retransmit-interval 10
transmit-delay
Use to set the estimated time it takes to transmit a link state update packet on the OSPF remote-neighbor interface. Specify a value in the range 03600 seconds; the default value is 1 second. Example
host1(config-router-rn)#transmit-delay 3
ttl
Use to configure a hop count by setting the value of the time-to-live field used by packets sent to an OSPF remote neighbor. Specify a value in the range 1255 seconds; the default value is 1 second. Example
host1(config-router-rn)#ttl 35
update-source
Use to specify the loopback interface whose local IP address is used as the source address for the OSPF connection to a remote neighbor. Example
host1(config-router-rn)#update-source loopback 1
Use the no version to delete the source address from the connection to the remote neighbor.
9-41
disable-incremental-external-spf
Use to disable incremental external SPF on the router. When issued, this command results in a full SPF when an event occurs to trigger an external SPF. Example
host1(config-router)#disable-incremental-external-spf
9-42
maxAgeLsa to indicate that an LSA in this router LSDB has reached MaxAge ifStateChange to indicate a state change on an OSPF interface
traps
Use to specify traps for OSPF. Example
host1(config-router-rn)#traps all
Use the no version to delete the specified trap, group of traps, or all traps.
Monitoring OSPF
Two sets of commands enable you to monitor OSPF operation on your router: the debug and the show commands. Both sets of commands provide information on your routers OSPF state and configuration. The task you are performing with each of these monitoring commands is basically the same for each command; that is, you are requesting information. The results of this request may vary. For instance, the debug commands provide information on problems with the network or the router, whereas the show commands provide information on the actual state and configuration of your router.
debug Commands
The debug commands provide information on the following OSPF items: Adjacencies Designated router General events Link-state advertisements Neighbors Packets received Packets sent Route events SPF events
9-43
debug ip ospf
Use to display information on selected OSPF events. This command has many keywords that allow you to specify a variety of OSPF events. You can set the level of severity for the events you want displayed: 07. You can set the verbosity of the messages you want displayed: low, medium, high. Example
host1#debug ip ospf adj
Use the no version to cancel the display of any information on the designated variable.
ospf log-adjacency-changes
Use to enable the logging of changes in the state of an OSPF neighbor. Example
host1(config-router)#ospf log-adjacency-changes
Use the no version to disable the logging of changes in the state of an OSPF neighbor.
undebug ip ospf
Use to cancel the display of information on a selected event. The same OSPF variables can be designated as in the debug ip ospf command. Example
host1#undebug ip ospf adj
There is no no version.
show Commands
The show commands provide information on the following OSPF items: Routing processes Border routers Database Interfaces Neighbors Virtual links Internal statistics MPLS tunnels and opaque LSAs
9-44
You can use the output filtering feature of the show command to include or exclude lines of output based on a text string you specify. See E-Series System Basics Configuration Guide, Chapter 2, Command Line Interface, for details.
show ip ospf
Use to display general information about OSPF routing processes. Field descriptions
Routing process process ID, router ID, domain ID OSPF administrative state enabled or disabled OSPF operational state enabled or disabled Incremental External SPF on or off Router router types: internal, area border, or autonomous system boundary routers OSPF Statistics packets sent and received TOS type number of types of service supported SPF timers timers configured on the router Maximum path splits maximum equal-cost paths supported Areas areas configured and their parameters Number of areas number of areas in the router
host1#show ip ospf Routing Process OSPF 1 with Router ID, 2.2.2.2, Domain ID 0.0.0.0 OSPF administrative state is enabled OSPF operational state is enabled Incremental External SPF is OFF Automatic virtual links configuration is enabled Ospf set trap field disabled Router is an Area Border Router (ABR) OSPF Statistics: Rcvd: 35 total, 0 checksum errors 20 hello, 9 database desc, 3 link state req 24 link state updates, 8 link state acks Sent: 51 total, 0 pkts dropped 2155 hello, 6 database desc, 3 link state req 32 link state updates, 10 link state acks LSA discard count: 0 Supports only single TOS(TOS0) routes SPF schedule delay 0 secs, Hold time between two SPFs 3 secs Maximum path splits 4 Area 0.0.0.1 SPF algorithm executed 20 times ABDR count 1
Example
9-45
ASBDR count 0 LSA Count 2 Number of interfaces in this area is 2 Area ranges are: Area 0.0.0.3 SPF algorithm executed 20 times ABDR count 1 ASBDR count 0 LSA Count 3 Number of interfaces in this area is 1 Area ranges are: Number of active areas in this router is 2 2 normal, 0 stub, 0 NSSA.
Destination destination's router ID Next Hop next hop toward the destination Router Type router type of the destination: either an ABR or ASBR or both Route Type type of this route: either an intra-area or interarea route Area area ID of the area that this route is learned from
Example
Interface fastethernet0 fastethernet0 fastethernet0 Router Type ABR/ASBR ABR/ASBR ABR Route Type Area INTRA INTRA INTRA 0.0.0.0 0.0.0.1 0.0.0.1
host1#show ip ospf border-routers Destination NEXT HOP 5.5.0.250 5.5.0 250 6.6.6.250 5.5.6.250 4.4.4.250 4.4.4.13
Adv Router advertising routers ID Age link-state age Seq# link-state sequence number (detects old or duplicate LSAs) Checksum Fletcher checksum of the complete contents of the LSA
9-46
Example
host1#show ip ospf database OSPF Database Router Link States (Area 0.0.0.0) Link ID 5.1.101.1 ADV Router 5.1.101.1 Age 932 Seq# 0x80000069 0x80000087 0x80000087 0x800005bf Checksum 0x102f 0xaa4e 0xada6 0xaba5 0x6087
192.168.1.13 192.168.1.13 1763 0x80000099 192.168.1.10 192.168.1.10 285 192.168.1.11 192.168.1.11 401 192.168.24.6 192.168.24.6 622
Network Link States (Area 0.0.0.0) Link ID ADV Router Age Seq# Checksum
56.56.56.220 5.6.6.1
192.168.1.12 192.168.254.6 622 0x8000009e 0xebc2 Summary Link States (Area 0.0.0.0) Link ID ADV Router 4.4.4.0 4.4.4.0 5.5.0.250 Age Seq# Checksum
AS Summary Link States (Area 0.0.0.0) Link ID ADV Router Age Seq# Checksum
5.5.0.250 192.168.1.13 491 0x80000002 0xe9d4 AS External Link States Link ID ADV Router Age Seq# 8.8.8.0 5.5.0.250 Checksum
Router Link States (Area 0.0.0.1) Link ID 5.5.0.250 ADV Router 5.5.0.250 Age Seq# Checksum
192.168.1.13 192.168.1.13 505 0x800000a5 0x3b32 Network Link States (Area 0.0.0.1) Link ID 4.4.4.13 5.1.0.0 5.2.0.0 5.2.0.0 ADV Router 192.168.1.13 192.168.1.13 5.5.0.250 192.168.1.13 Age Seq# 505 0x80000001 940 0x80000059 495 0x80000001 932 0x80000059 Checksum 0x410b 0x82c4 0x51bf 0x76cf
9-47
AS Summary Link States (Area 0.0.0.1) Link ID ADV Router Age Seq# 496 0x800000001 Checksum 0x51c0 5.5.0.250 5.5.0.250
LS age age of LSA Options optional capabilities supported by the described portion of the
routing domain
Link State ID link-state ID of the opaque LSA Advertising Router router ID of the router that originated the LSA LS Seq Number link-state sequence number to identify duplicate or old
LSIDs
Checksum checksum of the complete contents of the LSA Length length of the LSA in bytes TE router ID TE router ID of the originating router Link type point-to-point or multiaccess Link ID for point-to-point interfaces, this is the router ID of the router at the remote end; for multiaccess interfaces, this is the address of the DR
Local Address IP address of the local interface for the link Remote Address IP address of the remote (neighbors) interface for the
link
TE Metric link metric for traffic engineering purposes; can be different from
the standard OSPF link
Max BW maximum bandwidth that can be used on this link in this direction Max Reservable BW maximum bandwidth that can be reserved on this
link; can exceed the maximum bandwidth in the event of oversubscription
Color bitmask that specifies the administrative group membership for this
link; a link that is a member of more than one group will have multiple bits set
9-48
Example
host1#show ip ospf database opaque-area Opaque-area Link States (Area 0.0.0.0) LS age: 914 Options: (TOS-capable, No Type7-LSA, ExternalRoutingCapability, No Multicast Capability, No External Attributes LS Type: Opaque-Area (TE Router Address) Link State ID: 1.0.0.0(Instance) Advertising Router: 100.1.1.1 LS Seq Number: 0x80000003 Checksum: 0xd293 Length: 28 TE Router-ID: 100.1.1.1 LS age: 919 Options: (TOS-capable, No Type7-LSA, ExternalRoutingCapability, No Multicast Capability, No External Attributes LS Type: Opaque-Area (TE Links) Link State ID: 1.0.0.1(Instance) Advertising Router: 100.1.1.1 LS Seq Number: 0x80000003 Checksum: 0xf66e Length: 124 Link Type: P2P Link ID: 1744896257 Local Address 14.1.1.2 Remote Address 14.1.1.1 TE Metric 0 Max BW 1000 kb/sec (125000 Bps) Max Reservable BW 1000 kb/sec (125000 Bps) Max Unreserved BW : pri 0 1000 kb/sec (125000 Bps) Max Unreserved BW : pri 1 1000 kb/sec (125000 Bps) Max Unreserved BW : pri 2 1000 kb/sec (125000 Bps) Max Unreserved BW : pri 3 1000 kb/sec (125000 Bps) Max Unreserved BW : pri 4 1000 kb/sec (125000 Bps) Max Unreserved BW : pri 5 1000 kb/sec (125000 Bps) Max Unreserved BW : pri 6 1000 kb/sec (125000 Bps) Max Unreserved BW : pri 7 1000 kb/sec (125000 Bps) Color 0 LSA) LSA)
9-49
Interface value (fastEthernet) status of the physical link and the operational
status of the protocol
Internet Address interface IP address Area area identifier: IP address Network type broadcast, NBMA, Point-to-Point, or Point-to-Multipoint Authentication type none, simple, or MD5 Interface cost metric for OSPF transmission Transmit Delay time between transmissions from the specified interface Interface State current state of the specified interface Priority routers priority on the specified interface Designated Router designated router ID and respective interface IP address IP address of the backup router
Backup Designated Router designated router ID and respective interface Interface timer intervals configuration of timer intervals: Hello, Dead, Wait,
and Retransmit
LSA bytes allocated number of bytes allocated for LSAs Router LSA bytes allocated number of bytes allocated for router LSAs Summary bytes allocated number of bytes allocated for summary LSAs
9-50
Timers bytes allocated number of bytes allocated for OSPF timers Ospf total bytes free total number of bytes free Ospf heap total bytes allocated total number of bytes allocated from the
OSPF heap
Neighbor allocation failures number of neighbor allocation failures LSA allocation failures number of LSA allocation failures LSA HDR allocation failures number of LSA header allocation failures DB Request allocation failures number of database request allocation failures failures
RTX allocation failures number of neighbor retransmission allocation LS Ack allocation failures number of LSA acknowledgment packet
allocation failures
OSPF interface allocation failures number of interface allocation failures OSPF general packet allocation failures number of general packet
allocation failures Example
host1#show ip ospf internal-statistics Routing Process OSPF 1 with Router ID 5.72.3.1 Internal OSPF Statistics, bytes allocated/free: LSA bytes allocated:216 Router LSA bytes allocated:936 Summary bytes allocated:0 Neighbor RTX bytes allocated:0 Timers bytes allocated:352 Ospf total bytes free:824368 Ospf heap total bytes allocated:1048576 Internal OSPF Statistics, allocation failures: Neighbor allocation failures:0 LSA allocation failures:0 LSA HDR allocation failures:0 DB Request allocation failures:0 RTX allocation failures:0 LS Ack allocation failures:0 DD pkt allocation failures:0 OSPF interface allocation failures:0 OSPF general packet allocation failures:0
9-51
Neighbor ID neighbors router ID Pri router priority of neighbor State OSPF neighbors state
DR designated router BDR backup designated router DR Other neighbor to a designated router or a backup designated router
Dead Time interval since last hello packet from neighbor Address IP address of the neighbors interface Interface name of the specified interface and its port number
Example
Dead Time 00:00:39 00:00:42 00:00:28 Address 10.0.76.1 10.0.76.2 10.0.76.4 Interface fastEthernet11/0 fastEthernet11/0 fastEthernet11/0
Intra SPF log log for SPF calculations run to compute intraarea LSAs Inter SPF log log for SPF calculations run to compute interarea LSAs
9-52
External SPF log log for SPF calculations run to compute routes outside
the OSPF routing domain
When amount of time since a full SPF calculation took place given in
hours:minutes:seconds; the previous 20 calculations are logged
9-53
Virtual link to router identifies the OSPF neighbor and the current state of
the virtual link
Transmit Delay time between transmissions from the specified interface Timer intervals timer intervals configured for the link: Hello, Dead, and
Retransmit Example
host1#show ip ospf virtual-links Virtual link to router 192.168.1.13 in state POINT-TO-POINT Transmit Delay is 1 sec Timer intervals configured, Hello 10 sec, Dead 40 sec, Retransmit 5 sec
9-54
Configuring IS-IS
10
Page 10-1 10-10 10-11 10-11 10-11 10-12 10-14 10-20 10-35 10-36 10-37
This chapter describes how to configure Intermediate System-toIntermediate System (IS-IS) routing on your E-series router.
Topic Overview References Features Before You Run IS-IS Configuration Tasks Enabling IS-IS Configuring IS-IS Interface-Specific Parameters Configuring Global IS-IS Parameters Configuring IS-IS for MPLS Using IS-IS Routes for Multicast RPF Checks Monitoring IS-IS
Overview
IS-IS is a dynamic routing protocol developed by the International Organization for Standardization (ISO) and commonly referred to as ISO 10589. The original development of IS-IS was done at Digital Equipment Corporation for Phase V DECnet. The motivation to standardize IS-IS, however, was through the efforts of the American National Standards Institute (ANSI) X3S3.3 Network and Transport Layers Committee.
10-2
Similar to the Open Shortest Path First (OSPF) routing protocol, IS-IS is a link-state protocol. It builds a complete and consistent picture of a networks topology by sharing link-state information across all network Intermediate System (IS) devices. The IS-IS routing protocol provides routing for pure Open Systems Interconnection (OSI) environments. IS-IS as implemented on the E-series router supports IP networks and enables you to configure IS-IS as an IP routing protocol only. In IS-IS, networks are partitioned into routing domains, which are further divided into areas. A two-level hierarchical routing design is used. With this model, routing is referred to as level 1, level 2, or both level 1 and level 2.
Terms
OSI internetworking has its own terminology. A number of terms used in IS-IS routing discussions are defined in Table 10-1.
Table 10-1 IS-IS terms Term area Meaning A group of contiguous networks and their attached hosts. Area boundaries are normally assigned by a network administrator. PDU sent by designated router to ensure database synchronization An OSI network layer protocol used by CLNS to handle data at the transport layer; the OSI equivalent of IP
Connectionless Network An OSI network layer service that enables data Service Protocol (CLNS) transmission without establishing a circuit and that routes messages independently of any other messages. end system (ES) intermediate system (IS) level 1 routing Any nonrouting network node or host A router Routing within an area Level 1 routers (or intermediate systems) track all the individual links, routers, and end systems within a level 1 area. Level 1 routers do not know the identity of routers or destinations outside their area. A level 1 router forwards all traffic for destinations outside its area to the nearest level 2 router within its area.
10-3
Table 10-1 IS-IS terms (continued) Term level 2 routing Meaning Routing between areas Level 2 routers know the level 2 topology and know which addresses are reachable via each level 2 router. Level 2 routers track the location of each level 1 area. Level 2 routers are not concerned with the topology within any level 1 area (for example, the details internal to each level 1 area). Level 2 routers can identify when a level 2 router is also a level 1 router within the same area. Only a level 2 router can exchange packets with external routers located outside its routing domain.
PDU broadcast by link-state protocols that contains information about neighbors and path costs; used to maintain routing tables; also known as link-state advertisement
network entity title (NET) ISO network addresses used by CLNS networks; an identifier of a network entity in an end system or intermediate system. A NET consists of an area address (routing domain), system identifier, and selector. network service access point (NSAP) Hierarchical network address that specifies the point at which network services are made available to a transport layer entity in the OSI reference model. A valid NSAP address is unique and unambiguously identifies a single system. OSI term equivalent to packet, containing protocol control information and, possibly, user data. This chapter uses the term packet interchangeably with PDU. A collection of connected areas that provide full connectivity to all end systems located within them. A routing domain is partitioned into areas. Uniquely identifies a system within an area
routing domain
system identifier
10-4
Figure 10-1 illustrates some of the terms described in Table 10-1 above.
Routing domain Intermediate Systems (ISs) Level 1 router Level 1 routing Level 1 router Level 1 router Level 1-2 router
Le ve l2
g013128
Area A
Area B
Area C
ES ES End systems ES ES
ro
uti
Level 2 router
Level 2 routing
ES
End systems
ES
ISO network layer addresses are flexible enough to make routing feasible in a worldwide Internet. Network layer addresses in ISO and IP are hierarchical and clearly identify level 1 and level 2 areas. These addresses can be up to 20 octets long; any packet that contains an address has one additional octet to specify the length of the address. An ISO addressalso known as the NSAP addressis broken into three parts: the area address, the system identifier (ID), and the NSAP selector.
area address system ID selector
The area address defines the routing domain and the area within the routing domain. The length of the ID field can be from 1 to 8 octets and uses a single fixed length for any one routing domain. The selector field is always 1 octet long. Usually, all end systems within the same area have the same area address. Some areas can have multiple addresses. The NSAP address is defined by the network entity title (NET) during configuration.
Level 1 Routing
A level 1 router looks at a packets area address and compares it with a destination address. If the area portion of the destination address matches
10-5
its own areas address, the level 1 router uses the ID portion of the address to route the packet. If the area portion of the address does not match, the level 1 router routes the packet to a level 2 router within its area.
Level 2 Routing
Level 2 routers do not look at an areas internal structure, but simply route toward an area based on the area address. It is common for a level 2 router to also be a level 1 router in a particular area; these routers are sometimes referred to as level 1-2 routers. See Figure 10-1.
Dynamic Hostname Resolution
The system identifier of the NSAP address identifies a node in a network. System operators often find symbolic hostnames to be easier to use and remember than the system identifier. However, a static mapping of hostname to system identifier requires every router to maintain a table of the mappings; each table must contain the hostnames and system identifiers of every router in the network. The static mapping must be managed by router operators, and every change or addition of a mapping requires all the tables to be updated. Consequently, the static tables are likely to become rapidly outdated. The router supports dynamic resolution of hostnames to system identifiers. You can use the clns host command to map the hostname to the NSAP address, and therefore to the system ID. This mapping is inserted in the dynamic hostname type-length-value tuple (TLV type 137), and subsequently advertised when LSPs are transmitted. The value field contains the hostname, preferably the fully qualified domain name (FQDN) of the host, or a subset of the FQDN. You can display the TLV by issuing the show isis database detail command.
Authentication
The router supports hash function-based message authentication code (HMAC) MD5 authentication for IS-IS to prevent unauthorized routers from injecting false routing information into your network or forming adjacencies with your router. Authentication is disabled by default. When you enable IS-IS MD5 authentication, the router creates secure digests of the packets, encrypted according to the HMAC MD5 message-digest algorithms. The digests are inserted into the packets from which they are created. Depending on the commands you issue, the digests can be inserted into hello packets, link-state PDUs, complete sequence number PDUs, and partial sequence number PDUs.
10-6
Commands
The area-message-digest-key command specifies an HMAC MD5 key that the router uses to create a message digest of each level 1 packetLSPs, CSNPs, and PSNPstransmitted by area routers. Using MD5 authentication for area routers protects against unauthorized routers injecting false routing information into the area portions of your network. The domain-message-digest-key command specifies an HMAC MD5 key that the router uses to create a message digest of each level 2 packetLSPs, CSNPs, and PSNPstransmitted by domain routers. Using MD5 authentication for domain routers protects against unauthorized routers injecting false routing information into the routing domain portions of your network. The isis message-digest-key command specifies an HMAC MD5 key that the router uses to create a message digest of level 1 or level 2 hello packets on the interface. Level 1 packets are the default. Using MD5 authentication on interfaces protects against intrusion by preventing unauthorized routers from forming adjacencies with your router.
Example
Suppose authentication is configured on router LA and router SanDiego, but not on router SanJose, as shown in Figure 10-2. Router LA and router SanDiego accept packets from each other because they contain message digests generated by an accepted key. Router SanJose accepts packets from router LA and router SanDiego, and simply ignores the message digest included in their packets. Router LA and router SanDiego reject packets from router SanJose because those packets do not include a message digest.
SanJose
LA
SanDiego
Figure 10-2 Packet flow between routers with and without authentication set
g013129
10-7
With each of the MD5 commands, you can specify when the router will start and stop accepting packets that include a digest made with this key. You can also specify when the router will start and stop generating packets that include a digest made with this key. If you specify a time for any of these actions, you can further specify the day, month, and year. The default times are as follows: Start accepting keys (startAcceptTime) current time Stop accepting keys (stopAcceptTime) never Start generating keys (startGenTime) current time plus 2 minutes Stop generating keys (stopGenTime) never If you specify times, you must follow these guidelines to achieve appropriate timing between the actions: startAcceptTime must be less than startGenTime. stopGenTime must be less than stopAcceptTime. When a new key replaces an old one, the startGenTime time for the new key must be less than or equal to the stopGenTime time of the old key. For example, suppose you configure authentication on router A and router B. If the startGenTime for router A is earlier than the startAcceptTime for router B, router B does not accept packets from router A until the current time matches its startAcceptTime. The router accepts any packet authenticated with a key you have defined if the packet is received within the period defined for the key by its startAcceptTime and stopAcceptTime. If more than one key has been defined for that period, the router determines which key to use by comparing the startGenTime with the current time. When the startGenTime of a key matches the current time, the router starts using this key to transmit packets and stops using the previous key.
Example
host1(config-router)#area-message-digest-key 1 hmac-md5 mr942s7n start-accept 08:00:00 start-generate 9:00:00 stop-accept 23:00:00 stop-generate 22:59:59 host1(config-router)#area-message-digest-key 2 hmac-md5 dsb38h5f start-accept 08:00:00 start-generate 0:00:00 stop-accept 23:00:00 stop-generate 22:59:59
Both key 1 and key 2 are configured to be accepted between 08:00:00 and 23:00:00. When the current time reaches 09:00:00, the router begins using key 1 to transmit packets. When the current time reaches 10:00:00,
10-8
the router begins using key 2 to transmit packets; key 1 is no longer used. Key 2 will continue to be used until a new key is configured and the new key's startGenTime matches the current time on the router.
Halting MD5 Authentication
To prevent key expiration from causing your network to revert to an unauthenticated condition, you cannot halt MD5 authentication by using the timers. When the stopGenTime time for a key is reached, the router does not stop generating the key if it was the last key issued. You must delete all keys to halt authentication. Use the no version of the command to delete a key.
Managing and Replacing Keys
A key has an infinite lifetime if you do not specify stopGenTime and stopAcceptTime. (As noted above, if the last key expires, the router continues to generate that key.) Many system operators choose to roll their keys over on a regular basis, such as every month. If you determine that a key is no longer secure, you should configure a new key immediately. We recommend the following practice for configuring new keys:
1 2 3
Configure the new key on all routers in the IS-IS network. Verify that the new key is working. Delete the old key from every router.
Each key has an associated key-ID that you specify. The key-ID is sent with the message digest, so that the receiving routers know which key was used to generate the digest. You also use the key-ID to delete a key.
Extensions for Traffic Engineering
The router supports new-style TLV tuples described in the Internet draft, IS-IS Extensions for Traffic Engineering. The router ID TLV (TLV type 134) contains the ID of the router that originates the LSP, providing a stable address that can always be referenced regardless of the state of node interfaces. The extended IP reachability TLV (type 135) carries IP prefixes and is similar to the IP reachability TLVs (types 128 and 130). The extended IS reachability TLV (type 22) contains information about a series of IS neighbors and is similar to the IS neighbor TLV (type 2). The older TLVs2, 128, 130each have a narrow metric field, providing for metric values ranging only from 063. The new TLVs22
10-9
and 135have a new data structure that includes a wide metric field of 3 bytes (extended IS reachability; configurable) or four bytes (extended IP reachability; calculated). Both new TLVs provide for the use of sub-TLVs to carry more information about IS neighbors; however, only the extended IS reachability TLV currently has defined sub-TLVs, such as IPv4 interface and neighbor addresses. Use the metric-style commands to configure what style the router generates and accepts. The following behaviors are supported: Generates and accepts only old-style metrics Generates only old-style metrics, but accepts old style and new style Generates and accepts both old-style and new-style metrics (this option consumes the most system resources) Generates only new-style metrics, but accepts old style and new style Generates and accepts only new-style metrics Refer to the Internet draft, IS-IS Extensions for Traffic Engineering, for more information about these extensions.
Integrated IS-IS
The E-series router supports the Integrated IS-IS version of IS-IS. Integrated IS-IS provides a single routing algorithm to route both TCP/IP and OSI Connectionless Network Protocol (CLNP) packets. This design adds IP-specific information to the OSI IS-IS routing protocol. It supports IP subnetting, variable subnet masks, type of service (ToS), and external routing. Integrated IS-IS allows for the mixing of routing domains; that is, IP-only routers, OSI-only routers, and dual (IP and OSI) routers. OSI and IP packets are forwarded directly over the link layer services without needing mutual encapsulation. The E-series router supports IS-IS only for the routing and forwarding of TCP/IP packets. Forwarding of OSI packets is not supported.
Equal-Cost Multipath
IS-IS supports equal-cost multipath (ECMP) and installs into the routing table multiple entries for paths to the same destination. Each of these multiple paths to a given destination must have the same cost as the others, but a different next hop.
10-10
References
For more information about the IS-IS protocol, consult the following resources: E-Series Release Notes, Appendix A, System Maximums refer to the Release Notes corresponding to your software release for information on maximum values. ISO International Standard 8473-1:1993 Information technology Protocol for providing the connectionless-mode network service ISO International Standard 9542:1988 (E) Information processing systems Telecommunications and information exchange between systems End System-to-Intermediate System Routing Exchange Protocol for use in conjunction with the protocol for providing the connectionless-mode network service (ISO 8473) ISO/IEC 10589:1992 Information technology Telecommunications and information exchange between systems Intermediate System-to-Intermediate System Intra-Domain Routing Exchange Protocol for use in conjunction with the protocol for providing the connectionless-mode network service (ISO 8473) Extended Ethernet Frame Size Support draft-ietf-isis-ext-eth-01.txt (November 2001 expiration) IS-IS Extensions for Traffic Engineering draft-ietf-isis-traffic-04.txt (August 2001 publication) Management Information Base for IS-IS draft-ietf-isis-wg-mib-10.txt (April 2003 expiration) RFC 1195 Use of OSI IS-IS for Routing in TCP/IP and Dual Environments (December 1990) RFC 2763 Dynamic Hostname Exchange Mechanism for IS-IS (February 2000) RFC 2966 Domain-wide Prefix Distribution with Two-Level IS-IS (October 2000) RFC 2973 IS-IS Mesh Groups (October 2000) Routing IPv6 with IS-IS draft-ietf-isis-ipv6-03.txt (April 2003 expiration)
Note: IETF drafts are valid for only 6 months from the date of issuance. They must be considered as works in progress. Please refer to the IETF Web site at http://www.ietf.org for the latest drafts.
10-11
Features
Some of the major IS-IS features supported by the router include: Optimization of route leaking from level 1 to level 2 Equal-cost paths maximum 32 equal paths Adjacency and LSP overrun Dynamic resolution of hostnames to system IDs Mesh groups Configurable LSP transmit and throttle intervals Route redistribution policies based on access lists between IS-IS levels Three-way handshake for point-to-point adjacencies HMAC MD5 authentication Support for bigger metric TLVs Domain-wide prefix distribution Traffic engineering for MPLS
Configuration Tasks
Configure Integrated IS-IS by completing the tasks in the order presented below. You must enable IS-IS. All other tasks are optional.
1 2 3 4 5
Enable IS-IS. Configure selected IS-IS interface-specific parameters. Configure selected global IS-IS parameters. Configure selected IS-IS parameters for monitoring and debugging purposes. Configure IS-IS parameters to enable CLNS packets to be recognized by your router and to monitor CLNS information.
10-12
Enabling IS-IS
When enabling IS-IS, you must create an IS-IS routing process and assign it to specific interfaces rather than to networks. You can specify only a single IS-IS process per router. To enable IS-IS routing enter Global Configuration mode, and follow this procedure:
1
Specify an IS-IS process for IP. In this example, floor12 is specified as the tag name.
host1(config)#router isis floor12
Configure Network Entity Titles (NETs) for the routing process that specify the ISO network address.
host1(config-router)#net 47.0010.0000.0000.0000.0001.0001.1111.1111.1111.00
Enter Interface Configuration mode, and specify the interface that you want to actively route IS-IS.
host1(config)#interface atm 2/0
Specify the IS-IS process to apply to the interface. Use the tag name from step 1.
host1(config-if)#ip router isis floor12
You can repeat steps 3 and 4 to apply the IS-IS process to multiple interfaces.
ip router isis
Use to configure an IS-IS routing process on an IP interface. Before the IS-IS router process is useful, you must assign a NET with the net command, and enable some interfaces with IS-IS. Use the tag parameter to specify a meaningful name for a routing process. It must be unique among all IP routing processes for a given router. If you choose not to specify a tag name, a null tag is assumed, and the process is referenced with a null tag. Use the same tag name for ip router isis as you did for the router isis command. Example
host1(config-if)#ip router isis floor12
10-13
net
Use to configure a NET for a specified routing process. The NET defines the ISO address and consists of an area address or ID, a system ID, and a selector. You must configure a minimum of one NET. You are allowed a maximum of three NETs per router. You can manually add multiple area IDs by adding multiple NETs with the same system ID. There is no default value; net must be configured for an IS-IS process to start. Multiple NETs can be temporarily useful when there has been a network reconfiguration where either multiple areas are merged, or one area is in the process of being split into more areas. Multiple area addresses enable you to renumber an area slowly, without needing to set aside time to renumber areas all at once. When you use IS-IS to do IP routing only, a NET must be configured to instruct the router about its system ID and area ID. Example If you are configuring a router with the area ID 47.0005.80ff.f800.0000.0001.0001 and the system ID 0000.0c11.1111, you would enter it as shown. The last byte of the NET is the N-selector byte and is always 0.
host1(config-router)#net 47.0010.0000.0000.0000.0001.0001.1111.1111.1111.00
Use the no version to remove a specific NET. Remember that you must specify the NET. The last NET cannot be removed.
router isis
Always use the router isis command to enable the IS-IS routing protocol and to specify an IS-IS process for IP. Specify only one IS-IS process per router. Use the tag parameter to specify a meaningful name for a routing process. If you choose not to specify a tag name, a null tag is assumed, and the process is referenced with a null tag. Example
host1(config)#router isis floor12
10-14
Summary Example
host1(config)#router isis floor12 host1(config-router)#net 47.0010.0000.0000.0000.0001.0001.1111.1111.1111.00 host1(config-router)#exit host1(config)#interface atm 2/0 host1(config-if)#ip router isis floor12 host1(config-router)#exit host1(config-if)#interface atm 2/1 host1(config-if)#ip router isis floor12
10-15
isis authentication-key
Use to specify a password associated with an interface for authentication of IS-IS hellos. You can specify whether the password is for level 1 or level 2 hellos. Example
host1(config-if)#isis-authentication-key 0 red5flower6
isis circuit-type
Use to specify adjacency levels on a specified interface; however, normally, you do not need to use this command. Configure a router as a level 1-only, a level 1level 2 system, or a level 2-only system. Configure some interfaces to be level 2-only for routers that are between areas. This prevents wasting bandwidth by sending out unused level 1 hellos. On point-to-point interfaces, the level 1 and level 2 hellos are in the same packet. Level 1-2 is the default. Example
host1(config-if)#isis circuit-type level-2-only
isis csnp-interval
Configure the isis csnp-interval level for a specified interface. The level can be configured independently for level 1 and level 2. For LAN interfaces: the default value is 10 seconds, which you probably do not need to change. For WAN interfaces: the default value is 0 seconds or disabled. On point-to-point subinterfaces use isis csnp-interval in conjunction with the isis mesh-group command. Completed sequence number PDUs are sent by the designated router to maintain database synchronization. Example
host1(config-if)#isis csnp-interval 30 level-1
10-16
Holding time time a neighbor waits for another hello packet before
declaring the neighbor is down. It determines how quickly a failed link or neighbor is identified so that routes can be recalculated. Raise the hello multiplier and lower the hello interval simultaneously to make the hello protocol more reliable without increasing the time required to detect a link failure. Example
host1(config-if)#isis hello-interval 6 level-1 host1(config-if)#isis hello-multiplier 10 level-1
isis lsp-interval
Use to configure the delay between successive IS-IS link-state PDU (LSP) transmissions. You can choose an interval in the range 14294967295 milliseconds. For example, setting 100 milliseconds allows 10 packets per second. The default value is 33 milliseconds. If your network has many IS-IS neighbors and interfaces, a particular router may have difficulty with the CPU load imposed by LSP transmission and reception. If this is the case, you can reduce the LSP transmission rate by issuing this command. Example
host1(config-if)#isis lsp-interval 100
isis message-digest-key
Use to configure HMAC MD5 authentication for an interface. Generates a secure, encrypted message digest of level 1 or level 2 hello packets and inserts the digest into the packet from which it is created. Level 1 is the default. You can specify whether the key is entered in unencrypted or encrypted format. If you do not specify which, the string is assumed to be unencrypted.
10-17
Example
host1(config-if)#isis message-digest-key 3 hmac-md5 wdi6c3s39n level-2
For point-to-point interfaces, configure keys only for level 1, because only one hello packet is sent (at level 1), not one at level 1 and one at level 2. Keys configured at level 2 are ignored for point-to-point interfaces. Use the no version to delete the MD5 key, specified by the key ID, from the interface.
isis metric
Use to configure a cost for a specified interface. You can select a number in the range 063 if you configured the router with the metric-style narrow command. You can select a number in the range 016277215 if you configured the router with the metric-style transition or the metric-style wide command. The default value is 10. The default metric is the value assigned when no quality of service (QoS) routing is performed. You can configure the default metric for a specified interface by selecting level 1 or level 2 routing. This resets the metric only for level 1 or level 2 routing, respectively. We recommend that you configure metrics on all interfaces that are related to link speed. If you do not, the IS-IS metrics are simply hop-count-like metrics. Example
host1(config-if)#isis metric 20 level-2
isis priority
Use to set the priority of use for your designated router. You can configure an individual priority for level 1 and level 2 by choosing a priority level in the range 0127. The default priority level is 64. Specifying the level 1 or level 2 keyword resets the priority only for level 1 or level 2 routing, respectively. Priorities are used to determine which router in the network is the designated intermediate system (DIS); the router with the highest priority becomes the DIS. Priorities are advertised in hellos. IS-IS has no backup designated router. Setting the priority to 0 reduces the chance of this router becoming the DIS, but does not prevent it. If a router with a higher priority is identified, it takes over the role from the current DIS. When priorities are equal, the highest MAC address breaks the tie and becomes the DIS. Example
host1(config-if)#isis priority 80 level-1
10-18
isis retransmit-interval
Use to configure the number of seconds between the retransmission of IS-IS LSPs with the same LSP ID for point-to-point links. You can select an interval in the range 165535 seconds. The default value is 5 seconds. Specify a number greater than the expected round-trip delay between any two routers on your network. Always specify conservatively; otherwise, excessive retransmission will result. Because retransmissions occur only when LSPs are dropped, when you set isis retransmit-interval to a higher value, it has little effect on reconvergence. You should set to a higher value when routers have many neighbors and/or more paths over which LSPs can be flooded. Use a large value for serial lines. Example
host1(config-if)#isis retransmit-interval 60
isis retransmit-throttle-interval
Use to configure the maximum rate at which IS-IS LSPs are retransmitted on point-to-point links. The interval is the number of milliseconds between packets. You can choose an interval in the range 065535 milliseconds. The default delay value is 33 milliseconds. The isis retransmit-throttle-interval is the maximum rate at which IS-IS LSPs are retransmitted. It is different from isis lsp-interval, which is the rate at which LSPs are transmitted on the interface; and it is different from isis retransmit-interval, which is the period between successive retransmissions of the same LSP. Use all three commands with each other to control the load of routing traffic from one router to its neighbors. Typically, you can set this interval for very large networks with many LSPs and many interfaces as a way of controlling LSP retransmission traffic. Example
host1(config-if)#isis retransmit-throttle-interval 300
10-19
passive-interface
Use to configure an IS-IS interface such that its IP address is advertised in its link-state PDUs, but no IS-IS packets are sent from or received on the interface. Example The following commands configure loopback 0 as a passive interface and enable IS-IS on subinterfaces ATM 2/0.1 and ATM 2/1.1. IS-IS advertises the IP address of loopback 0 in its link-state PDUs, but runs only on ATM 2/0.1 and ATM 2/1.1:
host1(config)#router isis floor12 host1(config-router)#net 47.0010.0000.0000.0000.0001.0001.1111.1111.1111.00 host1(config-router)#passive-interface loopback 0 host1(config-router)#exit host1(config)#interface atm 2/0.1 host1(config-if)#ip router isis floor12 host1(config-if)#exit host1(config)#interface atm 2/1.1 host1(config-if)#ip router isis floor12
You can override the passive-interface configuration simply by issuing the complementary command. For example, suppose you issue the following commands after the previous configuration:
host1(config-router)#passive-interface atm 2/0.1 host1(config-router)#exit host1(config)#interface loopback 0 host1(config-if)#ip router isis floor12
Now IS-IS advertises the IP address of ATM 2/0.1 in its link-state PDUs, but runs only on loopback 0 and ATM 2/1.1. You can also accomplish the equivalent of the passive-interface command by using the redistribute command to redistribute a connected route to level 1. Use the no version to delete the passive interface.
Summary Example
host1(config-router)#passive-interface loopback 0 host1(config-if)#interface atm 8/0.500 host1(config-if)#isis metric 20 level-2 host1(config-if)#isis csnp-interval 30 level-1 host1(config-if)#isis hello-interval 6 level-1 host1(config-if)#isis hello-multiplier 10 level-1 host1(config-if)#isis lsp-interval 100 host1(config-if)#isis retransmit-interval 60 host1(config-if)#isis retransmit-throttle-interval 300 host1(config-if)#isis priority 80 level-1 host1(config-if)#isis circuit-type level-2-only
10-20
You can configure HMAC MD5 authentication either for an area or for a domain.
area-authentication-key
Use to specify a password used by neighboring routers for authentication of IS-IS level 1 LSPs, CSNPs, and PSNPs. You can specify whether the key is entered in unencrypted or encrypted format. If you do not specify which, the string is assumed to be unencrypted. Example
host1(config-router)#area-authentication-key 0 bigtree
area-message-digest-key
Use to configure HMAC MD5 authentication for an area. Generates a secure, encrypted message digest of level 1 packets (LSPs, CSNPs, and PSNPs) and inserts the digest into the packet from which it is created. You can specify whether the key is entered in unencrypted or encrypted format. If you do not specify which, the string is assumed to be unencrypted. Example
host1(config-router)#area-message-digest-key 1 hmac-md5 kd4s8hnEK
Use the no version to delete the MD5 key specified by the key ID.
domain-authentication-key
Use to specify a password used by neighboring routers for authentication of IS-IS level 2 LSPs, CSNPs, and PSNPs. You can specify whether the key is entered in unencrypted or encrypted format. If you do not specify which, the string is assumed to be unencrypted.
10-21
Example
host1(config-router)#domain-authentication-key 8 4kl6n39us
domain-message-digest-key
Use to configure HMAC MD5 authentication for a domain. Generates a secure, encrypted message digest of level 2 packets (LSPs, CSNPs, and PSNPs) and inserts the digest into the packet from which it is created. You can specify whether the key is entered in unencrypted or encrypted format. If you do not specify which, the string is assumed to be unencrypted. Example
host1(config-router)#domain-message-digest-key 4 hmac-md5 4bFjt7es
Use the no version to delete the MD5 key specified by the key ID.
Configuring Redistribution
You can specify how IS-IS redistributes routes received from other routing protocols, redistributes routes according to new policies, and controls redistribution of routes with access lists and route maps.
access-list route-map
Use the access-list command to create a standard or extended access list. Use the route-map command to create a route map. For detailed information about configuring access lists and route maps, see Chapter 1, Configuring Routing Policy. Example 1 Configure three static routes:
host1(config)#ip route 20.20.20.0 255.255.255.0 192.168.1.0 host1(config)#ip route 20.20.21.0 255.255.255.0 192.168.1.0 host1(config)#ip route 20.21.0.0 255.255.255.0 192.168.1.0
3 Configure a route map that matches the previous access list and applies an internal metric type:
host1(config)#route-map 1 host1(config-route-map)#match ip address 1 host1(config-route-map)#set metric-type internal
10-22
4 Configure redistribution into IS-IS of the static routes with route map 1:
host1(config)#router isis testnet host1(config-router)#redistribute static ip route-map 1
5 Use the show isis database command to verify the effect of the redistribution (the two static routes matching the route map are redistributed as level 2 internal routes):
host1#show isis database detail l2 IS-IS Level-2 Link State Database LSPID LSP Seq Num LSP Checksum 0x000002B7 LSP Holdtime ATT/P/OL 0000.0000.6666.00-00 NLPID: IP Address: 0xcc 192.168.1.105 0x3E1F 1198 0/0/0
Metric: 10 IS 0000.0000.6666.01 Metric: 10 IS 0000.0000.3333.00 Metric: 10 IS 0000.0000.7777.00 Metric: 30 IP 20.20.21.0 255.255.255.0 Metric: 30 IP 20.20.20.0 255.255.255.0
Use the no version of the access-list command to remove the access list or the specified entry in the access list. Use the no version of the route-map command to remove an entry.
There is no no version.
disable-dynamic-redistribute
Use to halt the dynamic redistribution of routes that are initiated by changes to a route map. Dynamic redistribution is enabled by default. Example
host1(config-router)#disable-dynamic-redistribute
redistribute
Use to redistribute routes from other routing protocols in the routing table to IS-IS. IS-IS advertises these routes within its level 1 and level 2 LSPs. The default is no source protocol defined for redistribution.
10-23
This command can accomplish the same results as the passive-interface command by redistributing a connected route to level 1. Example
host1(config-router)#redistribute static ip
The two-level routing hierarchy of IS-IS can lead to suboptimal path selection in certain situations. Because a level 1 router by default has knowledge only of level 1 routes, traffic from a level 1 router to a router in another area passes through the nearest level 1-2 router as its next hop. Consider the topology shown in Figure 10-3.
Area 2 6 Level 1 routing 7 Level 1 8 Area 3 9
Level 1-2
Level 2 routing
1 Level 2
Level 1-2
Level 1
Level 1 routing
Level 1
End system
Figure 10-3 Example of level 1 and level 2 routing
In this example, Router 4 in Area 1 considers Router 2 to be its next hop for interarea traffic, and Router 5 considers Router 3 to be its next hop for interarea traffic. Traffic from Router 4 to Router 8 passes through Router 2, requiring a total of five hops to the destination: Routers 2, 1, 3, 9, and 8. Similarly, five hops are required for traffic from Router 5 to Router 7.
g013130
ES
10-24
Neither of these paths is optimal. For example, it would be shorter for traffic from Router 4 to take the four-hop path: Routers 5, 3, 9, and 8. You can configure IS-IS to redistribute routes between the routing levels; this is sometimes known as route leaking between levels. The redistribute isis ip command enables you to specify a route filter (an access list) and the direction of leakage, as shown in the following example:
host1(config)#access-list leakList permit ip 100.0.0.0 0.255.255.255 any host1(config)#router isis 1 host1(config-router)#redistribute isis ip level-1 into level-2 distribute-list leakList host1(config-router)#redistribute isis ip level-2 into level-1 distribute-list leakList
redistribute isis ip
Use to redistribute routes from level 1 to level 2 or from level 2 to level 1. Use the access list command to create a route filter to apply to the redistribution. Example
host1(config-router)#redistribute isis ip level-1 into level-2 distribute-list leakList
Use the no version to stop redistribution of routes between the specified levels.
You can force the distribution of level 2 routing information to level 1 routers in other areas to improve the quality of the resulting routes, but at the cost of reduced scalability.
distribute-domain-wide
Use to increase the granularity of routing information within a domain. Domainwide prefix distribution enables a routing domain running with both level 1 and level 2 IS routers to distribute IP prefixes from level 2 to level 1 between areas. The major advantage for using domainwide prefix distribution is to improve the quality of the resulting routes within a domain by distributing more specific information. The major disadvantage of using domainwide prefix distribution is that it affects the scalability of IS-IS. When used, it increases the number of prefixes throughout the domain, causing increased memory consumption, transmission requirements, and computation requirements throughout the domain.
10-25
Use the no version to halt the distribution of routes from level 2 to level 1.
Extensions to IS-IS traffic engineering enable the use of bigger metrics. You can specify whether your router accepts, generates, or accepts and generates only old-style metrics, only new-style metrics, or both.
metric-style narrow
Use to specify that the router generates and accepts only old-style TLV tuples. Old-style TLVs refers to TLVs having metrics with a narrow (six-bit) field that range in value from 063. New-style TLVs refers to TLVs having metrics with a wider field, as provided for in current extensions to IS-IS traffic engineering. Use the transition option to accept old-style and new-style metrics; only old-style metrics are generated. Specify whether the command applies to level 1, level 2, or both. Example
host1(config-router)#metric-style narrow level-2
Use the no version to restore the default, which is to generate and accept only old-style TLVs with narrow (six-bit) metric fields.
metric-style transition
Use to specify that the router generates and accepts both old-style and new-style TLV tuples. Old style refers to TLVs having metrics with a narrow (six-bit) field that range in value from 0 63. New style refers to TLVs having metrics with a wider field, as provided for in current extensions to IS-IS traffic engineering. Specify whether the command applies to level 1, level 2, or both. Example
host1(config-router)#metric-style transition level-1
Issuing this command results in more resource usage than issuing the metric-style narrow or metric-style wide commands. Use the no version to restore the default, which is to generate and accept only old-style TLVs with narrow (six-bit) metric fields.
metric-style wide
Use to specify that the router generates and accepts only new-style TLV tuples. Old style refers to TLVs having metrics with a narrow (six-bit) field that range in value from 0 63. New style refers to TLVs having metrics with a wider field, as provided for in current extensions to IS-IS traffic engineering.
10-26
Use the transition option to accept old-style and new-style metrics; only new-style metrics are generated. Specify whether the command applies to level 1, level 2, or both. Example
host1(config-router)#metric-style wide level-1-2
Use the no version to restore the default, which is to generate and accept only old-style TLVs with narrow (six-bit) metric fields.
You can indicate the dependability of a routing information source by configuring the administrative distance for learned routes.
distance ip
Use to configure the administrative distance for IS-IS learned routes. The distance indicates the dependability of a routing information source. A higher relative value indicates lower dependability. Preference is always given to the routes with smaller values. Select a value between 1 and 255. A value of 255 means discard the route. Example
host1(config-router)#distance ip 50
You can specify a default route within IS-IS routing domains. You can also suppress the installation of a default route to level 1-2 routers by level 1 routers.
default-information originate
Use to generate a default route into an IS-IS routing domain. When you specify a route map with this command and the router has a route to 0.0.0.0 in the routing table, IS-IS originates an advertisement for 0.0.0.0 in its LSPs. When you do not specify a route map, the default route is advertised only in level 2 LSPs. For level 1 routing, look for the closest level 1-2 router to find the default route. The closest level 1-2 router is found by looking at the attach bit (ATT) in level 1 LSPs. The default is disabled. Example
host1(config-router)#default-information originate
10-27
suppress-default
Use to prevent level 1 routers from automatically installing a default route to a level 1-2 router in order to reach destinations outside the area. Suppresses level 1-2 router from indicating to level 1 routers that it can reach other areas. Consequently, the level 1 routers do not consider the level 1-2 router to be the nearest attached level 2 router and do not install default routes to it. This command is useful, for example, if you issue the distribute-domain-wide command, which causes the level 2 routes to be leaked into the level 1 area. The level 1 routers then have knowledge of the routes outside the area and will not need to rely on the nearest attached level 2 router for any unknown destination. Example
host1(config-router)#suppress-default
You can specify whether the router behaves as an IS-IS station router, area router, or both.
is-type
Use to configure the router to act as either a station router (level 1), an area router (level 2), or as both a station router and an area router (level 1-2). You should always configure the type of IS-IS router. Level 1-2 is the default. Example
host1(config-router)#is-type level-2-only
Summarizing Routes
You can summarize routes redistributed into IS-IS or within IS-IS by creating aggregate addresses for the routes.
summary-address
Use to create aggregate addresses of routes that are redistributed from other protocols in the routing table or distributed between level 1 and level 2 by a summary address. This process is called route summarization. A single summary address includes groups of addresses for a given level. The metric value is used when the router advertises the summary address. When the metric value is not used, the value of the lowest cost route (the default) is used.
10-28
This command reduces the size of the neighbors routing table and improves stability because a summary advertisement depends on many more specific routes. A disadvantage of summary addresses is that other routes might have less information to calculate the optimal routing table for all individual destinations. Example
host1(config-router)#summary-address 10.2.0.82 255.255.0.0 level-1-2
Use the no version to restore the default, the value of the lowest cost route.
If you have a router through which you do not want IS-IS traffic to pass, you can set the overload bit, causing other IS-IS routers to ignore the router.
set-overload-bit
Use to configure the router to set the overload bit in its nonpseudonode LSPs. When set, other routers ignore the unreliable router in their SPF calculations until the router problems are corrected. You would normally set the overload bit only when a router runs into problems such as memory shortage that may result in routing table inaccuracies. When set, no paths through this router can be seen by other routers in the IS-IS area. IP prefixes directly connected to this router are still reachable. Set this command when you want to connect a router to an IS-IS network but you do not want real traffic flowing through it. For example, you could set the overload bit if a test router were connected to a production network. Example
host1(config-router)#set-overload-bit
Use the on-startup keyword to specify a period in seconds after router reboot during which the overload bit is set. Other systems cannot route through the router until the bit clears, by which time all interfaces and protocols are up and the router is fully operational. Example
host1(config-router)#set-overload-bit on-startup 900
There is no default value; the overload bit is not set. Use the no version to disable the setting.
10-29
You can configure the router to ignore rather than purge LSPs received with errors.
ignore-lsp-errors
Use to enable your router to ignore rather than purge IS-IS LSPs that are received with internal checksum errors. Under normal conditions, the IS-IS protocol definition requires that received LSPs with incorrect data link checksums are to be purged by the receiver. This causes the LSP initiator to regenerate LSPs. If a network link causes data corruption while still delivering LSPs with correct data link checksums, a continuous cycle of regenerating and purging LSPs may result. This can render the network nonfunctional. Enabling this command prevents this continuous cycle from occurring because LSPs are ignored rather than purged. Example
host1(config-router)#ignore-lsp-errors
You can configure the router to log messages that track when adjacencies change state between up and down.
log-adjacency-changes
Use to generate log messages that track IS-IS adjacency state changes (up or down). The default is not to log adjacency state changes. Recommended for monitoring large networks. The system logs messages by using the router error message facility. Specify the minimum severity (07) or verbosity (low, medium, high) of this log category's messages. Example
host1(config-router)#log-adjacency-changes severity 3 verbosity low
Alternatively, you can use the system log command to generate the desired log messages. Use the no version to disable the function.
10-30
You can specify the following parameters for LSPs: Maximum transmission unit (MTU) Transmission rate Generation rate Maximum lifetime
lsp-mtu
Use to specify the MTU LSP size in bytes. The size must be less than or equal to the smallest MTU of any link in the area. Use this command to limit the size of LSPs generated by this router only. The router can receive LSPs of any size up to the maximum. You can set the value in the range 1289180. The default LSP MTU value is 1497. When a very large amount of information is generated by a single router, we recommend that you increase the LSP MTU. However, the default MTU is usually sufficient. If the MTU of a link is lowered to less than 1500 bytes, the LSP MTU must be lowered accordingly on each router in the network. If this is not done, routing may become unpredictable. Example
host1(config-router)#lsp-mtu 1500
lsp-gen-interval
Use to set the minimum interval rate that LSPs are generated on a per-LSP basis. You can set an interval value in the range 0120 seconds. The default interval value is 5 seconds. When a link is changing state at a high rate, the default value limits the signalling of the changing state to once every 5 seconds. Because the generation of an LSP may cause all routers in the area to perform the shortest path first (SPF) calculation, controlling this interval can have an areawide effect. When you raise this interval, you reduce the load on the network imposed by a rapidly changing link. Example
host1(config-router)#lsp-gen-interval level-2 30
10-31
lsp-refresh-interval
Use to set the LSP rate at which locally generated LSPs are periodically transmitted. The refresh interval determines the rate at which the router software periodically transmits the route topology information that it originates. These transmissions prevent the information from becoming obsolete. You can set the interval rate in the range 165535 seconds; the default is 900 seconds. LSPs must be periodically refreshed before their lifetimes expire. The refresh interval must be less than the LSP lifetime specified by max-lsp-lifetime. In the unlikely event that link stage database corruption is undetected, reducing the refresh interval reduces the amount of time that the corruption can persist. Increasing the interval reduces the link utilization caused by the flooding of refreshed packets. Example
host1(config-router)#lsp-refresh-interval 1000
max-lsp-lifetime
Use to set the maximum time that LSPs persist without being refreshed. You can select a maximum time in the range 165535 seconds. The default value is 1200 seconds (20 minutes). You might need to adjust the maximum LSP lifetime if you change the LSP refresh interval with the lsp-refresh-interval command. The maximum LSP lifetime must be greater than the LSP refresh interval. Example
host1(config-router)#max-lsp-lifetime 1500
You can configure how often the router performs the shortest path first (SPF) calculation.
spf-interval
Use to control the minimum interval between the SPF calculations. You can select an interval value in the range 0120 seconds. The default value is 5 seconds. If you do not specify level1 or level2, the interval applies to both level 1 and level 2. SPF calculations are performed only when the topology of the area changes. They are not performed when external routes change. Controls how often the router software can perform the SPF calculation. The SPF calculation is processor-intensive. Therefore, it may be useful to limit how
10-32
often calculation is done, especially when the area is large and the topology changes often. Increasing the SPF interval reduces the processor load of the router, but potentially slows down the rate of convergence. Example
host1(config-router)#spf-interval level-2 30
The IS-IS protocol uses the Dijkstra algorithm to compute IP node metrics when a change occurs within the IS-IS network. This calculation results in the IS-IS router containing a shortest path tree (SPT) that maps the shortest path to each node in the IS-IS network. By default, the router uses a partial route calculation (PRC) SPF to determine the next hop (when required). This partial computation occurs when the router receives link-state PDUs (LSPs) with only changes relating to IP prefixes (for example, the addition of a new IP prefix, change in attributes of an existing IP prefix, or the removal of an existing IP prefix). Because changes in IP prefixes happen more frequently than other events, using the PRC SPF results in faster IS-IS convergence and saves router resources. However, you can also specify that the router always use full SPF, recalculating the entire SPT, when resolving any IS-IS state changes.
full-spf-always
Use to enable and disable full SPF calculations for ISIS network changes. Example
host1(config-router)#full-spf-always
Use the no version to restore partial route calculation (PRC) mode for SPF calculations.
10-33
You can specify transmission rates for ES and IS hello packets, the period for which the router considers ES and IS hello packets to be valid, and name-to-network service access point mappings.
clns configuration-time
Use to specify the rate (in seconds) at which ES hello and IS hello packets are sent. The hello packet recipient creates an adjacency entry for the router that sent it. If the next hello packet is not received within the specified interval, the adjacency times out, and the adjacent node is determined to be unreachable. In most cases, these parameters should be left at their default value, which is 10 seconds. Example
host1(config)#clns configuration 240
clns holding-time
Use to enable sender of an ES hello or IS hello packet to specify the length of time you consider the information in these packets to be valid. In most cases, these parameters should be left at their default value, which is 30 seconds. Example
host1(config)#clns holding-time 900
clns host
Use to define a name-to-NSAP mapping that can then be used with commands requiring NSAPs. The default is that no mapping is defined. The assigned NSAP name is displayed, where applicable, in show commands. The first character can be either a letter or a number. This command is generated after all other CLNS commands when the configuration file is parsed. As a result, the NVRAM version of the configuration cannot be edited to specifically change the address defined in the original clns host command. You must specifically change any commands that refer to the original address. This affects commands that accept names, such as the net command. Enables dynamic resolution of hostnames to system IDs (within the NSAP address). The hostname mapping is sent in the LSPs within the Dynamic Hostname type-length-value (TLV type 137). Display the TLV by issuing the show isis database detail command. Use the show hosts command to display the mapping.
10-34
Example
host1(config)#clns host
You can configure how many parallel routes IS-IS supports to a destination.
maximum-paths
Use to control the maximum number of parallel routes IS-IS can support. You can select a number of routes (or paths) in the range 116. The default number for IS-IS is 4 paths. Example
host1(config-router)#maximum-paths 12
You can specify that interfaces within a given mesh group will act as a virtual multiaccess network.
isis mesh-group
Use when you want interfaces in the same mesh group to act as a virtual multiaccess network. LSPs seen on one interface in a mesh group will not be flooded to another interface in the same mesh group. Example
host1(config-if)#isis mesh-group blocked
Summary Example
host1(config)#router isis floor12 host1(config-router)#net 47.0010.0000.0000.0000.0001.0001.1111.1111.1111.00 host1(config-router)#exit host1(config)#interface atm 0/1 host1(config-if)#ip router isis floor12 host1(config-if)#isis mesh-group blocked host1(config-if)#exit host1(config)#interface atm 1/0 host1(config-if)#ip router isis floor12 host1(config-router)#distribute-domain-wide
10-35
host1(config-router)#distance 100 ip host1(config-router)#default-information originate route-map 9 host1(config-router)#is-type level-1-2 host1(config-router)#summary-address 10.2.0.82 255.255.0.0 level-1-2 host1(config-router)#set-overload-bit host1(config-router)#ignore-lsp-errors host1(config-router)#log-adjacency-changes host1(config-router)#lsp-mtu 1500 host1(config-router)#lsp-refresh-interval 1000 host1(config-router)#lsp-gen-interval level-2 30 host1(config-router)#max-lsp-lifetime 1500 host1(config-router)#spf-interval level-2 30 host1(config-router)#maximum-paths 32 host1(config-router)#redistribute static ip host1(config-router)#exit host1(config)#clns configuration-time 120 host1(config)#clns holding-time 600
10-36
generate the new-style TLVs. If you are using some IS-IS routers that still do not understand the new-style TLVs, use the metric-style transition command. See Extensions for Traffic Engineering (page 10-8) and Configuring Global IS-IS Parameters for detailed information about using the metric-style commands.
mpls spf-use-any-best-path
Use to enable SPF calculations to consider the IGP (IS-IS) best paths as well as the MPLS tunnel for forwarding traffic to the MPLS endpoint. By default, the MPLS tunnel is always selected for traffic to the tunnel endpoint; IGP paths are not considered. For traffic beyond the endpoint, the tunnel is considered equally with any other path. Example
host1(config-router)#mpls spf-use-any-best-path
mpls traffic-eng
Use to enable flooding of MPLS traffic engineering link information into the specified IS-IS level. Flooding is disabled by default. Example
host1(config-router)#mpls traffic-eng level-1
10-37
ip route-type
Use to specify whether IS-IS routes are available only for unicast forwarding, only for multicast reverse-path forwarding checks, or for both. Use the show ip route command to view the routes available for unicast forwarding. Use the show ip rpf-routes command to view the routes available for multicast reverse path forwarding checks. By default, IS-IS routes are available for both unicast forwarding and multicast reverse path forwarding checks. Example
host1(config)#router isis host1(config-router)#ip route-type unicast
Monitoring IS-IS
The CLI has commands available for monitoring IS-IS parameters and CLNS parameters.
Monitoring IS-IS Parameters
You can monitor the IS-IS link-state database and IS-IS debug information. Use the commands in this section to: Display router information. Display information about SPF calculations. Monitor IS-IS summary address information. Display debug information. Display host. Display information about MPLS tunnels. Clear adjacencies. Display paths to intermediate systems. You can use the output filtering feature of the show command to include or exclude lines of output based on a text string you specify. Refer to E-Series System Basics Configuration Guide, Chapter 2, Command Line Interface, for details.
10-38
There is no no version.
debug isis
Use to obtain debug-related information about certain parameters. This command manipulates the same log as the Global Configuration log commands. You can select from these parameters:
adj-packets IS-IS adjacency-related packets mpls traffic-eng advertisements MPLS traffic-engineering agent
advertisements
mpls traffic-eng agents MPLS traffic-engineering agents snp-packets IS-IS CSNP/PSNP packets spf-events IS-IS Shortest Path First events spf-statistics IS-IS SPF timing and statistic data spf-triggers IS-IS SPF triggering events update-packets IS-IS update-related packets
host1#debug isis adj-packets
Example
show hosts
Use to display the name-to-NSAP mappings defined with the clns host command. Field descriptions
10-39
system ID six-byte value of the host alias type type of host alias Example
host1:abc#show hosts Static Host Table ----------------name ---jkk ip address ---------10.10.0.73 type ---ftp username --------anonymous password -------null
Clns Host Alias Table --------------------name fred area address system ID type ----- -------------------------------- ----------------- -----47.0005.80FF.F800.0000.0001.0001 0000.0000.0011.00 static karen 47.0005.80FF.F800.0000.0001.0001 0000.0000.0012.00 static
lspid link-state protocol ID in form xxxx.xxxx.xxxx.yy-zz detail detailed link-state database information; if this option is not
specified, a summary display is provided
l1 level 1 routing link-state database l2 level 2 routing link-state database level-1 level 1 routing link-state database level-2 level 2 routing link-state database
Field descriptions
LSPID LSP identifier LSP Seq Num sequence number for the LSP. Enables other routers to
determine if they have received the latest information from source.
LSP Checksum checksum of the LSP packet LSP Holdtime number of seconds that the LSP remains valid ATT attach bit; indicates that the router is a level 2 router and can reach
other areas
OL overload bit; determines whether intermediate system is congested Area Address area addresses that can be reached from the router NLPID ISO network layer protocol identifier IP Address IP address of the interface Hostname hostname of the router
10-40
Router ID ID configured on the router Metric metric that indicates either of the following costs:
cost of adjacency between the originating router and the advertised neighbor cost between the advertising router and the advertised destination
IPv4 Interface Address address of the interface IPv4 Neighbor Address address of a neighbor
Example 1
host1#show isis database IS-IS Level-1 Link State Database LSPID LSP Seq Num LSP Checksum LSP Holdtime ATT/P/OL 0x000013F5 0x00000007 0x0000308D 0x00000011 0x0000005F 0x8BAA 1198 0xEA1E 1199 0x8C30 1199 0x5EDF 1198 0xB082 1195 0x9860 1196 0/0/0 0/0/0 0/0/0 0/0/0 1/0/0 0/0/0 0000.0000.004E.00-00 0000.0000.3333.02-00 0000.0000.7500.00-00 0090.1A00.B000.00-00 0090.1A00.C000.00-00
0000.0000.3333.00-00* 0x0000020F
IS-IS Level-2 Link State Database LSPID LSP Seq Num LSP Checksum LSP Holdtime ATT/P/OL 0x00001355 0x00000007 0x00003315 0x00000BAF 0x00000016 0x00000071 0x0DA7 1198 0x566B 1199 0x8C30 1199 0x3627 1198 0x187A 1183 0xD624 1195 0x9358 1196 0/0/0 0/0/0 0/0/0 0/0/0 0/0/0 1/0/0 0/0/0 0000.0000.004E.00-00 0000.0000.3333.02-00 0000.0000.7500.00-00 0010.7B36.5FF7.00-00 0090.1A00.B000.00-00 0090.1A00.C000.00-00
0000.0000.3333.00-00* 0x00000257
Example 2
host1#show isis database detail LSPID LSP Seq Num LSP Checksum LSP Holdtime ATT/P/OL boston.00-00*0x000001160x4760 6551/0/0 Area Address: 47.0005.80FF.F800.0000.0000.0004 NLPID: IP Address: Router ID: 0x81 0xcc 10.1.1.1 10.1.1.1 10.1.1.1 10.1.1.2 10.1.3.1 10.1.3.3
Hostname: boston Metric: 10 IS newyork.00 IPv4 Interface Address: IPv4 Neighbor Address: Metric: 10 IS washington.00 IPv4 Interface Address: IPv4 Neighbor Address: Metric: 10 IP 10.1.1.0/24
Metric: 10 IP 192.168.1.0/24
10-41
Example 3
host1#show isis database verbose IS-IS Level-1 Link State Database LSPID zion.00-00* NLPID: IP Address: Router ID: Metric: 0 LSP Seq Num 0x00000011 0x81 0xcc 222.9.1.1 222.9.1.1 ES 2220.0900.1001 0 221.1.1.1 221.1.1.2 50000 50000 LSP Checksum 0xBFAD LSP Holdtime 487 ATT/P/OL 0/0/0
Hostname: zion
Metric: 10 IS london.00 Administrative group: IPv4 Interface Address: IPv4 Neighbor Address: Maximum link bandwidth: Unreserved bandwidth: Priority 0: Priority 1: Priority 2: Priority 3: Priority 4: Priority 5: Priority 6: Priority 7: 50000 50000 50000 50000 30000 30000 30000 30000 0 0 221.1.6.1 221.1.6.2 50000 50000
Administrative group: IPv4 Interface Address: IPv4 Neighbor Address: Maximum link bandwidth: Unreserved bandwidth: Priority 0: Priority 1: Priority 2: Priority 3: Priority 4: Priority 5: Priority 6: Priority 7: 50000 50000 50000 50000 30000 30000 30000 30000 0
TE default metric:
10-42
Metric: 10 IS paris.00 Administrative group: IPv4 Interface Address: IPv4 Neighbor Address: Maximum link bandwidth: Unreserved bandwidth: Priority 0: Priority 1: Priority 2: Priority 3: Priority 4: Priority 5: Priority 6: Priority 7: 0 0 0 0 0 0 0 0 0 0 221.1.4.1 221.1.4.4 0 0
TE default metric: Metric: 10 IP 221.1.1.0/24 Metric: 10 IP 221.1.6.0/24 Metric: 10 IP 221.1.4.0/24 Metric: 0 IP 222.9.1.1/32
When amount of time since recording the log entry Neighbor ID identifier for the neighbor IP Address IP address of the neighbor Interface interface from which neighbor was learned Status adjacency status, Up or Down Level IS-IS routing level
Example
host1#show isis mpls adjacency-log IS-IS MPLS TE log When 02:25:47 02:25:47 02:25:47 Neighbor ID 2220.0900.2002.00 2220.0900.2002.00 2220.0900.4004.00 IP Address 221.1.1.2 221.1.6.2 221.1.4.4 Interface Status at2/0.1 at2/0.6 at2/1.5 Up Up Up Level L1 L1 L1
10-43
System ID name or system ID of the MPLS tail-end (destination) router Router ID router ID for the router Link Count number of links that MPLS advertises Neighbor System ID identifier of the remote system in an area Administrative group TLV administrative group or color assigned to the link Interface IP address IP address of the interface Neighbor IP Address IP address of the neighbor Maximum link bandwidth bandwidth capacity of the link in bits per second Reservable link bandwidth amount of bandwidth reservable on the link (whether reserved or not) the link
Unreserved bandwidth amount of bandwidth available for reservation on Affinity Bits attributes flooded for the link
Example
host1#show isis mpls advertisements System ID: zion.00 Router ID: Link[1] Neighbor System ID: london.00 Administrative group: IPv4 Interface Address: IPv4 Neighbor Address: Maximum link bandwidth: Unreserved bandwidth: Priority 0: Priority 1: Priority 2: Priority 3: Priority 4: Priority 5: Priority 6: Priority 7: Link[2] Neighbor System ID: london.00 Administrative group: IPv4 Interface Address: IPv4 Neighbor Address: Maximum link bandwidth: 0 221.1.6.1 221.1.6.2 50000 50000 50000 50000 50000 50000 30000 30000 30000 30000 0 0 221.1.1.1 221.1.1.2 50000 50000 222.9.1.1
TE default metric:
10-44
Unreserved bandwidth: Priority 0: Priority 1: Priority 2: Priority 3: Priority 4: Priority 5: Priority 6: Priority 7: Link[3] Neighbor System ID: paris.00 Administrative group: IPv4 Interface Address: IPv4 Neighbor Address: Maximum link bandwidth: Unreserved bandwidth: Priority 0: Priority 1: Priority 2: Priority 3: Priority 4: Priority 5: Priority 6: Priority 7: 0 0 0 0 0 0 0 0 0 0 221.1.4.1 221.1.4.4 0 0 50000 50000 50000 50000 30000 30000 30000 30000 0
TE default metric:
TE default metric:
System Id
System Id name or system ID of the MPLS tail-end (destination) router Tunnel Name name of the MPLS tunnel interface Nexthop destination IP address of the MPLS tunnel Metric metric of the MPLS tunnel Mode metric mode, either absolute or relative
Example
Tunnel Name Tunnel2 Nexthop 2.2.2.2 2.2.2.2 3.3.3.3 3.3.3.3 Metric -3 11 -1 Mode Relative Absolute Relative
10-45
When amount of time since a full SPF calculation took place, given in
hours:minutes:seconds. The previous 20 calculations are logged.
Duration number of seconds to complete this SPF run. The elapsed time is
in actual clock time, not CPU time.
SpfType type of SPF run Triggers list of causes that triggered the SPF calculation
Example 1
ERX-40-20-33:2#sho isis spf-log Level 1 SPF log When Duration First Trigger LSP SpfType Triggers LSP Add LSP Add LSP Add LSP Sequence Update 00:01:45 0.000 00:01:36 0.000 00:01:31 0.000 00:00:08 0.000 0000.0000.0000.00-00 Full 0000.0000.0000.00-00 Full 0000.0101.0101.00-00 Full 0000.0101.0101.00-00 PRC
Example 2
ERX-40-20-33:2#sho isis spf-log detail Level 1 SPF log When Duration First Trigger LSP SpfType Triggers LSP Add 00:01:53 0.000 RTupdt 0.000 RtLeak 0.000 00:01:44 0.000 RTupdt 0.000 RtLeak 0.000 00:01:39 0.000 RTupdt 0.000 RtLeak 0.000 00:00:16 0.000 RTupdt 0.000 RtLeak 0.000 0000.0101.0101.00-00 PRC LSP Sequence Update 0000.0101.0101.00-00 Full LSP Add 0000.0000.0000.00-00 Full LSP Add 0000.0000.0000.00-00 Full
10-46
Address aggregate addresses advertised by summarization process Mask IP subnet masks used for the summary routes Level level for which multiple groups of addresses can be summarized Metric metric used to advertise the summary State state of the summary address
host1#show isis summary-addresses Address -------3.0.0.0 4.0.0.0 Mask ---------255.0.0.0 255.0.0.0 Level --------LEVEL-1 LEVEL-1-2 Metric -----0 5 State ------ENABLED ENABLED
Example
System ID name or system ID of the intermediate system Metric metric of the path to the intermediate system Next Hop destination IP address of the intermediate system Interface interface from which neighbor was learned SNPA subnetwork point of attachment; for a LAN circuit, it is the MAC address; not meaningful for a point-to-point circuit.
Example
IS-IS paths for level-1 routers -------------------------------
System-ID barcelona:vr2
Metric 10
Intf -------at2/0.12
SNPA ----
------------- ------
undebug isis
Use to cancel the display of information about a selected event. The same IS-IS variables can be designated as in the debug isis command. Example
host1#undebug isis adj-packets
There is no no version.
10-47
Displaying CLNS
You can display the following information related to the CLNS protocol: CLNS information about interfaces Information about router adjacencies Information about ES and IS neighbors Protocol-specific information for each routing process Information about CLNS packets Global CLNS configurations You can set a statistics baseline for CLNS using the baseline clns command.
baseline clns
Use to set a statistics baseline for CLNS. The router implements the baseline by reading and storing the statistics at the time the baseline is set and then subtracting this baseline whenever baseline-relative statistics are retrieved. Use the optional interface-specifier parameter to specify an interface; otherwise the command sets a baseline for all interfaces. You cannot set a baseline for groups of interfaces. When baselining is requested, the time since the last baseline was set is displayed in days, hours, minutes, and seconds. Use the optional delta keyword with the show clns traffic command to specify that baselined statistics are to be shown. There is no no version. Example
host1#show clns traffic detail IS-IS: Baseline last set 0 days, 0 hours, 1 minutes, 41 seconds IS-IS: Corrupted LSPs: 0 IS-IS: L1 LSP Database Overloads: 0 IS-IS: L2 LSP Database Overloads: 0 IS-IS: Area Addresses Dropped: 0 IS-IS: Attempts to Exceed Max Sequence: 0 IS-IS: Sequence Numbers Skipped: 6 IS-IS: Own LSPs Purged: 1 IS-IS: System ID Length Mismatches: 0 IS-IS: Maximum Area Mismatches: 0 Interface: atm2/1.3 IS-IS: Baseline last set 0 days, 0 hours, 1 minutes, 43 seconds IS-IS: Protocol PDUs (in/out): 32/36 IS-IS: Init Failures: 0
10-48
IS-IS: Adjacencies Changes: 1 IS-IS: Adjacencies Rejected: 0 IS-IS: Bad LSPs: 0 IS-IS: Level-1 Designated IS Changes: 0 IS-IS: Level-2 Designated IS Changes: 0 IS-IS: Invalid 9542s: 0 host1#baseline clns atm 2/1.3 host1#show clns traffic detail delta IS-IS: Baseline last set 0 days, 0 hours, 2 minutes, 27 seconds IS-IS: Corrupted LSPs: 0 IS-IS: L1 LSP Database Overloads: 0 IS-IS: L2 LSP Database Overloads: 0 IS-IS: Area Addresses Dropped: 0 IS-IS: Attempts to Exceed Max Sequence: 0 IS-IS: Sequence Numbers Skipped: 6 IS-IS: Own LSPs Purged: 1 IS-IS: System ID Length Mismatches: 0 IS-IS: Maximum Area Mismatches: 0 Interface: atm2/1.3 IS-IS: Baseline last set 0 days, 0 hours, 0 minutes, 8 seconds IS-IS: Protocol PDUs (in/out): 2/1 IS-IS: Init Failures: 0 IS-IS: Adjacencies Changes: 0 IS-IS: Adjacencies Rejected: 0 IS-IS: Bad LSPs: 0 IS-IS: Level-1 Designated IS Changes: 0 IS-IS: Level-2 Designated IS Changes: 0 IS-IS: Invalid 9542s: 0
LSPID LSP identifier LSP Seq Num sequence number for the LSP. Enables other routers to
determine if they have received the latest information from source.
LSP Checksum checksum of the LSP packet LSP Holdtime number of seconds that the LSP remains valid ATT attach bit; indicates that the router is a level 2 router and can reach
other areas
10-49
Example
host1#show isis database IS-IS Level-1 Link State Database LSPID rtr1.00-00* rtrtwo.00-00 LSP Seq Num 0x00000009 0x00000005 LSP Checksum 0x568F 0xEC9B LSP Holdtime 1188 444 ATT/P/OL 0/0/0 0/0/0
IS-IS Level-2 Link State Database LSPID rtr1.00-00* rtrtwo.00-00 LSP Seq Num 0x00000010 0x0000000C LSP Checksum 0xF630 0xF8DA LSP Holdtime 1193 1188 ATT/P/OL 0/0/0 0/0/0
host1#clear isis database host1#show isis database IS-IS Level-1 Link State Database LSPID LSP Seq Num LSP Checksum LSP Holdtime ATT/P/OL
IS-IS Level-2 Link State Database LSPID LSP Seq Num LSP Checksum LSP Holdtime ATT/P/OL
show clns
Use to display global CLNS information about the router. Field descriptions
Interfaces Enabled for CLNS number of interfaces that have the CLNS
routing protocol enabled
Configuration Timer interval (in seconds) after which the router sends out
IS hello packets
Default Holding Timer length of time (in seconds) that hello packets are
remembered
Packet Lifetime default value used in packets sourced by this router Intermediate system operation enabled (forwarding allowed) indicates
whether this router is configured to be an ES or an IS
IS-IS Level-1-2 Router shows whether IS-IS is running in this router, gives
tag information, and shows whether it is running level 1 or level 1-2
Routing for Area ISO (NSAP) address for the network Distribute domain wide enabled indicates whether distribute-domain-wide
is enabled
10-50
intermediate-system adjacencies. Neighbor entries are sorted according to the area in which they are located. The following fields are displayed when any of these keywords is used:
System Id six-byte value of router Interface interface on which the router was discovered State adjacency state, either Up or Init
Up believes that the ES or IS is reachable Init router is an IS and is waiting for an IS-IS hello message. IS-IS regards the neighbor as not adjacent.
Circuit Id neighbors idea of what the designated IS-IS router is for the
interface Add the detail keyword to display area addresses and IP addresses. Example 1
host1#show clns Global CLNS Information: 3 Interfaces Enabled for CLNS NET: 47.0005.80FF.F800.0000.0001.0001.0000.0000.3333.00 Configuration Timer: 10, Default Holding Timer: 30, Packet Lifetime: 1200 Intermediate system operation enabled IS-IS level-1-2 Router: testnet Routing for Area: 47.0005.80FF.F800.0000.0001.0001 Distribution domain wide enabled Area Authentication: Key-id: 1 Type: hmac-md5 FRI JAN 14 09:57:41 2000 0 0 Start Accept: Stop Accept: Stop Generate: Key-id:
Domain Authentication: 1 Type: hmac-md5* WED JAN 12 19:01:52 2000 0 0 Start Accept: Stop Accept: Stop Generate:
10-51
System Id
Example 2
Interface State up Type Priority L1L2 127 Circuit Id 0000.0000.0000.00 Circuit Id 0000.0000.0000.00
host1#show clns is-neighbors detail State Type Priority L1L2 127 0000.0000.7500 atm2/0.111 up Ip Address(es):
interface shows status of interface Checksums can be either enabled or disabled MTU shows the maximum transmission size for a packet on this interface Encapsulation describes encapsulation used by CLNP packets on this interface interface
Next ESH/ISH shows when the next ES hello or IS hello is sent on this Routing Protocol lists the area(s) that this interface is in. In most cases, an
interface will be in only one area.
Circuit type indicates whether the interface has been configured for local
routing (level 1), area routing (level 2), or local and area routing (level 1-2)
10-52
Number of active level-2 adjacencies: 0 Next IS-IS LAN Level-1 Hello in 0 seconds Next IS-IS LAN Level-2 Hello in 0 seconds Mesh Group Inactive serial3/1:1/1.111 is up, line protocol is up Checksums Enabled, MTU 1600, Encapsulation Frame Relay Next ESH/ISH is 8 seconds Routing Protocol: IS-IS Circuit Type: level-1-2 Interface number 0x2, local circuit ID 0x2 Level-1 Metric: 10, Priority: 0, Circuit ID: 0000.0000.0000.02 Number of active level-1 adjacencies: 0 Level-2 Metric: 10, Priority: 0, Circuit ID: 0000.0000.0000.02 Number of active level-2 adjacencies: 0 Next IS-IS PTPT Hello in 3 seconds Mesh Group Inactive Authentication Level-1: Key-id: 1 Type: hmac-md5* WED JAN 12 18:56:20 2000 0 0 Start Accept: Stop Accept: Stop Generate: Key-id:
Authentication Level-2: 1 Type: hmac-md5 FRI JAN 14 09:58:27 2000 0 0 Start Accept: Stop Accept: Stop Generate:
host1#show clns interface atm2/0.111 is up, line protocol is up Checksums Enabled, MTU 4470, Encapsulation ATM Next ESH/ISH is 2 seconds Routing Protocol: IS-IS Circuit Type: level-1-2 Interface number 0x1, local circuit ID 0x1
Level-1 Metric: 10, Priority: 0, Circuit ID:0000.0000.7500.07
Number of active level-1 adjacencies: 1 Level-2 Metric: 10, Priority: 0, Circuit ID:0000.0000.0000.01 Number of active level-2 adjacencies: 1 Next IS-IS PTPT Hello in 7 seconds Mesh Group Inactive ethernet6/0 is up, line protocol is up Checksums Enabled, MTU 1500, Encapsulation SNAP Next ESH/ISH is 8 seconds Routing Protocol: IS-IS Circuit Type: level-1-2
10-53
Interface number 0x2, local circuit ID 0x2 Level-1 Metric: 10, Priority: 0, Circuit ID:0000.0000.3333.02 Number of active level-1 adjacencies: 1 Level-2 Metric: 10, Priority: 0, Circuit ID:0000.0000.3333.02 Number of active level-2 adjacencies: 1 Next IS-IS LAN Level-1 Hello in 1 seconds Next IS-IS LAN Level-2 Hello in 3 seconds Mesh Group Inactive
System Id six-byte value of router SNPA subnetwork point of attachment; the data link address Interface interface the router was learned from State state of the ES or IS Init router is an IS and is waiting for an IS-IS hello message. IS-IS regards the neighbor as not adjacent. Up believes the ES or IS is reachable
Holdtime number of seconds before this adjacency entry times out Type adjacency type. Possible values are as follows:
ES end-system adjacency either discovered via the ES-IS protocol or statically configured IS router adjacency either discovered via the ES-IS protocol or statically configured L1 router adjacency for level 1 routing only L1L2 router adjacency for level 1 and level 2 routing L2 router adjacency for level 2 only
Protocol protocol through which the adjacency was learned. Valid protocol
sources include ES-IS, IS-IS, and Static.
System Id 0000.0000.7500
10-54
IS-IS Router IS-IS router name System ID six-byte value of router IS-Type indicates the routing level (level 1, level 2, or both) that is enabled
on the router
Manual area addresses configured area addresses Routing for area address(es) identified for level 1 routing processes. For
level 2 routing processes, lists the domain address.
Interfaces supported by IS-IS lists interfaces and type Distance configured distance value Redistributing protocols being redistributed into IS-IS
Example
host1#show clns protocol IS-IS Router:testnet System Id: 0000.0000.3333.00 IS-Type: level-1-2 Manual area address(es):47.0005.80FF.F800.0000.0001.0001 Routing for area address(es):47.0005.80FF.F800.0000.0001.0001 Interfaces supported by IS-IS:atm2/0.111 - IP Distance: 115 Redistributing:
IS-IS: Baseline last set time since the baseline was set IS-IS: Corrupted LSPs number of LSPs received with errors IS-IS: L1 LSP Database Overloads number of overloads in level 1 IS-IS: L2 LSP Database Overloads number of overloads in level 2 IS-IS: Area Addresses Dropped number of area addresses that the router dropped maximum
IS-IS: Attempts to Exceed Max Sequence number of sequence wraps over IS-IS: Sequence Numbers Skipped number of LSPs received out of order IS-IS: Own LSPs Purged number of LSPs deleted IS-IS: System ID Length Mismatches number of unmatched system ID
lengths
10-55
When you specify an interface, reports include the following additional field descriptions:
IS-IS: Protocol PDUs (in/out) number of packets in/out on interface IS-IS: Init Failures number of rejected hellos on interface IS-IS: Adjacencies Changes number of times adjacencies have
transitioned from down to up
IS-IS: Bad LSPs number of LSPs received with errors IS-IS: Level-1 Designated IS Changes number of times the level 1
designated router has changed
IS-IS: Invalid 9542s number of rejected ES hello packets IS-IS: Authentication Failures number of authentication failures on
received level 1 and level 2 hello packets
host1#show clns traffic IS-IS: Baseline last set 0 days, 21 hours, 12 minutes, 15 seconds IS-IS: Corrupted LSPs: 0 IS-IS: L1 LSP Database Overloads: 0 IS-IS: L2 LSP Database Overloads: 0 IS-IS: Area Addresses Dropped: 0 IS-IS: Attempts to Exceed Max Sequence: 0 IS-IS: Sequence Numbers Skipped: 5 IS-IS: Own LSPs Purged: 0 IS-IS: System ID Length Mismatches: 0 IS-IS: Maximum Area Mismatches: 0 IS-IS: Area/Domain Authentication Failures: 0 host1#show clns traffic detail IS-IS: Baseline last set 0 days, 21 hours, 12 minutes, 40 seconds IS-IS: Corrupted LSPs: 0 IS-IS: L1 LSP Database Overloads: 0 IS-IS: L2 LSP Database Overloads: 0 IS-IS: Area Addresses Dropped: 0 IS-IS: Attempts to Exceed Max Sequence: 0 IS-IS: Sequence Numbers Skipped: 5 IS-IS: Own LSPs Purged: 0 IS-IS: System ID Length Mismatches: 0 IS-IS: Maximum Area Mismatches: 0 IS-IS: Area/Domain Authentication Failures: 0 Interface: fastEthernet0/0 IS-IS: Baseline last set 0 days, 21 hours, 12 minutes, 40 seconds
10-56
IS-IS: Protocol PDUs (in/out): 62005/66617 IS-IS: Init Failures: 0 IS-IS: Adjacencies Changes: 2 IS-IS: Adjacencies Rejected: 0 IS-IS: Bad LSPs: 0 IS-IS: Level-1 Designated IS Changes: 2 IS-IS: Level-2 Designated IS Changes: 2 IS-IS: Invalid 9542s: 0 IS-IS: Authentication Failures: 0 Interface: serial3/2:1/1.222 IS-IS: Baseline last set 0 days, 21 hours, 12 minutes, 40 seconds IS-IS: Protocol PDUs (in/out): 10422/9522 IS-IS: Init Failures: 0 IS-IS: Adjacencies Changes: 1 IS-IS: Adjacencies Rejected: 0 IS-IS: Bad LSPs: 0 IS-IS: Level-1 Designated IS Changes: 0 IS-IS: Level-2 Designated IS Changes: 0 IS-IS: Invalid 9542s: 0 IS-IS: Authentication Failures: 0
Configuring VRRP
11
Page 11-1 11-2 11-3 11-7 11-8 11-12
This chapter describes how to configure the Virtual Router Redundancy Protocol (VRRP) on your E-series router.
Topic Overview References How VRRP Works How VRRP Is Implemented in the E-Series Router Configuring VRRP Monitoring VRRP
Overview
VRRP can prevent loss of network connectivity to end hosts if the static default IP gateway fails. By implementing VRRP, you can designate a number of routers as backup routers in the event that the default master router fails.
Note: It is important to understand that the term virtual router as defined in the E-Series System Basics Configuration Guide, Chapter 11, Configuring Virtual Routers, is different from what is implied by VRRP. In this chapter, the term virtual router always refers to a VRRP router; that is, a router that has enabled VRRP.
In case of a failure, VRRP dynamically shifts the packet-forwarding responsibility to a backup router. A redundancy scheme is created by VRRP, which allows hosts to keep a single IP address for the default gateway, but maps the IP address to a well-known virtual MAC address. VRRP provides this redundancy without user intervention or additional configuration at the end hosts.
11-2
VRRP is supported on the FE-2 line module and the GE/FE line module. VLANs and S-VLANs are fully supported.
Terminology
Table 11-1 provides definitions for the basic VRRP terms used in this chapter.
Table 11-1 VRRP definitions Term VRRP router Definition A router that is running VRRP. It may participate in one or more virtual router IDs (VRIDs). An IP redundancy instance can: Master router Act as a master with associated addresses it owns at an IP interface Act simultaneously as a backup for other routers with additional VRID mappings and priorities for those routers
The VRRP router that assumes the responsibility of forwarding packets sent to the IP address(es) associated with the virtual router, and that answers ARP requests for these IP addresses. If the IP address owner is available, then it always becomes the master. The VRRP router available to assume forwarding responsibility if the current master router fails. The IP interfaceVRID pair instance that has the associated IP address(es) as real interface address(es). This router, when up, responds to packets addressed to one of these IP addresses for ICMP pings or TCP connections. The IP address owner is the primary router. An IP address configured as primary from the set of real interface addresses. VRRP advertisements are always sent (by the master router) using the primary IP address as the source of the IP packet.
Primary IP address
References
For more information about VRRP, see: RFC 2338 Virtual Router Redundancy Protocol (April 1998) RFC 2787 Definitions of Managed Objects for the Virtual Router Redundancy Protocol (March 2000)
Note: It is important to have some background understanding of the Address Resolution Protocol (ARP) before configuring VRRP. See the section, Address Resolution Protocol (ARP), in Chapter 2, Configuring IP.
11-3
Three VRRP configuration examples are described and illustrated in this section. They include: Basic VRRP configuration Common VRRP configuration VRRP configuration without the real address owner
Basic VRRP Configuration
As shown in Figure 11-1, the basic VRRP configuration uses a single VRID (VRID 1). Because R1 is the address owner, it serves as the master. Router R2 is the backup. The four end hosts on subnet 1 are configured to use 10.0.0.1/8 as the default router. IP address 10.0.0.1 is associated with VRID 1. In this example, if R1 becomes unavailable, R2 takes over VRID 1 and its associated IP addresses. Packets sent to IP destinations outside the 10.x.x.x subnet using 10.0.0.1 as the router are then forwarded by R2. Even though R2 assumes R1s forwarding responsibilities, it never
11-4
processes any packet with destination address (DA) 10.0.0.1. When R1 becomes active again, it takes over as the master and R2 reverts to backup. The VRRP MAC address is always: 00-00-5e-00-01-vrid. The valid VRID range is 0x010xFF.
subnet 2
subnet 1
Figure 11-2 shows two physical routers backing each other up through VRRP. Routers R1 and R2 are both configured with VRID 1 and VRID 2. In this configuration, under normal circumstances the routing load is distributed between the two routers.
g013133
VRID 1 10.0.0.1
11-5
VRID 3 address: 20.0.0.251 VRID 4 address: 20.0.0.252 interface address: 20.0.0.252/8 R2 interface address: 10.0.0.254/8 VRID 1 address: 10.0.0.253 VRID 2 address: 10.0.0.254
subnet 1
VRID 1 10.0.0.253 default gateway: 10.0.0.253/8 Notes R1: master router for VRID 3 backup router for VRID 4 master router for VRID 1 backup router for VRID 2 default gateway: 10.0.0.254/8
VRID 2 10.0.0.254
R2: backup router for VRID 3 master router for VRID 4 backup router for VRID 1 master router for VRID 2
g013132
11-6
Figure 11-3 is noticeably similar to Figure 11-2 except that there is no real owner for the addresses configured by the VRIDs. Consequently, both routers R1 and R2 are configured as backup routers for VRID 1, VRID 2, VRID 3, and VRID 4.
default gateway: 20.0.0.252/8 VRID 3 20.0.0.251 subnet 2 VRID 4 20.0.0.252 default gateway: 20.0.0.251/8
VRID 3 address: 20.0.0.251 VRID 4 address: 20.0.0.252 interface address: 20.0.0.2/8 R2 interface address: 10.0.0.2/8 VRID 1 address: 10.0.0.253 VRID 2 address: 10.0.0.254
subnet 1
Assuming that preemption is enabled, the router that is configured with the highest priority for each VRID becomes the master. If priorities are the same, the router that has the highest primary address becomes the master. This configuration shows how the address owner does not necessarily need to exist under VRRP. The configuration seems somewhat mysterious, since the PCs are never able to ping their gateway; however, they can talk to destinations outside their own subnet. IP multicast packets are used by the election protocol specified in VRRP to provide the router with redundancy. Therefore, VRRP can operate over a variety of multiaccess LAN technologies supporting IP multicast. It is important to remember that there is always one master for an IP address shared by the redundancy group.
g013131
VRID 1 10.0.0.253
VRID 2 10.0.0.254
11-7
The E-series router assigns common VRIDs to the group of routers that are going to share IP addresses. The E-series router sends VRRP advertisements to well-known multicast addresses. The router that owns the addresses automatically becomes the master and sends periodic VRRP advertisement messages. A VRRP advertisement consists of the IP addresses that the master controls and the VRID. If the master stops advertising for a predetermined period of time, the remaining routers using the same VRID enter an election process to determine which router takes over the master responsibilities. If the master does not own the IP addresses for which it is responsible, it drops all packets that have DAs to these IP addresses. If the elected master fails, backup routers start the election process again. When the original master becomes operational again, it restarts broadcasting advertisements as long as preemption is enabled or the master is the address owner. Packet forwarding responsibility then shifts back to the original master router.
4 5 6
If the master router becomes unavailable, there are rules that govern election of the master router: The backup router assigned the highest priority for each VRID becomes the master. If two backup routers were assigned the same priority, the router that has the highest primary address becomes the master. For example, if several routers were all assigned the default priority of 100, then the IP addresses must be compared.
11-8
Router election on a VRRP router can also be determined by whether or not the preemption option is enabled. When a backup router detects a master router with a lower priority than the backup has, the backup router may either choose to leave the current master alone or take over the current master and become the master itself. When preemption is enabled, a backup router always preempts or takes over the responsibility of the master router. When preemption is disabled, the lower-priority backup is left in the master state.
Note: It is possible that ICMP redirects source address may be overridden when VRRP is in use. When a backup VRID acts as a master on a given IP interface, its ICMP redirects must fake the source IP address of the IP address owner. The IP address must be faked because hosts accept only an ICMP redirect that was sent by the hosts current gateway.
Configuring VRRP
You must perform certain steps to configure VRRP; others are optional.
Configuring the IP Interface
Before you configure VRRP, you must configure an IP interface and assign a primary IP address and subnet mask. When the IP address belongs to the owner of the VRID, it must be associated with the VRID you create. To configure an IP interface and IP address:
1
Configure an IP interface.
host1(config)#interface fastEthernet 4/0
Note: It is recommended that you complete all IP address configurations before you configure VRRP. If for any reason the IP address information is changed after you configure VRRP, you must revise the associated IP addresses configured on the related VRRP entries. If auto addresses are specified in the ip vrrp virtual-address command and they are used in conjunction with priority 255, you must disable and reenable the VRRP entry for the association list to be updated.
11-9
Creating VRIDs
A master or backup router running the VRRP protocol may participate in one or more VRID instances. There are several ways to create a VRID instance: It is recommended that you create and/or configure a VRID instance first, and enable it last. For example:
host1(config-if)#ip vrrp 198 host1(config-if)#ip vrrp 198 priority 255
You can create and enable a VRID instance by using the ip vrrp vrid enable command, as shown below.
host1(config-if)#ip vrrp 25 enable
You continue to configure the VRID by identifying the VRID each time a VRRP command is used. For example:
host1(config-if)#ip vrrp 175 authentication-type none
Alternatively, you can create a new VRID when configuring any VRRP command, providing it is the first time the VRID instance is used. For example, if you execute the command ip vrrp vrid preempt and it is the first time that VRID is used, a new VRID is created.
host1(config-if)#ip vrrp 16 preempt
Use the ip vrrp vrid enable command last. The new VRID is not enabled until you execute this command.
host1(config-if)#ip vrrp 198 enable host1(config-if)#ip vrrp 16 enable host1(config-if)#ip vrrp 175 enable
Configuration Steps
Before configuring VRRP, you may find it helpful to review the configuration examples in the earlier section How VRRP Works. To configure VRRP parameters:
1
11-10
Set the VRRP router priority for owner and/or backup router(s). This step is mandatory to configure priority for the owner VRID (255). This step is optional to configure priority for a backup VRID (1254). The default is 100.
host1(config-if)#ip vrrp 25 priority 255 host1(config-if)#ip vrrp 22 priority 254
(Optional) Set the preemption option. In this example a new VRID is created.
host1(config-if)#ip vrrp 10 preempt
ip vrrp
Use to create a VRID instance. The VRID range is between 1255. Example
host1(config-if)#ip vrrp 25
ip vrrp advertise-interval
Use to configure the advertisement interval time. The interval time can be configured for seconds or milliseconds. Use seconds to be in compliance with RFC 2338. If your VRID environment consists of only E-series routers, you can optionally use milliseconds. Example
host1(config-if)#ip vrrp 25 advertise-interval 50
11-11
ip vrrp authentication-key
Use to specify the authentication key. Use the key keyword only when the authentication type is text. See ip vrrp authentication-type. Example
host1(config-if)#ip vrrp 25 authentication-key dublin
Use no ip vrrp authentication-key to set the authentication key to its default, empty string.
ip vrrp authentication-type
Use to specify the authentication type of either text or none. Example
host1(config-if)#ip vrrp 175 authentication-type none
Use no ip vrrp authentication-type to set the authentication type to its default, none.
ip vrrp enable
Use to enable an existing VRID instance. The VRID range is between 1255. The default is disable. Example
host1(config-if)#ip vrrp 175 enable
ip vrrp preempt
Use to enable preemption. When preemption is enabled, a backup router always takes over the responsibility of the master router. When preemption is disabled, the lowerpriority backup is left in the master state. Example
host1(config-if)#ip vrrp 10 preempt
ip vrrp priority
Use to configure the priority of VRRP routers. A value of 255 implies master router priority. A value of 1254 implies backup router priority. Example
host1(config-if)#ip vrrp 25 priority 255
Use the no version to set the priority to the default value, 100.
11-12
ip vrrp virtual-address
Use to associate an IP address with a VRID. If the auto keyword is used, associated addresses are automatically learned or configured, depending on the priority attribute. There is no default. Example
host1(config-if)#ip vrrp 25 virtual-address 194.2.1.63 255.255.255.0
Use no ip vrrp virtual-address to remove an IP address association with a VRID. If auto addresses are used, the no version clears the auto flag.
Monitoring VRRP
You can use several VRRP show commands to monitor the details of your VRRP configuration.
baseline ip vrrp
Sets the baseline on all VRRP statistics as the current value. Example
host1#baseline ip vrrp
show ip vrrp
Use to display a detailed summary of all VRIDs configured. Use the interface keyword to specify a specific Fast Ethernet or Gigabit Ethernet interface. Field descriptions
Interface Fast Ethernet or Gigabit Ethernet interface specifier and VRID primary address IP address used while in master state; not necessarily an
associated address
operational state state of the VRRP router: master, backup, or init; when
the operational state is backup, the current masters ip address is given
admin state administrative status: enabled or disabled up time number of seconds that the VRID has been enabled in non-init
state
interval VRRP advertisement interval: seconds/milliseconds last error status help text used to debug any error detected priority priority of VRRP router auth type the VRRP authentication type: none or text preemption VRRP router preemption status: enabled or disabled auto assoc address(es) IP addresses associated with VRID
11-13
Example
Interface: fastEthernet5/0.0 vrrpVrid: 1 primary address: 10.0.0.2 operational state: backup (current master: 130.0.0.1) admin state: enabled up time: 145 seconds interval: 1 second last error status: no error priority: 101 auth type: none preemption: enabled auto assoc address(es): 10.0.0.1, 100.0.0.1, 101.0.0.1
Interface Fast Ethernet or Gigabit Ethernet specifier VRID VRRP router instance configured on this interface Primary Address IP address used while in master state; not necessarily an
associated address
State operational state of VRRP router: master, backup, or init Adv advertisement interval in seconds Pri priority assigned to this router Admin administrative state of the VRID: enabled or disabled
VRID Primary Address State ---- --------------- -----255 123.123.123.123 init 1 1.1.1.1 master Adv Pri Admin --- --- -------1 100 disabled 1 254 enabled
Example
time discovered date and time neighbor was detected primary address primary IP address of neighbor adv interval (sec) VRRP advertisement interval in seconds priority priority status of VRRP router (255 = owner)
11-14
auth type VRRP authentication type: none or text assoc address(es) IP addresses associated with VRID that are advertised
by neighbor Example
Interface: fastEthernet5/0.0 vrrpVrid: 1 time discovered: 08/09/2001 07:44 primary address: 10.0.0.1 adv interval (sec): 1 priority: 255 (owner) auth type: none assoc address(es): 10.0.0.1, 100.0.0.1, 101.0.0.1 Interface: fastEthernet5/0.1 vrrpVrid: 11 time discovered: 08/09/2001 07:44 primary address: 11.0.0.1 adv interval (sec): 1 priority: 255 (owner) auth type: none assoc address(es): 11.0.0.1, 110.0.0.1, 111.0.0.1
vrIdErrors total number of VRRP packets received with an invalid VRID for
this virtual router
iccErrors count of line module notifications that did not make it to the
controller
txErrors count of advertisements that did not get sent due to resource
limitations
Interface Fast Ethernet or Gigabit Ethernet interface specifier and VRID becomeMaster total number of times that this VRID state has transitioned
to master
advertiseRcvd total number of VRRP advertisements received advertiseIntervalErrors total number of VRRP advertisement packets
received for which the advertisement interval is different from the one configured for the VRID
11-15
authFailures total number of VRRP packets received that do not pass the
authentication check
priorityZeroPktsSent total number of VRRP packets sent with a priority of 0 invalidTypePktsRcvd total number of VRRP packets received with an
invalid value in the Type field
11-16
vrIdErrors total number of VRRP packets received with an invalid VRID for
this virtual router
iccErrors count of line module notifications that did not make it to the
controller
txErrors count of advertisements that did not get sent due to resource
limitations
11-17
Example
host1#show ip vrrp statistics global Globals: checksumErrors: 0 versionErrors: 0 vrIdErrors: 0 iccErrors: 0 txErrors: 0 rxErrors: 0
ip interfaces with vrrp total number of VRIDs configured on ip interfaces entries total number of entries in all states entries enabled number of entries that were enabled entries with owner priority number of entries with owner priority entries in init state number of entries in the init state entries in backup state number of entries in backup state entries in master state number of entries in master state
host1#show ip vrrp summary ip interfaces with vrrp: 1 entries: 10 entries enabled: 10 entries with owner priority: 1 entries in init state: 0 entries in backup state: 9 entries in master state: 1
Example
11-18
Part 4
Configuring IPSec
12
Page 12-1 12-3 12-4 12-15 12-20 12-31 12-42
Overview
The IP security functionality covered in this chapter includes the following major areas: Encapsulating protocols, including AH and ESP, to provide security on specified packets The ISAKMP/IKE protocol suite to provide automatic negotiation of security associations including session keys
12-2
Terms
Table 12-1 defines terms and abbreviations that are used in this discussion of IPSec.
Table 12-1 IPSec terms and abbreviations Term 3DES AH CA DES DSS ESP HMAC IKE IKE endpoint Inbound traffic Definition Triple DES encryption/decryption algorithm Authentication Header. Provides authentication of the sender and of data integrity. certificate authority Data Encryption Standard encryption algorithm Digital Signature Standard authentication algorithm Encapsulating Security Payload, provides data integrity, data confidentiality and, optionally, senders authentication Hashed Message Authentication Code Internet Key Exchange IP address of the entity that is one of two endpoints in an IKE/ISAKMP SA. In the context of a secure interface, inbound traffic refers to already secured traffic arriving on that interface (identified based on its SPI). This traffic is cleared and checked against the security parameters set for that interface. IP security IP address of the entity that is one of two endpoints in an IPSec SA Internet Security Association and Key Management Protocol Security associations used to secure control channels between security gateways. These are negotiated via IKE phase I. Message Digest x hash algorithm A random value used to detect and protect against replay attacks In the context of a secure interface, outbound traffic is the clear traffic forwarded to the interface (either by policy or by routing) that should be secured according to security parameters set for that interface. Perfect forward secrecy Rivest-Shamir-Adleman encryption algorithm Security association. The set of security parameters that dictate how IPSec processes a packet, including encapsulation protocol and session keys. A single secure tunnel uses multiple SAs. A virtual connection between two security gateways used to exchange data packets in a secure way. A secure tunnel is made up of a local SA and a remote SA, where both are negotiated in the context of an ISAKMP SA.
IPSec IPSec endpoint ISAKMP ISAKMP SA MDx Nonce Outbound traffic PFS RSA SA
Secure tunnel
12-3
Table 12-1 IPSec terms and abbreviations (continued) Term SHA SPI VPN Definition Secure Hash Algorithm Security parameter index Virtual private network
References
This IPSec implementation supports the following RFCs: RFC 2401 Security Architecture for the Internet Protocol (November 1998) RFC 2402 IP Authentication Header (November 1998) RFC 2403 The Use of HMAC-MD5-96 within ESP and AH (November 1998) RFC 2404 The Use of HMAC-SHA-1-96 within ESP and AH (November 1998) RFC 2405 The ESP DES-CBC Cipher Algorithm With Explicit IV (November 1998) RFC 2406 IP Encapsulating Security Payload (ESP) (November 1998) RFC 2407 The Internet IP Security Domain of Interpretation for ISAKMP (November 1998) RFC 2408 Internet Security Association and Key Management Protocol (ISAKMP) (November 1998) RFC 2409 The Internet Key Exchange (IKE) (November 1998) RFC 2410 The NULL Encryption Algorithm and Its Use With IPSec (November 1998) RFC 768 User Datagram Protocol (August 1980) For information on using digital certificates, see Chapter 13, Configuring Digital Certificates.
12-4
IPSec Concepts
This section provides an overview of IPSec concepts. IPSec provides security to IP flows through the use of authentication and encryption. Authentication verifies that data is not altered during transmission and ensures that users are communicating with the individual or organization that they believe they are communicating with. Encryption makes data confidential by making it unreadable to everyone except the sender and intended recipient. IPSec comprises two encapsulating protocols: Encapsulating Security Payload (ESP) provides confidentiality and authentication functions to every data packet. Authentication Header (AH) provides authentication to every data packet.
Secure IP Interfaces
Secure IP interfaces are virtual IP interfaces that can be configured to provide confidentiality and authentication services for the data flowing through such interfaces. The software provides these services using mechanisms created by the suite of IPSec standards established by the IETF. Secure IP interfaces connect the router to any other endpoint through the routed network and allow much of the same functionality as other IP interfaces. Traffic can reach a secure IP interface via routing and/or policy routing. A secure tunnel is a layer 2 entity. It is a point-to-point connection that is mapped on top of other IP interfaces. Secure tunnels carry only IP traffic. A secure IP interface is a layer 3 entity; that is, an IP interface mapped on top of a secure tunnel that inherits all security associated with it. Secure IP interfaces are a logical representation of a secure connection between two security endpoints, one of which is the local system. The remote endpoint can be another security gateway or a host.
RFC 2401 Compliance
RFC 2401 states that a security policy database (SPD) must exist for each physical interface in the router, and an administrator must configure
12-5
these SPDs to determine which traffic must be IPSec-protected, not IPSec-protected, or denied. The E-series router does not support a system-wide SPD. Instead, the router takes advantage of routing policies that are applied to physical interfaces to describe which traffic should be forwarded to a single IPSec tunnel, which traffic should be discarded, and so on. The router also applies IPSec selectors to traffic going into or coming out of a secure tunnel so that no unwanted traffic is allowed inside the tunnel. Supported selectors include IP addresses, subnets, and IP address ranges. Note that an implementation that strictly follows RFC 2401 requires a separate IPSec tunnel for each SPD entry.
IPSec Protocol Stack
Figure 12-1 shows the protocol stack on a client, an IPSec gateway, and a server. In the figure, HTTP and TCP are examples of higher-level protocols involved in the end-to-end communication; other end-to-end communication protocols are also supported. The layers where the data can be encrypted are shown in gray.
HTTP
HTTP
HTTP
TCP
TCP
Private IP
TCP
IP
Client
IPSec
IPSec
IPSec
ETH
Public IP Layer 2
IP
L2
IPSec gateway
Figure 12-1 IPSec tunneling stack
g013305
12-6
Security Parameters
Secure IP interfaces allow tunneled traffic to be secured in many ways. For that, secure interfaces are associated with security parameters that are enforced for traffic that goes through these interfaces. Table 12-2 gives a brief description of all parameters used for a secure IP interface.
Table 12-2 Security parameters used on secure IP interfaces Security Parameter
Description Manual interfaces are configured manually on both local and remote security gateways. Signalled interfaces are able to dynamically set up connections between security gateways using ISAKMP/IKE.
Operational VR
Operational parameters for the secure IP interface, including the virtual router context to which this interface belongs and the network prefix reachable through the interface. Transport network characteristics for the tunnel, including its virtual router context and source and destination IP addresses. A key generation approach that guarantees that every newly generated session key is not in any way related to the previous keys. PFS ensures that a compromised session key will not compromise previous and subsequent keys. A limit on time and traffic volume allowed over the interface before an SA needs to be renegotiated. The actual session-related parameters used by both security gateways to secure the traffic between them. The SA can be manually defined for manual secure IP tunnels or dynamically negotiated for signalled tunnels. Two sets of SA parameters exist. One for inbound traffic and another for outbound traffic.
Transform set
The set of security parameters, including protocols and algorithms, that is considered adequate to provide a required security level to the traffic flowing through an interface.
g013306
Layer 2
Public IP
IPSec header
Private IP
Payload
IPSec trailer
12-7
Figure 12-3 shows the relationships of the various security parameters to the IPSec security interface. Each parameter is covered in detail in the following sections.
[Manual | Signaled] Mask IP address Operational VR Perfect forward secrecy [On | Off] Lifetime [Time-out] [Volume-out] Security association Tunnel ID Transport VR Destination IP address Source IP address
Secure IP interface
Inbound SA(s)
Transform set
Outbound SA(s)
Transform
Encryption keys
12-8
The router supports both manual and signalled interfaces: Manual interfaces use a preconfigured set of SA parameters to secure traffic flowing through a secure IP interface. If SA parameters are not preconfigured for a manual secure interface, all traffic reaching the interface is dropped. Statistics are kept for dropped traffic. A manual secure IP tunnel must be manually provisioned in both peer security gateways. Signalled interfaces negotiate an SA on demand with the remote security gateway. The remote security gateway must also support SA negotiation; otherwise traffic is dropped. Again, statistics are kept for dropped traffic. The router supports SA negotiation within an IKE SA by means of the ISAKMP and IKE protocols. Only one IKE SA is maintained between a set of local and remote IKE endpoints. That means that if an IKE SA already exists between the two endpoints, it is reused. Secure IP interface parameters can be required, optional, or not applicable, depending on whether the interface is manual or signalled. Table 12-3 shows how the other security parameters fit with manual and signalled interfaces.
Table 12-3 Security parameters per IPSec policy type Security Parameter Transport VR Operational VR Perfect forward secrecy Lifetime Inbound and outbound SAs Transform set Manual Required Required Optional Optional Required Required Signalled Required Required Optional Optional Not Applicable Required
The operational VR for a secure IP tunnel is the VR in which a secure IP tunnel exists. The IP address and mask associated with a secure IP interface exist only within the operational VR under which the interface is declared. The VR defines the network prefix, which is reachable through the logical IP interface.
12-9
A secure IP tunnel is always a member of one and only one operational VR. Therefore, the operational VR attributes are mandatory for any secure tunnel. These attributes include: IP address and mask Virtual router where the secure IP interface exists
Transport Virtual Router
The transport VR for a secure IP tunnel is the VR in which both of the secure tunnel endpoints, the source and destination, are routable addresses. Normally, the transport VR is the default ISP routing infrastructure on top of which VPNs are provisioned. The IPSec service line module is a security gateway and, as such, is one of the endpoints for secure tunnels. The tunnel endpoints are the tunnel source and the tunnel destination IP addresses. The tunnel source IP address must be one of the local IP addresses configured on the router. The tunnel destination address must be a routable IP address within the transport VR routing tables. The transport VR information is required, although its explicit configuration is not. If omitted, the transport VR is assumed to be the same as the operational VR. However, the tunnel source and destination are mandatory elements.
Transport VR Definition
Transport virtual router name If not explicitly configured, the operational VR is assumed. Tunnel source endpoint IP address used as the tunnel source endpoint on this end of the tunnel. In the case of signalled tunnels, the router monitors and transmits on port 500 of this address for IKE negotiations. The tunnel source endpoint must be a configured IP address on the transport VR, or the router indicates an error. Tunnel destination endpoint IP address associated with the termination or initiation point of the secure IP tunnel. This address must be routable within the context of the transport VR. Each secure IP tunnel can have a different remote IP address.
12-10
PFS is an optional feature that causes every newly refreshed key to be completely unrelated to the previous key. PFS provides added security, but requires extra processing for a new Diffie-Hellmann key exchange on every key refresh. If PFS is enabled, the router mandates PFS during SA negotiation. The remote security gateway must accept PFS if the SA is to be successfully negotiated. On the other hand, if PFS is disabled, PFS may still be negotiated if the remote security gateway requests PFS. PFS supports three Diffie-Hellmann prime modulus groups: Group 1 A 768-bit Diffie-Hellmann prime modulus group Group 2 A 1024-bit Diffie-Hellmann prime modulus group Group 5 A 1536-bit Diffie-Hellmann prime modulus group SA negotiation favors the highest request. For example, if group 2 is requested locally, the remote security gateway must support group 2 for the SA negotiation to be successful. If group 1 is requested locally, then either groups 1 or 2 can be accepted, depending on requests from the remote security gateway.
Lifetime
You can set a lifetime for user SAs and IKE SAs. For information on setting the IKE SA lifetime, see Lifetime in the IKE Policies section later in this chapter. For signalled IPSec interfaces, both the inbound and outbound SA must be assigned a lifetime. The lifetime parameter controls the duration for which the SA is valid. When a user SA is established, both a timer and a traffic volume counter are set. When either counter reaches the limit specified by the SAs lifetime, a new SA is negotiated and the expired SA is deleted. The renegotiations refresh several SA parameters, including keys. Note the following about how the lifetime parameters work: To avoid delays in the data flow, a new user SA is actually renegotiated before the expiration. If the SA expires in the middle of processing a packet, the router finishes processing that packet. The actual user SA lifetime may not equal the value configured in the router.
12-11
There are both global and tunnel-specific lifetime parameters. If there is no tunnel-specific lifetime configured, the router uses the global lifetime. The global lifetime parameters have the following default settings:
> 8 hours for the time-based lifetime > 100 MB for the traffic-based lifetime
Lifetime parameters are valid only for user SAs established via IKE. Manually configured user SAs ignore this parameter. You can set a lifetime for all SAs on a specific tunnel, and you can set a global lifetime. To set the tunnel lifetime, use the tunnel lifetime command. To set the global (default) lifetime, use the ipsec lifetime command.
Inbound and Outbound SAs
SA parameters are the actual session parameters used to secure a specific data flow associated with a specific secure IP interface. For manual secure IP interfaces, the system administrator sets SA parameters. Manually setting SA parameters allows provisioning of IP security to destinations that do not support SA negotiation via IKE. For signalled secure IP interfaces, the two security gateway peers negotiate SA parameters; the system administrator is not allowed to set any of the parameters. In fact, for some of these parameters, such as session keys, the system administrator is not granted even read-access. Similarly to IPSec SA, SA parameters are unidirectional. Therefore, for a two-way data flow, two SAs need to be establishedone for inbound traffic and another for outbound traffic. For each direction, SA parameters must be set for each transform associated with a secure IP interface. Therefore, two sets of SA parameters exist for each secure IP interface, one being the inbound SA parameters and the other the outbound SA parameters. The following parameters form each set of SA parameters: SPI A unique identifier for the SA used when securing this flow. An SPI is unique for a given destination IP address and protocol tuple. The destination IP address is either the remote secure IP interface endpoint for the outbound direction or the local secure IP interface endpoint for the inbound direction.
12-12
Encapsulation The encapsulation options include both an encapsulating protocol and an encapsulating mode. The protocol can be either ESP or AH. The mode is tunnel mode. Transforms The allowed transforms for given SA parameters depend on its encapsulation protocol. See Transform Sets for more information. Keys The session key used for the respective SA transform. The key length depends on the SA transform to which it applies, and is as follows:
> DES 8 bytes > 3DES 24 bytes > MD5 16 bytes > SHA 20 bytes Transform Sets
Transform sets are composed of security parameters that provide a required security level to a particular data flow. Transform sets are used during user SA negotiation to find common agreement between the local and the remote security gateway on how to protect that specific data flow. A transform set includes encapsulation protocols and transforms; for example, encryption/decryption/authentication algorithms. These parameters are grouped to specify the acceptable protection for a given data flow. Many transform sets are supported, since different traffic requires distinct security levels. A secure IP tunnel is associated with one transform set. Multiple secure IP tunnels can refer to the same transform set. Changing existing transform sets affects only future user SA negotiations. User SAs that are already established remain valid and do not use the changed transform set until they are renegotiated. For manually configured secure IP tunnels, the associated transform set must contain a single transform option.
12-13
Encapsulation Protocols Both the AH and ESP protocols are supported. See supported transforms in Table 12-4.
AH provides authentication. ESP provides data confidentiality and antireplay functions. ESP can also provide data authentication, although, in this implementation, ESP does not cover the outer IP header.
Encapsulation Modes IPSec supports two encapsulation modestunnel mode and transport mode. Currently the E-series router supports only tunnel mode. Tunnel mode creates a second IP header in the packet and uses both the local and remote security gateway addresses as source and destination IP addresses. Supported Transforms Table 12-4 describes the supported
transforms.
Table 12-4 Supported transforms Transform AH-MD5 AH-SHA Description IPSec performs AH protocol encapsulation using the MD5 hash function with HMAC message authentication. IPSec performs AH protocol encapsulation using the SHA-1 hash function with HMAC message authentication. SHA-1 is considered stronger than MD5. IPSec performs ESP protocol encapsulation using the MD5 hash function with HMAC message authentication. IPSec performs ESP protocol encapsulation using the SHA-1 hash function with HMAC message authentication. SHA-1 is considered stronger than MD5. IPSec performs ESP protocol encapsulation using the DES encryption algorithm. DES uses a 56-bit symmetric key and is considered a weak (breakable) encryption algorithm. IPSec performs ESP protocol encapsulation using the 3DES encryption algorithm. 3DES uses a 168-bit symmetric encryption key and is widely accepted as a strong encryption algorithm. Export control issues apply to products that ship from the USA with 3DES. Combination of ESP-MD5 and ESP-DES transforms. Combination of ESP-SHA and ESP-DES transforms. Combination of ESP-MD5 and ESP-3DES transforms. Combination of ESP-SHA and ESP-3DES transforms.
ESP-MD5 ESP-SHA
ESP-DES
ESP-3DES
12-14
Table 12-5 shows the security functions achieved with the supported transforms, and provides a view of which combinations can be used, depending on security requirements.
Table 12-5 Combinations of supported security transforms Security Type Data authentication only Supported Transform Combinations AH-HMAC-MD5 AH-HMAC-SHA ESP-HMAC-MD5 ESP-HMAC-SHA Data confidentiality only Data authentication and confidentiality ESP-DES ESP-3DES ESP-DES-MD5 ESP-DES-SHA ESP-3DES-MD5 ESP-3DES-SHA
Note that the IPSec service line module does not support both the ESP and AH encapsulation modes concurrently on the same secure tunnel.
Negotiating Transforms Inside a transform set, IPSec transforms are numbered in a priority sequence.
During negotiation as an initiator of the user SA, the router uses transform number one first. If the remote system does not agree on the transform, the router then tries number two, and so on. If both end systems do not agree on a transform, the user SA fails and the secure IP tunnel is not established. During negotiation as a responder, the router compares the proposed transform from the remote end against each transform in the transform set. If there is no match, the router provides a negative answer to the remote end, which can either try another transform or give up. If no match is found, the secure IP tunnel is not established.
Other Security Features IP Security Policies
The E-series router does not support a system-wide security policy database (SPD). Instead, the router takes advantage of routing to forward traffic to and from a secure tunnel. The router still applies IPSec selectors to traffic going into or coming out of a secure tunnel so that no unwanted
12-15
traffic is allowed inside the tunnel. Supported selectors include IP addresses, subnets, and IP address ranges.
ESP Processing
The router supports both the encryption and authentication functions of ESP encapsulation as defined in RFC 2406. Specifically, the router supports: DES and 3DES encryption algorithms The HMAC-SHA and HMAC-MD5 authentication algorithms ESP security options on a per-tunnel (per-SA) basis Tunnel mode
AH Processing
The router supports AH encapsulation as defined in RFC 2402. Specifically, the router supports: HMAC-SHA and HMAC-MD5 authentication algorithms AH authentication options on a per-tunnel (per-SA) basis Tunnel mode
IPSec Maximums Supported
Refer to the E-Series Release Notes, Appendix A, System Maximums corresponding to your software release for information on maximum values.
IKE Overview
The IKE suite of protocols allows a pair of security gateways to: Dynamically establish a secure tunnel over which the security gateways can exchange tunnel and key information. Set up user-level tunnels or SAs, including tunnel attribute negotiations and key management. These tunnels can also be refreshed and terminated on top of the same secure channel.
12-16
IKE is based on the Oakley and Skeme key determination protocols and the ISAKMP framework for key exchange and security association establishment. IKE provides: Automatic key refreshing on configurable timeout. Support for public key infrastructure (PKI) authentication systems. Antireplay defense. IKE is layered on UDP and uses UDP port 500 to exchange IKE information between the security gateways. Therefore, UDP port 500 packets must be permitted on any IP interface involved in connecting a security gateway peer. The following sections expand on the IKE functionality available for the router.
Main Mode and Aggressive Mode
IKE phase 1 negotiations are used to establish IKE SAs. These SAs protect the IKE phase 2 negotiations. IKE uses one of two modes for phase 1 negotiations: main mode or aggressive mode. The choice of main or aggressive mode is a matter of tradeoffs. Some of the characteristics of the two modes are: Main mode
> Protects the identities of the peers during negotiations and is
messages are exchanged between peers. (Six messages are exchanged in main mode.) Aggressive mode
> Exposes identities of the peers to eavesdropping, making it less
between peers. (Three messages are exchanged in aggressive mode.) The next section describes aggressive mode in more detail.
12-17
During aggressive mode phase 1 negotiations, the E-series router behaves as follows: When the router is the initiator, the router searches all policy rules to find those that allow aggressive mode. The router then selects the rule with highest priority and uses the rule to initiate phase 1 negotiation. If there are no policy rules with aggressive mode allowed, the router selects the highest-priority rule that allows main mode. When the router is the responder, the negotiation depends on what the initiator proposes, as well as what is configured in the policy rules. Table 12-6 outlines the possible combinations of initiator proposals and policy rules. As shown, allowing aggressive mode in a policy rule allows negotiation to take place no matter what the initiator requests.
Table 12-6 Initiator proposals and policy rules Initiator Requests Aggressive mode Aggressive mode Main mode Main mode Responder Policy Rule Aggressive allowed Aggressive not allowed Aggressive allowed Aggressive not allowed Match Yes No Yes Yes
The router responds to phase 1 negotiations with the highest priority policy rule that matches the initiator. A match means that all parameters, including the exchange type, match.
IKE Policies
An IKE policy defines a combination of security parameters to be used during the IKE SA negotiation. IKE policies are configured on both security gateway peers, and there must be at least one policy on the local peer that matches a policy on the remote peer. Failing that, the two peers will not be able to successfully negotiate the IKE SA, and no data flow will be possible. IKE policies are global to the router. Every IPSec service line module on a router uses the same set of policies when negotiating IKE SAs. The agreed-on IKE SA between the local system and a remote security gateway may vary, because it depends on the IKE policies used by each remote peer. However, the initial set of IKE policies the router uses is always the same and independent of which peer the router is negotiating with.
12-18
During negotiation, the router may skip IKE policies that require parameters that are not configured for the remote security gateway with which the IKE SA is being negotiated. You can define up to ten IKE policies, with each policy having a different combination of security parameters. A default IKE policy that contains default values for every policy parameter is available. This policy is used only when IKE policies are not configured and IKE is required. The following sections describe each of the parameters contained in an IKE policy.
Priority
Priority allows better (more secure) policies to be given preference during the negotiation process. The fact still remains that every IKE policy is considered secure enough to secure the IKE SA flow. During IKE negotiation all policies are scanned, one at a time, starting from the highest-priority policy and ending with the lowest-priority policy. The first policy that the peer security gateway accepts is used for that IKE session. This procedure is repeated for every IKE session that needs to be established.
Encryption
A specific encryption transform can be applied to an IKE policy. The supported encryption algorithms are: DES 3DES
Hash Function
A specific hash function can be specified to an IKE policy. The supported ones are: MD5 SHA-1 IKE also uses an authentication algorithm during IKE exchanges. This authentication algorithm is automatically set to the HMAC version of the specified hash algorithm. Therefore, you cannot have the hash function set to MD5 and authentication algorithm set to HMAC-SHA.
12-19
Authentication Mode
As part of the IKE protocol, one security gateway needs to authenticate the other security gateway to make sure that the IKE SA is established with the intended party. The E-series router supports two authentication methods: Digital certificates (using RSA algorithms) For digital certificate authentication, an initiator signs message interchange data using his private key, and a responder uses the initiators public key to verify the signature. Typically, the public key is exchanged via messages containing an X.509v3 certificate. This certificate provides a level of assurance that a peers identity (as represented in the certificate) is associated with a particular public key. For more information, see Chapter 13, Configuring Digital Certificates. Preshared keys With preshared key authentication mode, the same secret string (similar to a password) must be configured on both security gateways before the gateways can authenticate each other. It is not advisable to share a preshared key among multiple pairs of security gateways, because it reduces the keys security level. The router allows preshared keys to be up to 256 characters composed of any ASCII alphanumeric character.
Diffie-Hellman Group
An IKE policy must specify which Diffie-Hellmann group is used during the symmetrical key generation phase of IKE. The following Diffie-Hellmann groups are supported: Group 1 (768-bit) Group 2 (1024-bit) Group 5 (1536-bit)
Lifetime
Like a user SA, an IKE SA should not last indefinitely. Therefore, the router allows you to specify a lifetime parameter for an IKE policy. The timer for the lifetime parameter begins when the IKE SA is established using IKE.
12-20
IKE SA Negotiation
As the initiator of an IKE SA, the router sends its IKE policies to the remote peer. If the peer has an IKE policy that matches the encryption, hash, authentication method, and Diffie-Hellmann group settings, the peer returns the matching policy. The peers use the lesser lifetime setting as the IKE SA lifetime. If no match is found, the IKE SA fails, and a log alarm is generated. As the responder of an IKE negotiation, the router receives all IKE policies from a remote security gateway. The router then scans its own list of IKE policies to check whether a match exists, starting from the highest priority. If it finds a match, that policy is successfully negotiated. Again, the lifetime is negotiated to the lesser of the two lifetimes, and failures are logged.
Configuration Tasks
This section shows the steps to configure an IPSec license and IPSec parameters, create an IPSec tunnel, and define an ISAKMP/IKE policy. The next section contains configuration examples.
Configuring an IPSec License
You can purchase IPSec licenses, which allow additional IPSec tunnels in the E-series router. The number of additional tunnels depends on the number of IPSec Service line modules (ISMs) installed in the router and the type of license that you purchase. Table 12-7 shows how many tunnels are allowed in the router depending on how many ISMs are installed and the type of license configured on the router.
Table 12-7 Number of IPSec tunnels allowed in E-series routers Number of ISMs in Chassis One Two Number of IPSec Tunnels Allowed in System Without a License 2,500 5,000 Level 1 License 5,000 7,500 7,500 Level 2 License 5,000 10,000 10,000
If you have two ISMs in one chassis and have not purchased an IPSec license, you can configure 5,000 tunnels on the router. If you remove one of the ISMs, the router allows all 5,000 tunnels to migrate to the remaining ISM. However, on reload, the router brings up only 2,500 tunnels.
12-21
license ipsec-tunnels
Use to specify an IPSec tunnel license.
Note: Acquire the license from Juniper Networks Customer Service or your Juniper Networks sales representative.
Example
host1(config)#license ipsec-tunnels g1k23b23eb2j
To configure IPSec:
1
For each endpoint, create a transform set that provides the desired encryption and authentication.
host1(config)#ipsec transform-set customerAprotection esp-3des-hmac-sha host1(config)#ipsec transform-set customerBprotection ah-hmac-md5
Add a preshared key that the routers use to authenticate each other.
host1(config)#ipsec key manual pre-share 5.2.0.1 host1(config-manual-key)#key customerASecret
Once you enter a preshared key, the router encrypts the key and displays it in masked form to increase the security of the key. If you need to reenter the key, you can enter it in its masked form using this command. To see the masked form of the key:
host1#show config ! ipsec key manual pre-share 10.10.1.1 masked-key AAAAGAAAAAcAAAACfd+SAsaVQ6Qeopt2rJOP6LDg+0hX5cMO !
12-22
Define the local endpoint used for ISAKMP/IKE negotiations for all IPSec tunnels in the router.
host1(config)#ipsec local-endpoint 10.10.1.1 transport-virtual-router vr#8
(Optional) Set the global (default) lifetime for all SAs on the router.
host1(config)#ipsec lifetime kilobytes 42000000
Use the no version to delete a manually configured key from the router.
ipsec lifetime
Use to set the global (default) lifetime in seconds and/or volume of traffic. The IPSec lifetime applies to tunnels that do not have a tunnel lifetime defined. When either limit is reached, the SA is renegotiated. To set a lifetime for all SAs on a tunnel, use the tunnel lifetime command. To set a lifetime for a specific SA, use the lifetime command. Example 1
host1(config)#ipsec lifetime kilobytes 42000000
Example 2
host1(config)#ipsec lifetime seconds 8600
Use the no version to restore the default values of 4294967295 kilobytes and 28800 seconds (8 hours).
ipsec local-endpoint
Use to define a default local endpoint for ISAKMP/IKE negotiations and all IPSec tunnels for a transport virtual router. You must specify the IP address used as the local endpoint and the transport virtual router on which the IP address is defined.
12-23
Example
host1(config)#ipsec local-endpoint 10.10.1.1 transport-virtual-router VR#8
Use the no version to delete a local endpoint. You cannot remove an endpoint if a tunnel is referencing the endpoint.
ipsec transform-set
Use to create a transform set. Each transform in a set provides a different combination of data authentication and confidentiality. Transform sets used for manually configured tunnels can have one transform. Transform sets used for signalled tunnels can have up to six transforms. The actual transform used on the tunnel is negotiated with the peer. Transforms are numbered in a priority sequence in the order in which you enter them. Example
host1(config)#ipsec transform-set espSet esp-3des-hmac-md5 esp-3des-null-auth
Use the no version to delete a transform set. You cannot remove a transform set if a tunnel is referencing the transform set.
key
Use to enter a manual preshared key. Preshared keys can have up to 256 characters composed of any ASCII alphanumeric character. To include spaces in the key, enclose the key in quotation marks. Example
host1(config-manual-key)#key dj5fe23owi8er49fdsa
Example
host1(config-manual-key)#key my key with spaces
There is no no version. To delete a key, use the no version of the ipsec key manual command.
masked-key
Use to enter the preshared key in masked form. For security purposes, the router displays the key only in masked form. If you delete the key or reboot the router to factory defaults, you can use this command to reenter the key in its masked form so that the key is not visible while you enter it. To see the masked key, use the show config command.
12-24
Example
host1#show config ! ipsec key manual pre-share 10.10.1.1 masked-key AAAAGAAAAAcAAAACfd+SAsaVQ6Qeopt2rJOP6LDg+0hX5cMO ! host1#configure terminal host1(config)#ipsec key manual pre-share 10.10.1.1 host1(config-manual-key)#masked-key AAAAGAAAAAcAAAACfd+SAsaVQ6Qeopt2rJOP6LDg+0hX5cMO
There is no no version. To delete a key, use the no version of the ipsec key manual command.
Enter virtual router mode. Specify the VR that contains the source and destination addresses assigned to the tunnel interface.
host1(config)#virtual-router vrA host1:vrA(config)#
Specify an existing interface address that the tunnel uses as its source address.
host1:vrA(config-if)#tunnel source 5.1.0.1
12-25
For manual tunnels, specify the algorithm sets and the session key used for inbound SAs and for outbound SAs.
host1:vrA(config-if)#tunnel session-key-inbound esp-3des-hmac-md5 xj82k14OWaRqy dj3EwxNQ98z3bPw9 host1:vrA(config-if)#tunnel session-key-outbound esp-3des-hmac-md5 421 tM967dq3KvZ3j52r HeI38pkRn963wEg4
signalled.
host1:vrA(config-if)#tunnel signaling manual
12 (Optional) Set the renegotiation time of the SAs in use by this tunnel.
host1(config-if)#tunnel lifetime seconds 48000 kilobytes 249000
interface tunnel
Use to create or configure an IPSec tunnel interface. To establish the tunnel on a virtual router other than the current virtual router context, use the transport-virtual-router keyword. Example
host1(config)#interface tunnel ipsec:jak transport-virtual-router tvr041 host1(config-if)#
tunnel destination
Use to set the address of the remote tunnel endpoint. Example
host1(config-if)#tunnel destination 10.10.11.12
12-26
tunnel lifetime
Use to set the renegotiation time of the SAs in use by this tunnel. To configure the lifetime in amount of data, use the kilobytes keyword. To configure the lifetime in number of seconds, use the seconds keyword. If you include the seconds keyword as the first keyword on the command line, you can also include the kilobytes keyword on the same line. Before either the volume of traffic or number of seconds limit is reached, the SA is renegotiated, which ensures that the tunnel does not go down during renegotiation.
host1(config-if)#tunnel lifetime seconds 48000 kilobytes 249000
Use the no version to set the lifetime to the default lifetime, which you define using the ipsec lifetime command.
tunnel local-identity
Use to configure the local identity (selector) of the tunnel. Specify the identity using one of the following keywords:
address specifies an IP address as the local identity subnet specifies a subnet as the local identity range specifies a range of IP addresses as the local identity
Example 1
host1(config-if)#tunnel local-identity range 10.10.1.1 10.10.2.1
Example 2
host1(config-if)#tunnel local-identity subnet 10.10.1.1 255.255.255.0
Use the no version to set the default identity, which is subnet 0.0.0.0 0.0.0.0
tunnel mtu
Use to set the MTU size for the tunnel. Example
host1(config-if)#tunnel mtu 2240
tunnel peer-identity
Use to configure the peer identity (selector) that ISAKMP uses. Specify the identity using one of the following keywords:
address specifies an IP address as the peer identity subnet specifies a subnet as the peer identity range specifies a range of IP addresses as the peer identity
12-27
Example 1
host1(config-if)#tunnel peer-identity range 10.10.1.1 10.10.2.2
Example 2
host1(config-if)#tunnel peer-identity subnet 130.10.1.1 255.255.255.0
tunnel session-key-inbound
Use to manually configure the authentication and/or encryption algorithm sets and session keys for inbound SAs on a tunnel. You can enter this command only on tunnels that have tunnel signalling set to manual. To see a list of available algorithm sets, use the online Help. Keys are an arbitrary hexadecimal string. If the algorithm set includes:
DES, create an 8-byte key 3DES, create a 24-byte key MD5, create a 16-byte key SHA, create a 20-byte key
host1(config-if)#tunnel session-key-inbound esp-3des-hmac-md5 xj82kl40WaQp03i7 5bv0k4hm23z6uPn9
Example
tunnel session-key-outbound
Use to manually configure the authentication and/or encryption algorithm sets, SPI, and session keys for outbound SAs on a tunnel. You can enter this command only on tunnels that have tunnel signalling set to manual. To see a list of available algorithm sets, use the online Help. The SPI is a number from 256 to 4294967295 that identifies an SA.
12-28
DES, create an 8-byte key 3DES, create a 24-byte key MD5, create a 16-byte key SHA, create a 20-byte key
host1(config-if)#tunnel session-key-outbound esp-3des-hmac-md5 421 tM967dq3KvZ3j52r HeI38pkRn963wEg4
Example
tunnel signaling
Use to set the tunnel type to signalled (ISAKMP) or manual. Specify a keyword:
isakmp uses ISAKMP/IKE to negotiate SAs and to establish keys manual specifies that security parameters and keys are configured
manually Example
host1(config-if)#tunnel signaling manual
tunnel source
Use to specify an existing interface address that will serve as the tunnels source address. Example
host1(config-if)#tunnel source 10.10.2.8
tunnel transform-set
Use to specify the transform set that ISAKMP uses during SA negotiations on this tunnel. You create transform sets using the ipsec transform-set command. Example
host1(config-if)#tunnel transform-set espSet
ISAKMP/IKE policies define parameters that the router uses during ISAKMP/IKE phase 1 negotiation. To create an ISAKMP/IKE policy:
host1(config)#ipsec isakmp-policy-rule 3 host1(config-isakmp-policy)#
12-29
You can then set the following parameters, or use the default settings: Allow aggressive mode negotiation.
host1(config-isakmp-policy)#aggressive-mode
aggressive-mode
Use to allow aggressive mode negotiation for the tunnel. If you allow aggressive mode negotiation, the tunnel proposes aggressive mode to the peer in connections that the policy initiates. If the peer initiates a negotiation, the tunnel accepts the negotiation if the mode matches this policy. Example
host1(config-isakmp-policy)#aggressive-mode
authentication
Use to specify the authentication method the router uses in the IKE policy, preshared keys or RSA signature. Example
host1(config-isakmp-policy)#authentication pre-share
encryption
Use to specify one of the following encryption algorithms to use in the IKE policy:
12-30
Example
host1(config-isakmp-policy)#encryption 3des
group
Use to assign a Diffie-Hellman group to the IKE policy. Specify:
hash
Use to set the hash algorithm for the IKE policy:
ipsec isakmp-policy-rule
Use to define an ISAKMP/IKE policy. When you enter the command, you include a number that identifies the policy and assigns a priority to the policy. You can number policies from 1 to 10000, with 1 having the highest priority. You can add up to 10 ISAKMP/IKE policies per router. Example
host1(config)#ipsec isakmp-policy-rule 3 host1(config-isakmp-policy)#
Use the no version to remove policies. If you do not include a priority number with the no version, all policies are removed.
lifetime
Use to specify the lifetime of IKE SAs. The range is 60 to 86400 seconds.
host1(config-isakmp-policy)#lifetime 360
Use the no version to reset the SA lifetime to the default, 28800 seconds.
12-31
Refreshing SAs
ipsec clear sa
Use to refresh ISAKMP/IKE or IPSec SAs. To reinitialize all SAs, use the all keyword. To reinitialize SAs on a specific tunnel, use the tunnel keyword. To reinitialize SAs on tunnels that are in a specific state, use the state keyword. To specify the type of SA to be reinitialized, ISAKMP/IKE or IPSEC, use the phase keyword. Example
host1(config)#ipsec clear sa all phase 2
There is no no version.
Configuration Examples
This section contains examples of two IPSec applications. The first example shows a customer who replaces a leased line network with an IPSec network that allows the company to connect its corporate locations over the Internet. The second example provides leased line replacement to two customers who use address schemes in the same range.
Configuration Notes
Both the local and remote identities shown in these examples serve two purposes: They identify multiple IPSec tunnels between the same endpoints. They filter traffic going into and coming out of the tunnels so that it is within the specified range. If the configuration requires that only one IPSec tunnel exists between two endpoints and no traffic filtering is required, you can omit the tunnel local-identity and tunnel peer-identity commands.
Example 1
In Figure 12-4 customer A is using Frame Relay to connect its corporate offices in three cities: Boston, Ottawa, and Boca.
12-32
Ottawa
Boca
Boston
Figure 12-4 Customer As corporate Frame Relay network
Customer A hires ISP-X to provide a leased line replacement over an IP infrastructure using IPSec. ISP-X can offer a replacement for long-haul Frame Relay links by creating IPSec tunnels to carry customer As traffic securely between the sites over the public or ISP-provided IP network. This alternative will cost only a fraction of the price of the Frame Relay links. Figure 12-5 shows the connectivity scheme.
Ottawa
ERX1
Boca
ERX2
Boston
ERX3
ISP-X 100.3.0.1
g013053
200.3.0.1/16
Figure 12-5 ISP-X uses E-series routers to connect corporate offices over the Internet
On each E-series router, create a protection suite that provides 3DES encryption with SHA-1 authentication on every packet.
erx1(config)#ipsec transform-set customerAprotection esp-3des-hmac-sha
g013054
12-33
On each E-series router, create preshared keys that the three routers will use to authenticate each other:
erx1(config)#ipsec key manual pre-share 100.2.0.1 erx1(config-manual-key)#key customerASecret erx1(config-manual-key)#exit erx1(config)#ipsec key manual pre-share 100.3.0.1 erx1(config-manual-key)#key customerASecret erx1(config-manual-key)#exit erx2(config)#ipsec key manual pre-share 100.1.0.1 erx2(config-manual-key)#key customerASecret erx2(config-manual-key)#exit erx2(config)#ipsec key manual pre-share 100.3.0.1 erx2(config-manual-key)#key customerASecret erx2(config-manual-key)#exit erx3(config)#ipsec key manual pre-share 100.1.0.1 erx3(config-manual-key)#exit erx3(config-manual-key)#key customerASecret erx3(config)#ipsec key manual pre-share 100.2.0.1 erx3(config-manual-key)#key customerASecret erx3(config-manual-key)#exit
On erx1 create two IPSec tunnels, one to carry customer As traffic between Ottawa and Boston and another to carry the traffic between Ottawa and Boca: Tunnel 1:
erx1(config)#interface tunnel ipsec:Aottawa2boston erx1(config-if)#tunnel transform-set customerAprotection erx1(config-if)#tunnel local-identity subnet 200.1.0.0 255.255.0.0 erx1(config-if)#tunnel peer-identity subnet 200.3.0.0 255.255.0.0 erx1(config-if)#tunnel source 100.1.0.1 erx1(config-if)#tunnel destination 100.3.0.1 erx1(config-if)#ip address 200.3.0.0 255.255.0.0 erx1(config-if)#exit
Tunnel 2:
erx1(config)#interface tunnel ipsec:Aottawa2boca erx1(config-if)#tunnel transform-set customerAprotection
12-34
erx1(config-if)#tunnel local-identity subnet 200.1.0.0 255.255.0.0 erx1(config-if)#tunnel peer-identity subnet 200.2.0.0 255.255.0.0 erx1(config-if)#tunnel source 100.1.0.1 erx1(config-if)#tunnel destination 100.2.0.1 erx1(config-if)#ip address 200.2.0.0 255.255.0.0 erx1(config-if)#exit
On erx2 create two IPSec tunnels, one to carry customer As traffic between Boca and Ottawa and another to carry the traffic between Boca and Boston: Tunnel 1:
erx2(config)#interface tunnel ipsec:Aboca2ottawa erx2(config-if)#tunnel transform-set customerAprotection erx2(config-if)#tunnel local-identity subnet 200.2.0.0 255.255.0.0 erx2(config-if)#tunnel peer-identity subnet 200.1.0.0 255.255.0.0 erx2(config-if)#tunnel source 100.2.0.1 erx2(config-if)#tunnel destination 100.1.0.1 erx2(config-if)#ip address 200.1.0.0 255.255.0.0 erx2(config-if)#exit
Tunnel 2:
erx2(config)#interface tunnel ipsec:Aboca2boston erx2(config-if)#tunnel transform-set customerAprotection erx2(config-if)#tunnel local-identity subnet 200.2.0.0 255.255.0.0 erx2(config-if)#tunnel peer-identity subnet 200.3.0.0 255.255.0.0 erx2(config-if)#tunnel source 100.2.0.1 erx2(config-if)#tunnel destination 100.3.0.1 erx2(config-if)#ip address 200.3.0.0 255.255.0.0 erx2(config-if)#exit
12-35
Finally, on erx3 create two IPSec tunnels, one to carry customer As traffic between Boston and Ottawa and another to carry the traffic between Boston and Boca: Tunnel 1:
erx3(config)#interface tunnel ipsec:Aboston2ottawa erx3(config-if)#tunnel transform-set customerAprotection erx3(config-if)#tunnel local-identity subnet 200.3.0.0 255.255.0.0 erx3(config-if)#tunnel peer-identity subnet 200.1.0.0 255.255.0.0 erx3(config-if)#tunnel source 100.3.0.1 erx3(config-if)#tunnel destination 100.1.0.1 erx3(config-if)#ip address 200.1.0.0 255.255.0.0 erx3(config-if)#exit
Tunnel 2:
erx3(config)#interface tunnel ipsec:Aboston2boca erx3(config-if)#tunnel transform-set customerAprotection erx3(config-if)#tunnel local-identity subnet 200.3.0.0 255.255.0.0 erx3(config-if)#tunnel peer-identity subnet 200.2.0.0 255.255.0.0 erx3(config-if)#tunnel source 100.3.0.1 erx3(config-if)#tunnel destination 100.2.0.1 erx3(config-if)#ip address 200.2.0.0 255.255.0.0 erx3(config-if)#exit
The configuration is complete. Now customer A traffic between different cities flows through the public, or untrusted, IP network inside a tunnel, where each packet is encrypted and authenticated. Of course, this example shows the basic secure encapsulation of customer traffic over the untrusted IP network. You can add features such as key refreshing.
12-36
Example 2
Example 2, shown in Figure 12-6, enhances the previous example by having the same ISP-X providing leased line replacement to two customers who use address schemes in the same range. There are two ways to solve scenarios in which different customers use similar IP address schemes: One solution is to have different transport virtual routersa configuration similar to example 1, except that a different VR domain is possible. Another solution, as described in this example, simply duplicates the endpoints for the transport VR. This example assumes that the transport VR is the default VR.
Ottawa
ERX1
Public ip network
Boca
ERX2
Boston vrA
ERX3 vrB
ISP-X 5.3.0.1 5.3.0.2 Layer 2 connection, such as Frame Relay or ATM, that is trusted by the customer
g013052
12-37
On each E-series router, create a protection suite that provides customer A with 3DES encryption and SHA-1 authentication, and customer B with AH authentication using MD5.
erx1(config)#ipsec transform-set customerAprotection esp-3des-hmac-sha erx1(config)#ipsec transform-set customerBprotection ah-hmac-md5 erx2(config)#ipsec transform-set customerAprotection esp-3des-hmac-sha erx2(config)#ipsec transform-set customerBprotection ah-hmac-md5 erx3(config)#ipsec transform-set customerAprotection esp-3des-hmac-sha erx3(config)#ipsec transform-set customerBprotection ah-hmac-md5
On each E-series router, create a protection suite that the three routers will use to authenticate each other:
erx1(config)#ipsec key manual pre-share 5.2.0.1 erx1(config-manual-key)#key customerASecret erx1(config-manual-key)#exit erx1(config)#ipsec key manual pre-share 5.3.0.1 erx1(config-manual-key)#key customerASecret erx1(config-manual-key)#exit erx1(config)#ipsec key manual pre-share 5.2.0.2 erx1(config-manual-key)#key customerBSecret erx1(config-manual-key)#exit erx1(config)#ipsec key manual pre-share 5.3.0.2 erx1(config-manual-key)#key customerBSecret erx1(config-manual-key)#exit erx2(config)#ipsec key manual pre-share 5.1.0.1 erx2(config-manual-key)#key customerASecret erx2(config-manual-key)#exit erx2(config)#ipsec key manual pre-share 5.3.0.1 erx2(config-manual-key)#key customerASecret erx2(config-manual-key)#exit erx2(config)#ipsec key manual pre-share 5.1.0.2 erx2(config-manual-key)#key customerBSecret erx2(config-manual-key)#exit erx2(config)#ipsec key manual pre-share 5.3.0.2 erx2(config-manual-key)#key customerBSecret erx2(config-manual-key)#exit
12-38
erx3(config)#ipsec key manual pre-share 5.1.0.1 erx3(config-manual-key)#key customerASecret erx3(config-manual-key)#exit erx3(config)#ipsec key manual pre-share 5.2.0.1 erx3(config-manual-key)#key customerASecret erx3(config-manual-key)#exit erx3(config)#ipsec key manual pre-share 5.1.0.2 erx3(config-manual-key)#key customerBSecret erx3(config-manual-key)#exit erx3(config)#ipsec key manual pre-share 5.2.0.2 erx3(config-manual-key)#key customerBSecret erx3(config-manual-key)#exit
On erx1, create two IPSec tunnels, one to carry customer As traffic and another to carry customer Bs traffic. You must create each pair of tunnels in the virtual routers where the IP interfaces reaching those customers are defined. The endpoints for the tunnels should be created in the ISP default virtual router. Virtual router A:
erx1(config)#virtual-router vrA erx1:vrA(config)#
12-39
Virtual router B:
erx1(config)#virtual-router vrB erx1:vrB(config)#
On erx2, create two IPSec tunnels, one to carry customer As traffic and another to carry customer Bs traffic. You must create each pair of tunnels in the virtual routers where the IP interfaces reaching those customers are defined. The endpoints for the tunnels should be created in the ISP default virtual router. Virtual router A:
erx2(config)#virtual-router vrA erx2:vrA(config)#
12-40
Virtual router B:
erx2(config)#virtual-router vrB erx2:vrB(config)#
12-41
Last, on erx3, create two IPSec tunnels, one to carry customer As traffic and another to carry customer Bs traffic. Virtual router A:
erx3(config)#virtual-router vrA erx3:vrA(config)#
Virtual router B:
erx3(config)#virtual-router vrB erx3:vrB(config)#
12-42
The configuration is complete. Customer As traffic and customer Bs traffic can flow through the public, or untrusted, IP network inside a tunnel, where each packet is encrypted and authenticated.
Monitoring IPSec
This section contains information on troubleshooting and monitoring IPSec.
System Event Logs
To troubleshoot and monitor IPSec, use the following system event logs:
> auditIpsec Lower layers of IKE SA negotiations > ikepki Upper layers of IKE SA negotiations > stTunnel Secure tunnel interface
For more information on using event logs, see E-Series System Basics Configuration Guide, Chapter 12, Logging System Events.
show Commands
To view your IPSec configuration and to monitor IPSec tunnels and statistics, use the following show commands.
show ike policy-rule
Use to display the configuration of IKE phase 1 policy rules. Field descriptions
Protection suite priority priority number assigned to the policy rule encryption algorithm encryption algorithm used in the IKE policy: des, 3des hash algorithm hash algorithm used in the IKE policy: SHA, MD5
12-43
lifetime lifetime of SAs created with this policy: 60 to 86400 seconds aggressive mode allowed or not allowed
Example
host1#show ike policy-rule IKE Policy Rules: Protection suite priority: 5 encryption algorithm :3DES Triple Data Encryption Standard(168 bit keys) hash algorithm :SHA Secure Hash Standard authentication method:RSA Signatures Diffie-Hellman group :5 (1536 bit) lifetime aggressive mode :7200 seconds :Not Allowed
Protection suite priority: 6 encryption algorithm :3DES Triple Data Encryption Standard(168 bit keys) hash algorithm :SHA Secure Hash Standard authentication method:Pre Shared Keys Diffie-Hellman group :2 (1024 bit) lifetime aggressive mode :28800 seconds :Not Allowed
show ike sa
Use to display IKE phase 1 SAs running on the router. Field descriptions
Source local IP address of phase 1 negotiation Destination remote IP address of phase 1 negotiation Time(s) time remaining in phase 1 lifetime, in seconds State current state of the phase 1 negotiation. Corresponds to the messaging state in the main mode and aggressive mode negotiations. The number in brackets corresponds to the state number. Possible states are: MM_SA_I Sent SA initiator has sent initial main mode SA payload to the responder MM_SA_R Sent SA responder has sent a response to the initial main mode SA MM_KE_I Sent KE initiator has sent initial main mode key exchange to the responder MM_KE_R Sent KE responder has sent a response to the key exchange
12-44
MM_FINAL_I Sent final packet initiator has sent the final packet in the main mode negotiation MM_FINAL_R Sent final packet responder has finished main mode negotiation MM_DONE_I Done initiator has finished main mode negotiation AM_SA_I Sent SA, KE initiator has sent initial aggressive mode SA payload and key exchange to the responder AM_SA_R Sent SA, KE responder has sent aggressive mode SA payload
and key exchange to the initiator
AM_FINAL_I Sent final packet initiator has finished aggressive mode negotiation AM_DONE_R Done responder has finished aggressive mode negotiation Example
host1#show ike sa IKE Phase 1 SA's: Source 10.13.0.99 10.13.1.99 10.13.2.99 10.13.3.99 10.13.4.99 10.13.5.99 10.13.6.99 10.13.7.99 10.13.8.99 Destination 10.13.0.100 10.13.1.100 10.13.2.100 10.13.3.100 10.13.4.100 10.13.5.100 10.13.6.100 10.13.7.100 10.13.8.100 Time(s) State 12585 12584 12584 12591 12598 12632 12658 12690 12716 MM_DONE_I Done(9) MM_DONE_I Done(9) MM_DONE_I Done(9) MM_DONE_I Done(9) MM_DONE_I Done(9) MM_DONE_I Done(9) MM_DONE_I Done(9) MM_DONE_I Done(9) MM_DONE_I Done(9)
12-45
Example 2
host1#show ipsec transform-set transform-esp-3des-hmac-sha Transform-set: transform-esp-3des-hmac-sha = {esp-3des-hmac-sha}.
IPSEC tunnel name and state of tunnel for which information is displayed Tunnel operational configuration configuration running on the tunnel
Tunnel type manual, signaled Tunnel mtu MTU size of the tunnel Tunnel localEndpoint IP address of local tunnel endpoint Tunnel destination address IP address of tunnel destination Tunnel transport virtual router name of transport virtual router over which tunnel runs Tunnel transform set tunnel transform set in use on this tunnel Tunnel local identity IP address of local endpoint identity that ISAKMP uses Tunnel peer identity IP address of peer endpoint identity that ISAKMP uses Tunnel inbound spi/SA SPI and SA in use on traffic received from the tunnel Tunnel outbound spi/SA SPI and SA in use on traffic sent to the tunnel Tunnel lifetime seconds configured lifetime in seconds Tunnel lifetime kilobytes configured lifetime in kilobytes Tunnel pfs PFS group in use on the tunnel: 0 (PFS is not in use), 1 (768-bit group), 2 (1024-bit group), 5 (1536-bit group) Tunnel administrative state Up, Down
Tunnel Statistics displays statistics on traffic received on and sent from this
tunnel InUserPackets number of user packets received InUserOctets number of octets received from user packets InAccPackets number of encapsulated packets received
12-46
InAccOctets number of octets received in encapsulated packets InAuthErrors number of authentication errors received InReplayErrors number of replay errors in received traffic InPolicyErrors number of policy errors in received traffic InOtherRxErrors number of packets received that have errors other than those listed above InDecryptErrors number of decryption errors in received traffic InPadErrors number of packets received that had invalid values after the packet was decrypted OutUserPackets number of user packets sent OutUserOctets number of octets sent in user packets OutAccPackets number of encapsulated packets sent OutAccOctets number of octets sent in encapsulated packets OutPolicyErrors number of packets arriving at tunnel for encapsulation that do not meet specified tunnel identifier (selector) OutOtherTxErrors number of outbound packets that have errors other than those listed above Example
host1#show ipsec tunnel detail IPSEC tunnel s0l1e3d0 is up Tunnel operational configuration: Tunnel type is signaled Tunnel mtu is 1440 Tunnel localEndpoint is 10.255.1.13 Tunnel destination address is 10.255.1.14 Tunnel transport virtual router is vr00 Tunnel transform set is transform-esp-3des-hmac-sha Tunnel local identity is ipAddress: 10.0.10.3 Tunnel peer identity is ipAddress: 10.0.11.3 Tunnel inbound spi is 0x13c00201, SA is esp-3des-hmac-sha. Tunnel outbound spi is 0x12b90209, SA is esp-3des-hmac-sha. Tunnel lifetime seconds is 7200 Tunnel lifetime kilobytes is 102400 Tunnel pfs is group 5 Tunnel administrative state is Up Tunnel Statistics : InUserPackets InUserOcets InAccPackets InAccOcets InAuthErrors InReplayErrors InPolicyErrors InOtherRxErrors 297 306232 297 322864 0 0 0 0
12-47
Total number of ipsec interface number of tunnels configured on the router Administrative status number of tunnels with an administrative status of
enabled and disabled
For a description of fields, see the show ipsec tunnel detail command.
Example
host1#show ipsec tunnel virtual-router default ip 10.255.1.13 IPSEC tunnel s0l1e3d0 is up IPSEC tunnel s0l1e3d1 is up IPSEC tunnel s0l2e3d0 is up IPSEC tunnel s0l2e3d1 is up IPSEC tunnel s0l3e3d0 is up IPSEC tunnel s0l4e3d0 is up IPSEC tunnel s0l4e3d1 is up IPSEC tunnel s0l5e3d0 is up
12-48
13
Page 13-1 13-2 13-3 13-7 13-12
This chapter describes the digital certificates feature on your E-series router.
Topic Overview References IKE Authentication Using Digital Certificates Configuration Tasks Monitoring Digital Certificates
Overview
You can use digital certificates in place of preshared keys for IKE negotiations. For more information about IKE, see IKE Overview in Chapter 12, Configuring IPSec.
13-2
Terms
Table 13-1 defines terms and abbreviations that are used in this discussion of digital certificates.
Table 13-1 Digital certificate terms and abbreviations Term 3DES Base64 CA Certificate Certificate revocation list (CRL) ESP IKE PKCS PKCS10 Root CA Root certificate RSA SA Definition Triple DES encryption/decryption algorithm Method used to encode certificate requests and certificates before they are sent to or from the CA. Certificate authority. An organization that creates digital certificates. Binds a person or entity to a public key using a digital signature. A list of certificates that a CA has revoked Encapsulating Security Payload; provides data integrity, data confidentiality and, optionally, senders authentication Internet Key Exchange Public-Key Cryptography Standards; a series of standards established by RSA Laboratories PKCS #10, which describes a syntax for certification requests CA that signs the certificates of subordinate CAs Self-signed public key certificate for a root CA. Root certificates are used to verify other certificates Rivest-Shamir-Adleman encryption algorithm Security association. The set of security parameters that dictate how IPSec processes a packet, including encapsulation protocol and session keys. A single secure tunnel uses multiple SAs.
References
Digital certificates support: RFC 2986 PKCS #10: Certification Request Syntax Specification Version 1.7 (November 2000) RFC 2459 Internet X.509 Public Key Infrastructure Certificate and CRL Profile (January 1999) For more information on IPSec and IKE, see Chapter 12, Configuring IPSec.
13-3
The following are key steps for using public key cryptography to authenticate a peer. These steps are described in more detail in the following sections.
1
Generating a private/public key pair. Before the router can place a digital signature on messages, it requires a private key to sign, and requires a public key so that message receivers can verify the signature.
Obtaining a public key certificate. The router requires at least one public key certificate, which binds the router identity to its public key. The CA verifies the identity represented on the certificate and then signs the certificate. The router sends the certificate to IKE peers during negotiations to advertise the router public key.
13-4
Obtaining a root CA certificate. The router requires at least one root CA certificate to send to IKE peers, and also to verify that a peers certificate is genuine.
Authenticating the peer. As part of IKE negotiations, the router receives its peers digital signature in a message exchange. The router must verify the digital signature using the peers public key. The public key is contained in the peers certificate, which often is received during the IKE negotiation. To ensure that the peer certificate is valid, the router verifies its digital signature using the CA public key contained in the root CA certificate. The router and its IKE peer require at least one common trusted root CA for authentication to work.
Generally, only step 4 above is required each time a Phase 1 negotiation happens. The first three steps are required only if keys are compromised or router certificates require renewal.
Generating Private/Public Key Pairs
The E-series router needs at least one valid pair of public/private keys whenever it uses any of the public key methods for authenticating an IKE peer. The E-series router can generate its own public/private key pairs. The public/private key pair supports the RSA standard (1024 or 2048 bits). The private key is used only by the E-series router. It is never exchanged with any other nodes. It is used to place a digital signature on IKE authentication messages. When generated, it is securely stored internally to the E-series router in flash memory. Access to the private key is never allowed, not even to a system administrator or a network management system. Private key storage includes protection mechanisms to prevent improper private key usage, including encryption with 3DES using a unique internally generated key. The key is also tied to SRP-specific data to prevent swapping flash disks between routers. The public key is used in the generation of the router certificate request, which is sent to a CA. Based on the certificate request, the CA generates a public key certificate for the E-series router. The router public/private key pair is a global system attribute. It does not matter how many IPSec service line modules exist in the router; only one set of keys is available at any given moment. The private/public key pair applies across all virtual routers and is persistent across reloads and booting to factory defaults.
13-5
Once the public key is generated, the router must obtain a public key certificate from a CA, a process called certificate enrollment. The E-series router supports manual certificate enrollment, which works as follows:
1 2 3 4 5
An operator generates a certificate request by supplying identity information. The E-series router creates a certificate request file and makes it available to the operator. The operator supplies the certificate request file to a CA for approval, typically by copying and pasting the file to a Web page. The CA approves the request and generates a certificate. The operator copies the certificate file onto the E-series router so that it can be used for IKE negotiations.
The standards supported for this enrollment are PKCS #10 certificate requests and X.509v3 certificates. Certificates are encoded in base64 (MIME) so that the files are easily transferred through cut and paste operations and e-mail.
Obtaining a Root CA Certificate
Downloading the root CAs self-signed certificate is also done manually. An operator obtains the root CA certificate, typically through a Web browser, and copies the certificate file to the E-series router so that the router can use it as part of IKE negotiations. The standards supported for obtaining root CAs are X.509v3, base64, and BER-encoded certificates.
Authenticating the Peer
The E-series router validates X.509v3 certificates from the peer by confirming that the ID payload passed in IKE matches the identifiers in the peer certificate. The router also verifies that the signature is correct, based on the root CA public key.
Note: The E-series router does not support certificate chains (where a root CA signs the certificate of a subordinate CA, and a subordinate CA signs the peer certificate), so validation must be done on each stage up to the root CA that both peers trust).
The E-series router also validates the certificate based on its time window, so correct UTC time on the router is essential. In addition to the certificate checks, the E-series router confirms that message data received
13-6
from the peer has the correct signature based on the peers public key as found in its certificate. Once complete, the IKE authentication is done and quick-mode negotiation of SAs can proceed.
Checking CRLs
To use CRL checking, you must copy CRL files that are published by CAs to the E-series router. Using the ike crl command, you can control how the router handles CRLs during negotiation of IKE phase 1 signature authentication. The ike crl command has three settings: Ignored Allows negotiations to succeed even if a CRL is invalid or the peers certificate appears in the CRL; this is the most lenient setting. Optional If the router finds a valid CRL, it uses it. Required Requires a valid CRL, and the certificates belonging to the E-series router or the peer must not appear in the CRL; this is the strictest setting. Based on the CRL setting, you can expect that phase 1 IKE negotiations will succeed or fail depending on the following conditions: CRL OK The certificate revocation list is present for the CA and valid (not expired). CRL expired The CRL is present on the E-series router but is old Missing CRL There is no CRL on the router for the CA. Peer Cert revoked The CRL contains the peer certificate. ERX Cert revoked The CRL contains the E-series routers certificate. Table 13-2 shows some examples of how the CRL setting affects the outcome of IKE phase 1 negotiations. It shows common problem conditions such as ERX Cert revoked.
Table 13-2 Outcome of IKE phase 1 negotiations CRL Setting Condition CRL OK CRL expired Missing CRL Peer Cert revoked Optional Succeed Succeed Succeed Fail Ignored Succeed Succeed Succeed Succeed Required Succeed Fail Fail Fail
13-7
Table 13-2 Outcome of IKE phase 1 negotiations (continued) CRL Setting Condition ERX Cert revoked Optional Fail Ignored Succeed Required Fail
File Extensions
Table 13-3 describes the file extensions that digital certificates use on the E-series router.
Table 13-3 File extensions File Extension .crq .cer Description Used for certificate request files that are generated on the E-series router and taken to CAs for obtaining a certificate. Used for public certificate files. The public certificates for root CAs and the router public certificates are copied to the E-series router. They are autorecognized as belonging to the E-series router or CA by certificate subject name and issuer name (in a CA they are the same). The E-series router supports multiple CAs. Used for certificate revocation lists that are obtained offline from CAs and copied to the E-series router. CRLs indicate which certificates from a particular CA are revoked.
.crl
In addition, router IKE identity information and private keys are kept on the flash disk in hidden areas not visible to users. (These files do not appear when you enter a dir command).
Configuration Tasks
To set up digital certificates:
1
Note: For more information on setting up IKE policies, see Defining an ISAKMP/IKE Policy in Chapter 12, Configuring IPSec.
13-8
Specify the information that the router uses to generate a certificate request.
a
host1(config-ipsec-identity)#country CA
host1(config-ipsec-identity)#common-name Jim
host1(config-ipsec-identity)#domain-name myerx.kanata.junipernetworks.com
Specify an organization.
Generate a certificate request using certificate parameters from the IPSec identity configuration.
host1(config)#ipsec certificate-request generate rsa myrequest.crq
Once the certificate request is generated, you need to copy the file from the E-series router and send it to the CA. Typically, you will copy the file and paste it to a CAs Web page. When you receive the certificate from the CA, copy the certificate to the E-series router, and then inform the router that a new certificate exists.
host1(config)#ipsec certificate-database refresh
(Optional) To delete RSA key pairs, use the ipsec key zeroize command.
host1(config)#ipsec key zeroize rsa
13-9
authentication
Use to specify the authentication method that the router uses in the IKE policy to RSA signature. Example
host1(config-isakmp-policy)#authentication rsa-sig
common-name
Use to specify a common name used to generate certificate requests. Example
host1(config-ipsec-identity)#common-name Jim
country
Use to specify a country name used to generate certificate requests. Example
host1(config-ipsec-identity)#country CA
domain-name
Use to specify the domain name that the router uses in IKE authentication messages and to generate certificate requests. The domain name is used in the SubjectAlternative DNS certicate extensions and as an FQDN (fully qualified domain name) ID payload for IKE negotiations. Example
host1(config-ipsec-identity)#domain-name myerx.kanata.junipernetworks.com
ike crl
Use to control how the router handles certificate revocation lists (CRLs) during negotiation of IKE phase 1 signature authentication. Specify one of the following keywords:
optional if the router finds a valid CRL, it uses it; this is the default setting required requires a valid CRL; either the certificates that belong to the
E-series router or the peer must not appear in the CRL; this is the strictest setting
13-10
Example
host1(config)#ike crl ignored
Use the no version to return the CRL setting to the default, optional.
Example
host1(config)#ipsec certificate-database refresh
There is no no version.
There is no no version.
ipsec identity
Use to enter IPSec Identity Configuration mode where you can specify information that the router uses in certificate requests and during negotiations with its peers. Example
host1(config)#ipsec identity host1(config-ipsec-identity)#
ipsec isakmp-policy-rule
Use to define an ISAKMP/IKE policy. When you enter the command, you include a number that identifies the policy and assigns a priority to the policy. You can number policies from 1 to 10000, with 1 having the highest priority.
13-11
Example
host1(config)#ipsec isakmp-policy-rule 3 host1(config-isakmp-policy)#
Use the no version to remove policies. If you do not include a priority number with the no version, all policies are removed.
There is no no version. To remove a key pair, use the ipsec key zeroize command.
rsa removes the RSA key pair from the router pre-share removes all preshared keys from the router all removes all keys within the VR context from the router
Example
host1(config)#ipsec key zeroize rsa
There is no no version.
organization
Use to specify the organization used in the Subject Name field of certificates. Example
host1(config-ipsec-identity)#organization juniperNetworks
13-12
all all certificates configured on the router crl certificate revocation lists peer peer certificates public-certs public certificates root-cas root CA certificates
Use the hex-format keyword to display certificate data, such as serial numbers, in hexadecimal format. Doing so allows easier comparison with CAs, such as Microsoft, that display certificates in hex format. Example
SubjectName = <C=CA, O=Juniper Networks, CN=Trev Larock> IssuerName = <C=FI, O=SSH Communications Security Corp, CN=SSH Test CA 1 No Liabilities> Validity = NotBefore = 2003 Feb NotAfter = 2003 Mar PublicKeyInfo = PublicKey = Algorithm name (SSH) : if-modn{sign{rsa-pkcs1-md5}} Modulus n (1024 bits) : 13225766016639784111076637633741932992106377577699283110795188796052482 65342146764124357160800571914230195127208418504109976431218877486359782 05039116157265311149909398062120023292037934003177853958261330798885742 78483784295640530834307567681635251787413138487842020206430811996635774 6473467422163528513914011 Exponent e ( 65537 Extensions = Available = authority key identifier, subject key identifier, key usage(critical), subject alternative names, CRL distribution points, extended key usage SubjectAlternativeNames = Following names detected = DNS (domain name server name) Viewing specific name types = 17 bits) : 5th, 00:37:07 GMT 7th, 01:07:07 GMT
13-13
DNS = treverx1.unispherenetworks.com KeyUsage = DigitalSignature [CRITICAL] CRLDistributionPoints = % Entry 1 FullName = Following names detected = URI (uniform resource indicator) Viewing specific name types = URI = ldap://193.64.193.154:389/CN=SSH%20Test%20CA%201%20No%20Liabilities ,O=SSH%20Communications%20Security%20Corp,C=FI?certificaterevocatio nlist AuthorityKeyID = KeyID = : 3d cb be 20 64 49 16 1d 88 b7 98 67 93 f0 5d 42 81 2e bd 0c SubjectKeyID = KeyId = : cb 89 0a 07 8c b1 bd a0 5a 8d 9f fb 08 6f ae bf fc 22 37 2b ExtendedKeyUsage = clientAuth (1.3.6.1.5.5.7.3.2) ikeIntermediate (1.3.6.1.5.5.8.2.2) host1#show ike certificates root-cas Certificate = SerialNumber = 1538512 SubjectName = <C=FI, O=SSH Communications Security Corp, CN=SSH Test CA 1 No Liabilities> IssuerName = <C=FI, O=SSH Communications Security Corp, CN=SSH Test CA 1 No Liabilities> Certificate seems to be self-signed. * Signature verification success. Validity = NotBefore = 2001 Aug NotAfter = 2004 Aug PublicKeyInfo = PublicKey = Algorithm name (SSH) : if-modn{sign{rsa-pkcs1-md5}} Modulus n (1024 bits) : 11917611287778603070080534566511562975214407448390943179928807818173885 47247666155825989542261220981799976308014604905009354671795084636946388 05807250595102357061876406491725197545378029185127138910656474019020750 57893862702272777323679505496338679231604634989591340666076231855527357 3617925277649092630861237 Exponent e ( 65537 17 bits) : 1st, 07:08:32 GMT 1st, 07:08:32 GMT
13-14
Extensions = Available = authority key identifier, subject key identifier, key usage(critical), subject alternative names, basic constraints(critical) SubjectAlternativeNames = Following names detected = EMAIL (rfc822) Viewing specific name types = EMAIL = [email protected] KeyUsage = DigitalSignature KeyCertSign CRLSign [CRITICAL] BasicConstraints = PathLength = 0 cA = TRUE [CRITICAL]
Ike identity information from your IKE identify configuration that the router
uses to generate certificate requests
14
Page 14-1 14-2 14-2 14-7 14-7 14-13
This chapter describes the L2TP with IPSec feature on your E-series router.
Topic Overview References How Secure Remote Access Works Configuration Tasks for Client PC Configuration Tasks for E-Series Routers Monitoring L2TP over IPSec
Overview
IPSec remote access allows clients to connect to a corporate VPN over the public Internet with a secure connection. IPSec remote access works by running an L2TP tunnel on top of an IPSec transport mode connection. The secure tunnel runs from the client PC to the E-series router that terminates the secure tunnel. Using L2TP with IPSec, B-RAS clients can securely connect to a corporate or other VPN in addition to another unsecured connection to the Internet.
14-2
References
This IPSec with L2TP implementation supports: RFC 3193 Securing L2TP using IPSec (November 2001) RFC 2661 Layer Two Tunneling Protocol L2TP (August 1999) RFC 2401 Security Architecture for the Internet Protocol (November 1998) For more information on related router features, see: Chapter 12, Configuring IPSec Chapter 13, Configuring Digital Certificates E-Series Broadband Access Configuration Guide, Chapter 5, Configuring L2TP
14-3
RADIUS server
RADIUS server
PC client
Access network
ISP
Public IP network
VPN provider
Figure 14-2 gives an overview of the process used to set up a secure connection between the client PC and the E-series router.
Internet 1. First IP interface PC 2. IKE SA 3. Secure IP interface ERX B-RAS + IPSec VPN Content
g013168 g013308
Obtain an IP address from your ISP, using a normal B-RAS termination. IKE signals a security association (SA) between the client PC and the E-series router. Two unidirectional SAs are established to secure data traffic. The IPSec connection secures UDP port 1701.
Set up an L2TP tunnel and session between the client PC (the LAC) and the E-series router (the LNS). The tunnel runs over the SAs that IKE established.
14-4
L2TP defines control and data messages used for L2TP/IPSec. Figure 14-3 shows an L2TP/IPSec encapsulated control frame. The gray area indicates the encrypted part of the frame.
IP header
UDP header
L2TP message
Encrypted by IPSec
Figure 14-3 L2TP/IPSec encapsulated control frame
Figure 14-4 is an L2TP/IPSec encapsulated data frame. The gray area shows the encrypted part of the frame.
IP header
UDP header
L2TP message
PPP header
PPP payload
Authenticated by IPSec
Figure 14-4 L2TP/IPSec encapsulated data packet
This section covers various compatibility issues and requirements for the IPSec/L2TP traffic.
End-to-End Security
L2TP/IPSec provides security only between tunnel endpoints. It does not provide end-to-end security. For end-to-end security, you need additional security for the connection beyond the router.
g013608
Encrypted by IPSec
14-5
The L2TP/IPSec software supports the following client PC operating systems and L2TP and IPSec applications: Windows 2000 and Windows XP running built-in IPSec VPN software. Microsoft L2TP/IPSec VPN client for Windows NT, Windows 98, and Windows Me. SafeNet client software.
Interactions with NAT
Network address translation (NAT) devices can change the IP address and/or port number of a traversing IP packet. Encrypted frames, where an ESP header follows the IP header, may or may not get through the NAT device. You can set up the router to run in NAT passthrough mode, which causes the router to not generate or check UDP checksums. The reason is that a NAT device may change the IP address while the UDP header is encrypted. In this case, the UDP checksum cannot be recalculated. Not generating or checking UDP checksums does not compromise security, because IPSec protects UDP with an authentication algorithm far stronger than UDP checksums. To set up the router to run in NAT passthrough mode, use the application l2tp-nat-passthrough command. For the router to accept an IP address that is changed by NAT, configure the IP address in the IPSec transport profile as the wildcard.
Tunnel Creation
The E-series router can have both secured and unsecured L2TP tunnels. When you configure L2TP, you can differentiate the secured and unsecured tunnels in the L2TP destination profile with the enable ipsec transport command. Unsecured L2TP tunnels are not allowed on the IPSec service module.
Interaction Between IPSec and PPP
PPP defines the ECP and CCP modes, and these modes are currently not supported in the E-series router. There will be no interaction related to encryption directives between IPSec and PPP.
14-6
The IPSec service module allows up to 5,000 secure tunnels and L2TP/IPSec connections combined.
LNS Change of Address
For L2TP applications, the LNS may change the IP address from its end when an incoming call is terminated. If this is done in an L2TP tunnel protected by IPSec, the following procedure must be followed:
1 2 3
The LNS must send a StopCCN to the LAC, with the Result and Error Code AVP present. The Result Code must be set to 2 (General Error), and the Error Code should be set to 7 (Try Another). The optional error message must be present, and the contents must contain only the IP address (ASCII, dotted decimal encoded) that the LNS wants to use for subsequent communications. The StopCCN message must be sent with the same address and port that the LAC used to send the SCCRQ.
In the above scenario, the LACthat is, the client PCneeds to establish a new IPSec tunnel toward the new LNS address before a new SCCRQ can be sent to the new destination.
LNS Change of Port
In the L2TP world, the LNS is allowed to change its port number; this functionality is currently not supported in the E-series router. IPSec allows only port 1701 to be used for L2TP/IPSec tunnels. However, the LAC is allowed to use any source port it desires.
Group Preshared Key
Group preshared keys allow the provisioning of secure remote access via L2TP/IPSec to networks that do not use a certificate authority (CA) to issue certificates. A group preshared key is associated with a local IP address in the E-series router and is used to authenticate L2TP/IPSec clients that target this IP address as their VPN server address.
Caution: Group preshared keys are not fully secure, and we recommend that you use digital certificates in place of group preshared keys. Group preshared keys are open to man-in-the-middle attacks. To reduce this risk, the E-series router accepts only IPSec connections that specify L2TP traffic selectors for security associations (SAs) that are negotiated over IKE connections authenticated with group preshared keys.
14-7
Create a destination profile that defines the location of the LAC, and access L2TP Destination Profile Configuration mode.
host1(config)#l2tp destination profile boston4 ip address 192.168.76.20 host1(config-l2tp-dest-profile)#
14-8
Specify that for L2TP tunnels associated with this destination profile, the router accepts only tunnels protected by IPSec.
host1(config-l2tp-dest-profile-host)#enable ipsec-transport
Define the L2TP host profile, and enter L2TP Destination Profile Host Configuration mode.
host1(config-l2tp-dest-profile)#remote host default host1(config-l2tp-dest-profile-host)#
Specify the local IP address to be used in any packets sent to the LAC.
host1(config-l2tp-dest-profile-host)#local ip address 10.0.0.1
For information on other L2TP destination profile commands, see Configuring the LNS in E-Series Broadband Access Configuration Guide, Chapter 5, Configuring L2TP.
enable ipsec-transport
Use to specify that the router accepts only L2TP tunnels protected by an IPSec transport connection. Example
host1(config-l2tp-dest-profile-host)#enable ipsec-transport
You can then set any of the following parameters for the profile. Specify the type of application that the profile secures.
Boston(config-ipsec-transport-profile)#application l2tp-nat-passthrough
Set a lifetime range for the IPSec connection in volume of traffic and/or seconds.
Boston(config-ipsec-transport-profile)#lifetime seconds 3600 28800 kilobytes 102400 4294967295
14-9
Configure perfect forward secrecy for connections created with this IPSec transport profile.
host1(config-ipsec-transport-profile)#pfs group 5
Specify the transform set(s) that an IPSec transport connection uses to negotiate a transform algorithm.
Boston(config-ipsec-transport-profile)#transform-set esp-3des-hmac-sha esp-3des-hmac-md5
Specify the local endpoint (for L2TP, the LNS address) of the IPSec transport connection, and enter Local IPSec Transport Profile mode.
Boston(config-ipsec-transport-profile)#local ip address 10.10.1.1 Boston(config-ipsec-transport-profile-local)#
host1(config-ipsec-transport-profile-local)#pre-share secretforL2tp
The router encrypts the key and stores it in encrypted form. You can no longer retrieve the unencrypted.
b
Note: The show config command displays the key in its encrypted (masked) format.
host1#show config ! ipsec transport profile secureL2tp virtual-router default ip address 10.0.0.0 local ip address 0.0.0.0 pre-share-masked AAAAGAAAAAIAAAACmQGsvejwZkiSLTFOWvjianwzRyr41KgE !
host1(config-ipsec-transport-profile-local)#pre-share-maske d AAAAGAAAAAIAAAACmQGsvejwZkiSLTFOWvjianwzRyr41KgE
If you must reenter the key (for example, on a system reload using the show config output command to configure the router), you can use the masked-key. If you know the unencrypted key, you can enter it using the pre-share command.
14-10
application
Use to specify the type of application that is secured by connections created with this IPSec transport profile. To specify the application, use one of the following keywords:
l2tp secures L2TP traffic l2tp-nat-passthrough secures L2TP traffic and also allows clients to
connect from behind NAT devices that support IPSec passthrough. To allow these clients to connect, the router: Does not generate or verify UDP checksums. This does not compromise security, because IPSec protects UDP packets with an authentication algorithm far stronger than UDP checksums. Provides IPSec filtering based on the received IP address (the NAT public IP address), rather than filtering based on the negotiated IKE identities. Example
Boston(config-ipsec-transport-profile)#application l2tp-nat-passthrough
virtual-router name of the virtual router on which you want to create the
profile
ip address remote endpoint for the IPSec transport connection. You can
enter a fixed IP address or the wildcard address, 0.0.0.0. If you use the wildcard address, the profile accepts any remote client connection, which is a typical scenario for secure remote access. Example
Boston(config)#ipsec transport profile secureL2tp virtual-router default ip address 0.0.0.0 Boston(config-ipsec-transport-profile)#
lifetime
Use to set a lifetime range for the IPSec connection in volume of traffic and/or in seconds. If the PC client offers a lifetime within this range, the router accepts the offer. If the PC client offers a lifetime outside of this range, the router rejects the connection. Example
Boston(config-ipsec-transport-profile)#lifetime seconds 900 86400 kilobytes 100000 4294967295
Use the no version to restore the default values, 1000004294967295 KB and 90086400 seconds (124 hours).
14-11
local ip address
Use to specify the local endpoint (for L2TP, the LNS address) of the IPSec transport connection and to enter Local IPSec Transport Profile Configuration mode. You can enter this command multiple times in an IPSec transport profile. You can enter a fixed IP address or the wildcard address, 0.0.0.0. The wildcard address has a lower precedence than a fixed IP address.
Caution: We do not recommend that you use address 0.0.0.0 because it allows any address to accept IKE calls, and it creates a group preshared key, which is not fully secure.
Example
Boston(config-ipsec-transport-profile)#local ip address 192.168.1.2 host1(config-ipsec-transport-profile-local)#
pfs group
Use to configure perfect forward secrecy for connections created with this IPSec transport profile. Assign a Diffie-Hellman prime modulus group using one of the following keywords:
Use the no version to remove PFS from this profile, which is the default setting.
pre-share
Use to configure an unencrypted (red) preshared key to authenticate IKE negotiations that arrive from any remote IP address specified for this transport profile and that are destined for the local IP address. If the remote endpoint address is a wildcard address, this preshared key is a group preshared key.
Caution: Group preshared keys are not fully secure, and we do not recommend using them. They are provided for trials and testing purposes where the missed security does not pose a risk to the provider.
After you enter the preshared key, use the show config command to see the encrypted form of the key. You then enter the encrypted key with the pre-share-masked command. To have preshared key authentication take place, you must also specify the IKE policy rule as preshared by entering authentication pre-share in ISAKMP Policy Configuration mode.
14-12
Example
host1(config-ipsec-transport-profile-local)#pre-share secretforL2tp
pre-share-masked
Use to specify an encrypted preshared key. To obtain this key, you enter an unencrypted key using the pre-share command. You then run the show config command, and the router displays the preshared key in encrypted form. You enter the encrypted key using this command. The router uses the preshared key to authenticate IKE negotiations that arrive from any remote IP address specified for this transport profile and that are destined for any local IP address specified for this transport profile. If the remote endpoint address is a wildcard address, this preshared key is a group preshared key.
Caution: Group preshared keys are not fully secure, and we do not recommend using them. They are provided for trials and testing purposes, where the missed security does not pose a risk to the provider.
To have preshared key authentication take place, you must also specify the IKE policy rule as preshared by entering authentication pre-share in ISAKMP Policy Configuration mode. Example
host1(config-ipsec-transport-profile-local)#pre-sharemasked AAAAGAAAAAcAAAACZquq4ABieTUBuNBELSY8b/L3CX/RcPX7
transform-set
Use to specify the transform set(s) that an IPSec transport connection can use to negotiate a transform algorithm. Each transform in the set provides a different combination of data authentication and confidentiality. Example
Boston(config-ipsec-transport-profile)#transform-set esp-3des-hmac-sha
14-13
To troubleshoot and monitor L2TP over IPSec, use the following system event log:
> itm IPSec transport mode
For more information on using event logs, see E-Series System Basics Configuration Guide, Chapter 12, Logging System Events.
show Commands
To display information on L2TP over IPSec profiles and connections, use the following show commands.
show ipsec transport interface
Use to display information on transport connections. Field descriptions
Connection number of the IPSec transport connection Operational Status status of the connection: up, down Transport virtual-router name of the transport virtual router for which
configuration and statistics are displayed Virtual router virtual router on which this profile is configured Local ip address local endpoint address Peer ip address remote endpoint address Local identity shows the subnet, protocol, and port Remote identity shows the subnet, protocol, and port Transported-application type of application the connection is protecting Inbound SA algorithm and SPI Outbound SA algorithm and SPI Pfs group PFS group being used for the connection Lifetime configured lifetime in seconds and kilobytes
Statistics
InUserPackets number of user packets received InUserOctets number of octets received from user packets InAccPackets number of encapsulated packets received InAccOctets number of octets received in encapsulated packets InAuthErrors number of authentication errors received InReplyErrors number of reply errors in received traffic
14-14
InPolicyErrors number of policy errors in received traffic InOtherRxErrors number of packets received that have errors other than those listed above InDecryptErrors number of decryption errors in received traffic InPadErrors number of packets received that had invalid values after the packet was decrypted OutUserPackets number of user packets sent OutUserOctets number of octets sent in user packets OutAccPackets number of encapsulated packets sent OutAccOctets number of octets sent in encapsulated packets OutPolicyErrors number of packets arriving at the transport connection for encapsulation that do not meet the specified identifier (selector) OutOtherTxErrors number of outbound packets that have errors other than those listed above Example
boston#show ipsec transport interface Connection 1 Up Connection 2 Up There are 2 connections found.
Connection 1
Example
boston#show ipsec transport interface 1 Operational Status Up Configuration Attributes Transport virtual-router default Local ip address 1.2.3.4 Peer Local ip address 5.6.7.8 identity is subnet 1.2.3.4 255.255.255.255, proto 17, port 1701
Remote identity is subnet 5.6.7.8 255.255.255.255, proto 17, port 1701 Transported-application l2tp Inbound SA esp-3des-hmac-md5 Spi 0x1abcd0101 Outbound SA esp-3des-hmac-md5 Spi 0x1abcd0101 Pfs group 5 Lifetime seconds 3600 kilobytes 102400
Connection 1
Example
boston#show ipsec transport interface detail 1 Operational Status Up Configuration Attributes Transport virtual-router default Local ip address 1.2.3.4 Peer Local ip address 5.6.7.8 identity is subnet 1.2.3.4 255.255.255.255, proto 17, port 1701
Remote identity is subnet 5.6.7.8 255.255.255.255, proto 17, port 1701 Transported-application l2tp
14-15
Inbound SA esp-3des-hmac-md5 Spi 0x1abcd0101 Outbound SA esp-3des-hmac-md5 Spi 0x1abcd0101 Pfs group 5 Lifetime seconds 3600 kilobytes 102400 Statistics InUserPackets InUserOctets InAccPackets InAccOctets InAuthErrors InReplyErrors InPolicyErrors InOtherRxErrors InDecryptErrors InPadErrors 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
ipsec transport interfaces interfaces by type of application total total number of IPSec transport interfaces for each application up number of IPSec transport interfaces that are currently up down number of IPSec transport interfaces that are currently down
Example
total 1234 7044 8278 up 1001 43 1044 down 233 7001 7234
boston#show ipsec transport interface summary ipsec transport interfaces l2tp l2tp-nat-passthrough total
------------------------------------------------------
14-16
Virtual router virtual router on which this profile is configured Peer address remote endpoint address Application type of application that this profile is protecting Lifetime range in seconds lifetime range in seconds configured for the profile Lifetime range in kilobytes lifetime range in kilobytes configured for the profile TransformSet transform set(s) configured for the profile Pfs group PFS group configured for the profile; 0 (zero) means that PFS is not configured for the profile Local ip address local endpoint address Example
host1#show ipsec transport profile IPSEC transport profile secureL2tp 1 Ipsec transport profile found
Example
host1#show ipsec transport profile secureL2tp IPSEC transport profile secureL2tp Virtual router default Peer address 0.0.0.0 Application l2tp Lifetime range in seconds 3600 86400 Lifetime range in kilobytes 102400 4294967295 TransformSet transport-esp-3des-md5 Pfs group 0 Local ip address : 0.0.0.0
Index
A
ABRs (area border routers), OSPF configuring area range 9-12 defined 9-2 access-list command 1-17, 1-23, 4-11 IS-IS 10-21 OSPF 9-27 access lists, BGP 1-16 to 1-24 access lists, IP monitoring 1-44, 2-57 redirecting traffic with null interface instead 1-26 redistributing access routes 1-7 redistributing static routes 1-18 specifying multicast groups 5-22 address commands, OSPF address area 9-14 address authentication key 9-23 address authentication message-digest 9-23 address authentication-none 9-24 address cost 9-14 address dead-interval 9-14 address hello-interval 9-14 address message-digest-key 9-24 address network 9-34 address passive-interface 9-15 address priority 9-15 address retransmit-interval 9-15 address transmit-delay 9-15 address commands, RIP address 8-9 address authentication key 8-9 address authentication mode 8-10 address receive version 8-10 address send version 8-10 address ranges, IS-IS 10-27 Address Resolution Protocol. See ARP adjacencies, clearing IS-IS 10-38 adjacency, OPSF 9-2 adjacency levels, IS-IS 10-15 displaying information on 10-49 logging changes between 10-29 administrative distance IP, setting 2-23 IS-IS 10-26 OSPF 9-30 RIP 8-12 advertising DVMRP routes 5-60, 5-66 aggregate addresses IS-IS 10-27 OSPF routing 9-12 application layer, TCP/IP 2-4 area-authentication-key command 10-20 area border routers, OSPF. See ABRs area commands area 9-20 area default-cost 9-20 area nssa 9-20 area range 9-12 area stub 9-20 area IDs (OSPF packets) 9-2 area-message-digest-key command 10-6, 10-20 areas, IS-IS 10-2 areas, OSPF 9-2 configuring 9-19 to 9-22 defining 9-5, 9-9 stub areas 9-3, 9-20 area virtual-link commands area virtual-link 9-21 area virtual-link authentication-key 9-24 area virtual-link authentication message-digest 9-24 area virtual-link authentication-none 9-25 area virtual-link dead-interval 9-21 area virtual-link hello-interval 9-21 area virtual-link message-digest-key md5 9-25 area virtual-link retransmit-interval 9-22 area virtual-link transmit-delay 9-22 ARP (Address Resolution Protocol) hosts 2-14 monitoring 2-57 physical and logical addresses 2-6 arp commands arp 2-17 arp timeout 2-17 AS (autonomous system) 9-3 ASBR (autonomous system boundary router) default route and 9-30
2 Index
OSPF 9-3 AS-path, BGP access lists, modifying 1-12 filtering 1-19 to 1-21 AS-path attribute 1-19 assert messages 5-37 assigning multicast groups 5-21 audience for documentation xx authentication IS-IS, halting 10-8 IS-IS HMAC MD5 10-5, 10-16, 10-20 IS-IS key commands 10-6 IS-IS MD5 packet timing 10-7 IS-IS MD5 start and stop timing 10-7 managing and replacing IS-IS keys 10-8 OSPF 9-3, 9-6, 9-25 OSPF, configuring 9-22 to 9-26 RIP 8-3 type 9-3 authentication commands authentication key 8-19 authentication message-digest 9-38 authentication mode 8-19 authentication-key command 9-38 authentication-none command 9-38 autocost, OSPF routing 9-31 automatic virtual link, OSPF 9-22 automatic virtual-link command 9-22 autonomous system boundary router. See ASBR auto-RP router PIM S-DM 5-45 PIM SM 5-44
baseline ipv6 3-20 baseline ipv6 interface 3-21 baseline ip vrrp 11-12 BGP (Border Gateway Protocol), OSPF routing with 9-7 BGP/MPLS VPNs, interaction with OSPF 9-37 BGP/MPLS VPNs, multicast services over configuring 5-47 overview 5-39 BGP multicasting 5-74 BGP protocol clearing IP routing table 1-43 communities 1-8, 1-13, 1-35 community lists 2-60 reinstalling routes in IP routing table 1-43 well-known communities 1-32 border routers, OSPF 9-45 B-RAS applications, creating an IP profile 2-11 B-RAS applications, creating an IPv6 profile 3-11 broadcast addressing 2-19 to 2-20 broadcast storms 2-20
C
CDs E-series routers documentation CD xxi JUNOSe software CD xxiii certificate revocation list. See CRL checksum computation 6-4 CIDR (Classless Interdomain Routing) 2-8, 9-3 Class D IPv4 addresses 5-15 classes of IP addresses 2-6 Classless Interdomain Routing. See CIDR clear arp command 2-17 clear ip commands clear ip dvmrp route 5-68 clear ip interface 2-28 clear ip isis redistribution 10-22 clear ip mroute 5-4 clear ip ospf redistribution 9-29 clear ip pim auto-rp 5-50 clear ip pim interface count 5-50 clear ip pim remote-neighbor count 5-50 clear ip prefix-list 1-27, 1-28 clear ip prefix-tree 1-30 clear ip routes 1-43, 2-28 clear ipv6 interface command 3-14 clear isis commands clear isis adjacency 10-38 clear isis database 10-48
B
backbone area, OSPF 9-19 backup router 11-7 defined 11-2 election process and 11-7 VRRP 11-1 bandwidth, OSPF interface cost by 9-31 baseline commands baseline clns 10-47 baseline ip 2-55 baseline ip dvmrp 5-69 baseline ip igmp 5-25 baseline ip igmp-proxy interface 5-32 baseline ip ospf 9-28 baseline ip rip 8-23 baseline ip tcp 2-55 baseline ip udp 2-56
3 E-Series Routers
CLNP (Connectionless-mode Network Protocol) 10-2 CLNS (Connectionless Network Service Protocol) defined 10-2 displaying 10-47 to 10-48 clns commands clns configuration-time 10-33 clns holding-time 10-33 clns host 10-5, 10-33 See also show clns commands 10-33 communities, BGP 1-8, 1-13, 1-31, 1-35 community lists, BGP 1-32, 2-60 complete sequence number PDU. See CSNP configuring 5-6 DVMRP 5-62 IGMP 5-18 IGMP proxy 5-30 IP tunnels 6-3 PIM 5-44 routing policy 1-1 VRRP 11-8 to 11-12 Connectionless-mode Network Protocol. See CLNP Connectionless Network Service Protocol. See CLNS connectionless protocols 2-2, 3-2 connection-oriented protocols 2-2 conventions defined icons xx syntax xx text xx cost, IS-IS interface 10-17 cost, OSPF routing 9-16 autocost 9-31 default cost 9-20 equal-cost multipath 9-7 cost command 9-39 creating an IP profile access-routes 2-12 address 2-12 directed-broadcast 2-12 mtu (maximum transmission unit) 2-12 redirects 2-12 unnumbered 2-12 virtual-router 2-12 creating an IPv6 profile address 3-11 ipv6-virtual-router 3-11 mtu (maximum transmission unit) 3-11 unnumbered 3-11
creating OSPF interfaces 9-8 CRL (certificate revocation list) 13-2 CRL (certificate revocation lists) checking 13-6 file extension 13-7 viewing on E-series router 13-12 cryptographic authentication, OSPF 9-6 CSNP (complete sequence number PDU) 10-2 CSNP interval, IS-IS interface 10-15 customer support xxiv
D
database, OSPF 9-45 datagrams, IP 2-2 fragmenting and reassembling 2-3, 2-20 dead interval, OSPF 9-17, 9-21 dead-interval command 9-39 debounce-time command 8-10 debug commands 8-22, 9-42 debug ip ospf 9-43 debug ip pim 5-51 debug ip rip 8-22 debug isis 10-38 debug-related information, IS-IS 10-38, 10-46 default-information originate command 1-24 IS-IS 10-26 OSPF 9-30 RIP 8-11 default-metric command 8-11 default routes cost, OSPF 9-20 IP routing 2-26 IS-IS routing 10-26 OSPF routing 9-30 suppressing IS-IS 10-27 deleting DVMRP routes 5-68 IP multicast routes 5-4 IS-IS redistribution information 10-22 OSPF interfaces 9-8 OSPF redistribution information 9-29 dense mode multicasting protocols 5-5 description, adding to IP interfaces 2-30, 3-16 designated routers. See DRs destination, tunnel 6-2 destination address (DA), VRRP 11-4 digital certificates authenticating the peer 13-5 base64 13-2 checking CRLs 13-6
4 Index
configuring 13-7 file extensions 13-7 generating private/public key pairs 13-4 monitoring 13-12 obtaining a public key certificate 13-5 obtaining a root CA certificate 13-5 overview 13-1 signature authentication 13-3 viewing on E-series routers 13-12 X.509v3 13-3 directed broadcast packets 2-19 directly connected networks 8-1 disable command 5-67, 8-11 disable-dynamic-redistribute command DVMRP 5-66 IS-IS 10-22 OSPF 9-30 RIP 8-11 disable-incremental-external-spf command 9-41 disabling DVMRP 5-67 IGMP 5-25 disabling dynamic route redistribution DVMRP 5-66 ISIS 10-22 OSPF 9-30 RIP 8-11 distance, RIP administrative 8-12 distance commands 8-12 distance 2-24 distance ip 2-24, 10-26 distance ospf 9-30 Distance Vector Multicast Routing Protocol. See DVMRP distribute-domain-wide command 10-24 distribute-list command 8-12, 8-20 documentation set, E-series xxii CD xxi comments on xxiii domain, OSPF 9-3 domain-authentication-key command 10-20 domain-message-digest-key command 10-6, 10-21 domain-wide prefix distribution 10-24 downstream interface 5-30 dropped packets, troubleshooting 2-65 DRs (designated routers) IS-IS routing 10-17 OSPF routing 9-3 PIM routing 5-34
DVMRP 5-59 to 5-74 advertising routes 5-60, 5-66 configuring limits 5-62 summary addresses 5-63 default router, configuring 5-61 deleting routes 5-68 disabling 5-67 enabling on an interface 5-61 on a virtual router 5-61 exchanging unicast routes 5-66 filtering reports 5-62 metric 5-64 monitoring 5-69 to 5-74 neighbors 5-59 pruning 5-59 reassembly of tunnel packets 7-2 removing 5-67 summary addresses 5-63 tunnels 5-68, 6-2 using with IGMP 5-62 using with PIM 5-43, 5-62 dynamic hostname resolution, IS-IS 10-5, 10-33 dynamic route redistribution, disabling in DVMRP 5-66 in IS-IS 10-22 in OSPF 9-30 in RIP 8-11
E
ECMP (equal-cost multipath) IP 2-32 IS-IS 10-9, 10-34 OSPF 9-7, 9-31 RIP 8-6, 8-14 enabling directed broadcasts 2-20 DVMRP 5-61 ICMP Router Discovery Protocol 2-39 IGMP 5-18, 5-19 IGMP proxy 5-31 IP multicasting 5-4 IP redirects 2-39 IS-IS 10-12 to 10-14 MD5 authentication 9-26 OSPF 9-9 to 9-13 PIM 5-42, 5-43 PIM SSM 5-49 unreachable messages (ICMP) 2-39
5 E-Series Routers
endpoints, tunnel 6-2 end system. See ES (end system) entry, routing table 2-22 equal-cost multipath. See ECMP ERX-14xx models xix ERX-7xx models xix ES (end system) hello packet rate 10-33 neighbor information 10-53 E-series documentation set xxii comments on xxiii E-series models xix E-series router IP features of 2-5 IPv6 features of 3-2 IS-IS features 10-11 routing policy 1-1 to 1-54 E-series routers documentation set CD xxi Ethernet controllers 2-6 exchanging DVMRP unicast routes 5-66 exit-remote-neighbor command 8-20 extended communities, BGP 1-35 external routes, OSPF 9-5
H
hashcheck process 9-23 hash functions 9-22 hello interval 5-41 IS-IS interface 10-16, 10-33 OSPF interface 9-17, 9-21 PIM 5-43, 5-47, 5-53, 5-55 hello-interval command 9-39 hello multiplier, IS-IS interface 10-16 hello packet validity rate, IS-IS 10-33 Hello protocol 9-3 HMAC MD5 authentication, IS-IS 10-5 IS-IS area-wide password 10-20 IS-IS domain-wide password 10-21 IS-IS password on the interface 10-16 hold time IS-IS 10-16 IS-IS SPF 10-31 PIM SM 5-41 SPF 9-33 hop count 5-64, 8-2 host access routes on PPP interface 2-26 hosts 2-3
F
fabric congestion 2-65 Fast Ethernet (FE) modules 11-2 filtering AS paths 1-19 DVMRP reports 5-62 network prefixes 1-16 undesirable traffic 1-26 filter lists, BGP 1-19 to 1-21 flooded broadcast packets 2-19 flooding 9-3 forwarding table 2-22 fragmenting IP datagrams 2-3, 2-20 full spf, IS-IS 10-32 full-spf-always command 10-32
I
ICMP (Internet Control Message Protocol) 2-38 to 2-39 echo request packets IP 2-40 IPv6 3-14 icmp update-source command 2-39 icons defined, notice xx identifying DVMRP neighbors 5-59 IP multicast groups 5-16 IGMP 5-39 IGMP (Internet Group Management Protocol) 5-15 to 5-34 configuring 5-19 disabling 5-25 enabling 5-18, 5-19 limiting groups on interfaces 5-22 monitoring 5-14, 5-25 to 5-29 performing host functions 5-30
G
gateways 2-3 Gigabit Ethernet (GE) modules 11-2 global IP routing table 2-22 GRE, reassembly of tunnel packets 7-2 GRE tunnels 6-2 group (multicast) addressing 2-7
6 Index
querier 5-19 removing 5-25 specifying version 5-19 igmp commands igmp disable 5-25 igmp promiscuous 5-24 IGMP proxy 5-29 configuring 5-30 enabling 5-31 monitoring 5-32 to 5-34 version 5-29 IGMP reports, accepting 5-24 ignore-lsp-errors command 10-29 IGP (interior gateway protocol) 5-59, 9-3 IKE (Internet Key Exchange) aggressive mode characteristics 12-16 aggressive mode negotiations 12-17 initiator proposals and policy rules 12-17 main mode characteristics 12-16 overview 12-15 SA negotiation 12-20 using digital certificates 13-3 IKE policies 12-17 authentication mode 12-19 Diffie-Hellman group 12-19 encryption algorithms 3DES 12-18 DES 12-18 hash function MD5 12-18 SHA-1 12-18 lifetime 12-19 priority 12-18 importing routes. See redistributing routes incremental SPF 9-40 installing the system software xix instance, route map 1-3 Integrated IS-IS routing 10-9 interarea routes, OSPF 9-5 interface commands interface ip 2-35 interface tunnel 6-4, 12-25 interface-event-disable command 8-12 interfaces IPv6, enabling and disabling 3-14 NAT, marking 4-8 interior gateway protocol. See IGP intermediate system. See IS (intermediate system) Intermediate System-to-Intermediate System. See IS-IS
Internet addresses 2-6 internet community, BGP 1-32 Internet Control Message Protocol. See ICMP Internet Group Management Protocol. See IGMP Internet Key Exchange. See IKE Internet Layer, TCP/IP 2-4 interval rate, LSP (IS-IS) 10-30 intra-area routes, OSPF 9-5 investigating IP multicast routes 5-74 IP 2-1 to 2-81 ARP protocol 2-6, 2-14, 2-57 assigning router IDs 2-25 broadcast addressing 2-19 to 2-20 ECMP 2-32 E-series router features 2-5 functions of 2-2 ICMP and 2-38 to 2-39 layers of 2-3 to 2-4 managing the routing table 1-43 monitoring 2-56 to 2-81 profile 2-11 to 2-14 reachability commands 2-40 routing 2-21 to 2-33 source address verification 2-27 ip access-route table-map command 1-26 IP addresses 2-6 to 2-9 class D 5-15 classes of 2-6 for multicasting 5-15 interfaces without (unnumbered) 2-26 IP address owner, VRRP 11-2 matching routes destination 1-9 multinetting 2-10 OSPF routing costs and 9-16 prefix lists 1-27 prefix trees 1-30 primary adding 2-10 deleting 2-10 primary IP address, VRRP 11-2 router IDs and 2-25 secondary adding 2-10 deleting 2-10 VRRP 11-7, 11-8 ip commands ip access-routes 2-12, 2-26 ip address 2-10, 2-12 ip alwaysup 2-30 ip as-path access-list 1-19
7 E-Series Routers
ip bgp-community new-format 1-34 ip broadcast-address 2-20 ip community-list 1-34 ip debounce-time 2-30 ip description 2-30 ip directed-address 2-20 ip directed-broadcast 2-12 ip disable-forwarding 2-29 ip extcommunity-list 1-36 ip icmp update-source 2-40 ip ignore-df-bit 2-21 ip irdp 2-39 ip mask-reply 2-39 ip mtu 2-13, 2-21 ip multicast-routing 5-4 ip multicast-routing disable-rpf-check 5-8 ip multipath round-robin 2-32 ip prefix-list 1-17, 1-27 ip prefix-tree 1-17, 1-30, 8-12 ip proxy-arp 2-18 ip redirects 2-13, 2-39 ip refresh-route 1-43, 2-28 ip route 1-27, 2-25 ip router-id 2-25 ip router isis 10-12 ip route-type 5-8, 8-18, 9-37, 10-37 ip rpf-route 5-6 ip sa-validate 2-27 ip share-interface 2-36 ip share-nexthop 2-36 ip shutdown 2-27 ip source-route 2-29 ip speed 2-31 ip split-horizon 8-13 ip tunnel reassembly 7-2 ip unnumbered 2-13 ip unnumbered loopback 2-26 ip unreachables 2-39 ip vrrp 11-10 ip vrrp advertise-interval 11-10 ip vrrp authentication-key 11-11 ip vrrp authentication-type 11-11 ip vrrp enable 11-9, 11-11 ip vrrp preempt 11-11 ip vrrp priority 11-9, 11-11 ip vrrp virtual-address 11-8, 11-12 no ip interface 2-27 See also show ip commands 2-12 ip dvmrp commands ip dvmrp 5-61, 5-68
ip dvmrp accept-filter 5-63 ip dvmrp announce-list 5-66 ip dvmrp auto-summary 5-64 ip dvmrp disable 5-67 ip dvmrp metric-offset 5-64 ip dvmrp routehog-notification 5-62 ip dvmrp route-limit 5-62 ip dvmrp summary-address 5-64 ip dvmrp unicast-routing 5-67 See also show ip dvmrp commands 5-61, 5-68 IP fragmentation, reassembling for tunnel packets 7-1 ip igmp commands ip igmp 5-19 ip igmp access-group 5-22 ip igmp group limit 5-22 ip igmp immediate-leave 5-20 ip igmp last-member query-interval 5-20 ip igmp promiscuous 5-24 ip igmp-proxy 5-31 ip igmp-proxy unsolicited-report-interval 5-31 ip igmp-proxy V1-router-present-time 5-31 ip igmp querier 5-19 ip igmp querier-timeout 5-20 ip igmp query-interval 5-21 ip igmp query-max-response-time 5-21 ip igmp robustness 5-21 ip igmp static-exclude 5-23 ip igmp static-group 5-21 ip igmp static-include 5-23 ip igmp version 5-19 See also show ip igmp commands 5-19 IP in IP tunnels 6-2 IP interface, creating 2-35 IP interfaces adding a description 2-30, 3-16 clearing 2-28 moving 2-37 primary 2-33 removing IP configuration 2-27 setting a baseline 2-28 shared 2-33 sharing 2-33 shutting down 2-27 unnumbered 2-26 IP multicast groups assigning to an interface 5-21 identifying 5-16 leaving 5-16 maintaining membership of 5-16
8 Index
reporting 5-15 specifying 5-22 IP multicasting benefits of 5-2 deleting routes 5-4 dense mode protocols 5-5 enabling 5-4 M-BONE 5-59 monitoring 5-8 sparse mode protocols 5-5 IP multicast interfaces, monitoring 5-14 IP multicast routes 5-74 ip nat commands address 4-12 ip nat 4-8 ip nat inside source list 4-13 ip nat inside source static 4-9 ip nat outside source list 4-14 ip nat outside source static 4-10 ip nat pool 4-12 ip nat translation 4-15 ip nat translation max-entries 4-8 ip ospf commands ip ospf authentication-key 9-25 ip ospf authentication message-digest 9-25 ip ospf authentication-none 9-26 ip ospf cost 9-16 ip ospf dead-interval 9-17 ip ospf hello-interval 9-17 ip ospf message-digest-key 9-26 ip ospf network 9-35 ip ospf priority 9-17 ip ospf retransmit-interval 9-17 ip ospf shutdown 9-30 ip ospf transmit-delay 9-18 ip pim commands ip pim 5-43 ip pim query-interval 5-43 ip pim rp-address 5-45 ip pim send-rp-announce 5-45 ip pim send-rp-discovery scope 5-46 ip pim spt-threshold 5-46 See also show ip pim commands 5-43 IP profile, B-RAS 2-11 IP reassembly of tunnel packets 7-1 configuring 7-2 monitoring 7-3 ip rip commands ip rip 8-12 ip rip authentication key 8-13
ip rip authentication mode 8-13 ip rip receive version 8-13 ip rip send version 8-13 See also show ip rip commands IPSec AH 12-4 AH processing 12-15 concepts 12-4 configuration examples 12-31 tasks 12-20 configuring IPSec parameters 12-21 ISAKMP/IKE policy 12-28 tunnels 12-24 digital certificates 13-1 encapsulation modes 12-13 encapsulation protocols 12-13 ESP 12-4 ESP processing 12-15 L2TP with IPSec 14-1 license 12-20 monitoring 12-42 overview 12-1 packet encapsulation 12-6 protocol stack 12-5 reassembly of tunnel packets 7-2 remote access 14-1 secure IP interfaces 12-4 security parameters 12-6 security parameters per policy type 12-8 tunnel destination endpoint 12-9 tunnel source endpoint 12-9 See also L2TP with IPSec 14-1 ipsec certificate commands ipsec certificate-database refresh 13-10 ipsec certificate-request generate 13-10 ipsec commands ipsec clear 12-31 ipsec identity 13-10 ipsec isakmp-policy-rule 12-30, 13-10 ipsec key generate 13-11 ipsec key manual 12-22 ipsec key zeroize 13-11 ipsec lifetime 12-22 ipsec local-endpoint 12-22 ipsec transform-set 12-23 key 12-23 masked-key 12-23
9 E-Series Routers
IPSec identity commands common-name 13-9 country 13-9 domain-name 13-9 ipsec identity 13-10 organization 13-11 IPSec security parameters inbound SAs 12-6, 12-11 in relation to IPSec interface 12-7 lifetime 12-6 lifetime for user SAs 12-10 manual versus signalled 12-6, 12-8 negotiating transforms 12-14 operational VR 12-6, 12-8 outbound SAs 12-6, 12-11 perfect forward secrecy (PFS) 12-6, 12-10 per IPSec policy type 12-8 transform combinations supported 12-14 transform sets 12-6, 12-12 transforms supported 12-13 transport VR 12-6, 12-9 IPSec transport local profile commands pre-share 14-11 pre-share-masked 14-12 IPSec transport profile commands application 14-10 ipsec transport profile 14-10 lifetime 14-10 local ip address 14-11 pfs group 14-11 transform-set 14-12 IP security policies 12-14 IP tunnels 6-1 to 6-12 configuring 6-3 monitoring 5-14, 6-8 IPv6 address, defining 3-12 addressing compression and 3-6 prefix 3-6 scope 3-7 structure 3-8 types of 3-6 understanding 3-5 configuring neighbor discovery 3-17 enabling and disabling 3-14 E-series router features 3-2 headers extensions 3-5 standard 3-4
ICMP and 3-8 instance, creating an 3-16 interface, unnumbered 3-12 interfaces clearing 3-14 managing 3-14 license 3-11 monitoring 3-21 to 3-35 neighbor discovery, defining 3-18 neighbors, creating 3-17, 3-20 overview 3-2 packet headers 3-3 ping and 3-8 profile 3-11 to 3-13 references 3-3 static routes and 3-13 traceroute and 3-8 ipv6 commands ipv6 3-16 ipv6 address 3-12 ipv6 description 3-16 ipv6 enable 3-14 ipv6 mtu 3-12 ipv6 nd 3-18 ipv6 nd dad attempts 3-19 ipv6 nd ns-interval 3-18 ipv6 nd reachable-time 3-18, 3-19 ipv6 neighbor 3-17, 3-20 ipv6 neighbor proxy 3-19 ipv6 route 3-13 ipv6 routes 3-17 ipv6 unnumbered 3-12 ipv6 virtual-router 3-12 ipv6 nd commands ipv6 nd 3-18 ipv6 nd dad attempts 3-19 ipv6 nd ns-interval 3-18 ipv6 nd reachable-time 3-18 IPv6 profile, B-RAS 3-11 IRDP (ICMP Router Discover Protocol) 2-39 IS (intermediate system) 10-2 hello packet rate 10-33 neighbor information 10-53 ISAKMP policy commands aggressive-mode 12-29 authentication 12-29, 13-9 encryption 12-29 group 12-30 hash 12-30 lifetime 12-30
10 Index
IS-IS (Intermediate System-to-Intermediate System) 10-1 to 10-56 adjacencies, clearing 10-38 configuring 10-11 to 10-35 default routes 10-26 for MPLS 10-35 global parameters 10-20 to 10-35 interface-specific parameters 10-14 to 10-19 redistribution 10-21 displaying CLNS 10-47 to 10-48 dynamic hostname resolution 10-33 ECMP 10-9 enabling 10-12 to 10-14 hello packet validity rate 10-33 HMAC MD5 authentication for level 1 packets 10-21 for level 2 packets 10-20 on the interface 10-16 Integrated IS-IS 10-9 level 1 routing 10-4 level 2 routing 10-5 LSPs. See LSPs (link state packets), IS-IS monitoring 10-37 to 10-46 MPLS and 10-35 redistributing routes between levels 10-23 route leaking 10-23 router type 10-27 routes summarizing 10-27 using for multicast RPF checks 10-36 routing levels/layers 10-2, 10-3, 10-4, 10-17, 10-27 starting and stopping MD5 packets 10-7 suboptimal paths, correcting 10-23 summarizing routes 10-27 suppressing default routes 10-27 system identifier 10-3 topology elements 10-4 traffic engineering 10-35 troubleshooting 10-38 isis commands isis authentication-key 10-15 isis circuit-type 10-15 isis csnp-interval 10-15 isis hello-interval 10-16 isis hello-multiplier 10-16 isis lsp-interval 10-16 isis mesh-group 10-34 isis message-digest-key 10-6, 10-16
isis metric 10-17 isis priority 10-17 isis retransmit-interval 10-18 isis retransmit-throttle-interval 10-18 See also show isis commands 10-6 IS-IS protocol, OSPF routing with 9-7 ISO 10589. See IS-IS ISO address 10-3 is-type command 10-27
J
join messages 5-39
L
L2F, reassembly of tunnel packets 7-2 L2TP, reassembly of tunnel packets 7-2 l2tp ignore-receive-data-sequencing command 7-3 L2TP with IPSec 14-1 client software supported 14-5 compatibility 14-4 configuring client PC 14-7 E-series router 14-7 IPSec transport profiles 14-8 L2TP destination profiles 14-7 control and data frames 14-4 group preshared key 14-6 how it works 14-2 LNS change of address 14-6 of port 14-6 overview 14-1 references 14-2 requirements 14-4 setting up secure connection 14-3 tunnel creation 14-5 with NAT 14-5 with PPP 14-5 leakage, OSPF route 9-6 leave group membership messages 5-16 leaving an IP multicast group 5-16 level 1 routing, IS-IS 10-2, 10-4 level 2 routing, IS-IS 10-3, 10-5 levels of IS-IS routing 10-2, 10-3, 10-4, 10-17, 10-27 license ipsec-tunnels command 12-21 license ipv6 command 3-11 lifetime, IPSec 12-10, 12-19 limited broadcast packets 2-19
11 E-Series Routers
limiting IGMP groups on interfaces 5-22 limiting translation entries 4-8 line modules, forwarding table on 2-22 link state advertisements. See LSAs link state metrics, IS-IS 10-17 link state packets. See LSPs local-as community, BGP 1-32 local routing table 2-21 log-adjacency-changes command 10-29 logical addresses 2-6 loopback interfaces 6-3 LSAs (link state advertisements) 9-3 opaque LSAs 9-6 retransmit interval and transmit delay 9-17, 9-22 LSDB (link state database) 9-5 lsp-gen-interval command 10-30 lsp-mtu command 10-30 lsp-refresh-interval command 10-31 LSPs (link state packets), IS-IS ignoring errors 10-29 interval rate 10-30 MTU 10-30 overload bit 10-28 refresh interval 10-31 retransmission interval 10-18 retransmission throttle interval 10-18 transmission interval 10-16
M
MAC addresses and ARP 2-14 defined 2-6 manual IPSec interfaces 12-8 manuals, E-series xxii comments on xxiii on CD xxi map tag, route map 1-3 master router 11-1 to 11-11 match commands 1-8 to 1-11 and route maps 1-2 match as-path 1-8 match community 1-8 match distance 1-8 match extcommunity 1-8, 1-36 match ip address 1-9, 1-27, 1-30, 1-31 match ip next-hop 1-9, 1-10, 1-27, 1-29, 1-30, 1-31 match level 1-10 match metric 1-10
match metric-type 1-10 match route-type 1-10 match-set summary prefix-tree 1-31, 8-14 match tag 1-11 match-set summary prefix-tree 1-30 maximum-paths command IP 2-32 IS-IS 10-34 OSPF 9-31 RIP 8-14 maximum transmission unit. See MTU max-lsp-lifetime command 10-31 M-BONE (multicast backbone of the Internet) 5-59 MD5 authentication IS-IS 10-5 OSPF 9-22, 9-25, 9-26 mesh group, setting (IS-IS) 10-34 message-digest-key md5 command 9-39 message digests 9-22 metric, DVMRP 5-64 metric, setting 2-25 metrics, OSPF default 9-33 metric-style commands metric-style narrow 10-25 metric-style transition 10-25 metric-style wide 10-25 MIB, OSPF 9-7 MIBs xxiii models ERX-14xx xix ERX-7xx xix E-series xix monitoring ARP 2-57 DVMRP 5-69 to 5-74 IGMP 5-14, 5-25 to 5-29 IGMP proxy 5-32 to 5-34 IP 2-56 to 2-81 IP multicast interfaces 5-14 IP multicast settings 5-8 IP tunnels 5-14, 6-8 IPv6 3-21 to 3-35 IS-IS 10-37 to 10-46 mrinfo requests 5-14 NAT 4-23 OSPF 9-42 to 9-53 PIM 5-14, 5-51 to 5-59 routing policy 1-43 to 1-54 RPF routes 5-6
12 Index
mpls commands mpls spf-use-any-best-path (IS-IS) 10-36 mpls spf-use-any-best-path (OSPF) 9-36 mpls traffic-eng (IS-IS) 10-36 mpls traffic-eng area 9-36 mpls traffic-eng router-id 9-36 mpls traffic-eng router-id (IS-IS) 10-36 mrinfo requests, support for 5-14 mtrace command 5-74 MTU (maximum transmission unit) IP 2-3, 2-21 IP tunnels 6-4 IPv6 3-12 IS-IS 10-30 OSPF 9-13 multicast, addressing 2-7 multicast group port limit command 5-23 multicasting, IP. See IP multicasting multicast services over BGP/MPLS VPNs configuring 5-47 overview 5-39 multihomed hosts 2-3 multinetting 2-9
N
NAT (Network Address Translation) configuration examples 4-15 to 4-22 NAT (Network Address Translation) access list rules, creating 4-10 address pools, defining 4-11 address translation dynamic 4-6 inside source 4-5 outside source 4-6 static 4-6 bidirectional 4-3 configuration types 4-2 configuring 4-1 dynamic address translation, defining 4-10 dynamic inside source translation, creating 4-13 dynamic outside source translation, creating 4-14 interfaces, specifying inside and outside 4-8 monitoring 4-23 order of operations 4-7 overview 4-2 references 4-7 static address translation, defining 4-9 terms 4-4
inside global address 4-5 inside local address 4-5 outside global address 4-5 outside local address 4-5 timeouts, defining 4-14 traditional 4-2 basic 4-3 NAPT (Network Address Port Translation) 4-3 translation entries, limiting 4-8 translation rules, defining 4-12 translations, clearing 4-15 twice 4-4 ND (neighbor discovery) configuring 3-17 understanding 3-9 neighbor commands neighbor 8-15, 9-35 neighbor distribute-list 1-17, 1-25 neighbor filter-list 1-19, 1-25 neighbor prefix-list 1-17, 1-25 neighbor prefix-tree 1-17, 1-25 neighbor send-community 1-35 neighboring routers, OSPF 9-3, 9-51 neighbors, DVMRP 5-59 NET (network entity title) 10-3, 10-12, 10-13 net command 10-13 network area command 9-9 network command 8-15 network entity title. See NET network interface layer (TCP/IP) 2-3 Network Layer addresses 10-4 network masks 2-7 to 2-8 network prefixes, filtering 1-16 network service access point. See NSAP next-hop routers, setting/redistributing routes 1-9, 1-10, 1-14, 1-29 no-advertise community, BGP 1-32 no area command 9-20 no-export community, BGP 1-32 no-export-subconfed community, BGP 1-32 no ipv6 command 3-16 nonbroadcast networks 9-3 notice icons defined xx not-so-stubby area, OSPF. See NSSA NSAP (network service access point) 10-3, 10-5, 10-33 NSSA (not-so-stubby area), OSPF 9-3, 9-20 null authentication, OSPF 9-6 null interface 1-26
13 E-Series Routers
O
opaque LSAs, OSPF 9-6 Open Shortest Path First. See OSPF OSPF (Open Shortest Path First) 9-1 to 9-53 ABRs 9-2 adjacency 9-2 areas, defining 9-5 ASBR 9-3 authentication MD5 9-25 simple password 9-6, 9-25 autocost 9-31 automatic virtual links 9-22 backbone area 9-19 BGP/MPLS VPNs and 9-37 BGP and 9-7 clearing IP routing table 1-43 configuring areas 9-19 to 9-22 authentication 9-22 to 9-26 incremental SPF 9-40 interfaces 9-13 to 9-18 NBMA networks 9-34 remote neighbors 9-37 traps 9-41 creating interfaces 9-8 database 9-45 dead interval 9-17 default cost 9-20 deleting interfaces 9-8 domain 9-3 ECMP 9-7 enabling 9-9 interaction with BGP/MPLS VPNs 9-37 MD5 authentication 9-25 metrics, default 9-33 MIB 9-7 monitoring 9-42 to 9-53 password authentication, simple 9-6, 9-25 reinstalling routes in IP routing table 1-43 route leakage 9-6 routes, using for multicast RPF checks 9-37 routing costs 9-16 routing priority 9-5 SPF hold time interval 9-33 stub area 9-3 topology elements 9-4 traffic engineering 9-35 transmit delay 9-18, 9-22 troubleshooting 9-42
virtual links 9-6 ospf commands ospf auto-cost reference-bandwidth 9-31 ospf enable 9-10, 9-11 ospf log-adjacency-changes 9-31, 9-43 ospf shutdown 9-31 See also show ospf commands overload bit, IS-IS 10-28
P
packets, IP 2-2 broadcast packets 2-19 echo request and trace packets 2-42 ICMP messages and 2-38 packets, IPv6 echo request and trace 3-15 packet switching networks 2-2 parallel routes, maximum number of 2-32, 8-14, 9-31, 10-34 passive-interface command 8-15, 9-32, 10-19 passwords IS-IS area authentication 10-20 IS-IS authentication 10-16 IS-IS domain authentication 10-21 OSPF MD5 authentication 9-25 OSPF simple password authentication 9-6, 9-25 PDU (protocol data unit) 10-3 perfect forward secrecy 12-10 physical addresses 2-6 PIM (Protocol Independent Multicast) 5-34 to 5-59 displaying events 5-51 enabling on an interface 5-43 on a virtual router 5-42 monitoring 5-14, 5-51 to 5-59 removing 5-49 resetting counters and mappings 5-50 using with DVMRP 5-43, 5-62 using with IGMP 5-43 See also PIM DM, PIM SM, and PIM S-DM PIM dense mode. See PIM DM pim disable command 5-43 PIM DM (PIM dense mode) 5-35 See also PIM PIM S-DM (PIM sparse-dense mode) 5-42 configuring auto-RP router 5-45 PIM SM (PIM sparse mode) 5-38 configuring auto-RP router 5-44 hold time 5-41
14 Index
joining groups 5-39 multicast services over BGP/MPLS VPNs configuring 5-47 overview 5-39 pruning 5-39 remote neighbors configuring 5-47 creating 5-39 setting a threshold 5-46 timers 5-41 PIM sparse mode See also PIM SM PIM sparse-dense mode See PIM S-DM PIM SSM (PIM source-specific multicast) enabling 5-49 requirements for IGMPv3 5-49 ping command 2-40, 3-8 Point-to-Point Protocol. See PPP PPP (Point-to-Point Protocol), host access routes 2-26 prefixes, filtering network 1-16 prefix lists 1-27 prefix trees 1-30 preventing recursive tunnels 6-7 primary IP addresses 2-10 interface 2-33 priority IS-IS designated router 10-17 OSPF routing 9-5, 9-17 profile, creating 2-11, 3-11 profile command 2-12, 2-13, 2-14, 3-11, 3-13 protocol data unit. See PDU Protocol Independent Multicast. See PIM protocol number 2-2 protocols (IP), monitoring 1-47 prune messages 5-5, 5-36, 5-39
Q
query-interval command 5-47
R
reachability commands IP 2-40 IP multicast 5-74 reassembling IP datagrams 2-3 receive version command 8-20 recursive tunnels, preventing 6-7
redirects, IP 2-39 redistribute command 1-25 DVMRP 5-65 IS-IS 10-22 OSPF 9-6, 9-32 RIP 8-15 redistribute isis ip command 10-24 redistributing routes, DVMRP 5-65 redistributing routes between IS-IS levels 10-23 redistribution policy (IP), monitoring 1-48, 2-69, 2-72, 3-30 redistribution routes clearing all (IS-IS) 10-22 clearing all (OSPF) 9-29 disabling dynamic (DVMRP) 5-66 disabling dynamic (IS-IS) 10-22 disabling dynamic (OSPF) 9-30 disabling dynamic (RIP) 8-11 setting 8-15, 9-32, 10-22 redundancy, tunnel server 6-3 refresh interval, LSP (IS-IS) 10-31 regular expressions and routing policy 1-37 AS-path lists 1-37 community lists 1-38 community number format 1-38 examples 1-40 metacharacters defined 1-38 specifying as literals 1-39 release notes xxiii reliable protocols 2-38, 3-8 remote-neighbor command 5-47, 8-20, 9-39 remote neighbors OSPF 9-37 PIM SM 5-39 PIM SM, configuring 5-47 RIP 8-19 removing DVMRP 5-67 PIM 5-49 See also deleting rendezvous point router. See RP routers reporting IP multicast groups 5-15 request messages, RIP 8-2 resetting PIM counters and mappings 5-50 response messages, RIP 8-2 Response Time Reporter. See RTR retransmission interval, IS-IS 10-18 retransmission throttle interval, IS-IS 10-18
15 E-Series Routers
retransmit interval and transmit delay 9-17, 9-22 OSPF 9-17, 9-22 retransmit-interval command 9-40 reverse-path forwarding. See RPF RIP (Routing Information Protocol) 8-1 to 8-28 authentication 8-3 clearing IP routing table 1-43 configuring 8-7 to 8-15 debounce interval 8-10 disabling dynamic route distribution 8-11 ECMP 8-6 maximum number of parallel routes 8-14 message types 8-2 monitoring 8-22 to 8-28 purging the routing table 8-12 reinstalling routes in IP routing table 1-43 remote neighbors 8-19 request messages 8-2 response messages 8-2 route specificity 8-16 route tags 8-3 split horizon mechanism 8-6 subnet masks 8-4 summarizing routes 8-5 triggered updates, disabling 8-18 troubleshooting 8-22 using routes for multicast RPF checks 8-18 route leakage, OSPF 9-6 route leaking between IS-IS levels 10-23 route-map command 1-11, 5-65, 8-16, 9-27, 10-21 route maps and routing policy 1-2 to 1-16 deny keyword 1-3 filtering incoming/outgoing routes with access lists 1-22 to 1-24 instance 1-3 map tag 1-3 match clause 1-2 monitoring 1-54 permit keyword 1-3 sequence number 1-3 set clause 1-2 route maps, IP, monitoring 2-80 router commands router dvmrp 5-66, 5-68 router igmp 5-25 router isis 10-13 router ospf 9-10, 9-11 router pim 5-43, 5-49
router rip 8-16, 8-18 router IDs 2-25, 9-3 router type, IS-IS 10-27 routes summarizing IS-IS 10-27 summarizing RIP 8-5 using for other protocols 5-8 using IS-IS 10-36 using OSPF 9-37 using RIP 8-18 route tags, RIP 8-3 routing, IP 2-21 to 2-33 adding host route to peer on PPP interface 2-26 default routes 2-26 disabling forwarding of packets 2-29 identifying a router 2-25 maximum number of parallel routes 2-32 monitoring 1-49, 1-50, 2-61, 2-72, 2-74 routing operations 2-25 routing tables 2-21 to 2-27 source address validation 2-27 static routes 2-25 See also IP routing, IPv6 See also IPv6 hop limit 3-13 monitoring 3-28, 3-31 static routes 3-13 routing, IS-IS clearing redistribution information 10-22 default route and routing domain 10-26 designated routers 10-17 integrated 10-9 layers/levels of 10-2, 10-3, 10-4, 10-17 maximum number of parallel routes 10-34 OSPF routing with 9-7 route summarization 10-27 routing domains 10-3 setting redistribution routes 10-22 specifying type (level) 10-27 See also IS-IS routing, OSPF clearing redistribution information 9-29 cost 9-16 autocost 9-31 default routing cost 9-20 equal-cost multipath 9-7 default route and routing domain 9-30 displaying information about 9-44
16 Index
intra-area, interarea, external routes 9-5 leakage 9-6 maximum number of parallel routes 9-31 priority 9-5, 9-17 See also OSPF routing, RIP debounce interval 8-10 maximum number of parallel routes 8-14 purging the routing table 8-12 route specificity 8-16 triggered updates, disabling 8-18 routing information base (RIB) 2-21 Routing Information Protocol. See RIP routing policy community 1-31 community list 1-32 configuring 1-1 managing the routing table 1-43 monitoring 1-43 overview 1-1 prefix lists 1-27 prefix trees 1-30 route maps 1-2 troubleshooting 1-43 routing policy, BGP access lists 1-16 to 1-24 monitoring 1-43 to 1-54 route maps 1-2 to 1-16 routing table entry 2-22 global IP 2-22 local 2-21 routing table, managing the IP 1-43 RP (rendez-vous point) routers 5-44 configuring, automatic 5-45 configuring, static 5-44 RP (rendezvous point) routers assigning automatically 5-45 configuring, automatic 5-44 RPF (reverse-path forwarding) 5-5 RPF routes, monitoring 5-6 RTR (Response Time Reporter) 2-42 collecting history 2-46 collecting statistics 2-46 configuring 2-43 monitoring 2-50 options 2-44 probe configuring 2-43 scheduling 2-48
S
secondary IP addresses 2-10 secure IP interfaces 12-4 security parameters 12-6 send-more-specific-routes-disable command 8-16 send version command 8-21 sequence number, route map 1-3 set commands 1-12 to 1-16 and route maps 1-2 set as-path prepend 1-12 set automatic-tag 1-12 set comm-list delete 1-12 set community 1-13, 1-35 set dampening 1-13 set distance 1-13 set extcommunity 1-14, 1-36 set ip next-hop 1-14 set level 1-14 set local-preference 1-14 set metric 1-15 set metric-type 1-15 set origin 1-16 set route-type 1-16 set tag 1-16 set weight 1-16 set-overload-bit command 10-28 setting administrative distance, IP 2-23 baseline DVMRP 5-69 IGMP 5-25 IGMP Proxy 5-32 DVMRP hop-count 5-64 metric 2-25 threshold, PIM SM 5-46 shared IP interfaces configuring 2-34 moving 2-37 primary interface 2-33 shared interface 2-33 shared trees 5-38, 5-39, 5-46 shortest path trees. See SRTs show access-list command 1-44, 2-57 show arp command 2-57 show clns commands show clns 10-49 show clns interface 10-51
17 E-Series Routers
show clns neighbors 10-53 show clns protocol 10-54 show clns traffic 10-54 show dvmrp commands show dvmrp tunnel 6-8 show dvmrp tunnel summary 6-9 show gre commands show gre tunnel 6-10 show gre tunnel summary 6-12 show host command 10-38 show ike commands show ike certificates 13-12 show ike configuration 13-14 show ike identity 13-14 show ike policy-rule 12-42 show ike sa 12-43 show ip commands show ip 2-58 show ip address 2-58 show ip as-path-access-list 1-45, 2-60 show ip community-list 1-45, 2-60 show ip dynamic-interface-prefix 2-61 show ip extcommunity-list 1-37 show ip forwarding-table 2-61 show ip interface 2-61 show ip interface shares 2-65 show ip mroute 5-8 show ip mroute count 5-10, 5-11 show ip mroute summary 5-12 show ip prefix-list 1-46 show ip prefix-list detail 1-46 show ip prefix-list summary 1-46 show ip prefix-tree 1-47 show ip prefix-tree detail 1-47 show ip prefix-tree summary 1-47 show ip protocols 1-47, 2-69 show ip redistribute 1-48, 2-72, 3-30 show ip route 1-49, 2-72 show ip route slot 1-50, 2-74 show ip rpf-route 5-6 show ip static 1-51, 2-74 show ip tcp statistics 2-75 show ip traffic 1-51 show ip tunnel reassembly statistics 7-3 show ip udp statistics 2-80 show ip vrrp 11-12 show ip vrrp brief 11-13 show ip vrrp neighbors 11-13 show ip vrrp statistics 11-14 show ip vrrp statistics global 11-16
show ip dvmrp commands show ip dvmrp 5-69 show ip dvmrp interface 5-70 show ip dvmrp mroute 5-71 show ip dvmrp neighbor 5-71 show ip dvmrp route 5-73 show ip dvmrp routeNextHop 5-74 show ip igmp commands show ip igmp 5-25 show ip igmp groups 5-26 show ip igmp interface 5-27 show ip igmp interface brief 5-28 show ip igmp-proxy 5-32 show ip igmp-proxy groups 5-32 show ip igmp-proxy interface 5-33 show ip multicast commands show ip multicast protocols 5-12 show ip multicast protocols brief 5-13 show ip multicast routing 5-14 show ip nat commands show ip nat statistics 4-23 show ip nat translations 4-24 show ip ospf commands show ip ospf 9-44 show ip ospf border-routers 9-45 show ip ospf database 9-45 show ip ospf database opaque-area 9-47 show ip ospf interface 9-49 show ip ospf internal-statistics 9-49 show ip ospf neighbors 9-51 show ip ospf remote-neighbor interface 9-51 show ip ospf spf-log 9-51 show ip ospf virtual-links 9-53 show ip pim commands show ip pim auto-rp 5-51 show ip pim dense-mode sg-state 5-52 show ip pim interface 5-53 show ip pim neighbor 5-54 show ip pim remote-neighbor 5-55 show ip pim rp 5-55 show ip pim rp-hash 5-56 show ip pim sparse-mode sg-state 5-56 show ip pim sparse-mode unicast-route 5-58 show ip pim spt-threshold 5-58 show ip rip commands 8-23 to 8-26 show ip rip 8-23 show ip rip brief 8-25 show ip rip database 8-26 show ip rip network 8-27 show ip rip stats 8-28
18 Index
show ip rip summary-address 8-28 show ipsec commands show ipsec lifetime 12-44 show ipsec local-endpoint 12-44 show ipsec transform-set 12-45 show ipsec tunnel detail 12-45 show ipsec tunnel summary 12-47 show ipsec tunnel virtual-router 12-47 show license ipsec-tunnels 12-48 show IPSec transport profile commands show ipsec transport interface 14-13 show ipsec transport interface summary 14-15 show ipsec transport profile 14-15 show ipv6 commands show ipv6 3-22 show ipv6 address 3-22 show ipv6 neighbors 3-28 show ipv6 protocols 3-29 show ipv6 route 3-31 show ipv6 static 3-32 show ipv6 traffic 3-32 show ipv6 udp statistics 3-34 show license ipv6 3-35 show isis commands show isis database 10-39 show isis mpls adjacency-log 10-42 show isis mpls advertisements 10-43 show isis mpls tunnel 10-44 show isis spf-log 10-45 show isis summary-addresses 10-46 show isis topology 10-46 show multicast group limit command 5-29 show profile commands show profile 2-68, 3-28 show profile brief 2-81 show route-map command 1-54, 2-81 signalled IPSec interfaces 12-8 simple password authentication, OSPF 9-6, 9-25 snmp trap ip link-status command 2-31 software, installing xix source, tunnel 6-2 source address verification 2-27 source-rooted trees. See SRTs sparse mode multicast protocols 5-5 specifying IP multicast groups 5-22 SPF, incremental 9-40 SPF calculations, information on 9-51, 10-45 SPF hold time interval 9-33 IS-IS 10-31
spf-interval command 10-31 split-horizon command 8-21 split horizon mechanism 8-6 SPTs (shortest path trees). See SRTs SRP module, global IP routing table on 2-22 SRTs (source-rooted trees) 5-35, 5-39, 5-46, 5-59 starting IS-IS MD5 packets 10-7 static routes 1-51, 2-25, 2-74, 3-13, 3-32, 5-6, 6-7 static tunnels 6-1 to 6-12 stopping IS-IS MD5 packets 10-7 stub areas, OSPF 9-3, 9-20 subnet addressing 2-7 subnet masks, RIP 8-4 summarizing RIP routes 8-5 summary-address command 10-27, 9-12 summary addresses DVMRP routing 5-63 IS-IS routing 10-27 OSPF routing 9-12 supernets 2-9 suppress-default command 10-27 suppressing IS-IS default routes 10-27 syntax conventions defined xx system identifier, IS-IS 10-3
T
table forwarding 2-22 global IP routing 2-22 local routing 2-21 table-map command (RIP) 8-17, 9-32 table-map command, IP 1-26 TCP/IP protocol suite defined 2-2 layers of 2-3 to 2-4 text conventions defined xx timers PIM SM 5-41 RIP 8-17 timers commands timers 8-17 timers spf 9-33 time-to-live command 8-21 TLV for resolution of IS-IS dynamic hostname 10-5, 10-33 topology IS-IS 10-4 OSPF 9-4 trace packets 2-42, 3-15, 5-74 traceroute command 2-40, 2-42, 3-8, 3-15
19 E-Series Routers
traffic, IP 1-51, 2-11 to 2-80 traffic engineering and IS-IS 10-35 and OSPF 9-35 transform sets, IPSec 12-12 transmit delay, OSPF 9-18, 9-22 transmit-delay command 9-40 transport layer (TCP/IP) 2-4 transport network 6-7 traps, OSPF 9-41 traps command 9-42 triggered-update-disable command 8-18 troubleshooting dropped packets 2-65 IS-IS 10-38 OSPF 9-42 RIP 8-22 routing policy 1-43 TSM (Tunnel Service line module) installing 6-2 monitoring parameters 6-8 redundancy 6-3 ttl command 9-40 tunnel commands, IP tunnel checksum 6-4 tunnel destination 6-4 tunnel mtu 6-4 tunnel source 6-5 tunnel commands, IPSec tunnel destination 12-25 tunnel lifetime 12-26 tunnel local-identity 12-26 tunnel mtu 12-26 tunnel peer-identity 12-26 tunnel pfs group 12-27 tunnel session-key-inbound 12-27 tunnel session-key-outbound 12-27 tunnel signaling 12-28 tunnel source 12-28 tunnel transform set 12-28 tunnels, IP 6-1 to 6-12 DVMRP (IP in IP) 6-2 endpoints 6-2 GRE 6-2 tunnels, reassembling tunnel packets 7-1 Tunnel Service line module. See TSM type-length-value for resolution of IS-IS dynamic hostname 10-5, 10-33
U
UDP (User Datagram Protocol) 8-2 undebug commands undebug ip ospf 9-43 undebug ip pim 5-51 undebug ip rip 8-22 undebug isis 10-46 unicast routes, DVMRP 5-66 unnumbered interface IP 2-26 IPv6 3-12 unreachable messages (ICMP) 2-39 unreliable protocols 2-2, 2-38, 3-8 updates, BGP AS-path filters for 1-19 to 1-21 update-source command 5-48, 8-21, 9-40 updating the system software xix upstream interface 5-29 User Datagram Protocol. See UDP
V
validating source addresses 2-27 virtual links, OSPF 9-3, 9-6, 9-22 virtual MAC address 11-1 virtual-router command 2-13 Virtual Router Redundancy Protocol (VRRP). See VRRP VRID (virtual router ID) configuration 11-9 creating 11-8, 11-9 router election rules 11-7 VRRP (Virtual Router Redundancy Protocol) advertisement interval 11-9 advertisement messages 11-7 authentication key 11-10 authentication type 11-10 backup router 11-1, 11-7 configuration examples 11-3 to 11-6 configuring 11-8 to 11-12 Fast Ethernet (FE) modules 11-2 Gigabit Ethernet (GE) modules 11-2 how it works 11-3 implementation 11-7, 11-8 MAC address 11-1 master router 11-1 to 11-11 monitoring 11-12 overview 11-1 preemption 11-8, 11-11 router election rules 11-7
20 Index
router priority 11-10 VLAN support 11-2 VRRP router defined 11-2 vrrp commands ip vrrp 11-10 ip vrrp advertise-interval 11-10 ip vrrp authentication-key 11-11 ip vrrp authentication-type 11-11 ip vrrp enable 11-9, 11-11 ip vrrp preempt 11-9, 11-11 ip vrrp priority 11-11 ip vrrp virtual-address 11-12
W
well-known communities, BGP 1-32
X
X.509v3 certificates 13-3