Nortel VPN Router Config
NN46110-504
315898-E Rev 01
February 2007
Document status: Standard
600 Technology Park Drive, Billerica, MA 01821-4130
Trademarks
Nortel Networks, the Nortel Networks logo, and Nortel VPN Router are trademarks of Nortel Networks. Adobe and Acrobat Reader are trademarks of Adobe Systems Incorporated. Microsoft, Windows, Windows NT, and MS-DOS are trademarks of Microsoft Corporation. All other trademarks and registered trademarks are the property of their respective owners. The asterisk after a name denotes a trademarked item.
Statement of conditions
In the interest of improving internal design, operational function, and/or reliability, Nortel Networks Inc. reserves the right to make changes to the products described in this document without notice. Nortel Networks Inc. does not assume any liability that may occur due to the use or application of the product(s) or circuit layout(s) described herein. Portions of the code in this software product may be Copyright 1988, Regents of the University of California. All rights reserved. Redistribution and use in source and binary forms of such portions are permitted, provided that the above copyright notice and this paragraph are duplicated in all such forms and that any documentation, advertising materials, and other materials related to such distribution and use acknowledge that such portions of the software were developed by the University of California, Berkeley. The name of the University may not be used to endorse or promote products derived from such portions of the software without specific prior written permission. SUCH PORTIONS OF THE SOFTWARE ARE PROVIDED AS IS AND WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. In addition, the program and information contained herein are licensed only pursuant to a license agreement that contains restrictions on use and disclosure (that may incorporate by reference certain limitations and notices imposed by third parties).
Government, the respective rights to the software and software documentation are governed by Nortel Networks standard commercial license in accordance with U.S. Federal Regulations at 48 C.F.R. Sections 12.212 (for non-DoD entities) and 48 C.F.R. 227.7202 (for DoD entities). b. Customer may terminate the license at any time. Nortel Networks may terminate the license if Customer fails to comply with the terms and conditions of this license. In either event, upon termination, Customer must either return the Software to Nortel Networks or certify its destruction. Customer is responsible for payment of any taxes, including personal property taxes, resulting from Customer's use of the Software. Customer agrees to comply with all applicable laws including all applicable export and import laws and regulations. Neither party may bring an action, regardless of form, more than two years after the cause of the action arose. The terms and conditions of this License Agreement form the complete and exclusive agreement between Customer and Nortel Networks. This License Agreement is governed by the laws of the country in which Customer acquires the Software. If the Software is acquired in the United States, then this License Agreement is governed by the laws of the state of New York.
Contents
Preface 13
  Before you begin 13
  Text conventions 13
  Acronyms 15
  Related publications 18
  Hard-copy technical manuals 19
  Finding the latest updates on the Nortel Web site 19
  Getting help from the Nortel Web site 19
  Getting help over the phone from a Nortel Solutions Center 20
  Getting help from a specialist by using an Express Routing Code 20
  Getting help through a Nortel distributor or reseller 20
Configuring Neighbors 71
  Adding a Network 72
  Configuring the Route Reflector 72
  Configuring AS Path Access Lists 73
  Configuring Community Lists 74
Health Check Support 75
Chapter 8 Client address redistribution 87
Chapter 9 Configuring multicast relay 93
Chapter 10 Configuring the Virtual Router Redundancy Protocol (VRRP) 97
  VRRP and dynamic routing for high availability 98
  Configuring VRRP on the Nortel VPN Router 102
    Configuring IP addresses for backups 103
  Interface groups and critical interface failover 105
Figures
Figure 1 Interaction of OSPF, BGP, and RIP with the routing table 30
Figure 2 BGP communities 69
Figure 3 Accept and announce policies 82
Figure 4 Client address redistribution 88
Figure 5 Aggregation for client address redistribution 89
Figure 6 Sample high-availability environment 100
Figure 7 VRRP and static tunnels 101
Tables
Table 1 Forwarding capabilities 23
Table 2 Routing status window options 26
Table 3 IP Forward Table window 34
Table 4 IP Route Table window 34
Table 5 RIP Statistics window 41
Table 6 RIP Database window 41
Table 7 RIP Interfaces window 42
Table 8 LSDB window 50
Table 9 OSPF Dynamic Neighbors window 50
Table 10 OSPF Interfaces window 51
Table 11 OSPF Summary window 51
Table 12 OSPF Statistics window 52
Table 13 RFCs 56
Table 14 Path attribute types 59
Table 15 Redistribution rules 83
Table 16 Show user tunnel routes 91
Table 17 Multicast interface-specific rules example 94
Table 18 Multicast Statistics window 95
Table 19 Multicast Interfaces window 95
Preface
This guide describes routing on the Nortel VPN Router and provides the information you need to configure it.
Text conventions
This guide uses the following text conventions:

angle brackets (< >)
Indicate that you choose the text to enter based on the description inside the brackets. Do not type the brackets when entering the command. Example: If the command syntax is ping <ip_address>, you enter ping 192.32.10.12.

bold Courier text
Indicates command names and options and text that you need to enter. Example: Use the show health command. Example: Enter terminal paging {off | on}.

braces ({ })
Indicate required elements in syntax descriptions where there is more than one option. You must choose only one of the options. Do not type the braces when entering the command. Example: If the command syntax is ldap-server source {external | internal}, you must enter either ldap-server source external or ldap-server source internal, but not both.

brackets ([ ])
Indicate optional elements in syntax descriptions. Do not type the brackets when entering the command. Example: If the command syntax is show ntp [associations], you can enter either show ntp or show ntp associations. Example: If the command syntax is default rsvp [token-bucket {depth | rate}], you can enter default rsvp, default rsvp token-bucket depth, or default rsvp token-bucket rate.

ellipsis points (. . .)
Indicate that you repeat the last element of the command as needed. Example: If the command syntax is more diskn:<directory>/...<file_name>, you enter more and the fully qualified name of the file.

italic text
Indicates new terms, book titles, and variables in command syntax descriptions. Where a variable is two or more words, the words are connected by an underscore. Example: If the command syntax is ping <ip_address>, ip_address is one variable and you substitute one value for it.

Indicates system output, for example, prompts and system messages. Example: File not found.
separator ( > )
Shows menu paths. Example: Choose Status > Health Check.

vertical line ( | )
Separates choices for command keywords and arguments. Enter only one of the choices. Do not type the vertical line when entering the command. Example: If the command syntax is terminal paging {off | on}, you enter either terminal paging off or terminal paging on, but not both.
Acronyms
This guide uses the following acronyms:

ABOT  asynchronous branch office tunnel
ABR  autonomous boundary router
AS  autonomous system
ASBR  autonomous system border router
BGP  border gateway protocol
BOT  bisync over TCP transport service
CAR  client address redistribution
CMS  circuit mapping service
DN  distinguished name
DNS  domain name system
DR  designated router
EBGP  exterior border gateway protocol
ECMP  equal cost multipath
FEM  forwarding engine mapper
FTP  File Transfer Protocol
IBGP  interior border gateway protocol
IGP  interior gateway protocol
IP  Internet Protocol
IR  information retrieval
ISP  Internet service provider
L2TP  Layer 2 Tunneling Protocol
LAN  local area network
LDAP  lightweight directory access protocol
LSA  link state advertisement
LSDB  link state database
MBGP  multiprotocol BGP
MED  multi-exit discriminator
MD5  message digest
MIB  management information base
NAT  Network Address Translation
NLRE  network layer routing entries
NLRI  network layer reachability information
NVR  Nortel VPN Router
OSPF  Open Shortest Path First
PACE  packet context engine
PDN  public data network
POP  point-of-presence
PPP  Point-to-Point Protocol
PPTP  Point-to-Point Tunneling Protocol
RIB  Routing Information Base
RIP  Routing Information Protocol
RPA  routing protocol application
RPS  routing policy server
RR  route reflector
RTM  route table manager
SNMP  Simple Network Management Protocol
TCP  transmission control protocol
TTM  time to market
UDP  User Datagram Protocol
URL  uniform resource locator
VLSM  variable-length subnet masks
VPN  virtual private network
VRRP  Virtual Router Redundancy Protocol
WAN  wide area network
Related publications
For more information about the Nortel VPN Router, refer to the following publications:
- Release notes provide the latest information, including brief descriptions of the new features, problems fixed in this release, and known problems and workarounds.
- Nortel VPN Router Configuration Basic Features (NN46110-500) introduces the product and provides information about initial setup and configuration.
- Nortel VPN Router Configuration SSL VPN Services (NN46110-501) provides instructions for configuring services on the Nortel SSL VPN Module 1000, including authentication, networks, user groups, and portal links.
- Nortel VPN Router Security Servers, Authentication, and Certificates (NN46110-600) provides instructions for configuring authentication services and digital certificates.
- Nortel VPN Router Security Firewalls, Filters, NAT, and QoS (NN46110-601) provides instructions for configuring the Nortel VPN Router Stateful Firewall and Nortel VPN Router interface and tunnel filters.
- Nortel VPN Router Configuration Advanced Features (NN46110-502) provides instructions for configuring advanced LAN and WAN settings, PPP, frame relay, PPPoE, ADSL and ATM, T1CSU/DSU, dial services and BIS, DLSw, IPX, and SSL VPN.
- Nortel VPN Router Configuration Tunneling Protocols (NN46110-503) provides configuration information for the tunneling protocols IPsec, L2TP, PPTP, and L2F.
- Nortel VPN Router Troubleshooting (NN46110-602) provides information about system administrator tasks such as backup and recovery, file management, and upgrading software, and instructions for monitoring gateway status and performance. It also provides troubleshooting information and interoperability considerations.
- Nortel VPN Router Using the Command Line Interface (NN46110-507) provides syntax, descriptions, and examples for the commands that you can use from the command line interface.
- Nortel VPN Router Configuration TunnelGuard (NN46110-307) provides information about configuring and using the TunnelGuard
This site provides quick access to software, documentation, bulletins, and tools to address issues with Nortel products. From this site, you can:
- download software, documentation, and product bulletins
- search the Technical Support Web site and the Nortel Knowledge Base for answers to technical issues
- sign up for automatic notification of new software and documentation for Nortel equipment
- open and manage technical support cases
Features
See the following sections for information about feature changes:
Table 1 Forwarding capabilities (only the row labels and footnotes were recovered): Client tunnel: yes; Branch office tunnel: yes; System management: yes.
1. Nortel VPN Router Stateful Firewall must be enabled.
2. Must be enabled under System > Forwarding (disabled by default).
3. Only RADIUS, CMP, and CRL retrieval permitted.
Dynamic routing
Dynamic routing protocols are available for private physical interfaces or branch office tunnel interfaces. Public interfaces are not trusted and therefore cannot be configured to run a dynamic routing protocol. The only exception is Border Gateway Protocol (BGP), which can be enabled on public interfaces on request. All physical LAN and WAN interfaces can be configured as either a private or public interface, with the exception of slot 0 interface 1, which is always a LAN and private interface.

Note: The Advanced Routing License Key is required to enable features such as Open Shortest Path First (OSPF) and Equal Cost Multipath (ECMP). Static routes, Routing Information Protocol (RIP), and route redistribution do not need this license. The Border Gateway Protocol License Key is required to enable BGP. Another option is to purchase the Premium Routing License, which enables OSPF, ECMP, and BGP.
VPN routing
VPN routing forwards traffic between tunnels or between tunnels and private interfaces. VPN routing enables traffic to enter or exit the Nortel VPN Router through a tunnel. Enhanced routing provides additional traffic patterns beyond traditional VPN routing. Either the Nortel VPN Router Stateful Firewall or Nortel VPN Router filter must be enabled to support the enhanced routing feature.
Static routes
You can configure static routes between Nortel VPN Routers when you do not have any dynamic routing protocol, such as OSPF, RIP, or BGP. Even if you do have dynamic routing protocols, you may want to use static routes because they provide stronger security. The Nortel VPN Router supports multiple default and static routes.
Route table
The route table contains the routes submitted by the static route application and by the dynamic routing protocols, such as OSPF, RIP, and BGP. The route table manager (RTM) chooses the best routes from the route table to populate the IP forward table, which the Nortel VPN Router uses when making forwarding decisions. The best routes are selected based on the following order of protocol preference:
- direct route
- static route
- BGP route
- OSPF route
- RIP route
- default route
The route preference and the weight and cost of the route factor into the RTM route selection.
Routing status
The Routing > Status window provides access to information about each routing protocol. It also provides access to the route table and route table manager (RTM) statistics. Table 2 shows routing status window options.
Table 2 Routing status window options

BGP Summary: Overall summary of BGP running on the Nortel VPN Router, including the router ID, Local AS, Admin state (enabled or disabled), Hold Interval, Keep Alive Interval, Local Preference, Default Metric, Route Reflector, Client Reflection, Cluster ID, Always Compare MED, Auto summary, Redistribute Internal, Synchronization, Max paths, and Number of Peers.
BGP Routes: Search Type, IP Address, Mask, and Mask Type.
BGP Redistributed Routes: Includes IP Address, IP Mask, and Origin Type.
BGP Neighbors Routes: Includes Routes Type and Neighbor.
BGP Neighbors Summary: Overall summary of Foreign Host, Remote AS, External Link, Remote Router ID, BGP state, Up For, Hold Time, KeepAlive Interval, Advertisement Runs, Received, Received Notifications, Sent, Community Attribute, Accepted Prefixes, Prefix Advertised, Local Host, Local Port, Foreign Host, Foreign Port, Connections Established, Elapsed Time Between Updated Msg, MinASOriginationInterval Timer.
OSPF LSDB: Link state databases in all areas that are known to OSPF, including information on the link state type, ID, advertising router address, metric, ASE, forward address, age, and sequence number for each area.
OSPF Neighbor: Neighbors on all the interfaces running OSPF, including the IP interface address, router ID, neighbor IP address, state, and dead time priority.
OSPF Interfaces: Interfaces configured for OSPF, including the IP address of the interface, the area to which the interface belongs, the type of interface, the state, cost and the designated router in the area to which the interface belongs.
OSPF Summary: Overall summary of OSPF running on the Nortel VPN Router, including the router ID, global state (up or down), and whether it is an area border router or autonomous system border router.
OSPF Statistics: System-wide OSPF statistics.
Chapter 2 Route table and default routes

Figure 1 Interaction of OSPF, BGP, and RIP with the routing table (figure not reproduced)
The route table entries are divided into two groups: public and private. Because private interfaces are trusted and public interfaces are untrusted, the dynamic routing protocols RIP and OSPF are only permitted on private interfaces and branch office tunnel interfaces. BGP is permitted on a public interface. Public traffic has the following public routes:
- Dynamic (BGP only) routes to public interfaces
- Default route to public interface

Private traffic has the following private routes:
- Static routes to private interfaces
- Dynamic routes to private interfaces
- Static routes to branch office tunnel interfaces
- Dynamic routes to branch office tunnel interfaces
- Default route to private interface
- Routes used for tunnels

When a packet arrives, the Nortel VPN Router performs a full lookup in its IP forwarding table to determine which route to use:
- If firewall support is enabled, all public and private routes in the IP forwarding table are available to the traffic.
- If firewall support is not enabled, only the private portion of the IP forwarding table is available.
- If the traffic's destination route is not found in the table, the table's public or private default route is invoked as described in the following section.

Dynamic routes
- To private interfaces
- To branch office tunnel interfaces
- To public interfaces (BGP only)
Default routes
- To public interfaces
- To private interfaces
Host routes
- Routes added for VPN users (for example, Nortel VPN Router Clients or PPTP clients)
Utunnel routes
- Host/network routes for clients that log in using the client address redistribution feature
7 Default - BGP routes (learned from other routers through BGP redistribution)
8 Default - OSPF routes (learned from other routers through OSPF redistribution)
9 Default - RIP routes (learned from other routers through RIP redistribution)
You can use ECMP to load balance traffic across multiple paths for static routes, BGP routes, OSPF routes, or RIP routes of the same cost.
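The following Python model is an added illustration, not code from the Nortel guide: it applies the protocol preference order, the equal-cost path limit, and the public/private partition of the forward table described above to a constructed route table. All prefixes, next hops and interface labels are made up for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Protocol preference as stated in the guide, most preferred first.
# A "default" entry is the 0.0.0.0/0 route; it only wins a lookup when no
# more specific prefix matches, so it is naturally consulted last.
PREFERENCE = ["direct", "static", "bgp", "ospf", "rip", "default"]


@dataclass(frozen=True)
class Route:
    prefix: str       # destination, for example "10.1.0.0/16"
    protocol: str     # one of PREFERENCE
    next_hop: str
    cost: int
    interface: str    # "private", "tunnel" or "public" (constructed labels)


def select_best(routes, max_paths=1):
    """Model of the route table manager (RTM): for every prefix keep the
    routes of the most preferred protocol, then the lowest cost, and keep
    up to max_paths equal-cost routes of that protocol for ECMP."""
    by_prefix = {}
    for r in routes:
        by_prefix.setdefault(str(ip_network(r.prefix)), []).append(r)
    forward = {}
    for prefix, cands in by_prefix.items():
        cands.sort(key=lambda r: (PREFERENCE.index(r.protocol), r.cost))
        best = cands[0]
        equal = [r for r in cands
                 if r.protocol == best.protocol and r.cost == best.cost]
        forward[prefix] = equal[:max_paths]
    return forward


def lookup(forward, destination, firewall_enabled):
    """Longest-prefix match in the IP forward table. Without firewall
    support only the private portion (private and tunnel interfaces) is
    visible; with it, public BGP and default routes are visible as well.
    Returns the usable next-hop routes, or an empty list for no route."""
    addr = ip_address(destination)
    best_net, best_routes = None, []
    for prefix, rs in forward.items():
        net = ip_network(prefix)
        if addr not in net:
            continue
        usable = [r for r in rs if firewall_enabled or r.interface != "public"]
        if usable and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_routes = net, usable
    return best_routes


# Constructed sample route table (not taken from the guide).
SAMPLE_ROUTES = [
    Route("10.1.0.0/16", "static", "192.168.1.2", 1, "private"),
    Route("10.1.0.0/16", "ospf", "192.168.1.3", 10, "private"),
    Route("10.2.0.0/16", "ospf", "192.168.1.3", 20, "private"),
    Route("10.2.0.0/16", "ospf", "10.200.0.1", 20, "tunnel"),
    Route("10.2.0.0/16", "rip", "192.168.1.4", 3, "private"),
    Route("203.0.113.0/24", "bgp", "198.51.100.1", 1, "public"),
    Route("0.0.0.0/0", "default", "198.51.100.1", 1, "public"),
]


def build_sample_table(max_paths=2):
    return select_best(SAMPLE_ROUTES, max_paths)


if __name__ == "__main__":
    table = build_sample_table()
    for prefix, rs in table.items():
        print(prefix, [(r.protocol, r.next_hop) for r in rs])
    for dst in ("10.1.5.5", "10.2.5.5", "203.0.113.9", "8.8.8.8"):
        for fw in (False, True):
            hops = [r.next_hop for r in lookup(table, dst, fw)]
            print(f"{dst} firewall={fw}: {hops or 'no route'}")
```

Note that the RIP route to 10.2.0.0/16 has the lowest cost yet loses, because protocol preference is applied before cost; and that with firewall support off, traffic to 203.0.113.9 or to an unknown destination has no usable route at all.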
If you select Network:
a Type the network mask.
b From the Search Type list, choose Exact or Best Match.
3 Click Search.
4 To save the route table to a file:
a Enter the file name in the Filename edit box. You can save the route table as a text file in the directory ide0/system/xxx, where xxx is the name of the file that you specify.
b Click Save.
5 Under Route Filter, select Best Routes to view all routes to a single destination or All Routes to view all destinations. The default is Best Routes.
To check the route table status, click the IP Forwarding Table button on the Route Table window to display the IP Route Network Table, the IP Route Host Table, and the IP Public Address Table.
Click the Route Table button on the Route Table window to display the full internal route table.
Click OK.
The Nortel VPN Router supports RIP Version 1 and Version 2. For additional information on RIP, refer to the RFCs located on the Internet Engineering Task Force (IETF) Web site at www.ietf.org.
- RFC 1058 Routing Information Protocol: Describes the Routing Information Protocol (RIP), which is loosely based on the program routed, distributed with the 4.3 Berkeley Software Distribution. The specifications in this RFC represent a combination of features taken from various implementations of this program.
- RFC 1721 RIP Version 2 Protocol Analysis: Describes the key features of the RIP Version 2 protocol and the current implementation experience.
- RFC 1722 RIP Version 2 Protocol Applicability Statement: Describes how RIP Version 2, which is an extension to RIP Version 1, may be useful within the Internet.
- RFC 1723 RIP Version 2 Carrying Additional Information: Specifies an extension of the Routing Information Protocol (RIP) that expands the amount of useful information carried in RIP messages and that adds a measure of security.
Triggered updates, where an update is sent almost immediately after a routing change has been made on the Nortel VPN Router. By default, RIP updates routes at regular intervals.
- If no default route has been set, you can check the Import Default Route box to use the default route learned during RIP updates. Typically, you specify a default route in the route table on the Routing > Static Routes window. The default is disabled.
- Select Enabled to specify that the default route is exported during RIP updates and enter a metric value (1 through 15) for the default route.
- Select Enabled to specify that static routes are exported during RIP updates and enter a metric value (1 through 15) for the default route.
- Select Enabled to specify that OSPF routes are exported during RIP updates and enter a metric value (1 through 15) for the default route.
- Select Enabled to specify that BGP routes are exported during RIP updates and enter a metric value (1 through 15) for the default route.
- Select a metric value (1 through 15) to export the static routes metric if you have a branch office connection. This informs the remote branch office connection of the routes that are used and provides the assigned metric value. The default is 1 and the maximum value is 15.
To globally enable RIP:
1 Go to the Routing > RIP window and click Enable.
2 Enter the amount of time in seconds that you want RIP to update the routes. The default is 30 seconds and the range of values is from 5 through 65535 seconds. The hold-down timer is six times the update timer.
3 Select a metric value (1 through 4) for Equal Cost Multipath, the maximum number of RIP paths.
To configure RIP interfaces:
1 Enable RIP interfaces by clicking Configure on the Routing > Interfaces window for private interfaces or Profiles > Branch Office > <Group> Edit for branch office tunnel interfaces.
2 On the Routing > RIP window, check Enabled to globally enable RIP. By default RIP is globally disabled.
3 Enter the interval of time in seconds for RIP to update the routes. The supported range is from 5 seconds to 65535 seconds, with the default setting at 30 seconds. The RIP hold down timer is automatically 6 times the update timer.
4 The Configured Physical Interfaces section lists the IP address and RIP configuration state (enabled or disabled) of each physical interface.
5 Click Statistics to display statistics about RIP on the Nortel VPN Router.
6 Click Interfaces to display information for all RIP interfaces, including tunnels that are running RIP.
To configure RIP for branch office tunnels:
1 Go to the Profiles > Branch Office > <Group> Edit window.
2 Click Configure in the RIP section. The list of RIP settings appears.
3 Click the Configure button next to each field to change these values.
a Select V2, V1, or Off as the transmit mode. Transmit mode enables you to specify which version of RIP to use when routing traffic from this Nortel VPN Router. The default is V2. Selecting OFF specifies that RIP is not used.
b Select V2, V1, Both, or Off as the receive mode. Receive mode enables you to specify which version of RIP accepts incoming traffic. The default is V2. Selecting OFF specifies that RIP is not used. Selecting BOTH specifies that incoming transmissions using either version of RIP are accepted.
c If no default route has been set, you can check the Import Default Route box to use the default route learned during RIP updates. Typically, you specify a default route in the route table on the Routing > Static Routes window. The default is Disabled.
d Select Enabled to specify that the Default Route is exported during RIP updates and enter a metric value (1 through 15) for the default route.
e Select Enabled to specify that Static Routes are exported during RIP updates and enter a metric value (1 through 15) for the default route.
f Select a metric value (1 through 15) to export the static routes metric if you have a branch office connection. This informs the remote branch office connection of the routes that are used and provides the assigned metric value. The default is 1 and the maximum value is 15.
g Select Enabled to specify that OSPF routes are exported during RIP updates and enter a metric value (1 through 15) for the default route.
h Enter a metric value for the Cost. This is the cost of the local RIP interface through the branch tunnel.
i Select Enabled or Disabled for Poison Reverse. Poison reverse helps prevent routing loops in large networks.
j Select None, Simple, or MD5 as the Authentication Type that is used as part of the RIP transmission. This authentication is specific to RIP and has no bearing on the authentication done as part of the connection to the Nortel VPN Router. The default is None, which specifies that no authentication is required. Simple indicates that authentication uses a simple password. MD5 specifies that authentication uses an MD5 secret. If you select either Simple or MD5, password and password confirmation fields are displayed.
Click OK.
The Nortel VPN Router OSPF support allows you to enable or disable OSPF on the Nortel VPN Router's private and tunneled interfaces. It supports broadcast and point-to-point network types and can act as an autonomous boundary router (ABR), information retrieval (IR), autonomous system boundary router (ASBR), designated router (DR), or system designated router (SDR). The Nortel VPN Router OSPF implementation conforms to OSPF 2 (RFC 2178). The interface filters setting affects the behavior of routing protocols. For example, OSPF uses IP as its transport mechanism; therefore, if the interface filters are set to deny IP, OSPF advertisements are not sent or received.
After the key is installed, the label Key Installed is displayed. It is only necessary to install a key once on each Nortel VPN Router. Click Delete to remove the key. A confirmation message appears and, if you click Yes, the key is removed. Note: The presence of the Advanced Routing License key is checked only when OSPF is globally enabled. If you enter the Advanced Routing Key, globally enable OSPF, and then delete the Advanced Routing Key, OSPF will continue to run. However, if you then disable and re-enable OSPF, it will no longer run.
- For the Hello Interval, enter the length of time in seconds between the Hello packets that the router sends on the interface. It must be the same for all routers attached to a common network. The default is 10.
- For the Dead Interval, enter the number of seconds after a router ceases to hear Hello packets before declaring that the router is down. The number must be the same for all routers attached to a common network. The default is 40.
- For the Poll Interval, enter the number of seconds between packets sent at a reduced rate when a neighboring router becomes inactive. The default is 120.
- For the Retransmission Interval, enter the number of seconds between link state advertisement (LSA) retransmissions for adjacencies belonging to this interface. It is also used for retransmitting Database Description and Link State Request packets. This setting should be considerably greater than the expected round trip delay between any two routers on the attached network. The default is 5.
- For the Transmission Delay, enter the number of seconds it takes to transmit a Link State Update packet over this interface. The default is 1.
3 Click OK.
To configure OSPF globally:
1 Click Routing > OSPF to configure OSPF global parameters. Enabled indicates that OSPF is enabled on this window. The default setting is Disabled.
2 In the Router ID field, type in the IP address used to uniquely identify the OSPF router in the OSPF network. The default address is the lowest IP address of the management or physical interfaces defined on the Nortel VPN Router. You can change this address provided that it is unique within the area.
3 If this Nortel VPN Router is an autonomous system (AS) boundary router, select True from the AS-Boundary-Router list. This parameter must be set to True to enable the redistribution of non-OSPF routes into OSPF. An AS boundary router is a router that exchanges routing information with routers belonging to other autonomous systems and advertises AS external routing information throughout the AS. The default is False.
4 To automatically create virtual links to the backbone network, select True from the Auto Virtual Link list. The default is False.
Select metric Type 1 or Type 2 from the External Metric Type list. Type 1 is the default. Type 1 external metrics are expressed in the same units as OSPF interface cost (in terms of the link state metric). Type 2 external metrics are an order of magnitude larger; any Type 2 metric is considered greater than the cost of any path internal to the AS boundary router. Use of Type 2 external metrics assumes that routing between AS boundary routers is the major cost of routing a packet, and eliminates the need for conversion of external costs to internal link state metrics.
Select the maximum number of ECMP paths (1-4). Equal Cost Multipath provides load balancing of packets to a destination that is reachable over more than one physical interface.
The Known OSPF Areas section displays all OSPF areas defined locally to the Nortel VPN Router. The area information is not shared among Nortel VPN Routers. If you want two Nortel VPN Routers to have one of their interfaces in a common area, you must configure both Nortel VPN Routers to define the area information. Area IDs are used as representations of parts of the OSPF network. They help to manage large numbers of networks so that they can exchange information within an area. Each Area ID must be unique for OSPF. By default, all Nortel VPN Routers have an area named 0.0.0.0.
To add an OSPF area, click Add. The Routing Protocols > Add Area window appears.
a Enter the IP address in the Area ID field.
b For Stub, select True or False from the list. The default is False.
c For Stub Metric, enter the number of the stub metric. The default is 1.
The Configured Physical Interfaces section lists:
a IP address of the configured OSPF interfaces.
b Area ID of the configured OSPF interfaces.
c Type, which is either Broadcast or Point-to-Point.
d State, which is either Enabled or Disabled.
In the Save LSDB Table section, type in the name of the LSDB table that you want to save as a text file in the ide0/system/routing directory.
10 In the Status section, you can display LSDB (link state database), Neighbor, Interfaces, Summary, or Statistics. Click on LSDB to display the link state databases in all areas configured for the Nortel VPN Router.
11 Click Neighbor to display a list of neighbors for all the interfaces running OSPF. Table 9 describes information on the OSPF Neighbors window.
Table 9 OSPF Dynamic Neighbors window

| Column | Description |
|---|---|
| Router ID | OSPF ID of neighbor |
| P | Priority number |
| State | State of neighbor connection |
| Dead Time | Time until neighbor is declared dead |
| Address | Neighbor IP address |
| Interface | Local IP interface address |
12 Click the Interfaces button to display the list of interfaces that you configured for OSPF.
13 Click Summary to display the overall summary of OSPF running on the Nortel VPN Router. Table 11 describes fields on the OSPF Summary window.
Table 11 OSPF Summary window

| Column | Description |
|---|---|
| Router ID | Unique OSPF ID of router |
| Router State | OSPF global configured state (up or down) |
| Supports TOS | Type of service support |
| SPF schedule delay | Shows delay time before calculating changes to SPF |
| Hold time between two SPFs | Time between shortest path first calls |
| Minimum LSA interval | Link state advertisement interval |
| Minimum LSA arrival | Link state advertisement arrival minimum |
| Number of external LSA | Number of link state advertisements |
| Link State Update Interval | Time between link state updates |
14 Click Statistics to display statistical information about OSPF. Table 12 describes the fields on the OSPF Statistics window.
Table 12 OSPF Statistics window

| Column | Description |
|---|---|
| Interface-CID | IP address for OSPF interface and circuit ID |
| Hellos | Number of Hello packets received (RX) and transmitted (TX) |
| DBs | Number of DB (Database Exchange) packets received (RX) and transmitted (TX) |
| LS Req | Link state requests received (RX) and transmitted (TX) |
| LS Upd | Link state updates received (RX) and transmitted (TX) |
| LS Ack | Link state acknowledgements received (RX) and transmitted (TX) |
To configure OSPF for branch offices:
1 Click Configure in the OSPF section of the Edit Group window to configure the OSPF routing attributes of the group.
2 Enter the priority level of the routers on this interface. The router with the highest priority takes precedence and is the designated router (DR). If there is a tie, the router with the highest Router ID takes precedence. A priority setting of 0 is ineligible to become a designated router on the attached network. Router priority only applies to broadcast networks. The default is 1.
3 Enter the time in seconds until the neighbor is declared dead.
4 Enter the length of time in seconds between the Hello packets that the router sends on the interface. It must be the same for all routers attached to a common network. The default is 10.
5 Enter the number of seconds between LSA retransmissions for adjacencies belonging to this interface. It is also used for retransmitting Database Description and Link State Request packets. This setting should be considerably greater than the expected round trip delay between any two routers on the attached network, and should be conservative. The default is 5.
6 Enter the number of seconds for the transmission delay. The default is 1.
7 Select None, Simple, or MD5 as the authentication type that is used as part of the OSPF transmission. Simple indicates that authentication uses a simple password. MD5 specifies that authentication uses an MD5 secret. If you select either Simple or MD5, password and password confirmation fields appear.
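As an added illustration of two rules stated in the OSPF steps above (the Hello and Dead intervals must agree on every router attached to a common network, and the designated router is the router with the highest priority, ties going to the highest Router ID, priority 0 ineligible), the following Python is example code written for this page, not Nortel software. The segment data and router names are constructed, the retransmission check treats "considerably over the round trip delay" as more than twice the RTT (an assumption), and the DR election models only the rule as the text states it, not the stickiness of an already-elected DR.

```python
import ipaddress

# Added example, not Nortel code: check one broadcast segment's OSPF
# interface settings against the rules described in the steps above.

# Defaults as given on the page for each interface setting.
DEFAULTS = {"priority": 1, "hello": 10, "dead": 40, "retransmit": 5, "transmit_delay": 1}


def with_defaults(router):
    """Fill in the page's default values for any setting the router omits."""
    cfg = dict(DEFAULTS)
    cfg.update(router)
    return cfg


def timer_mismatches(routers):
    """Names of routers whose Hello or Dead interval differs from the first
    router's. Both intervals must be identical on all routers attached to a
    common network; a router that differs never forms an adjacency."""
    cfgs = [with_defaults(r) for r in routers]
    ref = cfgs[0]
    return [c["name"] for c in cfgs[1:]
            if c["hello"] != ref["hello"] or c["dead"] != ref["dead"]]


def interval_warnings(router, expected_rtt_seconds):
    """Local sanity checks on one router's intervals: the Dead interval must be
    longer than the Hello interval, and the retransmission interval should be
    considerably greater than the expected round-trip delay (here: > 2x RTT,
    an assumption made for this example)."""
    c = with_defaults(router)
    warnings = []
    if c["dead"] <= c["hello"]:
        warnings.append("dead interval must exceed hello interval")
    if c["retransmit"] <= 2 * expected_rtt_seconds:
        warnings.append("retransmission interval too close to round-trip delay")
    return warnings


def elect_dr(routers):
    """Designated router on a broadcast network: highest priority wins, ties go
    to the highest Router ID, and priority 0 makes a router ineligible.
    Returns the router name, or None when no router is eligible."""
    eligible = [c for c in (with_defaults(r) for r in routers) if c["priority"] > 0]
    if not eligible:
        return None
    best = max(eligible,
               key=lambda c: (c["priority"], int(ipaddress.IPv4Address(c["router_id"]))))
    return best["name"]


# Constructed segment: three routers on one broadcast network.
SEGMENT = [
    {"name": "nvr-a", "router_id": "10.0.0.1"},                      # all defaults
    {"name": "nvr-b", "router_id": "10.0.0.2"},                      # same priority, higher ID
    {"name": "nvr-c", "router_id": "10.0.0.3", "priority": 0, "hello": 30, "dead": 120},
]

if __name__ == "__main__":
    print(timer_mismatches(SEGMENT))   # nvr-c will not form adjacencies
    print(elect_dr(SEGMENT))           # nvr-b: tie on priority, higher Router ID
    print(interval_warnings({"name": "x", "router_id": "10.0.0.9", "hello": 40}, 0.5))
```

Running the block as a script prints the mismatching router, the elected DR and the warnings for a router whose Hello interval was raised to equal the default Dead interval.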
RFCs
Table 13 shows the RFCs that have been added to those supported on the VPN Router.

Table 13 RFCs

| RFC | Description |
|---|---|
| RFC 1771 BGP4 | RFC 1771 renders RFC 1654 obsolete. All implementations of the BGP protocol must conform to this RFC to ensure complete inter-operability. |
| RFC 1966 | RFC 1966 describes the use and design of Route Reflection to alleviate the need for full mesh Internal BGP (IBGP). |
| RFC 1997 Community Attributes | RFC 1997 describes an extension to BGP that can be used to pass additional information to both neighboring and remote BGP peers. |
| RFC 1657 MIB | RFC 1657 describes managed objects used for managing the Border Gateway Protocol Version 4 or lower. |
After the key is installed, the label Key Installed is displayed. It is only necessary to install a key once on each Nortel VPN Router.
To delete a software license key:
1 Click on the Delete button to remove the key. A confirmation message appears.
2 Click Yes. The key is removed.
Note: The presence of the Border Gateway License key is checked only when BGP is globally enabled. If you enter the Border Gateway key, globally enable BGP, and then delete the Border Gateway key, BGP will continue to run. However, if you then disable and re-enable BGP, it will no longer run.
EBGP/IBGP peers
There are two types of BGP, External BGP (EBGP) and Internal BGP (IBGP). EBGP is BGP between two different ASs. If the TCP connection has hops between endpoints, EBGP must be enabled. IBGP is BGP within the same AS. With IBGP, all BGP speakers should have a peer relationship with each other.
Well-known attributes are recognized by all BGP implementations. Some of these attributes are mandatory and must be included in every UPDATE message. Others are discretionary and may or may not be sent in a particular UPDATE message. Attribute values can be modified using route filters, thus influencing the best path selection. The path attribute information applies to all prefix destinations listed in the NLRI. Path attribute types are listed in Table 14.
Table 14 Path attribute types

| Path attribute type | Code | Description |
|---|---|---|
| ORIGIN | 1 | Well-known mandatory. Defines the origin of the path: 0 = IGP, NLRI info is interior to the originating AS; 1 = EGP, NLRI info is learned via EGP; 2 = Incomplete, NLRI info is learned by other means. |
| AS_PATH | 2 | Well-known mandatory. Sequence of AS Path Segments (tuple) <type, len, value>, where type = AS_SET, an unordered set of ASs traversed by the update message on its path to you, or AS_SEQUENCE, an ordered set of ASs traversed by the update message on its path to you. |
| NEXT_HOP | 3 | Well-known mandatory. IP address of the border router to be used as the next hop to the destinations listed in the NLRI of the update message. |
| MULTI_EXIT_DISC | 4 | Optional non-transitive. Value used by a BGP speaker to discriminate among multiple exit points when there is more than one path to a neighboring AS. |
| LOCAL_PREF | 5 | Well-known discretionary. Number used by a BGP speaker to inform other speakers in its own AS of the originating speaker's degree of preference for an advertised route. |
| ATOMIC_AGGREGATE | 6 | Well-known discretionary. Informs other BGP speakers that the local system chose a less specific route, even though it had a more specific route available. |
BGP policies
Policy rules are applied to either permit or deny a route. Policies provide a way of filtering information based on IP prefixes, AS path information, BGP attributes, or source and destination addresses.
There are two types of policies:
interface-based policy: An inbound interface-based policy says that if a packet comes in on interface IX, then apply policy PY to that packet.
peer-based policy: An inbound peer-based policy (neighbor policy) says that if a packet comes in from peer PH, then apply policy PZ to that packet.
Accept/Announce policies
In the Nortel VPN Router policy filtering model, both accept and announce policies are applied only to peer-based filtering. Accept policies are rules that apply to incoming packets, and announce policies are rules that apply to outgoing packets. You apply accept policies to incoming routes before routes are added to the BGP RIB IN table. You apply peer-based accept policies to any packets received from a particular peer. You apply announce policies to the Local RIB table before advertising routes to the BGP peers. You apply peer-based announce policies to any BGP updates destined for a particular peer. Outgoing routes matching the announce policy rule are either permitted or denied, depending on the rule.
Access list example 2: This rule says that only route updates containing the route 55.1.0.0 match the rule.

    CES(config-bgp)# neighbor 55.1.1.1 route-map EXAMPLE_MAP in
    CES(config)# route-map EXAMPLE_MAP permit 10
    CES(config-route-map)# match ip address 3
    CES(config-route-map)# set metric 15
    CES(config)# ip access-list 3 permit 44.1.0.0 255.255.0.0 range

In this example, IP access list 3 identifies all routes in the range 44.1.0.0 -> 44.1.255.255. Any route in this range matches the access list and is propagated with a new metric of 15.
AS path regular expression example: A particular AS (AS = 5) consistently advertises bad routes, so you do not want to accept any routes advertised by that AS. You set up a route map deny filter for any routes containing AS path sequences that end in AS 5. You use a regular expression pattern-matching filter as follows:

    ip as-path access-list 2 deny * 5$

(* is a wildcard; $ symbolizes "ends with")
You can create, delete, and modify AS path access lists. You can also apply access lists directly to neighbors for filtering. To configure AS path access lists, go to Configuring AS Path Access Lists on page 73.
Route maps
You use route maps for route filtering and attribute manipulation. Route maps specify a certain set of criteria that need to be matched. If a match is found, there is an associated set of actions that are applied to the matching route update. These filters are called Match/Set rules. You can apply a route map to either inbound or outbound updates. Only the routes that pass the route map are sent or accepted in updates. You can create, delete, or modify route maps. A route map may have several parts. Any route that does not match at least one match clause relating to a route map command is ignored. The route is not advertised for outbound route maps and is not accepted for inbound route maps.
The route maps can be matched on:
as-path
community-list
ip address
The route maps can set:
as-path
community
local-preference
metric
next-hop
origin
weight
The following example illustrates how route maps are used:
Route map example:
Format: route-map map-tag [permit | deny] [sequence number]

    CES(config-bgp)# neighbor 55.1.1.1 route-map EXAMPLE_MAP in
    CES(config)# route-map EXAMPLE_MAP permit 10
    CES(config-route-map)# match ip address 1
    CES(config-route-map)# set metric 8
    CES(config)# route-map EXAMPLE_MAP permit 20
    CES(config-route-map)# match ip address 2
    CES(config-route-map)# set metric 12
    CES(config)# ip access-list 1 permit 33.1.0.0 255.255.0.0 exact
    CES(config)# ip access-list 2 permit 44.1.0.0 255.255.0.0 exact

In the above example, any route updates received from neighbor 55.1.1.1 are checked against this route map. First, the sequence number 10 rule states that any route matching ip access list 1 sets the metric to 8. If that check fails to match, then the sequence number 20 rule is checked. This states that any route matching ip access list 2 sets the metric to 12. So, if a route update comes in with network 33.1.0.0, then the route is assigned metric 8. Similarly, if a route update comes in with network 44.1.0.0, it is assigned metric 12.
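Added example, written for this page rather than taken from the Nortel VPN Router: a Python model of how the route map and access lists above are evaluated, serving both the access list example 2 (exact versus range matching) and the route map example (first matching sequence decides, a route that matches nothing is dropped). The AS-path filter `deny * 5$` from the AS path example is rendered as the regular expression `(^|\s)5$` applied to a space-separated AS_PATH, which is an assumption about the page's wildcard notation. The route updates fed in are constructed.

```python
import ipaddress
import re

# Added example, not Nortel code: a small model of route-map and access-list
# evaluation so the behaviour described above can be checked on sample updates.


def make_ip_access_list(network, mask, mode):
    """One-entry IP access list with the page's two modes: 'exact' matches only
    the listed network/mask, 'range' matches any route that lies inside it."""
    net = ipaddress.IPv4Network(f"{network}/{mask}")

    def matches(prefix):
        route = ipaddress.IPv4Network(prefix)
        if mode == "exact":
            return route == net
        if mode == "range":
            return route.subnet_of(net)
        raise ValueError(f"unknown access-list mode {mode!r}")

    return matches


def make_as_path_access_list(pattern, action):
    """AS-path access list: a regular expression applied to the AS_PATH written
    as space-separated AS numbers. The returned function is True when the
    route passes the list."""
    regex = re.compile(pattern)

    def passes(as_path):
        hit = regex.search(" ".join(str(asn) for asn in as_path)) is not None
        return not hit if action == "deny" else hit

    return passes


def apply_route_map(sequences, prefix, attrs):
    """Evaluate route-map sequences in ascending order; the first sequence whose
    match clause fits decides. Returns the attributes of a permitted route
    (with its set clauses applied) or None when the route is dropped, either
    by a deny sequence or because no sequence matched."""
    for seq in sorted(sequences, key=lambda s: s["seq"]):
        if seq["match"](prefix):
            if seq["action"] == "deny":
                return None
            result = dict(attrs)
            result.update(seq.get("set", {}))
            return result
    return None


def inbound_update(prefix, attrs, route_map, as_path_filter=None):
    """Process one update from a neighbor: AS-path access list first, then the
    inbound route map."""
    if as_path_filter is not None and not as_path_filter(attrs.get("as_path", [])):
        return None
    return apply_route_map(route_map, prefix, attrs)


# Route map example above: two permit sequences, each with an exact access list.
EXAMPLE_MAP = [
    {"seq": 10, "action": "permit",
     "match": make_ip_access_list("33.1.0.0", "255.255.0.0", "exact"),
     "set": {"metric": 8}},
    {"seq": 20, "action": "permit",
     "match": make_ip_access_list("44.1.0.0", "255.255.0.0", "exact"),
     "set": {"metric": 12}},
]

# Access list example 2 above: a range list, so more-specific routes match too.
RANGE_MAP = [
    {"seq": 10, "action": "permit",
     "match": make_ip_access_list("44.1.0.0", "255.255.0.0", "range"),
     "set": {"metric": 15}},
]

# AS-path example above ("deny * 5$"): drop any path whose last AS is 5.
DENY_ENDS_IN_AS5 = make_as_path_access_list(r"(^|\s)5$", "deny")

if __name__ == "__main__":
    # Constructed updates; metric 0 stands in for whatever the neighbor sent.
    print(inbound_update("33.1.0.0/16", {"as_path": [65001], "metric": 0}, EXAMPLE_MAP))
    print(inbound_update("44.1.5.0/24", {"as_path": [65001], "metric": 0}, EXAMPLE_MAP))  # exact: dropped
    print(inbound_update("44.1.5.0/24", {"as_path": [65001], "metric": 0}, RANGE_MAP))    # range: metric 15
    print(inbound_update("33.1.0.0/16", {"as_path": [65001, 5], "metric": 0},
                         EXAMPLE_MAP, DENY_ENDS_IN_AS5))                                 # AS-path: dropped
```

The point worth noticing when running it is the second call: with `exact` lists, a more-specific route such as 44.1.5.0/24 matches neither sequence and is therefore not accepted at all, which is the "no match clause, route ignored" rule from the route map description, not a pass-through.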
6 Click OK. The Route Maps window reappears. The number you entered appears in the Number menu.
7 Select a type from the Type menu.
8 To add a Match, click Add below Match. The Rule Match Add window appears.
9 Select an attribute from the Attribute menu.
10 Select a value from the Value menu.
11 Click OK. The Route Maps window reappears with the information you selected showing under Match.
12 To add a set, click Add below Set. The Rule Set Add window appears.
13 Select an attribute from the Attribute menu.
14 Enter a value in the Value text box.
15 Click OK. The Route Maps window reappears with the information you selected showing under Set.
16 Click OK.
Multi-Hop BGP
To configure a remote BGP peer that does not reside on a directly connected subnet, the EBGP peer must be accessible from the NVR and must reside on a network or subnet that exists in the IP routing table. For IBGP peers, there is no restriction specified in the protocol regarding multi-hop peering. Therefore, internal connection requests from neighbors not directly connected are accepted. Multihop is configured on the BGP > Neighbor > Configuration page. By default, multi-hop BGP is disabled.
Route Reflector
Using a route reflector, BGP peers are organized into clusters. Each cluster is assigned an ID. Each member of the cluster advertises its routes only to the route reflector. The route reflector, in turn, collects all of the routes from all of the cluster members and advertises them to each of the IBGP peers in its cluster, as well as to any other route reflectors within the AS. Routes learned by the route reflector from other route reflectors are also forwarded to each of its cluster members. All route reflectors must be fully meshed. By default, the clients of a route reflector are not required to be fully meshed, the routes from a client are reflected to other clients, and client-to-client reflection is enabled. In order to increase redundancy and to avoid a single point of failure, a cluster might have more than one route reflector. In that case, all route reflectors in the cluster are configured with the 4-byte cluster ID so that a route reflector recognizes updates from route reflectors in the same cluster. The route reflector client list can be configured from a neighbor list. The clients of a route reflector cannot be members of a peer group. Route reflector is disabled by default. To configure the route reflector, refer to Configuring the Route Reflector on page 72.
BGP communities
A community is a group of destinations that share some common property. A BGP route may be a member of more than one community. Each AS administrator defines to which communities a destination belongs. Community lists are associated only with route maps. By default, all destinations belong to the general Internet community.
BGP communities were developed as a method of simplifying the route distribution based on membership to the community. A set of destination addresses is assigned a community identifier. Network administrators establish a policy for a community instead of a separate policy for each individual prefix. All route updates that are received for members of a community have the same route redistribution characteristics. Control over the distribution of routing information is based on:
IP address prefixes
value of the AS_PATH attribute (or part of it)
identity of a group
You can create, delete, and modify community lists. The well-known communities are:
internet: the Internet community
no-export: routes with this community are sent to peers in other sub-autonomous systems within a confederation. Do not advertise this route to an EBGP peer.
local-as: do not advertise this route to an external system
no-advertise: do not advertise this route to any peer (internal or external)
A route is considered a member of a community if the UPDATE message for the route contains a community attribute that includes that value. A BGP speaker uses this attribute to control which routing information it accepts, prefers, or distributes to other neighbors. A BGP speaker receiving a route that does not have the COMMUNITIES path attribute may append this attribute to the route when propagating it to its peers. A BGP speaker receiving a route with the COMMUNITIES path attribute may modify this attribute according to the local policy. Figure 2 on page 69 illustrates the following example. You do not want ISP 1 to announce ISP 2's routes to ISP 3. Likewise, you do not want ISP 3 to announce ISP 2's routes to ISP 1. ISP 2 (AS 20) and ISP 3 (AS 30) belong to community 444.
ISP 1 (AS 10) belongs to community 888. AS 10 wants to offer transit service to customers in AS 100, AS 200 and AS 300 but non-transit service to customers in AS 20 and AS 30. Assume that AS 100, AS 200 and AS 300 do not belong to a community. AS 10 labels all routes learned from AS 100, AS 200, and AS 300 as 10:888. Community 10:888 identifies routes that receive transit service. AS 10 labels all routes learned from AS 20 and AS 30 as 10:444. This community label represents routes that receive non-transit service. AS 10 can now have a policy that announces only routes belonging to community 10:888 and does not announce any routes belonging to community 10:444.
Figure 2 BGP communities
To configure a BGP community list, refer to Configuring Community Lists on page 74.
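The transit/non-transit policy of AS 10 described above, worked as an added Python example (not Nortel code): routes are tagged with 10:888 or 10:444 when accepted from each peer AS, and the announce policy lets only transit-tagged routes out. The prefixes are constructed from documentation address ranges, the peers are those named in the text, and the handling of the well-known no-export and no-advertise communities goes beyond the page's example to show how the same announce check treats them (confederations are ignored).

```python
# Added example, not Nortel code: community tagging on accept and a
# community-based announce policy for the AS 10 scenario described above.

LOCAL_AS = 10
TRANSIT = "10:888"       # routes that receive transit service
NON_TRANSIT = "10:444"   # routes that receive non-transit service

# Accept side: the community AS 10 attaches to routes learned from each peer AS.
PEER_LABEL = {100: TRANSIT, 200: TRANSIT, 300: TRANSIT, 20: NON_TRANSIT, 30: NON_TRANSIT}


def accept_route(update, from_as):
    """Tag one incoming route. Any COMMUNITIES already carried (ISP 2 and ISP 3
    mark theirs with 444) are kept and AS 10's own label is appended. An update
    from a peer with no configured policy is not accepted (assumption made for
    this example)."""
    label = PEER_LABEL.get(from_as)
    if label is None:
        return None
    return {
        "prefix": update["prefix"],
        "as_path": [from_as] + list(update.get("as_path", [])),
        "communities": list(update.get("communities", [])) + [label],
    }


def may_announce(route, to_as):
    """Announce policy of AS 10: only transit-tagged routes go out. The
    well-known no-advertise and no-export communities are honoured as well
    (no-export blocks every peer outside the local AS)."""
    communities = route["communities"]
    if "no-advertise" in communities:
        return False
    if "no-export" in communities and to_as != LOCAL_AS:
        return False
    return TRANSIT in communities


def announcements(rib, to_as):
    """Prefixes AS 10 announces to a peer in to_as, in sorted order."""
    return sorted(r["prefix"] for r in rib if may_announce(r, to_as))


# Constructed updates (documentation prefixes), one per peer AS.
UPDATES = [
    ({"prefix": "198.51.100.0/24"}, 100),                                # customer, transit
    ({"prefix": "198.51.101.0/24", "communities": ["no-export"]}, 200),  # customer, stays inside AS 10
    ({"prefix": "203.0.113.0/24", "communities": ["444"]}, 20),          # ISP 2, non-transit
    ({"prefix": "192.0.2.0/24", "communities": ["444"]}, 30),            # ISP 3, non-transit
]


def build_rib(updates=UPDATES):
    """Local RIB after the accept policy has tagged each update."""
    rib = []
    for update, from_as in updates:
        route = accept_route(update, from_as)
        if route is not None:
            rib.append(route)
    return rib


if __name__ == "__main__":
    rib = build_rib()
    print(announcements(rib, 30))   # ISP 3 never sees ISP 2's 203.0.113.0/24
    print(announcements(rib, 10))   # IBGP peers also receive the no-export route
```

Because the tag is applied per peer rather than per prefix, adding a new customer prefix needs no policy change: it inherits the transit label from the peer it arrives on, which is the simplification the text attributes to communities.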
10 Check the Always Compare MED option if you want to allow the comparison of the MED for paths from neighbors in different ASs.
11 Enter the Maximum Paths value. This configuration controls the number of paths allowed. By default, only one path is installed in the IP routing table. If BGP multi-path support is enabled and the EBGP paths are learned from the same neighboring AS, instead of picking one best path, multiple paths are installed in the IP routing table. A maximum of six paths is supported and load balancing is performed among multiple paths.
You configure Neighbors, Networks, Route Reflector, AS-Path Access Lists, or Community Lists from the BGP page. You can also see a Summary page, the BGP Routes, Redistributed Routes, and Neighbors Routes from this page. Neighbors, Networks, Route Reflector, AS-Path Access Lists, and Community Lists are described in the following sections.
Configuring Neighbors
You can create, delete, or modify neighbors. The maximum number of neighbors you can create is a configurable parameter, depending on the hardware.
To configure neighbors:
1 Click Neighbors from the Routing > BGP window.
2 To add or delete a Neighbor, click the Add or Delete button beside Neighbor at the top of the page.
3 Select Enabled or Disabled for State.
4 Enter your password and confirm your password.
5 Enter a value in Remote AS. At a minimum, remote-AS should be configured for neighbors to be enabled.
6 Enter the Hold Timer value. The default value is 90 seconds.
7 Enter the Keep Alive Timer value. The default value is 30 seconds.
8 Enter the Advertisement Interval value. The minimum advertisement interval is 30 seconds.
9 Enter the Retry Interval value. The default is 30 seconds.
10 Enter the Source IP Address. Note: The source IP address typically comes from the route table, but the administrator has the option of entering it in the Source IP Address text box.
11 Enter the Weight value. The administrative weight is local to the router. Any path that a VPN router originates will have a default weight of 32768 and other paths have a weight of 0. You can also assign the weight through filter-lists and route maps.
12 Disable NH Self when BGP neighbors do not have direct access to all neighbors on the same IP subnet. You can also specify the next-hop address to be used by route maps.
13 Enable EBGP to allow BGP sessions, even when the neighbor is not on a directly connected segment.
14 Enable Send Community if you want to include the community parameters in the message when the BGP route is announced to a neighbor.
To see a display of the Summary of the Neighbors, go to the Routing > BGP > Neighbors > Summary window.
Adding a Network
To add a network:
1 Click Networks on the Routing > BGP page. The BGP > Networks window appears.
2 Click Add. The BGP > Networks Add window appears.
3 Enter an IP address in the IP Address field.
4 Enter a Mask in the Mask field.
5 Click OK.
From the Routing > BGP page, click Route Reflector. The Route Reflector window appears.
Select the Status of the route reflector. The status globally enables or disables the feature.
Enter the Cluster ID. The router ID of the route reflector identifies the cluster.
Select the Client to Client Route Reflector value. The default is Enabled. However, if the clients are fully meshed, route reflection is not required and the route reflector should be disabled.
To add or remove members from Route Reflector Client lists:
1 Under Clients, select a Non Member from the Non Member RR Client List and click Make RR Client. The Non Member becomes a member of the Member RR Client List.
2 Select a member from the Member RR Client List and click Remove RR Client. The member is removed from the list.
10 To delete an Access List, select the list that you want to delete and click Delete. A new window appears asking if you are sure you want to delete the as-path access list number.
11 Click OK. The BGP > AS-Path Access List window reappears with the number you deleted removed from the list. At the top of the window is a note stating Delete operation completed successfully.
12 To delete an Access List Entry, click the radio button to select the entry you want to delete. A new window appears asking if you are sure you want to delete the as-path access list entry.
13 Click OK. The BGP > AS-Path Access List window reappears with the entry you deleted removed. At the top of the window is a note stating Delete operation completed successfully.
10 Click Delete. A new window appears with a warning asking if you are sure you want to delete the community list number.
11 Click OK. The Community List window reappears with the community list number deleted.
To add a private default route, click the Add Private Route button. The Add Private Default Route window appears.
a Click Enabled or Disabled to select the Admin State.
b Type the relative cost for the Nortel VPN Router. You use a lower cost number, such as 1, for the least expensive route. When there are multiple default paths, the Nortel VPN Router chooses the route with the least cost as the preferred route. The default cost is 10.
c Enter the IP address for the next-hop default router in the Gateway Address field.
d Click OK.
4 Click the Add button to add static routes to the route table. The Static Routes > Add window appears. When a static route is added, the Nortel VPN Router checks whether the next-hop interface address belongs to an attached network. If it does not, the Nortel VPN Router does not allow the static route.
a Select Enabled or Disabled for the Admin state. The default is Enabled.
b Select the relative cost for the Nortel VPN Router. You use a lower cost number (for example, 1) for the least expensive route. When there are multiple paths, the Nortel VPN Router chooses the route with the least cost as the preferred route. The default is 10.
c Enter the network address for the static route to the destination network.
d Enter the subnet mask for the static route to the destination network.
e Enter the Nortel VPN Router address to the next-hop router to reach the destination network.
f Click OK.
5 Click the Show Branch Office Routes button to display the configured branch office tunnels that are set up as static routes. By default, a tunnel is configured as a static route between the tunnel endpoints. Click the Adjacent Hosts button to display adjacent host routes.
If validation is globally disabled, any public default routes that were disabled because of validation are enabled.
To configure ping to validate a public default route:
1 Go to Routing > Static Routes.
2 In the Default Routes section, choose Public type and click Edit. The default is Disabled.
3 Select Validate at Ping Interval. The minimum (and default) is 30 seconds and the maximum is five minutes.
4 Enter the address in the Ping Address field.
5 Click OK.
Chapter 7 Configuring Route policy service
Figure 3 Accept and announce policies
The route table manager forwards a route for advertisement to the protocol. The protocol consults its announce policies to determine whether or not to advertise the route to the network. OSPF link state advertisements (LSAs) are received and placed in the link state database (LSDB) of the router. The information in the LSDB is also propagated to other routers in the OSPF routing domain. According to the OSPF standard, all routers in a given area must maintain a similar database. To maintain database integrity across the network, a router must not manipulate received LSAs before propagating them to other routers.
To accomplish this goal, OSPF accept and announce policies act in the following manner:
Accept policies control only the information that the local router uses; they do not affect the propagation of OSPF internal and OSPF non-self-originated external information to other routers.
OSPF announce policies control which self-originated external routing updates are placed into the LSDB for distribution according to the OSPF standard. OSPF announce policies affect what other routers learn, but only with regard to the local router's self-originated information.
Redistribution of routes
The Nortel VPN Router can redistribute static, direct, BGP, and RIP routes into OSPF. It can redistribute static, direct, BGP, and OSPF routes into RIP. It can also redistribute static, direct, OSPF, and RIP routes into BGP. The redistribution of routes from BGP to OSPF is controlled through access lists. Such a redistribution can be further controlled on a per-interface basis in RIP. Route redistribution is also based on security configurations. Table 15 describes the rules of redistribution for RIP, OSPF, and BGP with the firewall enabled or disabled.
Table 15 Redistribution rules

| Redistributed Route | Firewall ON | Firewall OFF |
|---|---|---|
| Public direct route | Yes | No |
| Public default route | Yes | No |
| Public static route | Yes | No |
| Private direct route | Yes | Out physical - No; out tunnel - Yes |
| Private default route | Yes | Out physical - No; out tunnel - Yes |
| Private static route | Yes | Out physical - No; out tunnel - Yes |
| Tunnel static route | Yes | OSPF - Always Yes. RIP - In general, Yes, but can be controlled on a per-interface basis |
When a dynamic routing protocol redistributes default routes (public or private), the receiving router treats these routes as protocol-specific default routes. Therefore, any locally defined default route takes precedence over any route learned by redistribution. Even though a public default route is represented by 0.0.0.0/32 when redistributed, it is represented as 0.0.0.0/0 to conform with the routing protocols. When static routes are redistributed by a routing protocol, default routes are also redistributed. However, if you have both private and public default routes, only one of them is redistributed, thus reducing the number of redundant routes to the same destination through the same next-hop interface.
4 Click Edit to change an existing rule for the selected policy. The current information appears for each policy. You can use either an exact network address or a range of network addresses. If you want to move the position of an existing rule, enter a number in the edit box. For example, if you select the third rule and enter 2 in the edit box, this moves the third rule to the second position. The order of the rules is important because the first match causes the action to occur. If there are no matches, then all traffic is denied. Therefore, build your filter rules by first permitting the services that you want to allow. You can also add a Deny rule early in the rules sequence so that an unwanted packet is dropped before all of the rules are processed.
6 Click Close.
4 Click OK.
If the client address does not belong to a locally attached Nortel VPN Router network, you must enable client address redistribution to ensure that these addresses are advertised in the dynamic route updates sent out by the Nortel VPN Router. Client address redistribution uses a route type called a Utunnel. Utunnel routes can be either host or network routes.
When client address redistribution is in host mode, the Nortel VPN Router creates and advertises a user tunnel host route whenever a client tunnel is created, using an inner address that does not belong to a locally attached network. When the tunnel is taken down, the corresponding host route is deleted.
When inner addresses are allocated from an address pool with a range that does not belong to a locally attached network, use the aggregation option to reduce the number of entries in the route table and the route redistribution overhead. Aggregation creates and advertises a single Utunnel network route covering the address pool range when a client tunnel is created using an inner address from this address pool. In Dynamic Aggregation mode, the network route remains in the route table until the last tunnel using an inner address from this address pool is taken down. In Static Aggregation mode, the network route remains in the route table until the user address pool is deleted.
Note: The maximum number of Utunnel routes cannot exceed the maximum number of client tunnels supported by the corresponding hardware platform. The default value is 200.
Figure 4 shows an example of client address redistribution where the client has an inner address that is not within the local subnet of the private network. The Nortel VPN Router creates a Utunnel route that is then propagated over the network. The Utunnel route allows the router on the private network to recognize the 200.168.1.100 address and route responses back to it properly.
Figure 4 Client address redistribution
If you enable aggregation, the Nortel VPN Router identifies the subnet from the address pools where this address belongs and inserts a user tunnel network route for this subnet into the route table manager.
Enabling aggregation is useful for large networks where route summary optimization reduces the number of Utunnel host entries in the RTM. However, if you enable aggregation, you could potentially have routing problems if the subnets of the address ranges span multiple Nortel VPN Routers. If you have two Nortel VPN Routers assigning addresses that belong to the same IP subnet, do not use the aggregation option. For example, in Figure 5, Nortel VPN Router A has an address range of 200.168.1.100 through 200.168.1.120 and Nortel VPN Router B has an address range of 200.168.1.150 through 200.168.1.170. Both of these ranges are part of Class C subnet 200.168.1.x/24. Client 1 logs in to Nortel VPN Router A and Client 2 logs in to Nortel VPN Router B. Both clients have inner addresses that are not within the local subnet of the private network, but are in the same IP subnet. Nortel VPN Router A and Nortel VPN Router B, running client address redistribution, create Utunnel host routes. These routes are propagated over the network. The router on the private network recognizes addresses 200.168.1.100 and 200.168.1.150 and routes responses back to them through the designated NVR.
Figure 5 Aggregation for client address redistribution
If you enable aggregation on both Nortel VPN Routers, both VPN Routers will advertise routes to 200.168.1.x/24. Router R will use one of these routes, causing either Client 1 or Client 2 to have communication problems. The route table manager handles Utunnel routes similarly to other route types (RIP or OSPF). You can view Utunnel routes using the Routing > Route Table Manager window. The route policy service handles redistribution (advertisement) of Utunnel routes similarly to redistribution of other route types.

To configure client address redistribution, go to the Routing > Client-Addr-Dis window:

1 On the Routing > Client Address Redistribution (CAR) window, select one of the following CAR modes:

Disable: CAR is disabled and redistribution of client routes does not take place.

Host Mode: CAR is enabled and redistribution of client routes is limited to host routes only. Host routes are added to both the forwarding table and the routing table. RIP and OSPF advertise the host routes of the VPN clients to their peers.

Dynamic Aggregation: CAR is enabled and the client host addresses are added only to the forwarding table. The subnet of the user address pool from which the client address was assigned is added to the routing table. RIP and OSPF advertise only the subnet of the address pool and not the client host addresses. When the last client using this user address pool disconnects, the subnet route is removed from the routing table. RIP and OSPF propagate the route deletion to the surrounding networks.

Static Aggregation: CAR is enabled and only the client host addresses are added to the forwarding table. The subnet of the user address pool from which the client address was assigned is added to the routing table. RIP and OSPF advertise only the subnet of the address pool and not the client host addresses. When the last client using this user address pool disconnects, the subnet route remains in the routing table. The subnet of the user address pool remains in the routing table as long as the user address pool remains valid. If you delete the user address pool, the subnet for the pool is then deleted from the routing table.

2 Maximum Number of UTunnel Host Routes allows you to limit the number of user tunnel host routes advertised by the system. The default value is 200. The Current Number of UTunnel Host Routes field displays the current number of user tunnel hosts logged in to the system.

3 Click Show User Tunnel Routes to display the user tunnel routes. Table 16 describes the fields.

4 Click Statistics to display the configuration of client address redistribution, including mode, the UTunnel limit, and current UTunnel count.

5 Click Refresh to view any changes.
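The following is an added example, not Nortel code: a simplified route table manager that applies the four CAR mode rules described above and checks the Figure 5 problem, where two routers aggregating pools from the same /24 both advertise 200.168.1.0/24. The class layout, the mode strings and the aggregation_conflicts helper are assumptions of this illustration; the addresses are those from Figure 5.

```python
"""Added illustration (not Nortel code): a simplified route table manager (RTM)
that applies the CAR mode rules above, plus the Figure 5 overlap check."""
from ipaddress import ip_address, ip_network

UTUNNEL_HOST_LIMIT = 200  # default Maximum Number of UTunnel Host Routes


class CarRouter:
    def __init__(self, name, mode, pool_start, pool_end, prefixlen):
        self.name, self.mode = name, mode  # mode: disable|host|dynamic|static
        self.pool = (ip_address(pool_start), ip_address(pool_end))
        # The pool's subnet is what the two aggregation modes advertise.
        self.subnet = ip_network(f"{pool_start}/{prefixlen}", strict=False)
        self.rtm, self.clients = set(), set()

    def connect(self, client_ip):
        ip = ip_address(client_ip)
        if not self.pool[0] <= ip <= self.pool[1]:
            raise ValueError(f"{ip} is outside the pool of {self.name}")
        self.clients.add(ip)  # the forwarding table always learns the client
        if self.mode == "host":
            if len(self.rtm) >= UTUNNEL_HOST_LIMIT:
                raise RuntimeError("Utunnel host route limit reached")
            self.rtm.add(f"{ip}/32")  # host route, advertised by RIP/OSPF
        elif self.mode in ("dynamic", "static"):
            self.rtm.add(str(self.subnet))  # only the pool subnet goes out

    def disconnect(self, client_ip):
        ip = ip_address(client_ip)
        self.clients.discard(ip)
        if self.mode == "host":
            self.rtm.discard(f"{ip}/32")
        elif self.mode == "dynamic" and not self.clients:
            self.rtm.discard(str(self.subnet))  # last tunnel down: withdraw
        # "static": the subnet route stays until the pool itself is deleted

    def delete_pool(self):
        self.rtm.discard(str(self.subnet))

    def advertised(self):
        return set(self.rtm)  # "disable" mode never populates the RTM


def aggregation_conflicts(routers):
    """Prefixes advertised by more than one router (Router R keeps only one)."""
    seen, dup = set(), set()
    for r in routers:
        for prefix in r.advertised():
            (dup if prefix in seen else seen).add(prefix)
    return dup
```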
Forward multicast packets over a tunnel using the default filter (permit all). For example, to allow multicast packets received over the interface to be relayed over tunnel B01 and not over tunnel B02, define the interface-specific rules as shown in Table 17.
Table 17 Multicast interface-specific rules example
type        receiving (SRC)   relay (DST)   relay (DST)
src intf    LAN               ANY           ANY
dst intf    ANY               B01           B02
source      S                 S             S
dst         231.0.0.1         231.0.0.1     231.0.0.1
service     voice             voice         voice
action      allow             allow         drop
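An added example, not from the Nortel documentation: a small evaluator that applies the Table 17 rules to a constructed packet from source S to group 231.0.0.1, relaying it over B01 and dropping it for B02, and falling back to the default permit-all filter for traffic no rule matches. The first-match-per-rule-type semantics and the dictionary shape of the packet are assumptions of this illustration.

```python
"""Added illustration (not Nortel code): applying the Table 17
interface-specific rules to a constructed multicast packet."""
ANY = "ANY"

# Table 17 rows: (type, src intf, dst intf, source, dst group, service, action)
TABLE_17 = [
    ("receiving", "LAN", ANY,   "S", "231.0.0.1", "voice", "allow"),
    ("relay",     ANY,   "B01", "S", "231.0.0.1", "voice", "allow"),
    ("relay",     ANY,   "B02", "S", "231.0.0.1", "voice", "drop"),
]


def _matches(rule, pkt, out_intf):
    _, src_intf, dst_intf, source, group, service, _ = rule
    return (src_intf in (ANY, pkt["in_intf"]) and dst_intf in (ANY, out_intf)
            and source in (ANY, pkt["src"]) and group in (ANY, pkt["group"])
            and service in (ANY, pkt["service"]))


def _verdict(rules, kind, pkt, out_intf=ANY):
    """First matching rule of the given type wins (assumed ordering); with
    no match the default filter (permit all) applies, as the text requires."""
    for rule in rules:
        if rule[0] == kind and _matches(rule, pkt, out_intf):
            return rule[6]
    return "allow"


def relay_targets(rules, pkt, tunnels):
    """Tunnels over which pkt (received on pkt['in_intf']) is relayed."""
    if _verdict(rules, "receiving", pkt) != "allow":
        return set()  # dropped on receipt, so nothing is relayed
    return {t for t in tunnels if _verdict(rules, "relay", pkt, t) == "allow"}
```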
To configure multicast relay:

1 On the Routing > Multicast window, check the Enabled check box to enable multicast relay on the Nortel VPN Router. When you enable multicast relay, received traffic is filtered according to filter lists and access lists. Note: Multicast requires use of the permit all interface filter.

2 Enter the Congestion Threshold value. The default value is 3000.

3 To add an interface to the multicast boundary list, click Add to go to the Multicast > Add window.
  a Enter the Access Name/Number in the edit box.
  b Select the IP address for the interface.
  c Select Enabled for the State.
  d Click the New Access List link to view the existing access window.
Click Statistics to display the global multicast relay status and the statistics of the configured multicast interfaces, including branch office interfaces.
Click Interfaces to display all configured information about enabled interfaces, including private physical and branch office tunnel interfaces.
For VLAN, VRRP associates one IP address with two virtual routes. This association is a virtual router. On a VLAN segment, a virtual router has these properties:
- Virtual router ID
- Rate or frequency of messages between VRRP and the VLAN
An external Lightweight Directory Access Protocol (LDAP) server is not a requirement, but may make VRRP easier to use. The LDAP server provides a common location where information for each Nortel VPN Router can be maintained. It enables each Nortel VPN Router to see the virtual router settings of other Nortel VPN Routers in the system. To configure VRRP, the virtual router ID (VRID) for the virtual router group must be identical on all Nortel VPN Routers. If you use the internal LDAP server, the Nortel VPN Routers must have the virtual router parameters configured the same way. Nortel recommends that you do not use a 4-port switch (Lan0) in a VRRP configuration for Nortel VPN Router 1100 platforms. VRRP is not supported on Nortel VPN Router 1050 platforms.
Routing configuration plays a vital role in this failover operation. VPN2 and VPN3 need to know that the path to Host1 is through VPN1, and VPN1 should know that there are two paths to Host2: one through VPN2 and another through VPN3. The routing information on each Nortel VPN Router can be manually populated using static routes, but dynamic routing protocols such as RIP, BGP, or OSPF provide more reliable route information in networks that are considered dynamic or volatile (route information changes often). In this case, OSPF, BGP, or RIP would update VPN2 so that VPN1 no longer has a route to Host2. The VRRP failover occurs within 3 seconds based on the default configuration. Use of OSPF on the tunnels guarantees a maximum failover time of 40 seconds based on the default configuration. However, by setting the appropriate value for the OSPF hello interval, failover time can be drastically reduced. Use of RIP takes a maximum of 2.5 minutes based on the default configuration. You can also modify the RIP parameters to reduce this time.
Figure 6 Sample high-availability environment
[Figure labels: Central Office, Host1, LDAP, Tunnelled OSPF, branch 1_1, branch 1_2, Nortel VPN Router 2 (10.40.2.186), Nortel VPN Router 3 (10.40.4.186), Virtual router, VR ID 1, VR ID 2, Master, Back up/100]
In the previous example, if the branch office tunnels are static routes and Host2's default gateway VPN2 encounters a public interface failure (private interface 10.40.2.186 remained active), VRRP would not fail over. If VPN2 is unaware that another route to Host1 exists through VPN3, it will drop all traffic from Host2 destined to Host1. To correct this, another route to Host1 through VPN3 must be added to VPN2's route table. One way to add this route is shown in Figure 7 on page 101.
In Figure 7, an OSPF branch office tunnel is added between VPN2 and VPN3 to provide both with a secondary route to Host1. Because static routes are preferred over OSPF, both VPN2 and VPN3 will always use their static route to Host1 through VPN1 if it is available. This inter-VPN Router branch office tunnel does not have to use OSPF. RIP or a static route of higher cost would work equally well.
Figure 7 VRRP and static tunnels
[Figure labels: Central Office, Host1, LDAP, Static Tunnel, OSPF, branch 1_1, branch 1_2, Nortel VPN Router 2 (10.40.2.186), Nortel VPN Router 3 (10.40.4.186), VR ID 1, VR ID 2, Master, Back up/100]
possible ways: Delay or Time of Day. The default for a VR in Master Delay mode is disabled (None).

Note: When Safe mode is enabled, a boot after an unclean failure starts the Safe mode image instead of the normal boot image. If the Safe mode image is configured with VRRP, then Master Delay mode works. However, Safe mode automatically boots the normal image after a configured delay. This boot appears as a clean shutdown, and Master Delay mode is not invoked.

10 Click OK.

11 Go to the Routing > Interfaces window and click the Configure button next to VRRP for the appropriate interface. The LAN (with corresponding physical address on the box) and VLAN interfaces are automatically displayed in the Master Status section and all others are displayed in the Current Backed up Addresses section.

12 Check or uncheck Enable to enable or disable VRRP for this interface.

13 In the Master Status section, enable all interfaces that you want to be master and click OK. The Current Backed up Addresses section displays information about the currently configured backups: the IP addresses this subinterface is backing up, the VRID it is using, its configured state (Enabled or Disabled), its current operational state, and its priority.

14 In the New Backed up Address section, back up an IP address by selecting an IP address from the menu.

15 Enter a priority number in the Priority box.

16 Click Add.
For example, for VPN2 to be the master of VRID 1 and VPN3 to be its backup, configure the following:

1 On VPN2, go to Routing > VRRP and add IP address 10.40.2.186 with VRID 1.

2 In the Routing > Interfaces window, select 10.40.2.186 and configure and check the Master Box.

3 On VPN3, go to Routing > VRRP and add IP Address 10.40.4.186 with a VRID not equal to 1 (use 2) and add IP Address 10.40.2.186 with a VRID equal to 1.

4 In the Routing > Interface window, select 10.40.4.186 and configure. From the New Backed up Address, select 10.40.2.186, VRID 1 and click ADD.
To configure VPN3 to be the master of VRID 2:

1 On VPN2, go to Routing > VRRP and add IP address 10.40.2.186 with VRID 1.

2 In the Routing > VRRP window, add IP address 10.40.4.186 with VRID 2.

3 In the Routing > Interfaces window, select 10.40.2.186 and the Master Box next to 10.40.2.186. The Backed Up list contains 10.40.4.186 VRID 2.

4 On VPN3, go to Routing > VRRP and add IP address 10.40.4.186 with VRID 2.

5 In the Routing > VRRP window, add IP address 10.40.2.186 with VRID 1.

6 In the Routing > Interfaces window, select 10.40.4.186 and the Master Box next to 10.40.4.186. The Backed Up list contains 10.40.2.186 VRID 1.
For example, for a VLAN to be the master of VRID 1 and VPN3 to be its backup, configure the following:

1 On VLAN, go to Routing > VRRP and add IP address 1.1.1.1 with VRID 1.

2 In the Routing > Interfaces window, select 1.1.1.1 and configure and check the Master Box.

3 On VPN3, go to Routing > VRRP and add IP Address 10.40.4.186 with a VRID not equal to 1 (use 2) and add IP Address 1.1.1.1 with a VRID equal to 1.

4 In the Routing > Interface window, select 10.40.4.186 and configure. From the New Backed up Address, select 1.1.1.1, VRID 1 and click ADD.
The Configured Interface Groups section of the Routing > Interface Group window lists the names of configured interface groups, the number of IP interfaces included in the group, and the current administrative and operational states of the group. If you delete an active interface group, you must then go to the Routing > Interface Group window and click OK.

To configure interface groups:

1 Go to the Routing > Interface Grp window.

2 Click Add to access the Interface Group > Add window.

3 Enter a name for the group in the name field.

4 Select and move the available interfaces that you want to include in the group into the Interfaces in Group list.

5 To find interface groups with a given interface, enter the IP address and click Search.

6 Click OK.

7 Go to the Routing > Interfaces > Configure VRRP window for the VRRP interface that will be associated with the critical interface group.

8 Under Master Status, select the interface group from the list.

9 Click Enabled, and then click OK to enable the VRRP critical interface.
You can change the Forwarding Algorithm to per-packet, per-destination, or per-source without affecting route or forwarding tables. Load balancing and resource sharing are controlled by the following forwarding algorithms:
- Per-packet - packets are forwarded in a round-robin fashion. If the Nortel VPN Router Stateful Firewall is enabled, this policy may cause some overhead in switching the firewall context.
- Per-destination - packets are forwarded based on the source and destination address pair.
- Per-source - packets are forwarded based on the source address.
Click OK.
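An added example, not Nortel code, of the three forwarding algorithms above applied to a constructed stream of two flows over two equal-cost paths. The page does not say how the Nortel VPN Router derives a path from an address or address pair, so the CRC-based hashing and the path names VPN2 and VPN3 are assumptions; the flow_splits count makes visible why per-packet forwarding costs a stateful firewall extra context switches.

```python
"""Added illustration (not Nortel code) of the per-packet, per-destination
and per-source ECMP forwarding algorithms described above."""
from zlib import crc32


def select_paths(packets, paths, algorithm):
    """Return the next hop chosen for each (src, dst) packet.
    per-packet: round robin over the paths.
    per-destination: hash of the (src, dst) pair (hash is an assumption).
    per-source: hash of the source address only."""
    chosen = []
    for i, (src, dst) in enumerate(packets):
        if algorithm == "per-packet":
            idx = i % len(paths)
        elif algorithm == "per-destination":
            idx = crc32(f"{src}>{dst}".encode()) % len(paths)
        elif algorithm == "per-source":
            idx = crc32(src.encode()) % len(paths)
        else:
            raise ValueError(f"unknown forwarding algorithm: {algorithm}")
        chosen.append(paths[idx])
    return chosen


def flow_splits(packets, chosen):
    """Number of flows (src, dst pairs) whose packets left on more than one
    path; a stateful firewall has to switch context for each such flow."""
    seen = {}
    for flow, path in zip(packets, chosen):
        seen.setdefault(flow, set()).add(path)
    return sum(1 for used in seen.values() if len(used) > 1)


# Constructed sample: Host2 talking to two destinations, four packets each.
PACKETS = [("10.40.2.50", "10.10.1.1")] * 4 + [("10.40.2.50", "10.10.1.2")] * 4
PATHS = ["VPN2", "VPN3"]  # the two equal-cost next hops of Figure 6
```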
Index

A
Accept policies 81
advanced routing key 46, 56
Announce policies 81

B
BGP 57

C
client address redistribution 87
  configuring 90
  sample 88
  summarization 88

D
default route 35

E
equal cost multipath (ECMP) 107

I
interface filter
  Permit All 94

L
load balancing 108

M
multicast 94
multicast relay 93

O
OSPF
  configuration 48
  overview 45

P
Permit All 94
ping
  validating public default route 79
poison reverse 38
publications
  hard copy 19

R
RIP 37
  using 37, 45
route redistribution 83
route selection 32
route table 25, 29
  lookup 31
routes
  default 35
  dynamic 29
  static 29
routing
  dynamic 24
  enhanced 24
  integrated firewall 24
  loops 38
  overview 23
  policy 85
  policy service 81
  route lookup 31
  route table types 31
  rules of redistribution 83
  table 29

S
split horizon 38
static routes 25, 77
  status 26

T
technical publications 19
triggered updates 39

U
Utunnel 87

V
virtual links 47
VRRP
  configuring 102
  failover 99
  high availability 98
  master interface 100
  overview 97