E-Series Routers Routing Protocols Configuration Guide, Vol.

1
Release 5.1.x

Juniper Networks, Inc. 1194 North Mathilda Avenue Sunnyvale, CA 94089 USA 408-745-2000 www.juniper.net
Part No. 162-00734-00 Rev. A00

Juniper Networks is registered in the U.S. Patent and Trademark Office and in other countries as a trademark of Juniper Networks, Inc. Broadband Cable Processor, ERX, ESP, E-series, G1, G10, G-series, Internet Processor, J-Protect, Juniper Your Net, JUNOS, JUNOScript, JUNOSe, M5, M10, M20, M40, M40e, M160, M-series, NMC-RX, SDX, ServiceGuard, T320, T640, T-series, UMC, and Unison are trademarks of Juniper Networks, Inc. All other trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners. All specifications are subject to change without notice. Products made or sold by Juniper Networks (including the G1 and G10 CMTSs, ERX-310, ERX-705, ERX-710, ERX-1410, ERX-1440, M5, M10, M20, M40, M40e, M160, and T320 routers, T640 routing node, and the JUNOS, SDX-300, and ServiceGuard software) or components thereof might be covered by one or more of the following patents that are owned by or licensed to Juniper Networks: U.S. Patent Nos. 5,473,599, 5,905,725, 5,909,440, 6,333,650, 6,359,479, and 6,406,312. E-Series Routers Routing Protocols Configuration Guide, Vol. 1, Release 5.1.x Copyright 2003, Juniper Networks, Inc. All rights reserved. Printed in USA. Writers: Mark Barnard, Bruce Gillham, Justine Kangas, Helen Shaw, Brian Wesley Simmons, Michael Taillon, Nathaniel Woodward Editor: Fran Mues Revision History August 2003 The information in this document is current as of the date listed in the revision history above. Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.

SOFTWARE LICENSE AGREEMENTa

JUNIPER NETWORKS, INC. IS WILLING TO LICENSE THE ENCLOSED SOFTWARE AND ACCOMPANYING USER DOCUMENTATION (COLLECTIVELY, THE PROGRAM) TO YOU ONLY UPON THE CONDITION THAT YOU ACCEPT ALL OF THE TERMS AND CONDITIONS OF THIS LICENSE AGREEMENT. PLEASE READ THESE TERMS AND CONDITIONS CAREFULLY BEFORE COPYING OR USING THE ACCOMPANYING SOFTWARE OR INSTALLING THE HARDWARE UNIT WITH PRE-ENABLED SOFTWARE OR USING THE ACCOMPANYING USER DOCUMENTATION. BY USING THE ACCOMPANYING SOFTWARE OR INSTALLING THE HARDWARE UNIT WITH PRE-ENABLED SOFTWARE, YOU AGREE TO BE BOUND BY THE TERMS AND CONDITIONS OF THIS LICENSE AGREEMENT. IF YOU DO NOT AGREE TO BE BOUND BY THE TERMS OF THIS LICENSE AGREEMENT, JUNIPER NETWORKS IS UNWILLING TO LICENSE THE PROGRAM TO YOU, IN WHICH EVENT YOU SHOULD PROMPTLY WITHIN TEN (10) DAYS FROM SHIPMENT RETURN THE UNUSED SOFTWARE, USER DOCUMENTATION, AND RELATED EQUIPMENT AND HARDWARE TO THE PLACE OF PURCHASE AND YOU WILL RECEIVE A FULL REFUND OF YOUR LICENSE FEE. THIS LICENSE AGREEMENT REPRESENTS THE ENTIRE AGREEMENT CONCERNING THE PROGRAM BETWEEN YOU AND JUNIPER NETWORKS, AND IT SUPERSEDES ANY PRIOR PROPOSAL, REPRESENTATION OR UNDERSTANDING BETWEEN THE PARTIES. 1. License Grant. Juniper Networks, Inc. (Juniper Networks) and its suppliers and licensors hereby grant to you and you hereby accept a nonexclusive, personal and nontransferable license to use the computer software and/or hardware unit with pre-enabled software, including all patches, error corrections, updates, and revisions thereto in machine-readable, object code form only (the Software), and the accompanying User Documentation on the Juniper Networks product owned by you and only as authorized in this License Agreement. You may make one (1) archival copy of the Software for backup purposes provided you affix to such copy all copyright, confidentiality, and proprietary notices that appear on the original. Except as authorized under this paragraph, no copies of the Program or any portions thereof may be made, in whole or in part, by you or any person under your authority or control. The Software and User Documentation are protected under copyright laws. The title to Software and User Documentation shall remain solely with Juniper Networks and its suppliers. Except as authorized above, you shall not: copy, in whole or in part, the Software or the related User Documentation; modify, reverse assemble, reverse compile, or otherwise translate, dissemble, or obtain source code for the Software or User Documentation, in whole or in part, or permit a third party to do so; rent, lease, distribute, sell, or create derivative works of the Software; pledge, lease, rent, sublicense or share its rights under this License Agreement; or, without Juniper Networks prior written consent, assign or transfer its rights hereunder. 2. Juniper Networks' Rights. You agree that the Software, including the User Documentation, embodies Juniper Networks' and its suppliers' and licensors' confidential and proprietary intellectual property protected under U.S. copyright law and you will use your best efforts to maintain their confidentiality. You further acknowledge and agree that Juniper Networks or its suppliers and licensors own all right, title, and interest in and to the Software, including all intellectual property rights therein. You shall take no action inconsistent with Juniper Networks' or its suppliers' ownership of such Software. You shall not sublicense, assign, or otherwise disclose to any third party the Software or any information about the operation, design, performance, or implementation of the Software and User Documentation without prior written consent of Juniper Networks. You agree to implement reasonable security measures to protect such confidential and proprietary information and copyrighted material. This License Agreement does not convey to you an interest in or to the Program, but only the limited right of use revocable in accordance with the terms of this License Agreement. 3. License Fees. The license fees paid by you are paid in consideration of the license granted under this License Agreement. 4. Term. This license is effective upon opening of the package(s) or use of the hardware containing the Software, and shall continue until terminated. You may terminate this License at any time by returning the Software, including any User Documentation, and all copies or portions thereof to Juniper Networks. This License will terminate immediately without notice from Juniper Networks if you breach any term or provision of this License. Upon such termination by Juniper Networks, you

a. If you and Juniper Networks, Inc., have executed another license agreement for the Program which is now in effect, then such agreement (Negotiated Agreement) shall supersede this Software License Agreement and shall exclusively govern the use and license terms of the Program.

must return the Software, including any User Documentation, and all copies or portions thereof to Juniper Networks. Termination of this License Agreement shall not prejudice Juniper Networks' rights to damages or other available remedy. 5. Limited Software Warranty: Juniper Networks warrants, for your benefit alone, that for a period of ninety (90) days from the date of shipment from Juniper Networks that the Software substantially conforms to its published specifications. The limited warranty extends only to you as the original licensee. Your exclusive remedy and the entire liability of Juniper Networks and its suppliers under this limited warranty will be, at Juniper Networks' option, repair or replacement of the Software, or refund of the amounts paid by you under this License Agreement. You agree that this is your sole and exclusive remedy for breach by Juniper Networks, its suppliers or its licensors of any warranties made under this License Agreement. In no event does Juniper Networks warrant that the Software is error free or that you will be able to operate the Software without problems or interruptions. Juniper Networks does not warrant: 1) that the functions contained in the software will meet your requirements; 2) that the Software will operate in the hardware or software combination that you may select; 3) that the operation of the Software will be uninterrupted or error free; or 4) that all defects in the operation of the Software will be corrected. This warranty does not apply if the product: 1) has been altered, except by Juniper Networks; 2) has not been installed, operated, repaired, or maintained in accordance with instruction supplied by Juniper Networks; or 3) has been subjected to or damaged by improper environment, abuse, misuse, accident, or negligence. EXCEPT FOR THE WARRANTIES SET FORTH ABOVE, THE SOFTWARE IS LICENSED AS IS, AND JUNIPER NETWORKS DISCLAIMS ANY AND ALL OTHER REPRESENTATIONS, CONDITIONS, AND WARRANTIES, WHETHER EXPRESS, IMPLIED, OR STATUTORY, INCLUDING, WITHOUT LIMITATION, ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE OR ANY WARRANTIES FOR NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE. ANY AND ALL SUCH WARRANTIES ARE HEREBY EXCLUDED TO THE EXTENT ALLOWED BY APPLICABLE LAW. JUNIPER NETWORKS' SUPPLIERS AND LICENSORS DO NOT MAKE OR PASS ON TO YOU OR ANY THIRD PARTY ANY EXPRESS, IMPLIED, OR STATUTORY WARRANTY OR REPRESENTATION, INCLUDING, BUT NOT LIMITED TO, IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE OR ANY WARRANTIES FOR NONINFRINGEMENT. 6. Proprietary Rights Indemnification. Juniper Networks shall at its expense defend you against and, subject to the limitations set forth elsewhere herein, pay all costs and damages made in settlement or awarded against you resulting from a claim that the Program as supplied by Juniper Networks infringes a United States copyright or a United States patent, or misappropriates a United States trade secret, provided that you: (a) provide prompt written notice of any such claim, (b) allow Juniper Networks to direct the defense and settlement of the claim, and (c) provide Juniper Networks with the authority, information, and assistance that Juniper Networks reasonably deems necessary for the defense and settlement of the claim. You shall not consent to any judgment or decree or do any other act in compromise of any such claim without first obtaining Juniper Networks written consent. In any action based on such a claim, Juniper Networks may, at its sole option, either: (1) obtain for you the right to continue using the Program, (2) replace or modify the Program to avoid the claim, or (3) if neither (1) nor (2) can reasonably be effected by Juniper Networks, terminate the license granted hereunder and give you a pro rata refund of the license fee paid for such Program, calculated on the basis of straight-line depreciation over a five-year useful life. Notwithstanding the preceding sentence, Juniper Networks will have no liability for any infringement or misappropriation claim of any kind if such claim is based on: (i) the use of other than the current unaltered release of the Program and Juniper Networks has provided or offers to provide such release to you for its then current license fee, or (ii) use or combination of the Program with programs or data not supplied or approved by Juniper Networks if such use or combination caused the claim. 7. Limitation of Liability. IN NO EVENT WILL JUNIPER NETWORKS OR ITS SUPPLIERS OR LICENSORS BE LIABLE FOR ANY COST FOR SUBSTITUTE PROCUREMENT; SPECIAL, INDIRECT, INCIDENTAL, PUNITIVE, EXEMPLARY, OR CONSEQUENTIAL DAMAGES; OR ANY DAMAGES RESULTING FROM INACCURATE OR LOST DATA OR LOSS OF USE OR PROFITS ARISING OUT OF OR IN CONNECTION WITH THE PERFORMANCE OF THE SOFTWARE, EVEN IF JUNIPER NETWORKS HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. Juniper Networks' cumulative liability to you or any other party for any loss or damages resulting from any claims, demands, or actions arising out of or relating to this License Agreement shall not exceed the total fees paid to Juniper Networks for the Software. 8. Export Control. Software, including technical data, is subject to U.S. export control laws, including the U.S. Export Administration Act and its associated regulations, and may be subject to

export or import regulations in other countries. You agree to comply strictly with all such regulations and acknowledge that you have the responsibility to obtain licenses to export, re-export, or import Software. 9. Government Licensees: If any Software or associated documentation is acquired by or on behalf of a unit or agency of the United States government, the government agrees that such Software or documentation is a commercial item as that term is defined in 48 C.F.R. 2.101, consisting of commercial computer software or commercial computer software documentation as such terms are used in 48 C.F.R. 12.212 of the Federal Acquisition Regulations and its successors and 48 C.F.R. 227.7202-1 through 227.7202-4 of the DoD FAR Supplement and its successors. The use, duplication, or disclosure by the United States government of technical, data, computer software and documentation is subject to the restrictions set forth in FAR section 12.212(a), FAR section 52.227-14(g)(2), FAR section 52.227-19, DFARS section 252.227-7015(b), DFARS section 227.7202-1(a), and DFARS section 227.7202-3(a), as applicable. All United States government end users acquire the Software with only the rights set forth in this License Agreement. 10. General: This License shall be governed by and construed in accordance with the laws of the Commonwealth of Massachusetts, United States of America, as if performed wholly within the state and without giving effect to the principles of conflict of law. Any dispute arising out of this Agreement shall be referred to an arbitration proceeding in Boston, Massachusetts, in accordance with the commercial arbitration rules of the American Arbitration Association (the AAA). If the parties cannot agree upon an arbitrator, arbitration shall be conducted by a neutral arbitrator selected by the AAA who is knowledgeable in electronics equipment manufacturing and software licensing. The parties shall share the procedural costs of arbitration equally, and each party shall pay its own attorneys' fees and other costs and expenses associated with the arbitration, unless the arbitrator decides otherwise. The arbitrator's award shall be in writing and shall include a statement of reasons, but the arbitrator shall not be permitted to award punitive or indirect damages. The arbitrator's decision and award shall be final and binding and may be entered in any court having jurisdiction. The terms of this section shall not prevent any party from seeking injunctive relief in any court of competent jurisdiction in order to protect its proprietary and confidential information. If any term or provision hereof is found to be void or unenforceable by a court of competent jurisdiction, the remaining provisions of this License Agreement shall remain in full force and effect. This License Agreement constitutes the entire agreement between the parties with respect to the use of the Software and User Documentation and supersedes any and all prior oral or written agreements, discussions, negotiations, commitments, or understandings. No amendment, modification, or waiver of any provision of this License Agreement will be valid unless in writing and signed by the authorized representative of the party against which such amendment, modification, or waiver is sought to be enforced. The waiver by either party of any default or breach of this License Agreement shall not constitute a waiver of any other or subsequent default or breach. This License Agreement shall be binding upon the parties and their respective successors and permitted assigns. Should you have any questions about this agreement, please contact: Juniper Networks, Inc. 1194 North Mathilda Avenue Sunnyvale, CA 94089 Attn: Contracts Administrator

Contents

About This Guide E-Series Routers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xix Audience . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xx Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xx Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxi MIBS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxiii Release Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxiii Abbreviations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxiii Web Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxiii Comments About the Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxiii Contacting Customer Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxiv

Part 1. Routing Policy

Chapter 1 Configuring Routing Policy Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-1 References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-2 Route Maps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-2 Sample Route Map . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-4 Multiple Values in a Match Entry . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-5 Negating Match Clauses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-5 Matching a Community List Exactly . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-6 Removing Community Lists from a Route Map . . . . . . . . . . . . . . . . . . . . . . . 1-7 Redistributing Access Routes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-7 Access Lists . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-16 Filtering Prefixes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-17 Filtering AS Paths . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-19 Using Access Lists in a Route Map . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-22 Creating Table Maps for Access Routes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-26 Using the Null Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-26 Prefix Lists . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-27 Using a Prefix List . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-27

viii Contents

Prefix Trees . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-30 Using a Prefix Tree . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-30 Community Lists . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-31 Extended Community Lists . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-35 Using Regular Expressions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-37 AS-path Lists . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-37 Community Lists . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-38 Community Numbers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-38 Metacharacters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-38 Using Metacharacters as Literal Tokens . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-39 Regular Expression Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-40 Managing the Routing Table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-43 Troubleshooting Routing Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-43 Monitoring Routing Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-43

Part 2. Internet Protocol

Chapter 2 Configuring IP Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-2 IP Packets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-2 IP Functions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-2 Moving Data Between Layers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-2 Routing Datagrams to Remote Hosts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-3 Fragmenting and Reassembling Datagrams . . . . . . . . . . . . . . . . . . . . . . . . 2-3 IP Layering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-3 Network Interface Layer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-3 Internet Layer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-4 Transport Layer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-4 Application Layer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-4 References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-4 IP Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-5 IP Addressing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-6 Physical and Logical Addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-6 Internet Addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-6 Subnet Addressing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-7 Classless Addressing with CIDR . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-8 Adding and Deleting Addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-9 Adding a Primary Address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-10 Deleting a Primary Address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-10 Adding a Secondary (Multinet) Address . . . . . . . . . . . . . . . . . . . . . . . . . 2-10 Deleting a Secondary Address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-10 ip address Command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-10 Before You Configure IP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-11 Creating a Profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-11 Assigning a Profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-14 Address Resolution Protocol (ARP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-14 How ARP Works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-15 MAC Address Validation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-18

ix E-Series Routers

Broadcast Addressing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-19 Broadcast Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-20 Fragmentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-20 IP Routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-21 Routing Information Tables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-21 Setting the Administrative Distance for a Route . . . . . . . . . . . . . . . . . . . . . . . 2-23 Setting the Metric for a Route . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-25 Routing Operations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-25 Identifying a Router Within an Autonomous System . . . . . . . . . . . . . . . . . . . 2-25 Establishing a Static Route . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-25 Setting Up Default Routes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-26 Setting Up an Unnumbered Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-26 Adding a Host Route to a Peer on a PPP Interface . . . . . . . . . . . . . . . . . . . . 2-26 Enabling Source Address Validation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-27 Shutting Down an IP Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-27 Removing the IP Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-27 Clearing IP Routes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-27 Clearing IP Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-28 Setting a Baseline . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-28 Disabling Forwarding of Packets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-29 Enabling Forwarding of Source-Routed Packets . . . . . . . . . . . . . . . . . . . . . . 2-29 Forcing an Interface to Appear Up . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-30 Specifying a Debounce Time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-30 Adding a Description . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-30 Enabling Link Status Traps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-31 Configuring the Speed . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-31 Configuring Equal-Cost Multipath Load Sharing . . . . . . . . . . . . . . . . . . . . . 2-31 Setting a TTL Value . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-33 Shared IP Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-33 Configuring Prefixes for Dynamic Shared IP Interfaces . . . . . . . . . . . . . . . . 2-34 Configuring Shared IP Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-34 Moving IP Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-37 IP Shared Interface Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-37 Subscriber Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-37 Internet Control Message Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-38 ICMP Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-38 Specifying a Source Address for ICMP Messages . . . . . . . . . . . . . . . . . . . . . . 2-39 Reachability Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-40 Response Time Reporter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-42 Configuration Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-43 Configuring the Probe Type . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-43 Configuring Optional Characteristics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-44 Capturing Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-46 Collecting History . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-46 Setting Reaction Conditions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-47 Scheduling the Probe . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-48 Shutting Down the Probe . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-49 Monitoring RTR . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-50

x Contents

Monitoring IP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-55 Establishing a Baseline . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-55 IP show Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-56 Chapter 3 Configuring IPv6 and Neighbor Discovery Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-2 References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-3 IPv6 Packet Headers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-3 IPv4 and IPv6 Header Differences . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-3 Standard IPv6 Headers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-4 Extension Headers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-5 IPv6 Addressing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-5 Address Representation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-5 IPv6 Address Compression . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-6 IPv6 Address Prefix . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-6 Address Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-6 Address Scope . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-7 Address Structure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-8 ICMP Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-8 Understanding Neighbor Discovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-9 Before You Configure IPv6 or Neighbor Discovery . . . . . . . . . . . . . . . . . . . . . . . 3-10 IPv6 Configuration Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-11 Configuring an IPv6 License . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-11 Creating an IPv6 Profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-11 Assigning a Profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-13 Establishing a Static Route . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-13 Specifying an IPv6 Hop Count Limit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-13 Managing IPv6 Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-14 Adding a Description . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-16 Removing an IPv6 Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-16 Clearing IPv6 Routes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-17 Creating Static IPv6 Neighbors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-17 Neighbor Discovery Configuration Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-17 Configuring Neighbor Discovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-17 Configuring Proxy Neighbor Advertisements . . . . . . . . . . . . . . . . . . . . . . . . . 3-19 Configuring Duplicate Address Detection Attempts . . . . . . . . . . . . . . . . . . . . 3-19 Clearing IPv6 Neighbors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-20 Monitoring IPv6 and Neighbor Discovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-20 Establishing a Baseline . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-20 IPv6 show Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-21 Chapter 4 Configuring NAT Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-2 NAT Configurations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-2 Traditional NAT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-2 Basic NAT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-3 NAPT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-3

xi E-Series Routers

Bidirectional NAT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-3 Twice NAT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-4 Network and Address Terms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-4 Inside Local Addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-5 Inside Global Addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-5 Outside Local Addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-5 Outside Global Addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-5 Understanding Address Translation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-5 Inside Source Translation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-5 Outside Source Translation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-6 Address Assignment Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-6 Static Translations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-6 Dynamic Translations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-6 Order of Operations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-7 References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-7 Before You Begin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-8 Limiting Translation Entries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-8 Specifying Inside and Outside Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-8 Defining Static Address Translations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-9 Creating Inside Source Translations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-9 Creating Outside Source Translations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-10 Defining Dynamic Translations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-10 Creating Access List Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-10 Defining Address Pools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-11 Defining Translation Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-12 Creating Dynamic Inside Source Translations . . . . . . . . . . . . . . . . . . . . . 4-13 Creating Dynamic Outside Source Translations . . . . . . . . . . . . . . . . . . . 4-14 Defining Translation Time-Outs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-14 Clearing Dynamic Translations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-15 Configuration Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-15 NAPT Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-15 Bidirectional NAT Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-17 Twice NAT Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-19 Cross-VRF Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-21 Monitoring NAT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-23 Displaying Translation Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-23 Displaying Translation Entries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-24

Part 3. Internet Protocol Routing

Chapter 5 Configuring IP Multicasting Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-2 References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-3 Before You Begin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-4 Enabling IP Multicasting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-4 Deleting Multicast Forwarding Entries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-4 Reverse-Path Forwarding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-5

xii Contents

Multicast Packet Forwarding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-6 Disabling RPF Checks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-7 Using Unicast Routes for RPF . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-8 Monitoring IP Multicast Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-8 Support for Multicast Router Information . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-14 IGMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-15 IGMP Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-15 Group Membership Queries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-15 Group Membership Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-16 Leave Group Membership Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-16 Configuring Static and Dynamic IGMP Interfaces . . . . . . . . . . . . . . . . . . . . 5-17 Enabling IGMP on an Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-18 Configuring IGMP Settings for an Interface . . . . . . . . . . . . . . . . . . . . . . . . . 5-19 Assigning a Multicast Group to an Interface . . . . . . . . . . . . . . . . . . . . . . . . . 5-21 Specifying Multicast Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-22 Limiting the Number of Accepted IGMP Groups . . . . . . . . . . . . . . . . . . . . . 5-22 Including and Excluding Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-23 Accepting IGMP Reports from Remote Subnets . . . . . . . . . . . . . . . . . . . . . . 5-24 Disabling and Removing IGMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-25 Monitoring IGMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-25 IGMP Proxy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-29 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-29 Configuring IGMP Proxy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-30 Setting the IGMP Proxy Baseline . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-32 Monitoring IGMP Proxy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-32 PIM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-34 PIM DM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-35 Overriding Prunes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-36 Preventing Duplication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-37 PIM SM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-37 Joining Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-39 Remote Neighbors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-39 Timers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-41 PIM S-DM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-42 PIM SSM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-42 Enabling and Disabling PIM on a VR . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-42 Enabling PIM on an Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-43 Configuring an RP Router for PIM SM and PIM S-DM . . . . . . . . . . . . . . . 5-44 Configuring a Static RP Router . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-44 Configuring an Auto-RP Router for PIM SM . . . . . . . . . . . . . . . . . . . . . 5-44 Configuring an Auto-RP Router for PIM S-DM . . . . . . . . . . . . . . . . . . . 5-45 Switching to an SPT for PIM SM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-46 Configuring PIM SM Remote Neighbors . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-47 Configuration Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-48 Configuring PIM SSM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-49 Removing PIM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-49 Resetting PIM Counters and Mappings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-50 Monitoring PIM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-51 Monitoring PIM Events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-51 Monitoring PIM Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-51

xiii E-Series Routers

DVMRP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-59 Identifying Neighbors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-59 Advertising Routes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-60 Enabling DVMRP on a VR . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-61 Activating DVMRP on an Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-61 Configuring DVMRP Limits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-62 Filtering DVMRP Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-62 Configuring DVMRP Summary Addresses . . . . . . . . . . . . . . . . . . . . . . . . . . 5-63 Changing the Metric for a Route . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-64 Importing Routes from Other Protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-65 Specifying Routes to Be Advertised . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-66 Preventing Dynamic Route Distribution . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-66 Exchanging DVMRP Unicast Routes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-66 Disabling and Removing DVMRP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-67 Deleting DVMRP Routes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-68 Configuring DVMRP Tunnels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-68 Monitoring DVMRP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-69 BGP Multicasting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-74 Investigating Multicast Routes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-74 Chapter 6 Configuring IP Tunnels Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-2 GRE Tunnels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-2 DVMRP Tunnels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-2 Line Module Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-2 Managing TSMs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-3 References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-3 Configuration Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-3 Configuration Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-5 Configuring IP Tunnels to Forward IP Frames . . . . . . . . . . . . . . . . . . . . . . . . 6-6 Preventing Recursive Tunnels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-7 Monitoring IP Tunnels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-8 Chapter 7 IP Reassembly for Tunnels Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-1 Reassembly Processing Within the System . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-2 Configuring IP Reassembly . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-2 Monitoring IP Reassembly . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-3 Chapter 8 Configuring RIP Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-1 RIP Metric . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-2 RIP Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-2 References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-2 Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-3 Route Tags . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-3 Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-3

xiv Contents

Subnet Masks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-4 Next Hop . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-4 Multicasting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-5 Route Summaries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-5 Split Horizon . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-6 Equal-Cost Multipath . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-6 Applying Route Maps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-6 Before You Run RIP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-6 Configuration Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-7 Relationship Between address and network Commands . . . . . . . . . . . . . . . . . 8-9 Using RIP Routes for Multicast RPF Checks . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-18 Remote Neighbors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-19 Monitoring RIP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-22 debug Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-22 show Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-23 Chapter 9 Configuring OSPF Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-2 Terms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-2 References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-4 Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-5 Intra-area, Interarea, and External Routes . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-5 Routing Priority . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-5 Virtual Links . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-6 Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-6 Opaque LSAs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-6 Route Leakage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-6 Equal-Cost Multipath . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-7 OSPF MIB . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-7 Interacting with Other Routing Protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-7 With IS-IS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-7 With RIP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-7 With BGP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-7 Configuration Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-8 Configuring OSPF Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-8 Enabling OSPF . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-9 Creating a Range of OSPF Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-9 Creating a Single OSPF Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-11 Aggregating OSPF Networks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-12 Configuring OSPF Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-13 address Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-13 ip ospf Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-16 Comparison Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-18 Precedence of Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-18 Configuring OSPF Areas . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-19 Configuring Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-22 Authentication Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-23 Configuring Additional Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-27 Default Metrics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-33

xv E-Series Routers

Configuring OSPF for NBMA Networks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-34 Traffic Engineering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-35 Configuring OSPF for TE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-35 Using OSPF Routes for Multicast RPF Checks . . . . . . . . . . . . . . . . . . . . . . . . . . 9-37 OSPF and BGP/MPLS VPNs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-37 Remote Neighbors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-37 Disabling and Reenabling Incremental SPF . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-40 Configuring OSPF Traps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-41 Monitoring OSPF . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-42 debug Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-42 show Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-43 Chapter 10 Configuring IS-IS Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-1 Terms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-2 ISO Network Layer Addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-4 Level 1 Routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-4 Level 2 Routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-5 Dynamic Hostname Resolution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-5 Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-5 Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-6 Specifying Start and Stop Timing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-7 Halting MD5 Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-8 Managing and Replacing Keys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-8 Extensions for Traffic Engineering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-8 Integrated IS-IS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-9 Equal-Cost Multipath . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-9 References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-10 Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-11 Before You Run IS-IS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-11 Configuration Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-11 Enabling IS-IS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-12 Summary Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-14 Configuring IS-IS Interface-Specific Parameters . . . . . . . . . . . . . . . . . . . . . . . . 10-14 Summary Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-19 Configuring Global IS-IS Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-20 Setting Authentication Passwords . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-20 Configuring Redistribution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-21 Redistributing Routes Between Levels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-23 Controlling Granularity of Routing Information . . . . . . . . . . . . . . . . . . . . . 10-24 Configuring Metric Type . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-25 Setting the Administrative Distance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-26 Configuring Default Routes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-26 Setting Router Type . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-27 Summarizing Routes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-27 Configuring the Router to Be Ignored . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-28 Ignoring LSP Errors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-29 Logging Adjacency State Changes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-29 Configuring LSP Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-30

xvi Contents

Specifying the SPF Interval . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Defining the SPF Route Calculation Level . . . . . . . . . . . . . . . . . . . . . . . . . . Setting CLNS Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Setting the Maximum Parallel Routes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Configuring a Virtual Multiaccess Network . . . . . . . . . . . . . . . . . . . . . . . . . Summary Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Configuring IS-IS for MPLS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Using IS-IS Routes for Multicast RPF Checks . . . . . . . . . . . . . . . . . . . . . . . . . . Monitoring IS-IS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Monitoring IS-IS Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Displaying CLNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Chapter 11 Configuring VRRP

10-31 10-32 10-33 10-34 10-34 10-34 10-35 10-36 10-37 10-37 10-47

Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-1 Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-2 References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-2 How VRRP Works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-3 Configuration Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-3 Basic VRRP Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-3 Commonly Used VRRP Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . 11-4 VRRP Configuration Without the Real Address Owner . . . . . . . . . . . . . 11-6 How VRRP Is Implemented in the E-Series Router . . . . . . . . . . . . . . . . . . . . . . . 11-7 Router Election Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-7 Configuring VRRP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-8 Configuring the IP Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-8 Creating VRIDs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-9 Configuration Steps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-9 Monitoring VRRP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-12

Part 4. Internet Protocol Security

Chapter 12 Configuring IPSec Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-1 Terms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-2 References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-3 IPSec Concepts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-4 Secure IP Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-4 RFC 2401 Compliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-4 IPSec Protocol Stack . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-5 Security Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-6 Manual Versus Signalled Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-8 Operational Virtual Router . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-8 Transport Virtual Router . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-9 Perfect Forward Secrecy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-10 Lifetime . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-10 Inbound and Outbound SAs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-11 Transform Sets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-12

xvii E-Series Routers

Other Security Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . IP Security Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ESP Processing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . AH Processing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . IPSec Maximums Supported . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . IKE Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Main Mode and Aggressive Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Aggressive Mode Negotiations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . IKE Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Priority . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Hash Function . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Authentication Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Diffie-Hellman Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Lifetime . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . IKE SA Negotiation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Configuration Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Configuring an IPSec License . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Configuring IPSec Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Creating an IPSec Tunnel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Defining an ISAKMP/IKE Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Refreshing SAs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Configuration Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Configuration Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Example 1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Example 2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Monitoring IPSec . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . System Event Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . show Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Chapter 13 Configuring Digital Certificates

12-14 12-14 12-15 12-15 12-15 12-15 12-16 12-17 12-17 12-18 12-18 12-18 12-19 12-19 12-19 12-20 12-20 12-20 12-21 12-24 12-28 12-31 12-31 12-31 12-31 12-36 12-42 12-42 12-42

Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-1 Terms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-2 References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-2 IKE Authentication Using Digital Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . 13-3 Signature Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-3 Generating Private/Public Key Pairs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-4 Obtaining a Public Key Certificate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-5 Obtaining a Root CA Certificate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-5 Authenticating the Peer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-5 Checking CRLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-6 File Extensions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-7 Configuration Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-7 Monitoring Digital Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-12 Chapter 14 Configuring L2TP with IPSec Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-1 References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-2

xviii Contents

How Secure Remote Access Works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-2 Setting Up the Secure Connection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-3 L2TP with IPSec Control and Data Frames . . . . . . . . . . . . . . . . . . . . . . . . . 14-4 Compatibility and Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-4 End-to-End Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-4 Client Software Supported . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-5 Interactions with NAT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-5 Tunnel Creation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-5 Interaction Between IPSec and PPP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-5 Number of L2TP/IPSec Connections . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-6 LNS Change of Address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-6 LNS Change of Port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-6 Group Preshared Key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-6 Configuration Tasks for Client PC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-7 Configuration Tasks for E-Series Routers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-7 Configuring L2TP Destination Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-7 Configuring IPSec Transport Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-8 Monitoring L2TP over IPSec . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-13 System Event Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-13 show Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-13 Index

About This Guide

This E-Series Routing Protocols Configuration Guide, Vol. 1 provides the information you need to configure certain routing protocols (primarily IP and IPv6 protocols) on your E-series router.
Note: If the information in the latest E-Series Release Notes differs from the information in this guide, follow the E-Series Release Notes.

The E-series router is shipped with the latest system software installed. If you need to install a future release or reinstall the system software, refer to the procedures in the E-Series Installation and User Guide, Appendix B, Installing JUNOSe Software.

E-Series Routers
Five models of E-series routers are available: ERX-1440 router ERX-1410 router ERX-710 router ERX-705 router ERX-310 router All models use the same software. For information about the differences between the models, see E-Series Installation and User Guide, Chapter 1, E-Series Overview. In the E-series documentation, the term ERX-14xx models refers to both the ERX-1440 router and the ERX-1410 router. Similarly, the term ERX-7xx models refers to both the ERX-710 router and the ERX-705

xx About This Guide

router. The terms ERX-1440 router, ERX-1410 router, ERX-710 router, ERX-705 router, and ERX-310 router refer to the specific models.

Audience
This guide is intended for experienced system and network specialists working with E-series routers in an Internet access environment.

Conventions
Table 1 defines notice icons used in this guide, and Table 2 defines text conventions used throughout the book, except for command syntax. Table 3 provides command syntax conventions used primarily in the E-Series Command Reference Guide. For more information about command syntax, see E-Series System Basics Configuration Guide, Chapter 2, Command Line Interface.
Table 1 Notice icons Icon Meaning Informational note Caution Description Indicates important features or instructions. Indicates that you may risk losing data or damaging your hardware.

Warning

Alerts you to the risk of personal injury.

Table 2 Text conventions (except for command syntax) Convention Bold typeface Description Represents commands and keywords in text. Examples Bold Courier typeface Key name in angle brackets Key names linked with a plus sign (+) in angle brackets. Represents text that the user must type. Indicates the name of a key on the keyboard. Indicates that you must press two or more keys simultaneously. Command example: Issue the clock source command. Keyword example: Specify the keyword exp-msg.

user input Press <Enter>. Press <Ctrl+B>.

Documentation E-Series Routers

xxi

Table 2 Text conventions (except for command syntax) (continued) Convention Plain Courier typeface Description Represents information as displayed on your terminals screen. Examples host1#show ip ospf 2 Routing Process OSPF 2 with Router ID 5.5.0.250 Router is an Area Border Router (ABR) Italics Emphasize words. Identify variables. Identify chapter, appendix, and book names. There are two levels of access, user and privileged. clusterId, ipAddress. Appendix A, System Specifications.

Table 3 Syntax conventions in Command Reference Guide Convention Words in plain text Words in italics Words separated by the | symbol Description Represent keywords. Represent variables. Represent a choice to select one keyword or variable to the left or right of this symbol. (The keyword or variable may be either optional or required.) Represent optional keywords or variables. Represent optional keywords or variables that can be entered more than once. Represent required keywords or variables. Examples terminal length mask, accessListName diagnostic | line

Words enclosed in [ brackets ] Words enclosed in [ brackets ]*

[ internal | external ] [ level1 | level2 | l1 ]*

Words enclosed in { braces }

{ permit | deny } { in | out } { clusterId | ipAddress }

Documentation
The E-Series Installation Quick Start poster is shipped in the box with all new routers. This poster provides the basic procedures to help you get the router up and running quickly. With each software release, we provide the E-Series Routers Documentation CD (formerly ERX Edge Routers Documentation CD). The documentation CD contains the document set in PDF format and HTML format (with and without frames). From the HTML files, you can also access PDF files of individual chapters and appendixes. The documentation is also available on the Web. You can order a set of printed documents from your Juniper Networks sales representative.

xxii About This Guide

The document set comprises the following books: E-Series Installation and User Guide Provides the necessary procedures for getting the router operational, including information on installing, cabling, powering up, configuring the router for management access, and general troubleshooting. Describes SRP modules, line modules, and I/O modules available for the E-series routers, and provides information about the compatibility of line modules and I/O modules with software releases. Lists the layer 2 protocols, layer 3 protocols, and applications that line modules and their corresponding I/O modules support. E-Series System Basics Configuration Guide Describes planning and configuring your network, managing the router, configuring passwords and security, configuring the router clock, and configuring virtual routers. Includes a list of references that provide information on the protocols and features supported by the router. E-Series Physical Layer Configuration Guide Describes configuring physical layer interfaces. E-Series Link Layer Configuration Guide Describes configuring link layer interfaces. E-Series Routing Protocols Configuration Guide, Vol. 1 Provides information about configuring routing policy and configuring IP, IP routing, and IP security. E-Series Routing Protocols Configuration Guide, Vol. 2 Describes BGP routing, MPLS, BGP-MPLS VPNs, and encapsulation of layer 2 services. E-Series Policy and QoS Configuration Guide Provides information about configuring policy management and quality of service (QoS). E-Series Broadband Access Configuration Guide Provides information about configuring remote access. E-Series Command Reference Guide A to M; E-Series Command Reference Guide N to Z Together comprise the E-Series Command Reference Guide. Contain important information about commands implemented in the system software. Use to look up command descriptions, command syntax, a commands related mode, or a description of a commands parameters. Use with the E-series configuration guides. E-Series Product Overview Guide Gives a thorough overview of the router from a software and hardware perspective. It provides illustrations and configuration examples that present the big picture.

Comments About the Documentation E-Series Routers

xxiii

MIBS

Copies of the MIBs available in a software release are included on the JUNOSe Software CD (formerly ERX Edge Routers Software CD) and on the Web.
Release Notes

Release notes are included on the corresponding software CD and are available on the Web. In the Release Notes, you will find the latest information about features, changes, known problems, resolved problems, and system maximum values. If the information in the Release Notes differs from the information found in the documentation set, follow the Release Notes.
Abbreviations

A complete list of abbreviations used in this document set, along with their spelled-out terms, is provided in the E-Series System Basics Configuration Guide, Appendix A, Abbreviations and Acronyms.
Web Access

To view the documentation on the Web, go to: http://www.juniper.net/techpubs/

Comments About the Documentation

We encourage you to provide feedback, comments, and suggestions so that we can improve the documentation to better meet your needs. Please e-mail your comments to: [email protected] Along with your comments, be sure to indicate: Document name Document part number Page number Software release version

xxiv About This Guide

Contacting Customer Support

For technical support, contact Juniper Networks at [email protected], or at 1-888-314-JTAC (within the United States) or 408-745-9500 (from outside the United States).

Part 1

Routing Policy

Configuring Routing Policy

1
Page 1-1 1-2 1-2 1-16 1-26 1-27 1-30 1-31 1-37 1-43 1-43 1-43

This chapter provides information on configuring routing policy for your E-series router. It describes routing policy configuration in general as it might be used with various routing protocols, such as BGP, IS-IS, OSPF, and RIP.
Topic Overview References Route Maps Access Lists Using the Null Interface Prefix Lists Prefix Trees Community Lists Using Regular Expressions Managing the Routing Table Troubleshooting Routing Policy Monitoring Routing Policy

Overview
Routing policy determines how the system handles the routes it receives from and sends to neighboring routers. In many cases, routing policy consists of filtering routes, accepting certain routes, accepting and modifying other routes, rejecting some routes, and determining the

1-2

CHAPTER 1 Configuring Routing Policy

routing protocol used to distribute the routes. You can think of routing policy as a way to control the flow of routes into and out of the router. The decision about which routes to accept from and advertise to various neighbors has an important impact on the traffic that crosses a network. Routing policy is used to enforce business agreements between two or more ISPs concerning the amount and type of traffic that is allowed to pass between them. You can use one or more of the following mechanisms to configure routing policy: Route maps Access lists Prefix lists Prefix trees Community lists

References
For more information about the protocols discussed in this chapter, refer to their respective chapters in this guide and in E-Series Routing Protocols Configuration Guide, Vol. 2, and to the References sections within those chapters.

Route Maps
You can use route maps to control and modify routing information and to define conditions for redistributing routes between routing domains. You can apply route maps to inbound, outbound, or redistribution routes. A route map consists of match clauses and set clauses. Match clauses specify the attribute values that determine whether a route matches the route map. A route that has the same attribute values passes the match condition. Routes that pass all the match conditions match the route map. You issue match commands to define the match conditions for a route map. You can specify the match conditions in any order. If you do not specify any match conditions in a route map, that route map then matches all routes. Set clauses define how the attributes are modified for matching routes. The set conditions apply only to routes that pass all the match conditions (or a route map with no match conditions). When a route passes all the

Route Maps E-Series Routers

1-3

match conditions, all set conditions are applied. You issue set commands to define the set conditions for a route map. You assign a unique string called the map tag to identify each route map. You can have multiple instances of a route map, where each instance consists of a different group of clauses. Each instance is identified by a sequence number. When you apply a route map, the routing protocol evaluates routes against the instance of the route map with the lowest sequence number. If the routes pass all the match conditions specified in the lowest-numbered instance, and if all set commands are successfully applied, then no other instance of the route map is considered. However, any routes that do not pass all the match conditions are evaluated against the next instance of the route map. For example, suppose you create two instances of route map boston5, one with sequence number 10 and one with sequence number 25. When you apply boston5, routes are evaluated first against instance 10; any that do not match are evaluated against instance 25. When you apply a route map, you specify the permit or deny keyword. If you specify permit, routes that match the route map are accepted, forwarded, or redistributed. Routes that do not match the route map are rejected or blocked. If you specify deny, routes that match the route map are rejected or blocked. Routes that do not match the route map are accepted, forwarded, or redistributed. A route map must have at least one match clause or one set clause. If you have no match clauses, all routes match the route map, and the set conditions apply to all routes. If you have no set clauses, no action is taken other than that specified by the permit or deny keyword.

1-4

CHAPTER 1 Configuring Routing Policy

Sample Route Map

Consider the network structure shown in Figure 1-1. Suppose you do not want router Boston to receive any routes that originate in or pass through router Chicago.
AS 32
10.5.5.2

EBGP
10.5.5.3

Chicago

10.72.4.2

EBGP
10.72.4.3

AS 293
192.168.5.0/24

NY

10.2.2.1

10.16.22.0/23

EBGP

10.2.2.2

LA

AS 873

10.2.2.3

EBGP
10.2.2.4

172.24.160.0/19

Figure 1-1 Applying route maps to routes

You can use a route map to filter routes based on the AS path to accomplish this goal. Use the following commands to configure router NY:
host1(config)#router bgp 293 host1(config-router)#network 192.168.5.0 mask 255.255.255.0 host1(config-router)#neighbor 10.5.5.2 remote-as 32 host1(config-router)#neighbor 10.2.2.2 remote-as 873 host1(config-router)#neighbor 10.2.2.4 remote-as 17 host1(config-router)#neighbor 10.2.2.4 route-map block1 out host1(config-router)#exit host1(config)#ip as-path access-list boston deny _32_ host1(config)#route-map block1 deny 1 host1(config-route-map)#match as-path boston

g013108

192.168.144.0/20

Boston

AS 17

Route Maps E-Series Routers

1-5

Multiple Values in a Match Entry

You can specify more than one value in each match entry of a route map using any of the match commands shown in Table 1-1. A clause with multiple values matches a route having any of the values; that is, the multiple values are logical ORed.
Table 1-1 Match commands enabling multiple values match as-path match community match distance match extcommunity-list match ip address match ip next-hop match ipv6 address host1(config-route-map)#match ip address lisbon madrid host1(config-route-map)#match as-path 10 20 30 match ipv6 next-hop match ipv6 route-source match level match metric match route-type match tag

You can also issue successive match commands to add new values to a route map entry for any of the commands in Table 1-1.
host1(config-route-map)#match ip address boston host1(config-route-map)#match ip address newyork

This is equivalent to issuing the following single command:

host1(config-route-map)#match ip address boston newyork

You cannot specify multiple values for the match metric-type command, because it has only two acceptable values, which are mutually exclusive. Specifying both values would have the same effect as not specifying a metric type at all; specifying the same value more than once has no meaning.
Negating Match Clauses

If you specify a value when you negate a match command configured in a route map, only that value for the match entry is deleted. The entire match entry is deleted only if no other values are specified by the entry. In earlier releases, any value specified with a no match command was ignored, and the entire match entry was deleted. This change applies to all match commands configured in a route map. For example, consider the following match entry to route map miami:
host1(config)#ip community-list corporate5 permit 32 463 21 host1(config)#ip community-list dade2 permit 41 53 22

1-6

CHAPTER 1 Configuring Routing Policy

host1(config)#route-map miami permit 1 host1(config-route-map)#match community corporate5 dade2 host1(config-route-map)#exit host1(config)#exit host1#show route-map route-map miami, permit, sequence 10 Match clauses: match community corporate5 dade2

In earlier releases, issuing a command to remove a community not specified in the entry deleted the whole entry, but now nothing happens:
host1(config-route-map)#no match community southbeach host1(config-route-map)#exit host1(config)#exit host1#show route-map route-map miami, permit, sequence 10 Match clauses: match community corporate5 dade2

If you instead issue the following commands, the specified value is deleted:
host1(config-route-map)#no match community dade2 host1(config-route-map)#exit host1(config)#exit host1#show route-map route-map miami, permit, sequence 10 Match clauses: match community corporate5

You could delete the entire match community entry by issuing either of the following commands:
host1(config-route-map)#no match community host1(config-route-map)#no match community corporate5 dade2

Matching a Community List Exactly

You can use the exact-match keyword for the match community command to specify that a match exists only for the exact community numbers specified in the community list. The exact-match keyword applies only to a standard community listthat is, one not specified by a regular expression. You cannot use the exact-match keyword with a community list that is specified by a regular expression. Consider the following example:
host1(config)#ip community-list 1 permit 100 200 300 host1(config)#exit

Route Maps E-Series Routers

1-7

host1#show ip community-list Community standard list 1 permit 0:100 0:200 0:300 host1(config)#route-map example1 permit 10 host1(config-route-map)#match community 1 exact-match host1(config)#exit host1#show route-map example1 route-map example, permit, sequence 10 Match clauses: community (community-list filter): 1 exact-match

The route map example1 permits a route only if the route contains community 100 and community 200 and community 300 and no additional communities. If you do not specify the exact-match option, the route map also permits a match on a route containing additional communities. For example, a route containing communities 100, 200, 300, 400, and 450 would match.
Removing Community Lists from a Route Map

You can use the set comm-list delete command to remove the specified community list from routes matching the route map, provided that you created the community list with a single community number per list entry. For example, you cannot remove the community lists 231:10 and 231:20 with the set comm-list delete command if you created them with the following command:
host1(config)#ip community list 1 permit 231:10 231:20

You can, however, remove the lists with the set comm-list delete command if you created them separately:
host1(config)#ip community list 1 permit 231:10 host1(config)#ip community list 1 permit 231:20

Redistributing Access Routes

To redistribute access and access-internal routes by matching on a tag:

1

Configure route map 2 to match tag 30.

host1(config)#route-map 2 host1(config-route-map)#match tag 30

Configure redistribution into BGP of the access routes with route map 1.
host1(config)#router bgp testnet host1(config-router)#redistribute access

1-8

CHAPTER 1 Configuring Routing Policy

match as-path
Use to match an AS-path access list. The implemented weight is based on the first matched AS path. Example
host1(config-route-map)#match as-path pathlist5

Use the no version to delete the match clause from a route map or a specified value from the match clause.

match community
Use to match a community list. Supported for inbound and outbound route maps. Example
host1(config-route-map)#match community comm5

Use the no version to delete the match clause from a route map or a specified value from the match clause.

match distance
Use to match any routes being redistributed out of the routing table that have the specified administrative distance. Distance is used to determine the relative preference between routes to the same prefix in order to pick the best route to that prefix in the routing table. Distance has no meaning in any other circumstance, and any attempt to match distance will fail. Example
host1(config-route-map)#match distance 25

Use the no version to delete the match clause from a route map or a specified value from the match clause.

match extcommunity
Use to match an extended community list in a route map. You can specify one or more extended community list names in a match clause. If you specify more than one extended community list, the lists are logically ORed. Example
host1(config-route-map)#match extcommunity topeka10

Use the no version to remove the match clause from a route map or a specified value from the match clause.

Route Maps E-Series Routers

1-9

match ip address
Use to match any route that has a destination network number that is permitted by an access list, a prefix list, or a prefix tree, or that performs policy routing on packets. Example
host1(config-route-map)#match ip address prefix-tree boston

Use the no version to delete the match clause from a route map or a specified value from the match clause.

match ip next-hop
Use to match any routes that have a next-hop router address passed by the specified access list, prefix list, or prefix tree. Example
host1(config-route-map)#match ip next-hop 5 192.54.24.1

Use the no version to delete the match clause from a route map or a specified value from the match clause.

match ipv6 address

Use to match any routes that have a destination network number address that is permitted by the specified prefix list. The no version removes all address match clauses from a route map unless you specify a prefix list, in which case only that prefix list match is removed from the route map. Example
host1(config-route-map)#match ipv6 address prefix-list boston

Use the no version to delete all address match clauses from a route map unless you specify a prefix list, in which case only that prefix list match is removed from the route map.

match ipv6 next-hop

Use to match any routes that have a next-hop router address passed by the specified prefix list. Example
host1(config-route-map)#match ipv6 next-hop prefix-list next1

Use the no version to delete all next-hop match clauses from a route map unless you specify a prefix list, in which case only that prefix list match is removed from the route map.

1-10

CHAPTER 1 Configuring Routing Policy

match ipv6 route-source

Use to match any routes that are advertised from addresses contained in the specified prefix list. Example
host1(config-route-map)#match ipv6 route-source prefix-list source

Use the no version to delete all route-source match clauses from a route map unless you specify a prefix list, in which case only that prefix list match is removed from the route map.

match level
Use to match routes for the specified type. Example
host1(config-route-map)#match level-1

Use the no version to delete the match clause from a route map or a specified value from the match clause.

match metric
Use to match a route for the specified metric value. Example
host1(config-route-map)#match metric 10

Use the no version to delete the match clause from a route map or a specified value from the match clause.

match metric-type
Use to match a route for the specified metric type. Example
host1(config-route-map)#match metric-type external

Use the no version to delete the match clause from a route map.

match route-type
Use to match a route for the specified route type. Example
host1(config-route-map)#match route-type level-1

Use the no version to delete the match clause from a route map or a specified value from the match clause.

Route Maps E-Series Routers

1-11

match-set summary prefix-tree

Use to specify the prefix tree that summarizes routes for a particular route map. Use the ip prefix-tree command to set the conditions of the prefix tree, including which routes to summarize and how many bits of the network address to preserve. Example
host1(config-route-map)#match-set summary prefix-tree boston

Use the no version to disable the use of the prefix tree by the route map.

match tag
Use to match the tag value of the destination routing protocol. Example
host1(config)#route-map 1 host1(config-route-map)#match tag 25

Use the no version to delete the match clause from a route map or a specified value from the match clause.

route-map
Use to define the conditions for redistributing routes from one routing protocol into another, and for filtering or modifying updates sent to or received from peers. Each route-map command has a list of match and set commands associated with it. That is, the route map itself consists of a set of clauses; each clause (also called an entry) consists of a match or set command. match commands specify the match criteria, the conditions under which redistribution is allowed for the current route map. set commands specify the set actions, the redistribution actions to perform if the criteria enforced by the match commands are set. You can specify match and set clauses to modify attributes of redistributed routes. Use route maps when you wish to have detailed control over how routes are redistributed between routing processes.

You specify the destination routing protocol with the router command. You specify the source routing protocol with the redistribute command.
Example
host1(config)#route-map nyc1 permit 10 host1(config-route-map)#match ip address list1 host1(config-route-map)#set metric-type internal

Use the no version to delete the route map.

1-12

CHAPTER 1 Configuring Routing Policy

set as-path prepend

Use to modify an AS path for BGP routes by prepending one or more AS numbers or a list of AS numbers to the path list. The only global BGP metric available to influence the best path selection is the AS path length. By varying the length of the AS path, a BGP speaker can influence the best path selection by a peer farther away. Example
host1(config-route-map)#set as-path prepend list list10

Use the no version to delete the set clause from a route map.

set automatic-tag
Use to automatically compute the tag value of the destination routing protocol. Example
host1(config-route-map)#set automatic-tag

Use the no version to delete the set clause from a route map.

set comm-list delete

Use to remove communities specified by the community list from the community attribute of routes matching the route map. You can use this command to delete communities only if the community list was created with a single community per list entry, as shown in the following sample configuration for router Test:
host1(config)#ip community-list 1 permit 231:10 host1(config)#ip community-list 1 permit 231:20 host1(config)#router bgp 45 host1(config-router)#neighbor 10.6.2.5 remote-as 5 host1(config-router)#neighbor 10.6.2.5 route-map indelete in host1(config-router)#route-map indelete permit 10 host1(config-route-map)#set comm-list 1 delete

Router Test receives the same route from 10.6.2.5 and applies the indelete route map. BGP compares each list entry with the community attribute. A match is found for the list entry 231:10, and this community is deleted from the community attribute. Similarly, a match is found for the list entry of 231:20, and this community is deleted from the community attribute. Use the no version to delete the set clause from a route map.

Route Maps E-Series Routers

1-13

set community
Use to set the community attribute in BGP updates. You can specify a community list number in the range 14294967295, or in the new community format of AA:NN, or one of the following well-known communities:

local-as prevents advertisement outside the local AS no-advertise prevents advertisement to any peer no-export prevents advertisement beyond the BGP confederation
boundary Alternatively, you can use the list keyword to specify the name of a community list that you previously created with the ip community-list command. Example
host1(config-route-map)#set community no-advertise

Use the none keyword to remove the community attribute from a route. Use the no version to delete the set clause from a route map.

set dampening
Use to enable BGP route flap dampening only on routes that pass the match clauses of, and are redistributed by, a particular route map. BGP creates a dampening parameter block for each unique set of dampening parameterssuch as suppress threshold, reuse threshold, and so onused by BGP. For example, if you have a route map that sets the dampening parameters to one set of values for some routes and to another set of values for the remaining routes, BGP uses and stores two dampening parameter blocks, one for each set. Example
host1(config-route-map)#set dampening 5 1000 1500 45 15

Use the no version to delete the set clause from a route map.

set distance
Use to set the administrative distance on routes being installed into the routing table that match the route map. Distance establishes preference between routes to the same prefix to identify the best route to that prefix. Setting distance in any other circumstance has no effect. Example
host1(config-route-map)#set distance 5

Use the no version to delete the set clause from a route map.

1-14

CHAPTER 1 Configuring Routing Policy

set extcommunity
Use to set the extended community attributes in a route map for BGP updates. You can specify a site-of-origin (soo) extended community and a route target (rt) extended community at the same time in a set clause without overwriting the other. Example
host1(config-route-map)#set extcommunity rt 10.10.10.2:325

Use the no version to delete the set clause from a route map.

set ip next-hop
Use to set the next hop attribute of a route that matches a route map. You can specify an IP address or an interface as the next hop. Use the peer-address keyword to have the following effect:

On outbound route maps, disables the next-hop calculation by setting the

next hop to the IP address of the BGP speaker

On inbound route maps, overrides any third-party next-hop configuration by

setting the next hop to the IP address of the peer Example
host1(config-route-map)#set ip next-hop 192.56.32.1

Use the no version to delete the set clause from a route map.

set ipv6 next-hop

Use to set the next-hop attribute of a route that matches a route map. You can specify an IPv6 address or an interface as the next hop. Example
host1(config-route-map)#set ip next-hop 192.56.32.1

Use the no version to delete the set clause from a route map.

set level
Use to specify where to import routes when all of a route maps match criteria are met. Example
host1(config-route-map)#set level level-2

Use the no version to delete the set clause from a route map.

set local-preference
Use to specify a preference value for the AS path. Example
host1(config-route-map)#set local-preference 200

Use the no version to delete the set clause from a route map.

Route Maps E-Series Routers

1-15

set metric
Use to set the metric valuefor BGP, the MEDfor a route. To establish an absolute metric, do not enter a plus or minus sign before the metric value. Example
host1(config-route-map)#set metric 10

To establish a relative metric, specify a plus or minus sign immediately preceding the metric value. The value is added to or subtracted from the metric of any routes matching the route map. The relative metric value range is 04294967295. Example
host1(config-route-map)#set metric -25

You cannot use both an absolute metric and a relative metric within the same route map sequence. Setting either metric overrides any previously configured value. Use the no version to delete the set clause from a route map.

set metric-type
Use to set the metric type for a route. For BGP, this command affects BGP behavior only in outbound route maps and has no effect on other types of route maps. If the route map contains both a set metric-type and a set metric clause, the set metric clause takes precedence. If you specify the internal metric type in a BGP outbound route map, BGP sets the MED of the advertised routes to the IGP cost of the next hop of the advertised route. If the cost of the next hop changes, BGP is not forced to readvertise the route. For BGP, you can specify:

external reverts to the normal BGP rules for propagating the MED; this is
the BGP default

internal sets the MED of a received route that is being propagated to an

external peer equal to the IGP cost of the indirect next hop For IS-IS, you can specify:

external only the metric of the route itself is considered for comparison internal both the metric of the route and the cost to the router that
advertised the route are considered for comparison; this is the IS-IS default For OSPF, you can specify:

1 cost of the external routes is equal to the sum of all internal costs and the
external cost

2 cost of the external routes is equal to the external cost alone; this is the
OSPF default Example
host1(config-route-map)#set metric-type internal

Use the no version to delete the set clause from a route map.

1-16

CHAPTER 1 Configuring Routing Policy

set origin
Use to set the BGP origin of the advertised route. Example
host1(config-route-map)#set origin egp

Use the no version to delete the set clause from a route map.

set route-type
Use to set the routes of the specified type. Example
host1(config-route-map)#set route-type internal

Use the no version to delete the set clause from a route map.

set tag
Use to set the tag value of the destination routing protocol. Example
host1(config-route-map)#set tag 23

Use the no version to delete the set clause from a route map.

set weight
Use to specify the BGP weight for the routing table. The weights assigned with the set weight command in a route map override the weights assigned using the neighbor weight and neighbor filter-list weight commands. Example
host1(config-route-map)#set weight 200

Use the no version to delete the set clause from a route map.

Access Lists
An access list is a sequential collection of permit and deny conditions that you can use to filter inbound or outbound routes. You can use different kinds of access lists to filter routes based on either the prefix or the AS path.

Access Lists E-Series Routers

1-17

Filtering Prefixes

To filter routes based on the prefix, you can do any of the following: Define an access list with the access list command, and apply the list to routes received from or passed to a neighbor with the neighbor distribute-list command Define a prefix list with the ip prefix-list command, and apply the list to routes received from or passed to a neighbor with the neighbor prefix-list command Define a prefix tree with the ip prefix-tree command, and apply the list to routes received from or passed to a neighbor with the neighbor prefix-tree command The router compares each routes prefix against the conditions in the list or tree one by one. If the first match is for a permit condition, the route is accepted or passed. If the first match is for a deny condition, the route is rejected or blocked. The order of conditions is critical because testing stops with the first match. If no conditions match, the router rejects or blocks the address; that is, the last action of any list is an implicit deny condition for all routes. The implicit rule is displayed by show access-list and show config commands. You cannot selectively place conditions in or remove conditions from an access list, prefix list, or prefix tree. You can insert a new condition only at the end of a list or tree.
Example 1

The following example shows the how the implicit deny condition is displayed.
host1(config)#access-list 1 permit 10.10.10.1 0.0.0.255 host1(config)#access-list 2 permit 10.25.25.1 0.0.0.255 host1(config)#access-list 3 permit any any host1(config)#show access-list IP Access List 1: permit ip 10.10.10.1 0.0.0.255 any deny ip any any IP Access List 2: permit ip 10.25.25.1 0.0.0.255 any deny ip any any IP Access List 3: permit ip any any

Note that the implicit deny rule does not appear in the display for access list 3, because any prefix will match access list 3.

1-18

CHAPTER 1 Configuring Routing Policy

Example 2

The following example demonstrates how to use a route map and an access list to redistribute static routes to IS-IS.
1

Configure three static routes.

host1(config)#ip route 20.20.20.0 255.255.255.0 192.168.1.0 host1(config)#ip route 20.20.21.0 255.255.255.0 192.168.2.0 host1(config)#ip route 20.21.0.0 255.255.255.0 192.168.30.0

Configure an access list, fltra, that filters routes 20.20.20.0/24 and 20.20.21.0/24.
host1(config)#access-list fltra permit 20.20.0.0 0.0.255.255

Configure route map 1 to match access list fltra, and apply an internal metric type.
host1(config)#route-map 1 host1(config-route-map)#match ip address fltra host1(config-route-map)#set metric-type internal

Configure redistribution into IS-IS of the static routes with route map 1.
host1(config)#router isis testnet host1(config-router)#redistribute static route-map 1

Verify the effect of the redistribution (the two static routes matching the route map are redistributed as level 2 internal routes).
host1#show isis database detail l2 IS-IS Level-2 Link State Database LSPID LSP Seq Num LSP Checksum 0x000002B7 LSP Holdtime ATT/P/OL 0000.0000.6666.00-00 NLPID: IP Address: 0xcc 192.168.1.105 0x3E1F 1198 0/0/0

Area Address: 47.0005.80FF.F800.0000.0001.0001

Metric: 10 IS 0000.0000.6666.01 Metric: 10 IS 0000.0000.3333.00 Metric: 10 IS 0000.0000.7777.00 Metric: 30 IP 20.20.20.0 255.255.255.0 Metric: 30 IP 20.20.21.0 255.255.255.0

Access Lists E-Series Routers

1-19

Example 3

The following example demonstrates how to use an access list to filter routes advertised to a BGP speaker. Consider the network structure in Figure 1-2.
AS 873
172.24.160.0/19 172.24.48.0/20

LA

10.2.2.3

AS 17
10.5.5.1

IBGP
10.2.2.4 172.24.24.0/21 10.5.5.4

192.168.144.0/20

Figure 1-2 Filtering with access lists

The following commands configure router Boston to apply access list reject1 to routes inbound from router SanJose. Access list reject1 rejects routes matching 172.24.160.0/19.
host1(config)#router bgp 17 host1(config-router)#neighbor 10.5.5.4 remote-as 873 host1(config-router)#neighbor 10.5.5.4 distribute-list reject1 in host1(config-router)#exit host1(config)#access-list reject1 permit 172.24.48.0 0.0.255 host1(config)#access-list reject1 deny 172.24.160.0 0.0.0.255 host1(config)#access-list reject1 permit 172.24.24.0 0.0.0.255

Filtering AS Paths

You can use a filter list to filter incoming and outgoing routes based on the value of the AS-path attribute. Whenever a BGP route passes through an AS, BGP prepends its AS number to the AS-path attribute. The AS-path attribute is the list of ASs that a route has passed through to reach a destination. To filter routes based on the AS path, define the access list with the ip as-path access-list command, and apply the list to routes received from or passed to a neighbor with the neighbor filter-list command. AS-path access lists use regular expressions to describe the AS path to be matched.

g013109

Boston

EBGP

SanJose

1-20

CHAPTER 1 Configuring Routing Policy

A regular expression uses special charactersoften referred to as metacharactersto define a pattern that is compared with an input string. For a full discussion of regular expressions, with examples of how to use them, see Using Regular Expressions later in this chapter. The router compares each routes AS path against each condition in the access list. If the first match is for a permit condition, the route is accepted or passed. If the first match is for a deny condition, the route is rejected or blocked. The order of conditions is critical because testing stops with the first match. If no conditions match, the router rejects or blocks the route; that is, the last action of any list is an implicit deny condition for all routes. You cannot selectively place conditions in or remove conditions from an AS-path access list. You can insert a new condition only at the end of an AS-path access list.
Example 1

Consider the network structure in Figure 1-3. Suppose you want router London to behave in the following way: Accept routes originated in AS 621 only if they pass directly to router London. Accept routes originated in AS 11 only if they pass directly to router London. Forward routes from AS 282 to AS 435 only if they pass through either AS 621 or AS 11, but not both AS 621 and AS 11.
192.168.33.0/24 172.21.10.0/23

AS 621 Paris
192.168.33.0/24 10.2.9.2

AS 435

Madrid
10.2.7.2

EBGP EBGP EBGP AS 11 Berlin

10.2.8.2

Zurich

EBGP
10.2.9.1 10.2.8.1

EBGP AS 47

AS 282

EBGP
172.19.0.0/16

London

10.2.7.1
g013081

172.28.8.0/21

Figure 1-3 Filtering with AS-path access lists

Access Lists E-Series Routers

1-21

The following commands configure router London to apply filters based on AS path to routes received from router Berlin and router Paris and to routes forwarded to router Madrid.
host1(config)#router bgp 47 host1(config-router)#neighbor 10.2.9.2 remote-as 621 host1(config-router)#neighbor 10.2.9.2 filter-list 1 in host1(config-router)#neighbor 10.2.8.2 remote-as 11 host1(config-router)#neighbor 10.2.8.2 filter-list 2 in host1(config-router)#neighbor 10.2.7.2 remote-as 435 host1(config-router)#neighbor 10.2.7.2 filter-list 3 out host1(config-router)#exit host1(config)#ip as-path access-list 1 deny ^11 host1(config)#ip as-path access-list 1 permit .* host1(config)#ip as-path access-list 2 deny ^621 host1(config)#ip as-path access-list 2 permit .* host1(config)#ip as-path access-list 3 deny [621 11] host1(config)#ip as-path access-list 3 permit .*

AS-path access list 1 is applied to routes that router London receives from router Paris. Router London rejects routes with the AS path 11 621 or 11 282 621. AS-path access list 2 is applied to routes that router London receives from router Berlin. Router London rejects routes with the AS path 621 11 or 621 282 11. Router London accepts routes with the AS path 282 11, 282 621, 282 621 11, or 282 11 621. However, it applies AS-path access-list 3 to routes it forwards to router Madrid, and filters out routes with the AS path 282 621 11 or 282 11 621.

1-22

CHAPTER 1 Configuring Routing Policy

Using Access Lists in a Route Map

You can use a route map instead of the neighbor filter-list command to apply access lists for filtering routes. In Figure 1-4, a route map is used to determine the weight for routes learned by router Chicago.
AS 32 10.5.5.2 EBGP 10.5.5.3 AS 293 192.168.5.0/24 Chicago 10.2.2.3 EBGP 10.2.2.4 AS 17 AS 451 10.16.22.0/23

AS 837 EBGP

NY

LA

Boston

EBGP

SanJose

192.168.144.0/20
Figure 1-4 Route map filtering

Access list 1 permits any route whose AS-path attribute includes 32 or 837. This condition permits routes that originate in (or pass through from elsewhere) AS 32 or AS 837. When these routes are advertised through AS 451 and AS 17 to router Chicago, instance 1 of route map 1 matches such routes and sets their weight to 25, overriding the neighbor weight set for updates received from 10.2.2.4. Access list 2 permits any route whose AS-path attribute indicates that it originates in AS 74. When these routes are advertised through AS 837 and AS 32 to router Chicago, instance 1 of route map 2 matches such routes and sets their weight to 175, overriding the neighbor weight set for updates received from 10.5.5.2.

g013110

Access Lists E-Series Routers

1-23

To configure router Chicago:

host1(config)#router bgp 293 host1(config-router)#network 192.168.5.0 mask 255.255.255.0 host1(config-router)#neighbor 10.2.2.4 remote-as 17 host1(config-router)#neighbor 10.2.2.4 weight 150 host1(config-router)#neighbor 10.2.2.4 route-map 1 in host1(config-router)#exit host1(config-router)#neighbor 10.5.5.2 remote-as 32 host1(config-router)#neighbor 10.5.5.2 weight 50 host1(config-router)#neighbor 10.5.5.2 route-map 2 in host1(config)#route-map 1 permit 1 host1(config-route-map)#match as-path 1 host1(config-route-map)#set weight 25 host1(config-route-map)#exit host1(config)#ip as-path access-list 1 permit [ 32 837 ] host1(config)#route-map 2 permit 1 host1(config-route-map)#match as-path 2 host1(config-route-map)#set weight 175 host1(config-route-map)#exit host1(config)#ip as-path access-list 2 permit [ 74 ]

The result of this configuration is that router Chicago prefers routes learned via router Boston (weight 150) over routes learned through router NY (weight 50), except that: Router Chicago prefers routes learned via router NY that passed through AS 837 or AS 32 (weight 50) over the same routes learned via router Boston (weight 25 according to route map 1). Router Chicago prefers routes originating in AS 74 learned via router NY that passed through AS 837 and AS 32 (weight 175 according to route map 2) over the same routes learned via router Boston (weight 150).
access-list
Use to define an IP access list to permit or deny routes based on the prefix. Each access list is a set of permit or deny conditions for routes based on matching a routes prefix. A zero in the wildcard mask means that the corresponding bit in the address must be exactly matched by the route. A one in the wildcard mask means that the corresponding bit in the address does not have to be matched by the route. Use the neighbor distribute-list command to apply the access list to routes received from or forwarded to a neighbor.

1-24

CHAPTER 1 Configuring Routing Policy

Use the log keyword to log an Info event in the ipAccessList log whenever an access-list rule is matched. Use the no version to delete an IP access list (no other options specified), the specified entry in the access list, or the log for the specified access list or entry (by specifying the log keyword).

default-information originate
Use to enable RIP, OSPF, or BGP to advertise a default route (0.0.0.0/0) that exists in the IP routing table. If you specify the always option for OSPF, OSPF generates a default route if it does not exist in the IP routing table and advertises it. Use to generate a default route into an IS-IS domain. Example
host1(config-router)#default-information originate

Use the no version to disable advertisement of the default route.

ip as-path access-list
Use to define an AS-path access list to permit or deny routes based on the AS path. Each access list is a set of permit or deny conditions for routes based on matching a routes AS path to a regular expression. If the regular expression matches the representation of the AS path of the route as an ASCII string, then the permit or deny condition applies. The AS path does not contain the local AS number. The AS path allows substring matching. For example, the regular expression 20 matches AS path = 20 and AS path = 100 200 300, because 20 is a substring of each path. To disable substring matching and constrain matching to only the specified attribute string, place the underscore (_) metacharacter on both sides of the string; for example _20_. Use the neighbor filter-list command to apply the AS-path access list. You can apply access list filters to inbound and outbound BGP routes. You can assign weights to routes matching the AS-path access list. Use the no version to remove the AS-path access list; all entries belonging to this list are removed.

neighbor distribute-list
Use to filter routes to selected prefixes as specified in an access list. Distribute lists are applied only to external peers. Use the in keyword to apply the list to inbound routes (inbound policy). Use the out keyword to apply the list to outbound routes (outbound policy). Using distribute lists is one of several ways to filter BGP advertisements. Other methods are to:

Use AS path filters with the ip as-path access-list and the neighbor
filter-list commands

Access Lists E-Series Routers

1-25

Use route map filters with the route-map and the neighbor route-map
commands Use the no version to disassociate the access list from a neighbor.

neighbor filter-list
Use to assign an AS-path access list to matching inbound or outbound routes. Use the in keyword to apply the list to inbound routes (inbound policy). Use the out keyword to apply the list to outbound routes (outbound policy). You can specify an optional weight value with the weight keyword to assign a relative importance to incoming routes matching the AS-path access list. Access list values can range from 065535. Use the no version to disassociate the access list from a neighbor.

neighbor prefix-list
Use to assign an inbound or outbound prefix list. If you specify a BGP peer group by using the peer-group-name argument, all the members of the peer group inherit the characteristic configured with this command unless it is overridden for a specific peer. Example
host1(config-router)#neighbor 192.168.1.158 prefix-list seoul19 in

Use the no version to remove the prefix list.

neighbor prefix-tree
Use to assign an inbound or outbound prefix tree. If you specify a BGP peer group by using the peer-group-name argument, all the members of the peer group inherit the characteristic configured with this command unless it is overridden for a specific peer. Example
host1(config-router)#neighbor 192.168.1.158 prefix-tree newyork out

Use the no version to remove the prefix tree.

redistribute
Use to redistribute routes from one routing domain into another routing domain. Example
host1(config)#router bgp 100 host1(config-router)#neighbor 192.56.10.2 remote-as 200 host1(config-router)#redistribute static host1(config-router)#exit host1(config)#ip route 155.30.0.0 0.0.255.255

Use the no version to remove the filter list.

1-26

CHAPTER 1 Configuring Routing Policy

Creating Table Maps for Access Routes

For access routes, you can configure and apply a table map that filters routes before an access list adds them to the routing table. You can use the ip access-route table-map command when triggering on the following policy values:
Match ip address metric distance tag Set metric distance tag

For example, you can configure an access list and route map to filter, based on IP address, any routes that appear in the routing table:
host1(config)#ip access-route table-map just10net host1(config)#access-list permit10 permit 10.0.0.0 0.255.255.255 host1(config)#access-list permit10 deny any host1(config)#route-map just10net host1(config-route-map)#match ip address permit10

Using the same name for both the table map and the route map creates an association specifying (in this case) that only IP addresses matching the access list criterion appear in the routing table.
ip access-route table-map
Use to filter access routes before an access list adds them to the routing table. Example
host1(config)#ip access-route table-map just10net

Use the no version to delete the table map.

Using the Null Interface

You can use access control lists to filter undesired traffic. Another way to handle undesired traffic is to send it to the null interface. The null interface is always up and acts as a data sink. In other words, the null interface cannot forward or receive traffic. The E-series router creates the null interface by default; you do not have to create it manually. You can direct traffic to the null interface by specifying the null 0 keywords instead of a next-hop or destination address when configuring routes.

Prefix Lists E-Series Routers

1-27

ip route
Use to configure a static route and redirect traffic from it to the null interface. Example
host1(config-if)#ip route 10.10.20.5 null 0

Use the no version to remove the static route.

Prefix Lists
A prefix list is a sequential collection of permit and deny conditions that apply to IP or IPv6 addresses. Like an access list, the router tests addresses one by one against the conditions in a prefix list. The first match determines whether the router accepts or rejects the address. Because the router stops testing conditions after the first match, the order of the conditions is critical. If no conditions match, the router rejects the address. An empty prefix list results in an automatic permit of the tested address. Unlike access lists, the prefix list specifies a base IP or IPv6 address and a length (the number of bits applied to the base to determine the network prefix). The tested address is matched against the prefix. Use the ip prefix-list command to define an IP prefix list, or the ipv6 prefix-list command to define an IPv6 prefix list. The prefix-list keyword with either the match { ip | ipv6 } address or match { ip | ipv6 } next-hop commands allow you to add a clause to a route map.
Using a Prefix List

The following example creates a prefix list that permits routes with a prefix length up to 24 in the 151.0.0.0/8 network:
host1(config)#ip prefix-list abc permit 151.0.0.0/8 le 24

clear ip prefix-list
Use to clear all hit counts in the prefix lists, or the specified entry from the specified prefix list. (The hit count is incremented +1 each time an entry matches.) Example
host1#clear ip prefix-list abc

There is no no version.

1-28

CHAPTER 1 Configuring Routing Policy

clear ipv6 prefix-list

Use to clear all hit counts in the IPv6 prefix lists, or the specified entry from the specified prefix list. (Each match results in the hit count incrementing by 1.) Example
host1#clear ipv6 prefix-list abc

There is no no version.

ip prefix-list
Use to create a prefix list for route filtering and to specify a list entrya deny or permit clause for a network addressto the prefix list. Use to add entries to prefix lists. The prefix list name can be up to 32 characters long. Specify the position of each entry in the list with the seq keyword. If a sequence number is not specified, the value of the last sequence number plus 5 is used. Use the ge and le keywords to specify a range of network prefixes. These keywords have the following values:

prefix length < ge <= 32 prefix length < le <= ge

If you do not specify either ge or le, an exact match is expected. For example, if you issue the following command, only a route with a prefix length of 8 and a network address of 151.0.0.0 is permitted.
host1(config)#ip prefix-list abc permit 151.0.0.0/8

Use the no version to remove the specified prefix list or the specified list entry.

ipv6 prefix-list
Use to create an IPv6 prefix list for route filtering and to specify a list entrya deny or permit clause for a network addressto the prefix list. Use to add entries to prefix lists. The prefix list name can be up to 32 characters long. Specify the position of each entry in the list with the seq keyword. If a sequence number is not specified, the value of the last sequence number plus 5 is used. Use the ge and le keywords to specify a range of network prefixes. These keywords have the following values:

prefix length < ge <= 32 prefix length < le <= ge

If you do not specify either ge or le, an exact match is expected. For example, if you issue the following command, only a route with a prefix length of 8 and a network address of 1:0:0:0:0:0:0:5 is permitted.
host1(config)#ipv6 prefix-list abc permit 1::5/8

Use the no version to remove the specified prefix list or the specified list entry.

Prefix Lists E-Series Routers

1-29

match ip address
Use with the prefix-list keyword to match routes that have a destination network number address that is permitted by the prefix list. Example
host1(config-route-map)#match ip address prefix-list abc

Use the no version to delete the match clause from a route map or a specified value from the match clause.

match ipv6 address

Use to match any routes that have a destination network number address that is permitted by the specified prefix list. The no version removes all address match clauses from a route map unless you specify a prefix list, in which case only that prefix list match is removed from the route map. Example
host1(config-route-map)#match ipv6 address prefix-list boston

Use the no version to delete all address match clauses from a route map unless you specify a prefix list, in which case only that prefix list match is removed from the route map.

match ip next-hop
Use with the prefix-list keyword to match routes that have a next-hop router address passed by the specified prefix list. Example
host1(config-route-map)#match ip next-hop prefix-list abc

Use the no version to delete the match clause from a route map or a specified value from the match clause.

match ipv6 next-hop

Use to match any routes that have a next-hop router address passed by the specified prefix list. Example
host1(config-route-map)#match ipv6 next-hop prefix-list next1

Use the no version to delete all next-hop match clauses from a route map unless you specify a prefix list, in which case only that prefix list match is removed from the route map.

1-30

CHAPTER 1 Configuring Routing Policy

Prefix Trees
A prefix tree is a nonsequential collection of permit and deny conditions that apply to IP addresses. Like a prefix list, the prefix tree specifies a base IP address and a length, the number of bits applied to the base to determine the network prefix. The tested address is matched against the prefix. The prefix tree also enables route summarization. However, the prefix tree does not match addresses one by one in sequence against the listed conditions. The router performs a binary search against the tree structure of the entries. If the tested address is less than a particular entry, it branches one way to another test pair; if it is greater than the entry, it branches the other way to another mutually exclusive test pair. The router stops testing conditions when it finds the best match. If no conditions match, the router rejects the address. An empty prefix tree results in an automatic permit of the tested address. The prefix tree provides a faster search methodology and matches the test address more closely than either the access list or the prefix list. Use the ip prefix-tree command to define an IP prefix tree. Use the prefix-tree keyword with the match ip address or match ip next-hop commands to add a clause to a route map. Use the match-set summary prefix-tree command to specify the prefix tree that summarizes routes for a particular route map.
Using a Prefix Tree

The following example creates a prefix tree that permits routes with a prefix length of 24 or larger in the 10.10.2.0/24 network:
host1(config)#ip prefix-tree xyz permit 10.10.2.0/24

clear ip prefix-tree
Use to clear all hit counts in the prefix trees, or the specified entry from the specified prefix tree. (The hit count is incremented +1 each time an entry matches.) Example
host1#clear ip prefix-tree xyz

There is no no version.

ip prefix-tree
Use to create a prefix tree for best route filtering; specifies a tree entrya deny or permit clause for a network address. The prefix tree name can be up to 32 characters long.

Community Lists E-Series Routers

1-31

Example
host1(config)#ip prefix-tree boston42 permit 10.10.2.0/24

Use the no version to remove the specified prefix tree or the specified tree entry.

match ip address
Use with the prefix-tree keyword to match routes that have a destination network number address that is permitted by the prefix tree. Example
host1(config-route-map)#match ip address prefix-tree xyz

Use the no version to delete the match clause from a route map or a specified value from the match clause.

match ip next-hop
Use with the prefix-tree keyword to match routes that have a next-hop router address passed by the specified prefix tree. Example
host1(config-route-map)#match ip next-hop prefix-tree xyz

Use the no version to delete the match clause from a route map or a specified value from the match clause.

match-set summary prefix-tree

Use to specify the prefix tree that summarizes routes for a particular route map. Use the ip prefix-tree command to set the conditions of the prefix tree, including which routes to summarize and how many bits of the network address to preserve. Example
host1(config-route-map)#match-set summary prefix-tree dog3

Use the no version to disable use of the prefix tree by the route map.

Community Lists
A community is a logical group of prefixes that share some common attribute. Community members can be on different networks and in different ASs. BGP allows you to define the community to which a prefix belongs. A prefix can belong to more than one community. The community attribute lists the communities to which a prefix belongs. You can use communities to simplify routing policies by configuring the routing information that a BGP speaker will accept, prefer, or distribute to other neighbors according to community membership. When a route is learned, advertised, or redistributed, a BGP speaker can set, append, or

1-32

CHAPTER 1 Configuring Routing Policy

modify the community of a route. When routes are aggregated, the resulting BGP update contains a community attribute that contains all communities from all of the aggregated routes (if the aggregate is an AS-set aggregate). Several well-known communities are predefined. Table 1-2 describes how a BGP speaker handles a route based on the setting of its community attribute.
Table 1-2 Action based on well-known community membership If the well-known community is... The BGP speaker... no-export no-advertise local-as (also known as no-export-subconfed) internet Does not advertise the route beyond the BGP confederation boundary Does not advertise the route to any peers, IBGP, or EBGP Does not advertise the route to any external peers Advertises this route to the Internet community; by default, all prefixes are members of the Internet community

In addition to the well-known communities, you can define local-use communities, also known as private communities or general communities. These communities serve as a convenient way to categorize groups of routes to facilitate the use of routing policies. The community attribute consists of four octets, but it is common practice to designate communities in the AA:NN format. The autonomous system number (AA) comprises the higher two octets, and the community number (NN) comprises the lower two octets. Both are expressed as decimal numbers. For example, if a prefix in AS 23 belongs to community 411, the attribute could be expressed as 23:411. Use the ip bgp-community new-format command to specify that the show commands display communities in this format. You can also use a regular expression to specify the community attribute. Use the set community command in route maps to configure the community attributes. You can add one or more communities to the attribute, or use the list keyword to add a list of communities to the attribute. By default, the community attribute is not sent to BGP peers. To send the community attribute to a neighbor, use the neighbor send community command. A community list is a sequential collection of permit and deny conditions. Each condition describes the community number to be matched. If you issued the ip bgp-community new-format command, the community

Community Lists E-Series Routers

1-33

number is in AA:NN format; otherwise it is in decimal format (the hexadecimal octets converted to decimal). The router tests the community attribute of a route against each condition in a community list. The first match determines whether the router accepts (the route is permitted) or rejects (the route is denied) a route having the specified community. Because the router stops testing conditions after the first match, the order of the conditions is critical. If no conditions match, the router rejects the route. Consider the network structure shown in Figure 1-5.
AS 32 AS 873 10.5.5.2 EBGP 10.5.5.3 AS 293 192.168.5.0/24 10.2.2.3 EBGP 10.2.2.4 AS 17 172.31.24.0/21
Figure 1-5 Community lists

NY

10.72.4.2 EBGP

10.72.4.3

LA

10.16.22.0/23 EBGP 10.2.2.1 SanJose

172.24.160.0/19

Albany

AS 451

192.168.144.0/20

Suppose you want router Albany to set metrics for routes that it forwards to router Boston based on the communities to which the routes belong. You can create community lists and filter the routes with a route map that matches on the community list. To configure router Albany:
host1(config)#router bgp 293 host1(config-router)#neighbor 10.5.5.2 remote-as 32 host1(config-router)#neighbor 10.2.2.1 remote-as 451 host1(config-router)#neighbor 10.2.2.4 remote-as 17 host1(config-router)#neighbor 10.2.2.4 route-map commtrc out host1(config-router)#exit host1(config)#route-map commtrc permit 1 host1(config-route-map)#match community 1 host1(config-route-map)#set metric 20 host1(config-route-map)#exit

g013111

Boston

1-34

CHAPTER 1 Configuring Routing Policy

host1(config)#route-map commtrc permit 2 host1(config-route-map)#match community 2 host1(config-route-map)#set metric 75 host1(config-route-map)#exit host1(config)#route-map commtrc permit 3 host1(config-route-map)#match community 3 host1(config-route-map)#set metric 85 host1(config-route-map)#exit host1(config)#ip community-list 1 permit 25 host1(config)#ip community-list 2 permit 62 host1(config)#ip community-list 3 permit internet

Community list 1 comprises routes with a community of 25; their metric is set to 20. Community list 2 comprises routes with a community of 62; their metric is set to 75. Community 3 catches all remaining routes by matching the internet community; their metric is set to 85.
ip bgp-community new-format
Use to specify that communities must be displayed in AA:NN format, where AA is a number that identifies the autonomous system and NN is a number that identifies the community within the autonomous system. Example
host1(config)#ip bgp-community new-format

Use the no version to restore the default display.

ip community-list
Use to create a community list for BGP and control access to it. The list name can be up to 32 characters long. A route can belong to any number of communities, so a community list can have many entries comprising many communities. You can specify one or more community values when you create a community list. A clause in a route map that includes a list having more than one value matches only a route having all of the values; that is, the multiple values are logical ANDed. You can specify community values with a number or a regular expression. Example
host1(config)#ip community-list 1 permit 100:2 100:3 100:4 host1(config)#route-map marengo permit 10 host1(config-route-map)#match community 1

A route matches this community list only if it belongs to at least all three communities in community list 1: communities 100:2, 100:3, and 100:4. Use the no version to remove the specified community list, including all list entries.

Community Lists E-Series Routers

1-35

neighbor send-community
Use to specify that a community attribute should be sent to a BGP neighbor. If you specify a BGP peer group by using the peer-group-name argument, all the members of the peer group will inherit the characteristic configured with this command. Use the no version to specify that common attributes should not be sent to a BGP neighbor.

set community
Use to set the community attribute in BGP updates. You can specify a community list number in the range 14294967295, or in the new community format of AA:NN, or one of the following well-known communities:

local-as prevents advertisement outside the local AS no-advertise prevents advertisement to any peer no-export prevents advertisement beyond the BGP confederation
boundary Alternatively, you can use the list keyword to specify the name of a community list that you previously created with the ip community-list command. Supported for inbound, outbound, and redistribution route maps. Example
host1(config)#route-map 1 host1(config-route-map)#set community no-advertise

Use the none keyword to remove the community attribute from a route. Use the no version to delete the entry.

Extended Community Lists

The router supports the BGP extended community attribute defined in the Internet draft, BGP Extended Communities Attribute draft-ietf-idr-bgp-ext-communities-05.txt (November 2002 expiration). This attribute enables the definition of a new type of IP extended community and extended community list unrelated to the community list that uses regular expressions.
Note: IETF drafts are valid for only 6 months from the date of issuance. They must be considered as works in progress. Please refer to the IETF Web site at http://www.ietf.org for the latest drafts.

BGP speakers can use the extended community attribute to control routes much like they use the community attribute to determine routes they accept, reject, or redistribute. A BGP speaker can append the extended community attribute to a route that does not have the attribute before advertising the route. For routes that do have the attribute, BGP can modify the attribute.

1-36

CHAPTER 1 Configuring Routing Policy

ip extcommunity-list
Use to create an extended community list for BGP and control access to it. A route can belong to any number of communities, so an extended community list can have many entries comprising many communities. You can specify one or more community values when you create an extended community list. A clause in a route map that includes a list having more than one value matches only a route having all of the values; that is, the multiple values are logical ANDed. Use the rt keyword to specify a route target community, which consists of one or more routers that can receive a set of routes advertised by BGP that carry the extended community attribute. Use the soo keyword to specify a site-of-origin community, which consists of one or more routers that inject into BGP a set of routes that carry the extended community attribute. Example
host1(config)#ip extcommunity-list boston1 permit rt 100:2 rt 100:3 rt 100:4 host1(config)#route-map marengo permit 10 host1(config-route-map)#match extcommunity boston1

A route matches this community list only if it belongs to at least all three communities in extended community list boston1: communities 100:2, 100:3, and 100:4. Use the no version to remove a single extended community list entry if permit or deny and a path-expression are specified. Otherwise, the entire community list is removed.

match extcommunity
Use to match an extended community list in a route map. You can specify one or more extended community list names in a match clause. If you specify more than one extended community list, the lists are logically ORed. Example
host1(config-route-map)#match extcommunity topeka10

Use the no version to remove the match clause from a route map or a specified value from the match clause.

set extcommunity
Use to set the extended community attributes in a route map for BGP updates. Use the rt keyword to specify a route target community, which consists of one or more routers that can receive a set of routes advertised by BGP that carry the extended community attribute. Use the soo keyword to specify a site-of-origin community, which consists of one or more routers that inject into BGP a set of routes that carry the extended community attribute.

Using Regular Expressions E-Series Routers

1-37

You can specify both a route target community and a site-of-origin community at the same time in a set clause without overwriting each other. Example
host1(config)#route-map 1 host1(config-route-map)#set extcommunity rt 10.10.10.2:325

Use the no version to remove the set clause from the route map.

show ip extcommunity-list
Use to display information about a specific extended community list or all extended community lists. Example
host1#show ip extcommunity-list IP Extended Community List dresden1: permit soo 10.10.10.10:15 IP Extended Community List bonn: deny rt 12:12

Using Regular Expressions

You can use regular expressions when defining AS-path access lists and community lists to more easily filter routes. A regular expression uses special charactersoften referred to as metacharactersto define a pattern that is compared with an input string.
AS-path Lists

For an AS-path access list, the input string is the AS path of the routes to which the list is applied via the route-map or neighbor filter-list commands. If the AS path matches the regular expression in the access list, then the route matches the access list.
Example

The following commands apply access list 1 to routes inbound from BGP peer 10.5.5.2. Access list 1 uses a regular expression to deny routes originating in AS 32.
host1(config-router)#neighbor 10.5.5.2 remote-as 32 host1(config-router)#neighbor 10.5.5.2 filter-list 1 in host1(config-router)#exit host1(config)#ip as-path access-list 1 deny 32$

1-38

CHAPTER 1 Configuring Routing Policy

Community Lists

For a community list, the input string is the community attribute of the routes to which the list is applied via a route-map command. If the community attribute matches the regular expression in the community list, then the route matches the community list.
Example

The following commands apply route map 5 to routes forwarded to BGP peer 10.5.5.4. Route map 5 uses a regular expression to match community numbers ending with 305, setting the weight of matching routes to 150.
host1(config-router)#neighbor 10.5.5.4 remote-as 425 host1(config-router)#neighbor 10.5.5.4 route-map 5 out host1(config-router)#exit host1(config)#route-map 5 permit 10 host1(config-route-map)#match community 305$ host1(config-route-map)#set weight 150

Community Numbers

When you use a regular expression to match a community number, use the appropriate format for the community number in the community list. If you issue the ip bgp-community new-format command, the community number has the format AA:NN where AA is a number that identifies the autonomous system, and NN is a number that identifies the community within the autonomous system. Otherwise, the community number is an integer in the range 14294967295.
Metacharacters

Each regular expression consists of one or more metacharacters and zero or more complete or partial AS or community numbers. Table 1-3 describes the metacharacters supported for regular expression pattern-matching.
Table 1-3 Supported regular expression metacharacters Metacharacter Description ^ Matches the beginning of the input string. Alternatively, when used as the first character within brackets[^ ]matches any number except the ones specified within the brackets. $ . * Matches the end of the input string. Matches any single character, including white space. Matches 0 or more sequences of the immediately previous character or pattern.

Using Regular Expressions E-Series Routers

1-39

Table 1-3 Supported regular expression metacharacters (continued) Metacharacter Description + ? () [] (hyphen) _ (underscore) Matches 1 or more sequences of the immediately previous character or pattern. Matches 0 or 1 sequence of the immediately previous character or pattern. Specifies patterns for multiple use when followed by one of the multiplier metacharacters: asterisk *, plus sign +, or question mark ? Matches any enclosed character; specifies a range of single characters. Used within brackets to specify a range of AS or community numbers. Matches a ^, a $, a comma, a space, a {, or a }. Placed on either side of a string to specify a literal and disallow substring matching. Numerals enclosed by underscores can be preceded or followed by any of the characters listed above. Matches characters on either side of the metacharacter; logical OR.

Using Metacharacters as Literal Tokens

You can remove the special meaning of a metacharacter by preceding it with a backslash (\). Such a construction denotes that the metacharacter is not treated as a metacharacter for that regular expression. It is simply a character or token with no special meaning, just as a numeral has no special meaning. The backslash applies only to the character immediately following it in the regular expression. On the E-series router, you are likely to use the backslash only for the parentheses characters, ( or ). BGP indicates a segment of an AS path that is of type AS-confed-set or AS-confed-seq by enclosing that segment within parentheses.
Example

The following AS-path access list uses a regular expression to match routes having an AS-path attribute that begins with any AS-confed-set or AS-confed-seq:
host1(config)#ip as-path access-list 1 permit ^\(

The following AS-path access list uses a regular expression to match routes having an AS-path attribute that ends with any AS-confed-set or AS-confed-seq:
host1(config)#ip as-path access-list 1 permit \)$

1-40

CHAPTER 1 Configuring Routing Policy

The following AS-path access list uses a regular expression to match routes having an AS-path attribute that includes the specific AS-confed-set or AS-confed-seq, (100 200):
host1(config)#ip as-path access-list 1 permit \(100 200\)

Regular Expression Examples

Table 1-4 shows some representative regular expressions that might be used in an AS-path access list or community list, along with sample attribute values that match or do not match the regular expression.
Table 1-4 Sample regular expressions Regular Expression Matches Any AS-path or Community Attribute That... ^12 Begins with 12, such as the following: 12 23 42 12 but not 58 12 7 [^12] Includes any numeral except 1 or 2, such as the following: 44 73 46 8 but not 1145 19 2 49 305$ 89 611 305 42 305 6666:305 .5 5 69 12 629 1245 19

12

Ends with 305, such as the following: 305 19 1305

Includes any one character followed by numeral 5, such as the following: 89 611 35 600:500 33 252 12 998

1.9

Includes a sequence of three characters where the first character is numeral 1 and the third character is numeral 9, such as the following: 179 35 24 2129 14 321:94 33 252 129 48 600:2129

.* 42*

Includes any character; matches all AS paths and community lists Includes a number having a numeral 4 followed by zero or more instances of numeral 2, such as the following: 67 42 51 33 252 422 48 4 339 78 314 3142 31422

Using Regular Expressions E-Series Routers

1-41

Table 1-4 Sample regular expressions (continued) Regular Expression Matches Any AS-path or Community Attribute That... 1(37)* Includes a sequence having a numeral 1 followed by zero or more instances of the pattern 37, such as the following: 137 42 21 1 but not 4 3737 78 42+ Includes a number having a numeral 4 immediately followed by one or more instances of numeral 2, such as the following: 67 42 21 but not 4 329 78 1(37)+ Includes a sequence having a numeral 1 immediately followed by one or more instances of the pattern 37, such as the following: 1373737 29 4 137 42 21 but not 4 372 21 1 456 88 42? 4 37137 78 33 252 422 48 1373737 29 4

21 37 5 1

Includes a number having a numeral 4 followed by zero or only one instance of numeral 2, such as the following: 67 42 71 but not 33 252 422 48 4 359 78

1(37)?

Includes a sequence having a numeral 1 followed by zero or only one instance of the pattern 37, such as the following: 137 42 21 1 but not 4 13737 78 53 612 49

7..

Includes a sequence of three characters where the first character is numeral 7, such as the following: 600 700 100 25 7771 In the following examples, the three characters are 7, space, 8: 307 800 6127 888 999

^7..

Includes a number ranging from 700 to 799, such as the following: 6127 723 999 but not 25 7771 700 100 600 307 800

1-42

CHAPTER 1 Configuring Routing Policy

Table 1-4 Sample regular expressions (continued) Regular Expression Matches Any AS-path or Community Attribute That... ^7..$ Consists only of a number ranging from 700 to 799, such as the following: 723 but not 25 7771 6127 723 999 [621] 60 43 200 86 53 [0-9] ^\(22 431\) 700 307 800 700 100 600 34 545 92 710

Includes any of the numerals 6, 2, or 1, such as the following:

The regular expression [162] has the same results. Includes any number in the range 09 (AS-path attribute only) Begins with the AS-confed-set or AS-confed-seq (22 431), such as the following: (22 431) 102 but not 43 (22 431) 5 {41 19} (22 431) 55 76 22 431 59

(AS-path attribute only) Includes the AS-set or AS-seq {41 19}, such as the following: {41 19} 53 255 {41 19} but not 3 41 19 76 {41 19} 17

41 19 532

101 102 | 103 105

Includes either sequence 101 102 or sequence 103 105, such as the following: 43 101 102 5 but not 19 102 101 103 105 22 102 103

_200_

Includes the number 200 (as opposed to the pattern consisting of numeral 2, numeral 0, numeral 0), such as the following: 33 200 422 48 ^200 500$ but not 33 20 422 48 ^200$

51 2005

Our implementation of regular expressions is not literal. Substring matching is enabled by default. Specifying 200 (no underscores) results in a match on 200 and on 2005. The underscore metacharacter disables substring matching.

For information on using AS-path access lists, see Access Lists on page 1-16. For information on using community lists, see Community Lists on page 1-31.

Managing the Routing Table E-Series Routers

1-43

Managing the Routing Table

You can clear all routes from the IP routing table, then enable the owning protocolsBGP, OSPF, RIPto reinstall the routes.
clear ip routes
Use to clear all routing entries or a specified entry from the IP routing table. Example
host1#clear ip routes

There is no no version.

ip refresh-route
Use to reinstall routes removed from the IP routing table by the clear ip route command. Example
host1#ip refresh-route

There is no no version.

Troubleshooting Routing Policy

You can turn on debugging for routing policy by issuing the log severity debug ipRoutePolicy command from Global Configuration mode. You can specify different levels of severity for ipRoutePolicy. See E-Series System Basics Configuration Guide, Chapter 4, Managing the System, for more information on using log commands for troubleshooting.

Monitoring Routing Policy

You can monitor the following aspects of routing policy using show commands: Access lists
host1#show access-list host1#show ip as-path access-list

Community lists
host1#show ip community-list

Prefix lists
host1#show ip prefix-list

1-44

CHAPTER 1 Configuring Routing Policy

Prefix trees
host1#show ip prefix-tree

Protocols
host1#show ip protocols

Redistribution policies
host1#show ip redistribute

Routes
host1#show ip route

Interfaces and next hops

host1#show ip route slot 5 192.168.5.4

Route maps
host1#show route-map

Static routes
host1#show ip static

IP traffic
host1#show ip traffic

You can use the output filtering feature of the show command to include or exclude lines of output based on a text string you specify. Refer to E-Series System Basics Configuration Guide, Chapter 2, Command Line Interface, for details.
show access-list
Use to display information about access lists. The displayed information includes the instances of each access list. Use the detail keyword to display the automatically assigned element ID for each access-list entry. Only rules that you explicitly create have element IDs. Example
host1#show access-list IP Access List 1: permit ip host 172.31.192.217 any permit ip 12.40.0.0 0.0.0.3 any deny ip any any IP Access List 2: permit ip 172.19.0.0 0.0.255.255 any deny ip 0.0.0.0 255.255.255.255 any IP Access List 10: permit ip any any

Monitoring Routing Policy E-Series Routers

1-45

IP Access List 11: deny ip any any host1#show access-list detail IP Access List 1: 1: permit ip host 172.31.192.217 any 2: permit ip 12.40.0.0 0.0.0.3 any deny ip any any

show ip as-path-access-list
Use to display information about AS-path access lists. Example
host1#show ip as-path-access-list AS Path Access List 1: permit deny permit deny permit deny deny permit deny .* .* _109$ ^108_ .* _109$ .* _109_ .* AS Path Access List 2: AS Path Access List 3:

AS Path Access List 4:

AS Path Access List 10:

show ip community-list
Use to display community list information. Display varies based on whether you issued the ip bgp community new-format command. Example 1. If you did not issue the ip bgp community new-format command, the display appears as follows:
host1#show ip community-list Community List 1: permit permit permit deny permit permit 81200109 81200110 81200108 81200109 81200110 81200108

Community List 2:

Community List 4: permit local-as

1-46

CHAPTER 1 Configuring Routing Policy

Community List 5: permit no-advertise Community List 6: permit no-export Community List 7: permit internet

Example 2. If you did issue the ip bgp community new-format command, the display appears as follows:
host1#show ip community-list Community List 1: permit 1239:1005 permit 1239:1006 permit 1239:1004 Community List 2: deny 1239:1005 permit 1239:1006 permit 1239:1004 Community List 4: permit local-as Community List 5: permit no-advertise Community List 6: permit no-export Community List 7: permit internet

show ip prefix-list
Use to display information about the prefix lists currently configured on the router. Example
host1#show ip prefix-list Prefix-list with the last deletion/insertion: def ip prefix-list name abc: 4 entries seq 5 permit 192.168.0.0/16 le 24 seq 10 permit 192.178.0.0/16 le 24 seq 15 deny 195.178.0.0/16 le 24 seq 20 deny 195.178.0.0/16 le 32 ip prefix-list name def: 1 entries seq 5 deny 192.170.0.0/16

Example
host1#show ip prefix-list summary Total memory used for prefix-list: 310 bytes Prefix-list with the last deletion/insertion: def ip prefix-list name abc: count: 4, range entries: 4, sequences: 5-20

Monitoring Routing Policy E-Series Routers

1-47

ip prefix-list name def: count: 1, range entries: 0, sequences: 5-5

show ip prefix-tree
Use to display information about the prefix trees currently configured on the router. Example
host1#show ip prefix-tree Prefix-tree with the last deletion/insertion: t_abc5 ip prefix-tree name t_abc1: 1 entries permit 108.243.0.0/16 ip prefix-tree name t_abc2: 3 entries permit 101.10.254.0/24 permit 102.10.248.0/21 permit 103.10.192.0/18 permit 108.109.0.0/16 permit 108.109.241.0/24 ip prefix-tree name t_abc3: 1 entries deny 108.0.0.0/8

Example
host1#show ip prefix-tree summary Total memory used for prefix-tree: 860 bytes Prefix-tree with the last deletion/insertion: t_abc5 ip prefix-tree name t_abc1: count: 1 ip prefix-tree name t_abc2: count: 5 ip prefix-tree name t_abc3: count: 1

show ip protocols
Use to display detailed information about the protocols currently configured on the router. Use the summary keyword to display only a list of the configured protocols. For field descriptions, see the show commands for the individual routing protocols in their respective Configuration Guide chapters. Example
host1#show ip protocols Routing Protocol is bgp 1 Default local preference is 100 IGP synchronization is enabled Always compare MED is disabled Router flap damping is disabled Administrative Distance: external 20 internal 200 local 200

1-48

CHAPTER 1 Configuring Routing Policy

Neighbor(s): No neighbors are configured Routing for Networks: Routing Protocol is ospf 255 with Router ID 100.100.100.1 Distance is 110 Address Summarization: None Routing for Networks: Routing Protocol is rip Router Administrative State: enable System version RIP1: send = 1, receive = 1 or 2 Update interval: 30 seconds Invalid after: 180 seconds hold down time: 120 seconds flushed interval: 300 seconds Filter applied to outgoing route update is not set Filter applied to incoming route update is not set No global route map Distance is 120 Interface Tx Rx Auth

Routing for Networks: 10.2.1.0/255.255.255.0

show ip redistribute
Use to display configured route redistribution policy. Field descriptions

To protocol into which routes are distributed From protocol from which routes are distributed status redistribution status route map number number of the route map
host1#show ip redistribute To ospf, From static is enabled with route map 4 To ospf, From connected is enabled with route map 3

Example

Monitoring Routing Policy E-Series Routers

1-49

show ip route
Use to display the current state of the routing table, including routes not used for forwarding. You can display all routes, a specific route, all routes beginning with a specified address, routes for a particular protocol (BGP, IS-IS, OSPF, or RIP), locally connected routes, internal control routes, static routes, or summary counters for the routing table. Field descriptions

Prefix IP address prefix Length prefix length Type protocol type Next Hop IP address of the next hop Dist distance metric for the route Met number of hops Intf interface type and interface specifier

Example 1

host1#show ip route Protocol/Route type codes: I1- ISIS level 1, I2- ISIS level2, I- route type intra, IA- route type inter, E- route type external, i- metric type internal, e- metric type external, O- OSPF, E1- external type 1, E2- external type2, N1- NSSA external type1, N2- NSSA external type2 Prefix/Length ------------172.16.2.0/24 10.10.0.112/32 10.1.1.0/24 Type ---Bgp Static Next Hop -------192.168.1.102 192.168.1.1 Dist/Met -------20/1 1/1 0/1 Intf -----fastEthernet0/0 fastEthernet0/0 atm3/0.100

Connect 10.1.1.1

Example 2

host1#show ip route static Protocol/Route type codes: I1- ISIS level 1, I2- ISIS level2, I- route type intra, IA- route type inter, E- route type external, i- metric type internal, e- metric type external, O- OSPF, E1- external type 1, E2- external type2, N1- NSSA external type1, N2- NSSA external type2 Prefix/Length ------------10.10.0.112/32

Type ---Static

Next Hop -------192.168.1.1 1/1

Dist/Met --------

Intf ------

fastEthernet0/0

1-50

CHAPTER 1 Configuring Routing Policy

Example 3
host1#show ip route summary 5 total routes, 720 bytes in route entries 0 isis routes 0 rip routes 1 static routes 1 connected routes 0 bgp routes 0 ospf routes 3 other internal routes 0 access routes 0 internally created access host routes Last route added/deleted: 0.0.0.0/0 by StaticLow At THU MAR 09 2000 05:22:49 UTC

show ip route slot

Use to display the interface and next hop for an IP address in the routing table of a line module specified by the slot it occupies.

slotNumber number of slot containing the line module for which the
information is displayed

ipAddress IP address to look up in the routing table

Field descriptions

IP address address reachable via the interface Interface interface type and specifier associated with the IP address;
displays Local Interface if a special interface index is present in the routing table for special IP addresses, such as broadcast addresses

Next Hop next hop to reach the IP address; displays --- if no next hop is
associated with the IP address Example 1
host1#show ip route slot 6 10.10.0.231 IP address -----------10.10.0.231 Interface ---------------fastEthernet 6/0 Next Hop -----------10.10.0.231

Example 2
host1#show ip route slot 9 90.248.1.2 IP address -----------90.248.1.2 Interface ---------------serial9/23:2 Next Hop --------------

Example 3
host1#show ip route slot 9 90.249.255.255 IP address -----------Interface ---------------Next Hop --------------

90.249.255.255 Local Interface

Monitoring Routing Policy E-Series Routers

1-51

show ip static
Use to display the status of static routes in the routing table. You can specify an optional IP mask that filters specific routes. Field descriptions

Prefix IP address prefix Length prefix length Next Hop IP address of the next hop Met number of hops Dist administrative distance or weight assigned to the route Tag tag value assigned to the route Intf interface type and interface specifier
host1#show ip static Prefix/Length 10.2.0.0/24 10.2.1.0/24 172.31.1.48/32 Next Hop: 192.168.1.1 192.168.1.1 172.18.2.2 Met: Dist: 1 1 1 1 1 1 Tag: 0 1 0 Intf: ethernet6/0 ethernet6/0 atm5/1.1

Example

show ip traffic
Use to display statistics about IP traffic. Field descriptions

IP Statistics Rcvd:
Router Id router ID number total number of frames received local destination frames with this router as their destinations hdr errors number of packets containing header errors addr errors number of packets containing addressing errors unkn proto number of packets received containing unknown protocols discards number of discarded packets

IP Statistics Frags:
reassembled number of reassembled packets reasm timed out number of reassembled packets that timed out reasm req number of requests for reassembly reasm fails number of reassembly failures frag ok number of fragmented packets reassembled successfully frag fail number of fragmented packets reassembled unsuccessfully frag creates number of packets created by fragmentation

1-52

CHAPTER 1 Configuring Routing Policy

IP Statistics Sent:
forwarded number of packets forwarded generated number of packets generated out disc number of outbound packets discarded no routes number of packets that could not be routed routing discards number of packets that could not be routed that were discarded

IP Statistics Route:
routes in table number of routes in the routing table timestamp req number of requests for a timestamp timestamp rpy number of replies to timestamp requests addr mask req number of address mask requests addr mask rpy number of address mask replies

ICMP Statistics Rcvd:

total total number of ICMP packets received errors number of error packets received dst unreach number of packets received with destination unreachable time exceed number of packets received with time-to-live exceeded param probs number of packets received with parameter errors src quench number of source quench packets received redirects number of receive packet redirects echo req number of echo request (ping) packets echo rpy number of echo replies received timestamp req number of requests for a timestamp timestamp rpy number of replies of timestamp requests addr mask req number of mask requests sent addr mask rpy number of mask replies sent

ICMP Statistics Sent:

total total number of ICMP packets sent errors number of error packets sent dest unreach number of packets sent with destination unreachable time excd number of packets sent with time-to-live exceeded param prob number of packets sent with parameter errors src quench number of source quench packets sent redirects number of send packet redirects echo req number of echo request (ping) packets echo rpy number of echo replies received timestamp req number of requests for a timestamp timestamp rpy number of replies to timestamp requests addr mask req number of address mask requests addr mask rpy number of address mask replies

Monitoring Routing Policy E-Series Routers

1-53

UDP Statistics Rcvd:

total total number of UDP packets received checksum number of checksum error packets received no port number of packets received for which no application listener was listening on the destination port

UDP Statistics Sent:

total total number of UDP packets sent errors number of error packets sent

TCP Global Statistics Connections:

attempted number of outgoing TCP connections attempted accepted number of incoming TCP connections accepted established number of TCP connections established dropped number of TCP connections dropped closed number of TCP connections closed

TCP Global Statistics Rcvd:

total pkts total number of TCP packets received in-sequence pkts number of packets received in sequence bytes number of bytes received chksum err pkts number of checksum error packets received authentication err pkts number of authentication error packets received bad offset pkts number of packets received with bad offsets short pkts number of short packets received duplicate pkts number of duplicate packets received out of order pkts number of packets received out of order

TCP Global Statistics Sent:

total pkts total number of TCP packets sent data pkts number of data packets sent bytes number of bytes sent retransmitted pkts number of packets retransmitted retransmitted bytes number of retransmitted bytes

OSPF Statistics not supported for this version of the router IGMP Statistics not supported for this version of the router ARP Statistics not supported for this version of the router
Example
host1#show ip traffic IP statistics: Router Id: 172.31.192.217 Rcvd: 97833 total, 171059 local destination 167 unkn proto, 0 discards Frags: 4 reassembled, 30 reasm timed out, 8 reasm req 0 reasm fails, 145 frag ok, 0 frag fail 290 frag creates 0 hdr errors, 0 addr errors

1-54

CHAPTER 1 Configuring Routing Policy

Sent:

15 forwarded, 25144 generated, 0 out disc 0 no routes,0 routing discards

Route: 57680 routes in table 0 timestamp req, 0 timestamp rpy 0 addr mask req, 0 addr mask rpy ICMP statistics: Rcvd: 561 total, 0 errors, 15 dst unreach 0 time exceed, 0 param probs, 0 src quench 0 redirects, 0 echo req, 0 echo rpy 0 timestamp req, 0 timestamp rpy 0 addr mask req, 0 addr mask rpy Sent: 0 total, 0 errors, 0 dest unreach 0 time excd, 0 param prob, 0 src quench 0 redirects, 0 echo req, 0 echo rpy UDP Statistics: Rcvd: 93326 total, 0 checksum errors, 90610 no port Sent: 0 total, 0 errors TCP Global Statistics: Connections: 7358 attempted, 4 accepted, 7362 established 0 dropped, 14718 closed Rcvd: 75889 total pkts, 53591 in-sequence pkts, 3120283 bytes 0 chksum err pkts, 0 authentication err pkts, 0 bad offset 0 short pkts, 0 duplicate pkts, 0 out of order pkts Sent: 82318 total pkts, 44381 data pkts, 656321 bytes 34 retransmitted pkts, 487 retransmitted bytes OSPF Statistics: IGMP Statistics: ARP Statistics:

show route-map
Use to display the configured route maps. The displayed information includes the instances of each access list such as match and set commands. Example
host1(config)#route-map 1 permit 10 host1(config-route-map)#match community 44 host1(config-route-map)#set local-pref 400 host1(config-route-map)#exit host1(config)#exit host1#show route-map 1

Monitoring Routing Policy E-Series Routers

1-55

route-map 1, permit, sequence 10 Match clauses: match community 44 Set clauses: set local-pref 400

1-56

CHAPTER 1 Configuring Routing Policy

Part 2

Internet Protocol

Configuring IP

2
Page 2-2 2-4 2-5 2-6 2-11 2-11 2-14 2-19 2-20 2-21 2-33 2-38 2-40 2-42 2-55

This chapter describes how to configure Internet Protocol (IP) routing on your E-series router.
Topic Overview References IP Features IP Addressing Before You Configure IP Creating a Profile Address Resolution Protocol (ARP) Broadcast Addressing Fragmentation IP Routing Shared IP Interfaces Internet Control Message Protocol Reachability Commands Response Time Reporter Monitoring IP

2-2

CHAPTER 2 Configuring IP

Overview
TCP/IP is a suite of data communications protocols. Two of the more important protocols in the suite are the Transmission Control Protocol (TCP) and the Internet Protocol (IP). IP provides the basic packet delivery service for all TCP/IP networks. IP is a connectionless protocol, which means that it does not exchange control information to establish an end-to-end connection before transmitting data. A connection-oriented protocol exchanges control information with the remote computer to verify that it is ready to receive data before sending it. IP relies on protocols in other layers to establish the connection if connection-oriented services are required and to provide error detection and error recovery. IP is sometimes called an unreliable protocol, because it contains no error detection or recovery code.
IP Packets

A packet is a block of data that carries with it the information necessary to deliver it to a destination address. A packet-switching network uses the addressing information in the packets to switch packets from one physical network to another, moving them toward their final destination. Each packet travels the network independently of any other packet. The datagram is the packet format defined by IP.
IP Functions

Some of the functions IP performs include: Moving data between the network access layer and the host-to-host transport layer Routing datagrams to remote hosts Fragmenting and reassembling datagrams
Moving Data Between Layers

When IP receives a datagram that is addressed to the local host, it must pass the data portion of the datagram to the correct host-to-host transport layer protocol. IP uses the protocol number in the datagram header to select the transport layer protocol. Each host-to-host transport layer protocol has a unique protocol number that identifies it to IP.

Overview E-Series Routers

2-3

Routing Datagrams to Remote Hosts

Internet gateways are commonly referred to as IP routers because they use IP to route packets between networks. In traditional TCP/IP terms, there are only two types of network devices: gateways and hosts. Gateways forward packets between networks, and hosts do not. However, if a host is connected to more than one network (called a multihomed host), it can forward packets between the networks. When a multihomed host forwards packets, it acts like any other gateway and is considered to be a gateway.
Fragmenting and Reassembling Datagrams

As a datagram is routed through different networks, it may be necessary for the IP module in a gateway to divide the datagram into smaller pieces. A datagram received from one network may be too large to be transmitted in a single packet on a different network. This condition occurs only when a gateway interconnects dissimilar physical networks. Each type of network has a maximum transmission unit (MTU) that determines the largest packet it can transfer. If the datagram received from one network is longer than the other networks MTU, it is necessary to divide the datagram into smaller fragments for transmission in a process called fragmentation. See Fragmentation later in this chapter.
IP Layering

TCP/IP is organized into four conceptual layers (as shown in Figure 2-1).
Application Transport
g013300

Internet Network Interface

Figure 2-1 TCP/IP conceptual layers

Network Interface Layer

The network interface layer is the lowest level of the TCP/IP protocol stack. It is responsible for transmitting datagrams over the physical medium to their final destinations.

2-4

CHAPTER 2 Configuring IP

Internet Layer

The Internet layer is the second level of the TCP/IP protocol stack. It provides host-to-host communication. In this layer, packets are encapsulated into datagrams, routing algorithms are run, and the datagram is passed to the network interface layer for transmission on the attached network.
Transport Layer

The transport layer is the third level of the TCP/IP protocol stack. It is responsible for providing communication between applications residing in different hosts. By placing identifying information in the datagram (such as socket information), the transport layer enables process-to-process communication. The transport layer provides either a reliable transport service (TCP) or an unreliable service (User Data Protocol). In a reliable delivery service, the destination station acknowledges the receipt of a datagram.
Application Layer

The application layer is the fourth and highest level of the TCP/IP protocol stack. Some applications that run in this layer are: Telnet File Transfer Protocol (FTP) Simple Mail Transfer Protocol (SMTP) Simple Network Management Protocol (SNMP) Domain Name System (DNS)

References
For more information about IP, consult the following resources: RFC 768 User Datagram Protocol (August 1980) RFC 791 Internet Protocol DARPA Internet Program Protocol Specification (September 1981) RFC 792 Internet Control Message Protocol (September 1981) RFC 793 Transmission Control Protocol (September 1981) RFC 854 Telnet Protocol Specification (May 1983) RFC 919 Broadcasting Internet Datagrams (October 1984)

IP Features E-Series Routers

2-5

RFC 922 Broadcasting Internet Datagrams in the Presence of Subnets (October 1984) RFC 950 Internet Standard Subnetting Procedure (August 1985) RFC 1112 Host Extensions for IP Multicasting (August 1989) RFC 1122 Requirements for Internet HostsCommunication Layers (October 1989) RFC 1812 Requirements for IP Version 4 Routers (June 1995) E-Series Release Notes, Appendix A, System Maximums Refer to the Release Notes corresponding to your software release for information on maximum values.

IP Features
The E-series router supports the following IP features: Internet Control Message Protocol (ICMP) Traceroute User Datagram Protocol (UDP) Transmission Control Protocol (TCP) Classless interdomain routing (CIDR) Maximum transmission unit (MTU) Support for simultaneous multiple logical IP stacks on the same router Flexible IP address assignment to support any portion of a physical interface (for example, a channel or circuit), exactly one physical interface, or multilink PPP interfaces Packet segmentation and reassembly Loose source routing to specify the IP route Strict source routing to specify the IP route for each hop Record route to track the route taken Internet timestamp Broadcast addressing, both limited broadcast and directed broadcast

2-6

CHAPTER 2 Configuring IP

Support for 32,000 discrete, simultaneous IP interfaces per router to support thousands of logical connections Capability of detecting and reporting changes in the up or down state of any IP interface IP policy support. See Chapter 1, Configuring Routing Policy, for more information on policy configuration.

IP Addressing
This section provides an overview of IP addressing in general and includes a discussion of CIDR, which your router fully supports.
Physical and Logical Addresses

Physical node addresses are used at the network access layer to identify physical devices in a network. For example, each Ethernet controller comes from the manufacturer with a physical address, called a MAC address. IP implements a system of logical host addresses called IP addresses. The IP addresses are used by the internetwork and higher layers to identify devices and to perform internetwork routing. The Address Resolution Protocol (ARP) enables IP to identify the physical (MAC) address that matches a given IP address. You can use ARP only on Ethernet and bridged IP 1483 interfaces. IP is used by all protocols in the layers above and below it to deliver data. This means that all TCP/IP data flows through IP when it is sent and received, regardless of its final destination.
Internet Addresses

Internet addressing uses a 32-bit address field. The bits in this address field are numbered 0 to 31. The 32-bit address field consists of two parts: a network number and a host number whose boundaries are defined based on the class of IP address. Hosts attached to the same network must share a common prefix designating their network number. Four types of IP classes lend themselves to different network configurations, depending on the desired ratio of networks to hosts. Figure 2-2 shows the format of IP address classes.

IP Addressing E-Series Routers

2-7

0 Class A 0 Class B 0 Class C 0 Class D 1 1 1

1 0 1 0 1 1 1 1 2 1 2 0 3 0 3 Network 2

7 8 Local host address 15 16 Network Local host address 23 24 Network 4 Multicast address Local host address

31

31

31

31

Figure 2-2 IP address classes

Class A The leading bit is set to 0, a 7-bit number, and a 24-bit local host address. Up to 125 class A networks can be defined, with up to 16,777,214 hosts per network. Class B The two highest-order bits are set to 1 and 0, a 14-bit network number, and a 16-bit local host address. Up to 16,382 class B networks can be defined, with up to 65,534 hosts per network. Class C The three leading bits are set to 1, 1, and 0, a 21-bit network number, and an 8-bit local host address. Up to 2,097,152 class C networks can be defined, with up to 254 hosts per network. Class D The four highest-order bits are set to 1, 1, 1, and 0. Class D is used as a multicast address.
Subnet Addressing

A subnet is a subset of a class A, B, or C network. Subnets cannot be used with class D (multicast) addresses. A network mask is used to separate the network information from the host information on an IP address. Figure 2-3 shows the network mask 255.0.0.0 applied to network 10.0.0.0. The mask in binary notation is a series of 1s followed by a series of contiguous 0s. The 1s represent the network number; the 0s represent the host number. The sample address splits the IP address 10.0.0.1 into a network portion of 10 and a host portion of 0.0.1.
Note: The router supports a 31-bit mask on point-to-point links. This means that the IP address 1.2.3.4 255.255.255.254 is valid. A point-to-point link in which only one end supports the use of 31-bit prefixes may not operate correctly.

g013301

2-8

CHAPTER 2 Configuring IP

Decimal IP Address Mask 40. 0.0.1 255. 0.0.0 00101000 11111111 Network portion
Figure 2-3 Basic network masking

Binary 00000000 00000000 00000000 00000000 00000001

g013309 g013310

00000000

Host portion

Classes A, B, and C have the following natural masks, which define the network and host portions of each class: Class A natural mask 255.0.0. Class B natural mask 255.255.0.0 Class C natural mask 255.255.255.0 The use of masks can divide networks into subnetworks by extending the network portion of the address into the host portion. Subnetting increases the number of subnetworks and reduces the number of hosts. For example, a network of the form 10.0.0.0 accommodates one physical segment with about 16 million hosts on it. Figure 2-4 shows how the mask 255.255.0.0. is applied to network 10.0.0.0. The mask divides the IP address 10.0.0.1 into a network portion of 10, a subnet portion of 0, and a host portion of 0.1. The mask has borrowed a portion of the host space and has applied it to the network space. The network space of the class 10 has increased from a single network 10.0.0.0 to 256 subnetworks, ranging from 10.0.0.0 to 10.255.0.0. This process decreases the number of hosts per subnet from 16,777,216 to 65,536.
Decimal IP Address Mask 40. 0 .0.1 00101000 11111111 Network portion
Figure 2-4 Subnetting

Binary 00000000 00000000 00000001 00000000 00000000 00000000 Subnet portion Host portion

255. 255 .0.0

Classless Addressing with CIDR

Classless interdomain routing (CIDR) is a system of addressing that improves the scaling factor of routing in the Internet. CIDR does not use an implicit mask based on the class of network. In CIDR, an IP network is represented by a prefix, which is an IP address and an indication of the leftmost contiguous significant bits within this address.

IP Addressing E-Series Routers

2-9

For example, without CIDR, the class C network address 192.56.0.0 would be an illegal address. With CIDR, the address becomes valid with the notation: 192.56.0.0/16. The /16 indicates that 16 bits of mask are being used (counting from the far left). This would be similar to an address 198.32.0.0. with a mask of 255.255.0.0. A network is called a supernet when the prefix boundary contains fewer bits than the networks natural mask. For example, a class C network 192.56.10.0 has a natural mask of 255.255.255.0. The representation 192.56.0.0/16 has a shorter mask than the natural mask (16 is less than 24), so it is a supernet. Figure 2-5 shows how CIDR can reduce the number of entries globally in Internet routing tables. A service provider has a group of customers with class C addresses that begin with 192.56. Despite this relationship, the service provider announces each of the networks individually into the global Internet routing mesh.
192.56.0.0 192.56.1.0 192.56.2.0

Service provider

192.56.255.0

192.56.0.0 192.56.1.0 192.56.2.0

Global Internet routing mesh

192.56.255.0

Interdomain routing without CIDR 192.56.0.0 192.56.1.0 192.56.2.0

Service provider

192.56.0.0/16

Global Internet routing mesh

g013302

192.56.255.0

Interdomain routing with CIDR

Figure 2-5 Routing with and without CIDR

Adding and Deleting Addresses

This section provides information on adding or deleting IP addresses. Multinetting is adding more than one IP address to an IP interfacethat is, a primary address and one or more secondary addresses. To make an interface unnumbered, see Setting Up an Unnumbered Interface later in this chapter.

2-10

CHAPTER 2 Configuring IP

Adding a Primary Address

The primary address must be the first address added to the interface. Adding a new primary address overwrites the existing primary address. You can change a secondary address to be the primary address on an interface only via SNMP. An unnumbered address is always the primary address; adding an unnumbered address, therefore, overwrites any other numbered address.
Deleting a Primary Address

You must always remove the primary address from an interface last. You cannot delete the primary address if the interface still has assigned secondary addresses.
Adding a Secondary (Multinet) Address

You cannot add a secondary address until you add the primary address. You cannot add a secondary address to bridged Ethernet interfaces. You cannot change a primary address to a secondary address. An interface can have multiple secondary addresses.
Deleting a Secondary Address

You must delete secondary addresses before deleting the primary address.
ip address Command

Use the following command to add addresses to or delete addresses from an interface:
ip address
Use to add a primary address or to add secondary addresses to an interface. To add multiple addresses to a single IP interface, use the secondary keyword. (Remember, if you add an address using the ip address command and do not include the secondary keyword, the new address becomes the primary address.)

Before You Configure IP E-Series Routers

2-11

Example this example adds a primary address (192.168.2.77) and two secondary addresses (172.31.7.22 and 10.8.7.22); the Fast Ethernet interface now has addresses in three networks.
host1(config)#interface fastEthernet 0/0 host1(config-if)#ip address 192.168.2.77 255.255.255.0 host1(config-if)#ip address 172.31.7.22 255.255.255.0 secondary host1(config-if)#ip address 10.8.7.22 255.255.255.0 secondary Note: You can use this command in Interface Configuration, Subinterface Configuration, or Profile Configuration mode.

Use the no version to remove an IP address. If you remove a primary IP address, IP processing is disabled on the interface.

Before You Configure IP

Before you configure IP, you should have created lower-layer interfaces over which IP traffic flows. For example, to configure an ATM interface:
host1(config)#interface atm 1/0 host1(config-if)#atm sonet stm-1 host1(config-if)#no loopback host1(config-if)#atm clock internal chassis host1(config-if)#interface atm 1/0.10 host1(config-if)#atm pvc 10 0 20 aal5snap

Refer to the appropriate chapters for information on configuring a specific type of interface.
Note: If you choose to configure VRRP, we recommend that you complete all IP address configurations before you configure VRRP. See Chapter 11, Configuring VRRP, for additional information.

Creating a Profile
You can configure an IP interface dynamically by creating a profile. A profile is a set of characteristics that acts as a pattern that can be dynamically assigned to an IP interface. You can manage a large number of IP interfaces efficiently by creating a profile with a specific set of characteristics. In addition, you can create a profile to assign an IP interface to a virtual router.

2-12

CHAPTER 2 Configuring IP

A profile can contain one or more of the following characteristics: access-route Enables the creation of host access routes on an interface address Configures an IP address on an interface directed-broadcast Enables directed broadcast forwarding mtu Configures the maximum transmission unit for a network nat Configures the interface as inside or outside for Network Address Translation (NAT) redirects Enables transmission of ICMP redirect messages unnumbered Configures IP on this interface without a specific address virtual-router Specifies a virtual router to which interfaces created by this profile will be attached Use the profile command from Global Configuration mode to create or edit a profile. See E-Series Link Layer Configuration Guide, Chapter 13, Configuring Dynamic Interfaces for information on creating profiles and on other characteristics that can be applied to the profile.
host1(config)#profile acton host1(config-profile)#ip virtual-router warf host1(config-profile)#ip unnumbered atm 3/0

ip access-routes
Use to enable an access route in a profile. Example
host1(config)#profile foo host1(config-profile)#ip access-routes

Use the no version to remove the access route.

ip address
Use to assign an IP address to a profile. You must first specify the layer 2 encapsulation before you can set the IP address for serial interfaces. Use the no version to remove the IP address assigned to the profile.

ip directed-broadcast
Use to enable a directed broadcast address in a profile. Use the no version to remove the directed broadcast address from the profile.

Creating a Profile E-Series Routers

2-13

ip mtu
Use to assign the MTU size sent on an IP interface. Use the no version to remove the assignment from the profile.

ip redirects
Use to enable the sending of redirect messages if the software is forced to resend a packet through the same interface on which it was received. Use the no version to remove the assignment from the profile.

ip unnumbered
Use to specify the numbered interface with which dynamic unnumbered interfaces created with the profile are associated. You can specify an unnumbered interface using RADIUS instead of using the ip unnumbered command in a profile. Example
host1(config-profile)#ip unnumbered fastEthernet 0/0

Use the no version to remove the assignment from the profile.

ip virtual-router
Use to assign a virtual router to a profile. You can configure a virtual router using RADIUS instead of adding one to the profile by using the ip virtual-router command. Use the no version to remove the virtual router assignment.

profile
Use to create a profile. You specify a profile name with up to 80 characters. Example
host1(config)#profile foo

Use the no version to remove a profile.

2-14

CHAPTER 2 Configuring IP

Assigning a Profile

To assign a profile to an interface, use the profile command from Interface mode.
profile
Use to assign a profile to a PPP interface. The profile configuration is used to dynamically create an upper IP interface. Example
host1(config-if)#interface serial 2/1 host1(config-if)#encapsulation ppp host1(config-if)#profile acton

Use the no version to remove the assignment from the interface.

Address Resolution Protocol (ARP)

Sending IP packets on a multiaccess network requires mapping from an IP address to a MAC address (the physical or hardware address). In an Ethernet environment, ARP is used to map a MAC address to an IP address. ARP dynamically binds the IP address (the logical address) to the correct MAC address. Before IP unicast packets can be sent, ARP discovers the MAC address used by the Ethernet interface where the IP address is configured. Hosts that use ARP maintain a cache of discovered Internet-to-Ethernet address mappings to minimize the number of ARP broadcast messages. To keep the cache from growing too large, an entry is removed if it is not used within a certain period of time. Before sending a packet, the host looks in its cache for Internet-to-Ethernet address mapping. If the mapping is not found, the host sends an ARP request.
Note: For information on MAC address validation, see the section MAC Address Validation.

Address Resolution Protocol (ARP) E-Series Routers

2-15

How ARP Works

The way ARP works can best be explained in a simple example. As shown in Figure 2-6, host 1 wants to send an IP packet to host 2 on a different subnet. To complete this transmission, host 1 needs the MAC address of router 1, to be used as the forwarding gateway. A typical scenario is:
1

Host 1 broadcasts an ARP request to all devices on subnet 1, composed by a query with the IP address of router 1. The IP address of router 1 is needed because host 2 is on a different subnet. All devices on subnet 1 compare their IP address with the enclosed IP address sent by host 1. Having the matching IP address, router 1 sends an ARP response, which includes its MAC address, to host 1.
host 1 2
10.0.0.10

2 3

ip address: 10.0.0.253/8 default gateway: 10.0.0.10

1 subnet 1
MAC

10.0.0.10

?
10.0.0.10

00-90-1A-00-72-E0

3
MAC

IP packet ARP message

10.0.0.10

? interface address: 10.0.0.10/8

2 router 1

subnet 2 ip address: 20.0.0.252/8 default gateway: 20.0.0.10 host 2

interface address: 20.0.0.10/8

g013112

Figure 2-6 How ARP works, steps 1, 2, and 3

2-16

CHAPTER 2 Configuring IP

4 5

Host 1 proceeds with its intended transmission of IP packet to layer 3 DA (host 2) using router 1s MAC address. Router 1 forwards IP packet to host 2. Router 1 may send an ARP request to identify the MAC of host 2.
host 1 4 subnet 1 interface address: 10.0.0.10/8 router 1 interface address: 20.0.0.10/8 5 host 2
g013113

ip address: 10.0.0.253/8 default gateway: 10.0.0.10

IP packet

subnet 2

ip address: 20.0.0.252/8 default gateway: 20.0.0.10

Figure 2-7 How ARP works, steps 4 and 5

ARP forces all receiving hosts to compare their IP addresses with the IP address of the ARP request. Keeping the above example in mind, if host 1 sent another IP packet to host 2, host 1 would first check its ARP table for router 1s MAC address. If the default router/gateway becomes unavailable, then all the routing/packet forwarding to remote destinations ceases. Usually, it requires manual intervention to restore connectivity, even though alternative paths may be available. Alternatively, Virtual Router Redundancy Protocol (VRRP) may be used to prevent loss of connectivity. See Chapter 11, Configuring VRRP.

Address Resolution Protocol (ARP) E-Series Routers

2-17

arp
Use to add a static (permanent) entry in the ARP cache. You specify one of the following:

ipAddress and macAddress of the interface ipAddress, interfaceType and interfaceSpecifier, and an optional MAC
address You can issue this command only for an Ethernet or bridged IP 1483 interface. Example
host1(config)#arp 192.56.20.1 0090.1a00.0170

Use the no version to remove an entry from the ARP cache.

arp timeout
Use to specify how long an entry remains in the ARP cache. On the FE-2 module, you can set the ARP timeout only on bridged IP 1483 and Fast Ethernet interfaces. You cannot set the timeout on the SRP module. The default value is 21,600 seconds (6 hours). Use the show config command to display the current value. If you specify a timeout of 0 seconds, entries are never cleared from the ARP cache. Example
host1(config-if)#arp timeout 8000

Use the no version to restore the default value.

clear arp
Use to clear dynamic entries from the ARP cache. To clear a particular entry, specify all of the following:

ipAddress IP address in four-part dotted-decimal format corresponding to

the local data link address

interfaceType interface type; see Interface Types and Specifiers in

About This Guide

interfaceSpecifier particular interface; format varies according to

interface type; see Interface Types and Specifiers in About This Guide
To clear all dynamic ARP entries, specify an asterisk (*). Example
host1#clear arp

There is no no version.

2-18

CHAPTER 2 Configuring IP

ip proxy-arp
Use the ip proxy-arp command to enable proxy ARP on an Ethernet or bridge1483 interface. Proxy ARP is enabled by default. Example
host1(config-if)#ip proxy-arp unrestricted

Use the no version to disable proxy ARP on the interface.

MAC Address Validation

MAC address validation is a verification process performed on each incoming packet to prevent spoofing on IP Ethernet-based interfaces, including bridged Ethernet interfaces. When an incoming packet arrives on a layer 2 interface, the validation table is used to compare the packets source IP address with its MAC address. If the MAC address and IP address match, the packet is forwarded; if it does not match, the packet is dropped.
Note: MAC address validation for bridged Ethernet interfaces is supported only on OC12a line modules.

MAC address validation on the E-series router can be accomplished in two ways: You can statically configure it on a physical interface via the arp validate command You can allow DHCP to perform the function independently and dynamically. See DHCP in E-Series Link Layer Configuration Guide, Chapter 8, Configuring Bridged IP. The arp validate command adds the IP-MAC address pair to the validation table maintained on the physical interface. If the validation is added statically via the CLI, the IP addressMAC address pairs are stored in NVS. The entries are used for MAC validation only if MAC validation is enabled on the interface via the ip mac-validate command.
Caution: When you configure an interface using the arp validate command, you cannot overwrite the ARP values that were added by DHCP.

You can enable or disable MAC address validation on a per interface basis by issuing the ip mac-validate command. See E-Series Physical Layer Configuration Guide, Chapter 6, Configuring Ethernet Interfaces or E-Series Link Layer Configuration Guide, Chapter 9, Configuring Bridged Ethernet for information.

Broadcast Addressing E-Series Routers

2-19

arp validate
Use to add IP addressMAC address validation pairs. When validation is enabled, all packets with the source IP address received on this IP interface are validated against the IP-MAC entries. You specify one of the following:

ipAddress and macAddress of the interface ipAddress, interfaceType and interfaceSpecifier, and an optional MAC
address You can issue this command only for an IP Ethernet-based interface. For subscriber interface configurations, the IP addressMAC address pair must have a matching source prefix that already exists on the subscriber interface. If the matching source prefix does not exist, the IPMAC address pair is rejected. See E-Series Broadband Access Configuration Guide, Chapter 8, Configuring Subscriber Interfaces for information about using subscriber interfaces. The following example shows packets originating from host 192.56.20.1 and validated at Gigabit Ethernet interface with the MAC address 0090.1a00.0170.
host1(config)#arp 192.56.20.1 gig 2/0 0090.1a00.0170 validate

The following example shows the subscriber interface MAC address validation enabled.
host1(config)#arp 192.168.32.0 ip subsc 1 000.0001.8100

Use the no version to remove an entry from the ARP cache.

Broadcast Addressing
A broadcast is a data packet destined for all hosts on a particular physical network. Network hosts recognize broadcasts by special addresses. The router supports the following kinds of broadcast types: Limited broadcast A packet is sent to a specific network or series of networks. A limited broadcast address includes the network or subnet fields. In a limited broadcast packet destined for a local network, the network identifier portion and host identifier portion of the destination address is either all ones (255.255.255.255) or all zeros (0.0.0.0). Flooded broadcast A packet is sent to every network. Directed broadcast A packet is sent to a specific destination address where only the host portion of the IP address is either all ones or all zeros (such as 192.20.255.255 or 190.20.0.0). Several early IP implementations do not use the current broadcast address standard. Instead, they use the old standard, which calls for all zeros instead of all ones to indicate broadcast addresses. Many of these implementations do not recognize a broadcast address of all ones and fail

2-20

CHAPTER 2 Configuring IP

to respond to the broadcast correctly. Others forward broadcasts of all ones, which causes a serious network overload known as a broadcast storm. Implementations that exhibit these problems include systems based on versions of BSD UNIX before version 4.3. Routers provide some protection from broadcast storms by limiting their extent to the local cable. Bridges (including intelligent bridges), because they are layer 2 devices, forward broadcasts to all network segments, thus propagating all broadcast storms. The best solution to the broadcast storm is to use a single broadcast address scheme on a network. Most IP implementations allow the network manager to set the address to be used as the broadcast address. Many implementations of IP, including the one on your router, can accept and interpret all possible forms of broadcast addresses.
Broadcast Tasks

There are two broadcast-related IP commands you can use to perform broadcast-related tasks.
ip broadcast-address
Use to broadcast to all addresses in the host portion of an IP address. You specify an IP address to set the broadcast address. Example
host1(config-if)#ip broadcast-address 255.255.255.255

Use the no version to restore the default IP broadcast address.

ip directed-broadcast
Use to enable translation of directed broadcasts to physical broadcasts. Example
host1(config-if)#ip directed-broadcast

Use the no version to disable the function.

Fragmentation
Fragmentation is the process of segmenting a large IP datagram into several smaller pieces. Fragmentation is required when IP must transmit a large packet through a network that transmits smaller packets, or when the MTU size of the other network is smaller. By default, the router does not fragment the packet if the dont-fragment bit (DF bit) is set in the IP header. You can specify that the router not consider the DF bit before determining whether to fragment a packet.

IP Routing E-Series Routers

2-21

Note: It is possible that lower-layer protocols may also set the MTU value. If MTU values set in lower layers differ from the one set at the IP layer, the router always uses the MTU lower-layers value.

ip ignore-df-bit
Use to force the router to ignore the DF bit if it is set in the IP packet header for packets on an interface. Example
host1(config-if)#ip ignore-df-bit

Use the no version to restore the default behavior, which is to consider the DF bit before fragmentation.

ip mtu
Use to set the MTU size of IP packets sent on an interface. The range is 12810240. Example
host1(config-if)#ip mtu 1000

Use the no version to restore the default MTU size.

IP Routing
The Internet is a large collection of hosts that communicate with each other and use routers as intermediate packet switches. Routers forward a packet through the interconnected system of networks and routers until the packet reaches a router that is attached to the same network as the destination host. The router delivers the packet to the specified host on its local network.
Routing Information Tables

A router makes forwarding decisions based on the information that is contained in its routing table. Routers announce and receive route information to and from other routers. They build tables of routes based on the collected information on all the best paths to all the destinations they know how to reach. Each configured protocol has one or more local routing tables, sometimes referred to as a routing information base (RIB). This table is a database local to the protocol that contains all the routes known by that protocol to the prefixes in the table. For example, OSPF might have four different routes to 10.23.40.5.32. Only one of these routes is the best route to that prefix known to OSPF, but all four routes are in the OSPF local routing table.

2-22

CHAPTER 2 Configuring IP

The global routing table is a database maintained by IP on the SRP module. It contains at most one route per protocol to each prefix in the table. Each of these routes is the best route known by a given protocol to get to that prefix. The IP routing table does not, for example, have two OSPF routes to 10.5.11.0/24; it will have only one (if any) OSPF route to that prefix. It might also have a BGP route to the prefix, and a RIP route to the prefix, but no more than one route to a prefix per protocol. IP compares the administrative distances for the routes to each prefix and selects the overall best route regardless of protocol. The best route to 10.5.11.0/24 might be via IS-IS. The best route to 192.168.0.0/16 might be via EBGP, and so on. These selected overall best routes to each prefix are used to create the forwarding table. The forwarding table is pushed to each line module. The line modules use their local instance of the forwarding table to forward the packets that they receive. When the global IP routing table is updated, so are the forwarding tables on the line modules. Figure 2-8 illustrates a very simple network composed of three networks and two routers. The hosts that are attached to each network are not shown, because each router makes its forwarding decisions based on the network number and not on the address of each individual host. The router uses ARP to find the physical address that corresponds to the Internet address for any host or router on networks directly connected to it.
10.1.0.0/16 10.5.0.0/30 10.2.0.0/16

10.1.0.1

NY 10.5.0.2

10.5.0.3

LA
g013456

10.2.0.1

Figure 2-8 Routers in a small network

Table 2-1 and Table 2-2 represent information from the routing tables for routers NY and LA. Each routing table contains one entry for each route for each protocol or route type. Each routing table entry includes the following information: The destination IP network address. The IP address of the next-hop router. The type of network, such as static, directly connected, or the particular protocol.

IP Routing E-Series Routers

2-23

An administrative distance that is used to select the least-cost route among multiple routes to the same destination network. The least-cost (best) route is placed in the forwarding table. The administrative distance is not included in the forwarding table. A metric that is used by protocols to which the route is redistributed to select the least-cost route among multiple routes to the same destination network. The metric is not used to determine the best route to be placed in the forwarding table. The metric is also not listed in the forwarding table.
Table 2-1 Routing table for router NY Destination Network 10.1.0.0/16 10.2.0.0/16 10.2.0.0/16 10.2.0.0/16 10.2.0.0/16 10.5.0.0/30 Next-Hop Router 10.1.0.1 10.5.0.3 10.5.0.3 10.5.0.3 10.5.0.3 10.5.0.2 Route type connected OSPF IS-IS EBGP RIP connected Administrative Distance 0 110 115 20 120 0 Metric 0 10 10 15 5 0

Table 2-2 Routing table for router LA Destination Network 10.1.0.0/16 10.1.0.0/16 10.1.0.0/16 10.2.0.0/16 10.5.0.0/30 Next-Hop Router 10.5.0.2 10.5.0.2 10.5.0.2 10.2.0.1 10.5.0.3 Route type static OSPF RIP connected connected Administrative Distance 1 110 120 0 0 Metric 0 10 4 0 0

Setting the Administrative Distance for a Route

The administrative distance is an integer that is associated with each route known to a router. The distance represents how reliable the source of the route is considered to be. A lower value is preferred over a higher value. An administrative distance of 255 indicates no confidence in the source; routes with this distance are not installed in the routing table. Table 2-3 shows the default distance for each type of source from which a route can be learned.

2-24

CHAPTER 2 Configuring IP

Table 2-3 Default administrative distances for route sources Route Source Connected interface Static route Internal access route Access route External BGP OSPF IS-IS RIP Internal BGP Unknown Default Distance 0 1 2 3 20 110 115 120 200 255

If the IP routing table contains several routes to the same prefixfor example, an OSPF route and a RIP routethe route with the lowest administrative distance is used for forwarding. To set the administrative distance for BGP routes, see Setting the Administrative Distance for a Route in E-Series Routing Protocols Configuration Guide, Vol. 2, Chapter 1, Configuring BGP Routing. To set the administrative distance for RIP, IS-IS, and OSPF, use the following distance commands in Router Configuration mode.
distance
Use to set an administrative distance for RIP or OSPF routes in the range 0255. For RIP routes, the default value is 120. For OSPF routes, the default value is 110. Example
host1(config)#router rip host1(config-router)#distance 100

Use the no version to restore the default value.

distance ip
Use to set the administrative distance for IS-IS routes in the range 1255. Example
host1(config)#router isis host1(config-router)#distance 80 ip

Use the no version to restore the default value of 115.

IP Routing E-Series Routers

2-25

Setting the Metric for a Route

For information on how to set a metric for a route, see E-Series Routing Protocols Configuration Guide, Vol. 1, Chapter 1, Configuring Routing Policy as well as the individual routing protocol chapters in E-Series Routing Protocols Configuration Guide, Vol. 1 and E-Series Routing Protocols Configuration Guide, Vol. 2.
Routing Operations

Routers keep track of next-hop information that enables a data packet to reach its destination through the network. A router that does not have a direct physical connection to the destination checks its routing table and forwards packets to another next-hop router that is closer to that destination. This process continues until the packet reaches its final destination.
Identifying a Router Within an Autonomous System

The router ID is commonly one of the routers defined IP addresses. Although the router ID is, by convention, formatted as an IP address, it is not required to be a configured address of the router. If you do not use the ip router-id command to assign a router ID, the router uses one of its configured IP addresses as the router ID.
ip router-id
Use to assign a router IDa unique identifier that IP routing protocols use to identify the router within an autonomous system. Example
host1(config)#ip router-id 192.32.15.23

Use the no version to remove the router ID assignment.

Establishing a Static Route

You can set a destination to receive and send traffic by a specific route through the network.
ip route
Use to establish a static route. Example
host1(config)#ip route 192.56.15.23 255.255.255.0 192.66.0.1

Use the no version to remove a static route from the routing table.

2-26

CHAPTER 2 Configuring IP

Setting Up Default Routes

A router examines its routing table to find a path for each packet. If the router cannot locate a route, it must discard the packet. You can set up a default route using the special address: 0.0.0.0. If the router cannot locate a path to a destination network and a default route is defined, the router forwards the packet to the default router. For example:
host1(config)#ip route 0.0.0.0 0.0.0.0 192.56.21.3

Default routes are typically used to reduce the size of the routing table. Routing is simplified because the router can test for a few local networks or use the default route. However, a disadvantage of default routes is the possible creation of multiple paths and routing loops.
Setting Up an Unnumbered Interface

An unnumbered interface does not have an IP address assigned to it. Unnumbered interfaces are often used in point-to-point connections where an IP address is not required.
ip unnumbered
Use to set up an unnumbered interface. This command enables IP processing on an interface without assigning an explicit IP address to the interface. You supply an interface location, which is the type and number of another interface on which the router has an assigned IP address. This interface cannot be another unnumbered interface. Example
host1(config-if)#ip unnumbered fastEthernet 0/0

Use the no version to disable IP processing on an interface.

Adding a Host Route to a Peer on a PPP Interface

You can enable the ability to create host access routes on a PPP interface. This feature is useful in B-RAS applications.
ip access-routes
Use to enable the ability to create host access routes on a PPP interface. Example
host1(config-if)#ip access-routes

Use the no version to disable this feature.

IP Routing E-Series Routers

2-27

Enabling Source Address Validation

Source address validation verifies that a packet has been sent from a valid source address. When a packet arrives on an interface, the router performs a routing table lookup using the source address. The result from the routing table lookup is an interface to which packets destined for that address are routed. This interface must match the interface on which the packet arrived. If it does not match, the router drops the packet.
ip sa-validate
Use to enable source address validation. Example
host1(config-if)#ip sa-validate

Use the no version to disable source address validation.

Shutting Down an IP Interface

The router lets you disable an interface at the IP level without removing it.
ip shutdown
Use to shut down an IP interface. Example
host1(config-if)#ip shutdown

Use the no version to restart the interface.

Removing the IP Configuration

You can remove the IP configuration from an interface or subinterface.

no ip interface
Use to remove the IP configuration from an interface or subinterface and disable IP processing on the interface. Example
host1(config-if)#no ip interface

Clearing IP Routes

The router enables you to clear the specified routing entries from the routing table. You must specify the IP address prefix and the mask of the IP address prefix to clear specific routes. You can later reinstall the routes you have cleared.

2-28

CHAPTER 2 Configuring IP

clear ip routes
Use to clear specified IP routes according to an IP prefix or a VPN routing and forwarding (VRF) table. Use an asterisk (*) to clear all dynamic routes from the routing table. Example
host1#clear ip routes *

There is no no version.

ip refresh-route
Use to enable the owning protocols (BGP, IS-IS, OSPF) to reinstall routes removed from the IP routing table by the clear ip routes command. Example
host1#ip refresh-route

There is no no version.

Clearing IP Interfaces

The router enables you to clear the counters on the specified IP interface(s).
clear ip interface
Use to clear a specified IP interface. Example
host1#clear ip interface pos 2/0

There is no no version.

Setting a Baseline

The router enables you to set a baseline for statistics on an IP interface.

baseline ip interface
Use to set a baseline for a specified IP interface. Example
host1#baseline ip interface pos 2/0

There is no no version.

IP Routing E-Series Routers

2-29

Disabling Forwarding of Packets

The router allows you to disable forwarding of packets on an SRP Ethernet interface.
ip disable-forwarding
Use to disable forwarding of packets on the SRP Ethernet interface. The purpose of this command is to maintain router performance by maximizing the CPU time available for routing protocols. Although you can allow data forwarding on the SRP Ethernet interface, router performance will be affected. You see an error message if you try to set this command for interfaces other than the SRP Ethernet interface. Example
host1(config-if)#ip disable-forwarding

Use the no version to enable forwarding of packets on the interface.

Enabling Forwarding of Source-Routed Packets

IP packets are normally routed according to the destination address they contain based on the routing table at each hop through a path. The originator or source of the source-routed packets specifies the path (the series of hops) that the packets must traverse; the source makes the routing decisions. The source can specify either of the following types of source routing: Strict-source routing specifies every hop that the packet must traverse. The specified path consists of adjacent hops. The source generates an ICMP error if the exact path cannot be followed. For example, for a path going from source router A to router B to router C to router D, router A would specify a strict-source route as B, C, D. Loose-source routing specifies a set of hops that the packet must traverse, but not necessarily every hop in the path. That is, the specified hops do not have to be adjacent. For example, for a path going from source router A to router B to router C to router D, router A would specify a loose-source route as B, D or C, D, or B, C, D.
ip source-route
Use to enable forwarding of source-routed packets. Forwarding is enabled by default. Example
host1#ip source-route

Use the no version to disable forwarding of source-routed packets on the interface.

2-30

CHAPTER 2 Configuring IP

Forcing an Interface to Appear Up

The router enables you to force an IP interface to appear as if it is up, regardless of the state of the lower layers.
ip alwaysup
Use to force an IP interface to appear as up regardless of the state of lower layers. This command reduces route topology changes when the network attached to this link is single-homed. Example
host1(config-if)#ip alwaysup

Use the no version to make the interface appear in the current state.

Specifying a Debounce Time

You can set a debounce time that requires an IP interface to be in a given statefor example, up or downfor the specified time before the state is reported. This feature prevents a link that briefly goes up or down from causing an unnecessary topology change, for example by causing an interface down condition.
ip debounce-time
Use to set the interval for which an interface must maintain a given state before the state change is reported. Example
host1(config)#ip debounce-time 5000

Use the no version to remove the debounce time requirement.

Adding a Description

The router enables you to add a text description or an alias to an IP interface or subinterface. Adding a description helps you identify the interface and keep track of interface connections.
Note: The ip description command is replacing the description command to assign a description to an IP interface.

ip description
Use to assign a text description or an alias to an IP interface or subinterface. The description or alias can be a maximum of 256 characters. Use the show ip interface command to display the text description.

IP Routing E-Series Routers

2-31

Examples
host1(config-if)#ip description canada01 ip interface host1(config-subif)#ip description montreal011 ip subinterface

Use the no version to remove the text description or alias.

Enabling Link Status Traps

The router allows you to enable link status traps on an interface.

snmp trap ip link-status
Use to enable link status traps on an interface. Example
host1(config-if)#snmp trap ip link-status

Use the no version to disable link status traps on an interface.

Configuring the Speed

The router enables you to set the speed of an IP interface.

ip speed
Use to set the speed of the interface in bits per second. By default, the speed is determined from a lower-layer interface. Example
host1(config-if)#ip speed 1000

Use the no version to set the speed to the default, 0.

Configuring Equal-Cost Multipath Load Sharing

Equal-cost multipath (ECMP) sets are formed when the router finds routing table entries for the same destination with equal cost. You can add routing table entries manually (as static routes), or they are formed as routers discover their neighbors and exchange routing tables (via OSPF, BGP, and other routing protocols). The router then balances traffic across these sets of equal-cost paths by using one of the following ECMP modes: Hashed uses hashing of source and destination addresses to determine which of the available paths in the ECMP set to use Round-robin distributes packets equally among the available paths in the ECMP set

2-32

CHAPTER 2 Configuring IP

ip multipath round-robin
Use to specify round-robin as the mode for ECMP load sharing on an interface. ECMP uses the round-robin mode when you have configured all interfaces in the set to round-robin. Otherwise, ECMP defaults to hashed mode because round-robin mode could cause reordering of packets. You must explicitly ensure that the possible reordering is acceptable on all the member interfaces by setting them to round-robin mode. Use the no version to set the ECMP mode to the default, hashed. Example
host1(config)#virtual-router router_0 host1:router_0(config)#interface serial 4/0:1/22.22 host1:router_0(config-subif)#ip multipath round-robin host1:router_0(config-subif)#exit host1:router_0(config)#exit host1:router_0#show ip interface serial 4/0:1/22.22 serial4/0:1/22.22 is up, line protocol is up Network Protocols: IP Internet address is 190.121.1.1/255.255.0.0 Broadcast address is 255.255.255.255 Operational MTU = 1600 Administrative MTU = 0 Administrative speed = 0 Operational speed = 64000

Router advertisement = disabled Administrative debounce-time = disabled Operational debounce-time Access routing = disabled Multipath mode = round-robin In Received Packets 0, Bytes 0 In Policed Packets 0, Bytes 0 In Error Packets 0 In Invalid Source Address Packets 0 Out Forwarded Packets 0, Bytes 0 Out Scheduler Drops Packets 0, Bytes 0 = disabled

maximum-paths
Use to control the maximum number of parallel routes that the routing protocol (BGP, IS-IS, OSPF, or RIP) can support. The maximum number of routes can range from 16 for BGP and from 116 for IS-IS, OSPF, or RIP. Example
host1(config-router)#maximum-paths 2

Use the no version to restore the default value, 1 for BGP or 4 for IS-IS, OSPF, or RIP.

Shared IP Interfaces E-Series Routers

2-33

Setting a TTL Value

You can use the ip ttl command to set the TTL (time-to-live) field in the IP header for all IP operations. The TTL specifies a hop count. This configured TTL value can be overridden by other commands that specify a TTL.
ip ttl
Use to set a default value for the IP header TTL field for all IP operations. Example
host1(config)#ip ttl 255

Use the no version to restore the default value, 127.

Shared IP Interfaces
You can create multiple shared IP interfaces over the same layer 2 logical interfacefor example, atm 5/3.101enabling more than one IP interface to share the same logical resources. This capability is useful, for example, when data received in one VPN routing and forwarding (VRF) needs to be forwarded out an interface in another VRF, such as for BGP/MPLS VPNs (see E-Series Routing Protocols Configuration Guide, Vol. 2, Chapter 3, Configuring BGP/MPLS VPNs, for more information). You can configure one or more shared IP interfaces. Data sent over shared interfaces uses the same layer 2 interface. You can configure shared interfaces as you would unshared IP interfaces. Each shared interface has its own statistics. Some layer 2 interfaces require a primary IP interface to negotiate certain IP parametersfor example, IPCP for PPP, ARP for Ethernet, and Inverse ARP for Frame Relay. If you do not configure a primary IP interface in such cases, the layer 2 interface cannot become operationally up. A primary IP interface is the default interface for receiving data that arrives on the layer 2 interface. If you configure shared IP interfaces for the same layer 2 interface as your primary IP interface, by default data received on the layer 2 interface is received on the virtual router corresponding to the primary IP interface. A primary IP interface and all of its shared IP interfaces have the same interface location. You cannot configure a shared IP interface to receive data on the same layer 2 interface as a primary IP interface. You can delete primary and shared IP interfaces independently of each other.

2-34

CHAPTER 2 Configuring IP

You can create a primary IP interface as you do any other IP interface, as shown in the following example:
host1(config)#virtual-router vr-a:vrf-2 host1:vr-a:vrf-2:(config)#interface atm 5/3.101 host1:vr-a:vrf-2:(config-if)#ip address 10.1.1.1 255.255.255.255 host1:vr-a:vrf-2:(config-if)#exit

You do not have to configure a primary IP interface if you do not need one as described above. In the absence of a primary interface, you can still configure shared IP interfaces; however, in this scenario, data received on the layer 2 interface is discarded. You cannot create shared IP interfaces for the following kinds of interface: IP floating interfaces (IP interfaces that stack over MPLS stacked tunnels) Loopback interfaces Null interfaces For information about configuring shared IP interfaces to receive data on the same layer 2 interface as a primary IP interface, see E-Series Broadband Access Configuration Guide, Chapter 8, Configuring Subscriber Interfaces.
Configuring Prefixes for Dynamic Shared IP Interfaces

For the typical BGP/MPLS VPN scenario, shared interfaces are created dynamically based on VPN membership in support of overlapping VPNs. In screen output, dynamic interfaces are distinguished from those you configure statically by a prefix (default prefix is dyn). You can define the prefix with the ip dynamic-interface-prefix command. See E-Series Routing Protocols Configuration Guide, Vol. 2, Chapter 3, Configuring BGP/MPLS VPNs, for more information on VPNs and shared IP interfaces.
Configuring Shared IP Interfaces

To share IP interfaces:
1

Create a layer 2 interface.

host1(config)#interface atm 5/3 host1(config-if)#interface atm 5/3.101

Shared IP Interfaces E-Series Routers

2-35

(Optional) Create a primary IP interface.

host1(config-if)#ip address 10.1.1.1 255.255.255.255 host1(config-if)#exit

Create the shared IP interface.

host1(config)#interface ip si0

Associate the shared IP interface with the layer 2 interface by one of the following methods: Statically
host1(config-if)#ip share-interface atm5/3.101

Dynamically
host1:vr-a:vrf-1(config-if)#ip share-nexthop 10.0.0.1

To fully configure the shared interface, assign an address (or make the interface unnumbered).
host1(config-if)#ip address 2.2.2.2 255.0.0.0

(Optional) For BGP/MPLS VPNs, configure a prefix for the shared IP interfaces.
host1(config-if)#ip dynamic-interface-prefix vrf2 rt66

interface ip
Use to create an IP interface for interface sharing. Use the specified name to refer to the shared IP interface; you cannot use the layer 2 interface to refer to them, because the shared interface can be moved. Example
host1(config)#interface ip si0

Use the no version to delete the IP interface.

ip dynamic-interface-prefix
Use to specify the prefix that distinguishes dynamic shared IP interfaces (created for overlapping BGP/MPLS VPNs) from static shared IP interfaces. You can specify the VRF in which the shared IP interface is created. Dynamic shared IP interfaces are represented in screen output as
ipprefixvrfName-number

where prefix is the prefix you specified, vrfName is the VRF where the primary interface is located, and number is incremented as these interfaces are created.

2-36

CHAPTER 2 Configuring IP

Example
host1:pe1(config)#ip dynamic-interface-prefix vrf pe12 vpnsh host1:pe1(config)#exit host1:pe1#show ip vrf VRF Name pe11 Default RD 1:1 Interfaces null0 atm4/0.2 ipdynpe12-6 pe12 1:2 null0 ipvpnshpe11-5 atm4/0.3

The no version restores the default prefix value, dyn.

ip share-interface
Use to specify the layer 2 interface used by a shared IP interface. The command fails if the layer 2 interface does not yet exist. If you issue this command on a shared IP interface, you cannot issue the ip share-nexthop command for the interface. After creating the shared IP interface, you can configure it as you would any other IP interface. The shared interface is operationally up when the layer 2 interface is operationally up. You can create operational shared IP interfaces in the absence of a primary IP interface. Example
host1(config-if)#ip share-interface atm5/3.101

Use the no version to remove the association between the layer 2 interface and the shared IP interface. You can delete shared and primary IP interfaces independently.

ip share-nexthop
Use to specify that the shared IP interface dynamically tracks a next hop. If the next hop changes, the shared IP interface moves to the new layer 2 interface associated with the IP interface toward the new next hop. If you issue this command on a shared IP interface, you cannot issue the ip share-interface command for the interface. If you specify a virtual router, the command fails if the VR does not already exist. If you do not specify a VR, the current VR is assumed. After creating the shared IP interface, you can configure it as you would any other IP interface. The shared interface is operationally up when the layer 2 interface associated with the specified next hop is operationally up. Use the no version to halt tracking of the next hop.

Shared IP Interfaces E-Series Routers

2-37

Moving IP Interfaces

You cannot directly move a primary IP interface. However, primary IP interfaces created dynamically by MPLS move when the underlying MPLS minor interface moves or changes. You can move an IP shared interface from one layer 2 interface to another by issuing the ip share-interface command to specify a different layer 2 interface. Moving an IP interface does not affect interface statistics, packets forwarded through the interface, or policies attached to the IP interface.
Example

The following commands create shared interface si0 on the layer 2 interface atm5/3.101:
host1(config)#virtual-router vr-a:vrf-1 host1:vr-a:vrf-1(config)#interface ip si0 host1:vr-a:vrf-1(config-if)#ip share-interface atm5/3.101 host1:vr-a:vrf-1(config-if)#exit

The following commands move shared interface si0 to the layer 2 interface atm5/3.201:
host1:vr-a:vrf-1(config)#interface ip si0 host1:vr-a:vrf-1(config-if)#ip share-interface atm5/3.201

IP Shared Interface Statistics

Each shared interface has its own statistics. Packets transmitted on a shared IP interface are always counted only in the shared IP interface.
Subscriber Interfaces

A subscriber interface is an extension of a shared IP interface. Shared IP interfaces are unidirectionalthey can transmit but not receive traffic. In contrast, subscriber interfaces are bidirectionalthey can both receive and transmit traffic. For details about configuring and using subscriber interfaces, see E-Series Broadband Access Configuration Guide, Chapter 8, Configuring Subscriber Interfaces.

2-38

CHAPTER 2 Configuring IP

Internet Control Message Protocol

IP was not designed to provide reliable delivery service. The higher-layer protocols that operate as clients of IP implement their own reliability procedures if reliable communications are required. Internet Control Message Protocol (ICMP) provides a mechanism that enables a router or destination host to report an error in data traffic processing to the original source of the packet. ICMP messages provide feedback about problems that occur in the communication environment. ICMP messages are sent only when errors occur in either the processing of an unfragmented data packet or the first fragment of a fragmented data packet. ICMP messages are encapsulated as part of the data portion of an IP data packet and are routed like any other IP data packets. Thus, there is no guarantee to the sender of an ICMP message that it will be delivered to its destination. The router supports ICMP redirects. When a packet enters an IP interface and exits the same interface, the router may send an ICMP message to the originator of the packet. This message notifies the originator that there is a better gateway for the assigned destination address. The ip redirects command (used in Interface Configuration mode) lets you enable or disable ICMP redirects. This attribute is enabled by default. If it is enabled on the IP interface and if the internal ICMP redirect queue is not full, the router sends an ICMP redirect packet to the originator. When the originator receives the ICMP redirect notification, it is up to the originator to start using the better gateway.
ICMP Tasks

You can enable the following ICMP features: ICMP Router Discovery Protocol (IRDP) ICMP netmask reply Sending of IP redirects Generation of ICMP unreachable messages

Internet Control Message Protocol E-Series Routers

2-39

ip irdp
Use to enable IRDP processing on an interface. Example
host1(config-if)#ip irdp

Use the no version to disable the function.

ip mask-reply
Use to enable ICMP netmask reply. Example
host1(config-if)#ip mask-reply

Use the no version to disable the function.

ip redirects
Use to enable the sending of redirect messages if software is forced to resend a packet through the same interface on which it was received. Example
host1(config-if)#ip redirects

Use the no version to disable the sending of redirect messages.

ip unreachables
Use to enable the generation of an ICMP unreachable message when a packet is received that the router cannot deliver. Example
host1(config-if)#ip unreachables

Use the no version to disable the function.

Specifying a Source Address for ICMP Messages

By default, ICMP uses the IP address of the outgoing interface as the source IP address for the ICMP message. However, you can use the ip icmp update-source command to instruct ICMP to use an already configured interface or a specified IP address, as the source address of the ICMP message. For example, you can specify that ICMP use Fast Ethernet interface 1 in slot 0 as the source for any messages that it sends:
host1(config)#ip icmp update-source fastEthernet 0/1

You must use an already configured interface or an existing IP address when using the ip icmp update-source command. Also, you cannot specify a multicast address when using this command.

2-40

CHAPTER 2 Configuring IP

ip icmp update-source
Use to define an update source address for all ICMP messages that the E-series router generates from the specified interface. Example
host1#ip icmp update-source 192.35.42.1

Use the no version to disable the function.

Reachability Commands
Use the ping and traceroute commands to determine reachability of destinations in the network. Use the ping command to send an ICMP or ICMPv6 echo request packet. In the following example, the request packet is sent to IP address 192.35.42.1, with a packet count of 10 and a timeout value of 10 seconds:
host1#ping 192.35.42.1 10 timeout 10

Use the traceroute command to discover routes that router packets follow when traveling to their destination. In the following example, the trace destination IP address is 192.56.20.1, the maximum number of hops of the trace is 20, and the timeout value is 10 seconds:
host1#traceroute 192.56.20.1 20 timeout 10

ping
Use to send an ICMP or ICMPv6 echo request packet to the IP address that you specify. You can specify a VRF context. Use the source interface keywords to specify a source interface other than the one from which the probe originates. Use the source address keywords to specify a source IP address other than the one from which the probe originates. You can specify the following options:

packetCount number of packets to send to the destination IP address. If

you specify a zero, echo requests packets are sent indefinitely.

data-pattern sets the type of bits contained in the packet to all ones, all
zeros, a random mixture of ones and zeros, or a specific hexadecimal data pattern that can range from 0x00xFFFFFFFF. The default is all zeros.

data-size sets the number of bytes comprising the IP packet and reflected
in the IP header in the range 064000; the default is 100 bytes

extended header attributes set the following:

A value to be set in the type of service (ToS) byte, in the range 0255, to support quality of service (QoS) offerings

Reachability Commands E-Series Routers

2-41

Dont-fragment bit to prevent IP from fragmenting the packet if it is too long for the MTU of a given link; if the nonfragmented packet cannot be delivered, it is discarded. Strict-source or loose-source routing, including the IP address of the hops the packets must traverse. For loose-source-route, you specify some or all of the hops, but they do not have to be adjacent. For strict-source-route, you must specify every adjacent hop through which the packet must traverse. The IP addresses to be recorded for a specified number of routers that the packets traverse The time that a packet traverses a router to be recorded for a specified number of routers An interface type and specifier of a destination address on the router that is configured for external loopback; the command succeeds only if the specified interface is configured for external loopback

sweep-interval specifies the change in the size of subsequent ping

packets while sweeping across a range of sizes. For example, you can configure the sweep interval to sweep across the range of packets from 100 bytes to 1000 bytes in increments equal to the sweep interval. By default the router increments packets by one byte; for example, it sends 100, 101, 102, 103, ... 1000. If the sweep interval is 5, the router sends 100, 105, 110, 115, ... 1000.

sweep-sizes enables you to vary the sizes of the echo packets being sent.
This capability is useful for determining the minimum sizes of the MTUs configured on the nodes along the path to the destination address. Determining the minimum size reduces packet fragmentation, which contributes to performance problems. The default is not to sweep (all packets are the same size).

timeout sets the number of seconds to wait for an ICMP echo reply packet
before the connection attempt times out

ttl sets the time-to-live hop count in the range 1255; the default is 32
The following characters can appear in the display after issuing the ping command:

! reply received . timed out while waiting for a reply ? unknown packet type A address mask request message a address mask reply message D router discovery advertisement message d router discovery request message H host unreachable I information request message i information reply message L TTL expired message M could not fragment, DF bit set m parameter problem message

2-42

CHAPTER 2 Configuring IP

N network unreachable P protocol unreachable Q source quench r redirect message T timestamp request message t timestamp reply message U destination unreachable
host1(config)#interface serial 5/2:1/1 host1(config-if)#ip address 172.16.1.1 255.255.255.0 host1(config-if)#exit host1#ping 172.16.1.1 extended interface serial 5/2:1/1

Example

There is no no version.

traceroute
Use to discover the routes that router packets follow when traveling to their destination. You can specify:

A VRF context Destination IP or IPv6 address Source interface for each of the transmitted packets Source address for each of the transmitted packets Maximum number of hops of the trace and a timeout value Size of the IP packets (not the ICMP payload) in the range 064000 bytes sent with the traceroute command. Including a size might help locate any MTU problems that exist between your router and a particular device. DF bit for the transmitted packets

Extended IP header attributes, including the ToS byte and whether to set the
You can also force transmission of the packets on a specified interface regardless of what the IP address lookup indicates. Example
host1#traceroute 172.20.13.1 20 timeout 10

There is no no version.

Response Time Reporter

The Response Time Reporter (RTR) feature enables you to monitor your networks performance and its resources. It does this by measuring response times and the availability of your network devices.

Response Time Reporter E-Series Routers

2-43

Configuration Tasks

To configure RTR:
1 2

Configure the probe typean echo probe or a path echo probe. (Optional) Configure probe characteristics: frequency hops-of-statistics-kept (path echo) max-response-failure (path echo) operations-per-hop (path echo) owner request-data-size samples-of-history-kept tag timeout (echo) tos

Note: You cannot set any of these characteristics until you have set the probe type. The default values of these characteristics depend on the type of the entry.

3 4 5 6

(Optional) Set reaction conditions. Schedule the probe. (Optional) Capture statistics and collect error information. (Optional) Collect history.

Note: RTR configuration is associated with a specific virtual router, distinct from any other virtual router.

Configuring the Probe Type

To begin configuring RTR, enter RTR Configuration mode and configure the probe typeeither an echo probe or a path echo probe.
rtr
Use to configure an RTR probe and to enter RTR Configuration mode. Example
host1(config)#rtr 1

Use the no version to delete all configuration information for an RTR probe.

2-44

CHAPTER 2 Configuring IP

type
Use to set an echo or path echo probe:

echo limited to end-to-end RTR operations; corresponds to SNMP ping pathEcho finds a path to the destination and echoes each device in the
path; corresponds to SNMP traceroute You must specify this value before any other. If you change the type for an existing RTR entry, all values are reset, including the administrative status. There is no default value. More than one RTR entry can become active, provided each entrys target address is unique. If you use a target address already configured for another RTR entry that is active, the test will not run if both entries are in the same virtual router. If they are in distinct virtual routers, however, there is no restriction. Example
host1(config-rtr)#type echo protocol ipIcmpEcho 10.10.0.9

Use the no version to remove the type configured for the probe.

Configuring Optional Characteristics

In addition to configuring the probes type, you can configure the probe characteristics presented in Table 2-4.
Table 2-4 Probe characteristics Characteristic frequency hops-of-statistics-kept max-response-failure operations-per-hop owner request-data-size samples-of-history-kept tag timeout tos Description Time between tests (in seconds) Hops per path for which statistics are gathered Maximum number of consecutive failures Number of probes per hop Owner of the probe Requests payload size Maximum number of history samples User-defined tag Probe timeout (in milliseconds) A value for the TOS byte

frequency
Use to set the rate (in seconds) the RTR probe uses to start a response time operation. Example
host1(config-rtr)#frequency 90

Use the no version to return to the default value, 60 seconds.

Response Time Reporter E-Series Routers

2-45

operations-per-hop
Use to set the number of RTR probe operations sent to a given hop. You can apply this option only to a pathEcho type. Example
host1(config-rtr)#operations-per-hop 5

Use the no version to return to the default, 3.

owner
Use to identify the owner of the probe. If the SNMP agent is the owner of the probe, the owners name may begin with agent. Example
host1(config-rtr)#owner 192.10.27.6 rtc.boston.com 555.1212

Use the no version to return to the default, no owner.

request-data-size
Use to set the protocol data size in the request packet. Example
host1(config-rtr)#request-data-size 20

Use the no version to return to the default value, 1 byte.

tag
Use to set an identifier for the probe. Example
host1(config-rtr)#tag westford

Use the no version to return to the default, no tag.

timeout
Use to set the time (in milliseconds) that the probe waits for a response. You can apply this option only to an echo type. Do not set the value for timeout to more than the value set for frequency. If you do, it will be ignored. Example
host1(config-rtr)#timeout 3000

If you set the timeout to 0, no timeout is set. Use the no version to return to the default value, 5000 milliseconds.

2-46

CHAPTER 2 Configuring IP

tos
Use to set the type of service (ToS) byte in the probes IP header. Example
host1(config-rtr)#tos 16

Use the no version to return to the default value, 0. The default applies to both the echo and pathEcho types.

Capturing Statistics

The primary objective of RTR is to collect statistics and information on network performance. You can control the number and type of statistics collected.
hops-of-statistics-kept
Use to set the number of hops per path for which statistics are collected. When the number of hops reaches the specified number (that is, size), no additional statistical information on the path is stored. This option applies only to pathEcho entries. Example
host1(config-rtr)#hops-of-statistics-kept 5

To turn off this feature, set the value to 0. Use the no version to set the default, 16 hops.

max-response-failure
Use to set the maximum number of consecutive failures to respond to a probes request. When the maximum number is reached, the test stops. This option applies only to pathEcho entries. Example
host1(config-rtr)#max-response-failure 2

To turn off this feature, set the value to 0. Use the no version to set the default, 5 consecutive failures.

Collecting History

RTR can collect data samples for a given probe. These samples are referred to as history data. When RTR collects history, it refers to tests. A test is the lifetime of a probe operation.

Response Time Reporter E-Series Routers

2-47

samples-of-history-kept
Use to set the maximum number of entries in the history table for each RTR probe. This command enables you to control the number of samples saved in the history table. Because collecting history increases memory usage, you should do so only when there is a problem in your network. Example
host1(config-rtr)#samples-of-history-kept 5

If you set the number of samples to 0, no samples will be kept. Use the no version to set the default, 16 hops for pathEcho type; 1 hop for echo type.

Setting Reaction Conditions

You can set the RTR probe to react to events that take place and to send notifications about these events.
Note: The only no version for all the rtr reaction-configuration commands is no rtr reaction-configuration rtrIndex. Use the no version to clear all traps. This works for all the options.

rtr reaction-configuration action-type

Use to specify the type of actions to occur depending on the events controlled by RTR. The default is to take the traps of enabled events. Example
host1(config)#rtr reaction-configuration 1 action-type trapOnly

There is no no version.

rtr reaction-configuration operation-failure

Use to enable the operation-failure reaction. The operation-failure event is triggered when a number of consecutive probe operations are not received or when they are received after a timeout. Example
host1(config)#rtr reaction-configuration 1 operation-failure 3

There is no no version.

rtr reaction-configuration path-change

Use to enable the path-change reaction. The path-change event is triggered when a change is detected in the hop table. At most, there can be one such event per test.

2-48

CHAPTER 2 Configuring IP

Example
host1(config)#rtr reaction-configuration 1 path-change

There is no no version.

rtr reaction-configuration test-completion

Use to enable test-completion reaction. The test-completion event is triggered when a test is completed successfully.

For echo, a successful test means that all probes were sent. For pathEcho, a successful test means that the destination was reached at
least once. At most, there can be one such event per test. Example
host1(config)#rtr reaction-configuration 1 test-completion

There is no no version.

rtr reaction-configuration test-failure

Use to enable test-failure reaction. The test-failure event is triggered when a test fails. Failure is determined in the following ways:

If Echo, this event is triggered after testFailureValue probes are either not
received or are received after a timeout.

If PathEcho, this event is triggered when the test ends and no responses are
received from the destination. At most, there can be one such event per test. Example
host1(config)#rtr reaction-configuration 1 test-failure

There is no no version.

Scheduling the Probe

When you have configured the RTR probe, you must schedule the operation to begin collecting statistics and other information on problems that may arise.
rtr schedule
Use to create an RTR schedule. Example
host1(config)#rtr schedule 5

Use the no version to stop the test. The no version stops the probe operation by putting it in the pending state. The no version also resets the restart-time attribute and the life attribute.

Response Time Reporter E-Series Routers

2-49

rtr schedule life

Use to schedule the tests length. Life is a value that depends on the type of the RTR entry; it is not a length of time.

If the type is echo, life relates to the number of probes sent until a test
finishes.

If the type is pathEcho, life relates to the maximum number of hops used by
the traceRoute trap. Example
host1(config)#rtr schedule 5 life 1800

Use the no version to stop the test. The no version stops the probe operation by putting it in the pending state. The no version also resets the life attribute.

rtr schedule restart-time

Use to restart a test. Example
host1(config)#rtr schedule 5 restart-time 15

Use the no version to stop the test. The no version stops the probe operation by putting it in the pending state. The no version also resets the restart-time attribute.

rtr schedule start-time

Use to schedule a tests starting time. Example
host1(config)#rtr schedule 5 start-time now

Use the no version to stop the test. The no version stops the probe operation by putting it in the pending state.

Shutting Down the Probe

You can shut down the RTR probe operation.

rtr reset
Use to shut down the RTR, stop all probe operations, and clear the RTR configuration for the given virtual router. We recommend that you use this command only in extremely serious situations, such as problems with the configurations of a number of probe operations. Example
host1(config)#rtr reset

2-50

CHAPTER 2 Configuring IP

Monitoring RTR

You can monitor RTR by displaying status and configuration information.

show rtr application
Use to display global information about RTR. Field descriptions

numberOfEntries number of RTR entries according to type entriesEnabled RTR entries with administrative status enabled entriesActive RTR entries with operational status enabled
Example
host1#show rtr application numberOfEntries -----------------echo pathEcho total 1 1 2 entriesEnabled ----------------1 1 2 entriesActive --------------1 1 2

show rtr collection-statistics

Use to display statistical information for a particular probe operation or for all operations. Field descriptions

rtrIndex index number of the RTR probe operationsSent number of probe operations sent operationsRecvd number of probe operations received lastGoodResponse time when last valid probe operation was received operStatus operational status of the probe: enabled, disabled minRtt minimum round-trip time in milliseconds maxRtt maximum round-trip time in milliseconds avgRtt average round-trip time in milliseconds rttSumSqr sum of the square of all round-trip times in milliseconds testAttempts number of times the test ran testSuccesses number of times the test ran successfully currentHop current hop (TTL) used in the test currentOperation current probe operation index sent to the hop

Response Time Reporter E-Series Routers

2-51

Example

host1#show rtr collection-statistics Echo Entries: rtrIndex ---------1 rtrIndex ---------1 operationsSent -------------5208 operStatus ---------enabled PathEcho Entries: rtrIndex ---------2 rtrIndex ---------2 testAttempts -----------156 operStatus ---------enabled testSuccesses ------------156 currentHop ---------2 lastGoodResponse ---------------08/30/2000 05:09 currentOperation ---------------4 operationsRcvd -------------5187 minRtt -----0 lastGoodResponse ----------------

08/30/2000 05:09 avgRtt -----3 rttSumSqr --------7109208

maxRtt -----1785

show rtr configuration

Use to display the configuration for a particular probe or for all probes. Field descriptions

rtrIndex index number of the RTR probe type probe type: echo, pathEcho targetAddress address of the probes target reqSize protocol data size in the request packet freq rate in seconds that the RTR probe uses to start a response time operation life length of the test source interface from which the probe is sent restartTime restart time of the test in seconds owner owner of the probe samples maximum number of entries saved in the history table for this RTR probe admin administrative status of the probe: enabled, disabled tos setting of the type of service (ToS) byte in the probes IP header reactionConfiguration RTR reactions that are configured for the probe operFail operation failure event is triggered when this number of consecutive probe operations is not received or when the operations are received after a time-out

2-52

CHAPTER 2 Configuring IP

testFail test failure event is triggered when this number of probe operations
is not received or when the operations are received after a timeout

timeout time in milliseconds that the probe waits for a response tag identifier configured for the probe operPerHop number of RTR probe operations sent to a given hop maxFail maximum number of consecutive failures to respond to a probes request. When the maximum number is reached, the test stops. Applies only to pathEcho entries. this number is reached, no additional statistical information on the path is stored. Applies only to pathEcho entries.

hopKpt number of hops per path for which statistics are collected. When

rtrIndex ------1 2 rtrIndex ---------1 2 rtrIndex ---------1 2 rtrIndex ---------1 rtrIndex ---------2 samples ------5 5 operFail -------1 operPerHop ---------5 maxFail ------3 admin -------enabled enabled testFail -------1 tos --0 0 timeout ------10000 hopKpt -----16 tag -----tag ------

Example
type targetAddress reqSize freq -----------10.5.0.200 10.5.0.11 -----1 1 1 1 owner ---------life 20 30

host1#show rtr configuration -------echo pathEcho source -----------------fastEthernet0/0 ------ -----

restartTime ----------10 60

reactionConfiguration ------------------------

show rtr history

Use to display history (data samples) for a particular probe or for all probes. Field descriptions

rtrIndex index number of the RTR probe operation index number of the probe operation rtt round-trip time in milliseconds statusDescription concurrentLimitFail target already being used by another rtrIndex ifInactiveToTarget interface used to reach target is not operational

Response Time Reporter E-Series Routers

2-53

invalidHostAddress target address is not supported noRouteToTarget target address is not reachable responseReceived probe operation replied by target requestTimedOut probe operation not replied to by target or reply received after timeout unknownDestAddress target address is invalid unableToResolveName target address could not be looked up

timeStamp date and time when the RTR entry was created test index number of the pathEcho test hop index number of the hop count operation index number of the probe operation address address of router at the hop

Example

host1#show rtr history Echo Entries: rtrIndex -------1 1 1 1 1 operation --------5476 5477 5478 5479 5480 rtt --0 0 0 0 0 statusDescription timeStamp ----------------- --------responseReceived responseReceived responseReceived responseReceived responseReceived 08/30/2000 05:17 08/30/2000 05:17 08/30/2000 05:17 08/30/2000 05:17 08/30/2000 05:17

PathEcho Entries: rtrIndex ---------2 2 2 2 2 rtrIndex ---------2 2 2 2 2 test -----165 165 165 165 165 test -----165 165 165 165 165 hop ---3 3 3 3 3 hop ---3 3 3 3 3 operation --------5 1 2 3 4 operation --------5 1 2 3 4 rtt -----0 0 0 0 0 timeStamp ---------------08/30/2000 20:39 08/30/2000 20:40 08/30/2000 20:40 08/30/2000 20:40 08/30/2000 20:40 statusDescription ----------------responseReceived responseReceived responseReceived responseReceived responseReceived address -------10.5.0.11 10.5.0.11 10.5.0.11 10.5.0.11 10.5.0.11

2-54

CHAPTER 2 Configuring IP

show rtr hops

Use to display RTR hops information. Field descriptions

rtrIndex index number of the RTR probe hop index number of the hop count address address of the router at the hop minRtt minimum round-trip time in milliseconds maxRtt maximum round-trip time in milliseconds avgRtt average round-trip time in milliseconds rttSumSqr sum of the square of all round-trip times in milliseconds operationsSent number of probe operations sent operationsRcvd number of probe operations received lastGoodResponse time when last valid probe operation was received

Example

host1#show rtr hops rtrIndex ---------2 2 hop ---1 2 address 192.168.1.1 10.2.0.3 minRtt 1 0 maxRtt -----276 1109 avgRtt -----1 2 rttSumSqr -------955363 10094451

----------- ------

rtrIndex hop operationsSent operationsRcvd -------- --- -------------- -------------2 2 1 2 36985 30717 36838 21494

lastGoodResponse -----------09/18/2000 20:20 09/18/2000 20:20

show rtr operational-state

Use to display RTR operational information. Field descriptions

rtrIndex index number of the RTR probe type type of RTR probe: echo, pathEcho entryStatus if the entry was created via the SNMP DISMAN MIB, the row
may be partially constructed; if that is the case, the CLI displays notReady as the entrys status

adminStatus derived from the rtr schedule start-time command; if the

option is now, the status is enabled; if the option is pending, the status is disabled

operStatus enabled only if entryStatus and adminStatus are enabled and

the test is running; operStatus remains enabled if the test finishes and restart time is not 0

Monitoring IP E-Series Routers

2-55

Example
host1#show rtr operational-state rtrIndex ---------1 2 type -------echo pathEcho entryStatus ----------active active adminStatus enabled enabled operStatus enabled enabled ----------- ----------

Monitoring IP
This section shows how to set a statistics baseline and use the show commands to view your IP configuration and monitor IP interfaces and statistics.
Establishing a Baseline

IP statistics are stored in system counters. The only way to reset the system counters is to reboot the router. You can, however, establish a baseline for IP statistics by setting a group of reference counters to zero.
baseline ip
Sets a statistics baseline for IP statistics. The router implements the baseline by reading and storing the statistics at the time the baseline is set and then subtracting this baseline whenever baseline-relative statistics are retrieved. Use the delta keyword with IP show commands to specify that baselined statistics are to be shown. Example
host1#baseline ip

There is no no version.

baseline ip tcp
Sets a statistics baseline for TCP statistics. The router implements the baseline by reading and storing the statistics at the time the baseline is set and then subtracting this baseline whenever baseline-relative statistics are retrieved. Use the delta keyword with IP show commands to specify that baselined statistics are to be shown. Example
host1#baseline ip tcp

There is no no version.

2-56

CHAPTER 2 Configuring IP

baseline ip udp
Sets a statistics baseline for UDP statistics. The router implements the baseline by reading and storing the statistics at the time the baseline is set and then subtracting this baseline whenever baseline-relative statistics are retrieved. Use the delta keyword with IP show commands to specify that baselined statistics are to be shown. Example
host1#baseline ip udp

There is no no version.

IP show Commands

You can monitor the following aspects of IP using show ip commands:

To Display Access lists ARP General IP information IP addresses Community lists Command show access-list show ip as-path-access-list show arp show ip show ip address show ip community-list

Prefix for the names of dynamic IP shared show ip dynamic-interface-prefix interfaces Routing table Interfaces Shared IP interfaces Protocols Redistribution policies Routes Interfaces and next hops Static routes TCP statistics Traffic UDP statistics Profiles Route maps show ip forwarding-table slot show ip interface show ip interface shares show ip protocols show ip redistribute show ip route show ip route slot show ip static show ip tcp statistics show ip traffic show ip udp statistics show ip profile show route-map

Monitoring IP E-Series Routers

2-57

To set a statistics baseline for IP interfaces, use the baseline ip tcp and baseline ip udp commands. Use the delta keyword with IP show commands to specify that baselined statistics are to be shown. You can use the output filtering feature of the show command to include or exclude lines of output based on a text string that you specify. See E-Series System Basics Configuration Guide, Chapter 2, Command Line Interface, for details.
show access-list
Use to display information about access lists, including the instances of each access list. Example
host1#show access-list IP Access List 1: permit ip 172.31.192.217 0.0.0.0 0.0.0.0 255.255.255.255 permit ip 12.40.0.0 0.0.0.3 0.0.0.0 255.255.255.255 deny ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 IP Access List 2: permit ip 172.19.0.0 0.0.255.255 0.0.0.0 255.255.255.255 deny ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 IP Access List 10: permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 IP Access List 11: deny ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255

show arp
Use to display information about ARP. Field descriptions

Address IP address of the entry Age time to live for this entry in seconds Hardware Addr physical (MAC) address of the entry Interface interface-specifier of the entry (for example, fastEthernet6/0 is an Ethernet interface on slot 6, port 0) command, rather than just an arp command.

* indicates that an ARP entry was added because of an arp-validate

Example
host1#show arp Address 172.31.192.217 192.168.1.0 192.168.1.1 192.168.1.217 192.168.1.255 Age 21340 20730 12550 21600 21600 Hardware Addr Interface 00d0.58f2.67e0 loopback1 00e0.09ed.5312 fastEthernet6/0 * 00e0.b06a.4c75 fastEthernet6/0 * 0090.1a00.0230 fastEthernet6/0 * 00f0.c2d1.1200 fastEthernet6/0 *

2-58

CHAPTER 2 Configuring IP

12.40.0.2 172.18.2.1 172.18.2.2 172.31.192.206

24320 21600 21600 21600

0020.6393.4233 atm5/0.1 0020.bed2.8738 atm5/1.1 0020.5b91.60f2 atm5/1.1 00d0.43b5.1032 atm5/1.1

show ip
Use to display general information on IP. Example
host1#show ip IP Router Id: 192.168.1.155 Router Name: default Default TTL: 60 Reassemble Timeout: 30

show ip address
Use to display detailed or summary information on a particular IP interface. Field descriptions

Network Protocols network protocols configured on this interface Internet address IP address and subnet mask of this interface Broadcast address broadcast address of this interface Operational MTU MTU of this interface Administrative MTU value of the MTU if it has been administratively overridden using the configuration

Operational speed speed of the interface Administrative speed value of the speed if it has been administratively
overridden using the configuration

Discontinuity Time value of the SysUpTime when the interface statistics

last started being valid

Router advertisement status of router discovery advertisement: enabled,

disabled

Proxy Arp status of the feature: enabled, disabled Administrative debounce-time configured time in milliseconds that an
interface event has to be in the same state before being reported

Operational debounce-time time in milliseconds that an interface event has

to be in the same state before being reported

Access routing access route addition: enabled, disabled Multipath mode equal cost multipath mode method: hashed, round-robin In Received Packets, Bytes total number of packets and bytes received on
this interface Unicast Packets, Bytes unicast packets and bytes received on the IP interface; link-local received multicast packets (non-multicast-routed frames) are counted as unicast packets Multicast Packets, Bytes multicast packets and bytes received on the IP interface which are then multicast-routed are counted as multicast packets

Monitoring IP E-Series Routers

2-59

In Policed Packets, Bytes packets and bytes that were received and
dropped because of rate limits

In Error Packets number of packets received with errors In Invalid Source Address Packets packets received with invalid source
address (for example, spoofed packets)

In Discarded Packets packets received that were discarded for reasons

other than rate limits, errors, and invalid source address

Out Forwarded Packets, Bytes total number of packets and bytes that
were sent from this interface Unicast Packets, Bytes unicast packets and bytes that were sent from this interface Multicast Routed Packets, Bytes multicast packets and bytes that were sent from this interface

Out Scheduler Drops Committed Packets, Bytes outgoing packets and

bytes dropped by the scheduler even though they had a committed traffic contract

Out Scheduler Drops Conformed Packets, Bytes outgoing packets and

bytes dropped by the scheduler even though they conformed to the traffic contract

Out Scheduler Drops Exceeded Packets, Bytes outgoing packets and

bytes that were dropped by the scheduler because they exceeded the contract

Out Policed Packets, Bytes outgoing packets and bytes dropped because
of rate limiters

Out Discarded Packets outgoing packets that were discarded for reasons
other than those dropped by the scheduler and those dropped because of rate limits Example
host1#show ip address 10.6.136.73 fastEthernet0/0 is up, line protocol is up Network Protocols: IP Internet address is 10.6.136.73/255.255.128.0 Broadcast address is 255.255.255.255 Operational MTU = 0 Operational speed = 1 Administrative MTU = 0 Administrative speed = 0

Discontinuity Time = 5766 Router advertisement = disabled Proxy Arp = disabled Administrative debounce-time = 10 mSecs Operational debounce-time Access routing = disabled Multipath mode = hashed In Received Packets 2849, Bytes 759428 Unicast Packets 2849, Bytes 759428 Multicast Packets 0, Bytes 0 = disabled

2-60

CHAPTER 2 Configuring IP

In Policed Packets 0, Bytes 0 In Error Packets 0 In Invalid Source Address Packets 0 In Discarded Packets 0 Out Forwarded Packets 1866, Bytes 84650 Unicast Packets 1866, Bytes 84650 Multicast Routed Packets 0, Bytes 0 Out Scheduler Drops Committed Packets 0, Bytes 0 Out Scheduler Drops Conformed Packets 0, Bytes 0 Out Scheduler Drops Exceeded Out Policed Packets 0, Bytes 0 Out Discarded Packets 0 Packets 0, Bytes 0

show ip as-path-access-list
Use to display information about AS-path access lists. Example
host1#show ip as-path-access-list AS Path Access List 1: permit deny permit deny permit deny deny permit deny .* .* _109$ ^108_ .* _109$ .* _109_ .* AS Path Access List 2: AS Path Access List 3:

AS Path Access List 4:

AS Path Access List 10:

show ip community-list
Use to display routes that are permitted by a BGP community list. Example
host1#show ip community-list Community List 1: permit 752877569 (11488:1) permit 752877570 (11488:2) permit 752877571 (11488:3) permit 752877572 (11488:4) Community List 2: permit 4294967043 (local-as)

Monitoring IP E-Series Routers

2-61

show ip dynamic-interface-prefix
Use to display the prefix for the names of dynamic IP shared interfaces. Example
host1#show ip dynamic-interface-prefix Dynamic Interface Prefix: dyn

show ip forwarding-table slot

Use to display details on the forwarding table for a specific line module, including the memory used by each virtual router configured on the line module and free memory available on the module. The Load Errors field records any failed routing table distribution attempt as an error. Attempts can fail for many reasons during normal operation; a failed attempt does not necessarily indicate a problem. It is normal to see many Load Errors per day. If the Status field does not indicate Valid, then the routing table distribution has failed constantly for that VR. It is normal and appropriate behavior for the Status field to indicate Valid while the Load Error field increases daily. Field descriptions

Free Memory amount of routing table memory free on the line module, in
kilobytes

Virtual Router name of the virtual router(s) configured on the line module Memory (KB) amount of routing table memory consumed by the virtual
router, in kilobytes

Load Errors count of errors made while loading the routing table on the line
module

Status indicates whether the routing table for the virtual router is valid
Example
host1#show ip forwarding-table slot 9 Free Memory = 3,166KB Virtual Router ---------------vr1 vr2 vr3 vr4 default Memory (KB) --------4128 3136 2256 1512 1024 ------------0 0 0 0 0 -------Valid Valid Valid Valid Valid Load Errors Status

-----------------------------------------------------------

show ip interface
Use to display the current state of all IP interfaces or the IP interfaces you specify. The default is all interface types and all interfaces. Field descriptions

interface interface type and interface specifier

2-62

CHAPTER 2 Configuring IP

interface status status of the interface line protocol status of the line protocol Description text description or alias if configured for the interface Link up/down trap status of SNMP link up/down traps on the interface Internet address IP address of the interface IP Statistics Rcvd: local destination frames with this router as their destinations hdr errors number of packets containing header errors addr errors number of packets containing addressing errors unkn proto number of packets received containing unknown protocols discards number of discarded packets

IP Statistics Frags:
reasm ok number of reassembled packets reasm req number of requests for reassembly reasm fails number of reassembly failures frag ok number of packets fragmented successfully frag req number of frames requiring fragmentation frag fails number of packets unsuccessfully fragmented

IP Statistics Sent:
generated number of packets generated no routes number of packets that could not be routed discards number of packets that could not be routed that were discarded

ICMP Statistics Rcvd:

errors error packets received dst unreach packets received with destination unreachable time exceed packets received with time-to-live exceeded param probs packets received with parameter errors src quench source quench packets received redirect receive packet redirects echo req echo request (ping) packets echo rpy echo replies received timestamp req requests for a timestamp timestamp rpy replies of timestamp requests addr mask req mask requests sent addr mask rpy mask replies sent

ICMP Statistics Sent:

errors error packets sent dst unreach packets sent with destination unreachable time excd packets sent with time-to-live exceeded param probs packets sent with parameter errors

Monitoring IP E-Series Routers

2-63

src quench source quench packets sent redirect send packet redirects timestamp req requests for a timestamp timestamp rpy replies to timestamp requests addr mask req address mask requests addr mask rpy address mask replies

In Received Packets, Bytes total number of packets and bytes received on

the IP interface Unicast Packets, Bytes unicast packets and bytes received on the IP interface; link-local received multicast packets (non-multicast-routed frames) are counted as unicast packets Multicast Packets, Bytes multicast packets and bytes received on the IP interface which are then multicast-routed are counted as multicast packets

In Forwarded Packets, Bytes packets and bytes forwarded into an output

IP interface

In Total Dropped Packets, Bytes total number of packets and bytes that
were dropped on the interface; sum of all the drop reasons indented below this field In Policed Packets packets discarded on a receive IP interface due to token bucket limiting In Invalid Source Address Packets packets discarded on a receive IP interface due to invalid IP source address (sa-validate enabled) In Error Packets packets discarded on a receive IP interface due to IP header errors In Discarded Packets packets discarded on the ingress interface due to a configuration problem rather than a problem with the packet itself In Fabric Dropped Packets packets discarded on a receive IP interface due to internal fabric congestion

Out Forwarded Packets, Bytes total number of packets and bytes

forwarded out the IP interface Unicast Packets, Bytes unicast packets and bytes forwarded out the IP interface Multicast Routed Packets, Bytes multicast packets and bytes forwarded out the IP interface

Out Requested Packets, Bytes packets and bytes requested to be

forwarded out an IP interface

Out Total Dropped Packets, Bytes total number of packets and bytes that
were discarded on the egress interface; sum of all the drop reasons indented below this field Out Scheduler Drops Committed Packets, Bytes packets and bytes dropped by the scheduler even though they had a committed traffic contract Out Scheduler Drops Conformed Packets, Bytes packets and bytes dropped by the scheduler even though they conformed to the traffic contract

2-64

CHAPTER 2 Configuring IP

Out Scheduler Drops Exceeded Packets, Bytes packets and bytes dropped by the scheduler because they exceeded the contract Out Policed Packets packets discarded on the egress interface due to rate limiting Out Discarded Packets packets discarded on the egress interface due to a configuration problem rather than a problem with the packet itself Out Fabric Dropped Packets packets dropped due to internal fabric congestion Example 1
host1#show ip interface detail fastEthernet 0/0 fastEthernet0/0 is up, line protocol is up Description: boston00 fast ethernet interface Link up/down trap is disabled Internet address is 1.1.1.2/255.255.255.0 IP statistics: Rcvd: 0 local destination 0 hdr errors, 0 addr errors 0 unkn proto, 0 discards Frags: 0 reasm ok, 0 reasm req, 0 reasm fails 0 frag ok, 0 frag creates, 0 frag fails Sent: Rcvd: 31656835 generated, 0 no routes, 0 discards 0 errors, 0 dst unreach, 0 time exceed 0 param probs, 0 src quench, 0 redirect, 0 echo req, 31656816 echo rpy 0 timestmp req, 0 timestmp rpy 0 addr mask req, 0 addr mask rpy Sent: 0 errors, 0 dst unreach, 0 time excd 0 param probs, 0 src qnch, 0 redirect 0 timestamp req, 0 timestamp rpy 0 addr mask req, 0 addr mask rpy In Received Packets 246220, Bytes 344624800 Unicast Packets 246162, Bytes 344621410 Multicast Packets 58, Bytes 3390 In Forwarded Packets 245464, Bytes 343566400 In Total Dropped Packets 756, Bytes 1058400 In Policed Packets 756 In Invalid Source Address Packets 0 In Error Packets 0 In Discarded Packets 0 In Fabric Dropped Packets 0 Out Forwarded Packets 117, Bytes 87297 Unicast Packets 117, Bytes 87297 Multicast Routed Packets 0, Bytes 0 ICMP statistics:

Monitoring IP E-Series Routers

2-65

Out Requested Packets 117, Bytes 87297 Out Total Dropped Packets 0, Bytes 0 Out Scheduler Drops Committed Packets 0, Bytes 0 Out Scheduler Drops Conformed Packets 0, Bytes 0 Out Scheduler Drops Exceeded Out Policed Packets 0 Out Discarded Packets 0 Out Fabric Dropped Packets 0 Packets 0, Bytes 0

If you are losing packets because of fabric congestion, you can use the In Fabric Dropped Packets and Out Fabric Dropped Packets statistics to help determine the location of the bottleneck. Both statistics count the same thingthe same packets dropped because of fabric congestionbut in different directions. At any given time, the total number of packets dropped in the fabric for all interfaces in the chassis is equal to the sum of all In Fabric Dropped Packets for all interfaces in the chassis, which equals the sum of all Out Fabric Dropped Packets for all interfaces in the chassis. Packets not dropped for another listed reason are considered to have been dropped in the fabric. The router calculates In Fabric Dropped Packets by subtracting the total number of inbound packets dropped for all other reasons from the In Total Dropped Packets number. The router calculates Out Fabric Dropped Packets by subtracting the total number of outbound packets dropped for all other reasons from the Out Total Dropped Packets number. The router calculates In Total Dropped Packets by subtracting In Forwarded Packets from In Received Packets. The router calculates Out Total Dropped Packets by subtracting Out Forwarded Packets from Out Received Packets. These statistics are reported as traffic is moving through the router. It is possible to get false statistics based on packets being forwarded and/or received after polling and based on which of the statistics is reported first. For example, In Forwarded Packets could be reported as greater than In Received Packets. Rather than displaying In Total Dropped Packets as a negative value, the command displays it as the sum of all drop reasons other than fabric drops; fabric drops are reported as 0, but might actually be nonzero. If you halt traffic, the In Total Dropped Packets and Out Total Dropped Packets values are always correct.
show ip interface shares
Use to display information about shared IP interfaces. If you specify an IP interface specifier, the command displays information only for that interface and any shared IP interfaces associated with it.

2-66

CHAPTER 2 Configuring IP

Field descriptions

Interface interface specifier or name of the interface IP-Address IP address associated with the interface Status operational state of the interface Protocol state of the protocol running on the interface Virtual Router virtual router in which the interface is configured

Example 1

host1#show ip interface shares brief Interface null0 fastEthernet0/0 loopback100 atm4/0.1 ip si0 ip si1 IP-Address 255.255.255.255/32 10.13.5.17/24 202.1.1.1/24 10.1.1.1/24 Unnumbered Unnumbered Status up up up up up up Protocol up up up up up up vr-a vr-b:vrf-1 Virtual Router

Example 2

host1#show ip interface shares brief atm 4/0.1 Interface atm4/0.1 ip si0 ip si1 IP-Address 10.1.1.1/24 Unnumbered Unnumbered Status up up up Protocol up up up vr-a vr-b:vrf-1 Virtual Router

Example 3 for a description of the following fields, see the show ip address command
host1#show ip interface shares atm 4/0.1 atm4/0.1 is up, line protocol is up Network Protocols: IP Unnumbered Interface on loopback100 ( IP address 202.1.1.1 ) Administrative MTU = 0 Administrative speed = 0 Operational MTU = 1500 Discontinuity Time = 0 Router advertisement = disabled Administrative debounce-time = disabled Operational debounce-time Access routing = disabled Multipath mode = hashed In Received Packets 120, Bytes 12000 Unicast Packets 60, Bytes 6000 Multicast Packets 60, Bytes 6000 In Policed Packets 0, Bytes 0 In Error Packets 0 = disabled

Operational speed = 155520000

Monitoring IP E-Series Routers

2-67

In Invalid Source Address Packets 0 Out Forwarded Packets 101, Bytes 5252 Unicast Packets 101, Bytes 5252 Multicast Routed Packets 0, Bytes 0 Out Scheduler Drops Committed Packets 0, Bytes 0 Out Scheduler Drops Conformed Packets 0, Bytes 0 Out Scheduler Drops Exceeded Out Policed Packets 0, Bytes 0 ip si0 is up, line protocol is up Network Protocols: IP Virtual Router vr-a Layer 2 interface atm4/0.1 Unnumbered Interface on loopback100 ( IP address 202.1.1.1 ) Administrative MTU = 0 Administrative speed = 0 Operational MTU = 1500 Discontinuity Time = 0 Router advertisement = disabled Administrative debounce-time = disabled Operational debounce-time Access routing = disabled Multipath mode = hashed In Received Packets 0, Bytes 0 Unicast Packets 0, Bytes 0 Multicast Packets 0, Bytes 0 In Policed Packets 0, Bytes 0 In Error Packets 0 In Invalid Source Address Packets 0 Out Forwarded Packets 101, Bytes 5252 Unicast Packets 101, Bytes 5252 Multicast Routed Packets 0, Bytes 0 Out Scheduler Drops Committed Packets 0, Bytes 0 Out Scheduler Drops Conformed Packets 0, Bytes 0 Out Scheduler Drops Exceeded Out Policed Packets 0, Bytes 0 ip si1 is up, line protocol is up Network Protocols: IP Virtual Router vr-b:vrf-1 Layer 2 interface atm4/0.1 . . . Out Policed Packets 0, Bytes 0 Packets 0, Bytes 0 = disabled Packets 0, Bytes 0

Operational speed = 155520000

2-68

CHAPTER 2 Configuring IP

Example 4 You can also display statistics for shared IP interfaces with the show ip interface command
host1#show ip interface ip si0 ip0 is up, line protocol is up Network Protocols: IP Layer 2 interface atm4/0.1 Unnumbered Interface on loopback100 ( IP address 202.1.1.1 ) Administrative MTU = 0 Administrative speed = 0 Operational MTU = 1500 Discontinuity Time = 0 Router advertisement = disabled Administrative debounce-time = disabled Operational debounce-time Access routing = disabled Multipath mode = hashed In Received Packets 0, Bytes 0 Unicast Packets 0, Bytes 0 Multicast Packets 0, Bytes 0 In Policed Packets 0, Bytes 0 In Error Packets 0 In Invalid Source Address Packets 0 Out Forwarded Packets 101, Bytes 5252 Unicast Packets 101, Bytes 5252 Multicast Routed Packets 0, Bytes 0 Out Scheduler Drops Committed Packets 0, Bytes 0 Out Scheduler Drops Conformed Packets 0, Bytes 0 Out Scheduler Drops Exceeded Out Policed Packets 0, Bytes 0 Packets 0, Bytes 0 = disabled

Operational speed = 155520000

show ip profile
Use to display information about a specific IP profile. Field descriptions

IP profile profile name IP address IP address and subnet mask of the interface or none if the
interface is unnumbered

Unnumbered interface specifier for the unnumbered interface or none if the

interface is numbered

Router router name Directed Broadcast enabled or disabled ICMP Redirects enabled or disabled Access Route Addition enabled or disabled Network Address Translation enable or disable; domain location (inside or outside)

Monitoring IP E-Series Routers

2-69

Source-Address Validation enabled or disabled Ignore DF Bit enabled or disabled Administrative MTU MTU size
Example
host1#show ip profile foo IP profile : foo IP address Unnumbered interface Router Directed Broadcast ICMP Redirects Access Route Addition Source-Address Validation Ignore DF Bit Administrative MTU : none : none : : Enabled : Disabled : Enabled : Enabled : Disabled : 0

Network Address Translation: Enabled, domain inside

show ip protocols
Use to display configured protocols. Field descriptions

For BGP:
Redistributing protocol to which BGP is redistributing routes Default local preference local preference value IGP synchronization status of IGP synchronization: enabled, disabled Always compare MED status of multiexit discrimination: enabled, disabled Router flap damping status of route dampening: enabled, disabled Administrative Distance external, internal, and local administrative distances Neighbor Address IP address of the BGP neighbor Neighbor Incoming/Outgoing update distribute list number of the access list for outgoing routes Neighbor Incoming/Outgoing update prefix list number of the prefix list for incoming or outgoing routes Neighbor Incoming/Outgoing update prefix tree number of the prefix tree for incoming or outgoing routes Neighbor Incoming/Outgoing update filter list number of filter list for incoming routes Routing for Networks network for which BGP is currently injecting routes

For IS-IS:
System Id 6-byte value of the system IS-Type routing type of the router: Level 1, Level 2 Distance administrative distance for IS-IS learned routes

2-70

CHAPTER 2 Configuring IP

Address Summarization aggregate addresses defined in the routing table for multiple groups of addresses at a given level or routes learned from other routing protocols Routing for Networks network for which IS-IS is currently injecting routes

For OSPF:
Router ID OSPF process ID for the router Distance administrative distance for OSPF learned routes Redistributing protocol to which OSPF is redistributing routes Address Summarization aggregate addresses defined in the routing table for multiple groups of addresses at a given level or routes learned form other routing protocols Routing for Networks network for which OSPF is currently injecting routes

For RIP:
Router Administrative State RIP protocol state. Enable means that the interface is allowed to send and receive updates. Disable means that the interface may be configured but it is not allowed to run yet. System version RIP versions allowed for sending and receiving RIP updates. The router version is currently set to RIP1, which sends RIP version 1 but will receive version 1 or 2. If the version is set to RIP2, the router will send and receive version 2 only. The default is configured for RIP1. Update interval current setting of the update timer (in seconds) Invalid after current setting of the invalid timer (in seconds) hold down time current setting of the hold down timer (in seconds) flushed interval current setting of the flush timer (in seconds) Filter applied to outgoing route update access list applied to outgoing RIP route updates Filter applied to incoming route update access list applied to incoming RIP route updates Global route map route map that specifies all RIP interfaces on the router Distance value added to RIP routes added to the IP routing table; the default is 120. Interface interface type on which RIP protocol is running Redistributing protocol to which RIP is redistributing routes Routing for Networks network for which RIP is currently injecting routes Example
host1#show ip protocols Routing Protocol is bgp 100 Redistributing: ospf Default local preference is 100 IGP synchronization is enabled Always compare MED is disabled

Monitoring IP E-Series Routers

2-71

Router flap damping is disabled Administrative Distance: external 20 internal 200 local 200 Neighbor(s): Address 1.1.1.1 Outgoing update distribute list is 2 Outgoing update prefix list is efg Incoming update prefix tree is abc Incoming update filter list is 1 Routing for Networks: 192.168.1.0/24 Routing Protocol is isis isisOne System Id: 0000.0000.0011.00 Distance: 115 Address Summarization: None Routing for Networks: fastEthernet0/0 Routing Protocol is ospf 1 with Router ID 192.168.1.151 Distance is 110 Redistributing: isis Address Summarization: None Routing for Networks: 192.168.1.0/255.255.255.0 area 0.0.0.0 Routing Protocol is rip Router Administrative State: enable System version RIP1: send = 1, receive = 1 or 2 Update interval: 30 seconds Invalid after: 180 seconds hold down time: 120 seconds flushed interval: 300 seconds Filter applied to outgoing route update is not set Filter applied to incoming route update is not set No global route map Distance is 120 Interface fastEthernet0/0 Tx 1 Rx 1,2 Auth none IS-Type: level-1-2

Redistributing: ospf Routing for Networks: 192.168.1.0/255.255.255.0

2-72

CHAPTER 2 Configuring IP

show ip redistribute
Use to display configured route redistribution policy. Field descriptions

To protocol that routes are distributed into From protocol that routes are distributed from status redistribution status route map number number of the route map
host1#show ip red To ospf, From static is enabled with route map 4 To ospf, From connected is enabled with route map 3

Example

show ip route
Use to display the current state of the routing table, including routes not used for forwarding. You can display all routes, a specific route, best route to a resolved domain name, all routes beginning with a specified address, routes for a particular protocol (BGP, IS-IS, OSPF, or RIP), locally connected routes, internal control routes, static routes, or summary counters for the routing table. Field descriptions

Type type of route; protocol or other Prefix IP address prefix of network destination Length network mask length for prefix Next Hop IP address of the next hop to the route, whether it is a local interface or another router

Dist administrative distance for the route; see Table 2-3 Met number of hops Intf interface type and interface specifier
Example 1
host1#show ip route Protocol/Route type codes: I1- ISIS level 1, I2- ISIS level2, I- route type intra, IA- route type inter, E- route type external, i- metric type internal, e- metric type external, O- OSPF, E1- external type 1, E2- external type2, N1- NSSA external type1, N2- NSSA external type2 Prefix/Length ------------172.16.2.0/24 10.10.0.112/32 10.1.1.0/24 Type ---Bgp Static Next Hop -------192.168.1.102 192.168.1.1 Dist/Met -------20/1 1/1 0/1 Intf -----fastEthernet0/0 fastEthernet0/0 atm3/0.100

Connect 10.1.1.1

Monitoring IP E-Series Routers

2-73

Example 2

host1#show ip route static Protocol/Route type codes: I1- ISIS level 1, I2- ISIS level2, I- route type intra, IA- route type inter, E- route type external, i- metric type internal, e- metric type external, O- OSPF, E1- external type 1, E2- external type2, N1- NSSA external type1, N2- NSSA external type2 Prefix/Length ------------10.10.0.112/32 Type ---Next Hop -------Dist/Met -------1/1 Intf -------------fastEthernet0/0

Static 192.168.1.1

Example 3

host1#show ip route summary 5 total routes, 720 bytes in route entries 0 isis routes 0 rip routes 1 static routes 1 connected routes 0 bgp routes 0 ospf routes 3 other internal routes 0 access routes 0 internally created access host routes Last route added/deleted: 0.0.0.0/0 by StaticLow At THU MAR 09 2000 05:22:49 UTC

Example 4

host1#show ip route all Protocol/Route type codes: I1- ISIS level 1, I2- ISIS level2, I- route type intra, IA- route type inter, E- route type external, i- metric type internal, e- metric type external, O- OSPF, E1- external type 1, E2- external type2, N1- NSSA external type1, N2- NSSA external type2 Prefix/Length ------------0.0.0.0/0 1.1.1.1/32 6.6.6.0/24 6.33.5.0/24 8.8.8.0/24 9.9.9.9/32 10.0.0.0/8 10.10.0.156/32 11.1.1.1/32 11.11.11.12/32 22.2.0.0/16 Type ---Static I2-E-i Static Static I2-E-i I2-E-i I2-E-i Static I2-E-i I2-I-i I2-I-i Next Hop -------192.168.1.1 192.168.1.105 192.168.1.1 0.0.0.0 192.168.1.105 192.168.1.105 192.168.1.105 192.168.1.1 192.168.1.105 192.168.1.105 92.168.1.105 Dist/Met -------1/1 115/10 1/1 1/1 115/10 115/10 115/10 1/1 115/10 115/10 115/10 Intf ------

fastEthernet0/0 fastEthernet0/0 fastEthernet0/0 loopback2 fastEthernet0/0 fastEthernet0/0 fastEthernet0/0 fastEthernet0/0 fastEthernet0/0 fastEthernet0/0 fastEthernet0/0

2-74

CHAPTER 2 Configuring IP

34.0.0.0/8 172.20.32.0/24 174.20.32.0/24 176.20.32.0/24 192.168.1.0/24 201.1.1.0/24 201.2.1.0/24 201.3.1.0/24 202.1.1.1/32 207.1.1.0/24

I2-E-i Static I2-I-i Connect Connect I2-E-i I2-E-i I2-E-i I2-E-i I2-E-i

192.168.1.105 192.168.1.1 192.168.1.105 176.20.32.1 192.168.1.214 192.168.1.105 192.168.1.105 192.168.1.105 192.168.1.105 192.168.1.105

115/10 1/1 115/20 0/1 0/1 115/10 115/10 115/10 115/10 115/10

fastEthernet0/0 fastEthernet0/0 fastEthernet0/0 loopback1 fastEthernet0/0 fastEthernet0/0 fastEthernet0/0 fastEthernet0/0 fastEthernet0/0 fastEthernet0/0

show ip route slot

Use to display the interface and next hop for an IP address in the routing table of a line module. A next hop is displayed only for protocols where ARP is used to resolve the addresses, such as for fastEthernet, gigabitEthernet, bridged Ethernet over ATM, and so on. Field descriptions

IP address address reachable via the interface Interface interface type and specifier associated with the IP address;
displays Local Interface if a special interface index is present in the routing table for special IP addresses, such as broadcast addresses

Next Hop IP address of the next hop router to reach the IP address;
displays --- if no next hop is associated with the IP address Example 1
host1#show ip route slot 6 10.10.0.231 IP address -----------10.10.0.231 Interface ---------------fastEthernet 6/0 Next Hop -----------10.10.0.231

Example 2
host1#show ip route slot 9 90.248.1.2 IP address -----------90.248.1.2 Interface ---------------serial9/23:2 Next Hop --------------

Example 3
host1#show ip route slot 9 90.249.255.255 IP address -----------Interface ---------------Next Hop --------------

90.249.255.255 Local Interface

show ip static
Use to display the status of static routes in the routing table. You can specify an IP mask that filters specific routes. Field descriptions

Prefix IP address prefix Length prefix length Next Hop IP address of the next hop

Monitoring IP E-Series Routers

2-75

Met number of hops Dist administrative distance of the route; see Table 2-3 Tag tag value of the route Intf interface type and interface specifier
host1#show ip route static Prefix/Length: 10.2.0.0/24 10.2.1.0/24 172.31.1.48/32 Next Hop: 192.168.1.1 192.168.1.1 172.18.2.2 Met: 1 1 1 Dist: Tag: 1 1 1 0 1 0 Intf: ethernet6/0 ethernet6/0 atm5/1.1

Example

show ip tcp statistics

Use to display TCP statistics. Field descriptions

TCP Global Statistics Connections:

attempted number of outgoing TCP connections attempted accepted number of incoming TCP connections accepted established number of TCP connections established

TCP Global Statistics Rcvd:

total pkts total number of packets received in-sequence pkts number of packets received in sequence bytes number of bytes received chksum err pkts number of checksum error packets received authentication err pkts number of authentication error packets received bad offset pkts number of bad offset packets received short pkts number of short packets received duplicate pkts number of duplicate packets received out of order pkts number of packets received out of order

TCP Global Statistics Sent:

total pkts total number of packets sent data pkts number of data packets sent bytes number of bytes sent retransmitted pkts number of packets retransmitted retransmitted bytes number of bytes retransmitted

TCP Session Statistics

Local addr local address of the TCP connection Local port local port number of the TCP connection Remote addr remote address of the TCP connection Remote port remote port number of the TCP connection State current state of the TCP connection Authentication authentication status of the TCP connection

2-76

CHAPTER 2 Configuring IP

TCP Session Statistics Rcvd:

total pkts total number of packets received on the TCP connection in-sequence pkts number of packets received in sequence on the TCP connection bytes number of bytes received on the TCP connection chksum err pkts number of checksum error packets received on the TCP connection bad offset pkts number of bad offset packets received on the TCP connection short pkts number of short packets received on the TCP connection duplicate pkts number of duplicate packets received on the TCP connection out of order pkts number of packets received out of order on the TCP connection

TCP Session Statistics Sent:

total pkts total number of packets sent on the TCP connection data pkts number of data packets sent on the TCP connection bytes number of bytes sent on the TCP connection retransmitted pkts number of packets retransmitted on the TCP connection retransmitted bytes number of bytes retransmitted on the TCP connection Example
host1#show ip tcp statistics TCP Global Statistics: Connections: 7358 attempted, 4 accepted, 7362 established 0 dropped, 14718 closed Rcvd: 75923 total pkts, 53608 in-sequence pkts, 3120303 bytes 0 chksum err pkts, 0 authentication err pkts, 0 bad offset pkts 0 short pkts, 0 duplicate pkts, 0 out of order pkts Sent: 82352 total pkts, 44404 data pkts, 657095 bytes 34 retransmitted pkts, 487 retransmitted bytes TCP Session Statistics: Local addr: 0.0.0.0, Local port: 23 Remote addr: 0.0.0.0, Remote port: 0 State: LISTEN Authentication: None Rcvd: 4 total pkts, 0 in-sequence pkts, 0 bytes 0 chksum err pkts, 0 bad offset pkts, 0 short pkts 0 duplicate pkts, 0 out of order pkts Sent: 0 total pkts, 0 data pkts, 0 bytes 0 retransmitted pkts, 0 retransmitted bytes

Monitoring IP E-Series Routers

2-77

Local addr: 192.168.1.250, Local port: 23 Remote addr: 10.10.0.77, Remote port: 2170 State: ESTABLISHED Authentication: None Rcvd: 61 total pkts, 34 in-sequence pkts, 41 bytes 0 chksum err pkts, 0 bad offset pkts, 0 short pkts 0 duplicate pkts, 0 out of order pkts Sent: 64 total pkts, 45 data Local addr: 192.168.1.250, Local port: 23 Remote addr: 10.10.0.77, Remote port: 2170 State: ESTABLISHED Authentication: None Rcvd: 61 total pkts, 34 in-sequence pkts, 41 bytes 0 chksum err pkts, 0 bad offset pkts, 0 short pkts 0 duplicate pkts, 0 out of order pkts Sent: 64 total pkts, 45 data pkts, 2304 bytes 0 retransmitted pkts, 0 retransmitted bytes Local addr: 192.168.1.250, Local port: 23 Remote addr: 192.168.1.139, Remote port: 1038 State: ESTABLISHED Authentication: None Rcvd: 295 total pkts, 159 in-sequence pkts, 299 bytes 0 chksum err pkts, 0 bad offset pkts, 0 short pkts 0 duplicate pkts, 0 out of order pkts Sent: 281 total pkts, 210 data pkts, 3089 bytes 0 retransmitted pkts, 0 retransmitted bytes

show ip traffic
Use to display statistics about IP traffic. You can use the ipTraffic log to show consumable IP traffic to the SRP module; the traffic is filterable per router and IP interface. You can show ICMP, TCP, and UDP traffic with the icmpTraffic, udpTraffic, and tcpTraffic logs. Field descriptions

IP Statistics Rcvd:
router Id router ID number total number of frames received local destination frames with this router as their destination hdr errors number of packets containing header errors addr errors number of packets containing addressing errors unkn proto number of packets received containing unknown protocols discards number of discarded packets

IP Statistics Frags:
reassembled number of reassembled packets reasm timed out number of reassembled packets that timed out reasm req number of requests for reassembly reasm fails number of reassembly failures

2-78

CHAPTER 2 Configuring IP

frag ok number of fragmented packets reassembled successfully frag fail number of fragmented packets reassembled unsuccessfully frag creates number of packets created by fragmentation

IP Statistics Sent:
forwarded number of packets forwarded generated number of packets generated out disc number of outbound packets discarded no routes number of packets that could not be routed routing discards number of packets that could not be routed and were discarded

IP Statistics Route:
routes in table number of routes in the routing table

ICMP Statistics Rcvd:

total total number of ICMP packets received errors number of error packets received dst unreach number of packets received with destination unreachable time exceed number of packets received with time-to-live exceeded param probs number of packets received with parameter errors src quench number of source quench packets received redirects number of receive packet redirects echo req number of echo request (ping) packets echo rpy number of echo replies received timestamp req number of requests for a timestamp timestamp rpy number of replies to timestamp requests addr mask req number of mask requests received addr mask rpy number of mask replies received

ICMP Statistics Sent:

total total number of ICMP packets sent errors number of error packets sent dest unreach number of packets sent with destination unreachable time excd number of packets sent with time-to-live exceeded param prob number of packets sent with parameter errors src quench number of source quench packets sent redirects number of send packet redirects echo req number of echo request (ping) packets echo rpy number of echo replies sent timestamp req number of requests for a timestamp timestamp rpy number of replies to timestamp requests addr mask req number of address mask requests sent addr mask rpy number of replies to address mask requests

Monitoring IP E-Series Routers

2-79

UDP Statistics Rcvd:

total total number of UDP packets received checksum number of checksum error packets received no port number of packets received for which no E-series router application listener was listening on the destination port

UDP Statistics Sent:

total total number of UDP packets sent errors number of error packets sent

TCP Global Statistics Connections:

attempted number of outgoing TCP connections attempted accepted number of incoming TCP connections accepted established number of TCP connections established dropped number of TCP connections dropped closed number of TCP connections closed currently established number of TCP connections currently established

TCP Global Statistics Rcvd:

total pkts total number of TCP packets received in-sequence pkts number of packets received in sequence bytes number of bytes received chksum err pkts number of checksum error packets received authentication err pkts number of authentication error packets received bad offset pkts number of packets received with bad offsets short pkts number of short packets received duplicate pkts number of duplicate packets received out of order pkts number of packets received out of order

TCP Global Statistics Sent:

total pkts total number of TCP packets sent data pkts number of data packets sent bytes number of bytes sent retransmitted pkts number of packets retransmitted retransmitted bytes number of retransmitted bytes

OSPF Statistics provides statistics on OSPF IGMP Statistics provides statistics about queries, reports sent or received ARP Statistics not supported for this version of the router
Example
host1#show ip traffic IP statistics: Router Id: 172.31.192.217 Rcvd: 97833 total, 171059 local destination 167 unkn proto, 0 discards Frags: 4 reassembled, 30 reasm timed out, 8 reasm req 0 reasm fails, 145 frag ok, 0 frag fail 0 hdr errors, 0 addr errors

2-80

CHAPTER 2 Configuring IP

290 frag creates Sent: 15 forwarded, 25144 generated, 0 out disc 0 no routes,0 routing discards Route: 57680 routes in table 0 timestamp req, 0 timestamp rpy 0 addr mask req, 0 addr mask rpy ICMP statistics: Rcvd: 561 total, 0 errors, 15 dst unreach 0 time exceed, 0 param probs, 0 src quench 0 redirects, 0 echo req, 0 echo rpy 0 timestamp req, 0 timestamp rpy 0 addr mask req, 0 addr mask rpy Sent: 463866 total, 0 errors, 163676 dest unreach 0 time excd, 0 param prob, 0 src quench 20 redirects, 463846 echo req, 0 echo rpy 0 timestamp req, 0 timestamp rpy 0 addr mask req, 0 addr mask rpy UDP Statistics: Rcvd: 93326 total, 0 checksum errors, 90610 no port Sent: 0 total, 0 errors TCP Global Statistics: Connections: 7358 attempted, 4 accepted, 7362 established 0 dropped, 14718 closed Rcvd: 75889 total pkts, 53591 in-sequence pkts, 3120283 bytes 0 chksum err pkts, 0 authentication err pkts, 0 bad offset 0 short pkts, 0 duplicate pkts, 0 out of order pkts Sent: 82318 total pkts, 44381 data pkts, 656321 bytes 34 retransmitted pkts, 487 retransmitted bytes OSPF Statistics: IGMP Statistics: ARP Statistics:

show ip udp statistics

Use to display UDP statistics. Field descriptions

UDP Statistics Rcvd:

total total number of UDP packets received checksum number of checksum error packets received no port number of packets received for which no E-series router application listener was listening on the destination port

UDP Statistics Sent:

total total number of UDP packets sent errors number of error packets sent

Monitoring IP E-Series Routers

2-81

Example
host1#show ip udp statistics UDP Statistics: Rcvd: 39196 total, 0 checksum errors, 29996 no port Sent: 210 total, 0 errors

show profile brief

Use to list all profile names. Field descriptions

profile profile name

Example
host1#show profile brief Profile : foo trill profile4

show route-map
Use to display the configured route maps. The displayed information includes the instances of each access list such as match and set commands. Example
host1(config)#route-map westford permit 10 host1(config-route-map)#match community 44 host1(config-route-map)#set local-pref 400 host1(config-route-map)#exit host1(config)#exit host1#show route-map westford route-map 1, permit, sequence 10 Match clauses: match community 44 Set clauses: set local-pref 400

2-82

CHAPTER 2 Configuring IP

Configuring IPv6 and Neighbor Discovery

3
Page 3-2 3-3 3-3 3-5 3-9 3-10 3-11 3-17 3-17 3-20 3-20

This chapter describes how to configure Internet Protocol version 6 (IPv6) routing and Neighbor Discovery (ND) on your E-series router.
Topic Overview References IPv6 Packet Headers IPv6 Addressing Understanding Neighbor Discovery Before You Configure IPv6 or Neighbor Discovery IPv6 Configuration Tasks Creating Static IPv6 Neighbors Neighbor Discovery Configuration Tasks Clearing IPv6 Neighbors Monitoring IPv6 and Neighbor Discovery

3-2

CHAPTER 3 Configuring IPv6 and Neighbor Discovery

Overview
Internet Protocol version 6 (IPv6) is designed to eventually supersede IP version 4 (IPv4). The intent of this design change is not to take a radical step away from IPv4, but to enhance IP addressing and maintain other IPv4 functions that work well. The differences between IPv4 and IPv6 include the following: Expanded addressing capabilities IPv6 increases the size of the IP address from 32 bits to 128 bits. This increased size allows for a larger address space and a much larger number of addressable nodes. Simplified header format Reducing some common processing costs associated with packet handling and streamlining the bandwidth cost of the larger IPv6 header, some IPv4-specific header fields either no longer exist or are now optional in the IPv6 header. Traffic flow labelling capabilities The ability to label packets for specific traffic flows exists in the IPv6 packet. These labels allow for nondefault quality of service (QoS) or the possibility of real-time services. Authentication capabilities Authentication provides the ability to use extensions for some authentication and data integrity applications. IPv6 continues to provide the basic packet delivery service for all TCP/IP networks. As a connectionless protocol, IPv6 does not exchange control information to establish an end-to-end connection before transmitting data. Instead, just like its IPv4 predecessor, IPv6 continues to rely on protocols in other layers to establish the connection if connection-oriented services are required and to provide error detection and error recovery. In addition to supporting a revised header structure and an expanded addressing format, the E-series router supports the following IPv6 features: Static routes ICMPv6 Ping Traceroute

References E-Series Routers

3-3

Routing policy (see Chapter 1, Configuring Routing Policy for details) IPv6 BRAS (see Broadband Access Configuration Guide for details).

References
For more information about IPv6, consult the following resources: RFC 2373 IP Version 6 Addressing Architecture (July 1998) RFC 2460 Internet Protocol, Version 6 (IPv6) (December 1998) RFC 2461 Neighbor Discovery for IP Version 6 (IPv6) (December 1998) RFC 2462 IPv6 Stateless Address Autoconfiguration (December 1998) RFC 2463 Internet Control Message Protocol (ICMPv6) for the Internet Protocol Version 6 (IPv6) Specification (December 1998) RFC 2464 Transmission of IPv6 Packets over Ethernet Networks (December 1998) RFC 2465 Management Information Base for IP Version 6: Textual Conventions and General Group (December 1998) RFC 2466 Management Information Base for IP Version 6: ICMPv6 Group (December 1998) You can access these and other Internet RFCs and drafts at the following URL: http://www.ietf.org

IPv6 Packet Headers

An IPv6 packet is a block of data that contains a header and a payload. The header is the information necessary to deliver the packet to a destination address; the payload is the data that you want to deliver. IPv6 packets can use a standard or an extended format.
IPv4 and IPv6 Header Differences

The main difference between IPv4 and IPv6 resides in their headers. Figure 3-1 provides a comparison between the two protocol versions.

3-4

CHAPTER 3 Configuring IPv6 and Neighbor Discovery

32 bits
Ver. Ver. HL HL 4 4 Ver. Traffic class Ver. Traffic class 6 8 bits 8 bits 6

32 bits
Flow label Flow label 20 bits 20 bits Next Hdr. Next Hdr. 8 bits 8 bits Hop Limit Hop Limit 8 bits 8 bits

TOS

Datagram Length Datagram Length Flags Flags Flag Offset Flag Offset

Datagram-ID Datagram-ID TTL TTL Protocol Protocol

Payload Length Payload Length 16 bits 16 bits

Header Checksum Header Checksum Source Address Source Address 128 bits 128 bits

Source IP Address Source IP Address Destination IP Address Destination IP Address

IP Options (with padding if necessary) IP Options (with padding if necessary) Destination Address Destination Address 128 bits 128 bits

IPv4 header

IPv6 header
Figure 3-1 IPv4 and IPv6 header comparison

Standard IPv6 Headers

IPv6 packet headers contain many of the fields found in IPv4 packet headers; some of these fields differ from IPv4. (See Figure 3-1.) The 40-byte IPv6 header consists of the following eight fields: Version Indicates the version of the Internet Protocol. Traffic class Previously the type-of-service (ToS) field in IPv4, the traffic class field defines the class-of-service (CoS) priority of the packet. However, the semantics for this field (for example, DiffServ code points) are identical to IPv4. Flow label The flow label identifies all packets belonging to a specific flow (that is, packet flows requiring a specific class of service [CoS]); routers can identify these packets and handle them in a similar fashion. Payload length Previously the total length field in IPv4, the payload length field specifies the length of the IPv6 payload. Next header Previously the protocol field in IPv4, the Next Header field indicates the next extension header to examine. Hop limit Previously the time-to-live (TTL) field in IPv4, the hop limit indicates the maximum number of hops allowed.

IPv6 Addressing E-Series Routers

3-5

Source address Identifies the address of the source node sending the packet. Destination address Identifies the final destination node address for the packet.
Extension Headers

In IPv6, extension headers are used to encode optional Internet-layer information. Extension headers are placed between the IPv6 header and the upper-layer header in a packet. IPv6 allows you to chain extension headers together by using the next header field. The next header field, located in the IPv6 header, indicates to the router which extension header to expect next. If there are no more extension headers, the next header field indicates the upper-layer header (TCP header, UDP header, ICMPv6 header, an encapsulated IP packet, or other items).

IPv6 Addressing
IPv6 increases the size of the IP address from the 32 bits found in IPv4 to 128 bits. This increased size allows for a broader range of addressing hierarchies and a much larger number of addressable nodes. In addition to the increased size, IPv6 addresses can be of different scopes that categorize what types of applications are suitable for the address. IPv6 does not support broadcast addresses, but uses multicast addresses to serve this role. In addition, IPv6 also defines a new type of address called anycast.
Address Representation

IPv6 addresses consist of eight hexadecimal groups. Each hexadecimal group, separated by a colon (:), consists of a 16-bit hexadecimal value. The following is an example of the IPv6 format: xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx A group of xxxx represents the 16-bit hexadecimal value. Each individual x represents a 4-bit hexadecimal value. The following is an example of a possible IPv6 address: 4FDE:0000:0000:0002:0022:F376:FF3B:AB3F
Note: Hexadecimal letters in IPv6 addresses are not case sensitive.

3-6

CHAPTER 3 Configuring IPv6 and Neighbor Discovery

IPv6 Address Compression

IPv6 addresses often contain consecutive hexadecimal fields of zeros. To simplify address entry, you can use two colons (::) to represent the consecutive fields of zeros when typing the IPv6 address. Table 3-1 provides compressed IPv6 address format examples.
Table 3-1 Compressed IPv6 formats IPv6 Address Type Unicast Multicast Loopback Unspecified Full Format 10FB:0:0:0:C:ABC:1F0C:44DA FD01:0:0:0:0:0:0:1F 0:0:0:0:0:0:0:1 0:0:0:0:0:0:0:0 Compressed Format 10FB::C:ABC:1F0C:44DA FD01::1F ::1 ::

Note: You can use two colons (::) only once in an IPv6 address to represent hexadecimal fields of consecutive zeros.

IPv6 Address Prefix

An IPv6 address prefix is a combination of an IPv6 prefix (address) and a prefix length. The prefix takes the form ipv6-prefix/prefix-length and represents a block of address space (or a network). The ipv6-prefix variable follows general IPv6 addressing rules (see RFC 2373 for details). The /prefix-length variable is a decimal value that indicates the number of contiguous, higher-order bits of the address that make up the network portion of the address. For example, 10FA:6604:8136:6502::/64 is a possible IPv6 prefix.
Address Types

IPv6 can use several types of addresses: Unicast Used to identify a single interface, this release of the E-series router product supports the following unicast address types:
> Global aggregatable Allows for aggregation of routing prefixes to

limit the number of global routing table entries

> Link-local Eliminates the need for a globally unique prefix.

Local-link addresses allow communications between devices on a local link.

> Site-local Used as private addresses to restrict communication to

a domain portion.
Note: IPv6 routers must not forward packets that have site-local source or destination addresses outside the site.

IPv6 Addressing E-Series Routers

3-7

> IPv4-compatible Contains a standard IPv4 address in the

lower-order 32 bits of the address and zeros in the higher-order 96 bits of the address. For example, the format of an IPv4-compatible IPv6 address is 0:0:0:0:0:0:A.B.C.D (or condensed as ::A.B.C.D). In other words, devices using IPv6 use the entire 128-bit IPv4-compatible IPv6 address, whereas IPv4 devices use the IPv4 address embedded within the lower-order 32-bits of the address. You would use IPv4-compatible IPv6 addresses for devices that must support both IPv4 and IPv6 protocols. Multicast Used for sending packets to multiple destinations. A multicast transmission sends packets to all interfaces that are part of a multicast group. The group is represented by the IPv6 destination address of the packet. Anycast Used for a set of interfaces on different nodes. An anycast transmission sends packets to only one of the interfaces associated with the address, not to all of the interfaces. This interface is typically the closest interface, as defined by the routing protocol. Loopback Used by a node to send an IPv6 packet to itself. An IPv6 loopback address functions the same as an IPv4 loopback address. Unspecified Indicates the absence of an IPv6 address. For example, newly initialized IPv6 nodes may use the unspecified address as the source address in their packets until they receive an IPv6 address.
Note: IPv6 does not use broadcast addresses; instead, IPv6 uses multicast addresses.

Address Scope

Some unicast and multicast IPv6 addresses contain a value known as scope. This value identifies the application suitable for the address. Unicast addresses support two types of scopeglobal and local. In addition, there are two types of local scopelink-local addresses and site-local addresses. Link-local unicast addresses, identified by the first ten bits of the prefix, function within a single network link. You cannot use link-local addresses outside a network link. Site-local unicast addresses function within a site or an intranet. A site consists of multiple network links, and site-local addresses identify nodes inside the intranet. You cannot use site-local addresses outside the site.

3-8

CHAPTER 3 Configuring IPv6 and Neighbor Discovery

Multicast addresses support 16 different types of scope, including node, link, site, organization, and global scope. A four-bit field in the prefix identifies the scope.
Address Structure

Unicast addresses identify a single interface. The address consists of n bits for the prefix and 128-n bits for the interface ID. Multicast addresses identify a set of interfaces. The address is made up of the first 8 bits of all ones, a 4-bit flag field, a 4-bit scope field, and a 112-bit group ID. 11111111 | flgs | scop | group ID The first octet of ones identifies the address as a multicast address. The flags field identifies whether the multicast address is a well-known address or whether it is a transient multicast address. The scope field identifies the scope of the multicast address. The 112-bit group ID identifies the multicast group. Similar to multicast addresses, anycast addresses identify a set of interfaces. However, packets are sent to only one of the interfaces, not to all interfaces. Anycast addresses are allocated from the normal unicast address space and cannot be distinguished from a unicast address in format. Therefore, each member of an anycast group must be configured to recognize certain addresses as anycast addresses.
ICMP Support

Internet Control Message Protocol (ICMP) provides a mechanism that enables a router or destination host to report an error in data traffic processing to the original source of the packet. For this release, the E-series router supports ICMP for use in the IPv6 ping and traceroute commands. The ping and traceroute commands help you determine destination reachability within a network. Use the ping ipv6 command to send an ICMP echo request packet. In the following example, the request packet is sent to address 1::1 with a data size of 200 and a timeout value of 10 seconds:
host1#ping ipv6 1::1 data-size 200 timeout 10

Use the traceroute ipv6 command to discover routes that router packets follow when traveling to their destination. In the following

Understanding Neighbor Discovery E-Series Routers

3-9

example, the trace destination address is 1::1, the maximum number of hops of the trace is 20, and the timeout value is 10 seconds:
host1#traceroute ipv6 1::1 hop-limit 20 timeout 10

Understanding Neighbor Discovery

Though not a true protocol, routers and hosts (nodes) use Neighbor Discovery (ND) messages to determine the link-layer addresses of neighbors that reside on attached links and to overwrite invalid cache entries. Hosts also use ND to find neighboring routers that can forward packets on their behalf. In addition, nodes use ND to actively track the ability to reach neighbors. When a router (or the path to a router) fails, nodes actively search for alternatives to reach the destination. IPv6 Neighbor Discovery corresponds to a number of the IPv4 protocols ARP, ICMP Router Discovery, and ICMP Redirect. However, Neighbor Discovery provides many improvements over the IPv4 set of protocols. These improvements address the following: Router discovery How a host locates routers residing on an attached link. Prefix discovery How a host discovers address prefixes for destinations residing on an attached link. Nodes use prefixes to distinguish between destinations that reside on an attached link and those destinations that it can reach only through a router. Parameter discovery How a node learns various parameters (link parameters or Internet parameters) that it places in outgoing packets. Address resolution How a node uses only a destination IPv6 address to determine a link-layer address for destinations on an attached link. Next-hop determination The algorithm that a node uses for mapping an IPv6 destination address into a neighbor IPv6 address (either the next router hop or the destination itself) to which it plans to send traffic for the destination. Neighbor unreachability detection How a node determines that it can no longer reach a neighbor. Duplicate address detection How a node determines whether an address is already in use by another node.

3-10

CHAPTER 3 Configuring IPv6 and Neighbor Discovery

Before You Configure IPv6 or Neighbor Discovery

Before you configure IPv6, you must create the lower-layer interfaces over which IPv6 traffic flows. In this release, the following modules support IPv6 configuration: ATM OC3/STM-1 ATM OC12/STM-4 Fast Ethernet (FE-8) Gigabit Ethernet (GE)
Note: This release does not support Neighbor Discovery router advertisements on Ethernet cards.

For example, to configure an ATM interface:

host1(config)#interface atm 1/0 host1(config-if)#atm sonet stm-1 host1(config-if)#no loopback host1(config-if)#atm clock internal chassis host1(config-if)#interface atm 1/0.10 host1(config-if)#atm pvc 10 0 20 aal5snap

Refer to E-Series Link Layer Configuration Guide, Chapter 1, Configuring ATM for information on configuring an ATM interface. Refer to E-Series Link Layer Configuration Guide, Chapter 6, Configuring Ethernet Interfaces for information on configuring an Ethernet interface. Configuring Ethernet interfaces to function with IPv6 requires Neighbor Discovery configuration for the interface. In this release, only the 8-port Fast Ethernet (FE-8) and Gigabit Ethernet (GE) modules support Neighbor Discovery. ND is required for IPv6 to function on Ethernet interfaces. For information about configuring Neighbor Discovery, see Neighbor Discovery Configuration Tasks.

IPv6 Configuration Tasks E-Series Routers

3-11

IPv6 Configuration Tasks

This section describes how to configure and maintain IPv6 interfaces.
Configuring an IPv6 License

You must configure an IPv6 license before you can use any IPv6 commands on the E-series router.
license ipv6
Use to specify an IPv6 license. Purchase an IPv6 license to allow IPv6 configuration on the E-series router.
Note: Acquire the license from Juniper Networks Customer Service or your Juniper Networks sales representative.

Example
host1(config)#license ipv6 <license-value>

Use the no version to disable the license.

Creating an IPv6 Profile

You can configure an IPv6 interface dynamically by creating a profile. A profile is a set of characteristics that acts as a pattern that can be dynamically assigned to an IPv6 interface. You can manage a large number of IPv6 interfaces efficiently by creating a profile with a specific set of characteristics. In addition, you can create a profile to assign an IPv6 interface to a virtual router. A profile can contain one or more of the following characteristics: address configures an IPv6 address on an interface mtu configures the MTU for a network policy attaches (or removes) a policy to (or from) an interface unnumbered configures IPv6 on this interface without a specific address ipv6 virtual-router specifies a virtual router to which interfaces created by this profile will be attached
Note: You can also configure any of these IPv6 characteristics outside the profile configuration mode.

Use the profile command from Global Configuration mode to create or edit a profile. See E-Series Link Layer Configuration Guide, Chapter 13,

3-12

CHAPTER 3 Configuring IPv6 and Neighbor Discovery

Configuring Dynamic Interfaces for information on creating profiles and on other characteristics that can be applied to the profile.
host1(config)#profile boston host1(config-profile)#ipv6 virtual-router warf host1(config-profile)#ipv6 unnumbered atm 3/0

ipv6 address
Use to add an IPv6 address to an interface or a subinterface. Example
host1(config)#interface atm 1/0.25 host1(config-if)#ipv6 address 1::1/64 Note: You can use this command in Interface Configuration or Subinterface Configuration mode.

Use the no version of this command to remove an IPv6 address.

ipv6 mtu
Use to set the MTU size of IPv6 packets sent on an interface. The range is 12810240. Example
host1(config-if)#ipv6 mtu 1000

Use the no version to restore the default MTU size.

ipv6 unnumbered
Use to set up an unnumbered interface. An unnumbered interface does not have an IPv6 address assigned to it. Unnumbered interfaces are often used in point-to-point connections where an IPv6 address is not required. This command enables IPv6 processing on an interface without your having to assign an explicit IPv6 address to the interface. You supply an interface location that is the type and number of another interface on which the router has an assigned IPv6 address. This interface cannot be another unnumbered interface. Example
host1(config-if)#ipv6 unnumbered loopback

Use the no version to disable IPv6 processing on an interface.

ipv6 virtual-router
Use to assign a virtual router to a profile. You can configure a virtual router using RADIUS instead of adding one to the profile by using the ipv6 virtual-router command. Use the no version to remove the virtual router assignment.

IPv6 Configuration Tasks E-Series Routers

3-13

Assigning a Profile

To assign a profile to an interface, use the profile command from Interface mode.
profile
Use to assign a profile to a PPP interface. The profile configuration is used to dynamically create an upper IP interface. Example
host1(config-if)#interface atm 3/1.50 host1(config-if)#encapsulation ppp host1(config-if)#profile boston

Use the no version to remove the assignment from the interface.

Establishing a Static Route

You can set a destination to receive and send traffic by a specific route through the network.
ipv6 route
Use to establish a static IPv6 route. You can set a destination to receive and send traffic from and to a network or to use a specific route through the network.
Note: In this release, IPv6 supports only static routes and loopback configurations.

Example
host1(config)#ipv6 route 7fff::0/16 1::1

Use the no version of this command to remove a static route from the routing table.

Specifying an IPv6 Hop Count Limit

You can specify the maximum number of hops that the router can use in router advertisements and all IPv6 packets.
ipv6 hop-limit
Use to set the maximum number of hops that the router can use in router advertisements and all IPv6 packets. Example
host1(config)#ipv6 hop-limit 50

Use the no version to set the hop limit for IPv6 packets to 255 hops and router advertisements to zero [0] hops (or unspecified).

3-14

CHAPTER 3 Configuring IPv6 and Neighbor Discovery

Managing IPv6 Interfaces

You can manage IPv6 interfaces in the following ways: Disable or reenable an IPv6 interface.
host1(config-if)#no ipv6 enable host1(config-if)#ipv6 enable

Set a baseline for IPv6 interface counters.

host1#clear ipv6 interface atm 2/0

Determine reachability within a network.

host1#ping ipv6 1::1 host1#traceroute ipv6 1::1

clear ipv6 interface

Use to set a baseline for counters on a specified IPv6 interface. Example
host1#clear ipv6 interface atm 2/0

There is no no version.

ipv6 enable
Use to enable or disable an IPv6 interface at any time.
Note: By default, an IPv6 interface is enabled when you first create it.

Example
host1(config-if)#ipv6 enable

Use the no version of this command to disable IPv6 on an interface or a subinterface.

ping ipv6
Use to send an ICMP echo request packet to the IPv6 address that you specify. Use the source interface keywords to specify a source interface other than the one from which the probe originates. Use the source address keywords to specify a source IP address other than the one from which the probe originates. You can specify the following options:

packetCount number of packets to send to the destination IPv6 address. If

you specify a zero, echo requests packets are sent indefinitely.

data-pattern sets the type of bits contained in the packet to all ones, all
zeros, a random mixture of ones and zeros, or a specific hexadecimal data pattern that can range from 0x00xFFFFFFFF. The default is all zeros.

data-size sets the number of bytes comprising the IPv6 packet and
reflected in the IPv6 header in the range 064000; the default is 100 bytes

IPv6 Configuration Tasks E-Series Routers

3-15

extended header attributes set the interface type and specifier of a

destination address on the router that is configured for external loopback; the command succeeds only if the specified interface is configured for external loopback

sweep-interval specifies the change in the size of subsequent ping

packets while sweeping across a range of sizes. For example, you can configure the sweep interval to sweep across the range of packets from 100 bytes to 1000 bytes in increments equal to the sweep interval. By default the router increments packets by one byte; for example, it sends 100, 101, 102, 103, ... 1000. If the sweep interval is 5, the router sends 100, 105, 110, 115, ... 1000.

sweep-sizes enables you to vary the sizes of the echo packets being sent.
This capability is useful for determining the minimum sizes of the MTUs configured on the nodes along the path to the destination address. This reduces packet fragmentation, which contributes to performance problems. The default is not to sweep (all packets are the same size).

timeout sets the number of seconds to wait for an ICMP echo reply packet
before the connection attempt times out

hop-limit sets the time-to-live hop count in the range 1255; the default is
255 The following characters can appear in the display after you issue the ping command:

! reply received . timed out while waiting for a reply ? unknown packet type A admin unreachable b packet too big H host unreachable N network unreachable P port unreachable p parameter problem S source beyond scope t hop limit expired (TTL expired)
host1#ping ipv6 1::1

Example

There is no no version.

traceroute
Use to discover the routes that router packets follow when traveling to their destination. You can specify:

Destination IPv6 address Source interface for each of the transmitted packets Source IPv6 address for each of the transmitted packets

3-16

CHAPTER 3 Configuring IPv6 and Neighbor Discovery

Maximum number of hops of the trace and a time-out value Size of the IPv6 packets (not the ICMP payload) in the range 064000 bytes
sent with the traceroute command. Including a size might help locate any MTU problems that exist between your router and a particular device.

Hop count in the range 1255; the default is 32

You can also force transmission of the packets on a specified interface regardless of what the IPv6 address lookup indicates. Example
host1#traceroute ipv6 1::1 timeout 10

There is no no version.

Adding a Description

The router enables you to add a text description or an alias to an IPv6 interface or subinterface. Adding a description helps you identify the interface and keep track of interface connections.
ipv6 description
Use to assign a text description or an alias to an IPv6 interface or subinterface. The description or alias can be a maximum of 256 characters. Use the show ipv6 interface command to display the text description. Examples
host1(config-if)#ipv6 description boston01 ipv6 interface host1(config-subif)#ipv6 description dallas05 ipv6 subinterface

Use the no version to remove the text description or alias.

Removing an IPv6 Configuration

To remove an IPv6 configuration from the virtual router, issue the no ipv6 command.
no ipv6
Use to remove IPv6 configuration from the virtual router. Example
host1(config)#no ipv6 Note: The E-series router automatically starts IPv6 processing when you begin configuring an IPv6 interface. However, by issuing the ipv6 command without using the no option, you can create an IPv6 processing instance with no IPv6 configuration.

Creating Static IPv6 Neighbors E-Series Routers

3-17

Clearing IPv6 Routes

To clear IPv6 routes from the routing table, use the clear ipv6 routes command. To clear the routes for a specific IPv6 network, specify the IPv6 prefix. To clear all dynamic IPv6 routes, using the * (asterisk) option.
clear ipv6 routes
Use to clear IPv6 routes. To clear routes in a specific IPv6 network, specify an IPv6 prefix. To clear all dynamic IPv6 routes, use the * (asterisk) option. Example
host1(config)#clear ipv6 routes *

There is no no version.

Creating Static IPv6 Neighbors

To create static IPv6 neighbors, use the ipv6 neighbor command.
ipv6 neighbor
Use to create static IPv6 neighbors. Example
host1(config)#ipv6 neighbor 1::10 fastEthernet 1/0 0002.7dfa.0034

Use the no version of this command to delete the neighbor.

Neighbor Discovery Configuration Tasks

This section describes how to configure Neighbor Discovery on IPv6 interfaces.
Note: This release supports Neighbor Discovery on 8-port Fast Ethernet and Gigabit Ethernet modules only.

Configuring Neighbor Discovery

To configure Neighbor Discovery:

1

Access an IPv6 interface.

host1(config)#interface fastEthernet 3/0 host1(config-if)#

3-18

CHAPTER 3 Configuring IPv6 and Neighbor Discovery

Configure the current IPv6 interface to send neighbor solicitations and to respond with neighbor advertisements.
host1(config)#ipv6 nd

Note: This command is redundant when configuring Neighbor Discovery over Ethernet, because router advertisements are automatically sent on Ethernet interfaces. However, unless explicitly enabled, IPv6 router advertisements are not sent on other types of interfaces.

(Optional) Configure the interface to retry sending neighbor solicitations using a specified interval.
host1(config-if)#ipv6 nd ns-interval 500

(Optional) Configure the interface to assume that a neighbor is reachable for a specified time after a reachable confirmation event.
host1(config-if)#ipv6 nd reachable-time 30000

ipv6 nd
Use to enable the IPv6 Neighbor Discovery process on an interface. Example
host1(config)#interface fastEthernet 3/0 host1(config-if)#ipv6 nd

Use the no version of this command to disable the Neighbor Discovery process.

ipv6 nd ns-interval
Use to specify the interval between IPv6 neighbor solicitation retransmissions on an interface. Example
host1(config-if)#ipv6 nd ns-interval 500

Use the no version of this command to return the interval between neighbor solicitation retransmission to its default value (zero [0] milliseconds for router advertisements and 1000 milliseconds for Neighbor Discovery activity of the E-series router).

ipv6 nd reachable-time
Use to specify the amount of time that the E-series router can reach a remote IPv6 node after some reachability confirmation event has occurred. Example
host1(config-if)#ipv6 nd reachable-time 30000

Use the no version of this command to restore the default value (zero [0] milliseconds for router advertisements and 60000 milliseconds for Neighbor Discovery activity of the E-series router).

Neighbor Discovery Configuration Tasks E-Series Routers

3-19

Configuring Proxy Neighbor Advertisements

Much like proxy ARP, proxy Neighbor Discovery is a means by which one interface responds to a Neighbor Discovery query on behalf of another interface. To configure proxy Neighbor Discovery:
1

Access an IPv6 interface.

host1(config)#interface fastEthernet 0/0 host1(config-if)#

Enable Neighbor Discovery on the current interface.

host1(config)#ipv6 nd

Note: This command is redundant when configuring Neighbor Discovery over Ethernet, because neighbor solicitations and advertisements are automatically sent on Ethernet interfaces.

Enable IPv6 neighbor proxy.

host1(config-if)#ipv6 nd proxy

ipv6 nd proxy
Use to enable or disable Neighbor Discovery proxy. Example
host1(config-if)#ipv6 nd proxy

Use the no version of this command to disable Neighbor Discovery proxy.

Configuring Duplicate Address Detection Attempts

The duplicate address detection feature helps to verify that a new unicast IPv6 address is unique in the network. The router sends the IPv6 address in its neighbor solicitation messages. However, the router relies on the receiving device to understand the address duplication and does not prompt a conflict if the address already exists. The CLI allows you to specify the number of consecutive neighbor solicitation messages that the router sends from the IPv6 interface.
ipv6 nd dad attempts
Use to specify the number of consecutive neighbor solicitation messages that the router sends from the IPv6 interface. Use an attempt value of zero (0) to disable duplicate address detection on the current interface. The router suspends duplicate address detection on interfaces that are administratively down.

3-20

CHAPTER 3 Configuring IPv6 and Neighbor Discovery

Example
host1(config-if)#ipv6 nd dad attempts 10

Use the no version of this command to restore the default number of attempts to one (1).

Clearing IPv6 Neighbors

To clear dynamic IPv6 neighbors, use the clear ipv6 neighbor command. Use the include-statics keyword clears both dynamic neighbors and static neighbors. Use the statics-only keyword clears only IPv6 static neighbors.
clear ipv6 neighbors
Use to clear all dynamic IPv6 neighbors. Use the include-statics keyword clears both dynamic neighbors and static neighbors. Use the statics-only keyword clears only IPv6 static neighbors. Example
host1(config)#clear ipv6 neighbors

There is no no version.

Monitoring IPv6 and Neighbor Discovery

This section shows how to set an IPv6 statistics baseline and use the show commands to view your IPv6 configuration, monitor IPv6 interfaces and statistics, and view IPv6 neighbors.
Establishing a Baseline

IPv6 statistics are stored in system counters. The only way to reset the system counters is to reboot the system. You can, however, establish a baseline for IPv6 statistics by setting a group of reference counters to zero.
baseline ipv6
Sets a baseline for IPv6 statistics. The router implements the baseline by reading and storing the statistics at the time the baseline is set and then subtracting this baseline whenever baseline-relative statistics are retrieved. Use the udp keyword to set a baseline for UDP statistics Use the delta keyword with IPv6 show commands to specify that baselined statistics are to be shown.

Monitoring IPv6 and Neighbor Discovery E-Series Routers

3-21

Example
host1#baseline ipv6

There is no no version.

baseline ipv6 interface

Use to set a statistical baseline for a specified IPv6 interface. Example
host1#baseline ipv6 interface atm 2/0.100

There is no no version.

IPv6 show Commands

You can monitor the following aspects of IPv6 using show ipv6 commands:
To Display General IPv6 information IPv6 addresses IPv6 Interfaces IPv6 neighbors IPv6 profile information Active IPv6 protocol information IPv6 route redistribution configuration IPv6 routes IPv6 static routes IPv6 statistics/traffic IPv6 UDP information IPv6 license string Command show ipv6 show ipv6 address show ipv6 interface show ipv6 neighbors show ipv6 profile show ipv6 protocols show ipv6 redistribute show ipv6 route show ipv6 static show ipv6 traffic show ipv6 udp statistics show license ipv6

You can use the output filtering feature of the show command to include or exclude lines of output based on a text string that you specify. See E-Series System Basics Configuration Guide, Chapter 2, Command Line Interface, for details.

3-22

CHAPTER 3 Configuring IPv6 and Neighbor Discovery

show ipv6
Use to display general IPv6 information. Example
host1#show ipv6 Ipv6 Unicast Routing: Enabled Default hop limit: not specified Number of interfaces: 2 Default interface source address/mask: fe80::90:1a00:210:fd0/128

show ipv6 address show ipv6 interface

Use to display detailed or summary information for a particular IPv6 address/interface or all interfaces. The default for the show ipv6 interface command is all interface types and all interfaces. Use brief or detail keywords with the show ipv6 interface command to display different levels of information. Field descriptions

Network Protocols network protocols configured on this interface Link local address local IPv6 address of this interface Internet address external address of this interface IP statistics Rcvd: local destination frames with this router as their destination hdr errors number of packets containing header errors addr errors number of packets containing addressing errors unkn proto number of packets received containing unknown protocols discards number of discarded packets

IP statistics Sent:
generated number of packets generated no routes number of packets that could not be routed discards number of packets that could not be routed that were discarded

ICMP statistics Rcvd:

total total number of received packets errors error packets received destination unreach packets received with destination unreachable admin unreach packets received because the destination was administratively unreachable (for example, the packet encountered a firewall filter) parameter problem packets received with parameter errors time exceeded packets received with time-to-live exceeded pkt too big number of packet-too-big messages received that indicate a packet was too large to forward because of the allowed MTU size

Monitoring IPv6 and Neighbor Discovery E-Series Routers

3-23

redirects received packet redirects echo requests echo request (ping) packets echo replies echo replies received rtr solicits number of received router solicitations rtr advertisements number of received router advertisements neighbor solicits number of received neighbor solicitations neighbor advertisements number or received neighbor advertisements Group membership (queries, responses, reductions) number of queries, responses, and reduction requests received from within a group to which the interface is assigned

ICMP statistics Sent:

total total number of received packets errors error packets received destination unreach packets received with destination unreachable admin unreach packets sent because the destination was administratively unreachable (for example, due to a firewall filter) parameter problem packets received with parameter errors time exceeded packets received with time-to-live exceeded pkt too big number of packet-too-big messages sent because a received packet was too large to forward because of the allowed MTU size redirects received packet redirects echo requests echo request (ping) packets echo replies echo replies received rtr solicits number of sent router solicitations rtr advertisements number of sent router advertisements neighbor solicits number of sent neighbor solicitations neighbor advertisements number of sent neighbor advertisements Group membership (queries, responses, reductions) number of queries, responses, and reduction requests sent to a group of which the interface is assigned

Operational MTU value of the MTU Administrative MTU value of the MTU if it has been administratively
overridden using the configuration

Operational speed speed of the interface Administrative speed value of the speed if it has been administratively
overridden using the configuration

In Received Packets, Bytes total number of packets and bytes received on

this interface Unicast Packets, Bytes unicast packets and bytes received on the IPv6 interface; link-local received multicast packets (non-multicast-routed frames) are counted as unicast packets

3-24

CHAPTER 3 Configuring IPv6 and Neighbor Discovery

Multicast Packets, Bytes multicast packets and bytes received on the IPv6 interface which are then multicast-routed are counted as multicast packets

In Total Dropped Packets, Bytes total number of inbound packets and

bytes dropped on this interface In Policed Packets packets that were received and dropped because of rate limits In Invalid Source Address Packets packets received with invalid source address (for example, spoofed packets) In Error Packets number of packets received with errors In Discarded Packets packets received that were discarded for reasons other than rate limits, errors, and invalid source address

Out Forwarded Packets, Bytes total number of packets and bytes that
were sent from this interface Unicast Packets, Bytes unicast packets and bytes that were sent from this interface Multicast Routed Packets, Bytes multicast packets and bytes that were sent from this interface

Out Total Dropped Packets total number of outbound packets and bytes
dropped by this interface Out Scheduler Dropped Packets, Bytes number of outbound packets and bytes dropped by the scheduler Out Policed Packets, Bytes number of outbound packets and bytes dropped because of rate limits Out Discarded Packets number of outbound packets that were discarded for reasons other than those dropped by the scheduler and those dropped because of rate limits Example 1
host1#show ipv6 address 1::1 loopback0 line protocol IpLoopback is up, ipv6 is up Network Protocols: IPv6 Link local address: fe80::90:1a00:210:fd0 Internet address: 1::1/64 Operational MTU 1500 Administrative MTU 0 Operational speed 100000000 Administrative speed 0 Creation type Static Neighbor Discovery is disabled In Received Packets 0, Bytes 0 Unicast Packets 0, Bytes 0 Multicast Packets 0, Bytes 0 In Total Dropped Packets 0, Bytes 0 In Policed Packets 0 In Invalid Source Address Packets 0 In Error Packets 0 In Discarded Packets 0

Monitoring IPv6 and Neighbor Discovery E-Series Routers

3-25

Out Forwarded Packets 0, Bytes 0 Unicast Packets 0, Bytes 0 Multicast Routed Packets 0, Bytes 0 Out Total Dropped Packets 0, Bytes 0 Out Scheduler Dropped Packets 0, Bytes 0 Out Policed Packets 0 Out Discarded Packets 0

Example 2
host1#show ipv6 address detail 5::1 ATM4/0.15 line protocol Atm1483 is up, ipv6 is up Network Protocols: IPv6 Link local address: fe80::90:1a00:4440:1d44 Internet address: 5::1/64 IP statistics: Rcvd: 0 local destination 0 hdr errors, 0 addr errors 0 unkn proto, 0 discards Sent: 0 generated, 0 no routes, 0 discards

ICMP statistics: Rcvd: 2914 total, 0 errors 0 destination unreach, 0 admin unreach, 0 parameter problem 0 time exceeded, 0 pkt too big, 0 redirects 21 echo requests, 2893 echo replies 0 rtr solicits, 0 rtr advertisements 0 neighbor solicits, 0 neighbor advertisements Group membership: 0 queries, 0 responses, 0 reductions Sent: 2914 total, 0 errors 0 destination unreach, 0 admin unreach, 0 parameter problem 0 time exceeded, 0 pkt too big, 0 redirects 2893 echo requests, 21 echo replies 0 rtr solicits, 0 rtr advertisements 0 neighbor solicits, 0 neighbor advertisements Group membership: 0 queries, 0 responses, 0 reductions Operational MTU 9180 Administrative MTU 0 Operational speed 155520000 Administrative speed 0 In Received Packets 2914, Bytes 430372 Unicast Packets 2914, Bytes 430372 Multicast Packets 0, Bytes 0

3-26

CHAPTER 3 Configuring IPv6 and Neighbor Discovery

In Total Dropped Packets 0, Bytes 0 In Policed Packets 0 In Invalid Source Address Packets 0 In Error Packets 0 In Discarded Packets 0 Out Forwarded Packets 2914, Bytes 430372 Unicast Packets 2914, Bytes 430372 Multicast Routed Packets 0, Bytes 0 Out Total Dropped Packets 0, Bytes 0 Out Scheduler Dropped Packets 0, Bytes 0 Out Policed Packets 0 Out Discarded Packets 0

Example 3
host1#show ipv6 interface ATM4/0.15 line protocol Atm1483 is up, ipv6 is up Network Protocols: IPv6 Link local address: fe80::90:1aff:fe01:725 Internet address: 1::2/60 Operational MTU 1500 Administrative MTU 0 Operational speed 100000000 Administrative speed 0 In Received Packets 0, Bytes 0 Unicast Packets 0, Bytes 0 Multicast Packets 0, Bytes 0 In Total Dropped Packets 0, Bytes 0 In Policed Packets 0 In Invalid Source Address Packets 0 In Error Packets 0 In Discarded Packets 0 Out Forwarded Packets 5, Bytes 740 Unicast Packets 5, Bytes 740 Multicast Routed Packets 0, Bytes 0 Out Total Dropped Packets 0, Bytes 0 Out Scheduler Dropped Packets 0, Bytes 0 Out Policed Packets 0 Out Discarded Packets 0

Example 4

host1#show ipv6 int detail ATM4/0.15 line protocol Atm1483 is up, ipv6 is up Network Protocols: IPv6 Link local address: fe80::90:1aff:fe01:725

Monitoring IPv6 and Neighbor Discovery E-Series Routers

3-27

Internet address: 1::2/60 IP statistics: Rcvd: 0 local destination 0 hdr errors, 0 addr errors 0 unkn proto, 0 discards Sent: 0 generated, 0 no routes, 0 discards

ICMP statistics: Rcvd: 0 total, 0 errors 0 destination unreach, 0 admin unreach, 0 parameter problem 0 time exceeded, 0 pkt too big, 0 redirects 0 echo requests, 0 echo replies 0 rtr solicits, 0 rtr advertisements 0 neighbor solicits, 0 neighbor advertisements Group membership: 0 queries, 0 responses, 0 reductions Sent: 5 total, 0 errors 0 destination unreach, 0 admin unreach, 0 parameter problem 0 time exceeded, 0 pkt too big, 0 redirects 5 echo requests, 0 echo replies 0 rtr solicits, 0 rtr advertisements 0 neighbor solicits, 0 neighbor advertisements Group membership: 0 queries, 0 responses, 0 reductions Operational MTU 1500 Administrative MTU 0 Operational speed 100000000 Administrative speed 0 In Received Packets 0, Bytes 0 Unicast Packets 0, Bytes 0 Multicast Packets 0, Bytes 0 In Total Dropped Packets 0, Bytes 0 In Policed Packets 0 In Invalid Source Address Packets 0 In Error Packets 0 In Discarded Packets 0 Out Forwarded Packets 5, Bytes 740 Unicast Packets 5, Bytes 740 Multicast Routed Packets 0, Bytes 0 Out Total Dropped Packets 0, Bytes 0 Out Scheduler Dropped Packets 0, Bytes 0 Out Policed Packets 0 Out Discarded Packets 0

3-28

CHAPTER 3 Configuring IPv6 and Neighbor Discovery

Interface ATM4/0.15

Example 5
IPv6-Address 1::2/60 Status up Protocol up Description

host1#show ipv6 interface brief ---------------------- -------------------- ------- -------- ------------------

show ipv6 neighbors

Use to display IPv6 Neighbor Discovery cache information static entries, dynamic entries, or both. Field descriptions

Prefix IPv6 address prefix Length prefix length Type protocol type (possible route types include: Bgp, Connect, Idrp, Igrp,
Invalid, Isis, Ndisc, Ospf, Other, Rip, Static)

Dst (or Distance) administrative distance for the route Met (or Metric) number of hops Intf (or Interface) interface type and interface specifier NextHop configured next hop address for this interface IfIndex autogenerated value for the next-hop interface

Example 1

show ipv6 profile

Use to display information about a specific IPv6 profile. Field descriptions

IP profile profile name Unnumbered interface specifier for the unnumbered interface or none if the
interface is numbered

Router router name Access Route Addition enabled or disabled Source-Address Validation enabled or disabled Administrative MTU MTU size
host1#show ip profile foo IPv6 profile : foo Unnumbered interface on : loopback 0 Router Access Route Addition Source-Address Validation Administrative MTU : r1 : Enabled : Disabled : 0

Example

Monitoring IPv6 and Neighbor Discovery E-Series Routers

3-29

show ipv6 protocols

Use to display configured protocols. Field descriptions

Local router ID router ID of the local router Local AS AS number of local router Administrative state administrative state of the protocol Operational state operational state of the protocol Shutdown in overload state status of shutdown in an overload state Default local preference default value for local preference IGP synchronization indicates whether synchronization is enabled or disabled BGP

Default originate indicates whether network 0.0.0.0 is redistributed into Auto summary status of autosummary Always compare MED status of always compare MED Compare MED within confederation status of compare MED within a
confederation

Advertise inactive routes status of Advertise inactive routes Advertise best external router to internal peers status of Advertise best
external router to internal peers

Enforce first AS status of Enforce first AS Missing MED as worst status of Missing MED as worst Route flap dampening status of route dampening Log neighbor changes status of Log neighbor changes Fast External Fallover status of Fast External Fallover Maximum received AS-path length maximum AS-path length received BGP administrative distances external, internal, and local BGP administrative distances Client-to-client reflection whether client-to-client reflection is configured Cluster ID cluster IDs Route-target filter status of Route-target filter Default IPv4-unicast status of Default IPv4-unicast Local-RIB version RIB version Local-FIB version FIB version Neighbor (s) BGP neighbors (if configured) Networks for which routing is occurring Aggregate Generation for Unicast Routes
host1#show ipv6 protocols Routing Protocol is "bgp 100" Local router ID 1.1.1.1, local AS 100 Administrative state is Start Operational state is Up

Example 1

3-30

CHAPTER 3 Configuring IPv6 and Neighbor Discovery

Shutdown in overload state is disabled Default local preference is 100 IGP synchronization is enabled Default originate is disabled Auto summary is enabled Always compare MED is disabled Compare MED within confederation is disabled Advertise inactive routes is disabled Advertise best external route to internal peers is disabled Enforce first AS is disabled Missing MED as worst is disabled Route flap dampening is disabled Log neighbor changes is disabled Fast External Fallover is disabled No maximum received AS-path length BGP administrative distances are 20 (ext), 200 (int), and 200 (local) Client-to-client reflection is enabled Cluster ID is 1.1.1.1 Route-target filter is enabled Default IPv4-unicast is enabled Local-RIB version 8. FIB version 8. Neighbor(s): No neighbors are configured Routing for Networks: Aggregate Generation for Unicast Routes:

Example 2
host1#show ipv6 protocols summary bgp 100

show ipv6 redistribute

Use to display configured route redistribution policy. Field descriptions

To protocol that routes are distributed into From protocol that routes are distributed from status redistribution status route map name name of the route map
host1#show ipv6 redistribute To bgp, From static is enabled with route map foo To bgp, From connected is enabled without a route map

Example

Monitoring IPv6 and Neighbor Discovery E-Series Routers

3-31

show ipv6 route

Use to display the current state of the routing table, including routes not used for forwarding. You can display all routes, a specific route, detailed information about all or a specific route, or summary counters for the routing table. Field descriptions

Prefix IPv6 address prefix Length prefix length

Type protocol type (possible route types include: Bgp, Connect, Idrp, Igrp, Invalid, Isis, Ndisc, Ospf, Other, Rip, Static)

Dst (or Distance) administrative distance for the route Met (or Metric) number of hops Intf (or Interface) interface type and interface specifier NextHop the configured next hop address for this interface IfIndex an autogenerated value for the next hop interface

Example 1
Type Dst/Met Intf loopback1 ATM4/0.15 ATM4/0.15 ATM4/0.15

host1#show ipv6 route Prefix/Length 1::/16 5::/64 6::/64 2003::/16 -------------------------------- ------- ------- -------------------Connect 0/0 Connect 0/0 Static Static 1/0 1/0

Example 2
host1#show ipv6 route summary 6 total routes, 408 bytes in route entries 0 isis routes 0 rip routes 2 static routes 2 connected routes 0 bgp routes 0 ospf routes 2 other internal routes 0 access routes 0 internally created access host routes Last route added/deleted: null by Local At WED JAN 22 2003 09:53:33 UTC

Example 3
host1#show ipv6 route 5::/64 detail 5::/64 Type local Distance 0 Metric 0 NextHop 1::2 IfIndex 10007 Intf ATM4/0.15

3-32

CHAPTER 3 Configuring IPv6 and Neighbor Discovery

show ipv6 static

Use to display the status of static routes in the routing table. You can specify an IP mask that filters specific routes. Field descriptions

host1#show ipv6 static Prefix/Length 6::/64 2003::/16

Prefix IP address prefix Length prefix length Next Hop IP address of the next hop Dst administrative distance of the route Met number of hops Interface interface type and interface specifier

Example
NextHop 5::2 5::1 Dst/Met 1/0 1/0 Interface ATM4/0.15 ATM4/0.15

------------------------ ------------------------ ------- --------------------

show ipv6 traffic

Use to display statistics about IPv6 traffic. Field descriptions

IPv6 statistics Rcvd:

total total number of packets received local destination number of packets received with this router as their destination hdr errors number of packets containing header errors addr errors number of packets containing addressing errors unkn proto number of packets received containing unknown protocols discards number of discarded packets

IPv6 statistics Sent:

forwarded number of packets forwarded generated number of packets generated out disc number of packets that could not be routed that were discarded

IPv6 statistics Mcast:

received number of multicast packets received forwarded number of multicast packets forwarded

IPv6 statistics (Routes) number of routes currently in the routing table ICMPv6 statistics Rcvd:
total total number of received packets errors error packets received destination unreach packets received with destination unreachable

Monitoring IPv6 and Neighbor Discovery E-Series Routers

3-33

admin unreach packets received because the destination was administratively unreachable (for example, the packet encountered a firewall filter) parameter problem packets received with parameter errors time exceeded packets received with time-to-live exceeded pkt too big number of packet-too-big messages received that indicate a packet was too large to forward because of the allowed MTU size redirects received packet redirects echo requests echo request (ping) packets echo replies echo replies received rtr solicits number of received router solicitations rtr advertisements number of received router advertisements neighbor solicits number of received neighbor solicitations neighbor advertisements number of received neighbor advertisements Group membership (queries, responses, reductions) number of queries, responses, and reduction requests received from within a group to which the interface is assigned

ICMP statistics Sent:

total total number of received packets errors error packets received destination unreach packets received with destination unreachable admin unreach packets sent because the destination was administratively unreachable (for example, due to a firewall filter) parameter problem packets received with parameter errors time exceeded packets received with time-to-live exceeded pkt too big number of packet-too-big messages sent because a received packet was too large to forward because of the allowed MTU size redirects received packet redirects echo requests echo request (ping) packets echo replies echo replies received rtr solicits number of sent router solicitations rtr advertisements number of sent router advertisements neighbor solicits number of sent neighbor solicitations neighbor advertisements number of sent neighbor advertisements Group membership (queries, responses, reductions) number of queries, responses, and reduction requests sent to a group to which the interface is assigned

UDP Statistics Rcvd:

total total number of received packets checksum errors checksum error packets received no port no port error packets received

3-34

CHAPTER 3 Configuring IPv6 and Neighbor Discovery

UDP Statistics Sent:

total total number of received packets errors error packets received Example
host1#show ipv6 traffic IPv6 statistics: Rcvd: 0 total, 0 local destination 0 hdr errors, 0 addr errors 0 unkn proto, 0 discards Sent: 0 forwarded, 0 generated 0 out disc Mcast: 0 received 0 forwarded Routes: 7 in routing table ICMPv6 statistics: Rcvd: 0 total, 0 errors 0 destination unreach, 0 admin unreach, 0 parameter problem 0 time exceeded, 0 pkt too big, 0 redirects 0 echo requests, 0 echo replies 0 rtr solicits, 0 rtr advertisements 0 neighbor solicits, 0 neighbor advertisements Group membership: 0 queries, 0 responses, 0 reductions Sent: 3 total, 0 errors 0 destination unreach, 0 admin unreach, 0 parameter problem 0 time exceeded, 0 pkt too big, 0 redirects 0 echo requests, 0 echo replies 0 rtr solicits, 0 rtr advertisements 2 neighbor solicits, 1 neighbor advertisements Group membership: 0 queries, 0 responses, 0 reductions UDP Statistics: Rcvd: 0 total, 0 checksum errors, 0 no port Sent: 0 total, 0 errors

show ipv6 udp statistics

Use to display IPv6 UDP statistics. Example
host1#show ipv6 udp statistics UDP Statistics: Rcvd: 0 total, 0 checksum errors, 0 no port Sent: 0 total, 0 errors

Monitoring IPv6 and Neighbor Discovery E-Series Routers

3-35

show license ipv6

Use to display the IPv6 license key configured on the router. Example
host1#show license ipv6 Ipv6 license is ipv6_licence

3-36

CHAPTER 3 Configuring IPv6 and Neighbor Discovery

Configuring NAT

4
Page 4-2 4-2 4-4 4-5 4-6 4-7 4-7 4-8 4-8 4-8 4-9 4-10 4-15 4-15 4-23

This chapter describes how to configure Network Address Translation (NAT) on your E-series router.
Topic Overview NAT Configurations Network and Address Terms Understanding Address Translation Address Assignment Methods Order of Operations References Before You Begin Limiting Translation Entries Specifying Inside and Outside Interfaces Defining Static Address Translations Defining Dynamic Translations Clearing Dynamic Translations Configuration Examples Monitoring NAT

4-2

CHAPTER 4 Configuring NAT

Overview
The Internet faces the challenge of conserving IP address space while continuing to provide scalability in routing. Network Address Translation (NAT) helps to address these challenges by allowing the conservation of registered IP addresses within private networks and simplifying IP addressing management tasks through a form of transparent routing. NAT allows you to translate IP addresses between two address realms (for example, between an intranet network that uses private, not publicly routable addresses and the Internet or between two overlapping, private networks). On receiving incoming traffic, the IP addresses are translated back for delivery within the private network. Using NAT at the edge of your intranet provides the following advantages: Allows unregistered private addresses to connect to the Internet by translating those addresses into globally registered IP addresses Increases network privacy by hiding internal IP addresses from external networks

NAT Configurations
You can configure NAT in several different ways. Each configuration method provides a solution for different configuration requirements. These methods include: Traditional NAT Bidirectional NAT Twice NAT
Traditional NAT

Traditional NAT (sometimes called outbound NAT) is the most common method of using address translation. Its primary use is translating private addresses to legal addresses for use in an external network. When configured for dynamic operation, hosts within a private network can initiate access to the external (public) network, but external nodes on the outside network cannot access the private network. Addresses on the private network and public network must not overlap. Also, route destination advertisements on the public network (for example, the Internet) can appear within the inside network, but the

NAT Configurations E-Series Routers

4-3

NAT router does not propagate advertisements of local routes that reference private addresses out to the public network. Two types of traditional NAT exist basic NAT and NAPT.
Basic NAT

Basic NAT provides translation for IP addresses only (called a simple translation) and places the mapping into a NAT table. In other words, for packets outbound from the private network, the NAT router translates the source IP address and related fields (for example, IP, TCP, UDP, and ICMP header checksums). For inbound packets, the NAT router translates the destination IP address (and related checksums) for entries that it finds in its translation table.
Caution: Although it is the simplest and most common, basic NAT is the least secure translation method. By not defining the translation to the port level, and accepting return information on any port, basic NAT can leave private hosts open to port access.

NAPT

Network Address Port Translation (NAPT) extends the level of translation beyond that of basic NAT; it modifies both the IP address and the transport identifier (for example, the TCP or UDP port number, or the ICMP query identifier) and places the mapping into the translation table (this entry is called an extended translation). This process combines the transport identifiers and addresses of any number of private hosts into one transport identifier of one or more external addresses. Similar to basic NAT, for outbound packets, NAPT translates the source IP address, source transport identifier, and related checksum fields. For inbound packets, NAPT translates the destination IP address, destination transport identifier, and checksum fields.
Bidirectional NAT

Bidirectional (or two-way) NAT uses traditional NAT in conjunction with the Domain Name System Application Level Gateway (DNS-ALG). When using bidirectional NAT, hosts can initiate sessions from both the private network and the public network. The translation, installed by DNS, maps private network addresses to globally unique addresses, statically or dynamically, as hosts establish connections in either direction. Hosts in the public network can access hosts in the private network by using DNS address resolution. This requires an end-to-end unique fully qualified domain name (FQDN) for

4-4

CHAPTER 4 Configuring NAT

each host. In other words, the NAT router intercepts any DNS message (using the DNS-ALG) and assigns a global address to reach the intended host. When a public (outside) host initiates a session with a private host, the NAT router intercepts the packet and substitutes the advertised public address with the actual private (inside) address. On the return path the NAT router replaces the local private address (now the source) with the advertised public host address. Some additional configuration may be required to allow public access from the Internet to a DNS server that resides in the private domain (see Bidirectional NAT Example on page 4-17). The same address space requirements and routing restrictions apply to bidirectional NAT as were described for traditional NAT. The difference between these two methods is that the DNS exchange may create entries within the translation table.
Twice NAT

In twice NAT, both the source and destination addresses are subject to translation as packets traverse the NAT router. For example, you would use twice NAT when you are connecting two networks in which all or some addresses in one network overlap with addresses in another network (whether the network is private or public).

Network and Address Terms

The NAT implementation defines an address realm as either inside or outside, with the router that is running NAT acting as the defining boundary between the two realms. From a NAT perspective, an inside network is the local portion of a network that uses private, not publicly routable, IP addresses that you want to translate. An outside network is the public portion of a network that uses legitimate, publicly routable IP addresses to which you want private hosts to connect. The terms in this section relate to those addresses you want to translate from one network realm to another. Addresses within these realms are labelled as either local or global. When reading the following sections, keep the following in mind: The terms inside and outside refer to where a host resides

Understanding Address Translation E-Series Routers

4-5

The terms local and global refer to where the address appears on the NAT network.
Inside Local Addresses

The inside local address is a configured IP address that is assigned to a host on the inside network. Addresses may be globally unique (not requiring translation), allocated from the private address space defined in RFC 1918, or officially allocated to some other organization.
Inside Global Addresses

The inside global address is the translated IP address of an inside host as seen by an outside host and network. Addresses may be allocated from a globally unique address space (often provided by the ISP, if the inside address is connected to the global Internet).
Outside Local Addresses

The outside local address is the translated IP address of an outside host as it appears to the inside network. Addresses may be globally unique (not requiring translation), allocated from the private address space defined in RFC 1918, or officially allocated to some other organization.
Outside Global Addresses

The outside global address is the configured, publicly routable IP address assigned to a host on the outside network.

Understanding Address Translation

Address translation can occur under one of two general methods inside or outside source translation.
Inside Source Translation

Inside source translation is the most commonly used in NAT configuration. In this method, the NAT router performs translation between an inside (private) network address and an outside network address (for example, the Internet). The NAT router replaces the private source address with a globally unique address (either statically or dynamically). When the external destination responds, the NAT router, after successfully locating the address translation in its translation table, untranslates the global address (now the destination address) back to the local, private address.

4-6

CHAPTER 4 Configuring NAT

Note: Dynamic inside source translations are established by outbound traffic.

You use inside source translation in traditional and bidirectional NAT configurations.
Outside Source Translation

Outside source translation is less often used in NAT configuration because you are configuring the translation of an outside source to access an inside network. Normally, outside hosts have globally unique IP addresses, making translation unnecessary. You use outside source translation along with inside source translation to configure translation in both directions, from both sides of the NAT router (not just translation of outbound information and untranslation of returning information).
Note: Dynamic outside source translations are established by inbound traffic.

Cases that require this type of translation method occur in twice NAT configurations that set up translation between two networks that contain nonunique or not publicly routable IP addresses (for example, two separate networks that use overlapping IP address blocks).

Address Assignment Methods

NAT uses one of two methods to assign IP addresses static translation or dynamic translation.
Static Translations

You enter static translations as direct configuration settings that remain in the translation table until you remove them. You use static translations when you must initiate connections from both the inside and outside interfaces or when the translation is not subject to change.
Dynamic Translations

Dynamic translations use access list rules (to determine whether or not to apply NAT to incoming traffic) and NAT address pools (from which a NAT translation can use one of several available IP addresses). You use dynamic translation when you want the NAT router to initiate and manage address translation and session flows between address realms on demand.

Order of Operations E-Series Routers

4-7

Order of Operations
Table 4-1 displays the order of operations for both inside-to-outside and outside-to-inside translation.
Table 4-1 NAT Order of Operations Inside-to-Outside Translation 1 Inside (privately addressed) traffic enters the router on an interface marked as inside. A route lookup is performed. If the next interface is marked as outside, the router sends the traffic to the server module. 3 The server module performs the appropriate translation. The router forwards the packet to the appropriate egress line card. The line card sends the packet as outbound traffic using a globally unique source address (inside source translation), destination address (outside source translation), or ports (NAPT). 4 Outside-to-Inside Translation 1 2 Traffic from the outside, public domain enters the router. All traffic from an interface that is marked outside, whether or not it requires NAT, is sent to the server module. The server card looks for an associated NAT match. If the server module:

2 3

4 5 6

Finds a NAT match, and the

destination interface is marked as inside, the server module performs the appropriate translation and sends the packet to the appropriate destination.

Does not find a NAT match, and the

destination interface is marked as inside, the server module drops the packet.

Does not find a NAT match, and the

destination interface is not marked as inside, the server module processes the packet normally for its destination.

References
For more information about IP, consult the following resources: RFC 2663 IP Network Address Translator (NAT) Terminology and Considerations (August 1999) RFC 2694 DNS extensions to Network Address Translators (DNS_ALG) (September 1999) RFC 2993 Architecture Implications of NAT (November 2000) RFC 3022 Traditional IP Network Address Translator (Traditional NAT) (January 2001) RFC 3027 Protocol Complications with the IP Network Address Translator (January 2001)

4-8

CHAPTER 4 Configuring NAT

Before You Begin

You can configure certain IP interfaces to participate in Network Address Translation. This chapter discusses how to configure NAT to function for certain IP interfaces. For information about general IP interface configuration, see Chapter 2, Configuring IP.

Limiting Translation Entries

You can configure the maximum number of dynamic translation entries that the translation table contains in Global Configuration mode for a given virtual router. The no version removes the configured limit and returns the maximum number of translation entries to the default (no limit).
ip nat translation max-entries
Use to specify the maximum number of dynamic translation entries that the translation table can contain in global configuration mode for the given virtual router. Example host:VR1 (config-if) #ip nat translation max-entries 50 Use the no version to remove the configuration limit.

Specifying Inside and Outside Interfaces

You must mark interfaces that participate in NAT translation as residing on the inside or the outside network.
Caution: Only packets routed between an inside and an outside interface are subject to translation.

You can unmark an interface by using the no version of this command.

ip nat
Use to mark an IP interface as participating in NAT translation. Specifies on what side of the network (either inside or outside) the interface resides. Example host (config-if) # ip nat inside Use the no version to unmark the interface (the default).

Defining Static Address Translations E-Series Routers

4-9

Defining Static Address Translations

Static address translation establishes a one-to-one mapping between a local (private) and global address. When specifying a static address translation, you issue commands to indicate how the translation is applied, along with more specific variables that further define the type of translation.
Caution: You must mark interfaces that participate in NAT translation as on the inside or the outside network. See Specifying Inside and Outside Interfaces for details.

Creating Inside Source Translations

You use the ip nat inside source static command to create static translations from a local IP address to a global IP address, and to untranslate the destination address when a packet returns from the outside network to the inside network. When configuring traditional NAT (both basic NAT and NAPT), you need only use this command alone. However, when configuring twice NAT, you must also use the ip nat outside source static command. The ip nat inside source static command creates a simple (IP address only) or extended (IP address, protocol, and port) entry in the translation table that maps the two addresses.
ip nat inside source static
Use to create static translations for a source address when routing a packet from the inside network to the outside network, and to untranslate the destination address when a packet returns from the outside network to the inside network. Example 1 simple NAT table entry host (config) # ip nat inside source static 10.1.2.3 171.69.68.10 Example 2 extended NAT table entry host (config) # ip nat inside source static tcp 10.1.2.3 15 171.69.68.10 30 Use the no version to remove the static translation and purge the associated translations from the translation table.

Note: Creating a static translation with the ip nat inside source static command allows any outside host to contact the inside host by using the inside global address of the inside host. This means that a static translation can be initiated in either direction.

4-10

CHAPTER 4 Configuring NAT

Creating Outside Source Translations

Less commonly used, outside source translation allows you to set up translation between two nonunique or not publicly routable networks (for example, two separate networks that use overlapping IP address blocks). This command creates a simple (IP address only) or extended (IP address, protocol, and port) entry in the translation table that maps the two addresses.
ip nat outside source static
Use to translate the source address when routing a packet from the outside network to the inside network, and to untranslate the destination address when a packet travels from the inside network to the outside network. Example 1 simple NAT table entry host (config) # ip nat outside source static 171.69.68.10 10.1.2.3 Example 2 extended NAT table entry host (config) # ip nat outside source static tcp 171.69.68.10 56 10.1.2.3 24 Use the no version to remove the static translation and purge the associated translations from the translation table.

Note: Creating a static translation with the ip nat outside source static command allows any inside host to contact the outside host by using the address of the outside host. This means that a static translation can be initiated in either direction.

Defining Dynamic Translations

To configure dynamic translations: Define any access list rules that the NAT router uses to decide which packets need translation. Define an address pool from which the NAT router obtains addresses. Define inside or outside source translation rules for the NAT router to use for any NAT traffic it processes. Mark interfaces as inside or outside. (Optional) Modify any translation time-out values.
Creating Access List Rules

Before creating a dynamic translation, you should create the access list rules that you plan to apply to the translation. For information about configuring access lists, see Chapter 1, Configuring Routing Policy. The router evaluates multiple commands for the same access list in the order they were created. An undefined access list implicitly contains a

Defining Dynamic Translations E-Series Routers

4-11

rule to permit any. A defined access list implicitly ends with a rule to deny any.
Note: The access lists do not filter any packets; they determine whether or not the packet requires translation.

For reference, you can configure an access list using the access-list command.
access-list
Use to define an IP access list to permit or deny translation based on the addresses in the packets. Each access list is a set of permit or deny conditions for routes that are candidates for translation (that is, moving from the inside network to the outside network). A zero in the wildcard mask means that the route must exactly match the corresponding bit in the address. A one in the wildcard mask means that the route does not have to match the corresponding bit in the address. Use the log keyword to log an Info event in the ipAccessList log whenever matching an access-list rule. Use the no version to delete the access list (by not specifying any other options), the specified entry in the access list, or the log for the specified access list or entry (by specifying the log keyword).

Defining Address Pools

Before you can configure dynamic translation, you should first create an address pool. An address pool is a group of IP addresses from which the NAT router obtains an address when performing a dynamic translation. You can create address pools with either a single range or multiple, nonoverlapping ranges. When creating a single range, you specify the optional starting and ending IP address for the range in the root ip nat pool command. However, when creating multiple, nonoverlapping ranges, you omit the optional starting and ending IP address in the root ip nat pool command; this launches the IP NAT Pool Configuration mode. The config-ipnat-pool mode uses an address command to specify a range of IP addresses. You can repeat this command to create multiple, nonoverlapping ranges. When creating or editing address pools, keep the following in mind: Specified-range starting and ending IP addresses are inclusive and must reside on the same subnet.

4-12

CHAPTER 4 Configuring NAT

Address ranges are verified against other ranges in the specified pool to exclude range overlaps. Additional verification occurs when the pool is associated with a translation rule and the router can determine whether the rule is inside or outside. You cannot change the network mask if configured ranges already exist. The subnetwork mask excludes host addresses that end in either all zeros or all ones. These addresses are reserved as broadcast addresses. You cannot remove an address pool if the pool is part of a translation rule or if any of the ranges within the pool are still in use. You must issue the clear ip nat translation command to clear any ranges before you can remove the pool to which they apply.
ip nat pool
Use to create address pools. Example 1 creating a single, continuous range host (config) #ip nat pool singlerange 171.69.40.1 171.69.40.100 prefix-length 30 Example 2 creating a multiple, discontinuous range host (config) #ip nat pool multiplerange prefix-length 30 host (config-ipnat-pool)#address 171.69.40.110 171.69.40.115 host (config-ipnat-pool)#address 171.69.40.116 171.69.40.120 host (config-ipnat-pool)#exit The no version removes the range designation.

address
Use to specify a range of IP addresses in IP NAT Pool Configuration mode; you can repeat the address command to create multiple ranges. Example host (config-ipnat-pool)#address 171.69.40.110 171.69.40.115 The no version removes the range for the current address pool.

Defining Translation Rules

The CLI allows you to define dynamic translations for inside and outside sources.
Caution: You must mark interfaces that participate in NAT translation as on the inside or the outside network. See Specifying Inside and Outside Interfaces for details.

You can create dynamic translation rules for either an inside source translation or an outside source translation. The router determines if source addresses from a named access list require translation. If they do,

Defining Dynamic Translations E-Series Routers

4-13

the router translates the addresses by substituting addresses from a specified address pool. When creating dynamic translations, keep the following in mind: You can associate a list with one pool at any given time. Associating a list with a different pool replaces the previous association. The optional overload keyword for inside source translations specifies that the router employ NAPT translation. You can configure dynamic NAPT for inside source translation only; you cannot configure dynamic NAPT for outside source translation. An access list mismatch results in the NAT routers not translating the packet. An empty pool results in the NAT routers dropping the packet. Access lists and pools do not have to exist when you are defining dynamic translations; you may create them after defining the dynamic translations.
Creating Dynamic Inside Source Translations

Use the ip nat inside source list command to create a dynamic inside source translation rule. This command dynamically translates inside local source addresses to inside global addresses when packets from the inside network are routed to the outside network (and vice versa when a packet returns before a translation table entry times out). Use the overload keyword to specify that the translation create NAPT entries (protocol, port, and address) in the NAT table. The no version of this command removes the dynamic translation rule, but does not remove any previously created translations (resulting from the rule evaluation) from the translation table. To remove active translations from the translation table, see Clearing Dynamic Translations on page 4-15.
ip nat inside source list
Use to create dynamic translations for a source address when routing a packet from the inside network to the outside network, and to translate the destination address when a packet returns from the outside network to the inside network. Example host (config) #ip nat inside source list translation1 pool pool1 Use the overload keyword to specify that the translation create extended entries (protocol, port, and address) in the translation table for NAPT. Use the no version to remove the dynamic translation rule; this command does not remove any dynamic translations from the translation table.

4-14

CHAPTER 4 Configuring NAT

Creating Dynamic Outside Source Translations

Use the ip nat outside source list command to create a dynamic outside source translation rule. This command dynamically translates outside global source addresses to outside local addresses when packets are routed from the outside network to the inside network (and untranslates the destination address when a packet returns before a translation table entry times out). The no version of this command removes the dynamic translation rule, but does not remove any previously created translations from the translation table. To remove active translations from the translation table, see Clearing Dynamic Translations.
ip nat outside source list
Use to create dynamic translations for a source address when routing a packet from the outside network to the inside network, and to translate the destination address when a packet returns to the outside network from the inside network. Example host (config) # ip nat outside source list translation1 pool pool1 Use the no version to remove the dynamic translation rule; this command does not remove any dynamic translations from the translation table.

Defining Translation Time-Outs

Dynamic translations in the translation table age out if the router does not use them. Use the ip nat translation command to change or disable NAT translation time-outs. You can set the aging time to some value (in seconds) for any one of the specified timers: timeout Dynamic simple translations, except for overloaded translations; default is 86400 seconds (24 hours). udp-timeout UDP protocol extended translations; default is 300 seconds (5 minutes). dns-timeout DNS-created protocol translations; default is 120 seconds. These dynamic translations are installed by the DNS but not yet used; as soon as the translation is used, the router applies the timeout. tcp-timeout TCP protocol extended translations; default is 86400 seconds (24 hours). finrst-timeout TCP connections terminated with reset (RST) or bidirectional finished (FIN) flags; default is 120 seconds. This time-out

Clearing Dynamic Translations E-Series Routers

4-15

applies only to TCP overload translations. It more gracefully ages out closed translations. icmp-timeout ICMP protocol extended translations; default is 300 seconds (5 minutes). All time-outs for this command support a maximum value of 2147483 seconds (about 25 days). The no version of this command resets the timer to its default value.
ip nat translation
Use to change translation time-outs for old translations in the translation table. All time-outs for this command support a maximum value of 2147483 seconds (about 25 days). Example host1 (config) # ip nat translation timeout 23200

Clearing Dynamic Translations

Use the clear ip nat translation command to clear dynamic translations from the NAT translation table. You can remove all dynamic translations from the translation table or restrict the removal of translation entries based on the protocol, address, or port values.
clear ip nat translation
Use to clear dynamic translations from the NAT translation table. Use an asterisk (*) to clear all dynamic translations from the translation table. Example 1 to clear all dynamic translations host1 #clear ip nat translation* Example 2 to clear a specific port translation host1 #clear ip nat translation tcp inside 171.69.68.10 10.1.2.3 55 There is no no version.

Configuration Examples
This section contains NAT configuration examples for a single virtual router configuration and NAT translation between two virtual routers.
NAPT Example

This example illustrates a NAPT configuration for a private network with two inside sub-networks, a field office, and a corporate office.

4-16

CHAPTER 4 Configuring NAT

Both offices use private addresses. The corporate office has a dual T-3 link and a public FTP server that has a global address (that is, it does not need translation).

Field office 10.10.1.0/24 i

Virt blue 0

i Corporate HQ 10.10.2.0/24 Address pool: 192.32.6.10 192.32.6.12 Access list: permit 10.10.1.0 0.0.0.255 permit 10.10.2.0 0.0.0.255 Static translations: 190.22.8.18.21 190.22.8.18 :21

Figure 4-1 NAPT example

The address pool consists of three addresses (the number of addresses is small, since NAPT is used). Addresses matching the private address spaces of the corporate and field subnetworks are translated to global addresses from the pool using NAPT. To configure this example:
1

Enter the correct virtual router context.

host1(config)#virtual-router blue

Mark the inside interfaces.

a

First the field office:

host1:blue(config)#interface serial 2/1:1/1 host1:blue(config-interface)#ip nat inside host1:blue(config-interface)#exit

Then the two corporate T-3 links:

host1:blue(config)#interface serial 1/1 host1:blue(config-interface)#ip nat inside host1:blue(config-interface)#exit host1:blue(config)#interface serial 1/2 host1:blue(config-interface)#ip nat inside host1:blue(config-interface)#exit

g013229

FTP server 190.22.8.18/24

Configuration Examples E-Series Routers

4-17

Mark the outside interface.

host1:blue(config)#interface gigabitEthernet 3/0.1 host1:blue(config-interface)#ip nat outside host1:blue(config-interface)#exit

Create a static nil-translation for the FTP server on the corporate network.
host1:blue(config)#ip nat inside source static tcp 190.22.8.18 21 190.22.8.18 21

Create the address pool for dynamic translations.

host1:blue(config)#ip nat pool corpxyz 192.32.6.4 192.32.6.7 prefix-length 24

Create the access list for addresses eligible for dynamic translation.
host1:blue(config)#access-list justcorp permit 10.10.1.0 0.0.0.255 host1:blue(config)#access-list justcorp permit 10.10.2.0 0.0.0.255

Create the NAPT dynamic translation rule.

host1:blue(config)#ip nat inside source list justcorp pool corpxyz overload

Configure a default route to the outside interface.

host1:blue(config)#ip route 0.0.0.0 0.0.0.0 gigabitEthernet 3/0.1

Configure a null route for the inside global addresses (prevents routing loops when no matching translation exists)
host1:blue(config)#ip route 192.32.6.0 255.255.255.252 null 0

All hosts using private addresses in both the field office and the corporate office must have their addresses translated to one of the three addresses in the pool. Because we are using NAPT, the interface can use only one pool address, depending on the number of inside hosts attempting to access the outside at any given time.
Bidirectional NAT Example

In this example, outside hosts can initiate conversations with inside hosts through the use of a DNS server that resides on the inside network. The inside realm uses basic NAT. The inside network uses a mix of private subnetwork address space (192.168.22/24) and registered public addresses.

4-18

CHAPTER 4 Configuring NAT

Virt blue Enterprise A 192.168.22.0/24 i 0

DNS 192.168.22.2

Figure 4-2 Bidirectional NAT example

To configure this example:

1

Enter the correct virtual router context.

host1(config)#virtual-router blue

Mark the inside interface.

host1:blue(config)#interface serial 1/1:1/1 host1:blue(config-interface)#ip nat inside host1:blue(config-interface)#exit

Mark the outside interface.

host1:blue(config)#interface gigabitEthernet 3/0.1 host1:blue(config-interface)#ip nat outside host1:blue(config-interface)#exit

Create the translation for the DNS.

host1:blue(config)#ip nat inside source static 192.168.22.2 192.32.6.1

Create the address pool for dynamic translations.

host1:blue(config)#ip nat pool entA192 192.32.6.2 192.32.6.63 prefix-length 24

Create the access list for addresses eligible for dynamic translation (that is, private addresses).
host1:blue(config)#access-list entA permit 192.168.22.0 0.0.0.255

Create the dynamic translation rule.

host1:blue(config)#ip nat inside source list entA pool entA192

g013230

Address pool: 192.32.6.2 192.32.6.63 Access list: permit 192.168.22.0 0.0.0.255 Static Translations: 192.168.22.2 192.32.6.1

Configuration Examples E-Series Routers

4-19

Configure a default route to the outside interface.

host1:blue(config)#ip route 0.0.0.0 0.0.0.0 gigabitEthernet 3/0.1

Configure a null route for the inside global addresses (to prevent routing loops when no matching translation exists).
host1:blue(config)#ip route 192.32.6.0 255.255.255.192 null 0

Twice NAT Example

Twice NAT is often useful when the inside network is using a nonprivate address space (unregistered usage of global address space) and desires connectivity to the public network. Inside local addresses need to be translated to legal global addresses. Legal addresses from the outside that overlap those used on the inside network need to be translated to unused and recognizable addresses in the inside network. Both inside source and outside source translations must be configured on the NAT router. In this example, the inside network is using the unregistered global address space of 15.12.0.0/16. Outside hosts whose addresses overlap with this sub-network that wish to access the inside network will need their global addresses translated.

Virt blue Enterprise A 15.12.0.0/16 i 0 Public network

Outbound address pool: 12.220.1.0 12.220.255.255 Outbound access list: permit 15.12.0.0 0.255.255 Inbound address pool: 10.1.32.1 10.1.32.255 Inbound access list: 15.12.0.0 0.0.255.255
Figure 4-3 Twice NAT example

To configure this example:

1

Enter the correct virtual router context.

host1(config)#virtual-router blue

g013231

4-20

CHAPTER 4 Configuring NAT

Mark the inside interface.

host1:blue(config)#interface fast-ethernet 6/1 host1:blue(config-interface)#ip nat inside host1:blue(config-interface)#exit

Mark the Outside Interface.

host1:blue(config)#interface atm 3/0.20 host1:blue(config-interface)#ip nat outside host1:blue(config-interface)#exit

Create the address pool for inside source translations.

host1:blue(config)#ip nat pool entAoutpool 12.220.1.0 12.220.255.255 prefix-length 16

Create the access list for addresses eligible for dynamic translation.
host1:blue(config)#access-list entAout permit 15.12.0.0 0.0.255.255

Create the dynamic translation rule for outbound traffic.

host1:blue(config)#ip nat inside source list entAout pool entAoutpool

Create the address pool for outside source translations.

host1:blue(config)#ip nat pool entAinpool 10.1.32.1 10.1.32.255 prefix-length 16

Note: Using a private address range avoids any overlap with the public network.

Configure the access list for global addresses that overlap with inside addresses.
host1:blue(config)#access-list entAin permit 15.12.0.0 0.0.255.255

Create the dynamic translation rule for inbound traffic

host1:blue(config)#ip nat outside source list entAin pool entAinpool

10 Create a route to the outside interface for inside hosts to access

outside hosts that have overlapping addresses

host1:blue(config)#ip route 10.1.32.0 255.255.255.0 atm 3/0.1

Note: An inside host cannot directly access hosts on the outside network that use addresses that overlap with the inside subnetwork. However, by using DNS name resolution to reference translated addresses, inside hosts can access these outside hosts.

Configuration Examples E-Series Routers

4-21

11 Configure a null route for the inside global addresses (prevents

routing loops when no matching translation exists)

host1:blue(config)#ip route 12.220.0.0 255.255.0.0 null 0

Cross-VRF Example

In MPLS VPN configurations, it may be desirable to offer public Internet access to VPN subscribers. MPLS VPNs are enabled through the use of VRFs. If a VPN is using a private or overlapping address space, we can use NAT to enable access to the public network since NAT is both VR and VRF aware. In this example, we will use the subscriber interface feature of the router in conjunction with NAT to connect the VPNs to the public network.
VR1 Enterprise A 10.16.5.0/24 VRF11
g013232

Inside

0utside DA=128.13.44.0/24 Address pool: 128.13.44.1 128.13.44.255 Access List: permit 10.16.5.0 0.0.0.255

Figure 4-4 Cross-VRF example

VRF11 is the local (this PE) representation of the MPLS VPN and connects enterpriseA to the VPN. EnterpriseA communicates to VRFs in other PE devices (the rest of the VPN) through RFC2547bis (MPLS VPNs). The VR, of which the VRF is administratively a member, represents the public network. The interface to enterpriseA is marked as an inside interface. The normal steps for configuring inside source translation are applied. A subscriber interface is created off of the uplink to the core network and anchored in the VRF. A DA-based demultiplex matching the inside global address range is configured on the subscriber interface. The subscriber interface is marked as an outside interface. To configure this example:
1

Enter the correct virtual routing and forwarding instance.

host1(config)#virtual-router vr1:vrf11

4-22

CHAPTER 4 Configuring NAT

Mark the inside interfaces.

host1:vr1:vrf11(config)#interface fast-ethernet 6/1 host1:vr1:vrf11 (config-interface)#ip nat inside host1:vr1:vrf11 (config-interface)#exit

Set the primary interface to DA-type demultiplex (for subsequent shared interfaces).
host1:vr1(config)#interface atm 12/0.101 host1:vr1(config-interface)#ip demux-type da-prefix host1:vr1(config-interface)#exit

Create the address pool for dynamic translations.

host1:vr1(config)#virtual-router vr1:vrf11 host1:vr1:vrf11(config)#ip nat pool entApool 128.13.44.1 128.13.44.255 prefix-length 24

Create the access list for addresses eligible for dynamic translation.
host1:vr1:vrf11(config)#access-list entA permit 10.16.5.0 0.0.0.255

Create the dynamic translation rule.

host1:vr1:vrf11(config)#ip nat inside source list entA pool entApool

Create the subscriber interface off the uplink.

host1:vr1:vrf11(config)#interface ip vrf11vr1 host1:vr1:vrf11(config-interface)#ip share-interface atm 12/0.101 host1:vr1:vrf11(config-interface)#ip unnumbered loopback 1

Configure a group of destination prefixes with which the device can communicate on the public network.
host1:vr1:vrf11(config-interface)#ip destination-prefix 128.13.44.0 255.255.255.0

Mark the subscriber interface as outside.

host1:vr1:vrf11(config-interface)#ip nat outside host1:vr1:vrf11(config-interface)#exit

10 Point the default route to the shared interface.

host1:vr1:vrf11(config)#ip route 0.0.0.0 0.0.0.0 ip vrf11vr1

11 Install a null route to avoid routing loops to the inside global address.
host1:vr1:vrf11(config)#ip route 128.13.44.0 255.255.255.0 null 0

Monitoring NAT E-Series Routers

4-23

Monitoring NAT
This section explains how to view NAT statistics, NAT translation entries, and determine what IP interfaces have a NAT inside or outside setting.
Displaying Translation Statistics

The show ip nat statistics command displays statistics that apply to NAT operation.
show ip nat statistics
Use to display internal NAT statistics. Field descriptions

Last dynamic allocation failure completion level of any dynamic allocation

failures; the number of times the router attempted dynamic allocation but reached the dynamic allocation entry limit

Current static translation entries

Inside Source Simple number of inside source simple static translations Outside Source Simple number of outside source simple static translation entries Inside Source Extended number of inside source extended static translations Outside Source Extended number of outside source extended static translations

Dynamic Translation Type dynamic translation type (inside source simple,

outside source simple, inside source extended)

Current current number of dynamic translations of the associated

translation type

Peak peak number of dynamic translations of the associated translation

type

Accumulated accumulated number of dynamic translations of the

associated type; this value reflects the accumulation of dynamic translations since the last router reboot

Failed total number of installation attempts that failed for an associated

translation type

4-24

CHAPTER 4 Configuring NAT

Example

host1#show ip nat statistics NAT database statistics for virtual router vr1: -------------------------------------------------------------Last dynamic allocation failure: normal, successful completion Dynamic entry limit was reached 0 times Current static translation entries: ----------------------------------------Inside Source Simple: Outside Source Simple: Inside Source Extended: Outside Source Extended: Dynamic Translation Type ---------------------------Inside Source Simple Outside Source Simple Inside Source Extended 1 1 2 2 Current ---------2 2 2 Peak ---------2 2 2 Accumulated ----------2 2 2 Failed ---------0 0 0

Displaying Translation Entries

The show ip nat translations command displays current translations that reside in the translation table. Simple translation entries appear with inside/outside and local/global address information. Extended entries appear with added protocol and port numbers (or query ID). Using verbose mode additionally provides the time since creation and time since last use for each translation entry.
show ip nat translations
Use to display current translations that reside in the NAT translation table. Field descriptions

Prot protocol (TCP, UDP, or ICMP) for this translation entry; this field
appears only for extended table entries

Inside local inside local IP address for this translation entry; this field also
provides the port number, separated by a colon ( : ) for extended entries

Inside global inside global IP address for this translation entry; this field
also provides the port number, separated by a colon ( : ) for extended entries

Outside global outside global IP address for this translation entry; this field
also provides the port number, separated by a colon ( : ) for extended entries

Outside local outside local IP address for this translation entry; this field
also provides the port number, separated by a colon ( : ) for extended entries

Monitoring NAT E-Series Routers

4-25

Time since creation amount of time elapsed since the translation entry
appeared in the translation table

Time since last use amount of time elapsed since the translation entry was
used
Prot Inside local 20.0.0.3 21.0.0.3 21.0.0.4 ------UDP UDP UDP TCP UDP TCP --22.0.0.4:63 22.0.0.3:63 --20.50.0.3:87 20.50.0.3:80

Example 1
Inside global 30.0.0.3 30.208.0.3 30.208.0.4 --------30.224.0.3:4097 30.224.0.3:4096 --30.50.0.3:8108 30.50.0.3:8008 Outside global ------50.0.0.3 51.0.0.3 51.0.0.4 50.50.0.3:87 ----50.50.0.3:80 ----Outside local ------70.0.0.3 70.208.0.3 70.208.0.4 70.50.0.3:8108 ----70.50.0.3:8008 -----

host1#show ip nat translation ---- ------------------ ------------------ ----------------- -----------------

Example 2
Time Time since last use 00:00:01 00:00:01 00:00:01 Never 00:00:01 00:00:01 Never 00:00:01 00:00:01 Never Never Never

host1#show ip nat translation verbose Inside Prot Inside local 20.0.0.3 21.0.0.3 21.0.0.4 ------UDP UDP UDP TCP UDP TCP --22.0.0.4:63 22.0.0.3:63 --global 30.0.0.3 30.208.0.3 30.208.0.4 --------Outside global ------50.0.0.3 51.0.0.3 51.0.0.4 7 30.224.0.3: --4097 30.224.0.3: --4096 --50.50.0.3:8 70.50.0.3:8 00:03:10 0 20.50.0.3:87 30.50.0.3:8 --108 20.50.0.3:80 30.50.0.3:8 --008 --00:03:35 008 --00:03:35 --00:02:12 ------70.0.0.3 70.208.0.3 70.208.0.4 108 --00:02:12 Outside local since creation 00:04:50 00:02:12 00:02:12 00:03:24 00:01:44 00:01:44

---- ------------ ----------- ----------- ----------- ------------ ------------

50.50.0.3:8 70.50.0.3:8 00:03:10

4-26

CHAPTER 4 Configuring NAT

Part 3

Internet Protocol Routing

Configuring IP Multicasting

5
Page 5-2 5-3 5-4 5-4 5-4 5-5 5-6 5-8 5-15 5-29 5-34 5-59 5-74 5-74

IP multicasting allows a device to send packets to a group of hosts rather than to a list of individual hosts. This chapter describes how to configure IP multicasting on the E-series router.
Topic Overview References Before You Begin Enabling IP Multicasting Deleting Multicast Forwarding Entries Reverse-Path Forwarding Multicast Packet Forwarding Monitoring IP Multicast Settings IGMP IGMP Proxy PIM DVMRP BGP Multicasting Investigating Multicast Routes

5-2

CHAPTER 5 Configuring IP Multicasting

Overview
IPv4 defines three types of addresses: unicast, broadcast, and multicast. Each type of address enables a device to send datagrams to selected recipients: A unicast address enables a device to send a datagram to a single recipient. A broadcast address enables a device to send a datagram to all hosts on a subnetwork. A multicast address enables a device to send a datagram to a specified set of hosts, known as a multicast group, in different subnetworks. Multicast IP packets contain a class D address in the Destination Address fields of their headers. A class D address is the IP address of a multicast group. Refer to Chapter 2, Configuring IP, and to IGMP, later in this chapter, for information about class D addresses. IP multicasting improves network efficiency by allowing a host to transmit a datagram to a targeted group of receivers. For example, a host may want to send a large video clip to a group of selected recipients. It would be time-consuming for the host to unicast the datagram to each recipient individually. If the host broadcasts the video clip throughout the network, network resources are not available for other tasks. The host uses only the resources it needs by multicasting the datagram. Routers use multicast routing algorithms to determine the best route and transmit multicast datagrams throughout the network. The E-series router supports a number of IP multicasting protocols on virtual routers (VRs). Each VR handles the interoperability of IP multicasting protocols automatically. To start multicast operation on a VR, you access the context for that VR and configure the desired protocols on the selected interfaces. Table 5-1 lists the protocols the router supports and the function of each protocol.
Table 5-1 Function of multicast protocols on a router Protocol Internet Group Membership Protocol (IGMP) Protocol Independent Multicast Protocol (PIM) Distance Vector Multicast Routing Protocol (DVMRP) Function Discovers hosts that belong to multicast group.

Discovers other multicast routers that should receive multicast packets. Routes multicast datagrams within autonomous systems.

References E-Series Routers

5-3

Table 5-1 Function of multicast protocols on a router (continued) Protocol Function

BGP Multicasting Protocol Routes multicast datagrams between autonomous systems.

The router supports up to 16,384 multicast forwarding entries (multicast routes) at any time.

References
This implementation of IP multicasting meets the following specifications: A traceroute Facility for IP Multicast draft-ietf-idmr-traceroute-ipm-07.txt (January 2001 expiration) An Overview of Source-Specific Multicast (SSM) draft-ietf-ssm-overview-05.txt (November 2003 expiration) Distance Vector Multicast Routing Protocol draft-ietf-idmr-dvmrp-v3-10.txt (February 2001 expiration) IGMP-based Multicast Forwarding (IGMP Proxying) draft-ietf-magma-igmp-proxy-00.txt (May 2002 expiration) Protocol Independent Multicast MIB for IPv4 draft-ietf-idmr-pim-mib-10.txt (July 2000 expiration) RFC 2236 Internet Group Management Protocol, Version 2 (November 1997) RFC 2362 Protocol Independent Multicast-Sparse Mode (PIM-SM): Protocol Specification (June 1998) RFC 2858 Multiprotocol Extensions for BGP-4 (June 2000) RFC 2932 IPv4 Multicast Routing MIB (October 2000) RFC 2933 Internet Group Management Protocol MIB (October 2000) RFC 3376 Internet Group Management Protocol (October 2002) Source-Specific Multicast for IP draft-ietf-ssm-arch-03.txt (November 2003 expiration) Source-Specific Protocol Independent Multicast in 232/8 draft-ietf-mboned-ssm232-05.txt (November 2003 expiration)

5-4

CHAPTER 5 Configuring IP Multicasting

Note: IETF drafts are valid for only 6 months from the date of issuance. They must be considered as works in progress. Please refer to the IETF Web site at http://www.ietf.org for the latest drafts.

Before You Begin

You can configure IP multicasting on IP interfaces. For information about configuring IP interfaces, see Chapter 2, Configuring IP.

Enabling IP Multicasting
In this implementation, IP multicasting works on VRs. By default, IP multicasting is disabled on a VR. To enable IP multicasting on a VR, access the context for a VR, and then issue the ip multicast-routing command.
ip multicast-routing
Use to enable IP multicast routing on the VR. By default, IP multicasting is disabled on the VR. In the disabled state, all multicast protocols are disabled, and the VR forwards no multicast packets. Example
host1(config)#ip multicast-routing

Use the no version to disable IP multicast routing on the VR.

Deleting Multicast Forwarding Entries

You can clear one or more forwarding entries from the multicast routing table. However, if you do so, the entries may reappear in the routing table if they are rediscovered.
clear ip mroute
Use to delete IP multicast forwarding entries. If you specify an *, the router clears all IP multicast forwarding entries. If you specify the IP address of a multicast group, the router clears all multicast forward entries for that group. If you specify the IP address of a multicast group and the IP address of a multicast source, the router clears the multicast entry that matches that group and source. Example
host1:boston#clear ip mroute *

There is no no version.

Reverse-Path Forwarding E-Series Routers

5-5

Reverse-Path Forwarding
IP multicasting uses reverse-path forwarding (RPF) to verify that a router receives a multicast packet on the correct incoming interface. The RPF algorithm allows a router to accept a multicast datagram only on the interface from which the router would send a unicast datagram to the source of the multicast datagram. Figure 5-1 illustrates RPF in a network where all routers run dense-mode multicasting protocols. Routers that receive a multicast datagram associated with a group for which they have no hosts return prune messages upstream toward the source of the datagram. Upstream routers do not forward subsequent multicast datagrams to routers from which they receive prune messages. This technique creates a source-rooted tree (SRT), also known as a shortest-path tree (SPT) a structure that connects the source of a datagram to subnetworks of a multicast group through the shortest path. For more information on dense-mode protocols, see PIM DM, later in this chapter.

Source Data for Multicast Group Boston First-hop router

Prune

Member of Multicast Group Boston

Member of Multicast Group Boston

Figure 5-1 Reverse path forwarding in a dense-mode environment

When all routers in a network are running sparse-mode multicast protocols, the routers forward a multicast datagram only to other routers with downstream members of the groups associated with the datagram. Routers running sparse-mode protocols forward multicast traffic only when explicitly requested to do so, whereas routers running dense-mode protocols forward multicast traffic except when explicitly requested not to do so. For more information on sparse-mode protocols, see PIM SM, later in this chapter.

g013115

Prune

5-6

CHAPTER 5 Configuring IP Multicasting

RPF may take place through static routes, dynamic routes, or local subnets. You can define static routes for this purpose and view information associated with RPF routes.

Multicast Packet Forwarding

Multicast packet forwarding is based on the source (S) of the multicast packet and the destination multicast group address (G). For each (S,G) pair, the router accepts multicast packets on an incoming interface (IIF), which satisfies the RPF check (RPF-IIF). The router drops packets received on IIFs other than the RPF-IIF and notifies the routing protocols that a packet was received on the wrong interface. The router forwards packets received on the RPF-IIF to a list of outgoing interfaces (OIFs). The list of OIFs is determined by the exchange of routing information and local group membership information. The router maintains mappings of (S,G, IIF) to {OIF1, OIF2} in the multicast routing table. You can enable two or more multicast protocols on an IIF. However, only one protocol can forward packets on that IIF. The protocol that forwards packets on an IIF owns that IIF. A multicast protocol that owns an IIF also owns the (S,G) entry in the multicast routing table.
ip rpf-route
Use to customize static routes that the router may use for RPF. Specify the IP address and subnet mask of the destination network. Specify either a next-hop IP address or an interface type and specifier, such as atm 3/0. For details about interface types and specifiers, see E-Series Command Reference Guide, About This Guide. Optionally, specify the distance (number of hops) to the next-hop address. Optionally, specify a routes tag number to identify a particular route in the routing table. Example
host1(config)#ip rpf-route 11.1.0.0 255.255.0.0 atm4/1.1 56 tag 25093

Use the no version to remove the static route.

show ip rpf-route
Use to display routes that the router can use for RPF. Specify the IP address and the network mask to view routes to a particular destination. Specify a unicast routing protocol to view routes associated with that protocol.

Multicast Packet Forwarding E-Series Routers

5-7

Field descriptions

Proto
Connect subnet directly connected to the interface Static static route protocol-name route learned through the named protocol

Prefix value of the logical AND of the IP address of the destination network
and the subnet address

Proto: Connect Static Connect Connect

Length length of the subnet mask in bits Next Hop IP address of the next hop for this route Dist distance configured for this route Met learned or configured cost associated with this route Intf type of interface and interface specifier for the next hop. For details about interface types and specifiers, see E-Series Command Reference Guide, About This Guide.

Example
Next Hop: 10.5.3.149 21.1.1.2 21.1.1.2 25.25.25.25 Dist/Met: 0/1 1/1 0/1 0/1 Intf: fastEthernet0/0 atm4/0.1 atm4/0.1 loopback0

host1#show ip rpf-route Prefix/Length: 10.5.0.0/16 11.0.0.0/8 21.1.1.0/24 25.25.25.25/32

Disabling RPF Checks

By default, the router accepts multicast packets for each (S,G) pair on an incoming interface (IIF), which satisfies the RPF check (RPF-IIF). When the router performs RPF checks, only the interface that first accepts traffic for an (S,G) pair accepts subsequent traffic for that pair. If traffic stops coming on that interface and starts arriving on another interface, the router does not accept or forward the traffic. Some network configurations require the router to accept traffic on any interface that is the next-hop point of an equal-cost multipath (ECMP) route. To do so, you can disable the RPF check on a specified set of (S,G) pairs by issuing the ip multicast-routing disable-rpf-check command. When you disable RPF checks, the router accepts multicast packets for (S,G) pairs on any incoming interface of an ECMP route. When the router has added the new route to its multicast routing table, it will then accept multicast packets for these pairs on any interface in the virtual router and forward them accordingly. Multicast routes established before you issue this command are not affected.

5-8

CHAPTER 5 Configuring IP Multicasting

ip multicast-routing disable-rpf-check
Use to disable RPF checks for specified (S,G) pairs. Specify a standard IP access list that defines the (S,G) pairs. Example
host1(config)#ip multicast-routing disable-rpf-check boston-list

Use the no version to restore the default situation, in which the router performs RPF checks for all (S,G) pairs.

Using Unicast Routes for RPF

You can use the ip route-type command to specify that IS-IS, OSPF, or RIP routes should be available for RPF. Routes available for RPF appear in the multicast view of the routing table.
ip route-type
Use to specify whether IS-IS, OSPF, or RIP routes are available only for unicast forwarding, only for multicast reverse-path forwarding checks, or for both. Use the show ip rpf-routes command to view the routes available for RPF. By default, IS-IS, OSPF, and RIP routes are available both for unicast forwarding and multicast reverse-path forwarding checks. Example
host1(config)#router ospf host1(config-router)#ip route-type multicast

There is no no version.

Monitoring IP Multicast Settings

To display general information about the IP multicasting configuration on the router, use the following commands: show ip mroute show ip multicast protocols show ip multicast routing
show ip mroute
Use to display information about all or specified multicast forwarding entries. Specify a multicast group IP address or both a multicast group IP address and a multicast source IP address to display information about particular multicast forwarding entries. Use the summary option to see a summary rather than a detailed description. Use the count option to display the number of multicast forwarding entries.

Monitoring IP Multicast Settings E-Series Routers

5-9

Use the statistics option to display statistics for packets received through all multicast forwarding entries that the router has added to the multicast routing table and established on the appropriate line modules. Field descriptions

(S,G) IP addresses of the multicast source and the multicast group Uptime length of time in days minutes:hours:seconds format that the (S,G)
pair has been active

Expires length of time in days minutes:hours:seconds format for which the

(S,G) pair will be active

RPF Route IP address and prefix of the RPF route Incoming interface type and specifier of the incoming interface for the RPF
route

Neighbor IP address of the neighbor Owner owner of the route

Local route belonging to the local interface Static static route Other protocols route established by a protocol such as RIP or OSPF

Incoming Interface List list of incoming interfaces on the router. Details

include: Type of interface and its specifier Action that the interface takes with packets: accept or discard Multicast protocol that owns the interface Time that the interface has been active in this multicast forwarding entry, in days minutes:hours:seconds format Time that the interface will cease to be active in this multicast forwarding entry, in days minutes:hours:seconds format

Outgoing Interface List list of outgoing interfaces on the router. Details

include: Type of interface and its specifier Action that the interface takes with packets: forward Protocol running on the interface: PIM, DVMRP, or IGMP Time that the interface has been active in this multicast forwarding entry, in days minutes:hours:seconds format Time that the interface will cease to be active in this multicast forwarding entry, in days minutes:hours:seconds format

Counts numbers of types of source group mappings

(S,G) number of (S,G) entries (*,G) number of (*,G) entries

5-10

CHAPTER 5 Configuring IP Multicasting

Example

host1#show ip mroute IP Multicast Routing Table (S, G) uptime d h:m:s[, expires d h:m:s] RPF route: addr/mask, incoming interface neighbor address, owner route-owner Incoming interface list: Interface (addr/mask), State/Owner [(RPF IIF)] Outgoing interface list: Interface (addr/mask), State/Owner, Uptime/Expires (10.0.10.1, 225.1.1.1) uptime 0 00:10:31 RPF route: 10.0.10.0/24, incoming interface atm5/3.1010 neighbor 10.0.10.8, owner Local Incoming interface list: atm5/3.1010 (10.0.10.8/24), Accept/Pim (RPF IIF) Outgoing interface list: atm5/1.108 (108.0.8.5/8), Forward/Pim, 0 00:02:52/never atm5/1.109 (107.0.8.4/8), Forward/Pim, 0 00:10:07/never

show ip mroute count

Use to display information about the number of groups and sources. Specify a multicast group IP address or both a multicast group IP address and a multicast source IP address to display information about a particular multicast forwarding entry. Field descriptions

Counts numbers of types of source group mappings

(S,G) number of (S,G) entries (*,G) number of (*,G) entries Example
host1#show ip mroute count IP Multicast Routing Table Counts: 2 (S, G) entries 0 (*, G) entries

Monitoring IP Multicast Settings E-Series Routers

5-11

show ip mroute statistics

Use to display statistics for packets received through multicast routes that the router has added to the multicast routing table and established on the appropriate line modules. Specify a multicast group IP address or both a multicast group IP address and a multicast source IP address to display information about a particular multicast forwarding entry. Field descriptions

See show ip mroute command for descriptions of all fields except the
statistics field.

Statistics
Note: The display shows statistics after the VR has added the multicast route to the multicast routing table and established the route on the appropriate line module. Statistics for interactions before the route is established on the line module are not displayed.

Received number of packets and bytes that the VR received for this multicast route Forwarded number of packets and statistics that the VR has forwarded for this multicast route Rcvd on OIF number of packets and statistics that the VR has received on the OIF for this multicast route
#show ip mroute statistics IP Multicast Routing Table (S, G) uptime d h:m:s[, expires d h:m:s] RPF route: addr/mask, incoming interface neighbor address, owner route-owner Incoming interface list: Interface (addr/mask), State/Owner [(RPF IIF)] Outgoing interface list: Interface (addr/mask), State/Owner, Uptime/Expires (11.0.0.1, 225.1.1.1) uptime 0 00:00:24 RPF route: 11.0.0.0/8, incoming interface ATM5/1.200 neighbor 21.1.1.1, owner Netmgmt Incoming interface list: ATM5/1.200 (21.2.2.2/8), Accept/Pim (RPF IIF) Outgoing interface list: ATM5/1.300 (31.2.2.2/8), Forward/Pim, 0 00:00:24/never Statistics: Received Forwarded : 19 pkts, 9880 bytes : 19 pkts, 9880 bytes

Rcvd on OIF: 0 pkts Counts: 1 (S, G) entries 0 (*, G) entries

5-12

CHAPTER 5 Configuring IP Multicasting

show ip mroute summary

Use to display a summary of all or specified multicast routes. Specify a multicast group IP address or both a multicast group IP address and a multicast source IP address to display information about a particular multicast forwarding entry. Field descriptions

Group Address IP address of the multicast group Source Address IP address of the multicast source RPF Route IP address and network mask of the RPF route RPF Iif type and identifier for the incoming interface for the RPF route #Oifs number of outgoing interfaces Counts numbers of types of (S,G) mappings (S,G) number of (S,G) entries (*,G) number of (*,G) entries

Example
host1#show ip mroute summary IP Multicast Routing Table

Group Address 224.0.1.39 224.0.1.40 Counts:

Source Address 52.1.1.1 51.1.1.1

RPF route 51.1.1.1/32 51.1.1.1/32

RPF Iif ------------Register IIF loopback1

#Oifs ---0 1

--------------- --------------- ---------

2 (S, G) entries 0 (*, G) entries

show ip multicast protocols

Use to display information about multicast protocols enabled on the router. Use the brief option to display a summary of information rather than a detailed description. Field descriptions

Protocol name of the multicast protocol Type mode of the multicast protocol
For DVMRP dense For PIM sparse, dense, or sparse-dense For IGMP local

Interfaces
registered number of interfaces on which the protocol is configured owned number of interfaces that a protocol owns. If you configure only IGMP on an interface, IGMP owns the interface. However, if you configure IGMP and either PIM or DVMRP on the same interface, PIM or DVMRP owns the interface.

Monitoring IP Multicast Settings E-Series Routers

5-13

Registered interfaces includes the following information about interfaces

on which the protocol is configured Types and identifiers of interfaces. For details about interface types and specifiers, see E-Series Command Reference Guide, About This Guide. Protocols configured on the interface and the protocol that owns the interface. If you configure only IGMP on an interface, IGMP owns the interface. However, if you configure IGMP and PIM or DVMRP on the same interface, PIM or DVMRP owns the interface.

Count number of multicast protocols on the VR

Example
host1:2#show ip multicast protocols Multicast protocols: Protocol Pim Type: Sparse Dense Interfaces: 2 registered, 2 owned Registered interfaces: atm3/1.2 (40.2.2.2/8) local Igmp owner Pim loopback2 (52.1.1.1/32) owner Pim Protocol Igmp Type: Local Interfaces: 1 registered, 0 owned Registered interfaces: atm3/1.2 (40.2.2.2/8) local Igmp owner Pim Count: 2 protocols

show ip multicast protocols brief

Use to display a summary of information about multicast protocols enabled on the router. Field descriptions

Protocol name of the multicast protocol Registered Interfaces number of interfaces on which the protocol is
configured.

Owned Interfaces number of interfaces that a protocol owns. If you

configure only IGMP on an interface, IGMP owns the interface. However, if you configure IGMP and either PIM or DVMRP on the same interface, PIM or DVMRP owns the interface.

Type mode of the multicast protocol

For DVMRP dense For PIM sparse, dense, or sparse-dense For IGMP local

Count number of multicast protocols on the VR

5-14

CHAPTER 5 Configuring IP Multicasting

Example
host1#show ip multicast protocols brief show ip multicast protocols brief Protocol Registered Interfaces --------- ---------Pim Igmp 2 1 Owned Interfaces ---------2 0 ------------------Sparse Dense Local Type

Count: 2 protocols

show ip multicast routing

Use to display information about the status of IP multicasting on the VR Example
host1#show ip multicast routing Multicast forwarding is enabled on this router

Support for Multicast Router Information

When you enable multicast routing on a virtual router, the router now acts as a multicast router information (mrinfo) server. This feature enables the E-series router to respond to mrinfo requests from other network hosts. Specifically, E-series virtual routers respond to DVMR ask neighbors and DVMR ask neighbors2 requests. Each virtual router responds to mrinfo requests with a list of multicast interfaces and their IP addresses. If appropriate, the virtual router also supplies the following information for each interface: Interface is currently not functional (down) Interface is disabled, either because IP is not configured on it or because it has been disabled through the software Interface is the IGMP querier for this subnet Information about PIM neighbors If PIM is configured on the interface, the virtual router supplies a list of the interfaces PIM neighbors and indicates which neighbors are leaf neighbors. Information about DVMRP and GRE tunnels If the interface is an endpoint of a tunnel, the virtual router specifies the IP address of the endpoint of the tunnel.

IGMP E-Series Routers

5-15

IGMP
IP hosts use Internet Group Management Protocol (IGMP) to report their multicast group memberships to neighboring routers. Similarly, multicast routers, such as the E-series router, use IGMP to discover which of their hosts belong to multicast groups. The IPv4 address scheme assigns class D addresses for IP multicasting. IGMP is the protocol that uses these addresses, which can be in the range 224.0.0.0 to 239.255.255.255. The following addresses have specific functions or are unavailable: 224.0.0.0 is reserved, and you cannot assign it to a group. 224.0.0.1 is the all-hosts address a packet sent to this address reaches all hosts on a subnet. 224.0.0.2 is the all-routers address a packet sent to this address reaches all routers on a subnet. This implementation of IGMP complies with IGMP versions 1, 2, and 3. IGMPv3 allows for source-specific join and leave messages and is backward compatible with IGMPv1, IGMPv2, and IGMPv3.
IGMP Operation

IGMPv2 mode interfaces exchange the following types of messages between routers and hosts: Group membership queries Group membership reports Leave group membership messages IGMPv3 mode interfaces exchange the following types of messages with IGMPv3 hosts: Group membership queries IGMPv3 group membership reports
Group Membership Queries

A multicast router can be a querier or a nonquerier. There is only one querier on a network at any time. Multicast routers monitor queries from other multicast routers to determine the status of the querier. If the querier hears a query from a router with a lower IP address, it relinquishes its role to that router.

5-16

CHAPTER 5 Configuring IP Multicasting

IGMPv1 and IGMPv3 mode interfaces send two types of group membership queries to hosts on the network: General queries to the all-hosts group address (224.0.0.1) Specific queries to the appropriate multicast group address IGMPv3 mode interfaces send the following type of queries to IGMPv3 hosts: Group-specific and source-specific queries The purpose of a membership group query is to discover the multicast groups to which a host belongs. IGMPv2 and IGMPv3 group membership queries have a Max Response Time field. This response time is the maximum that a host can take to reply to a query.
Group Membership Reports

When a host receives a group membership query, it identifies the groups associated with the query and determines to which groups it belongs. The host then sets a timer, with a value less than the Max Response Time field in the query, for each group to which it belongs. When the timer expires, the host multicasts a group membership report to the group address. When a multicast router receives a report, it adds the group to the membership list for the network and sets a timer to the group membership interval. If this timer expires before the router receives another group membership report, the router determines that the group has no members left on the network. If the router does not receive any reports for a specific multicast group within the maximum response time, it assumes that the group has no members on the network. The router does not forward subsequent multicasts for that group to the network. IGMPv3 supports an extended report format that allows you to report multiple groups and source lists in a single report.
Leave Group Membership Messages

When a host leaves a group, it sends a leave group membership message to multicast routers on the network. A host generally addresses leave group membership messages to the all-routers group address, 224.0.0.2.

IGMP E-Series Routers

5-17

Configuring Static and Dynamic IGMP Interfaces

The router supports static and dynamic IGMP interfaces. Unlike static interfaces, dynamic interfaces are not restored when you reboot the router. For some protocols, dynamic layers can build on static layers in an interface; however, in a dynamic IGMP interface, all the layers are dynamic. See Figure 5-2 for examples of static and dynamic IGMP interfaces.

IGMP

IGMP

IP static layers dynamic layers

IP PVC

ATM 1483

PVC

ATM 1483

ATM AAL5

ATM AAL5

Static IGMP interface

Dynamic IGMP interfaces

Figure 5-2 Static and dynamic IGMP interfaces

Static IGMP interfaces are configured with software such as the CLI or an SNMP application; dynamic IGMP interfaces are configured with a profile. A profile comprises a set of attributes for an interface; a profile for dynamic IGMP interfaces contains attributes for configuring all the layers in the interface. You define a profile using the same CLI commands that you use to configure a static IGMP interface; however, the mode in which you use the commands differs. Use the commands in Interface Configuration mode to configure a static IGMP interface and in Profile Configuration mode to define a profile. When you have defined a profile, you can apply it to an interface or a group of interfaces. Profiles provide an efficient method of creating and managing large numbers of dynamic interfaces. For detailed information about creating and assigning profiles, see E-Series Link Layer Configuration Guide, Chapter 13, Configuring Dynamic Interfaces. When you create a profile for dynamic IGMP interfaces, specify attributes for configuring all layers in the interface.

g013304

ATM

ATM

5-18

CHAPTER 5 Configuring IP Multicasting

You use the following IGMP commands to configure a static IGMP interface. You also use these commands to define the attributes for the IGMP layer when you create a profile for dynamic IGMP interfaces. ip igmp ip igmp group limit ip igmp immediate-leave ip igmp last-member-query-interval ip igmp promiscuous ip igmp querier ip igmp querier-timeout ip igmp query-interval ip igmp query-max-response-time ip igmp robustness ip igmp static-include ip igmp static-exclude ip igmp static-group ip igmp version The following sections describe the tasks associated with these commands.
Enabling IGMP on an Interface

You must start IGMP on each interface that you want to use the protocol. You can configure IGMP and either PIM or DVMRP on the same interface. If you configure only IGMP on an interface, the router considers that IGMP owns that interface. If you configure IGMP and either PIM or DVMRP on an interface, the router considers that PIM or DVMRP owns the interface. For networks that use only IGMPv1, you can configure an interface to operate in IGMPv1 mode. However, IGMPv2 and IGMPv3 interfaces will support IGMPv1 hosts. In an IGMPv1 network, you must configure one interface to act as a querier. In an IGMPv2 or IGMPv3 network, the querier is the router with the lowest IP address.

IGMP E-Series Routers

5-19

To start IGMP, complete the following steps:

1 2 3

Enable IGMP on the interface (IGMPv2 is the default version). (IGMPv1 or IGMPv3) Specify the IGMP version for the interface. (IGMPv1 only) Specify that the interface will act as the querier for the network.

ip igmp
Use to enable IGMP on an interface and sets the IGMP version to IGMPv2. Use the ip igmp version command to specify a different IGMP version. Example
host1:boston(config-if)#ip igmp

Use the no version to disable IGMP on an interface.

ip igmp querier
Use to specify that this IGMPv1 interface will act as a querier.
Note: This command is valid only for interfaces on which you configured IGMPv1.

Example
host1:boston(config-if)#ip igmp querier

Use the no version to restore the default situation, in which the interface does not act as a querier.

ip igmp version
Use to set the IGMP version (1, 2, or 3) for the interface. Example
host1:boston(config-if)#ip igmp version 1

Use the no version to set the version to the default, IGMPv2.

Configuring IGMP Settings for an Interface

When you start IGMP on an interface, it operates with the default settings. You can, however, modify: The method that the router uses to remove hosts from multicast groups (IGMPv2 and IGMPv3 interfaces only) The time interval at which the querier multicasts group membership queries The time that a querier waits before sending a new query to hosts from which it receives leave group membership messages The time that a new querier waits before sending query messages after it assumes responsibility from another querier

5-20

CHAPTER 5 Configuring IP Multicasting

The time that a host can take to reply to a query (maximum response time) The number of times that the router sends each IGMP messages from this interface
ip igmp immediate-leave
Use to specify that when the router receives a leave group membership message from a host associated with this interface, the router will immediately remove that host from the multicast group.
Caution: Issue this command only on IGMPv2 and IGMPv3 interfaces to which one IGMP host is connected. If there is more than one IGMP host connected to a LAN through the same interface, and one host sends a leave group message, the router will remove all hosts on the interface from the multicast group. The router will lose contact with the hosts that should remain in the multicast group until they send join requests in response to the routers next general group membership query.

Example
host1:boston(config-if)#ip igmp immediate-leave

Use the no version to restore the default situation, in which the router removes a host from a multicast group if that host does not return a group membership report within a certain length of time of receiving a group membership query from the router.

ip igmp last-member-query-interval
Use to specify the last-member-query-interval value, in tenths of a second. When the router receives an IGMPv2 leave message or an IGMPv3 state change report, it sends out a query and expects a response within the time specified by this value. Using a lower value allows members to leave groups more quickly. Example
host1:boston(config-if)#ip igmp last-member-query-interval 90

Use the no version to restore the default, 10-tenths of a second (1 second).

ip igmp querier-timeout
Use to set the time in seconds that the interface waits before sending query messages after it becomes the querier. Example
host1:boston(config-if)#ip igmp querier-timeout 200

Use the no version to set the time to the default, twice the query interval.

IGMP E-Series Routers

5-21

ip igmp query-interval
Use to specify how often the interface sends group membership queries. Example
host1:boston(config-if)#ip igmp query-interval 100

Use the no version to set the polling interval to the default, 125 seconds.

ip igmp query-max-response-time
Use to specify the period in tenths of a second during which the host is expected to respond to a group membership query. IGMPv2 and IGMPv3 include this value in IGMP query messages sent out on the interface. You cannot set this value on interfaces running IGMPv1. Using a lower value allows members to join and leave groups more quickly. Example
host1:boston(config-if)#ip igmp query-max-response-time 120

Use the no version to restore the default, 10-tenths of a second (1 second).

ip igmp robustness
Use to specify the number of times that the router sends each IGMP message from this interface. Use a higher value to ensure high reliability from IGMP. Specify a number in the range 14. Example
host1:boston(config-if)#ip igmp robustness 2

Use the no version to restore the default, 3.

Assigning a Multicast Group to an Interface

You can assign an interface to send and receive all traffic for a particular multicast group. This feature allows you to control the IGMP traffic and to test the behavior of multicast protocols in the network.
ip igmp static-group
Use to send and receive all traffic for a multicast group from a specific interface. The interface sets no timers for this group. Example
host1:boston(config-if)#ip igmp static-group 225.1.2.3

Use the no version to remove the group from the interface.

5-22

CHAPTER 5 Configuring IP Multicasting

Specifying Multicast Groups

You can use a standard IP access list to specify the multicast groups that a host can join.
ip igmp group limit
Use to restrict hosts on this subnet to joining only multicast groups that appear on the specified IP access list. Example
host1:boston(config-if)#ip igmp access-group boston-list

Use the no version to disassociate the interface from an access list and to allow hosts on the interface to join any multicast group.

Limiting the Number of Accepted IGMP Groups

By default, there is no limit on the number of IGMP groups that an IGMP interface can accept. However, you can manage multicast traffic on the router by restricting the number of IGMP groups accepted by: A specific port on an I/O module A specific IGMP interface If you set limits for both a port and interfaces on that port, the router uses the lower of the two limits when determining how many IGMP groups an interface can accept. For example, if you set a limit of 10 groups for the port and 15 groups for each interface, the router allows only 10 groups to be accepted among the interfaces. However, if you set a limit for a port and that limit is lower than the number of groups currently accepted by the interfaces on that port, the router does not disassociate the groups from the interfaces. The router enforces the new limit on the port when the number of groups associated with the interfaces falls to that limit. For example, if the interfaces on the port have accepted a total of 15 groups, and you set a limit of 10 groups on the port, the router does not disconnect any of the groups and does not allow the interfaces to accept any more groups. Over time, some groups leave the interfaces and, eventually, a maximum of ten groups remains connected.
ip igmp group limit
Use to limit the number of IGMP groups that an interface can accept. Example:
host1:boston(config-if)#ip igmp group limit 5

Use the no version to restore the default situation, in which there is no limit on the number of IGMP groups that an interface can accept.

IGMP E-Series Routers

5-23

multicast group port limit

Use to limit the number of IGMP groups that a port can accept. Specify the identifier for the port in slot/port format and the maximum number of IGMP groups that interfaces can accept.

slot number of the chassis slot in the range 06 (ERX-7xx models) and
013 (ERX-14xx models)

port port number on the I/O module

Examples:
host1(config)#multicast group port 3/0 limit 5

Use the no version to restore the default situation, in which there is no limit on the number of IGMP groups that a port can accept.

Including and Excluding Traffic

IGMPv3 extends IGMPv2 functionality with the ability to include or exclude specific multicast traffic sources. That is, with IGMPv3, hosts signal (S,G) pairs that they want to include or exclude. For hosts that cannot signal group membership dynamically, you can use the ip igmp static-include or ip igmp static-exclude command to either statically include or exclude multicast traffic (respectively). IGMPv3 is the industry-designated standard protocol for hosts to signal channel subscriptions in Source Specific Multicast (SSM). For additional information about SSM, see PIM SSM later in this chapter.
ip igmp static-exclude
Use to statically exclude the IGMP (S,G) membership for a host that is not capable of dynamically signalling group membership. Example:
host1:boston(config-if)#ip igmp static-exclude 10.1.1.5 225.1.2.3

Use the no version to remove the static designation.

ip igmp static-include
Use to statically include the IGMP (S,G) membership for a host that is not capable of dynamically signalling group membership. Example:
host1:boston(config-if)#ip igmp static-include 10.1.1.1 225.1.2.3

Use the no version to remove the static designation.

5-24

CHAPTER 5 Configuring IP Multicasting

Accepting IGMP Reports from Remote Subnets

By default, IGMP interfaces accept IGMP reports only from associated subnets. You can configure the router to accept IGMP reports from subnets that are not associated with its interfaces. The igmp promiscuous command in Router Configuration mode specifies whether or not interfaces on the router should accept IGMP reports from indirectly connected subnets. To override this global setting on a particular interface, use the ip igmp promiscuous command in Interface Configuration mode.
Example

In the following example, the router is configured to accept IGMP reports from indirectly connected subnets on all interfaces. The interface on port 0 of the line module in slot 4 is then configured to accept IGMP reports only from directly connected subnets.
host1(config)#virtual-router boston host1:boston(config)#router igmp host1:boston(config-router)#igmp promiscuous host1:boston(config-router)#exit host1:boston(config)#interface serial 4/0 host1:boston(config-if)#ip igmp promiscuous off

igmp promiscuous
Use to allow all IGMP interfaces on the router to accept IGMP reports from hosts on any subnet. Example
host1:boston(config-router)#igmp promiscuous

Use the no version to allow IGMP interfaces on the router to accept IGMP reports only from hosts on their associated subnets.

ip igmp promiscuous
Use to specify whether or not the interface should accept IGMP reports from hosts on any subnet.

Use the on keyword to enable the interface to accept IGMP reports from
hosts on any subnet.

Use the off keyword to allow the interface to accept IGMP reports only from
hosts on subnets associated with this interface Example
host1:boston(config-if)#ip igmp promiscuous on

Use the no version mode to configure an IGMP interface to use the Router Configuration mode setting to determine the subnets from which it can accept IGMP reports.

IGMP E-Series Routers

5-25

Disabling and Removing IGMP

You can disable and reenable IGMP on the VR. You can also remove IGMP from the VR and recreate it on the VR.
igmp disable
Use to disable IGMP on a VR. Example
host1(config)#virtual-router boston host1:boston(config)#router igmp host1:boston(config-router)#igmp disable

Use the no version to enable IGMP on a VR.

router igmp
Use to create and enable IGMP on a VR or to access IGMP Router Configuration mode. Example
host1(config)#virtual-router boston host1:boston(config)#router igmp

Use the no version to delete IGMP and IGMP proxy from the VR.

Monitoring IGMP

You can establish a reference point for IGMP statistics by setting the statistics counters to zero. To display IGMP parameters, use the show commands described in this section.
baseline ip igmp
Use to set the counters for IGMP statistics to zero. Example
(host1)#baseline ip igmp

There is no no version.

show ip igmp
Use to display IGMP information for a VR. Field descriptions

Administrative state status of IGMP in the software: enabled or disabled Operational state status of IGMP on the VR: enabled or disabled Total interfaces number of interfaces on which you started IGMP Enabled number of interfaces on which IGMP is enabled Disabled number of interfaces on which IGMP is disabled

5-26

CHAPTER 5 Configuring IP Multicasting

Learnt groups number of multicast groups that the VR has discovered IGMP Statistics Rcvd statistics for IGMP messages received
Total number of IGMP messages received Checksum errors number of IGMP messages received with checksum errors Unknown types number of messages received that are not group membership queries, group membership reports, or leave group membership messages Queries number of group member queries Reports number of group membership reports Leaves number of leave group membership messages

IGMP Statistics Sent number of group member queries sent

host1:boston#show ip igmp Routing Process IGMP, Administrative state enabled, Operational state enabled 2 total interfaces, 2 enabled, 0 disabled 2 learnt groups IGMP Statistics: Rvcd: 1 total, 0 checksum errors, 0 unknown types 0 queries, 1 reports, 0 leaves Sent: 11 total

show ip igmp groups

Use to display statically joined and directly connected groups learned through IGMP. Field descriptions

Grp Address address of the multicast group Interface interface that discovered the multicast group State IGMP version on the interface ExpTim time, in seconds, at which the router decides there are no more members of this group members of a group. If this value is 0, the interface has received no IGMPv1 reports for the group.

v1HTim time at which the router decides there are no more IGMPv1
Example

host1:boston#show ip igmp groups Grp Address ----------225.1.1.1 232.1.1.1 Count: 2 Groups (Note: 225.1.1.1 is a static group) Interface --------------fastEthernet0/0 fastEthernet0/0 State ---------Version2 Version2 ExpTim -----never 359 v1HTim -----0 0

IGMP E-Series Routers

5-27

show ip igmp interface

Use to display IGMP information for interfaces on which you enabled IGMP. Specify the brief keyword to see a summary of the information. Specify the count keyword to see the number of IGMP interfaces. Specify the group address keyword to see information for interfaces that belong to that group. Field descriptions

Interface type of interface and interface specifier. For details about

interface types and specifiers, see E-Series Command Reference Guide, About This Guide.

Address IP address of the interface Administrative state status of the interface in the software: enabled or
disabled

Operational state physical status of the interface: enabled or disabled Version IGMP version State function of the interface: querier or nonquerier Query Interval time interval at which this interface sends query messages Other querier present interval time that the interface waits before declaring itself as the querier host to respond

Maximum response time time interval during which this interface expects a Last member query interval time that this interface waits before sending a
new query to a host that sends a group leave message

Robustness number of times this interface sends IGMP messages Information about whether interface accepts IGMP reports from hosts on any
subnet Interface defaults to global promiscuous mode interface uses the setting of the igmp promiscuous command to determine whether it accepts IGMP reports from hosts on any subnet

Information about standard IP access lists configured with the ip igmp

group limit command access list specified No inbound access group no access list specified

Immediate Leave setting of the ip igmp immediate-leave command:

enabled or disabled

Max-Group limit number of IGMP groups that the interface can accept, as
configured with the ip igmp group limit command

Group Count number of IGMP groups that the interface has accepted Interface statistics Rcvd information about IGMP messages received on
this interface Reports number of group membership reports received Leaves number of group leave messages received Wrong Version Queries number of group membership queries received from devices running a different version of IGMP

5-28

CHAPTER 5 Configuring IP Multicasting

Interface statistics Sent number of IGMP messages this interface has sent Interface statistics Groups learned number of groups this interface has
discovered

Count total number of IGMP interfaces

Example
host1:boston#show ip igmp interface Interface ATM2/1.15 address 15.0.0.2/255.255.255.0 Administrative state enabled, Operational state enabled Interface parameters: Version 2 State Querier Query Interval 125 secs, 53 secs before the next query Other querier present interval 250 secs Maximum response time 100 (in 10ths of a second) Last member query interval 10 (in 10ths of a second) Robustness 3 Interface defaults to global promiscuous mode No inbound access group Immediate Leave: disabled Max-Group limit: No Limit Group Count: 1 Interface statistics: Rcvd: 0 reports, 0 leaves, 0 wrong version queries Sent: 1 queries Groups learned: 1 Counts: 0 down, 0 init state, 1 querier, 0 non-querier, 1 Total

show ip igmp interface brief

Use to display a summary of IGMP information for interfaces on which you enabled IGMP. Field descriptions

Interface type of interface and interface specifier. For details about

interface types and specifiers, see E-Series Command Reference Guide, About This Guide.

Intf Address IP address of the interface Ver IGMP version State function of the interface: querier or nonquerier Querier IP address of the querier on the network to which this interface connects

QTime time interval at which this interface sends query messages QPTime time that the interface waits before declaring itself as the querier

IGMP Proxy E-Series Routers

5-29

Interface -------------fastEthernet0/0 atm3/0.2

Example
Ver --2 2 State -----Querier Querier Querier ------------192.168.1.250 21.1.1.1 QTime ----28 26 QPTime --0 0

host1:boston#show ip igmp interface brief Intf Address ---------192.168.1.250/24 21.1.1.1/8

Count: 2 interfaces

show multicast group limit

Use to display the number of IGMP groups that ports have accepted, and if configured, the maximum number of groups that ports can accept. Only ports that have accepted IGMP groups and ports for which you have configured a limit for the number of IGMP groups appear in this display. Field descriptions

Port identifier of the port in slot/port format

slot number of the chassis slot in the range 06 (ERX-7xx models) and 013 (ERX-14xx models) port port number on the I/O module

limit maximum number of IGMP groups that the port can accept. A value of
-1 indicates that no limit has been specified.

count actual number of IGMP groups the port has accepted

Example:
host1:boston#show multicast group limit Port 2/0 2/1 limit count 5 -1 0 1

--------- ----- -----

IGMP Proxy
IGMP proxy enables the router to issue IGMP host messages on behalf of hosts that the router discovered through standard IGMP interfaces. The router acts as a proxy for its hosts. The E-series router supports IGMP proxy versions 2 and 3.
Overview

Figure 5-3 shows a router in an IGMP proxy configuration. You enable IGMP proxy on one interface, which connects to a router closer to the root of the tree. This interface is the upstream interface. The router on the upstream interface should be running IGMP.

5-30

CHAPTER 5 Configuring IP Multicasting

You enable IGMP on the interfaces that connect the router to its hosts that are farther away from the root of the tree. These interfaces are known as downstream interfaces.

PC Downstream interface Upstream interface Downstream interface Upstream interface

PC

PC

PC
Figure 5-3 Upstream and downstream interfaces

As described in IGMP Operation, earlier in this chapter, hosts interact with the router through the exchange of IGMP messages. Similarly, when you configure IGMP proxy, the router interacts with the router on its upstream interface through the exchange of IGMP messages. However, when acting as the proxy, the router performs the host portion of the IGMP task on the upstream interface as follows: When queried, sends group membership reports to the group. When one of its hosts joins a multicast address group to which none of its other hosts belong, sends unsolicited group membership reports to that group. When the last of its hosts in a particular multicast group leaves the group, sends an unsolicited leave group membership report to the all-routers group (244.0.0.2).
Configuring IGMP Proxy

To configure a downstream interface, enable IGMP on that interface. To configure IGMP proxy on the router, complete the following tasks:
1 2

Enable IP multicasting. Identify the interface that you want to act as the upstream interface.

g013116

IGMP Proxy E-Series Routers

5-31

3 4 5

Enable IGMP proxy on that interface. (Optional) Specify how often the router should send unsolicited reports to routers on the upstream interface. (Optional) Specify how long the router should assume that there is an IGMPv1 querier router on the subnet after the router receives an IGMP v1 query on this interface.

ip igmp-proxy
Use to enable IGMP proxy on an interface. You can specify either IGMP proxy version 2 or 3. The default is version 2.
Note: You can enable only one upstream interface.

The interface for which you enable IGMP proxy is the upstream interface. Example
host1(config)#ip multicast-routing host1(config-if)#ip igmp-proxy

Use the no version to disable IGMP proxy on an interface.

ip igmp-proxy unsolicited-report-interval
Use to specify how often the upstream interface should transmit unsolicited reports.
Note: Issue this command only on the upstream interface. Otherwise, this command will have no effect.

Example
host1(config-if)#ip igmp-proxy unsolicited-report-interval 600

Use the no version to transmit unsolicited reports using the default value, 400 seconds.

ip igmp-proxy V1-router-present-time
Use to specify how long the router assumes that there is an IGMPv1 querier router on the subnet after the router receives an IGMP V1 query on this interface.
Note: Issue this command only on the upstream interface. Otherwise, this command will have no effect.

Example
host1(config-if)#ip igmp-proxy V1-router-present-time 600

Use the no version to set the time to the default value, 10 seconds.

5-32

CHAPTER 5 Configuring IP Multicasting

Setting the IGMP Proxy Baseline

You can set the counters for the numbers of queries received and reports sent on the upstream interface to zero. This feature allows you to establish a reference point for IGMP proxy statistics.
baseline ip igmp-proxy interface
Use to set the counters for the numbers of queries received and reports sent on the upstream interface to zero.
Note: Issue this command only on the upstream interface. Otherwise, this command will have no effect.

Example
(host1)#baseline ip igmp-proxy interface

There is no no version.

Monitoring IGMP Proxy

To display IGMP proxy parameters, use the following show commands.

show ip igmp-proxy
Use to display IGMP proxy parameters for a VR. Field descriptions

Routing Process IGMP proxy protocol Administrative state state of IGMP proxy in the software Operational state operational state of IGMP proxy: enabled or disabled Total interfaces number of IGMP proxy interfaces on the VR; currently only one upstream interface per VR

State operational state of the IGMP proxy interfaces: up or down Multicast group number of multicast groups associated with IGMP proxy
interfaces Example
host1#show ip igmp-proxy Routing Process IGMP Proxy, Administrative state enabled, Operational state enabled total 1 upstream interface, state enabled 6 multicast group

show ip igmp-proxy groups

Use to display information about multicast groups that IGMP proxy reported. Field descriptions

Grp Address address of the multicast group Interface type and identifier of the upstream interface associated with the
multicast group

IGMP Proxy E-Series Routers

5-33

Member State
Idle interface is going to send a group membership report to respond to a group membership query for this group Delay interface has responded to the latest group membership query for this group

Count total number of multicast groups associated with this interface

Example 1
host1#show ip igmp-proxy groups Grp Address 225.1.1.1 225.1.1.2 225.1.1.3 225.1.1.4 225.1.1.5 225.1.1.6 count 6 Interface atm3/0.2 atm3/0.2 atm3/0.2 atm3/0.2 atm3/0.2 atm3/0.2 Member State Idle Idle Idle Idle Idle Idle

--------------- --------------- --------------

Example 2
host1#show ip igmp-proxy group 225.1.1.1 Grp Address 225.1.1.1 Interface atm3/0.2 Member State Idle --------------- --------------- --------------

Example 3
host1#show ip igmp-proxy group count Count: 6 groups

show ip igmp-proxy interface

Use to display information about the interface on which you configured IGMP proxy. To view information about a particular interface, enter an interface type and specifier, such as atm 3/0. For details about interface types and specifiers, see E-Series Command Reference Guide, About This Guide. Specify the brief option to display a summary rather than a detailed description. Field descriptions

Interface type of upstream interface. For details about interface types, see
E-Series Command Reference Guide, About This Guide.

Address address of upstream interface Administrative state state of upstream interface in the software: enabled or
disabled

Operational state physical state of upstream interface: enabled or disabled Version IGMP version on this interface

5-34

CHAPTER 5 Configuring IP Multicasting

State presence of IGMPv1 routers on the same subnet as this upstream

interface

Unsolicited report interval time interval at which this upstream interface

sends unsolicited group membership report

Version 1 router present timeout how long the upstream interface assumes
there is an IGMPv1 router on the subnet after that interface receives an IGMPv1 group membership query

multicast group number of multicast groups associated with this upstream

interface

Interface statistics Rcvd statistics for messages received on this interface

v1 queries number of IGMPv1 group membership queries received v2 queries number of IGMPv2 group membership queries received v1 report number of IGMPv1 group membership reports received v2 report number of IGMPv1 group membership reports received

Interface statistics Sent statistics for messages sent from this interface
v1 reports number of IGMPv1 leave group reports sent v2 reports number of IGMPv2 leave group reports sent leaves number of leave group membership messages sent Example
host1#show ip igmp-proxy interface atm 3/0.2 Interface atm3/0.2 address 21.1.1.1/255.0.0.0 Administrative state enabled, Operational state enabled Interface parameters: Version 2 State No v1 Router Present Unsolicited report interval 10 secs Version 1 router present timeout 400 secs 0 multicast group Interface statistics: Rcvd: Sent: 0 v1 query, 6 v2 queries 0 v1 report, 0 v2 report 0 v1 report, 48 v2 reports, 0 leave

PIM
Protocol Independent Multicast (PIM) is the protocol that allows multicast routers to identify other multicast routers that should receive packets. This implementation of PIM supports PIM dense mode (PIM DM), PIM sparse mode (PIM SM), PIM sparse-dense mode (PIM S-DM), and PIM Source-Specific Multicast (PIM SSM). Figure 5-4 represents how PIM builds an (S,G) entry in an SRT. When multiple routers are connected to a multiaccess network, one router must assume the role of the designated router (DR). The DR receives data from

PIM E-Series Routers

5-35

the source on interface 1/0 and multicasts the data to its downstream neighbors on interfaces 1/1, 2/0, and 2/1. In the DR routing table, the entry for this operation lists the source as the IP address of the source and the group as the IP address of the multicast group. Neighbors exchange hello messages periodically to determine the DR. The router with the highest network layer address assumes the role of the DR. If the DR subsequently receives a hello message from a neighbor with a higher network layer address, that neighbor becomes the DR.
PC Source 128.5.4.33 1/0 DR 1/1 2/0 PC PC PC PC PIM PIM PIM PC PC 2/1 PC PC DR Routing Table Entry Source Group Register RP Input Interface Output Interface 128.5.4.33 225.1.3.5 1/0 1/1, 2/0, 2/1 1/0 1/1, 2/0, 2/1

Figure 5-4 Source-rooted tree

PIM DM

PIM DM uses a reverse path multicast, flood and prune mechanism. The protocol was developed for situations that meet one or more of the following criteria: Sources and receivers are close together, and there are many more receivers than senders. There is a constant stream of multicast data. There is a lot of multicast data. Dense-mode routing protocols use SRT algorithms. An SRT algorithm establishes a tree that connects each source in a multicast group to the members of the group. All traffic for the multicast group passes along this tree.

5-36

CHAPTER 5 Configuring IP Multicasting

Figure 5-5 illustrates how PIM DM works. When a source sends a multicast packet to a first-hop router, the first-hop router multicasts that packet to its neighbors. Those neighbors in turn forward the packet to their neighbors and their hosts that belong to the multicast group. If a neighbor has no hosts that belong to the multicast group and has no other PIM neighbors, it returns a prune message to the first-hop router. The first-hop router does not multicast subsequent packets for that group to neighbors who respond with prune messages.

Source Data for Multicast Group Boston First-hop router

Prune

Member of Multicast Group Boston

Figure 5-5 PIM DM operation

Member of Multicast Group Boston

Overriding Prunes

If a host on a previously pruned branch wants to join a multicast group, it sends an IGMP message to its first-hop router. The first-hop router then sends a graft message upstream. PIM routers send join messages on multiaccess interfaces to override prune messages. For example, if a PIM router sent a prune message to indicate that it had no hosts for a multicast group, and one of its hosts subsequently wants to send a packet to that group, the router sends a join message to the first-hop router.

g013115

Prune

PIM E-Series Routers

5-37

Preventing Duplication

If there are parallel paths to a source, duplicate packets can travel through different routers downstream to the network. If a forwarding router receives a multicast packet on its outgoing interface, the router knows that the packet is a duplicate and notifies the upstream routers. See Figure 5-6.

Source Multicast packet

Multicast packet received on outgoing interface

Multicast packet received on outgoing interface

Figure 5-6 Detecting duplication

The upstream routers responsible for the duplication send assert messages to determine which router should be the forwarder. Downstream routers listen to the assert messages to discover which router becomes the forwarder.
PIM SM

This implementation of PIM SM supports the following features: Rendezvous point (RP) routers DRs and DR election Join/prune messages, hello messages, assert messages, register messages Switching from a shared tree to an SPT (*,*,RP) support for interoperation with dense-mode protocols RPF checks of multicast entries when unicast routing configuration changes

g013117

5-38

CHAPTER 5 Configuring IP Multicasting

Timers for tree maintenance Border, null, RPT, SPT, and wildcard flags Remote neighbors PIM SM was developed for situations that meet one or more of the following criteria: The multicast group contains few receivers. Multicast traffic is infrequent. WANs separate sources and receivers. Sparse-mode routing protocols use shared trees. In a shared tree, sources forward multicast datagrams to a directly connected router, the DR. The DR encapsulates the datagram and unicasts it to an assigned RP router, which then forwards the datagram to members of multicast groups.

Source

DR

DR unicasts datagram to RP

Router forwards datagram to RP

g013118

Router forwards datagram to RP

RP

Members of multicast group receive the multicast

Figure 5-7 PIM SM operation

In PIM SM, an RP announces a source and establishes paths from the source to members of a multicast group before multicasting any datagrams. RPs transmit join messages to become part of the shared tree that allows distribution of packets to the multicast group. However, when a source starts multicasting datagrams, PIM SM can switch to an SRTknown in PIM SM as an SPTto improve the networks efficiency. Although shared trees minimize the traffic in the

PIM E-Series Routers

5-39

network and the costs associated with unnecessary transmission of data, the routes in a shared tree may be longer than those in an SPT. See Figure 5-8. The DRs on the network determine when the source switches from a shared tree to an SPT. A DR switches to the SPT when it receives a certain number of packets, which you can configure using the ip pim-spt threshold command. This command has a default value of zero, which causes a DR to switch to an SPT immediately after it receives it first multicast data packet. When all DRs associated with a specific RP router have switched to the SPT, the RP router sends a join/prune message toward the multicast source. When the multicast source receives this message, it starts sending multicast data through the SPT.

Source

Route through the SPT Route through the shared tree

DR

Target

Figure 5-8 Shared tree versus SPT

Joining Groups

A hosts DR sends join messages to the RP when that host wants to join a group. When a host wants to leave a group, it communicates with its DR through IGMP. When the DR no longer has any hosts that belong to a particular group, it sends a prune message to the RP.
Remote Neighbors

You can create remote neighbors in PIM SM. This feature enables an E-series router to establish neighbor adjacencies with other E-series

g013119

5-40

CHAPTER 5 Configuring IP Multicasting

routers through a pair of unidirectional interfaces, such as the endpoints of an MPLS tunnel. Multicasting over BGP/MPLS VPNs is achieved via PIM SM remote neighbors. Figure 5-9 shows an example in which two E-series routers, called boston and chicago, are remote neighbors connected by two unidirectional MPLS tunnels.

Source

DR Router Boston forwards datagram to MPLS tunnel Boston

DR unicasts datagram to RP

172.16.78.3

MPLS environment (PIM not available)

Unidirectional tunnels
g013120

10.2.23.45 Chicago Router Chicago receives datagram from tunnel and forwards it to RP RP

Members of multicast group receive the multicast

Figure 5-9 PIM remote neighbors connected by MPLS tunnel

On each E-series router, you must specify the location of the interface that PIM uses as the source address for the connection to the remote neighbor. You must also specify that the other router is a remote neighbor, and identify the IP address of the other router that PIM uses as the source address for the connection from the remote neighbor. Bear the following issues in mind when configuring remote neighbors: A route to the source RP must exist in the unicast view of the routing table to ensure that the PIM router can detect the remote neighbor. For information about configuring routes in the unicast routing tables, see the chapters on unicast routing protocols in this book and E-Series Routing Protocols Configuration Guide, Vol. 2, Chapter 1, Configuring BGP Routing.

PIM E-Series Routers

5-41

A route to the source must be present in the multicast view of the IP routing table to ensure that the PIM router can perform an RPF check for that source in a VPN. To add a route to the multicast IP routing table across a VPN, you can:
> Configure a multicast static route by issuing the ip rpf-route

command (see Multicast Packet Forwarding, earlier in this chapter).

> Configure BGP to add its unicast routes to the multicast IP routing

table by issuing the ip route-type both command. (see E-Series Routing Protocols Configuration Guide, Vol. 2, Chapter 1, Configuring BGP Routing)
> Configure OSPF or RIP to learn the route through the protocols

remote neighbor features (see Chapter 8, Configuring RIP and Chapter 9, Configuring OSPF). If a route is more specific than the route used to reach the remote neighbor originally, OSPF and RIP do not insert that route in the unicast and multicast views of the IP routing table. This feature prevents OSPF and RIP from masking the original route. If you require PIM to use such a route to reach a remote neighbor, add that route to the multicast view of the IP routing table using one of the methods described in the preceding paragraphs.
Timers

PIM SM uses timers to maintain the networking trees. PIM SM routers poll their neighbors and hosts for various pieces of information at set intervals. If a PIM SM router does not receive information from a neighbor or host within a specific time, known as the hold time, it removes the associated information from its routing tables. You can configure how often an interface sends hello messages (hello interval) and how often routers send RP announce messages (RP announce interval). The hold-time associated with hello messages is 3.5 times the hello interval and the holdtime associated with RP announce messages is 2.5 times the RP announce interval. All other timers are fixed and take the default values recommended in: RFC 2934 Protocol Independent Multicast MIB for IPv4 (October 2000)

5-42

CHAPTER 5 Configuring IP Multicasting

PIM S-DM

In PIM S-DM, if an RP is not known for a group, the router sends data using PIM DM. However, if the router discovers an RP or you configure an RP statically, PIM SM takes over. You can configure both PIM DM and PIM SM commands in PIM S-DM.
PIM SSM

PIM SSM is an extension of the PIM protocol. Using SSM, a client can receive multicast traffic directly from the source. PIM SSM uses PIM SM functionality to create an SPT between the client and the source, but builds the SPT without using an RP. By default, the SSM group multicast address is limited to the IP address range 232.0.0.0 to 232.255.255.255. However, you can extend SSM operations into another class D range by including the address statement at the [edit routing-options multicast ssm-groups] hierarchy level. Advantages that an SSM-configured network has over a traditionally configured PIM SM network include the following: No need for shared trees or RP mapping (no RP is required) No need for RP-to-RP source discovery through Multicast Source Discovery Protocol (MSDP) Simplified administrative deployment; you need only configure PIM SM on all router interfaces and issue the necessary SSM commands (including specifying IGMPv3 on the receiver LAN) Support for source lists; you can use source lists, supported in IGMPv3, where only specified sources send traffic to the SSM group. In a PIM SSM-configured network, the E-series router subscribes to an SSM channel (by means of IGMP version 3), announcing a desire to join group G and source S. The directly connected PIM SM router, the designated router (DR) of the receiver, sends an (S,G) join message to its RPF neighbor for the source. For PIM SSM, the RP is not contacted in this process by the receiver (as happens in normal PIM SM operations).
Enabling and Disabling PIM on a VR

By default, PIM is disabled. To enable PIM on a VR:

1 2

Enable multicast routing. Create a VR, or access the VR context.

PIM E-Series Routers

5-43

Create and enable PIM processing.

host1(config)#virtual-router boston host1:boston(config)#router pim

To disable PIM processing on a router, use the pim disable command.

pim disable
Use to disable PIM processing. By default, PIM processing is enabled. Example
host1:boston(config-router)#pim disable

Use the no version to reenable PIM processing.

router pim
Use to create and enable PIM processing on a VR or to access Router Configuration mode. Example
host1:boston(config)#router pim

Use the no version to remove PIM from the VR.

Enabling PIM on an Interface

You can enable PIM on an interface in one of the allowed modes and specify how often the interface should send hello messages to neighbors. You can configure PIM and IGMP on the same interface. If you configure IGMP and PIM on an interface, the router considers that PIM owns the interface.
Note: You cannot configure DVMRP and PIM on the same interface.

ip pim
Use to enable PIM on an interface. Example
host1(config-if)#ip pim sparse-dense-mode

Use the no version to disable PIM on an interface.

ip pim query-interval
Use to specify how often the router should send hello messages to neighbors. Example
host1(config-if)#ip pim query-interval

Use the no version to restore the default setting, 30 seconds.

5-44

CHAPTER 5 Configuring IP Multicasting

Configuring an RP Router for PIM SM and PIM S-DM

When you use the router for PIM SM or PIM S-DM, some VRs must act as RP routers. You can configure static RP routers or configure the router to assign RP routers automatically. To configure the router to assign RP routers automatically, you must define several VRs as RP routers and one VR as an RP mapping agent. RP routers send their announcement messages to the RP mapping agent, which assigns groups to RP routers and resolves any conflicts. The RP mapping agent notifies neighbors of the RP assigned to each group.
Configuring a Static RP Router

If you want to control PIM more tightly, you can configure a static RP router. To do so:
1

Configure an access list that details the multicast groups that will use the static RP router.
host1(config)#access-list boston permit 224.0.0.0 15.255.255.255

Specify a static RP router.

host1(config)#ip pim rp-address 122.0.0.1 1

Configuring an Auto-RP Router for PIM SM

Two multicast groups, 224.0.1.39 and 224.0.1.40, are reserved for forwarding auto-RP messages through the network. When you configure an auto-RP router for PIM SM, you must assign a static RP router to these two groups. You can then specify an RP mapping agent for other multicast groups. To configure an auto-RP router for PIM SM:
1

Configure a static RP to have priority over the auto-RP for the groups that send auto-RP multicast messages.
host1(config)#access-list 11 permit 224.0.1.39 0.0.0.0 host1(config)#access-list 11 permit 224.0.1.40 0.0.0.0 host1(config)#ip pim rp-address 192.48.1.22 76 override

Assign an RP mapping agent.

host1(config)#ip pim send-rp-discovery scope 23 loopback 1

Configure routers to send auto-RP announcement messages to the mapping agent.

host1(config)#ip pim send-rp-announce loopback 2 scope 16 group-list 1

PIM E-Series Routers

5-45

Configuring an Auto-RP Router for PIM S-DM

In PIM S-DM mode, you must prevent routers from advertising auto-RP messages to the multicast groups 224.0.1.39 and 224.0.1.40, which are reserved for forwarding auto-RP messages through the network. To configure an auto-RP router for PIM S-DM:
1

Assign an RP mapping agent.

host1(config)#ip pim send-rp-discovery scope 23 loopback 1

Configure an access list that details the multicast groups that will use the static RP router.
host1(config)access-list boston permit 224.0.0.0 15.255.255.255

Prevent routers from advertising auto-RP messages to the multicast groups that are reserved for forwarding auto-RP messages through the network.
host1(config)#access-list 1 host1(config)#access-list 1 deny 224.0.1.39 deny 224.0.1.40

Configure routers to send auto-RP announcement messages to the mapping agent.

host1(config)#ip pim send-rp-announce loopback 2 scope 23 group-list boston interval 200

ip pim rp-address
Use to specify a static PIM RP router. Specify a standard IP access list of multicast groups to control which multicast groups should use this RP router. Specify the override keyword if you want this static RP router to have priority over auto-RP routers. Example
host1(config)#ip pim rp-address 192.48.1.22 76 override

Use the no version to clear the filter from this interface.

ip pim send-rp-announce
Use to send auto-RP announcement messages from a router you configured as an RP. Specify an interface type and specifier, such as atm 3/0. For details about interface types and specifiers, see E-Series Command Reference Guide, About This Guide. The auto-RP announcement messages will contain the IP address for the interface you specify. Specify the number of hops for which the announcement is valid. The default value is 64.

5-46

CHAPTER 5 Configuring IP Multicasting

Specify an access list that details which multicast groups the RP should include in announcement messages. Specify a time interval in the range 165536 seconds to control how often the router sends announcements. The default is 60 seconds. Example
host1(config)#ip pim send-rp-announce loopback 2 scope 23 group-list boston interval 200

Use the no version to clear the specified filters from this interface.

ip pim send-rp-discovery scope

Use to configure the router as an RP mapping agent, which records RP-to-group mappings and notifies PIM DRs about the mappings. Specify the number of hops for which the RP discovery message is valid. The default value is 64. To assign an interface from which the router should send auto-RP discovery messages, specify an interface type and specifier, such as atm 3/0. For details about interface types and specifiers, see E-Series Command Reference Guide, About This Guide. Example
host1(config)#ip pim send-rp-discovery scope 23 loopback 1

Use the no version to stop the router from acting as an RP mapping agent.

Switching to an SPT for PIM SM

PIM SM initiates multicasting using a shared tree. You can configure PIM SM to switch to an SPT when a source starts sending multicast messages, or you can prevent PIM SM from switching to an SPT. Multicasting over an SPT may be more efficient than multicasting over a shared tree (see PIM SM, earlier in this chapter).
ip pim spt-threshold
Use to specify when PIM SM switches from a shared tree to an SPT. Specify a nonzero integer or the keyword infinity to prevent PIM SM from switching to an SPT. Specify a value of 0 to configure PIM to switch to an SPT when a source starts sending multicast messages. Example
host1(config)#ip pim spt-threshold 4

Use the no version to restore the default, 0.

PIM E-Series Routers

5-47

Configuring PIM SM Remote Neighbors

You must use PIM SM remote neighbors to run multicast services over BGP/MPLS VPNs.
Note: If you want to run IP multicasting over MPLS tunnels in a VRF, you must issue the ip mpls vpn-interface per-label command. IP multicasting over MPLS tunnels in a VRF is not supported in the default mode, in which MPLS allocates VPN interfaces per next hop. See E-Series Routing Protocols Configuration Guide, Vol. 2, Chapter 3, Configuring BGP/MPLS VPNs.

To configure a pair of E-series routers to act as PIM remote neighbors:

1

On one router, specify that the other router will be a remote neighbor, and identify the IP address of the interface on the other router that is used for the connection to this router.
host1(config-router):boston#remote-neighbor 10.2.23.45 sparse-mode

Specify the location of the local interface whose address is used as the source address for the PIM connection to a remote neighbor.
host1(config-router-rn):boston#update-source atm 2/1.108

(Optional) Specify how often the router should send hello messages to the remote neighbor.
host1(config-router-rn):boston#query-interval 40

4 query-interval

Repeat steps 2 to 3 for the other router.

Use to specify how often the router should send hello messages to remote neighbors. Example
host1(config-router-rn)#ip pim query-interval 40

Use the no version to restore the default setting, 30 seconds.

remote-neighbor
Use to specify a remote neighbor for PIM sparse mode. Specify the IP address of the interface on the remote neighbor that PIM uses as the source address for the connection to this router. Example
host1(config-router)#remote-neighbor 10.25.100.14 sparse-mode

Use the no version to remove the remote neighbor and any attributes configured for the remote neighbor.

5-48

CHAPTER 5 Configuring IP Multicasting

update-source
Use to specify the PIM interface whose local address is used as the source address for the PIM connection to a remote neighbor. You can use the same source address to form neighbor adjacencies with more than one PIM remote neighbor. You must use the IP address of this interface when issuing the remote-neighbor command on the remote neighbor. Example
host1(config-router-rn)#update-source loopback 5

Use the no version to delete the source address from the connection to the remote neighbor.

Configuration Example

This example uses the configuration shown in Figure 5-9. Two E-series routers called router boston and router chicago are running PIM and are connected by MPLS tunnels. To configure the routers as PIM remote neighbors:
1

Specify that router chicago will be a remote neighbor of router boston, and identify the IP address on router chicago that will transmit datagrams to router boston.
boston(config-router)#remote-neighbor 10.2.23.45 sparse-mode

Specify the location of the interface that will transmit datagrams from router boston to router chicago.
boston(config-router-rn)#update-source atm 2/1.108

Specify that router boston will send hello messages to router chicago every 40 seconds.
boston(config-if)#ip pim query-interval 40

Specify that router boston will be a remote neighbor of router chicago, and identify the IP address on router boston that will transmit datagrams to router chicago.
chicago(config-router)#remote-neighbor 172.16.78.3 sparse-mode

Specify the location of the interface that will transmit datagrams from router chicago to router boston.
chicago(config-router-rn)#update-source atm 2/1.95

Specify that router chicago will send hello messages to router boston every 40 seconds.
chicago(config-if)#ip pim query-interval 40

PIM E-Series Routers

5-49

Configuring PIM SSM

To configure PIM SSM, you enable PIM SSM on the router and define the SSM range of IP multicast addresses. To use PIM SSM, IGMPv3 must be configured on CPE-facing interfaces to receivers, and PIM SM must be configured on CPE-facing interfaces to sources and on core-facing interfaces. After configuring SSM, you can use the show ip pim sparse-mode sg-state command to display SSM group membership information. To configure PIM SSM:
1

Enable PIM SSM on the E-series router, and specify the access list that defines the SSM address range.
host1(config)#ip pim ssm range 15

2 3 ip pim ssm

Enable PIM SM on the CPE-facing interface. Enable IGMPv3 on the core-facing interface.

Use to enable PIM SSM and define the SSM range of IP multicast addresses. Example
host1(config)#access-list 15 permit 212.100.13.85 host1(config)#ip pim ssm range 15

Use the no version to disable SSM.

Removing PIM

To remove PIM from a VR, use the no router pim command.

router pim
Use to create and enable PIM processing on a VR or to access Router Configuration mode. Example
host1:boston(config)#router pim

Use the no version to remove PIM from the VR.

5-50

CHAPTER 5 Configuring IP Multicasting

Resetting PIM Counters and Mappings

You can use the clear ip pim commands to reset PIM counters and mappings.
clear ip pim auto-rp
Use to clear the group-to-RP router mappings the router learned through auto-RP. Specify the IP address of an RP to clear the group-to-RP mappings for a particular RP. If you do not specify an IP address, the router clears the group-to-RP mappings on all RP routers learned through auto-RP. Example
host1(config)#clear ip pim auto-rp 192.34.56.7

There is no no version.

clear ip pim interface count

Use to clear the counters for multicast packet statistics on all interfaces or a specified interface. Specify an interface type and identifier, such as atm 3/0 to clear the counters on that interface. For details about interface types and specifiers, see E-Series Command Reference Guide, About This Guide. If you do not specify an interface, the router clears the counters on all interfaces. Example
host1(config)#clear ip pim interface atm 3/0.5 count

There is no no version.

clear ip pim remote-neighbor count

Use to clear the counters for remote neighbor statistics on all interfaces or the specified interface. Specify the IP address of an interface to clear the counters for that interface. If you do not specify an interface, the router clears the counters on all interfaces. Example
host1(config)#clear ip pim remote-neighbor 10.2.5.8 count

There is no no version.

PIM E-Series Routers

5-51

Monitoring PIM

You can display information about PIM events and parameters.

Monitoring PIM Events

You can use the debug PIM commands to view information about PIM events.
debug ip pim
Use to show information on the selected event. To control the type of events displayed, specify a severity level. To control how much information to display, specify a verbosity level. Example
host1#debug ip pim events severity 1 verbosity low

Use the no version to disable the display.

undebug ip pim
Use to turn off the display of information previously enabled with the debug ip pim command.
host1#undebug ip pim events

There is no no version.

Monitoring PIM Settings

You can use the show ip pim commands to display information about PIM settings.
show ip pim auto-rp
Use to display information about RP routers and the RP mapping agent in a PIM SM environment. Field descriptions

Configured with ttl number of hops for which the RP discovery message is
valid

Using interface addr IP address of the interface from which the router
sends RP discovery messages

Interval time interval at which the router sends RP discovery messages PIM auto-RP candidate RP mapping(s) routers that the RP mapping agent
is evaluating to determine an RP router for this interface

5-52

CHAPTER 5 Configuring IP Multicasting

Example 1
host1:1#show ip pim auto-rp This PIM router is an Auto RP mapping agent. Configured with ttl 64 [ Using interface addr 121.0.0.1, interval 60 ]. PIM AutoRP candidate RP mapping(s)

Example 2

host1:1#show ip pim auto-rp This PIM router is _not_ an Auto RP mapping agent. PIM AutoRP candidate RP mapping(s) Candidate RP 122.0.0.1 Group(s) 224.0.0.0/4, AutoRP, ttl 64, interval 60, from access List 1 Candidate RP 122.0.0.1 Group(s) 224.0.1.39/32 (negative), AutoRP, ttl 64, interval 60, from access List 1 Candidate RP 122.0.0.1 Group(s) 224.0.1.40/32 (negative), AutoRP, ttl 64, interval 60, from access List 1

show ip pim dense-mode sg-state

Use to display information for each (Source, Group) entry for PIM DM. Field descriptions

(Source, Group) pair IP addresses of multicast source and group EntryExpires time until the (S,G) pair entry expires RPF Route reverse-path forwarding route IIF IP address of incoming interface UpNbr IP address of upstream neighbor Pruned Oifs outgoing interfaces that have been pruned Address IP address of outgoing interface IfId index of the interface Pruned due to reason for prune: assert or explicit prune Pruned time remaining time in seconds until the prune expires

Example

host1:8#show ip pim dense-mode sg-state PIM DM route table and pruned oif information <122.0.0.1, 224.0.1.39> Pruned Oifs: Address: 108.0.8.5 Pruned due to assert Pruned time remaining 129 <130.0.0.2, 224.0.1.39> Pruned Oifs: Address: 108.0.8.5 IfId: 95 EntryExpires: 100 IIF: 107.0.8.4 UpNbr: 107.0.4.8 RPF Route: 130.0.0.0/255.0.0.0 IfId: 95 EntryExpires: 99 IIF: 107.0.8.4 UpNbr: 107.0.4.8 RPF Route: 122.0.0.0/255.0.0.0

PIM E-Series Routers

5-53

Pruned due to assert Pruned time remaining 130 <121.0.0.1, 224.0.1.40> Pruned Oifs: Address: 108.0.8.5 Pruned due to assert Pruned time remaining 133 IfId: 95 EntryExpires: 102 IIF: 107.0.8.4 UpNbr: 107.0.4.8 RPF Route: 121.0.0.0/255.0.0.0

show ip pim interface

Use to display information about PIM interfaces. Specify no keywords or variables to display information about all PIM interfaces. Provide an interface type and specifier (such as atm 3/0) to display information about that interface only. For details about interface types and specifiers, see E-Series Command Reference Guide, About This Guide. Specify the summary keyword to view the number of configured, enabled, and disabled PIM DM, PIM SM, and PIM S-DM interfaces. Specify the count keyword to view the number of multicast packets that the interface has sent and received. Field descriptions

Interface Addr IP address of the interface Interface Name type and identifier of the interface. For details about
interface types and specifiers, see E-Series Command Reference Guide, About This Guide.

Ver version of PIM running on this interface Mode PIM mode running on this interface: sparse, dense, or sparse-dense Nbr Count number of neighbors connected to this interface Hello Intvl time interval at which the interface sends hello messages to neighbors DR Address address of the DR SM number of PIM SM interfaces DM number of PIM DM interfaces SM/DM number of PIM S-DM interfaces enabled number of interfaces administratively enabled disabled number of interfaces administratively disabled

ControlPkt Count In | Out PIM messages received on and sent from this
interface Hello number of hello messages JoinPrune number of join and prune messages Assert number of assert messages

5-54

CHAPTER 5 Configuring IP Multicasting

PIM Interface Table Interface Addr 108.0.8.5 107.0.8.4 111.0.8.9 110.0.8.12

Examples

host1#show ip pim interface Interface Name atm2/1.108 atm2/1.109 atm2/0.110 loopback8 Ver Mode 2 2 2 2 Nbr Hello 30 30 30 30 DR Addr 108.0.8.5 107.0.8.4 111.0.9.8 110.0.8.12

Count Intvl SparseDense 1 SparseDense 1 SparseDense 1 SparseDense 0

host1#show ip pim interface summary PIM Interface Summary SM: DM: 0, 0 enabled, 0 disabled 0, 0 enabled, 0 disabled

SM/DM: 1, 0 enabled, 1 disabled host1#show ip pim interface count PIM Interface Count Interface Addr 192.32.10.20 Interface Name ATM3/0.20 ControlPktCount In|Out Hello 0 0 JoinPrune 0 0 Assert 0 0

show ip pim neighbor

Use to display information about PIM neighbors that the router discovered. Provide an interface type and specifier (such as atm 3/0) to display information about that interface only. For details about interface types and specifiers, see E-Series Command Reference Guide, About This Guide. Field descriptions

Neighbor Addr IP address of the neighbor Interface Name type and specifier of the interface to which the neighbor
connects. For details about interface types and specifiers, see E-Series Command Reference Guide, About This Guide.

Uptime time since the router discovered this neighbor Expires time available for the neighbor to send a hello message to the
interface. If the neighbor does not send a hello message during this time, it will no longer be a neighbor.

Ver version of PIM that the neighbor is running Mode PIM mode that the neighbor is using: dense, sparse, or
sparse-dense

PIM E-Series Routers

5-55

PIM Neighbor Table Neighbor Addr 107.0.4.8 108.0.5.8 111.0.9.8

Example

host1#show ip pim neighbor Interface Name atm2/1.109 atm2/1.108 atm2/0.110 Uptime 1d15:47:35 1d15:47:34 1d15:48:02 Expires Ver Mode SparseDense SparseDense SparseDense

00:01:41 2 00:01:42 2 00:01:44 2

show ip pim remote-neighbor

Use to view information about PIM remote neighbors. Field descriptions

Remote Nbr Addr IP address of remote neighbor OurEnd Addr IP address of local interface, such as the local endpoint of a
tunnel, that transmits data to remote neighbor

Ver version of PIM running on the local interface Mode PIM mode running on the local interface; always PIM sparse mode Nbr Count number of remote neighbors detected: 0 or 1 Hello Intvl time interval at which the interface sends hello messages to neighbors

DR Addr address of DR In interface type and identifier of the interface on which PIM router receives
packets from remote neighbor. For details about interface types and specifiers, see E-Series Command Reference Guide, About This Guide.

Out interface type and identifier of the interface on which PIM router sends
packets to remote neighbor. For details about interface types and specifiers, see E-Series Command Reference Guide, About This Guide.
host1:boston#show ip pim remote-neighbor PIM RemoteNbr Table RemoteNbr Addr 10.2.23.45 OurEnd Addr 172.16.78.3 Ver Mode 2 Sparse Nbr 1 Hello 30 DR Addr 192.168.3.41 Count Intvl In interface : atm2/1.109 Out interface: atm2/1.108

show ip pim rp
Use to display information about PIM group-to-RP mappings. Specify the address of a group to view PIM group-to-RP mappings for a particular group. To display all RP-to-group mappings that the router has recorded, specify the mapping keyword. Field descriptions

Group prefix of the multicast group RP IP address of RP router for the multicast group priority this field is not functional

5-56

CHAPTER 5 Configuring IP Multicasting

via Auto RP/static RP method by which the RP router was assigned expiryTime time in seconds at which the RP mapping becomes invalid,
unless the mapping agent reassigns the RP router to this group Example
host1:8#show ip pim rp mapping PIM Group-to-RP mapping(s) Group(s) 224.0.0.0/4 RP 122.0.0.1, RP 122.0.0.1, RP 122.0.0.1, priority 0, priority 0, priority 0, via via via AutoRP, expiryTime 88 AutoRP (Negative), expiryTime 88 AutoRP (Negative), expiryTime 88 Group(s) 224.0.1.39/32 (negative) Group(s) 224.0.1.40/32 (negative)

show ip pim rp-hash

Use to show which RP router a multicast group is using. Field descriptions

Group multicast group RP RP router for the multicast group priority this field is not functional via Auto RP/static RP method by which the RP router was assigned expiryTime time in seconds at which the RP mapping becomes invalid, unless it is renewed by the mapping agent
host1:2#show ip pim rp-hash 232.1.1.1 Group(s) 224.0.0.0/4 RP 122.0.0.1, priority 0, via AutoRP, expiryTime 128

Example

show ip pim sparse-mode sg-state

Use to display information for each (S,G) entry for PIM SM and PIM SMM. Field descriptions

Group-to-RP mapping IP addresses and network mask of the multicast

group

RP IP address of RP router SSM group indicates that this is an SSM group

RPF route IP address and network mask of the RPF route IIF IP address of the incoming interface for the RPF route UpNbr IP address of the upstream neighbor Oifs outgoing interface Auto RP Discovery SELF oif indicates that RP router for this group was assigned through auto-RP suppressed for SSM

Register Oif to RP IP address of RP router for the outgoing interface; Address IP address of outgoing interface

PIM E-Series Routers

5-57

Interface type and specifier of the interface. For details about interface
types and specifiers, see E-Series Command Reference Guide, About This Guide.

Joined as type of mapping

(S,G) mapping from a specific source to a specific group (*,G) mapping from any source to a specific group (*,*,RP) mapping from any source to any group

Join expires number of seconds before the (S,G) membership expires Count of entries total count of (S,G) pair mappings
Example
host1:2#show ip pim sparse-mode sg-state PIM SM route table and oif information <*, 224.0.1.40> Group-to-RP mapping: 224.0.0.0/240.0.0.0 RPF Route: 123.0.0.0/255.0.0.0 106.0.3.7 Oifs: Auto RP Discovery SELF oif. Joined as <*, G> <*, 225.1.2.3> Group-to-RP mapping: 224.0.0.0/240.0.0.0 RPF Route: 123.0.0.0/255.0.0.0 106.0.3.7 Oifs: Address: 78.7.7.7 <*, 235.1.1.1> Group-to-RP mapping: 224.0.0.0/240.0.0.0 RPF Route: 123.0.0.0/255.0.0.0 106.0.3.7 Oifs: Address: 78.7.7.7 Interface: loopback7 Local group membership present. <118.1.33.34, 232.0.0.1> SSM Group RPF Route: 118.1.0.0/255.255.0.0 (Directly attached) Oifs: Register Oif to RP: 141.0.0.2 suppressed for SSM Group. Address: 134.0.0.1 Joined as <S, G> Interface: ATM3/0.104 Join Expires: 161 IIF: 118.1.0.1 RP: 123.0.0.1 UpNbr: IIF: 106.0.7.3 Interface: loopback7 Local group membership present. RP: 123.0.0.1 UpNbr: IIF: 106.0.7.3 RP: 123.0.0.1 UpNbr: IIF: 106.0.7.3

<118.1.33.35, 232.0.0.1> SSM Group

5-58

CHAPTER 5 Configuring IP Multicasting

RPF Route: 118.1.0.0/255.255.0.0 (Directly attached) Oifs:

IIF: 118.1.0.1

Register Oif to RP: 141.0.0.2 suppressed for SSM Group. Address: 134.0.0.1 Joined as <S, G> <10.0.1.8, 235.1.1.1> Interface: ATM3/0.104 Join Expires: 161 EntryExpires: 143 RP: 123.0.0.1 UpNbr: IIF: 106.0.7.3

Group-to-RP mapping: 224.0.0.0/240.0.0.0 RPF Route: 10.0.0.0/255.0.0.0 106.0.3.7 Oifs: Address: 78.7.7.7 Joined as <*, G> Count of entries - <S, G> <*, G> : 2 : 1 Interface: loopback7

<*, *, RP>: 0

show ip pim sparse-mode unicast-route

Use to display the unicast routes that PIM SM is using. Field descriptions

Route IP address and network mask for the unicast route RpfNbr RPF neighbor Iif incoming interface for the unicast route Pref preference for the unicast route Metric value of metric for the unicast route (type of metric varies with the unicast protocol)

Count of entries number of unicast routes that PIM SM is using.

Example
host1:2#show ip pim sparse-mode unicast-route PIM SM unicast route table information Route 122.0.0.0 /255.0.0.0 RpfNbr Iif 122.0.0.1 Pref 255 Metric 1 --------------------------------------------------------------------------Count of entries: 1

show ip pim spt-threshold

Use to display the threshold for switching to the shortest path tree at a PIM DR. Field descriptions

Access List Name name of the IP access list that specifies the groups to
which the threshold applies

SptThreshold (in kbps) value at which PIM SM should switch from a

shared tree to an SPT. A value of infinity indicates that PIM SM should never switch to an SPT.

DVMRP E-Series Routers

5-59

host1:2#show ip pim spt-threshold Access List Name 1 SptThreshold(in kbps) infinity -------------------------------------------------------

DVMRP
Note: PIM has gained general acceptance among a large number of multicast-enabled networks. We recommend that you use PIM rather than DVMRP for applications that are not otherwise required to run DVMRP.

The router supports Distance Vector Multicast Routing Protocol (DVMRP) on VRs to forward multicast datagrams through a network. DVMRP is an interior gateway protocol that supports operations within an autonomous system, but not between autonomous systems. The multicast backbone of the Internet, MBone, uses DVMRP to forward multicast datagrams. DVMRP is a dense-mode multicasting protocol and therefore uses a broadcast and prune mechanism. The protocol builds an SRT in a similar way to PIM DM (see Figure 5-3). DVMRP routers flood datagrams to all interfaces except the one that provides the shortest unicast route to the source. DVMRP uses pruning to prevent unnecessary sending of multicast messages through the SRT. A DVMRP router sends prune messages to its neighbors if it discovers that: The network to which a host is attached has no active members of the multicast group. All neighbors, except the next-hop neighbor connected to the source, have pruned the source and the group. When a neighbor receives a prune message from a DVMRP router, it removes that neighbor from its (S,G) pair table, which provides information to the multicast forwarding table. If a host on a previously pruned branch wants to join a multicast group, it sends an IGMP message to its first-hop router. The first-hop router then sends a graft message upstream.
Identifying Neighbors

In this implementation of DVMRP, a neighbor is a directly connected DVMRP router. When you enable DVMRP on an interface, the associated VR adds information about local networks to its DVMRP

5-60

CHAPTER 5 Configuring IP Multicasting

routing table. The VR then sends probe messages periodically to learn about neighbors on each of its interfaces. To ensure compatibility with other DVMRP routers that do not send probe messages, the VR also updates its DVMRP routing table when it receives route report messages from such routers.
Advertising Routes

As its name suggests, DVMRP uses a distance vector routing algorithm. Such algorithms require that each router periodically inform its neighbors of its routing table. DVMRP routers advertise routes by sending DVMRP report messages. For each network path, the receiving router picks the neighbor advertising the lowest cost and adds that entry to its routing table for future advertisement. The cost or metric for this routing protocol is the hop count back to the source. The hop count for a network device is the number of routers on the route between the source and that network device. Table 5-2 shows an example of the routing table for a DVMRP router.
Table 5-2 Sample routing table for a DVMRP router Time Before Entry Is Deleted from From Router Metric Routing Table 143.32.44.12 4 143.2.55.23 143.78.6.43 2 3 85 80 120

Source Subnet 143.2.0.0 143.3.0.0 143.4.0.0

Subnet Mask 255.255.0.0 255.255.0.0 255.255.0.0

Input Output Port Port 3/0 3/1 3/1 4/0, 4/1 4/0, 4/1 4/0, 4/1

The DVMRP router maintains a (S,G) pair table that provides information to the multicast forwarding table. The (S,G) pair table is based on: Information from the DVMRP routing table Information learned from prune messages If IGMP and DVMRP are on the same interface, group information learned from IGMP The (S,G) pair table includes a route from each subnetwork that contains a source to each multicast group of which that source is a member. These routes can be static or learned routes. Table 5-3 shows an example of the (S,G) pair table for DVMRP.

DVMRP E-Series Routers

5-61

Table 5-3 Example of DVMRP (S,G) pair table Time Before Entry Is Deleted from Routing Table 85 75 60 90 80

Source Subnet 143.2.0.0

Multicast Group 230.1.2.3 230.2.3.4 230.3.4.5 230.4.5.6

Input Port 3/0 3/0 3/0

a

Output Port 4/0, 4/1 4/0, 4/1 4/1 4/0 4/0, 4/1

143.3.0.0

230.1.2.3

3/1

a No value for the input port indicates that the interface is associated with a protocol other than DVMRP.

Enabling DVMRP on a VR

By default, DVMRP is enabled on the router. To enable DVMRP on a VR:

1 2

Enable multicast routing. (Optional) Create a VR or access a VR context.

Note: If you do not specify a VR, you can configure DVMRP on the default router.

You must now enable and configure DVMRP on one or more interfaces. See Activating DVMRP on an Interface. You can also set DVMRP limits for the VR. See Configuring DVMRP Limits.
Example
host1(config)#ip multicast-routing host1(config)#virtual-router boston

Activating DVMRP on an Interface

By default, DVMRP is not activated on an interface. Configuring any DVMRP parameter on an interface automatically activates DVMRP on that interface. You can also activate DVMRP on an interface and use the default parameters.
ip dvmrp
Use to activate DVMRP on an interface. This command automatically creates and enables DVMRP processing on the current VR. Issuing this command identifies this interface as one that DVMRP owns.

5-62

CHAPTER 5 Configuring IP Multicasting

Example
host1:boston(config-if)#ip dvmrp

Use the no version to remove DVMRP from an interface.

Configuring DVMRP Limits

You can configure DVMRP and IGMP on the same interface. If you configure IGMP and DVMRP on an interface, the router considers that DVMRP owns the interface.
Note: You cannot configure DVMRP and PIM on the same interface.

When you have enabled DVMRP processing on a VR, you can configure the following settings for that VR: The number of routes that the VR advertises on each interface. A maximum number of DVMRP routes at which the router generates a system log warning message and an SNMP trap.
ip dvmrp route-hog-notification
Use to set the number of DVRMP routes that the router can record before it generates a system log warning message. The warning allows you to identify routers that are injecting large numbers of routes into the MBone. Example
host1:boston(config)#ip dvmrp route-hog-notification 5000

Use the no version to revert to the default, 10,000 routes.

ip dvmrp route-limit
Use to limit the number of routes that the router can advertise on each interface. Example
host1:boston(config)#ip dvmrp route-limit 5000

Use the no version to restore the default, 7000 routes.

Filtering DVMRP Reports

You can configure an interface to accept only reports with routes that appear on a standard IP access list. You can refine the set of accepted routes further, by defining a second access list of neighbors who can supply the specified routes. For example, suppose you define an access list that specifies that the router accepts only reports for the route 172.16.2.0/24. You then define a

DVMRP E-Series Routers

5-63

second access list that specifies that only neighbors 192.168.1.1 and 193.168.1.1 can supply this route. If neighbor 192.168.2.2 supplies the route, the DVMRP router rejects this report. You can also modify the value (distance) that the router associates with a DVMRP route when it computes the RPF interface for the source of a multicast packet. By default, the router associates a distance of 0 with DVMRP routes; this value indicates that the router should use DVMRP, rather than a unicast routing protocol, to transport multicast datagrams. However, in a configuration where PIM discovers multicast routes and a unicast routing protocol performs RPF lookups, you can increase the administrative distance to favor the unicast protocol. For information about defining access lists, see Chapter 1, Configuring Routing Policy.
ip dvmrp accept-filter
Use to filter routes in DVMRP reports in accordance with a standard IP access list. Specify a standard IP access list of sources for which the interface will accept routes. To favor a unicast routing protocol, specify a DVMRP administrative distance. To restrict the neighbors from whom reports for routes on the first list will be accepted, specify a neighbor list. Example
host1:boston(config-if)#ip dvmrp accept-filter boston-list 4 neighbor-list boston-neighbors

Use the no version to disable a filter.

Configuring DVMRP Summary Addresses

You can configure an interface to advertise a summary address with a known metric rather than a more specific route. DVMRP advertises the summary address if the DVMRP routing table contains a more specific route that matches the address and mask of the summary address. If you want to advertise all routes rather than a summary, disable automatic summarization on the interface. By default, the router automatically summarizes DVMRP routes. DVMRP automatic summarization maps a unicast subnet route to a classful network number route when the subnet has a different network number from the IP address of the interface (or tunnel) over which the advertisement travels. If the interface is unnumbered, the router compares the network number of the numbered interface to the IP address to which the unnumbered interface points.

5-64

CHAPTER 5 Configuring IP Multicasting

If you configure a summary address on an interface and do not disable automatic summarization, the interface advertises the least specific address.
ip dvmrp auto-summary
Use to reenable the router to summarize routes automatically for this interface. By default, automatic summarization is enabled. Example
host1:boston(config-if)#ip dvmrp auto-summary

Use the no version to disable automatic summarization for this interface.

ip dvmrp summary-address
Use to advertise DVMRP summary addresses on an interface. By default, an interface advertises only summary addresses generated by automatic summarization. If you configure multiple overlapping summary addresses on an interface, the one with the shortest mask takes preference. The default metric value is 1. Example
host1:boston(config-if)#ip dvmrp summary-address 192.48.1.2 255.255.255.0 metric 1

Use the no version to stop advertising a summary address on the interface.

Changing the Metric for a Route

The metric for DVMRP is hop count. For example, a route with two hops over a slow serial line is preferable to a route with three hops over a faster optical line. The router increments DVMRP routes in incoming reports by a default metric of one and in outgoing reports by a default of 0. You can change the metric for an interface to promote or demote the preference for associated routes.
ip dvmrp metric-offset
Use to adjust the number of hops associated with a route. This action specifies that the route is more efficient or less efficient than an alternative route. Use the in keyword to specify the number of hops by which the router increments a DVMRP route advertised in incoming DVMRP reports. This option is the default. Use the out keyword to specify the number of hops by which the router increments a DVMRP route advertised in outgoing DVMRP reports.

DVMRP E-Series Routers

5-65

Example
host1:boston(config-if)#ip dvmrp metric-offset in 3

Use the no version to revert to the default settings: 1 for incoming reports and 0 for outgoing reports.

Importing Routes from Other Protocols

You can import routing information from other protocols into the DVMRP routing table. Only routes that appear in the RPF table can be imported. To do so:
1

If you want to use IS-IS, OSPF, or RIP routes, make those routes available to multicasting protocols. See Using Unicast Routes for RPF, earlier in this chapter. Access Router Configuration mode. Specify a route map. Import information from one type of routing domain into another.

2 3 4 redistribute

Use to import information from another type of routing domain to the DVMRP domain. Only routes that appear in the RPF table can be imported. Specify the source protocol from which routes are being redistributed. It can be one of the following keywords: bgp, isis, ospf, static, and connected. Use the static keyword to redistribute static IP multicast routes into DVMRP. Use the keyword connected to redistribute routes that are established automatically in the RPF table when another multicast routing protocol, such as PIM, is enabled on an interface. Use the route-map keyword to configure the route map to filter imported routes from the source routing protocol to the current routing protocol. If you do not specify the route-map option, all routes are redistributed. If you specify the route-map option, but no route map tags are listed, no routes will be imported. Example: Importing routing information from BGP into DVMRP
host1:boston(config-router)#redistribute bgp 100 route-map boston-map

Use the no version of this command to disable redistribution.

route-map
Use to specify a route map.
host1:boston(config-router)#route-map boston-map atm 3/2

Use the no version to delete the route map. If you do not specify an interface, it removes the global route map if one exists.

5-66

CHAPTER 5 Configuring IP Multicasting

router dvmrp
Use to create and enable DVMRP processing on a VR or to access DVMRP Router Configuration mode. Example
host1:boston(config)#router dvmrp

Use the no version to remove DVMRP from the VR.

Specifying Routes to Be Advertised

By default, if DVMRP owns an interface, that interface advertises all DVMRP routes it has learned to its neighbors. You can specify the routes that the interface advertises by issuing the ip dvmrp announce-filter command in conjunction with a standard IP access list. The IP access list defines the DVMRP routes that will be advertised.
ip dvmrp announce-filter
Use to specify the DVMRP routes that an interface will advertise. Specify a standard IP access list of routes that the interface will advertise. Example
host1:boston(config-if)#ip dvmrp announce-filter boston-list

Use the no version to allow the interface to advertise all DVMRP routes that it has learned.

Preventing Dynamic Route Distribution

By default, if you make changes to a route map, the router dynamically redistributes the routes in DVMRP. To prevent this dynamic redistribution, use the disable-dynamic-redistribute command.
disable-dynamic-redistribute
Use to halt the dynamic redistribution of routes that are initiated by changes to a route map. Dynamic redistribution is enabled by default. Example
host1(config-router)#disable-dynamic-redistribute

There is no no version.

Exchanging DVMRP Unicast Routes

DVMRP maintains its own unicast routing table, based on distance vector calculations. The routing table defines the best-known distance to each destination and how to get there. The router updates the tables by

DVMRP E-Series Routers

5-67

exchanging information with its neighbors. The DVMRP routing table is used solely for RPF lookups. By default, if DVMRP owns an interface, that interface exchanges DVMRP unicast routes with its neighbors, and you cannot disable the exchange of routes. However, you can enable and disable the exchange of DVMRP unicast routes on interfaces that DVMRP does not own. When an interface exchanges DVMRP routes, the router obtains routes from DVMRP report messages and stores them in its DVMRP routing table. Other multicast protocols, such as PIM, can then use these routes for RPF lookups. With this feature, PIM can use the DVMRP routing table even when the router is not running DVMRP. All interfaces, including tunnels, support DVMRP unicast routing. DVMRP tunnels use DVMRP multicast routing to support DVMRP unicast routing.
ip dvmrp unicast-routing
Use to enable the exchange of DVMRP unicast routes on an interface not owned by DVMRP. Example
host1:boston(config-if)#ip dvmrp unicast-routing

Use the no version to disable the exchange of DVMRP unicast routes on an interface not owned by DVMRP.

Disabling and Removing DVMRP

You can disable DVMRP on a VR or an interface without removing the configuration. You can also remove DVMRP from a VR or an interface.
disable
Use to disable DVMRP processing on a VR without removing the DVMRP configuration. By default, DVMRP processing is enabled. Example
host1:boston(config-router)#disable

Use the no version to reenable DVMRP processing on a VR.

ip dvmrp disable
Use to disable DVMRP processing on an interface without removing the DVMRP configuration. Example
host1:boston(config-if)#ip dvmrp disable

Use the no version to reenable DVMRP on an interface.

5-68

CHAPTER 5 Configuring IP Multicasting

ip dvmrp
Use to activate DVMRP on an interface. This command automatically creates and enables DVMRP processing on the current VR. Issuing this command identifies this interface as one that DVMRP owns. Example
host1:boston(config-if)#ip dvmrp

Use the no version to remove DVMRP from an interface.

router dvmrp
Use to create and enable DVMRP processing on a VR or to access Router Configuration mode. Example
host1:boston(config)#router dvmrp

Use the no version to remove DVMRP from the VR.

Deleting DVMRP Routes

You can clear one or more routes from the DVMRP routing table. However, if you do so, the routes may reappear in the routing table if they are rediscovered.
clear ip dvmrp routes
Use to delete DVMRP routes from the routing table. If you do not specify any options, the router removes all routes except those associated with its own interfaces from the DVMRP table. If you specify an IP address but not a subnet mask, the router removes the longest route to that IP address from the DVMRP table. If you specify a subnet mask, the router removes that specific route from the DVMRP table. Example
host1:boston#clear ip dvmrp routes

Configuring DVMRP Tunnels

DVMRP tunnels allow the exchange of IP multicast traffic between routers separated by networks that do not support multicast routing. For information about DVMRP tunnels, see Chapter 6, Configuring IP Tunnels.

DVMRP E-Series Routers

5-69

Monitoring DVMRP

You can establish a reference point for DVMRP statistics by setting the statistics counters to zero. You can display DVMRP information with the show ip dvmrp commands.
baseline ip dvmrp
Use to set the counters for IGMP statistics to zero. Example
(host1)#baseline ip dvmrp

show ip dvmrp
Use to display DVMRP information for a VR. Field descriptions

Dvmrp Admin State state of DVMRP in the software: enabled or disabled Mcast Admin State state of multicasting in the software: enabled or
disabled

Dvmrp Version version of DVMRP with which this software is compatible GenerationID a number the router generates each time it reboots; when
the number changes, neighbors discard all information previously learned from the router

NumRoutes number of routes in the DVMRP routing table NumTrigdRts number of routes waiting to be advertised, because a
parameter for the route changed

ReachableRoutes number of routes that the router can currently reach RouteHogNotification number of DVMRP routes that the router can record
before it generates a system log warning message

RouteLimit maximum number of routes that the router can advertise on

each interface

Send-S32-Prunes-Only indicates whether or not the router sends only

S-32 prunes True router sends only S-32 prunes and grafts to ensure compatibility with other protocols, such as PIM False router sends S-32 and S/Prefix grafts and prunes Example
host1:boston>show ip dvmrp Routing Process DVMRP - Distance Vector Multicast Routing Protocol Dvmrp Admin State: Mcast Admin State: Dvmrp Version: GenerationID: NumRoutes: Enabled Enabled 3.255 0x39aa07d3 7

5-70

CHAPTER 5 Configuring IP Multicasting

NumTrigdRts: ReachableRoutes: RouteHogNotification: RouteLimit: Send-S32-Prunes-Only:

0 7 10000 7000 false

show ip dvmrp interface

Use to display DVMRP parameters for the specified interfaces. Field descriptions

Interface type and identifier of the interface connected to a source. For

details about interface types and specifiers, see E-Series Command Reference Guide, About This Guide.

SourceAddress IP address of the interface or, for an unnumbered

interface, address of the loopback interface

Network/Mask network and mask of the subnet on which the interface

resides

Received Bad Packets/RBdPk number of bad packets received on this

interface

Received Bad Routes/RBdRt number of bad routes received on this

interface

Routes Sent/SntRt number of bad routes advertised on this interface Administrative State configured state of DVMRP on this interface: enabled
or disabled

Summary Address specific summary address that this interface should

advertise

auto-summary status of automatic summarization: enabled or disabled metric-offset in number of hops by which the router increments a DVMRP
route advertised in incoming DVMRP reports

metric-offset out number of hops by which the router increments a DVMRP

route advertised in outgoing DVMRP reports

accept-filter(s) names of IP access lists that specify the sources for which
the interface accepts routes. Example 1
host1:v3#show ip dvmrp interface Interface: atm5/0.14 SourceAddress: Network/Mask: Received Bad Packets: Received Bad Routes: Routes Sent: Administrative State: Summary Address(es) None Configured auto-summary: metric-offset in: Enabled 1 14.0.1.1 14.0.1.1/8 0 0 2 Enabled

DVMRP E-Series Routers

5-71

metric-offset out: accept-filter(s):

0 None Configured

Interface atm5/0.14 atm5/0.15

Example 2
SourceAddress 14.0.1.1 15.0.1.1 Network/Mask 14.0.1.1/8 15.0.1.1/8 RBdPk RBdRt SntRt 0 0 0 0 2 2

host1:boston#show ip dvmrp interface brief

show ip dvmrp mroute

Use to display information about DVMRP routes to multicast groups. Field descriptions

For each (S,G) pair:

No Upstream Prune router has sent no prune messages for this group Uptime time, in seconds, that this (S,) pair entry has been in the routing table RPF Interface interface that provides the shortest path back to the source Outgoing interface list types and identifiers of interfaces through which the VR forwards DVMRP messages, such as atm3/0. For details about interface types and specifiers, see E-Series Command Reference Guide, About This Guide. Example
host1:boston#show ip dvmrp mroute IP DVMRP Multicast Routing Table (40.0.0.0/16, RPF Interface atm5/0.40 Outgoing interface list: atm5/0.31 228.1.1.1) Uptime: 77 Upstream Prune: none

show ip dvmrp neighbor

Use to display information about DVMRP neighbors. Field descriptions

Interface interface type and identifier, such as atm3/0. For details about
interface types and specifiers, see E-Series Command Reference Guide, About This Guide.

Neighbor Address/NbrAddress IP address of the neighbor Neighbor upTime/UpTime length of time, in seconds, that this router has
been a neighbor

Neighbor Major Version/Maj major number of the DVMRP version on the

neighbor

Neighbor Minor version/Min minor number of the DVMRP version on the

neighbor

5-72

CHAPTER 5 Configuring IP Multicasting

Neighbor capabilities/Cap capability of the neighbor

Prune/P ability to send prune messages GenerationId/G ability to create a GenID number Mtrace/M ability to trace multicast routes Netmask/N ability to send prunes and grafts with a network mask address

Neighbor State/State status of the communications with the neighbor

Active router is able to communicate with this neighbor Down neighbor is down Ignoring router is not accepting message from this neighbor Oneway router is receiving messages from the neighbor, but the neighbor does not include the routers IP address in the messages. This state can indicate a starting transition, or a problem.

Generation ID number that the neighbor generates each time it boots;

when the number changes, the VR discards all information previously learned from the router.

Routes Received number of routes learned from this neighbor Bad Routes Received number of bad routes received from this neighbor Bad Packets Received number of bad packets received from this neighbor
Example 1
14.0.0.1 atm5/0.14 28 3 255 Prune GenerationId Mtrace NetMask Active 0x3a13fbc2 1 0 0 host1:boston#show ip dvmrp neighbor Neighbor Address: Interface: Neighbor upTime: Neighbor Major Version: Neighbor Minor Version: Neighbor Capabilities: Neighbor State: Geneneration ID: Routes Received: Bad Routes Received Bad Packets Received:

Example 2
host1:v3#show ip dvmrp neighbor brief Interface State atm5/0.14 Active atm5/0.15 Active NbrAddress 14.0.0.1 15.0.0.1 UpTime Maj Min Cap 32 34 3 255 PGMN 3 255 PGMN

DVMRP E-Series Routers

5-73

show ip dvmrp route

Use to display information about DVMRP routes. Specify an IP address to display the best route to that address. Specify an IP address and subnet mask to display the route that exactly matches this IP address and subnet mask Specify an interface type and specifier to display routes associated with that interface. Specify the brief keyword to view a summary of information. Field descriptions

Prefix IP address of the network Length length of the subnet mask for the network usNbr/Owner IP address of the upstream neighbor associated with this
route or a description of the origin of the route DVMRP Local route is associated with a directly attached network DVMRP Aggregate route is an aggregate route determined by summarization

Prefix/Length 14.0.0.0/8

Metric metric associated with this interface for this route ExpireTime time until the VR starts the process for removing the route UpTime length of time the route has been in the DVMRP routing table Interface type and identifier for the interface, such as atm3/0. For details about interface types and specifiers, see E-Series Command Reference Guide, About This Guide.

Example
usNbr/Owner Dvmrp Local Metric ExpireTime UpTime Interface 1 Never 18 atm5/0.14

host1:boston>show ip dvmrp route

Downstream Interface(s) Interface atm5/0.15 15.0.0.0/8 None 25.0.0.0/8 Interface atm5/0.15 host1:v3#show ip dvmrp route brief Prefix/Length 14.0.0.0/8 15.0.0.0/8 25.0.0.0/8 usNbr/Owner Dvmrp Local Dvmrp Local 14.0.0.1 Metric ExpireTime UpTime Interface 1 1 2 Never Never 121 26 26 19 atm5/0.14 atm5/0.15 atm5/0.14 14.0.0.1 2 129 11 atm5/0.14 Downstream Interface(s) Dvmrp Local 1 Never 18 atm5/0.15 Downstream Interface(s)

5-74

CHAPTER 5 Configuring IP Multicasting

show ip dvmrp routeNextHop

Use to display information about the next hop. Field descriptions

addr IP address of the next-hop router mlen mask length of the next-hop router ifIndex SNMP ifIndex for the interface that connects to the next hop Type description of the next-hop router leaf neighbor with no downstream neighbors branch neighbor with downstream neighbors

Example
host1:boston>show ip dvmrp routeNextHop addr/mlen 172.16.0.0/16 172.17.0.0/16 172.18.0.0/16 172.19.0.0/16 172.19.0.0/16 ifIndex 4 4 3 3 4 Type leaf leaf leaf leaf branch

BGP Multicasting
BGP multicasting (MBGP) is an extension of the BGP unicast routing protocol. Many of the functions available for BGP unicasting are also available for MBGP. The MBGP extensions specify that BGP can exchange information within different types of address families. The address families available are unicast IPv4, multicast IPv4, and VPN-IPv4. When you enable BGP, the router employs unicast IPv4 addresses by default. You should be thoroughly familiar with BGP before configuring MBGP. See E-Series Routing Protocols Configuration Guide, Vol. 2, Chapter 1, Configuring BGP Routing, for detailed information on BGP and MBGP.

Investigating Multicast Routes

You can use the mtrace command to trace the path that multicast packets take from a source to a destination through a multicast group address. This command is similar to the traceroute command for investigating unicast routes.
mtrace
Use this command to trace the path that multicast packets take to a destination. Specify the unicast IP address of the source for the packets.

Investigating Multicast Routes E-Series Routers

5-75

To direct the packets to a particular destination, specify the unicast address for that destination. If you do not specify a destination, the router traces the route from the device on which you issue the command. To direct the packets through a particular multicast group address, specify that multicast group address. If you do not specify a multicast group address, the router traces the route through the MBone audio multicast group. To send the trace to a particular device, specify the IP address of that device. If you do not specify a response address, the router sends the trace to an IP address on the router. To investigate a problem at a particular point in the route, specify the maximum number of hops for the trace. The trace starts at the destination and works back to the source. The default number of hops is 64. Field descriptions

Tracing multicast route from a.a.a.a to b.b.b.b for group c.c.c.c using
response address d.d.d.d a description of the trace as follows: a.a.a.a IP address of the source b.b.b.b IP address of the destination c.c.c.c IP address of the multicast group d.d.d.d IP address on the router to which the router will send the trace

Received mtrace response packet of length n length of the response

packet in bytes

Each line of the trace has the following format: hops. ip-address protocol
threshold hops number of hops from the destination to this intermediate router ip-address IP address of the intermediate router protocol multicast protocol running on the intermediate router. A value of 12 indicates IGMP; other values comply with A traceroute Facility for IP Multicast draft-ietf-idmr-traceroute-ipm-07.txt (July 2000). FwdingCode forwarding information or error associated with this hop. For example, RPF iif indicates that the request arrived on the expected RPF interface for this source group. For more information about the forwarding information or error codes, see A traceroute Facility for IP Multicast draft-ietf-idmr-traceroute-ipm-07.txt (July 2000). Example
host1#mtrace 100.4.4.4 40.1.1.1 232.1.1.1 Tracing multicast route from 100.4.4.4 to 40.1.1.1 for group 232.1.1.1 using response address 10.6.129.56 (Press ^c to stop.) Received mtrace response packet of length 88 1. 40.1.1.1 Protocol: PIM(3) FwdingCode: RPF iif(9) 2. 21.2.2.2 Protocol: PIM(3) FwdingCode: Reached RP(8)

There is no no version.

5-76

CHAPTER 5 Configuring IP Multicasting

Configuring IP Tunnels

6
Page 6-2 6-2 6-3 6-3 6-3 6-8

IP tunnels provide a way of transporting datagrams between routers separated by networks that do not support all the protocols that those routers support. This chapter describes how to configure IP tunnels on the E-series router.
Topic Overview Line Module Requirements Managing TSMs References Configuration Tasks Monitoring IP Tunnels

6-2

CHAPTER 6 Configuring IP Tunnels

Overview
The E-series router supports static IP tunnels. An IP tunnel is a virtual point-to-point connection between two routers. See Figure 6-1. To establish an IP tunnel, you specify a tunnel type and name, and then configure an interface on each router to act as an endpoint for the tunnel.

Tunnel ERX Source

Figure 6-1 IP tunneling

Data

ERX Destination

The E-series router supports the following types of IP tunnels: Generic Routing Protocol (GRE) tunnels Distance Vector Multicast Routing Protocol (DVMRP) tunnels, also known as IP in IP tunnels
GRE Tunnels

GRE encapsulates IP packets to enable data transmission through an IP tunnel. The resulting encapsulated packet contains a GRE header and a delivery header. Consequently, the packet requires more processing than an IP packet, and GRE can be slower than native routing protocols.
DVMRP Tunnels

DVMRP tunnels allow the exchange of IP multicast traffic between routers separated by networks that do not support multicast routing. For information about DVMRP, see Chapter 5, Configuring IP Multicasting.

Line Module Requirements

To create IP tunnels, you must install a Tunnel Service line module (TSM) in the E-series router. For information about installing TSMs in the E-series router, see the E-Series Installation and User Guide. Unlike other line modules, the TSM does not pair with a corresponding I/O module that contains ingress and egress ports. The TSM receives data from, and transmits data to, other line modules with ingress and

Managing TSMs E-Series Routers

6-3

egress ports. However, you must assign interfaces on other line modules or loopback interfaces to act as source endpoints for the tunnel. All line modules forward traffic to tunnels. For information about which line modules accept traffic for tunnels, see E-Series Installation and User Guide, Chapter 13, Protocol Support.

Managing TSMs
For information about TSM redundancy and tunnel distribution, see E-Series Physical Layer Configuration Guide, Chapter 9, Managing Tunnel Service and IPSec Service Interfaces.

References
For more information about IP tunnels, see the following documents: RFC 791 Internet Protocol DARPA Internet Program Protocol Specification (September 1981) RFC 1700 Assigned Numbers (October 1994) RFC 1701 Generic Routing Encapsulation (October 1994) RFC 1702 Generic Routing Encapsulation over IPv4 Networks (October 1994) RFC 2003 IP Encapsulation within IP (October 1996) RFC 2784 Generic Routing Encapsulation (GRE) (March 2000)

Configuration Tasks
To configure an IP tunnel:
1

Create or select a physical or loopback interface. This interface acts as an anchor for the source of the tunnel.

2 3 4 5 6 7

Assign an IP address to the physical or loopback interface. Create a tunnel interface. Set the source address for the tunnel. Set the destination address for the tunnel. (Optional) Enable error checking across a GRE tunnel. Set the maximum transmission unit (MTU) size for the tunnel.

6-4

CHAPTER 6 Configuring IP Tunnels

Note: On TSM interfaces, issue only the commands listed below. Do not configure protocols such as Multilink PPP or Multilink Frame Relay on TSM interfaces.

interface tunnel
Use to create an IP tunnel interface. Specify the type and name of the tunnel you want to create. You can establish the tunnel on a virtual router other than the current virtual router. Example
host1(config)#interface tunnel dvmrp:boston-tunnel-1 transport-virtual-router boston

Use the no version to remove the tunnel.

tunnel checksum
Use to enable checksum computation across a GRE tunnel. Checksum computation is not supported for DVMRP tunnels. Selecting this feature causes the E-series router to drop corrupted packets it receives on the tunnel interface. Example
host1(config)#interface tunnel gre:tunnel2 host1(config-if)#tunnel checksum

Use the no version to disable the checksum option.

tunnel destination
Use to configure the remote end of the tunnel. Specify either the IP address of an interface on the remote router or the hostname of the remote router.

The IP address is the address for the destination interface. The hostname is the name of the destination interface.
Example 1
host1(config)#interface tunnel dvmrp:tunnel2 host1(config-if)#tunnel destination 192.13.7.1

Example 2
host1(config)#interface tunnel dvmrp:tunnel2 host1(config-if)#tunnel destination remoteHost

Use the no version to remove the destination of a tunnel.

tunnel mtu
Use to set the MTU for the tunnel. Specify a value in the range 1024 to 10240 bytes.

Configuration Tasks E-Series Routers

6-5

Example
host1(config-if)#tunnel mtu 7500

Use the no version to restore the default, 10240 bytes.

tunnel source
Use to configure the source of the tunnel. Specify either the primary IP address or the type and specifier of an interface. Do not specify an unnumbered interface. Example 1
host1(config)#interface tunnel dvmrp:boston-tunnel-1 host1(config-if)#tunnel source 192.10.2.1

Example 2
host1(config)#interface tunnel dvmrp:boston-tunnel-1 host1(config-if)#tunnel source atm 5/0.12

Use the no version to remove the source of a tunnel.

Configuration Example

In this example, two GRE tunnel interfaces are configured on different virtual routers of an E-series router. The source of the first tunnel interface matches the destination of the second tunnel interface and vice versa.
1

Configure a virtual router called boston that will support one end of the tunnel.
host1#virtual-router boston

Configure a physical or loopback interface for the end of the tunnel on virtual router boston. The IP address of this interface appears in the header of tunneled frames and is used for forwarding traffic.
host1:boston#interface atm 12/0.5 host1:boston(config-if)#ip address 10.5.5.5 255.255.255.0

Configure the tunnel interface on virtual router boston.

a

Create the tunnel interface.

host1:boston(config)#interface tunnel gre:ChicagoTunnel

Configure the source and destination points of the tunnel interface.

host1:boston(config-if)#tunnel source 10.5.5.5 host1:boston(config-if)#tunnel destination 10.6.6.6

6-6

CHAPTER 6 Configuring IP Tunnels

Set the MTU for the tunnel.

host1:boston(config-if)#tunnel mtu 8000

Configure the IP address of the tunnel interface.

host1:boston(config-if)#ip address 10.7.7.7 255.255.255.0

Configure a virtual router called chicago that will support the other end of the tunnel.
host1(config)#virtual-router chicago

Configure a physical or loopback interface for the end of the tunnel on virtual router chicago.
host1:chicago(config)#interface atm 12/1.5 host1:chicago(config-if)#ip address 10.6.6.6 255.255.255.0

Configure the tunnel interface on virtual router chicago.

a

Create the tunnel interface.

The name of the tunnel interface can differ from the tunnel interface configured in step 3.
host1:chicago(config-if)#interface tunnel gre:BostonTunnel

Configure the source and destination points of the tunnel interface.

The destination of this tunnel interface matches the source of the tunnel interface configured in step 3 and vice versa.
host1:chicago(config-if)#tunnel source 10.6.6.6 host1:chicago(config-if)#tunnel destination 10.5.5.5

Set the MTU for the tunnel.

The MTU must match the MTU configured in step 3.

host1:chicago(config-if)#tunnel mtu 8000

Configure the IP address of the tunnel interface.

host1:chicago(config-if)#ip address 10.9.9.9 255.255.255.0

Configuring IP Tunnels to Forward IP Frames

When a line module receives IP frames destined for a tunnel, the module forwards the frames to the TSM. The TSM encapsulates the frames and forwards them to the tunnel through an interface determined by a route lookup of an IP frame. The source and destination addresses in the IP frame are the source and destination addresses of the tunnel.

Configuration Tasks E-Series Routers

6-7

Similarly, when a line module receives traffic from a tunnel, the module forwards the traffic to the TSM for deencapsulation. After deencapsulation, the TSM forwards the resultant IP frames to an interface determined by a route lookup. When you have configured a tunnel interface, treat it in the same way as any IP interface on the router. For example, you can configure static IP routes or enable routing protocols on the tunnel interface. The IP configurations you apply to the tunnels control how traffic travels through the network.
Preventing Recursive Tunnels

If routing information about the tunnel network combines with routing information about the transport networks (the networks that the tunnel services), a recursive tunnel can occur. In this case, the routing table defines the tunnel itself as the best path to a tunnel destination. To prevent recursive tunnels, differentiate routing information for the tunnel network and the transport networks with one or both of the following techniques: Use different routing protocols for the tunnel network and the transport networks. Define a static route to the tunnel destination.
Note: If you define a static route to a tunnel destination, be careful not to create routing loops.

Figure 6-2 illustrates how to prevent recursive tunnels by using different routing protocols for the tunnel network and the transport networks.

VR2

VR5

VR8

VR1

VR4

Tunnel

VR7

VR10

VR3

VR6

VR9
g013127

Transport network using IS-IS routing protocol

Tunnel network using OSPF routing protocol

Transport network using IS-IS routing protocol

Figure 6-2 Transport and tunnel networks using different routing protocols

6-8

CHAPTER 6 Configuring IP Tunnels

Monitoring IP Tunnels
You can monitor DVMRP and GRE tunnels by using the following commands.
show dvmrp tunnel
Use to display information about DVMRP tunnels. Optionally, specify the detail keyword to view detailed information about tunnels. Optionally, specify the state keyword and the state of the tunnel (disabled, down, enabled, lower-down, not-present, up) to view the number of tunnels in a specific state. Optionally, specify a tunnel name to view the state of a specific tunnel. Optionally, specify an IP address to view the number of tunnels associated with that IP address. Optionally, specify an IP address with the virtual-router keyword and the name of the virtual router to view the number of tunnels associated with that IP address on the virtual router. Field descriptions

Tunnel status
up tunnel is operational down tunnel is not operational not-present tunnel is not operational, because the hardware (such as a line module) supporting the tunnel is inaccessible

Tunnel name name of the tunnel Tunnel mtu maximum transmission unit for the tunnel Tunnel source address IP address of the source of the tunnel Tunnel destination address IP address of the destination of the tunnel Tunnel transport virtual router virtual router associated with the tunnel Tunnel up/down trap is enabled indicates whether or not the E-series router sends traps to SNMP when the operational state of the tunnels changes internal to the TSM.

Tunnel server location location of the TSM in slot/port format. The port is
Tunnel administrative state configured state of the tunnel: up or down Statistics details of packets received or transmitted by the tunnel Packets number of packets received or transmitted by the tunnel Octets number of octets received or transmitted by the tunnel Discards number of packets not accepted by the tunnel Errors number of packets with errors received or transmitted by the tunnel Data rx received data Data tx transmitted data

Monitoring IP Tunnels E-Series Routers

6-9

Example 1
host1#show dvmrp tunnel DVMRP tunnel boston1 is up 1 DVMRP tunnel found

Example 2

host1#show dvmrp tunnel detail DVMRP tunnel boston1 is up Tunnel operational configuration Tunnel name is 'boston1' Tunnel mtu is '10240' Tunnel source address is '0.0.0.0' Tunnel destination address is '0.0.0.0' Tunnel transport virtual router is vr1 Tunnel up/down trap is enabled Tunnel server location is 4/0 Tunnel administrative state is up Statistics Data rx Data tx packets 0 0 octets 0 0 discards 0 0 errors 0 0

1 DVMRP tunnel found

Example 3
host1#show dvmrp tunnel state enabled DVMRP tunnel boston1 is up 1 DVMRP tunnel found

Example 4
host1#show dvmrp tunnel virtual-router vr1 ip 0.0.0.0 DVMRP tunnel boston1 is up 1 DVMRP tunnel found

show dvmrp tunnel summary

Use to display a summary of information about DVMRP tunnels. Field descriptions

Administrative status
enabled tunnel is available for use disabled tunnel is not available for use

Operational status
up tunnel is operational down tunnel is not operational not-present tunnel is not operational, because the hardware (such as a line module) supporting the tunnel is inaccessible

6-10

CHAPTER 6 Configuring IP Tunnels

Example
enabled 1 up 1 disabled 0 down 0 not-present 0

host1#show dvmrp tunnel summary Administrative status Operational status

show gre tunnel

Use to display information about a GRE tunnel or a list of GRE tunnels. Optionally, specify the detail keyword to view detailed information about tunnels. Optionally, specify the state keyword and the state of the tunnel (disabled, down, enabled, lower-down, not-present, up) to view the number of tunnels in a specific state. Optionally, specify a tunnel name to view the state of a specific tunnel. Optionally, specify an IP address to view the number of tunnels associated with that IP address. Optionally, specify an IP address with the virtual-router keyword and the name of the virtual router to view the number of tunnels associated with that IP address on the virtual router. Field descriptions

Tunnel name name of the tunnel Tunnel mtu maximum transmission unit for the tunnel Tunnel source address IP address of the source of the tunnel Tunnel destination address IP address of the destination of the tunnel Tunnel transport virtual router virtual router associated with the tunnel Tunnel checksum option state of the checksum feature: enabled or disabled router sends traps to SNMP when the operational state of the tunnels changes

Tunnel up/down trap is enabled indicates whether or not the E-series Tunnel server location location of the TSM in slot/port format. The port is
internal to the TSM.

Tunnel administrative state configured state of the tunnel: up or down Statistics details of packets received or transmitted by the tunnel Packets number of packets received or transmitted by the tunnel Octets number of octets received or transmitted by the tunnel Discards number of packets not accepted by the tunnel Errors number of packets with errors received or transmitted by the tunnel Data rx received data Data tx transmitted data
host1#show gre tunnel 3 GRE tunnels found

Example 1

Monitoring IP Tunnels E-Series Routers

6-11

Example 2

host1#show gre tunnel detail Tunnel operational configuration Tunnel name is 'vr1' Tunnel mtu is '10240' Tunnel source address is '10.0.0.2' Tunnel destination address is '10.0.0.1' Tunnel transport virtual router is vr1 Tunnel checksum option is disabled Tunnel up/down trap is enabled Tunnel server location is 4/0 Tunnel administrative state is up Statistics Data rx Data tx packets 0 0 octets 0 0 discards 0 0 errors 0 0

Tunnel operational configuration Tunnel name is 'default' Tunnel mtu is '10240' Tunnel source address is '10.0.0.1' Tunnel destination address is '10.0.0.2' Tunnel transport virtual router is default Tunnel checksum option is disabled Tunnel up/down trap is enabled Tunnel server location is 4/0 Tunnel administrative state is up Statistics Data rx Data tx packets 0 0 octets 0 0 discards 0 0 errors 0 0

Tunnel operational configuration Tunnel name is 'london2' Tunnel mtu is '10240' Tunnel source address is '0.0.0.0' Tunnel destination address is '0.0.0.0' Tunnel transport virtual router is vr1 Tunnel checksum option is disabled Tunnel up/down trap is enabled Tunnel server location is 4/0 Tunnel administrative state is up Statistics Data rx Data tx packets 0 0 octets 0 0 discards 0 0 errors 0 0

3 GRE tunnels found

6-12

CHAPTER 6 Configuring IP Tunnels

Example 3

host1#show gre tunnel state up GRE tunnel VR1 is up GRE tunnel default is up GRE tunnel london2 is down 3 GRE tunnels found Example 4 host1#show gre tunnel virtual-router vr1 ip 10.0.0.1 GRE tunnel VR1 is up 1 GRE tunnel found

show gre tunnel summary

Use to display a summary of information about GRE tunnels. Field descriptions

Administrative status
enabled tunnel is available for use disabled tunnel is not available for use

Operational status
up tunnel is operational down tunnel is not operational not-present tunnel is not operational, because the hardware (such as a line module) supporting the tunnel is inaccessible Example
enabled 3 Operational status up 3 disabled 0 down 0 not-present 0 host1#show gre tunnel summary Administrative status

IP Reassembly for Tunnels

7
Page 7-1 7-2 7-3

This chapter describes IP packet reassembly for tunneled protocols on the E-series router.
Topic Overview Configuring IP Reassembly Monitoring IP Reassembly

Overview
Tunneling protocols provide a method of forwarding packets of a particular protocol through a network of a different protocol type. For example, L2TP can transport a protocol such as PPP through a routed IP network. This capability requires a pair of devices that define the endpoints of the tunnel. Packets entering the tunnel are processed and encapsulated at the ingress endpoint, and packets exiting the tunnel are processed and decapsulated at the egress endpoint. When packets are tunneled through an IP network, simple IP forwarding is performed. The IP forwarding process may require fragmentation within the tunnel, which means that a packet that enters a tunnel whole may reach the egress endpoint as fragments. Because tunnel processing requires each packet to exit the tunnel in the same form in which it entered, if fragmented packets are not reassembled before the tunnel egress processing is performed, they are dropped.

7-2

CHAPTER 7 IP Reassembly for Tunnels

For example, in Figure 7-1, traffic is tunneled through an IP network that has four hops. Because the MTU of the link between routers B and C is smaller than that of previous hops, some packets are fragmented. Router D must reassemble the packets before tunnel egress processing and decapsulation are performed.

IP network

B Tunnel ingress A

Packets fragmented

Tunnel egress

C
g013122

Figure 7-1 Tunneling through an IP network that fragments packets

Reassembly Processing Within the System

Tunnel Server modules (TSMs) perform IP reassembly on the E-series router. The E-series router can perform reassembly of IP packets it receives on DVMRP, GRE, IPSec, and L2TP tunnels. Because IP reassembly is required only on tunnel egress packets, the router performs reassembly only on packets in which the IP destination address is local to the router and in which the underlying protocol is one of the supported tunneling protocols.

Configuring IP Reassembly
To set up IP reassembly, you enable it on a virtual router basis. Also, on a systemwide basis, you can control how the router handles checking of sequence numbers in data packets that it receives on L2TP tunnels.
ip tunnel reassembly
Use to enable the reassembly of fragmented IP tunnel packets that are received on the current virtual router. Note that you configure tunnel reassembly on VPN routing and forwarding routers independent of the tunnel reassembly configuration on the parent virtual router.

Monitoring IP Reassembly E-Series Routers

7-3

Example enables reassembly for virtual router vr12 and disables reassembly for virtual router vr8
host1:vr12(config)#ip tunnel reassembly host1:vr12(config)#virtual-router vr8 host1:vr8(config)#no ip tunnel reassembly

Use the no version to return IP tunnel reassembly to the default, disabled.

l2tp ignore-receive-data-sequencing
Use to prevent sequence number checking for data packets received on all L2TP tunnels in the router. This command does not affect the insertion of sequence numbers in packets sent from the router. We recommend that you set up the router to ignore sequence numbers in received data packets if you are using IP reassembly. Because IP reassembly may reorder L2TP packets, out-of-order packets may be dropped if sequence numbers are being used on L2TP data packets. Example
host1(config)#l2tp ignore-receive-data-sequencing

Use the no version to cause the router to check sequence numbers on received L2TP data packets.

Monitoring IP Reassembly
The router keeps several statistics that are useful for diagnostic purposes. These statistics are organized by virtual router, and some are broken out by protocol as well. You can display statistics for a single virtual router or for all virtual routers.
show ip tunnel reassembly statistics
Use to display reassembly statistics. Statistics are displayed for the current virtual router unless you include the all keyword, which causes the router to display statistics for all virtual routers. Statistics are displayed in brief form unless you include the detail keyword. Field descriptions

Tunnel IP reassembly status of the IP reassembly feature: enabled,

disabled

Fragments Received total fragments received for all tunneling protocols Packets Reassembled number of packets reassembled; detailed display
includes number of packets reassembled for each protocol

Reassembly Errors errors in completing reassembly; detailed display

includes types of reassembly errors

Reassembly Discards number of packets discarded because they were not

reassembled; detailed displays include the cause of discard

7-4

CHAPTER 7 IP Reassembly for Tunnels

Example 1 show reassembly statistics for the default virtual router

host1:vr0#show ip tunnel reassembly statistics Tunnel IP Reassembly Statistics for Virtual Router: default Tunnel IP Reassembly enabled Total Fragments Received: Total Packets Reassembled: Reassembly Errors: Reassembly Discards: 2685 1231 32 1422

Example 2 shows detailed reassembly statistics for the default virtual

router
host1:vr0#show ip tunnel reassembly statistics detail Tunnel IP Reassembly Statistics for Virtual Router: default Tunnel IP Reassembly enabled Total Fragments Received: Total Packets Reassembled: L2TP: GRE: L2F: IPSec: Total Reassembly Errors: Fragmentation Errors: Too Many Fragments: Out of Resources: Packet Too Big: Reassembly Timeout: Reassembly Disabled Discards: 2685 1231 324 871 36 0 22 0 0 0 0 22 1422

Configuring RIP

8
Page 8-1 8-2 8-3 8-6 8-7 8-18 8-19 8-22

This chapter describes how to configure the Routing Information Protocol (RIP) on your E-series router.
Topic Overview References Features Before You Run RIP Configuration Tasks Using RIP Routes for Multicast RPF Checks Remote Neighbors Monitoring RIP

Overview
RIP is an interior gateway protocol (IGP) typically used in small, homogeneous networks. RIP uses distance-vector routing to route information through IP networks. Distance-vector routing requires that each router simply inform its neighbors of its routing table. For each network path, the receiving router picks the neighbor advertising the lowest metric, then adds this entry into its routing table for readvertisement. Any host that uses RIP is assumed to have interfaces to one or more networks. These networks are considered to be directly connected networks. RIP relies on access to certain information about each of these networks. The most important information is the networks metric.

8-2

CHAPTER 8 Configuring RIP

RIP Metric

RIP uses the hop count as the metric (also known as cost) to compare the value of different routes. The hop count is the number of routers that data packets must traverse between RIP networks. Metrics range from 0 for a directly connected network to 16 for an unreachable network. This small range prevents RIP from being useful for large networks.
RIP Messages

RIP exchanges routing information via User Datagram Protocol (UDP) data packets. Each RIP router sends and receives datagrams on UDP port number 520, the RIP version 1/RIP version 2 port. All communications intended for another routers RIP process area are sent from the RIP port. Every RIP message contains a RIP header that consists of a command and a version number. The router supports RIP version 1 (RIPv1) and RIP version 2 (RIPv2) extensions. RIP employs the following message types: Request A request for the responding router to send all or part of its routing table. Response A message containing all or part of the senders routing table. This message is sent in response to a request or is an unsolicited routing update generated by the sender. The RIP request and response messages also contain a list of route entries. Each route entry contains the following: Address Entry Identifier The type of address Destination IP address The destination address of the message Cost to reach the destination A value between 1 and 15, which specifies the current metric for reaching the destination

References
For more information about RIP, consult the following resources: RFC 1058 Routing Information Protocol (June 1998) RFC 2453 RIP Version 2 (November 1998)

Features E-Series Routers

8-3

Features
Some of the major RIP features supported by the router include:
RIP version 1 RIP version 2 route tags authentication subnet masks next hop multicast addressing route summarization split horizon equal-cost multipath remote neighbors poison reverse

Route Tags

A route tag is a field in a RIP message that allows boundary routers in an autonomous system (AS) to exchange information about external routes. Route tags provide a method of separating internal RIP routes (routes within the RIP routing domain) from external RIP routes, which may have been imported from an EGP (exterior gateway protocol) or another IGP (interior gateway protocol). Routers supporting protocols other than RIP should be configurable to allow the route tags to be configured for routes imported from different sources. For example, routes imported from BGP should be able to have their route tags set to the number of the ASs from which the routes were learned.
Authentication

RIPv1 does not support authentication. If you are sending and receiving RIPv2 packets, you can enable RIP authentication on an interface. The router provides the simple authentication scheme for RIPv2. Because authentication is a per message function and only one 2-octet field is available in the RIP message header, authentication uses the space of an entire RIP message. The first 20-byte entry in a RIP authentication message contains an address family identifier value of 0xffff and a route tag value of 2. If the 0xffff address family is present in the RIP message, the remaining 16 octets of the entry contain a plain text password. If the password is fewer than 16 octets, it must be left-justified and padded to the right with nulls (0x00). Authentication is applied per RIP interface. You can specify either text or MD5 authentication. Text authentication uses a simple password that must be shared by the neighbors receiving updates or requests. If they do

8-4

CHAPTER 8 Configuring RIP

not have this password, the neighbors reject all updates or requests from the router. MD5 authentication uses a shared key to encrypt the RIP message. The neighbors must have the MD5 key to decrypt the message and encrypt a response.
Note: Do not use text authentication when security is important, because the router sends the unencrypted password in every RIP packet it sends.

Example 1

The following example shows how to use password authentication:

host1(config)#interface fastEthernet 0/0 host1(config-if)#ip rip send version 2 host1(config-if)#ip rip authentication mode text host1(config-if)#ip rip authentication key ke6G72mV

Example 2

The following example shows how to use MD5 authentication:

host1(config)#interface fastEthernet 0/0 host1(config-if)#ip rip send version 2 host1(config-if)#ip rip authentication mode md5 8 host1(config-if)#ip rip authentication key sf43nBScE9

Subnet Masks

The Subnet Mask field of a RIP message contains the subnet mask that is applied to the IP address to set the nonhost portion of the address. If the subnet mask field in a RIP message contains a zero, then no subnet mask was included for the entry. On an interface where a RIPv1 router may hear and operate on information in a RIPv2 routing entry, the following rules apply: Information internal to one network must never be advertised into another network. Information about a more specific subnet may not be advertised where RIPv1 routers would consider it a host route. Supernet routes (routes where a netmask is less specific than the natural network mask) must not be advertised where they could be misinterpreted by RIPv1 routers.
Next Hop

The Next Hop field in a RIP message contains the next IP address where a packet is sent. A value of zero in this field indicates that the next address the packet should be sent to is the router that originally sent the RIP message.

Features E-Series Routers

8-5

Multicasting

To reduce unnecessary load on hosts that are not listening to RIPv2 messages, an IP multicast address is used for periodic broadcast messages. The IP multicast address is 224.0.0.9.
Route Summaries

You can summarize routes reported by RIP to reduce the size of the routing table and the amount of traffic resulting from RIP updates. Configuring a RIP summary will cause that prefix to be advertised with the associated metric regardless of the presence of more-specific prefixes. Any more-specific prefixes will not be advertised when they are covered by the summary. You can choose the degree of summarization by using a prefix tree to specify the number of bits to report for routes matching a route map. Alternatively, you can explicitly specify routes for RIP to summarize.
Prefix Tree Example

The following example shows how to configure a 16-bit route summary:

1

Specify a route map for RIP in Router Configuration mode.

host1#configure t Enter configuration commands, one per line. End with CNTL/Z. host1(config)#router rip host1(config-router)#route-map 1 host1(config-router)#exit

Define a route map associated with a prefix tree.

host1(config)# host1(config)#route-map 1 host1(config-route-map)#match-set host1(config-route-map)#match-set summary prefix-tree boston host1(config-route-map)#exit host1(config)#

Set the conditions for summarization in the prefix tree, including which routes are summarized and how many bits of the network addresses are preserved as the network prefix.
host1(config)#ip prefix-tree boston permit 2.1.0.0/16

This example summarizes routes for networks addressed by 2.1.x.x. The first 16 bits of the network address are preserved in the summary. For example, routes 2.1.3.0, 2.1.2.0, and 2.1.1.0 would all be summarized as 2.1.0.0.

8-6

CHAPTER 8 Configuring RIP

Static Summary Example

You can use the ip summary-address command to specify routes that RIP will summarize.
host1(config-router)#ip summary-address 4.4.0.0 255.255.0.0 5 host1(config-router)#ip summary-address 4.3.0.0 255.255.0.0 6

Split Horizon

Split horizon is a mechanism to aid in preventing routing loops when distance-vector routing protocols such as RIP are employed in broadcast networks. When split horizon is enabled, the router cannot advertise information about routes on an interface from which the information originates. Split horizon is enabled by default on the router. You can disable split horizon and enable poison reverse routing updates that advertise routes originating on the interface, but for each of these routes the metric is set to infinity to explicitly advertise that these networks are not reachable.
Equal-Cost Multipath

RIP supports equal-cost multipath (ECMP) and installs into the routing table multiple entries for paths to the same destination. Each of these multiple paths to a given destination must have the same cost as the others, but a different next hop.
Applying Route Maps

You can apply a policy to redistributed routes with the route-map command. See Chapter 1, Configuring Routing Policy, for more information on route maps. You can use the table-map command to apply a route map to RIP routes that are about to be added to the IP routing table.

Before You Run RIP

At least one IP address must be configured on your router for RIP to run.

Configuration Tasks E-Series Routers

8-7

Configuration Tasks
To configure RIP:
1

Create a RIP process by enabling RIP.

host1(config)#router rip

(Optional) Configure the global RIP version. RIPv1 is used by default.

host1(config-router)#version 2

(Optional) Do one of the following: Associate a network with a RIP routing process and optionally configure RIP for the network.
host1(config-router)#network 10.2.1.0 255.255.255.0 host1(config-if)#ip rip host1(config-if)#ip rip receive version 1 host1(config-if)#ip rip send version 2 host1(config-if)#ip rip authentication mode text host1(config-if)#ip rip authentication key klaatu42

Associate the RIP routing process with an interface specified by an IP address or with an unnumbered interface, and configure RIP for the interface.
host1(config-router)#address 10.2.1.1 host1(config-router)#address 10.2.1.1 receive version 1 host1(config-router)#address 10.2.1.1 send version 2 host1(config-router)#address 10.2.1.1 authentication mode text host1(config-router)#address 10.2.1.1 authentication key 31barada

Each configuration step is optional, and includes the following: (Optional) Specify a RIP receive version for an interface. By default, RIP interfaces on your router receive both RIPv1 and RIPv2. (Optional) Specify a RIP send version for an interface. By default, RIP interfaces on your router send only RIPv1. (Optional) Specify an authentication mode and authentication password or key. This step is permitted only if both receive version and send version are set to RIPv2.
4

(Optional) Enable RIP to advertise a default route.

host1(config-router)#default-information originate

8-8

CHAPTER 8 Configuring RIP

(Optional) Specify a default metric for advertised routes.

host1(config-router)#default-metric 5

(Optional) Set the administrative distance for advertised routes.

host1(config-router)#distance 150

(Optional) Control the dynamic distribution of routes caused by changes to an associated route map.
host1(config-router)#disable-dynamic-redistribute

(Optional) Adjust RIP timers.

host1(config-router)#timers update 20 host1(config-router)#timers invalid 60 host1(config-router)#timers holddown 60 host1(config-router)#timers flush 90

(Optional) Specify maximum number of ECMP paths.

host1(config-router)#maximum-paths 2

10 (Optional) Summarize routes.

Use a prefix tree to specify the number of bits to report for routes matching a route map:
host1(config)#ip prefix-tree boston permit 10.10.2.0/24 host1(config-router)#route-map 4 host1(config-route-map)#match-set summary prefix-tree boston

Alternatively, explicitly specify routes for RIP to summarize:

host1(config-router)#ip summary-address 4.4.0.0 255.255.0.0 5 host1(config-router)#ip summary-address 4.3.0.0 255.255.0.0 6

11 (Optional) Redistribute routes from other protocols into RIP, or from

RIP to other protocols.

host1(config-router)#redistribute rip 5 host1(config-router)#route-map 4 host1(config-router)#redistribute bgp 100 route-map 4

12 (Optional) Enable unicast communication with RIP neighbors.

host1(config-router)#neighbor 10.10.21.100 host1(config-router)#passive-interface atm atm 2/0.16

13 (Optional) Set the debounce time for interfaces brought down by

some event.
host1(config-router)#debounce-time 30

Configuration Tasks E-Series Routers

8-9

14 (Optional) Prevent RIP from purging the routing table for interfaces

brought down by some event.

host1(config-router)#interface-event-disable

15 (Optional) Prevent RIP from sending a more-specific route if a

less-specific route has a better metric.

host1(config-router)#send-more-specific-routes-disable

16 (Optional) Prevent RIP from sending triggered updates.

host1(config-router)#triggered-update-disable

17 (Optional) Apply a table map to modify route distance.

host1(config-router)#table-map dist1

Relationship Between address and network Commands

If you use the network command to configure a RIP network, use the ip rip commands to configure the RIP attributes for that network. Do not use the address commands. If you use the address command to configure a RIP network, use the address commands to configure the RIP attributes for that network. Do not use the ip rip commands.
Note: The network and ip rip commands are maintained for industry compatibility. You can configure all your RIP interfaces with the address commands. You cannot configure unnumbered interfaces with the network and ip rip commands.

address
Use to configure RIP to run on the interface specified by the IP address or on an unnumbered interface. Use the address commands to configure RIP attributes on the network. Configures RIP with the default values: Send version is RIPv1, receive version is RIPv1 and RIPv2, authentication is not enabled. Example
host1(config-router)#address 10.2.1.1

Use the no version to delete the RIP interface.

address authentication key

Use to specify either the simple password for text authentication or the encryption/decryption key for MD5 authentication. The key is a string of up to 16 alphanumeric characters and can be mixed uppercase and lowercase. You can specify whether the key is entered in unencrypted or encrypted format. If you do not specify which, the string is assumed to be unencrypted.

8-10

CHAPTER 8 Configuring RIP

Example
host1(config-router)#address 10.2.1.1 authentication key ke6G72mV

Use the no version to clear all authentication keys.

address authentication mode

Use to specify the authentication mode. Specify text to send a simple text password to neighbors. If a neighbor does not have the same password, requests and updates from this router are rejected. Specify md5 keyID to send an MD5 hash to neighbors. Neighbors must share the MD5 key to decrypt the message and encrypt the response. Example
host1(config-router)#address 10.2.1.1 authentication mode text

Use the no version to remove authentication from all RIP interfaces.

address receive version

Use to restrict the RIP version that the router can receive on an interface. The default is to receive both RIPv1 and RIPv2. Example
host1(config-router)#address 10.2.1.1 receive version 1

Use the no version to restore the default value, 1 2.

address send version

Use to restrict the RIP version that the router can send on an interface. The default is to send only RIPv1. Example
host1(config-router)#address 10.2.1.1 send version 2

Use the no version to restore the default value, 1.

clear ip rip redistribution

Use to clear all the routes that have previously been redistributed into RIP. Example
host1#clear ip rip redistribution

There is no no version.

debounce-time
Use to control the interval RIP waits before bringing back up an interface that was brought down by some event. The interval can range from 060 seconds.

Configuration Tasks E-Series Routers

8-11

Example
host1(config-router)#debounce-time 30

Use the no version to restore the default value, 10.

default-information originate
Use to enable RIP to advertise a default route (0.0.0.0/0) if the default route exists in the IP routing table. If the default route does not exist, you must configure it using the ip route command, or specify the always keyword. The always keyword causes RIP to always advertise the default route, and creates it if it is not present in the IP routing table. Example
host1(config-router)#default-information originate

Use the no version to disable advertisement of the default route.

default-metric
Use to configure RIP to apply this metric when advertising routes on all subsequently created interfaces. Configuring a default metric lowers the priority of the routes. Use a metric from 1 to 16. Example
host1(config-router)#default-metric 5

Use the no version to restore the default value, 0.

disable
Use to disable RIP processing. Example
host1(config-router)#disable

Use the no version to enable RIP processing.

disable-dynamic-redistribute
Use to halt the dynamic redistribution of routes that are initiated by changes to a route map. Dynamic redistribution is enabled by default. Example
host1(config-router)#disable-dynamic-redistribute

Use the no version to reenable dynamic redistribution.

8-12

CHAPTER 8 Configuring RIP

distance
Use to set the administrative distances for routes. The default is 120. Example
host1(config-router)#distance 150

Use the no version to restore the default value, 120.

distribute-list
Use to apply a specific access list to incoming or outgoing RIP route updates. An IP access list acts as a filter. Refer to the access list command in the E-Series Command Reference Guide A to M for more information. Example
host1(config-router)#distribute-list 5 incoming

Use the no version to stop application of the distribute list.

interface-event-disable
Use to configure RIP to purge the routing table for interfaces that were brought down by some event. Example
host1(config-router)#interface-event-disable

Use the no version to restore the default condition, wherein RIP does not automatically purge the routing table for down interfaces.

ip prefix-tree
Use to create a prefix tree to match routes to be summarized by a route map; specifies a tree entrya deny or permit clause for a network address. The prefix tree name can be up to 32 characters long. Example
host1(config)#ip prefix-tree boston42 permit 10.10.2.0/24

Use the no version to remove the specified prefix tree or the specified tree entry.

ip rip
Use to configure RIP on the network interface specified with the network command. Configures RIP with the default values: Send version is RIPv1, receive version is RIPv1 and RIPv2, authentication is not enabled. Example
host1(config-if)#ip rip

Use the no version to delete the RIP interface.

Configuration Tasks E-Series Routers

8-13

ip rip authentication key

Use to specify either the simple password for text authentication or the encryption/decryption key for MD5 authentication. The key is a string of up to 16 alphanumeric characters and can be mixed uppercase and lowercase. You can specify whether the key is entered in unencrypted or encrypted format. If you do not specify which, the string is assumed to be unencrypted. Example
host1(config-if)#ip rip authentication key ke6G72mV

Use the no version to clear all authentication keys.

ip rip authentication mode

Use to specify the authentication mode. Specify text to send a simple text password to neighbors. If a neighbor does not have the same password, requests and updates from this router are rejected. Specify md5 keyID to send an MD5 hash to neighbors. Neighbors must share the MD5 key to decrypt the message and encrypt the response. Example
host1(config-if)#ip rip authentication mode text

Use the no version to remove authentication from all RIP interfaces.

ip rip receive version

Use to restrict the RIP version that the router can receive on an interface. The default is both RIPv1 and RIPv2. Example
host1(config-if)#ip rip receive version 1

Use the no version to restore the default value, 1 2.

ip rip send version

Use to restrict the RIP version that the router can send on an interface. The default is RIPv1. Example
host1(config-if)#ip rip send version 2

Use the no version to restore the default value, 1.

ip split-horizon
Use to configure the split horizon feature and poison reverse features for the interface. Enabled by default, split horizon prevents the RIP router from advertising routes from the originating interface. Poison reverse routing updates are disabled by default; when enabled, they set the metric for routes originating on the interface to infinity, thus explicitly advertising that the network is not reachable. This helps to prevent routing loops.

8-14

CHAPTER 8 Configuring RIP

In most configurations, you will want to accept the default condition. Example
host1(config-if)#no ip split-horizon

Use the no version to disable split horizon and enable poison reverse routing updates.

ip summary-address
Use to specify an IP address and network mask to identify which routes to summarize. You can optionally specify a metric associated with the summary address. The default metric is 1. Example
host1(config-router)#ip summary-address 4.4.0.0 255.255.0.0 5 host1(config-router)#ip summary-address 4.3.0.0 255.255.0.0 6

Use the no version to stop summarization for the specified routes.

match-set summary prefix-tree

Use to specify a prefix tree that summarizes routes for a particular route map. Use the ip prefix-tree command to set the conditions of the prefix tree, including which routes to summarize and how many bits of the network address to preserve. Example
host1(config-route-map)#match-set summary prefix-tree boston

Use the no version to disable the use of the prefix tree by the route map.

maximum-paths
Use to control the maximum number of parallel routes that RIP can support. RIP installs multiple equal-cost paths to a given destination only if each has a different next hop. The maximum number of routes can range from 116. Example
host1(config-router)#maximum-paths 2

Use the no version to restore the default value, 4.

Configuration Tasks E-Series Routers

8-15

neighbor
Use to specify a RIP neighbor to which the router sends unicast messages. You must also use the passive-interface command to specify the interface as passive, thereby restricting the interface to unicast RIP messages. Example
host1(config-router)#neighbor 10.10.21.100

Use the no version to remove the neighbor.

network
Use to associate a network with a RIP routing process. Use the ip rip commands to configure RIP attributes on the network. You supply a network mask to the new address so that RIP runs on that specific network. If you do not specify an interfaces network, the network is not advertised in any RIP updates. You can specify either the standard subnet mask or the inverse subnet mask. Example 1
host1(config-router)#network 10.2.1.0 255.255.255.0

Example 2
host1(config-router)#network 10.2.1.0 0.0.0.255

Use the no version to disable RIP on the specified interface.

passive-interface
Use to disable the transmission of multicast RIP messages on the interface. RIP messages are unicast to a RIP neighbor on the interface if the interface is present in the IP routing table as the next-hop interface to the configured neighbor. Example
host1(config-router)#passive-interface atm atm 2/0.16

Use the no version to reenable the transmission of RIP multicast messages on the specified interface.

redistribute
Use to redistribute information from a routing domain other than RIP into the RIP domain. Example 1
host1(config)#router rip 5 host1(config-router)#redistribute bgp 100 route-map 4

8-16

CHAPTER 8 Configuring RIP

Specify the source protocol from which routes are being redistributed. It can be one of the following keywords: bgp, isis, ospf, static [ip], and connected. Use the static keyword to redistribute IP static routes; optionally add the ip keyword when redistributing into IS-IS. The keyword connected refers to routes that are established automatically by virtue of having enabled IP on an interface. For routing protocols such as OSPF and IS-IS, these routes will be redistributed as external to the AS. Use the route-map keyword to interrogate the route map to filter the importation of routes from the source routing protocol to the current routing protocol. If you do not specify the route-map option, all routes are redistributed. If you specify the route-map option, but no route map tags are listed, no routes will be imported. Use to redistribute routes from RIP into other non-RIP routing domains. Example 2
host1(config)#router bgp 100 host1(config-router)#redistribute rip 5

Use the no version to disable redistribution.

route-map
Use to specify a route map for RIP. Example
host1(config)#router rip host1(config-router)#route-map 4

Use the no version to delete the route map. If you do not specify an interface, it removes the global route map if it exists.

router rip
Use to enable RIP routing protocol and specify a RIP process for IP, or to access Router Configuration mode. Specify only one RIP process per router. Example
host1(config)#router rip

Use the no version to delete the RIP process and removes the configuration from your router.

send-more-specific-routes-disable
Use to configure RIP to send a less-specific route in preference to a more-specific route if the less-specific route has a metric. Example
host1(config-router)#send-more-specific-routes-disable

Use the no version to restore the default condition, wherein RIP always sends a more-specific route in preference to a less-specific route, even if the less-specific route has a metric.

Configuration Tasks E-Series Routers

8-17

table-map
Use to apply a policy to modify distance, metric, or tag values of RIP routes about to be added to the IP routing table. The new route map is applied to all routes currently in and those subsequently placed in the forwarding table. Previously redistributed routes are redistributed with the changes caused by the route map. To remove from the forwarding table any old routes that are now disallowed by the specified route map, you must refresh the IP routing table with the clear ip routes * command. Example
host1(config)#route-map dist1 permit 5 host1(config-route-map)#match community boston42 host1(config-route-map)#set distance 33 host1(config-route-map)#exit host1(config)#router rip 100 host1(config-router)#table-map dist1 host1(config-router)#exit host1(config)#exit host1#clear ip routes *

Use the no version to halt application of the route map.

timers
Use to configure RIP timers. The router supports the following RIP timers:

update interval in seconds at which routing updates are sent. The default is
30 seconds.

invalid interval in seconds after which a route is declared invalid (null). Set
this value to at least three times the update value. The default is 180 seconds.

holddown interval in seconds during which routing information about better

paths is suppressed. Set this value to at least three times the update value. The default is 120 seconds.

flush interval in seconds that must pass before a route is removed from the
routing table. Set this value greater than the invalid value. The default is 300 seconds. Examples
host1(config-router)#timers update 20 host1(config-router)#timers invalid 60 host1(config-router)#timers holddown 60 host1(config-router)#timers flush 90

Use the no version to restore the default values, 30 180 120 300.

8-18

CHAPTER 8 Configuring RIP

triggered-update-disable
Use to prevent RIP from sending triggered routing updates. Example
host1(config-router)#triggered-update-disable

Use the no version to restore the default condition, wherein RIP does sends triggered routing updates.

version
Use to specify the global RIP version. The default is RIPv1. To change the RIP version on a specific interface, use the ip rip receive version and the ip rip send version commands, or the address receive version and address send version commands. Example
host1(config-router)#version 2

Use the no version to revert to the default value, 1.

Using RIP Routes for Multicast RPF Checks

You can use the ip route-type command to specify whether RIP routes are available for only unicast forwarding protocols or only multicast reverse path forwarding (RPF) checks. Routes available for unicast forwarding appear in the unicast view of the routing table, whereas routes available for multicast RPF checks appear in the multicast view of the routing table.
ip route-type
Use to specify whether RIP routes are available only for unicast forwarding, only for multicast reverse path forwarding checks, or for both. Use the show ip route command to view the routes available for unicast forwarding. Use the show ip rpf-routes command to view the routes available for multicast reverse path forwarding checks. By default, RIP routes are available for both unicast forwarding and multicast reverse path forwarding checks. Example
host1(config)#router rip host1(config-router)#ip route-type unicast

Use the no version to restore the default value, both.

Remote Neighbors E-Series Routers

8-19

Remote Neighbors
You can create RIP remote neighbors to enable the router to establish neighbor adjacencies through unidirectional interfaces, such as MPLS tunnels, rather than the standard practice of using the same interface for receipt and transmission of RIP packets. The remote neighbor can be more than one hop away through intermediate routes that are not running RIP. RIP uses the interface associated with the best route to the remote neighbor to reach the neighbor. A best route to the neighbor must exist in the IP routing table. You must explicitly configure remote neighbors on the RIP routers to specify the remote neighbor with which the router will form an adjacency and the source IP address the router will use for RIP packets destined to its peer remote neighbor. To form an adjacency with its remote neighbor, the router sends all RIP packets to the remote neighbor as unicast packets with the destination IP address equal to the source IP address of the remote neighbor. The loopback interface associated with the source IP address for the remote neighbor acts as a logical RIP interface for the neighbor. To prevent routing loops, you can disable split horizon and enable poison reverse routing updates. The remote-neighbor command to specify the remote neighbors is mandatory. Configuration of all other remote-neighbor attributes is optional.
authentication key
Use to specify the password for text authentication and the key for MD5 authentication for RIP remote-neighbor interface. This command is supported only in RIPv2. Authentication is disabled by default. Example
host1(config-router-rn)#authentication key 0 jun27ior

Use the no version to clear the key for the remote-neighbor interface.

authentication mode
Use to specify the authentication mode for the remote neighbor interface. Specify text to send a simple text password to remote neighbors. If a remote neighbor does not have the same password, requests and updates from this router are rejected. Specify md5 keyID to send an MD5 hash to remote neighbors. Remote neighbors must share the MD5 key to decrypt the message and encrypt the response.

8-20

CHAPTER 8 Configuring RIP

This command is supported only in RIPv2. Authentication is disabled by default. Example

host1(config-router-rn)#authentication mode text

Use the no version to remove authentication from the RIP remote-neighbor interface.

distribute-list
Use to apply a specific access list to either incoming or outgoing RIP route updates on the RIP remote-neighbor interface. An IP access list acts as a filter. Refer to the access list command in the E-Series Command Reference Guide A to M for more information. Example
host1(config)#distribute-list 5 in

Use the no version to stop application of the distribute list.

exit-remote-neighbor
Use to exit from the Remote Neighbor Configuration mode and return to Router Configuration mode. Example
host1(config-router-rn)#exit-remote-neighbor

There is no no version.

receive version
Use to restrict the RIP version that the router can receive on a RIP remote-neighbor interface. The default is to receive both RIPv1 and RIPv2. The off keyword overrides any other specified option; for example, configuring both 1 and off or both 2 and off has the same result as configuring only off. Example
host1(config-router-rn)#receive version 1

Use the no version to restore the default value, 1 2.

remote-neighbor
Use to configure a RIP remote neighbor. Example
host1(config-router)#remote-neighbor 10.25.100.14

Use the no version to remove the remote neighbor and any attributes configured for the remote neighbor.

Remote Neighbors E-Series Routers

8-21

send version
Use to restrict the RIP version that the router can send on an interface. The default is to send only RIPv1. Example
host1(config-router-rn)#send version 1

Use the no version to restore the default value, 1.

split-horizon
Use to configure the split horizon and poison reverse features for RIP remote neighbors. Split horizon is enabled by default; poison reverse routing updates are disabled by default. Poison reverse routing updates set the metric for routes originating on the interface to infinity, thus explicitly advertising that the network is not reachable. This helps to prevent routing loops. Example
host1(config-router-rn)#no split-horizon

Use the no version to disable the split horizon and enable poison reverse routing updates.

time-to-live
Use to configure a hop count by setting the value of the time-to-live field used by packets sent to a RIP remote neighbor. Example
host1(config-router-rn)#time-to-live 12

Use the no version to restore the default value, 16.

update-source
Use to specify the RIP interface whose local address is used as the source address for the RIP connection to a remote neighbor. The source address assigned to a remote neighbor must be unique. If you configure a RIP router to form neighbor adjacencies with two RIP remote neighbors, then the RIP router must have two unique local source IP addresses, one for each of its remote neighbors. Example
host1(config-router-rn)#update-source atm 2/0.17

Use the no version to delete the source address from the connection to the remote neighbor.

8-22

CHAPTER 8 Configuring RIP

Monitoring RIP
Two sets of commands enable you to monitor RIP operation on your router: the debug and the show commands. Both sets of commands provide information about your routers RIP state and configuration. The task you are performing with each of these monitoring commands is basically the same for each command; that is, you are requesting information. The results of this request may vary. For instance, the debug commands provide information about problems with the network or the router, whereas the show commands provide information about the actual state and configuration of your router.
debug Commands

The debug commands provide information about the following RIP items: General events, such as creating a RIP process or removing RIP from an interface Routing events, such as when two RIP routers exchange routes
debug ip rip
Use to display information on selected RIP events. This command has many keywords that allow you to specify a variety of RIP events. You can set the level of severity for the events you want displayed; specify the desired descriptive term or a corresponding number (07). You can set the verbosity of the messages you want displayed: low, medium, high. Example
host1#debug ip rip events

Use the no version to cancel the display of any information on the designated variable.

undebug ip rip
Use to cancel the display of information on a selected event. The same RIP variables can be designated as in the debug ip rip command. Example
host1#undebug ip rip events

There is no no version.

Monitoring RIP E-Series Routers

8-23

show Commands

Use the show commands to monitor the following types of RIP information: Configuration IP-related information Global counters Counters for a specified network Statistics You can set a statistics baseline for RIP interfaces by using the baseline ip rip command. You can specify a VRF instance for the show ip rip commands. You can use the output filtering feature of the show command to include or exclude lines of output based on a text string you specify. See E-Series System Basics Configuration Guide, Chapter 2, Command Line Interface, for details.
baseline ip rip
Sets a statistics baseline for RIP interfaces. The router implements the baseline by reading and storing the statistics at the time the baseline is set and then subtracting this baseline whenever baseline-relative statistics are retrieved. Use the optional delta keyword with the show ip rip statistics command to specify that baselined statistics are to be shown. Example
host1#baseline ip rip

There is no no version.

show ip rip
Use to display RIP information. Specify vrf vrfName to limit the display to a specific VRF. Use the ifconfig keyword to display address and interface configuration information instead of the default operational data. Field descriptions

Router Administrative State displays the RIP state. Enable means the
router is allowed to send and receive updates. Disable means that RIP might be configured but it is not allowed to run yet.

System version RIP1 RIP versions allowed for sending and receiving RIP
updates. The router version is currently set to RIP1, which sends RIPv1 but will receive RIPv1 or RIPv2. If it is set to RIP2, it will send and receive RIPv2 only. The default is configured for RIP1.

8-24

CHAPTER 8 Configuring RIP

Incoming filters access list applied to incoming route updates Outgoing filters access list applied to outgoing route updates Global route map route map that specifies all RIP interfaces on the router Default metric value for redistributed routes. The default is 1. This global value is superseded by metrics applied to a RIP interface. default is 120.

Distance value added to RIP routes added to the IP routing table. The Number of route changes number of times the router has been told to
route changes by its peers

Number of route queries number of times the router has received route
requests from other routers

Update interval current setting of the update timer (in seconds) Invalid interval current setting of the invalid timer (in seconds) Hold down time current setting of the hold-down timer (in seconds) Flush interval current setting of the flush timer (in seconds) Network IP address of a network on which RIP is running Netmask network mask applied to the network address Address/status/interface values listed for each network that is running RIP Send version version of RIP used for sending updates Receive version version of RIP accepted in received updates Authentication mode password or MD5 authentication, or none Default metric metric value applied to the RIP interface. The default is 1. Outgoing access-list name of the access list applied to outgoing routes Incoming access-list name of the access list applied to incoming routes Outgoing route-map name of the route map applied to outgoing routes Received bad packets number of bad packets received Received bad routes number of bad routes received Triggered updates sent number of triggered updates sent; triggered updates are sent before the entire RIP routing table is sent; triggered by events such as adding a new RIP route or redistribution

Received updates number of updates received

Example
host1#show ip rip Routing Information Protocol Router Administrative State = enable System version RIP1: send = 1, receive = 1 or 2 No filter is applied to outgoing route update for all interfaces No filter is applied to incoming route update for all interfaces No global route map Default metric = 1 Distance = 120 Number of route changes = 0

Monitoring RIP E-Series Routers

8-25

Number of route queries = 0 Update interval = 30 (secs) Invalid interval = 180 (secs) Hold down time = 120 (secs) Flush interval = 300 (secs) Network 10.2.1.0 netmask 255.255.255.0

10.2.1.32, Rip is up, fastEthernet0/0 Send version = 1 Receive version = 1,2 Authentication mode = none Default metric = 1 Access-list applied to outgoing route = none Access-list applied to incoming route = none Route-map applied to outgoing route = none Received bad packet = 0 Received bad routes = 0 Triggered updates sent = 0 Received updates = 0 170.100.100.2, Rip is up, fastEthernet0/0 Send version = 1 Receive version = 1,2 Authentication mode = none Default metric = 1 Access-list applied to outgoing route = none Access-list applied to incoming route = none Route-map applied to outgoing route = none Received bad packet = 0 Received bad routes = 0 Triggered updates sent = 0 Received updates = 0

show ip rip brief

Use to display limited RIP information. Specify vrf vrfName to limit the display to a specific VRF. Field descriptions

IP Address IP address of the interface where RIP is running Tx transmit version of RIP on this interface, which can override the router
configuration

Rx receive version of RIP on this interface Auth type of authentication, password (text) or MD5 Met current value is the same as the router one (the default metric). Based
on MIB 2 for RIP, the interfaces route metric can be set individually.

AccList O/I access list applied to outgoing/incoming RIP route updates RtMap identifier for the route map that specifies a summary of RIP routes

8-26

CHAPTER 8 Configuring RIP

Status status of RIP, either up or down Intf interface type on which RIP is running

IP Address Tx 10.2.1.32 10.10.1.2 1 1

Example
Rx Auth Met AccList O/I 1 1 no/no no/no no no RtMap Status Intf up up fastEthernet0/0 serial5:1/1:1

host1#show ip rip brief 1,2 none 1,2 none

show ip rip database

Use to display the route entries in the RIP routing table. Specify vrf vrfName to limit the display to a specific VRF. Specify the active keyword to limit the display to active routes learned via RIP updates. Specify the inactive keyword to limit the display to routes that the router will discard in the immediate future. Field descriptions

Prefix IP address prefix Length prefix length ttl (time to live) indicates how many seconds the specific route remains in
the routing table. If an entry reaches 0, it is removed from the routing table.

Met metric that RIP uses to rate the value of different routes (hop count).
The hop count is the number of routers that can be traversed in a route.

Next Hop next IP address where a packet is sent. A value of zero in this
field indicates that the next address the packet should be sent to is the router that originally sent the RIP message.

Intf interface that the route has learned

Example
host1#show ip rip database Prefix/Length: ttl 3.0.0.0/8 9.20.0.0/17 10.2.1.0/24 0 0 0 Met: 1 2 2 Next Hop 72.30.100.2 172.30.100.1 172.30.100.1 Intf: tm2/1.100 tm2/1.100 tm2/1.100

Monitoring RIP E-Series Routers

8-27

show ip rip network

Use to display the networks associated with the RIP routing process. Specify vrf vrfName to limit the display to a specific VRF. Field descriptions

network IP address of a network on which RIP is running netmask network mask applied to the network address
Example
host1#show ip rip network Network 10.2.1.0 172.30.100.0 172.30.200.0 netmask 255.255.255.0 255.255.255.0 255.255.255.0

show ip rip peer

Use to display limited information about each RIP neighbor. Specify vrf vrfName to limit the display to a specific VRF. Field descriptions

Time since last update received time in seconds since an update was
received from this peer

Peer version version of IS-IS running on the peer Bad packets received number of bad packets received from the peer Bad routes received number of bad routes received from the peer
Example
host1#show ip rip peer 192.168.1.102 Time since last update received = 24 Peer version = 1 Bad packet received = 0 Bad routes received = 0 192.168.1.151 Time since last update received = 24 Peer version = 1 Bad packet received = 0 Bad routes received = 0 192.168.1.158 Time since last update received = 15 Peer version = 1 Bad packet received = 0 Bad routes received = 0 192.168.1.250 Time since last update received = 7 Peer version = 2 Bad packet received = 0 Bad routes received = 0

8-28

CHAPTER 8 Configuring RIP

show ip rip statistics

Use to display global and session statistics counters for RIP. If you specify an IP address, statistics for that interface are displayed in addition to the global RIP statistics. Specify vrf vrfName to limit the display to a specific VRF. Use the optional delta keyword to specify that baselined statistics are to be shown. You must use the baseline ip rip command to set a baseline. Field descriptions

Number of route changes number of times the router has been told to
route changes by its peers

Number of route queries number of times the router has received route
requests from other routers

Received bad packets number of bad packets received from the peer Received bad routes number of bad routes received from the peer Triggered updates sent number of triggered updates sent; triggered
updates are sent before the entire RIP routing table is sent; triggered by events such as adding a new RIP route or redistribution

Received updates number of updates received

Example
host1#show ip rip statistics Number of route changes = 23 Number of route queries = 0

Example
host1#show ip rip statistics 10.2.1.32 Number of route changes = 901 Number of route queries = 0 fastEthernet 0/0, 10.2.1.32 Received bad packet = 0 Received bad routes = 0 Triggered updates sent = 2 Received updates = 41

show ip rip summary-address

Use to display the specified summary address or all summary addresses for RIP. Field descriptions

Summary Address address summarizing RIP routes Mask network mask specified in the ip summary-address command to
identify which routes to summarize

Metric metric advertised with the summary RIP prefix

Monitoring RIP E-Series Routers

8-29

Example
host1#show ip rip summary-address Summary Address Mask 4.3.0.0 4.4.0.0 255.255.0.0 255.255.0.0 Metric 3 5

8-30

CHAPTER 8 Configuring RIP

Configuring OSPF

9
Page 9-2 9-4 9-5 9-8 9-9 9-12 9-13 9-19 9-22 9-27 9-34 9-35 9-37 9-37 9-37 9-40 9-41 9-42

This chapter provides information for configuring the Open Shortest Path First (OSPF) routing protocol on your E-series router.
Topic Overview References Features Configuration Tasks Enabling OSPF Aggregating OSPF Networks Configuring OSPF Interfaces Configuring OSPF Areas Configuring Authentication Configuring Additional Parameters Configuring OSPF for NBMA Networks Traffic Engineering Using OSPF Routes for Multicast RPF Checks OSPF and BGP/MPLS VPNs Remote Neighbors Disabling and Reenabling Incremental SPF Configuring OSPF Traps Monitoring OSPF

9-2

CHAPTER 9 Configuring OSPF

Overview
OSPF is an interior gateway protocol (IGP) that runs within a single autonomous system (AS). Exterior gateway protocols (EGP), such as Border Gateway Protocol (BGP), exchange routing information between ASs. OSPF is a link-state routing protocol, similar to the Intermediate System-to-Intermediate System (IS-IS) routing protocol. It advertises the states of its local network links. This distinguishes OSPF from some IGPs, such as Routing Information Protocol (RIP). A distance vector protocol, such as RIP, advertises the distances (that is, the number of hops) to each known destination within the network. Each participating OSPF router within the AS has an identical database describing the ASs topology. Each individual piece of this database is a particular routers local state. From this database, OSPF calculates a routing table by constructing a shortest-path tree. OSPF learns the best routes to reachable destinations. It can quickly perceive changes in the topology of an AS and, after a short convergence period, calculate new loop-free routes. This protocol has been designed expressly for the TCP/IP Internet environment, including explicit support for classless interdomain routing (CIDR) and the tagging of externally derived routing information. This chapter provides direction for customizing basic OSPF settings if you need to do so. For detailed information on the OSPF commands, see the E-Series Command Reference Guide N to Z.
Terms

Table 9-1 defines commonly used OSPF terms.

Table 9-1 OSPF-related terms Term adjacency Meaning The relationship between selected neighboring routers for exchanging routing information. Not every pair of neighboring routers is adjacent. An OSPF area is a collection of network segments interconnected by routers. It is a region in an OSPF routing domain.

area

area border router (ABR) A router that sits on the edge of an OSPF area and routes link state advertisements (LSAs) between areas. area ID A unique number that identifies an area. Typically, an IP address.

Overview E-Series Routers

9-3

Table 9-1 OSPF-related terms (continued) Term authentication authentication type Meaning Contains verification information and is 64 bits long. A simple password is an example. All OSPF protocol exchanges are authenticated. The authentication type is configurable on a per-area basis.

autonomous system (AS) A group of routers using a common routing protocol to exchange routing information. autonomous system boundary router (ASBR) classless interdomain routing (CIDR) An OSPF router that redistributes routes from other autonomous systems. CIDR replaces the traditional class structure of IP addresses. In CIDR, an IP network is represented by a prefix and a notation that indicate the IP address and maskfor example, 10.12.8.3/16 Generates an LSA for the network. Performs other special responsibilities in running the protocol. A collection of routers that use a common IGP constitutes an OSPF routing domain. The distribution and synchronization of the link-state database between OSPF routers. Establishes and maintains neighbor relationships. Also, dynamically discovers neighboring routers on broadcast networks. A routing protocol that routers within an AS use to exchange information. A unit of data that describes the local state of a router or network. LSAs are flooded throughout the routing domain. Routers that have interfaces to a common network. A network that has no broadcast capability but supports more than two routers. Similar to a stub area but can also import selected external LSAs. A 32-bit number that uniquely identifies a router within an ASfor example, 10.10.1.5 An area that does not get flooded with external LSAs but does carry intra-area and interarea routes and a default route. A logical link between two backbone routers where the link tunnels through a nonbackbone area.

designated router domain flooding hello protocol

interior gateway protocol (IGP) link state advertisement (LSA) neighboring routers nonbroadcast network Not-so-stubby area (NSSA) router ID stub area

virtual link

9-4

CHAPTER 9 Configuring OSPF

Figure 9-1 illustrates the topology of an OSPF routing domain.

10.10.1.0/24 Area 0.0.0.1 Gary Beloit 10.10.4.0/24

10.10.2.0/24 Internet Muncie Oshkosh

10.10.3.0/24

Area 0.0.0.2 10.10.5.0/24 Houston

Dallas

Area 0.0.0.0 Backbone

Atlanta

Area 0.0.0.3

ABR 3

ABR 4

Macon

10.10.7.0/24

10.10.6.0/24

Austin

Rome

10.10.8.0/24

Figure 9-1 OSPF topology

References
If you need more information about the OSPF protocol, consult the following resources: E-Series Release Notes, Appendix A, System Maximums See the Release Notes corresponding to your software release for information on maximum values. RFC 2328 OSPF Version 2 (April 1998) RFC 2370 The OSPF Opaque LSA Option (July 1998) Traffic Engineering Extensions to OSPF Version 2 draft-katz-yeung-ospf-traffic-09.txt (April 2003 expiration)

g013123

ABR 1

Chicago

Milwaukee

ABR 2

Features E-Series Routers

9-5

Note: IETF drafts are valid for only 6 months from the date of issuance. They must be considered as works in progress. Please refer to the IETF Web site at http://www.ietf.org for the latest drafts.

Features
The following sections provide a brief description of key OSPF features supported in our implementation of OSPF.
Intra-area, Interarea, and External Routes

You can split up an OSPF AS into areas. Doing this reduces the size of the link-state database (LSDB). Each OSPF area runs as a separate network and maintains its own LSDB. OSPF computes routes only to destinations within the area and does not flood routes beyond the area boundaries.
Routing Priority

OSPF areas receive routes based on priority. Table 9-2 lists the routing priority.
Table 9-2 Routing priority Priority 1 (highest) 2 3 Type Intra-area Interarea External Description Intra-area routing. Refers to routing within a single OSPF area. Interarea routing. Refers to routing between OSPF areas within a single OSPF routing domain. External type 1. Refers to routing from other protocols that can be imported into the OSPF domain and readvertised by OSPF as type 1 external. Type 1 metric is comparable to the link-state metric; the cost is equal to the sum of the internal costs plus the external cost. 4 (lowest) External External type 2. Refers to routing from other protocols that can be imported into the OSPF domain and readvertised by OSPF as type 2 external. Type 2 metric is much larger than the cost of any intra-AS path; the cost is equal to the external cost. This is the OSPF default.

If you use the redistribute command to import routes from other protocols or sources, the routes default to external type 2. You can specify a route map with the redistribute command to modify the type.

9-6

CHAPTER 9 Configuring OSPF

Alternatively, you can use the metric-type keyword with the redistribute command to specify the type.
Virtual Links

Each OSPF area must be directly connected to the backbone area. The backbone is responsible for distributing routing information between nonbackbone areas. All routers in the backbone must be contiguous, but they need not be physically adjacent. You can configure backbone routers to be logically adjacent by creating OSPF virtual links.
Authentication

OSPF supports three modes of authentication: Null authentication Implies no authentication is in use Simple password authentication Requires a 64-bit unencrypted password in each OSPF packet Cryptographic authentication Uses a shared secret key that is configured on each router on a network. RFC 2328 defines the use of OSPF cryptographic authentication with the MD5 algorithm.
Opaque LSAs

OSPF opaque LSAs provide a generalized way of extending OSPF. The router generates opaque LSAs to carry traffic engineering (TE) information, accepts them from other routers, and floods them accordingly. OSPF uses the TE information to build a database from which paths can be computed for MPLS label-switched paths.
Route Leakage

Routes can be leaked into OSPF or from OSPF as follows: Route leakage into OSPF When another routing protocol adds a new route to the routing table, or when a static route is added to the routing table, OSPF can be informed through the redistribute commands. When OSPF learns the new route, it floods the information into the routing domain using external LSAs. Route leakage from OSPF OSPF adds routing information to the routing table, which is used in forwarding IP packets.

Features E-Series Routers

9-7

Equal-Cost Multipath

OSPF inherently supports the notion of equal-cost multipath (ECMP). When building the shortest-path tree, OSPF calculates all paths of equal cost to a given destination. If equal-cost paths exist, OSPF inserts into the routing table the next hops for all equal-cost paths to a destination.
OSPF MIB

See the JUNOSe Software CD, shipped with your router, for complete information on the OSPF Management Information Base (MIB) supported by your router. In the MIBs folder you will find information on all supported standard and Juniper Networks E-series enterprise (proprietary) MIBs. OSPF does not act as a host within the router and therefore does not support the ospfIfMetric and ospfHost tables.
Interacting with Other Routing Protocols

OSPF interacts seamlessly with other routing protocols.

With IS-IS

OSPF was developed originally from an early version of the IS-IS intradomain routing protocol. OSPF can receive IS-IS routing information. See Chapter 10, Configuring IS-IS.
With RIP

E-series routers can simultaneously run OSPF and RIP. When doing so, OSPF routes are preferred over RIP. In general, use of the OSPF protocol is preferred because of its robustness, responsiveness, and decreased bandwidth requirements. See Chapter 8, Configuring RIP.
With BGP

The default expectation is that your routing environment is an AS running OSPF and exchanging BGP routes with other ASs. See E-Series Routing Protocols Configuration Guide, Vol. 2, Chapter 1, Configuring BGP Routing.

9-8

CHAPTER 9 Configuring OSPF

Configuration Tasks
Configuring OSPF calls for careful coordination among a variety of routers: Routers internal to a single area Routers that link multiple areas within a single routing domain; these routers are called area border routers (ABRs). Routers that link multiple routing domains; these routers are called autonomous system boundary routers (ASBRs). To configure OSPF:
1 2 3 4

Enable OSPF. Configure and aggregate network ranges. Create the routers OSPF network interfaces. Define the OSPF areas attached to the router.

Configuring OSPF Interfaces

You can create OSPF interfaces in the following ways: You can issue the network area command, which creates OSPF interfaces for all IP interfaces with IP addresses within the specified range. You can issue the address area command, which creates an OSPF interface in the specified area that sits on top of the IP interface at the given IP address (or on the unnumbered interface, if that is specified).
Note: Do not enable OSPF on any unidirectional interfaces (such as an MPLS tunnel) because it will never be able to form an adjacency.

You can delete OSPF interfaces in the following ways: You can issue the no network area command, which deletes all OSPF interfaces within the specified range. If the OSPF interface was created with the address area command, you can issue the no address area command to delete the specified interface. You can issue the no ip address command to delete the IP interface associated with the OSPF interface and also the OSPF interface itself.
Note: If an OSPF interface is configured on top of an IP interface and you delete the IP interface, the corresponding OSPF interface is also deleted. The previously

Enabling OSPF E-Series Routers

9-9

configured network range, however, is not deleted. You must issue the no network area command to delete the range.

Enabling OSPF
When you enable OSPF on your router, you can create either a range of OSPF interfaces or a single OSPF interface.
Creating a Range of OSPF Interfaces

To create a range of OSPF interfaces:

1 2 3

Create an OSPF routing process. Create the range of IP addresses associated with the routing process and the corresponding OSPF interfaces. Assign an area ID associated with each range of IP addresses.

Each router running OSPF has a database describing a map of the routing domain. This map needs to be identical in all participating routers.
network area
Use to configure a range of OSPF interfaces and their related area. If the specified range matches one or more of the IP addresses configured for IP interfaces, one or more corresponding OSPF interfaces are created and placed in the specified area. Create address ranges that do not overlap; you can attach only the same range of interfaces to a single area. You cannot use this command for unnumbered interfaces. If the range specified by this command includes an address on an interface that is being referred to by unnumbered interfaces, all of the unnumbered interfaces will begin trying to form adjacencies. If this behavior is not intended, you must reevaluate the interface assignment or the range specified by the command. Example 1 shows the creation of one OSPF interface in the backbone area:
host1(config-if)#ip address 2.2.2.1 255.255.0.0 host1(config-if)#ip address 2.2.1.1 255.255.0.0 secondary host1(config)#router ospf 2 host1(config-router)#network 2.2.2.0 0.0.0.255 area 0

9-10

CHAPTER 9 Configuring OSPF

Example 2 shows the creation of two OSPF interfaces, one in the backbone area and one in a non-backbone area:
host1(config-if)#ip address 2.2.2.1 255.255.255.0 host1(config-if)#ip address 2.2.1.1 255.255.255.0 secondary host1(config)#router ospf 2 host1(config-router)#network 2.2.2.0 0.0.0.255 area 0 host1(config-router)#network 2.2.1.0 0.0.0.255 area 1

This sequence of commands creates two OSPF ranges (2.2.2.0/24 and 2.2.1.0/24), with each range belonging to a different area. Area 0 is configured for 2.2.2.0/24, and area 1 is configured for 2.2.1.0/24. This sequence also creates two OSPF interfaces: one in the backbone area (area 0) using IP address 2.2.2.1, the second in a nonbackbone area (area 1) using IP address 2.2.1.1. This command also creates the two areas if they do not already exist. Use the no version to delete OSPF interfaces, ranges, and areas.
Note: The configured network range is not active for summarization until you activate this range for summaries by issuing the area range command. The only range that is active by default if you do not issue the area range command is the network that matches the IP interfaces network exactly. (In other words, by default the exact network of the IP interface is going to be summarized into other areas.) Note: Active for summarization means that the network range is summarized through area summariesfor ABRs only. See the Aggregating OSPF Networks section in this chapter.

ospf enable
Use to enable OSPF on the router. OSPF is enabled by default. Example
host1(config-router)#ospf enable

The no version of this command is obsolete and may be removed in the future. Use the ospf shutdown command to disable OSPF on the router.

router ospf
Use to set an OSPF process ID. The process ID can be any positive integer 165535. You must assign a unique ID for each OSPF routing process. From a virtual router context you can specify a VRF name. Doing so changes the context to that of the specified VRF and remains so until you exit from the OSPF router context. Example
host1(config)#router ospf 5

Use the no version to end the designated OSPF routing process.

Enabling OSPF E-Series Routers

9-11

Creating a Single OSPF Interface

To create a single OSPF interface:

1 2

Create an OSPF routing process. Create the OSPF interface associated with the IP interface at the specified address.

Each router running OSPF has a database describing a map of the routing domain. This map needs to be identical in all participating routers.
address area
Use to create an interface in an area on which OSPF runs, on top of the IP interface at the specified IP address. You can specify either an IP address or an unnumbered interface. Configures OSPF with the default values. You can configure the interface with a nondefault value by using the other address commands. You must first issue the address area command before issuing any other address commands. See Configuring OSPF Interfaces in this chapter for more information. Example
host1(config-router)#address 10.10.32.100 area 0.0.0.0

Use the no version to delete the OSPF interface.

ospf enable
Use to enable OSPF on the router. OSPF is enabled by default. Example
host1(config-router)#ospf enable

The no version of this command is obsolete and may be removed in the future. Use the ospf shutdown command to disable OSPF on the router.

router ospf
Use to set an OSPF process ID. The process ID can be any positive integer 165535. You must assign a unique ID for each OSPF routing process. Example
host1(config)#router ospf 5

Use the no version to end the designated OSPF routing process.

9-12

CHAPTER 9 Configuring OSPF

Aggregating OSPF Networks

You can aggregate OSPF networks at the border of an OSPF area by using the area range command. You can also aggregate OSPF networks when entering the border of the OSPF domain by using the summary-address command.
area range
Use to aggregate OSPF routes at an OSPF area border. Use only for ABRs. You can configure multiple instances of the area range command for a single OSPF area. The following example shows the steps you must take to create an area range. 1 Configure the interfaces IP address(es) using the ip address command. 2 Enable OSPF using the router ospf command. 3 Configure the network area with the network area command. 4 Configure the area range with the area range command. Example
host1(config-if)#ip address 2.2.10.1 255.255.255.0 host1(config-if)#ip address 2.2.11.1 255.255.255.0 secondary host1(config)#router ospf 2 host1(config-router)#network 2.2.0.0 0.0.255.255 area 0

At this point, the OSPF process is configured with two OSPF interfaces. If your router is an ABR, two networks must be summarized: 2.2.10.0/24 and 2.2.11.0/24.
host1(config-router)#area 0 range 2.2.0.0 255.255.0.0

After you enter this area range command, only the aggregated range 2.2.0.0/16 is going to be summarized. By default, the range of configured networks is advertised in type 3 (summary) LSAs. Use the do-not-advertise keyword to prevent advertisement of configured networks. Use the command no area area-id (with no other keywords) to remove the specified area from the configuration. Use the summary-address command to summarize external routes being redistributed into OSPF. Use the no version to disable the aggregation of routes at the OSPF area border.

summary-address
Use to aggregate external routes at the border of the OSPF routing domain. Use only for ASBRs.

Configuring OSPF Interfaces E-Series Routers

9-13

The ASBR advertises one external route as an aggregate for all redistributed routes that are covered by the address. For OSPF, this command summarizes only routes from other routing protocols that are being redistributed into OSPF. With this command, you can reduce the load of advertising many OSPF external routes by specifying a range that includes some (or all) of these external routes. Example
host1(config-router)#summary-address 10.1.0.0 255.255.0.0

Use the area range command for route summarization between OSPF areas. Use the no version to restore the default.

Configuring OSPF Interfaces

You can configure OSPF attributes for either a single OSPF network using the address commands, or for all OSPF networks on a particular media interface using the ip ospf commands. OSPF MTU size is negotiated rather than configured. OSPF database description exchange uses the interface MTU to signal the largest OSPF MTU that can be sent over an OSPF interface without fragmentation. Perform the following tasks to configure OSPF attributes for the OSPF network(s): Set the cost. Set the dead interval. Set the hello interval. Set router priority. Set the retransmit interval. Set the transmit delay.
Note: Before using the address or ip ospf commands, see Precedence of Commands on p 9-18 for information on the relationship between these commands.

address Commands

You can use the address area command to create a new OSPF interface. Use the other address commands to configure parameters for OSPF interfaces that already exist.
Note: You must first issue the address area command before issuing any other address command.

9-14

CHAPTER 9 Configuring OSPF

Note: The address commands configure OSPF attributes for a single OSPF network. The ip ospf commands configure OSPF attributes for all OSPF networks in the given interface contextfor example, in a multinet environment where multiple IP networks sit on top of an Ethernet interface.

address area
Use to create a new OSPF interface and configure the area ID. The interface can have an IP address, or it can be unnumbered. Example
host1(config-router)#address 10.12.10.2 area 3

You must first issue the address area command before issuing any other address commands. Use the no version to delete the area ID from the specified interface.

address cost
Use to specify the cost metric for the interface. The cost is used in calculating the SPF routing table and can range from 065535. The interface can have an IP address, or it can be unnumbered. Example
host1(config-router)#address unnumbered area 3 host1(config-router)#address unnumbered atm 4/0.1 cost 50

Use the no version to reset the path cost to the default value, 10.

address dead-interval
Use to specify the time period that the routers neighbors should wait without seeing hello packets from the router before they declare the router to be down. The dead interval can range from 165535 seconds, and is advertised by the routers hello packets. For the OSPF routers to become adjacent, the dead interval must be identical on each router. The interface can have an IP address, or it can be unnumbered. Example
host1(config-router)#address 192.168.10.32 area 6 host1(config-router)#address 192.168.10.32 dead-interval 60

Use the no version to reset the dead interval to the default value, 40.

address hello-interval
Use to specify the interval between hello packets that the router sends on the interface. The hello interval can range from 165535 seconds. The interface can have an IP address, or it can be unnumbered.

Configuring OSPF Interfaces E-Series Routers

9-15

Example
host1(config-router)#address 192.168.1.1 area 5 host1(config-router)#address 192.168.1.1 hello-interval 25

Use the no version to reset the hello interval to the default value, 10.

address passive-interface
Use to disable the transmission of routing updates on the interface, meaning that OSPF routing information is neither sent by nor received through the interface. The interface can have an IP address, or it can be unnumbered. Example
host1(config-router)#address 192.168.100.20 area 5 host1(config-router)#address 192.168.100.20 passive-interface

Use the no version to reenable the transmission of routing updates.

address priority
Use to specify the router priority, an 8-bit number from 1 to 255. Used in determining the designated router for the particular network. Applies only to nonbroadcast multiaccess (NBMA) networks. Every broadcast and NBMA network has a designated router. The interface can have an IP address, or it can be unnumbered. Example
host1(config-router)#address unnumbered area 6 host1(config-router)#address unnumbered loopback 0 priority

Use the no version to restore the default value, 1.

address retransmit-interval
Use to specify the time between LSA retransmissions for the interface when an acknowledgment for the LSA is not received. Specify an interval in the range 165535 seconds; the default value is 5. The interface can have an IP address, or it can be unnumbered. Example
host1(config-router)#address 192.168.10.200 area 6 host1(config-router)#address 192.168.10.200 retransmit-interval

Use the no version to restore the default value, 5.

address transmit-delay
Use to specify the estimated time it takes to transmit a link-state update packet on the interface. Specify an interval in the range 165535 seconds; the default value is 1.

9-16

CHAPTER 9 Configuring OSPF

The interface can have an IP address, or it can be unnumbered. Example

host1(config-router)#address 10.100.25.38 area 7 host1(config-router)#address 10.100.25.38 transmit-delay

Use the no version to restore the default value, 1.

ip ospf Commands

The ip ospf commands have two effects on interface configuration. These effects apply to all ip ospf commands: Configuration per logical IP interface (for example, Fast Ethernet 0/1.3 or ATM 5/0.1): The ip ospf command configures the specified OSPF parameter(s) for all networks configured on the given IP interfacefor example, all multinetted addresses on an interface. The no version of the command resets the specified parameter(s) to unspecified. If the no version of the command takes effect, then for the specified IP interface there is no default value for the specified parameter(s). The parameter is set back to unspecified values. However, the value of the specified parameter for the OSPF interface is set back to the default value or the value previously specified by the address command. Configuration per OSPF interface: The ip ospf command configures the specified OSPF parameter(s) for each OSPF interface which sits on top of the IP interface. The no version of the command restores the specified parameter(s) to the default value(s).
Note: If you use ip ospf commands to configure OSPF interfaces, you must first have created the interfaces with the network area command. Note: The ip ospf commands configure OSPF attributes for all OSPF networks in the given interface contextfor example, in a multinet environment where multiple IP networks sit on top of an Ethernet interface. The address commands configure OSPF attributes for a single OSPF interface.

ip ospf cost
Use to configure the cost of sending a packet on the network. Cost is a metric value in the range 065535; the default value is 1. The router LSA advertises the link-state metric as the link cost.

Configuring OSPF Interfaces E-Series Routers

9-17

Example
host1(config)#interface fastethernet 0/0 host1(config-if)#ip ospf cost 50

Use the no version to reset the path cost to the default value, 1.

ip ospf dead-interval
Use to configure the interval since the last hello packet was seen. Specify an interval in the range 165535 seconds; the default value is 40. For the OSPF routers to become adjacent, the dead interval must be identical on each router. The routers hello packets advertise this interval. Example
host1(config-if)#ip ospf dead-interval 60

Use the no version to restore the default value, 40.

ip ospf hello-interval
Use to configure the interval between hello packets. Specify an interval in the range 165535 seconds; the default value is 10. For the OSPF routers to become adjacent, the hello interval has to be identical on each router. Example
host1(config-if)#ip ospf hello-interval 8

Use the no version to restore the default value, 10.

ip ospf priority
Use to configure the routers priority. Select a priority level in the range 0255; the default value is 1. This setting determines the designated router for the particular network. A router whose priority is set to 0 cannot be a designated router. Configure priority only for interfaces to multiaccess networks. Example
host1(config-if)#ip ospf priority 2

Use the no version to restore the default value, 1.

ip ospf retransmit-interval
Use to configure the time interval between retransmission of an LSA. Specify an interval in the range 165535 seconds; the default value is 5. Example
host1(config-if)#ip ospf retransmit-interval 10

Use the no version to return to the default value, 5.

9-18

CHAPTER 9 Configuring OSPF

ip ospf transmit-delay
Use to configure the time it takes to transmit a link-state update on the interface. This is the time between transmissions of LSAs. Specify an interval in the range 165535 seconds; the default value is 1. In setting the time, consider the interfaces transmission and propagation delays. Example
host1(config-if)#ip ospf transmit-delay 4

Use the no version to return to the default value, 1.

Comparison Example

Suppose you configure a range of OSPF interfaces with the network area command as follows:
host1(config)#interface fastEthernet 0/0 host1(config-if)#ip address 1.1.1.1 255.255.255.0 host1(config-if)#ip address 2.2.2.2 255.255.255.0 secondary host1(config-if)#exit host1(config)#router ospf 1 host1(config-router)#network 1.1.1.0 0.0.0.255 area 0 host1(config-router)#network 2.2.2.0 0.0.0.255 area 0

If you want to specify the cost, you can do so for both interfaces simultaneously:
host1(config)#interface fastEthernet 0/0 host1(config-if)#ip ospf cost 30

You can use address commands to create a third OSPF interface over the Ethernet interface. When you specify a cost, it is set for only that interface:
host1(config)#interface fastEthernet 0/0 host1(config-if)#ip address 3.3.3.3 255.255.255.0 secondary host1(config-if)#exit host1(config)#router ospf 1 host1(config-router)#address 3.3.3.3 area 0 host1(config-router)#address 3.3.3.3 cost 25

Precedence of Commands

For a single OSPF interface, when you modify the same OSPF attribute by issuing both the ip ospf command and the address command, the value configured with the address command takes precedence. In other words, the most specific command for a single OSPF interface takes precedence.

Configuring OSPF Areas E-Series Routers

9-19

Consider the following example. Suppose you have a numbered IP interface with an IP address of 10.10.1.1/24 sitting on top of Fast Ethernet interface 0/0. Configure a single OSPF interface on top of the IP interface.
host1(config)#router ospf 100 host1(router-config)#address 10.10.1.1 area 0

The default cost for this OSPF interface is 10. Change the cost for this OSPF interface using the address cost command:
host1(router-config)#address 10.10.1.1 cost 45

The cost for OSPF interface 10.10.1.1 is now 45. Now use the ip ospf cost command to change the cost for this OSPF interface:
host1(config)#int fastEthernet 0/0 host1(config-if)#ip ospf cost 23

The cost of OSPF interface 10.10.1.1 does not change. The previously issued address cost command is more specific for the interface and takes precedence over the ip ospf cost command. You must use the address cost command if you want to change the cost again:
host1(router-config)#address 10.10.1.1 cost 23

Configuring OSPF Areas

You can divide your OSPF routing domain into OSPF areas. Doing this provides the following benefits: Reduces resource demands placed on routers and links Reduces the router CPU usage by the OSPF routing calculation Reduces the amount of memory used for link state databases Hides subnets within areas from the rest of the routing domain Increases routing security within the area You must attach each area in your routing domain to an area called the backbone area (0.0.0.0). Disadvantages to using OSPF areas include the following: Areas hide information, which may result in less-than-optimal data paths. Creating areas complicates the task of configuring OSPF routing domains.

9-20

CHAPTER 9 Configuring OSPF

You can optionally define an area to be a stub area or a not-so-stubby area. You can configure virtual links for areas that are not directly connected to a backbone area.
area no area
There is no affirmative version of this command; there is only a no version. Example
host1(config-router)#no area 47.0.0.0

Use the no version to remove the specified area only if no OSPF interfaces are configured in the area.

area default-cost
Use to configure the cost for the default summary route sent into a stub area. Cost is a metric value in the range 165535; the default value is 1. Use only on an ABR attached to a stub area. Provides the metric for the summary default route that the ABR generates into the stub area. Example
host1(config-router)#area 47.0.0.0 default-cost 1

Use the no version to remove the configured default route cost.

area nssa
Use to configure the area as an NSSA. An NSSA is like a stub area, but it can also import external AS routes in a limited way. To cause NSSA border routers to generate a type 7 default LSA in the OSPF database if there is a default route in the routing table, you must specify the default-information-originate option. You can specify a metric cost, metric type, or a route map to be applied to the generated type 7 default LSAs. Example
host1(config-router)#area 35.0.0.0 nssa

Use the no version to remove the NSSA designation from the area, to stop the generation of type 7 default LSAs, or to stop the application of the specified metric cost, metric type, or a route map to the type 7 default LSAs.

area stub
Use to configure a stub area. Stub areas do not get flooded with external LSAs but do carry a default route, intra-area routes, and interarea routes. This reduces the size of the area's OSPF database and decreases memory usage for external routers in the stub area. You must configure each router in a stub area as belonging to the stub area.

Configuring OSPF Areas E-Series Routers

9-21

You cannot configure virtual links across a stub area. Stub areas cannot contain ASBRs. Example
host1(config-router)#area 47.0.0.0 stub

Use the no version to disable this function.

area virtual-link
Use to configure an OSPF virtual link. A virtual link is used for areas that do not have a direct connection to the backbone area. To have configured virtual links, the router itself must be an ABR. Virtual links are identified by the router ID of the other endpoint, which is also an ABR. The two endpoint routers must be attached to a common area, called the virtual links transit area. Virtual links are part of the backbone and behave as if they were unnumbered point-to-point networks between the two routers. A virtual link uses the intra-area routing of its transit area to forward packets. Example
host1(config-router)#area 27.0.0.0 virtual-link 27.8.4.2

Use the no version to remove an OSPF virtual link.

area virtual-link dead-interval

Use to set the time in seconds to wait before declaring a neighbor down after not receiving packets from that neighbor. Specify an interval in the range 165535 seconds; the default value is 40. Example
host1(config-router)#area 27.0.0.0 virtual-link 27.8.4.2 dead-interval 10

Use the no version to remove the virtual links dead interval.

area virtual-link hello-interval

Use to configure the hello interval on an OSPF virtual link. Specify an interval in the range 165535 seconds; the default value is 10. The hello interval is the time between the transmission of hello packets. The hello interval must be the same for all routers attached to a common network. Example
host1(config-router)#area 27.0.0.0 virtual-link 27.8.4.2 hello-interval 10

Use the no version to remove the virtual links hello interval.

9-22

CHAPTER 9 Configuring OSPF

area virtual-link retransmit-interval

Use to configure the retransmission interval on an OSPF virtual link. The retransmit interval is the time between retransmissions of link-state advertisements for adjacencies belonging to the interface. Specify an interval in the range 165535 seconds; the default value is 5. Set the value greater than the expected round-trip delay. Example
host1(config-router)#area 27.0.0.0 virtual-link 27.8.4.2 retransmit-interval 6

Use the no version to remove the interfaces retransmit interval.

area virtual-link transmit-delay

Use to configure the estimated time it takes to transmit a link-state update packet on the virtual link. Specify an interval in the range 165535 seconds; the default value is 1. Example
host1(config-router)#area 27.0.0.0 virtual-link 27.8.4.2 transmit-delay 1

Use the no version to remove the interfaces transmit delay.

automatic-virtual-link
Use to enable an automatic virtual link configuration. If enabled, then backbone connectivity is ensured by the automatic creation of a virtual link between this backbone router that has an interface to a common nonbackbone area and other backbone routers that have interfaces to a common nonbackbone area. Example
host1(config-router)#automatic-virtual-link

Use the no version to disable an automatic virtual link.

Configuring Authentication
The router supports the following authentication capabilities: Null authentication Simple password authentication MD5 authentication The MD5 algorithm takes as input a message of arbitrary length and produces a 128-bit fingerprint or message digest of the input. MD5 is used to create digital signatures. It is a one-way hash function, meaning

Configuring Authentication E-Series Routers

9-23

that it takes a message and converts it into a fixed string of digits, called a message digest. When using a one-way hash function, you can compare a calculated message digest with the message digest that is decrypted using a public key (password). The key verifies that the message has not been tampered with. This comparison process is called a hashcheck.
Note: You must first issue the address area command before issuing any other address command.

Authentication Requirements

If you configure either simple password or MD5 authentication, the password or authentication key must be the same on both sides of an adjacency. When you change the password or key on one side of an established adjacency, you must also change it on the other side within the dead interval. This enables a hello packet that has the latest authentication information to be sent before the dead interval expires. If the packet is not sent within the dead interval, the adjacency breaks down and is not reestablished until both sides of the adjacency have the same password or key.
address authentication-key
Use to assign a password used by neighboring routers for OSPF simple password authentication. The interface can have an IP address, or it can be unnumbered. You can specify whether the key is entered in unencrypted or encrypted format. If you do not specify which, the string is assumed to be unencrypted. The password, or key, is a character string up to 8 characters in length. Example
host1(config-router)#address 10.12.10.2 authentication-key 9rdf7

Use the no version to delete the password from the specified interface.

address authentication message-digest

Use to specify that MD5 authentication is used for the OSPF interface. You must configure the MD5 key ID and password with the address message-digest-key md5 command. Switching between authentication types does not delete a configured MD5 key ID or password; only using the no version of that configuration command can delete the MD5 key ID and password. Example
host1(config-router)#address 10.12.10.2 authentication message-digest

9-24

CHAPTER 9 Configuring OSPF

Use the no version to set authentication for the interface to none without removing any configured MD5 key. You could subsequently apply MD5 authentication to the interface without having to reconfigure the key.

address authentication-none
Use to disable authentication on the interface. The interface can have an IP address, or it can be unnumbered. Example
host1(config-router)#address 192.168.10.32 authentication-none

The no version has no effect.

address message-digest-key md5

Use to enable OSPF MD5 authentication and configure the MD5 key. The MD5 key is a character string up to 16 characters long. You must also specify a key identifier and whether the key is entered in unencrypted or encrypted format. If you do not specify which, the string is assumed to be unencrypted. Configures an interface already created, or creates a new OSPF interface and configures the MD5 key. The interface can have an IP address, or it can be unnumbered. Example
host1(config-router)#address 10.1.1.1 message-digest-key 1 md5 0 9mwk6gdr76

Use the no version to delete the MD5 key.

area virtual-link authentication-key

Use to configure a simple password for a virtual link. You can specify whether the key is entered in unencrypted or encrypted format. If you do not specify which, the string is assumed to be unencrypted. The password can be up to eight characters long. Example
host1(config-router)#area 27.0.0.0 virtual-link 27.3.4.5 authentication-key sadsa29c

Use the no version to remove the password.

area virtual-link authentication message-digest

Use to specify that MD5 authentication is used for the particular virtual link. You must configure the MD5 key ID and password with the area virtual-link message-digest-key md5 command. Switching between authentication types does not delete a configured MD5 key ID or password; only using the no version of that configuration command can delete the MD5 key ID and password.

Configuring Authentication E-Series Routers

9-25

Example
host1(config-router)#area 27.0.0.0 virtual-link 27.2.3.4 authentication message-digest

Use the no version to set authentication for the virtual link to none without removing any configured MD5 key. You could subsequently apply MD5 authentication to the virtual link without having to reconfigure the key.

area virtual-link authentication-none

Use to specify that no authentication is used for the particular virtual link. Example
host1(config-router)#area 27.0.0.0 virtual-link 27.2.3.4 authentication-none

The no version has no effect.

area virtual-link message-digest-key md5

Use to enable MD5 authentication and to configure MD5 keys for virtual links. The MD5 key is a character string up to 16 characters long. You must also specify a key identifier and whether the key is entered in unencrypted or encrypted format. If you do not specify which, the string is assumed to be unencrypted. Example
host1(config-router)#area 27.0.0.0 virtual-link 327.3.4.5 message-digest-key 2 md5 rc45lsm2c

Use the no version to remove the password.

ip ospf authentication-key
Use to configure a type 1 authentication (a simple password) on the interface. Neighboring OSPF routers use the password to access the routers interface. Use the same password on all neighboring routers on the same network. Use this password only when you enable authentication for the interface. You can specify whether the key is entered in unencrypted or encrypted format. If you do not specify which, the string is assumed to be unencrypted. Use a password that is a continuous string up to 8 characters long. Example
host1(config-if)#ip ospf authentication-key yourpwd

Use the no version to remove the password on the interface.

ip ospf authentication message-digest

Use to specify the authentication method for the interface as MD5. You must configure the MD5 key ID and password with the ip ospf message-digest-key md5 command.

9-26

CHAPTER 9 Configuring OSPF

Switching between authentication types does not delete a configured MD5 key ID or password; only using the no version of that configuration command can delete the MD5 key ID and password. Example
host1(config-if)#ip ospf authentication message-digest

Use the no version to set authentication for the interface to none without removing any configured MD5 key. You could subsequently apply MD5 authentication to the interface without having to reconfigure the key.

ip ospf authentication-none
Use to specify that no authentication is used for the OSPF interface. Example
host1(config-if)#ip ospf authentication-none

The no version has no effect.

ip ospf message-digest-key md5

Use to enable MD5 authentication on the OSPF interface and configure the MD5 key. The MD5 key is a character string up to 16 characters long. You must also specify a key identifier and whether the key is entered in unencrypted or encrypted format. If you do not specify which, the string is assumed to be unencrypted. Example
host1(config-if)#ip ospf message-digest-key 3 md5 0 tre987is

Use the no version to delete an MD5 key from the OSPF interface.
Note: If all the MD5 keys have been deleted, the authentication type is still MD5, but you need to configure MD5 keys. Note: To disable MD5 authentication for the interface, use the ip ospf authentication-none command. Note: To display the password only in encrypted text, use the service password-encryption command.

Configuring Additional Parameters E-Series Routers

9-27

Configuring Additional Parameters

The commands presented in this section include both OSPF-specific commands and routing protocolindependent commands that are not limited to OSPF. You can use these commands to perform the tasks listed in Table 9-3.
Table 9-3 Additional configuration tasks Filter and apply policy to routes. Set a baseline for statistics. Set the redistribution routes. Set the distance for OSPF routes. Administratively disable OSPF. Set the maximum paths. Enable automatic cost calculation. Enable logs for OSPF neighbor changes. Set SPF hold time. Set a default metric.

access-list route-map
Use the access-list command to create a standard or extended access list. Use the route-map command to create a route map. For detailed information on configuring access lists and route maps, see Chapter 1, Configuring Routing Policy. Example 1 Configure three static routes:
host1(config)#ip route 20.20.20.0 255.255.255.0 192.168.1.0 host1(config)#ip route 20.20.21.0 255.255.255.0 192.168.1.0 host1(config)#ip route 20.21.0.0 255.255.255.0 192.168.1.0

2 Configure an access list with filters on routes 20.20.20.0/24 and 20.20.21.0/24:

host1(config)#access-list boston permit 20.20.0.0 0.0.255.255

3 Configure a route map which matches the previous access list and applies a metric type 1 (OSPF):
host1(config)#route-map boston host1(config-route-map)#match ip address boston host1(config-route-map)#set metric-type type-1

4 Configure redistribution of the static routes into OSPF with route map boston:
host1(config)#router ospf 2 host1(config-router)#redistribute static route-map boston

9-28

CHAPTER 9 Configuring OSPF

5 Use the show ip ospf database command to verify the effect of the redistribution (the two static routes matching the route map are redistributed as external type 1):
host1#show ip ospf database OSPF Database Router Link States (Area 0.0.0.0) Link ID 192.168.1.250 192.168.254.7 Link ID 192.168.1.214 Link ID 20.20.20.0 20.20.21.0 ADV Router 192.168.1.250 192.168.254.7 ADV Router 192.168.254.7 ADV Router 192.168.1.250 192.168.1.250 Age 3 220 Age 220 Age 3 3 Seq# 0x80000006 0x80000169 Seq# 0x80000001 Seq# 0x80000001 0x80000001 Checksum 0x39a1 0xd2b5 Checksum 0xe0f2 Checksum 0x6045 0x554f

Network Link States (Area 0.0.0.0)

AS External Link States

Use the no version of the access-list command to remove the access list or the specified entry in the access list. Use the no version of the route-map command to remove an entry.

baseline ip ospf
Use to set a baseline for OSPF statistics and counters. The following example first displays the output of the show ip ospf command shown before you run the baseline ip ospf command; then, the execution of the baseline ip ospf command; and finally, the display of the show ip ospf command run after you execute the baseline ip ospf command.

The output of the show ip ospf command run before the baseline ip ospf
command reflects the up-to-date packet counters.

The output of the show ip ospf delta command run after you run the
baseline ip ospf command reflects the baseline set for OSPF statistics and counters. There is no no version. Example

host1#show ip ospf Routing Process OSPF 1 with Router ID 5.106.7.1 OSPF Statistics: Rcvd: 217935 total, 0 checksum errors 8987 hello, 8367 database desc, 188 link state req 159898 link state updates, 40484 link state acks Sent: 265026 total, 0 pkts dropped 8927 hello, 8341 database desc, 53 link state req 158571 link state updates, 89134 link state acks Supports only single TOS(TOS0) routes SPF schedule delay 0 secs, Hold time between two SPFs 3 secs

Configuring Additional Parameters E-Series Routers

9-29

Maximum path splits 1 Area BACKBONE(0.0.0.0) Area is a transit area SPF algorithm executed 425 times ABR count 0 ASBR count 1 LSA Count 12 Number of interfaces in this area is 24 Area ranges are: Number of active areas in this router is 1 1 normal, 0 stub, 0 NSSA.

host1#baseline ip ospf host1#show ip ospf delta Routing Process OSPF 1 with Router ID 5.106.7.1 OSPF Statistics: Rcvd: 0 total, 0 checksum errors 0 hello, 0 database desc, 0 link state req 0 link state updates, 0 link state acks Sent: 0 total, 0 pkts dropped 0 hello, 0 database desc, 0 link state req 0 link state updates, 0 link state acks Supports only single TOS(TOS0) routes SPF schedule delay 0 secs, Hold time between two SPFs 3 secs Maximum path splits 1 Area BACKBONE(0.0.0.0) Area is a transit area SPF algorithm executed 425 times ABR count 0 ASBR count 1 LSA Count 12 Number of interfaces in this area is 24 Area ranges are: Number of active areas in this router is 1 1 normal, 0 stub, 0 NSSA.

clear ip ospf redistribution

Use to clear all the routes that have been previously redistributed into OSPF. Example
host1#clear ip ospf redistribution

There is no no version.

9-30

CHAPTER 9 Configuring OSPF

default-information originate
Use to generate a default route into an OSPF routing domain. When you use this command to redistribute routes into an OSPF routing domain, the router automatically becomes an ASBR. An ASBR, however, does not, by default, generate a default route into the OSPF routing domain. The software must have a default route before it generates one, except when you have specified the always keyword. You can specify a metric for the route or specify that the route be OSPF external type 1 or 2. Example
host1(config)#router ospf 1 host1(config-router)#default-information originate route-map 5

Use the no version to disable this feature.

disable-dynamic-redistribute
Use to halt the dynamic redistribution of routes that are initiated by changes to a route map. Dynamic redistribution is enabled by default. Example
host1(config-router)#disable-dynamic-redistribute

Use the no version to reenable dynamic redistribution.

distance
Use to configure the administrative distance for OSPF routes. Example
host1(config-router)#distance ospf external 60

Default settings:

Intra-area routes 110 Interarea routes 112 External routes 114

Use the no version to restore the default values noted above.

ip ospf shutdown
Use to disable OSPF on the interface. Example
host1(config-if)#ip ospf shutdown

Use the no version to enable OSPF on the interface.

Configuring Additional Parameters E-Series Routers

9-31

maximum-paths
Use to control the maximum number of parallel routes that OSPF can support. The maximum number of routes can range from 116. The default for OSPF is 4 paths. To enable equal-cost multipath (ECMP) for OSPF, you need to specify a value for maxPaths greater than 1. Example
host1(config-router)#maximum-paths 2

Use the no version to restore the default value, 4.

ospf auto-cost reference-bandwidth

Use to calculate OSPF interface cost according to bandwidth. Sets the OSPF metric for an interface according to the bandwidth specified. Affects OSPF metrics only for OSPF interfaces created after its execution. This commands value overrides the cost resulting from the command. If you want this command to apply to OSPF interfaces already configured, you need to bounce the existing interfaces: Use the no network and then the network command for the selected OSPF interfaces. Example
host1(config-router)#ospf auto-cost reference-bandwidth 1000

If you issue this command, the metric is calculated as follows: OSPF metric = bandwidth*1,000,000/link speed For the previous example, a 64K link will get a metric of 15625, while a T1 link will have a metric of 647. The minimum value for the metric is 1.

If you never issue the ospf auto-cost reference-bandwidth command, OSPF calculates the cost as 108/link speed. Use the no version to assign cost based only on the interface type.

ospf log-adjacency-changes
Use to configure the router to send a log message when the state of an OSPF neighbor changes. Example
host1(config-router)#ospf log-adjacency-changes severity 3 verbosity low

Use the no version to halt logging of neighbor changes.

ospf shutdown
Use to administratively disable OSPF on the router. Example
host1(config-router)#ospf shutdown

Use the no version to reenable OSPF on the interface.

9-32

CHAPTER 9 Configuring OSPF

passive-interface
Use to disable the transmission of routing updates on the interface, meaning that OSPF routing information is neither sent by nor received through the interface. The specified interface appears as a stub network in the OSPF domain. By default, OSPF is enabled on a configured OSPF interface. Example
host1(config-router)#passive-interface ethernet 1/0

Use the no version to reenable the transmission of OSPF routing updates on the specified interface.

redistribute
Use to redistribute information from a routing domain other than OSPF into the OSPF domain. You can set the OSPF metric typetype 1 or type 2and set a metric for all redistributed routes. Example 1
host1(config)#router ospf 5 host1(config-router)#redistribute bgp route-map 4

If you do not specify route-map, all routes are redistributed. By default, all routes are imported as external type 2 routes. If you do specify route-map but do not list any route map tags, no routes are imported. Use to redistribute routes from OSPF into other non-OSPF routing domains. Example 2
host1(config)#router bgp 100 host1(config-router)#redistribute ospf 5

Use the no version to disable redistribution.

table-map
Use to apply a policy to modify distance, metric, metric type, route type, or tag values of OSPF routes about to be added to the IP routing table. The new route map is applied to all routes currently in and those subsequently placed in the forwarding table. Previously redistributed routes are redistributed with the changes caused by the route map. To remove from the forwarding table any old routes that are now disallowed by the specified route map, you must refresh the IP routing table with the clear ip routes * command.

Configuring Additional Parameters E-Series Routers

9-33

Example
host1(config)#route-map dist1 permit 5 host1(config-route-map)#match community boston42 host1(config-route-map)#set distance 33 host1(config-route-map)#exit host1(config)#router ospf 100 host1(config-router)#table-map dist1 host1(config-router)#exit host1(config)#exit host1#clear ip routes *

Use the no version to halt application of the route map.

timers spf
Use to configure the time between two consecutive SPF calculations. Set the time (in seconds) in the range 15; the default value is 3. If you set the hold time to 0, there is no delay between two consecutive SPF calculations. They can be done one immediately after the other. Example
host1(config-router)#timers spf 2

Use the no version to return to the default value, 3.

Default Metrics

Although the router does not support a default-metric command, the redistribute command provides two ways to set a default metric for redistributed routes. You can simply configure a metric with the redistribute command to apply to all routes redistributed from the specified source protocol:
host1(config)#router ospf 5 host1(config-router)#redistribute bgp metric 5

Alternatively, you can create one or more route maps that set the metric and apply them selectively to redistributed routes:
host1(config)#access-list 1 permit any any host1(config)#route-map defmetric host1(config-route-map)#match ip address 1 host1(config-route-map)#set metric 10 host1(config-route-map)#exit host1(config)#router ospf 5 host1(config-router)#redistribute bgp route-map defmetric host1(config-router)#redistribute isis route-map defmetric

9-34

CHAPTER 9 Configuring OSPF

See Chapter 1, Configuring Routing Policy, for information on configuring route maps.

Configuring OSPF for NBMA Networks

You can configure OSPF nonbroadcast multiaccess (NBMA) networks. You can configure your OSPF network type as NBMA, regardless of the default medium. This is useful when, for example, you have routers in your network that do not support multicast addressing. You must use the neighbor command to specify the routers OSPF neighbors. To configure OSPF for an NBMA network:
1

Configure an interface network type as NBMA for OSPF.

host1(config-subif)#ip ospf network non-broadcast

Exit Interface Configuration mode. Enter Global Configuration mode.

host1(config-subif)#exit

Configure an OSPF routing process, and enter Router Configuration mode.

host1(config)#router ospf 5

Specify an OSPF neighbor, and optionally assign a priority number or poll interval to the neighbor.
host1(config-router)#neighbor 10.12.14.1 priority 5 poll-interval 180

Repeat step 4 for each neighbor in the OSPF network.

If you want to configure the network type for a specific interface or OSPF area, rather than for all OSPF interfaces, you can use the address network command rather than the ip ospf network command.
address network
Use to configure the network type on a specific OSPF interface or for a specific OSPF area to a type other than the default for the medium. You must first issue the address area command before issuing the address network command. Use the no version to restore the default value for the medium.

Traffic Engineering E-Series Routers

9-35

ip ospf network
Use to configure the network type on all OSPF interfaces on the OSPF network to a type other than the default for the medium. Use the no version to restore the default value for the medium.

neighbor
Use to configure OSPF neighbors on the NBMA network. Specify priority and poll interval only for routers that are eligible to become the designated router or backup designated routerthat is, a router with a nonzero router priority value. The default priority value is 0, and the default polling interval is 120 seconds. Use the no version to remove the neighbor or restore the default values 0 and 120.

Traffic Engineering
Traffic engineering (TE) enables more effective use of network resources by providing for the setup of explicitly routed Multiprotocol Label Switching (MPLS) label-switched paths (LSPs) that satisfy resource and administrative constraints. You can use OSPF to exchange link resource and traffic-engineering administrative information between routers. OSPF uses this information to calculate paths in the network that satisfy the administrative constraints. MPLS can then set up LSPs along these paths. Refer to E-Series Routing Protocols Configuration Guide, Vol. 2, Chapter 2, Configuring MPLS, for a detailed discussion of MPLS.
Configuring OSPF for TE

For OSPF to support TE, you must issue both of the following commands: mpls traffic-eng area Enables the router to flood TE resource and administrative information in the specified area using type 10 opaque LSAs. These LSAs have an area-wide scope and therefore are flooded only within the indicated area. mpls traffic-eng router-id Designates a router as TE capable and specifies the address of a stable router interface as the router ID of the node for TE purposes. The TE router ID serves as the tunnel endpoint for tunnels terminating at the node. Each node advertises its TE router ID in type 10 LSAs. By default, OSPF always uses the MPLS tunnel to reach the MPLS endpoint. Best paths determined by SPF calculations are not considered. You can enable the consideration of best paths by issuing the mpls spf-use-any-best-path command. As a result, OSPF considers metrics

9-36

CHAPTER 9 Configuring OSPF

for IGP paths and the tunnel metric, and might forward traffic along a best path, through the MPLS tunnel, or both. You can use the show ip ospf database opaque-area command to display information about TE opaque LSAs. For OSPF routes to use established MPLS tunnels as next hopsso that traffic can be mapped to use these tunnelsyou must configure the tunnels with the tunnel mpls autoroute announce ospf command. See E-Series Routing Protocols Configuration Guide, Vol. 2, Chapter 2, Configuring MPLS, for information on configuring MPLS on a router.
mpls spf-use-any-best-path
Use to enable SPF calculations to consider the IGP (OSPF) best paths as well as the MPLS tunnel for forwarding traffic to the MPLS endpoint. By default, the MPLS tunnel is always selected for traffic to the tunnel endpoint; IGP paths are not considered. For traffic beyond the endpoint, the tunnel is considered equally with any other path. Example
host1(config-router)#mpls spf-use-any-best-path

Use the no version to disable the use of IGP best paths.

mpls traffic-eng area

Use to enable flooding of MPLS TE link information into the specified OSPF area. Flooding is disabled by default. Example
host1(config-router)#mpls traffic-eng area 0

Use the no version to disable flooding.

mpls traffic-eng router-id

Use to specify a stable interface to be used as a router ID for MPLS TE. Typically you specify a loopback interface to provide the greatest stability, because this is flooded to all nodes. The interface acts as the destination node for tunnels originating at other nodes. Example
host1(config-router)#mpls traffic-eng router-id loopback 0

Use the no version to remove the interface as a router ID.

Using OSPF Routes for Multicast RPF Checks E-Series Routers

9-37

Using OSPF Routes for Multicast RPF Checks

You can use the ip route-type command to specify whether OSPF routes are available for only unicast forwarding protocols or only multicast reverse path forwarding (RPF) checks. Routes available for unicast forwarding appear in the unicast view of the routing table, whereas routes available for multicast RPF checks appear in the multicast view of the routing table.
ip route-type
Use to specify whether OSPF routes are available only for unicast forwarding, only for multicast reverse path forwarding checks, or for both. Use the show ip route command to view the routes available for unicast forwarding. Use the show ip rpf-routes command to view the routes available for multicast reverse path forwarding checks. By default, OSPF routes are available for both unicast forwarding and multicast reverse path forwarding checks. Example
host1(config)#router ospf host1(config-router)#ip route-type unicast

Use the no version to restore the default value, both.

OSPF and BGP/MPLS VPNs

Some network topologies will use OSPF as the routing protocol between CE and PE routers in BGP/MPLS VPNs. See E-Series Routing Protocols Configuration Guide, Vol. 2, Chapter 3, Configuring BGP/MPLS VPNs, for information on configuring OSPF for this purpose.

Remote Neighbors
You can create OSPF remote neighbors to enable the router to establish neighbor adjacencies through unidirectional interfaces, such as MPLS tunnels, rather than the standard practice of using the same interface for receipt and transmission of OSPF packets. The remote neighbor can be more than one hop away through intermediate routers that are not running OSPF. OSPF uses the interface associated with the best route to reach the remote neighbor. A best route to the neighbor must exist in the IP routing table. You must explicitly configure a remote neighbor on an OSPF router. You must specify the remote neighbor with which the router will form an

9-38

CHAPTER 9 Configuring OSPF

adjacency and the source IP address the router will use for OSPF packets destined to its peer remote neighbor. To form an adjacency with its remote neighbor, all OSPF packets are sent to the remote neighbor as unicast packets with the destination IP address equal to the source IP address of the remote neighbor. Use the update-source loopback command to assign the source IP address to a remote neighbor. The connection between two remote neighbors is treated as an unnumbered point-to-point link that resides in the same area as that to which the pair of remote neighbors belongs. The rules of OSPF adjacency must be followed for remote neighbors to form an adjacency with each other; for example, the neighbors must be in the same OSPF area and have the same hello interval and dead interval, and so on. Once you have used the remote-neighbor command to specify the remote neighbors and the update-source loopback to assign the source IP address, you must set a TTL value with the ttl command, because a remote neighbor can be more than one hop away. Configuration of all other remote-neighbor attributes is optional.
authentication-key
Use to enable simple password authentication and assign a password for communication with OSPF remote neighbors. Example
host1(config-router-rn)#authentication-key 0 br549hee

Use the no version to delete the password.

authentication message-digest
Use to specify that MD5 authentication is to be used on the OSPF remote neighbor interface. Example
host1(config-router-rn)#authentication message-digest

There is no no version.

authentication-none
Use to specify that no authentication is to be used on the OSPF remote neighbor interface. Example
host1(config-router-rn)#authentication-none

There is no no version.

Remote Neighbors E-Series Routers

9-39

cost
Use to specify a cost metric for the OSPF remote-neighbor interface; the metric is used in the calculation of the SPF routing table. The default value is 10 if there is no route to the remote neighbor; otherwise, the default is calculated based on the bandwidth of the physical interface used to reach the remote neighbor and the OSPF autocost reference bandwidth. Example
host1(config-router-rn)#cost 235

Use the no version to restore the default value, as described above.

dead-interval
Use to set the time period that the OSPF router waits without seeing hello packets from a remote neighbor before declaring the neighbor to be down. Example
host1(config-router-rn)#dead-interval 180

Use the no version to restore the default value, 40 seconds.

hello-interval
Use to set the interval between hello packets that the router sends on the OSPF remote-neighbor interface. Specify a value in the range 165535 seconds; the default value is 40. Example
host1(config-router-rn)#hello-interval 15

Use the no version to restore the default value, 40.

message-digest-key md5
Use to enable MD5 authentication for the OSPF remote-neighbor interface and configure the MD5 key. Example
host1(config-router-rn)#message-digest-key 42 md5 0 sal29ute

If you delete all MD5 keys, MD5 authentication is still enabled; you must either configure an MD5 key or disable MD5 authentication with the authentication-none command. Use the no version to delete the MD5 key.

remote-neighbor
Use to configure an OSPF remote neighbor. Example
host1(config-router)#remote-neighbor 10.25.100.14 area 35672

Use the no version to remove the remote neighbor and any attributes configured for the remote neighbor.

9-40

CHAPTER 9 Configuring OSPF

retransmit-interval
Use to set the time between LSA retransmissions for the OSPF remote-neighbor interface when an acknowledgment for the LSA is not received. Specify a value in the range 13600 seconds; the default value is 5. Example
host1(config-router-rn)#retransmit-interval 10

Use the no version to restore the default value, 5.

transmit-delay
Use to set the estimated time it takes to transmit a link state update packet on the OSPF remote-neighbor interface. Specify a value in the range 03600 seconds; the default value is 1 second. Example
host1(config-router-rn)#transmit-delay 3

Use the no version to restore the default value, 1.

ttl
Use to configure a hop count by setting the value of the time-to-live field used by packets sent to an OSPF remote neighbor. Specify a value in the range 1255 seconds; the default value is 1 second. Example
host1(config-router-rn)#ttl 35

Use the no version to restore the default value, 1.

update-source
Use to specify the loopback interface whose local IP address is used as the source address for the OSPF connection to a remote neighbor. Example
host1(config-router-rn)#update-source loopback 1

Use the no version to delete the source address from the connection to the remote neighbor.

Disabling and Reenabling Incremental SPF

By default, when changes occur to a type 5 or type 7 LSA, OSPF recalculates new, loop-free routes for only the LSAs that change. When a subset of LSAs in the external link-state database change, a full recalculation is not necessary. However, the CLI allows you to disable incremental SPF, allowing the router to perform a full SPF on all external LSAs in the link-state database.

Configuring OSPF Traps E-Series Routers

9-41

disable-incremental-external-spf
Use to disable incremental external SPF on the router. When issued, this command results in a full SPF when an event occurs to trigger an external SPF. Example
host1(config-router)#disable-incremental-external-spf

Use the no version to reenable incremental SPF on this router.

Configuring OSPF Traps

You can use the traps command to specify OSPF traps. This command allows you to specify all or any number of the following trap settings: virtIfStateChange to indicate any state change on an OSPF virtual interface nbrStateChange to indicate any state change on a nonvirtual OSPF neighbor virtNbrStateChange to indicate any state change on a virtual OSPF neighbor ifConfigError to indicate any configuration mismatch with a nonvirtual neighbor virtIfConfigError to indicate any configuration mismatch with a virtual neighbor ifAuthFailure to indicate any authentication failure on a nonvirtual interface virtIfAuthFailure to indicate any authentication failure on a virtual interface ifRxBadPkt to indicate the receipt of a packet that the router cannot parse virtIfRxBadPkt to indicate the receipt of a packet on a virtual interface that the router cannot parse txRetransmit to indicate the retransmittal of a packet on a nonvirtual interface virtTxRetransmit to indicate the retransmittal of a packet on a virtual interface originateLsa to indicate the origination of a new LSA by this router

9-42

CHAPTER 9 Configuring OSPF

maxAgeLsa to indicate that an LSA in this router LSDB has reached MaxAge ifStateChange to indicate a state change on an OSPF interface
traps
Use to specify traps for OSPF. Example
host1(config-router-rn)#traps all

Use the no version to delete the specified trap, group of traps, or all traps.

Monitoring OSPF
Two sets of commands enable you to monitor OSPF operation on your router: the debug and the show commands. Both sets of commands provide information on your routers OSPF state and configuration. The task you are performing with each of these monitoring commands is basically the same for each command; that is, you are requesting information. The results of this request may vary. For instance, the debug commands provide information on problems with the network or the router, whereas the show commands provide information on the actual state and configuration of your router.
debug Commands

The debug commands provide information on the following OSPF items: Adjacencies Designated router General events Link-state advertisements Neighbors Packets received Packets sent Route events SPF events

Monitoring OSPF E-Series Routers

9-43

debug ip ospf
Use to display information on selected OSPF events. This command has many keywords that allow you to specify a variety of OSPF events. You can set the level of severity for the events you want displayed: 07. You can set the verbosity of the messages you want displayed: low, medium, high. Example
host1#debug ip ospf adj

Use the no version to cancel the display of any information on the designated variable.

ospf log-adjacency-changes
Use to enable the logging of changes in the state of an OSPF neighbor. Example
host1(config-router)#ospf log-adjacency-changes

Use the no version to disable the logging of changes in the state of an OSPF neighbor.

undebug ip ospf
Use to cancel the display of information on a selected event. The same OSPF variables can be designated as in the debug ip ospf command. Example
host1#undebug ip ospf adj

There is no no version.

show Commands

The show commands provide information on the following OSPF items: Routing processes Border routers Database Interfaces Neighbors Virtual links Internal statistics MPLS tunnels and opaque LSAs

9-44

CHAPTER 9 Configuring OSPF

You can use the output filtering feature of the show command to include or exclude lines of output based on a text string you specify. See E-Series System Basics Configuration Guide, Chapter 2, Command Line Interface, for details.
show ip ospf
Use to display general information about OSPF routing processes. Field descriptions

Routing process process ID, router ID, domain ID OSPF administrative state enabled or disabled OSPF operational state enabled or disabled Incremental External SPF on or off Router router types: internal, area border, or autonomous system boundary routers OSPF Statistics packets sent and received TOS type number of types of service supported SPF timers timers configured on the router Maximum path splits maximum equal-cost paths supported Areas areas configured and their parameters Number of areas number of areas in the router
host1#show ip ospf Routing Process OSPF 1 with Router ID, 2.2.2.2, Domain ID 0.0.0.0 OSPF administrative state is enabled OSPF operational state is enabled Incremental External SPF is OFF Automatic virtual links configuration is enabled Ospf set trap field disabled Router is an Area Border Router (ABR) OSPF Statistics: Rcvd: 35 total, 0 checksum errors 20 hello, 9 database desc, 3 link state req 24 link state updates, 8 link state acks Sent: 51 total, 0 pkts dropped 2155 hello, 6 database desc, 3 link state req 32 link state updates, 10 link state acks LSA discard count: 0 Supports only single TOS(TOS0) routes SPF schedule delay 0 secs, Hold time between two SPFs 3 secs Maximum path splits 4 Area 0.0.0.1 SPF algorithm executed 20 times ABDR count 1

Example

Monitoring OSPF E-Series Routers

9-45

ASBDR count 0 LSA Count 2 Number of interfaces in this area is 2 Area ranges are: Area 0.0.0.3 SPF algorithm executed 20 times ABDR count 1 ASBDR count 0 LSA Count 3 Number of interfaces in this area is 1 Area ranges are: Number of active areas in this router is 2 2 normal, 0 stub, 0 NSSA.

show ip ospf border-routers

Use to display a list of OSPF border routers. Field descriptions

Destination destination's router ID Next Hop next hop toward the destination Router Type router type of the destination: either an ABR or ASBR or both Route Type type of this route: either an intra-area or interarea route Area area ID of the area that this route is learned from

Example
Interface fastethernet0 fastethernet0 fastethernet0 Router Type ABR/ASBR ABR/ASBR ABR Route Type Area INTRA INTRA INTRA 0.0.0.0 0.0.0.1 0.0.0.1

host1#show ip ospf border-routers Destination NEXT HOP 5.5.0.250 5.5.0 250 6.6.6.250 5.5.6.250 4.4.4.250 4.4.4.13

show ip ospf database

Use to display either the full OSPF database or a summary of it. Field descriptions

Link ID link-state ID of the LSA:

for router links, set to the routers OSPF router ID for network links, set to the IP interface address of the networks designated router for type 3 summary LSAs, set to an IP network number for type 4 summary LSAs, set to an ASBRs router ID for type 5 externals, set to an IP network number

Adv Router advertising routers ID Age link-state age Seq# link-state sequence number (detects old or duplicate LSAs) Checksum Fletcher checksum of the complete contents of the LSA

9-46

CHAPTER 9 Configuring OSPF

Example
host1#show ip ospf database OSPF Database Router Link States (Area 0.0.0.0) Link ID 5.1.101.1 ADV Router 5.1.101.1 Age 932 Seq# 0x80000069 0x80000087 0x80000087 0x800005bf Checksum 0x102f 0xaa4e 0xada6 0xaba5 0x6087

192.168.1.13 192.168.1.13 1763 0x80000099 192.168.1.10 192.168.1.10 285 192.168.1.11 192.168.1.11 401 192.168.24.6 192.168.24.6 622

Network Link States (Area 0.0.0.0) Link ID ADV Router Age Seq# Checksum

56.56.56.220 5.6.6.1

499 0x80000069 0x26a0

192.168.1.12 192.168.254.6 622 0x8000009e 0xebc2 Summary Link States (Area 0.0.0.0) Link ID ADV Router 4.4.4.0 4.4.4.0 5.5.0.250 Age Seq# Checksum

497 0x8000005a 0x2ca6

192.168.1.13 528 0x80000059 0x 45d

AS Summary Link States (Area 0.0.0.0) Link ID ADV Router Age Seq# Checksum

5.5.0.250 192.168.1.13 491 0x80000002 0xe9d4 AS External Link States Link ID ADV Router Age Seq# 8.8.8.0 5.5.0.250 Checksum

502 0x8000005f 0x2d67

Router Link States (Area 0.0.0.1) Link ID 5.5.0.250 ADV Router 5.5.0.250 Age Seq# Checksum

498 0x80000067 0xdec1

192.168.1.13 192.168.1.13 505 0x800000a5 0x3b32 Network Link States (Area 0.0.0.1) Link ID 4.4.4.13 5.1.0.0 5.2.0.0 5.2.0.0 ADV Router 192.168.1.13 192.168.1.13 5.5.0.250 192.168.1.13 Age Seq# 505 0x80000001 940 0x80000059 495 0x80000001 932 0x80000059 Checksum 0x410b 0x82c4 0x51bf 0x76cf

Monitoring OSPF E-Series Routers

9-47

5.3.0.0 5.3.0.0 56.56.56.0

5.5.0.250 192.168.1.13 5.5.0.250

495 0x80000001 932 0x80000059 495 0x80000062

0x45ca 0x6ada 0xc469

AS Summary Link States (Area 0.0.0.1) Link ID ADV Router Age Seq# 496 0x800000001 Checksum 0x51c0 5.5.0.250 5.5.0.250

show ip ospf database opaque-area

Use to display lists of information about the TE opaque LSAs. The TE router address LSA describes a stable IP address on the originating router that can be used for TE purposessuch as setting up TE LSPs to this address. The TE link LSA describes TE information about an interface on the originating router. Field descriptions

LS age age of LSA Options optional capabilities supported by the described portion of the
routing domain

LS Type type of LSA; opaque area TE router address or opaque area TE

link LSA

Link State ID link-state ID of the opaque LSA Advertising Router router ID of the router that originated the LSA LS Seq Number link-state sequence number to identify duplicate or old
LSIDs

Checksum checksum of the complete contents of the LSA Length length of the LSA in bytes TE router ID TE router ID of the originating router Link type point-to-point or multiaccess Link ID for point-to-point interfaces, this is the router ID of the router at the remote end; for multiaccess interfaces, this is the address of the DR

Local Address IP address of the local interface for the link Remote Address IP address of the remote (neighbors) interface for the
link

TE Metric link metric for traffic engineering purposes; can be different from
the standard OSPF link

Max BW maximum bandwidth that can be used on this link in this direction Max Reservable BW maximum bandwidth that can be reserved on this
link; can exceed the maximum bandwidth in the event of oversubscription

Max Unreserved BW amount of bandwidth not yet reserved at each of the

eight priority levels; each value is less than or equal to the maximum reservable bandwidth

Color bitmask that specifies the administrative group membership for this
link; a link that is a member of more than one group will have multiple bits set

9-48

CHAPTER 9 Configuring OSPF

Example
host1#show ip ospf database opaque-area Opaque-area Link States (Area 0.0.0.0) LS age: 914 Options: (TOS-capable, No Type7-LSA, ExternalRoutingCapability, No Multicast Capability, No External Attributes LS Type: Opaque-Area (TE Router Address) Link State ID: 1.0.0.0(Instance) Advertising Router: 100.1.1.1 LS Seq Number: 0x80000003 Checksum: 0xd293 Length: 28 TE Router-ID: 100.1.1.1 LS age: 919 Options: (TOS-capable, No Type7-LSA, ExternalRoutingCapability, No Multicast Capability, No External Attributes LS Type: Opaque-Area (TE Links) Link State ID: 1.0.0.1(Instance) Advertising Router: 100.1.1.1 LS Seq Number: 0x80000003 Checksum: 0xf66e Length: 124 Link Type: P2P Link ID: 1744896257 Local Address 14.1.1.2 Remote Address 14.1.1.1 TE Metric 0 Max BW 1000 kb/sec (125000 Bps) Max Reservable BW 1000 kb/sec (125000 Bps) Max Unreserved BW : pri 0 1000 kb/sec (125000 Bps) Max Unreserved BW : pri 1 1000 kb/sec (125000 Bps) Max Unreserved BW : pri 2 1000 kb/sec (125000 Bps) Max Unreserved BW : pri 3 1000 kb/sec (125000 Bps) Max Unreserved BW : pri 4 1000 kb/sec (125000 Bps) Max Unreserved BW : pri 5 1000 kb/sec (125000 Bps) Max Unreserved BW : pri 6 1000 kb/sec (125000 Bps) Max Unreserved BW : pri 7 1000 kb/sec (125000 Bps) Color 0 LSA) LSA)

Monitoring OSPF E-Series Routers

9-49

show ip ospf interface

Use to display a list of OSPF interfaces. Field descriptions

Interface value (fastEthernet) status of the physical link and the operational
status of the protocol

Internet Address interface IP address Area area identifier: IP address Network type broadcast, NBMA, Point-to-Point, or Point-to-Multipoint Authentication type none, simple, or MD5 Interface cost metric for OSPF transmission Transmit Delay time between transmissions from the specified interface Interface State current state of the specified interface Priority routers priority on the specified interface Designated Router designated router ID and respective interface IP address IP address of the backup router

Backup Designated Router designated router ID and respective interface Interface timer intervals configuration of timer intervals: Hello, Dead, Wait,
and Retransmit

Neighbors number of neighbors and their state; adjacent neighbors

Example
host1#show ip ospf interface FastEthernet0 is up, OSPF line protocol is up OSPF interface configuration: Internet Address 192.168.1.250, Area 0.0.0.0 Network type BROADCAST, No authentication Cost: 1 Transmit Delay is 1 sec, Interface State DROTHER, Priority 1 Designated Router (Interface address) 192.168.1.107 Backup Designated Router (Interface address) 192.168.1.214 Timer intervals configured, Hello 10, Dead 40, Wait 120, Retransmit 5 Neighbor Count is 2, Adjacent neighbor count is 2 Adjacent with neighbor 192.168.1.107 (Designated Router) Adjacent with neighbor 192.168.254.7 (Backup Designated Router)

show ip ospf internal-statistics

Use to display internal OSPF statistics, such as allocation failures for different OSPF components. Field descriptions

LSA bytes allocated number of bytes allocated for LSAs Router LSA bytes allocated number of bytes allocated for router LSAs Summary bytes allocated number of bytes allocated for summary LSAs

9-50

CHAPTER 9 Configuring OSPF

Neighbor RTX bytes allocated number of bytes allocated for neighbor

retransmissions

Timers bytes allocated number of bytes allocated for OSPF timers Ospf total bytes free total number of bytes free Ospf heap total bytes allocated total number of bytes allocated from the
OSPF heap

Neighbor allocation failures number of neighbor allocation failures LSA allocation failures number of LSA allocation failures LSA HDR allocation failures number of LSA header allocation failures DB Request allocation failures number of database request allocation failures failures

RTX allocation failures number of neighbor retransmission allocation LS Ack allocation failures number of LSA acknowledgment packet
allocation failures

DD pkt allocation failures number of database description packet allocation

failures

OSPF interface allocation failures number of interface allocation failures OSPF general packet allocation failures number of general packet
allocation failures Example
host1#show ip ospf internal-statistics Routing Process OSPF 1 with Router ID 5.72.3.1 Internal OSPF Statistics, bytes allocated/free: LSA bytes allocated:216 Router LSA bytes allocated:936 Summary bytes allocated:0 Neighbor RTX bytes allocated:0 Timers bytes allocated:352 Ospf total bytes free:824368 Ospf heap total bytes allocated:1048576 Internal OSPF Statistics, allocation failures: Neighbor allocation failures:0 LSA allocation failures:0 LSA HDR allocation failures:0 DB Request allocation failures:0 RTX allocation failures:0 LS Ack allocation failures:0 DD pkt allocation failures:0 OSPF interface allocation failures:0 OSPF general packet allocation failures:0

Monitoring OSPF E-Series Routers

9-51

show ip ospf neighbors

Use to display information on OSPF neighbors on a per-interface basis. Field descriptions

Neighbor ID neighbors router ID Pri router priority of neighbor State OSPF neighbors state
DR designated router BDR backup designated router DR Other neighbor to a designated router or a backup designated router

Dead Time interval since last hello packet from neighbor Address IP address of the neighbors interface Interface name of the specified interface and its port number

Neighbor ID 10.0.8.1 10.0.71.1 10.0.96.1 Pri 1 1 1

Example
Dead Time 00:00:39 00:00:42 00:00:28 Address 10.0.76.1 10.0.76.2 10.0.76.4 Interface fastEthernet11/0 fastEthernet11/0 fastEthernet11/0

host1#show ip ospf neighbors State TWO-WAY/DR Other FULL/DR FULL/BDR

show ip ospf remote-neighbor interface

Use to display all interfaces that are associated with OSPF remote neighbors. Example
host1#show ip ospf remote-neighbor interface OSPF remote-neighbor 221.221.221.221 interface configuration: Update-source loopback0 Remote-neighbor reachable: yes Area 0.0.0.0 Network type POINT-TO-POINT, No authentication Cost: 1 Transmit Delay is 1 sec, Interface State POINT-TO-POINT, Priority 1 No designated router on this network No backup designated router on this network Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5 Neighbor Count is 1, Adjacent neighbor count is 1 Adjacent with neighbor 221.221.221.221

show ip ospf spf-log

Use to display how often and why the router has run a full SPF calculation. Field descriptions

Intra SPF log log for SPF calculations run to compute intraarea LSAs Inter SPF log log for SPF calculations run to compute interarea LSAs

9-52

CHAPTER 9 Configuring OSPF

External SPF log log for SPF calculations run to compute routes outside
the OSPF routing domain

When amount of time since a full SPF calculation took place given in
hours:minutes:seconds; the previous 20 calculations are logged

Duration number of milliseconds to complete this SPF run; the elapsed

time is in actual clock time, not CPU time

LSA Router Id whenever a full SPF calculation is triggered by a new LSA,

the router ID is stored in the router

Triggers list of reasons that triggered a full SPF calculation

Example
host1#show ip ospf spf-log Intra SPF log When Duration LSA Router Id 23.23.23.3 23.23.23.3 12.12.12.2 23.23.23.3 23.23.23.3 23.23.23.3 12.12.12.2 23.23.23.3 Triggers Protocol Off LSA Add LSA Add LSA Update Protocol Off LSA Add LSA Add LSA Update 00:04:42 0.000 00:04:38 0.000 00:04:34 0.000 00:04:30 0.010 00:03:51 0.000 00:03:47 0.000 00:03:43 0.000 00:03:39 0.000 Inter SPF log When Duration LSA Router Id 23.23.23.3 23.23.23.3 12.12.12.2 23.23.23.3 23.23.23.3 23.23.23.3 12.12.12.2 23.23.23.3 Triggers Protocol Off LSA Add LSA Add LSA Update Protocol Off LSA Add LSA Add LSA Update 00:04:46 0.010 00:04:42 0.000 00:04:38 0.000 00:04:34 0.000 00:03:55 0.000 00:03:51 0.000 00:03:47 0.000 00:03:43 0.000 External SPF log When Duration LSA Router Id 23.23.23.3 23.23.23.3 12.12.12.2 23.23.23.3 23.23.23.3 23.23.23.3 12.12.12.2 23.23.23.3 Triggers Protocol Off LSA Add LSA Add LSA Update Protocol Off LSA Add LSA Add LSA Update 00:04:47 0.000 00:04:43 0.000 00:04:39 0.000 00:04:35 0.010 00:03:56 0.000 00:03:52 0.000 00:03:48 0.000 00:03:44 0.000

Monitoring OSPF E-Series Routers

9-53

show ip ospf virtual-links

Use to display the parameters and the current state of OSPF virtual links. Field descriptions

Virtual link to router identifies the OSPF neighbor and the current state of
the virtual link

Transmit Delay time between transmissions from the specified interface Timer intervals timer intervals configured for the link: Hello, Dead, and
Retransmit Example
host1#show ip ospf virtual-links Virtual link to router 192.168.1.13 in state POINT-TO-POINT Transmit Delay is 1 sec Timer intervals configured, Hello 10 sec, Dead 40 sec, Retransmit 5 sec

9-54

CHAPTER 9 Configuring OSPF

Configuring IS-IS

10
Page 10-1 10-10 10-11 10-11 10-11 10-12 10-14 10-20 10-35 10-36 10-37

This chapter describes how to configure Intermediate System-toIntermediate System (IS-IS) routing on your E-series router.
Topic Overview References Features Before You Run IS-IS Configuration Tasks Enabling IS-IS Configuring IS-IS Interface-Specific Parameters Configuring Global IS-IS Parameters Configuring IS-IS for MPLS Using IS-IS Routes for Multicast RPF Checks Monitoring IS-IS

Overview
IS-IS is a dynamic routing protocol developed by the International Organization for Standardization (ISO) and commonly referred to as ISO 10589. The original development of IS-IS was done at Digital Equipment Corporation for Phase V DECnet. The motivation to standardize IS-IS, however, was through the efforts of the American National Standards Institute (ANSI) X3S3.3 Network and Transport Layers Committee.

10-2

CHAPTER 10 Configuring IS-IS

Similar to the Open Shortest Path First (OSPF) routing protocol, IS-IS is a link-state protocol. It builds a complete and consistent picture of a networks topology by sharing link-state information across all network Intermediate System (IS) devices. The IS-IS routing protocol provides routing for pure Open Systems Interconnection (OSI) environments. IS-IS as implemented on the E-series router supports IP networks and enables you to configure IS-IS as an IP routing protocol only. In IS-IS, networks are partitioned into routing domains, which are further divided into areas. A two-level hierarchical routing design is used. With this model, routing is referred to as level 1, level 2, or both level 1 and level 2.
Terms

OSI internetworking has its own terminology. A number of terms used in IS-IS routing discussions are defined in Table 10-1.
Table 10-1 IS-IS terms Term area Meaning A group of contiguous networks and their attached hosts. Area boundaries are normally assigned by a network administrator. PDU sent by designated router to ensure database synchronization An OSI network layer protocol used by CLNS to handle data at the transport layer; the OSI equivalent of IP

complete sequence number PDU (CSNP) Connectionless-mode Network Protocol (CLNP)

Connectionless Network An OSI network layer service that enables data Service Protocol (CLNS) transmission without establishing a circuit and that routes messages independently of any other messages. end system (ES) intermediate system (IS) level 1 routing Any nonrouting network node or host A router Routing within an area Level 1 routers (or intermediate systems) track all the individual links, routers, and end systems within a level 1 area. Level 1 routers do not know the identity of routers or destinations outside their area. A level 1 router forwards all traffic for destinations outside its area to the nearest level 2 router within its area.

Overview E-Series Routers

10-3

Table 10-1 IS-IS terms (continued) Term level 2 routing Meaning Routing between areas Level 2 routers know the level 2 topology and know which addresses are reachable via each level 2 router. Level 2 routers track the location of each level 1 area. Level 2 routers are not concerned with the topology within any level 1 area (for example, the details internal to each level 1 area). Level 2 routers can identify when a level 2 router is also a level 1 router within the same area. Only a level 2 router can exchange packets with external routers located outside its routing domain.

link-state PDU (LSP)

PDU broadcast by link-state protocols that contains information about neighbors and path costs; used to maintain routing tables; also known as link-state advertisement

network entity title (NET) ISO network addresses used by CLNS networks; an identifier of a network entity in an end system or intermediate system. A NET consists of an area address (routing domain), system identifier, and selector. network service access point (NSAP) Hierarchical network address that specifies the point at which network services are made available to a transport layer entity in the OSI reference model. A valid NSAP address is unique and unambiguously identifies a single system. OSI term equivalent to packet, containing protocol control information and, possibly, user data. This chapter uses the term packet interchangeably with PDU. A collection of connected areas that provide full connectivity to all end systems located within them. A routing domain is partitioned into areas. Uniquely identifies a system within an area

protocol data unit (PDU)

routing domain

system identifier

10-4

CHAPTER 10 Configuring IS-IS

Figure 10-1 illustrates some of the terms described in Table 10-1 above.
Routing domain Intermediate Systems (ISs) Level 1 router Level 1 routing Level 1 router Level 1 router Level 1-2 router
Le ve l2
g013128

Area A

Area B

Area C

Level 1 router Level 1 routing

ng

Level 1 router Level 1 routing Level 1-2 router

ES ES End systems ES ES

ro

uti

Level 2 router

Level 2 routing

ES

End systems

ES

Figure 10-1 Overview of IS-IS topology

ISO Network Layer Addresses

ISO network layer addresses are flexible enough to make routing feasible in a worldwide Internet. Network layer addresses in ISO and IP are hierarchical and clearly identify level 1 and level 2 areas. These addresses can be up to 20 octets long; any packet that contains an address has one additional octet to specify the length of the address. An ISO addressalso known as the NSAP addressis broken into three parts: the area address, the system identifier (ID), and the NSAP selector.
area address system ID selector

The area address defines the routing domain and the area within the routing domain. The length of the ID field can be from 1 to 8 octets and uses a single fixed length for any one routing domain. The selector field is always 1 octet long. Usually, all end systems within the same area have the same area address. Some areas can have multiple addresses. The NSAP address is defined by the network entity title (NET) during configuration.
Level 1 Routing

A level 1 router looks at a packets area address and compares it with a destination address. If the area portion of the destination address matches

Overview E-Series Routers

10-5

its own areas address, the level 1 router uses the ID portion of the address to route the packet. If the area portion of the address does not match, the level 1 router routes the packet to a level 2 router within its area.
Level 2 Routing

Level 2 routers do not look at an areas internal structure, but simply route toward an area based on the area address. It is common for a level 2 router to also be a level 1 router in a particular area; these routers are sometimes referred to as level 1-2 routers. See Figure 10-1.
Dynamic Hostname Resolution

The system identifier of the NSAP address identifies a node in a network. System operators often find symbolic hostnames to be easier to use and remember than the system identifier. However, a static mapping of hostname to system identifier requires every router to maintain a table of the mappings; each table must contain the hostnames and system identifiers of every router in the network. The static mapping must be managed by router operators, and every change or addition of a mapping requires all the tables to be updated. Consequently, the static tables are likely to become rapidly outdated. The router supports dynamic resolution of hostnames to system identifiers. You can use the clns host command to map the hostname to the NSAP address, and therefore to the system ID. This mapping is inserted in the dynamic hostname type-length-value tuple (TLV type 137), and subsequently advertised when LSPs are transmitted. The value field contains the hostname, preferably the fully qualified domain name (FQDN) of the host, or a subset of the FQDN. You can display the TLV by issuing the show isis database detail command.
Authentication

The router supports hash function-based message authentication code (HMAC) MD5 authentication for IS-IS to prevent unauthorized routers from injecting false routing information into your network or forming adjacencies with your router. Authentication is disabled by default. When you enable IS-IS MD5 authentication, the router creates secure digests of the packets, encrypted according to the HMAC MD5 message-digest algorithms. The digests are inserted into the packets from which they are created. Depending on the commands you issue, the digests can be inserted into hello packets, link-state PDUs, complete sequence number PDUs, and partial sequence number PDUs.

10-6

CHAPTER 10 Configuring IS-IS

Commands

The area-message-digest-key command specifies an HMAC MD5 key that the router uses to create a message digest of each level 1 packetLSPs, CSNPs, and PSNPstransmitted by area routers. Using MD5 authentication for area routers protects against unauthorized routers injecting false routing information into the area portions of your network. The domain-message-digest-key command specifies an HMAC MD5 key that the router uses to create a message digest of each level 2 packetLSPs, CSNPs, and PSNPstransmitted by domain routers. Using MD5 authentication for domain routers protects against unauthorized routers injecting false routing information into the routing domain portions of your network. The isis message-digest-key command specifies an HMAC MD5 key that the router uses to create a message digest of level 1 or level 2 hello packets on the interface. Level 1 packets are the default. Using MD5 authentication on interfaces protects against intrusion by preventing unauthorized routers from forming adjacencies with your router.
Example

Suppose authentication is configured on router LA and router SanDiego, but not on router SanJose, as shown in Figure 10-2. Router LA and router SanDiego accept packets from each other because they contain message digests generated by an accepted key. Router SanJose accepts packets from router LA and router SanDiego, and simply ignores the message digest included in their packets. Router LA and router SanDiego reject packets from router SanJose because those packets do not include a message digest.

SanJose

LA

SanDiego

Figure 10-2 Packet flow between routers with and without authentication set

g013129

Overview E-Series Routers

10-7

Specifying Start and Stop Timing

With each of the MD5 commands, you can specify when the router will start and stop accepting packets that include a digest made with this key. You can also specify when the router will start and stop generating packets that include a digest made with this key. If you specify a time for any of these actions, you can further specify the day, month, and year. The default times are as follows: Start accepting keys (startAcceptTime) current time Stop accepting keys (stopAcceptTime) never Start generating keys (startGenTime) current time plus 2 minutes Stop generating keys (stopGenTime) never If you specify times, you must follow these guidelines to achieve appropriate timing between the actions: startAcceptTime must be less than startGenTime. stopGenTime must be less than stopAcceptTime. When a new key replaces an old one, the startGenTime time for the new key must be less than or equal to the stopGenTime time of the old key. For example, suppose you configure authentication on router A and router B. If the startGenTime for router A is earlier than the startAcceptTime for router B, router B does not accept packets from router A until the current time matches its startAcceptTime. The router accepts any packet authenticated with a key you have defined if the packet is received within the period defined for the key by its startAcceptTime and stopAcceptTime. If more than one key has been defined for that period, the router determines which key to use by comparing the startGenTime with the current time. When the startGenTime of a key matches the current time, the router starts using this key to transmit packets and stops using the previous key.
Example
host1(config-router)#area-message-digest-key 1 hmac-md5 mr942s7n start-accept 08:00:00 start-generate 9:00:00 stop-accept 23:00:00 stop-generate 22:59:59 host1(config-router)#area-message-digest-key 2 hmac-md5 dsb38h5f start-accept 08:00:00 start-generate 0:00:00 stop-accept 23:00:00 stop-generate 22:59:59

Both key 1 and key 2 are configured to be accepted between 08:00:00 and 23:00:00. When the current time reaches 09:00:00, the router begins using key 1 to transmit packets. When the current time reaches 10:00:00,

10-8

CHAPTER 10 Configuring IS-IS

the router begins using key 2 to transmit packets; key 1 is no longer used. Key 2 will continue to be used until a new key is configured and the new key's startGenTime matches the current time on the router.
Halting MD5 Authentication

To prevent key expiration from causing your network to revert to an unauthenticated condition, you cannot halt MD5 authentication by using the timers. When the stopGenTime time for a key is reached, the router does not stop generating the key if it was the last key issued. You must delete all keys to halt authentication. Use the no version of the command to delete a key.
Managing and Replacing Keys

A key has an infinite lifetime if you do not specify stopGenTime and stopAcceptTime. (As noted above, if the last key expires, the router continues to generate that key.) Many system operators choose to roll their keys over on a regular basis, such as every month. If you determine that a key is no longer secure, you should configure a new key immediately. We recommend the following practice for configuring new keys:
1 2 3

Configure the new key on all routers in the IS-IS network. Verify that the new key is working. Delete the old key from every router.

Each key has an associated key-ID that you specify. The key-ID is sent with the message digest, so that the receiving routers know which key was used to generate the digest. You also use the key-ID to delete a key.
Extensions for Traffic Engineering

The router supports new-style TLV tuples described in the Internet draft, IS-IS Extensions for Traffic Engineering. The router ID TLV (TLV type 134) contains the ID of the router that originates the LSP, providing a stable address that can always be referenced regardless of the state of node interfaces. The extended IP reachability TLV (type 135) carries IP prefixes and is similar to the IP reachability TLVs (types 128 and 130). The extended IS reachability TLV (type 22) contains information about a series of IS neighbors and is similar to the IS neighbor TLV (type 2). The older TLVs2, 128, 130each have a narrow metric field, providing for metric values ranging only from 063. The new TLVs22

Overview E-Series Routers

10-9

and 135have a new data structure that includes a wide metric field of 3 bytes (extended IS reachability; configurable) or four bytes (extended IP reachability; calculated). Both new TLVs provide for the use of sub-TLVs to carry more information about IS neighbors; however, only the extended IS reachability TLV currently has defined sub-TLVs, such as IPv4 interface and neighbor addresses. Use the metric-style commands to configure what style the router generates and accepts. The following behaviors are supported: Generates and accepts only old-style metrics Generates only old-style metrics, but accepts old style and new style Generates and accepts both old-style and new-style metrics (this option consumes the most system resources) Generates only new-style metrics, but accepts old style and new style Generates and accepts only new-style metrics Refer to the Internet draft, IS-IS Extensions for Traffic Engineering, for more information about these extensions.
Integrated IS-IS

The E-series router supports the Integrated IS-IS version of IS-IS. Integrated IS-IS provides a single routing algorithm to route both TCP/IP and OSI Connectionless Network Protocol (CLNP) packets. This design adds IP-specific information to the OSI IS-IS routing protocol. It supports IP subnetting, variable subnet masks, type of service (ToS), and external routing. Integrated IS-IS allows for the mixing of routing domains; that is, IP-only routers, OSI-only routers, and dual (IP and OSI) routers. OSI and IP packets are forwarded directly over the link layer services without needing mutual encapsulation. The E-series router supports IS-IS only for the routing and forwarding of TCP/IP packets. Forwarding of OSI packets is not supported.
Equal-Cost Multipath

IS-IS supports equal-cost multipath (ECMP) and installs into the routing table multiple entries for paths to the same destination. Each of these multiple paths to a given destination must have the same cost as the others, but a different next hop.

10-10

CHAPTER 10 Configuring IS-IS

References
For more information about the IS-IS protocol, consult the following resources: E-Series Release Notes, Appendix A, System Maximums refer to the Release Notes corresponding to your software release for information on maximum values. ISO International Standard 8473-1:1993 Information technology Protocol for providing the connectionless-mode network service ISO International Standard 9542:1988 (E) Information processing systems Telecommunications and information exchange between systems End System-to-Intermediate System Routing Exchange Protocol for use in conjunction with the protocol for providing the connectionless-mode network service (ISO 8473) ISO/IEC 10589:1992 Information technology Telecommunications and information exchange between systems Intermediate System-to-Intermediate System Intra-Domain Routing Exchange Protocol for use in conjunction with the protocol for providing the connectionless-mode network service (ISO 8473) Extended Ethernet Frame Size Support draft-ietf-isis-ext-eth-01.txt (November 2001 expiration) IS-IS Extensions for Traffic Engineering draft-ietf-isis-traffic-04.txt (August 2001 publication) Management Information Base for IS-IS draft-ietf-isis-wg-mib-10.txt (April 2003 expiration) RFC 1195 Use of OSI IS-IS for Routing in TCP/IP and Dual Environments (December 1990) RFC 2763 Dynamic Hostname Exchange Mechanism for IS-IS (February 2000) RFC 2966 Domain-wide Prefix Distribution with Two-Level IS-IS (October 2000) RFC 2973 IS-IS Mesh Groups (October 2000) Routing IPv6 with IS-IS draft-ietf-isis-ipv6-03.txt (April 2003 expiration)
Note: IETF drafts are valid for only 6 months from the date of issuance. They must be considered as works in progress. Please refer to the IETF Web site at http://www.ietf.org for the latest drafts.

Features E-Series Routers

10-11

Features
Some of the major IS-IS features supported by the router include: Optimization of route leaking from level 1 to level 2 Equal-cost paths maximum 32 equal paths Adjacency and LSP overrun Dynamic resolution of hostnames to system IDs Mesh groups Configurable LSP transmit and throttle intervals Route redistribution policies based on access lists between IS-IS levels Three-way handshake for point-to-point adjacencies HMAC MD5 authentication Support for bigger metric TLVs Domain-wide prefix distribution Traffic engineering for MPLS

Before You Run IS-IS

At least one IP address/router ID must be configured on your router for IS-IS to run.

Configuration Tasks
Configure Integrated IS-IS by completing the tasks in the order presented below. You must enable IS-IS. All other tasks are optional.
1 2 3 4 5

Enable IS-IS. Configure selected IS-IS interface-specific parameters. Configure selected global IS-IS parameters. Configure selected IS-IS parameters for monitoring and debugging purposes. Configure IS-IS parameters to enable CLNS packets to be recognized by your router and to monitor CLNS information.

10-12

CHAPTER 10 Configuring IS-IS

Enabling IS-IS
When enabling IS-IS, you must create an IS-IS routing process and assign it to specific interfaces rather than to networks. You can specify only a single IS-IS process per router. To enable IS-IS routing enter Global Configuration mode, and follow this procedure:
1

Specify an IS-IS process for IP. In this example, floor12 is specified as the tag name.
host1(config)#router isis floor12

The router is now in Router Configuration mode.

2

Configure Network Entity Titles (NETs) for the routing process that specify the ISO network address.
host1(config-router)#net 47.0010.0000.0000.0000.0001.0001.1111.1111.1111.00

Enter Interface Configuration mode, and specify the interface that you want to actively route IS-IS.
host1(config)#interface atm 2/0

Specify the IS-IS process to apply to the interface. Use the tag name from step 1.
host1(config-if)#ip router isis floor12

You can repeat steps 3 and 4 to apply the IS-IS process to multiple interfaces.
ip router isis
Use to configure an IS-IS routing process on an IP interface. Before the IS-IS router process is useful, you must assign a NET with the net command, and enable some interfaces with IS-IS. Use the tag parameter to specify a meaningful name for a routing process. It must be unique among all IP routing processes for a given router. If you choose not to specify a tag name, a null tag is assumed, and the process is referenced with a null tag. Use the same tag name for ip router isis as you did for the router isis command. Example
host1(config-if)#ip router isis floor12

Use the no version to disable IS-IS for IP on the interface.

Enabling IS-IS E-Series Routers

10-13

net
Use to configure a NET for a specified routing process. The NET defines the ISO address and consists of an area address or ID, a system ID, and a selector. You must configure a minimum of one NET. You are allowed a maximum of three NETs per router. You can manually add multiple area IDs by adding multiple NETs with the same system ID. There is no default value; net must be configured for an IS-IS process to start. Multiple NETs can be temporarily useful when there has been a network reconfiguration where either multiple areas are merged, or one area is in the process of being split into more areas. Multiple area addresses enable you to renumber an area slowly, without needing to set aside time to renumber areas all at once. When you use IS-IS to do IP routing only, a NET must be configured to instruct the router about its system ID and area ID. Example If you are configuring a router with the area ID 47.0005.80ff.f800.0000.0001.0001 and the system ID 0000.0c11.1111, you would enter it as shown. The last byte of the NET is the N-selector byte and is always 0.
host1(config-router)#net 47.0010.0000.0000.0000.0001.0001.1111.1111.1111.00

Use the no version to remove a specific NET. Remember that you must specify the NET. The last NET cannot be removed.

router isis
Always use the router isis command to enable the IS-IS routing protocol and to specify an IS-IS process for IP. Specify only one IS-IS process per router. Use the tag parameter to specify a meaningful name for a routing process. If you choose not to specify a tag name, a null tag is assumed, and the process is referenced with a null tag. Example
host1(config)#router isis floor12

Use the no version to disable IS-IS routing.

10-14

CHAPTER 10 Configuring IS-IS

Summary Example
host1(config)#router isis floor12 host1(config-router)#net 47.0010.0000.0000.0000.0001.0001.1111.1111.1111.00 host1(config-router)#exit host1(config)#interface atm 2/0 host1(config-if)#ip router isis floor12 host1(config-router)#exit host1(config-if)#interface atm 2/1 host1(config-if)#ip router isis floor12

Configuring IS-IS Interface-Specific Parameters

You can change IS-IS interface-specific parameters; most can be configured independently of other attached routers. You are not required to alter any interface parameters; however, some parameters must be consistent across all routers in your network. If you change certain values from the defaults, you must configure them on multiple interfaces and routers. You can configure IS-IS interfaces as follows: Set an HMAC MD5 authentication password on an interface. Configure the IS-IS link-state metrics. Set the advertised complete sequence number PDU (CSNP) interval. Set the advertised hello interval and hello multiplier. Set the LSP transmission interval. Set the retransmission interval. Set the retransmission throttle interval. Specify the designated router election. Specify the interface circuit type. Configure a passive interface. In the following command guidelines, notice that many parameters are preset to a default value. If that parameter has been modified from its default, use the no version of the command to restore its default value.

Configuring IS-IS Interface-Specific Parameters E-Series Routers

10-15

isis authentication-key
Use to specify a password associated with an interface for authentication of IS-IS hellos. You can specify whether the password is for level 1 or level 2 hellos. Example
host1(config-if)#isis-authentication-key 0 red5flower6

Use the no version to delete the password.

isis circuit-type
Use to specify adjacency levels on a specified interface; however, normally, you do not need to use this command. Configure a router as a level 1-only, a level 1level 2 system, or a level 2-only system. Configure some interfaces to be level 2-only for routers that are between areas. This prevents wasting bandwidth by sending out unused level 1 hellos. On point-to-point interfaces, the level 1 and level 2 hellos are in the same packet. Level 1-2 is the default. Example
host1(config-if)#isis circuit-type level-2-only

Use the no version to restore the default value, level-1-2.

isis csnp-interval
Configure the isis csnp-interval level for a specified interface. The level can be configured independently for level 1 and level 2. For LAN interfaces: the default value is 10 seconds, which you probably do not need to change. For WAN interfaces: the default value is 0 seconds or disabled. On point-to-point subinterfaces use isis csnp-interval in conjunction with the isis mesh-group command. Completed sequence number PDUs are sent by the designated router to maintain database synchronization. Example
host1(config-if)#isis csnp-interval 30 level-1

Use the no version to restore the default value.

10-16

CHAPTER 10 Configuring IS-IS

isis hello-interval isis hello-multiplier

Use the isis hello-interval command to set the length of time (in seconds) between hello packets sent on a specific interface. Configure independently for level 1 and level 2, except on point-to-point interfaces because only a single type of hello packet is sent on serial links. For this reason, it is independent of levels 1 and 2. For example, you can specify an optional level for Frame Relay multiaccess networks. Use the isis hello-multiplier command to set a number by which to multiply the hello interval seconds. This number determines the total holding time transmitted in the IS-IS hello packet. The default is 3. Use when hello packets are frequently lost and IS-IS adjacencies are failing unnecessarily.

Holding time time a neighbor waits for another hello packet before
declaring the neighbor is down. It determines how quickly a failed link or neighbor is identified so that routes can be recalculated. Raise the hello multiplier and lower the hello interval simultaneously to make the hello protocol more reliable without increasing the time required to detect a link failure. Example
host1(config-if)#isis hello-interval 6 level-1 host1(config-if)#isis hello-multiplier 10 level-1

Use the no version to restore a default value.

isis lsp-interval
Use to configure the delay between successive IS-IS link-state PDU (LSP) transmissions. You can choose an interval in the range 14294967295 milliseconds. For example, setting 100 milliseconds allows 10 packets per second. The default value is 33 milliseconds. If your network has many IS-IS neighbors and interfaces, a particular router may have difficulty with the CPU load imposed by LSP transmission and reception. If this is the case, you can reduce the LSP transmission rate by issuing this command. Example
host1(config-if)#isis lsp-interval 100

Use the no version to restore the default value, 33.

isis message-digest-key
Use to configure HMAC MD5 authentication for an interface. Generates a secure, encrypted message digest of level 1 or level 2 hello packets and inserts the digest into the packet from which it is created. Level 1 is the default. You can specify whether the key is entered in unencrypted or encrypted format. If you do not specify which, the string is assumed to be unencrypted.

Configuring IS-IS Interface-Specific Parameters E-Series Routers

10-17

Example
host1(config-if)#isis message-digest-key 3 hmac-md5 wdi6c3s39n level-2

For point-to-point interfaces, configure keys only for level 1, because only one hello packet is sent (at level 1), not one at level 1 and one at level 2. Keys configured at level 2 are ignored for point-to-point interfaces. Use the no version to delete the MD5 key, specified by the key ID, from the interface.

isis metric
Use to configure a cost for a specified interface. You can select a number in the range 063 if you configured the router with the metric-style narrow command. You can select a number in the range 016277215 if you configured the router with the metric-style transition or the metric-style wide command. The default value is 10. The default metric is the value assigned when no quality of service (QoS) routing is performed. You can configure the default metric for a specified interface by selecting level 1 or level 2 routing. This resets the metric only for level 1 or level 2 routing, respectively. We recommend that you configure metrics on all interfaces that are related to link speed. If you do not, the IS-IS metrics are simply hop-count-like metrics. Example
host1(config-if)#isis metric 20 level-2

Use the no version to restore the default value, 10.

isis priority
Use to set the priority of use for your designated router. You can configure an individual priority for level 1 and level 2 by choosing a priority level in the range 0127. The default priority level is 64. Specifying the level 1 or level 2 keyword resets the priority only for level 1 or level 2 routing, respectively. Priorities are used to determine which router in the network is the designated intermediate system (DIS); the router with the highest priority becomes the DIS. Priorities are advertised in hellos. IS-IS has no backup designated router. Setting the priority to 0 reduces the chance of this router becoming the DIS, but does not prevent it. If a router with a higher priority is identified, it takes over the role from the current DIS. When priorities are equal, the highest MAC address breaks the tie and becomes the DIS. Example
host1(config-if)#isis priority 80 level-1

Use the no version to restore the default value, 64.

10-18

CHAPTER 10 Configuring IS-IS

isis retransmit-interval
Use to configure the number of seconds between the retransmission of IS-IS LSPs with the same LSP ID for point-to-point links. You can select an interval in the range 165535 seconds. The default value is 5 seconds. Specify a number greater than the expected round-trip delay between any two routers on your network. Always specify conservatively; otherwise, excessive retransmission will result. Because retransmissions occur only when LSPs are dropped, when you set isis retransmit-interval to a higher value, it has little effect on reconvergence. You should set to a higher value when routers have many neighbors and/or more paths over which LSPs can be flooded. Use a large value for serial lines. Example
host1(config-if)#isis retransmit-interval 60

Use the no version to restore the default value, 5.

isis retransmit-throttle-interval
Use to configure the maximum rate at which IS-IS LSPs are retransmitted on point-to-point links. The interval is the number of milliseconds between packets. You can choose an interval in the range 065535 milliseconds. The default delay value is 33 milliseconds. The isis retransmit-throttle-interval is the maximum rate at which IS-IS LSPs are retransmitted. It is different from isis lsp-interval, which is the rate at which LSPs are transmitted on the interface; and it is different from isis retransmit-interval, which is the period between successive retransmissions of the same LSP. Use all three commands with each other to control the load of routing traffic from one router to its neighbors. Typically, you can set this interval for very large networks with many LSPs and many interfaces as a way of controlling LSP retransmission traffic. Example
host1(config-if)#isis retransmit-throttle-interval 300

Use the no version to restore the default value, 33.

Configuring IS-IS Interface-Specific Parameters E-Series Routers

10-19

passive-interface
Use to configure an IS-IS interface such that its IP address is advertised in its link-state PDUs, but no IS-IS packets are sent from or received on the interface. Example The following commands configure loopback 0 as a passive interface and enable IS-IS on subinterfaces ATM 2/0.1 and ATM 2/1.1. IS-IS advertises the IP address of loopback 0 in its link-state PDUs, but runs only on ATM 2/0.1 and ATM 2/1.1:
host1(config)#router isis floor12 host1(config-router)#net 47.0010.0000.0000.0000.0001.0001.1111.1111.1111.00 host1(config-router)#passive-interface loopback 0 host1(config-router)#exit host1(config)#interface atm 2/0.1 host1(config-if)#ip router isis floor12 host1(config-if)#exit host1(config)#interface atm 2/1.1 host1(config-if)#ip router isis floor12

You can override the passive-interface configuration simply by issuing the complementary command. For example, suppose you issue the following commands after the previous configuration:
host1(config-router)#passive-interface atm 2/0.1 host1(config-router)#exit host1(config)#interface loopback 0 host1(config-if)#ip router isis floor12

Now IS-IS advertises the IP address of ATM 2/0.1 in its link-state PDUs, but runs only on loopback 0 and ATM 2/1.1. You can also accomplish the equivalent of the passive-interface command by using the redistribute command to redistribute a connected route to level 1. Use the no version to delete the passive interface.

Summary Example
host1(config-router)#passive-interface loopback 0 host1(config-if)#interface atm 8/0.500 host1(config-if)#isis metric 20 level-2 host1(config-if)#isis csnp-interval 30 level-1 host1(config-if)#isis hello-interval 6 level-1 host1(config-if)#isis hello-multiplier 10 level-1 host1(config-if)#isis lsp-interval 100 host1(config-if)#isis retransmit-interval 60 host1(config-if)#isis retransmit-throttle-interval 300 host1(config-if)#isis priority 80 level-1 host1(config-if)#isis circuit-type level-2-only

10-20

CHAPTER 10 Configuring IS-IS

Configuring Global IS-IS Parameters

This section describes the commands you can use to globally configure optional IS-IS parameters. Set the maximum number of parallel routes. Set the mesh group. Suppress installation of default routes to level 1-2 routers. In the following command guidelines, notice that many parameters are preset to a default value. Use the no version of those commands to restore default values.
Setting Authentication Passwords

You can configure HMAC MD5 authentication either for an area or for a domain.
area-authentication-key
Use to specify a password used by neighboring routers for authentication of IS-IS level 1 LSPs, CSNPs, and PSNPs. You can specify whether the key is entered in unencrypted or encrypted format. If you do not specify which, the string is assumed to be unencrypted. Example
host1(config-router)#area-authentication-key 0 bigtree

Use the no version to delete the password.

area-message-digest-key
Use to configure HMAC MD5 authentication for an area. Generates a secure, encrypted message digest of level 1 packets (LSPs, CSNPs, and PSNPs) and inserts the digest into the packet from which it is created. You can specify whether the key is entered in unencrypted or encrypted format. If you do not specify which, the string is assumed to be unencrypted. Example
host1(config-router)#area-message-digest-key 1 hmac-md5 kd4s8hnEK

Use the no version to delete the MD5 key specified by the key ID.

domain-authentication-key
Use to specify a password used by neighboring routers for authentication of IS-IS level 2 LSPs, CSNPs, and PSNPs. You can specify whether the key is entered in unencrypted or encrypted format. If you do not specify which, the string is assumed to be unencrypted.

Configuring Global IS-IS Parameters E-Series Routers

10-21

Example
host1(config-router)#domain-authentication-key 8 4kl6n39us

Use the no version to delete the password.

domain-message-digest-key
Use to configure HMAC MD5 authentication for a domain. Generates a secure, encrypted message digest of level 2 packets (LSPs, CSNPs, and PSNPs) and inserts the digest into the packet from which it is created. You can specify whether the key is entered in unencrypted or encrypted format. If you do not specify which, the string is assumed to be unencrypted. Example
host1(config-router)#domain-message-digest-key 4 hmac-md5 4bFjt7es

Use the no version to delete the MD5 key specified by the key ID.

Configuring Redistribution

You can specify how IS-IS redistributes routes received from other routing protocols, redistributes routes according to new policies, and controls redistribution of routes with access lists and route maps.
access-list route-map
Use the access-list command to create a standard or extended access list. Use the route-map command to create a route map. For detailed information about configuring access lists and route maps, see Chapter 1, Configuring Routing Policy. Example 1 Configure three static routes:
host1(config)#ip route 20.20.20.0 255.255.255.0 192.168.1.0 host1(config)#ip route 20.20.21.0 255.255.255.0 192.168.1.0 host1(config)#ip route 20.21.0.0 255.255.255.0 192.168.1.0

2 Configure an access list with filters on routes 20.20.20.0/24 and 20.20.21.0/24:

host1(config)#access-list boston permit 20.20.0.0 0.0.255.255

3 Configure a route map that matches the previous access list and applies an internal metric type:
host1(config)#route-map 1 host1(config-route-map)#match ip address 1 host1(config-route-map)#set metric-type internal

10-22

CHAPTER 10 Configuring IS-IS

4 Configure redistribution into IS-IS of the static routes with route map 1:
host1(config)#router isis testnet host1(config-router)#redistribute static ip route-map 1

5 Use the show isis database command to verify the effect of the redistribution (the two static routes matching the route map are redistributed as level 2 internal routes):
host1#show isis database detail l2 IS-IS Level-2 Link State Database LSPID LSP Seq Num LSP Checksum 0x000002B7 LSP Holdtime ATT/P/OL 0000.0000.6666.00-00 NLPID: IP Address: 0xcc 192.168.1.105 0x3E1F 1198 0/0/0

Area Address: 47.0005.80FF.F800.0000.0001.0001

Metric: 10 IS 0000.0000.6666.01 Metric: 10 IS 0000.0000.3333.00 Metric: 10 IS 0000.0000.7777.00 Metric: 30 IP 20.20.21.0 255.255.255.0 Metric: 30 IP 20.20.20.0 255.255.255.0

Use the no version of the access-list command to remove the access list or the specified entry in the access list. Use the no version of the route-map command to remove an entry.

clear ip isis redistribution

Use to clear all the routes that have been previously redistributed into IS-IS and redistribute them using the current policy configured. Use when you have made changes to route maps or access lists that affect how routes are redistributed to IS-IS. Example
host1#clear ip isis redistribution

There is no no version.

disable-dynamic-redistribute
Use to halt the dynamic redistribution of routes that are initiated by changes to a route map. Dynamic redistribution is enabled by default. Example
host1(config-router)#disable-dynamic-redistribute

Use the no version to reenable dynamic redistribution.

redistribute
Use to redistribute routes from other routing protocols in the routing table to IS-IS. IS-IS advertises these routes within its level 1 and level 2 LSPs. The default is no source protocol defined for redistribution.

Configuring Global IS-IS Parameters E-Series Routers

10-23

This command can accomplish the same results as the passive-interface command by redistributing a connected route to level 1. Example
host1(config-router)#redistribute static ip

Use the no version to disable redistribution.

Redistributing Routes Between Levels

The two-level routing hierarchy of IS-IS can lead to suboptimal path selection in certain situations. Because a level 1 router by default has knowledge only of level 1 routes, traffic from a level 1 router to a router in another area passes through the nearest level 1-2 router as its next hop. Consider the topology shown in Figure 10-3.
Area 2 6 Level 1 routing 7 Level 1 8 Area 3 9

Level 1-2 Level 2 routing

Level 1-2 Area 1

Level 1-2

Level 2 routing

1 Level 2

Level 1-2

Level 1

Level 1 routing

Level 1

End system
Figure 10-3 Example of level 1 and level 2 routing

In this example, Router 4 in Area 1 considers Router 2 to be its next hop for interarea traffic, and Router 5 considers Router 3 to be its next hop for interarea traffic. Traffic from Router 4 to Router 8 passes through Router 2, requiring a total of five hops to the destination: Routers 2, 1, 3, 9, and 8. Similarly, five hops are required for traffic from Router 5 to Router 7.

g013130

ES

10-24

CHAPTER 10 Configuring IS-IS

Neither of these paths is optimal. For example, it would be shorter for traffic from Router 4 to take the four-hop path: Routers 5, 3, 9, and 8. You can configure IS-IS to redistribute routes between the routing levels; this is sometimes known as route leaking between levels. The redistribute isis ip command enables you to specify a route filter (an access list) and the direction of leakage, as shown in the following example:
host1(config)#access-list leakList permit ip 100.0.0.0 0.255.255.255 any host1(config)#router isis 1 host1(config-router)#redistribute isis ip level-1 into level-2 distribute-list leakList host1(config-router)#redistribute isis ip level-2 into level-1 distribute-list leakList

redistribute isis ip
Use to redistribute routes from level 1 to level 2 or from level 2 to level 1. Use the access list command to create a route filter to apply to the redistribution. Example
host1(config-router)#redistribute isis ip level-1 into level-2 distribute-list leakList

Use the no version to stop redistribution of routes between the specified levels.

Controlling Granularity of Routing Information

You can force the distribution of level 2 routing information to level 1 routers in other areas to improve the quality of the resulting routes, but at the cost of reduced scalability.
distribute-domain-wide
Use to increase the granularity of routing information within a domain. Domainwide prefix distribution enables a routing domain running with both level 1 and level 2 IS routers to distribute IP prefixes from level 2 to level 1 between areas. The major advantage for using domainwide prefix distribution is to improve the quality of the resulting routes within a domain by distributing more specific information. The major disadvantage of using domainwide prefix distribution is that it affects the scalability of IS-IS. When used, it increases the number of prefixes throughout the domain, causing increased memory consumption, transmission requirements, and computation requirements throughout the domain.

Configuring Global IS-IS Parameters E-Series Routers

10-25

A trade-off decision must be made between scalability and optimality.

host1(config-router)#distribute-domain-wide

Use the no version to halt the distribution of routes from level 2 to level 1.

Configuring Metric Type

Extensions to IS-IS traffic engineering enable the use of bigger metrics. You can specify whether your router accepts, generates, or accepts and generates only old-style metrics, only new-style metrics, or both.
metric-style narrow
Use to specify that the router generates and accepts only old-style TLV tuples. Old-style TLVs refers to TLVs having metrics with a narrow (six-bit) field that range in value from 063. New-style TLVs refers to TLVs having metrics with a wider field, as provided for in current extensions to IS-IS traffic engineering. Use the transition option to accept old-style and new-style metrics; only old-style metrics are generated. Specify whether the command applies to level 1, level 2, or both. Example
host1(config-router)#metric-style narrow level-2

Use the no version to restore the default, which is to generate and accept only old-style TLVs with narrow (six-bit) metric fields.

metric-style transition
Use to specify that the router generates and accepts both old-style and new-style TLV tuples. Old style refers to TLVs having metrics with a narrow (six-bit) field that range in value from 0 63. New style refers to TLVs having metrics with a wider field, as provided for in current extensions to IS-IS traffic engineering. Specify whether the command applies to level 1, level 2, or both. Example
host1(config-router)#metric-style transition level-1

Issuing this command results in more resource usage than issuing the metric-style narrow or metric-style wide commands. Use the no version to restore the default, which is to generate and accept only old-style TLVs with narrow (six-bit) metric fields.

metric-style wide
Use to specify that the router generates and accepts only new-style TLV tuples. Old style refers to TLVs having metrics with a narrow (six-bit) field that range in value from 0 63. New style refers to TLVs having metrics with a wider field, as provided for in current extensions to IS-IS traffic engineering.

10-26

CHAPTER 10 Configuring IS-IS

Use the transition option to accept old-style and new-style metrics; only new-style metrics are generated. Specify whether the command applies to level 1, level 2, or both. Example
host1(config-router)#metric-style wide level-1-2

Use the no version to restore the default, which is to generate and accept only old-style TLVs with narrow (six-bit) metric fields.

Setting the Administrative Distance

You can indicate the dependability of a routing information source by configuring the administrative distance for learned routes.
distance ip
Use to configure the administrative distance for IS-IS learned routes. The distance indicates the dependability of a routing information source. A higher relative value indicates lower dependability. Preference is always given to the routes with smaller values. Select a value between 1 and 255. A value of 255 means discard the route. Example
host1(config-router)#distance ip 50

Use the no version to restore the default value, 115.

Configuring Default Routes

You can specify a default route within IS-IS routing domains. You can also suppress the installation of a default route to level 1-2 routers by level 1 routers.
default-information originate
Use to generate a default route into an IS-IS routing domain. When you specify a route map with this command and the router has a route to 0.0.0.0 in the routing table, IS-IS originates an advertisement for 0.0.0.0 in its LSPs. When you do not specify a route map, the default route is advertised only in level 2 LSPs. For level 1 routing, look for the closest level 1-2 router to find the default route. The closest level 1-2 router is found by looking at the attach bit (ATT) in level 1 LSPs. The default is disabled. Example
host1(config-router)#default-information originate

Use the no version to disable the command.

Configuring Global IS-IS Parameters E-Series Routers

10-27

suppress-default
Use to prevent level 1 routers from automatically installing a default route to a level 1-2 router in order to reach destinations outside the area. Suppresses level 1-2 router from indicating to level 1 routers that it can reach other areas. Consequently, the level 1 routers do not consider the level 1-2 router to be the nearest attached level 2 router and do not install default routes to it. This command is useful, for example, if you issue the distribute-domain-wide command, which causes the level 2 routes to be leaked into the level 1 area. The level 1 routers then have knowledge of the routes outside the area and will not need to rely on the nearest attached level 2 router for any unknown destination. Example
host1(config-router)#suppress-default

Use the no version to disable suppression of default routes.

Setting Router Type

You can specify whether the router behaves as an IS-IS station router, area router, or both.
is-type
Use to configure the router to act as either a station router (level 1), an area router (level 2), or as both a station router and an area router (level 1-2). You should always configure the type of IS-IS router. Level 1-2 is the default. Example
host1(config-router)#is-type level-2-only

Use the no version to restore the default value, level-1-2.

Summarizing Routes

You can summarize routes redistributed into IS-IS or within IS-IS by creating aggregate addresses for the routes.
summary-address
Use to create aggregate addresses of routes that are redistributed from other protocols in the routing table or distributed between level 1 and level 2 by a summary address. This process is called route summarization. A single summary address includes groups of addresses for a given level. The metric value is used when the router advertises the summary address. When the metric value is not used, the value of the lowest cost route (the default) is used.

10-28

CHAPTER 10 Configuring IS-IS

This command reduces the size of the neighbors routing table and improves stability because a summary advertisement depends on many more specific routes. A disadvantage of summary addresses is that other routes might have less information to calculate the optimal routing table for all individual destinations. Example
host1(config-router)#summary-address 10.2.0.82 255.255.0.0 level-1-2

Use the no version to restore the default, the value of the lowest cost route.

Configuring the Router to Be Ignored

If you have a router through which you do not want IS-IS traffic to pass, you can set the overload bit, causing other IS-IS routers to ignore the router.
set-overload-bit
Use to configure the router to set the overload bit in its nonpseudonode LSPs. When set, other routers ignore the unreliable router in their SPF calculations until the router problems are corrected. You would normally set the overload bit only when a router runs into problems such as memory shortage that may result in routing table inaccuracies. When set, no paths through this router can be seen by other routers in the IS-IS area. IP prefixes directly connected to this router are still reachable. Set this command when you want to connect a router to an IS-IS network but you do not want real traffic flowing through it. For example, you could set the overload bit if a test router were connected to a production network. Example
host1(config-router)#set-overload-bit

Use the on-startup keyword to specify a period in seconds after router reboot during which the overload bit is set. Other systems cannot route through the router until the bit clears, by which time all interfaces and protocols are up and the router is fully operational. Example
host1(config-router)#set-overload-bit on-startup 900

There is no default value; the overload bit is not set. Use the no version to disable the setting.

Configuring Global IS-IS Parameters E-Series Routers

10-29

Ignoring LSP Errors

You can configure the router to ignore rather than purge LSPs received with errors.
ignore-lsp-errors
Use to enable your router to ignore rather than purge IS-IS LSPs that are received with internal checksum errors. Under normal conditions, the IS-IS protocol definition requires that received LSPs with incorrect data link checksums are to be purged by the receiver. This causes the LSP initiator to regenerate LSPs. If a network link causes data corruption while still delivering LSPs with correct data link checksums, a continuous cycle of regenerating and purging LSPs may result. This can render the network nonfunctional. Enabling this command prevents this continuous cycle from occurring because LSPs are ignored rather than purged. Example
host1(config-router)#ignore-lsp-errors

Use the no version to disable the function.

Logging Adjacency State Changes

You can configure the router to log messages that track when adjacencies change state between up and down.
log-adjacency-changes
Use to generate log messages that track IS-IS adjacency state changes (up or down). The default is not to log adjacency state changes. Recommended for monitoring large networks. The system logs messages by using the router error message facility. Specify the minimum severity (07) or verbosity (low, medium, high) of this log category's messages. Example
host1(config-router)#log-adjacency-changes severity 3 verbosity low

Alternatively, you can use the system log command to generate the desired log messages. Use the no version to disable the function.

10-30

CHAPTER 10 Configuring IS-IS

Configuring LSP Parameters

You can specify the following parameters for LSPs: Maximum transmission unit (MTU) Transmission rate Generation rate Maximum lifetime
lsp-mtu
Use to specify the MTU LSP size in bytes. The size must be less than or equal to the smallest MTU of any link in the area. Use this command to limit the size of LSPs generated by this router only. The router can receive LSPs of any size up to the maximum. You can set the value in the range 1289180. The default LSP MTU value is 1497. When a very large amount of information is generated by a single router, we recommend that you increase the LSP MTU. However, the default MTU is usually sufficient. If the MTU of a link is lowered to less than 1500 bytes, the LSP MTU must be lowered accordingly on each router in the network. If this is not done, routing may become unpredictable. Example
host1(config-router)#lsp-mtu 1500

Use the no version to restore the default value, 1497.

lsp-gen-interval
Use to set the minimum interval rate that LSPs are generated on a per-LSP basis. You can set an interval value in the range 0120 seconds. The default interval value is 5 seconds. When a link is changing state at a high rate, the default value limits the signalling of the changing state to once every 5 seconds. Because the generation of an LSP may cause all routers in the area to perform the shortest path first (SPF) calculation, controlling this interval can have an areawide effect. When you raise this interval, you reduce the load on the network imposed by a rapidly changing link. Example
host1(config-router)#lsp-gen-interval level-2 30

Use the no version to restore the default value, 5.

Configuring Global IS-IS Parameters E-Series Routers

10-31

lsp-refresh-interval
Use to set the LSP rate at which locally generated LSPs are periodically transmitted. The refresh interval determines the rate at which the router software periodically transmits the route topology information that it originates. These transmissions prevent the information from becoming obsolete. You can set the interval rate in the range 165535 seconds; the default is 900 seconds. LSPs must be periodically refreshed before their lifetimes expire. The refresh interval must be less than the LSP lifetime specified by max-lsp-lifetime. In the unlikely event that link stage database corruption is undetected, reducing the refresh interval reduces the amount of time that the corruption can persist. Increasing the interval reduces the link utilization caused by the flooding of refreshed packets. Example
host1(config-router)#lsp-refresh-interval 1000

Use the no version to restore the default value, 900.

max-lsp-lifetime
Use to set the maximum time that LSPs persist without being refreshed. You can select a maximum time in the range 165535 seconds. The default value is 1200 seconds (20 minutes). You might need to adjust the maximum LSP lifetime if you change the LSP refresh interval with the lsp-refresh-interval command. The maximum LSP lifetime must be greater than the LSP refresh interval. Example
host1(config-router)#max-lsp-lifetime 1500

Use the no version to restore the default value, 1200.

Specifying the SPF Interval

You can configure how often the router performs the shortest path first (SPF) calculation.
spf-interval
Use to control the minimum interval between the SPF calculations. You can select an interval value in the range 0120 seconds. The default value is 5 seconds. If you do not specify level1 or level2, the interval applies to both level 1 and level 2. SPF calculations are performed only when the topology of the area changes. They are not performed when external routes change. Controls how often the router software can perform the SPF calculation. The SPF calculation is processor-intensive. Therefore, it may be useful to limit how

10-32

CHAPTER 10 Configuring IS-IS

often calculation is done, especially when the area is large and the topology changes often. Increasing the SPF interval reduces the processor load of the router, but potentially slows down the rate of convergence. Example
host1(config-router)#spf-interval level-2 30

Use the no version to restore the default value, 5.

Defining the SPF Route Calculation Level

The IS-IS protocol uses the Dijkstra algorithm to compute IP node metrics when a change occurs within the IS-IS network. This calculation results in the IS-IS router containing a shortest path tree (SPT) that maps the shortest path to each node in the IS-IS network. By default, the router uses a partial route calculation (PRC) SPF to determine the next hop (when required). This partial computation occurs when the router receives link-state PDUs (LSPs) with only changes relating to IP prefixes (for example, the addition of a new IP prefix, change in attributes of an existing IP prefix, or the removal of an existing IP prefix). Because changes in IP prefixes happen more frequently than other events, using the PRC SPF results in faster IS-IS convergence and saves router resources. However, you can also specify that the router always use full SPF, recalculating the entire SPT, when resolving any IS-IS state changes.
full-spf-always
Use to enable and disable full SPF calculations for ISIS network changes. Example
host1(config-router)#full-spf-always

Use the no version to restore partial route calculation (PRC) mode for SPF calculations.

Configuring Global IS-IS Parameters E-Series Routers

10-33

Setting CLNS Parameters

You can specify transmission rates for ES and IS hello packets, the period for which the router considers ES and IS hello packets to be valid, and name-to-network service access point mappings.
clns configuration-time
Use to specify the rate (in seconds) at which ES hello and IS hello packets are sent. The hello packet recipient creates an adjacency entry for the router that sent it. If the next hello packet is not received within the specified interval, the adjacency times out, and the adjacent node is determined to be unreachable. In most cases, these parameters should be left at their default value, which is 10 seconds. Example
host1(config)#clns configuration 240

Use the no version to restore the default value, 10.

clns holding-time
Use to enable sender of an ES hello or IS hello packet to specify the length of time you consider the information in these packets to be valid. In most cases, these parameters should be left at their default value, which is 30 seconds. Example
host1(config)#clns holding-time 900

Use the no version to restore the default value, 30.

clns host
Use to define a name-to-NSAP mapping that can then be used with commands requiring NSAPs. The default is that no mapping is defined. The assigned NSAP name is displayed, where applicable, in show commands. The first character can be either a letter or a number. This command is generated after all other CLNS commands when the configuration file is parsed. As a result, the NVRAM version of the configuration cannot be edited to specifically change the address defined in the original clns host command. You must specifically change any commands that refer to the original address. This affects commands that accept names, such as the net command. Enables dynamic resolution of hostnames to system IDs (within the NSAP address). The hostname mapping is sent in the LSPs within the Dynamic Hostname type-length-value (TLV type 137). Display the TLV by issuing the show isis database detail command. Use the show hosts command to display the mapping.

10-34

CHAPTER 10 Configuring IS-IS

Example
host1(config)#clns host

Use the no version to restore the default state of no mapping defined.

Setting the Maximum Parallel Routes

You can configure how many parallel routes IS-IS supports to a destination.
maximum-paths
Use to control the maximum number of parallel routes IS-IS can support. You can select a number of routes (or paths) in the range 116. The default number for IS-IS is 4 paths. Example
host1(config-router)#maximum-paths 12

Use the no version to restore the default value, 4.

Configuring a Virtual Multiaccess Network

You can specify that interfaces within a given mesh group will act as a virtual multiaccess network.
isis mesh-group
Use when you want interfaces in the same mesh group to act as a virtual multiaccess network. LSPs seen on one interface in a mesh group will not be flooded to another interface in the same mesh group. Example
host1(config-if)#isis mesh-group blocked

Use the no version to disable the feature.

Summary Example
host1(config)#router isis floor12 host1(config-router)#net 47.0010.0000.0000.0000.0001.0001.1111.1111.1111.00 host1(config-router)#exit host1(config)#interface atm 0/1 host1(config-if)#ip router isis floor12 host1(config-if)#isis mesh-group blocked host1(config-if)#exit host1(config)#interface atm 1/0 host1(config-if)#ip router isis floor12 host1(config-router)#distribute-domain-wide

Configuring IS-IS for MPLS E-Series Routers

10-35

host1(config-router)#distance 100 ip host1(config-router)#default-information originate route-map 9 host1(config-router)#is-type level-1-2 host1(config-router)#summary-address 10.2.0.82 255.255.0.0 level-1-2 host1(config-router)#set-overload-bit host1(config-router)#ignore-lsp-errors host1(config-router)#log-adjacency-changes host1(config-router)#lsp-mtu 1500 host1(config-router)#lsp-refresh-interval 1000 host1(config-router)#lsp-gen-interval level-2 30 host1(config-router)#max-lsp-lifetime 1500 host1(config-router)#spf-interval level-2 30 host1(config-router)#maximum-paths 32 host1(config-router)#redistribute static ip host1(config-router)#exit host1(config)#clns configuration-time 120 host1(config)#clns holding-time 600

Configuring IS-IS for MPLS

IS-IS has several new commands to provide support for MPLS. See E-Series Routing Protocols Configuration Guide, Vol. 2, Chapter 2, Configuring MPLS, for a detailed discussion of MPLS. If you configure your tunnel with the tunnel mpls autoroute announce isis command, MPLS attempts to register the tunnel endpoint with IS-IS. You must enable this registration with IS-IS by issuing the mpls traffic-eng command. When you configure a node as the downstream endpoint of an LSP, you must provide a stable interface as the router ID for the endpoint. Typically you select a loopback interface because of its inherent stability. Use the mpls traffic-eng router-id command to specify the router ID. By default, IS-IS always uses the MPLS tunnel to reach the MPLS endpoint. Best paths determined by IS-IS SPF calculations are not considered. You can enable the consideration of best paths by issuing the mpls spf-use-any-best-path command. As a result, IS-IS considers metrics for IGP paths and the tunnel metric, and might forward traffic along a best path, through the MPLS tunnel, or both. Several show commands enable monitoring of MPLS information. See Monitoring IS-IS in this chapter for more information. MPLS traffic engineering requires that IS-IS generate the new-style TLVs that enable wider metrics. Use the metric-style wide command to

10-36

CHAPTER 10 Configuring IS-IS

generate the new-style TLVs. If you are using some IS-IS routers that still do not understand the new-style TLVs, use the metric-style transition command. See Extensions for Traffic Engineering (page 10-8) and Configuring Global IS-IS Parameters for detailed information about using the metric-style commands.
mpls spf-use-any-best-path
Use to enable SPF calculations to consider the IGP (IS-IS) best paths as well as the MPLS tunnel for forwarding traffic to the MPLS endpoint. By default, the MPLS tunnel is always selected for traffic to the tunnel endpoint; IGP paths are not considered. For traffic beyond the endpoint, the tunnel is considered equally with any other path. Example
host1(config-router)#mpls spf-use-any-best-path

Use the no version to disable the use of IGP best paths.

mpls traffic-eng
Use to enable flooding of MPLS traffic engineering link information into the specified IS-IS level. Flooding is disabled by default. Example
host1(config-router)#mpls traffic-eng level-1

Use the no version to disable flooding.

mpls traffic-eng router-id

Use to specify a very stable interface to be used as a router ID for MPLS traffic engineering. Typically you specify a loopback interface to provide the greatest stability, because this is flooded to all nodes. The interface acts as the destination node for tunnels originating at other nodes. Example
host1(config-router)#mpls traffic-eng router-id loopback 0

Use the no version to remove the interface as a router ID.

Using IS-IS Routes for Multicast RPF Checks

You can use the ip route-type command to specify whether IS-IS routes are available for only unicast forwarding protocols or only multicast reverse-path forwarding (RPF) checks. Routes available for unicast forwarding appear in the unicast view of the routing table, whereas routes available for multicast RPF checks appear in the multicast view of the routing table.

Monitoring IS-IS E-Series Routers

10-37

ip route-type
Use to specify whether IS-IS routes are available only for unicast forwarding, only for multicast reverse-path forwarding checks, or for both. Use the show ip route command to view the routes available for unicast forwarding. Use the show ip rpf-routes command to view the routes available for multicast reverse path forwarding checks. By default, IS-IS routes are available for both unicast forwarding and multicast reverse path forwarding checks. Example
host1(config)#router isis host1(config-router)#ip route-type unicast

Use the no version to restore the default value, both.

Monitoring IS-IS
The CLI has commands available for monitoring IS-IS parameters and CLNS parameters.
Monitoring IS-IS Parameters

You can monitor the IS-IS link-state database and IS-IS debug information. Use the commands in this section to: Display router information. Display information about SPF calculations. Monitor IS-IS summary address information. Display debug information. Display host. Display information about MPLS tunnels. Clear adjacencies. Display paths to intermediate systems. You can use the output filtering feature of the show command to include or exclude lines of output based on a text string you specify. Refer to E-Series System Basics Configuration Guide, Chapter 2, Command Line Interface, for details.

10-38

CHAPTER 10 Configuring IS-IS

clear isis adjacency

Use to remove entries from the adjacency database. Specify a hostname or the system ID of a neighbor to clear only adjacencies with that neighbor. Specify no options to remove all adjacencies from the database. Example
host1#clear isis adjacency

There is no no version.

debug isis
Use to obtain debug-related information about certain parameters. This command manipulates the same log as the Global Configuration log commands. You can select from these parameters:

adj-packets IS-IS adjacency-related packets mpls traffic-eng advertisements MPLS traffic-engineering agent
advertisements

mpls traffic-eng agents MPLS traffic-engineering agents snp-packets IS-IS CSNP/PSNP packets spf-events IS-IS Shortest Path First events spf-statistics IS-IS SPF timing and statistic data spf-triggers IS-IS SPF triggering events update-packets IS-IS update-related packets
host1#debug isis adj-packets

Example

Use the no version to disable debugging display.

show hosts
Use to display the name-to-NSAP mappings defined with the clns host command. Field descriptions

Static Host Table

name name assigned to the host ip address host IP address type type of host username username ncecessary to access the host password password necessary to access the host

Clns Host Alias Table

name name of the host alias area address area address of the host alias

Monitoring IS-IS E-Series Routers

10-39

system ID six-byte value of the host alias type type of host alias Example
host1:abc#show hosts Static Host Table ----------------name ---jkk ip address ---------10.10.0.73 type ---ftp username --------anonymous password -------null

Clns Host Alias Table --------------------name fred area address system ID type ----- -------------------------------- ----------------- -----47.0005.80FF.F800.0000.0001.0001 0000.0000.0011.00 static karen 47.0005.80FF.F800.0000.0001.0001 0000.0000.0012.00 static

show isis database

Use to display IS-IS link-state database information. Each option (described below) can be entered in an arbitrary string within a single command entry. Request specific show isis database statistics by selecting from these options:

lspid link-state protocol ID in form xxxx.xxxx.xxxx.yy-zz detail detailed link-state database information; if this option is not
specified, a summary display is provided

l1 level 1 routing link-state database l2 level 2 routing link-state database level-1 level 1 routing link-state database level-2 level 2 routing link-state database

Field descriptions

LSPID LSP identifier LSP Seq Num sequence number for the LSP. Enables other routers to
determine if they have received the latest information from source.

LSP Checksum checksum of the LSP packet LSP Holdtime number of seconds that the LSP remains valid ATT attach bit; indicates that the router is a level 2 router and can reach
other areas

P P bit; detects whether intermediate system is capable of area partition

repair

OL overload bit; determines whether intermediate system is congested Area Address area addresses that can be reached from the router NLPID ISO network layer protocol identifier IP Address IP address of the interface Hostname hostname of the router

10-40

CHAPTER 10 Configuring IS-IS

Router ID ID configured on the router Metric metric that indicates either of the following costs:
cost of adjacency between the originating router and the advertised neighbor cost between the advertising router and the advertised destination

IPv4 Interface Address address of the interface IPv4 Neighbor Address address of a neighbor
Example 1
host1#show isis database IS-IS Level-1 Link State Database LSPID LSP Seq Num LSP Checksum LSP Holdtime ATT/P/OL 0x000013F5 0x00000007 0x0000308D 0x00000011 0x0000005F 0x8BAA 1198 0xEA1E 1199 0x8C30 1199 0x5EDF 1198 0xB082 1195 0x9860 1196 0/0/0 0/0/0 0/0/0 0/0/0 1/0/0 0/0/0 0000.0000.004E.00-00 0000.0000.3333.02-00 0000.0000.7500.00-00 0090.1A00.B000.00-00 0090.1A00.C000.00-00

0000.0000.3333.00-00* 0x0000020F

IS-IS Level-2 Link State Database LSPID LSP Seq Num LSP Checksum LSP Holdtime ATT/P/OL 0x00001355 0x00000007 0x00003315 0x00000BAF 0x00000016 0x00000071 0x0DA7 1198 0x566B 1199 0x8C30 1199 0x3627 1198 0x187A 1183 0xD624 1195 0x9358 1196 0/0/0 0/0/0 0/0/0 0/0/0 0/0/0 1/0/0 0/0/0 0000.0000.004E.00-00 0000.0000.3333.02-00 0000.0000.7500.00-00 0010.7B36.5FF7.00-00 0090.1A00.B000.00-00 0090.1A00.C000.00-00

0000.0000.3333.00-00* 0x00000257

Example 2
host1#show isis database detail LSPID LSP Seq Num LSP Checksum LSP Holdtime ATT/P/OL boston.00-00*0x000001160x4760 6551/0/0 Area Address: 47.0005.80FF.F800.0000.0000.0004 NLPID: IP Address: Router ID: 0x81 0xcc 10.1.1.1 10.1.1.1 10.1.1.1 10.1.1.2 10.1.3.1 10.1.3.3

Hostname: boston Metric: 10 IS newyork.00 IPv4 Interface Address: IPv4 Neighbor Address: Metric: 10 IS washington.00 IPv4 Interface Address: IPv4 Neighbor Address: Metric: 10 IP 10.1.1.0/24

Metric: 10 IP 192.168.1.0/24

Monitoring IS-IS E-Series Routers

10-41

Metric: 10 IP 10.1.3.0/24 Metric: 20 IP 10.1.2.0/24

Example 3

host1#show isis database verbose IS-IS Level-1 Link State Database LSPID zion.00-00* NLPID: IP Address: Router ID: Metric: 0 LSP Seq Num 0x00000011 0x81 0xcc 222.9.1.1 222.9.1.1 ES 2220.0900.1001 0 221.1.1.1 221.1.1.2 50000 50000 LSP Checksum 0xBFAD LSP Holdtime 487 ATT/P/OL 0/0/0

Area Address: 47.0005.80FF.F800.0000.0000.0003

Hostname: zion

Metric: 10 IS london.00 Administrative group: IPv4 Interface Address: IPv4 Neighbor Address: Maximum link bandwidth: Unreserved bandwidth: Priority 0: Priority 1: Priority 2: Priority 3: Priority 4: Priority 5: Priority 6: Priority 7: 50000 50000 50000 50000 30000 30000 30000 30000 0 0 221.1.6.1 221.1.6.2 50000 50000

Reservable link bandwidth:

TE default metric: Metric: 10 IS london.00

Administrative group: IPv4 Interface Address: IPv4 Neighbor Address: Maximum link bandwidth: Unreserved bandwidth: Priority 0: Priority 1: Priority 2: Priority 3: Priority 4: Priority 5: Priority 6: Priority 7: 50000 50000 50000 50000 30000 30000 30000 30000 0

Reservable link bandwidth:

TE default metric:

10-42

CHAPTER 10 Configuring IS-IS

Metric: 10 IS paris.00 Administrative group: IPv4 Interface Address: IPv4 Neighbor Address: Maximum link bandwidth: Unreserved bandwidth: Priority 0: Priority 1: Priority 2: Priority 3: Priority 4: Priority 5: Priority 6: Priority 7: 0 0 0 0 0 0 0 0 0 0 221.1.4.1 221.1.4.4 0 0

Reservable link bandwidth:

TE default metric: Metric: 10 IP 221.1.1.0/24 Metric: 10 IP 221.1.6.0/24 Metric: 10 IP 221.1.4.0/24 Metric: 0 IP 222.9.1.1/32

show isis mpls adjacency-log

Use to display a log of the last 20 IS-IS adjacency changes. Field descriptions

When amount of time since recording the log entry Neighbor ID identifier for the neighbor IP Address IP address of the neighbor Interface interface from which neighbor was learned Status adjacency status, Up or Down Level IS-IS routing level

Example

host1#show isis mpls adjacency-log IS-IS MPLS TE log When 02:25:47 02:25:47 02:25:47 Neighbor ID 2220.0900.2002.00 2220.0900.2002.00 2220.0900.4004.00 IP Address 221.1.1.2 221.1.6.2 221.1.4.4 Interface Status at2/0.1 at2/0.6 at2/1.5 Up Up Up Level L1 L1 L1

Monitoring IS-IS E-Series Routers

10-43

show isis mpls advertisements

Use to display the last record flooded from MPLS. Field descriptions

System ID name or system ID of the MPLS tail-end (destination) router Router ID router ID for the router Link Count number of links that MPLS advertises Neighbor System ID identifier of the remote system in an area Administrative group TLV administrative group or color assigned to the link Interface IP address IP address of the interface Neighbor IP Address IP address of the neighbor Maximum link bandwidth bandwidth capacity of the link in bits per second Reservable link bandwidth amount of bandwidth reservable on the link (whether reserved or not) the link

Unreserved bandwidth amount of bandwidth available for reservation on Affinity Bits attributes flooded for the link
Example
host1#show isis mpls advertisements System ID: zion.00 Router ID: Link[1] Neighbor System ID: london.00 Administrative group: IPv4 Interface Address: IPv4 Neighbor Address: Maximum link bandwidth: Unreserved bandwidth: Priority 0: Priority 1: Priority 2: Priority 3: Priority 4: Priority 5: Priority 6: Priority 7: Link[2] Neighbor System ID: london.00 Administrative group: IPv4 Interface Address: IPv4 Neighbor Address: Maximum link bandwidth: 0 221.1.6.1 221.1.6.2 50000 50000 50000 50000 50000 50000 30000 30000 30000 30000 0 0 221.1.1.1 221.1.1.2 50000 50000 222.9.1.1

Reservable link bandwidth:

TE default metric:

Reservable link bandwidth:

10-44

CHAPTER 10 Configuring IS-IS

Unreserved bandwidth: Priority 0: Priority 1: Priority 2: Priority 3: Priority 4: Priority 5: Priority 6: Priority 7: Link[3] Neighbor System ID: paris.00 Administrative group: IPv4 Interface Address: IPv4 Neighbor Address: Maximum link bandwidth: Unreserved bandwidth: Priority 0: Priority 1: Priority 2: Priority 3: Priority 4: Priority 5: Priority 6: Priority 7: 0 0 0 0 0 0 0 0 0 0 221.1.4.1 221.1.4.4 0 0 50000 50000 50000 50000 30000 30000 30000 30000 0

TE default metric:

Reservable link bandwidth:

TE default metric:

show isis mpls tunnel

Use to display information about tunnels used in the calculation of IS-IS next hops. Field descriptions

System Id

System Id name or system ID of the MPLS tail-end (destination) router Tunnel Name name of the MPLS tunnel interface Nexthop destination IP address of the MPLS tunnel Metric metric of the MPLS tunnel Mode metric mode, either absolute or relative

Example
Tunnel Name Tunnel2 Nexthop 2.2.2.2 2.2.2.2 3.3.3.3 3.3.3.3 Metric -3 11 -1 Mode Relative Absolute Relative

host1#show isis mpls tunnel dakota-router1.00 Tunnel1 jersey-router2.00 Tunnel3 Tunnel4

Monitoring IS-IS E-Series Routers

10-45

show isis spf-log

Use to display how often and why the router has run a full SPF calculation. Field descriptions

When amount of time since a full SPF calculation took place, given in
hours:minutes:seconds. The previous 20 calculations are logged.

Duration number of seconds to complete this SPF run. The elapsed time is
in actual clock time, not CPU time.

First Trigger LSP whenever a full SPF calculation is triggered by a new

LSP, the LSP ID is stored in the router

SpfType type of SPF run Triggers list of causes that triggered the SPF calculation
Example 1
ERX-40-20-33:2#sho isis spf-log Level 1 SPF log When Duration First Trigger LSP SpfType Triggers LSP Add LSP Add LSP Add LSP Sequence Update 00:01:45 0.000 00:01:36 0.000 00:01:31 0.000 00:00:08 0.000 0000.0000.0000.00-00 Full 0000.0000.0000.00-00 Full 0000.0101.0101.00-00 Full 0000.0101.0101.00-00 PRC

Example 2

ERX-40-20-33:2#sho isis spf-log detail Level 1 SPF log When Duration First Trigger LSP SpfType Triggers LSP Add 00:01:53 0.000 RTupdt 0.000 RtLeak 0.000 00:01:44 0.000 RTupdt 0.000 RtLeak 0.000 00:01:39 0.000 RTupdt 0.000 RtLeak 0.000 00:00:16 0.000 RTupdt 0.000 RtLeak 0.000 0000.0101.0101.00-00 PRC LSP Sequence Update 0000.0101.0101.00-00 Full LSP Add 0000.0000.0000.00-00 Full LSP Add 0000.0000.0000.00-00 Full

10-46

CHAPTER 10 Configuring IS-IS

show isis summary-addresses

Use to display the status of IS-IS aggregate addresses. Field descriptions

Address aggregate addresses advertised by summarization process Mask IP subnet masks used for the summary routes Level level for which multiple groups of addresses can be summarized Metric metric used to advertise the summary State state of the summary address
host1#show isis summary-addresses Address -------3.0.0.0 4.0.0.0 Mask ---------255.0.0.0 255.0.0.0 Level --------LEVEL-1 LEVEL-1-2 Metric -----0 5 State ------ENABLED ENABLED

Example

show isis topology

Use to display the paths to all intermediate systems or specific types of intermediate systems. Field descriptions

System ID name or system ID of the intermediate system Metric metric of the path to the intermediate system Next Hop destination IP address of the intermediate system Interface interface from which neighbor was learned SNPA subnetwork point of attachment; for a LAN circuit, it is the MAC address; not meaningful for a point-to-point circuit.

Example
IS-IS paths for level-1 routers -------------------------------

host1#show isis topology level-1

System-ID barcelona:vr2

Metric 10

Next Hop ------------barcelona:vr2

Intf -------at2/0.12

SNPA ----

------------- ------

undebug isis
Use to cancel the display of information about a selected event. The same IS-IS variables can be designated as in the debug isis command. Example
host1#undebug isis adj-packets

There is no no version.

Monitoring IS-IS E-Series Routers

10-47

Displaying CLNS

You can display the following information related to the CLNS protocol: CLNS information about interfaces Information about router adjacencies Information about ES and IS neighbors Protocol-specific information for each routing process Information about CLNS packets Global CLNS configurations You can set a statistics baseline for CLNS using the baseline clns command.
baseline clns
Use to set a statistics baseline for CLNS. The router implements the baseline by reading and storing the statistics at the time the baseline is set and then subtracting this baseline whenever baseline-relative statistics are retrieved. Use the optional interface-specifier parameter to specify an interface; otherwise the command sets a baseline for all interfaces. You cannot set a baseline for groups of interfaces. When baselining is requested, the time since the last baseline was set is displayed in days, hours, minutes, and seconds. Use the optional delta keyword with the show clns traffic command to specify that baselined statistics are to be shown. There is no no version. Example

host1#show clns traffic detail IS-IS: Baseline last set 0 days, 0 hours, 1 minutes, 41 seconds IS-IS: Corrupted LSPs: 0 IS-IS: L1 LSP Database Overloads: 0 IS-IS: L2 LSP Database Overloads: 0 IS-IS: Area Addresses Dropped: 0 IS-IS: Attempts to Exceed Max Sequence: 0 IS-IS: Sequence Numbers Skipped: 6 IS-IS: Own LSPs Purged: 1 IS-IS: System ID Length Mismatches: 0 IS-IS: Maximum Area Mismatches: 0 Interface: atm2/1.3 IS-IS: Baseline last set 0 days, 0 hours, 1 minutes, 43 seconds IS-IS: Protocol PDUs (in/out): 32/36 IS-IS: Init Failures: 0

10-48

CHAPTER 10 Configuring IS-IS

IS-IS: Adjacencies Changes: 1 IS-IS: Adjacencies Rejected: 0 IS-IS: Bad LSPs: 0 IS-IS: Level-1 Designated IS Changes: 0 IS-IS: Level-2 Designated IS Changes: 0 IS-IS: Invalid 9542s: 0 host1#baseline clns atm 2/1.3 host1#show clns traffic detail delta IS-IS: Baseline last set 0 days, 0 hours, 2 minutes, 27 seconds IS-IS: Corrupted LSPs: 0 IS-IS: L1 LSP Database Overloads: 0 IS-IS: L2 LSP Database Overloads: 0 IS-IS: Area Addresses Dropped: 0 IS-IS: Attempts to Exceed Max Sequence: 0 IS-IS: Sequence Numbers Skipped: 6 IS-IS: Own LSPs Purged: 1 IS-IS: System ID Length Mismatches: 0 IS-IS: Maximum Area Mismatches: 0 Interface: atm2/1.3 IS-IS: Baseline last set 0 days, 0 hours, 0 minutes, 8 seconds IS-IS: Protocol PDUs (in/out): 2/1 IS-IS: Init Failures: 0 IS-IS: Adjacencies Changes: 0 IS-IS: Adjacencies Rejected: 0 IS-IS: Bad LSPs: 0 IS-IS: Level-1 Designated IS Changes: 0 IS-IS: Level-2 Designated IS Changes: 0 IS-IS: Invalid 9542s: 0

clear isis database

Use to delete all entries from the IS-IS link-state database, or only the entries associated with the specified neighbor. Field descriptions

LSPID LSP identifier LSP Seq Num sequence number for the LSP. Enables other routers to
determine if they have received the latest information from source.

LSP Checksum checksum of the LSP packet LSP Holdtime number of seconds that the LSP remains valid ATT attach bit; indicates that the router is a level 2 router and can reach
other areas

P P bit; detects whether intermediate system is capable of area partition

repair

OL overload bit; determines whether intermediate system is congested

There is no no version.

Monitoring IS-IS E-Series Routers

10-49

Example

host1#show isis database IS-IS Level-1 Link State Database LSPID rtr1.00-00* rtrtwo.00-00 LSP Seq Num 0x00000009 0x00000005 LSP Checksum 0x568F 0xEC9B LSP Holdtime 1188 444 ATT/P/OL 0/0/0 0/0/0

IS-IS Level-2 Link State Database LSPID rtr1.00-00* rtrtwo.00-00 LSP Seq Num 0x00000010 0x0000000C LSP Checksum 0xF630 0xF8DA LSP Holdtime 1193 1188 ATT/P/OL 0/0/0 0/0/0

host1#clear isis database host1#show isis database IS-IS Level-1 Link State Database LSPID LSP Seq Num LSP Checksum LSP Holdtime ATT/P/OL

IS-IS Level-2 Link State Database LSPID LSP Seq Num LSP Checksum LSP Holdtime ATT/P/OL

show clns
Use to display global CLNS information about the router. Field descriptions

Interfaces Enabled for CLNS number of interfaces that have the CLNS
routing protocol enabled

Configuration Timer interval (in seconds) after which the router sends out
IS hello packets

Default Holding Timer length of time (in seconds) that hello packets are
remembered

Packet Lifetime default value used in packets sourced by this router Intermediate system operation enabled (forwarding allowed) indicates
whether this router is configured to be an ES or an IS

IS-IS Level-1-2 Router shows whether IS-IS is running in this router, gives
tag information, and shows whether it is running level 1 or level 1-2

Routing for Area ISO (NSAP) address for the network Distribute domain wide enabled indicates whether distribute-domain-wide
is enabled

Area Authentication if area authentication is enabled, lists key-id, type of

authentication, start and stop accept times, and start and stop generate times for the key. An asterisk after the type indicates that the key is active.

Domain Authentication if domain authentication is enabled, lists key-id,

type of authentication, start and stop accept times, and start and stop generate times for the key. An asterisk after the type indicates that the key is active. Use the es-neighbors keyword to display information for IS-IS end-system adjacencies or the is-neighbors keyword to display information for IS-IS

10-50

CHAPTER 10 Configuring IS-IS

intermediate-system adjacencies. Neighbor entries are sorted according to the area in which they are located. The following fields are displayed when any of these keywords is used:

System Id six-byte value of router Interface interface on which the router was discovered State adjacency state, either Up or Init
Up believes that the ES or IS is reachable Init router is an IS and is waiting for an IS-IS hello message. IS-IS regards the neighbor as not adjacent.

Type level 1, level 2, and level 1-2 type adjacencies

L1 router adjacency for level 1 routing only L1L2 router adjacency for level 1 and level 2 routing L2 router adjacency for level 2 only

Priority IS-IS priority that the respective neighbor is advertising. The

highest-priority neighbor becomes the designated IS-IS router for the interface.

Circuit Id neighbors idea of what the designated IS-IS router is for the
interface Add the detail keyword to display area addresses and IP addresses. Example 1

host1#show clns Global CLNS Information: 3 Interfaces Enabled for CLNS NET: 47.0005.80FF.F800.0000.0001.0001.0000.0000.3333.00 Configuration Timer: 10, Default Holding Timer: 30, Packet Lifetime: 1200 Intermediate system operation enabled IS-IS level-1-2 Router: testnet Routing for Area: 47.0005.80FF.F800.0000.0001.0001 Distribution domain wide enabled Area Authentication: Key-id: 1 Type: hmac-md5 FRI JAN 14 09:57:41 2000 0 0 Start Accept: Stop Accept: Stop Generate: Key-id:

Start Generate: FRI JAN 14 09:59:41 2000

Domain Authentication: 1 Type: hmac-md5* WED JAN 12 19:01:52 2000 0 0 Start Accept: Stop Accept: Stop Generate:

Start Generate: WED JAN 12 19:03:52 2000

Monitoring IS-IS E-Series Routers

10-51

System Id

Example 2
Interface State up Type Priority L1L2 127 Circuit Id 0000.0000.0000.00 Circuit Id 0000.0000.0000.00

host1#show clns is-neighbors 0000.0000.7500 atm2/0.111 System Id Interface

host1#show clns is-neighbors detail State Type Priority L1L2 127 0000.0000.7500 atm2/0.111 up Ip Address(es):

Area Address(es): 47.0005.80FF.F800.0000.0001.0001 172.30.245.33

show clns interface

Use to display CLNS-specific information about each interface. Field descriptions

interface shows status of interface Checksums can be either enabled or disabled MTU shows the maximum transmission size for a packet on this interface Encapsulation describes encapsulation used by CLNP packets on this interface interface

Next ESH/ISH shows when the next ES hello or IS hello is sent on this Routing Protocol lists the area(s) that this interface is in. In most cases, an
interface will be in only one area.

Circuit type indicates whether the interface has been configured for local
routing (level 1), area routing (level 2), or local and area routing (level 1-2)

Authentication Level-1 if area authentication is enabled, lists key-id, type of

authentication, start and stop accept times, and start and stop generate times for the key. An asterisk after the type indicates the key is active.

Authentication Level-2 if domain authentication is enabled, lists key-id,

type of authentication, start and stop accept times, and start and stop generate times for the key. An asterisk after the type indicates the key is active.

Remaining fields display information about ISO CLNS routing protocols

enabled on the interface. For IS-IS, specifies the level 1 and level 2 metrics, priorities, interface IDs, next IS-IS hello interval, mesh group status, and number of active level 1 and level 2 adjacencies. Example
host1#show clns interface fastEthernet0/0 is up, line protocol is down Checksums Enabled, MTU 1500, Encapsulation SNAP Next ESH/ISH is 1 seconds Routing Protocol: IS-IS Circuit Type: level-1-2 Interface number 0x1, local circuit ID 0x1 Level-1 Metric: 10, Priority: 0, Circuit ID: 0000.0000.0000.01 Number of active level-1 adjacencies: 0 Level-2 Metric: 10, Priority: 0, Circuit ID: 0000.0000.0000.01

10-52

CHAPTER 10 Configuring IS-IS

Number of active level-2 adjacencies: 0 Next IS-IS LAN Level-1 Hello in 0 seconds Next IS-IS LAN Level-2 Hello in 0 seconds Mesh Group Inactive serial3/1:1/1.111 is up, line protocol is up Checksums Enabled, MTU 1600, Encapsulation Frame Relay Next ESH/ISH is 8 seconds Routing Protocol: IS-IS Circuit Type: level-1-2 Interface number 0x2, local circuit ID 0x2 Level-1 Metric: 10, Priority: 0, Circuit ID: 0000.0000.0000.02 Number of active level-1 adjacencies: 0 Level-2 Metric: 10, Priority: 0, Circuit ID: 0000.0000.0000.02 Number of active level-2 adjacencies: 0 Next IS-IS PTPT Hello in 3 seconds Mesh Group Inactive Authentication Level-1: Key-id: 1 Type: hmac-md5* WED JAN 12 18:56:20 2000 0 0 Start Accept: Stop Accept: Stop Generate: Key-id:

Start Generate: WED JAN 12 18:58:20 2000

Authentication Level-2: 1 Type: hmac-md5 FRI JAN 14 09:58:27 2000 0 0 Start Accept: Stop Accept: Stop Generate:

Start Generate: FRI JAN 14 10:00:27 2000

host1#show clns interface atm2/0.111 is up, line protocol is up Checksums Enabled, MTU 4470, Encapsulation ATM Next ESH/ISH is 2 seconds Routing Protocol: IS-IS Circuit Type: level-1-2 Interface number 0x1, local circuit ID 0x1
Level-1 Metric: 10, Priority: 0, Circuit ID:0000.0000.7500.07

Number of active level-1 adjacencies: 1 Level-2 Metric: 10, Priority: 0, Circuit ID:0000.0000.0000.01 Number of active level-2 adjacencies: 1 Next IS-IS PTPT Hello in 7 seconds Mesh Group Inactive ethernet6/0 is up, line protocol is up Checksums Enabled, MTU 1500, Encapsulation SNAP Next ESH/ISH is 8 seconds Routing Protocol: IS-IS Circuit Type: level-1-2

Monitoring IS-IS E-Series Routers

10-53

Interface number 0x2, local circuit ID 0x2 Level-1 Metric: 10, Priority: 0, Circuit ID:0000.0000.3333.02 Number of active level-1 adjacencies: 1 Level-2 Metric: 10, Priority: 0, Circuit ID:0000.0000.3333.02 Number of active level-2 adjacencies: 1 Next IS-IS LAN Level-1 Hello in 1 seconds Next IS-IS LAN Level-2 Hello in 3 seconds Mesh Group Inactive

show clns neighbors

Use to display information about ES and IS neighbors. Field descriptions

System Id six-byte value of router SNPA subnetwork point of attachment; the data link address Interface interface the router was learned from State state of the ES or IS Init router is an IS and is waiting for an IS-IS hello message. IS-IS regards the neighbor as not adjacent. Up believes the ES or IS is reachable

Holdtime number of seconds before this adjacency entry times out Type adjacency type. Possible values are as follows:
ES end-system adjacency either discovered via the ES-IS protocol or statically configured IS router adjacency either discovered via the ES-IS protocol or statically configured L1 router adjacency for level 1 routing only L1L2 router adjacency for level 1 and level 2 routing L2 router adjacency for level 2 only

Protocol protocol through which the adjacency was learned. Valid protocol
sources include ES-IS, IS-IS, and Static.
System Id 0000.0000.7500

Add keyword detail to display area addresses and IP addresses. Example

SNPA Interface atm2/0.111 172.30.245.33 State up Holdtime 30 Type Protocol L1L2 IS-IS

host1#show clns neighbors detail

Area Address(es): 47.0005.80FF.F800.0000.0001.0001 Ip Address(es):

10-54

CHAPTER 10 Configuring IS-IS

show clns protocol

Use to display protocol-specific information about a routing process. Field descriptions

IS-IS Router IS-IS router name System ID six-byte value of router IS-Type indicates the routing level (level 1, level 2, or both) that is enabled
on the router

Manual area addresses configured area addresses Routing for area address(es) identified for level 1 routing processes. For
level 2 routing processes, lists the domain address.

Interfaces supported by IS-IS lists interfaces and type Distance configured distance value Redistributing protocols being redistributed into IS-IS
Example
host1#show clns protocol IS-IS Router:testnet System Id: 0000.0000.3333.00 IS-Type: level-1-2 Manual area address(es):47.0005.80FF.F800.0000.0001.0001 Routing for area address(es):47.0005.80FF.F800.0000.0001.0001 Interfaces supported by IS-IS:atm2/0.111 - IP Distance: 115 Redistributing:

show clns traffic

Use to display all CLNS packets the router sees. Use the optional delta keyword to specify that baselined statistics are to be shown. Field descriptions

IS-IS: Baseline last set time since the baseline was set IS-IS: Corrupted LSPs number of LSPs received with errors IS-IS: L1 LSP Database Overloads number of overloads in level 1 IS-IS: L2 LSP Database Overloads number of overloads in level 2 IS-IS: Area Addresses Dropped number of area addresses that the router dropped maximum

IS-IS: Attempts to Exceed Max Sequence number of sequence wraps over IS-IS: Sequence Numbers Skipped number of LSPs received out of order IS-IS: Own LSPs Purged number of LSPs deleted IS-IS: System ID Length Mismatches number of unmatched system ID
lengths

IS-IS: Maximum Area Mismatches number of rejected hellos due to area

mismatches

IS-IS: Area/Domain Authentication Failures number of authentication

failures on received level 1 and level 2 LSP/SNPs

Monitoring IS-IS E-Series Routers

10-55

When you specify an interface, reports include the following additional field descriptions:

IS-IS: Protocol PDUs (in/out) number of packets in/out on interface IS-IS: Init Failures number of rejected hellos on interface IS-IS: Adjacencies Changes number of times adjacencies have
transitioned from down to up

IS-IS: Adjacencies Rejected number of times hellos are rejected because

of an incompatibility

IS-IS: Bad LSPs number of LSPs received with errors IS-IS: Level-1 Designated IS Changes number of times the level 1
designated router has changed

IS-IS: Level-2 Designated IS Changes number of times the level 2

designated router has changed

IS-IS: Invalid 9542s number of rejected ES hello packets IS-IS: Authentication Failures number of authentication failures on
received level 1 and level 2 hello packets

IS-IS: Interface IS-IS interface for which details are displayed

Add the detail keyword to show data for all interfaces. Example

host1#show clns traffic IS-IS: Baseline last set 0 days, 21 hours, 12 minutes, 15 seconds IS-IS: Corrupted LSPs: 0 IS-IS: L1 LSP Database Overloads: 0 IS-IS: L2 LSP Database Overloads: 0 IS-IS: Area Addresses Dropped: 0 IS-IS: Attempts to Exceed Max Sequence: 0 IS-IS: Sequence Numbers Skipped: 5 IS-IS: Own LSPs Purged: 0 IS-IS: System ID Length Mismatches: 0 IS-IS: Maximum Area Mismatches: 0 IS-IS: Area/Domain Authentication Failures: 0 host1#show clns traffic detail IS-IS: Baseline last set 0 days, 21 hours, 12 minutes, 40 seconds IS-IS: Corrupted LSPs: 0 IS-IS: L1 LSP Database Overloads: 0 IS-IS: L2 LSP Database Overloads: 0 IS-IS: Area Addresses Dropped: 0 IS-IS: Attempts to Exceed Max Sequence: 0 IS-IS: Sequence Numbers Skipped: 5 IS-IS: Own LSPs Purged: 0 IS-IS: System ID Length Mismatches: 0 IS-IS: Maximum Area Mismatches: 0 IS-IS: Area/Domain Authentication Failures: 0 Interface: fastEthernet0/0 IS-IS: Baseline last set 0 days, 21 hours, 12 minutes, 40 seconds

10-56

CHAPTER 10 Configuring IS-IS

IS-IS: Protocol PDUs (in/out): 62005/66617 IS-IS: Init Failures: 0 IS-IS: Adjacencies Changes: 2 IS-IS: Adjacencies Rejected: 0 IS-IS: Bad LSPs: 0 IS-IS: Level-1 Designated IS Changes: 2 IS-IS: Level-2 Designated IS Changes: 2 IS-IS: Invalid 9542s: 0 IS-IS: Authentication Failures: 0 Interface: serial3/2:1/1.222 IS-IS: Baseline last set 0 days, 21 hours, 12 minutes, 40 seconds IS-IS: Protocol PDUs (in/out): 10422/9522 IS-IS: Init Failures: 0 IS-IS: Adjacencies Changes: 1 IS-IS: Adjacencies Rejected: 0 IS-IS: Bad LSPs: 0 IS-IS: Level-1 Designated IS Changes: 0 IS-IS: Level-2 Designated IS Changes: 0 IS-IS: Invalid 9542s: 0 IS-IS: Authentication Failures: 0

Configuring VRRP

11
Page 11-1 11-2 11-3 11-7 11-8 11-12

This chapter describes how to configure the Virtual Router Redundancy Protocol (VRRP) on your E-series router.
Topic Overview References How VRRP Works How VRRP Is Implemented in the E-Series Router Configuring VRRP Monitoring VRRP

Overview
VRRP can prevent loss of network connectivity to end hosts if the static default IP gateway fails. By implementing VRRP, you can designate a number of routers as backup routers in the event that the default master router fails.
Note: It is important to understand that the term virtual router as defined in the E-Series System Basics Configuration Guide, Chapter 11, Configuring Virtual Routers, is different from what is implied by VRRP. In this chapter, the term virtual router always refers to a VRRP router; that is, a router that has enabled VRRP.

In case of a failure, VRRP dynamically shifts the packet-forwarding responsibility to a backup router. A redundancy scheme is created by VRRP, which allows hosts to keep a single IP address for the default gateway, but maps the IP address to a well-known virtual MAC address. VRRP provides this redundancy without user intervention or additional configuration at the end hosts.

11-2

CHAPTER 11 Configuring VRRP

VRRP is supported on the FE-2 line module and the GE/FE line module. VLANs and S-VLANs are fully supported.
Terminology

Table 11-1 provides definitions for the basic VRRP terms used in this chapter.
Table 11-1 VRRP definitions Term VRRP router Definition A router that is running VRRP. It may participate in one or more virtual router IDs (VRIDs). An IP redundancy instance can: Master router Act as a master with associated addresses it owns at an IP interface Act simultaneously as a backup for other routers with additional VRID mappings and priorities for those routers

The VRRP router that assumes the responsibility of forwarding packets sent to the IP address(es) associated with the virtual router, and that answers ARP requests for these IP addresses. If the IP address owner is available, then it always becomes the master. The VRRP router available to assume forwarding responsibility if the current master router fails. The IP interfaceVRID pair instance that has the associated IP address(es) as real interface address(es). This router, when up, responds to packets addressed to one of these IP addresses for ICMP pings or TCP connections. The IP address owner is the primary router. An IP address configured as primary from the set of real interface addresses. VRRP advertisements are always sent (by the master router) using the primary IP address as the source of the IP packet.

Backup router IP address owner

Primary IP address

References
For more information about VRRP, see: RFC 2338 Virtual Router Redundancy Protocol (April 1998) RFC 2787 Definitions of Managed Objects for the Virtual Router Redundancy Protocol (March 2000)
Note: It is important to have some background understanding of the Address Resolution Protocol (ARP) before configuring VRRP. See the section, Address Resolution Protocol (ARP), in Chapter 2, Configuring IP.

How VRRP Works E-Series Routers

11-3

How VRRP Works

The advantage of using VRRP is that you gain a higher availability for the default path without requiring configuration of dynamic routing or router discovery protocols on every end host. VRRP routers viewed as a redundancy group share the responsibility for forwarding packets as if they owned the IP address corresponding to the default gateway configured on the hosts. At any time, one of the VRRP routers acts as the master, and other VRRP routers act as backups. If the master router fails, a backup router becomes the new master. In this way, router redundancy is always provided, allowing traffic on the LAN to be routed without relying on a single router. There is always a master for the shared IP address. If the master goes down, an elected VRRP router forwards packets on behalf of the owner by taking over the virtual MAC address used by the owner. When implemented in your network, VRRP assumes that if any link to a subnet is active, the router has access to the entire subnet. VRRP leverages the broadcast capabilities of Ethernet. Provided that one of the routers in a VRRP configuration is running, ARP requests for the IP addresses assigned to the default gateway always receive replies. Additionally, end hosts can send packets outside their subnet without interruption.
Configuration Examples

Three VRRP configuration examples are described and illustrated in this section. They include: Basic VRRP configuration Common VRRP configuration VRRP configuration without the real address owner
Basic VRRP Configuration

As shown in Figure 11-1, the basic VRRP configuration uses a single VRID (VRID 1). Because R1 is the address owner, it serves as the master. Router R2 is the backup. The four end hosts on subnet 1 are configured to use 10.0.0.1/8 as the default router. IP address 10.0.0.1 is associated with VRID 1. In this example, if R1 becomes unavailable, R2 takes over VRID 1 and its associated IP addresses. Packets sent to IP destinations outside the 10.x.x.x subnet using 10.0.0.1 as the router are then forwarded by R2. Even though R2 assumes R1s forwarding responsibilities, it never

11-4

CHAPTER 11 Configuring VRRP

processes any packet with destination address (DA) 10.0.0.1. When R1 becomes active again, it takes over as the master and R2 reverts to backup. The VRRP MAC address is always: 00-00-5e-00-01-vrid. The valid VRID range is 0x010xFF.

subnet 2

R1 (master) interface address: 10.0.0.1/8 VRID 1 address: 10.0.0.1

R2 (backup) interface address: 10.0.0.2/8 VRID 1 address: 10.0.0.1

subnet 1

default gateway: 10.0.0.1/8

Figure 11-1 Basic VRRP configuration

Commonly Used VRRP Configuration

Figure 11-2 shows two physical routers backing each other up through VRRP. Routers R1 and R2 are both configured with VRID 1 and VRID 2. In this configuration, under normal circumstances the routing load is distributed between the two routers.

g013133

VRID 1 10.0.0.1

How VRRP Works E-Series Routers

11-5

default gateway: 20.0.0.252/8 VRID 3 20.0.0.251 subnet 2 VRID 4 20.0.0.252

default gateway: 20.0.0.251/8

VRID 3 address: 20.0.0.251 VRID 4 address: 20.0.0.252 interface address: 20.0.0.251/8

VRID 3 address: 20.0.0.251 VRID 4 address: 20.0.0.252 interface address: 20.0.0.252/8 R2 interface address: 10.0.0.254/8 VRID 1 address: 10.0.0.253 VRID 2 address: 10.0.0.254

R1 interface address: 10.0.0.253/8 VRID 1 address: 10.0.0.253 VRID 2 address: 10.0.0.254

subnet 1

VRID 1 10.0.0.253 default gateway: 10.0.0.253/8 Notes R1: master router for VRID 3 backup router for VRID 4 master router for VRID 1 backup router for VRID 2 default gateway: 10.0.0.254/8

VRID 2 10.0.0.254

R2: backup router for VRID 3 master router for VRID 4 backup router for VRID 1 master router for VRID 2

Figure 11-2 Commonly used VRRP configuration

g013132

11-6

CHAPTER 11 Configuring VRRP

VRRP Configuration Without the Real Address Owner

Figure 11-3 is noticeably similar to Figure 11-2 except that there is no real owner for the addresses configured by the VRIDs. Consequently, both routers R1 and R2 are configured as backup routers for VRID 1, VRID 2, VRID 3, and VRID 4.
default gateway: 20.0.0.252/8 VRID 3 20.0.0.251 subnet 2 VRID 4 20.0.0.252 default gateway: 20.0.0.251/8

VRID 3 address: 20.0.0.251 VRID 4 address: 20.0.0.252 interface address: 20.0.0.1/8

VRID 3 address: 20.0.0.251 VRID 4 address: 20.0.0.252 interface address: 20.0.0.2/8 R2 interface address: 10.0.0.2/8 VRID 1 address: 10.0.0.253 VRID 2 address: 10.0.0.254

R1 interface address: 10.0.0.1/8 VRID 1 address: 10.0.0.253 VRID 2 address: 10.0.0.254

subnet 1

default gateway: 10.0.0.253/8

default gateway: 10.0.0.254/8

Figure 11-3 VRRP configuration without the real address owner

Assuming that preemption is enabled, the router that is configured with the highest priority for each VRID becomes the master. If priorities are the same, the router that has the highest primary address becomes the master. This configuration shows how the address owner does not necessarily need to exist under VRRP. The configuration seems somewhat mysterious, since the PCs are never able to ping their gateway; however, they can talk to destinations outside their own subnet. IP multicast packets are used by the election protocol specified in VRRP to provide the router with redundancy. Therefore, VRRP can operate over a variety of multiaccess LAN technologies supporting IP multicast. It is important to remember that there is always one master for an IP address shared by the redundancy group.

g013131

VRID 1 10.0.0.253

VRID 2 10.0.0.254

How VRRP Is Implemented in the E-Series Router E-Series Routers

11-7

How VRRP Is Implemented in the E-Series Router

VRRP is implemented in the E-series router meet two goals. The first goal is to avoid the single point of failure inherent to hosts that have a single default gateway configured. The second goal is to keep the complexity of redundancy away from the hosts themselves. These goals are in compliance with RFC 2338 and RFC 2787. The association between VRIDs and IP addresses is coordinated among all participating VRRP routers. A scenario is provided to help you understand how VRRP is implemented in the router.
1 2

The E-series router assigns common VRIDs to the group of routers that are going to share IP addresses. The E-series router sends VRRP advertisements to well-known multicast addresses. The router that owns the addresses automatically becomes the master and sends periodic VRRP advertisement messages. A VRRP advertisement consists of the IP addresses that the master controls and the VRID. If the master stops advertising for a predetermined period of time, the remaining routers using the same VRID enter an election process to determine which router takes over the master responsibilities. If the master does not own the IP addresses for which it is responsible, it drops all packets that have DAs to these IP addresses. If the elected master fails, backup routers start the election process again. When the original master becomes operational again, it restarts broadcasting advertisements as long as preemption is enabled or the master is the address owner. Packet forwarding responsibility then shifts back to the original master router.

4 5 6

Router Election Rules

If the master router becomes unavailable, there are rules that govern election of the master router: The backup router assigned the highest priority for each VRID becomes the master. If two backup routers were assigned the same priority, the router that has the highest primary address becomes the master. For example, if several routers were all assigned the default priority of 100, then the IP addresses must be compared.

11-8

CHAPTER 11 Configuring VRRP

Router election on a VRRP router can also be determined by whether or not the preemption option is enabled. When a backup router detects a master router with a lower priority than the backup has, the backup router may either choose to leave the current master alone or take over the current master and become the master itself. When preemption is enabled, a backup router always preempts or takes over the responsibility of the master router. When preemption is disabled, the lower-priority backup is left in the master state.
Note: It is possible that ICMP redirects source address may be overridden when VRRP is in use. When a backup VRID acts as a master on a given IP interface, its ICMP redirects must fake the source IP address of the IP address owner. The IP address must be faked because hosts accept only an ICMP redirect that was sent by the hosts current gateway.

Configuring VRRP
You must perform certain steps to configure VRRP; others are optional.
Configuring the IP Interface

Before you configure VRRP, you must configure an IP interface and assign a primary IP address and subnet mask. When the IP address belongs to the owner of the VRID, it must be associated with the VRID you create. To configure an IP interface and IP address:
1

Configure an IP interface.
host1(config)#interface fastEthernet 4/0

Assign an IP address and a subnet mask.

host1(config-if)#ip address 194.50.1.42 255.255.255.0

Note: It is recommended that you complete all IP address configurations before you configure VRRP. If for any reason the IP address information is changed after you configure VRRP, you must revise the associated IP addresses configured on the related VRRP entries. If auto addresses are specified in the ip vrrp virtual-address command and they are used in conjunction with priority 255, you must disable and reenable the VRRP entry for the association list to be updated.

Configuring VRRP E-Series Routers

11-9

Creating VRIDs

A master or backup router running the VRRP protocol may participate in one or more VRID instances. There are several ways to create a VRID instance: It is recommended that you create and/or configure a VRID instance first, and enable it last. For example:
host1(config-if)#ip vrrp 198 host1(config-if)#ip vrrp 198 priority 255

You can create and enable a VRID instance by using the ip vrrp vrid enable command, as shown below.
host1(config-if)#ip vrrp 25 enable

You continue to configure the VRID by identifying the VRID each time a VRRP command is used. For example:
host1(config-if)#ip vrrp 175 authentication-type none

Alternatively, you can create a new VRID when configuring any VRRP command, providing it is the first time the VRID instance is used. For example, if you execute the command ip vrrp vrid preempt and it is the first time that VRID is used, a new VRID is created.
host1(config-if)#ip vrrp 16 preempt

Use the ip vrrp vrid enable command last. The new VRID is not enabled until you execute this command.
host1(config-if)#ip vrrp 198 enable host1(config-if)#ip vrrp 16 enable host1(config-if)#ip vrrp 175 enable

Configuration Steps

Before configuring VRRP, you may find it helpful to review the configuration examples in the earlier section How VRRP Works. To configure VRRP parameters:
1

(Optional) Create a VRID instance.

host1(config-if)#ip vrrp 25

(Optional) Set a VRRP advertisement interval for the same VRID.

host1(config-if)#ip vrrp 25 advertise-interval 50

11-10

CHAPTER 11 Configuring VRRP

Set the VRRP router priority for owner and/or backup router(s). This step is mandatory to configure priority for the owner VRID (255). This step is optional to configure priority for a backup VRID (1254). The default is 100.
host1(config-if)#ip vrrp 25 priority 255 host1(config-if)#ip vrrp 22 priority 254

(Optional) Set the preemption option. In this example a new VRID is created.
host1(config-if)#ip vrrp 10 preempt

Associate an IP address with a VRID.

host1(config-if)#ip vrrp 25 virtual-address 194.2.1.63 255.255.255.0

(Optional) Set the VRRP authentication type to either text or none.

host1(config-if)#ip vrrp 25 authentication-type none

(Optional) Configure the VRRP authentication key.

host1(config-if)#ip vrrp 25 authentication-key dublin

Enable the VRID instance.

host1(config-if)#ip vrrp 25 enable

ip vrrp
Use to create a VRID instance. The VRID range is between 1255. Example
host1(config-if)#ip vrrp 25

Use the no version to remove a VRID instance.

ip vrrp advertise-interval
Use to configure the advertisement interval time. The interval time can be configured for seconds or milliseconds. Use seconds to be in compliance with RFC 2338. If your VRID environment consists of only E-series routers, you can optionally use milliseconds. Example
host1(config-if)#ip vrrp 25 advertise-interval 50

Use the no version to restore the default, 1 second.

Configuring VRRP E-Series Routers

11-11

ip vrrp authentication-key
Use to specify the authentication key. Use the key keyword only when the authentication type is text. See ip vrrp authentication-type. Example
host1(config-if)#ip vrrp 25 authentication-key dublin

Use no ip vrrp authentication-key to set the authentication key to its default, empty string.

ip vrrp authentication-type
Use to specify the authentication type of either text or none. Example
host1(config-if)#ip vrrp 175 authentication-type none

Use no ip vrrp authentication-type to set the authentication type to its default, none.

ip vrrp enable
Use to enable an existing VRID instance. The VRID range is between 1255. The default is disable. Example
host1(config-if)#ip vrrp 175 enable

Use the no version to disable an existing VRID instance.

ip vrrp preempt
Use to enable preemption. When preemption is enabled, a backup router always takes over the responsibility of the master router. When preemption is disabled, the lowerpriority backup is left in the master state. Example
host1(config-if)#ip vrrp 10 preempt

The default is enabled. Use the no version to disable preemption.

ip vrrp priority
Use to configure the priority of VRRP routers. A value of 255 implies master router priority. A value of 1254 implies backup router priority. Example
host1(config-if)#ip vrrp 25 priority 255

Use the no version to set the priority to the default value, 100.

11-12

CHAPTER 11 Configuring VRRP

ip vrrp virtual-address
Use to associate an IP address with a VRID. If the auto keyword is used, associated addresses are automatically learned or configured, depending on the priority attribute. There is no default. Example
host1(config-if)#ip vrrp 25 virtual-address 194.2.1.63 255.255.255.0

Use no ip vrrp virtual-address to remove an IP address association with a VRID. If auto addresses are used, the no version clears the auto flag.

Monitoring VRRP
You can use several VRRP show commands to monitor the details of your VRRP configuration.
baseline ip vrrp
Sets the baseline on all VRRP statistics as the current value. Example
host1#baseline ip vrrp

show ip vrrp
Use to display a detailed summary of all VRIDs configured. Use the interface keyword to specify a specific Fast Ethernet or Gigabit Ethernet interface. Field descriptions

Interface Fast Ethernet or Gigabit Ethernet interface specifier and VRID primary address IP address used while in master state; not necessarily an
associated address

operational state state of the VRRP router: master, backup, or init; when
the operational state is backup, the current masters ip address is given

admin state administrative status: enabled or disabled up time number of seconds that the VRID has been enabled in non-init
state

interval VRRP advertisement interval: seconds/milliseconds last error status help text used to debug any error detected priority priority of VRRP router auth type the VRRP authentication type: none or text preemption VRRP router preemption status: enabled or disabled auto assoc address(es) IP addresses associated with VRID

Monitoring VRRP E-Series Routers

11-13

Example
Interface: fastEthernet5/0.0 vrrpVrid: 1 primary address: 10.0.0.2 operational state: backup (current master: 130.0.0.1) admin state: enabled up time: 145 seconds interval: 1 second last error status: no error priority: 101 auth type: none preemption: enabled auto assoc address(es): 10.0.0.1, 100.0.0.1, 101.0.0.1

show ip vrrp brief

Use to display a brief summary of all VRIDs configured. Use the interface keyword to specify a specific Fast Ethernet or Gigabit Ethernet interface. Field descriptions

Interface Fast Ethernet or Gigabit Ethernet specifier VRID VRRP router instance configured on this interface Primary Address IP address used while in master state; not necessarily an
associated address

State operational state of VRRP router: master, backup, or init Adv advertisement interval in seconds Pri priority assigned to this router Admin administrative state of the VRID: enabled or disabled
VRID Primary Address State ---- --------------- -----255 123.123.123.123 init 1 1.1.1.1 master Adv Pri Admin --- --- -------1 100 disabled 1 254 enabled

Example

Interface ----------------------fastEthernet12/8.1.1 gigabitEthernet12/8.1.1

show ip vrrp neighbor

Use to display neighbors known to the VRRP routers. Use the interface keyword to specify a specific Fast Ethernet or Gigabit Ethernet interface. Field descriptions

Interface Fast Ethernet or Gigabit Ethernet interface specifier and VRID of

neighbors known to VRRP router

time discovered date and time neighbor was detected primary address primary IP address of neighbor adv interval (sec) VRRP advertisement interval in seconds priority priority status of VRRP router (255 = owner)

11-14

CHAPTER 11 Configuring VRRP

auth type VRRP authentication type: none or text assoc address(es) IP addresses associated with VRID that are advertised
by neighbor Example
Interface: fastEthernet5/0.0 vrrpVrid: 1 time discovered: 08/09/2001 07:44 primary address: 10.0.0.1 adv interval (sec): 1 priority: 255 (owner) auth type: none assoc address(es): 10.0.0.1, 100.0.0.1, 101.0.0.1 Interface: fastEthernet5/0.1 vrrpVrid: 11 time discovered: 08/09/2001 07:44 primary address: 11.0.0.1 adv interval (sec): 1 priority: 255 (owner) auth type: none assoc address(es): 11.0.0.1, 110.0.0.1, 111.0.0.1

show ip vrrp statistics

Use to display statistics of configured VRRP routers and each individual VRID. Use the delta keyword with the show ip vrrp statistics command to view the baseline statistics. Use the interface keyword with the show ip vrrp statistics command to specify a specific Fast Ethernet or Gigabit Ethernet interface. Field descriptions

checksumErrors total number of VRRP packets received with an invalid

VRRP checksum value

versionErrors total number of VRRP packets received with an unknown or

unsupported version number

vrIdErrors total number of VRRP packets received with an invalid VRID for
this virtual router

iccErrors count of line module notifications that did not make it to the
controller

txErrors count of advertisements that did not get sent due to resource
limitations

rxErrors count of advertisements received that could not be parsed by

VRRP applications

Interface Fast Ethernet or Gigabit Ethernet interface specifier and VRID becomeMaster total number of times that this VRID state has transitioned
to master

advertiseRcvd total number of VRRP advertisements received advertiseIntervalErrors total number of VRRP advertisement packets
received for which the advertisement interval is different from the one configured for the VRID

Monitoring VRRP E-Series Routers

11-15

authFailures total number of VRRP packets received that do not pass the
authentication check

ipTtlErrors total number of VRRP packets received with IP TTL

(time-to-live) not equal to 255

priorityZeroPktsRcvd total number of VRRP packets received with a

priority of 0

priorityZeroPktsSent total number of VRRP packets sent with a priority of 0 invalidTypePktsRcvd total number of VRRP packets received with an
invalid value in the Type field

addressListErrors total number of VRRP packets received for which the

address list does not match the locally configured list for the VRID

invalidAuthType total number of VRRP packets received with an unknown

authentication type

authTypeMismatch total number of VRRP packets received with an

authentication type not equal to the locally configured authentication method

packetLengthErrors total number of VRRP packets received with a packet

length less than the length of the VRRP header Example of statistics per interface
host1#show ip vrrp statistics interface fastEthernet 4/0 Globals: checksumErrors: 0 versionErrors: 0 vrIdErrors: 1 iccErrors: 0 txErrors: 0 rxErrors: 0 Interface: fastEthernet4/0 vrrpVrid: 1 becomeMaster: 10 advertiseRcvd: 0 advertiseIntervalErrors: 0 authFailures: 0 ipTtlErrors: 0 priorityZeroPktsRcvd: 0 priorityZeroPktsSent: 9 invalidTypePktsRcvd: 0 addressListErrors: 0 invalidAuthType: 0 authTypeMismatch: 0 packetLengthErrors: 0 Interface: fastEthernet4/0 vrrpVrid: 50 becomeMaster: 0 advertiseRcvd: 1000 advertiseIntervalErrors: 0 authFailures: 0 ipTtlErrors: 0

11-16

CHAPTER 11 Configuring VRRP

priorityZeroPktsRcvd: 0 priorityZeroPktsSent: 0 invalidTypePktsRcvd: 0 addressListErrors: 0 invalidAuthType: 0 authTypeMismatch: 0 packetLengthErrors: 0

Example of statistics per interface and VRID

host1#show ip vrrp statistics interface fastEthernet 4/0 1 Interface: fastEthernet4/0 vrrpVrid: 1 becomeMaster: 0 advertiseRcvd: 0 advertiseIntervalErrors: 0 authFailures: 0 ipTtlErrors: 0 priorityZeroPktsRcvd: 0 priorityZeroPktsSent: 0 invalidTypePktsRcvd: 0 addressListErrors: 0 invalidAuthType: 0 authTypeMismatch: 0 packetLengthErrors: 0

show ip vrrp statistics global

Use to display the statistics of configured VRRP routers and each individual VRID. Use the delta keyword with the show ip vrrp statistics commands to view the baseline statistics. Field descriptions

checksumErrors total number of VRRP packets received with an invalid

VRRP checksum value

versionErrors total number of VRRP packets received with an unknown or

unsupported version number

vrIdErrors total number of VRRP packets received with an invalid VRID for
this virtual router

iccErrors count of line module notifications that did not make it to the
controller

txErrors count of advertisements that did not get sent due to resource
limitations

rxErrors count of advertisements received that could not be parsed by

VRRP applications

Monitoring VRRP E-Series Routers

11-17

Example
host1#show ip vrrp statistics global Globals: checksumErrors: 0 versionErrors: 0 vrIdErrors: 0 iccErrors: 0 txErrors: 0 rxErrors: 0

show ip vrrp summary

Use to display a summary count on all VRIDs configured. Field descriptions

ip interfaces with vrrp total number of VRIDs configured on ip interfaces entries total number of entries in all states entries enabled number of entries that were enabled entries with owner priority number of entries with owner priority entries in init state number of entries in the init state entries in backup state number of entries in backup state entries in master state number of entries in master state
host1#show ip vrrp summary ip interfaces with vrrp: 1 entries: 10 entries enabled: 10 entries with owner priority: 1 entries in init state: 0 entries in backup state: 9 entries in master state: 1

Example

11-18

CHAPTER 11 Configuring VRRP

Part 4

Internet Protocol Security

Configuring IPSec

12
Page 12-1 12-3 12-4 12-15 12-20 12-31 12-42

This chapter describes IPSec capabilities of the E-series router.

Topic Overview References IPSec Concepts IKE Overview Configuration Tasks Configuration Examples Monitoring IPSec

Overview
The IP security functionality covered in this chapter includes the following major areas: Encapsulating protocols, including AH and ESP, to provide security on specified packets The ISAKMP/IKE protocol suite to provide automatic negotiation of security associations including session keys

12-2

CHAPTER 12 Configuring IPSec

Terms

Table 12-1 defines terms and abbreviations that are used in this discussion of IPSec.
Table 12-1 IPSec terms and abbreviations Term 3DES AH CA DES DSS ESP HMAC IKE IKE endpoint Inbound traffic Definition Triple DES encryption/decryption algorithm Authentication Header. Provides authentication of the sender and of data integrity. certificate authority Data Encryption Standard encryption algorithm Digital Signature Standard authentication algorithm Encapsulating Security Payload, provides data integrity, data confidentiality and, optionally, senders authentication Hashed Message Authentication Code Internet Key Exchange IP address of the entity that is one of two endpoints in an IKE/ISAKMP SA. In the context of a secure interface, inbound traffic refers to already secured traffic arriving on that interface (identified based on its SPI). This traffic is cleared and checked against the security parameters set for that interface. IP security IP address of the entity that is one of two endpoints in an IPSec SA Internet Security Association and Key Management Protocol Security associations used to secure control channels between security gateways. These are negotiated via IKE phase I. Message Digest x hash algorithm A random value used to detect and protect against replay attacks In the context of a secure interface, outbound traffic is the clear traffic forwarded to the interface (either by policy or by routing) that should be secured according to security parameters set for that interface. Perfect forward secrecy Rivest-Shamir-Adleman encryption algorithm Security association. The set of security parameters that dictate how IPSec processes a packet, including encapsulation protocol and session keys. A single secure tunnel uses multiple SAs. A virtual connection between two security gateways used to exchange data packets in a secure way. A secure tunnel is made up of a local SA and a remote SA, where both are negotiated in the context of an ISAKMP SA.

IPSec IPSec endpoint ISAKMP ISAKMP SA MDx Nonce Outbound traffic PFS RSA SA

Secure tunnel

References E-Series Routers

12-3

Table 12-1 IPSec terms and abbreviations (continued) Term SHA SPI VPN Definition Secure Hash Algorithm Security parameter index Virtual private network

References
This IPSec implementation supports the following RFCs: RFC 2401 Security Architecture for the Internet Protocol (November 1998) RFC 2402 IP Authentication Header (November 1998) RFC 2403 The Use of HMAC-MD5-96 within ESP and AH (November 1998) RFC 2404 The Use of HMAC-SHA-1-96 within ESP and AH (November 1998) RFC 2405 The ESP DES-CBC Cipher Algorithm With Explicit IV (November 1998) RFC 2406 IP Encapsulating Security Payload (ESP) (November 1998) RFC 2407 The Internet IP Security Domain of Interpretation for ISAKMP (November 1998) RFC 2408 Internet Security Association and Key Management Protocol (ISAKMP) (November 1998) RFC 2409 The Internet Key Exchange (IKE) (November 1998) RFC 2410 The NULL Encryption Algorithm and Its Use With IPSec (November 1998) RFC 768 User Datagram Protocol (August 1980) For information on using digital certificates, see Chapter 13, Configuring Digital Certificates.

12-4

CHAPTER 12 Configuring IPSec

IPSec Concepts
This section provides an overview of IPSec concepts. IPSec provides security to IP flows through the use of authentication and encryption. Authentication verifies that data is not altered during transmission and ensures that users are communicating with the individual or organization that they believe they are communicating with. Encryption makes data confidential by making it unreadable to everyone except the sender and intended recipient. IPSec comprises two encapsulating protocols: Encapsulating Security Payload (ESP) provides confidentiality and authentication functions to every data packet. Authentication Header (AH) provides authentication to every data packet.
Secure IP Interfaces

Secure IP interfaces are virtual IP interfaces that can be configured to provide confidentiality and authentication services for the data flowing through such interfaces. The software provides these services using mechanisms created by the suite of IPSec standards established by the IETF. Secure IP interfaces connect the router to any other endpoint through the routed network and allow much of the same functionality as other IP interfaces. Traffic can reach a secure IP interface via routing and/or policy routing. A secure tunnel is a layer 2 entity. It is a point-to-point connection that is mapped on top of other IP interfaces. Secure tunnels carry only IP traffic. A secure IP interface is a layer 3 entity; that is, an IP interface mapped on top of a secure tunnel that inherits all security associated with it. Secure IP interfaces are a logical representation of a secure connection between two security endpoints, one of which is the local system. The remote endpoint can be another security gateway or a host.
RFC 2401 Compliance

RFC 2401 states that a security policy database (SPD) must exist for each physical interface in the router, and an administrator must configure

IPSec Concepts E-Series Routers

12-5

these SPDs to determine which traffic must be IPSec-protected, not IPSec-protected, or denied. The E-series router does not support a system-wide SPD. Instead, the router takes advantage of routing policies that are applied to physical interfaces to describe which traffic should be forwarded to a single IPSec tunnel, which traffic should be discarded, and so on. The router also applies IPSec selectors to traffic going into or coming out of a secure tunnel so that no unwanted traffic is allowed inside the tunnel. Supported selectors include IP addresses, subnets, and IP address ranges. Note that an implementation that strictly follows RFC 2401 requires a separate IPSec tunnel for each SPD entry.
IPSec Protocol Stack

Figure 12-1 shows the protocol stack on a client, an IPSec gateway, and a server. In the figure, HTTP and TCP are examples of higher-level protocols involved in the end-to-end communication; other end-to-end communication protocols are also supported. The layers where the data can be encrypted are shown in gray.

HTTP

HTTP

HTTP

TCP

TCP Private IP interworking Ethernet driver

TCP

Private IP

TCP

IP

Private IP Ethernet driver Server

Client

IPSec

IPSec

IPSec

ETH

Public IP Layer 2

IP

Public IP Layer 2 IPSec gateway

L2

IPSec gateway
Figure 12-1 IPSec tunneling stack

g013305

12-6

CHAPTER 12 Configuring IPSec

Figure 12-2 shows the packet encapsulation for IPSec tunneling.

Figure 12-2 IPSec tunneling packet encapsulation

Security Parameters

Secure IP interfaces allow tunneled traffic to be secured in many ways. For that, secure interfaces are associated with security parameters that are enforced for traffic that goes through these interfaces. Table 12-2 gives a brief description of all parameters used for a secure IP interface.
Table 12-2 Security parameters used on secure IP interfaces Security Parameter

Description Manual interfaces are configured manually on both local and remote security gateways. Signalled interfaces are able to dynamically set up connections between security gateways using ISAKMP/IKE.

Manual or signalled A secure IP interface can be either manual or signalled.

Operational VR

Operational parameters for the secure IP interface, including the virtual router context to which this interface belongs and the network prefix reachable through the interface. Transport network characteristics for the tunnel, including its virtual router context and source and destination IP addresses. A key generation approach that guarantees that every newly generated session key is not in any way related to the previous keys. PFS ensures that a compromised session key will not compromise previous and subsequent keys. A limit on time and traffic volume allowed over the interface before an SA needs to be renegotiated. The actual session-related parameters used by both security gateways to secure the traffic between them. The SA can be manually defined for manual secure IP tunnels or dynamically negotiated for signalled tunnels. Two sets of SA parameters exist. One for inbound traffic and another for outbound traffic.

Transport VR Perfect forward secrecy

Lifetime Inbound and outbound SAs

Transform set

The set of security parameters, including protocols and algorithms, that is considered adequate to provide a required security level to the traffic flowing through an interface.

g013306

Layer 2

Public IP

IPSec header

Private IP

Payload

IPSec trailer

IPSec Concepts E-Series Routers

12-7

Figure 12-3 shows the relationships of the various security parameters to the IPSec security interface. Each parameter is covered in detail in the following sections.

[Manual | Signaled] Mask IP address Operational VR Perfect forward secrecy [On | Off] Lifetime [Time-out] [Volume-out] Security association Tunnel ID Transport VR Destination IP address Source IP address

Secure IP interface

Inbound SA(s)

Transform set

Outbound SA(s)

SPI [AH | ESP] [NULL | MD5 | SHA1] Authentication key

Transform

SPI [AH | ESP]

[AH | ESP] [NULL | DES | 3DES] [NULL | MD5 | SHA1]

[NULL | MD5 | SHA1] Authentication key

[NULL | DES | 3DES] Encryption keys

[NULL | DES | 3DES]

g013307

Encryption keys

Figure 12-3 IPSec security parameters in relation to secure IP interface

12-8

CHAPTER 12 Configuring IPSec

Manual Versus Signalled Interfaces

The router supports both manual and signalled interfaces: Manual interfaces use a preconfigured set of SA parameters to secure traffic flowing through a secure IP interface. If SA parameters are not preconfigured for a manual secure interface, all traffic reaching the interface is dropped. Statistics are kept for dropped traffic. A manual secure IP tunnel must be manually provisioned in both peer security gateways. Signalled interfaces negotiate an SA on demand with the remote security gateway. The remote security gateway must also support SA negotiation; otherwise traffic is dropped. Again, statistics are kept for dropped traffic. The router supports SA negotiation within an IKE SA by means of the ISAKMP and IKE protocols. Only one IKE SA is maintained between a set of local and remote IKE endpoints. That means that if an IKE SA already exists between the two endpoints, it is reused. Secure IP interface parameters can be required, optional, or not applicable, depending on whether the interface is manual or signalled. Table 12-3 shows how the other security parameters fit with manual and signalled interfaces.
Table 12-3 Security parameters per IPSec policy type Security Parameter Transport VR Operational VR Perfect forward secrecy Lifetime Inbound and outbound SAs Transform set Manual Required Required Optional Optional Required Required Signalled Required Required Optional Optional Not Applicable Required

Operational Virtual Router

The operational VR for a secure IP tunnel is the VR in which a secure IP tunnel exists. The IP address and mask associated with a secure IP interface exist only within the operational VR under which the interface is declared. The VR defines the network prefix, which is reachable through the logical IP interface.

IPSec Concepts E-Series Routers

12-9

A secure IP tunnel is always a member of one and only one operational VR. Therefore, the operational VR attributes are mandatory for any secure tunnel. These attributes include: IP address and mask Virtual router where the secure IP interface exists
Transport Virtual Router

The transport VR for a secure IP tunnel is the VR in which both of the secure tunnel endpoints, the source and destination, are routable addresses. Normally, the transport VR is the default ISP routing infrastructure on top of which VPNs are provisioned. The IPSec service line module is a security gateway and, as such, is one of the endpoints for secure tunnels. The tunnel endpoints are the tunnel source and the tunnel destination IP addresses. The tunnel source IP address must be one of the local IP addresses configured on the router. The tunnel destination address must be a routable IP address within the transport VR routing tables. The transport VR information is required, although its explicit configuration is not. If omitted, the transport VR is assumed to be the same as the operational VR. However, the tunnel source and destination are mandatory elements.
Transport VR Definition

The transport VR definition includes:

Transport virtual router name If not explicitly configured, the operational VR is assumed. Tunnel source endpoint IP address used as the tunnel source endpoint on this end of the tunnel. In the case of signalled tunnels, the router monitors and transmits on port 500 of this address for IKE negotiations. The tunnel source endpoint must be a configured IP address on the transport VR, or the router indicates an error. Tunnel destination endpoint IP address associated with the termination or initiation point of the secure IP tunnel. This address must be routable within the context of the transport VR. Each secure IP tunnel can have a different remote IP address.

12-10

CHAPTER 12 Configuring IPSec

Perfect Forward Secrecy

PFS is an optional feature that causes every newly refreshed key to be completely unrelated to the previous key. PFS provides added security, but requires extra processing for a new Diffie-Hellmann key exchange on every key refresh. If PFS is enabled, the router mandates PFS during SA negotiation. The remote security gateway must accept PFS if the SA is to be successfully negotiated. On the other hand, if PFS is disabled, PFS may still be negotiated if the remote security gateway requests PFS. PFS supports three Diffie-Hellmann prime modulus groups: Group 1 A 768-bit Diffie-Hellmann prime modulus group Group 2 A 1024-bit Diffie-Hellmann prime modulus group Group 5 A 1536-bit Diffie-Hellmann prime modulus group SA negotiation favors the highest request. For example, if group 2 is requested locally, the remote security gateway must support group 2 for the SA negotiation to be successful. If group 1 is requested locally, then either groups 1 or 2 can be accepted, depending on requests from the remote security gateway.
Lifetime

You can set a lifetime for user SAs and IKE SAs. For information on setting the IKE SA lifetime, see Lifetime in the IKE Policies section later in this chapter. For signalled IPSec interfaces, both the inbound and outbound SA must be assigned a lifetime. The lifetime parameter controls the duration for which the SA is valid. When a user SA is established, both a timer and a traffic volume counter are set. When either counter reaches the limit specified by the SAs lifetime, a new SA is negotiated and the expired SA is deleted. The renegotiations refresh several SA parameters, including keys. Note the following about how the lifetime parameters work: To avoid delays in the data flow, a new user SA is actually renegotiated before the expiration. If the SA expires in the middle of processing a packet, the router finishes processing that packet. The actual user SA lifetime may not equal the value configured in the router.

IPSec Concepts E-Series Routers

12-11

There are both global and tunnel-specific lifetime parameters. If there is no tunnel-specific lifetime configured, the router uses the global lifetime. The global lifetime parameters have the following default settings:
> 8 hours for the time-based lifetime > 100 MB for the traffic-based lifetime

Lifetime parameters are valid only for user SAs established via IKE. Manually configured user SAs ignore this parameter. You can set a lifetime for all SAs on a specific tunnel, and you can set a global lifetime. To set the tunnel lifetime, use the tunnel lifetime command. To set the global (default) lifetime, use the ipsec lifetime command.
Inbound and Outbound SAs

SA parameters are the actual session parameters used to secure a specific data flow associated with a specific secure IP interface. For manual secure IP interfaces, the system administrator sets SA parameters. Manually setting SA parameters allows provisioning of IP security to destinations that do not support SA negotiation via IKE. For signalled secure IP interfaces, the two security gateway peers negotiate SA parameters; the system administrator is not allowed to set any of the parameters. In fact, for some of these parameters, such as session keys, the system administrator is not granted even read-access. Similarly to IPSec SA, SA parameters are unidirectional. Therefore, for a two-way data flow, two SAs need to be establishedone for inbound traffic and another for outbound traffic. For each direction, SA parameters must be set for each transform associated with a secure IP interface. Therefore, two sets of SA parameters exist for each secure IP interface, one being the inbound SA parameters and the other the outbound SA parameters. The following parameters form each set of SA parameters: SPI A unique identifier for the SA used when securing this flow. An SPI is unique for a given destination IP address and protocol tuple. The destination IP address is either the remote secure IP interface endpoint for the outbound direction or the local secure IP interface endpoint for the inbound direction.

12-12

CHAPTER 12 Configuring IPSec

Encapsulation The encapsulation options include both an encapsulating protocol and an encapsulating mode. The protocol can be either ESP or AH. The mode is tunnel mode. Transforms The allowed transforms for given SA parameters depend on its encapsulation protocol. See Transform Sets for more information. Keys The session key used for the respective SA transform. The key length depends on the SA transform to which it applies, and is as follows:
> DES 8 bytes > 3DES 24 bytes > MD5 16 bytes > SHA 20 bytes Transform Sets

Transform sets are composed of security parameters that provide a required security level to a particular data flow. Transform sets are used during user SA negotiation to find common agreement between the local and the remote security gateway on how to protect that specific data flow. A transform set includes encapsulation protocols and transforms; for example, encryption/decryption/authentication algorithms. These parameters are grouped to specify the acceptable protection for a given data flow. Many transform sets are supported, since different traffic requires distinct security levels. A secure IP tunnel is associated with one transform set. Multiple secure IP tunnels can refer to the same transform set. Changing existing transform sets affects only future user SA negotiations. User SAs that are already established remain valid and do not use the changed transform set until they are renegotiated. For manually configured secure IP tunnels, the associated transform set must contain a single transform option.

IPSec Concepts E-Series Routers

12-13

Encapsulation Protocols Both the AH and ESP protocols are supported. See supported transforms in Table 12-4.

AH provides authentication. ESP provides data confidentiality and antireplay functions. ESP can also provide data authentication, although, in this implementation, ESP does not cover the outer IP header.
Encapsulation Modes IPSec supports two encapsulation modestunnel mode and transport mode. Currently the E-series router supports only tunnel mode. Tunnel mode creates a second IP header in the packet and uses both the local and remote security gateway addresses as source and destination IP addresses. Supported Transforms Table 12-4 describes the supported

transforms.
Table 12-4 Supported transforms Transform AH-MD5 AH-SHA Description IPSec performs AH protocol encapsulation using the MD5 hash function with HMAC message authentication. IPSec performs AH protocol encapsulation using the SHA-1 hash function with HMAC message authentication. SHA-1 is considered stronger than MD5. IPSec performs ESP protocol encapsulation using the MD5 hash function with HMAC message authentication. IPSec performs ESP protocol encapsulation using the SHA-1 hash function with HMAC message authentication. SHA-1 is considered stronger than MD5. IPSec performs ESP protocol encapsulation using the DES encryption algorithm. DES uses a 56-bit symmetric key and is considered a weak (breakable) encryption algorithm. IPSec performs ESP protocol encapsulation using the 3DES encryption algorithm. 3DES uses a 168-bit symmetric encryption key and is widely accepted as a strong encryption algorithm. Export control issues apply to products that ship from the USA with 3DES. Combination of ESP-MD5 and ESP-DES transforms. Combination of ESP-SHA and ESP-DES transforms. Combination of ESP-MD5 and ESP-3DES transforms. Combination of ESP-SHA and ESP-3DES transforms.

ESP-MD5 ESP-SHA

ESP-DES

ESP-3DES

ESP-DES-MD5 ESP-DES-SHA ESP-3DES-MD5 ESP-3DES-SHA

12-14

CHAPTER 12 Configuring IPSec

Table 12-5 shows the security functions achieved with the supported transforms, and provides a view of which combinations can be used, depending on security requirements.
Table 12-5 Combinations of supported security transforms Security Type Data authentication only Supported Transform Combinations AH-HMAC-MD5 AH-HMAC-SHA ESP-HMAC-MD5 ESP-HMAC-SHA Data confidentiality only Data authentication and confidentiality ESP-DES ESP-3DES ESP-DES-MD5 ESP-DES-SHA ESP-3DES-MD5 ESP-3DES-SHA

Note that the IPSec service line module does not support both the ESP and AH encapsulation modes concurrently on the same secure tunnel.
Negotiating Transforms Inside a transform set, IPSec transforms are numbered in a priority sequence.

During negotiation as an initiator of the user SA, the router uses transform number one first. If the remote system does not agree on the transform, the router then tries number two, and so on. If both end systems do not agree on a transform, the user SA fails and the secure IP tunnel is not established. During negotiation as a responder, the router compares the proposed transform from the remote end against each transform in the transform set. If there is no match, the router provides a negative answer to the remote end, which can either try another transform or give up. If no match is found, the secure IP tunnel is not established.
Other Security Features IP Security Policies

The E-series router does not support a system-wide security policy database (SPD). Instead, the router takes advantage of routing to forward traffic to and from a secure tunnel. The router still applies IPSec selectors to traffic going into or coming out of a secure tunnel so that no unwanted

IKE Overview E-Series Routers

12-15

traffic is allowed inside the tunnel. Supported selectors include IP addresses, subnets, and IP address ranges.
ESP Processing

The router supports both the encryption and authentication functions of ESP encapsulation as defined in RFC 2406. Specifically, the router supports: DES and 3DES encryption algorithms The HMAC-SHA and HMAC-MD5 authentication algorithms ESP security options on a per-tunnel (per-SA) basis Tunnel mode
AH Processing

The router supports AH encapsulation as defined in RFC 2402. Specifically, the router supports: HMAC-SHA and HMAC-MD5 authentication algorithms AH authentication options on a per-tunnel (per-SA) basis Tunnel mode
IPSec Maximums Supported

Refer to the E-Series Release Notes, Appendix A, System Maximums corresponding to your software release for information on maximum values.

IKE Overview
The IKE suite of protocols allows a pair of security gateways to: Dynamically establish a secure tunnel over which the security gateways can exchange tunnel and key information. Set up user-level tunnels or SAs, including tunnel attribute negotiations and key management. These tunnels can also be refreshed and terminated on top of the same secure channel.

12-16

CHAPTER 12 Configuring IPSec

IKE is based on the Oakley and Skeme key determination protocols and the ISAKMP framework for key exchange and security association establishment. IKE provides: Automatic key refreshing on configurable timeout. Support for public key infrastructure (PKI) authentication systems. Antireplay defense. IKE is layered on UDP and uses UDP port 500 to exchange IKE information between the security gateways. Therefore, UDP port 500 packets must be permitted on any IP interface involved in connecting a security gateway peer. The following sections expand on the IKE functionality available for the router.
Main Mode and Aggressive Mode

IKE phase 1 negotiations are used to establish IKE SAs. These SAs protect the IKE phase 2 negotiations. IKE uses one of two modes for phase 1 negotiations: main mode or aggressive mode. The choice of main or aggressive mode is a matter of tradeoffs. Some of the characteristics of the two modes are: Main mode
> Protects the identities of the peers during negotiations and is

therefore more secure.

> Allows greater proposal flexibility than aggressive mode. > Is more time consuming than aggressive mode because more

messages are exchanged between peers. (Six messages are exchanged in main mode.) Aggressive mode
> Exposes identities of the peers to eavesdropping, making it less

secure than main mode.

> Is faster than main mode because fewer messages are exchanged

between peers. (Three messages are exchanged in aggressive mode.) The next section describes aggressive mode in more detail.

IKE Overview E-Series Routers

12-17

Aggressive Mode Negotiations

During aggressive mode phase 1 negotiations, the E-series router behaves as follows: When the router is the initiator, the router searches all policy rules to find those that allow aggressive mode. The router then selects the rule with highest priority and uses the rule to initiate phase 1 negotiation. If there are no policy rules with aggressive mode allowed, the router selects the highest-priority rule that allows main mode. When the router is the responder, the negotiation depends on what the initiator proposes, as well as what is configured in the policy rules. Table 12-6 outlines the possible combinations of initiator proposals and policy rules. As shown, allowing aggressive mode in a policy rule allows negotiation to take place no matter what the initiator requests.
Table 12-6 Initiator proposals and policy rules Initiator Requests Aggressive mode Aggressive mode Main mode Main mode Responder Policy Rule Aggressive allowed Aggressive not allowed Aggressive allowed Aggressive not allowed Match Yes No Yes Yes

The router responds to phase 1 negotiations with the highest priority policy rule that matches the initiator. A match means that all parameters, including the exchange type, match.
IKE Policies

An IKE policy defines a combination of security parameters to be used during the IKE SA negotiation. IKE policies are configured on both security gateway peers, and there must be at least one policy on the local peer that matches a policy on the remote peer. Failing that, the two peers will not be able to successfully negotiate the IKE SA, and no data flow will be possible. IKE policies are global to the router. Every IPSec service line module on a router uses the same set of policies when negotiating IKE SAs. The agreed-on IKE SA between the local system and a remote security gateway may vary, because it depends on the IKE policies used by each remote peer. However, the initial set of IKE policies the router uses is always the same and independent of which peer the router is negotiating with.

12-18

CHAPTER 12 Configuring IPSec

During negotiation, the router may skip IKE policies that require parameters that are not configured for the remote security gateway with which the IKE SA is being negotiated. You can define up to ten IKE policies, with each policy having a different combination of security parameters. A default IKE policy that contains default values for every policy parameter is available. This policy is used only when IKE policies are not configured and IKE is required. The following sections describe each of the parameters contained in an IKE policy.
Priority

Priority allows better (more secure) policies to be given preference during the negotiation process. The fact still remains that every IKE policy is considered secure enough to secure the IKE SA flow. During IKE negotiation all policies are scanned, one at a time, starting from the highest-priority policy and ending with the lowest-priority policy. The first policy that the peer security gateway accepts is used for that IKE session. This procedure is repeated for every IKE session that needs to be established.
Encryption

A specific encryption transform can be applied to an IKE policy. The supported encryption algorithms are: DES 3DES
Hash Function

A specific hash function can be specified to an IKE policy. The supported ones are: MD5 SHA-1 IKE also uses an authentication algorithm during IKE exchanges. This authentication algorithm is automatically set to the HMAC version of the specified hash algorithm. Therefore, you cannot have the hash function set to MD5 and authentication algorithm set to HMAC-SHA.

IKE Overview E-Series Routers

12-19

Authentication Mode

As part of the IKE protocol, one security gateway needs to authenticate the other security gateway to make sure that the IKE SA is established with the intended party. The E-series router supports two authentication methods: Digital certificates (using RSA algorithms) For digital certificate authentication, an initiator signs message interchange data using his private key, and a responder uses the initiators public key to verify the signature. Typically, the public key is exchanged via messages containing an X.509v3 certificate. This certificate provides a level of assurance that a peers identity (as represented in the certificate) is associated with a particular public key. For more information, see Chapter 13, Configuring Digital Certificates. Preshared keys With preshared key authentication mode, the same secret string (similar to a password) must be configured on both security gateways before the gateways can authenticate each other. It is not advisable to share a preshared key among multiple pairs of security gateways, because it reduces the keys security level. The router allows preshared keys to be up to 256 characters composed of any ASCII alphanumeric character.
Diffie-Hellman Group

An IKE policy must specify which Diffie-Hellmann group is used during the symmetrical key generation phase of IKE. The following Diffie-Hellmann groups are supported: Group 1 (768-bit) Group 2 (1024-bit) Group 5 (1536-bit)
Lifetime

Like a user SA, an IKE SA should not last indefinitely. Therefore, the router allows you to specify a lifetime parameter for an IKE policy. The timer for the lifetime parameter begins when the IKE SA is established using IKE.

12-20

CHAPTER 12 Configuring IPSec

IKE SA Negotiation

As the initiator of an IKE SA, the router sends its IKE policies to the remote peer. If the peer has an IKE policy that matches the encryption, hash, authentication method, and Diffie-Hellmann group settings, the peer returns the matching policy. The peers use the lesser lifetime setting as the IKE SA lifetime. If no match is found, the IKE SA fails, and a log alarm is generated. As the responder of an IKE negotiation, the router receives all IKE policies from a remote security gateway. The router then scans its own list of IKE policies to check whether a match exists, starting from the highest priority. If it finds a match, that policy is successfully negotiated. Again, the lifetime is negotiated to the lesser of the two lifetimes, and failures are logged.

Configuration Tasks
This section shows the steps to configure an IPSec license and IPSec parameters, create an IPSec tunnel, and define an ISAKMP/IKE policy. The next section contains configuration examples.
Configuring an IPSec License

You can purchase IPSec licenses, which allow additional IPSec tunnels in the E-series router. The number of additional tunnels depends on the number of IPSec Service line modules (ISMs) installed in the router and the type of license that you purchase. Table 12-7 shows how many tunnels are allowed in the router depending on how many ISMs are installed and the type of license configured on the router.
Table 12-7 Number of IPSec tunnels allowed in E-series routers Number of ISMs in Chassis One Two Number of IPSec Tunnels Allowed in System Without a License 2,500 5,000 Level 1 License 5,000 7,500 7,500 Level 2 License 5,000 10,000 10,000

Three (for redundancy) 5,000

If you have two ISMs in one chassis and have not purchased an IPSec license, you can configure 5,000 tunnels on the router. If you remove one of the ISMs, the router allows all 5,000 tunnels to migrate to the remaining ISM. However, on reload, the router brings up only 2,500 tunnels.

Configuration Tasks E-Series Routers

12-21

license ipsec-tunnels
Use to specify an IPSec tunnel license.
Note: Acquire the license from Juniper Networks Customer Service or your Juniper Networks sales representative.

Example
host1(config)#license ipsec-tunnels g1k23b23eb2j

Use the no version to disable the license.

Configuring IPSec Parameters

To configure IPSec:
1

For each endpoint, create a transform set that provides the desired encryption and authentication.
host1(config)#ipsec transform-set customerAprotection esp-3des-hmac-sha host1(config)#ipsec transform-set customerBprotection ah-hmac-md5

Add a preshared key that the routers use to authenticate each other.
host1(config)#ipsec key manual pre-share 5.2.0.1 host1(config-manual-key)#key customerASecret

Once you enter a preshared key, the router encrypts the key and displays it in masked form to increase the security of the key. If you need to reenter the key, you can enter it in its masked form using this command. To see the masked form of the key:
host1#show config ! ipsec key manual pre-share 10.10.1.1 masked-key AAAAGAAAAAcAAAACfd+SAsaVQ6Qeopt2rJOP6LDg+0hX5cMO !

To enter the masked key:

host1(config-manual-key)#masked-key AAAAGAAAAAcAAAACfd+SAsaVQ6Qeopt2rJOP6LDg+0hX5cMO

12-22

CHAPTER 12 Configuring IPSec

Define the local endpoint used for ISAKMP/IKE negotiations for all IPSec tunnels in the router.
host1(config)#ipsec local-endpoint 10.10.1.1 transport-virtual-router vr#8

(Optional) Set the global (default) lifetime for all SAs on the router.
host1(config)#ipsec lifetime kilobytes 42000000

ipsec key manual

Use to specify that a peer use a manual key for authentication during the tunnel establishment phase, and display the prompt that lets you enter the manual key. To enter a key, use the key command. Specify the peer using its IP address. You must enter this command in the virtual router context where the IP address of the peer is defined. Example
host1(config)#ipsec key manual pre-share 10.10.1.1 host1(config-manual-key)#

Use the no version to delete a manually configured key from the router.

ipsec lifetime
Use to set the global (default) lifetime in seconds and/or volume of traffic. The IPSec lifetime applies to tunnels that do not have a tunnel lifetime defined. When either limit is reached, the SA is renegotiated. To set a lifetime for all SAs on a tunnel, use the tunnel lifetime command. To set a lifetime for a specific SA, use the lifetime command. Example 1
host1(config)#ipsec lifetime kilobytes 42000000

Example 2
host1(config)#ipsec lifetime seconds 8600

Use the no version to restore the default values of 4294967295 kilobytes and 28800 seconds (8 hours).

ipsec local-endpoint
Use to define a default local endpoint for ISAKMP/IKE negotiations and all IPSec tunnels for a transport virtual router. You must specify the IP address used as the local endpoint and the transport virtual router on which the IP address is defined.

Configuration Tasks E-Series Routers

12-23

Example
host1(config)#ipsec local-endpoint 10.10.1.1 transport-virtual-router VR#8

Use the no version to delete a local endpoint. You cannot remove an endpoint if a tunnel is referencing the endpoint.

ipsec transform-set
Use to create a transform set. Each transform in a set provides a different combination of data authentication and confidentiality. Transform sets used for manually configured tunnels can have one transform. Transform sets used for signalled tunnels can have up to six transforms. The actual transform used on the tunnel is negotiated with the peer. Transforms are numbered in a priority sequence in the order in which you enter them. Example
host1(config)#ipsec transform-set espSet esp-3des-hmac-md5 esp-3des-null-auth

Use the no version to delete a transform set. You cannot remove a transform set if a tunnel is referencing the transform set.

key
Use to enter a manual preshared key. Preshared keys can have up to 256 characters composed of any ASCII alphanumeric character. To include spaces in the key, enclose the key in quotation marks. Example
host1(config-manual-key)#key dj5fe23owi8er49fdsa

Example
host1(config-manual-key)#key my key with spaces

There is no no version. To delete a key, use the no version of the ipsec key manual command.

masked-key
Use to enter the preshared key in masked form. For security purposes, the router displays the key only in masked form. If you delete the key or reboot the router to factory defaults, you can use this command to reenter the key in its masked form so that the key is not visible while you enter it. To see the masked key, use the show config command.

12-24

CHAPTER 12 Configuring IPSec

Example
host1#show config ! ipsec key manual pre-share 10.10.1.1 masked-key AAAAGAAAAAcAAAACfd+SAsaVQ6Qeopt2rJOP6LDg+0hX5cMO ! host1#configure terminal host1(config)#ipsec key manual pre-share 10.10.1.1 host1(config-manual-key)#masked-key AAAAGAAAAAcAAAACfd+SAsaVQ6Qeopt2rJOP6LDg+0hX5cMO

There is no no version. To delete a key, use the no version of the ipsec key manual command.

Creating an IPSec Tunnel

To create an IPSec tunnel:

1

Enter virtual router mode. Specify the VR that contains the source and destination addresses assigned to the tunnel interface.
host1(config)#virtual-router vrA host1:vrA(config)#

Create an IPSec tunnel, and specify the transport VR.

host1:vrA(config)#interface tunnel ipsec:Aottawa2boston transport-virtual-router default host1:vrA(config-if)#

Specify the IP address of this tunnel interface.

host1:vrA(config-if)#ip address 10.3.0.0 255.255.0.0

Specify the transform set that ISAKMP uses for SA negotiations.

host1:vrA(config-if)#tunnel transform-set customerAprotection

Configure the local endpoint of the tunnel.

host1:vrA(config-if)#tunnel local-identity subnet 10.1.0.0 255.255.0.0

Configure the peer endpoint of the tunnel.

host1:vrA(config-if)#tunnel peer-identity subnet 10.3.0.0 255.255.0.0

Specify an existing interface address that the tunnel uses as its source address.
host1:vrA(config-if)#tunnel source 5.1.0.1

Configuration Tasks E-Series Routers

12-25

Set the address of the remote tunnel endpoint.

host1:vrA(config-if)#tunnel destination 5.3.0.1 host1:vrA(config-if)#exit

For manual tunnels, specify the algorithm sets and the session key used for inbound SAs and for outbound SAs.
host1:vrA(config-if)#tunnel session-key-inbound esp-3des-hmac-md5 xj82k14OWaRqy dj3EwxNQ98z3bPw9 host1:vrA(config-if)#tunnel session-key-outbound esp-3des-hmac-md5 421 tM967dq3KvZ3j52r HeI38pkRn963wEg4

10 (Optional) Configure PFS on this tunnel.

host1:vrA(config-if)#tunnel pfs group 5

11 (Optional) Set the tunnel type to signalled or manual. The default is

signalled.
host1:vrA(config-if)#tunnel signaling manual

12 (Optional) Set the renegotiation time of the SAs in use by this tunnel.
host1(config-if)#tunnel lifetime seconds 48000 kilobytes 249000

13 (Optional) Set the MTU size for the tunnel.

host1(config-if)#tunnel mtu 2240

interface tunnel
Use to create or configure an IPSec tunnel interface. To establish the tunnel on a virtual router other than the current virtual router context, use the transport-virtual-router keyword. Example
host1(config)#interface tunnel ipsec:jak transport-virtual-router tvr041 host1(config-if)#

Use the no version to remove the tunnel.

tunnel destination
Use to set the address of the remote tunnel endpoint. Example
host1(config-if)#tunnel destination 10.10.11.12

Use the no version to remove the address.

12-26

CHAPTER 12 Configuring IPSec

tunnel lifetime
Use to set the renegotiation time of the SAs in use by this tunnel. To configure the lifetime in amount of data, use the kilobytes keyword. To configure the lifetime in number of seconds, use the seconds keyword. If you include the seconds keyword as the first keyword on the command line, you can also include the kilobytes keyword on the same line. Before either the volume of traffic or number of seconds limit is reached, the SA is renegotiated, which ensures that the tunnel does not go down during renegotiation.
host1(config-if)#tunnel lifetime seconds 48000 kilobytes 249000

Use the no version to set the lifetime to the default lifetime, which you define using the ipsec lifetime command.

tunnel local-identity
Use to configure the local identity (selector) of the tunnel. Specify the identity using one of the following keywords:

address specifies an IP address as the local identity subnet specifies a subnet as the local identity range specifies a range of IP addresses as the local identity
Example 1
host1(config-if)#tunnel local-identity range 10.10.1.1 10.10.2.1

Example 2
host1(config-if)#tunnel local-identity subnet 10.10.1.1 255.255.255.0

Use the no version to set the default identity, which is subnet 0.0.0.0 0.0.0.0

tunnel mtu
Use to set the MTU size for the tunnel. Example
host1(config-if)#tunnel mtu 2240

Use the no version to set the MTU to the default of 1440.

tunnel peer-identity
Use to configure the peer identity (selector) that ISAKMP uses. Specify the identity using one of the following keywords:

address specifies an IP address as the peer identity subnet specifies a subnet as the peer identity range specifies a range of IP addresses as the peer identity

Configuration Tasks E-Series Routers

12-27

Example 1
host1(config-if)#tunnel peer-identity range 10.10.1.1 10.10.2.2

Example 2
host1(config-if)#tunnel peer-identity subnet 130.10.1.1 255.255.255.0

Use the no version to remove the peer identity.

tunnel pfs group

Use to configure perfect forward secrecy on this tunnel. Assign a Diffie-Hellman prime modulus group using one of the following keywords:

1 768-bit group 2 1024-bit group 5 1536-bit group

Example
host1(config-if)#tunnel pfs group 5

Use the no version to remove PFS from this tunnel.

tunnel session-key-inbound
Use to manually configure the authentication and/or encryption algorithm sets and session keys for inbound SAs on a tunnel. You can enter this command only on tunnels that have tunnel signalling set to manual. To see a list of available algorithm sets, use the online Help. Keys are an arbitrary hexadecimal string. If the algorithm set includes:

DES, create an 8-byte key 3DES, create a 24-byte key MD5, create a 16-byte key SHA, create a 20-byte key
host1(config-if)#tunnel session-key-inbound esp-3des-hmac-md5 xj82kl40WaQp03i7 5bv0k4hm23z6uPn9

Example

Use the no version to remove inbound session keys from a tunnel.

tunnel session-key-outbound
Use to manually configure the authentication and/or encryption algorithm sets, SPI, and session keys for outbound SAs on a tunnel. You can enter this command only on tunnels that have tunnel signalling set to manual. To see a list of available algorithm sets, use the online Help. The SPI is a number from 256 to 4294967295 that identifies an SA.

12-28

CHAPTER 12 Configuring IPSec

Keys are an arbitrary hexadecimal string. If the algorithm set includes:

DES, create an 8-byte key 3DES, create a 24-byte key MD5, create a 16-byte key SHA, create a 20-byte key
host1(config-if)#tunnel session-key-outbound esp-3des-hmac-md5 421 tM967dq3KvZ3j52r HeI38pkRn963wEg4

Example

Use the no version to remove outbound session keys from a tunnel.

tunnel signaling
Use to set the tunnel type to signalled (ISAKMP) or manual. Specify a keyword:

isakmp uses ISAKMP/IKE to negotiate SAs and to establish keys manual specifies that security parameters and keys are configured
manually Example
host1(config-if)#tunnel signaling manual

Use the no version to restore the default, isakmp.

tunnel source
Use to specify an existing interface address that will serve as the tunnels source address. Example
host1(config-if)#tunnel source 10.10.2.8

Use the no version to remove the tunnel source.

tunnel transform-set
Use to specify the transform set that ISAKMP uses during SA negotiations on this tunnel. You create transform sets using the ipsec transform-set command. Example
host1(config-if)#tunnel transform-set espSet

Use the no version to remove the transform set from a tunnel.

Defining an ISAKMP/IKE Policy

ISAKMP/IKE policies define parameters that the router uses during ISAKMP/IKE phase 1 negotiation. To create an ISAKMP/IKE policy:
host1(config)#ipsec isakmp-policy-rule 3 host1(config-isakmp-policy)#

Configuration Tasks E-Series Routers

12-29

You can then set the following parameters, or use the default settings: Allow aggressive mode negotiation.
host1(config-isakmp-policy)#aggressive-mode

Specify the authentication method.

host1(config-isakmp-policy)#authentication pre-share

Specify the encryption algorithm.

host1(config-isakmp-policy)#encryption 3des

Assign a Diffie-Hellman group.

host1(config-isakmp-policy)#group 5

Set the hash algorithm.

host1(config-isakmp-policy)#hash md5

Specify the lifetime of IKE SAs created using this policy.

host1(config-isakmp-policy)#lifetime 360

aggressive-mode
Use to allow aggressive mode negotiation for the tunnel. If you allow aggressive mode negotiation, the tunnel proposes aggressive mode to the peer in connections that the policy initiates. If the peer initiates a negotiation, the tunnel accepts the negotiation if the mode matches this policy. Example
host1(config-isakmp-policy)#aggressive-mode

Use the no version to set the negotiation mode to main mode.

authentication
Use to specify the authentication method the router uses in the IKE policy, preshared keys or RSA signature. Example
host1(config-isakmp-policy)#authentication pre-share

Use the no version to restore the default, preshared keys.

encryption
Use to specify one of the following encryption algorithms to use in the IKE policy:

3des 168-bit 3DES-CBC des 56-bit DES-CBC

12-30

CHAPTER 12 Configuring IPSec

Example
host1(config-isakmp-policy)#encryption 3des

Use the no version to restore the default encryption algorithm, 3DES.

group
Use to assign a Diffie-Hellman group to the IKE policy. Specify:

1 768-bit group 2 1024-bit group 5 1536-bit group

Example
host1(config-isakmp-policy)#group 5

Use the no version to restore the default, 1024-bit group.

hash
Use to set the hash algorithm for the IKE policy:

md5 MD5 (HMAC variant) sha SHA-1 (HMAC variant)

Example
host1(config-isakmp-policy)#hash md5

Use the no version to restore the default, sha.

ipsec isakmp-policy-rule
Use to define an ISAKMP/IKE policy. When you enter the command, you include a number that identifies the policy and assigns a priority to the policy. You can number policies from 1 to 10000, with 1 having the highest priority. You can add up to 10 ISAKMP/IKE policies per router. Example
host1(config)#ipsec isakmp-policy-rule 3 host1(config-isakmp-policy)#

Use the no version to remove policies. If you do not include a priority number with the no version, all policies are removed.

lifetime
Use to specify the lifetime of IKE SAs. The range is 60 to 86400 seconds.
host1(config-isakmp-policy)#lifetime 360

Use the no version to reset the SA lifetime to the default, 28800 seconds.

Configuration Examples E-Series Routers

12-31

Refreshing SAs

To refresh ISAKMP/IKE or IPSec SAs:

host1(config)#ipsec clear sa tunnel ipsec:Aottawa2boca phase 2

ipsec clear sa
Use to refresh ISAKMP/IKE or IPSec SAs. To reinitialize all SAs, use the all keyword. To reinitialize SAs on a specific tunnel, use the tunnel keyword. To reinitialize SAs on tunnels that are in a specific state, use the state keyword. To specify the type of SA to be reinitialized, ISAKMP/IKE or IPSEC, use the phase keyword. Example
host1(config)#ipsec clear sa all phase 2

There is no no version.

Configuration Examples
This section contains examples of two IPSec applications. The first example shows a customer who replaces a leased line network with an IPSec network that allows the company to connect its corporate locations over the Internet. The second example provides leased line replacement to two customers who use address schemes in the same range.
Configuration Notes

Both the local and remote identities shown in these examples serve two purposes: They identify multiple IPSec tunnels between the same endpoints. They filter traffic going into and coming out of the tunnels so that it is within the specified range. If the configuration requires that only one IPSec tunnel exists between two endpoints and no traffic filtering is required, you can omit the tunnel local-identity and tunnel peer-identity commands.
Example 1

In Figure 12-4 customer A is using Frame Relay to connect its corporate offices in three cities: Boston, Ottawa, and Boca.

12-32

CHAPTER 12 Configuring IPSec

Ottawa

Boca

Boston
Figure 12-4 Customer As corporate Frame Relay network

Customer A hires ISP-X to provide a leased line replacement over an IP infrastructure using IPSec. ISP-X can offer a replacement for long-haul Frame Relay links by creating IPSec tunnels to carry customer As traffic securely between the sites over the public or ISP-provided IP network. This alternative will cost only a fraction of the price of the Frame Relay links. Figure 12-5 shows the connectivity scheme.

200.1.0.1/16 ISP-X 100.1.0.1 Public ip network

10.2.0.1/16 ISP-X 100.2.0.1

Ottawa

ERX1

Boca

ERX2

Boston

ERX3

ISP-X 100.3.0.1
g013053

200.3.0.1/16

Figure 12-5 ISP-X uses E-series routers to connect corporate offices over the Internet

To configure the connections as shown in Figure 12-5:

1

On each E-series router, create a protection suite that provides 3DES encryption with SHA-1 authentication on every packet.
erx1(config)#ipsec transform-set customerAprotection esp-3des-hmac-sha

g013054

Configuration Examples E-Series Routers

12-33

erx2(config)#ipsec transform-set customerAprotection esp-3des-hmac-sha erx3(config)#ipsec transform-set customerAprotection esp-3des-hmac-sha

On each E-series router, create preshared keys that the three routers will use to authenticate each other:
erx1(config)#ipsec key manual pre-share 100.2.0.1 erx1(config-manual-key)#key customerASecret erx1(config-manual-key)#exit erx1(config)#ipsec key manual pre-share 100.3.0.1 erx1(config-manual-key)#key customerASecret erx1(config-manual-key)#exit erx2(config)#ipsec key manual pre-share 100.1.0.1 erx2(config-manual-key)#key customerASecret erx2(config-manual-key)#exit erx2(config)#ipsec key manual pre-share 100.3.0.1 erx2(config-manual-key)#key customerASecret erx2(config-manual-key)#exit erx3(config)#ipsec key manual pre-share 100.1.0.1 erx3(config-manual-key)#exit erx3(config-manual-key)#key customerASecret erx3(config)#ipsec key manual pre-share 100.2.0.1 erx3(config-manual-key)#key customerASecret erx3(config-manual-key)#exit

On erx1 create two IPSec tunnels, one to carry customer As traffic between Ottawa and Boston and another to carry the traffic between Ottawa and Boca: Tunnel 1:
erx1(config)#interface tunnel ipsec:Aottawa2boston erx1(config-if)#tunnel transform-set customerAprotection erx1(config-if)#tunnel local-identity subnet 200.1.0.0 255.255.0.0 erx1(config-if)#tunnel peer-identity subnet 200.3.0.0 255.255.0.0 erx1(config-if)#tunnel source 100.1.0.1 erx1(config-if)#tunnel destination 100.3.0.1 erx1(config-if)#ip address 200.3.0.0 255.255.0.0 erx1(config-if)#exit

Tunnel 2:
erx1(config)#interface tunnel ipsec:Aottawa2boca erx1(config-if)#tunnel transform-set customerAprotection

12-34

CHAPTER 12 Configuring IPSec

erx1(config-if)#tunnel local-identity subnet 200.1.0.0 255.255.0.0 erx1(config-if)#tunnel peer-identity subnet 200.2.0.0 255.255.0.0 erx1(config-if)#tunnel source 100.1.0.1 erx1(config-if)#tunnel destination 100.2.0.1 erx1(config-if)#ip address 200.2.0.0 255.255.0.0 erx1(config-if)#exit

On erx2 create two IPSec tunnels, one to carry customer As traffic between Boca and Ottawa and another to carry the traffic between Boca and Boston: Tunnel 1:
erx2(config)#interface tunnel ipsec:Aboca2ottawa erx2(config-if)#tunnel transform-set customerAprotection erx2(config-if)#tunnel local-identity subnet 200.2.0.0 255.255.0.0 erx2(config-if)#tunnel peer-identity subnet 200.1.0.0 255.255.0.0 erx2(config-if)#tunnel source 100.2.0.1 erx2(config-if)#tunnel destination 100.1.0.1 erx2(config-if)#ip address 200.1.0.0 255.255.0.0 erx2(config-if)#exit

Tunnel 2:
erx2(config)#interface tunnel ipsec:Aboca2boston erx2(config-if)#tunnel transform-set customerAprotection erx2(config-if)#tunnel local-identity subnet 200.2.0.0 255.255.0.0 erx2(config-if)#tunnel peer-identity subnet 200.3.0.0 255.255.0.0 erx2(config-if)#tunnel source 100.2.0.1 erx2(config-if)#tunnel destination 100.3.0.1 erx2(config-if)#ip address 200.3.0.0 255.255.0.0 erx2(config-if)#exit

Configuration Examples E-Series Routers

12-35

Finally, on erx3 create two IPSec tunnels, one to carry customer As traffic between Boston and Ottawa and another to carry the traffic between Boston and Boca: Tunnel 1:
erx3(config)#interface tunnel ipsec:Aboston2ottawa erx3(config-if)#tunnel transform-set customerAprotection erx3(config-if)#tunnel local-identity subnet 200.3.0.0 255.255.0.0 erx3(config-if)#tunnel peer-identity subnet 200.1.0.0 255.255.0.0 erx3(config-if)#tunnel source 100.3.0.1 erx3(config-if)#tunnel destination 100.1.0.1 erx3(config-if)#ip address 200.1.0.0 255.255.0.0 erx3(config-if)#exit

Tunnel 2:
erx3(config)#interface tunnel ipsec:Aboston2boca erx3(config-if)#tunnel transform-set customerAprotection erx3(config-if)#tunnel local-identity subnet 200.3.0.0 255.255.0.0 erx3(config-if)#tunnel peer-identity subnet 200.2.0.0 255.255.0.0 erx3(config-if)#tunnel source 100.3.0.1 erx3(config-if)#tunnel destination 100.2.0.1 erx3(config-if)#ip address 200.2.0.0 255.255.0.0 erx3(config-if)#exit

The configuration is complete. Now customer A traffic between different cities flows through the public, or untrusted, IP network inside a tunnel, where each packet is encrypted and authenticated. Of course, this example shows the basic secure encapsulation of customer traffic over the untrusted IP network. You can add features such as key refreshing.

12-36

CHAPTER 12 Configuring IPSec

Example 2

Example 2, shown in Figure 12-6, enhances the previous example by having the same ISP-X providing leased line replacement to two customers who use address schemes in the same range. There are two ways to solve scenarios in which different customers use similar IP address schemes: One solution is to have different transport virtual routersa configuration similar to example 1, except that a different VR domain is possible. Another solution, as described in this example, simply duplicates the endpoints for the transport VR. This example assumes that the transport VR is the default VR.

Customer A Customer B 10.1.0.1/16 10.1.0.1/16 vrA vrB ISP-X 5.1.0.1 5.1.0.2

Customer A Customer B 10.2.0.1/16 10.2.0.1/16 vrA vrB ISP-X 5.2.0.1 5.2.0.2

Ottawa

ERX1

Public ip network

Boca

ERX2

Boston vrA

ERX3 vrB

ISP-X 5.3.0.1 5.3.0.2 Layer 2 connection, such as Frame Relay or ATM, that is trusted by the customer
g013052

Customer A Customer B 10.3.0.1/16 10.3.0.1/16

Figure 12-6 Connecting customers who use similar address schemes

Configuration Examples E-Series Routers

12-37

To configure the connections as shown in Figure 12-6:

1

On each E-series router, create a protection suite that provides customer A with 3DES encryption and SHA-1 authentication, and customer B with AH authentication using MD5.
erx1(config)#ipsec transform-set customerAprotection esp-3des-hmac-sha erx1(config)#ipsec transform-set customerBprotection ah-hmac-md5 erx2(config)#ipsec transform-set customerAprotection esp-3des-hmac-sha erx2(config)#ipsec transform-set customerBprotection ah-hmac-md5 erx3(config)#ipsec transform-set customerAprotection esp-3des-hmac-sha erx3(config)#ipsec transform-set customerBprotection ah-hmac-md5

On each E-series router, create a protection suite that the three routers will use to authenticate each other:
erx1(config)#ipsec key manual pre-share 5.2.0.1 erx1(config-manual-key)#key customerASecret erx1(config-manual-key)#exit erx1(config)#ipsec key manual pre-share 5.3.0.1 erx1(config-manual-key)#key customerASecret erx1(config-manual-key)#exit erx1(config)#ipsec key manual pre-share 5.2.0.2 erx1(config-manual-key)#key customerBSecret erx1(config-manual-key)#exit erx1(config)#ipsec key manual pre-share 5.3.0.2 erx1(config-manual-key)#key customerBSecret erx1(config-manual-key)#exit erx2(config)#ipsec key manual pre-share 5.1.0.1 erx2(config-manual-key)#key customerASecret erx2(config-manual-key)#exit erx2(config)#ipsec key manual pre-share 5.3.0.1 erx2(config-manual-key)#key customerASecret erx2(config-manual-key)#exit erx2(config)#ipsec key manual pre-share 5.1.0.2 erx2(config-manual-key)#key customerBSecret erx2(config-manual-key)#exit erx2(config)#ipsec key manual pre-share 5.3.0.2 erx2(config-manual-key)#key customerBSecret erx2(config-manual-key)#exit

12-38

CHAPTER 12 Configuring IPSec

erx3(config)#ipsec key manual pre-share 5.1.0.1 erx3(config-manual-key)#key customerASecret erx3(config-manual-key)#exit erx3(config)#ipsec key manual pre-share 5.2.0.1 erx3(config-manual-key)#key customerASecret erx3(config-manual-key)#exit erx3(config)#ipsec key manual pre-share 5.1.0.2 erx3(config-manual-key)#key customerBSecret erx3(config-manual-key)#exit erx3(config)#ipsec key manual pre-share 5.2.0.2 erx3(config-manual-key)#key customerBSecret erx3(config-manual-key)#exit

On erx1, create two IPSec tunnels, one to carry customer As traffic and another to carry customer Bs traffic. You must create each pair of tunnels in the virtual routers where the IP interfaces reaching those customers are defined. The endpoints for the tunnels should be created in the ISP default virtual router. Virtual router A:
erx1(config)#virtual-router vrA erx1:vrA(config)#

Tunnel from Ottawa to Boston on virtual router A:

erx1:vrA(config)#interface tunnel ipsec:Aottawa2boston transport-virtual-router default erx1:vrA(config-if)#tunnel transform-set customerAprotection erx1:vrA(config-if)#tunnel local-identity subnet 10.1.0.0 255.255.0.0 erx1:vrA(config-if)#tunnel peer-identity subnet 10.3.0.0 255.255.0.0 erx1:vrA(config-if)#tunnel source 5.1.0.1 erx1:vrA(config-if)#tunnel destination 5.3.0.1 erx1:vrA(config-if)#ip address 10.3.0.0 255.255.0.0 erx1:vrA(config-if)#exit

Tunnel from Ottawa to Boca on virtual router A:

erx1:vrA(config)#interface tunnel ipsec:Aottawa2boca transport-virtual-router default erx1:vrA(config-if)#tunnel transform-set customerAprotection erx1:vrA(config-if)#tunnel local-identity subnet 10.1.0.0 255.255.0.0 erx1:vrA(config-if)#tunnel peer-identity subnet 10.2.0.0 255.255.0.0 erx1:vrA(config-if)#tunnel source 5.1.0.1 erx1:vrA(config-if)#tunnel destination 5.2.0.1 erx1:vrA(config-if)#ip address 10.2.0.0 255.255.0.0 erx1:vrA(config-if)#exit

Configuration Examples E-Series Routers

12-39

Virtual router B:
erx1(config)#virtual-router vrB erx1:vrB(config)#

Tunnel from Ottawa to Boston on virtual router B:

erx1:vrB(config)#interface tunnel ipsec:Bottawa2boston transport-virtual-router default erx1:vrB(config-if)#tunnel transform-set customerBprotection erx1:vrB(config-if)#tunnel local-identity subnet 10.1.0.0 255.255.0.0 erx1:vrB(config-if)#tunnel peer-identity subnet 10.3.0.0 255.255.0.0 erx1:vrB(config-if)#tunnel source 5.1.0.2 erx1:vrB(config-if)#tunnel destination 5.3.0.2 erx1:vrB(config-if)#ip address 10.3.0.0 255.255.0.0 erx1:vrB(config-if)#exit

Tunnel from Ottawa to Boca on virtual router B:

erx1:vrB(config)#interface tunnel ipsec:Bottawa2boca transport-virtual-router default erx1:vrB(config-if)#tunnel transform-set customerBprotection erx1:vrB(config-if)#tunnel local-identity subnet 10.1.0.0 255.255.0.0 erx1:vrB(config-if)#tunnel peer-identity subnet 10.2.0.0 255.255.0.0 erx1:vrB(config-if)#tunnel source 5.1.0.2 erx1:vrB(config-if)#tunnel destination 5.2.0.2 erx1:vrB(config-if)#ip address 10.2.0.0 255.255.0.0 erx1:vrB(config-if)#exit

On erx2, create two IPSec tunnels, one to carry customer As traffic and another to carry customer Bs traffic. You must create each pair of tunnels in the virtual routers where the IP interfaces reaching those customers are defined. The endpoints for the tunnels should be created in the ISP default virtual router. Virtual router A:
erx2(config)#virtual-router vrA erx2:vrA(config)#

Tunnel from Boca to Ottawa on virtual router A:

erx2:vrA(config)#interface tunnel ipsec:Aboca2ottawa transport-virtual-router default erx2:vrA(config-if)#tunnel transform-set customerAprotection erx2:vrA(config-if)#tunnel local-identity subnet 10.2.0.0 255.255.0.0 erx2:vrA(config-if)#tunnel peer-identity subnet 10.1.0.0 255.255.0.0 erx2:vrA(config-if)#tunnel source 5.2.0.1

12-40

CHAPTER 12 Configuring IPSec

erx2:vrA(config-if)#tunnel destination 5.1.0.1 erx2:vrA(config-if)#ip address 10.1.0.0 255.255.0.0 erx2:vrA(config-if)#exit

Tunnel from Boca to Boston on virtual router A:

erx2:vrA(config)#interface tunnel ipsec:Aboca2boston transport-virtual-router default erx2:vrA(config-if)#tunnel transform-set customerAprotection erx2:vrA(config-if)#tunnel local-identity subnet 10.2.0.0 255.255.0.0 erx2:vrA(config-if)#tunnel peer-identity subnet 10.3.0.0 255.255.0.0 erx2:vrA(config-if)#tunnel source 5.2.0.1 erx2:vrA(config-if)#tunnel destination 5.3.0.1 erx2:vrA(config-if)#ip address 10.3.0.0 255.255.0.0 erx2:vrA(config-if)#exit

Virtual router B:
erx2(config)#virtual-router vrB erx2:vrB(config)#

Tunnel from Boca to Ottawa on virtual router B:

erx2:vrB(config)#interface tunnel ipsec:Bboca2ottawa transport-virtual-router default erx2:vrB(config-if)#tunnel transform-set customerBprotection erx2:vrB(config-if)#tunnel local-identity subnet 10.2.0.0 255.255.0.0 erx2:vrB(config-if)#tunnel peer-identity subnet 10.1.0.0 255.255.0.0 erx2:vrB(config-if)#tunnel source 5.2.0.2 erx2:vrB(config-if)#tunnel destination 5.1.0.2 erx2:vrB(config-if)#ip address 10.1.0.0 255.255.0.0 erx2:vrB(config-if)#exit

Tunnel from Boca to Boston on virtual router B:

erx2:vrB(config)#interface tunnel ipsec:Bboca2boston transport-virtual-router default erx2:vrB(config-if)#tunnel transform-set customerBprotection erx2:vrB(config-if)#tunnel local-identity subnet 10.2.0.0 255.255.0.0 erx2:vrB(config-if)#tunnel peer-identity subnet 10.3.0.0 255.255.0.0 erx2:vrB(config-if)#tunnel source 5.2.0.2 erx2:vrB(config-if)#tunnel destination 5.3.0.2 erx2:vrB(config-if)#ip address 10.3.0.0 255.255.0.0 erx2:vrB(config-if)#exit

Configuration Examples E-Series Routers

12-41

Last, on erx3, create two IPSec tunnels, one to carry customer As traffic and another to carry customer Bs traffic. Virtual router A:
erx3(config)#virtual-router vrA erx3:vrA(config)#

Tunnel from Boston to Ottawa on virtual router A:

erx3:vrA(config)#interface tunnel ipsec:Aboston2ottawa transport-virtual-router default erx3:vrA(config-if)#tunnel transform-set customerAprotection erx3:vrA(config-if)#tunnel local-identity subnet 10.3.0.0 255.255.0.0 erx3:vrA(config-if)#tunnel peer-identity subnet 10.1.0.0 255.255.0.0 erx3:vrA(config-if)#tunnel source 5.3.0.1 erx3:vrA(config-if)#tunnel destination 5.1.0.1 erx3:vrA(config-if)#ip address 10.1.0.0 255.255.0.0 erx3:vrA(config-if)#exit

Tunnel from Boston to Boca on virtual router A:

erx3:vrA(config)#interface tunnel ipsec:Aboston2boca transport-virtual-router default erx3:vrA(config-if)#tunnel transform-set customerAprotection erx3:vrA(config-if)#tunnel local-identity subnet 10.3.0.0 255.255.0.0 erx3:vrA(config-if)#tunnel peer-identity subnet 10.2.0.0 255.255.0.0 erx3:vrA(config-if)#tunnel source 5.3.0.1 erx3:vrA(config-if)#tunnel destination 5.2.0.1 erx3:vrA(config-if)#ip address 10.1.0.0 255.255.0.0 erx3:vrA(config-if)#exit

Virtual router B:
erx3(config)#virtual-router vrB erx3:vrB(config)#

Tunnel from Boston to Ottawa on virtual router B:

erx3:vrB(config)#interface tunnel ipsec:Bboston2ottawa transport-virtual-router default erx3:vrB(config-if)#tunnel transform-set customerBprotection erx3:vrB(config-if)#tunnel local-identity subnet 10.3.0.0 255.255.0.0 erx3:vrB(config-if)#tunnel peer-identity subnet 10.1.0.0 255.255.0.0 erx3:vrB(config-if)#tunnel source 5.3.0.1 erx3:vrB(config-if)#tunnel destination 5.1.0.1 erx3:vrB(config-if)#ip address 10.1.0.0 255.255.0.0 erx3:vrB(config-if)#exit

12-42

CHAPTER 12 Configuring IPSec

Tunnel from Boston to Boca on virtual router B:

erx3:vrB(config)#interface tunnel ipsec:Bboston2boca transport-virtual-router default erx3:vrB(config-if)#tunnel transform-set customerBprotection erx3:vrB(config-if)#tunnel local-identity subnet 10.3.0.0 255.255.0.0 erx3:vrB(config-if)#tunnel peer-identity subnet 10.2.0.0 255.255.0.0 erx3:vrB(config-if)#tunnel source 5.3.0.1 erx3:vrB(config-if)#tunnel destination 5.2.0.1 erx3:vrB(config-if)#ip address 10.2.0.0 255.255.0.0 erx3:vrB(config-if)#exit

The configuration is complete. Customer As traffic and customer Bs traffic can flow through the public, or untrusted, IP network inside a tunnel, where each packet is encrypted and authenticated.

Monitoring IPSec
This section contains information on troubleshooting and monitoring IPSec.
System Event Logs

To troubleshoot and monitor IPSec, use the following system event logs:
> auditIpsec Lower layers of IKE SA negotiations > ikepki Upper layers of IKE SA negotiations > stTunnel Secure tunnel interface

For more information on using event logs, see E-Series System Basics Configuration Guide, Chapter 12, Logging System Events.
show Commands

To view your IPSec configuration and to monitor IPSec tunnels and statistics, use the following show commands.
show ike policy-rule
Use to display the configuration of IKE phase 1 policy rules. Field descriptions

Protection suite priority priority number assigned to the policy rule encryption algorithm encryption algorithm used in the IKE policy: des, 3des hash algorithm hash algorithm used in the IKE policy: SHA, MD5

Monitoring IPSec E-Series Routers

12-43

authentication method authentication method used in the IKE policy: RSA

signature, preshared keys

Diffie-Hellman group size of the Diffie-Hellman group: 768-bit, 1024-bit,

1536-bit

lifetime lifetime of SAs created with this policy: 60 to 86400 seconds aggressive mode allowed or not allowed
Example
host1#show ike policy-rule IKE Policy Rules: Protection suite priority: 5 encryption algorithm :3DES Triple Data Encryption Standard(168 bit keys) hash algorithm :SHA Secure Hash Standard authentication method:RSA Signatures Diffie-Hellman group :5 (1536 bit) lifetime aggressive mode :7200 seconds :Not Allowed

Protection suite priority: 6 encryption algorithm :3DES Triple Data Encryption Standard(168 bit keys) hash algorithm :SHA Secure Hash Standard authentication method:Pre Shared Keys Diffie-Hellman group :2 (1024 bit) lifetime aggressive mode :28800 seconds :Not Allowed

show ike sa
Use to display IKE phase 1 SAs running on the router. Field descriptions

Source local IP address of phase 1 negotiation Destination remote IP address of phase 1 negotiation Time(s) time remaining in phase 1 lifetime, in seconds State current state of the phase 1 negotiation. Corresponds to the messaging state in the main mode and aggressive mode negotiations. The number in brackets corresponds to the state number. Possible states are: MM_SA_I Sent SA initiator has sent initial main mode SA payload to the responder MM_SA_R Sent SA responder has sent a response to the initial main mode SA MM_KE_I Sent KE initiator has sent initial main mode key exchange to the responder MM_KE_R Sent KE responder has sent a response to the key exchange

12-44

CHAPTER 12 Configuring IPSec

MM_FINAL_I Sent final packet initiator has sent the final packet in the main mode negotiation MM_FINAL_R Sent final packet responder has finished main mode negotiation MM_DONE_I Done initiator has finished main mode negotiation AM_SA_I Sent SA, KE initiator has sent initial aggressive mode SA payload and key exchange to the responder AM_SA_R Sent SA, KE responder has sent aggressive mode SA payload
and key exchange to the initiator

AM_FINAL_I Sent final packet initiator has finished aggressive mode negotiation AM_DONE_R Done responder has finished aggressive mode negotiation Example
host1#show ike sa IKE Phase 1 SA's: Source 10.13.0.99 10.13.1.99 10.13.2.99 10.13.3.99 10.13.4.99 10.13.5.99 10.13.6.99 10.13.7.99 10.13.8.99 Destination 10.13.0.100 10.13.1.100 10.13.2.100 10.13.3.100 10.13.4.100 10.13.5.100 10.13.6.100 10.13.7.100 10.13.8.100 Time(s) State 12585 12584 12584 12591 12598 12632 12658 12690 12716 MM_DONE_I Done(9) MM_DONE_I Done(9) MM_DONE_I Done(9) MM_DONE_I Done(9) MM_DONE_I Done(9) MM_DONE_I Done(9) MM_DONE_I Done(9) MM_DONE_I Done(9) MM_DONE_I Done(9)

show ipsec lifetime

Use to display the configured IPSec default lifetime. Example
host1#show ipsec lifetime Default lifetime in seconds is '7200'. Default lifetime in kilobytes is '4294967295'.

show ipsec local-endpoint

Use to display the address and transport virtual router of local endpoints. To display the local endpoint of a specific transport virtual router, include the virtual router name. Example
host1#show ipsec local-endpoint transport-virtual-router default Local endpoint for transport-virtual-router default is '0.0.0.0'.

Monitoring IPSec E-Series Routers

12-45

show ipsec transform-set

Use to display transform sets configured on the router. To display a specific transform set, include the transform set name. Field descriptions

Transform-set displays the transforms in the transform set

Example 1
host1#show ipsec transform-set Transform-set: Highest security = {esp-3des-hmac-sha }. Transform-set: transform-esp-3des-hmac-sha = {esp-3des-hmac-sha }.

Example 2
host1#show ipsec transform-set transform-esp-3des-hmac-sha Transform-set: transform-esp-3des-hmac-sha = {esp-3des-hmac-sha}.

show ipsec tunnel detail

Use to display the running configuration and statistics for each tunnel. Field descriptions

IPSEC tunnel name and state of tunnel for which information is displayed Tunnel operational configuration configuration running on the tunnel
Tunnel type manual, signaled Tunnel mtu MTU size of the tunnel Tunnel localEndpoint IP address of local tunnel endpoint Tunnel destination address IP address of tunnel destination Tunnel transport virtual router name of transport virtual router over which tunnel runs Tunnel transform set tunnel transform set in use on this tunnel Tunnel local identity IP address of local endpoint identity that ISAKMP uses Tunnel peer identity IP address of peer endpoint identity that ISAKMP uses Tunnel inbound spi/SA SPI and SA in use on traffic received from the tunnel Tunnel outbound spi/SA SPI and SA in use on traffic sent to the tunnel Tunnel lifetime seconds configured lifetime in seconds Tunnel lifetime kilobytes configured lifetime in kilobytes Tunnel pfs PFS group in use on the tunnel: 0 (PFS is not in use), 1 (768-bit group), 2 (1024-bit group), 5 (1536-bit group) Tunnel administrative state Up, Down

Tunnel Statistics displays statistics on traffic received on and sent from this
tunnel InUserPackets number of user packets received InUserOctets number of octets received from user packets InAccPackets number of encapsulated packets received

12-46

CHAPTER 12 Configuring IPSec

InAccOctets number of octets received in encapsulated packets InAuthErrors number of authentication errors received InReplayErrors number of replay errors in received traffic InPolicyErrors number of policy errors in received traffic InOtherRxErrors number of packets received that have errors other than those listed above InDecryptErrors number of decryption errors in received traffic InPadErrors number of packets received that had invalid values after the packet was decrypted OutUserPackets number of user packets sent OutUserOctets number of octets sent in user packets OutAccPackets number of encapsulated packets sent OutAccOctets number of octets sent in encapsulated packets OutPolicyErrors number of packets arriving at tunnel for encapsulation that do not meet specified tunnel identifier (selector) OutOtherTxErrors number of outbound packets that have errors other than those listed above Example
host1#show ipsec tunnel detail IPSEC tunnel s0l1e3d0 is up Tunnel operational configuration: Tunnel type is signaled Tunnel mtu is 1440 Tunnel localEndpoint is 10.255.1.13 Tunnel destination address is 10.255.1.14 Tunnel transport virtual router is vr00 Tunnel transform set is transform-esp-3des-hmac-sha Tunnel local identity is ipAddress: 10.0.10.3 Tunnel peer identity is ipAddress: 10.0.11.3 Tunnel inbound spi is 0x13c00201, SA is esp-3des-hmac-sha. Tunnel outbound spi is 0x12b90209, SA is esp-3des-hmac-sha. Tunnel lifetime seconds is 7200 Tunnel lifetime kilobytes is 102400 Tunnel pfs is group 5 Tunnel administrative state is Up Tunnel Statistics : InUserPackets InUserOcets InAccPackets InAccOcets InAuthErrors InReplayErrors InPolicyErrors InOtherRxErrors 297 306232 297 322864 0 0 0 0

Monitoring IPSec E-Series Routers

12-47

InDecryptErrors InPadErrors OutUserPackets OutUserOctes OutAccPackets OutAccOcets OutPolicyErrors OutOtherTxErrors

0 0 316 317424 316 335120 0 0

show ipsec tunnel summary

Use to display a summary of all tunnels configured on the router. Field descriptions

Total number of ipsec interface number of tunnels configured on the router Administrative status number of tunnels with an administrative status of
enabled and disabled

Operational status number of tunnels with an operational status of up,

down, lower layer down, not present Example
host1#show ipsec tunnel summary Total number of ipsec interface is 40 Administrative status Operational status up 40 enabled 40 down 0 disabled 0 lower-down 0 not-present 0

show ipsec tunnel virtual-router

Use to display the status of tunnels configured on a virtual router. To display only tunnels that are in a specific state, use the state keyword. To display tunnels that are using a particular IP address, use the ip keyword. Field descriptions

For a description of fields, see the show ipsec tunnel detail command.
Example
host1#show ipsec tunnel virtual-router default ip 10.255.1.13 IPSEC tunnel s0l1e3d0 is up IPSEC tunnel s0l1e3d1 is up IPSEC tunnel s0l2e3d0 is up IPSEC tunnel s0l2e3d1 is up IPSEC tunnel s0l3e3d0 is up IPSEC tunnel s0l4e3d0 is up IPSEC tunnel s0l4e3d1 is up IPSEC tunnel s0l5e3d0 is up

12-48

CHAPTER 12 Configuring IPSec

show license ipsec-tunnels

Use to display the IPSec license key configured on the router and the number of tunnels allowed on the router. Example
host1#show license ipsec-tunnels ipsec-tunnels license is 'g1k23b23eb2j' which allows 5000 tunnels with 1 IPsec card and 7500 tunnels with 2 or more IPsec cards.

Configuring Digital Certificates

13
Page 13-1 13-2 13-3 13-7 13-12

This chapter describes the digital certificates feature on your E-series router.
Topic Overview References IKE Authentication Using Digital Certificates Configuration Tasks Monitoring Digital Certificates

Overview
You can use digital certificates in place of preshared keys for IKE negotiations. For more information about IKE, see IKE Overview in Chapter 12, Configuring IPSec.

13-2

CHAPTER 13 Configuring Digital Certificates

Terms

Table 13-1 defines terms and abbreviations that are used in this discussion of digital certificates.
Table 13-1 Digital certificate terms and abbreviations Term 3DES Base64 CA Certificate Certificate revocation list (CRL) ESP IKE PKCS PKCS10 Root CA Root certificate RSA SA Definition Triple DES encryption/decryption algorithm Method used to encode certificate requests and certificates before they are sent to or from the CA. Certificate authority. An organization that creates digital certificates. Binds a person or entity to a public key using a digital signature. A list of certificates that a CA has revoked Encapsulating Security Payload; provides data integrity, data confidentiality and, optionally, senders authentication Internet Key Exchange Public-Key Cryptography Standards; a series of standards established by RSA Laboratories PKCS #10, which describes a syntax for certification requests CA that signs the certificates of subordinate CAs Self-signed public key certificate for a root CA. Root certificates are used to verify other certificates Rivest-Shamir-Adleman encryption algorithm Security association. The set of security parameters that dictate how IPSec processes a packet, including encapsulation protocol and session keys. A single secure tunnel uses multiple SAs.

References
Digital certificates support: RFC 2986 PKCS #10: Certification Request Syntax Specification Version 1.7 (November 2000) RFC 2459 Internet X.509 Public Key Infrastructure Certificate and CRL Profile (January 1999) For more information on IPSec and IKE, see Chapter 12, Configuring IPSec.

IKE Authentication Using Digital Certificates E-Series Routers

13-3

IKE Authentication Using Digital Certificates

As part of the IKE protocol, one security gateway needs to authenticate another security gateway to make sure that IKE SAs are established with the intended party. The E-series router supports two authentication methods: Digital certificates (using RSA algorithms) For digital certificate authentication, an initiator signs message interchange data using his private key, and a responder uses the initiators public key to verify the signature. Typically, the public key is exchanged via messages containing an X.509v3 certificate. This certificate provides a level of assurance that a peers identityas represented in the certificateis associated with a particular public key. Preshared keys With preshared key authentication, the same secret must be configured on both security gateways before the gateways can authenticate each other. The following sections provide information on digital certificates. For information on using preshared keys, see IKE Overview in Chapter 12, Configuring IPSec.
Signature Authentication

The following are key steps for using public key cryptography to authenticate a peer. These steps are described in more detail in the following sections.
1

Generating a private/public key pair. Before the router can place a digital signature on messages, it requires a private key to sign, and requires a public key so that message receivers can verify the signature.

Obtaining a public key certificate. The router requires at least one public key certificate, which binds the router identity to its public key. The CA verifies the identity represented on the certificate and then signs the certificate. The router sends the certificate to IKE peers during negotiations to advertise the router public key.

13-4

CHAPTER 13 Configuring Digital Certificates

Obtaining a root CA certificate. The router requires at least one root CA certificate to send to IKE peers, and also to verify that a peers certificate is genuine.

Authenticating the peer. As part of IKE negotiations, the router receives its peers digital signature in a message exchange. The router must verify the digital signature using the peers public key. The public key is contained in the peers certificate, which often is received during the IKE negotiation. To ensure that the peer certificate is valid, the router verifies its digital signature using the CA public key contained in the root CA certificate. The router and its IKE peer require at least one common trusted root CA for authentication to work.

Generally, only step 4 above is required each time a Phase 1 negotiation happens. The first three steps are required only if keys are compromised or router certificates require renewal.
Generating Private/Public Key Pairs

The E-series router needs at least one valid pair of public/private keys whenever it uses any of the public key methods for authenticating an IKE peer. The E-series router can generate its own public/private key pairs. The public/private key pair supports the RSA standard (1024 or 2048 bits). The private key is used only by the E-series router. It is never exchanged with any other nodes. It is used to place a digital signature on IKE authentication messages. When generated, it is securely stored internally to the E-series router in flash memory. Access to the private key is never allowed, not even to a system administrator or a network management system. Private key storage includes protection mechanisms to prevent improper private key usage, including encryption with 3DES using a unique internally generated key. The key is also tied to SRP-specific data to prevent swapping flash disks between routers. The public key is used in the generation of the router certificate request, which is sent to a CA. Based on the certificate request, the CA generates a public key certificate for the E-series router. The router public/private key pair is a global system attribute. It does not matter how many IPSec service line modules exist in the router; only one set of keys is available at any given moment. The private/public key pair applies across all virtual routers and is persistent across reloads and booting to factory defaults.

IKE Authentication Using Digital Certificates E-Series Routers

13-5

Obtaining a Public Key Certificate

Once the public key is generated, the router must obtain a public key certificate from a CA, a process called certificate enrollment. The E-series router supports manual certificate enrollment, which works as follows:
1 2 3 4 5

An operator generates a certificate request by supplying identity information. The E-series router creates a certificate request file and makes it available to the operator. The operator supplies the certificate request file to a CA for approval, typically by copying and pasting the file to a Web page. The CA approves the request and generates a certificate. The operator copies the certificate file onto the E-series router so that it can be used for IKE negotiations.

The standards supported for this enrollment are PKCS #10 certificate requests and X.509v3 certificates. Certificates are encoded in base64 (MIME) so that the files are easily transferred through cut and paste operations and e-mail.
Obtaining a Root CA Certificate

Downloading the root CAs self-signed certificate is also done manually. An operator obtains the root CA certificate, typically through a Web browser, and copies the certificate file to the E-series router so that the router can use it as part of IKE negotiations. The standards supported for obtaining root CAs are X.509v3, base64, and BER-encoded certificates.
Authenticating the Peer

The E-series router validates X.509v3 certificates from the peer by confirming that the ID payload passed in IKE matches the identifiers in the peer certificate. The router also verifies that the signature is correct, based on the root CA public key.
Note: The E-series router does not support certificate chains (where a root CA signs the certificate of a subordinate CA, and a subordinate CA signs the peer certificate), so validation must be done on each stage up to the root CA that both peers trust).

The E-series router also validates the certificate based on its time window, so correct UTC time on the router is essential. In addition to the certificate checks, the E-series router confirms that message data received

13-6

CHAPTER 13 Configuring Digital Certificates

from the peer has the correct signature based on the peers public key as found in its certificate. Once complete, the IKE authentication is done and quick-mode negotiation of SAs can proceed.
Checking CRLs

To use CRL checking, you must copy CRL files that are published by CAs to the E-series router. Using the ike crl command, you can control how the router handles CRLs during negotiation of IKE phase 1 signature authentication. The ike crl command has three settings: Ignored Allows negotiations to succeed even if a CRL is invalid or the peers certificate appears in the CRL; this is the most lenient setting. Optional If the router finds a valid CRL, it uses it. Required Requires a valid CRL, and the certificates belonging to the E-series router or the peer must not appear in the CRL; this is the strictest setting. Based on the CRL setting, you can expect that phase 1 IKE negotiations will succeed or fail depending on the following conditions: CRL OK The certificate revocation list is present for the CA and valid (not expired). CRL expired The CRL is present on the E-series router but is old Missing CRL There is no CRL on the router for the CA. Peer Cert revoked The CRL contains the peer certificate. ERX Cert revoked The CRL contains the E-series routers certificate. Table 13-2 shows some examples of how the CRL setting affects the outcome of IKE phase 1 negotiations. It shows common problem conditions such as ERX Cert revoked.
Table 13-2 Outcome of IKE phase 1 negotiations CRL Setting Condition CRL OK CRL expired Missing CRL Peer Cert revoked Optional Succeed Succeed Succeed Fail Ignored Succeed Succeed Succeed Succeed Required Succeed Fail Fail Fail

Configuration Tasks E-Series Routers

13-7

Table 13-2 Outcome of IKE phase 1 negotiations (continued) CRL Setting Condition ERX Cert revoked Optional Fail Ignored Succeed Required Fail

File Extensions

Table 13-3 describes the file extensions that digital certificates use on the E-series router.
Table 13-3 File extensions File Extension .crq .cer Description Used for certificate request files that are generated on the E-series router and taken to CAs for obtaining a certificate. Used for public certificate files. The public certificates for root CAs and the router public certificates are copied to the E-series router. They are autorecognized as belonging to the E-series router or CA by certificate subject name and issuer name (in a CA they are the same). The E-series router supports multiple CAs. Used for certificate revocation lists that are obtained offline from CAs and copied to the E-series router. CRLs indicate which certificates from a particular CA are revoked.

.crl

In addition, router IKE identity information and private keys are kept on the flash disk in hidden areas not visible to users. (These files do not appear when you enter a dir command).

Configuration Tasks
To set up digital certificates:
1

Generate RSA key pairs.

host1(config)#ipsec key generate rsa 2048 Please wait................................................. .......................... IPsec Generate Keys complete

In your IKE policy, set the authentication method to RSA signatures.

host1(config)#ipsec isakmp-policy-rule 1 host1(config-isakmp-policy)#authentication rsa-sig

Note: For more information on setting up IKE policies, see Defining an ISAKMP/IKE Policy in Chapter 12, Configuring IPSec.

13-8

CHAPTER 13 Configuring Digital Certificates

Enter IPSec Identity Configuration mode.

host1(config)#ipsec identity host1(config-ipsec-identity)#

Specify the information that the router uses to generate a certificate request.
a

Specify a country name.

host1(config-ipsec-identity)#country CA

Specify a common name.

host1(config-ipsec-identity)#common-name Jim

Specify a domain name.

host1(config-ipsec-identity)#domain-name myerx.kanata.junipernetworks.com

Specify an organization.

host1(config-ipsec-identity)#organization juniperNetworks host1(config-ipsec-identity)#exit host1(config)#

Generate a certificate request using certificate parameters from the IPSec identity configuration.
host1(config)#ipsec certificate-request generate rsa myrequest.crq

Once the certificate request is generated, you need to copy the file from the E-series router and send it to the CA. Typically, you will copy the file and paste it to a CAs Web page. When you receive the certificate from the CA, copy the certificate to the E-series router, and then inform the router that a new certificate exists.
host1(config)#ipsec certificate-database refresh

(Optional) Set the sensitivity of how the router handles CRLs.

host1(config)#ike crl ignored

(Optional) To delete RSA key pairs, use the ipsec key zeroize command.
host1(config)#ipsec key zeroize rsa

Configuration Tasks E-Series Routers

13-9

authentication
Use to specify the authentication method that the router uses in the IKE policy to RSA signature. Example
host1(config-isakmp-policy)#authentication rsa-sig

Use the no version to restore the default, preshared keys.

common-name
Use to specify a common name used to generate certificate requests. Example
host1(config-ipsec-identity)#common-name Jim

Use the no version to remove the common name.

country
Use to specify a country name used to generate certificate requests. Example
host1(config-ipsec-identity)#country CA

Use the no version to remove the country name.

domain-name
Use to specify the domain name that the router uses in IKE authentication messages and to generate certificate requests. The domain name is used in the SubjectAlternative DNS certicate extensions and as an FQDN (fully qualified domain name) ID payload for IKE negotiations. Example
host1(config-ipsec-identity)#domain-name myerx.kanata.junipernetworks.com

Use the no version to remove the domain name.

ike crl
Use to control how the router handles certificate revocation lists (CRLs) during negotiation of IKE phase 1 signature authentication. Specify one of the following keywords:

ignored allows negotiations to succeed even if a CRL is invalid or the

peers certificate appears in the CRL; this is the most lenient setting

optional if the router finds a valid CRL, it uses it; this is the default setting required requires a valid CRL; either the certificates that belong to the
E-series router or the peer must not appear in the CRL; this is the strictest setting

13-10

CHAPTER 13 Configuring Digital Certificates

Example
host1(config)#ike crl ignored

Use the no version to return the CRL setting to the default, optional.

ipsec certificate-database refresh

Use to inform the E-series router that a public key certificate has been copied to the router. The router then verifies public certificates found on its disk against its private key and prepares the certificates for use.
Note: On reload, the router scans all certificate files and determines which files are router public certificates and which are root CA certificates.

Example
host1(config)#ipsec certificate-database refresh

There is no no version.

ipsec certificate-request generate

Use to cause the router to generate a certificate request using certificate parameters from the IPSec identity configuration. Include a name for the certificate request file. The file name must have a .crq extension. Once the router generates the certificate, use offline methods to send the certificate request file to the CA. Example
host1(config)#ipsec certificate-request generate rsa myrequest.crq

There is no no version.

ipsec identity
Use to enter IPSec Identity Configuration mode where you can specify information that the router uses in certificate requests and during negotiations with its peers. Example
host1(config)#ipsec identity host1(config-ipsec-identity)#

Use the no version to remove the identity configuration.

ipsec isakmp-policy-rule
Use to define an ISAKMP/IKE policy. When you enter the command, you include a number that identifies the policy and assigns a priority to the policy. You can number policies from 1 to 10000, with 1 having the highest priority.

Configuration Tasks E-Series Routers

13-11

Example
host1(config)#ipsec isakmp-policy-rule 3 host1(config-isakmp-policy)#

Use the no version to remove policies. If you do not include a priority number with the no version, all policies are removed.

ipsec key generate

Use to generate RSA key pairs. Include a length of 1024 or 2048 bits. The generated keys can be used only after the CA issues a certificate for them. Example
host1(config)#ipsec key generate rsa 4096 Please wait................................................. .......................... IPsec Generate Keys complete

There is no no version. To remove a key pair, use the ipsec key zeroize command.

ipsec key zeroize

Use to delete RSA key pairs. Include one of the following keywords

rsa removes the RSA key pair from the router pre-share removes all preshared keys from the router all removes all keys within the VR context from the router
Example
host1(config)#ipsec key zeroize rsa

There is no no version.

organization
Use to specify the organization used in the Subject Name field of certificates. Example
host1(config-ipsec-identity)#organization juniperNetworks

Use the no version to remove the organization name.

13-12

CHAPTER 13 Configuring Digital Certificates

Monitoring Digital Certificates

Use the following show commands to display IKE certificates, CRLs, and your IKE configuration.
show ike certificates
Use to display the IKE certificates and CRLs on the E-series router. Specify the type of certificate you want to display:

all all certificates configured on the router crl certificate revocation lists peer peer certificates public-certs public certificates root-cas root CA certificates

Use the hex-format keyword to display certificate data, such as serial numbers, in hexadecimal format. Doing so allows easier comparison with CAs, such as Microsoft, that display certificates in hex format. Example

Certificate = SerialNumber = 4882201

host1#show ike certificates public-certs

SubjectName = <C=CA, O=Juniper Networks, CN=Trev Larock> IssuerName = <C=FI, O=SSH Communications Security Corp, CN=SSH Test CA 1 No Liabilities> Validity = NotBefore = 2003 Feb NotAfter = 2003 Mar PublicKeyInfo = PublicKey = Algorithm name (SSH) : if-modn{sign{rsa-pkcs1-md5}} Modulus n (1024 bits) : 13225766016639784111076637633741932992106377577699283110795188796052482 65342146764124357160800571914230195127208418504109976431218877486359782 05039116157265311149909398062120023292037934003177853958261330798885742 78483784295640530834307567681635251787413138487842020206430811996635774 6473467422163528513914011 Exponent e ( 65537 Extensions = Available = authority key identifier, subject key identifier, key usage(critical), subject alternative names, CRL distribution points, extended key usage SubjectAlternativeNames = Following names detected = DNS (domain name server name) Viewing specific name types = 17 bits) : 5th, 00:37:07 GMT 7th, 01:07:07 GMT

Monitoring Digital Certificates E-Series Routers

13-13

DNS = treverx1.unispherenetworks.com KeyUsage = DigitalSignature [CRITICAL] CRLDistributionPoints = % Entry 1 FullName = Following names detected = URI (uniform resource indicator) Viewing specific name types = URI = ldap://193.64.193.154:389/CN=SSH%20Test%20CA%201%20No%20Liabilities ,O=SSH%20Communications%20Security%20Corp,C=FI?certificaterevocatio nlist AuthorityKeyID = KeyID = : 3d cb be 20 64 49 16 1d 88 b7 98 67 93 f0 5d 42 81 2e bd 0c SubjectKeyID = KeyId = : cb 89 0a 07 8c b1 bd a0 5a 8d 9f fb 08 6f ae bf fc 22 37 2b ExtendedKeyUsage = clientAuth (1.3.6.1.5.5.7.3.2) ikeIntermediate (1.3.6.1.5.5.8.2.2) host1#show ike certificates root-cas Certificate = SerialNumber = 1538512 SubjectName = <C=FI, O=SSH Communications Security Corp, CN=SSH Test CA 1 No Liabilities> IssuerName = <C=FI, O=SSH Communications Security Corp, CN=SSH Test CA 1 No Liabilities> Certificate seems to be self-signed. * Signature verification success. Validity = NotBefore = 2001 Aug NotAfter = 2004 Aug PublicKeyInfo = PublicKey = Algorithm name (SSH) : if-modn{sign{rsa-pkcs1-md5}} Modulus n (1024 bits) : 11917611287778603070080534566511562975214407448390943179928807818173885 47247666155825989542261220981799976308014604905009354671795084636946388 05807250595102357061876406491725197545378029185127138910656474019020750 57893862702272777323679505496338679231604634989591340666076231855527357 3617925277649092630861237 Exponent e ( 65537 17 bits) : 1st, 07:08:32 GMT 1st, 07:08:32 GMT

13-14

CHAPTER 13 Configuring Digital Certificates

Extensions = Available = authority key identifier, subject key identifier, key usage(critical), subject alternative names, basic constraints(critical) SubjectAlternativeNames = Following names detected = EMAIL (rfc822) Viewing specific name types = EMAIL = [email protected] KeyUsage = DigitalSignature KeyCertSign CRLSign [CRITICAL] BasicConstraints = PathLength = 0 cA = TRUE [CRITICAL]

show ike configuration

Use to display a summary of the IKE configuration. Field descriptions

Ike identity information from your IKE identify configuration that the router
uses to generate certificate requests

CRL Check setting of the CRL check: optional, required, ignored

Example
host1#show ike configuration Ike configuration: Ike identity: Domain Name :treverxsys2.juniper.net Common Name :Sys2 ERX Organization:Juniper Networks Country CRL Check:optional :CA

show ike identity

Use to display the IKE identity configuration. Example
host1#show ike identity Ike identity: Domain Name :myerx.kanata.junipernetworks.com Common Name :jim Organization:junipernetworks Country :ca

Configuring L2TP with IPSec

14
Page 14-1 14-2 14-2 14-7 14-7 14-13

This chapter describes the L2TP with IPSec feature on your E-series router.
Topic Overview References How Secure Remote Access Works Configuration Tasks for Client PC Configuration Tasks for E-Series Routers Monitoring L2TP over IPSec

Overview
IPSec remote access allows clients to connect to a corporate VPN over the public Internet with a secure connection. IPSec remote access works by running an L2TP tunnel on top of an IPSec transport mode connection. The secure tunnel runs from the client PC to the E-series router that terminates the secure tunnel. Using L2TP with IPSec, B-RAS clients can securely connect to a corporate or other VPN in addition to another unsecured connection to the Internet.

14-2

CHAPTER 14 Configuring L2TP with IPSec

References
This IPSec with L2TP implementation supports: RFC 3193 Securing L2TP using IPSec (November 2001) RFC 2661 Layer Two Tunneling Protocol L2TP (August 1999) RFC 2401 Security Architecture for the Internet Protocol (November 1998) For more information on related router features, see: Chapter 12, Configuring IPSec Chapter 13, Configuring Digital Certificates E-Series Broadband Access Configuration Guide, Chapter 5, Configuring L2TP

How Secure Remote Access Works

On the router side of the L2TP connection, the E-series router acts as the L2TP Network Server (LNS). On the PC client side of the connection, the client acts as the L2TP Access Concentrator (LAC) and runs L2TP/IPSec software that is built into specified Microsoft Windows operating systems. Both sides of the connection run IPSec in transport mode with Encapsulating Security Payload (ESP) encryption and authentication. In the model shown in Figure 14-1, a client PC connects to its local provider, who gives the client a public IP address. Using the public IP address, the client PC initiates an IPSec connection toward the L2TP/IPSec gateway for the private network that it wants to connect to. After establishing the IPSec connection, the client establishes an L2TP tunnel to the same L2TP/IPSec gateway, which provides the client with another IP interface to access the private network it is connecting to. The L2TP tunnel is completely protected by the IPSec connection established earlier.

How Secure Remote Access Works E-Series Routers

14-3

IP interface on top of L2TP/IPSec tunnel, for secure VPN traffic

RADIUS server

RADIUS server

PC client

Access network

ISP

Public IP network

VPN provider

IP interface over access network for public network access

Figure 14-1 L2TP with IPSec application

Setting Up the Secure Connection

Figure 14-2 gives an overview of the process used to set up a secure connection between the client PC and the E-series router.

Internet 1. First IP interface PC 2. IKE SA 3. Secure IP interface ERX B-RAS + IPSec VPN Content

g013168 g013308

Figure 14-2 L2TP with IPSec model

To set up the secure connection shown in Figure 14-2:

1 2

Obtain an IP address from your ISP, using a normal B-RAS termination. IKE signals a security association (SA) between the client PC and the E-series router. Two unidirectional SAs are established to secure data traffic. The IPSec connection secures UDP port 1701.

Set up an L2TP tunnel and session between the client PC (the LAC) and the E-series router (the LNS). The tunnel runs over the SAs that IKE established.

14-4

CHAPTER 14 Configuring L2TP with IPSec

L2TP with IPSec Control and Data Frames

L2TP defines control and data messages used for L2TP/IPSec. Figure 14-3 shows an L2TP/IPSec encapsulated control frame. The gray area indicates the encrypted part of the frame.

Data link header

IP header

IPSec ESP header

UDP header

L2TP message

IPSec ESP trailer

IPSec auth trailer

Data link trailer

g013609

Encrypted by IPSec
Figure 14-3 L2TP/IPSec encapsulated control frame

Figure 14-4 is an L2TP/IPSec encapsulated data frame. The gray area shows the encrypted part of the frame.

Data link header

IP header

IPSec ESP header

UDP header

L2TP message

PPP header

PPP payload

IPSec ESP trailer

IPSec auth trailer

Data link trailer

Authenticated by IPSec
Figure 14-4 L2TP/IPSec encapsulated data packet

Compatibility and Requirements

This section covers various compatibility issues and requirements for the IPSec/L2TP traffic.
End-to-End Security

L2TP/IPSec provides security only between tunnel endpoints. It does not provide end-to-end security. For end-to-end security, you need additional security for the connection beyond the router.

g013608

Encrypted by IPSec

How Secure Remote Access Works E-Series Routers

14-5

Client Software Supported

The L2TP/IPSec software supports the following client PC operating systems and L2TP and IPSec applications: Windows 2000 and Windows XP running built-in IPSec VPN software. Microsoft L2TP/IPSec VPN client for Windows NT, Windows 98, and Windows Me. SafeNet client software.
Interactions with NAT

Network address translation (NAT) devices can change the IP address and/or port number of a traversing IP packet. Encrypted frames, where an ESP header follows the IP header, may or may not get through the NAT device. You can set up the router to run in NAT passthrough mode, which causes the router to not generate or check UDP checksums. The reason is that a NAT device may change the IP address while the UDP header is encrypted. In this case, the UDP checksum cannot be recalculated. Not generating or checking UDP checksums does not compromise security, because IPSec protects UDP with an authentication algorithm far stronger than UDP checksums. To set up the router to run in NAT passthrough mode, use the application l2tp-nat-passthrough command. For the router to accept an IP address that is changed by NAT, configure the IP address in the IPSec transport profile as the wildcard.
Tunnel Creation

The E-series router can have both secured and unsecured L2TP tunnels. When you configure L2TP, you can differentiate the secured and unsecured tunnels in the L2TP destination profile with the enable ipsec transport command. Unsecured L2TP tunnels are not allowed on the IPSec service module.
Interaction Between IPSec and PPP

PPP defines the ECP and CCP modes, and these modes are currently not supported in the E-series router. There will be no interaction related to encryption directives between IPSec and PPP.

14-6

CHAPTER 14 Configuring L2TP with IPSec

Number of L2TP/IPSec Connections

The IPSec service module allows up to 5,000 secure tunnels and L2TP/IPSec connections combined.
LNS Change of Address

For L2TP applications, the LNS may change the IP address from its end when an incoming call is terminated. If this is done in an L2TP tunnel protected by IPSec, the following procedure must be followed:
1 2 3

The LNS must send a StopCCN to the LAC, with the Result and Error Code AVP present. The Result Code must be set to 2 (General Error), and the Error Code should be set to 7 (Try Another). The optional error message must be present, and the contents must contain only the IP address (ASCII, dotted decimal encoded) that the LNS wants to use for subsequent communications. The StopCCN message must be sent with the same address and port that the LAC used to send the SCCRQ.

In the above scenario, the LACthat is, the client PCneeds to establish a new IPSec tunnel toward the new LNS address before a new SCCRQ can be sent to the new destination.
LNS Change of Port

In the L2TP world, the LNS is allowed to change its port number; this functionality is currently not supported in the E-series router. IPSec allows only port 1701 to be used for L2TP/IPSec tunnels. However, the LAC is allowed to use any source port it desires.
Group Preshared Key

Group preshared keys allow the provisioning of secure remote access via L2TP/IPSec to networks that do not use a certificate authority (CA) to issue certificates. A group preshared key is associated with a local IP address in the E-series router and is used to authenticate L2TP/IPSec clients that target this IP address as their VPN server address.
Caution: Group preshared keys are not fully secure, and we recommend that you use digital certificates in place of group preshared keys. Group preshared keys are open to man-in-the-middle attacks. To reduce this risk, the E-series router accepts only IPSec connections that specify L2TP traffic selectors for security associations (SAs) that are negotiated over IKE connections authenticated with group preshared keys.

Configuration Tasks for Client PC E-Series Routers

14-7

Configuration Tasks for Client PC

To set up client PCs, you need to: Create an IPSec security policy to secure L2TP traffic to the E-series router. Get a certificate for the client or set up preshared keys. Create a VPN connection to the router. Log the client on to the E-series router.

Configuration Tasks for E-Series Routers

The main configuration tasks for setting up IPSec over L2TP are: Set up IP connectivity to L2TP clients; for example, PPPoE, DHCP, or static IP. Set up digital certificates on the router, or configure preshared keys for IKE authentication. To set up digital certificates, see Chapter 13, Configuring Digital Certificates. To set up preshared keys, see Configuring IPSec Parameters in Chapter 12, Configuring IPSec. Create IPSec policies. See Defining an ISAKMP/IKE Policy in Chapter 12, Configuring IPSec. Configure RADIUS authentication and accounting. See E-Series Broadband Access Configuration Guide, Chapter 1, Configuring Remote Access. Configure L2TP destination profiles. See next section. Configure IPSec transport profiles. See section later in this chapter.
Configuring L2TP Destination Profiles

To configure an L2TP destination profile:

1

Create a destination profile that defines the location of the LAC, and access L2TP Destination Profile Configuration mode.
host1(config)#l2tp destination profile boston4 ip address 192.168.76.20 host1(config-l2tp-dest-profile)#

14-8

CHAPTER 14 Configuring L2TP with IPSec

Specify that for L2TP tunnels associated with this destination profile, the router accepts only tunnels protected by IPSec.
host1(config-l2tp-dest-profile-host)#enable ipsec-transport

Define the L2TP host profile, and enter L2TP Destination Profile Host Configuration mode.
host1(config-l2tp-dest-profile)#remote host default host1(config-l2tp-dest-profile-host)#

(Optional) Assign a profile name for a remote host.

host1(config-l2tp-dest-profile-host)#profile georgeProfile1

Specify the local IP address to be used in any packets sent to the LAC.
host1(config-l2tp-dest-profile-host)#local ip address 10.0.0.1

For information on other L2TP destination profile commands, see Configuring the LNS in E-Series Broadband Access Configuration Guide, Chapter 5, Configuring L2TP.
enable ipsec-transport
Use to specify that the router accepts only L2TP tunnels protected by an IPSec transport connection. Example
host1(config-l2tp-dest-profile-host)#enable ipsec-transport

Use the no version to disable IPSec transport mode.

Configuring IPSec Transport Profiles

To create an IPSec transport profile:

Boston(config)#ipsec transport profile secureL2tp virtual-router default ip address 0.0.0.0 Boston(config-ipsec-transport-profile)#

You can then set any of the following parameters for the profile. Specify the type of application that the profile secures.
Boston(config-ipsec-transport-profile)#application l2tp-nat-passthrough

Set a lifetime range for the IPSec connection in volume of traffic and/or seconds.
Boston(config-ipsec-transport-profile)#lifetime seconds 3600 28800 kilobytes 102400 4294967295

Configuration Tasks for E-Series Routers E-Series Routers

14-9

Configure perfect forward secrecy for connections created with this IPSec transport profile.
host1(config-ipsec-transport-profile)#pfs group 5

Specify the transform set(s) that an IPSec transport connection uses to negotiate a transform algorithm.
Boston(config-ipsec-transport-profile)#transform-set esp-3des-hmac-sha esp-3des-hmac-md5

Specify the local endpoint (for L2TP, the LNS address) of the IPSec transport connection, and enter Local IPSec Transport Profile mode.
Boston(config-ipsec-transport-profile)#local ip address 10.10.1.1 Boston(config-ipsec-transport-profile-local)#

Configure a key for IKE negotiations.

a

Enter the unencrypted key.

host1(config-ipsec-transport-profile-local)#pre-share secretforL2tp

The router encrypts the key and stores it in encrypted form. You can no longer retrieve the unencrypted.
b

Display the encrypted key.

Note: The show config command displays the key in its encrypted (masked) format.
host1#show config ! ipsec transport profile secureL2tp virtual-router default ip address 10.0.0.0 local ip address 0.0.0.0 pre-share-masked AAAAGAAAAAIAAAACmQGsvejwZkiSLTFOWvjianwzRyr41KgE !

Enter the encrypted key in the local transport profile.

host1(config-ipsec-transport-profile-local)#pre-share-maske d AAAAGAAAAAIAAAACmQGsvejwZkiSLTFOWvjianwzRyr41KgE

If you must reenter the key (for example, on a system reload using the show config output command to configure the router), you can use the masked-key. If you know the unencrypted key, you can enter it using the pre-share command.

14-10

CHAPTER 14 Configuring L2TP with IPSec

application
Use to specify the type of application that is secured by connections created with this IPSec transport profile. To specify the application, use one of the following keywords:

l2tp secures L2TP traffic l2tp-nat-passthrough secures L2TP traffic and also allows clients to
connect from behind NAT devices that support IPSec passthrough. To allow these clients to connect, the router: Does not generate or verify UDP checksums. This does not compromise security, because IPSec protects UDP packets with an authentication algorithm far stronger than UDP checksums. Provides IPSec filtering based on the received IP address (the NAT public IP address), rather than filtering based on the negotiated IKE identities. Example
Boston(config-ipsec-transport-profile)#application l2tp-nat-passthrough

Use the no version to return to the default application, L2TP.

ipsec transport profile

Use to create a transport profile for IPSec and access the IPSec transport profile configuration prompt. To create a new profile, you must include the following keywords:

virtual-router name of the virtual router on which you want to create the
profile

ip address remote endpoint for the IPSec transport connection. You can
enter a fixed IP address or the wildcard address, 0.0.0.0. If you use the wildcard address, the profile accepts any remote client connection, which is a typical scenario for secure remote access. Example
Boston(config)#ipsec transport profile secureL2tp virtual-router default ip address 0.0.0.0 Boston(config-ipsec-transport-profile)#

Use the no version to delete the profile.

lifetime
Use to set a lifetime range for the IPSec connection in volume of traffic and/or in seconds. If the PC client offers a lifetime within this range, the router accepts the offer. If the PC client offers a lifetime outside of this range, the router rejects the connection. Example
Boston(config-ipsec-transport-profile)#lifetime seconds 900 86400 kilobytes 100000 4294967295

Use the no version to restore the default values, 1000004294967295 KB and 90086400 seconds (124 hours).

Configuration Tasks for E-Series Routers E-Series Routers

14-11

local ip address
Use to specify the local endpoint (for L2TP, the LNS address) of the IPSec transport connection and to enter Local IPSec Transport Profile Configuration mode. You can enter this command multiple times in an IPSec transport profile. You can enter a fixed IP address or the wildcard address, 0.0.0.0. The wildcard address has a lower precedence than a fixed IP address.
Caution: We do not recommend that you use address 0.0.0.0 because it allows any address to accept IKE calls, and it creates a group preshared key, which is not fully secure.

Example
Boston(config-ipsec-transport-profile)#local ip address 192.168.1.2 host1(config-ipsec-transport-profile-local)#

Use the no version to delete the IP address.

pfs group
Use to configure perfect forward secrecy for connections created with this IPSec transport profile. Assign a Diffie-Hellman prime modulus group using one of the following keywords:

1 768-bit group 2 1024-bit group 5 1536-bit group

Example
host1(config-ipsec-transport-profile)#pfs group 5

Use the no version to remove PFS from this profile, which is the default setting.

pre-share
Use to configure an unencrypted (red) preshared key to authenticate IKE negotiations that arrive from any remote IP address specified for this transport profile and that are destined for the local IP address. If the remote endpoint address is a wildcard address, this preshared key is a group preshared key.
Caution: Group preshared keys are not fully secure, and we do not recommend using them. They are provided for trials and testing purposes where the missed security does not pose a risk to the provider.

After you enter the preshared key, use the show config command to see the encrypted form of the key. You then enter the encrypted key with the pre-share-masked command. To have preshared key authentication take place, you must also specify the IKE policy rule as preshared by entering authentication pre-share in ISAKMP Policy Configuration mode.

14-12

CHAPTER 14 Configuring L2TP with IPSec

Example
host1(config-ipsec-transport-profile-local)#pre-share secretforL2tp

Use the no version to remove the key.

pre-share-masked
Use to specify an encrypted preshared key. To obtain this key, you enter an unencrypted key using the pre-share command. You then run the show config command, and the router displays the preshared key in encrypted form. You enter the encrypted key using this command. The router uses the preshared key to authenticate IKE negotiations that arrive from any remote IP address specified for this transport profile and that are destined for any local IP address specified for this transport profile. If the remote endpoint address is a wildcard address, this preshared key is a group preshared key.
Caution: Group preshared keys are not fully secure, and we do not recommend using them. They are provided for trials and testing purposes, where the missed security does not pose a risk to the provider.

To have preshared key authentication take place, you must also specify the IKE policy rule as preshared by entering authentication pre-share in ISAKMP Policy Configuration mode. Example
host1(config-ipsec-transport-profile-local)#pre-sharemasked AAAAGAAAAAcAAAACZquq4ABieTUBuNBELSY8b/L3CX/RcPX7

There is no no version. To remove a key, use the no pre-share command.

transform-set
Use to specify the transform set(s) that an IPSec transport connection can use to negotiate a transform algorithm. Each transform in the set provides a different combination of data authentication and confidentiality. Example
Boston(config-ipsec-transport-profile)#transform-set esp-3des-hmac-sha

Use the no version to reset the transform to the default, esp-edes-hmac-sha.

Monitoring L2TP over IPSec E-Series Routers

14-13

Monitoring L2TP over IPSec

This section contains information on troubleshooting and monitoring L2TP over IPSec.
System Event Logs

To troubleshoot and monitor L2TP over IPSec, use the following system event log:
> itm IPSec transport mode

For more information on using event logs, see E-Series System Basics Configuration Guide, Chapter 12, Logging System Events.
show Commands

To display information on L2TP over IPSec profiles and connections, use the following show commands.
show ipsec transport interface
Use to display information on transport connections. Field descriptions

Connection number of the IPSec transport connection Operational Status status of the connection: up, down Transport virtual-router name of the transport virtual router for which
configuration and statistics are displayed Virtual router virtual router on which this profile is configured Local ip address local endpoint address Peer ip address remote endpoint address Local identity shows the subnet, protocol, and port Remote identity shows the subnet, protocol, and port Transported-application type of application the connection is protecting Inbound SA algorithm and SPI Outbound SA algorithm and SPI Pfs group PFS group being used for the connection Lifetime configured lifetime in seconds and kilobytes

Statistics
InUserPackets number of user packets received InUserOctets number of octets received from user packets InAccPackets number of encapsulated packets received InAccOctets number of octets received in encapsulated packets InAuthErrors number of authentication errors received InReplyErrors number of reply errors in received traffic

14-14

CHAPTER 14 Configuring L2TP with IPSec

InPolicyErrors number of policy errors in received traffic InOtherRxErrors number of packets received that have errors other than those listed above InDecryptErrors number of decryption errors in received traffic InPadErrors number of packets received that had invalid values after the packet was decrypted OutUserPackets number of user packets sent OutUserOctets number of octets sent in user packets OutAccPackets number of encapsulated packets sent OutAccOctets number of octets sent in encapsulated packets OutPolicyErrors number of packets arriving at the transport connection for encapsulation that do not meet the specified identifier (selector) OutOtherTxErrors number of outbound packets that have errors other than those listed above Example
boston#show ipsec transport interface Connection 1 Up Connection 2 Up There are 2 connections found.

Connection 1

Example

boston#show ipsec transport interface 1 Operational Status Up Configuration Attributes Transport virtual-router default Local ip address 1.2.3.4 Peer Local ip address 5.6.7.8 identity is subnet 1.2.3.4 255.255.255.255, proto 17, port 1701

Remote identity is subnet 5.6.7.8 255.255.255.255, proto 17, port 1701 Transported-application l2tp Inbound SA esp-3des-hmac-md5 Spi 0x1abcd0101 Outbound SA esp-3des-hmac-md5 Spi 0x1abcd0101 Pfs group 5 Lifetime seconds 3600 kilobytes 102400

Connection 1

Example

boston#show ipsec transport interface detail 1 Operational Status Up Configuration Attributes Transport virtual-router default Local ip address 1.2.3.4 Peer Local ip address 5.6.7.8 identity is subnet 1.2.3.4 255.255.255.255, proto 17, port 1701

Remote identity is subnet 5.6.7.8 255.255.255.255, proto 17, port 1701 Transported-application l2tp

Monitoring L2TP over IPSec E-Series Routers

14-15

Inbound SA esp-3des-hmac-md5 Spi 0x1abcd0101 Outbound SA esp-3des-hmac-md5 Spi 0x1abcd0101 Pfs group 5 Lifetime seconds 3600 kilobytes 102400 Statistics InUserPackets InUserOctets InAccPackets InAccOctets InAuthErrors InReplyErrors InPolicyErrors InOtherRxErrors InDecryptErrors InPadErrors 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0

OutUserPackets OutUserOctets OutAccPackets OutAccOctets OutPolicyErrors OutOtherRxErrors InDecryptErrors InPadErrors 0

show ipsec transport interface summary

Use to display a summary of existing IPSec transport connections by application and state. Field descriptions

ipsec transport interfaces interfaces by type of application total total number of IPSec transport interfaces for each application up number of IPSec transport interfaces that are currently up down number of IPSec transport interfaces that are currently down

Example
total 1234 7044 8278 up 1001 43 1044 down 233 7001 7234

boston#show ipsec transport interface summary ipsec transport interfaces l2tp l2tp-nat-passthrough total

------------------------------------------------------

show ipsec transport profile

Use to display the configuration of an IPSec transport profile. Field descriptions

IPSec transport profile name of the profile

14-16

CHAPTER 14 Configuring L2TP with IPSec

Virtual router virtual router on which this profile is configured Peer address remote endpoint address Application type of application that this profile is protecting Lifetime range in seconds lifetime range in seconds configured for the profile Lifetime range in kilobytes lifetime range in kilobytes configured for the profile TransformSet transform set(s) configured for the profile Pfs group PFS group configured for the profile; 0 (zero) means that PFS is not configured for the profile Local ip address local endpoint address Example
host1#show ipsec transport profile IPSEC transport profile secureL2tp 1 Ipsec transport profile found

Example
host1#show ipsec transport profile secureL2tp IPSEC transport profile secureL2tp Virtual router default Peer address 0.0.0.0 Application l2tp Lifetime range in seconds 3600 86400 Lifetime range in kilobytes 102400 4294967295 TransformSet transport-esp-3des-md5 Pfs group 0 Local ip address : 0.0.0.0

Index
A
ABRs (area border routers), OSPF configuring area range 9-12 defined 9-2 access-list command 1-17, 1-23, 4-11 IS-IS 10-21 OSPF 9-27 access lists, BGP 1-16 to 1-24 access lists, IP monitoring 1-44, 2-57 redirecting traffic with null interface instead 1-26 redistributing access routes 1-7 redistributing static routes 1-18 specifying multicast groups 5-22 address commands, OSPF address area 9-14 address authentication key 9-23 address authentication message-digest 9-23 address authentication-none 9-24 address cost 9-14 address dead-interval 9-14 address hello-interval 9-14 address message-digest-key 9-24 address network 9-34 address passive-interface 9-15 address priority 9-15 address retransmit-interval 9-15 address transmit-delay 9-15 address commands, RIP address 8-9 address authentication key 8-9 address authentication mode 8-10 address receive version 8-10 address send version 8-10 address ranges, IS-IS 10-27 Address Resolution Protocol. See ARP adjacencies, clearing IS-IS 10-38 adjacency, OPSF 9-2 adjacency levels, IS-IS 10-15 displaying information on 10-49 logging changes between 10-29 administrative distance IP, setting 2-23 IS-IS 10-26 OSPF 9-30 RIP 8-12 advertising DVMRP routes 5-60, 5-66 aggregate addresses IS-IS 10-27 OSPF routing 9-12 application layer, TCP/IP 2-4 area-authentication-key command 10-20 area border routers, OSPF. See ABRs area commands area 9-20 area default-cost 9-20 area nssa 9-20 area range 9-12 area stub 9-20 area IDs (OSPF packets) 9-2 area-message-digest-key command 10-6, 10-20 areas, IS-IS 10-2 areas, OSPF 9-2 configuring 9-19 to 9-22 defining 9-5, 9-9 stub areas 9-3, 9-20 area virtual-link commands area virtual-link 9-21 area virtual-link authentication-key 9-24 area virtual-link authentication message-digest 9-24 area virtual-link authentication-none 9-25 area virtual-link dead-interval 9-21 area virtual-link hello-interval 9-21 area virtual-link message-digest-key md5 9-25 area virtual-link retransmit-interval 9-22 area virtual-link transmit-delay 9-22 ARP (Address Resolution Protocol) hosts 2-14 monitoring 2-57 physical and logical addresses 2-6 arp commands arp 2-17 arp timeout 2-17 AS (autonomous system) 9-3 ASBR (autonomous system boundary router) default route and 9-30

2 Index

OSPF 9-3 AS-path, BGP access lists, modifying 1-12 filtering 1-19 to 1-21 AS-path attribute 1-19 assert messages 5-37 assigning multicast groups 5-21 audience for documentation xx authentication IS-IS, halting 10-8 IS-IS HMAC MD5 10-5, 10-16, 10-20 IS-IS key commands 10-6 IS-IS MD5 packet timing 10-7 IS-IS MD5 start and stop timing 10-7 managing and replacing IS-IS keys 10-8 OSPF 9-3, 9-6, 9-25 OSPF, configuring 9-22 to 9-26 RIP 8-3 type 9-3 authentication commands authentication key 8-19 authentication message-digest 9-38 authentication mode 8-19 authentication-key command 9-38 authentication-none command 9-38 autocost, OSPF routing 9-31 automatic virtual link, OSPF 9-22 automatic virtual-link command 9-22 autonomous system boundary router. See ASBR auto-RP router PIM S-DM 5-45 PIM SM 5-44

baseline ipv6 3-20 baseline ipv6 interface 3-21 baseline ip vrrp 11-12 BGP (Border Gateway Protocol), OSPF routing with 9-7 BGP/MPLS VPNs, interaction with OSPF 9-37 BGP/MPLS VPNs, multicast services over configuring 5-47 overview 5-39 BGP multicasting 5-74 BGP protocol clearing IP routing table 1-43 communities 1-8, 1-13, 1-35 community lists 2-60 reinstalling routes in IP routing table 1-43 well-known communities 1-32 border routers, OSPF 9-45 B-RAS applications, creating an IP profile 2-11 B-RAS applications, creating an IPv6 profile 3-11 broadcast addressing 2-19 to 2-20 broadcast storms 2-20

C
CDs E-series routers documentation CD xxi JUNOSe software CD xxiii certificate revocation list. See CRL checksum computation 6-4 CIDR (Classless Interdomain Routing) 2-8, 9-3 Class D IPv4 addresses 5-15 classes of IP addresses 2-6 Classless Interdomain Routing. See CIDR clear arp command 2-17 clear ip commands clear ip dvmrp route 5-68 clear ip interface 2-28 clear ip isis redistribution 10-22 clear ip mroute 5-4 clear ip ospf redistribution 9-29 clear ip pim auto-rp 5-50 clear ip pim interface count 5-50 clear ip pim remote-neighbor count 5-50 clear ip prefix-list 1-27, 1-28 clear ip prefix-tree 1-30 clear ip routes 1-43, 2-28 clear ipv6 interface command 3-14 clear isis commands clear isis adjacency 10-38 clear isis database 10-48

B
backbone area, OSPF 9-19 backup router 11-7 defined 11-2 election process and 11-7 VRRP 11-1 bandwidth, OSPF interface cost by 9-31 baseline commands baseline clns 10-47 baseline ip 2-55 baseline ip dvmrp 5-69 baseline ip igmp 5-25 baseline ip igmp-proxy interface 5-32 baseline ip ospf 9-28 baseline ip rip 8-23 baseline ip tcp 2-55 baseline ip udp 2-56

3 E-Series Routers

CLNP (Connectionless-mode Network Protocol) 10-2 CLNS (Connectionless Network Service Protocol) defined 10-2 displaying 10-47 to 10-48 clns commands clns configuration-time 10-33 clns holding-time 10-33 clns host 10-5, 10-33 See also show clns commands 10-33 communities, BGP 1-8, 1-13, 1-31, 1-35 community lists, BGP 1-32, 2-60 complete sequence number PDU. See CSNP configuring 5-6 DVMRP 5-62 IGMP 5-18 IGMP proxy 5-30 IP tunnels 6-3 PIM 5-44 routing policy 1-1 VRRP 11-8 to 11-12 Connectionless-mode Network Protocol. See CLNP Connectionless Network Service Protocol. See CLNS connectionless protocols 2-2, 3-2 connection-oriented protocols 2-2 conventions defined icons xx syntax xx text xx cost, IS-IS interface 10-17 cost, OSPF routing 9-16 autocost 9-31 default cost 9-20 equal-cost multipath 9-7 cost command 9-39 creating an IP profile access-routes 2-12 address 2-12 directed-broadcast 2-12 mtu (maximum transmission unit) 2-12 redirects 2-12 unnumbered 2-12 virtual-router 2-12 creating an IPv6 profile address 3-11 ipv6-virtual-router 3-11 mtu (maximum transmission unit) 3-11 unnumbered 3-11

creating OSPF interfaces 9-8 CRL (certificate revocation list) 13-2 CRL (certificate revocation lists) checking 13-6 file extension 13-7 viewing on E-series router 13-12 cryptographic authentication, OSPF 9-6 CSNP (complete sequence number PDU) 10-2 CSNP interval, IS-IS interface 10-15 customer support xxiv

D
database, OSPF 9-45 datagrams, IP 2-2 fragmenting and reassembling 2-3, 2-20 dead interval, OSPF 9-17, 9-21 dead-interval command 9-39 debounce-time command 8-10 debug commands 8-22, 9-42 debug ip ospf 9-43 debug ip pim 5-51 debug ip rip 8-22 debug isis 10-38 debug-related information, IS-IS 10-38, 10-46 default-information originate command 1-24 IS-IS 10-26 OSPF 9-30 RIP 8-11 default-metric command 8-11 default routes cost, OSPF 9-20 IP routing 2-26 IS-IS routing 10-26 OSPF routing 9-30 suppressing IS-IS 10-27 deleting DVMRP routes 5-68 IP multicast routes 5-4 IS-IS redistribution information 10-22 OSPF interfaces 9-8 OSPF redistribution information 9-29 dense mode multicasting protocols 5-5 description, adding to IP interfaces 2-30, 3-16 designated routers. See DRs destination, tunnel 6-2 destination address (DA), VRRP 11-4 digital certificates authenticating the peer 13-5 base64 13-2 checking CRLs 13-6

4 Index

configuring 13-7 file extensions 13-7 generating private/public key pairs 13-4 monitoring 13-12 obtaining a public key certificate 13-5 obtaining a root CA certificate 13-5 overview 13-1 signature authentication 13-3 viewing on E-series routers 13-12 X.509v3 13-3 directed broadcast packets 2-19 directly connected networks 8-1 disable command 5-67, 8-11 disable-dynamic-redistribute command DVMRP 5-66 IS-IS 10-22 OSPF 9-30 RIP 8-11 disable-incremental-external-spf command 9-41 disabling DVMRP 5-67 IGMP 5-25 disabling dynamic route redistribution DVMRP 5-66 ISIS 10-22 OSPF 9-30 RIP 8-11 distance, RIP administrative 8-12 distance commands 8-12 distance 2-24 distance ip 2-24, 10-26 distance ospf 9-30 Distance Vector Multicast Routing Protocol. See DVMRP distribute-domain-wide command 10-24 distribute-list command 8-12, 8-20 documentation set, E-series xxii CD xxi comments on xxiii domain, OSPF 9-3 domain-authentication-key command 10-20 domain-message-digest-key command 10-6, 10-21 domain-wide prefix distribution 10-24 downstream interface 5-30 dropped packets, troubleshooting 2-65 DRs (designated routers) IS-IS routing 10-17 OSPF routing 9-3 PIM routing 5-34

DVMRP 5-59 to 5-74 advertising routes 5-60, 5-66 configuring limits 5-62 summary addresses 5-63 default router, configuring 5-61 deleting routes 5-68 disabling 5-67 enabling on an interface 5-61 on a virtual router 5-61 exchanging unicast routes 5-66 filtering reports 5-62 metric 5-64 monitoring 5-69 to 5-74 neighbors 5-59 pruning 5-59 reassembly of tunnel packets 7-2 removing 5-67 summary addresses 5-63 tunnels 5-68, 6-2 using with IGMP 5-62 using with PIM 5-43, 5-62 dynamic hostname resolution, IS-IS 10-5, 10-33 dynamic route redistribution, disabling in DVMRP 5-66 in IS-IS 10-22 in OSPF 9-30 in RIP 8-11

E
ECMP (equal-cost multipath) IP 2-32 IS-IS 10-9, 10-34 OSPF 9-7, 9-31 RIP 8-6, 8-14 enabling directed broadcasts 2-20 DVMRP 5-61 ICMP Router Discovery Protocol 2-39 IGMP 5-18, 5-19 IGMP proxy 5-31 IP multicasting 5-4 IP redirects 2-39 IS-IS 10-12 to 10-14 MD5 authentication 9-26 OSPF 9-9 to 9-13 PIM 5-42, 5-43 PIM SSM 5-49 unreachable messages (ICMP) 2-39

5 E-Series Routers

endpoints, tunnel 6-2 end system. See ES (end system) entry, routing table 2-22 equal-cost multipath. See ECMP ERX-14xx models xix ERX-7xx models xix ES (end system) hello packet rate 10-33 neighbor information 10-53 E-series documentation set xxii comments on xxiii E-series models xix E-series router IP features of 2-5 IPv6 features of 3-2 IS-IS features 10-11 routing policy 1-1 to 1-54 E-series routers documentation set CD xxi Ethernet controllers 2-6 exchanging DVMRP unicast routes 5-66 exit-remote-neighbor command 8-20 extended communities, BGP 1-35 external routes, OSPF 9-5

group membership queries 5-15 reports 5-16

H
hashcheck process 9-23 hash functions 9-22 hello interval 5-41 IS-IS interface 10-16, 10-33 OSPF interface 9-17, 9-21 PIM 5-43, 5-47, 5-53, 5-55 hello-interval command 9-39 hello multiplier, IS-IS interface 10-16 hello packet validity rate, IS-IS 10-33 Hello protocol 9-3 HMAC MD5 authentication, IS-IS 10-5 IS-IS area-wide password 10-20 IS-IS domain-wide password 10-21 IS-IS password on the interface 10-16 hold time IS-IS 10-16 IS-IS SPF 10-31 PIM SM 5-41 SPF 9-33 hop count 5-64, 8-2 host access routes on PPP interface 2-26 hosts 2-3

F
fabric congestion 2-65 Fast Ethernet (FE) modules 11-2 filtering AS paths 1-19 DVMRP reports 5-62 network prefixes 1-16 undesirable traffic 1-26 filter lists, BGP 1-19 to 1-21 flooded broadcast packets 2-19 flooding 9-3 forwarding table 2-22 fragmenting IP datagrams 2-3, 2-20 full spf, IS-IS 10-32 full-spf-always command 10-32

I
ICMP (Internet Control Message Protocol) 2-38 to 2-39 echo request packets IP 2-40 IPv6 3-14 icmp update-source command 2-39 icons defined, notice xx identifying DVMRP neighbors 5-59 IP multicast groups 5-16 IGMP 5-39 IGMP (Internet Group Management Protocol) 5-15 to 5-34 configuring 5-19 disabling 5-25 enabling 5-18, 5-19 limiting groups on interfaces 5-22 monitoring 5-14, 5-25 to 5-29 performing host functions 5-30

G
gateways 2-3 Gigabit Ethernet (GE) modules 11-2 global IP routing table 2-22 GRE, reassembly of tunnel packets 7-2 GRE tunnels 6-2 group (multicast) addressing 2-7

6 Index

querier 5-19 removing 5-25 specifying version 5-19 igmp commands igmp disable 5-25 igmp promiscuous 5-24 IGMP proxy 5-29 configuring 5-30 enabling 5-31 monitoring 5-32 to 5-34 version 5-29 IGMP reports, accepting 5-24 ignore-lsp-errors command 10-29 IGP (interior gateway protocol) 5-59, 9-3 IKE (Internet Key Exchange) aggressive mode characteristics 12-16 aggressive mode negotiations 12-17 initiator proposals and policy rules 12-17 main mode characteristics 12-16 overview 12-15 SA negotiation 12-20 using digital certificates 13-3 IKE policies 12-17 authentication mode 12-19 Diffie-Hellman group 12-19 encryption algorithms 3DES 12-18 DES 12-18 hash function MD5 12-18 SHA-1 12-18 lifetime 12-19 priority 12-18 importing routes. See redistributing routes incremental SPF 9-40 installing the system software xix instance, route map 1-3 Integrated IS-IS routing 10-9 interarea routes, OSPF 9-5 interface commands interface ip 2-35 interface tunnel 6-4, 12-25 interface-event-disable command 8-12 interfaces IPv6, enabling and disabling 3-14 NAT, marking 4-8 interior gateway protocol. See IGP intermediate system. See IS (intermediate system) Intermediate System-to-Intermediate System. See IS-IS

Internet addresses 2-6 internet community, BGP 1-32 Internet Control Message Protocol. See ICMP Internet Group Management Protocol. See IGMP Internet Key Exchange. See IKE Internet Layer, TCP/IP 2-4 interval rate, LSP (IS-IS) 10-30 intra-area routes, OSPF 9-5 investigating IP multicast routes 5-74 IP 2-1 to 2-81 ARP protocol 2-6, 2-14, 2-57 assigning router IDs 2-25 broadcast addressing 2-19 to 2-20 ECMP 2-32 E-series router features 2-5 functions of 2-2 ICMP and 2-38 to 2-39 layers of 2-3 to 2-4 managing the routing table 1-43 monitoring 2-56 to 2-81 profile 2-11 to 2-14 reachability commands 2-40 routing 2-21 to 2-33 source address verification 2-27 ip access-route table-map command 1-26 IP addresses 2-6 to 2-9 class D 5-15 classes of 2-6 for multicasting 5-15 interfaces without (unnumbered) 2-26 IP address owner, VRRP 11-2 matching routes destination 1-9 multinetting 2-10 OSPF routing costs and 9-16 prefix lists 1-27 prefix trees 1-30 primary adding 2-10 deleting 2-10 primary IP address, VRRP 11-2 router IDs and 2-25 secondary adding 2-10 deleting 2-10 VRRP 11-7, 11-8 ip commands ip access-routes 2-12, 2-26 ip address 2-10, 2-12 ip alwaysup 2-30 ip as-path access-list 1-19

7 E-Series Routers

ip bgp-community new-format 1-34 ip broadcast-address 2-20 ip community-list 1-34 ip debounce-time 2-30 ip description 2-30 ip directed-address 2-20 ip directed-broadcast 2-12 ip disable-forwarding 2-29 ip extcommunity-list 1-36 ip icmp update-source 2-40 ip ignore-df-bit 2-21 ip irdp 2-39 ip mask-reply 2-39 ip mtu 2-13, 2-21 ip multicast-routing 5-4 ip multicast-routing disable-rpf-check 5-8 ip multipath round-robin 2-32 ip prefix-list 1-17, 1-27 ip prefix-tree 1-17, 1-30, 8-12 ip proxy-arp 2-18 ip redirects 2-13, 2-39 ip refresh-route 1-43, 2-28 ip route 1-27, 2-25 ip router-id 2-25 ip router isis 10-12 ip route-type 5-8, 8-18, 9-37, 10-37 ip rpf-route 5-6 ip sa-validate 2-27 ip share-interface 2-36 ip share-nexthop 2-36 ip shutdown 2-27 ip source-route 2-29 ip speed 2-31 ip split-horizon 8-13 ip tunnel reassembly 7-2 ip unnumbered 2-13 ip unnumbered loopback 2-26 ip unreachables 2-39 ip vrrp 11-10 ip vrrp advertise-interval 11-10 ip vrrp authentication-key 11-11 ip vrrp authentication-type 11-11 ip vrrp enable 11-9, 11-11 ip vrrp preempt 11-11 ip vrrp priority 11-9, 11-11 ip vrrp virtual-address 11-8, 11-12 no ip interface 2-27 See also show ip commands 2-12 ip dvmrp commands ip dvmrp 5-61, 5-68

ip dvmrp accept-filter 5-63 ip dvmrp announce-list 5-66 ip dvmrp auto-summary 5-64 ip dvmrp disable 5-67 ip dvmrp metric-offset 5-64 ip dvmrp routehog-notification 5-62 ip dvmrp route-limit 5-62 ip dvmrp summary-address 5-64 ip dvmrp unicast-routing 5-67 See also show ip dvmrp commands 5-61, 5-68 IP fragmentation, reassembling for tunnel packets 7-1 ip igmp commands ip igmp 5-19 ip igmp access-group 5-22 ip igmp group limit 5-22 ip igmp immediate-leave 5-20 ip igmp last-member query-interval 5-20 ip igmp promiscuous 5-24 ip igmp-proxy 5-31 ip igmp-proxy unsolicited-report-interval 5-31 ip igmp-proxy V1-router-present-time 5-31 ip igmp querier 5-19 ip igmp querier-timeout 5-20 ip igmp query-interval 5-21 ip igmp query-max-response-time 5-21 ip igmp robustness 5-21 ip igmp static-exclude 5-23 ip igmp static-group 5-21 ip igmp static-include 5-23 ip igmp version 5-19 See also show ip igmp commands 5-19 IP in IP tunnels 6-2 IP interface, creating 2-35 IP interfaces adding a description 2-30, 3-16 clearing 2-28 moving 2-37 primary 2-33 removing IP configuration 2-27 setting a baseline 2-28 shared 2-33 sharing 2-33 shutting down 2-27 unnumbered 2-26 IP multicast groups assigning to an interface 5-21 identifying 5-16 leaving 5-16 maintaining membership of 5-16

8 Index

reporting 5-15 specifying 5-22 IP multicasting benefits of 5-2 deleting routes 5-4 dense mode protocols 5-5 enabling 5-4 M-BONE 5-59 monitoring 5-8 sparse mode protocols 5-5 IP multicast interfaces, monitoring 5-14 IP multicast routes 5-74 ip nat commands address 4-12 ip nat 4-8 ip nat inside source list 4-13 ip nat inside source static 4-9 ip nat outside source list 4-14 ip nat outside source static 4-10 ip nat pool 4-12 ip nat translation 4-15 ip nat translation max-entries 4-8 ip ospf commands ip ospf authentication-key 9-25 ip ospf authentication message-digest 9-25 ip ospf authentication-none 9-26 ip ospf cost 9-16 ip ospf dead-interval 9-17 ip ospf hello-interval 9-17 ip ospf message-digest-key 9-26 ip ospf network 9-35 ip ospf priority 9-17 ip ospf retransmit-interval 9-17 ip ospf shutdown 9-30 ip ospf transmit-delay 9-18 ip pim commands ip pim 5-43 ip pim query-interval 5-43 ip pim rp-address 5-45 ip pim send-rp-announce 5-45 ip pim send-rp-discovery scope 5-46 ip pim spt-threshold 5-46 See also show ip pim commands 5-43 IP profile, B-RAS 2-11 IP reassembly of tunnel packets 7-1 configuring 7-2 monitoring 7-3 ip rip commands ip rip 8-12 ip rip authentication key 8-13

ip rip authentication mode 8-13 ip rip receive version 8-13 ip rip send version 8-13 See also show ip rip commands IPSec AH 12-4 AH processing 12-15 concepts 12-4 configuration examples 12-31 tasks 12-20 configuring IPSec parameters 12-21 ISAKMP/IKE policy 12-28 tunnels 12-24 digital certificates 13-1 encapsulation modes 12-13 encapsulation protocols 12-13 ESP 12-4 ESP processing 12-15 L2TP with IPSec 14-1 license 12-20 monitoring 12-42 overview 12-1 packet encapsulation 12-6 protocol stack 12-5 reassembly of tunnel packets 7-2 remote access 14-1 secure IP interfaces 12-4 security parameters 12-6 security parameters per policy type 12-8 tunnel destination endpoint 12-9 tunnel source endpoint 12-9 See also L2TP with IPSec 14-1 ipsec certificate commands ipsec certificate-database refresh 13-10 ipsec certificate-request generate 13-10 ipsec commands ipsec clear 12-31 ipsec identity 13-10 ipsec isakmp-policy-rule 12-30, 13-10 ipsec key generate 13-11 ipsec key manual 12-22 ipsec key zeroize 13-11 ipsec lifetime 12-22 ipsec local-endpoint 12-22 ipsec transform-set 12-23 key 12-23 masked-key 12-23

9 E-Series Routers

IPSec identity commands common-name 13-9 country 13-9 domain-name 13-9 ipsec identity 13-10 organization 13-11 IPSec security parameters inbound SAs 12-6, 12-11 in relation to IPSec interface 12-7 lifetime 12-6 lifetime for user SAs 12-10 manual versus signalled 12-6, 12-8 negotiating transforms 12-14 operational VR 12-6, 12-8 outbound SAs 12-6, 12-11 perfect forward secrecy (PFS) 12-6, 12-10 per IPSec policy type 12-8 transform combinations supported 12-14 transform sets 12-6, 12-12 transforms supported 12-13 transport VR 12-6, 12-9 IPSec transport local profile commands pre-share 14-11 pre-share-masked 14-12 IPSec transport profile commands application 14-10 ipsec transport profile 14-10 lifetime 14-10 local ip address 14-11 pfs group 14-11 transform-set 14-12 IP security policies 12-14 IP tunnels 6-1 to 6-12 configuring 6-3 monitoring 5-14, 6-8 IPv6 address, defining 3-12 addressing compression and 3-6 prefix 3-6 scope 3-7 structure 3-8 types of 3-6 understanding 3-5 configuring neighbor discovery 3-17 enabling and disabling 3-14 E-series router features 3-2 headers extensions 3-5 standard 3-4

ICMP and 3-8 instance, creating an 3-16 interface, unnumbered 3-12 interfaces clearing 3-14 managing 3-14 license 3-11 monitoring 3-21 to 3-35 neighbor discovery, defining 3-18 neighbors, creating 3-17, 3-20 overview 3-2 packet headers 3-3 ping and 3-8 profile 3-11 to 3-13 references 3-3 static routes and 3-13 traceroute and 3-8 ipv6 commands ipv6 3-16 ipv6 address 3-12 ipv6 description 3-16 ipv6 enable 3-14 ipv6 mtu 3-12 ipv6 nd 3-18 ipv6 nd dad attempts 3-19 ipv6 nd ns-interval 3-18 ipv6 nd reachable-time 3-18, 3-19 ipv6 neighbor 3-17, 3-20 ipv6 neighbor proxy 3-19 ipv6 route 3-13 ipv6 routes 3-17 ipv6 unnumbered 3-12 ipv6 virtual-router 3-12 ipv6 nd commands ipv6 nd 3-18 ipv6 nd dad attempts 3-19 ipv6 nd ns-interval 3-18 ipv6 nd reachable-time 3-18 IPv6 profile, B-RAS 3-11 IRDP (ICMP Router Discover Protocol) 2-39 IS (intermediate system) 10-2 hello packet rate 10-33 neighbor information 10-53 ISAKMP policy commands aggressive-mode 12-29 authentication 12-29, 13-9 encryption 12-29 group 12-30 hash 12-30 lifetime 12-30

10 Index

IS-IS (Intermediate System-to-Intermediate System) 10-1 to 10-56 adjacencies, clearing 10-38 configuring 10-11 to 10-35 default routes 10-26 for MPLS 10-35 global parameters 10-20 to 10-35 interface-specific parameters 10-14 to 10-19 redistribution 10-21 displaying CLNS 10-47 to 10-48 dynamic hostname resolution 10-33 ECMP 10-9 enabling 10-12 to 10-14 hello packet validity rate 10-33 HMAC MD5 authentication for level 1 packets 10-21 for level 2 packets 10-20 on the interface 10-16 Integrated IS-IS 10-9 level 1 routing 10-4 level 2 routing 10-5 LSPs. See LSPs (link state packets), IS-IS monitoring 10-37 to 10-46 MPLS and 10-35 redistributing routes between levels 10-23 route leaking 10-23 router type 10-27 routes summarizing 10-27 using for multicast RPF checks 10-36 routing levels/layers 10-2, 10-3, 10-4, 10-17, 10-27 starting and stopping MD5 packets 10-7 suboptimal paths, correcting 10-23 summarizing routes 10-27 suppressing default routes 10-27 system identifier 10-3 topology elements 10-4 traffic engineering 10-35 troubleshooting 10-38 isis commands isis authentication-key 10-15 isis circuit-type 10-15 isis csnp-interval 10-15 isis hello-interval 10-16 isis hello-multiplier 10-16 isis lsp-interval 10-16 isis mesh-group 10-34 isis message-digest-key 10-6, 10-16

isis metric 10-17 isis priority 10-17 isis retransmit-interval 10-18 isis retransmit-throttle-interval 10-18 See also show isis commands 10-6 IS-IS protocol, OSPF routing with 9-7 ISO 10589. See IS-IS ISO address 10-3 is-type command 10-27

J
join messages 5-39

L
L2F, reassembly of tunnel packets 7-2 L2TP, reassembly of tunnel packets 7-2 l2tp ignore-receive-data-sequencing command 7-3 L2TP with IPSec 14-1 client software supported 14-5 compatibility 14-4 configuring client PC 14-7 E-series router 14-7 IPSec transport profiles 14-8 L2TP destination profiles 14-7 control and data frames 14-4 group preshared key 14-6 how it works 14-2 LNS change of address 14-6 of port 14-6 overview 14-1 references 14-2 requirements 14-4 setting up secure connection 14-3 tunnel creation 14-5 with NAT 14-5 with PPP 14-5 leakage, OSPF route 9-6 leave group membership messages 5-16 leaving an IP multicast group 5-16 level 1 routing, IS-IS 10-2, 10-4 level 2 routing, IS-IS 10-3, 10-5 levels of IS-IS routing 10-2, 10-3, 10-4, 10-17, 10-27 license ipsec-tunnels command 12-21 license ipv6 command 3-11 lifetime, IPSec 12-10, 12-19 limited broadcast packets 2-19

11 E-Series Routers

limiting IGMP groups on interfaces 5-22 limiting translation entries 4-8 line modules, forwarding table on 2-22 link state advertisements. See LSAs link state metrics, IS-IS 10-17 link state packets. See LSPs local-as community, BGP 1-32 local routing table 2-21 log-adjacency-changes command 10-29 logical addresses 2-6 loopback interfaces 6-3 LSAs (link state advertisements) 9-3 opaque LSAs 9-6 retransmit interval and transmit delay 9-17, 9-22 LSDB (link state database) 9-5 lsp-gen-interval command 10-30 lsp-mtu command 10-30 lsp-refresh-interval command 10-31 LSPs (link state packets), IS-IS ignoring errors 10-29 interval rate 10-30 MTU 10-30 overload bit 10-28 refresh interval 10-31 retransmission interval 10-18 retransmission throttle interval 10-18 transmission interval 10-16

M
MAC addresses and ARP 2-14 defined 2-6 manual IPSec interfaces 12-8 manuals, E-series xxii comments on xxiii on CD xxi map tag, route map 1-3 master router 11-1 to 11-11 match commands 1-8 to 1-11 and route maps 1-2 match as-path 1-8 match community 1-8 match distance 1-8 match extcommunity 1-8, 1-36 match ip address 1-9, 1-27, 1-30, 1-31 match ip next-hop 1-9, 1-10, 1-27, 1-29, 1-30, 1-31 match level 1-10 match metric 1-10

match metric-type 1-10 match route-type 1-10 match-set summary prefix-tree 1-31, 8-14 match tag 1-11 match-set summary prefix-tree 1-30 maximum-paths command IP 2-32 IS-IS 10-34 OSPF 9-31 RIP 8-14 maximum transmission unit. See MTU max-lsp-lifetime command 10-31 M-BONE (multicast backbone of the Internet) 5-59 MD5 authentication IS-IS 10-5 OSPF 9-22, 9-25, 9-26 mesh group, setting (IS-IS) 10-34 message-digest-key md5 command 9-39 message digests 9-22 metric, DVMRP 5-64 metric, setting 2-25 metrics, OSPF default 9-33 metric-style commands metric-style narrow 10-25 metric-style transition 10-25 metric-style wide 10-25 MIB, OSPF 9-7 MIBs xxiii models ERX-14xx xix ERX-7xx xix E-series xix monitoring ARP 2-57 DVMRP 5-69 to 5-74 IGMP 5-14, 5-25 to 5-29 IGMP proxy 5-32 to 5-34 IP 2-56 to 2-81 IP multicast interfaces 5-14 IP multicast settings 5-8 IP tunnels 5-14, 6-8 IPv6 3-21 to 3-35 IS-IS 10-37 to 10-46 mrinfo requests 5-14 NAT 4-23 OSPF 9-42 to 9-53 PIM 5-14, 5-51 to 5-59 routing policy 1-43 to 1-54 RPF routes 5-6

12 Index

mpls commands mpls spf-use-any-best-path (IS-IS) 10-36 mpls spf-use-any-best-path (OSPF) 9-36 mpls traffic-eng (IS-IS) 10-36 mpls traffic-eng area 9-36 mpls traffic-eng router-id 9-36 mpls traffic-eng router-id (IS-IS) 10-36 mrinfo requests, support for 5-14 mtrace command 5-74 MTU (maximum transmission unit) IP 2-3, 2-21 IP tunnels 6-4 IPv6 3-12 IS-IS 10-30 OSPF 9-13 multicast, addressing 2-7 multicast group port limit command 5-23 multicasting, IP. See IP multicasting multicast services over BGP/MPLS VPNs configuring 5-47 overview 5-39 multihomed hosts 2-3 multinetting 2-9

N
NAT (Network Address Translation) configuration examples 4-15 to 4-22 NAT (Network Address Translation) access list rules, creating 4-10 address pools, defining 4-11 address translation dynamic 4-6 inside source 4-5 outside source 4-6 static 4-6 bidirectional 4-3 configuration types 4-2 configuring 4-1 dynamic address translation, defining 4-10 dynamic inside source translation, creating 4-13 dynamic outside source translation, creating 4-14 interfaces, specifying inside and outside 4-8 monitoring 4-23 order of operations 4-7 overview 4-2 references 4-7 static address translation, defining 4-9 terms 4-4

inside global address 4-5 inside local address 4-5 outside global address 4-5 outside local address 4-5 timeouts, defining 4-14 traditional 4-2 basic 4-3 NAPT (Network Address Port Translation) 4-3 translation entries, limiting 4-8 translation rules, defining 4-12 translations, clearing 4-15 twice 4-4 ND (neighbor discovery) configuring 3-17 understanding 3-9 neighbor commands neighbor 8-15, 9-35 neighbor distribute-list 1-17, 1-25 neighbor filter-list 1-19, 1-25 neighbor prefix-list 1-17, 1-25 neighbor prefix-tree 1-17, 1-25 neighbor send-community 1-35 neighboring routers, OSPF 9-3, 9-51 neighbors, DVMRP 5-59 NET (network entity title) 10-3, 10-12, 10-13 net command 10-13 network area command 9-9 network command 8-15 network entity title. See NET network interface layer (TCP/IP) 2-3 Network Layer addresses 10-4 network masks 2-7 to 2-8 network prefixes, filtering 1-16 network service access point. See NSAP next-hop routers, setting/redistributing routes 1-9, 1-10, 1-14, 1-29 no-advertise community, BGP 1-32 no area command 9-20 no-export community, BGP 1-32 no-export-subconfed community, BGP 1-32 no ipv6 command 3-16 nonbroadcast networks 9-3 notice icons defined xx not-so-stubby area, OSPF. See NSSA NSAP (network service access point) 10-3, 10-5, 10-33 NSSA (not-so-stubby area), OSPF 9-3, 9-20 null authentication, OSPF 9-6 null interface 1-26

13 E-Series Routers

O
opaque LSAs, OSPF 9-6 Open Shortest Path First. See OSPF OSPF (Open Shortest Path First) 9-1 to 9-53 ABRs 9-2 adjacency 9-2 areas, defining 9-5 ASBR 9-3 authentication MD5 9-25 simple password 9-6, 9-25 autocost 9-31 automatic virtual links 9-22 backbone area 9-19 BGP/MPLS VPNs and 9-37 BGP and 9-7 clearing IP routing table 1-43 configuring areas 9-19 to 9-22 authentication 9-22 to 9-26 incremental SPF 9-40 interfaces 9-13 to 9-18 NBMA networks 9-34 remote neighbors 9-37 traps 9-41 creating interfaces 9-8 database 9-45 dead interval 9-17 default cost 9-20 deleting interfaces 9-8 domain 9-3 ECMP 9-7 enabling 9-9 interaction with BGP/MPLS VPNs 9-37 MD5 authentication 9-25 metrics, default 9-33 MIB 9-7 monitoring 9-42 to 9-53 password authentication, simple 9-6, 9-25 reinstalling routes in IP routing table 1-43 route leakage 9-6 routes, using for multicast RPF checks 9-37 routing costs 9-16 routing priority 9-5 SPF hold time interval 9-33 stub area 9-3 topology elements 9-4 traffic engineering 9-35 transmit delay 9-18, 9-22 troubleshooting 9-42

virtual links 9-6 ospf commands ospf auto-cost reference-bandwidth 9-31 ospf enable 9-10, 9-11 ospf log-adjacency-changes 9-31, 9-43 ospf shutdown 9-31 See also show ospf commands overload bit, IS-IS 10-28

P
packets, IP 2-2 broadcast packets 2-19 echo request and trace packets 2-42 ICMP messages and 2-38 packets, IPv6 echo request and trace 3-15 packet switching networks 2-2 parallel routes, maximum number of 2-32, 8-14, 9-31, 10-34 passive-interface command 8-15, 9-32, 10-19 passwords IS-IS area authentication 10-20 IS-IS authentication 10-16 IS-IS domain authentication 10-21 OSPF MD5 authentication 9-25 OSPF simple password authentication 9-6, 9-25 PDU (protocol data unit) 10-3 perfect forward secrecy 12-10 physical addresses 2-6 PIM (Protocol Independent Multicast) 5-34 to 5-59 displaying events 5-51 enabling on an interface 5-43 on a virtual router 5-42 monitoring 5-14, 5-51 to 5-59 removing 5-49 resetting counters and mappings 5-50 using with DVMRP 5-43, 5-62 using with IGMP 5-43 See also PIM DM, PIM SM, and PIM S-DM PIM dense mode. See PIM DM pim disable command 5-43 PIM DM (PIM dense mode) 5-35 See also PIM PIM S-DM (PIM sparse-dense mode) 5-42 configuring auto-RP router 5-45 PIM SM (PIM sparse mode) 5-38 configuring auto-RP router 5-44 hold time 5-41

14 Index

joining groups 5-39 multicast services over BGP/MPLS VPNs configuring 5-47 overview 5-39 pruning 5-39 remote neighbors configuring 5-47 creating 5-39 setting a threshold 5-46 timers 5-41 PIM sparse mode See also PIM SM PIM sparse-dense mode See PIM S-DM PIM SSM (PIM source-specific multicast) enabling 5-49 requirements for IGMPv3 5-49 ping command 2-40, 3-8 Point-to-Point Protocol. See PPP PPP (Point-to-Point Protocol), host access routes 2-26 prefixes, filtering network 1-16 prefix lists 1-27 prefix trees 1-30 preventing recursive tunnels 6-7 primary IP addresses 2-10 interface 2-33 priority IS-IS designated router 10-17 OSPF routing 9-5, 9-17 profile, creating 2-11, 3-11 profile command 2-12, 2-13, 2-14, 3-11, 3-13 protocol data unit. See PDU Protocol Independent Multicast. See PIM protocol number 2-2 protocols (IP), monitoring 1-47 prune messages 5-5, 5-36, 5-39

Q
query-interval command 5-47

R
reachability commands IP 2-40 IP multicast 5-74 reassembling IP datagrams 2-3 receive version command 8-20 recursive tunnels, preventing 6-7

redirects, IP 2-39 redistribute command 1-25 DVMRP 5-65 IS-IS 10-22 OSPF 9-6, 9-32 RIP 8-15 redistribute isis ip command 10-24 redistributing routes, DVMRP 5-65 redistributing routes between IS-IS levels 10-23 redistribution policy (IP), monitoring 1-48, 2-69, 2-72, 3-30 redistribution routes clearing all (IS-IS) 10-22 clearing all (OSPF) 9-29 disabling dynamic (DVMRP) 5-66 disabling dynamic (IS-IS) 10-22 disabling dynamic (OSPF) 9-30 disabling dynamic (RIP) 8-11 setting 8-15, 9-32, 10-22 redundancy, tunnel server 6-3 refresh interval, LSP (IS-IS) 10-31 regular expressions and routing policy 1-37 AS-path lists 1-37 community lists 1-38 community number format 1-38 examples 1-40 metacharacters defined 1-38 specifying as literals 1-39 release notes xxiii reliable protocols 2-38, 3-8 remote-neighbor command 5-47, 8-20, 9-39 remote neighbors OSPF 9-37 PIM SM 5-39 PIM SM, configuring 5-47 RIP 8-19 removing DVMRP 5-67 PIM 5-49 See also deleting rendezvous point router. See RP routers reporting IP multicast groups 5-15 request messages, RIP 8-2 resetting PIM counters and mappings 5-50 response messages, RIP 8-2 Response Time Reporter. See RTR retransmission interval, IS-IS 10-18 retransmission throttle interval, IS-IS 10-18

15 E-Series Routers

retransmit interval and transmit delay 9-17, 9-22 OSPF 9-17, 9-22 retransmit-interval command 9-40 reverse-path forwarding. See RPF RIP (Routing Information Protocol) 8-1 to 8-28 authentication 8-3 clearing IP routing table 1-43 configuring 8-7 to 8-15 debounce interval 8-10 disabling dynamic route distribution 8-11 ECMP 8-6 maximum number of parallel routes 8-14 message types 8-2 monitoring 8-22 to 8-28 purging the routing table 8-12 reinstalling routes in IP routing table 1-43 remote neighbors 8-19 request messages 8-2 response messages 8-2 route specificity 8-16 route tags 8-3 split horizon mechanism 8-6 subnet masks 8-4 summarizing routes 8-5 triggered updates, disabling 8-18 troubleshooting 8-22 using routes for multicast RPF checks 8-18 route leakage, OSPF 9-6 route leaking between IS-IS levels 10-23 route-map command 1-11, 5-65, 8-16, 9-27, 10-21 route maps and routing policy 1-2 to 1-16 deny keyword 1-3 filtering incoming/outgoing routes with access lists 1-22 to 1-24 instance 1-3 map tag 1-3 match clause 1-2 monitoring 1-54 permit keyword 1-3 sequence number 1-3 set clause 1-2 route maps, IP, monitoring 2-80 router commands router dvmrp 5-66, 5-68 router igmp 5-25 router isis 10-13 router ospf 9-10, 9-11 router pim 5-43, 5-49

router rip 8-16, 8-18 router IDs 2-25, 9-3 router type, IS-IS 10-27 routes summarizing IS-IS 10-27 summarizing RIP 8-5 using for other protocols 5-8 using IS-IS 10-36 using OSPF 9-37 using RIP 8-18 route tags, RIP 8-3 routing, IP 2-21 to 2-33 adding host route to peer on PPP interface 2-26 default routes 2-26 disabling forwarding of packets 2-29 identifying a router 2-25 maximum number of parallel routes 2-32 monitoring 1-49, 1-50, 2-61, 2-72, 2-74 routing operations 2-25 routing tables 2-21 to 2-27 source address validation 2-27 static routes 2-25 See also IP routing, IPv6 See also IPv6 hop limit 3-13 monitoring 3-28, 3-31 static routes 3-13 routing, IS-IS clearing redistribution information 10-22 default route and routing domain 10-26 designated routers 10-17 integrated 10-9 layers/levels of 10-2, 10-3, 10-4, 10-17 maximum number of parallel routes 10-34 OSPF routing with 9-7 route summarization 10-27 routing domains 10-3 setting redistribution routes 10-22 specifying type (level) 10-27 See also IS-IS routing, OSPF clearing redistribution information 9-29 cost 9-16 autocost 9-31 default routing cost 9-20 equal-cost multipath 9-7 default route and routing domain 9-30 displaying information about 9-44

16 Index

intra-area, interarea, external routes 9-5 leakage 9-6 maximum number of parallel routes 9-31 priority 9-5, 9-17 See also OSPF routing, RIP debounce interval 8-10 maximum number of parallel routes 8-14 purging the routing table 8-12 route specificity 8-16 triggered updates, disabling 8-18 routing information base (RIB) 2-21 Routing Information Protocol. See RIP routing policy community 1-31 community list 1-32 configuring 1-1 managing the routing table 1-43 monitoring 1-43 overview 1-1 prefix lists 1-27 prefix trees 1-30 route maps 1-2 troubleshooting 1-43 routing policy, BGP access lists 1-16 to 1-24 monitoring 1-43 to 1-54 route maps 1-2 to 1-16 routing table entry 2-22 global IP 2-22 local 2-21 routing table, managing the IP 1-43 RP (rendez-vous point) routers 5-44 configuring, automatic 5-45 configuring, static 5-44 RP (rendezvous point) routers assigning automatically 5-45 configuring, automatic 5-44 RPF (reverse-path forwarding) 5-5 RPF routes, monitoring 5-6 RTR (Response Time Reporter) 2-42 collecting history 2-46 collecting statistics 2-46 configuring 2-43 monitoring 2-50 options 2-44 probe configuring 2-43 scheduling 2-48

shutting down 2-49 reaction conditions 2-47

S
secondary IP addresses 2-10 secure IP interfaces 12-4 security parameters 12-6 send-more-specific-routes-disable command 8-16 send version command 8-21 sequence number, route map 1-3 set commands 1-12 to 1-16 and route maps 1-2 set as-path prepend 1-12 set automatic-tag 1-12 set comm-list delete 1-12 set community 1-13, 1-35 set dampening 1-13 set distance 1-13 set extcommunity 1-14, 1-36 set ip next-hop 1-14 set level 1-14 set local-preference 1-14 set metric 1-15 set metric-type 1-15 set origin 1-16 set route-type 1-16 set tag 1-16 set weight 1-16 set-overload-bit command 10-28 setting administrative distance, IP 2-23 baseline DVMRP 5-69 IGMP 5-25 IGMP Proxy 5-32 DVMRP hop-count 5-64 metric 2-25 threshold, PIM SM 5-46 shared IP interfaces configuring 2-34 moving 2-37 primary interface 2-33 shared interface 2-33 shared trees 5-38, 5-39, 5-46 shortest path trees. See SRTs show access-list command 1-44, 2-57 show arp command 2-57 show clns commands show clns 10-49 show clns interface 10-51

17 E-Series Routers

show clns neighbors 10-53 show clns protocol 10-54 show clns traffic 10-54 show dvmrp commands show dvmrp tunnel 6-8 show dvmrp tunnel summary 6-9 show gre commands show gre tunnel 6-10 show gre tunnel summary 6-12 show host command 10-38 show ike commands show ike certificates 13-12 show ike configuration 13-14 show ike identity 13-14 show ike policy-rule 12-42 show ike sa 12-43 show ip commands show ip 2-58 show ip address 2-58 show ip as-path-access-list 1-45, 2-60 show ip community-list 1-45, 2-60 show ip dynamic-interface-prefix 2-61 show ip extcommunity-list 1-37 show ip forwarding-table 2-61 show ip interface 2-61 show ip interface shares 2-65 show ip mroute 5-8 show ip mroute count 5-10, 5-11 show ip mroute summary 5-12 show ip prefix-list 1-46 show ip prefix-list detail 1-46 show ip prefix-list summary 1-46 show ip prefix-tree 1-47 show ip prefix-tree detail 1-47 show ip prefix-tree summary 1-47 show ip protocols 1-47, 2-69 show ip redistribute 1-48, 2-72, 3-30 show ip route 1-49, 2-72 show ip route slot 1-50, 2-74 show ip rpf-route 5-6 show ip static 1-51, 2-74 show ip tcp statistics 2-75 show ip traffic 1-51 show ip tunnel reassembly statistics 7-3 show ip udp statistics 2-80 show ip vrrp 11-12 show ip vrrp brief 11-13 show ip vrrp neighbors 11-13 show ip vrrp statistics 11-14 show ip vrrp statistics global 11-16

show ip dvmrp commands show ip dvmrp 5-69 show ip dvmrp interface 5-70 show ip dvmrp mroute 5-71 show ip dvmrp neighbor 5-71 show ip dvmrp route 5-73 show ip dvmrp routeNextHop 5-74 show ip igmp commands show ip igmp 5-25 show ip igmp groups 5-26 show ip igmp interface 5-27 show ip igmp interface brief 5-28 show ip igmp-proxy 5-32 show ip igmp-proxy groups 5-32 show ip igmp-proxy interface 5-33 show ip multicast commands show ip multicast protocols 5-12 show ip multicast protocols brief 5-13 show ip multicast routing 5-14 show ip nat commands show ip nat statistics 4-23 show ip nat translations 4-24 show ip ospf commands show ip ospf 9-44 show ip ospf border-routers 9-45 show ip ospf database 9-45 show ip ospf database opaque-area 9-47 show ip ospf interface 9-49 show ip ospf internal-statistics 9-49 show ip ospf neighbors 9-51 show ip ospf remote-neighbor interface 9-51 show ip ospf spf-log 9-51 show ip ospf virtual-links 9-53 show ip pim commands show ip pim auto-rp 5-51 show ip pim dense-mode sg-state 5-52 show ip pim interface 5-53 show ip pim neighbor 5-54 show ip pim remote-neighbor 5-55 show ip pim rp 5-55 show ip pim rp-hash 5-56 show ip pim sparse-mode sg-state 5-56 show ip pim sparse-mode unicast-route 5-58 show ip pim spt-threshold 5-58 show ip rip commands 8-23 to 8-26 show ip rip 8-23 show ip rip brief 8-25 show ip rip database 8-26 show ip rip network 8-27 show ip rip stats 8-28

18 Index

show ip rip summary-address 8-28 show ipsec commands show ipsec lifetime 12-44 show ipsec local-endpoint 12-44 show ipsec transform-set 12-45 show ipsec tunnel detail 12-45 show ipsec tunnel summary 12-47 show ipsec tunnel virtual-router 12-47 show license ipsec-tunnels 12-48 show IPSec transport profile commands show ipsec transport interface 14-13 show ipsec transport interface summary 14-15 show ipsec transport profile 14-15 show ipv6 commands show ipv6 3-22 show ipv6 address 3-22 show ipv6 neighbors 3-28 show ipv6 protocols 3-29 show ipv6 route 3-31 show ipv6 static 3-32 show ipv6 traffic 3-32 show ipv6 udp statistics 3-34 show license ipv6 3-35 show isis commands show isis database 10-39 show isis mpls adjacency-log 10-42 show isis mpls advertisements 10-43 show isis mpls tunnel 10-44 show isis spf-log 10-45 show isis summary-addresses 10-46 show isis topology 10-46 show multicast group limit command 5-29 show profile commands show profile 2-68, 3-28 show profile brief 2-81 show route-map command 1-54, 2-81 signalled IPSec interfaces 12-8 simple password authentication, OSPF 9-6, 9-25 snmp trap ip link-status command 2-31 software, installing xix source, tunnel 6-2 source address verification 2-27 source-rooted trees. See SRTs sparse mode multicast protocols 5-5 specifying IP multicast groups 5-22 SPF, incremental 9-40 SPF calculations, information on 9-51, 10-45 SPF hold time interval 9-33 IS-IS 10-31

spf-interval command 10-31 split-horizon command 8-21 split horizon mechanism 8-6 SPTs (shortest path trees). See SRTs SRP module, global IP routing table on 2-22 SRTs (source-rooted trees) 5-35, 5-39, 5-46, 5-59 starting IS-IS MD5 packets 10-7 static routes 1-51, 2-25, 2-74, 3-13, 3-32, 5-6, 6-7 static tunnels 6-1 to 6-12 stopping IS-IS MD5 packets 10-7 stub areas, OSPF 9-3, 9-20 subnet addressing 2-7 subnet masks, RIP 8-4 summarizing RIP routes 8-5 summary-address command 10-27, 9-12 summary addresses DVMRP routing 5-63 IS-IS routing 10-27 OSPF routing 9-12 supernets 2-9 suppress-default command 10-27 suppressing IS-IS default routes 10-27 syntax conventions defined xx system identifier, IS-IS 10-3

T
table forwarding 2-22 global IP routing 2-22 local routing 2-21 table-map command (RIP) 8-17, 9-32 table-map command, IP 1-26 TCP/IP protocol suite defined 2-2 layers of 2-3 to 2-4 text conventions defined xx timers PIM SM 5-41 RIP 8-17 timers commands timers 8-17 timers spf 9-33 time-to-live command 8-21 TLV for resolution of IS-IS dynamic hostname 10-5, 10-33 topology IS-IS 10-4 OSPF 9-4 trace packets 2-42, 3-15, 5-74 traceroute command 2-40, 2-42, 3-8, 3-15

19 E-Series Routers

traffic, IP 1-51, 2-11 to 2-80 traffic engineering and IS-IS 10-35 and OSPF 9-35 transform sets, IPSec 12-12 transmit delay, OSPF 9-18, 9-22 transmit-delay command 9-40 transport layer (TCP/IP) 2-4 transport network 6-7 traps, OSPF 9-41 traps command 9-42 triggered-update-disable command 8-18 troubleshooting dropped packets 2-65 IS-IS 10-38 OSPF 9-42 RIP 8-22 routing policy 1-43 TSM (Tunnel Service line module) installing 6-2 monitoring parameters 6-8 redundancy 6-3 ttl command 9-40 tunnel commands, IP tunnel checksum 6-4 tunnel destination 6-4 tunnel mtu 6-4 tunnel source 6-5 tunnel commands, IPSec tunnel destination 12-25 tunnel lifetime 12-26 tunnel local-identity 12-26 tunnel mtu 12-26 tunnel peer-identity 12-26 tunnel pfs group 12-27 tunnel session-key-inbound 12-27 tunnel session-key-outbound 12-27 tunnel signaling 12-28 tunnel source 12-28 tunnel transform set 12-28 tunnels, IP 6-1 to 6-12 DVMRP (IP in IP) 6-2 endpoints 6-2 GRE 6-2 tunnels, reassembling tunnel packets 7-1 Tunnel Service line module. See TSM type-length-value for resolution of IS-IS dynamic hostname 10-5, 10-33

U
UDP (User Datagram Protocol) 8-2 undebug commands undebug ip ospf 9-43 undebug ip pim 5-51 undebug ip rip 8-22 undebug isis 10-46 unicast routes, DVMRP 5-66 unnumbered interface IP 2-26 IPv6 3-12 unreachable messages (ICMP) 2-39 unreliable protocols 2-2, 2-38, 3-8 updates, BGP AS-path filters for 1-19 to 1-21 update-source command 5-48, 8-21, 9-40 updating the system software xix upstream interface 5-29 User Datagram Protocol. See UDP

V
validating source addresses 2-27 virtual links, OSPF 9-3, 9-6, 9-22 virtual MAC address 11-1 virtual-router command 2-13 Virtual Router Redundancy Protocol (VRRP). See VRRP VRID (virtual router ID) configuration 11-9 creating 11-8, 11-9 router election rules 11-7 VRRP (Virtual Router Redundancy Protocol) advertisement interval 11-9 advertisement messages 11-7 authentication key 11-10 authentication type 11-10 backup router 11-1, 11-7 configuration examples 11-3 to 11-6 configuring 11-8 to 11-12 Fast Ethernet (FE) modules 11-2 Gigabit Ethernet (GE) modules 11-2 how it works 11-3 implementation 11-7, 11-8 MAC address 11-1 master router 11-1 to 11-11 monitoring 11-12 overview 11-1 preemption 11-8, 11-11 router election rules 11-7

20 Index

router priority 11-10 VLAN support 11-2 VRRP router defined 11-2 vrrp commands ip vrrp 11-10 ip vrrp advertise-interval 11-10 ip vrrp authentication-key 11-11 ip vrrp authentication-type 11-11 ip vrrp enable 11-9, 11-11 ip vrrp preempt 11-9, 11-11 ip vrrp priority 11-11 ip vrrp virtual-address 11-12

W
well-known communities, BGP 1-32

X
X.509v3 certificates 13-3