Configuring Logical Interfaces

Use the information in this chapter to understand and configure the types of logical, or virtual, interfaces supported on Cisco routers and access servers. This chapter includes the following configuration instructions and examples:

Configure a Loopback Interface Configure a Null Interface Configure a Tunnel Interface

For examples of configuration tasks, see Logical Interface Configuration Examples at the end of this chapter. For hardware technical descriptions and information about installing interfaces, refer to the hardware installation and configuration publication for your product. For complete descriptions of the logical interface commands, refer to the Interface Commands chapter of the Cisco IOS Interface Command Reference. To locate documentation of other commands that appear in this chapter, use the command reference master index or search online.

Configure a Loopback Interface

You can specify a software-only interface called a loopback interface to emulate an interface. It is supported on all platforms. A loopback interface is a virtual interface that is always up and allows BGP and RSRB sessions to stay up even if the outbound interface is down. You can use the loopback interface as the termination address for BGP sessions, for RSRB connections, or to establish a Telnet session from the devices console to its auxiliary port when all other interfaces are down. You can also use a loopback interface to configure IPX-PPP on asynchronous interfaces. To do so, you must associate an asynchronous interface with a loopback interface configured to run IPX. In applications where other routers or access servers attempt to reach this loopback interface, you should configure a routing protocol to distribute the subnet assigned to the loopback address. Packets routed to the loopback interface are rerouted back to the router or access server and processed locally. IP packets routed out the loopback interface but not destined to the loopback interface are dropped. This means that the loopback interface serves as the Null 0 interface also.
Note Loopback does not work on an X.21 DTE because the X.21 interface definition does not

include a loopback definition.

Configuring Logical Interfaces IC-135

Configure a Null Interface

To specify a loopback interface and enter interface configuration mode, use one of the following commands in global configuration mode:
Command interface loopback number interface loopback slot/port interface loopback slot/port-adapter/port Purpose Begin interface configuration. Begin interface configuration for the Cisco 7200 series or the Cisco 7500 series. Begin interface configuration for the Cisco 7500 series.

See the section Run Interface Loopback Diagnostics in the Overview of Interface Configuration chapter in this publication.

Configure a Null Interface

The Cisco IOS software supports a null interface. This pseudo-interface functions similarly to the null devices available on most operating systems. This interface is always up and can never forward or receive traffic; encapsulation always fails. The only interface configuration command that you can specify for the null interface is no ip unreachables. The null interface provides an alternative method of filtering traffic. You can avoid the overhead involved with using access lists by directing undesired network traffic to the null interface. To specify the null interface, use the following command in global configuration mode:
Command interface null 0 Purpose Begin interface configuration.

Specify null 0 (or null0) as the interface type and number. The null interface can be used in any command that has an interface type as an argument. The following example configures a null interface for IP route 127.0.0.0:
ip route 127.0.0.0 255.0.0.0 null 0

Configure a Tunnel Interface

Tunneling provides a way to encapsulate arbitrary packets inside of a transport protocol. This feature is implemented as a virtual interface to provide a simple interface for configuration. The tunnel interface is not tied to specific passenger or transport protocols, but rather, it is an architecture that is designed to provide the services necessary to implement any standard point-to-point encapsulation scheme. Because tunnels are point-to-point links, you must configure a separate tunnel for each link. Tunneling has the following three primary components:

Passenger protocol, which is the protocol you are encapsulating (AppleTalk, Banyan VINES, CLNS, DECnet, IP, or IPX) Carrier protocol, which is one of the following encapsulation protocols: Generic route encapsulation (GRE), Ciscos multiprotocol carrier protocol Cayman, a proprietary protocol for AppleTalk over IP EON, a standard for carrying CLNP over IP networks

IC-136

Cisco IOS Interface Configuration Guide

Advantages of Tunneling

NOS, IP over IP compatible with the popular KA9Q program Distance Vector Multicast Routing Protocol (DVMRP) (IP in IP tunnels, defined by RFC 20036)

Transport protocol, which is the protocol used to carry the encapsulated protocol (IP only)

Figure 22 illustrates IP tunneling terminology and concepts.

Figure 22 IP Tunneling Terminology and Concepts

k t

To understand the process of tunneling, consider connecting two AppleTalk networks with a non-AppleTalk backbone, such as IP. The relatively high bandwidth consumed by the broadcasting of Routing Table Maintenance Protocol (RTMP) data packets can severely hamper the backbones network performance. This problem can be solved by tunneling AppleTalk through a foreign protocol, such as IP. Tunneling encapsulates an AppleTalk packet inside the foreign protocol packet, which is then sent across the backbone to a destination router. The destination router then de-encapsulates the AppleTalk packet and, if necessary, routes the packet to a normal AppleTalk network. Because the encapsulated AppleTalk packet is sent in a directed manner to a remote IP address, bandwidth usage is greatly reduced. Furthermore, the encapsulated packet benefits from any features normally enjoyed by IP packets, including default routes and load balancing.

Advantages of Tunneling
The following are several situations where encapsulating traffic in another protocol is useful:

To provide multiprotocol local networks over a single-protocol backbone To provide workarounds for networks containing protocols that have limited hop counts; for example, AppleTalk (see Figure 23) To connect discontinuous subnetworks To allow virtual private networks across wide-area networks (WANs)

Configuring Logical Interfaces IC-137

Configure a Tunnel Interface

Figure 23

Providing Workarounds for Networks with Limited Hop Counts

Router Tunnel

Router

Router

Router

Router

If the path between two computers has more than 15 hops, they cannot communicate with each other, but it is possible to hide some of the hops inside the network with a tunnel.

Special Considerations
The following are considerations and precautions to observe when you configure tunneling:

Encapsulation and decapsulation at the tunnel end points are slow operations; in general, only processor switching is supported. However, fast switching of GRE tunnels was introduced in Cisco IOS Release 11.1 for the Cisco 2500 series and the Cisco 4000 series of routers. Consider security and topology issues. Be careful not to violate access control lists. You can configure a tunnel with a source and destination that are not restricted by firewall routers. Tunneling might create problems with transport protocols with limited timers (for example, DECnet) due to increased latency. Be aware of the environments across which you create tunnels. You might be tunneling across fast FDDI rings or through slow 9600-bps phone lines; some passenger protocols function poorly in mixed media networks. Multiple point-to-point tunnels can saturate the physical link with routing information. Routing protocols that make their decisions based solely on hop count will often prefer a tunnel over a multipoint real link. A tunnel might appear to be a one-hop, point-to-point link and have the lowest-cost path, but may actually cost more. For example, in the topology shown in Figure 24, packets from Host 1 will travel across networks w, q, and z to get to Host 2 instead of taking the path w, x, y, z because it appears shorter.

IC-138

Cisco IOS Interface Configuration Guide

S2299

IP Tunneling Configuration Task List

Figure 24

Tunnel Precautions: Hop Counts

An even worse problem will occur if routing information from the tunneled network mixes with the transport networks information. In this case, the best path to the tunnel destination is via the tunnel itself. This is called a recursive route and will cause the tunnel interface to temporarily shut down. To avoid recursive routing problems, keep passenger and transport network routing information disjointed: Use a different AS number or tag. Use a different routing protocol. Use static routes to override the first hop (but watch for routing loops).

If you see line protocol down, as in the following example, it might be because of a recursive route:
%TUN-RECURDOWN Interface Tunnel 0 temporarily disabled due to recursive routing

IP Tunneling Configuration Task List

If you want to configure IP tunneling, you must perform the tasks in the following sections:

Specify the Tunnel Interface Configure the Tunnel Source Configure the Tunnel Destination

The tasks in the following tunnel configuration sections are optional: Configure the Tunnel Mode Configure End-to-End Checksumming Configure a Tunnel Identification Key Configure a Tunnel Interface to Drop Out-of-Order Datagrams Configure Asynchronous Host Mobility

For commands that monitor IP tunnels, see the section Monitor and Maintain the Interface in the Interface Configuration Overview chapter. For examples of configuring tunnels, see the section IP Tunneling Examples at the end of this chapter.

Configuring Logical Interfaces IC-139

Configure a Tunnel Interface

Specify the Tunnel Interface

To specify a tunnel interface and enter interface configuration mode, use one of the following commands in global configuration mode:
Command interface tunnel number interface tunnel slot/port interface tunnel slot/port-adapter/port Purpose Begin interface configuration. Begin interface configuration for the Cisco 7200 series. Begin interface configuration for the Cisco 7500 series.

Configure the Tunnel Source

You must specify the tunnel interfaces source address by using the following command in interface configuration mode:
Command tunnel source {ip-address | type number} Purpose Configure the tunnel source.

Note You cannot have two tunnels using the same encapsulation mode with exactly the same source

and destination address. The workaround is to create a loopback interface and source packets off the loopback interface.

Configure the Tunnel Destination

You must specify the tunnel interfaces destination by using the following command in interface configuration mode:
Command tunnel destination {hostname | ip-address} Purpose Configure the tunnel destination.

Configure the Tunnel Mode

The encapsulation mode for the tunnel interface defaults to generic route encapsulation (GRE), so this command is considered optional. However, if you want a mode other than GRE, you must configure it by using the following command in interface configuration mode:
Command tunnel mode {aurp | cayman | dvmrp | eon | gre ip | nos} Purpose Configure the tunnel mode.

If you are tunneling AppleTalk, you must use either the AppleTalk Update Routing Protocol (AURP), Cayman or GRE tunneling mode. Cayman tunneling is designed by Cayman Systems and enables routers and access servers to interoperate with Cayman GatorBoxes. You can have Cisco devices at either end of the tunnel, or you can have a GatorBox at one end and Cisco router or access server at the other end. Use Distance Vector Multicast Routing Protocol (DVMRP) mode when a router or access server connects to a mrouted router to run DVMRP over a tunnel. It is required to configure Protocol-Independent Multicast (PIM) and an IP address on a DVMRP tunnel.

IC-140

Cisco IOS Interface Configuration Guide

Configure End-to-End Checksumming

Caution Do not configure a Cayman tunnel with an AppleTalk network address.

If you use GRE, you must have only Cisco routers or access servers at both ends of the tunnel connection. When you use GRE to tunnel AppleTalk, you must configure an AppleTalk network address and a zone. Use the following commands to tunnel AppleTalk using GRE:
Step
1 2 3 4 5 6

Command interface tunnel number appletalk cable-range start-end [network.node] appletalk zone zone-name tunnel source {ip-address | type number} tunnel destination {hostname | ip-address} tunnel mode gre ip

Purpose Enable tunneling on the interface. Assign a cable range to an interface. Set a zone name for the connected AppleTalk network. Specify the interface out which the encapsulated packets will be sent, or specify the routers IP address. Specify the IP address of the router at the far end of the tunnel. Enable GRE tunneling.

Configure End-to-End Checksumming

Some passenger protocols rely on media checksums to provide data integrity. By default, the tunnel does not guarantee packet integrity. By enabling end-to-end checksums, the Cisco IOS software drops corrupted packets. To enable such checksums on a tunnel interface, use the following command in interface configuration mode:
Command tunnel checksum Purpose Configure end-to-end checksumming.

Configure a Tunnel Identification Key

You can enable an ID key for a tunnel interface. This key must be set to the same value on the tunnel endpoints. Tunnel ID keys can be used as a form of weak security to prevent misconfiguration or injection of packets from a foreign source.
Note IP multicast traffic is not supported when a tunnel ID key is configured unless the traffic is

process-switched. You must configure the no ip mroute-cache command in interface configuration mode on the interface if an ID key is configured. This note applies only to Cisco IOS Release 12.0 and earlier releases.

The tunnel ID key is available with GRE only.

Note When GRE is used, the ID key is carried in each packet. We do not recommend relying on

this key for security purposes.

To configure a tunnel ID key, use the following command in interface configuration mode:
Command tunnel key key-number Purpose Configure a tunnel identification key. Configuring Logical Interfaces IC-141

Configure a Tunnel Interface

Configure a Tunnel Interface to Drop Out-of-Order Datagrams

You can optionally configure a tunnel interface to drop datagrams that arrive out of order. This is useful when carrying passenger protocols that function poorly when they receive packets out of order (for example, LLC2-based protocols). This option is available with GRE only. To use this option, use the following command in interface configuration mode:
Command tunnel sequence-datagrams Purpose Configure a tunnel interface to drop out-of-order datagrams.

Configure Asynchronous Host Mobility

Increasingly, remote users are accessing networks through dial-up telephone connections. In contrast to local users who can connect directly into the network, remote users must first dial into an access server. The access server supports a packet tunneling strategy that extends the internetworkin effect creating a virtual private link for the mobile user. When a user activates asynchronous host mobility, the access server on which the remote user dials into becomes a remote point-of-presence (POP) for the users home network. Once logged in, users experience a server environment identical to the one that they experience when they connect directly to the home access server. Once the network layer connection is made, data packets are tunneled at the physical and/or data link layer instead of at the protocol layer. In this way, raw data bytes from dial-in users are transported directly to the home access server, which processes the protocols. Figure 25 illustrates the implementation of asynchronous host mobility on an extended internetwork. A mobile user connects to an access server on the internetwork and, by activating asynchronous host mobility, is connected to a home access server configured with the appropriate user name. The user sees an authentication dialog or prompt from the home system and can proceed as if he or she were connected directly to that device.
Figure 25 Asynchronous Host Mobility

The remote user implements asynchronous host mobility by executing the tunnel command in user EXEC mode. The tunnel command sets up a network layer connection to the specified destination. The access server accepts the connection, attaches it to a virtual terminal (VTY), and runs a command parser capable of running the normal dial-in services. After the connection is established, data is transferred between the modem and network connection with a minimum of interpretations. When communications are complete, the network connection can be closed and terminated from either end.

IC-142

Cisco IOS Interface Configuration Guide

Logical Interface Configuration Examples

Refer to the Cisco Access Connection Guide for information about setting up the network layer connection with the tunnel command.

Logical Interface Configuration Examples

This section provides examples that illustrate configuration of IP tunnels.

IP Tunneling Examples
The following example shows an IP tunneling configuration with commented (!) explanations:
!Creates the interface interface tunnel 0 !enables IPX on the interface novell network 1e !enables appletalk appletalk cable-range 4001-4001 128 !enables IP ip address 10.1.2.3. 255.255.255.0 !enables DECnet DECnet cost 4 !sets the source address, or interface, for packets tunnel source ethernet 0 !determines where the encapsulated packets are to go tunnel destination 131.108.14.12 !sets the protocol tunnel mode gre !computes a checksum on passenger packets if protocol doesnt already have reliable !checksum tunnel checksum needed !sets the id key tunnel key 42 !set to drop out of order packets tunnel sequence-datagrams

Routing Two AppleTalk Networks across an IP-Only Backbone Example

Figure 26 is an example of connecting multiprotocol subnetworks across a single-protocol backbone. The configurations of router A and router B follow Figure 26.

Configuring Logical Interfaces IC-143

Logical Interface Configuration Examples

Figure 26

Connecting AppleTalk Networks across an IP-Only Backbone

Router A

Physics department AppleTalk network

Tunnel

Router A

Router

Router

Router B

Campus backbone (IP only)

Router B

Router A
interface ethernet 0 description physics department AppleTalk lan appletalk cable-range 4001-4001 32 ! interface fddi 0 description connection to campus backbone ip address 36.0.8.108 255.255.255.0 interface tunnel 0 tunnel source fddi 0 tunnel destination 36.0.21.20 appletalk cable-range 5313-5313 1

IC-144

Cisco IOS Interface Configuration Guide

S1533a

Chemistry department AppleTalk network

IP Tunneling Examples

Router B
interface ethernet 0 description chemistry department appletalk lan appletalk cable-range 9458-9458 3 ! interface fddi 0 description connection to campus backbone ip address 36.0.21.20 255.255.255.0 interface tunnel 0 tunnel source fddi 0 tunnel destination 36.0.8.108 appletalk cable-range 5313-5313 2

Routing a Private IP Network and a Novell Net across a Public Service Provider Example
Figure 27 is an example of routing a private IP network and a Novell network across a public service provider. The configuration of router A and router B follow Figure 27.
Figure 27 Creating Virtual Private Networks Across WANs

Boston

Router A

Tunnel

Public Service Provider

Router B

Menlo Park

Configuring Logical Interfaces IC-145

S2538

Logical Interface Configuration Examples

Router A
interface ethernet 0 description boston office ip address 10.1.1.1 255.255.255.0 novell network 1e ! interface serial 0 description connection to NEARnet ip address 192.13.2.1 255.255.255.0 ! interface tunnel 0 tunnel source serial 0 tunnel destination 131.108.5.2 ip address 10.1.2.1 255.255.255.0 novell network 1f

Router B
interface ethernet 0 description menlo park office ip address 10.1.3.1 255.255.255.0 novell network 31 ! interface serial 4 description connection to BARRnet ip address 131.108.5.2 255.255.255.0 ! interface tunnel 0 tunnel source serial 4 tunnel destination 192.13.2.1 ip address 10.1.2.2 255.255.255.0 novell network 1f

IC-146

Cisco IOS Interface Configuration Guide