
RG-Router Implementation Cookbook (V1.3)

2018-06-27


 

 


Copyright Statement

Ruijie Networks © 2013

Ruijie Networks reserves all copyrights of this document. Any reproduction, excerption, backup, modification, transmission, translation or commercial use of this document or any portion of this document, in any form or by any means, without the prior written consent of Ruijie Networks is prohibited.

The Ruijie logos (the combined Chinese/English mark in horizontal layout, the Ruijie Networks logo in Chinese, and the Ruijie logo in English) are registered trademarks of Ruijie Networks. Counterfeiting is strictly prohibited.

Exemption Statement

This document is provided "as is". The contents of this document are subject to change without any notice. Please obtain the latest information through the Ruijie Networks website. Ruijie Networks endeavors to ensure content accuracy and will not shoulder any responsibility for losses and damages caused due to content omissions, inaccuracies or errors.


Preface

This guide provides an overview and explains how to configure the various features for the RG-RSR30-44 Router, RG-RSR20-14E Router, RG-RSR10-02E Router, RG-RSR10-02 Router, and RG-RSR77 series Router. Some information may not apply to your particular router model.

Audience

- Network Engineers

- Network Administrators

Obtain Technical Assistance

- Ruijie Networks Website: http://www.ruijienetworks.com

- Ruijie Service Portal: http://caseportal.ruijienetworks.com

You are welcome to report errors in any Ruijie manual and give feedback through the Ruijie Service Portal.

Related Documents

- Product Datasheet

RG-RSR30-44 Reliable Multi-Service Router Datasheet

RG-RSR20-14E Reliable Multi-Service Router Datasheet

RG-RSR10-02E Reliable Multi-Service Router Datasheet

RG-RSR10-02 Reliable Multi-Service Router Datasheet

RG-RSR77-X Core Service Distributed Router Datasheet

- Hardware Installation Guide

RG-RSR30 Series Routers Hardware Installation and Reference Guide

RG-RSR20-14E Series Routers Hardware Installation and Reference Guide

RG-RSR10-02E Series Routers Hardware Installation and Reference Guide

RG-RSR10 (20) Series Router Hardware Installation and Reference Guide

RG-RSR77 Series Router Hardware Installation and Reference Guide

- RGOS Configuration Guide

RG-RSR30 Series Router RGOS Configuration Guide

RG-RSR20-14E Series Router RGOS Configuration Guide

RG-RSR10-02E Series Router RGOS Configuration Guide

RG-RSR10 (20) Series Router RGOS Configuration Guide

RG-RSR77 Series Router RGOS Configuration Guide

- RGOS Command Reference

RG-RSR30 Series Router RGOS Command Reference

RG-RSR20-14E Series Router RGOS Command Reference

RG-RSR10-02E Series Router RGOS Command Reference

RG-RSR10 (20) Series Router RGOS Command Reference

RG-RSR77 Series Router RGOS Command Reference

- White Paper

White Paper for Ruijie ERPS Technology

White Paper for REF Technology

White Paper for WAN Transmission Acceleration Technology of Routers

Revision History

Date      Change contents                                                                                          Reviser
2016.5    Initial publication V1.0                                                                                 TAC Oversea
2017.2    Added new chapters 1.1.3 Distributed Router Upgrade, 2.1.4 Syslog, 2.4.6 VPDN 2.0, 2.6.5 DLDP,         TAC Oversea
          3.1 4G Solutions, and 5.1 Detailed Configuration for Internet Access in publication V1.1
2017.10   Added new chapter 3.3.2 Import Configuration Using FUNC Key                                             TAC Oversea

Index

1 Preface
2 Index
3 Maintenance
3.1 Firmware Upgrade
3.1.1 Upgrade in Xmodem Mode
3.1.2 Upgrade in Router Mode
3.1.3 Distributed Router Upgrade
3.2 Password Restoration
3.2.1 Password Restoration with RGOS Version 10.X
3.2.2 Password Restoration on RSR77
3.2.3 Password Restoration on 4G Router
3.3 Upgrade Firmware and Import Configuration Using FUNC Key
3.3.1 Upgrade Firmware Using FUNC Key
4 Configuration
4.1 Basic Function Configuration
4.1.1 Initial Configuration
4.1.2 Ruijie Express Forwarding (REF)
4.1.3 DHCP
4.1.4 Syslog
4.2 IP Routing
4.2.1 Static Route
4.2.2 RIP
4.2.3 OSPF
4.2.4 BGP
4.2.5 Route Control
4.2.6 Policy-Based Routing
4.2.7 Routing across VRFs
4.3 Fixed Switch Modules
4.4 Security
4.4.1 ACL
4.4.2 NAT
4.4.3 IPSEC
4.4.4 GRE
4.4.5 L2TP VPN
4.4.6 VPDN 2.0
4.4.7 Local Attack Protection
4.5 Network Management and Monitoring
4.5.1 IPFIX
4.6 Reliability
4.6.1 BFD
4.6.2 VRRP
4.6.3 Link-Based Interface Backup
4.6.4 GR
4.6.5 DLDP
4.7 QoS
4.7.1 Traffic Classification and Marking
4.7.2 Congestion Avoidance
4.7.3 Traffic Control
4.7.4 Generic Traffic Shaping (GTS)
4.7.5 QoS Implementation Guide
5 Solution Configuration Guide
5.1 4G Solutions
5.1.1 4G Products and Common Commands
5.1.2 4G Typical Scenario Configuration Guide
5.1.3 Other Function Configuration for a 4G Router
5.1.4 Configuring WiFi for the 4G Router
5.1.5 4G FAQs and Faults
6 Device Status Detection
6.1 Check Clock
6.2 Check Log
6.3 Check Hardware Status
6.4 Check CPU Utilization
6.5 Check Memory Utilization
6.6 Check Flow Table Status
6.7 Check Interface Status
6.8 Basic Fault Information Collection
7 Detailed Case Study
7.1 Detailed Configuration for Internet Access
7.1.1 Internet Access Configuration Guide

Maintenance

1.1 Firmware Upgrade

1.1.1 Upgrade in Xmodem Mode

I. Topology

II. Upgrade in Xmodem Mode

Notes:

The default baud rate of the SIC-3G card is 115,200 Bd during startup, and the baud rate for accessing the main screen is 9,600 Bd after startup. If the startup baud rate has been changed to another value, select the new baud rate for login.

1. Power on the device and press Ctrl+C to access the BootLoader main menu.

2. (Optional) If the current baud rate of the SIC-3G card is 115,200 Bd, skip this step. Otherwise, perform the following steps:

Note: Changing the baud rate to 115,200 Bd speeds up transmission over Xmodem.

1) Select 6. Scattered utilities.

2) Select 4. Set baudrate.

3) Select 2. Change baudrate to 115200.

4) Change the baud rate for logging in to the terminal to 115,200 Bd and press Enter. The change is successful if the console displays readable output.

3. Press Ctrl+Z twice to return to the BootLoader main menu.

4. (Optional) If the main program of the SIC-3G card is lost, go to Step 4. Otherwise, perform the following steps:

1) Select 4. File management utilities to access the file management submenu.

2) Select 1. Remove a file. Enter rgos.bin after the "The filename you want to remove:" prompt is displayed, and then press Enter.

3) Press Ctrl+Z to return to the BootLoader main menu.

5. Transfer the automatic upgrade package to the SIC-3G card.

1) Select 1. XModem utilities.

2) Select 1. Upgrade Main program.

3) Send the Xmodem file.

To send the Xmodem file by using SecureCRT, choose Option > Session Option from the main menu; in the Session Option dialog box, choose Terminal > X/Y/Zmodem and click 1024 bytes (Xmodem-1k/Ymodem-1k) in X/Ymodem send packet size.

Choose Transfer > Send Xmodem from the main menu, select the bin file used for the upgrade (name the bin file rgos.bin), and click OK to start the upgrade.

6. Restart the SIC-3G card for the automatic upgrade package to run.

1) After downloading ends, press Ctrl+Z to return to the BootLoader main menu, and select 6. Scattered utilities.

2) Select 2. Reload system.

The card upgrade is in progress. Please wait patiently.

III. Upgrade Verification

1) After the upgrade ends, the card automatically restarts and enters the major release until the PCI BUS Scan/Setup End screen is displayed.

2) Change the baud rate for the PC to connect to the SIC-3G card console to 9,600 Bd, and press Enter to enter the major release environment. Then, the upgrade is complete.

 

1.1.2 Upgrade in Router Mode

Features

The NMX-24ESW switch fabric module of the RSR20 series routers adopts a distributed system architecture. The NMX-24ESW switch fabric module is equipped with an independent CPU, memory, flash memory, and other hardware, and has an independent main program. The NMX-24ESW switch fabric module can be upgraded in router mode or independently.

Upgrade in router mode:

The software version of the switch fabric module is bundled into the software version of the router. An upgrade channel is established between the router and the switch fabric module, and the router directly transmits the software version of the switch fabric module to the flash memory of the latter, thereby achieving a remote upgrade of the switch fabric module.

RSR20 series routers running 10.3(5t86)/10.3(5b6) p3 and later versions support switch fabric module upgrade in router mode.

Independent upgrade of the switch fabric module:

The network port of the switch fabric module is connected to an external TFTP server through a network cable, and the TFTP server transmits the software version of the switch fabric module to the flash memory of the latter.

Switch fabric modules of all versions support this upgrade mode.

 

I. Upgrade Steps

1. Log in to the switch fabric module from the router.

In router mode, run the service-module fastEthernet 5/0 session command to enter the switch fabric module.

RSR20-14#service-module fastEthernet 5/0 session     //Enter the switch fabric module. If the switch fabric module is seated in Slot 5, enter 5/0; if it is seated in Slot 6, enter 6/0.

Ruijie#      //If the device prompt changes to Ruijie#, you have entered the switch fabric module successfully.

 

2. Back up the original software version of the switch fabric module.

Notes:

If the current main program running on the switch fabric module is rgos.bin, run the copy flash:rgos.bin flash:rgos.bak command for backup; if the main program is rgnos.bin, run the copy flash:rgnos.bin flash:rgnos.bak command for backup.

The following example is based on the main program rgos.bin running on the switch fabric module.

a. Display the name of the current main program running on the switch fabric module.

Ruijie#dir

    Mode Link      Size               MTime Name
------------ --------- ------------------- ------------------
<DIR>   1         0 1970-01-01 08:00:00 dev/
<DIR>   1         0 1970-01-01 08:00:03 ram/
<DIR>   2         0 1970-01-01 08:00:35 tmp/
<DIR>   0         0 1970-01-01 08:00:00 proc/
        1         8 1970-01-04 10:15:00 priority.dat
        1   5885184 1970-01-01 09:42:03 rgos.bin    //The current main program running on the switch fabric module is rgos.bin.
        1   5885184 1970-01-01 08:07:19 rgos.10.2(2).33474
--------------------------------------------------------------
3 Files(Total size 11770376 Bytes), 4 Directories.
Total 31457280 bytes (30MB) in this device, 17907712 bytes (17MB) available.

b. Back up the software version of the switch fabric module.

Ruijie#copy flash:rgos.bin flash:rgos.bak    //Back up the software version of the switch fabric module as rgos.bak.

Ruijie#dir

    Mode Link      Size               MTime Name
------------ --------- ------------------- ------------------
<DIR>   1         0 1970-01-01 08:00:00 dev/
<DIR>   1         0 1970-01-01 08:00:03 ram/
<DIR>   2         0 1970-01-01 08:00:35 tmp/
<DIR>   0         0 1970-01-01 08:00:00 proc/
        1         8 1970-01-04 10:15:00 priority.dat
        1   5885184 1970-01-01 08:05:51 rgos.bak    //The software version of the switch fabric module is backed up successfully.
        1   5885184 1970-01-01 09:42:03 rgos.bin
--------------------------------------------------------------
3 Files(Total size 11770376 Bytes), 4 Directories.
Total 31457280 bytes (30MB) in this device, 17907712 bytes (17MB) available.

c. Press Ctrl+X to exit from the switch fabric module to router mode.

3. Upgrade the main program of the router.

For the upgrade method, see section "Main Program Upgrade" (choose Daily Maintenance > Software Upgrade > Mid-range and Low-end Series Router Upgrade > 10.x Version Upgrade > Main Program Upgrade).

4. Display the software versions of the router and the switch fabric module.

1) Display the software version of the router in router mode.

RSR20-14#dir

    Mode Link      Size               MTime Name
------------ --------- ------------------- ------------------
<DIR>   1         0 1970-01-01 00:00:00 dev/
<DIR>   2         0 2013-03-29 02:15:55 esw/    //Directory for storing the software version of the switch fabric module
<DIR>   2         0 2011-05-23 03:40:19 log/
<DIR>   2         0 2013-03-29 04:31:32 mnt/
<DIR>   1         0 2013-03-29 04:31:26 ram/
<DIR>   2         0 2013-03-29 04:31:46 tmp/
<DIR>   0         0 1970-01-01 00:00:00 proc/
        1      1263 2013-01-31 14:19:56 config_0113.bak
        1   7248608 2013-03-29 02:15:36 rgos.bin    //Software version of the router
--------------------------------------------------------------
2 Files(Total size 7249871 Bytes), 7 Directories.
Total 33030144 bytes (31MB) in this device, 20160512 bytes (19MB) available.

2) Display the software version of the switch fabric module in router mode.

Notes:

For RSR20 series routers running 10.3(5t86), 10.3(5b6)p3, and later versions, the software version of the switch fabric module is packaged into the main program of the router. After the router upgrade is complete, the router automatically decompresses the software version of the switch fabric module into the esw folder in the flash memory.

RSR20-14#cd esw    //Access the directory for storing the software version of the switch fabric module.

RSR20-14#dir

    Mode Link      Size               MTime Name
-------- ------------- ------------------- ------------------
        1   4221664 2013-03-29 02:16:04 esw_install.bin    //Main program file of the switch fabric module
--------------------------------------------------------------
1 Files(Total size 4221664 Bytes), 0 Directories.
Total 33030144 bytes (31MB) in this device, 20160512 bytes (19MB) available.

5. Return to the directory of the router's main program in the flash memory and enable the terminal monitor function.

RSR20-14#cd ..      //Return to the directory of the router's main program in the flash memory.

RSR20-14#terminal monitor    //Enable the terminal monitor function.

6. Shut down services of the switch fabric module, and deliver the main program of the switch fabric module from the flash memory of the router to the flash memory of the switch fabric module.

Notes:

1) It takes about 15 minutes to transmit the software version of the switch fabric module from the router to the flash memory of the switch fabric module.

2) When the prompt "Upload completed" is displayed, wait another 8-15 minutes (15 minutes are recommended) to ensure that the version files of the switch fabric module are all received.

3) Do not perform destructive operations such as power-off and restart during the upgrade of the switch fabric module. Otherwise, the upgrade of the switch fabric module will fail.

4) If the switch fabric module or router is restarted before the version files of the switch fabric module are all received, the version files may be damaged and the switch fabric module may fail to start. In this case, run the RSR20-14#service-module fastEthernet 5/0 reset command in router mode to restart the switch fabric module, press Ctrl+C to enter the Ctrl layer of the switch fabric module, press Ctrl+Q to enter CLI mode, and then run the Ctrl>rename rgos.bak rgos.bin command to restore the original main program of the switch fabric module. Then, run the Ctrl>reload command to restart the switch fabric module and restore services.

RSR20-14#esw-switch shut-service    //Shut down services of the switch fabric module.

RSR20-14#esw-upgrade xmodem slot 5    //Transmit the software version of the switch fabric module in the flash memory of the router to the flash memory of the switch fabric module (if the switch fabric module is seated in Slot 5, enter slot 5; if it is seated in Slot 6, enter slot 6).

*Mar 29 06:09:29: %UPGRADE-6-ESW_CARD_UPRADE: Now start transmit file.
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!#
*Mar 29 06:24:45: %UPGRADE-6-ESW_CARD_UPRADE: Upload completed, 4221664 bytes of valid data has been transferred.
*Mar 29 06:24:45: %UPGRADE-6-ESW_CARD_UPRADE: Please wait a few minutes(about 8-15min) for the switch card upgrading until you can login the card.    //Wait another 8-15 minutes (15 minutes are recommended) to ensure that the version files of the switch fabric module are all received.

7. Enable services of the switch fabric module, log in to the switch fabric module, and check its software version.

RSR20-14#esw-switch open-service    //Enable services of the switch fabric module.

RSR20-14#service-module fastEthernet 5/0 session    //Enter the switch fabric module. If the switch fabric module is seated in Slot 5, enter 5/0; if it is seated in Slot 6, enter 6/0.

8. (Optional) Rename the main program file of the switch fabric module.

If the original main program of the switch fabric module is rgnos.bin, skip to Step 9.

Notes:

- If the original main program file of the switch fabric module is rgnos.bin, the version file transmitted over Xmodem directly replaces it and the file does not need to be renamed. The switch fabric module fails if it is renamed.

- If the original main program file of the switch fabric module is rgos.bin, the new program file needs to be renamed rgos.bin to ensure a successful upgrade. The following example is based on the original main program file rgos.bin of the switch fabric module.

1) Display the main program file of the switch fabric module.

Ruijie#dir

    Mode Link      Size               MTime Name
------------ --------- ------------------- ------------------
<DIR>   1         0 1970-01-01 08:00:00 dev/
<DIR>   1         0 1970-01-01 08:00:03 ram/
<DIR>   2         0 1970-01-01 08:00:35 tmp/
<DIR>   0         0 1970-01-01 08:00:00 proc/
        1         8 1970-01-04 10:15:00 priority.dat
        1   4221696 1970-01-01 08:51:00 rgnos.bin    //New main program of the switch fabric module
        1   5885184 1970-01-01 08:05:51 rgos.bak     //Backup of the original main program of the switch fabric module
        1   5885184 1970-01-01 09:42:03 rgos.bin     //Original main program of the switch fabric module
--------------------------------------------------------------
4 Files(Total size 15992072 Bytes), 4 Directories.
Total 31457280 bytes (30MB) in this device, 12918784 bytes (12MB) available.

2) Rename the new main program of the switch fabric module to rgos.bin.

Ruijie#rename flash:rgnos.bin flash:rgos.bin    //The new main program directly replaces the original main program.

3) Check whether the new main program is renamed successfully.

Ruijie#dir

    Mode Link      Size               MTime Name
------------ --------- ------------------- ------------------
<DIR>   1         0 1970-01-01 08:00:00 dev/
<DIR>   1         0 1970-01-01 08:00:03 ram/
<DIR>   2         0 1970-01-01 08:00:35 tmp/
<DIR>   0         0 1970-01-01 08:00:00 proc/
        1         8 1970-01-04 10:15:00 priority.dat
        1   5885184 1970-01-01 08:05:51 rgos.bak
        1   4221696 1970-01-01 08:51:00 rgos.bin     //The new main program is successfully renamed rgos.bin.

9. Press Ctrl+X to exit the switch fabric module and restart the router to complete the upgrade of the switch fabric module.

Notes:

1) The switch fabric module can be managed from the router's screen. It is not recommended that the switch fabric module be independently restarted and upgraded. If some management commands become unavailable after the switch fabric module is independently restarted, the router needs to be restarted.

2) When the system reaches the state "FastEthernet 0/0, changed state to up" after the router restart, wait 4-5 minutes for the switch fabric module to complete the upgrade. Then the system restart is complete. This wait is required only after the upgrade of the switch fabric module, and is not required for a normal restart.

RSR20-14#reload    //Restart the router to complete the upgrade.
Proceed with reload? [no]y

 

II. Upgrade Verification

Check whether the software versions of both the router and the switch fabric module are upgraded successfully.

1) Check whether the router is upgraded successfully.

RSR20-14#show version
System description      : Ruijie Router (RSR20-14) by Ruijie Networks
System start time       : 2013-03-29 7:7:40
System uptime           : 0:0:3:36
System hardware version : 1.00
System software version : RGOS 10.3(5T86),Release(154167)
System BOOT version     : 10.3.154167

2) Enter the switch fabric module and check whether it is upgraded successfully.

Ruijie#show version
System description      : Ruijie Switch Service Module(NM2-24ESW) by Ruijie Network Co., Ltd..
System start time       : 1970-1-1 8:0:0
System hardware version : 2.0
System software version : RGOS 10.2(3T42),Release(153542)
System boot version     : 10.2.21580
System CTRL version     : 10.2.45595
System serial number    : 0000000000000
Device information:
  Device-1
    Hardware version : 2.0
    Software version : RGOS 10.2(3T42),Release(153542)
    BOOT version     : 10.2.21580
    CTRL version     : 10.2.45595
    Serial Number    : 0000000000000
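The verification above compares the Release number reported by each unit against the target version by eye. The following is an added example, not code from the Ruijie cookbook: it parses the key/value layout that show version prints for the router and for the switch fabric module (including the per-device block under "Device information:"), extracts the Release(N) number from each software version string, and reports every unit that is not at the expected release. The same check applies to the MPU and line cards of a distributed router in 1.1.3, where the cookbook asks that all MAIN, CTRL and BOOT versions be the latest; the layer_versions helper lists the BOOT or CTRL version per unit so an old layer left behind is easy to spot. The sample outputs are copied from the format shown above, and the expected release numbers used in the usage are taken from those samples.

```python
"""Parse RGOS `show version` output and confirm every unit runs the target release.

Added example, not part of the Ruijie cookbook. The two sample outputs below
follow the layout the cookbook shows for the router and the switch fabric module.
"""
import re

SAMPLE_ROUTER = """\
System description      : Ruijie Router (RSR20-14) by Ruijie Networks
System start time       : 2013-03-29 7:7:40
System uptime           : 0:0:3:36
System hardware version : 1.00
System software version : RGOS 10.3(5T86),Release(154167)
System BOOT version     : 10.3.154167
"""

SAMPLE_ESW = """\
System description      : Ruijie Switch Service Module(NM2-24ESW) by Ruijie Network Co., Ltd..
System start time       : 1970-1-1 8:0:0
System hardware version : 2.0
System software version : RGOS 10.2(3T42),Release(153542)
System boot version     : 10.2.21580
System CTRL version     : 10.2.45595
System serial number    : 0000000000000
Device information:
  Device-1
    Hardware version : 2.0
    Software version : RGOS 10.2(3T42),Release(153542)
    BOOT version     : 10.2.21580
    CTRL version     : 10.2.45595
    Serial Number    : 0000000000000
"""

_DEVICE_RE = re.compile(r"^(Device-\d+)$")
_RELEASE_RE = re.compile(r"Release\((\d+)\)")


def _norm(key):
    # Key case and spacing differ between units ("BOOT" vs "boot"), so normalise.
    return " ".join(key.lower().split())


def parse_show_version(text):
    """Return {"system": {key: value}, "devices": {"Device-1": {key: value}, ...}}."""
    parsed = {"system": {}, "devices": {}}
    current = parsed["system"]
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _DEVICE_RE.match(line)
        if m:  # start of a per-device block under "Device information:"
            current = parsed["devices"].setdefault(m.group(1), {})
            continue
        if ":" not in line:
            continue
        key, value = line.split(":", 1)
        key = _norm(key)
        if key == "device information":
            continue
        current[key] = value.strip()
    return parsed


def release_number(version_string):
    """Extract N from "Release(N)" in an RGOS version string, or None."""
    m = _RELEASE_RE.search(version_string or "")
    return int(m.group(1)) if m else None


def units_not_at_release(parsed, expected_release):
    """Names of units whose software version is not the expected release."""
    bad = []
    if release_number(parsed["system"].get("system software version")) != expected_release:
        bad.append("system")
    for name, fields in parsed["devices"].items():
        if release_number(fields.get("software version")) != expected_release:
            bad.append(name)
    return bad


def layer_versions(parsed, layer):
    """BOOT or CTRL version per unit (layer is "boot" or "ctrl"); None if not reported."""
    versions = {"system": parsed["system"].get(f"system {layer} version")}
    for name, fields in parsed["devices"].items():
        versions[name] = fields.get(f"{layer} version")
    return versions


if __name__ == "__main__":
    esw = parse_show_version(SAMPLE_ESW)
    print("units not at release 153542:", units_not_at_release(esw, 153542))
    print("boot layer per unit:", layer_versions(esw, "boot"))
```

Paste the captured show version text in place of the samples; an empty list from units_not_at_release means every unit reports the target release, and a mixed set of values from layer_versions shows which unit still carries an older BOOT or CTRL layer.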

 

1.1.3 Distributed Router Upgrade

Instructions for Distributed Router Upgrade

I. RSR distributed routers include the following series:

RSR30-X SPU10 V2

RSR50E-40

RSR77 series (RSR7704/RSR7708/RSR7716)

RSR77-X series (RSR7708-X/RSR7716-X)

Upgrade in CTRL Mode

II. Upgrade at the CTRL Layer

1) Generally, the upgrade is performed at the CTRL layer only when an upgrade fails or the main program is lost. To upgrade at the CTRL layer, you must connect the cable between the router and a PC to the MGMT interface on the main processing unit (MPU) of the router.

2) If "send download request" is displayed during startup and the device cannot enter user mode, the functions of the current software version are lost and you need to upgrade the version at the CTRL layer.

III. Upgrade Steps

1. Prepare the upgrade file on the PC and start the TFTP Server.

1) Put the software upgrade file and the Trivial File Transfer Protocol (TFTP) Server in the same folder (rename the software version file to rgos.bin).

2) Double-click startftp.exe to start the TFTP Server.

2. Restart the router and enter command mode at the CTRL layer.

Restart the router. When "Press Ctrl+C to enter Ctrl ...." is displayed, press Ctrl+C to enter command mode at the CTRL layer. The Ctrl> prompt is displayed.

3. Check card identification.

Before the upgrade, check card identification. If any card fails to be identified, stop the process, since otherwise all cards may fail to be upgraded. If any card is in UNKNOWN status, it indicates that this card fails to be upgraded and you need to restart the device. If the card is still in UNKNOWN status after restart, contact Ruijie technical support engineers for upgrade guidance.

Run the upgrade -slot command to check the upgrade path of the device. The following is an example:

Note: Perform the upgrade only when all cards are identified.

4. Transmit the automatic upgrade package to the router.

Connect the cable between the PC and the router to the MGMT interface on the MPU of the router. Run the TFTP command to transmit the automatic upgrade package.

When the prompt SUCCESS: UPGRADING OK is displayed on the router, the upgrade package has been transmitted to the router.

5. Upgrade line cards.

Run the upgrade -slot all -force command to upgrade the version of the line cards.

The router automatically upgrades all line cards.

6. Reset the system to run the automatic upgrade package.

Note:

1. Do not perform any dangerous operation such as reset or power cutoff while the automatic upgrade package is running, until the upgrade process is finished.

2. After the running process is finished, the system is automatically reset to boot the new system.

IV. Verification

1) Run the show version command to display the device version and check whether the upgrade is successful.

Note:

Run the show version command to display the MAIN, CTRL, and BOOT versions of the MPU and all line cards. If all of these are the latest versions, the upgrade is successful.

2) Run the show version slot command to display the status of each slot card. Confirm that the software status of each line card is running. The following is an example:

If the status is installed or runing-config for a long time after the software upgrade, immediately contact Ruijie for technical support.

 

Upgrade in Main Program Mode (via TFTP)

I. Upgrade Steps

1. Configure an IP address for the router Ethernet interface.

Configure an IP address for the router.

Note:

Ensure that the PC can ping the router. Disable the firewall of the PC before the upgrade.

2. Prepare the upgrade file on the PC and start the TFTP Server.

1) Put the software upgrade file and the TFTP server in the same folder.

2) Double-click startftp.exe to start the TFTP Server.

3. Check card identification.

Before the upgrade, check card identification. If any card fails to be identified, stop the process, since otherwise all cards may fail to be upgraded. If any card is in "no card" status, it indicates that this card fails to be upgraded and you need to restart the device. If the card is still in "no card" status after restart, contact Ruijie technical support engineers for upgrade guidance.

Run the show upgrade command to check the upgrade path of the device. The following is an example:

Perform the upgrade only when all cards are identified. Only the line cards or engines of the version to be released are displayed, while the slot number of the active engine is not displayed. That is, if the RSR77 has two engines, the standby engine instead of the active engine is displayed; if the RSR77 has only one engine, the slot number of the engine is not displayed.

4. Transmit the automatic upgrade package to the router.

Run the copy tftp: flash:/rgos.bin command to transmit the upgrade file to the router.

After transmission, the system automatically verifies the validity of the file. If the standby supervisor module was inserted before the upgrade, the installation package is automatically synchronized to the standby supervisor module. When the prompt SUCCESS: UPGRADING OK is displayed, the automatic upgrade package has been transmitted to the router.

Note:

1) If the prompt Verify the image .......[ok] is displayed, transmission and verification succeeded.

2) If the prompt System is running defragment, please wait....Press Ctrl+C to quit..... is displayed, the router is running defragmentation; please wait.

3) If the prompt Transmission fail or ...... is displayed, transmission failed. Check whether the PC can ping the router, whether the designated directory of the TFTP Server is correct, and whether the file name is correct.

4) If the prompt ERROR: THE BINARY FILE CANNOT BE USED IN CURRENT PRODUCT !!! is displayed, validity verification failed (the automatic upgrade package is not applicable to the current product). Check whether the correct automatic upgrade package is used.

5. Decompress the upgrade package to the line cards (if the current version is 3b21 or a later version, it is recommended but not mandatory to upgrade it to a later version).

Note:

1) The new and old versions of RSR77 series routers have the same upgrade command, upgrade system rgos.bin, and differ only in the user interface (UI). If the current version is 10.4 (3b15) p1 or a later version, the upgrade function is optimized and the upgrade time is reduced, so the UI is different from that of an earlier version.

2) After the upgrade system rgos.bin command is run to upgrade and restart the device, the old version of the BOOT layer may remain, but this does not matter. If the versions of the MAIN layer, CTRL layer, and BOOT layer are required to be consistent, run the following command.

a. The following is an upgrade UI example for 10.4 (3b15) p1 and later versions.

After the automatic upgrade package is downloaded to the device, run the upgrade system rgos.bin command to upgrade the line cards.

Note:

The device is upgraded automatically. The following red box indicates the line cards and the corresponding MAIN layer, CTRL layer, and BOOT layer to be upgraded.

Note:

After the upgrade process is finished, the upgrade result is displayed, specifying the line cards on which an image upgrade was performed in this process, the image type, and the upgrade results. OK indicates a successful upgrade. FAIL indicates a failed upgrade.

b. The following is an upgrade UI example for 10.4 (3b15) p1 and earlier versions.

After the automatic upgrade package is downloaded to the device, run the upgrade system rgos.bin command to upgrade the line cards.

Note:

The device is upgraded automatically. The following red box indicates the line cards and the corresponding MAIN layer, CTRL layer, and BOOT layer to be upgraded.

6. Reset the system to run the automatic upgrade package.

Note:

Do not perform any dangerous operation such as reset or power cutoff while the automatic upgrade package is running, until the upgrade process is finished.

II. Verification

1) Run the show version command to display the device version and check whether the upgrade is successful.

Note:

a) Run the show version command to display the MAIN versions of the MPU and all line cards. If all of these are the latest versions, the upgrade is successful.

b) The MAIN, CTRL, and BOOT versions can be inconsistent. When a manual upgrade is performed, the upgrade system automatically determines whether to upgrade the CTRL/BOOT versions based on the upgrade policy in the installation package. Upgrade versions as required.

2) Run the show version slot command to display the status of each slot card. Confirm that the software status of each slot card is running. The following is an example:

If the status is installed or runing-config for a long time after the software upgrade, immediately contact Ruijie for technical support.

 

Upgrade in Main Program Mode (via FTP)

I. Note to Upgrade via FTP

As the PC where the new version is stored istranslating a private Intranet address to a public address, the device cannotbe upgraded via TFTP. By upgrade via File Transfer Protocol (FTP), enable FTPServer on the PC and transmit the software version to the device via FTP.

II. Upgrade Tips

1.      Enable FTP Server on the device.

2.      Transmit the software version to the device with the PC as an FTP client.

3.      Restart the device to confirm the upgrade result.

III. Upgrade Steps

1.      Log in to the device to be upgraded and enable FTP Server.

Ruijie(config)#ftp-server enable    --->Enables FTP Server.

Ruijie(config)#ftp-server username ruijie --->Configures the FTP Server user name.

Ruijie(config)#ftp-server password ruijie --->Configures the FTP Server password.

Ruijie(config)#ftp-server topdir /   --->Configures the directory where files received by FTP Server are stored. For the upgrade file, the directory must be "/".

2.      Configure FTP parameters for the PC to log in to the device and transmit the new version to the device.

Put the bin file to be uploaded in the root directory of a disk, such as C:\.

Choose Menu > Run, enter CMD, and then press Enter.

Change to drive C (where the bin file is stored) and start FTP.

Log in to the device and configure the transfer parameters.

3.      Transmit the bin file to the device.

The file is transmitted.

Run the bye command to close the connection to FTP Server.

4.      Restart the device to check the upgrade result.

Log in to the device and run the dir command to confirm that the size in bytes of the rgos.bin file matches the size given in the release notes.

For an RSR77/77-X/50E-40 device, upgrade the line cards.

Save the configuration of the device, and restart the device.

Run the Ruijie#write command to save the configuration:

Run the Ruijie#reload command to restart the device:

After the restart, run the show version command to confirm that the device has been upgraded to the target version.

 

1.2     Password Restoration

1.2.1    Password Restoration with RGOS Version 10.X

 

I. Password Restoration Requirements

If an administrator forgets the login password, the administrator can enter the Boot layer by using a configuration cable to restore the password, and the previous configuration needs to be preserved.

 

II. Password Restoration Principle

The device reads the config.text file during startup, and the password is stored in the config.text file. Therefore, enter the BootLoader mode of the device and rename the file. When the device fails to locate the config.text file during startup, it directly enters the system. After the device enters the system, name the configuration file config.text again, set a new password, and save it. Then, you can log in to the device by using the new password next time.

 

III. Password Restoration

1.      Get a configuration cable ready for password restoration. The device needs to be restarted, and password restoration needs to be completed at the Boot layer.

2.      Rename the configuration file rather than deleting it during password restoration. Otherwise, the configuration will be lost.

 

IV. Configuration Steps

1.      Restart the router to enter the CLI mode of the Boot layer.

Notes:

The operations for entering the CLI mode of the Boot layer on RSR routers differ between routers running RGOS later than 10.4 and routers running RGOS earlier than 10.4. You can directly enter the CLI mode on routers with RGOS later than 10.4, whereas you need to enter the menu mode first if the router runs RGOS earlier than 10.4.

1)     Enter the CLI mode of the Boot layer on a router with RGOS later than 10.4.

Restart the router. When the "Press Ctrl+C to enter Boot ..." prompt is displayed, press Ctrl+C to enter the CLI mode of the Boot layer. The BootLoader> prompt is displayed.

2)     Enter the CLI mode of the Boot layer on a router with RGOS earlier than 10.4.

a.      Restart the router. When the "Press Ctrl+C to enter Boot Menu..." prompt is displayed, press Ctrl+C to enter the menu mode of the Boot layer.

b.      In the menu mode of the Boot layer, press Ctrl+Q to enter the CLI mode of the Boot layer. The BootLoader> prompt is displayed.

2.      Rename the configuration file.

BootLoader>rename config.text config.bak

3.      Restart the device.

BootLoader>reload

4.      Restore the configuration file.

5.      Set a new password and save device configuration.

RSR20-14E#configure terminal

RSR20-14E(config)#enable secret ruijie      //Set a new password.

RSR20-14E(config)#end

RSR20-14E#write        //Save device configuration.

After the new password is set, you can use it to log in to the system. Other configuration remains unchanged.

 

1.2.2    Password Restoration on RSR77

 

I. Password Restoration Requirements

If an administrator forgets the login password, the administrator can enter the Ctrl layer by using a configuration cable to restore the password, and the previous configuration needs to be preserved.

 

II. Password Restoration Principle

The device reads the config.text file during startup, and the password is stored in the config.text file. Therefore, enter the Ctrl layer of the device and rename the file. When the device fails to locate the config.text file, it directly enters the system. After the device enters the system, name the configuration file config.text again, set a new password, and save it. Then, you can log in to the device by using the new password next time.

 

III. Password Restoration

1.      Get a configuration cable ready for password restoration. The device needs to be restarted, and password restoration needs to be completed at the Ctrl layer.

2.      Rename the configuration file rather than deleting it during password restoration. Otherwise, the configuration will be lost.

 

IV. Steps

1.      Restart the router to enter the CLI mode of the Ctrl layer.

Restart the router. When the "Press Ctrl+C to enter Ctrl ..." prompt is displayed, press Ctrl+C to enter the CLI mode of the Ctrl layer. The Ctrl> prompt is displayed.

2.      Rename the configuration file.

Ctrl>rename config.text config.bak   // Rename the configuration file to config.bak.

3.      Restart the device.

Ctrl>reload

4.      Restore the configuration file.

Note:

To copy the configuration file on routers with RGOS earlier than 10.4, the command must be copy flash:/config.bak flash:/config.text, and a slash (/) must be added after flash: to indicate the absolute path. The slash (/) does not need to be added on routers with RGOS later than 10.4.

5.      Set a new password and save device configuration.

RSR7708#configure terminal

RSR7708(config)#enable secret ruijie

RSR7708(config)#end

RSR7708#*Mar  8 10:36:56: %SYS-5-CONFIG_I: Configured from console by console

*Mar  8 10:36:56: %PARAM-6-CONFIG_SYNC: Sync'ing the running configuration to the standby supervisor.

*Mar  8 10:36:56: %PARAM-6-CONFIG_SYNC: The running configuration has been successfully synchronized to the standby supervisor.

RSR7708#write

Building configuration...

[OK]

RSR7708#*Mar  8 10:37:01: %PARAM-6-CONFIG_SYNC: Sync'ing the startup configuration to the standby supervisor.

*Mar  8 10:37:01: %PARAM-6-CONFIG_SYNC: The startup configuration has been successfully synchronized to the standby supervisor.

After the new password is set, you can use it to log in to the system. Other configuration remains unchanged.

 

1.2.3    Password Restoration on 4G Router

I. Steps

RSR10-01G series 4G routers recover the password by using the FUNC button on the device. The recovery steps are as follows:

1.      Restart the device, and immediately press and hold the FUNC key for 6-10 s.

2.      Change the IP address of the PC to the same segment as the router, and use the default IP address to log in to the router web interface.

1)     Change the IP address of the PC to one in the 192.168.1.0/24 segment; we suggest using an IP address that is unique on the network, such as 192.168.1.2.

2)     Access http://192.168.1.1 with the Chrome or Firefox browser, using the account and password admin/admin.

3)     The web interface redirects to a recovery page.

The recovery page displays the original IP address of this device, which is usually the LAN gateway of the intranet. This page also provides three options.

 

A.     Recover to the latest configuration: with this option, the configuration of the device is not changed. It is used when the customer remembers the account and password of the device but has forgotten the IP address.

B.     Reset the login password of the web interface only: with this option, users can log in to the device using "admin" as the username and password, while all other configuration stays the same as before (Attention: after using this option, you need to log in to the router using the original IP address instead of 192.168.1.1).

1)     Perform the password reset.

Input the new password and click the reset button to reset the web password.

2)     Access the original IP address

(the IP address is 192.168.100.254 in this example).

Change the IP address of the PC to any address in the 192.168.100.0 segment. Then open http://192.168.100.254 in a web browser and log in with admin (username) and ruijie (new password).

 

C.     Factory reset: this clears all configuration and restores the default login account and IP address of the device.

 

 

1.3     Upgrade Firmware and Import Configuration Using FUNC Key

1.3.1    Upgrade Firmware Using FUNC Key

 

Features

You can upgrade the device software in one-key mode by using the FUNC key. No commands need to be executed for the upgrade.

Notes:

1.      The FUNC key must exist on the device or supervisor module (this key does not exist on devices of earlier versions, and therefore the one-key upgrade is not supported on such devices).

2.      Access and convergence switches support one-key upgrade since version 3b12.

3.      The RSR77 router supports one-key upgrade since version 3b21.

Principle

After the device is normally started and successfully identifies a USB flash drive or SD card, press the FUNC key. The system interrupts the current task and executes the FUNC key processing task. In the FUNC key processing task, the system detects whether an SD card or USB flash drive is inserted into the current device. If not, the system directly resets. If a storage medium is identified, the system scans the storage medium to detect whether an installation package in the specified file name format exists in the root directory. If an installation package in the correct format is detected, the system upgrades the device. After the upgrade ends, the system resets and restarts using the new software version.

Upgrade Steps

1.      Get ready the bin file required for upgrade.

Copy the bin file into the root directory of the USB flash drive and rename it rgos.bin. It is strongly recommended that only one bin file be stored in the USB flash drive.

2.      Insert the USB flash drive into the USB port of the device.

Wait till the USB indicator on the panel turns solid green, indicating that the device has correctly identified the USB flash drive.

3.      Press FUNC to upgrade the device (the device cannot be powered off).

Use a small object to press the FUNC key. After FUNC is pressed, the device automatically starts the upgrade. The USB indicator blinks, and the device automatically resets after the upgrade. After the SYS indicator turns solid green, the upgrade is complete. Log in to the device to check the version.

Verification

Run the show version command to check whether the device is upgraded successfully.

Ruijie#show version

System description      : Ruijie Router (RSR20-14-E) by Ruijie Networks

System start time       : 2015-01-29 11:53:33

System uptime           : 11:2:44:28

System hardware version : 1.00

System software version : RGOS 10.3(3b23), Release(174201)

System BOOT version     : 10.3.150859

System serial number    : 123456789efagd

Ruijie#

For RSR77 routers, run the show version slot command to display the operating status of the cards in the slots and check that the Software Status of each card is running. The following figure shows an example.

If you wait for a long time after the software upgrade but the Status is still installed or running-config, immediately contact Ruijie Networks for technical support.
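The version check above can be scripted when many devices are upgraded. The following Python example is added here and is not part of the cookbook or of RGOS: it parses the show version output shown above (copied as constructed sample text) into fields and compares the running software version and release number with the target values taken from the release notes. The function and variable names are my own.

```python
import re

# Constructed sample: a copy of the "show version" output shown in this section.
SAMPLE_SHOW_VERSION = """\
Ruijie#show version
System description      : Ruijie Router (RSR20-14-E) by Ruijie Networks
System start time       : 2015-01-29 11:53:33
System uptime           : 11:2:44:28
System hardware version : 1.00
System software version : RGOS 10.3(3b23), Release(174201)
System BOOT version     : 10.3.150859
System serial number    : 123456789efagd
Ruijie#
"""

# "key : value" lines; the prompt and the echoed command have no colon after a word run and are skipped.
FIELD_RE = re.compile(r"^(?P<key>[A-Za-z][A-Za-z ]*?)\s*:\s*(?P<value>.*)$")
# "RGOS 10.3(3b23), Release(174201)" -> version "10.3(3b23)", release 174201
VERSION_RE = re.compile(r"RGOS\s+(?P<version>\S+?),\s*Release\((?P<release>\d+)\)")


def parse_show_version(text):
    """Map each 'key : value' line of the output to a dict entry."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line.strip())
        if m:
            fields[m["key"].strip()] = m["value"].strip()
    return fields


def software_version(fields):
    """Return (version string, release number) taken from 'System software version'."""
    m = VERSION_RE.search(fields.get("System software version", ""))
    if not m:
        raise ValueError("unrecognised 'System software version' value")
    return m["version"], int(m["release"])


def upgrade_succeeded(show_version_text, target_version, target_release):
    """True only when both the version string and the release number match the release notes."""
    version, release = software_version(parse_show_version(show_version_text))
    return version == target_version and release == target_release


if __name__ == "__main__":
    print(software_version(parse_show_version(SAMPLE_SHOW_VERSION)))
    print(upgrade_succeeded(SAMPLE_SHOW_VERSION, "10.3(3b23)", 174201))
```

Comparing the release number as well as the version string catches the case where two builds share a version label but differ in release, which a plain string search for "10.3" would miss.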

 

Configuration

1.1     Basic Function Configuration

1.1.1    Initial Configuration

 

Features

There is no startup configuration on Ruijie routers by default. You can log in to the management device by using a console cable. The following initial configuration is recommended to facilitate management and maintenance of devices.

 

Configuration

Host name (recommended):

Ruijie(config)#hostname XWRJ    //Name the device XWRJ.

XWRJ(config)#

 

Interface description (recommended):

XWRJ(config)#interface f0/0

XWRJ(config-if-FastEthernet0/0)#description To_BJ

 

System clock (mandatory):

System time is very important. Fault logs and the CA certificate rely on the timestamp.

Ruijie>enable 

Ruijie#clock set 10:00:00 12 1 2012     //Set the clock in the format hh:mm:ss mm dd yyyy.

Ruijie#configure terminal        //Enter global configuration mode.

Ruijie(config)#clock timezone beijing 8    //Set the device time zone to East Area 8 (Beijing time).

 

Log recording (recommended):

Record logs in the flash memory. History logs are very useful for locating a fault. Note: Debug logs can be recorded only after the log level is set to 7.

XWRJ(config)#logging file flash:log 2000000 7

 

Management IP address (recommended):

In general, loopback 0 is used as the management interface according to customer network planning.

XWRJ(config)#interface loopback 0

XWRJ(config-if-Loopback0)#ip address 1.1.1.1 255.255.255.255

 

Telnet (recommended):

Configure the telnet function on all network devices. If the telnet function is not configured, faults can be handled only on site.

XWRJ(config)#enable secret 0 ruijie     //The enable password must be configured for the telnet function.

XWRJ(config)#line vty 0 4

XWRJ(config-line)#password 0 ruijie

XWRJ(config-line)#login

XWRJ(config-line)#login

 

Password encryption (recommended):

Router(config)# service password-encryption      //This command encrypts all passwords configured on the device.

 

1.1.2    Ruijie Express Forwarding (REF)

 

Features

Ruijie Express Forwarding (REF) is Ruijie-specific fast forwarding technology. All functions of the current router software version are implemented on the REF platform. The IP REF function must be configured on all Layer-3 interfaces. If the REF function is not correctly enabled, device functions may be unavailable or the device may run abnormally.

The following exceptions may arise if the REF function is not correctly enabled on the device:

1.      The CPU utilization of the device is high.

2.      High delay, packet loss, and other exceptions occur on customer services forwarded or processed by the device.

3.      Some functions are unavailable on the device.

4.      The device runs abnormally, and the device breaks down or restarts.

The REF function needs to be configured on the following devices:

RSR10, RSR20, RSR30, NPE50, RSR50, and RSR50E-80 series routers

The REF function does not need to be configured on the following devices:

RSR810, RSR820, RSR10-02E, RSR20-14E/F, RSR30-X, RSR50E-40, RSR77, RSR77-X series routers and new products released later, on which the IP REF function is enabled on all Layer-3 interfaces by default

Enabling the REF

1.      Ensure that the IP REF function is configured on all Layer-3 interfaces of routers during project testing and engineering implementation.

2.      Pay attention to the REF configuration of the Layer-3 interfaces of routers during network inspection. If the REF function is not correctly configured, configure IP REF in a timely manner.

Note: Services may be interrupted momentarily when IP REF is configured. Therefore, configure it during off-peak hours.

3.      The interfaces on which the IP REF function needs to be configured are as follows:

Ethernet interfaces:

     interface FastEthernet

       ip ref

     interface GigabitEthernet

       ip ref

Virtual interfaces:

     interface Dialer

       ip ref

     interface Group-Async

       ip ref

     interface Multilink

       ip ref

     interface Tunnel

       ip ref

     interface Virtual-ppp

       ip ref

     interface Virtual-template

       ip ref

     interface Vlan

       ip ref

WAN interfaces:

     interface Async

       ip ref

     interface ATM

       ip ref

     interface Pos

       ip ref

     interface Serial

       ip ref

     Controller e1

       ip ref

     Controller sonet

       ip ref

Note: The IP REF function cannot be configured on some interfaces of routers with RGOS earlier than 10.4. You do not need to memorize such interfaces; just remember the following configuration principle: in interface configuration mode, run the ip ref command. If ip ref is accepted, the IP REF function is needed on the interface.
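The inspection in step 2 above (find Layer-3 interfaces that still lack ip ref) can be automated over a saved running-config. The Python example below is added here and is not part of the cookbook or of RGOS; it assumes the config uses the block layout shown in this document (an interface line followed by indented sub-commands, blocks separated by "!") and treats an interface as Layer-3 when it carries an ip address command. The sample config and all helper names are constructed for the example.

```python
import re

# Constructed running-config excerpt in the CLI style used throughout this cookbook.
SAMPLE_CONFIG = """\
hostname XWRJ
!
interface FastEthernet 0/0
 description To_BJ
 ip address 192.168.3.1 255.255.255.0
 ip ref
!
interface FastEthernet 0/1
 ip address 192.168.1.254 255.255.255.0
!
interface GigabitEthernet 0/2
 shutdown
!
interface Tunnel 0
 ip address 10.0.0.1 255.255.255.252
 ip ref
!
interface Serial 2/0
 ip address 10.1.1.1 255.255.255.252
!
interface Loopback 0
 ip address 1.1.1.1 255.255.255.255
!
line vty 0 4
 password 0 ruijie
"""

# Interface types this section lists as requiring "ip ref" (lower-cased for comparison).
REF_TYPES = {t.lower() for t in (
    "FastEthernet", "GigabitEthernet", "Dialer", "Group-Async", "Multilink",
    "Tunnel", "Virtual-ppp", "Virtual-template", "Vlan", "Async", "ATM", "Pos", "Serial",
)}

_TYPE_RE = re.compile(r"^[A-Za-z-]+")   # "FastEthernet 0/0" or "FastEthernet0/0" -> "FastEthernet"


def interface_blocks(config):
    """Yield (interface name, [indented sub-commands]) for every 'interface ...' block."""
    name, body = None, []
    for raw in config.splitlines():
        if raw.startswith("interface "):
            if name is not None:
                yield name, body
            name, body = raw[len("interface "):].strip(), []
        elif name is not None and raw.startswith(" "):
            body.append(raw.strip())
        elif name is not None:            # "!" or the next top-level command closes the block
            yield name, body
            name, body = None, []
    if name is not None:
        yield name, body


def missing_ref(config):
    """Names of Layer-3 interfaces of a REF-requiring type that have no 'ip ref' sub-command."""
    found = []
    for name, body in interface_blocks(config):
        m = _TYPE_RE.match(name)
        itype = m.group(0).lower() if m else ""
        is_layer3 = any(cmd.startswith("ip address ") for cmd in body)
        if itype in REF_TYPES and is_layer3 and "ip ref" not in body:
            found.append(name)
    return found


def remediation(config):
    """Interface-mode commands that close each finding (apply during off-peak hours, as the note says)."""
    lines = []
    for name in missing_ref(config):
        lines += [f"interface {name}", " ip ref"]
    return lines


if __name__ == "__main__":
    print("\n".join(remediation(SAMPLE_CONFIG)))
```

Loopback interfaces are deliberately not in the list, matching the interface table above; a shut-down Ethernet port without an IP address is skipped as well, since it is not a Layer-3 interface until it is addressed.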

 

1.1.3    DHCP

1.1.3.1    DHCP Basic Configuration

 

Features

The Dynamic Host Configuration Protocol (DHCP) operates in client/server mode. The DHCP server dynamically allocates IP addresses, gateway addresses, DNS server addresses, and other parameters to clients.

DHCP supports two mechanisms for IP address allocation:

l  Dynamic allocation: The DHCP server allocates an IP address to a client for a limited period of time (or until the client explicitly relinquishes the IP address).

l  Manual allocation: Network administrators specify IP addresses for clients. Administrators can allocate specified IP addresses to clients by using DHCP.

 

Scenarios

DHCP needs to be enabled on routers to meet the enterprise requirement that a host connecting to the network can automatically obtain an IP address without extra configuration.

 

I.Networking Requirements

Requirement 1: common DHCP configuration

Requirement 2: Static IP addresses need to beallocated to specific PCs.

 

II. Networking Topology

III. Configuration Tips

1.      Enable the DHCP service.

2.      Configure the DHCP address pool.

3.      (Optional) Configure IP addresses that cannot be allocated to PCs.

4.      (Optional) Specify static IP addresses that need to be allocated tospecific PCs.

5.      Verify and save the configuration.

 

IV. Configuration Steps

Requirement 1: common DHCP configuration

1.      Enable the DHCP service.

Ruijie>enable 

Ruijie#configureterminal

Ruijie(config)#service dhcp     //Enable the DHCP service (the DHCP service is disabled on RSR series routers by default, and this command must be executed to enable it).

2.      Configure the DHCP address pool.

Ruijie(config)#ip dhcp pool ruijie  //Create a DHCP address pool named ruijie.

Ruijie(dhcp-config)#lease 1 2 3 //1, 2, and 3 indicate days, hours, and minutes respectively (addresses are released after 24 hours by default).

Ruijie(dhcp-config)#network 192.168.1.0 255.255.255.0 //The range of addresses that can be allocated is 192.168.1.1 to 192.168.1.254.

Ruijie(dhcp-config)#dns-server 8.8.8.8 6.6.6.6 //8.8.8.8 is the IP address of the primary DNS server and 6.6.6.6 is the IP address of the secondary DNS server.

Ruijie(dhcp-config)#default-router 192.168.1.1 //Gateway address. Only the IP address is required; the subnet mask is not needed.

Ruijie(dhcp-config)#exit

3.      (Optional) Configure IP addresses that cannot be allocated to PCs.

Ruijie(config)#ip dhcp excluded-address 192.168.1.1 192.168.1.10   //192.168.1.1 to 192.168.1.10 are not allocated by the DHCP server.

4.      Verify and save the configuration.

Ruijie(config)#end

Ruijie#write     //Verify and save the configuration.

 

Verification

1)     Set the network adapter of a PC to automatically obtain an IP address and then check whether the network adapter successfully obtains an IP address.

Right-click the network adapter of the PC, choose Status from the shortcut menu, and then click Details. The IP address obtained by the network adapter and other parameter values are displayed.

2)     Display information about the IP address dynamically allocated on the router.

Requirement 2: Static IP addresses need to be allocated to specific PCs.

DHCP manual allocation. Assume that the PC with the MAC address f0de.f17f.cb4c is required to automatically obtain the IP address 192.168.1.88.

Therefore, the DHCP server needs to allocate static IP addresses to clients with specific MAC addresses. There are two methods of allocating IP addresses based on the client MAC address identifier in the clients' DHCP requests:

1)     Run the client-identifier 01+mac-address command (01 indicates that the network type is Ethernet).

2)     Run the hardware-address mac-address command.

Notes:

It is recommended that the client-identifier command be used to allocate static IP addresses to clients with specific MAC addresses. If IP addresses fail to be manually allocated using the client-identifier command, run the hardware-address command.

1.      Enable the DHCP service.

Ruijie>enable 

Ruijie#configureterminal

Ruijie(config)#service dhcp      //Enable the DHCP service (the DHCP service is disabled on RSR series routers by default, and this command must be executed to enable it).

2.      Specify static IP addresses that need to be allocated to specific PCs.

Ruijie(config)#ip dhcp pool zhangsan //Set the name of the static IP address pool to zhangsan.

Ruijie(dhcp-config)#client-identifier 01f0.def1.7fcb.4c   //Configure the client identifier, 01 followed by the client MAC address (this mode is recommended).

(Optional) Ruijie(dhcp-config)#hardware-address f0de.f17f.cb4c  //Configure the client MAC address (attempt this command if an IP address fails to be manually allocated using the client-identifier command).

Ruijie(dhcp-config)#host 192.168.1.88 255.255.255.0   //Configure the static IP address to be allocated and its subnet mask.

Ruijie(dhcp-config)#dns-server 8.8.8.8 6.6.6.6 //8.8.8.8 is the IP address of the primary DNS server and 6.6.6.6 is the IP address of the secondary DNS server.

Ruijie(dhcp-config)#default-router 192.168.1.1 //Configure the user gateway.

3.      Verify and save the configuration.

Ruijie(config)#end

Ruijie#write     //Verify and save the configuration.

Verification

1)     Set the network adapter of a PC to automatically obtain an IP address and then check whether the network adapter successfully obtains an IP address.

Right-click the network adapter of the PC, choose Status from the shortcut menu, and then click Details. The IP address obtained by the network adapter and other parameter values are displayed.

2)     Display information about the allocated IP address on the router.
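Both requirements above (a dynamic pool and a manual binding) come down to rendering the same pool commands from a few parameters, and the client-identifier value is the part most often mistyped. The following Python example is added here and is not part of the cookbook or of RGOS: it builds the 01+MAC client identifier in the dotted form the document shows (generalised to MAC addresses written with dots, colons or hyphens), converts a lease <days> <hours> <minutes> triple to seconds, and generates the pool commands for both requirements while rejecting a gateway or excluded range that lies outside the pool's subnet. Function names are my own.

```python
import ipaddress
import re


def normalize_mac(mac):
    """Accept f0de.f17f.cb4c, f0:de:f1:7f:cb:4c or F0-DE-F1-7F-CB-4C; return 12 lower-case hex digits."""
    digits = re.sub(r"[.:\-]", "", mac).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def dotted_hex(digits):
    """Regroup a hex string into 4-digit words separated by dots (the last word may be shorter)."""
    return ".".join(digits[i:i + 4] for i in range(0, len(digits), 4))


def client_identifier(mac, hardware_type="01"):
    """Client identifier = hardware type byte (01 = Ethernet) followed by the MAC, re-dotted."""
    return dotted_hex(hardware_type + normalize_mac(mac))


def lease_seconds(days, hours, minutes):
    """Total lease time expressed by 'lease <days> <hours> <minutes>'."""
    return days * 86400 + hours * 3600 + minutes * 60


def dynamic_pool(name, network, mask, gateway, dns=(), lease=(1, 0, 0), excluded=()):
    """Commands for a dynamic pool plus the global excluded-address ranges, with subnet sanity checks."""
    subnet = ipaddress.IPv4Network(f"{network}/{mask}", strict=True)   # rejects host bits in the network
    if ipaddress.IPv4Address(gateway) not in subnet:
        raise ValueError(f"gateway {gateway} is not inside {subnet}")
    for lo, hi in excluded:
        if ipaddress.IPv4Address(lo) not in subnet or ipaddress.IPv4Address(hi) not in subnet:
            raise ValueError(f"excluded range {lo}-{hi} is not inside {subnet}")
    days, hours, minutes = lease
    cmds = [f"ip dhcp pool {name}",
            f" lease {days} {hours} {minutes}",
            f" network {subnet.network_address} {subnet.netmask}",
            f" default-router {gateway}"]
    if dns:
        cmds.append(" dns-server " + " ".join(dns))
    cmds.append(" exit")
    cmds += [f"ip dhcp excluded-address {lo} {hi}" for lo, hi in excluded]
    return cmds


def static_binding(name, mac, ip, mask, gateway, dns=()):
    """Commands for a manual-allocation pool using the client-identifier form the text recommends."""
    subnet = ipaddress.IPv4Network(f"{ip}/{mask}", strict=False)
    if ipaddress.IPv4Address(gateway) not in subnet:
        raise ValueError(f"gateway {gateway} is not inside {subnet}")
    cmds = [f"ip dhcp pool {name}",
            f" client-identifier {client_identifier(mac)}",
            f" host {ip} {mask}",
            f" default-router {gateway}"]
    if dns:
        cmds.append(" dns-server " + " ".join(dns))
    return cmds


if __name__ == "__main__":
    print("\n".join(dynamic_pool("ruijie", "192.168.1.0", "255.255.255.0", "192.168.1.1",
                                 ("8.8.8.8", "6.6.6.6"), (1, 2, 3), (("192.168.1.1", "192.168.1.10"),))))
    print("\n".join(static_binding("zhangsan", "f0de.f17f.cb4c", "192.168.1.88",
                                   "255.255.255.0", "192.168.1.1", ("8.8.8.8", "6.6.6.6"))))
```

The subnet checks exist because a gateway outside the pool's network, or an excluded range that does not overlap it, is accepted silently by many CLIs and only shows up later as clients that get an address but no connectivity.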

 

 

1.1.3.2    DHCP Relay

 

Features

The Dynamic Host Configuration Protocol (DHCP) relay is also called the DHCP relay agent. If a DHCP client is in the same IP network segment as the DHCP server, the DHCP client can correctly obtain a dynamically allocated IP address. If a DHCP client is not in the same IP network segment as the DHCP server, a DHCP relay agent is required. The DHCP relay agent removes the limitation that a DHCP server must exist in each IP network segment. It forwards DHCP messages to a DHCP server in a different IP network segment and forwards messages from the server back to a DHCP client that is not in the same IP network segment as the DHCP server.

 

Scenarios

An enterprise needs to deploy a DHCP server, but intranet users are not in the same network segment as the DHCP server. The DHCP relay function needs to be enabled on the gateway router of the users.

 

I.Networking Requirements

1)     The DHCP server is an intranet server with the IP address 192.168.2.100.

2)     Intranet user hosts are connected to a router, which is in a different IP network segment from the DHCP server. The user hosts can automatically obtain IP addresses only by using DHCP relay.

 

II. Networking Topology

 

III. Configuration Tips

1.      Enable the DHCP service.

2.      Enable DHCP relay.

3.      Verify and save the configuration.

 

IV. Configuration Steps

Notes:

1)      The DHCP server can be a Windows- or Linux-based host with the DHCP service enabled, or a router or switch configured with the DHCP service.

2)      If an RSR router functions as the DHCP server, see section "DHCP" for the configuration (choose Typical Configuration > Basic Function Configuration > DHCP > DHCP).

3)      Ensure that the DHCP server functions properly. Test method: Connect a PC to a switch that is in the same network segment as the DHCP server and set the server IP address to be in the same IP address segment as the DHCP client. Then, check whether the PC automatically obtains an IP address.

1.      Enable the DHCP service.

Ruijie>enable 

Ruijie#configureterminal

Ruijie(config)#service dhcp      //Enable the DHCP service (the DHCP service is disabled on RSR series routers by default, and this command must be executed to enable it).

2.      Enable DHCP relay.

Ruijie(config)#ip helper-address 192.168.2.100 //Set the DHCP relay target, the DHCP server address, to 192.168.2.100.

3.      Verify and save the configuration.

Ruijie(config)#end

Ruijie#write     //Check that the configuration is correct and save the configuration.

 

V. Verification

1)     Set the network adapter of a PC to automatically obtain an IP address and then check whether the network adapter successfully obtains an IP address.

Right-click the network adapter of the PC, choose Status from the shortcut menu, and then click Details. The IP address obtained by the network adapter and other parameter values are displayed.

 

2)     Display information about the IP address dynamically allocated on the router.

1.1.4    Syslog

Features:

During operation, the device may encounter status changes (for example, the link status may switch between UP and DOWN) and events (such as abnormal packets and handling exceptions). Ruijie product logs provide a mechanism whereby, in case of status changes or events, messages in a fixed format are automatically generated and displayed in related windows (such as the console and Virtual Teletype Terminal (VTY)), saved in related media (such as the memory buffer and flash), or transmitted to a set of log servers on the network for network diagnosis and troubleshooting by the administrator. To help the administrator read and manage logs and packets, the logs and packets can be marked with timestamps and numbers and classified by priority.

I.Networking Requirements

When an exception occurs in the device, theadministrator can check the cause via logs, and analyze and locate faults.

 

II. Configuration Tips

1.      Enable/disable logs.

2.      Enable log display on the VTY window.

3.      Configure the buffer memory space for logs.

4.      Save logs in the flash.

5.      Send logs to the Syslog Server on the network.

6.      Enable the log timestamp.

7.      Run the CLI command to save logs.

 

III. Configuration Steps

1.      Enable/disable logs.

Logs are enabled by default. If logs are disabled, the device will not print logs on the user window, send them to the Syslog Server, or save them in related media (such as the buffer memory or flash).

Ruijie(config)#logging on      //Enables logs.

Ruijie(config)#no logging on    //Disables logs. Generally this is not recommended.

2.      Enable log display on the VTY window.

Note:

When you log in to the device through Telnet or SSH, logs are not displayed by default. To display them, run the terminal monitor command.

Ruijie#terminal monitor //Enables log display on the VTY window.

Ruijie#terminal no monitor      //Disables log display on the VTY window.

3.      Configure the buffer memory space for logs.

Ruijie(config)#logging buffered 1000000  7       //1000000 indicates that the buffer memory space for logs is 1,000,000 bytes (when logs exceed the threshold, old logs are overwritten). 7 indicates that all logs (including debugging data) are saved.

 

4.      Save logs in the flash.

   

Ruijie(config)#logging file flash:log 6000000  7     //6000000 indicates that the size of each log file is 6,000,000 bytes (when logs exceed the threshold, old logs are overwritten). 7 indicates that all logs (including debugging data) are saved. 16 log.txt files are generated by default. Each file has a size of 6 MB, and all files occupy 6*16=72 MB in the flash. Assign the value sensibly based on the total size of the flash.

 

Note:

When an exception occurs in the device, you need to collect logs, and it is recommended to save them in the flash (logs are saved only in the memory by default and may be lost in case of power failure or device restart).

5.      Send logs to the Syslog Server on the network.

Ruijie(config)#logging server 192.168.1.2            //192.168.1.2 indicates the address of the Syslog Server.

Ruijie(config)#logging trap 7            //(Optional) Configures the level of logs to be sent to the Syslog Server. 7 indicates that all logs (including debugging data) are sent.

Ruijie(config)#logging source interface loopback 0       //(Optional) Configures the source IP address from which the device sends the syslog packets.

 

Note:

When an exception occurs in the device, you need to collect logs, and it is recommended to send them to the Syslog Server on the network (logs are saved only in the memory by default and may be lost in case of power failure or device restart).

6.      Enable the log timestamp.

Ruijie(config)#service timestamps debug datetime msec //Enables the timestamp for debugging data.

Ruijie(config)#service timestamps log datetime msec  //Enables the timestamp for common logs.

7.      Run the CLI command to save logs.

Ruijie(config)#logging userinfo command-log
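Logs sent to a Syslog Server are only useful if something reads them. The Python example below is added here and is not part of the cookbook or of RGOS: it parses lines in the RGOS message format seen earlier in this document (*Mon day hh:mm:ss: %FACILITY-SEVERITY-MNEMONIC: text, allowing the console prompt prefix and the msec timestamp that service timestamps ... msec adds), reproduces the logging trap severity filter, and pulls out configuration-change and interface-flap events. The sample lines are constructed; the LINK-3-UPDOWN messages are assumed for the sake of the example and are not taken from the document.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample. The SYS/PARAM lines copy the format shown in the password restoration
# section; the LINK-3-UPDOWN lines, the msec timestamps and the "RSR7708#" prefix are assumed.
SAMPLE_LOG = """\
*Mar  8 10:36:56: %SYS-5-CONFIG_I: Configured from console by console
*Mar  8 10:36:56: %PARAM-6-CONFIG_SYNC: Sync'ing the running configuration to the standby supervisor.
RSR7708#*Mar  8 10:37:01: %PARAM-6-CONFIG_SYNC: Sync'ing the startup configuration to the standby supervisor.
*Mar  8 10:40:12.301: %LINK-3-UPDOWN: Interface FastEthernet 0/0, changed state to down
*Mar  8 10:40:15.004: %LINK-3-UPDOWN: Interface FastEthernet 0/0, changed state to up
this line is not a log message and must be skipped
""".splitlines()

LOG_RE = re.compile(
    r"^(?:\S+#)?\*?(?P<month>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+"
    r"(?P<time>\d{2}:\d{2}:\d{2}(?:\.\d{1,3})?):\s+"
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*(?P<text>.*)$"
)


@dataclass(frozen=True)
class LogEvent:
    month: str
    day: int
    time: str
    facility: str
    severity: int      # 0 = emergencies ... 7 = debugging, the same scale as "logging trap 7"
    mnemonic: str
    text: str


def parse_line(line):
    """Return a LogEvent, or None for lines that are not RGOS log messages."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return LogEvent(m["month"], int(m["day"]), m["time"], m["facility"],
                    int(m["severity"]), m["mnemonic"], m["text"])


def parse_log(lines):
    return [e for e in map(parse_line, lines) if e is not None]


def at_or_above(events, trap_level):
    """What a server configured with 'logging trap <level>' receives: severity numbers <= level."""
    return [e for e in events if e.severity <= trap_level]


def config_changes(events):
    """Configuration-change records (SYS-5-CONFIG_I): the first thing to review after an unexplained change."""
    return [e for e in events if e.facility == "SYS" and e.mnemonic == "CONFIG_I"]


def flaps(events, threshold=2):
    """Interfaces whose UPDOWN messages reach the threshold, an early sign of a failing link."""
    counts = Counter(e.text.split(",")[0] for e in events if e.mnemonic == "UPDOWN")
    return {iface: n for iface, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print(len(events), "events;", len(at_or_above(events, 3)), "at trap level 3")
    print(config_changes(events))
    print(flaps(events))
```

Lines that do not match are dropped rather than raising, so the parser keeps going over a real log file that contains console echo or truncated lines.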

 

1.2     IP routing

1.2.1    Static Route

1.2.1.1    Basic Configuration of Static Route

 

Features

Static routes are manually configured routes. With static routes, data packets can be transmitted to a specified target network along preset paths. When no dynamic routing protocol is available for learning routes to some target networks, configuring static routes is essential.

 

Scenarios

The network scale of an enterprise is small, with fewer than five routers, and mutual communication and data sharing are required throughout the network. Static routes can be configured on all routers in the network to meet this requirement.

 

I.Networking Requirements

Configure static routes to implement networkconnectivity.

 

II. Networking Topology

 

 

III. Configuration Tips

1.      Configure IP addresses for interfaces of Router R1.

2.      Configure IP addresses for interfaces of Router R2.

3.      Configure a static route for Router R1.

4.      Configure a static route for Router R2.

5.      Save the configuration.

 

IV. Configuration Steps

1.       Configure IP addresses for interfaces of Router R1.

  Ruijie>enable    //Enter privileged EXEC mode.

  Ruijie#configure terminal     //Enter global configuration mode.

  Ruijie(config)#interface fastethernet 0/1

  Ruijie(config-if-FastEthernet 0/1)#ip address 192.168.1.254 255.255.255.0

  Ruijie(config-if-FastEthernet 0/1)#interface fastethernet 0/0

  Ruijie(config-if-FastEthernet 0/0)#ip address 192.168.3.1 255.255.255.0

  Ruijie(config-if-FastEthernet 0/0)#exit

2.       Configure IP addresses for interfaces of Router R2.

  Ruijie>enable

  Ruijie#configure terminal

  Ruijie(config)#interface fastethernet 0/1

  Ruijie(config-if-FastEthernet 0/1)#ip address 192.168.2.254 255.255.255.0

  Ruijie(config-if-FastEthernet 0/1)#interface fastethernet 0/0

  Ruijie(config-if-FastEthernet 0/0)#ip address 192.168.3.2 255.255.255.0

  Ruijie(config-if-FastEthernet 0/0)#exit

3.      Configure a static route for Router R1.

Notes:

1)     The next hop of a static route can be configured in two forms: a next-hop IP address or a local outbound interface. If the next hop is configured as a local outbound interface, the static route is treated as a directly connected route. On an Ethernet link, the router then has to resolve ARP information for every destination address. If a default route is configured for a network egress with its next hop set to the local outbound interface, a large number of ARP requests must be resolved and they occupy a large part of the ARP table; if the ARP proxy function is disabled at the peer end, the network may fail. If the next hop is configured as a next-hop IP address, the static route is treated as a common recursive route.

2)     When configuring static routes on an Ethernet link, configure the next hop in the form of outbound interface + next-hop IP address. If a default route is configured for a network egress, do not configure its next hop as the local outbound interface.

3)     It is recommended that the next hop of static routes be configured as the local outbound interface for PPP and HDLC WAN links.

Ruijie(config)#ip route 192.168.2.0 255.255.255.0 192.168.3.2   //Configure a static route that forwards data packets destined for 192.168.2.0/24 to the device with the IP address 192.168.3.2.

4.      Configure a static route for Router R2.

Ruijie(config)#ip route 192.168.1.0 255.255.255.0 192.168.3.1   //Configure a static route that forwards data packets destined for 192.168.1.0/24 to the device with the IP address 192.168.3.1.

5.      Save the configuration.

Ruijie(config)#end  //Return to privileged EXEC mode.

Ruijie#write      //Verify and save the configuration.

 

V. Verification

1.      Ping the intranet address of the peer end from an intranet PC. If the ping succeeds, the static route is configured correctly.

To ping the intranet address of the peer end, do as follows: Choose Start > Run. In the Run dialog box, enter cmd. In the window that is displayed, enter ping X.X.X.X (X.X.X.X indicates the intranet IP address of the peer end).

2.      Run the Ruijie#show ip route command to display information about routes.

Example of the static route configured for Router R1:

Ruijie#show ip route

Codes:  C - connected, S - static, R - RIP, B - BGP

        O - OSPF, IA - OSPF inter area

        N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

        E1 - OSPF external type 1, E2 - OSPF external type 2

        i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2

        ia - IS-IS inter area, * - candidate default

Gateway of last resort is no set

S    192.168.2.0/24 [1/0] via 192.168.3.2

C    192.168.3.0/24 is directly connected, FastEthernet 0/0

C    192.168.3.1/32 is local host.

C    192.168.1.0/24 is directly connected, FastEthernet 0/1

C    192.168.1.254/32 is local host.

 

1.2.1.2    Floating Static Route

Features

When multiple routes with the same prefix exist on a network, the route with the smaller administrative distance (AD) value (route reliability; a smaller value indicates a higher route priority) is selected as the active route and the route with the larger AD value is used as the standby route. When the next hop of the active route becomes unreachable, the active route disappears and the standby route takes effect and becomes active. When multiple paths to a destination network are reachable, you can configure multiple static routes and set their AD values to implement active/standby link backup. This function is called floating static routing.

 

Scenarios

An enterprise has two egress links, one functioning as active and the other as standby. Normally, users of the enterprise access the network through the active link. When the active link fails, the router automatically switches traffic to the standby link, ensuring normal operation of the network. In this case, the floating static routing function can be enabled on the router.

 

I. Networking Requirements

1.      The router has two paths reachable to the destination network.

2.      When the active link (F0/0 in the example) fails (the interface is down or the link is disconnected), the standby link becomes active.

 

II. Networking Topology

 

III. Configuration Tips

1.      Configure interface IP addresses for Router R1.

2.      Configure interface IP addresses for Router R2.

3.      Configure a static route for Router R1.

4.      Configure a static route for Router R2.

 

IV. Configuration Steps

1.      Configure interface IP addresses for Router R1.

     Ruijie>enable                

     Ruijie#configure terminal

     Ruijie(config)#interface fastethernet 0/2

     Ruijie(config-if-FastEthernet 0/2)#ip address 192.168.4.1 255.255.255.0

     Ruijie(config-if-FastEthernet 0/2)#interface fastethernet 0/1

     Ruijie(config-if-FastEthernet 0/1)#ip address 192.168.1.254 255.255.255.0

     Ruijie(config-if-FastEthernet 0/1)#interface fastethernet 0/0

     Ruijie(config-if-FastEthernet 0/0)#ip address 192.168.3.1 255.255.255.0

     Ruijie(config-if-FastEthernet 0/0)#exit

2.      Configure interface IP addresses for Router R2.

     Ruijie>enable                

     Ruijie#configure terminal

     Ruijie(config)#interface fastethernet 0/2

     Ruijie(config-if-FastEthernet 0/2)#ip address 192.168.4.2 255.255.255.0

     Ruijie(config-if-FastEthernet 0/2)#interface fastethernet 0/1

     Ruijie(config-if-FastEthernet 0/1)#ip address 192.168.2.254 255.255.255.0

     Ruijie(config-if-FastEthernet 0/1)#interface fastethernet 0/0

     Ruijie(config-if-FastEthernet 0/0)#ip address 192.168.3.2 255.255.255.0

     Ruijie(config-if-FastEthernet 0/0)#exit

3.      Configure a static route for Router R1.

Notes:

1)     The next hop of a static route can be configured in two forms: a next-hop IP address or a local outbound interface. If the next hop is configured as a local outbound interface, the static route is treated as a directly connected route. On an Ethernet link, the router then has to resolve ARP information for every destination address. If a default route is configured for a network egress with its next hop set to the local outbound interface, a large number of ARP requests must be resolved and they occupy a large part of the ARP table; if the ARP proxy function is disabled at the peer end, the network may fail. If the next hop is configured as a next-hop IP address, the static route is treated as a common recursive route.

2)     It is recommended that the next hop of a static route on an Ethernet link be configured as a next-hop IP address. If a default route is configured for a network egress, do not configure its next hop as the local outbound interface.

3)     On PPP and HDLC WAN links, the next hop of a static route can be configured as either the local outbound interface or a next-hop IP address, because these are point-to-point links and no Layer-2 address resolution is involved.

4)     If the next hop of a static route is configured as the local outbound interface, the route is treated as a directly connected route and its default AD is 0. If the next hop is configured as a next-hop IP address, the route is treated as a common recursive route and its default AD is 1.

Ruijie(config)#ip route 192.168.2.0 255.255.255.0 192.168.3.2      //Configure a static route that forwards data packets destined for 192.168.2.0/24 to the device with the IP address 192.168.3.2.

Ruijie(config)#ip route 192.168.2.0 255.255.255.0 192.168.4.2 10   //Configure a static route that forwards data packets destined for 192.168.2.0/24 to the device with the IP address 192.168.4.2 and set its AD to 10 (the default AD is 1, and a smaller AD indicates a higher route priority).

4.      Configure a static route for Router R2.

Ruijie(config)#ip route 192.168.1.0 255.255.255.0 192.168.3.1   //Configure a static route that forwards data packets destined for 192.168.1.0/24 to the device with the IP address 192.168.3.1.

Ruijie(config)#ip route 192.168.1.0 255.255.255.0 192.168.4.1 10   //Configure a static route that forwards data packets destined for 192.168.1.0/24 to the device with the IP address 192.168.4.1 and set its AD to 10 (the default AD is 1, and a smaller AD indicates a higher route priority).

 

V. Verification

 

1.      Remove the cable of the active link (F0/0) connected to Router R1 and run the Ruijie#show ip route command to display the route and check whether it has switched to the standby link (see the second output below).

2.      When the active link (F0/0 in the example) is normal, run the Ruijie#show ip route command to display the route (see the first output below).

Example of the static route configured for Router R1 while the active link is normal:

Ruijie#show ip route

Codes:  C - connected, S - static, R - RIP, B - BGP

        O - OSPF, IA - OSPF inter area

        N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

        E1 - OSPF external type 1, E2 - OSPF external type 2

        i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2

        ia - IS-IS inter area, * - candidate default

Gateway of last resort is no set

S    192.168.2.0/24 [1/0] via 192.168.3.2       //Data packets destined for 192.168.2.0 are transmitted along the active link F0/0 and the next hop is 192.168.3.2.

C    192.168.1.0/24 is directly connected, FastEthernet 0/1

C    192.168.1.254/32 is local host.

C    192.168.3.0/24 is directly connected, FastEthernet 0/0

C    192.168.3.1/32 is local host.

C    192.168.4.0/24 is directly connected, FastEthernet 0/2

C    192.168.4.1/32 is local host.

Example of the static route configured for Router R1 after the active link (F0/0) fails:

Ruijie#show ip route

Codes:  C - connected, S - static, R - RIP, B - BGP

        O - OSPF, IA - OSPF inter area

        N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

        E1 - OSPF external type 1, E2 - OSPF external type 2

        i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2

        ia - IS-IS inter area, * - candidate default

Gateway of last resort is no set

S    192.168.2.0/24 [10/0] via 192.168.4.2       //Data packets destined for 192.168.2.0 are transmitted along the standby link F0/2 and the next hop is 192.168.4.2. The active/standby links have been switched successfully.

C    192.168.1.0/24 is directly connected, FastEthernet 0/1

C    192.168.1.254/32 is local host.

C    192.168.4.0/24 is directly connected, FastEthernet 0/2

C    192.168.4.2/32 is local host.
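The active/standby selection shown in the two outputs above, modelled as an added Python example (not RGOS code and not from the cookbook): a small routing table that applies longest-prefix match, then administrative distance, and treats a recursive static route as usable only while its next hop lies in a connected network whose interface is up. Interface names, prefixes, next hops and AD values are those of Router R1 in this section; the class and function names are the example's own.

```python
"""Floating static route selection for Router R1, modelled in Python.

Added example (not RGOS code). Two static routes to 192.168.2.0/24:
via 192.168.3.2 with the default AD of 1 (active, over F0/0) and via
192.168.4.2 with AD 10 (standby, over F0/2), as configured in step 3 above.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    ad: int                                             # administrative distance
    metric: int = 0
    next_hop: Optional[ipaddress.IPv4Address] = None    # None for connected routes
    interface: Optional[str] = None                     # set for connected routes


class Rib:
    """Routing table holding connected routes and recursive static routes."""

    def __init__(self) -> None:
        self.routes: list[Route] = []
        self.down: set[str] = set()   # interfaces that are currently down

    def add_connected(self, prefix: str, interface: str) -> None:
        # A directly connected network has AD 0 and no next hop.
        self.routes.append(Route(ipaddress.ip_network(prefix), 0, 0, None, interface))

    def add_static(self, prefix: str, next_hop: str, ad: int = 1) -> None:
        # "ip route <prefix> <mask> <next-hop> [ad]": the default AD is 1.
        self.routes.append(Route(ipaddress.ip_network(prefix), ad, 0,
                                 ipaddress.ip_address(next_hop), None))

    def set_interface(self, interface: str, up: bool) -> None:
        if up:
            self.down.discard(interface)
        else:
            self.down.add(interface)

    def _usable(self, route: Route) -> bool:
        """A connected route needs its interface up; a recursive static route
        needs its next hop to fall inside a usable connected network."""
        if route.next_hop is None:
            return route.interface not in self.down
        return any(c.next_hop is None and c.interface not in self.down
                   and route.next_hop in c.prefix for c in self.routes)

    def lookup(self, destination: str) -> Optional[Route]:
        """Longest prefix match first, then the lowest AD, then the lowest metric."""
        dst = ipaddress.ip_address(destination)
        candidates = [r for r in self.routes if dst in r.prefix and self._usable(r)]
        if not candidates:
            return None
        return min(candidates, key=lambda r: (-r.prefix.prefixlen, r.ad, r.metric))

    def show_ip_route(self) -> list[str]:
        """One active route per prefix, in the style of the show ip route output above."""
        lines = []
        for prefix in sorted({r.prefix for r in self.routes}):
            usable = [r for r in self.routes if r.prefix == prefix and self._usable(r)]
            if not usable:
                continue   # the route disappears from the table, as the text describes
            best = min(usable, key=lambda r: (r.ad, r.metric))
            if best.next_hop is None:
                lines.append(f"C    {prefix} is directly connected, {best.interface}")
            else:
                lines.append(f"S    {prefix} [{best.ad}/{best.metric}] via {best.next_hop}")
        return lines


def router_r1() -> Rib:
    """Router R1 of the floating static route scenario."""
    rib = Rib()
    rib.add_connected("192.168.1.0/24", "FastEthernet 0/1")
    rib.add_connected("192.168.3.0/24", "FastEthernet 0/0")   # active link
    rib.add_connected("192.168.4.0/24", "FastEthernet 0/2")   # standby link
    rib.add_static("192.168.2.0/24", "192.168.3.2")           # default AD 1
    rib.add_static("192.168.2.0/24", "192.168.4.2", ad=10)    # floating route, AD 10
    return rib


if __name__ == "__main__":
    r1 = router_r1()
    print("\n".join(r1.show_ip_route()))
    r1.set_interface("FastEthernet 0/0", up=False)   # pull the cable on F0/0
    print("--- after F0/0 goes down ---")
    print("\n".join(r1.show_ip_route()))
```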

 

1.2.1.3    VRF Static Route

 

Features

When multiple interfaces on a router belong to the same Virtual Routing & Forwarding (VRF) table and data needs to be forwarded by these interfaces, VRF static routing needs to be configured for data forwarding.

 

I. Networking Requirements

As shown in the following figure, Interfaces F0/0 and F0/2 of Router R1 belong to the VRF table named abc, Router R2 is a common global router, and network-wide interworking needs to be implemented.

 

II. Networking Topology

 

III. Configuration Tips

1. Configure a VRF table named abc on Router R1.

2. Configure basic IP addresses.

3. Add interfaces on Router R1 to the VRF table.

4. Configure static routes.

 

IV. Configuration Steps

1.      Configure a VRF table named abc on Router R1.

Notes:

VRF is locally effective. When VRF is enabled at the local end, interfaces on the local router that belong to the same VRF table can interwork with each other. Interfaces that belong to different VRF tables are logically isolated, regardless of whether VRF is enabled on the peer router.

Ruijie(config)#hostname R1

R1(config)#ip vrf abc     //Enable a VRF table named abc on the router.

R1(config-vrf)#exit

2.      Configure basic IP addresses.

R1(config)#interface fastEthernet 0/2

R1(config-if-FastEthernet 0/2)#ip ref

R1(config-if-FastEthernet 0/2)#ip address 192.168.1.1 255.255.255.0

R1(config-if-FastEthernet 0/2)#exit

R1(config)#interface fastEthernet 0/0

R1(config-if-FastEthernet 0/0)#ip ref

R1(config-if-FastEthernet 0/0)#ip address 10.1.1.1 255.255.255.0

R1(config-if-FastEthernet 0/0)#exit

 

Ruijie(config)#hostname R2

R2(config)#interface fastEthernet 0/0

R2(config-if-FastEthernet 0/0)#ip ref

R2(config-if-FastEthernet 0/0)#ip address 192.168.1.2 255.255.255.0

R2(config-if-FastEthernet 0/0)#exit

R2(config)#interface fastEthernet 0/1

R2(config-if-FastEthernet 0/1)#ip ref

R2(config-if-FastEthernet 0/1)#ip address 10.2.1.1 255.255.255.0

R2(config-if-FastEthernet 0/1)#exit

3.      Add interfaces on Router R1 to the VRF table.

Notes:

When an interface is added to a VRF table and an IP address has already been configured for the interface, the IP address is deleted and you need to reconfigure an IP address for the interface.

R1(config)#interface fastEthernet 0/2

R1(config-if-FastEthernet 0/2)#ip vrf forwarding abc   //Add the interface to the VRF table named abc.

% Interface FastEthernet 0/2 IP address 192.168.1.1 removed due to enabling VRF abc

R1(config-if-FastEthernet 0/2)#ip address 192.168.1.1 255.255.255.0       //Reconfigure an IP address for Interface F0/2.

R1(config-if-FastEthernet 0/2)#exit

R1(config)#interface fastEthernet 0/0

R1(config-if-FastEthernet 0/0)#ip vrf forwarding abc   //Add the interface to the VRF table named abc.

% Interface FastEthernet 0/0 IP address 10.1.1.1 removed due to enabling VRF abc

R1(config-if-FastEthernet 0/0)#ip address 10.1.1.1 255.255.255.0   //Reconfigure an IP address for the interface.

R1(config-if-FastEthernet 0/0)#exit

4.      Configure static routes.

Notes:

In addition to the commands for configuring common static routes, the vrf abc keyword must be added to the ip route command to configure a VRF static route. The precautions for configuring VRF static routes are the same as those for configuring common static routes. For details, see the static route configuration.

R1(config)#ip route vrf abc 10.2.1.0 255.255.255.0 192.168.1.2         //Configure a static route in the VRF table named abc.

R2(config)#ip route 10.1.1.0 255.255.255.0 192.168.1.1        //Configure a common static route on R2 because VRF is not enabled on Router R2.

 

V. Verification

1.      Ping the intranet address of the peer end from an intranet PC. If the ping operation succeeds, the VRF static routing is configured correctly.

To ping the intranet address of the peer end, do as follows: Choose Start > Run. In the Run dialog box, enter cmd. In the window that is displayed, enter ping X.X.X.X (X.X.X.X indicates the intranet IP address of the peer end).

2.      Run the show ip route vrf abc command to display the VRF route.

R1#show ip route vrf abc

Routing Table: abc

 

Codes:  C - connected, S - static, R - RIP, B - BGP

        O - OSPF, IA - OSPF inter area

        N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

        E1 - OSPF external type 1, E2 - OSPF external type 2

        i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2

        ia - IS-IS inter area, * - candidate default

 

Gateway of last resort is no set

C    10.1.1.0/24 is directly connected, FastEthernet 0/0

C    10.1.1.1/32 is local host.

S    10.2.1.0/24 [1/0] via 192.168.1.2

C    192.168.1.0/24 is directly connected, FastEthernet 0/2

C    192.168.1.1/32 is local host.

1.2.2    RIP

1.2.2.1    Basic Configuration of RIP

 

Features

The Routing Information Protocol (RIP) is an old routing protocol that is widely used in small networks and in networks that use the same medium. RIP adopts the distance vector algorithm and is therefore a distance vector protocol. RIPv1 is defined in RFC 1058 and RIPv2 in RFC 2453. Ruijie RGOS software supports both RIPv1 and RIPv2. RIP exchanges routing information in UDP packets on UDP port 520. Normally, RIPv1 packets are broadcast while RIPv2 packets are multicast to the address 224.0.0.9. RIP sends an update packet every 30 seconds. If a device fails to receive a route update packet from the peer end within 180 seconds, it marks all routes from that peer as unreachable. If the device still fails to receive a route update packet from the peer within a further 120 seconds, it deletes those routes from the routing table.

 

Scenarios

The network scale of an enterprise is small, with fewer than ten routers, and mutual communication and data sharing are required throughout the network. Therefore, RIP needs to be enabled on all routers in the network.

 

I. Networking Requirements

The RIP protocol needs to run on routers throughout the network so that routes across the network are reachable.

      

II. Networking Topology

III. Configuration Tips

1.      Configure basic IP addresses for routers throughout the network.

2.      Enable RIP on routers throughout the network and advertise interfaces to the RIP process.

 

IV. Configuration Steps

1.      Configure basic IP addresses for routers throughout the network.

Ruijie(config)#hostname R1

R1(config)#interface gigabitEthernet 0/0

R1(config-if-GigabitEthernet 0/0)#ip address 192.168.1.1 255.255.255.0

R1(config-if-GigabitEthernet 0/0)#exit

R1(config)#interface gigabitEthernet 0/1

R1(config-if-GigabitEthernet 0/1)#ip address 10.1.1.1 255.255.255.0

R1(config-if-GigabitEthernet 0/1)#exit

 

Ruijie(config)#hostname R2

R2(config)#interface fastEthernet 0/0

R2(config-if-FastEthernet 0/0)#ip address 192.168.1.2 255.255.255.0

R2(config-if-FastEthernet 0/0)#exit

R2(config)#interface fastEthernet 0/1

R2(config-if-FastEthernet 0/1)#ip address 192.168.2.1 255.255.255.0

R2(config-if-FastEthernet 0/1)#exit

 

Ruijie(config)#hostname R3

R3(config)#interface fastEthernet 0/0

R3(config-if-FastEthernet 0/0)#ip address 10.4.1.1 255.255.255.0

R3(config-if-FastEthernet 0/0)#exit

R3(config)#interface fastEthernet 0/1

R3(config-if-FastEthernet 0/1)#ip address 192.168.2.2 255.255.255.0

R3(config-if-FastEthernet 0/1)#exit

2.      Enable RIP on routers throughout the network andadvertise interfaces to the RIP process.

Notes:

1)      There are two RIP versions: RIPv1 and RIPv2. RIPv2 uses multicast update packets instead of broadcast update packets and carries the subnet mask of each route in the packets. Therefore, RIPv2 is recommended.

2)      When the network command is executed to advertise a network over RIP, only the classful network is advertised even if a subnet address is entered in this command. All interfaces that belong to this classful network are advertised to the RIP process.

3)      By default, RIP performs automatic summarization at the border of the classful network. If the classful network is discontiguous, routes are learnt incorrectly. Therefore, it is recommended that automatic summarization be disabled after RIP is enabled and manual summarization be used instead.

R1(config)#router rip

R1(config-router)#version 2         //Enable RIPv2.

R1(config-router)#no auto-summary       //Disable automatic summarization.

R1(config-router)#network 192.168.1.0     //Advertise the network segment 192.168.1.0 to the RIP process.

R1(config-router)#network 10.0.0.0

R1(config-router)#exit

 

R2(config)#router rip

R2(config-router)#version 2

R2(config-router)#no auto-summary

R2(config-router)#network 192.168.1.0

R2(config-router)#network 192.168.2.0

R2(config-router)#exit

 

R3(config)#router rip

R3(config-router)#version 2

R3(config-router)#no auto-summary

R3(config-router)#network 192.168.2.0

R3(config-router)#network 10.0.0.0

R3(config-router)#exit

 

V. Verification

Check routes on routers throughout the network. If each router successfully learns routes throughout the network, RIP is configured correctly.

 

 

1.2.2.2    RIP in VRF

 

Features

The Routing Information Protocol (RIP) is an old routing protocol that is widely used in small networks and in networks that use the same medium. RIP adopts the distance vector algorithm and is therefore a distance vector protocol. RIPv1 is defined in RFC 1058 and RIPv2 in RFC 2453. Ruijie RGOS software supports both RIPv1 and RIPv2. RIP exchanges routing information in UDP packets on UDP port 520. Normally, RIPv1 packets are broadcast while RIPv2 packets are multicast to the address 224.0.0.9. RIP sends an update packet every 30 seconds. If a device fails to receive a route update packet from the peer end within 180 seconds, it marks all routes from that peer as unreachable. If the device still fails to receive a route update packet from the peer within a further 120 seconds, it deletes those routes from the routing table.
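The RIP timers described in this Features paragraph (and in the identical one under Basic Configuration of RIP) modelled as an added Python example, not RGOS code: a neighbor advertises a prefix every 30 seconds and then falls silent, and the table marks the route unreachable after 180 seconds and deletes it 120 seconds later. The neighbor address and prefix are those of the VRF RIP scenario below; the timeline, the class and the function names are constructed for the example.

```python
"""RIP route aging as described above, modelled in Python (added example,
not RGOS code). Timers from the text: updates every 30 s; a route whose
neighbor has been silent for 180 s is marked unreachable (metric 16);
if 120 s more pass without an update the route is deleted.
"""
from dataclasses import dataclass

UPDATE_INTERVAL = 30      # seconds between periodic update packets
INVALID_AFTER = 180       # no update for this long: route marked unreachable
FLUSH_AFTER = 120         # unreachable for this long: route deleted
INFINITY = 16             # RIP hop count meaning "unreachable"


@dataclass
class RipRoute:
    prefix: str
    next_hop: str
    metric: int
    last_update: float     # time of the last update that carried this route


class RipTable:
    def __init__(self) -> None:
        self.routes: dict[str, RipRoute] = {}

    def receive_update(self, neighbor: str, prefix: str, metric: int, now: float) -> None:
        """Process one route from a neighbor's update packet: distance vector,
        so the stored metric is the advertised hop count plus one (16 = unreachable)."""
        new_metric = min(metric + 1, INFINITY)
        current = self.routes.get(prefix)
        if current is None:
            if new_metric < INFINITY:
                self.routes[prefix] = RipRoute(prefix, neighbor, new_metric, now)
            return
        if current.next_hop == neighbor:
            # Same neighbor: always accept its metric; refresh the timer only
            # while it still reports the route as reachable.
            current.metric = new_metric
            if new_metric < INFINITY:
                current.last_update = now
        elif new_metric < current.metric:
            # A different neighbor offers a better path: replace the route.
            self.routes[prefix] = RipRoute(prefix, neighbor, new_metric, now)

    def age(self, now: float) -> None:
        """Apply the invalid (180 s) and flush (180 s + 120 s) timers at time `now`."""
        for prefix in list(self.routes):
            route = self.routes[prefix]
            silent = now - route.last_update
            if silent >= INVALID_AFTER + FLUSH_AFTER:
                del self.routes[prefix]              # 300 s without an update: flushed
            elif silent >= INVALID_AFTER:
                route.metric = INFINITY              # 180 s without an update: unreachable

    def state(self, prefix: str) -> str:
        route = self.routes.get(prefix)
        if route is None:
            return "absent"
        return "unreachable" if route.metric >= INFINITY else f"metric {route.metric}"


def simulate_silent_neighbor(last_update_time: float = 60.0) -> dict[int, str]:
    """Constructed timeline: neighbor 192.168.1.2 advertises 10.2.1.0/24 with hop
    count 0 every 30 s and sends its last update at `last_update_time`. Returns
    the route state at the interesting instants, measured from that last update."""
    table = RipTable()
    t = 0.0
    while t <= last_update_time:
        table.receive_update("192.168.1.2", "10.2.1.0/24", 0, t)
        t += UPDATE_INTERVAL
    states = {}
    for offset in (0, INVALID_AFTER - 1, INVALID_AFTER,
                   INVALID_AFTER + FLUSH_AFTER - 1, INVALID_AFTER + FLUSH_AFTER):
        table.age(last_update_time + offset)
        states[offset] = table.state("10.2.1.0/24")
    return states


if __name__ == "__main__":
    for offset, state in simulate_silent_neighbor().items():
        print(f"{offset:>3} s after the last update: {state}")
```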

 

I. Networking Requirements

As shown in the following figure, Interfaces F0/0 and F0/2 of Router R1 belong to a VRF table named abc, and Router R2 is a common global router. The RIP protocol needs to be configured on routers throughout the network so that routes across the network are reachable.

      

II. Networking Topology

III. Configuration Tips

1.      Configure a VRF table named abc on Router R1.

2.      Configure basic IP addresses.

3.      Add interfaces on Router R1 to the VRF table.

4.      Enable RIP on routers throughout the network and advertise interfaces to the RIP process.

 

IV. Configuration Steps

1.      Configure a VRF table named abc on Router R1.

Notes:

VRF is locally effective. When VRF is enabled at the local end, interfaces on the local router that belong to the same VRF table can interwork with each other. Interfaces that belong to different VRF tables are logically isolated, regardless of whether VRF is enabled on the remote router.

Ruijie(config)#hostname R1

R1(config)#ip vrf abc     //Enable a VRF table named abc on the router.

R1(config-vrf)#exit

2.      Configure basic IP addresses.

R1(config)#interface fastEthernet 0/2

R1(config-if-FastEthernet 0/2)#ip address 192.168.1.1 255.255.255.0

R1(config-if-FastEthernet 0/2)#exit

R1(config)#interface fastEthernet 0/0

R1(config-if-FastEthernet 0/0)#ip address 10.1.1.1 255.255.255.0

R1(config-if-FastEthernet 0/0)#exit

 

Ruijie(config)#hostname R2

R2(config)#interface fastEthernet 0/0

R2(config-if-FastEthernet 0/0)#ip address 192.168.1.2 255.255.255.0

R2(config-if-FastEthernet 0/0)#exit

R2(config)#interface fastEthernet 0/1

R2(config-if-FastEthernet 0/1)#ip address 10.2.1.1 255.255.255.0

R2(config-if-FastEthernet 0/1)#exit

3.      Add interfaces on Router R1 to the VRF table.

Notes:

When an interface is added to a VRF table and an IP address has already been configured for the interface, the IP address is deleted and you need to reconfigure an IP address for the interface.

R1(config)#interface fastEthernet 0/2

R1(config-if-FastEthernet 0/2)#ip vrf forwarding abc

% Interface FastEthernet 0/2 IP address 192.168.1.1 removed due to enabling VRF abc

R1(config-if-FastEthernet 0/2)#ip address 192.168.1.1 255.255.255.0       //Reconfigure an IP address for Interface F0/2.

R1(config-if-FastEthernet 0/2)#exit

R1(config)#interface fastEthernet 0/0

R1(config-if-FastEthernet 0/0)#ip vrf forwarding abc

% Interface FastEthernet 0/0 IP address 10.1.1.1 removed due to enabling VRF abc

R1(config-if-FastEthernet 0/0)#ip address 10.1.1.1 255.255.255.0

R1(config-if-FastEthernet 0/0)#exit

4.      Enable RIP on routers throughout the network and advertise interfaces to the RIP process.

Notes:

To configure VRF RIP, run the address-family ipv4 vrf command after enabling RIP. The precautions for configuring VRF RIP are the same as those for configuring common RIP. For details, see RIP basic configuration.

R1(config)#router rip

R1(config-router)#address-family ipv4 vrf abc     //Enable RIP for the VRF table named abc.

R1(config-router-af)#version 2     //Enable RIPv2.

R1(config-router-af)#no auto-summary    //Disable automatic summarization.

R1(config-router-af)#network 192.168.1.0   //Advertise the network segment 192.168.1.0 to the RIP process.

R1(config-router-af)#network 10.0.0.0

R1(config-router-af)#exit

R1(config-router)#exit

 

R2(config)#router rip

R2(config-router)#version 2

R2(config-router)#no auto-summary

R2(config-router)#network 192.168.1.0

R2(config-router)#network 10.0.0.0

R2(config-router)#exit

 

V. Verification

Check the VRF routing table on Router R1 and the global routing tables on the other routers. If each router successfully learns routes throughout the network, VRF RIP is configured correctly.

R1#show ip route vrf abc

Routing Table: abc

 

Codes:  C - connected, S - static, R - RIP, B - BGP

        O - OSPF, IA - OSPF inter area

        N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

        E1 - OSPF external type 1, E2 - OSPF external type 2

        i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2

        ia - IS-IS inter area, * - candidate default

 

Gateway of last resort is no set

C    10.1.1.0/24 is directly connected, FastEthernet 0/0

C    10.1.1.1/32 is local host.

R    10.2.1.0/24 [120/1] via 192.168.1.2, 00:02:53, FastEthernet 0/2

C    192.168.1.0/24 is directly connected, FastEthernet 0/2

C    192.168.1.1/32 is local host.

 

1.2.2.3    Redistribution

 

Features

The route redistribution function imports routes learnt from other routing protocols into the Routing Information Protocol (RIP) domain.

 

Scenarios

Multiple routing protocols are enabled on the network of an enterprise, and mutual communication and data sharing are required throughout the network. Therefore, routes learnt by the other routing protocols need to be imported into the RIP domain.

 

I. Networking Requirements

In addition to RIP, other routing protocols run on the network, and routes learnt by those routing protocols need to be redistributed into RIP.

       

II. Networking Topology

 

III. Configuration Tips

1.      Configure IP addresses and basic RIP information for routers throughout the network.

2.      Configure a static route destined for the network 10.1.2.0/24 on Router R1.

3.      Redistribute the static route to the RIP domain.

 

IV. Configuration Steps

1.      Configure IP addresses and basic RIP information for routers throughout the network.

For the configuration, see RIP basic configuration (choose Typical Configuration > IP Routing > RIP > Basic Configuration).

2.      Configure a static route destined for the network 10.1.2.0/24 on Router R1.

R1(config)#ip route 10.1.2.0 255.255.255.0 192.168.11.2

3.      Redistribute the static route to the RIP domain.

Notes:

1)     The commands for RIP to redistribute routes learnt by other routing protocols are as follows:

R1(config)#router rip

R1(config-router)#redistribute ?

  bgp          Border Gateway Protocol (BGP)

  connected    Connected

  ospf         Open Shortest Path First (OSPF)

  static       Static routes

2)      External routes imported by RIP must be effective routes on the local router, that is, routes that are displayed when the show ip route command is executed on the local router.

3)      A metric must be specified for external routes imported by RIP. The default metric is infinite, so imported external routes without a metric are ineffective.

The following example is based on the import of a static route by RIP. Other routes are imported in the same way.

R1(config)#router rip

R1(config-router)#redistribute static metric 1      //Redistribute the static route to the RIP domain and set the metric to 1.

R1(config-router)#exit

 

V. Verification

Check routes on the other routers. If the other routers successfully learn the route destined for the external network 10.1.2.0/24, redistribution is configured correctly.

 

1.2.2.4    Summarization

 

Features

The route summarization function enables the Routing Information Protocol (RIP) to summarize specific routes learnt by or generated by RIP and to transfer them to RIP neighbors, so as to reduce route entries on routers.

 

Scenarios

There are numerous IP network segments in the network of an enterprise. Route summarization can be configured on routers to reduce route entries on the routers and improve router performance.

 

I. Networking Requirements

Specific routes learnt by RIP need to be summarized to reduce route entries.

 

II. Networking Topology

III. Configuration Tips

1.      Configure IP addresses and basic RIP information for routers throughout the network.

2.      Configure route summarization.

 

IV. Configuration Steps

1.      Configure IP addresses and basic RIP information for routers throughout the network.

For the configuration, see RIP basic configuration (choose Typical Configuration > IP Routing > RIP > Basic Configuration).

2.      Configure route summarization.

Notes:

1)      RIP can summarize routes generated by RIP or learnt from neighbors on outbound interfaces, but cannot perform supernet summarization on these routes.

2)      Automatic summarization must be disabled before routes learnt or generated by RIP are manually summarized.

R1(config)#router rip

R1(config-router)#no auto-summary       //Disable automatic summarization.

R1(config-router)#exit

R1(config)#interface gigabitEthernet 0/0

R1(config-if-GigabitEthernet 0/0)#ip rip summary-address 10.1.0.0 255.255.0.0     //Summarize the routes as 10.1.0.0/16 on this interface.

R1(config-if-GigabitEthernet 0/0)#exit

 

V. Verification

Check routes on routers throughout the network. If all the routers correctly learn the summarized route, RIP route summarization is configured correctly.

 

1.2.3    OSPF

1.2.3.1    Basic Configuration of OSPF

 

Features

The Open Shortest Path First (OSPF) protocol is a link-state interior gateway routing protocol developed by the OSPF Working Group of the Internet Engineering Task Force (IETF). OSPF is designed exclusively for IP. It runs directly on top of IP with protocol ID 89. OSPF packets are exchanged in multicast mode, with the multicast address 224.0.0.5 (to all OSPF routers) or 224.0.0.6 (to designated routers). When an OSPF routing domain is large, a hierarchical structure is often adopted: the routing domain is divided into several areas, which are interconnected through a backbone area. Each non-backbone area must be directly connected to the backbone area.

 

Scenarios

The network scale of an enterprise is large, with more than ten routers, and mutual communication and data sharing are required throughout the network. Therefore, OSPF needs to be enabled on all routers in the network.

 

I. Networking Requirements

The OSPF protocol needs to run on routers throughout the network so that routes across the network are reachable.

 

II. Networking Topology

III. Configuration Tips

1.      Configure basic IP addresses for routers throughout the network.

2.      Enable OSPF on routers throughout the network and advertise interfaces to a specified area.

3.      (Optional) Adjust the OSPF network type for Ethernet interfaces.

 

IV. Configuration Steps

1.      Configure basic IP addresses for routers throughout the network.

Ruijie(config)#hostname R1

R1(config)#interface gigabitEthernet 0/0

R1(config-if-GigabitEthernet 0/0)#ip address 192.168.1.1 255.255.255.0

R1(config-if-GigabitEthernet 0/0)#exit

R1(config)#interface gigabitEthernet 0/1

R1(config-if-GigabitEthernet 0/1)#ip address 10.1.1.1 255.255.255.0

R1(config-if-GigabitEthernet 0/1)#exit

R1(config)#interface loopback 0        //Configure the address of Interface loopback 0 as the OSPF router ID.

R1(config-if-Loopback 0)#ip address 1.1.1.1 255.255.255.255

R1(config-if-Loopback 0)#exit

 

Ruijie(config)#hostname R2

R2(config)#interface fastEthernet 0/0

R2(config-if-FastEthernet 0/0)#ip address 192.168.1.2 255.255.255.0

R2(config-if-FastEthernet 0/0)#exit

R2(config)#interface fastEthernet 0/1

R2(config-if-FastEthernet 0/1)#ip address 192.168.2.1 255.255.255.0

R2(config-if-FastEthernet 0/1)#exit

R2(config)#interface loopback 0

R2(config-if-Loopback 0)#ip address 2.2.2.2 255.255.255.255

R2(config-if-Loopback 0)#exit

 

Ruijie(config)#hostname R3

R3(config)#interface fastEthernet 0/0

R3(config-if-FastEthernet 0/0)#ip address 192.168.3.1 255.255.255.0

R3(config-if-FastEthernet 0/0)#exit

R3(config)#interface fastEthernet 0/1

R3(config-if-FastEthernet 0/1)#ip address 192.168.2.2 255.255.255.0

R3(config-if-FastEthernet 0/1)#exit

R3(config)#interface loopback 0

R3(config-if-Loopback 0)#ip address 3.3.3.3 255.255.255.255

R3(config-if-Loopback 0)#exit

 

Ruijie(config)#hostname R4

R4(config)#interface gigabitEthernet 0/0

R4(config-if-GigabitEthernet 0/0)#ip address 192.168.3.2 255.255.255.0

R4(config-if-GigabitEthernet 0/0)#exit

R4(config)#interface gigabitEthernet 0/1

R4(config-if-GigabitEthernet 0/1)#ip address 10.4.1.1 255.255.255.0

R4(config-if-GigabitEthernet 0/1)#exit

R4(config)#interface loopback 0

R4(config-if-Loopback 0)#ip address 4.4.4.4 255.255.255.255

R4(config-if-Loopback 0)#exit

2.      Enable OSPF on routers throughout the network and advertise interfaces to a specified area.

Notes:

1)      An OSPF process ID only indicates an OSPFprocess on the local router. OSPF process IDs of routers throughout the networkcan be different.

2)      When establishing a neighbor relationship, OSPFdetects the area ID in the hello packet from the peer end. If the local router and peer router are in thesame link, the OSPF area IDs at both ends must be the same.

3)      The network command is described asfollows: It is used to define an interface on which OSPF is to be enabled. Suchan interface is matched using the form of IP network segment + wildcard mask (0means that the equivalent bit must match and 1 means that the equivalent bitdoes not matter). It is recommended that the interface IP address be appendedbehind network and the wildcard mask be set to 0.0.0.0. Then, theinterface with the IP address will be advertised to the OSPF process.
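The wildcard-mask rule in note 3), worked through as an added Python example (this is not Ruijie code and not from this cookbook). It takes R1's interfaces from the section above plus one constructed interface, Gi0/2 with 192.168.5.1, and shows which interfaces each style of network statement pulls into OSPF. The tie-break rule for overlapping statements (most specific wildcard wins) is an assumption borrowed from IOS-style platforms and is marked as such in the code.

```python
import ipaddress


def matches_network(interface_ip: str, network: str, wildcard: str) -> bool:
    """Apply the wildcard-mask rule from the note above.

    A 0 bit in the wildcard means the corresponding address bit must match,
    a 1 bit means that bit does not matter.
    """
    ip = int(ipaddress.IPv4Address(interface_ip))
    net = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (ip & care) == (net & care)


def ospf_enabled_interfaces(interfaces, network_statements):
    """Return {interface: area} for every interface; None if no statement matches.

    interfaces:         {name: ip}
    network_statements: [(network, wildcard, area), ...]
    Assumption (not stated on the page): when several statements match one
    interface, the most specific one (fewest don't-care bits) wins, as on
    IOS-style platforms. With exact 0.0.0.0 wildcards this never matters.
    """
    def dont_care_bits(stmt):
        return bin(int(ipaddress.IPv4Address(stmt[1]))).count("1")

    ordered = sorted(network_statements, key=dont_care_bits)
    result = {}
    for name, ip in interfaces.items():
        result[name] = None
        for network, wildcard, area in ordered:
            if matches_network(ip, network, wildcard):
                result[name] = area
                break
    return result


# R1's interfaces from the page, plus a constructed Gi0/2 on a segment that
# should never run OSPF (for example a user-facing VLAN).
R1_INTERFACES = {
    "GigabitEthernet 0/0": "192.168.1.1",
    "GigabitEthernet 0/1": "10.1.1.1",
    "Loopback 0": "1.1.1.1",
    "GigabitEthernet 0/2": "192.168.5.1",   # constructed, not on the page
}

# The page's recommendation: one statement per interface, wildcard 0.0.0.0.
EXACT_STATEMENTS = [
    ("192.168.1.1", "0.0.0.0", 1),
    ("10.1.1.1", "0.0.0.0", 1),
]

# A loose alternative that looks convenient but also enables OSPF on Gi0/2.
LOOSE_STATEMENTS = [
    ("192.168.0.0", "0.0.255.255", 1),
    ("10.0.0.0", "0.255.255.255", 1),
]

if __name__ == "__main__":
    for label, statements in (("exact", EXACT_STATEMENTS), ("loose", LOOSE_STATEMENTS)):
        print(label, ospf_enabled_interfaces(R1_INTERFACES, statements))
```

With the exact statements only Gi0/0 and Gi0/1 run OSPF; with the loose ones the constructed Gi0/2 is pulled into area 1 as well, which is the unintended adjacency surface the note warns about.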

R1(config)#router ospf 1      //Enable OSPF and set the process ID to 1.

R1(config-router)#network 192.168.1.1 0.0.0.0 area 1     //Advertise the interface with the IP address 192.168.1.1 to OSPF area 1.

R1(config-router)#network 10.1.1.1 0.0.0.0 area 1

R1(config-router)#exit

 

R2(config)#router ospf 1

R2(config-router)#network 192.168.1.2 0.0.0.0 area 1

R2(config-router)#network 192.168.2.1 0.0.0.0 area 0

R2(config-router)#exit

 

R3(config)#router ospf 1

R3(config-router)#network 192.168.2.2 0.0.0.0 area 0

R3(config-router)#network 192.168.3.1 0.0.0.0 area 2

R3(config-router)#exit

 

R4(config)#router ospf 1

R4(config-router)#network 192.168.3.2 0.0.0.0 area 2

R4(config-router)#network 10.4.1.1 0.0.0.0 area 2

R4(config-router)#exit

3.      (Optional) Adjust the OSPF network type for Ethernet interfaces.

Notes:

The default OSPF network type of Ethernet interfaces is broadcast, so a Designated Router (DR) and Backup Designated Router (BDR) are elected only after a wait timer of 40 seconds. For point-to-point Ethernet interconnection links it is recommended that the OSPF network type at both ends be set to point-to-point, which skips the DR/BDR election and speeds up convergence of the neighbor relationship.

R2(config)#interface fastEthernet 0/1

R2(config-if-FastEthernet 0/1)#ip ospf network point-to-point        //Set the OSPF network type of the interface to point-to-point (the OSPF network type at both ends of a link must be the same).

R2(config-if-FastEthernet 0/1)#exit

 

R3(config)#interface fastEthernet 0/1

R3(config-if-FastEthernet 0/1)#ip ospf network point-to-point

R3(config-if-FastEthernet 0/1)#exit

 

V. Verification

1.      Check whether an OSPF neighbor relationship is established between adjacent routers and check the neighbor state. If adjacent routers establish a neighbor relationship and the state is Full, OSPF runs properly.

Notes:

On a multi-access network, two DROthers only reach the 2-Way state with each other; their state never becomes Full, and that is expected.

 

2.      Check routes on routers throughout the network. If each router learns the routes of the whole network, OSPF is configured correctly.

 

1.2.3.2    OSPF in VRF

 

Features

The Open Shortest Path First (OSPF) protocol is a link-state interior gateway routing protocol developed by the OSPF Working Group of the Internet Engineering Task Force (IETF). OSPF is designed exclusively for IP. It runs directly on top of IP with protocol number 89. OSPF packets are exchanged by multicast, to 224.0.0.5 (all OSPF routers) or 224.0.0.6 (all designated routers). When an OSPF routing domain is large, a hierarchical structure is usually adopted: the domain is divided into several areas interconnected through a backbone area, and each non-backbone area must be directly connected to the backbone area.

 

I. Networking Requirements

As shown in the following figure, interfaces F0/0 and F0/2 of Router R1 belong to a VRF table named abc, and Router R2 is an ordinary global router. OSPF needs to be configured on both routers (the entire network is in Area 0) so that routes across the network are reachable.

      

II. Networking Topology

III. Configuration Tips

1.      Configure a VRF table named abc on Router R1.

2.      Configure basic IP addresses.

3.      Add interfaces on Router R1 to the VRF table.

4.      Enable OSPF on routers throughout the network and advertise interfaces to the OSPF process.

 

IV. Configuration Steps

1.      Configure a VRF table named abc on Router R1.

Notes:

VRF is locally significant. When VRF is enabled on the local router, interfaces of that router that belong to the same VRF table can communicate with each other, and interfaces that belong to different VRF tables are logically isolated, regardless of whether VRF is enabled on the remote router.

Ruijie(config)#hostname R1

R1(config)#ip vrf abc //Create a VRF table named abc on the router.

R1(config-vrf)#exit

2.      Configure basic IP addresses.

R1(config)#interface fastEthernet 0/2

R1(config-if-FastEthernet 0/2)#ip address 192.168.1.1 255.255.255.0

R1(config-if-FastEthernet 0/2)#exit

R1(config)#interface fastEthernet 0/0

R1(config-if-FastEthernet 0/0)#ip address 10.1.1.1 255.255.255.0

R1(config-if-FastEthernet 0/0)#exit

R1(config)#interface loopback 0        //Configure the address of interface Loopback 0 as the OSPF router ID.

R1(config-Loopback 0)#ip address 1.1.1.1 255.255.255.255

R1(config-Loopback 0)#exit

 

Ruijie(config)#hostname R2

R2(config)#interface fastEthernet 0/0

R2(config-if-FastEthernet 0/0)#ip address 192.168.1.2 255.255.255.0

R2(config-if-FastEthernet 0/0)#exit

R2(config)#interface fastEthernet 0/1

R2(config-if-FastEthernet 0/1)#ip address 10.2.1.1 255.255.255.0

R2(config-if-FastEthernet 0/1)#exit

R2(config)#interface loopback 0

R2(config-if-Loopback 0)#ip address 2.2.2.2 255.255.255.255

R2(config-if-Loopback 0)#exit

3.      Add interfaces on Router R1 to the VRF table.

Notes:

1)      When an interface that already has an IP address is added to a VRF table, the IP address is removed and must be configured again.

2)      When the address of the loopback interface is only used as the OSPF router ID, the loopback interface does not need to be added to the VRF table.

R1(config)#interface fastEthernet 0/2

R1(config-if-FastEthernet 0/2)#ip vrf forwarding abc  //Add the interface to the VRF table.

% Interface FastEthernet 0/2 IP address 192.168.1.1 removed due to enabling VRF abc

R1(config-if-FastEthernet 0/2)#ip address 192.168.1.1 255.255.255.0       //Reconfigure the IP address of interface F0/2.

R1(config-if-FastEthernet 0/2)#exit

R1(config)#interface fastEthernet 0/0

R1(config-if-FastEthernet 0/0)#ip vrf forwarding abc

% Interface FastEthernet 0/0 IP address 10.1.1.1 removed due to enabling VRF abc

R1(config-if-FastEthernet 0/0)#ip address 10.1.1.1 255.255.255.0

R1(config-if-FastEthernet 0/0)#exit

4.      Enable OSPF on routers throughout the network and advertise interfaces to the OSPF process.

Notes:

To run OSPF in a VRF, bind the OSPF process to the VRF table when the process is created. The precautions are the same as for ordinary OSPF; for details, see OSPF basic configuration.

R1(config)#router ospf 1 vrf abc      //Enable OSPF process 1 in the VRF table named abc.

R1(config-router)#network 192.168.1.1 0.0.0.0 area 0   //Advertise the interface with the IP address 192.168.1.1 to OSPF area 0.

R1(config-router)#network 10.1.1.1 0.0.0.0 area 0

R1(config-router)#exit

 

R2(config)#router ospf 1

R2(config-router)#network 192.168.1.2 0.0.0.0 area 0

R2(config-router)#network 10.2.1.1 0.0.0.0 area 0

R2(config-router)#exit

 

V. Verification

1.      Check whether an OSPF neighbor relationship is established between adjacent routers and check the neighbor state. If adjacent routers establish a neighbor relationship and the state is Full, OSPF runs properly.

R1#show ip ospf neighbor

 

OSPF process 1, 1 Neighbors, 1 is Full:

Neighbor ID     Pri   State                BFD State  Dead Time   Address        Interface

2.2.2.2              1   Full/BDR                -            00:00:36    192.168.1.2     FastEthernet 0/2
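A check for the verification step, as an added Python example that is not part of the cookbook: it parses the show ip ospf neighbor output shown above and reports any neighbor that is not Full, applying the earlier note that two DROthers legitimately stay in 2-Way. The second sample table is constructed for the example, not taken from a router.

```python
import re

# One row of 'show ip ospf neighbor': Neighbor ID, Pri, State, BFD State,
# Dead Time, Address, Interface (the interface name contains a space).
NEIGHBOR_ROW = re.compile(
    r"^(?P<rid>\d+\.\d+\.\d+\.\d+)\s+(?P<pri>\d+)\s+(?P<state>\S+)\s+(?P<bfd>\S+)\s+"
    r"(?P<dead>\d\d:\d\d:\d\d)\s+(?P<addr>\d+\.\d+\.\d+\.\d+)\s+(?P<intf>\S.*?)\s*$"
)


def parse_ospf_neighbors(output: str):
    """Parse the neighbor table into dicts; header and summary lines are skipped."""
    rows = []
    for line in output.splitlines():
        m = NEIGHBOR_ROW.match(line.strip())
        if not m:
            continue
        state, _, role = m.group("state").partition("/")
        rows.append({
            "rid": m.group("rid"),
            "state": state.upper().replace("-", ""),   # FULL, 2WAY, EXSTART, ...
            "role": role.upper(),                       # DR, BDR, DROTHER, or '' on point-to-point
            "address": m.group("addr"),
            "interface": m.group("intf"),
        })
    return rows


def unhealthy_neighbors(rows):
    """Return the neighbors whose state is not acceptable.

    FULL is always fine. 2WAY is fine only when the neighbor is a DROther:
    on a multi-access segment two DROthers never go beyond 2-Way (see the
    note in the verification section). Anything else (INIT, EXSTART,
    EXCHANGE, LOADING) is a stuck or one-sided adjacency and is reported.
    """
    bad = []
    for r in rows:
        if r["state"] == "FULL":
            continue
        if r["state"] == "2WAY" and r["role"] == "DROTHER":
            continue
        bad.append(r)
    return bad


# Output from the page (R1 in the VRF example).
R1_OUTPUT = """\
OSPF process 1, 1 Neighbors, 1 is Full:
Neighbor ID     Pri   State                BFD State  Dead Time   Address        Interface
2.2.2.2              1   Full/BDR                -            00:00:36    192.168.1.2     FastEthernet 0/2
"""

# Constructed output (not from the page): one adjacency stuck in ExStart and
# one healthy DROther-to-DROther 2-Way neighbor on a multi-access segment.
CONSTRUCTED_OUTPUT = """\
OSPF process 1, 3 Neighbors, 1 is Full:
Neighbor ID     Pri   State                BFD State  Dead Time   Address        Interface
2.2.2.2              1   Full/DR                 -            00:00:31    192.168.1.2     FastEthernet 0/0
3.3.3.3              1   ExStart/BDR             -            00:00:39    192.168.1.3     FastEthernet 0/0
4.4.4.4              1   2-Way/DROTHER           -            00:00:35    192.168.1.4     FastEthernet 0/0
"""

if __name__ == "__main__":
    for output in (R1_OUTPUT, CONSTRUCTED_OUTPUT):
        bad = unhealthy_neighbors(parse_ospf_neighbors(output))
        print([(r["rid"], r["state"], r["interface"]) for r in bad])
```

On the page's output nothing is reported; on the constructed table only 3.3.3.3 is flagged. A neighbor that stays in ExStart or Exchange usually points at an MTU mismatch on the link, which is worth checking before anything else.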

2.      Check the VRF routing table on Router R1 and the global routing tables on other routers. If each router learns the routes of the whole network, VRF OSPF is configured correctly.

R1#show ip route vrf abc

Routing Table: abc

 

Codes:  C - connected, S - static, R - RIP, B - BGP

        O - OSPF, IA - OSPF inter area

        N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

        E1 - OSPF external type 1, E2 - OSPF external type 2

        i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2

        ia - IS-IS inter area, * - candidate default

 

Gateway of last resort is no set

C    10.1.1.0/24 is directly connected, FastEthernet 0/0

C    10.1.1.1/32 is local host.

O    10.2.1.0/24 [110/2] via 192.168.1.2, 00:10:21, FastEthernet 0/2

C    192.168.1.0/24 is directly connected, FastEthernet 0/2

C    192.168.1.1/32 is local host.

 

1.2.3.3    Redistribution

 

Features

The route redistribution function imports routes learnt from other routing protocols into the Open Shortest Path First (OSPF) domain.

 

Scenarios

Multiple routing protocols run on the network of an enterprise, and communication and data sharing are required throughout the network. Routes learnt by the other routing protocols therefore need to be imported into the OSPF domain.

 

I. Networking Requirements

In addition to OSPF, other routing protocols run on the network, and routes learnt by these protocols need to be redistributed into OSPF.

 

II. Networking Topology

III. Configuration Tips

1.      Configure IP addresses and basic OSPF information for routers throughout the network.

2.      Configure a static route destined for the network 10.1.2.0/24 on Router R1.

3.      Redistribute the static route into the OSPF domain.

 

IV. Configuration Steps

1.      Configure IP addresses and basic OSPF information for routers throughout the network.

For the configuration, see OSPF basic configuration (choose Typical Configuration > IP Routing > OSPF > Basic Configuration).

2.      Configure a static route destined for the network 10.1.2.0/24 on Router R1.

R1(config)#ip route 10.1.2.0 255.255.255.0 192.168.11.2

3.      Redistribute the static route into the OSPF domain.

Notes:

1)     The route sources that OSPF can redistribute are listed by the redistribute command:

R1(config)#router ospf 1

R1(config-router)#redistribute ?

 bgp        Border Gateway Protocol (BGP)

 connected  Connected

 ospf       Open Shortest Path First (OSPF)

 rip        Routing Information Protocol (RIP)

 static     Static routes

2)     External routes imported into OSPF have one of two metric types: type 1 and type 2.

a.      Metric type 1 (E1): the internal cost to the ASBR is added to the external metric as the route is propagated through the OSPF domain. If routers inside the domain must choose between several paths to an imported external route, type 1 is recommended. The default metric type for imported external routes is 2.

b.      Metric type 2 (E2): the internal cost is not added; the external metric stays as set on the ASBR throughout the domain, and the internal cost to the ASBR is only used as a tie-break between equal external metrics.

R1(config)#router ospf 1

R1(config-router)#redistribute static metric-type ?

  1  Set OSPF External Type 1 metrics

  2  Set OSPF External Type 2 metrics

3)     External routes imported into OSPF must be active routes on the local router, that is, routes shown by the show ip route command on that router.

4)     When a route is redistributed into the OSPF domain, add the subnets keyword. Otherwise only classful (main class) network routes are redistributed, and subnets such as 10.1.2.0/24 are silently dropped.

The following example imports a static route into OSPF. Other route sources are imported in the same way.

R1(config)#router ospf 1

R1(config-router)#redistribute static subnets //Redistribute the static route.

R1(config-router)#exit
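To make the metric type 1 / type 2 distinction from note 2) concrete, the following added Python example (not from the cookbook or Ruijie) computes which ASBR a router prefers under each metric type. The topology, link costs and external metrics are constructed: the R1-R2-R3-R4 chain from the basic configuration with every link at cost 1, plus a hypothetical R5 behind R4 that redistributes the same prefix. Area boundaries are ignored, since the internal cost to the ASBR is additive either way.

```python
import heapq


def shortest_costs(topology, source):
    """Dijkstra over the OSPF topology: cost from `source` to every router."""
    dist = {source: 0}
    heap = [(0, source)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > dist[u]:
            continue
        for v, w in topology[u].items():
            nd = d + w
            if nd < dist.get(v, float("inf")):
                dist[v] = nd
                heapq.heappush(heap, (nd, v))
    return dist


def select_external_route(topology, router, advertisers, metric_type):
    """Pick the ASBR a router uses for an external prefix.

    advertisers: {asbr: external metric it attached on redistribution}
    metric_type 1: route cost = external metric + internal cost to the ASBR
    metric_type 2: route cost = external metric only; the internal cost to
                   the ASBR is used just as a tie-break between equal metrics
    Returns (chosen_asbr, cost as shown in the routing table).
    """
    if metric_type not in (1, 2):
        raise ValueError("metric_type must be 1 or 2")
    dist = shortest_costs(topology, router)
    best = None
    for asbr, ext in advertisers.items():
        internal = dist[asbr]
        if metric_type == 1:
            key, shown = (ext + internal, internal), ext + internal
        else:
            key, shown = (ext, internal), ext
        if best is None or key < best[0]:
            best = (key, asbr, shown)
    return best[1], best[2]


# Constructed topology (assumption: every link at cost 1): the page's
# R1-R2-R3-R4 chain plus a hypothetical R5 behind R4. Both R1 and R5
# redistribute the same external prefix, R1 with metric 20 and R5 with
# metric 21 (constructed values).
TOPOLOGY = {
    "R1": {"R2": 1},
    "R2": {"R1": 1, "R3": 1},
    "R3": {"R2": 1, "R4": 1},
    "R4": {"R3": 1, "R5": 1},
    "R5": {"R4": 1},
}
ADVERTISERS = {"R1": 20, "R5": 21}

if __name__ == "__main__":
    for router in ("R2", "R4"):
        for mt in (1, 2):
            print(router, "E%d" % mt, select_external_route(TOPOLOGY, router, ADVERTISERS, mt))
```

From R4, the E2 rule prefers R1 (metric 20 beats 21) even though R1 is three hops away, while the E1 rule prefers the adjacent R5 (21 + 1 = 22 beats 20 + 3 = 23). That is the case note 2) describes: if the internal network should pick the nearer exit, redistribute with metric-type 1.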

 

V. Verification

Check routes on the other routers. If they learn the route destined for the external network 10.1.2.0/24, redistribution is configured correctly.

 

1.2.3.4    Summarization

 

Features

Route summarization in Open Shortest Path First (OSPF) reduces the size of the link-state database and routing table on routers. OSPF route summarization can be configured only on Area Border Routers (ABRs) and Autonomous System Boundary Routers (ASBRs): an ABR summarizes inter-area routes as they are advertised from one area into another, and an ASBR summarizes external routes as they are redistributed into the OSPF domain. Intra-area routes cannot be summarized, because every router in an area must hold the same link-state database.

 

Scenarios

There are numerous IP network segments in the network of an enterprise. Route summarization can be configured on routers to reduce route entries and improve router performance.

 

I. Networking Requirements

Specific routes learnt by OSPF need to be summarized to reduce route entries.

 

II. Networking Topology

 

III. Configuration Tips

1.      Configure IP addresses and basic OSPF information for routers throughout the network.

2.      Redistribute the external static route 10.1.2.0/24 into the OSPF domain.

3.      Summarize the intra-domain (inter-area) route on the ABR.

4.      Summarize the inter-domain (external) route on the ASBR.

 

IV. Configuration Steps

1.      Configure IP addresses and basic OSPF information for routers throughout the network.

For the configuration, see OSPF basic configuration (choose Typical Configuration > IP Routing > OSPF > Basic Configuration).

2.      Redistribute the external static route 10.1.2.0/24 into the OSPF domain.

For the configuration, see OSPF redistribution (choose Typical Configuration > IP Routing > OSPF > Redistribution).

3.      Summarize the intra-domain (inter-area) route.

On Router R3 (the ABR between Area 0 and Area 2), summarize the route 10.4.1.0/24 learnt from Router R4 as 10.4.0.0/16.

R3(config)#router ospf 1

R3(config-router)#area 2 range 10.4.0.0 255.255.0.0    //Summarize the inter-area route (the area given after area must be the area the route comes from).

R3(config-router)#exit

4.      Summarize the inter-domain (external) route.

Notes:

OSPF summarizes external routes only on the ASBR that redistributes them.

On Router R1, summarize the static route 10.1.2.0/24 that R1 redistributes as 10.1.0.0/16.

R1(config)#router ospf 1

R1(config-router)#summary-address 10.1.0.0 255.255.0.0      //Summarize the external route.

R1(config-router)#exit
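An added Python example (not from the cookbook) for checking a summary before it is configured with area range or summary-address: it computes the smallest prefix that covers a set of component routes and lists the address space a summary claims without any component route behind it. The three-route set for Area 2 is constructed for the example; only 10.4.1.0/24 is on the page.

```python
import ipaddress


def minimal_summary(prefixes):
    """Smallest single prefix that covers every component route."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    summary = nets[0]
    while not all(n.subnet_of(summary) for n in nets):
        summary = summary.supernet()
    return summary


def covers(summary, prefixes):
    """True if every component route lies inside the summary."""
    s = ipaddress.ip_network(summary)
    return all(ipaddress.ip_network(p).subnet_of(s) for p in prefixes)


def unbacked_space(summary, prefixes):
    """Blocks inside `summary` that no component route actually covers.

    The summarizing router attracts traffic for these addresses even though
    it has no real route for them, so this is the space to review before a
    summary goes into production.
    """
    remaining = [ipaddress.ip_network(summary)]
    for p in prefixes:
        comp = ipaddress.ip_network(p)
        next_remaining = []
        for block in remaining:
            if comp.subnet_of(block):
                next_remaining.extend(block.address_exclude(comp))
            elif block.subnet_of(comp):
                continue                    # block fully inside the component: covered
            else:
                next_remaining.append(block)
        remaining = next_remaining
    return sorted(remaining)


# The page's single Area 2 route, and a constructed set of three Area 2 routes.
AREA2_ROUTES = ["10.4.1.0/24"]
AREA2_ROUTES_MORE = ["10.4.1.0/24", "10.4.2.0/24", "10.4.3.0/24"]   # constructed

if __name__ == "__main__":
    print("minimal summary:", minimal_summary(AREA2_ROUTES_MORE))
    print("unbacked in /22:", unbacked_space("10.4.0.0/22", AREA2_ROUTES_MORE))
    print("page's /16 covers /24:", covers("10.4.0.0/16", AREA2_ROUTES))
    print("unbacked in page's /16:", unbacked_space("10.4.0.0/16", AREA2_ROUTES))
```

For the page's configuration, 10.4.0.0/16 covers 10.4.1.0/24 but also advertises 255 other /24s that nothing in Area 2 serves; whether that is acceptable depends on where else 10.4.0.0/16 addresses are used.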

 

V. Verification

Check routes on routers throughout the network. If the inter-area route and the external route are both correctly summarized (10.4.0.0/16 and 10.1.0.0/16 appear in place of the specific routes), OSPF route summarization is configured correctly.

 

1.2.3.5    Stub Area

 

Features

A stub area, located at the edge of an OSPF domain, filters out type 4 and type 5 Link State Advertisements (LSAs) to reduce the size of the link-state database and routing table. In their place the ABR injects a default route, so traffic to external destinations is still forwarded.

 

I. Networking Requirements

Requirement 1: Configure Area 2 as a stub area to filter out type 4 and type 5 LSAs.

Requirement 2: Configure Area 2 as a totally stub area to filter out type 3, type 4, and type 5 LSAs.

 

II. Networking Topology

III. Configuration Tips

1.      A stub area filters out type 4 and type 5 LSAs, and the Area Border Router (ABR) generates one type 3 LSA default route into the area.

2.      A totally stub area filters out type 3, type 4, and type 5 LSAs, and the ABR generates one type 3 LSA default route into the area.

3.      Routers in a stub area are not allowed to import routes from outside the OSPF domain (no ASBR may exist in a stub area).

 

IV. Configuration Steps

Requirement 1: Configure Area 2 as a stub area to filter out type 4 and type 5 LSAs.

1.      Configure IP addresses and basic OSPF information for routers throughout the network.

For the configuration, see OSPF basic configuration (choose Typical Configuration > IP Routing > OSPF > Basic Configuration).

2.      Configure a static route on Router R1 and redistribute it into the OSPF domain.

For the configuration, see OSPF redistribution (choose Typical Configuration > IP Routing > OSPF > Redistribution).

3.      Configure Area 2 as a stub area.

Notes:

1)      When an area is configured as a stub area, every router in the area must be configured with the stub option; a router without it does not form an adjacency with its stub neighbors, because the stub flag in the hello packets differs.

2)      The backbone area (Area 0) cannot be configured as a stub area.

3)      Virtual links cannot traverse a stub area.

R3(config)#router ospf 1

R3(config-router)#area 2 stub      //Configure Area 2 as a stub area.

R3(config-router)#exit

 

R4(config)#router ospf 1

R4(config-router)#area 2 stub

R4(config-router)#exit

Requirement 2: Configure Area 2 as a totally stub area to filter out type 3, type 4, and type 5 LSAs.

1.      Configure IP addresses and basic OSPF information for routers throughout the network.

For the configuration, see OSPF basic configuration (choose Typical Configuration > IP Routing > OSPF > Basic Configuration).

2.      Configure a static route on Router R1 and redistribute it into the OSPF domain.

For the configuration, see OSPF redistribution (choose Typical Configuration > IP Routing > OSPF > Redistribution).

3.      Configure Area 2 as a totally stub area.

Notes:

When an area is configured as a totally stub area, every router in the area must be configured with the stub option, and the no-summary parameter must additionally be set on the ABR.

R3(config)#router ospf 1

R3(config-router)#area 2 stub no-summary   //Configure Area 2 as a totally stub area.

R3(config-router)#exit

 

R4(config)#router ospf 1

R4(config-router)#area 2 stub

R4(config-router)#exit

 

V. Verification

1.      Verification of the stub area

Check routes on routers in the stub area. If the external (inter-domain) routes are gone, the inter-area routes are still present, and an O IA default route (0.0.0.0/0) has been generated, the stub area is configured correctly.

2.      Verification of the totally stub area

Check routes on routers in the totally stub area. If both the external routes and the inter-area routes are gone and an O IA default route has been generated, the totally stub area is configured correctly.

 

1.2.3.6    NSSA Area

 

Features

A Not-So-Stubby Area (NSSA), located at the edge of an OSPF domain, filters out type 4 and type 5 Link State Advertisements (LSAs) like a stub area, but, unlike a stub area, still allows an ASBR inside the area to import external routes. Those routes are carried inside the NSSA as type 7 LSAs, and the ABR translates them into type 5 LSAs for the rest of the domain.

 

I. Networking Requirements

Requirement 1: Configure Area 2 as an NSSA to filter out type 4 and type 5 LSAs while still importing external static routes.

Requirement 2: Configure Area 2 as a totally NSSA to filter out type 3, type 4, and type 5 LSAs while still importing external static routes.

 

II. Networking Topology

III. Configuration Tips

1.      An NSSA filters out type 4 and type 5 LSAs; by default no type 3 LSA default route is generated by the Area Border Router (ABR).

2.      A totally NSSA filters out type 3, type 4, and type 5 LSAs, and the ABR generates one type 3 LSA default route into the area.

3.      Routers in an NSSA are allowed to import routes from outside the OSPF domain.

 

IV. Configuration Steps

Requirement 1: Configure Area 2 as an NSSA to filter out type 4 and type 5 LSAs while still importing external static routes.

1.      Configure IP addresses and basic OSPF information for routers throughout the network.

For the configuration, see OSPF basic configuration (choose Typical Configuration > IP Routing > OSPF > Basic Configuration).

2.      Configure a static route on Router R1 and on Router R4, and redistribute both into the OSPF domain.

For the configuration, see OSPF redistribution (choose Typical Configuration > IP Routing > OSPF > Redistribution).

3.      Configure Area 2 as an NSSA.

Notes:

1)      When an area is configured as an NSSA, every router in the area must be configured with the nssa option.

2)      The backbone area (Area 0) cannot be configured as an NSSA.

R3(config)#router ospf 1

R3(config-router)#area 2 nssa      //Configure Area 2 as an NSSA.

R3(config-router)#exit

 

R4(config)#router ospf 1

R4(config-router)#area 2 nssa

R4(config-router)#exit

Requirement 2: Configure Area 2 as a totally NSSA to filter out type 3, type 4, and type 5 LSAs while still importing external static routes.

1.      Configure IP addresses and basic OSPF information for routers throughout the network.

For the configuration, see OSPF basic configuration (choose Typical Configuration > IP Routing > OSPF > Basic Configuration).

2.      Configure a static route on Router R1 and on Router R4, and redistribute both into the OSPF domain.

For the configuration, see OSPF redistribution (choose Typical Configuration > IP Routing > OSPF > Redistribution).

3.      Configure Area 2 as a totally NSSA.

Notes:

When an area is configured as a totally NSSA, every router in the area must be configured with the nssa option, and the no-summary parameter must additionally be set on the ABR.

R3(config)#router ospf 1

R3(config-router)#area 2 nssa no-summary   //Configure Area 2 as a totally NSSA.

R3(config-router)#exit

 

R4(config)#router ospf 1

R4(config-router)#area 2 nssa

R4(config-router)#exit

 

V. Verification

1.      Verification of the NSSA

Check routes on routers in the NSSA. If the external routes from outside the area are gone, the inter-area routes are still present, and the static route redistributed by R4 is still imported (the other routers in the NSSA learn it as an OSPF NSSA external route, N1 or N2), the NSSA is configured correctly.

 

2.      Verification of the totally NSSA

Check routes on routers in the totally NSSA. The totally NSSA is configured correctly if both the external routes from outside the area and the inter-area routes are gone, the static route redistributed by R4 is still imported (the other routers in the NSSA learn it as an N1 or N2 route), and one O IA default route has been generated.

 

1.2.4    BGP

1.2.4.1    Basic Configuration of IBGP

 

Features

The Border Gateway Protocol (BGP) is an Exterior Gateway Protocol (EGP) used for communication between routers in different Autonomous Systems (ASs).  BGP exchanges network reachability information between ASs and prevents routing loops with its own mechanisms (the AS path). BGP uses TCP (port 179) as its transport protocol, and the reliable delivery of TCP guarantees reliable transmission of BGP messages. Routers running BGP are called BGP speakers; BGP speakers between which a BGP session is established are called BGP peers.

Two kinds of BGP peering can be established between BGP speakers: Internal BGP (IBGP) and External BGP (EBGP). An IBGP session is established within an AS, while an EBGP session is established between different ASs. In short, EBGP exchanges routing information between ASs, while IBGP carries routing information inside an AS.

 

I. Networking Requirements

1)      Router R1 and Router R2 both belong to AS 123, and an IBGP neighbor relationship needs to be established between them.

2)      Routes are advertised to neighbors over IBGP.

 

II. Networking Topology

III. Configuration Tips

1.      Configure basic IP addresses for routers throughout the network.

2.      Configure a static route on Router R1 and Router R2 so that the Loopback 0 interfaces of Router R1 and Router R2 are reachable from each other.

3.      Configure an IBGP neighbor relationship.

4.      Advertise routes to BGP.

 

IV. Configuration Steps

1.      Configure basic IP addresses for routers throughout the network.

Ruijie(config)#hostname R1

R1(config)#interface gigabitEthernet 0/0

R1(config-GigabitEthernet 0/0)#ip address 192.168.1.1 255.255.255.0

R1(config-GigabitEthernet 0/0)#exit

R1(config)#interface gigabitEthernet 0/1

R1(config-GigabitEthernet 0/1)#ip address 10.1.1.1 255.255.255.0

R1(config-GigabitEthernet 0/1)#exit

R1(config)#interface loopback 0        //Configure the address of interface Loopback 0 as the BGP update source address.

R1(config-Loopback 0)#ip address 1.1.1.1 255.255.255.255

R1(config-Loopback 0)#exit

 

Ruijie(config)#hostname R2

R2(config)#interface fastEthernet 0/0

R2(config-if-FastEthernet 0/0)#ip address 192.168.1.2 255.255.255.0

R2(config-if-FastEthernet 0/0)#exit

R2(config)#interface fastEthernet 0/1

R2(config-if-FastEthernet 0/1)#ip address 192.168.2.1 255.255.255.0

R2(config-if-FastEthernet 0/1)#exit

R2(config)#interface loopback 0

R2(config-if-Loopback 0)#ip address 2.2.2.2 255.255.255.255

R2(config-if-Loopback 0)#exit

 

2.      Configure a static route on Router R1 and Router R2 so that the Loopback 0 interfaces of Router R1 and Router R2 are reachable from each other.

R1(config)#ip route 2.2.2.2 255.255.255.255 192.168.1.2

R2(config)#ip route 1.1.1.1 255.255.255.255 192.168.1.1

 

3.      Configure an IBGP neighbor relationship.

Notes:

1)     If the AS number configured for a BGP neighbor is the same as the AS number of the local router, an IBGP neighbor relationship is established; if the AS numbers differ, an EBGP neighbor relationship is established.

2)     Selection of the update source address for a BGP neighbor relationship

a.      An EBGP neighbor relationship is established at the border of an AS. It is recommended that the address of the directly connected interface be used as the update source address of the EBGP neighbor; no IGP is needed, because the directly connected interface is reachable by itself.

b.      An IBGP neighbor relationship is established within an AS. It is recommended that the loopback address be used as the update source address of the IBGP neighbor, because a loopback never goes down (the BGP session does not flap when a single physical link fails) and an IGP inside the AS normally provides the route to the update source address.

3)    IBGP applies split horizon: routes learnt from an IBGP neighbor are not passed on to other IBGP neighbors, but they are passed on to EBGP neighbors.

R1(config)#router bgp 123      //Enable the BGP process with AS number 123.

R1(config-router)#neighbor 2.2.2.2 remote-as 123     //Specify the address of the BGP neighbor and the AS number of the neighbor.

R1(config-router)#neighbor 2.2.2.2 update-source loopback 0       //Configure the BGP update source address.

R1(config-router)#exit

 

R2(config)#router bgp 123

R2(config-router)#neighbor 1.1.1.1 remote-as 123

R2(config-router)#neighbor 1.1.1.1 update-source loopback 0

R2(config-router)#exit

 

4.      Advertise routes to BGP.

Notes:

In BGP, the network command specifies the routes to be advertised into the BGP process; unlike the network command in RIP and OSPF, it does not enable BGP on interfaces. A route advertised with the network command must be present in the routing table (shown by show ip route) on the local router, and its mask must exactly match the value of the mask parameter; otherwise the route is not advertised.

R1(config)#router bgp 123

R1(config-router)#network 10.1.1.0 mask 255.255.255.0

R1(config-router)#exit

 

V. Verification

1.      Check whether a BGP neighbor relationship is established between the routers and check the neighbor state. If the BGP neighbor relationship comes up and the state is Established, IBGP runs properly.

2.      Check routes on the IBGP neighbor routers. If routes advertised by the peer end are learnt, IBGP is configured correctly.

 

1.2.4.2    Basic Configuration of EBGP

 

Features

The Border Gateway Protocol (BGP) is an Exterior Gateway Protocol (EGP) used for communication between routers in different Autonomous Systems (ASs). BGP exchanges network reachability information between ASs and prevents routing loops with its own mechanisms (the AS path). BGP uses TCP (port 179) as its transport protocol, and the reliable delivery of TCP guarantees reliable transmission of BGP messages. Routers running BGP are called BGP speakers; BGP speakers between which a BGP session is established are called BGP peers.

Two kinds of BGP peering can be established between BGP speakers: Internal BGP (IBGP) and External BGP (EBGP). An IBGP session is established within an AS, while an EBGP session is established between different ASs. In short, EBGP exchanges routing information between ASs, while IBGP carries routing information inside an AS.

 

I. Networking Requirements

1)     Router R1 belongs to AS 1, Router R2 belongs to AS 2, and an EBGP neighbor relationship needs to be established between Router R1 and Router R2.

2)     Routes are advertised to neighbors over EBGP.

 

II. Networking Topology

 

III. Configuration Tips

1.      Configure basic IP addresses for routers throughout the network.

2.      Configure an EBGP neighbor relationship.

3.      Advertise routes to the BGP process.

 

IV. Configuration Steps

1.      Configure basic IP addresses for routers throughout the network.

Ruijie(config)#hostname R1

R1(config)#interface gigabitEthernet 0/0

R1(config-GigabitEthernet 0/0)#ip address 192.168.1.1 255.255.255.0

R1(config-GigabitEthernet 0/0)#exit

R1(config)#interface gigabitEthernet 0/1

R1(config-GigabitEthernet 0/1)#ip address 10.1.1.1 255.255.255.0

R1(config-GigabitEthernet 0/1)#exit

 

Ruijie(config)#hostname R2

R2(config)#interface fastEthernet 0/0

R2(config-if-FastEthernet 0/0)#ip address 192.168.1.2 255.255.255.0

R2(config-if-FastEthernet 0/0)#exit

R2(config)#interface fastEthernet 0/1

R2(config-if-FastEthernet 0/1)#ip address 10.4.1.1 255.255.255.0

R2(config-if-FastEthernet 0/1)#exit

2.      Configure an EBGP neighbor relationship.

Notes:

1)     If the AS number configured for a BGP neighbor is the same as the AS number of the local router, an IBGP neighbor relationship is established; if the AS numbers differ, an EBGP neighbor relationship is established.

R1(config)#router bgp 1

R1(config-router)#neighbor 192.168.1.2 remote-as 2

R1(config-router)#exit

 

R2(config)#router bgp 2

R2(config-router)#neighbor 192.168.1.1 remote-as 1

R2(config-router)#exit

3.      Advertise routes to the BGP process.

R1(config)#router bgp 1

R1(config-router)#network 10.1.1.0 mask 255.255.255.0

R1(config-router)#exit

 

R2(config)#router bgp 2

R2(config-router)#network 10.4.1.0 mask 255.255.255.0

R2(config-router)#exit

Notes:

In BGP, the network command specifies the routes to be advertised into the BGP process; unlike the network command in RIP and OSPF, it does not enable BGP on interfaces. A route advertised with the network command must be present in the routing table (shown by show ip route) on the local router, and its mask must exactly match the value of the mask parameter; otherwise the route is not advertised.

 

V. Verification

1.      Check whether a BGP neighbor relationship is established between the routers and check the neighbor state. If the BGP neighbor relationship comes up and the state is Established, EBGP runs properly.

2.      Check routes on the EBGP neighbor routers. If routes advertised by the peer end are learnt, EBGP is configured correctly.

 

1.2.4.3    Route Reflector

 

Features

A route reflector works around the split horizon rule of Internal BGP (IBGP), which otherwise requires a full mesh of IBGP sessions.

 

I. Networking Requirements

As shown in the following networking topology, Router R1 and Router R3 each peer only with Router R2 and fail to learn each other's BGP routes because of IBGP split horizon. A route reflector therefore needs to be configured on Router R2.

 

II. Networking Topology

III. Configuration Tips

1.      Configure IP addresses and basic IBGP information for routers throughout the network.

2.      Configure a route reflector.

 

IV. Configuration Steps

1.      Configure IP addresses and basic IBGP information for routers throughout the network.

For the configuration, see "IBGP Basic Configuration" (choose Typical Configuration > IP Routing > BGP > IBGP Basic Configuration).

2.      Configure a route reflector.

Configure Router R2 as a route reflector and specify Router R1 as a client.

R2(config)#router bgp 123

R2(config-router)#neighbor 1.1.1.1 route-reflector-client          //Specify R1 as a client of the route reflector on Router R2.

R2(config-router)#exit

Notes:

1)     When a neighbor is configured as a route reflector client, the BGP session with that neighbor is reset (torn down and re-established), so make the change in a maintenance window.

2)     A route reflector can only reflect routes that it has itself learnt over IBGP and selected as best paths.

3)     A route reflector reflects routes between a non-client and a client and between clients, but does not reflect routes learnt from a non-client to other non-clients.

 

V.Verification

Check routes throughout the network. IfRouter R1 and Router 3 successfully learn routes from the peer end, the routereflector is configured correctly.

 

1.2.5    Route Control

ACL and prefix-list

Similarities:

Both can be used to match the route prefix.

Differences:

An ACL can also filter IP packets by the five-tuple of the packet, whereas a prefix-list can only match route prefixes.

Selection:

Either an ACL or a prefix-list is acceptable when only the route prefix needs to be matched. When route prefixes with different mask lengths inside a larger network segment need to be matched, the prefix-list is preferred, because one prefix-list entry with ge/le bounds covers what would take one ACL entry per prefix.

distribute-list and route-map

Similarities:

Both can be used to filter routes.

Differences:

1)     A distribute-list can only filter route entries and does not support route attribute modification. A route-map can filter route entries and also modify route attributes.

2)     A route-map can forcibly change the next hop of data packets to implement policy-based routing (PBR).

3)     A distribute-list can be applied to routing protocol redistribution, to route exchange between distance vector routing protocol neighbors (routes themselves are exchanged between such neighbors, so they can be filtered), and to the routes a link state routing protocol submits to the routing table (link state neighbors exchange LSAs rather than routes, so the LSAs exchanged between neighbors cannot be filtered).

4)     A route-map is applied to routing protocol redistribution and to route exchange between BGP neighbors.

Selection:

The choice between distribute-list and route-map depends on the application scenario. If both can be used but route attributes need to be modified, the route-map is preferred. If no route attribute needs to be modified, either is acceptable.

 

1.2.5.1    Distribute-list

Features

A distribute-list controls route updates by filtering route entries. It does not support route attribute modification.

I. Networking Requirements

Redistribute RIP routes into the OSPF domain on Router R2. Route filtering is required during redistribution: only the routes 172.16.1.32/28, 172.16.1.48/29, and 172.16.1.56/30 are allowed to be redistributed into the OSPF domain.

II. Networking Topology

III. Configuration Tips

1.      Configure basic IP addresses.

2.      Enable RIP on Router R1 and Router R2 and advertise interfaces to the RIP process.

3.      Enable OSPF on Router R2 and Router R3 and advertise interfaces to the OSPF process.

4.      Redistribute the routes learnt by RIP into the OSPF process on Router R2.

5.      Use an ACL or prefix-list to match the routes to be redistributed.

6.      Redistribute RIP routes into the OSPF process on Router R2 and use a distribute-list to filter the routes.

 

IV. Configuration Steps

1.      Configure basic IP addresses.

Ruijie(config)#hostname R1
R1(config)#interface fastEthernet 0/0
R1(config-if-FastEthernet 0/0)#ip address 192.168.1.1 255.255.255.0
R1(config-if-FastEthernet 0/0)#exit
R1(config)#interface loopback 1
R1(config-if-Loopback 1)#ip address 172.16.1.1 255.255.255.224
R1(config-if-Loopback 1)#exit
R1(config)#interface loopback 2
R1(config-if-Loopback 2)#ip address 172.16.1.33 255.255.255.240
R1(config-if-Loopback 2)#exit
R1(config)#interface loopback 3
R1(config-if-Loopback 3)#ip address 172.16.1.49 255.255.255.248
R1(config-if-Loopback 3)#exit
R1(config)#interface loopback 4
R1(config-if-Loopback 4)#ip address 172.16.1.57 255.255.255.252
R1(config-if-Loopback 4)#exit

Ruijie(config)#hostname R2
R2(config)#interface fastEthernet 0/2
R2(config-if-FastEthernet 0/2)#ip address 192.168.1.2 255.255.255.0
R2(config-if-FastEthernet 0/2)#exit
R2(config)#interface fastEthernet 0/0
R2(config-if-FastEthernet 0/0)#ip address 192.168.2.1 255.255.255.0
R2(config-if-FastEthernet 0/0)#exit

Ruijie(config)#hostname R3
R3(config)#interface fastEthernet 0/1
R3(config-if-FastEthernet 0/1)#ip address 192.168.2.2 255.255.255.0
R3(config-if-FastEthernet 0/1)#exit

2.      Enable RIP on Router R1 and Router R2 and advertise interfaces to the RIP process.

R1(config)#router rip
R1(config-router)#version 2     //Enable RIPv2.
R1(config-router)#no auto-summary     //Disable automatic summarization, so that the /27 to /30 loopback subnets are advertised with their real masks.
R1(config-router)#network 172.16.0.0     //Advertise the classful network 172.16.0.0 to the RIP process.
R1(config-router)#network 192.168.1.0
R1(config-router)#exit

R2(config)#router rip
R2(config-router)#version 2
R2(config-router)#no auto-summary
R2(config-router)#network 192.168.1.0
R2(config-router)#exit

3.      Enable OSPF on Router R2 and Router R3 and advertise interfaces to the OSPF process.

R2(config)#router ospf 1    //Enable OSPF Process 1.
R2(config-router)#network 192.168.2.1 0.0.0.0 area 0    //Advertise the interface with the IP address 192.168.2.1 into Area 0 of OSPF Process 1.
R2(config-router)#exit

R3(config)#router ospf 1
R3(config-router)#network 192.168.2.2 0.0.0.0 area 0
R3(config-router)#exit

4.      Redistribute the routes learnt by RIP into the OSPF process on Router R2.

R2(config)#router ospf 1
R2(config-router)#redistribute rip subnets    //Redistribute RIP routes into the OSPF process. The subnets keyword must be appended, otherwise only classful networks are redistributed.
R2(config-router)#exit

5.      Use an ACL or prefix-list to match the routes to be redistributed.

Notes:

1)       Both an ACL and a prefix-list can be used to match route entries. Select either of them.

2)       When route prefixes with different mask lengths inside a larger network segment need to be matched, the prefix-list is preferred. An ACL can also be used, but it needs one entry per prefix.

In the following example, the route entries 172.16.1.32/27, 172.16.1.48/28, and 172.16.1.56/29 need to be matched: three ACE entries are required in the ACL, but only one entry is required in the prefix-list.

1)     Use an ACL to match route entries.

Notes:

The ACL is used here to match route entries, and the wildcard mask is set to 0.0.0.0 so that each entry matches exactly one prefix address. Note that a standard ACL compares only the prefix address of a route, not its mask length; a prefix-list can check both.

R2(config)#ip access-list standard 1
R2(config-std-nacl)#10 permit 172.16.1.32 0.0.0.0
R2(config-std-nacl)#20 permit 172.16.1.48 0.0.0.0
R2(config-std-nacl)#30 permit 172.16.1.56 0.0.0.0
R2(config-std-nacl)#exit

2)     Use a prefix-list to match route entries.

Notes:

1)       A prefix-list can only be used to match route entries. It cannot be used to filter data packets.

2)       A prefix-list matches subnets within a network segment: ge gives the minimum mask length a route must have (greater than or equal to), and le gives the maximum (less than or equal to).

3)       A prefix-list is also matched from top to bottom, and an implicit deny any sits at the bottom.

R2(config)#ip prefix-list ruijie seq 10 permit 172.16.1.0/24 ge 28 le 30   //Define a prefix-list named ruijie that matches routes within 172.16.1.0/24 whose subnet mask length is greater than or equal to 28 and less than or equal to 30.

6.      Redistribute RIP routes into the OSPF process on Router R2 and use a distribute-list to filter the routes.

Notes:

1)     A distribute-list does not describe routes itself: it references an ACL or a prefix-list, and that ACL or prefix-list decides which route entries are permitted and which are filtered out.

2)     A distribute-list can be applied to routing protocol redistribution, to route exchange between distance vector routing protocol neighbors (routes themselves are exchanged between such neighbors, so they can be filtered), and to the routes a link state routing protocol submits to the routing table (link state neighbors exchange LSAs rather than routes, so the LSAs exchanged between neighbors cannot be filtered).

The following examples use a distribute-list that calls an ACL and one that calls a prefix-list to filter routes.

1)     Use a distribute-list that calls an ACL to filter routes.

R2(config)#router ospf 1
R2(config-router)#distribute-list 1 out rip     //Filter routes when RIP routes are redistributed into the OSPF process (note that the direction must be out).
R2(config-router)#exit

2)     Use a distribute-list that calls a prefix-list to filter routes.

R2(config)#router ospf 1
R2(config-router)#distribute-list prefix ruijie out rip    //Filter routes when RIP routes are redistributed into the OSPF process (note that the direction must be out).
R2(config-router)#exit

Supplement:

1)     A distance vector protocol uses a distribute-list to filter the route entries exchanged with neighbors. The commands are as follows:

R2(config)#router rip
R2(config-router)#distribute-list 1 in fastEthernet 0/2    //1 indicates ACL 1; a prefix-list can also be used. in filters routes learnt from neighbors and out filters routes sent to neighbors. A specific interface can also be appended.

2)     A link state protocol uses a distribute-list to filter the route entries to be submitted to the routing table.

R2(config)#router ospf 1
R2(config-router)#distribute-list 1 in    //1 indicates ACL 1; a prefix-list can also be used. The direction must be in.

 

V. Verification

Check the route entries on Router R3. If Router R3 successfully learns the route entries 172.16.1.32/28, 172.16.1.48/29, and 172.16.1.56/30 (and not 172.16.1.0/27), the distribute-list used for route filtering is configured correctly.

R3#show ip route

Codes:  C - connected, S - static, R - RIP, B - BGP
        O - OSPF, IA - OSPF inter area
        N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
        E1 - OSPF external type 1, E2 - OSPF external type 2
        i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
        ia - IS-IS inter area, * - candidate default

Gateway of last resort is no set

O E2 172.16.1.32/28 [110/20] via 192.168.2.1, 00:02:45, FastEthernet 0/1
O E2 172.16.1.48/29 [110/20] via 192.168.2.1, 00:02:29, FastEthernet 0/1
O E2 172.16.1.56/30 [110/20] via 192.168.2.1, 00:02:21, FastEthernet 0/1
C    192.168.2.0/24 is directly connected, FastEthernet 0/1
C    192.168.2.2/32 is local host.

 

1.2.5.2     Route-map

Features

A route-map controls route updates and supports route attribute modification.

I. Networking Requirements

Redistribute RIP routes into the OSPF domain on Router R2. Route filtering is required during redistribution: only the routes 172.16.1.32/28, 172.16.1.48/29, and 172.16.1.56/30 are allowed to be redistributed into the OSPF domain. The imported external routes must be of type OE1 with a metric value of 50.

II. Networking Topology

III. Configuration Tips

1.      Configure basic IP addresses.

2.      Enable RIP on Router R1 and Router R2 and advertise interfaces to the RIP process.

3.      Enable OSPF on Router R2 and Router R3 and advertise interfaces to the OSPF process.

4.      Redistribute the routes learnt by RIP into the OSPF process on Router R2.

5.      Use an ACL or prefix-list to match the routes to be redistributed.

6.      Configure a route-map.

7.      Redistribute RIP routes into the OSPF process on Router R2 and call the route-map for route control.

IV. Configuration Steps

1.      Configure basic IP addresses.

Ruijie(config)#hostname R1
R1(config)#interface fastEthernet 0/0
R1(config-if-FastEthernet 0/0)#ip address 192.168.1.1 255.255.255.0
R1(config-if-FastEthernet 0/0)#exit
R1(config)#interface loopback 1
R1(config-if-Loopback 1)#ip address 172.16.1.1 255.255.255.224
R1(config-if-Loopback 1)#exit
R1(config)#interface loopback 2
R1(config-if-Loopback 2)#ip address 172.16.1.33 255.255.255.240
R1(config-if-Loopback 2)#exit
R1(config)#interface loopback 3
R1(config-if-Loopback 3)#ip address 172.16.1.49 255.255.255.248
R1(config-if-Loopback 3)#exit
R1(config)#interface loopback 4
R1(config-if-Loopback 4)#ip address 172.16.1.57 255.255.255.252
R1(config-if-Loopback 4)#exit

Ruijie(config)#hostname R2
R2(config)#interface fastEthernet 0/2
R2(config-if-FastEthernet 0/2)#ip address 192.168.1.2 255.255.255.0
R2(config-if-FastEthernet 0/2)#exit
R2(config)#interface fastEthernet 0/0
R2(config-if-FastEthernet 0/0)#ip address 192.168.2.1 255.255.255.0
R2(config-if-FastEthernet 0/0)#exit

Ruijie(config)#hostname R3
R3(config)#interface fastEthernet 0/1
R3(config-if-FastEthernet 0/1)#ip address 192.168.2.2 255.255.255.0
R3(config-if-FastEthernet 0/1)#exit

2.      Enable RIP on Router R1 and Router R2 and advertise interfaces to the RIP process.

R1(config)#router rip
R1(config-router)#version 2     //Enable RIPv2.
R1(config-router)#no auto-summary     //Disable automatic summarization.
R1(config-router)#network 172.16.0.0     //Advertise the classful network 172.16.0.0 to the RIP process.
R1(config-router)#network 192.168.1.0
R1(config-router)#exit

R2(config)#router rip
R2(config-router)#version 2
R2(config-router)#no auto-summary
R2(config-router)#network 192.168.1.0
R2(config-router)#exit

3.      Enable OSPF on Router R2 and Router R3 and advertise interfaces to the OSPF process.

R2(config)#router ospf 1    //Enable OSPF Process 1.
R2(config-router)#network 192.168.2.1 0.0.0.0 area 0    //Advertise the interface with the IP address 192.168.2.1 into Area 0 of OSPF Process 1.
R2(config-router)#exit

R3(config)#router ospf 1
R3(config-router)#network 192.168.2.2 0.0.0.0 area 0
R3(config-router)#exit

4.      Redistribute the routes learnt by RIP into the OSPF process on Router R2.

R2(config)#router ospf 1
R2(config-router)#redistribute rip subnets    //Redistribute RIP routes into the OSPF process. The subnets keyword must be appended.
R2(config-router)#exit

5.      Use an ACL or prefix-list to match the routes to be redistributed.

Notes:

1)     Both an ACL and a prefix-list can be used to match route entries. Select either of them.

2)     If several subnet routes within a network segment need to be matched, the prefix-list is preferred. An ACL can also be used, but it needs one entry per prefix.

In the following example, the route entries 172.16.1.32/27, 172.16.1.48/28, and 172.16.1.56/29 need to be matched: three ACE entries are required in the ACL, but only one entry is required in the prefix-list.

1)     Use an ACL to match route entries.

Notes:

The ACL is used here to match route entries, and the wildcard mask is set to 0.0.0.0 so that each entry matches exactly one prefix address.

R2(config)#ip access-list standard 1
R2(config-std-nacl)#10 permit 172.16.1.32 0.0.0.0
R2(config-std-nacl)#20 permit 172.16.1.48 0.0.0.0
R2(config-std-nacl)#30 permit 172.16.1.56 0.0.0.0
R2(config-std-nacl)#exit

2)     Use a prefix-list to match route entries.

Notes:

1)     A prefix-list can only be used to match route entries. It cannot be used to filter data packets.

2)     A prefix-list matches subnets within a network segment: ge gives the minimum mask length a route must have (greater than or equal to), and le gives the maximum (less than or equal to).

3)     A prefix-list is matched from top to bottom, following the same matching sequence and rules as an ACL.

R2(config)#ip prefix-list ruijie seq 10 permit 172.16.1.0/24 ge 28 le 30   //Define a prefix-list named ruijie that matches routes within 172.16.1.0/24 whose subnet mask length is greater than or equal to 28 and less than or equal to 30.

6.      Configure a route-map.

Notes:

1)     A route-map can filter routes and modify route attributes.

2)     A route-map can use multiple match conditions (including route entries, metric value, and metric type), whereas a distribute-list can only match route entries.

3)     A route-map is matched from top to bottom, and there is an implicit deny any at the end of every route-map.

4)     The execution logic of a route-map is as follows:

route-map aaa permit 10
    match x y z    //Multiple conditions on one match line are in an OR relationship: the match line is satisfied as long as one of the conditions is met.
    match a
    set b          //Multiple set statements on separate lines are all executed when the sequence matches.
    set c

route-map aaa permit 20
    match p
    match q        //Match conditions on separate lines are in an AND relationship: the sequence is matched only when all of the conditions are met.
    set r

route-map aaa deny any    //Implicit; hidden in the system.

The execution logic is as follows:

if ((x or y or z) and a)
    then set (b and c)
else if (p and q)
    then set r
else deny

The match ip address clause of a route-map can reference either an ACL or a prefix-list, but only one of the two can be selected. See the following examples.

1)     match ip address uses an ACL for matching.

R2(config)#route-map aaa permit 10
R2(config-route-map)#match ip address 1    //Match the route entries permitted by ACL 1.
R2(config-route-map)#set metric-type type-1     //Set the type of the imported external routes to 1 (OE1).
R2(config-route-map)#set metric 50    //Set the metric of the imported external routes to 50.
R2(config-route-map)#exit

2)     match ip address uses a prefix-list for matching.

R2(config)#route-map aaa permit 10
R2(config-route-map)#match ip address prefix-list ruijie    //Match the route entries permitted by the prefix-list named ruijie.
R2(config-route-map)#set metric-type type-1
R2(config-route-map)#set metric 50
R2(config-route-map)#exit

7.      Redistribute RIP routes into the OSPF process on Router R2 and call the route-map for route control.

Notes:

A route-map can be applied during route redistribution, or to a BGP neighbor relationship using the neighbor command.

R2(config)#router ospf 1
R2(config-router)#redistribute rip subnets route-map aaa    //Apply route-map aaa when RIP routes are redistributed into the OSPF process.
R2(config-router)#exit

Supplement:

The configuration commands for applying a route-map to a BGP neighbor relationship are as follows:

R2(config)#router bgp 1
R2(config-router)#neighbor 10.1.1.1 route-map aaa in    //in applies the route-map to routes learnt from the neighbor; out applies it to routes advertised to the neighbor. After a route-map is configured for a BGP neighbor, the neighbor's routes must be soft reset for the configuration to take effect. Do not perform this operation during service peak hours.

 

V. Verification

Check the route entries on Router R3. The route-map used for route control is configured correctly if Router R3 successfully learns the route entries 172.16.1.32/28, 172.16.1.48/29, and 172.16.1.56/30 as OE1 routes with a changed cost. The cost shown is 51 rather than 50 because an E1 route adds the internal cost from R3 to the ASBR R2 (1 over FastEthernet) to the metric set by the route-map.

R3#show ip route

Codes:  C - connected, S - static, R - RIP, B - BGP
        O - OSPF, IA - OSPF inter area
        N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
        E1 - OSPF external type 1, E2 - OSPF external type 2
        i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
        ia - IS-IS inter area, * - candidate default

Gateway of last resort is no set

O E1 172.16.1.32/28 [110/51] via 192.168.2.1, 00:03:14, FastEthernet 0/1
O E1 172.16.1.48/29 [110/51] via 192.168.2.1, 00:03:14, FastEthernet 0/1
O E1 172.16.1.56/30 [110/51] via 192.168.2.1, 00:03:14, FastEthernet 0/1
C    192.168.2.0/24 is directly connected, FastEthernet 0/1
C    192.168.2.2/32 is local host.
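The following Python model is an added example, not part of the cookbook: it reproduces how ACL 1, the prefix-list ruijie, the distribute-list of section 1.2.5.1 and route-map aaa of this section decide which of R2's four RIP routes enter OSPF, and what R3 then shows. The Route class, the RIP routes and the E1/E2 cost calculation are constructed assumptions; the ACL, prefix-list and route-map values are the page's.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_network


@dataclass
class Route:
    prefix: IPv4Network
    metric: int = 20              # OSPF default metric for redistributed routes
    metric_type: str = "type-2"   # OSPF default external type (shown as E2)


def rip_route(prefix):
    return Route(ip_network(prefix), metric=1)


# R2's four RIP routes, learnt from R1's loopbacks in step 1 (constructed here).
RIP_ROUTES = [rip_route(p) for p in
              ("172.16.1.0/27", "172.16.1.32/28", "172.16.1.48/29", "172.16.1.56/30")]

# ACL 1 from the page; a wildcard of 0.0.0.0 means every address bit must match.
ACL_1 = [("172.16.1.32", "0.0.0.0"), ("172.16.1.48", "0.0.0.0"), ("172.16.1.56", "0.0.0.0")]


def acl_permits(acl, route):
    """Standard ACL used against a route: compares only the prefix address,
    never the mask length; implicit deny any at the end."""
    for addr, wildcard in acl:
        care = ~int(IPv4Address(wildcard)) & 0xFFFFFFFF
        if (int(route.prefix.network_address) ^ int(IPv4Address(addr))) & care == 0:
            return True
    return False


# ip prefix-list ruijie seq 10 permit 172.16.1.0/24 ge 28 le 30
PREFIX_LIST_RUIJIE = [(10, "permit", "172.16.1.0/24", 28, 30)]


def prefix_list_permits(plist, route):
    """Entries are tried in seq order; one matches when the route lies inside its
    prefix and the route's mask length is within [ge, le] (with neither given, the
    length must equal the entry's own).  Falls through to an implicit deny any."""
    for _seq, action, prefix, ge, le in sorted(plist, key=lambda e: e[0]):
        net = ip_network(prefix)
        lo = ge if ge is not None else net.prefixlen
        hi = le if le is not None else (32 if ge is not None else net.prefixlen)
        if route.prefix.subnet_of(net) and lo <= route.prefix.prefixlen <= hi:
            return action == "permit"
    return False


# route-map aaa permit 10 / match ip address prefix-list ruijie /
# set metric-type type-1 / set metric 50.  "match" holds one list per match line;
# the alternatives on one line are ORed, the lines of a sequence are ANDed.
ROUTE_MAP_AAA = [{"seq": 10, "action": "permit",
                  "match": [[lambda r: prefix_list_permits(PREFIX_LIST_RUIJIE, r)]],
                  "set": {"metric_type": "type-1", "metric": 50}}]


def route_map_apply(rmap, route):
    """First matching sequence decides.  A permit returns the route with its set
    actions applied; a deny, or no match at all (implicit deny any), returns None."""
    for seq in sorted(rmap, key=lambda s: s["seq"]):
        if all(any(alt(route) for alt in line) for line in seq["match"]):
            if seq["action"] != "permit":
                return None
            attrs = {"metric": 20, "metric_type": "type-2", **seq["set"]}
            return Route(route.prefix, **attrs)
    return None


def redistribute_rip_to_ospf(rip_routes, distribute_filter=None, route_map=None):
    """'redistribute rip subnets' on R2, with either a distribute-list (filter only,
    default attributes) or a route-map (filter plus attribute changes)."""
    out = []
    for r in rip_routes:
        if route_map is not None:
            ext = route_map_apply(route_map, r)
            if ext is not None:
                out.append(ext)
        elif distribute_filter is None or distribute_filter(r):
            out.append(Route(r.prefix))
    return out


def cost_seen_by_r3(ext, link_cost=1):
    """The cost in R3's 'show ip route': an E1 route adds the internal cost to the
    ASBR (R2), an E2 route shows the external metric unchanged."""
    return ext.metric + link_cost if ext.metric_type == "type-1" else ext.metric


if __name__ == "__main__":
    def by_prefix_list(r):
        return prefix_list_permits(PREFIX_LIST_RUIJIE, r)
    for label, routes in (("distribute-list prefix ruijie out rip",
                           redistribute_rip_to_ospf(RIP_ROUTES, distribute_filter=by_prefix_list)),
                          ("redistribute rip subnets route-map aaa",
                           redistribute_rip_to_ospf(RIP_ROUTES, route_map=ROUTE_MAP_AAA))):
        print(label)
        for e in routes:
            kind = "E1" if e.metric_type == "type-1" else "E2"
            print(f"  O {kind} {e.prefix} [110/{cost_seen_by_r3(e)}]")
```

The 172.16.1.0/27 route is dropped by both filters, and the route 172.16.1.32/27 in the test below shows the difference between them: the ACL accepts it because only the address is compared, the prefix-list rejects it because 27 is below ge 28.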

 

1.2.6    Policy-Based Routing

Features

Policy-Based Routing (PBR) provides a packet routing and forwarding mechanism that is more flexible than routing and forwarding based on the destination address alone. PBR selects a route based on the source address, destination address, port number, and packet length of IP/IPv6 packets.

Scenarios

An enterprise has two egress paths: some PCs in the intranet access the Internet through one egress path and the other PCs access the Internet through the other. In this case, the PBR function can be enabled on the routers.

I. Networking Requirements

As shown in the following networking topology, Router R1 has two egresses to the external network: Router R3 and Router R4. The intranet 172.16.1.0/24 needs to access the external network through Router R3, and the intranet 172.16.2.0/24 needs to access the external network through Router R4.

II. Networking Topology

III. Configuration Tips

1.      Configure basic IP addresses.

2.      Configure basic IP routes to ensure that routes throughout the network are reachable.

3.      Configure ACLs on Router R1 to match the traffic of the intranets.

4.      Configure PBR.

5.      Apply PBR.

IV. Configuration Steps

1.      Configure basic IP addresses.

Ruijie(config)#hostname R1
R1(config)#interface gigabitEthernet 0/0
R1(config-GigabitEthernet 0/0)#ip address 192.168.1.1 255.255.255.0
R1(config-GigabitEthernet 0/0)#exit
R1(config)#interface gigabitEthernet 0/1
R1(config-GigabitEthernet 0/1)#ip address 192.168.2.1 255.255.255.0
R1(config-GigabitEthernet 0/1)#exit
R1(config)#interface gigabitEthernet 0/2
R1(config-GigabitEthernet 0/2)#ip address 192.168.3.1 255.255.255.0
R1(config-GigabitEthernet 0/2)#exit

Ruijie(config)#hostname R2
R2(config)#interface gigabitEthernet 0/0
R2(config-GigabitEthernet 0/0)#ip address 192.168.1.2 255.255.255.0
R2(config-GigabitEthernet 0/0)#exit
R2(config)#interface gigabitEthernet 0/1
R2(config-GigabitEthernet 0/1)#ip address 172.16.1.1 255.255.255.0
R2(config-GigabitEthernet 0/1)#exit
R2(config)#interface gigabitEthernet 0/2
R2(config-GigabitEthernet 0/2)#ip address 172.16.2.1 255.255.255.0
R2(config-GigabitEthernet 0/2)#exit

Ruijie(config)#hostname R3
R3(config)#interface fastEthernet 0/0
R3(config-if-FastEthernet 0/0)#ip address 192.168.2.2 255.255.255.0
R3(config-if-FastEthernet 0/0)#exit

Ruijie(config)#hostname R4
R4(config)#interface fastEthernet 0/0
R4(config-if-FastEthernet 0/0)#ip address 192.168.3.2 255.255.255.0
R4(config-if-FastEthernet 0/0)#exit

2.      Configure basic IP routes to ensure that routes throughout the network are reachable.

R1(config)#ip route 172.16.0.0 255.255.0.0 192.168.1.2
R2(config)#ip route 100.1.1.0 255.255.255.0 192.168.1.1
R3(config)#ip route 172.16.0.0 255.255.0.0 192.168.2.1
R4(config)#ip route 172.16.0.0 255.255.0.0 192.168.3.1

3.      Configure ACLs on Router R1 to match the traffic of the intranets.

R1(config)#ip access-list standard 10          //Configure ACL 10 to match the traffic of the intranet 172.16.1.0/24.
R1(config-std-nacl)#10 permit 172.16.1.0 0.0.0.255
R1(config-std-nacl)#exit
R1(config)#ip access-list standard 20          //Configure ACL 20 to match the traffic of the intranet 172.16.2.0/24.
R1(config-std-nacl)#10 permit 172.16.2.0 0.0.0.255
R1(config-std-nacl)#exit

4.      Configure PBR.

R1(config)#route-map ruijie permit 10        //Configure a route-map named ruijie.
R1(config-route-map)#match ip address 10     //Match the intranet traffic permitted by ACL 10.
R1(config-route-map)#set ip next-hop 192.168.2.2    //Set the next-hop address of the matched IP packets to 192.168.2.2.
R1(config-route-map)#exit
R1(config)#route-map ruijie permit 20
R1(config-route-map)#match ip address 20
R1(config-route-map)#set ip next-hop 192.168.3.2
R1(config-route-map)#exit

Notes:

1)     The route-map matches traffic from top to bottom. When traffic matches a PBR sequence, the data is forwarded according to that sequence and matching stops.

2)     There is an implicit deny statement at the end of the route-map. Intranet traffic that matches no PBR sequence is not discarded; it is routed and forwarded as normal IP traffic according to the routing table.

3)     The set action can specify either the next-hop IP address (set ip next-hop) or the outbound interface (set interface) for the data packets. The next-hop IP address is recommended.

5.      Apply PBR.

R1(config)#interface gigabitEthernet 0/0
R1(config-GigabitEthernet 0/0)#ip policy route-map ruijie    //Apply PBR on the interface on which the intranet traffic arrives.
R1(config-GigabitEthernet 0/0)#exit

Notes:

PBR must be applied on the inbound interface of the data packets, not on the outbound interface. PBR forcibly sets the next hop of data packets as they enter the router. By the time packets reach the outbound interface, the router has already made its routing decision and is sending them out, so PBR has no effect in the outbound direction.

V. Verification

Trace the route to the external network 100.1.1.0/24 from Router R2 using each intranet source address. If the intranet 172.16.1.0/24 reaches the external network through R3 and the intranet 172.16.2.0/24 reaches it through R4, PBR is configured correctly.

R2#traceroute 100.1.1.1 source 172.16.1.1
< press Ctrl+C to break >
Tracing the route to 100.1.1.1

 1   192.168.1.1 0 msec 0 msec 0 msec
 2   192.168.2.2 10 msec 0 msec 10 msec     //The intranet 172.16.1.0/24 accesses the external network through Router R3.
The remaining hops are omitted here.

R2#traceroute 100.1.1.1 source 172.16.2.1
< press Ctrl+C to break >
Tracing the route to 100.1.1.1

 1   192.168.1.1 0 msec 0 msec 0 msec
 2   192.168.3.2 10 msec 0 msec 10 msec     //The intranet 172.16.2.0/24 accesses the external network through Router R4.
The remaining hops are omitted here.

1.2.7    Routing across VRFs

Features:

The VPN Routing and Forwarding table (VRF) isused to solve conflicts between local routes. The connection between a PE and aCE should be correlated with a VRF. Each VRF can be assumed as a "virtualrouter" and routing between VRFs is isolated.

A VRF consists of:

1.      An independent routing table;

2.      A set of interfaces belonging to this VRF;

3.      A set of routing protocols only applicable to this VRF.

 

As forwarding between VRFs is isolated, howis route connectivity between VRFs realized? There are two common methods:static routing and policy-based routing to implement routing across VRFs.

Routing across VRFs through StaticRouting:

Configuration Template 1:

ip route[vrf vrf_name] network mask [interface-type interface-number] [ip-address]

 

Configuration Example 1:

ip routevrf vpn1 10.0.0.0 255.0.0.0 GigabitEthernet 3/1/0 12.0.0.1

 

Configuration Explanation 1:

Add a static route to 10.0.0.0/8 segmentin the VRF VPN1. Data packets to this segment are forwarded from the GI3/1/0interface to the next-hop interface 12.0.0.1.

The outbound interface (the GI3/1/0interface in the example) indicates the VRF to which data packets aretransferred, that is, specifies the VRF to which the outbound interfacebelongs. It indicates that the destination segment will be transferred to thisVRF.

 

//If no VRF is added on an interface, thisinterface belongs to a global VRF, namely a global routing table.

//As VRF transfer is marked by theoutbound interface, configure a static route in the form of outbound interface+ next hop IP address. Otherwise, the ARP resolution will fail and data cannotbe transferred.

Configuration Template 2:

ip route[vrf vrf_name] network mask  ip-address global

 

Configuration Example 2:

ip routevrf vpn1 10.0.0.0 255.0.0.0 12.0.0.1 global

 

Configuration Explanation 2:

Global indicates a global routing table.

Add a static route to 10.0.0.0/8 segmentin the VRF VPN1. Data packets to this segment are forwarded from the globalrouting table to the next-hop interface 12.0.0.1.

Difference between Configuration Template1 and Configuration Template 2:

"Configuration Template 1"supports routing across VRFs between VRFs, and between any VRF and a globalrouting table.

"Configuration Template 2"supports routing across VRFs between any VRF and a global routing table onlyand cannot support routing across VRFs between any VRFs.

Routing across VRFs Through Policy-basedRouting:

1)     Define the ACL interesting traffic.

ipaccess-list extended 100

 10 permitip 10.0.0.0 0.255.255.255 any

 

2)     Define policy-based routing.

route-mapinternet permit 10

 match ipaddress 100

 set vrfvpn1

//set vrf: Routes IPpackets through the specified interface using a VRF instance. The priority ofpolicy-based routing is higher than that of common routing. This command cannotnot be configured together with set ip [default] nexthop or set[default ]interface. Select routes for IP packets that are received fromthe interface and match the match rules using a VRF specified by set vrf,no matter whether this VRF and the interface that receives the packets belongto the same VRF.

3)     Apply policy-based routing on the interface.

interfaceGigabitEthernet 3/1/0

 ip policyroute-map internet

 

 

I. Actual Networking Requirements

The Multiprotocol Label Switching (MPLS) VPNhas been widely used. As known to all, the public network and VPN carried byMPLS cannot access each other because they are across VRFs which isolate thepublic network from the private network.

The networks have a requirement that somenon-VPN services need to be carried by a public network. That is, some servicesare not included in the VPN can be accessed through a public network. Asgenerally VPN services and non-VPN services have no need for mutual access, thetwo can be carried by the same public network.

However, some networks have a specialrequirement that non-VPN services need to access the Internet while theInternet egress belongs to a VRF instance of MPLS VPN. How to realize mutualaccess between non-VPN services and VPN services becomes an issue.

Requirements:

The department A and office MAN belongs to anon-VPN service and needs to realize mutual access with other non-VPN services.

The department A and office MAN needs toaccess the Internet.

Non-VPN services other than the department Aand office MAN cannot access the Internet.

Topology Description:

This topology is the actual topology of anetwork.

The part with yellow shading refers to thepublic network and carries VPN services and non-VPN services at the same time.

At the Internet egress, the interface thatconnects two RSR7716 routers to a RSR7708 router belongs to the VRF Internet.

 

II. Network Topology

 

III. Analog Networking Requirements

PC 1 belongs to a non-VPN service and needsto realize mutual access with other non-VPN services.

PC 1 needs to access the Internet.

Non-VPN services other than PC 1 cannotaccess the Internet.

IV. Network Topology

V. Configuration Tips

Data transmission is bidirectional. Ruijieconsiders the route connectivity both from PC 1 to the Internet and from theInternet to PC 1.

From PC 1 to the Internet:

Requirement: PC 1 needs to access the Internet,but non-VPN services other than PC 1 cannot access the Internet. Therefore,implement the VRF policy-based routing in the direction of the ingress GI3/1/0of PE 1. Routing across VRFs is allowed in the PC 1 segment only and blocked inother segments.

Import a default route to the globalrouting table on PE 1 so that non-VPN services on the public network can learnthe default route to the Internet.

From the Internet to PC 1:

PE 1 needs a reverse route. Ruijie usesthe static routing across VRFs to reverse to the PC1 segment.

PE 1 needs to redistribute the staticroute to OSPF in VRF so that the egress router can learn the non-VPN route.

 

VI. Configuration Steps

Routing across VRFs is generally applied toPEs on the MPLS VPN, but it is VRF transfer in essence and unrelated to theMPLS.Therefore, MPLS VPN configuration is not involved in this example.

PE 1 Configuration:

1.      Basic configuration for route connectivity.

ip vrfvpn1  

interfaceGigabitEthernet 3/1/0

   ippolicy route-map internet

   ipaddress 12.0.0.2 255.255.255.0

interfaceGigabitEthernet 3/1/1

   ip vrfforwarding vpn1

   ipaddress 23.0.0.2 255.255.255.0

interfaceLoopback 0

   ipaddress 2.2.2.2 255.255.255.255

routerospf 1

   network2.2.2.2 0.0.0.0 area 0

   network12.0.0.2 0.0.0.0 area 0

  default-information originate always

routerospf 10 vrf vpn1

  redistribute static subnets

   network23.0.0.2 0.0.0.0 area 0

 

2.      Routing policy from PC 1 to the Internet (policy-based routing)

route-map internet permit 10
   match ip address 100
   set vrf vpn1

ip access-list extended 100
   10 permit ip 10.0.0.0 0.255.255.255 any      //Sources steered into vpn1; keep this no wider than the PC 1 segment

interface GigabitEthernet 3/1/0
   ip policy route-map internet

 

3.      Routing policy from the Internet to PC 1 (static route across VRFs)

ip route vrf vpn1 10.0.0.0 255.0.0.0 GigabitEthernet 3/1/0 12.0.0.1

 

PE 2 Configuration:

interface GigabitEthernet 0/0
   ip ref
   ip address 12.0.0.1 255.255.255.0

interface GigabitEthernet 0/1
   ip ref
   ip address 10.0.0.254 255.255.255.0

interface Loopback 0
   ip ref
   ip address 1.1.1.1 255.255.255.255

router ospf 1
   network 1.1.1.1 0.0.0.0 area 0
   network 10.0.0.0 0.0.0.255 area 0
   network 12.0.0.1 0.0.0.0 area 0

Configuration for the Internet egress router:

interface GigabitEthernet 0/0
   ip ref
   ip address 23.0.0.3 255.255.255.0

interface Loopback 0
   ip ref
   ip address 3.3.3.3 255.255.255.255

router ospf 1
   redistribute static subnets
   network 23.0.0.3 0.0.0.0 area 0
   default-information originate

ip route 0.0.0.0 0.0.0.0 Loopback 0

 

 

VII. Verification

1.      PC 1 can ping 3.3.3.3, the loopback of the Internet egress router.

PC1#ping 3.3.3.3

Sending 5, 100-byte ICMP Echoes to 3.3.3.3, timeout is 2 seconds:
  < press Ctrl+C to break >
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/12/20 ms

2.      A host in any other non-VPN segment must fail the same ping. If it succeeds, the match in ACL 100 is wider than the PC 1 segment.

 

1.3     Fixed Switch Modules

 

Features

The RSR10-02E, RSR20-04E, and RSR20-14E/F routers have fixed switch ports. These routers use a new architecture, so their configuration differs from that of the NMX-24ESW switch module. Fixed switch modules have the following characteristics:

1.      You cannot log in to a fixed switch module, and it does not need to be managed separately (there is no centralized or distributed management).

2.      All configuration of a fixed switch module is done on the router CLI (integrated routing and switching).

3.      The switching functions of a fixed switch module are configured with the same commands as on a switch.

Configuration Examples

(Note: The following configurationis completed on the router CLI.)

1.      Create VLAN 10 and VLAN 20.

Ruijie#config terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Ruijie(config)#vlan 10
Ruijie(config-vlan)#exit
Ruijie(config)#vlan 20
Ruijie(config-vlan)#exit

2.      Configure the SVI addresses for VLAN 10 and VLAN 20.

Ruijie(config)#interface vlan 10
Ruijie(config-if-VLAN 10)#ip address 10.0.0.1 255.255.255.0
Ruijie(config-if-VLAN 10)#exit
Ruijie(config)#interface vlan 20
Ruijie(config-if-VLAN 20)#ip address 20.0.0.1 255.255.255.0
Ruijie(config-if-VLAN 20)#exit

3.      Configure the attributes of the switch ports.

Ruijie(config)#interface fastEthernet 1/1
Ruijie(config-if-FastEthernet 1/1)#switchport mode access
Ruijie(config-if-FastEthernet 1/1)#switchport access vlan 10
Ruijie(config-if-FastEthernet 1/1)#exit
Ruijie(config)#interface fastEthernet 1/2
Ruijie(config-if-FastEthernet 1/2)#switchport mode access
Ruijie(config-if-FastEthernet 1/2)#switchport access vlan 20
Ruijie(config-if-FastEthernet 1/2)#exit
Ruijie(config)#interface fastEthernet 1/3
Ruijie(config-if-FastEthernet 1/3)#switchport mode trunk

 

1.4     Security

1.4.1    ACL

1.4.1.1    Standard ACL

 

A standard ACL can only match source IP addresses.

Application Scenario

When setting security policy, a standard ACL controls all traffic from certain IP addresses or a network segment, for example to stop certain IP addresses from reaching any resource. An extended ACL controls part of the traffic from certain IP addresses or a network segment, for example to stop certain IP addresses from reaching another network segment.

 

I.Networking Requirements

The intranet host PC1 (192.168.1.2) is to be prohibited from accessing the Internet; other IP addresses are not restricted.

 

II. Network Topology

 

 

III. Configuration Tips

1.      Configure a standard ACL in global mode.

2.      Apply the standard ACL on the intranet interface.

3.      Save the configuration.

 

IV. Configuration Steps

1.      Configure a standard ACL in global mode

Notes:

(1)    Standard ACLs are numbered 1 to 99 and 1300 to 1999. Extended ACLs are numbered 100 to 199 and 2000 to 2699.

(2)    A standard ACL can only match source IP addresses; an extended ACL can match five elements of the flow (source IP address, destination IP address, source port, destination port, and protocol number).

(3)    An ACL evaluates its ACEs from top to bottom (in ascending order of sequence number). At the first match the ACL applies that ACE's action (permit/deny) and consults no further ACEs.

(4)    Every ACL ends with an implicit "deny any" that drops all unmatched traffic. To block one network segment while allowing the others, add a "permit any" ACE after the deny ACE; without it, the implicit deny cuts off every host.

Ruijie(config)#ip access-list standard 1      //Creates standard ACL 1
Ruijie(config-std-nacl)#10 deny 192.168.1.2 0.0.0.0      //ACE with sequence number 10 matching the single host 192.168.1.2 (IP address + wildcard mask)
Ruijie(config-std-nacl)#20 permit any      //Permits all other traffic
Ruijie(config-std-nacl)#exit

2.      Apply the standard ACL on the intranet interface

Ruijie(config)#interface fastEthernet 0/0
Ruijie(config-if-FastEthernet 0/0)#ip access-group 1 in      //Applies ACL 1 inbound on the intranet interface

3.      Save the configuration

Ruijie(config-if-FastEthernet 0/0)#end
Ruijie#write      //Verifies and saves the configuration

 

V. Verification

Test whether the intranet PCs can access the Internet. If PC1 cannot access the Internet but the other PCs can, the configuration is correct.

1.      Show the ACL configuration.

Ruijie#show access-lists
ip access-list standard 1
10 deny 192.168.1.2 0.0.0.0
20 permit any

2.      Show where the ACL is applied.

Ruijie#show ip access-group
ip access-group 1 in
Applied On interface FastEthernet 0/0.

 

1.4.1.2    Extended ACL

 

Function Introduction:

An extended ACL can match five elements of the flow (source IP address, destination IP address, source port, destination port, and protocol number).

Application Scenario:

When setting security policy, an extended ACL controls part of the traffic from certain IP addresses or a network segment. For example, to stop an IP address from reaching websites, write an extended ACL with that IP address as the source, any IP address as the destination, and destination port 80 (the HTTP port).

I.Networking Requirements

PC1 is prohibited from accessing the Web service of 100.100.100.100 (TCP port 80); all other traffic is permitted.

 

II. Network Topology

 

III. Configuration Tips

1.      Configure an extended ACL in global mode

2.      Apply the extended ACL on the intranet interface

3.      Save the configuration

 

IV. Configuration Steps

1.      Configure an extended ACL in global mode

Notes: ACL numbering, top-to-bottom first-match evaluation and the implicit "deny any" are the same as for standard ACLs (see 1.4.1.1). The difference is that an extended ACL matches five elements of the flow (source IP address, destination IP address, source port, destination port, and protocol number), so it can single out one service of one destination instead of all traffic from a source.

Ruijie(config)#ip access-list extended 100
Ruijie(config-ext-nacl)#10 deny tcp 192.168.1.2 0.0.0.0 100.100.100.100 0.0.0.0 eq 80      //Prohibits the intranet PC1 192.168.1.2 from reaching TCP port 80 of 100.100.100.100
Ruijie(config-ext-nacl)#20 permit ip any any      //Permits all other traffic (mandatory; otherwise the implicit deny drops everything)
Ruijie(config-ext-nacl)#exit

2.      Apply the extended ACL on the intranet interface

Ruijie(config)#interface fastEthernet 0/0
Ruijie(config-if-FastEthernet 0/0)#ip access-group 100 in      //Applies ACL 100 inbound on the intranet interface

3.      Save the configuration

Ruijie(config-if-FastEthernet 0/0)#end
Ruijie#write      //Verifies and saves the configuration

 

V. Verification

1.      Test whether PC1 can reach the Web service of 100.100.100.100 and other destinations. If PC1 cannot reach the Web service of 100.100.100.100 but everything else works, the configuration is correct.

2.      Show the ACL configuration.

Ruijie#show access-lists
ip access-list extended 100
10 deny tcp host 192.168.1.2 host 100.100.100.100 eq www
20 permit ip any any

3.      Show where the ACL is applied.

Ruijie#show ip access-group
ip access-group 100 in
Applied On interface FastEthernet 0/0.

 

1.4.1.3    Reflexive ACL

 

Function Introduction:

Reflexive ACLs implement one-way access. When traffic originated by the intranet is permitted, a temporary access list entry is generated automatically from its L3 and L4 information: the protocol is kept, the source and destination IP addresses are swapped, and the source and destination ports are swapped. The router admits traffic into the intranet only when the L3 and L4 information of the returning packets exactly matches a temporary entry created from the outbound traffic.

Application Scenario

When setting security policy, standard and extended ACLs match IP traffic statelessly. Reflexive ACLs add one-way access: only when one side actively opens a session are the peer's return packets allowed through; if the peer tries to open a session itself, the ACL denies it.

I.Networking Requirements

Loopback 0 (1.1.1.1) of R1 can actively reach loopback 0 (3.3.3.3) of R3, but R3 cannot actively reach R1, so that access is one-way from R1 to R3.

 

II. Network Topology


 

III. Configuration Tips

1.      Complete the basic configuration of each device, including interface IP addresses and routes.

2.      Configure a reflexive ACL on R2.

IV. Configuration Steps

1.      Complete the basic configuration of each device, including interface IP addresses and routes

Omitted.

2.      Configure a reflexive ACL

R2(config)#ip access-list extended 100
R2(config-ext-nacl)#permit ip host 1.1.1.1 host 3.3.3.3      //Traffic allowed to open sessions; each permitted packet creates a temporary entry
R2(config-ext-nacl)#exit
R2(config)#interface gigabitEthernet 0/0      //Interface towards R1
R2(config-if-GigabitEthernet 0/0)#ip access-group 100 in reflect
R2(config-if-GigabitEthernet 0/0)#exit
R2(config)#ip access-list extended 101
R2(config-ext-nacl)#deny ip any any      //Anything that is not a reflected return flow is dropped
R2(config-ext-nacl)#exit
R2(config)#interface gigabitEthernet 0/1      //Interface towards R3
R2(config-if-GigabitEthernet 0/1)#ip access-group 101 in

Note: ACL 101 also drops packets that R3 sends to R2 itself on this interface, including routing protocol packets if a dynamic routing protocol runs on the R2-R3 link. If such traffic is needed, permit it with explicit ACEs placed before the deny ip any any.

 

V. Verification

1.      After configuration, a ping from loopback 0 of R1 to loopback 0 of R3 succeeds.

R1#ping 3.3.3.3 source 1.1.1.1

Sending 5, 100-byte ICMP Echoes to 3.3.3.3, timeout is 2 seconds:
  < press Ctrl+C to break >
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 10/12/20 ms

2.      A ping from loopback 0 of R3 to loopback 0 of R1 fails.

R3#ping 1.1.1.1 source 3.3.3.3

Sending 5, 100-byte ICMP Echoes to 1.1.1.1, timeout is 2 seconds:
  < press Ctrl+C to break >
.....
Success rate is 0 percent (0/5)
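The matching rules behind the standard and extended ACL examples (first match in ascending sequence order, the implicit deny at the end, the mandatory permit any) and the temporary entries of the reflexive ACL, modelled in Python as an added example. This is not Ruijie code; the addresses and ports are those of the examples above, and 203.0.113.10 is a constructed host standing in for "the Internet".

```python
"""Added example, not Ruijie code: first-match ACL evaluation with wildcard
masks and the implicit deny (1.4.1.1, 1.4.1.2), plus the temporary entries of
a reflexive ACL (1.4.1.3). 203.0.113.10 is a constructed Internet host."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Dict, Optional


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard mask semantics: a 0 bit must match, a 1 bit is 'don't care'."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w & 0xFFFFFFFF) == (b & ~w & 0xFFFFFFFF)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # tcp / udp / icmp
    sport: int = 0
    dport: int = 0


@dataclass(frozen=True)
class ACE:
    seq: int
    action: str         # "permit" or "deny"
    proto: str = "ip"   # "ip" matches every protocol
    src: str = "0.0.0.0"
    src_wc: str = "255.255.255.255"   # "any"
    dst: str = "0.0.0.0"
    dst_wc: str = "255.255.255.255"
    dport: Optional[int] = None       # "eq <port>"; None means any port

    def matches(self, p: Packet) -> bool:
        return (self.proto in ("ip", p.proto)
                and wildcard_match(p.src, self.src, self.src_wc)
                and wildcard_match(p.dst, self.dst, self.dst_wc)
                and (self.dport is None or self.dport == p.dport))


class ACL:
    def __init__(self, *aces: ACE):
        self.aces = sorted(aces, key=lambda a: a.seq)   # ascending sequence number

    def evaluate(self, p: Packet) -> str:
        for ace in self.aces:
            if ace.matches(p):
                return ace.action   # first match decides; later ACEs are not consulted
        return "deny"               # the implicit "deny any" at the end of every ACL


class ReflexiveFilter:
    """'ip access-group <n> in reflect' on the inside-facing interface plus a
    deny-all ACL inbound on the outside-facing interface. A permitted outbound
    packet installs a temporary entry with addresses and ports swapped and the
    protocol unchanged. Real devices age entries out by time; a logical clock
    ('now') and a tick count stand in for that here."""

    def __init__(self, outbound: ACL, inbound: ACL, timeout: int = 300):
        self.outbound, self.inbound, self.timeout = outbound, inbound, timeout
        self.reflected: Dict[Packet, int] = {}   # mirrored packet -> expiry tick

    def outbound_packet(self, p: Packet, now: int = 0) -> str:
        verdict = self.outbound.evaluate(p)
        if verdict == "permit":
            mirror = Packet(p.dst, p.src, p.proto, p.dport, p.sport)
            self.reflected[mirror] = now + self.timeout
        return verdict

    def inbound_packet(self, p: Packet, now: int = 0) -> str:
        expiry = self.reflected.get(p)
        if expiry is not None and now < expiry:
            return "permit"          # exact L3/L4 mirror of something the inside sent
        return self.inbound.evaluate(p)


def standard_acl_example() -> Dict[str, str]:
    """ACL 1: '10 deny 192.168.1.2 0.0.0.0' then '20 permit any'."""
    acl = ACL(ACE(10, "deny", src="192.168.1.2", src_wc="0.0.0.0"), ACE(20, "permit"))
    return {"pc1": acl.evaluate(Packet("192.168.1.2", "203.0.113.10", "tcp", 40000, 80)),
            "other": acl.evaluate(Packet("192.168.1.3", "203.0.113.10", "tcp", 40000, 80))}


def missing_permit_any() -> str:
    """Forgetting '20 permit any' leaves only the implicit deny: every host is cut off."""
    acl = ACL(ACE(10, "deny", src="192.168.1.2", src_wc="0.0.0.0"))
    return acl.evaluate(Packet("192.168.1.3", "203.0.113.10", "tcp", 40000, 80))


def extended_acl_example() -> Dict[str, str]:
    """ACL 100: '10 deny tcp host 192.168.1.2 host 100.100.100.100 eq 80', '20 permit ip any any'."""
    acl = ACL(ACE(10, "deny", "tcp", "192.168.1.2", "0.0.0.0", "100.100.100.100", "0.0.0.0", 80),
              ACE(20, "permit"))
    return {"pc1_web": acl.evaluate(Packet("192.168.1.2", "100.100.100.100", "tcp", 40000, 80)),
            "pc1_ssh": acl.evaluate(Packet("192.168.1.2", "100.100.100.100", "tcp", 40000, 22)),
            "other_web": acl.evaluate(Packet("192.168.1.3", "100.100.100.100", "tcp", 40000, 80))}


def reflexive_example() -> Dict[str, str]:
    """R2: ACL 100 'permit ip host 1.1.1.1 host 3.3.3.3' in reflect; ACL 101 'deny ip any any'."""
    f = ReflexiveFilter(outbound=ACL(ACE(10, "permit", "ip", "1.1.1.1", "0.0.0.0", "3.3.3.3", "0.0.0.0")),
                        inbound=ACL(ACE(10, "deny")))
    return {"r1_to_r3": f.outbound_packet(Packet("1.1.1.1", "3.3.3.3", "tcp", 40000, 23), now=0),
            "reply": f.inbound_packet(Packet("3.3.3.3", "1.1.1.1", "tcp", 23, 40000), now=1),
            "r3_initiated": f.inbound_packet(Packet("3.3.3.3", "1.1.1.1", "tcp", 40001, 23), now=1),
            "stale_reply": f.inbound_packet(Packet("3.3.3.3", "1.1.1.1", "tcp", 23, 40000), now=400)}
```

The reflexive part keys temporary entries on the exact five-tuple, which is why an R3-initiated connection is refused even though its addresses are the ones permitted outbound, and why an entry that has aged out no longer admits anything.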

 

1.4.2    NAT

 

Features:

NAT (Network Address Translation): during normal forwarding, the source and destination addresses in the IP header and the port numbers are not changed. With NAT enabled, the router rewrites the packet header, which makes it possible to hide the real addresses of inside and outside hosts, to let many hosts share a few IP addresses when reaching inside or outside networks, to cope with overlapping IP address ranges, and to load-balance servers.

Port Address Translation (PAT): also known as Network Address Port Translation (NAPT) or port-reusing NAT. It maps and distinguishes flows by IP address and port number so that multiple inside hosts can reach an outside network through one or a few legal IP addresses.

 

NAT terms:

Inside local: inside local address (the real address of an inside host, generally a private address).

Inside global: inside global address (the address an inside host is seen as after NAT when it reaches outside networks; a legal IP address allocated by the ISP).

Outside local: outside local address (the address an outside host is seen as from the inside network after NAT; generally a private IP address. Inside hosts send to this address rather than to the outside host's real address).

Outside global: outside global address (the real address of an outside host; a legal IP address on the Internet).

 

1.4.2.1    Source IP Address Translation

1.4.2.2    PPPOE

 

Ruijie products support PPP over Ethernet (PPPoE) with Dial-on-Demand Routing (DDR). As with DDR, dialing is triggered by data traffic and the session is disconnected automatically after the idle timeout.

The PPPoE implementation resembles advanced DDR (DDR profiles): an Ethernet interface is bound to a logical dialer interface, and the dialer interface performs the PPP negotiation.

 

Application Scenario

An enterprise rents the broadband dialingline of a Telecom operator to access Internet resources.

 

I.Networking Requirements

Intranet users use the RG-RSR router toaccess Internet, and the Internet line is the ADSL dialing line.

 

II. Network Topology

 

 

III. Configuration Tips

1.      Configure dialing.

2.     Configure NAT.

3.      Configure the default route.

 

IV. Configuration Steps

1.      Enable PPPoE on the physical interface

Ruijie>enable
Ruijie#configure terminal
Ruijie(config)#interface FastEthernet 0/0
Ruijie(config-if-FastEthernet 0/0)#pppoe enable      //Enables PPPoE
Ruijie(config-if-FastEthernet 0/0)#pppoe-client dial-pool-number 5 no-ddr      //Binds the Ethernet interface to dialer pool 5
Ruijie(config-if-FastEthernet 0/0)#ip ref      //Enables Ruijie Express Forwarding (REF). If the command is not recognized, REF is enabled by default.
Ruijie(config-if-FastEthernet 0/0)#exit

2.      Configure the logical dialer interface

Ruijie(config)#interface dialer 0
Ruijie(config-if-dialer 0)#ip ref      //Enables REF. If the command is not recognized, REF is enabled by default.
Ruijie(config-if-dialer 0)#encapsulation ppp      //PPP encapsulation
Ruijie(config-if-dialer 0)#ppp chap hostname pppoe      //CHAP user name: pppoe
Ruijie(config-if-dialer 0)#ppp chap password pppoe      //CHAP password: pppoe
Ruijie(config-if-dialer 0)#ppp pap sent-username pppoe password pppoe      //PAP user name and password
Ruijie(config-if-dialer 0)#ip address negotiate      //Obtains the IP address by negotiation
Ruijie(config-if-dialer 0)#dialer pool 5      //Associates dialer pool 5
Ruijie(config-if-dialer 0)#dialer-group 1      //Dialer group whose traffic triggers dialing
Ruijie(config-if-dialer 0)#dialer idle-timeout 300      //Disconnects after 300 s of idle time
Ruijie(config-if-dialer 0)#mtu 1492
Ruijie(config-if-dialer 0)#exit
Ruijie(config)#access-list 1 permit any
Ruijie(config)#dialer-list 1 protocol ip permit      //Global dialer list: any IP traffic triggers dialing

Note: CHAP does not encrypt anything; it answers the operator's random challenge with an MD5 hash of the password, so the password itself never crosses the line. PAP sends the user name and password in clear text. Configure the PAP line only if the operator requires PAP. Replace "pppoe"/"pppoe" with the account the operator assigned, and do not reuse that password elsewhere.

3.      Configure NAT

Ruijie(config)#access-list 100 permit ip any any      //Defines the traffic to translate; "any" here. Matching only the intranet segment (192.168.1.0 0.0.0.255) is tighter and translates nothing but local hosts.
Ruijie(config)#ip nat pool ruijie prefix-length 24      //Creates the NAT address pool "ruijie" with a 24-bit mask
Ruijie(config-ipnat-pool)#address interface dialer 0 match interface dialer 0      //Traffic forwarded out of dialer 0 is translated to the address of dialer 0
Ruijie(config-ipnat-pool)#exit
Ruijie(config)#ip nat inside source list 100 pool ruijie overload      //NAT policy: "100" is access-list 100, "ruijie" is the NAT address pool, overload enables PAT
Ruijie(config)#interface dialer 0
Ruijie(config-if-dialer 0)#ip nat outside      //Internet-side NAT interface
Ruijie(config-if-dialer 0)#interface fastEthernet 0/1
Ruijie(config-if-FastEthernet 0/1)#ip nat inside      //Intranet-side NAT interface
Ruijie(config-if-FastEthernet 0/1)#ip address 192.168.1.1 255.255.255.0      //Intranet IP address, used as the intranet gateway
Ruijie(config-if-FastEthernet 0/1)#ip ref

4.      Configure the default route

Ruijie(config)#ip route 0.0.0.0 0.0.0.0 dialer 0

 

V. Verification

1.      Check whether dialing succeeded

Ruijie#show ip interface brief
Interface                IP-Address(Pri)       OK?    Status
FastEthernet 0/0         no address            YES    DOWN
FastEthernet 0/1         192.168.1.1/24        YES    UP
dialer 0                 222.168.1.2           YES    UP

Note: If the configuration is correct, an IP address is displayed for dialer 0.

2.      Configure an intranet computer with an IP address 192.168.1.x, mask 255.255.255.0, gateway 192.168.1.1 and a correct DNS server; it can then access the Internet.
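What the CHAP and PAP lines on the dialer interface actually put on the line, as an added example in Python (not Ruijie code): CHAP's MD5 challenge/response (RFC 1994) next to PAP's clear-text Authenticate-Request (RFC 1334). The credentials pppoe/pppoe are the placeholders from the configuration above; both challenge values are constructed for the example, where a real authenticator would send random bytes.

```python
"""Added example, not Ruijie code: what 'ppp chap hostname/password' and
'ppp pap sent-username' transmit. CHAP (RFC 1994, MD5) answers a random
challenge with MD5(Identifier || secret || Challenge) and never sends the
secret; PAP (RFC 1334) sends user name and password in clear text. The
credentials "pppoe"/"pppoe" are the placeholders from the configuration;
both challenge values are constructed for this example."""
import hashlib
import hmac

CHALLENGE = bytes(range(16))            # constructed; a real authenticator sends random bytes
FRESH_CHALLENGE = bytes(range(16, 32))  # a later, different challenge


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Peer side: Response-Value = MD5(Identifier || secret || Challenge-Value)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


def chap_verify(identifier: int, secret: bytes, challenge: bytes, response: bytes) -> bool:
    """Authenticator side: recompute with its own copy of the secret, compare in constant time."""
    return hmac.compare_digest(chap_response(identifier, secret, challenge), response)


def pap_authenticate_request(username: bytes, password: bytes) -> bytes:
    """PAP Authenticate-Request payload: Peer-ID-Length, Peer-ID, Passwd-Length, Password."""
    return bytes([len(username)]) + username + bytes([len(password)]) + password


def chap_exchange(secret: bytes, identifier: int = 1) -> dict:
    """One CHAP round as seen by someone sniffing the Ethernet segment."""
    response = chap_response(identifier, secret, CHALLENGE)
    on_wire = CHALLENGE + response
    return {
        "verified": chap_verify(identifier, secret, CHALLENGE, response),
        "secret_visible": secret in on_wire,
        # a captured response is useless against the next challenge
        "replay_accepted": chap_verify(identifier, secret, FRESH_CHALLENGE, response),
        "wrong_secret_accepted": chap_verify(identifier, b"guess", CHALLENGE, response),
    }


def pap_exchange(username: bytes, password: bytes) -> dict:
    """PAP: the sniffer reads the password straight out of the packet."""
    on_wire = pap_authenticate_request(username, password)
    return {"password_visible": password in on_wire}
```

The hash in CHAP is MD5, which is why the scheme protects the password from a passive listener on the access line but does not protect it from offline guessing by anyone who captures a challenge/response pair: a weak operator password can still be recovered by brute force.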

 

1.4.2.3    Basic Network Access Configuration for Routers without Switching Interfaces

 

Introduction:

This section introduces basic network access configuration for routers without switching interfaces. The models include RSR1002, RSR20-04, RSR20-14, RSR20-18, RSR20-24, RSR30-44 (without the NMX-24ESW card), RSR30-X, the RSR50 series, and the RSR77 series. These routers have routing interfaces but no switching interfaces, so if several PCs need Internet access, a switch is required on the inside network. The section describes how to reach the Internet through NAT and how to map an inside server to the Internet.

Features:

Port Address Translation (PAT): also known as Network Address Port Translation (NAPT). It maps and distinguishes flows by the IP address and port numbers of the outside interface so that multiple inside hosts can reach the outside network using the address of that interface. It is typically used when only one public address is available.

Address pool translation: maps and distinguishes flows by the IP addresses and port numbers of a public address pool so that multiple inside hosts can reach the outside network using a few public IP addresses. It is typically used when one outbound interface has several public IP addresses.

Static NAT: maps the IP address of an inside host to a public IP address one-to-one, or maps an IP address and port of an inside host to a public IP address and port one-to-one. It is typically used to publish an inside host under a public IP address, or a single port of an inside server under a port of a public address, so that the server can be reached through the public IP address or public IP address + port.

 

Scenarios

An enterprise rents a private line from an operator for network access. The following three scenarios describe the relevant functions:

Scenario 1: Only one public IP address is available. The addresses of all inside users are translated to the address of the outside interface so that all inside users can reach the outside network.

Scenario 2: A public IP address segment is available. The addresses of all inside users are translated to addresses from that segment so that inside users can reach the outside network.

Scenario 3: An inside server is mapped to a public IP address so that outside users can reach the resources on the server through that public IP address.

 

I.Networking Requirements

An RSR router is the Internet egress, and all inside PCs use it as their gateway. The router provides access to the outside network, and the IP address (and port) of an inside server is mapped to a public IP address (and port) so that outside users can reach its services.

 

II. Network Topology

 

 

III. Configuration Tips

1.      Configure basic IP addresses.

2.      Configure basic IP routes.

3.      Configure the DHCP server.

4.      Define the inside network port and outside network port for NAT.

5.      Configure ACLs on R1, and match the inside network traffic for NAT.

6.      Configure a NAT policy for scenario 1.

7.      Configure a NAT policy for scenario 2.

8.      Configure a NAT policy for scenario 3.

 

IV. Configuration Steps

1.      Configure basic IP addresses.

Ruijie(config)#hostname R1
R1(config)#interface gigabitEthernet 0/0
R1(config-GigabitEthernet 0/0)#ip address 172.16.1.254 255.255.255.0      //Inside interface; gateway of the inside PCs
R1(config-GigabitEthernet 0/0)#exit
R1(config)#interface gigabitEthernet 0/1
R1(config-GigabitEthernet 0/1)#ip address 192.168.2.1 255.255.255.0      //Outside interface
R1(config-GigabitEthernet 0/1)#exit

2.      Configure basic IP routes.

R1(config)#ip route 0.0.0.0 0.0.0.0 192.168.2.2      //Default route towards the Internet

3.      Configure the DHCP server.

R1(config)#service dhcp      //Enables the DHCP service
R1(config)#ip dhcp pool ruijie      //"ruijie" is the name of the DHCP address pool and can be chosen freely
R1(dhcp-config)#network 172.16.1.0 255.255.255.0      //Segment from which the computers obtain their IP addresses
R1(dhcp-config)#default-router 172.16.1.254      //Gateway of the computers: the address of the gigabitEthernet 0/0 interface they connect to
R1(dhcp-config)#dns-server 202.96.113.34 202.96.13.35      //DNS servers for the computers: the first is the primary, the second the standby

4.      Define the inside and outside NAT interfaces.

R1(config)#interface gigabitEthernet 0/1
R1(config-GigabitEthernet 0/1)#ip nat outside      //Outside NAT interface
R1(config-GigabitEthernet 0/1)#exit
R1(config)#interface gigabitEthernet 0/0
R1(config-GigabitEthernet 0/0)#ip nat inside      //Inside NAT interface
R1(config-GigabitEthernet 0/0)#exit

5.      Configure an ACL on R1 that matches the inside traffic for NAT.

R1(config)#ip access-list standard 10
R1(config-std-nacl)#10 permit 172.16.1.0 0.0.0.255
R1(config-std-nacl)#exit

6.      Configure a NAT policy for scenario 1.

R1(config)#ip nat inside source list 10 interface gigabitEthernet 0/1 overload      //Translates traffic matched by ACL 10 to the address of the gigabitEthernet 0/1 interface

7.      Configure a NAT policy for scenario 2.

(1)    Configure the public address pool.

R1(config)#ip nat pool ruijie netmask 255.255.255.0      //Creates a public address pool named ruijie
R1(config-ipnat-pool)#address 192.168.2.10 192.168.2.11      //Start and end of a public address range
R1(config-ipnat-pool)#address 192.168.2.15 192.168.2.15      //Discontinuous public addresses can be added as further ranges
R1(config-ipnat-pool)#exit

Notes:

a.      The addresses in the public address pool need not be in the same segment as the outside interface, as long as they are usable addresses allocated by the outside network (the upstream must route them to R1).

b.      The public address ranges can be discontinuous.

(2)    Configure a NAT policy.

R1(config)#ip nat inside source list 10 pool ruijie overload      //Translates traffic matched by ACL 10 to addresses from the pool named ruijie

Notes:

The overload keyword enables PAT. Without it, NAT performs dynamic one-to-one address mapping without port translation: each inside host takes a whole pool address and, once the pool is used up, further hosts cannot be translated. Since the purpose of NAT at the egress is to cope with a shortage of public addresses, overload must be added.

8.      Configure a NAT policy for scenario 3.

Map the inside server address 172.16.1.100 to the public address 192.168.2.168, or map TCP port 80 of inside 172.16.1.100 to TCP port 80 of public 192.168.2.168.

Examples of one-to-one address mapping and of TCP/UDP port mapping:

(1)    One-to-one mapping based on IP addresses

R1(config)#ip nat inside source static 172.16.1.100 192.168.2.168 permit-inside      //Maps inside 172.16.1.100 to public 192.168.2.168 (every port)

(2)    Port mapping based on TCP and UDP

R1(config)#ip nat inside source static tcp 172.16.1.100 80 192.168.2.168 80 permit-inside      //Maps TCP port 80 of inside 172.16.1.100 to TCP port 80 of public 192.168.2.168; other ports of 192.168.2.168 stay unreachable

Notes:

(1)    Static NAT supports one-to-one address mapping and TCP/UDP port mapping. Prefer port mapping: a one-to-one mapping exposes every listening service of the inside server, a port mapping exposes only the published one.

(2)    permit-inside: when an inside server is statically mapped to a public address and an inside PC must reach the server through that public address, permit-inside is required. It is recommended whenever static NAT is configured.

 

V. Verification

Verification for scenario 1: test whether an inside PC can reach the outside network. If it can, the NAT configuration is correct. The NAT translation entries on the egress router can be listed with show ip nat translations.

Verification for scenario 2: the same test; the translation entries on the egress router should now show addresses from the pool instead of the interface address.

Verification for scenario 3: from an outside host, connect to 192.168.2.168 on the mapped port; from an inside PC, connect to the same public address to confirm that permit-inside works.
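The three NAT policies above, modelled in Python as an added example (not Ruijie code): PAT on the interface address, the pool with and without overload, the return-traffic lookup, and the static one-to-one and port mappings with the permit-inside hairpin. The inside and public addresses are the cookbook's; 203.0.113.10 is a constructed outside host. The source address the model gives a hairpinned packet (172.16.1.254, the router's inside interface) is an assumption; the page does not state what a real device uses.

```python
"""Added example, not Ruijie code: a model of the NAT policies of this section
(PAT on the interface address, a pool with and without 'overload', reply
lookup, static one-to-one and port mappings, the permit-inside hairpin).
Addresses are the cookbook's; 203.0.113.10 is a constructed outside host.
The hairpin source address 172.16.1.254 is a model assumption."""
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple

INSIDE_ADDR = "172.16.1.254"   # assumed source of hairpinned packets (model choice)

@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"

@dataclass(frozen=True)
class StaticMap:
    inside_local: str
    inside_global: str
    proto: Optional[str] = None        # None: whole address mapped one-to-one
    local_port: Optional[int] = None
    global_port: Optional[int] = None
    permit_inside: bool = False

    def hit(self, dst: str, dport: int, proto: str) -> Optional[Tuple[str, int]]:
        if dst != self.inside_global:
            return None
        if self.proto is None:                       # one-to-one: every port is exposed
            return (self.inside_local, dport)
        if proto == self.proto and dport == self.global_port:
            return (self.inside_local, self.local_port)
        return None                                  # unpublished ports stay closed

class NatRouter:
    def __init__(self, pool: List[str], overload: bool):
        self.pool, self.overload = pool, overload
        self.dynamic: Dict[Tuple[str, int], Tuple[str, int]] = {}   # (local, port) -> (global, port)
        self.reverse: Dict[Tuple[str, int], Tuple[str, int]] = {}   # (global, port) -> (local, port)
        self.assigned: Dict[str, str] = {}   # without overload: inside host -> pool address
        self.next_port = 1024                # PAT source-port allocator (model)
        self.statics: List[StaticMap] = []

    def _allocate(self, local: str, port: int) -> Optional[Tuple[str, int]]:
        if self.overload:                    # PAT: one address, flows told apart by port
            self.next_port += 1
            return (self.pool[0], self.next_port - 1)
        if local not in self.assigned:       # dynamic one-to-one: a whole address per host
            free = [a for a in self.pool if a not in self.assigned.values()]
            if not free:
                return None                  # pool exhausted: no translation, packet dropped
            self.assigned[local] = free[0]
        return (self.assigned[local], port)  # port carried through unchanged

    def inside_to_outside(self, f: Flow) -> Optional[Flow]:
        key = (f.src, f.sport)
        if key not in self.dynamic:
            g = self._allocate(f.src, f.sport)
            if g is None:
                return None
            self.dynamic[key], self.reverse[g] = g, key
        g = self.dynamic[key]
        return replace(f, src=g[0], sport=g[1])

    def outside_to_inside(self, f: Flow) -> Optional[Flow]:
        local = self.reverse.get((f.dst, f.dport))   # reply to a flow we translated
        for m in self.statics:                        # otherwise only a static mapping opens a way in
            local = local or m.hit(f.dst, f.dport, f.proto)
        return None if local is None else replace(f, dst=local[0], dport=local[1])

    def hairpin(self, f: Flow) -> Optional[Flow]:
        """Inside PC addressing the server by its public address (needs permit-inside)."""
        for m in self.statics:
            local = m.hit(f.dst, f.dport, f.proto)
            if local and m.permit_inside:
                self.next_port += 1   # source rewritten to the router so the reply returns via it
                return Flow(INSIDE_ADDR, self.next_port - 1, local[0], local[1], f.proto)
        return None

def three_hosts(r: NatRouter) -> List[Optional[Flow]]:
    # hosts .10, .11 and .12 each open a connection from the same source port 50000
    return [r.inside_to_outside(Flow(f"172.16.1.{h}", 50000, "203.0.113.10", 80)) for h in (10, 11, 12)]

def scenario1_pat() -> Dict[str, object]:
    r = NatRouter(pool=["192.168.2.1"], overload=True)   # the outside interface address, overload
    out = three_hosts(r)
    reply = r.outside_to_inside(Flow("203.0.113.10", 80, out[0].src, out[0].sport))
    return {"out": out, "reply": reply}

def scenario2_pool(overload: bool) -> List[Optional[Flow]]:
    return three_hosts(NatRouter(pool=["192.168.2.10", "192.168.2.11"], overload=overload))

def scenario3_static(permit_inside: bool) -> Dict[str, Optional[Flow]]:
    port_map, one_to_one = NatRouter(["192.168.2.1"], True), NatRouter(["192.168.2.1"], True)
    port_map.statics.append(StaticMap("172.16.1.100", "192.168.2.168", "tcp", 80, 80, permit_inside))
    one_to_one.statics.append(StaticMap("172.16.1.100", "192.168.2.168"))
    probe = lambda dport: Flow("203.0.113.10", 40000, "192.168.2.168", dport)
    return {"port_map_web": port_map.outside_to_inside(probe(80)),
            "port_map_ssh": port_map.outside_to_inside(probe(22)),       # not published: dropped
            "one_to_one_ssh": one_to_one.outside_to_inside(probe(22)),   # every port exposed
            "hairpin": port_map.hairpin(Flow("172.16.1.10", 50000, "192.168.2.168", 80))}
```

Running scenario2_pool(False) shows the failure mode the notes warn about: the two-address pool serves hosts .10 and .11 and the third host gets no translation at all, whereas with overload all three share one address and are told apart by port. scenario3_static contrasts the one-to-one mapping, which answers on every port, with the port mapping, which drops the unpublished port 22.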

1.4.2.4    Multiple Egresses NAT and Permit-inside function

 

Features:

If there are multiple egresses to the outside network, flows forwarded through different outside interfaces are translated to different IP address + port number combinations. In addition, the permit-inside function lets an inside host reach an inside server through its public address.

 

Scenario

An enterprise rents private lines from several operators. An inside server must be published on two outside interfaces so that outside users can reach it. Inside users may also need to reach the server through the public address of an outside interface (for instance when they use a domain name that resolves to the public address); the permit-inside function of NAT lets both inside and outside users reach the server through the public address.

 

I.Networking Requirements

As shown in the network topology below, R1has two egresses to an outside network: R3 and R4. The required implementationis as follows: inside users in the network segment of access the outsidenetwork through R3 and that the inside addresses are translated into the publicaddress of the egress; inside users in the network segment of access theoutside network through R4 and the inside addresses are translated into thepublic address of the egress. The address 172.16.1.100 of an inside serverneeds to be translated into the public address192.168.2.168, and both insideand outside PCs need to access the server through the public address.

      

II. Network Topology

 

III. Configuration Tips

1.      Configure basic IP addresses.

2.      Configure basic IP routes.

3.      Define the inside port and outside port for NAT.

4.      Configure an ACL on R1, and match the inside traffic for NAT.

5.      Configure the public address pool.

6.      Configure an NAT policy.

7.      Configure static NAT.

8.      Configure an ACL on R1 and match the inside traffic.

9.      Configure a policy route.

10.   Apply the policy route.

 

IV. Configuration Steps

1.      Configure basic IP addresses.

Ruijie(config)#hostname R1
R1(config)#interface gigabitEthernet 0/0
R1(config-GigabitEthernet 0/0)#ip address 192.168.1.1 255.255.255.0
R1(config-GigabitEthernet 0/0)#exit
R1(config)#interface gigabitEthernet 0/1
R1(config-GigabitEthernet 0/1)#ip address 192.168.2.1 255.255.255.0
R1(config-GigabitEthernet 0/1)#exit
R1(config)#interface gigabitEthernet 0/2
R1(config-GigabitEthernet 0/2)#ip address 192.168.3.1 255.255.255.0
R1(config-GigabitEthernet 0/2)#exit

Ruijie(config)#hostname R2
R2(config)#interface gigabitEthernet 0/0
R2(config-GigabitEthernet 0/0)#ip address 192.168.1.2 255.255.255.0
R2(config-GigabitEthernet 0/0)#exit
R2(config)#interface gigabitEthernet 0/1
R2(config-GigabitEthernet 0/1)#ip address 172.16.1.1 255.255.255.0
R2(config-GigabitEthernet 0/1)#exit
R2(config)#interface gigabitEthernet 0/2
R2(config-GigabitEthernet 0/2)#ip address 172.16.2.1 255.255.255.0
R2(config-GigabitEthernet 0/2)#exit

Ruijie(config)#hostname R3
R3(config)#interface fastEthernet 0/0
R3(config-if-FastEthernet 0/0)#ip address 192.168.2.2 255.255.255.0
R3(config-if-FastEthernet 0/0)#exit

Ruijie(config)#hostname R4
R4(config)#interface fastEthernet 0/0
R4(config-if-FastEthernet 0/0)#ip address 192.168.3.2 255.255.255.0
R4(config-if-FastEthernet 0/0)#exit

2.      Configure basic IP routes so that the whole network is reachable.

R1(config)#ip route 172.16.0.0 255.255.0.0 192.168.1.2
R2(config)#ip route 100.1.1.0 255.255.255.0 192.168.1.1
R2(config)#ip route 192.168.0.0 255.255.0.0 192.168.1.1

3.      Define the inside and outside NAT interfaces.

R1(config)#interface gigabitEthernet 0/1
R1(config-GigabitEthernet 0/1)#ip nat outside      //First outside NAT interface
R1(config-GigabitEthernet 0/1)#exit
R1(config)#interface gigabitEthernet 0/2
R1(config-GigabitEthernet 0/2)#ip nat outside      //Second outside NAT interface
R1(config-GigabitEthernet 0/2)#exit
R1(config)#interface gigabitEthernet 0/0
R1(config-GigabitEthernet 0/0)#ip nat inside      //Inside NAT interface
R1(config-GigabitEthernet 0/0)#exit

4.      Configure an ACL on R1 that matches the inside traffic for NAT.

R1(config)#ip access-list standard 10
R1(config-std-nacl)#10 permit 172.16.1.0 0.0.0.255
R1(config-std-nacl)#20 permit 172.16.2.0 0.0.0.255
R1(config-std-nacl)#exit

5.      Configure the public address pool.

Notes:

If multiple public egresses are availableand data packets are forwarded from different egresses, NAT needs to beperformed to match the available public address of a corresponding egress.Ruijie devices use the parameter match interface in the NAT address poolto match the outbound interface for sending data packets. The source addressesof the data packets are translated into the available public address of theoutbound interface through NAT.

R1(config)#ip nat pool nat_ruijie netmask 255.255.255.0     //Configures the public address pool nat_ruijie for NAT.

R1(config-ipnat-pool)#address 192.168.2.10 192.168.2.11 match interface GigabitEthernet 0/1   //When data packets are forwarded through the GigabitEthernet 0/1 interface, the addresses are translated into 192.168.2.10 - 192.168.2.11 through NAT.

R1(config-ipnat-pool)#address 192.168.3.10 192.168.3.11 match interface GigabitEthernet 0/2    //When data packets are forwarded through the GigabitEthernet 0/2 interface, the addresses are translated into 192.168.3.10 - 192.168.3.11 through NAT.

R1(config-ipnat-pool)#exit

6.      Configure the source address translation through NAT.

R1(config)#ip nat inside source list 10 pool nat_ruijie overload  //Translates the traffic matched by ACL 10 into addresses in the nat_ruijie address pool, and performs NAT overload.

Notes:

The parameter overload is used to perform NAT overload. If the parameter overload is not added, dynamic one-to-one IP mapping is performed and port numbers are not translated, which cannot solve the problem of insufficient public addresses. If NAT is performed at the network egress to solve the problem of insufficient public addresses, the parameter overload must be added.

7.      Configure static NAT.

Notes:

Static NAT can be used for one-to-one translation of IP addresses and for port number translation based on TCP and UDP.

permit-inside: When an inside server is statically mapped to a public address and an inside PC needs to access the server through the public address, the parameter permit-inside must be configured. The parameter permit-inside is recommended when static NAT is configured.

The following describes the examples of one-to-one IP address mapping and port number mapping based on TCP and UDP:

1)     One-to-one IP address mapping

R1(config)#ip nat inside source static 172.16.1.100 192.168.2.168 permit-inside  //Maps the inside address 172.16.1.100 to the public address 192.168.2.168.

2)     Port number mapping based on TCP and UDP

R1(config)#ip nat inside source static tcp 172.16.1.100 23 192.168.2.168 23 permit-inside  //Maps inside 172.16.1.100 TCP port 23 to public 192.168.2.168 TCP port 23.

8.      Configure an ACL on R1 and match the inside traffic.

Notes:

Restricted by the flow table processing mechanism of Ruijie, the permit-inside function and the policy-based routing of NAT conflict with each other. Therefore, the traffic from inside users to the network segment of the server must be denied in the ACL of the policy route, so that the policy route is not executed when inside users access the server. The configuration is as follows:

R1(config)#ip access-list extended 110        //Configures ACL 110 to match the access traffic from the inside network segment 172.16.1.0/24 to the outside network.

R1(config-ext-nacl)#10 deny ip 172.16.1.0 0.0.0.255 172.16.2.0 0.0.0.255

R1(config-ext-nacl)#20 permit ip 172.16.1.0 0.0.0.255 any

R1(config-ext-nacl)#exit

R1(config)#ip access-list extended 120      //Configures ACL 120 to match the access traffic from the inside network segment 172.16.2.0/24 to the outside network.

R1(config-ext-nacl)#10 deny ip 172.16.2.0 0.0.0.255 172.16.1.0 0.0.0.255

R1(config-ext-nacl)#20 permit ip 172.16.2.0 0.0.0.255 any

R1(config-ext-nacl)#exit

 

If the deny rule is not configured for the traffic between inside servers and users, the data translation analysis is as follows:

If an inside PC 172.16.2.10 accesses the server through 192.168.2.168, the translation process is as follows:

                          Source IP address      Destination IP address

Before translation        172.16.2.10            192.168.2.168

After translation         192.168.2.168          172.16.1.100

Based on the flow table processing mechanism of Ruijie, the data flow is deemed after the translation to be a data flow with the source IP address 172.16.2.10 and the destination IP address 172.16.1.100. Therefore, when configuring a policy route ACL, such traffic must be discarded first (that is, all the traffic from the inside network segment to the network segment where the server resides); otherwise, such traffic will be redirected by policy-based routing to the next hop of the specified outside interface. In addition, since the network segment 172.16.1.0 where the server resides is also configured with policy-based routing, the same problem exists for the server.
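The following is an added example, not part of the cookbook, that models the conflict described in the note above: the policy-route ACL is evaluated against the flow as the flow table records it (original source, translated destination), so without the deny entry the user-to-server traffic is captured by the route-map and forced to the outside next hop. The flow-table behaviour is modelled exactly as the cookbook states it; the ACL matcher and route-map logic are constructed for this example and are not Ruijie's implementation.

```python
"""Added example, not from the Ruijie cookbook: why the policy-route ACL needs
a deny entry for inside-user -> inside-server traffic when the server is
published with `ip nat inside source static ... permit-inside`.

The flow-table view is modelled as the cookbook describes it: the flow is
keyed by the original source and the translated destination. The ACL
matcher and route-map below are constructed for illustration only."""
import ipaddress
from dataclasses import dataclass

# Static mapping from step 7: inside server 172.16.1.100 published as 192.168.2.168.
SERVER_INSIDE = ipaddress.ip_address("172.16.1.100")
SERVER_PUBLIC = ipaddress.ip_address("192.168.2.168")

ANY = ipaddress.ip_network("0.0.0.0/0")
NET_1 = ipaddress.ip_network("172.16.1.0/24")   # server segment
NET_2 = ipaddress.ip_network("172.16.2.0/24")   # user segment


@dataclass(frozen=True)
class Flow:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address


def flow(src: str, dst: str) -> Flow:
    return Flow(ipaddress.ip_address(src), ipaddress.ip_address(dst))


def flow_table_key(f: Flow) -> Flow:
    """The flow as the policy-route ACL sees it. For an inside host reaching
    the server's public address, permit-inside rewrites the destination to
    the server's inside address, and the flow table then records
    source 172.16.2.10 -> destination 172.16.1.100 (cookbook table above)."""
    if f.dst == SERVER_PUBLIC:
        return Flow(f.src, SERVER_INSIDE)
    return f


def acl_action(acl, f: Flow):
    """First-match evaluation of an extended ACL. Each entry is
    (action, source network, destination network); returns the action of
    the first matching entry, or None for the implicit deny."""
    for action, src_net, dst_net in acl:
        if f.src in src_net and f.dst in dst_net:
            return action
    return None


# ACL 120 as the cookbook configures it (with the deny) and without it.
ACL_120_WITH_DENY = [("deny", NET_2, NET_1), ("permit", NET_2, ANY)]
ACL_120_WITHOUT_DENY = [("permit", NET_2, ANY)]


def pbr_next_hop(acl, f: Flow, forced_next_hop: str = "192.168.3.2") -> str:
    """route-map ruijie permit 20: if the ACL permits the flow-table view of
    the packet, the next hop is forced to R4; otherwise normal routing applies."""
    key = flow_table_key(f)
    return forced_next_hop if acl_action(acl, key) == "permit" else "routing-table"


if __name__ == "__main__":
    to_server = flow("172.16.2.10", "192.168.2.168")
    to_internet = flow("172.16.2.10", "100.1.1.1")
    print("user -> server, no deny   :", pbr_next_hop(ACL_120_WITHOUT_DENY, to_server))
    print("user -> server, with deny :", pbr_next_hop(ACL_120_WITH_DENY, to_server))
    print("user -> Internet, with deny:", pbr_next_hop(ACL_120_WITH_DENY, to_internet))
```

With the deny entry, user-to-server traffic falls through to the routing table and reaches the server; Internet-bound traffic from 172.16.2.0/24 is still forced to 192.168.3.2. The same reasoning applies symmetrically to ACL 110 for the server segment, which is why the cookbook denies 172.16.1.0/24 to 172.16.2.0/24 there.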

9.      Configure a policy route.

R1(config)#route-map ruijie permit 10        //Configures route-map ruijie.

R1(config-route-map)#match ip address 110    //Matches the traffic of inside network ACL 110.

R1(config-route-map)#set ip next-hop 192.168.2.2  //Forcibly sets the next hop of IP packets to 192.168.2.2 and sets the egress to R3.

R1(config-route-map)#exit

R1(config)#route-map ruijie permit 20

R1(config-route-map)#match ip address 120

R1(config-route-map)#set ip next-hop 192.168.3.2

R1(config-route-map)#exit

10.   Apply the policy route.

R1(config)#interface gigabitEthernet 0/0

R1(config-GigabitEthernet0/0)#ip policy route-map ruijie //Applies the policy route.

R1(config-GigabitEthernet0/0)#exit

 

V. Verification

1.      Test whether an inside PC can access an outside network, and check whether the policy route is selected. If 172.16.1.0/24 can access the outside network through R3, and 172.16.2.0/24 can access the outside network through R4, the configurations of the multi-egress NAT and policy route are correct.

R2#traceroute 100.1.1.1 source 172.16.1.1

< press Ctrl+C to break >

Tracing the route to 100.1.1.1

 

 1    192.168.1.1 0 msec 0 msec 0 msec

 2    192.168.2.2 10 msec 0 msec 10 msec     //172.16.1.0/24 accesses the outside network through R3.

Other routes are omitted.

2.      Test whether inside and outside PCs can access the server through the public IP address. If all inside PCs can access the server through the public IP address, the configuration of static NAT is correct. When the inside PCs access the server through the public address, the NAT mapping table is as follows:

 

1.4.2.2    Outside Source IP Address Translation

 

Features:

When an inside host needs to access an outside network without introducing an outside route, the IP address + port number of the outside host can be translated into an IP address + port number of the inside network through outside source IP address translation.

 

I. Networking Requirements

Due to the security policy for the inside network, only mutual access between inside PCs is allowed.

When inside PCs need to access an outside server, the outside source IP address translation function of NAT can be used to translate the public address of the outside server into an inside address, so that the inside users do not know that they have accessed the outside network.

 

II. Network Topology

 

III. Configurations

1.      Configure basic IP addresses.

2.      Configure basic IP routes.

3.      Define the inside port and outside port for NAT.

4.      Configure the outside source address translation of NAT.

 

IV. Steps

1.      Configure basic IP addresses.

Ruijie(config)#hostname R1

R1(config)#interface gigabitEthernet 0/0

R1(config-GigabitEthernet0/0)#ip address 192.168.1.1 255.255.255.0

R1(config-GigabitEthernet0/0)#exit

R1(config)#interface gigabitEthernet 0/1

R1(config-GigabitEthernet0/1)#ip address 192.168.2.1 255.255.255.0

R1(config-GigabitEthernet0/1)#exit

 

Ruijie(config)#hostname R2

R2(config)#interface gigabitEthernet 0/0

R2(config-GigabitEthernet0/0)#ip address 192.168.1.2 255.255.255.0

R2(config-GigabitEthernet0/0)#exit

R2(config)#interface gigabitEthernet 0/1

R2(config-GigabitEthernet0/1)#ip address 172.16.1.1 255.255.255.0

R2(config-GigabitEthernet0/1)#exit

R2(config)#interface gigabitEthernet 0/2

R2(config-GigabitEthernet0/2)#ip address 172.16.2.1 255.255.255.0

R2(config-GigabitEthernet0/2)#exit

 

Ruijie(config)#hostname R3

R3(config)#interface fastEthernet 0/0

R3(config-if-FastEthernet0/0)#ip address 192.168.2.2 255.255.255.0

R3(config-if-FastEthernet0/0)#exit

2.      Configure the IP route.

R1(config)#ip route 172.16.0.0 255.255.0.0 192.168.1.2

R1(config)#ip route 100.1.1.0 255.255.255.0 192.168.2.2

R2(config)#ip route 192.168.0.0 255.255.0.0 192.168.1.1

R3(config)#ip route 172.16.0.0 255.255.0.0 192.168.2.1      //Configures the return route from the outside network to the inside network (if the outside network has no return route to the inside network, inside source IP address translation needs to be performed on the egress router).

3.      Define the inside port and outside port for NAT.

R1(config)#interface gigabitEthernet 0/1

R1(config-GigabitEthernet0/1)#ip nat outside      //Configures the outside interface for NAT.

R1(config-GigabitEthernet0/1)#exit

R1(config)#int gigabitEthernet 0/0

R1(config-GigabitEthernet0/0)#ip nat inside   //Configures the inside interface for NAT.

R1(config-GigabitEthernet0/0)#exit

4.      Configure the outside source address translation of NAT.

Notes:

(1)    The outside source IP address translation can be used for one-to-one IP address translation and for port number translation based on TCP and UDP.

(2)    During the outside source IP address translation, the inside local address of the outside server does not need to be in a network segment of the egress router. The inside local address is only required to be reachable by the inside route, so that packets from inside PCs accessing the server are routed to the egress router.

The following describes the examples of one-to-one IP address mapping and port number mapping based on TCP and UDP:

1)     One-to-one IP address mapping

R1(config)#ip nat outside source static 100.1.1.1 192.168.1.168       //When the inside network accesses 192.168.1.168, translates the destination IP address into 100.1.1.1.

2)     Port mapping based on TCP and UDP

R1(config)#ip nat outside source static tcp 100.1.1.1 23 192.168.1.168 23     //When the inside network accesses TCP port 23 of 192.168.1.168, translates the destination into TCP port 23 of 100.1.1.1.

 

V. Verification

Test whether the outside server can be accessed from the inside network through the private IP address that is visible on the local network. If the outside server can be accessed normally, the NAT configuration of the outside source IP address translation is correct. The NAT translation entries on the egress router are displayed as follows:

 

1.4.3    IPSEC

1.4.3.1    IPSEC Debug

 

Description of IPSec Debugging

Notes: To debug IPSec, you need to enable "debug crypto isakmp" and "debug crypto ipsec". The customer's business may be affected by IPSec debugging. Therefore, customer permission must be obtained before debugging, and IPSec debugging must be performed during non-peak hours.

R1#ping 3.3.3.3 sou 1.1.1.1

Sending 5, 100-byte ICMP Echoes to 3.3.3.3, timeout is 2 seconds:

< press Ctrl+C to break >

*Oct 18 12:26:54: %7: Get acquire: 1.1.1.1/0.0.0.0 -> 3.3.3.3/0.0.0.0  //Triggers interesting traffic, from 1.1.1.1 to 3.3.3.3.

*Oct 18 12:26:54: %7: Get acquire: negotiate source 10.1.1.1 -> dest 202.100.1.100  //Negotiates with the peer 202.100.1.100.

*Oct 18 12:26:54: %7:  set acquire!

*Oct 18 12:26:54: %7: receve sa acquire

*Oct 18 12:26:54: %7: Acqurire negociate with 202.100.1.100

*Oct 18 12:26:54: %7: (33) sending packet to 202.100.1.100 (I) MM_SI1_WR1, MM_SA_SETUP // Sends the first packet of Phase 1 to negotiate the IKE policy parameters.

*Oct 18 12:26:54: %7: sendout main I1, and wait R1

*Oct 18 12:26:54: %7: IKE recvmsg 124 bytes.

*Oct 18 12:26:54: %7: IKE:recvmsg for 10.1.1.1 of interface GigabitEthernet 0/0.

*Oct 18 12:26:54: %7: Not IKE NAT negotiate pkt.

*Oct 18 12:26:54: %7: (33) received packet from 202.100.1.100, (I) MM_SI1_WR1, MM_SA_SETUP  // Receives the second packet of Phase 1.

*Oct 18 12:26:54: %7:   Exchange type : 0x2<sa><vendor ID><vendor ID>

*Oct 18 12:26:54: %7:  extract_payload done!

*Oct 18 12:26:54: %7: main mode r1 process

*Oct 18 12:26:54: %7: (33) Checking ISAKMP transform 1 against priority 10 policy

*Oct 18 12:26:54: %7:     encryption DES-CBC

*Oct 18 12:26:54: %7:     hash SHA

*Oct 18 12:26:54: %7:     auth pre-share

*Oct 18 12:26:54: %7:     default group 1

*Oct 18 12:26:54: %7:     life type in seconds

*Oct 18 12:26:54: %7: life duration 86400 orginal:86400

*Oct 18 12:26:54: %7: (33) atts are acceptable                            // Receives from the peer end the policy fields matched with this end.

*Oct 18 12:26:54: %7: vendor_id=0x4a 0x13 0x1c 0x81 0x7 0x3 0x58 0x45 0x5c 0x57 0x28 0xf2 0xe 0x95 0x45 0x2f

*Oct 18 12:26:54: %7:  nat_t's vendor id is detected, nat_vid_t_index=0.  //The detection result shows that the peer end supports NAT-T.

*Oct 18 12:26:54: %7: vendor_id=0x4a 0x13 0x1c 0x81 0x7 0x3 0x58 0x45 0x5c 0x57 0x28 0xf2 0xe 0x95 0x45 0x2f  //Indicates the vendor_id in RFC3947 used to detect whether the packet passes through a NAT device.

*Oct 18 12:26:54: %7: vendor_id=0xaf 0xca 0xd7 0x13 0x68 0xa1 0xf1 0xc9 0x6b 0x86 0x96 0xfc 0x77 0x57 0x1 0x0

*Oct 18 12:26:54: %7:  dpd's vendor id is detected.

*Oct 18 12:26:54: %7: (33) sending packet to 202.100.1.100 (I) MM_SI2_WR2, MM_KEY_EXCH   //Sends the third packet of Phase 1.

*Oct 18 12:26:54: %7: IKE message packet process over.

*Oct 18 12:26:54: %7: IKE recvmsg 200 bytes.

*Oct 18 12:26:54: %7: IKE:recvmsg for 10.1.1.1 of interface GigabitEthernet 0/0.

*Oct 18 12:26:54: %7: Not IKE NAT negotiate pkt.

*Oct 18 12:26:54: %7: (33) received packet from 202.100.1.100, (I) MM_SI2_WR2, MM_KEY_EXCH //Receives the fourth packet of Phase 1.

*Oct 18 12:26:54: %7:   Exchange type :0x2<key><nonce><NAT-D><NAT-D>

*Oct 18 12:26:54: %7:  extract_payload done!

*Oct 18 12:26:54: %7: main mode process R2:(33) processing NONCE payload.

*Oct 18 12:26:54: %7: (33)main mode process R2:SKEYID state generated

*Oct 18 12:26:54: %7: Local has been NAT.  //Indicates that the IP address of the local end has been translated through NAT.

*Oct 18 12:26:54: %7:  Local machine IP is 10.1.1.1, port is 500.

*Oct 18 12:26:54: %7: Local IP NAT-D hash:, len=20

*Oct 18 12:26:54: %7: 0xe3,0x9f,0x02,0x7f,0x11,0x14,0x2a,0xc6,0xe8,0x5d,0x03,0x3d,0xbf,0x41,0x69,0x20,

*Oct 18 12:26:54: %7: 0x46,0xa7,0x1a,0xb7,

*Oct 18 12:26:54: %7: Peer recv local IP NAT-D hash:, len=20

*Oct 18 12:26:54: %7: 0x28,0xea,0x92,0x1d,0x40,0x68,0x5b,0xd5,0xb3,0x88,0x5c,0x5b,0x18,0xd6,0x63,0xcd,  //Checks whether the hash of the local NAT-D is consistent with the hash of the received NAT-D. If not, it can be determined that the IP address of the local end has been translated through NAT.

*Oct 18 12:26:54: %7: 0x3c,0xcf,0xe2,0xb7,

*Oct 18 12:26:54: %7: Local record peer NAT-D hash:, len=20

*Oct 18 12:26:54: %7: 0xf8,0x61,0x67,0x99,0x1b,0xbb,0xe0,0xc3,0xa1,0xad,0xec,0xac,0x5f,0x0c,0xb5,0x1e,

*Oct 18 12:26:54: %7: 0xae,0x48,0xf5,0x1b,

*Oct 18 12:26:54: %7: Peer recv NAT-D hash:, len=20

*Oct 18 12:26:54: %7: 0xf8,0x61,0x67,0x99,0x1b,0xbb,0xe0,0xc3,0xa1,0xad,0xec,0xac,0x5f,0x0c,0xb5,0x1e,

*Oct 18 12:26:54: %7: 0xae,0x48,0xf5,0x1b,

*Oct 18 12:26:54: %7:  Peer hasn't been NAT.  //Checks whether the hash of the peer's NAT-D recorded locally is consistent with the hash of the NAT-D received from the peer. If yes, it can be determined that the IP address of the peer hasn't been translated through NAT.

*Oct 18 12:26:54: %7: (33) sending packet to 202.100.1.100 (I) MM_SI3_WR3, MM_VERIFY   //Sends the fifth packet of Phase 1, used for identity verification.

*Oct 18 12:26:54: %7: IKE message packet process over.

*Oct 18 12:26:54: %7: IKE recvmsg 72 bytes.

*Oct 18 12:26:54: %7: IKE:recvmsg for 10.1.1.1 of interface GigabitEthernet 0/0.

*Oct 18 12:26:54: %7: IKE NAT negotiate pkt.

*Oct 18 12:26:54: %7: (33) received packet from 202.100.1.100, (I) MM_SI3_WR3, MM_VERIFY       //Receives the sixth packet of Phase 1, used for identity verification.

*Oct 18 12:26:54: %7:   Exchange type : 0x2<id><hash>

*Oct 18 12:26:54: %7:  extract_payload done!

*Oct 18 12:26:54: %7: (33) (auth pre-share) processing ID payload. message ID = 0

*Oct 18 12:26:54: %7: (33) (auth pre-share) processing HASH payload. message ID = 0

*Oct 18 12:26:54: %7: (33) (auth pre-share) SA has been authenticated with 202.100.1.100

*Oct 18 12:26:54: %7: (main mode)(33) (I)Phase_1 negotiate complete!               // Indicates that the negotiation of Phase 1 is completed and the negotiation enters Phase 2.

*Oct 18 12:26:54: %7: ++++++++++++++Fill quick sa's dpd_mode(0).

*Oct 18 12:26:54: %7: (33) Beginning Quick Mode exchange, M-ID of 1336559833

*Oct 18 12:26:54: %7:   life seconds 3600

*Oct 18 12:26:54: %7:   life kilobytes 4608000

*Oct 18 12:26:54: %7:   mode 3

*Oct 18 12:26:54: %7:   hash 1

*Oct 18 12:26:54: %7: 0 0 0 34 1 3 4 1 10 10 b7 6c 0 0 0 28 1 2 0 0 80 1 0 1 0 2 0 4 0 0 e 10 80 1 0 2 0 2 0 4 0 46 50 0 80 4 0 3 80 5 0 1

*Oct 18 12:26:54: %7: (33)(quick mode) sending packet to 202.100.1.100 (I) QM_SI1_WR1  // Sends the first packet of Phase 2.

*Oct 18 12:26:54: %7: IKE message packet process over.

*Oct 18 12:26:54: %7: IKE recvmsg 176 bytes.

*Oct 18 12:26:54: %7: IKE:recvmsg for 10.1.1.1 of interface GigabitEthernet 0/0.

*Oct 18 12:26:54: %7: IKE NAT negotiate pkt.

*Oct 18 12:26:54: %7: find phase 2 quick sa!

*Oct 18 12:26:54: %7: (33) (1336559833)received packet from 202.100.1.100, (I)QM_SI1_WR1  //Receives the second packet of Phase 2.

*Oct 18 12:26:54: %7:   Exchange type :0x20<hash><sa><nonce><id>

*Oct 18 12:26:54: %7:  extract_payload done!

*Oct 18 12:26:54: %7: (quick mode)(isakmp_id---33) process r1:processing SA payload.message ID = 1336559833 a 0 0 40 0 0 0 1 0 0 0 1 0 0 0 34 1 3 4 1 7b 72 b2 44 0 0 0 28 1 2 0 0 80 1 0 1 0 2 0 4 0 0 e 10 80 1 0 2 0 2 0 4 0 46 50 0 80 4 0 3 80 5 0 1

*Oct 18 12:26:54: %7:  set->lifebak_sec=3600

*Oct 18 12:26:54: %7:  Check Attr successful!

*Oct 18 12:26:54: %7: (quick_mode)(I)phase 2 sa established,begining to update sab!          //Indicates that the SA of Phase 2 is generated and the device starts to update the SAB.

*Oct 18 12:26:54: %7: (33) Creating IPSec SAs-esp.

*Oct 18 12:26:54: %7:     inbound SA has spi 269530988

*Oct 18 12:26:54: %7:     protocol esp, DES_CBC

*Oct 18 12:26:54: %7:     auth MD5

*Oct 18 12:26:54: %7:  fill esp in success!

*Oct 18 12:26:54: %7:     outbound SA has spi 2071114308

*Oct 18 12:26:54: %7:     protocol esp, DES_CBC

*Oct 18 12:26:54: %7:     auth MD5

*Oct 18 12:26:54: %7:  fill esp out success!

*Oct 18 12:26:54: %7:    lifetime of 3600 seconds, soft 3555 seconds

*Oct 18 12:26:54: %7:    lifetime of 4607000 kilobytes, soft 256 kilobytes

*Oct 18 12:26:54: %7: +++++++++++++Fill sab' dpd_mode(0)

*Oct 18 12:26:54: %7: add first sab into salink.

*Oct 18 12:26:54: %7:  life_seconds=3600

*Oct 18 12:26:54: %7:  life_back_seconds=3600

*Oct 18 12:26:54: %7: (quick mode)(isakmp_id---33) sending packet to 202.100.1.100 (I)QM_IDLE  //Sends the third packet of Phase 2.

*Oct 18 12:26:54: %7: (quick mode)(isakmp_id---33)process r1:Phase_2 negotiate complete!

*Oct 18 12:26:54: %7: ike's tunnel (number=1)established.

*Oct 18 12:26:54: %7: IKE message packet process over.

.!!!!

Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/1 ms
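The NAT-D comparisons in the debug output above ("Local IP NAT-D hash" against "Peer recv local IP NAT-D hash", and "Local record peer NAT-D hash" against "Peer recv NAT-D hash") are easier to read once the hash construction is known. The following is an added example, not part of the Ruijie output, that computes NAT-D hashes as RFC 3947 defines them and reproduces both comparisons. The cookies and the NAT's public address (203.0.113.5) are constructed sample values; 10.1.1.1 and 202.100.1.100 are the addresses from the log. The hash values it produces therefore do not equal those in the log.

```python
"""Added example, not from the Ruijie debug output: NAT-D hash computation
and NAT detection as in RFC 3947 section 3.2.

    NAT-D = HASH(CKY-I | CKY-R | IP | Port)

HASH is the Phase 1 hash algorithm (SHA-1 here, matching "hash SHA" and
"len=20" in the log). Each side sends one NAT-D for the peer's address and
one for its own; a mismatch between what a side computes for an address
and what the peer computed for the same address means a NAT rewrote it."""
import hashlib
import socket
import struct


def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int, algo: str = "sha1") -> bytes:
    """NAT-D payload hash per RFC 3947: cookies, then the 4-byte IPv4 address,
    then the 2-byte port, all in network byte order."""
    if len(cky_i) != 8 or len(cky_r) != 8:
        raise ValueError("ISAKMP cookies are 8 bytes each")
    data = cky_i + cky_r + socket.inet_aton(ip) + struct.pack("!H", port)
    return hashlib.new(algo, data).digest()


def nat_detection(cky_i, cky_r, local, peer, peer_hash_of_our_addr, peer_hash_of_its_addr):
    """The two comparisons printed in the log.

    local, peer: (ip, port) as this side knows them.
    peer_hash_of_our_addr: NAT-D the peer computed over the source it saw
        ("Peer recv local IP NAT-D hash").
    peer_hash_of_its_addr: NAT-D the peer computed over its own address
        ("Peer recv NAT-D hash")."""
    our_hash = nat_d_hash(cky_i, cky_r, *local)    # "Local IP NAT-D hash"
    peer_hash = nat_d_hash(cky_i, cky_r, *peer)    # "Local record peer NAT-D hash"
    return {
        "local_behind_nat": our_hash != peer_hash_of_our_addr,
        "peer_behind_nat": peer_hash != peer_hash_of_its_addr,
    }


def simulate_log_scenario():
    """Constructed scenario matching the log: the initiator 10.1.1.1 sits
    behind a NAT that rewrites its source to 203.0.113.5 (a documentation
    address, assumed here); the responder 202.100.1.100 is not translated."""
    cky_i = bytes.fromhex("0011223344556677")   # constructed initiator cookie
    cky_r = bytes.fromhex("8899aabbccddeeff")   # constructed responder cookie
    local = ("10.1.1.1", 500)
    peer = ("202.100.1.100", 500)
    # The responder hashes the source address it actually observed ...
    peer_hash_of_our_addr = nat_d_hash(cky_i, cky_r, "203.0.113.5", 500)
    # ... and its own, untranslated address.
    peer_hash_of_its_addr = nat_d_hash(cky_i, cky_r, *peer)
    return nat_detection(cky_i, cky_r, local, peer,
                         peer_hash_of_our_addr, peer_hash_of_its_addr)


if __name__ == "__main__":
    print(simulate_log_scenario())   # local behind NAT, peer not, as in the log
```

The result mirrors the log: "Local has been NAT." because the hash the responder computed over the translated source differs from the one the initiator computed over 10.1.1.1, and "Peer hasn't been NAT." because both sides hash 202.100.1.100 identically. Once a NAT is detected, RFC 3947 has the peers continue on UDP port 4500, which is consistent with the later messages in the log being tagged "IKE NAT negotiate pkt".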

 

1.4.3.2    Basic Configuration

1.4.3.3    IPSEC Static Tunnel

 

Features

When IPSec static tunnels are used for networking, you need to manually configure the two ends of each IPSec tunnel, but dynamic negotiation is not needed. However, with the increase of encrypted points and tunnels, it becomes more difficult to configure and maintain IPSec tunnels. Therefore, the static tunnel technology is generally used in scenarios with fewer encrypted points.

 

Scenario

If the headquarters of a company and its branches need to mutually share data through their inside networks and hope that the data are not easily intercepted, cracked or stolen by hackers during transmission, you can create an IPSec VPN on the network devices of the headquarters and branches. The IPSec VPN not only enables the headquarters and branches to directly access the resources of each other, but also encrypts the data during transmission, so as to ensure data security. If both the headquarters and branches use static IP addresses, a static IPSec VPN can be used.

 

Working Principle

The IPSec VPN has two negotiation stages: ISAKMP and IPSec. At the ISAKMP stage, the protection policies of the two ends are negotiated to verify the validity of the peers, generate the encryption key, and protect the negotiation of the IPSec SA at the second stage. At the IPSec stage, the protection policies for the IPSec SA are determined, including whether to use AH or ESP, transport mode or tunnel mode, and what the protected data is. The negotiation purpose of the second stage is to generate the IPSec SA for protecting IP data. The IPSec communication peers must reach an agreement on the security policies at the first and second stages; otherwise, the IPSec negotiation fails.

 

I. Networking Requirements

Two LANs access the Internet (or a private network) through two RSR routers respectively. In addition, the network segments 192.168.0.0/24 and 192.168.1.0/24 of the two LANs need to communicate with each other, and the communication traffic must be encrypted.

In this scenario, a static IPSec VPN is deployed on the two RSR routers to implement communication between the LANs and meet the data encryption requirements.

II. Network Topology

 

 

III. Configurations

1.      Configure routers R1 and R2 so that R1 and R2 can access the Internet and can be successfully pinged by each other.

2.      Configure a static IPSec VPN tunnel on R1.

(1)    Configure the interesting traffic of IPSec.

(2)    Configure the ISAKMP policy.

(3)    Configure the pre-shared key.

(4)    Configure the IPSec transform set.

(5)    Configure the IPSec crypto map.

(6)    Apply the crypto map to an interface.

3.      Configure a route on R1 to direct the traffic to LAN 2 to the egress.

4.      Configure a static IPSec VPN tunnel on R2.

(1)    Configure the interesting traffic of IPSec.

(2)    Configure the ISAKMP policy.

(3)    Configure the pre-shared key.

(4)    Configure the IPSec transform set.

(5)    Configure the IPSec crypto map.

(6)    Apply the crypto map to an interface.

5.      Configure a route on R2 to direct the network segment route of LAN 1 to the egress.

Notes:

The IP network segments of LAN 1 and LAN 2 to be mutually accessed must not overlap.

Since RSR50 and RSR50E involve the IPSec function, they must be configured with AIM-VPN encryption cards (for details about how to check whether RSR50 and RSR50E have been configured with AIM-VPN encryption cards, see the appendix at the end of this document).

IV. Configuration Steps

1.      Configure routers R1 and R2 so that R1 and R2 can access the Internet and can be successfully pinged by each other.

2.      Configure a static IPSec VPN tunnel on R1.

(1)    Configure the interesting traffic of IPSec.

access-list 101 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255  //Specifies the traffic with source network 192.168.0.0/24 and destination network 192.168.1.0/24 as interesting traffic.

(2)    Configure the ISAKMP policy.

crypto isakmp keepalive 5 periodic  //Configures the IPSec DPD detection function.

crypto isakmp policy 1  //Creates a new ISAKMP policy.

authentication pre-share      //Specifies "pre-shared key" as the authentication method. Configure "authentication rsa-sig" in case of digital certificates, and "authentication digital-email" in case of digital envelopes.

group 2    //Specifies Diffie-Hellman group 2 for the key exchange.

encryption 3des      //Specifies 3DES for encryption.

(3)    Configure the pre-shared key.

crypto isakmp key 0 ruijie address 10.0.0.2  //Specifies "ruijie" as the pre-shared key of peer 10.0.0.2. The same key must be used at the peer end. The key does not need to be configured when digital certificates/envelopes are used for authentication.

(4)    Configure the IPSec transform set.

crypto ipsec transform-set myset esp-des esp-md5-hmac  //Specifies that ESP encapsulation, DES encryption and MD5 verification are used for IPSec.

(5)    Configure the IPSec crypto map.

crypto map mymap 5 ipsec-isakmp  //Creates a crypto map named "mymap".

set peer 10.0.0.2  //Specifies the peer address.

set transform-set myset  //Specifies myset as the IPSec transform set.

match address 101  //Specifies ACL 101 as the interesting traffic.

(6)    Apply the crypto map to an interface.

interface GigabitEthernet 0/0

ip add 10.0.0.1 255.255.255.0

crypto map mymap

3.      Configure a route on R1 to direct the traffic to LAN 2 to the egress.

ip route 192.168.1.0 255.255.255.0 10.0.0.2

4.      Configure a static IPSec VPN tunnel on R2.

(1)    Configure the interesting traffic of IPSec.

access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255  //Specifies the traffic with source network 192.168.1.0/24 and destination network 192.168.0.0/24 as interesting traffic.

(2)    Configure the ISAKMP policy.

crypto isakmp policy 1  //Creates a new ISAKMP policy.

authentication pre-share      //Specifies "pre-shared key" as the authentication method. Configure "authentication rsa-sig" in case of digital certificates, and "authentication digital-email" in case of digital envelopes.

encryption 3des      //Specifies 3DES for encryption.

group 2    //Specifies Diffie-Hellman group 2 for the key exchange.

(3)    Configure the pre-shared key.

crypto isakmp key 0 ruijie address 10.0.0.1  //Specifies "ruijie" as the pre-shared key of peer 10.0.0.1. The same key must be used at the peer end. The key does not need to be configured in case of digital certificates/envelopes.

(4)    Configure the IPSec transform set.

crypto ipsec transform-set myset esp-des esp-md5-hmac  //Specifies ESP encapsulation, DES encryption and MD5 verification for IPSec.

(5)    Configure the crypto map.

crypto map mymap 5 ipsec-isakmp     //Creates a crypto map named "mymap".

set peer 10.0.0.1      //Specifies the peer address.

set transform-set myset    //Specifies myset as the transform set.

match address 101     //Specifies ACL 101 as the interesting traffic.

(6)    Apply the crypto map to an interface.

interface GigabitEthernet 0/0

ip add 10.0.0.2 255.255.255.0

crypto map mymap

5.      Configure a route on R2 to direct the traffic to LAN 1 to the egress.

ip route 192.168.0.0 255.255.255.0 10.0.0.1

 

V. Verification

1.      On R1, ping 192.168.1.1 with source IP address 192.168.0.1. The communication is normal.

R1#ping 192.168.1.1 source 192.168.0.1

Sending 5, 100-byte ICMP Echoes to 192.168.1.1, timeout is 2 seconds:

< press Ctrl+C to break >

.!!!!

2.      Check whether the negotiation of the ISAKMP and IPSec SAs has been successful on R1.

Ruijie#show crypto isakmp sa  //Shows the result of ISAKMP SA negotiation.

destination      source           state       conn-id    lifetime(second)

10.0.0.2         10.0.0.1         IKE_IDLE    0          84129      //The ISAKMP negotiation is successful and the status is IKE_IDLE.

Ruijie#show crypto ipsec sa //Shows the result of IPSec SA negotiation.

Interface: GigabitEthernet 0/0

Crypto map tag:mymap    //Indicates the name of the crypto map applied to the interface.

local ipv4 addr 10.0.0.1    //Indicates the IP address used during ISAKMP/IPSec negotiation.

media mtu 1500

==================================

sub_map type:static, seqno:5, id=0

local  ident (addr/mask/prot/port):(192.168.0.0/0.0.0.255/0/0))    //Indicates the source IP addresses of the interesting traffic.

remote  ident(addr/mask/prot/port):(192.168.1.0/0.0.0.255/0/0))    //Indicates the destination IP addresses of the interesting traffic.

PERMIT

#pkts encaps: 4, #pkts encrypt: 4, #pkts digest 4    //Indicates the number of packets successfully encapsulated, encrypted and digested.

#pkts decaps:4, #pkts decrypt:4, #pkts verify 4    //Indicates the number of packets successfully decapsulated, decrypted and verified. When data is encrypted through IPSec for communication, you can see the preceding statistics increase constantly when you repeatedly run the command show crypto ipsec sa.

#send errors 0, #recv errors 0  //Indicates the number of packets that were incorrectly sent and received. Normally, the counts do not increase.

Inbound esp sas:

spi:0x2ecca8e (49072782)    //Indicates the inbound SPI of the IPSec SA.

transform:esp-des esp-md5-hmac    //Indicates that the IPSec transform set is esp-des esp-md5-hmac.

in use settings={Tunnel Encaps,}   //Indicates that the tunnel mode is used.

crypto map mymap 5

sa timing: remaining key lifetime (k/sec): (4606998/1324)  //Indicates that the remaining lifetime of the SA is 4606998 kilobytes/1324 seconds.

IV size:8 bytes   //Indicates that the length of the IV is 8 bytes.

Replay detection support: Y   //Indicates that anti-replay processing is enabled.

Outbound esp sas:

spi:0x5730dd4b (1462820171)    //Indicates the outbound SPI of the IPSec SA. When both the inbound SPI and the outbound SPI are displayed, the IPSec SA negotiation is successful.

transform: esp-des esp-md5-hmac

 in use settings={Tunnel Encaps,}

crypto map mymap 5

sa timing: remaining key lifetime (k/sec): (4606998/1324)

IV size: 8 bytes

Replay detection support: Y
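The verification text above says what to watch in this output: the encaps/decaps counters should keep increasing, the error counters should not, and both SPIs must be present. The following is an added example, not from the cookbook, that parses two snapshots of `show crypto ipsec sa` in the format shown above and reports those conditions. The snapshot text is constructed to match the cookbook's output lines and counter values; the single-DES check at the end is this example's own addition, since the transform set shown uses esp-des.

```python
"""Added example, not from the Ruijie cookbook: parse `show crypto ipsec sa`
snapshots in the format shown above and flag stalled or one-way tunnels,
error-counter growth, rekeys (SPI change) and a single-DES transform set.
The sample text is constructed to match the cookbook's output format."""
import re

# Constructed snapshot template, mirroring the cookbook's output lines.
TEMPLATE = """\
Interface: GigabitEthernet 0/0
Crypto map tag:mymap
local ipv4 addr 10.0.0.1
#pkts encaps: {enc}, #pkts encrypt: {enc}, #pkts digest {enc}
#pkts decaps:{dec}, #pkts decrypt:{dec}, #pkts verify {dec}
#send errors {serr}, #recv errors {rerr}
Inbound esp sas:
spi:{ispi}
transform:esp-des esp-md5-hmac
in use settings={{Tunnel Encaps,}}
Outbound esp sas:
spi:{ospi}
transform: esp-des esp-md5-hmac
"""


def make_snapshot(enc, dec, serr=0, rerr=0, ispi="0x2ecca8e", ospi="0x5730dd4b"):
    """Build a constructed snapshot; the default SPIs are the cookbook's."""
    return TEMPLATE.format(enc=enc, dec=dec, serr=serr, rerr=rerr, ispi=ispi, ospi=ospi)


COUNTER_RE = re.compile(r"#pkts (encaps|decaps):\s*(\d+)")
ERROR_RE = re.compile(r"#(send|recv) errors\s+(\d+)")
SPI_RE = re.compile(r"(Inbound|Outbound) esp sas:[^\n]*\n\s*spi:\s*(0x[0-9a-fA-F]+)")
TRANSFORM_RE = re.compile(r"transform:\s*(.+)")


def parse_sa(text):
    """Extract the counters, error counters, SPIs and transform set.
    The regexes tolerate the missing space in '#pkts decaps:4'."""
    sa = {name: int(val) for name, val in COUNTER_RE.findall(text)}
    sa.update({f"{name}_errors": int(val) for name, val in ERROR_RE.findall(text)})
    sa["spi"] = {d.lower(): int(spi, 16) for d, spi in SPI_RE.findall(text)}
    m = TRANSFORM_RE.search(text)
    sa["transform"] = m.group(1).strip() if m else ""
    return sa


def assess(before, after):
    """Compare two parsed snapshots taken some time apart."""
    findings = []
    if after["spi"] != before["spi"]:
        # New SPIs mean the SA was renegotiated; counter deltas are meaningless.
        findings.append("rekey: SPIs changed between snapshots")
    else:
        d_enc = after["encaps"] - before["encaps"]
        d_dec = after["decaps"] - before["decaps"]
        if d_enc > 0 and d_dec == 0:
            findings.append("one-way: packets encrypted but none decrypted back")
        elif d_enc == 0 and d_dec == 0:
            findings.append("idle: no traffic through the SA")
    for key in ("send_errors", "recv_errors"):
        if after[key] > before[key]:
            findings.append(f"{key} increased by {after[key] - before[key]}")
    if "esp-des" in after["transform"].split():
        findings.append("legacy cipher: single DES (esp-des) in transform set")
    return findings


if __name__ == "__main__":
    first = parse_sa(make_snapshot(4, 4))      # the cookbook's counters
    later = parse_sa(make_snapshot(12, 4))     # encaps grew, decaps did not
    for line in assess(first, later):
        print(line)
```

A one-way finding (encaps growing, decaps flat) usually points at a missing return route or a mismatched interesting-traffic ACL on the peer, which is exactly what steps 3 and 5 of the configuration provide; an error-counter increase is the case the cookbook says should not normally happen.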

 

VI. Appendix

1.      How to check whether RSR50 and RSR50E have been configured with AIM-VPN encryption cards

RSR50 and RSR50E have no embedded VPN encryption cards. IPSec is processed in software by processes, and therefore its performance is very low. For packets of 500 pps at 60 bytes, 50 packets are lost and the packet loss rate is 10%. For rates larger than 2 Kpps, the packet loss rate is 100%.

If IPSec is used when there is no AIM-VPN encryption card, function failures related to IPSec may occur. For example, even when data streams with small traffic are encrypted, the CPU usage is about 100%, or large packets cannot be successfully pinged.

An AIM-VPN card is a pluggable card with a size similar to that of a RAM card. It is inserted inside the management board.

You can use the following method to check whether the management board is configured with an AIM-VPN card:

RSR50#debug su

RSR50(support)#pci show

RSR50(support)#

*Jan 29 13:41:23: %7: =================BEGIN====================

*Jan 29 13:41:23: %7: PCI Bus 0 slot 1/0: PCI device 0x166D:0x0002

*Jan 29 13:41:23: %7: PCI Bus 0 slot 6/0: PCI device 0x104C:0xAC28

*Jan 29 13:41:23: %7: PCI Bus 1 slot 2/0: PCI device 0x14D9:0x0020

*Jan 29 13:41:23: %7: PCI Bus 1 slot 2/1: PCI device 0x1142:0x9001

*Jan 29 13:41:23: %7: PCI Bus 1 slot 3/0: PCI device 0x14D9:0x9000

*Jan 29 13:41:23: %7: PCI Bus 1 slot 3/1: PCI device 0x1142:0x9001

*Jan 29 13:41:23: %7: PCI Bus 1 slot 4/0: PCI device 0x14D9:0x9000

*Jan 29 13:41:23: %7: PCI Bus 1 slot 4/1: PCI device 0x1142:0x9001

*Jan 29 13:41:23: %7: PCI Bus 1 slot 5/0: PCI device 0x14D9:0x9000

*Jan 29 13:41:23: %7: PCI Bus 1 slot 5/1: PCI device 0x1142:0x9001

*Jan 29 13:41:23: %7: PCI Bus 14 slot 1/0: PCI device 0x1131:0x1561

*Jan 29 13:41:23: %7: PCI Bus 14 slot 1/1: PCI device 0x1131:0x1562

*Jan 29 13:41:23: %7: =================_^_====================

As long as 0x0020 is shown, the management card has the AIM-VPN card:

*Jan 29 13:41:23: %7: PCI Bus 1 slot 2/0: PCI device 0x14D9:0x0020

Notes:

If the log function is disabled (), the output of the pci show command is empty. If you log in to the device through the vty line, the information is output only when terminal monitor is enabled.

 

1.4.3.4    IPSEC Dynamic Tunnel

 

Features

A dynamic IPSec tunnel is generally used in a topology with multiple branches. The dynamic tunnel is configured at the central point to receive IPSec VPN dial-in data from the branches. The central point is easy to configure and maintain, and has high expansibility.

 

Scenario

If the headquarters of a company and its branches need to mutually share data through their intranets and hope that the data will not be easily intercepted or cracked by hackers during transmission, you can create an IPSec VPN between the network devices of the headquarters and branches. The IPSec VPN not only enables the headquarters and branches to directly access the resources of each other, but also encrypts the data during transmission, so as to ensure data security. If static IP addresses are used in the headquarters while the dial-up mode is used in the branches (the IP addresses are not permanent), a dynamic IPSec VPN can be used.

 

I. Networking Requirements

Due to business development, a company sets up multiple branches all over the country. The egress router in the headquarters is connected to the Internet through a dedicated line of a Telecom operator, while the branches are connected to the Internet through a dedicated line or ADSL. The branches need to access the business server in the headquarters, and communication data between the branches and the headquarters needs to be encrypted to ensure business security.

A dynamic IPSec VPN can be deployed on the egress router in the headquarters to receive dial-in data from the branches, so as to enable mutual business access between the headquarters and the branches, and encrypt the relevant data.

 

II. Network Topology

III. Configuration Tips

1.      Configure routers in the headquarters and its branches, so that the routers can access the Internet.

2.      Configure a dynamic IPSec VPN tunnel on the egress router in the headquarters.

(1)    Configure the ISAKMP policy.

(2)    Configure the pre-shared key.

(3)    Configure the IPSec transform set.

(4)    Configure the dynamic crypto map.

(5)    Map the dynamic IPSec crypto map to the static IPSec crypto map.

(6)    Apply the crypto map to an interface.

3.      Configure the route on the router of the headquarters, and direct the traffic to the branches to the egress.

4.      Configure a static IPSec VPN tunnel on the routers of the branches.

(1)    Configure the interesting traffic of IPSec.

(2)    Configure the ISAKMP policy.

(3)    Configure the pre-shared key.

(4)    Configure the IPSec transform set.

(5)    Configure the crypto map.

(6)    Apply the crypto map to an interface.

5.      Configure the routes on the routers of the branches, and direct the traffic to the headquarters to the egress.

Notes:

l  The IP network segments of LAN 1 and LAN 2 to be mutually accessed must not overlap.

l  Since RSR50 and RSR50E involve the IPSec function, they must be configured with AIM-VPN encryption cards (for details about how to check whether RSR50 and RSR50E have been configured with AIM-VPN encryption cards, see the appendix at the end of this section).

IV. Configuration Steps

1.      Configure routers in the headquarters and its branches, so that the routers can access the Internet.

It must be ensured that a ping from the branches to the headquarters' public IP address is successful.

2.      Configure a dynamic IPSec VPN tunnel on the egress router of the headquarters.

(1)    Configure the ISAKMP policy.

crypto isakmp policy 1   //Creates a new ISAKMP policy.

encryption 3des        //Specifies 3DES for encryption.

authentication pre-share            //Specifies "pre-shared key" as the authentication method. Configure "authentication rsa-sig" in case of digital certificates, and "authentication digital-email" in case of digital envelopes.

(2)    Configure the pre-shared key.

crypto isakmp key 0 ruijie address 0.0.0.0 0.0.0.0                 //Configures the pre-shared key "ruijie". The same key must be configured on the IPSec clients. Because the IP addresses of the peers are dynamic, the address 0.0.0.0 0.0.0.0 is used to represent all IPSec clients.

(3)    Configure the IPSec transform set.

crypto ipsec transform-set myset esp-des esp-md5-hmac   //Specifies ESP for encapsulation, DES for encryption and MD5 for verification.

(4)    Configure the IPSec crypto map.

crypto dynamic-map dymymap 5             //Creates a dynamic IPSec crypto map named "dymymap".

set transform-set myset                           //Specifies the transform set "myset".

(5)    Map the dynamic crypto map to the static crypto map.

crypto map mymap 10 ipsec-isakmp dynamic dymymap   //Maps the dynamic crypto map "dymymap" to the static crypto map "mymap".

(6)    Apply the crypto map to an interface.

interface GigabitEthernet 0/0

 crypto map mymap

3.      Configure the route on the router of the headquarters, and direct the traffic to the branches to the egress.

ip route 192.168.1.0 255.255.255.0 10.0.0.2

ip route 192.168.2.0 255.255.255.0 10.0.0.2

ip route 192.168.3.0 255.255.255.0 10.0.0.2

......

4.      Configure the static IPSec VPN tunnel on the routers of the branches (taking branch 1 as an example).

(1)    Configure the interesting traffic of IPSec.

access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255  //Specifies the traffic with source network 192.168.1.0/24 and destination network 192.168.0.0/24 as interesting traffic.

(2)    Configure the ISAKMP policy.

crypto isakmp keepalive 5 periodic //Enables IPSec DPD (dead peer detection).

crypto isakmp policy 1            //Creates a new ISAKMP policy.

authentication pre-share          //Specifies "pre-shared key" as the authentication method. Configure "authentication rsa-sig" in case of digital certificates, and "authentication digital-email" in case of digital envelopes.

encryption 3des                 //Specifies 3DES for encryption.

(3)    Configure the pre-shared key.

crypto isakmp key 0 ruijie address 10.0.0.1  //Specifies "ruijie" as the pre-shared key for the peer 10.0.0.1. The same key must be used on the egress router of the headquarters. The key does not need to be configured in case of digital certificates/envelopes.

(4)    Configure the IPSec transform set.

crypto ipsec transform-set myset esp-des esp-md5-hmac //Specifies ESP for encapsulation, DES for encryption and MD5 for verification.

(5)    Configure the crypto map.

crypto map mymap 5 ipsec-isakmp //Creates a crypto map named "mymap".

set peer 10.0.0.1                 //Specifies the peer address.

set transform-set myset           //Specifies the transform set "myset".

match address 101               //Specifies ACL 101 as the interesting traffic.

(6)    Apply the crypto map to an interface.

interface dialer 0

 crypto map mymap

5.      Configure the routes on the routers of the branches, and direct the traffic to the headquarters to the egress.

ip route 192.168.0.0 255.255.255.0 dialer 0
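The non-overlap rule from the Notes above and the per-branch ACL and static routes in steps 3 to 5 can be checked mechanically before any router is touched. The following Python script is an added example and not Ruijie code: it takes the headquarters LAN, the branch LANs and the headquarters next hop used in the steps above (192.168.0.0/24, 192.168.1.0/24 onward, 10.0.0.2) as constructed input, rejects overlapping segments, and prints the access-list and ip route lines in the form the steps use. The branch names and the ACL number 101 are assumptions.

```python
import ipaddress

# Constructed input, mirroring the addressing used in the configuration steps.
HQ_LAN = "192.168.0.0/24"
BRANCH_LANS = {
    "branch1": "192.168.1.0/24",
    "branch2": "192.168.2.0/24",
    "branch3": "192.168.3.0/24",
}
HQ_NEXT_HOP = "10.0.0.2"   # next hop of the headquarters egress, as in step 3
ACL_NUMBER = 101           # assumed, as in step 4 (1)


def find_overlaps(hq_lan: str, branch_lans: dict[str, str]) -> list[tuple[str, str]]:
    """Return every pair of sites whose LAN segments overlap.

    strict=True makes ip_network() reject a prefix with host bits set
    (e.g. 192.168.1.1/24), which is usually a typo in the addressing plan.
    """
    nets = {"HQ": ipaddress.ip_network(hq_lan, strict=True)}
    for name, lan in branch_lans.items():
        nets[name] = ipaddress.ip_network(lan, strict=True)
    names = list(nets)
    return [
        (a, b)
        for i, a in enumerate(names)
        for b in names[i + 1:]
        if nets[a].overlaps(nets[b])
    ]


def branch_acl(acl_number: int, branch_lan: str, hq_lan: str) -> str:
    """Branch-side interesting-traffic ACL: branch LAN -> HQ LAN, with wildcard masks."""
    b = ipaddress.ip_network(branch_lan)
    h = ipaddress.ip_network(hq_lan)
    return (f"access-list {acl_number} permit ip "
            f"{b.network_address} {b.hostmask} {h.network_address} {h.hostmask}")


def branch_route(hq_lan: str, egress: str = "dialer 0") -> str:
    """Branch-side static route towards the headquarters LAN (step 5)."""
    h = ipaddress.ip_network(hq_lan)
    return f"ip route {h.network_address} {h.netmask} {egress}"


def hq_routes(branch_lans: dict[str, str], next_hop: str) -> list[str]:
    """One static route per branch LAN on the headquarters router (step 3)."""
    return [
        f"ip route {n.network_address} {n.netmask} {next_hop}"
        for n in (ipaddress.ip_network(lan) for lan in branch_lans.values())
    ]


def plan(hq_lan: str, branch_lans: dict[str, str], next_hop: str) -> dict[str, list[str]]:
    """Validate the addressing plan and return the configuration lines per router."""
    overlaps = find_overlaps(hq_lan, branch_lans)
    if overlaps:
        raise ValueError(f"overlapping LAN segments: {overlaps}")
    out = {"HQ": hq_routes(branch_lans, next_hop)}
    for name, lan in branch_lans.items():
        out[name] = [branch_acl(ACL_NUMBER, lan, hq_lan), branch_route(hq_lan)]
    return out


if __name__ == "__main__":
    for router, lines in plan(HQ_LAN, BRANCH_LANS, HQ_NEXT_HOP).items():
        print(f"! {router}")
        print("\n".join(lines))
```

Run it once with the real site table before the rollout; an overlap between any branch and the headquarters (or between two branches) stops the script with the offending pair, because such traffic would never be matched consistently by the interesting-traffic ACLs.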

 

V. Verification

1.      Ping 192.168.0.1 from the router of branch 1 with source IP address 192.168.1.1. The communication is normal.

R1#ping 192.168.0.1 source 192.168.1.1

Sending 5,100-byte ICMP Echoes to 192.168.1.1, timeout is 2 seconds:

< press Ctrl+C to break >

.!!!!

2.      On the router of branch 1, check whether the ISAKMP and IPSec SA negotiations are successful.

Ruijie#show crypto isakmp sa                                     //Shows the result of the ISAKMP SA negotiation.

 destination      source            state                    conn-id           lifetime(second)

10.0.0.2         10.0.0.1          IKE_IDLE                 0                84129                //The ISAKMP negotiation is successful and the state is IKE_IDLE.

Ruijie#show crypto ipsec sa                                             //Shows the result of the IPSec SA negotiation.

Interface: GigabitEthernet 0/0

Crypto map tag: mymap    //Indicates the name of the crypto map applied to the interface.

local ipv4 addr 10.0.0.1                  //Indicates the IP address used during ISAKMP/IPSec negotiation.

         media mtu 1500

         ==================================

         sub_map type:static, seqno:5, id=0

        local  ident (addr/mask/prot/port): (192.168.0.0/0.0.0.255/0/0))  //Indicates the source IP address of the interesting traffic.

remote ident (addr/mask/prot/port): (192.168.1.0/0.0.0.255/0/0))  //Indicates the destination IP address of the interesting traffic.

         PERMIT

#pkts encaps: 4, #pkts encrypt: 4, #pkts digest 4    //Indicates the number of packets successfully encapsulated, encrypted and digested.

#pkts decaps: 4, #pkts decrypt: 4, #pkts verify 4    //Indicates the number of packets successfully decapsulated, decrypted and verified. When data is encrypted through IPSec for communication, these counters keep increasing as you repeatedly run the command show crypto ipsec sa.

#send errors 0, #recv errors 0    //Indicates the number of packets that were incorrectly sent and received. Normally, these counts do not increase.

 Inbound esp sas:

spi:0x2ecca8e (49072782)                   //Indicates the inbound SPI of the IPSec SA.

               transform: esp-des esp-md5-hmac  //Indicates that the IPSec transform set is esp-des esp-md5-hmac.

in use settings={Tunnel Encaps,}         //Indicates that tunnel mode is used.

               crypto map mymap 5

               sa timing: remaining key lifetime (k/sec):(4606998/1324)  //Indicates that the remaining lifetime of the SA is 4,606,998 kilobytes/1,324 seconds.

               IV size: 8 bytes   //Indicates that the length of the IV is 8 bytes.

Replay detection support: Y   //Indicates anti-replay processing.

 Outbound esp sas:

spi:0x5730dd4b (1462820171)  //Indicates the outbound SPI of the IPSec SA. The IPSec SA negotiation is successful only when both the inbound and the outbound SPI are displayed.

               transform: esp-des esp-md5-hmac

               in use settings={Tunnel Encaps,}

               crypto map mymap 5

               sa timing: remaining key lifetime (k/sec):(4606998/1324)

               IV size: 8 bytes

               Replay detection support: Y
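The verification above relies on reading the counters by eye. As an added example (not Ruijie code), the following Python parser reads show crypto ipsec sa output of the format quoted above from two snapshots taken a few seconds apart, and reports the conditions the annotations describe: both an inbound and an outbound SPI present, the encaps/decaps counters increasing while traffic flows, and the send/recv error counters not increasing. It also flags the esp-des esp-md5-hmac transform set used in these steps, since DES and MD5 are legacy algorithms and a practitioner would choose AES and SHA-2 where both peers support them. The two snapshots are constructed from the page's output format, not real captures; the function and field names are assumptions.

```python
import re
from dataclasses import dataclass, field

# Constructed snapshots in the format of the show crypto ipsec sa output quoted
# above (not real captures). SNAPSHOT_2 stands for the same command run later,
# after a few more pings have crossed the tunnel.
SNAPSHOT_1 = """\
Interface: GigabitEthernet 0/0
Crypto map tag: mymap
local ipv4 addr 10.0.0.1
  sub_map type:static, seqno:5, id=0
  local  ident (addr/mask/prot/port): (192.168.0.0/0.0.0.255/0/0)
  remote ident (addr/mask/prot/port): (192.168.1.0/0.0.0.255/0/0)
  PERMIT
#pkts encaps: 4, #pkts encrypt: 4, #pkts digest 4
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify 4
#send errors 0, #recv errors 0
 Inbound esp sas:
  spi:0x2ecca8e (49072782)
    transform: esp-des esp-md5-hmac
    in use settings={Tunnel Encaps,}
    sa timing: remaining key lifetime (k/sec): (4606998/1324)
    Replay detection support: Y
 Outbound esp sas:
  spi:0x5730dd4b (1462820171)
    transform: esp-des esp-md5-hmac
    in use settings={Tunnel Encaps,}
    sa timing: remaining key lifetime (k/sec): (4606998/1324)
    Replay detection support: Y
"""
SNAPSHOT_2 = (SNAPSHOT_1
              .replace("#pkts encaps: 4, #pkts encrypt: 4, #pkts digest 4",
                       "#pkts encaps: 9, #pkts encrypt: 9, #pkts digest 9")
              .replace("#pkts decaps: 4, #pkts decrypt: 4, #pkts verify 4",
                       "#pkts decaps: 9, #pkts decrypt: 9, #pkts verify 9"))

# Transform tokens a practitioner would replace with AES / SHA-2 equivalents.
LEGACY_TRANSFORMS = {"esp-des", "esp-3des", "esp-md5-hmac"}


@dataclass
class SaSnapshot:
    local_ident: str = ""
    remote_ident: str = ""
    encaps: int = 0
    decaps: int = 0
    send_errors: int = 0
    recv_errors: int = 0
    inbound_spis: list[int] = field(default_factory=list)
    outbound_spis: list[int] = field(default_factory=list)
    transforms: set[str] = field(default_factory=set)


def parse_ipsec_sa(text: str) -> SaSnapshot:
    """Pull the fields the verification step looks at out of the CLI output."""
    snap = SaSnapshot()
    direction = None  # "in" or "out", set by the "Inbound/Outbound esp sas:" headers
    for raw in text.splitlines():
        line = raw.split("//", 1)[0].strip()  # tolerate the cookbook's inline comments
        if m := re.match(r"local\s+ident.*?:\s*\((.*?)\)", line):
            snap.local_ident = m.group(1)
        elif m := re.match(r"remote\s+ident.*?:\s*\((.*?)\)", line):
            snap.remote_ident = m.group(1)
        elif m := re.match(r"#pkts encaps:\s*(\d+)", line):
            snap.encaps = int(m.group(1))
        elif m := re.match(r"#pkts decaps:\s*(\d+)", line):
            snap.decaps = int(m.group(1))
        elif m := re.match(r"#send errors\s*(\d+),\s*#recv errors\s*(\d+)", line):
            snap.send_errors, snap.recv_errors = int(m.group(1)), int(m.group(2))
        elif line.startswith("Inbound esp sas"):
            direction = "in"
        elif line.startswith("Outbound esp sas"):
            direction = "out"
        elif (m := re.match(r"spi:\s*(0x[0-9a-fA-F]+)(?:\s*\((\d+)\))?", line)) and direction:
            spi = int(m.group(1), 16)
            if m.group(2) and int(m.group(2)) != spi:  # hex and decimal must agree
                raise ValueError(f"inconsistent SPI line: {line}")
            (snap.inbound_spis if direction == "in" else snap.outbound_spis).append(spi)
        elif m := re.match(r"transform:\s*(.+)", line):
            snap.transforms.add(m.group(1).strip())
    return snap


def check_tunnel(before: SaSnapshot, after: SaSnapshot) -> list[str]:
    """Return findings between two snapshots; an empty list means the tunnel is healthy."""
    findings = []
    if not before.inbound_spis or not before.outbound_spis:
        findings.append("IPsec SA incomplete: both an inbound and an outbound SPI are required")
    if after.encaps <= before.encaps:
        findings.append("no new packets encapsulated between snapshots")
    if after.decaps <= before.decaps:
        findings.append("no new packets decapsulated between snapshots")
    if after.send_errors > before.send_errors or after.recv_errors > before.recv_errors:
        findings.append("send/recv error counters increased")
    for transform in sorted(after.transforms):
        legacy = [tok for tok in transform.split() if tok in LEGACY_TRANSFORMS]
        if legacy:
            findings.append(f"transform set '{transform}' uses legacy algorithms: {', '.join(legacy)}")
    return findings


if __name__ == "__main__":
    for finding in check_tunnel(parse_ipsec_sa(SNAPSHOT_1), parse_ipsec_sa(SNAPSHOT_2)):
        print("finding:", finding)
```

Feed it two real captures, taken while the branch keeps pinging the headquarters, and an empty result apart from the transform finding corresponds to what the annotated output above calls a successful negotiation.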

 

VI. Appendix

1.      How to check whether RSR50 and RSR50E have been configured with AIM-VPN encryption cards?

RSR50 and RSR50E have no embedded VPN encryption cards. IPSec is processed in software, and therefore its performance is poor. For packets of 500 pps at 60 bytes, 50 packets are lost and the packet loss rate is 10%. For packet rates larger than 2 Kpps, the packet loss rate is 100%.

If IPSec is used when there is no AIM-VPN encryption card, IPSec-related function failures may occur. For example, the CPU utilization is constantly at 100% even though the encrypted data traffic is light, or pings with large packet sizes fail.

An AIM-VPN card is a pluggable card with a size similar to that of a memory module. It is inserted inside the management board.

You can use the following method to check whether the management board is configured with an AIM-VPN card:

RSR50#debug su

RSR50(support)#pci show

RSR50(support)#

*Jan 29 13:41:23: %7: =================BEGIN====================

*Jan 29 13:41:23: %7: PCI Bus 0 slot 1/0: PCI device 0x166D:0x0002

*Jan 29 13:41:23: %7: PCI Bus 0 slot 6/0: PCI device 0x104C:0xAC28

*Jan 29 13:41:23: %7: PCI Bus 1 slot 2/0: PCI device 0x14D9:0x0020

*Jan 29 13:41:23: %7: PCI Bus 1 slot 2/1: PCI device 0x1142:0x9001

*Jan 29 13:41:23: %7: PCI Bus 1 slot 3/0: PCI device 0x14D9:0x9000

*Jan 29 13:41:23: %7: PCI Bus 1 slot 3/1: PCI device 0x1142:0x9001

*Jan 29 13:41:23: %7: PCI Bus 1 slot 4/0: PCI device 0x14D9:0x9000

*Jan 29 13:41:23: %7: PCI Bus 1 slot 4/1: PCI device 0x1142:0x9001

*Jan 29 13:41:23: %7: PCI Bus 1 slot 5/0: PCI device 0x14D9:0x9000

*Jan 29 13:41:23: %7: PCI Bus 1 slot 5/1: PCI device 0x1142:0x9001

*Jan 29 13:41:23: %7: PCI Bus 14 slot 1/0: PCI device 0x1131:0x1561

*Jan 29 13:41:23: %7: PCI Bus 14 slot 1/1: PCI device 0x1131:0x1562

*Jan 29 13:41:23: %7: =================_^_====================

As long as 0x0020 is displayed, the management board has the AIM-VPN card.

*Jan 29 13:41:23: %7: PCI Bus 1 slot 2/0: PCI device 0x14D9:0x0020

Notes:

If the logging function is disabled (), the output of the pci show command is empty. If you log in to the device through the VTY line, the corresponding data is output only when terminal monitor is enabled.

 

1.4.3.5    IPSEC Dynamic Tunnel with Domain Name Authentication

 

Features

A dynamic IPSec tunnel is generally used in a topology with multiple branches. The dynamic tunnel is configured at the central point to receive IPSec VPN dial-in information from the branches. The central point is easy to configure and maintain, and scales well.

Because the IP addresses of the branches are not static, they cannot be used to select different pre-shared keys. If the same pre-shared key is used in all branches, the key is easily leaked, and network security is then under threat. This problem can be solved through domain name authentication: a different domain name is allocated to each branch, and a different key is specified for each domain name. In this way, key security is guaranteed.

I. Networking Requirements

Due to business development, a company sets up multiple branches all over the country. The egress router in the headquarters is connected to the Internet through a dedicated line of a telecom operator, while the branches are connected to the Internet through a dedicated line or ADSL. The branches need to access the business server in the headquarters, and communication data between the branches and the headquarters needs to be encrypted to ensure business security.

A dynamic IPSec VPN can be deployed on the egress router in the headquarters to receive dial-in information from the branches, so as to enable mutual business access between the headquarters and the branches, and encrypt the relevant data. When the branches use the IPSec VPN to access the Internet in dial-up mode, the key of each branch is authenticated separately.

II. Network Topology

III. Configuration Tips

1.      Configure routers in the headquarters and its branches, so that the routers can access the Internet.

2.      Configure a dynamic IPSec VPN tunnel on the egress router in the headquarters.

(1)    Configure the ISAKMP policy.

(2)    Configure the pre-shared key.

(3)    Configure the ISAKMP mode as automatic identification.

(4)    Configure the IPSec transform set.

(5)    Configure the dynamic IPSec crypto map.

(6)    Map the dynamic IPSec crypto map to the static IPSec crypto map.

(7)    Apply the crypto map to an interface.

3.      Configure the route on the router of the headquarters, and direct the traffic to the branches to the egress.

4.      Configure the static IPSec VPN tunnel on the routers of the branches.

(1)    Configure the self-identity.

(2)    Configure the interesting traffic of IPSec.

(3)    Configure the ISAKMP policy.

(4)    Configure the pre-shared key.

(5)    Configure the IPSec transform set.

(6)    Configure the crypto map.

(7)    Apply the crypto map to an interface.

5.      Configure the routes on the routers of the branches, and direct the traffic to the headquarters to the egress.

Notes:

l  The IP network segments of LAN 1 and LAN 2 to be mutually accessed must not overlap.

l  Since RSR50 and RSR50E involve the IPSec function, they must be configured with AIM-VPN encryption cards (for details about how to check whether RSR50 and RSR50E have been configured with AIM-VPN encryption cards, see the appendix at the end of this section).

IV. Configuration Steps

1.      Configure routers in the headquarters and its branches, so that the routers can access the Internet.

        It must be ensured that a ping from the branches to the headquarters' public IP address is successful.

2.      Configure a dynamic IPSec VPN tunnel on the egress router of the headquarters.

(1)    Configure the ISAKMP policy.

crypto isakmp policy 1     //Creates a new ISAKMP policy.

encryption 3des        //Specifies 3DES for encryption.

authentication pre-share            //Specifies "pre-shared key" as the authentication method. Configure "authentication rsa-sig" in case of digital certificates, and "authentication digital-email" in case of digital envelopes.

(2)    Configure the pre-shared key.

crypto isakmp key 0 password3 hostname site3.ruijie.com.cn

crypto isakmp key 0 password2 hostname site2.ruijie.com.cn

crypto isakmp key 0 password1 hostname site1.ruijie.com.cn     //Configures the pre-shared key of each branch separately, and uses hostname to specify the name of each branch.

(3)    Configure the ISAKMP mode as automatic identification.

crypto isakmp mode-detect       //Configures the ISAKMP mode as automatic identification, so that negotiations can be received from the branches in IKE aggressive mode.

(4)    Configure the IPSec transform set.

crypto ipsec transform-set myset esp-des esp-md5-hmac      //Specifies ESP for encapsulation, DES for encryption and MD5 for verification.

(5)    Configure the dynamic IPSec crypto map.

crypto dynamic-map dymymap 5             //Creates a dynamic IPSec crypto map named "dymymap".

set transform-set myset                     //Specifies the transform set "myset".

(6)    Map the dynamic crypto map to the static crypto map.

crypto map mymap 10 ipsec-isakmp dynamic dymymap   //Maps the dynamic crypto map "dymymap" to the static crypto map "mymap".

(7)    Apply the crypto map to an interface.

interface GigabitEthernet 0/0

   crypto map mymap

3.      Configure the route on the router of the headquarters, and direct the traffic to the branches to the egress.

ip route 192.168.1.0 255.255.255.0 10.0.0.2

ip route 192.168.2.0 255.255.255.0 10.0.0.2

ip route 192.168.3.0 255.255.255.0 10.0.0.2

......

4.      Configure the static IPSec VPN tunnel on the routers of the branches (taking branch 1 as an example).

(1)    Configure the self-identity.

self-identity fqdn site1.ruijie.com.cn  //Configures the self-identity "site1.ruijie.com.cn". It must match the hostname configured for this branch on the headquarters router.

(2)    Configure the interesting traffic of IPSec.

access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255  //Specifies the traffic with source network 192.168.1.0/24 and destination network 192.168.0.0/24 as interesting traffic.

(3)    Configure the ISAKMP policy.

crypto isakmp keepalive 5 periodic //Enables IPSec DPD (dead peer detection).

crypto isakmp policy 1            //Creates a new ISAKMP policy.

authentication pre-share         //Specifies "pre-shared key" as the authentication method. Configure "authentication rsa-sig" in case of digital certificates, and "authentication digital-email" in case of digital envelopes.

encryption 3des                 //Specifies 3DES for encryption.

(4)    Configure the pre-shared key.

crypto isakmp key 0 password1 address 10.0.0.2  //Specifies "password1" as the pre-shared key for the peer 10.0.0.2. The key must be the same as the one specified for this branch on the headquarters router. The key does not need to be configured in case of digital certificates/envelopes.

(5)    Configure the IPSec transform set.

crypto ipsec transform-set myset esp-des esp-md5-hmac //Specifies ESP for encapsulation, DES for encryption and MD5 for verification.

(6)    Configure the crypto map.

crypto map mymap 5 ipsec-isakmp //Creates a crypto map named "mymap".

set peer 10.0.0.2                 //Specifies the peer address.

set transform-set myset           //Specifies the transform set "myset".

set exchange-mode aggressive   //Specifies aggressive mode for initiating IKE negotiations.

match address 101               //Specifies ACL 101 as the interesting traffic.

(7)    Apply the crypto map to an interface.

interface dialer 0

    crypto map mymap

5.      Configure the routes on the routers of the branches, and direct the traffic to the headquarters to the egress.

ip route 192.168.0.0 255.255.255.0 dialer 0
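This section rests on one rule: every branch gets its own hostname-keyed pre-shared key, so a key taken from one branch router does not authenticate any other branch. The following Python script is an added example and not Ruijie code: it audits the headquarters' crypto isakmp key lines for a key reused across peers, for the all-peers wildcard address 0.0.0.0 0.0.0.0 of section 1.4.3.4 (one key shared by every branch), and for short keys, and it generates fresh per-site keys together with the matching headquarters and branch lines. The three site names and the headquarters address 10.0.0.2 are taken from the steps above; the constructed configuration excerpt, the 16-character minimum and the function names are assumptions.

```python
import re
import secrets
from collections import Counter

# Constructed configuration excerpt in the form of the headquarters steps above
# (the keys as printed there, plus the all-peers wildcard key of section 1.4.3.4).
HQ_CONFIG = """\
crypto isakmp key 0 password3 hostname site3.ruijie.com.cn
crypto isakmp key 0 password2 hostname site2.ruijie.com.cn
crypto isakmp key 0 password1 hostname site1.ruijie.com.cn
crypto isakmp key 0 ruijie address 0.0.0.0 0.0.0.0
"""
MIN_KEY_LEN = 16  # assumed local policy, not a Ruijie default

KEY_LINE = re.compile(
    r"^\s*crypto isakmp key\s+\d+\s+(?P<key>\S+)\s+"
    r"(?P<kind>hostname|address)\s+(?P<peer>.+?)\s*$"
)


def parse_isakmp_keys(config: str) -> list[tuple[str, str, str]]:
    """Return (kind, peer, key) triples for every crypto isakmp key line."""
    entries = []
    for line in config.splitlines():
        if m := KEY_LINE.match(line.split("//", 1)[0]):  # ignore inline comments
            entries.append((m["kind"], m["peer"], m["key"]))
    return entries


def audit_isakmp_keys(entries: list[tuple[str, str, str]]) -> list[str]:
    """Flag keys shared by several peers, the all-peers wildcard, and short keys."""
    findings = []
    uses = Counter(key for _, _, key in entries)
    for kind, peer, key in entries:
        if kind == "address" and peer.split() == ["0.0.0.0", "0.0.0.0"]:
            findings.append(f"{peer}: one key shared by every peer")
        if uses[key] > 1:
            findings.append(f"{peer}: key is also used for another peer")
        if len(key) < MIN_KEY_LEN:
            findings.append(f"{peer}: key shorter than {MIN_KEY_LEN} characters")
    return findings


def new_site_keys(fqdns: list[str]) -> dict[str, str]:
    """One independent random key per branch; hex keeps it safe to type in the CLI."""
    return {fqdn: secrets.token_hex(16) for fqdn in fqdns}


def hq_lines(site_keys: dict[str, str]) -> list[str]:
    """Headquarters side: one hostname-keyed entry per branch, as in step 2 (2)."""
    return [f"crypto isakmp key 0 {key} hostname {fqdn}" for fqdn, key in site_keys.items()]


def branch_lines(fqdn: str, key: str, hq_address: str) -> list[str]:
    """Branch side: self-identity plus the key for the headquarters address (steps 4 (1) and (4))."""
    return [f"self-identity fqdn {fqdn}",
            f"crypto isakmp key 0 {key} address {hq_address}"]


if __name__ == "__main__":
    for finding in audit_isakmp_keys(parse_isakmp_keys(HQ_CONFIG)):
        print("finding:", finding)
    keys = new_site_keys(["site1.ruijie.com.cn", "site2.ruijie.com.cn", "site3.ruijie.com.cn"])
    print("\n".join(hq_lines(keys)))
    for fqdn, key in keys.items():
        print(f"! {fqdn}")
        print("\n".join(branch_lines(fqdn, key, "10.0.0.2")))
```

The audit is meant to run against the headquarters configuration after each branch is added, so that a key copied from one branch to the next is caught before the second branch goes live.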

 

V. Verification

1.      Ping 192.168.0.1 from the router of branch 1 with source IP address 192.168.1.1. The communication is normal.

R1#ping 192.168.0.1 source 192.168.1.1

Sending 5,100-byte ICMP Echoes to 192.168.1.1, timeout is 2 seconds:

< press Ctrl+C to break >

.!!!!

2.      On the router of branch 1, check whether the ISAKMP and IPSec SA negotiations are successful.

Ruijie#show crypto isakmp sa                                   //Shows the result of the ISAKMP SA negotiation.

 destination      source            state                    conn-id           lifetime(second)

10.0.0.2          10.0.0.1          IKE_IDLE                0                 84129                //The ISAKMP negotiation is successful and the state is IKE_IDLE.

Ruijie#show crypto ipsec sa                                             //Shows the result of the IPSec SA negotiation.

Interface: GigabitEthernet 0/0

Crypto map tag: mymap    //Indicates the name of the crypto map applied to the interface.

local ipv4 addr 10.0.0.1                  //Indicates the IP address used during ISAKMP/IPSec negotiation.

        media mtu 1500

        ==================================

        sub_map type:static, seqno:5, id=0

         local  ident (addr/mask/prot/port): (192.168.0.0/0.0.0.255/0/0))   //Indicates the source IP address of the interesting traffic.

remote  ident (addr/mask/prot/port): (192.168.1.0/0.0.0.255/0/0))  //Indicates the destination IP address of the interesting traffic.

        PERMIT

#pkts encaps: 4, #pkts encrypt: 4, #pkts digest 4  //Indicates the number of packets successfully encapsulated, encrypted and digested.

#pkts decaps: 4, #pkts decrypt: 4, #pkts verify 4  //Indicates the number of packets successfully decapsulated, decrypted and verified. When data is encrypted through IPSec for communication, these counters keep increasing as you repeatedly run the command show crypto ipsec sa.

#send errors 0, #recv errors 0  //Indicates the number of packets that were incorrectly sent and received. Normally, these counts do not increase.

 Inbound esp sas:

spi:0x2ecca8e (49072782)                //Indicates the inbound SPI of the IPSec SA.

              transform: esp-des esp-md5-hmac    //Indicates that the IPSec transform set is esp-des esp-md5-hmac.

in use settings={Tunnel Encaps,}         //Indicates that tunnel mode is used.

               crypto map mymap 5

              sa timing: remaining key lifetime (k/sec): (4606998/1324)  //Indicates that the remaining lifetime of the SA is 4,606,998 kilobytes/1,324 seconds.

              IV size: 8 bytes   //Indicates that the length of the IV is 8 bytes.

Replay detection support: Y   //Indicates anti-replay processing.

 Outbound esp sas:

spi:0x5730dd4b (1462820171)  //Indicates the outbound SPI of the IPSec SA. The IPSec SA negotiation is successful only when both the inbound and the outbound SPI are displayed.

              transform: esp-des esp-md5-hmac

              in use settings={Tunnel Encaps,}

              crypto map mymap 5

              sa timing: remaining key lifetime (k/sec): (4606998/1324)

              IV size: 8 bytes

              Replay detection support: Y

 

VI. Appendix

1.      How to check whether RSR50 and RSR50E have been configured with AIM-VPN encryption cards?

RSR50 and RSR50E have no embedded VPN encryption cards. IPSec is processed in software, and therefore its performance is poor. For packets of 500 pps at 60 bytes, 50 packets are lost and the packet loss rate is 10%. For packet rates larger than 2 Kpps, the packet loss rate is 100%.

If IPSec is used when there is no AIM-VPN encryption card, IPSec-related function failures may occur. For example, the CPU utilization is constantly at 100% even though the encrypted data traffic is light, or pings with large packet sizes fail.

An AIM-VPN card is a pluggable card with a size similar to that of a memory module. It is inserted inside the management board.

You can use the following method to check whether the management board is configured with an AIM-VPN card:

RSR50#debug su

RSR50(support)#pci show

RSR50(support)#

*Jan 29 13:41:23: %7: =================BEGIN====================

*Jan 29 13:41:23: %7: PCI Bus 0 slot 1/0: PCI device 0x166D:0x0002

*Jan 29 13:41:23: %7: PCI Bus 0 slot 6/0: PCI device 0x104C:0xAC28

*Jan 29 13:41:23: %7: PCI Bus 1 slot 2/0: PCI device 0x14D9:0x0020

*Jan 29 13:41:23: %7: PCI Bus 1 slot 2/1: PCI device 0x1142:0x9001

*Jan 29 13:41:23: %7: PCI Bus 1 slot 3/0: PCI device 0x14D9:0x9000

*Jan 29 13:41:23: %7: PCI Bus 1 slot 3/1: PCI device 0x1142:0x9001

*Jan 29 13:41:23: %7: PCI Bus 1 slot 4/0: PCI device 0x14D9:0x9000

*Jan 29 13:41:23: %7: PCI Bus 1 slot 4/1: PCI device 0x1142:0x9001

*Jan 29 13:41:23: %7: PCI Bus 1 slot 5/0: PCI device 0x14D9:0x9000

*Jan 29 13:41:23: %7: PCI Bus 1 slot 5/1: PCI device 0x1142:0x9001

*Jan 29 13:41:23: %7: PCI Bus 14 slot 1/0: PCI device 0x1131:0x1561

*Jan 29 13:41:23: %7: PCI Bus 14 slot 1/1: PCI device 0x1131:0x1562

*Jan 29 13:41:23: %7: =================_^_====================

As long as 0x0020 is displayed, the management board has the AIM-VPN card.

*Jan 29 13:41:23: %7: PCI Bus 1 slot 2/0: PCI device 0x14D9:0x0020

Notes:

If the logging function is disabled (), the output of the pci show command is empty. If you log in to the device through the VTY line, the corresponding information is output only when terminal monitor is enabled.

 

1.4.3.6    IPSEC Dynamic Tunnel Based on DigitalCertificate

 

Features

A dynamic IPSec tunnel is generally used in a topology with multiple branches. The dynamic tunnel is configured at the central point to receive IPSec VPN dial-in information from the branches. The central point is easy to configure and maintain, and scales well.

When a pre-shared key is used for authentication, the key is easily leaked. If digital certificates are used for authentication, the security of identity authentication can be effectively guaranteed.

 

Scenario

The headquarters of a company and its branches need to share data through their intranets and want that data not to be easily intercepted or cracked by hackers during transmission. The branches are connected to the Internet through ADSL in dial-up mode (that is, the IP addresses used to access the Internet are not permanent). The headquarters and the branches use digital certificates to verify each other's validity. For this purpose, you can deploy a dynamic IPSec VPN based on digital certificates on the network devices in the headquarters, and a static IPSec VPN based on digital certificates on the network devices in the branches.

 

I. Networking Requirements

Due to business development, a company sets up multiple branches all over the country. The egress router in the headquarters is connected to the Internet through a dedicated line of a telecom operator, while the branches are connected to the Internet through a dedicated line or ADSL. The branches need to access the business server in the headquarters, and communication data between the branches and the headquarters needs to be encrypted to ensure business security.

A dynamic IPSec VPN can be deployed on the egress router in the headquarters to receive dial-in information from the branches, so as to enable mutual business access between the headquarters and the branches, and encrypt the relevant data. The branches and the headquarters use digital certificates to verify each other's identity.

II. Network Topology

III. Configuration

1.      Configure routers in the headquarters and branches, so that the routers can access the Internet.

2.      Import the digital certificate on the egress router of the headquarters and on the routers of the branches.

3.      Configure a dynamic IPSec VPN tunnel on the egress router of the headquarters.

4.      Configure the route on the router of the headquarters, and direct the traffic to the branches to the egress.

5.      Configure a static IPSec VPN tunnel on the routers of the branches.

6.      Configure the routes on the routers of the branches, and direct the traffic to the headquarters to the egress.

Notes:

l  The IP network segments of LAN 1 and LAN 2 to be mutually accessed must not overlap.

l  Since RSR50 and RSR50E involve the IPSec function, they must be configured with AIM-VPN encryption cards (for details about how to check whether RSR50 and RSR50E have been configured with AIM-VPN encryption cards, see the appendix at the end of this section).

IV. Configuration Steps

1.      Configure routers in the headquarters and its branches, so that the routers can access the Internet.

        It must be ensured that a ping from the branches to the headquarters' public IP address is successful.

2.      Import the digital certificate on the egress router of the headquarters and on the routers of the branches.

Based on the on-site environment and customer demands, select an appropriate method to import the digital certificate. For the detailed import procedure, refer to the section CA Digital Certificate Configuration (Typical Configuration--->Security--->CA Digital Certificate Configuration).

3.      Configure a dynamic IPSec VPN tunnel on the egress router of the headquarters.

(1)    Configure the ISAKMP policy.

crypto isakmp policy 1   //Creates a new ISAKMP policy.

encryption 3des        //Specifies 3DES for encryption.

authentication rsa-sig                //Specifies "digital certificate" as the authentication method. The default authentication method is digital certificate.

(2)    Configure the IPSec transform set.

crypto ipsec transform-set myset esp-des esp-md5-hmac   //Specifies ESP for encapsulation, DES for encryption and MD5 for verification.

(3)    Configure the dynamic IPSec crypto map.

crypto dynamic-map dymymap 5             //Creates a dynamic IPSec crypto map named "dymymap".

set transform-set myset                           //Specifies the transform set "myset".

(4)    Map the dynamic IPSec crypto map to the static IPSec crypto map.

crypto map mymap 10 ipsec-isakmp dynamic dymymap   //Maps the dynamic IPSec crypto map "dymymap" to the static IPSec crypto map "mymap".

(5)    Apply the crypto map to an interface.

interface GigabitEthernet 0/0

    crypto map mymap

(6)    Disable the certificate time and validity check.

crypto pki trustpoint center               //Enters the trustpoint corresponding to the certificate.

time-check none                              //Disables the certificate time check.

revocation-check none                     //Disables the check of whether the certificate has been revoked.

Notes: It is recommended to disable the certificate time check and revocation list check; otherwise, the IPSec negotiation may fail. With these two settings an expired or revoked peer certificate is still accepted, so negotiation reliability is gained at the expense of expiry and revocation enforcement.

4.      Configure the route on the router of the headquarters, and direct the traffic to the branches to the egress.

ip route 192.168.1.0 255.255.255.0 10.0.0.2

ip route 192.168.2.0 255.255.255.0 10.0.0.2

ip route 192.168.3.0 255.255.255.0 10.0.0.2

......

5.      Configure the static IPSec VPN tunnel on the routers of the branches (taking branch 1 as an example).

(1)    Configure the interesting traffic of IPSec.

access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255  //Specifies the traffic with source network 192.168.1.0/24 and destination network 192.168.0.0/24 as interesting traffic.

(2)    Configure the ISAKMP policy.

crypto isakmp keepalive 5 periodic  //Enables IPSec DPD (dead peer detection).

crypto isakmp policy 1            //Creates a new ISAKMP policy.

encryption 3des                      //Specifies 3DES for encryption.

authentication rsa-sig                //Specifies "digital certificate" as the authentication method. The default authentication method is digital certificate.

(3)    Configure the IPSec transform set.

crypto ipsec transform-set myset esp-des esp-md5-hmac //Specifies ESP for encapsulation, DES for encryption and MD5 for verification.

(4)    Configure the IPSec crypto map.

crypto map mymap 5 ipsec-isakmp //Creates a crypto map named "mymap".

set peer 10.0.0.2                              //Specifies the peer address.

set transform-set myset                  //Specifies the transform set "myset".

match address 101                         //Specifies ACL 101 as the interesting traffic.

(5)    Apply the crypto map to an interface.

interface dialer 0

    crypto map mymap

(6)    Disable the certificate time and validity check.

crypto pki trustpoint center               //Enters the trustpoint corresponding to the certificate.

time-check none                              //Disables the certificate time check.

revocation-check none                     //Disables the check of whether the certificate has been revoked.

Notes: It is recommended to disable the certificate time check and revocation list check; otherwise, the IPSec negotiation may fail.

6.      Configure the routes on the routers of the branches, and direct the traffic to the headquarters to the egress.

ip route 192.168.0.0 255.255.255.0 dialer 0

 

V. Verification

1.      Ping 192.168.0.1 from the router of branch 1 with source IP address 192.168.1.1. The communication is normal.

R1#ping 192.168.0.1 source 192.168.1.1

Sending 5, 100-byte ICMP Echoes to 192.168.0.1, timeout is 2 seconds:

< press Ctrl+C to break >

.!!!!

2.      On the router of branch 1, check whether the ISAKMP and IPSec SA negotiations are successful.

Ruijie#show crypto isakmp sa                                     //Shows the result of the ISAKMP SA negotiation.

 destination      source            state          conn-id           lifetime(second)

10.0.0.2          10.0.0.1          IKE_IDLE        0                 84129                //The ISAKMP negotiation is successful and the state is IKE_IDLE.

Ruijie#show crypto ipsec sa                                             //Shows the result of the IPSec SA negotiation.

Interface: GigabitEthernet 0/0

Crypto map tag: mymap    //Indicates the name of the crypto map applied to the interface.

local ipv4 addr 10.0.0.1                  //Indicates the IP address used during ISAKMP/IPSec negotiation.

        media mtu 1500

        ==================================

sub_map type:static, seqno:5, id=0

         local  ident (addr/mask/prot/port):(192.168.0.0/0.0.0.255/0/0))   //Indicates the source IP addresses of the interesting traffic.

remote  ident (addr/mask/prot/port):(192.168.1.0/0.0.0.255/0/0))  //Indicates the destination IP addresses of the interesting traffic.

        PERMIT

#pkts encaps: 4, #pkts encrypt: 4, #pkts digest 4  //Indicates the number of packets successfully encapsulated, encrypted and digested.

#pkts decaps: 4, #pkts decrypt: 4, #pkts verify 4     //Indicates the number of packets successfully decapsulated, decrypted and verified. While data is being encrypted through IPSec, these counters keep increasing each time you run show crypto ipsec sa again.

#send errors 0, #recv errors 0    //Indicates the number of packets that failed to be sent or received. Normally, these counts do not increase.

 Inbound esp sas:

spi: 0x2ecca8e (49072782)                   //Indicates the inbound SPI of the IPSec SA.

              transform: esp-des esp-md5-hmac    //Indicates that the IPSec transform set is esp-des esp-md5-hmac.

in use settings={Tunnel Encaps,}         //Indicates that tunnel mode is used.

              crypto map mymap 5

              sa timing: remaining key lifetime (k/sec): (4606998/1324)  //Indicates the remaining lifetime of the SA: 4,606,998 kilobytes / 1,324 seconds.

              IV size: 8 bytes   //Indicates that the IV length is 8 bytes.

Replay detection support: Y   //Indicates that anti-replay processing is enabled.

 Outbound esp sas:

spi: 0x5730dd4b (1462820171)   //Indicates the outbound SPI of the IPSec SA. The IPSec SA negotiation is successful only when both the inbound SPI and the outbound SPI are displayed.

              transform: esp-des esp-md5-hmac

              in use settings={Tunnel Encaps,}

              crypto map mymap 5

              sa timing: remaining key lifetime (k/sec): (4606998/1324)

              IV size: 8 bytes

              Replay detection support: Y

 

VI. Appendix

1.      How to check whether an RSR50 or RSR50E is equipped with an AIM-VPN encryption card?

The RSR50 and RSR50E have no embedded VPN encryption hardware. Without a card, IPSec is processed in software, so its performance is poor: for 500 pps of 60-byte packets, 50 packets are lost and the packet loss rate is 10%; above 2 Kpps, the packet loss rate is 100%.

If IPSec is used without an AIM-VPN encryption card, IPSec-related failures may occur. For example, the CPU utilization stays at 100% even though the encrypted traffic is light, or pings with large packet sizes fail.

An AIM-VPN card is a pluggable card about the size of a memory module. It is installed inside the management board.

You can use the following method to check whether the management board is equipped with an AIM-VPN card:

RSR50#debug su

RSR50(support)#pci show

RSR50(support)#

*Jan 29 13:41:23: %7: =================BEGIN====================

*Jan 29 13:41:23: %7: PCI Bus 0 slot 1/0: PCI device 0x166D:0x0002

*Jan 29 13:41:23: %7: PCI Bus 0 slot 6/0: PCI device 0x104C:0xAC28

*Jan 29 13:41:23: %7: PCI Bus 1 slot 2/0: PCI device 0x14D9:0x0020

*Jan 29 13:41:23: %7: PCI Bus 1 slot 2/1: PCI device 0x1142:0x9001

*Jan 29 13:41:23: %7: PCI Bus 1 slot 3/0: PCI device 0x14D9:0x9000

*Jan 29 13:41:23: %7: PCI Bus 1 slot 3/1: PCI device 0x1142:0x9001

*Jan 29 13:41:23: %7: PCI Bus 1 slot 4/0: PCI device 0x14D9:0x9000

*Jan 29 13:41:23: %7: PCI Bus 1 slot 4/1: PCI device 0x1142:0x9001

*Jan 29 13:41:23: %7: PCI Bus 1 slot 5/0: PCI device 0x14D9:0x9000

*Jan 29 13:41:23: %7: PCI Bus 1 slot 5/1: PCI device 0x1142:0x9001

*Jan 29 13:41:23: %7: PCI Bus 14 slot 1/0: PCI device 0x1131:0x1561

*Jan 29 13:41:23: %7: PCI Bus 14 slot 1/1: PCI device 0x1131:0x1562

*Jan 29 13:41:23: %7: =================_^_====================

As long as 0x0020 is displayed, the management board has the AIM-VPN card:

*Jan 29 13:41:23: %7: PCI Bus 1 slot 2/0: PCI device 0x14D9:0x0020

Notes:

If the logging function is disabled (), the output of the pci show command is empty. If you log in to the device through a VTY line, the information is output only when terminal monitor is enabled.
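The check above is easy to get wrong by eye when the output is long, and an empty output means "logging is off", not "no card". The following Python script is an added example, not part of the cookbook or Ruijie's software: it parses log lines in the shape of the pci show output, reports every PCI entry, and flags the 0x14D9:0x0020 vendor:device pair the cookbook associates with the AIM-VPN card. The two sample outputs are constructed for the example (the first contains the card entry, the second does not).

```python
import re

# Constructed log lines in the shape of the "pci show" output above; not a
# capture from a real RSR50. The first sample contains the 0x14D9:0x0020 entry
# that the cookbook says identifies the AIM-VPN card, the second does not.
PCI_SHOW_WITH_CARD = """\
*Jan 29 13:41:23: %7: =================BEGIN====================
*Jan 29 13:41:23: %7: PCI Bus 0 slot 1/0: PCI device 0x166D:0x0002
*Jan 29 13:41:23: %7: PCI Bus 0 slot 6/0: PCI device 0x104C:0xAC28
*Jan 29 13:41:23: %7: PCI Bus 1 slot 2/0: PCI device 0x14D9:0x0020
*Jan 29 13:41:23: %7: PCI Bus 1 slot 2/1: PCI device 0x1142:0x9001
*Jan 29 13:41:23: %7: =================_^_====================
"""

PCI_SHOW_WITHOUT_CARD = """\
*Jan 29 13:41:23: %7: =================BEGIN====================
*Jan 29 13:41:23: %7: PCI Bus 0 slot 1/0: PCI device 0x166D:0x0002
*Jan 29 13:41:23: %7: PCI Bus 1 slot 2/0: PCI device 0x14D9:0x9000
*Jan 29 13:41:23: %7: PCI Bus 1 slot 2/1: PCI device 0x1142:0x9001
*Jan 29 13:41:23: %7: =================_^_====================
"""

# vendor:device pair that the cookbook says identifies the AIM-VPN card
AIM_VPN_ID = ("0x14d9", "0x0020")

PCI_LINE = re.compile(
    r"PCI Bus (?P<bus>\d+) slot (?P<slot>\d+)/(?P<func>\d+): "
    r"PCI device (?P<vendor>0x[0-9A-Fa-f]{4}):(?P<device>0x[0-9A-Fa-f]{4})"
)


def parse_pci_show(text):
    """Return one dict per 'PCI device' line; banner lines are ignored."""
    devices = []
    for line in text.splitlines():
        m = PCI_LINE.search(line)
        if m:
            d = m.groupdict()
            devices.append({
                "bus": int(d["bus"]),
                "slot": int(d["slot"]),
                "func": int(d["func"]),
                "vendor": d["vendor"].lower(),
                "device": d["device"].lower(),
            })
    return devices


def find_aim_vpn(text):
    """All PCI entries whose vendor:device pair matches the AIM-VPN card."""
    return [d for d in parse_pci_show(text)
            if (d["vendor"], d["device"]) == AIM_VPN_ID]


def has_aim_vpn(text):
    """True if the card is present. Empty output is treated as an error rather
    than as 'no card', because the cookbook notes that 'pci show' prints nothing
    when logging (or terminal monitor on a VTY line) is disabled."""
    if not parse_pci_show(text):
        raise ValueError("no PCI entries found: is logging / terminal monitor enabled?")
    return bool(find_aim_vpn(text))


if __name__ == "__main__":
    for name, text in (("with card", PCI_SHOW_WITH_CARD), ("without card", PCI_SHOW_WITHOUT_CARD)):
        hits = find_aim_vpn(text)
        where = ", ".join(f"bus {d['bus']} slot {d['slot']}/{d['func']}" for d in hits) or "none"
        print(f"{name}: AIM-VPN present={has_aim_vpn(text)} at {where}")
```

Paste the real pci show output into the script in place of the constructed samples; an exception on empty input is deliberate, so that a disabled logging function is not silently reported as a missing card.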

 

1.4.3.7    Extended Configuration

1.4.3.8    IPSEC DPD Configuration

 

Features

Dead Peer Detection (DPD) is a mechanism in the IPSec protocol that detects whether a peer is still alive. It avoids two problems that arise when communication between two peers is interrupted: data that needs to be encrypted is no longer delivered, and one peer keeps sending IPSec-encapsulated data to the other even though the IPSec SA on the other side has already been removed.

When a peer detects through DPD that the other peer is dead, it clears the corresponding ISAKMP and IPSec SAs. If new traffic matching the match address arrives (or Auto Up is enabled), the ISAKMP and IPSec SA negotiations are initiated again.

DPD does not need to be configured on both IPSec peers. Generally, it only needs to be configured on the peer that initiates data transmission. For example, in a headquarters-branch topology, if all business traffic is first initiated by a branch toward the headquarters and the headquarters never needs to access the branch, DPD only needs to be configured in the branch.

I. Networking Requirements:

DPD is configured in a branch to detect the liveness of the IPSec peer between the branch and the headquarters. This avoids an interruption of data communication caused by decryption failures at the headquarters: after the IPSec SA for the branch is abnormally deleted on the headquarters router, the branch would otherwise keep sending encrypted data that the headquarters can no longer decrypt.

II. Network Topology:

 

 

III. Configuration Tips

1.      Configure basic IPSec functions.

2.      Configure DPD on branch 1.

IV. Configuration Steps

1.      Configure basic IPSec functions.

Based on the field environment and customer demands, select an appropriate IPSec deployment scheme. For detailed configurations, refer to the section Basic Configuration (Typical Configuration--->Security--->IPSec--->Basic Configuration).

2.      Configure DPD on branch 1.

crypto isakmp keepalive 10 on-demand         //Configures the DPD detection period as 10 seconds and the detection mode as on-demand.

Notes: DPD has two detection modes: periodic detection and on-demand detection. The on-demand detection mode is generally used.

Periodic detection: When the configured time expires, the system actively and periodically sends DPD detection messages. The maximum number of retransmissions is 5 by default.

On-demand detection: A DPD detection message is sent only when the idle time of the tunnel exceeds the configured time and a packet is sent.
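The difference between the two modes is easiest to see on a timeline. The following Python model is an added example written for this section, not Ruijie's implementation: it simulates, second by second, when DPD requests go out in periodic and in on-demand mode according to the two descriptions above, retransmits unanswered requests up to the default 5 times, and reports when the peer is declared dead (the point at which the router would clear its ISAKMP and IPSec SAs). The retransmission spacing (retry_interval) and the time points in the scenarios are assumptions of the model, not documented values.

```python
from dataclasses import dataclass


@dataclass
class DpdResult:
    probes: list             # seconds at which a DPD request was sent
    declared_dead_at: int    # second at which the peer was declared dead, or None


def simulate_dpd(mode, interval, duration, data_sent=frozenset(), data_received=frozenset(),
                 peer_dead_at=None, max_retries=5, retry_interval=2):
    """Second-by-second model of the two DPD modes described in the cookbook.

    periodic : a request is sent every `interval` seconds of silence from the peer.
    on-demand: a request is sent only when the local side sends a data packet
               after the tunnel has been idle for more than `interval` seconds.
    An unanswered request is retransmitted up to `max_retries` times; when the
    last retransmission also goes unanswered the peer is declared dead.
    `peer_dead_at` is the second from which the peer stops answering (None = always
    alive). `retry_interval` is an assumption of this model, not a documented value.
    """
    def peer_alive(t):
        return peer_dead_at is None or t < peer_dead_at

    probes = []
    last_heard = 0        # last second at which anything arrived from the peer
    retries = 0
    next_retry = None     # pending retransmission time; None = no request outstanding

    for t in range(1, duration + 1):
        if t in data_received and peer_alive(t):
            last_heard, retries, next_retry = t, 0, None   # inbound data proves liveness
        idle = t - last_heard
        if next_retry is not None:
            send = t >= next_retry                         # retransmission is due
        elif mode == "periodic":
            send = idle >= interval and idle % interval == 0
        elif mode == "on-demand":
            send = t in data_sent and idle > interval
        else:
            raise ValueError(f"unknown DPD mode {mode!r}")
        if not send:
            continue
        probes.append(t)
        if peer_alive(t):
            last_heard, retries, next_retry = t, 0, None   # reply received
        else:
            retries += 1
            if retries > max_retries:
                return DpdResult(probes, t)                # SAs would be cleared here
            next_retry = t + retry_interval
    return DpdResult(probes, None)


if __name__ == "__main__":
    # Constructed scenario: the peer stops answering at second 25.
    print("periodic :", simulate_dpd("periodic", 10, 60, peer_dead_at=25))
    print("on-demand:", simulate_dpd("on-demand", 10, 60, data_sent={5, 12, 40, 45},
                                     data_received={8}, peer_dead_at=25))
```

In the periodic run the router notices the dead peer on its own at the next interval; in the on-demand run nothing is sent while the tunnel is busy or idle, and detection only starts when the branch next tries to send data, which is exactly the trade-off the note above describes.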

V. Verification

1.      Send traffic from the branch that matches the match address toward the headquarters, so as to create an ISAKMP SA and an IPSec SA between the branch and the headquarters.

2.      Disconnect the cable of the egress port of the headquarters router. After detecting that the peer is unreachable, the branch clears the ISAKMP and IPSec SAs and initiates a negotiation again.

site1#show crypto isakmp sa

destination      source            state                    conn-id           lifetime(second)  //Indicates that there is no successful ISAKMP SA negotiation.

site1#show crypto ipsec sa

Interface: FastEthernet 0/0

        Crypto map tag: mymap

local ipv4 addr 10.0.0.2

        media mtu 1500

        ==================================

        sub_map type:static, seqno:10, id=0

        local  ident (addr/mask/prot/port): (192.168.1.0/0.0.0.255/0/0))

        remote  ident (addr/mask/prot/port): (192.168.0.0/0.0.0.255/0/0))

        PERMIT

        #pkts encaps: 8, #pkts encrypt: 8, #pkts digest 0

        #pkts decaps: 8, #pkts decrypt: 8, #pkts verify 0

        #send errors 2, #recv errors 0

 

No sa is created now.     //Indicates that there is no successful IPSec SA negotiation.
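The two show commands above carry the whole verification: a row in IKE_IDLE state for phase 1, both an inbound and an outbound SPI for phase 2, error counters that stay at zero, and encaps/decaps counters that grow while traffic flows. The following Python script is an added example, not part of the cookbook, that applies those checks to output in the shape of the listings in this section (the success case shown under Basic Configuration and again under autoup, and the "No sa is created now." case shown here). The sample texts are constructed and abridged; the weak-transform check reflects the current status of DES and MD5 and is not something the cookbook states.

```python
import re
from dataclasses import dataclass, field

# Constructed samples in the shape of the "show crypto isakmp sa" / "show crypto
# ipsec sa" listings in this cookbook (abridged, not captured from a device).
ISAKMP_UP = """\
 destination      source            state          conn-id           lifetime(second)
10.0.0.2          10.0.0.1          IKE_IDLE        0                 84129
"""
ISAKMP_EMPTY = ISAKMP_UP.splitlines()[0] + "\n"      # header only, no SA rows

IPSEC_UP = """\
Interface: GigabitEthernet 0/0
        local  ident (addr/mask/prot/port): (192.168.1.0/0.0.0.255/0/0)
        remote ident (addr/mask/prot/port): (192.168.0.0/0.0.0.255/0/0)
        #pkts encaps: 4, #pkts encrypt: 4, #pkts digest 4
        #pkts decaps: 4, #pkts decrypt: 4, #pkts verify 4
        #send errors 0, #recv errors 0
 Inbound esp sas:
        spi: 0x2ecca8e (49072782)
        transform: esp-des esp-md5-hmac
 Outbound esp sas:
        spi: 0x5730dd4b (1462820171)
        transform: esp-des esp-md5-hmac
"""

IPSEC_DOWN = """\
Interface: FastEthernet 0/0
        #pkts encaps: 8, #pkts encrypt: 8, #pkts digest 0
        #pkts decaps: 8, #pkts decrypt: 8, #pkts verify 0
        #send errors 2, #recv errors 0
No sa is created now.
"""

# Still present in the cookbook's transform set, but no longer adequate choices.
WEAK_TRANSFORMS = {"esp-des", "esp-md5-hmac"}


@dataclass
class IpsecSa:
    inbound_spi: list = field(default_factory=list)
    outbound_spi: list = field(default_factory=list)
    transforms: set = field(default_factory=set)
    encaps: int = 0
    decaps: int = 0
    send_errors: int = 0
    recv_errors: int = 0
    no_sa: bool = False          # "No sa is created now." marker seen


def parse_isakmp(text):
    """ISAKMP SA state column (e.g. 'IKE_IDLE'), or None when the table has no rows."""
    m = re.search(r"^\s*\S+\s+\S+\s+(IKE_\w+)", text, re.M)
    return m.group(1) if m else None


def parse_ipsec(text):
    """Pull SPIs, transforms, counters and the no-SA marker out of 'show crypto ipsec sa'."""
    sa, direction = IpsecSa(), None
    for line in text.splitlines():
        if "Inbound esp sas" in line:
            direction = "in"
        elif "Outbound esp sas" in line:
            direction = "out"
        elif "No sa is created" in line:
            sa.no_sa = True
        if (m := re.search(r"spi:\s*(0x[0-9a-fA-F]+)", line)) and direction:
            (sa.inbound_spi if direction == "in" else sa.outbound_spi).append(m.group(1).lower())
        if m := re.search(r"transform:\s*(.+?)\s*$", line):
            sa.transforms.update(m.group(1).split())
        if m := re.search(r"#pkts encaps:\s*(\d+)", line):
            sa.encaps = int(m.group(1))
        if m := re.search(r"#pkts decaps:\s*(\d+)", line):
            sa.decaps = int(m.group(1))
        if m := re.search(r"#send errors\s*(\d+),\s*#recv errors\s*(\d+)", line):
            sa.send_errors, sa.recv_errors = int(m.group(1)), int(m.group(2))
    return sa


def assess(isakmp_text, ipsec_text):
    """Findings list; empty means phase 1 and phase 2 both look healthy."""
    findings, state, sa = [], parse_isakmp(isakmp_text), parse_ipsec(ipsec_text)
    if state is None:
        findings.append("no ISAKMP SA: phase 1 negotiation has not completed")
    elif state != "IKE_IDLE":
        findings.append(f"ISAKMP SA state is {state}, not IKE_IDLE")
    if sa.no_sa or not (sa.inbound_spi and sa.outbound_spi):
        findings.append("incomplete IPSec SA: inbound and outbound SPIs must both be present")
    if sa.send_errors or sa.recv_errors:
        findings.append(f"send errors {sa.send_errors}, recv errors {sa.recv_errors}")
    return findings


def weak_transforms(ipsec_text):
    """Transform-set members a hardening review would flag."""
    return sorted(parse_ipsec(ipsec_text).transforms & WEAK_TRANSFORMS)


def traffic_flowing(before, after):
    """True when both the encaps and decaps counters advanced between two snapshots."""
    b, a = parse_ipsec(before), parse_ipsec(after)
    return a.encaps > b.encaps and a.decaps > b.decaps
```

Run assess() on the two outputs captured together, and traffic_flowing() on two captures of show crypto ipsec sa taken a few seconds apart while test traffic is being sent; the second call is the automated form of the cookbook's advice to watch the counters increase.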

 

1.4.3.9    IPSEC Reverse Route Injection

 

Features

IPSec Reverse Route Injection is generally applied on the headquarters router in a headquarters-branch IPSec VPN. With this function, when the IPSec negotiation between a branch and the headquarters succeeds, the headquarters router automatically injects the network segment of the branch into the routing table, so that the headquarters can correctly forward data to the branch.

The working principle of IPSec Reverse Route Injection is as follows: when the IPSec negotiation between a branch and the headquarters succeeds, the headquarters router inspects the match address of the successfully negotiated IPSec SA to learn the network segment of the branch, adds that network segment to the routing table, and uses the IP address of the branch as the next hop.

For example, the IPSec match address of branch 1 is: branch network segment 192.168.1.0/24 -> headquarters network segment 192.168.0.0/24. After successful IPSec negotiation, the corresponding match address on the headquarters router is: headquarters network segment 192.168.0.0/24 -> branch network segment 192.168.1.0/24. The match address shows that the branch network segment that needs to communicate with the headquarters is 192.168.1.0/24. The headquarters router therefore adds 192.168.1.0/24 to the routing table through Reverse Route Injection, with the IP address of branch 1 as the next hop.
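The derivation just described, from the branch's interesting-traffic ACL to the route the headquarters installs, can be carried through in code. The following Python script is an added example, not Ruijie's implementation: it converts ACL address/wildcard pairs (the form used by access-list 101 in the Basic Configuration section) into prefixes, mirrors the branch match address into the headquarters view, produces the injected static route with the default distance of 1, and applies the verification note from this section that a next hop reachable only through the default route does not work. The routing table and the branch address 10.0.0.2 are constructed to match the topology in this cookbook.

```python
import ipaddress


def wildcard_to_network(addr, wildcard):
    """Convert an ACL 'address wildcard' pair (e.g. 192.168.1.0 0.0.0.255) to a network."""
    host = int(ipaddress.IPv4Address(addr))
    mask = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    prefix = bin(mask).count("1")
    net = ipaddress.IPv4Network(f"{ipaddress.IPv4Address(host & mask)}/{prefix}")
    if int(net.netmask) != mask:   # e.g. 0.0.255.0: no single prefix can express it
        raise ValueError(f"wildcard {wildcard} is not contiguous; no single route can express it")
    return net


def headquarters_match_address(branch_acl):
    """The branch ACL (source -> destination) seen from the headquarters side:
    local and remote identities are swapped, as the example above describes."""
    src, src_wc, dst, dst_wc = branch_acl
    return {"local": wildcard_to_network(dst, dst_wc),
            "remote": wildcard_to_network(src, src_wc)}


def reverse_route(match, peer_ip, distance=1, weight=0):
    """Static route the headquarters injects once the IPSec SA for `match` is up:
    the remote identity becomes the prefix and the peer address the next hop."""
    return {"prefix": str(match["remote"]), "next_hop": peer_ip,
            "distance": distance, "weight": weight}


def format_route(r):
    """Render the route the way it appears in 'show ip route'."""
    return f"S    {r['prefix']} [{r['distance']}/{r['weight']}] via {r['next_hop']}"


def next_hop_resolvable(next_hop, routing_table):
    """Mirror the verification note: the next hop must be covered by a route other
    than the default route, because the default route is not used recursively."""
    hop = ipaddress.IPv4Address(next_hop)
    return any(hop in ipaddress.IPv4Network(prefix)
               for prefix in routing_table if prefix != "0.0.0.0/0")


# Constructed headquarters routing table (prefixes only), matching the topology above.
HQ_TABLE = ["10.0.0.0/24", "192.168.0.0/24", "0.0.0.0/0"]

if __name__ == "__main__":
    branch_acl = ("192.168.1.0", "0.0.0.255", "192.168.0.0", "0.0.0.255")  # branch 1's ACL 101
    match = headquarters_match_address(branch_acl)
    route = reverse_route(match, "10.0.0.2")
    print(format_route(route))                       # S    192.168.1.0/24 [1/0] via 10.0.0.2
    print("next hop resolvable:", next_hop_resolvable(route["next_hop"], HQ_TABLE))
```

The non-contiguous wildcard case is rejected on purpose: such an ACL can still select interesting traffic, but there is no single prefix the router could inject for it.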

I. Networking Requirements:

Use IPSec Reverse Route Injection to dynamically inject the route information of a branch into the headquarters router, so as to enable communication between the headquarters and the branch.

II. Network Topology:

III. Configuration Tips

1.      Configure basic IPSec functions.

2.      Configure Reverse Route Injection on the headquarters router.

3.      Redistribute the reversely injected route into the dynamic routing protocol (optional, taking OSPF as an example).

IV. Configuration Steps

1.      Configure basic IPSec functions.

Based on the on-site environment and customer demands, select an appropriate IPSec deployment scheme. For detailed configurations, refer to the section Basic Configuration (Typical Configuration--->Security--->IPSec--->Basic Configuration).

2.      Configure Reverse Route Injection on the headquarters router.

crypto dynamic-map dymymap 5

reverse-route                                 //Configures Reverse Route Injection.

Notes:

l  Similar to a static route, the injected route has an administrative distance of 1 and a weight of xxx by default. The extended parameters can be used to modify the administrative distance and metric of the injected route, or to tag the injected route.

l  The remote-peer parameter restricts reverse route injection to a specific peer.

l  The injected route can be associated with BFD or TRACK.

Ruijie(config-crypto-map)#reverse-route ?

  <1-255>      Distance

  bfd          Configure bfd

  remote-peer  Match address of packets to encrypt

  tag          Set tag for this route

  track        Install route depending on tracked item

  weight       Route weight

  <cr>

3.      Redistribute the reversely injected route into the dynamic routing protocol (optional, taking OSPF as an example).

router ospf 1

   redistribute static subnets

 

V. Verification

1.      After the IPSec negotiation between branch 1 and the headquarters succeeds, a route to branch 1 is dynamically generated on the headquarters router:

Ruijie(config)#show ip route

Codes:  C - connected, S - static, R - RIP, B - BGP

        O - OSPF, IA - OSPF inter area

        N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

        E1 - OSPF external type 1, E2 - OSPF external type 2

        i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2

        ia - IS-IS inter area, * - candidate default

Gateway of last resort is no set

C   10.0.0.0/24 is directly connected, GigabitEthernet 0/0

C   10.0.0.1/32 is local host.

C   192.168.0.0/24 is directly connected, Loopback 0

C   192.168.0.1/32 is local host.

S    192.168.1.0/24 [1/0] via 10.0.0.2                  //Indicates the route reversely injected by the headquarters after the IPSec VPN of branch 1 is successfully dialed. Note that if the next hop of a static route is reachable only through the default route, Reverse Route Injection may fail, because the default route is not used for recursive lookup.

2.      After the corresponding IPSec SA is cleared on branch 1, the corresponding route entry disappears from the headquarters router:

center#show ip route

Codes:  C - connected, S - static, R - RIP, B - BGP

        O - OSPF, IA - OSPF inter area

        N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

        E1 - OSPF external type 1, E2 - OSPF external type 2

        i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2

        ia - IS-IS inter area, * - candidate default

Gateway of last resort is no set

C   10.0.0.0/24 is directly connected, GigabitEthernet 0/0

C   10.0.0.1/32 is local host.

C   192.168.0.0/24 is directly connected, Loopback 0

C   192.168.0.1/32 is local host.

 

1.4.3.10 IPSEC Multi-Peer Mutual Backup

 

Features

The IPSec multi-peer mutual backup function enables the router to automatically switch to a backup peer (multiple backup peers can be configured) for IPSec VPN negotiation when the IPSec VPN negotiation with the master peer fails, so as to provide redundancy for an IPSec VPN.

I. Networking Requirements:

The headquarters router is connected to the Internet through two egresses: one via China Telecom and the other via China Unicom. When the China Telecom line is interrupted, a branch can establish an IPSec VPN with the headquarters router through the China Unicom line, so as to ensure normal communication between the branch and the headquarters.

II. Network Topology:

III. Configuration:

1.      Configure basic IPSec functions.

2.      Configure the IPSec multi-peer mutual backup function on the branch router.

3.      Configure IPSec DPD on the branch router.

IV. Configuration Steps

1.      Configure basic IPSec functions.

Based on the site environment and customer demands, select an appropriate IPSec deployment scheme. For detailed configurations, refer to the section "Basic Configuration" (Typical Configuration--->Security--->IPSec--->Basic Configuration).

(1)    Apply the IPSec encryption map to the two egresses of the headquarters router.

interface GigabitEthernet 0/0

crypto map mymap                       //Applies the crypto map to the China Telecom egress.

interface GigabitEthernet 0/1

crypto map mymap                       //Applies the crypto map to the China Unicom egress.

(2)    If a pre-shared key is used for authentication, specify the pre-shared keys for the IP addresses of the two egresses on the branch router.

crypto isakmp key 0 ruijie address x.x.x.x

crypto isakmp key 0 ruijie address y.y.y.y   //Specifies the pre-shared keys corresponding to the China Telecom IP address and the China Unicom IP address, respectively.

2.      Configure the IPSec multi-peer mutual backup function on the branch router.

crypto map mymap 5 ipsec-isakmp

set peer x.x.x.x                          //Specifies the public IP address of China Telecom as the master peer.

set peer y.y.y.y                          //Specifies the public IP address of China Unicom as the backup peer.

3.      Configure IPSec DPD on the branch router.

For the configuration method of IPSec DPD, refer to the section "IPSec DPD Configuration" (Typical Configuration-->Security--->IPSec--->Extension Configuration--->IPSEC DPD Configuration).

Notes:

To use the IPSec multi-peer mutual backup function, you need to enable IPSec DPD on the branch router, so that the branch router can detect peer faults and automatically switch to the backup peer.

 

V. Verification

1.      Initiate a data connection on the branch router to access the headquarters, so as to create an IPSec VPN.

It can be seen that an IPSec VPN is successfully created between the branch and the headquarters using the public IP address of China Telecom.

Ruijie#show crypto isakmp sa

 destination      source            state                    conn-id           lifetime(second)

x.x.x.x           10.0.0.1          IKE_IDLE                 0                 84129            //x.x.x.x is the public IP address of China Telecom.

2.      Disconnect the China Telecom egress cable on the headquarters router, and continue to initiate a data connection on the branch router to access the headquarters.

It can be seen that an IPSec VPN is successfully created between the branch and the headquarters using the public IP address of China Unicom.

Ruijie#show crypto isakmp sa

 destination      source            state                    conn-id           lifetime(second)

y.y.y.y           10.0.0.1          IKE_IDLE                 0                 84129            //y.y.y.y is the public IP address of China Unicom.

 

1.4.3.11 IPSEC Automatic Tunnel Connection (autoup)

 

Features

Generally, an IPSec tunnel is created through negotiation after it is triggered by data streams. When automatic tunnel connection (autoup) is enabled, the tunnel is triggered from inside the IPSec module, which means that, as long as IPSec is configured, the device automatically initiates an IPSec negotiation whether or not any data stream triggers it.

I. Networking Requirements:

The branch and the headquarters need to use a dynamic IPSec VPN to encrypt the business data exchanged between them. Because the headquarters needs to access the application server of branch 1 from time to time, the IPSec VPN between branch 1 and the headquarters needs to stay up permanently, whether or not branch 1 needs to access the headquarters.

II. Network Topology:

III. Configuration:

1.      Configure basic IPSec functions.

2.      Enable IPSec automatic tunnel connection on branch 1.

IV. Steps

1.      Configure basic IPSec functions.

Based on the site environment and customer demands, select an appropriate IPSec deployment scheme. For detailed configurations, refer to the section "Basic Configuration" (Typical Configuration--->Security--->IPSec--->Basic Configuration).

2.      Enable IPSec automatic tunnel connection on branch 1.

R1(config)#crypto map mymap 10 ipsec-isakmp

R1(config-crypto-map)#set autoup                                   //Enables IPSec automatic tunnel connection.

Notes: The "set autoup" command has no effect under a dynamic map.

V. Verification

When IPSec automatic tunnel connection is enabled on the router of branch 1, an IPSec tunnel is created through automatic negotiation whether or not branch 1 sends data streams to the headquarters.

Ruijie#show crypto isakmp sa                                     //Shows the result of the ISAKMP SA negotiation.

 destination      source        state             conn-id        lifetime(second)

10.0.0.2          10.0.0.1       IKE_IDLE         0                84129                //The ISAKMP negotiation is successful and the state is IKE_IDLE.

Ruijie#show crypto ipsec sa                                             //Shows the result of the IPSec SA negotiation.

Interface: GigabitEthernet 0/0

Crypto map tag: mymap    //Indicates the name of the crypto map applied to the interface.

local ipv4 addr 10.0.0.1                  //Indicates the IP address used during ISAKMP/IPSec negotiation.

        media mtu 1500

        ==================================

        sub_map type:static, seqno:5, id=0

         local  ident (addr/mask/prot/port):(192.168.0.0/0.0.0.255/0/0))    //Indicates the source IP addresses of the interesting traffic.

remote  ident (addr/mask/prot/port):(192.168.1.0/0.0.0.255/0/0))  //Indicates the destination IP addresses of the interesting traffic.

        PERMIT

#pkts encaps: 4, #pkts encrypt: 4, #pkts digest 4  //Indicates the number of packets successfully encapsulated, encrypted and digested.

#pkts decaps: 4, #pkts decrypt: 4, #pkts verify 4  //Indicates the number of packets successfully decapsulated, decrypted and verified. While data is being encrypted through IPSec, these counters keep increasing each time you run show crypto ipsec sa again.

#send errors 0, #recv errors 0  //Indicates the number of packets that failed to be sent or received. Normally, these counts do not increase.

 Inbound esp sas:

spi: 0x2ecca8e (49072782)                   //Indicates the inbound SPI of the IPSec SA.

              transform: esp-des esp-md5-hmac    //Indicates that the IPSec transform set is esp-des esp-md5-hmac.

in use settings={Tunnel Encaps,}         //Indicates that tunnel mode is used.

              crypto map mymap 5

              sa timing: remaining key lifetime (k/sec): (4606998/1324)  //Indicates the remaining lifetime of the SA: 4,606,998 kilobytes / 1,324 seconds.

              IV size: 8 bytes   //Indicates that the IV length is 8 bytes.

Replay detection support: Y   //Indicates that anti-replay processing is enabled.

 Outbound esp sas:

spi: 0x5730dd4b (1462820171)  //Indicates the outbound SPI of the IPSec SA. When both the inbound SPI and the outbound SPI are displayed, the IPSec SA negotiation is successful.

              transform: esp-des esp-md5-hmac

              in use settings={Tunnel Encaps,}

              crypto map mymap 5

              sa timing: remaining key lifetime (k/sec): (4606998/1324)

              IV size: 8 bytes

              Replay detection support: Y

 

1.4.4    GRE

 

Features

Generic Routing Encapsulation (GRE) is a protocol used to encapsulate data packets of certain network layer protocols (for example, IP and IPX), so that the encapsulated packets can be transmitted over another network layer protocol (for example, IP). GRE uses tunnel technology and is a Layer 3 tunnel protocol for Virtual Private Networks (VPNs).

A tunnel is a virtual point-to-point connection. It provides a channel over which encapsulated data packets are transmitted; packets are encapsulated at one end of the tunnel and decapsulated at the other.
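What the tunnel interface actually does to a packet is small enough to write out. The following Python script is an added example, not Ruijie's implementation: it builds an inner IPv4 packet between the two LANs, wraps it in a basic GRE header (RFC 2784, no checksum/key/sequence fields) and an outer IPv4 header addressed between the two tunnel endpoints used later in this section, and unwraps it again with the checks the far end must perform. The LAN addresses and the ICMP-like payload are constructed for the example. Because the inner packet is carried byte for byte inside the outer one, GRE adds no confidentiality or integrity protection, which is why the Scenario below limits it to cases where data security is not a priority.

```python
import ipaddress
import struct

GRE_PROTOCOL = 47            # IP protocol number carried in the outer IPv4 header
ETHERTYPE_IPV4 = 0x0800      # GRE protocol type for an IPv4 payload
GRE_OVERHEAD = 20 + 4        # outer IPv4 header + basic GRE header (no optional fields)


def ipv4_checksum(header):
    """RFC 791 one's-complement checksum; returns 0 for a header whose checksum is valid."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src, dst, protocol, payload, ttl=255):
    """Minimal IPv4 packet (no options) with a correct header checksum."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, protocol, 0,
                         ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    header = header[:10] + struct.pack("!H", ipv4_checksum(header)) + header[12:]
    return header + payload


def ipv4_addresses(packet):
    """(source, destination) of an IPv4 packet as dotted strings."""
    return (str(ipaddress.IPv4Address(packet[12:16])),
            str(ipaddress.IPv4Address(packet[16:20])))


def gre_encapsulate(tunnel_src, tunnel_dst, inner_packet):
    """What the tunnel interface does on the way out: prepend GRE + outer IP headers."""
    gre_header = struct.pack("!HH", 0x0000, ETHERTYPE_IPV4)   # flags/version = 0
    return build_ipv4(tunnel_src, tunnel_dst, GRE_PROTOCOL, gre_header + inner_packet)


def gre_decapsulate(packet):
    """What the far end does: validate the outer headers, strip them, return the inner packet."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != GRE_PROTOCOL:
        raise ValueError("outer packet is not GRE")
    if ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("outer IPv4 header checksum is wrong")
    flags, proto_type = struct.unpack("!HH", packet[ihl:ihl + 4])
    if flags & 0xF000:                # C, R, K or S bit set: optional fields this example does not parse
        raise ValueError("GRE optional fields present")
    if proto_type != ETHERTYPE_IPV4:
        raise ValueError("unexpected GRE payload type")
    return packet[ihl + 4:]


if __name__ == "__main__":
    # Constructed inner packet: a host in LAN 1 talking to a host in LAN 2.
    inner = build_ipv4("192.168.1.10", "192.168.2.1", 1, b"\x08\x00" + b"\x00" * 6 + b"ping")
    # Tunnel endpoints are the R1/R2 outbound addresses used in the configuration below.
    outer = gre_encapsulate("222.100.100.1", "222.200.200.1", inner)
    print("outer:", ipv4_addresses(outer), "proto", outer[9], "len", len(outer))
    print("inner:", ipv4_addresses(inner), "len", len(inner), "overhead", GRE_OVERHEAD)
    print("inner visible inside outer:", inner in outer)
    print("round trip ok:", gre_decapsulate(outer) == inner)
```

The GRE_OVERHEAD constant is also the reason a tunnel interface advertises a smaller MTU than the physical link it rides on: an inner packet larger than the link MTU minus this overhead has to be fragmented or rejected.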

 

Scenario

When the headquarters of a company and its branches need to share information through their internal networks and data security is not a high priority, a GRE VPN can be deployed on the network devices of the headquarters and the branches so that each side can access the other's resources.

 

I. Networking Requirements

The two LANs access the Internet through their respective egress routers. The two egress routers use a GRE tunnel to enable users of the two LANs to access each other.

II. Network Topology

 

III. Configuration Tips

1.      Configure routers R1 and R2 so that both can access the Internet and can ping each other.

2.      Configure a GRE tunnel on R1.

3.      Configure a route on R1 to direct the LAN 2 network segment to the GRE tunnel.

4.      Configure a GRE tunnel on R2.

5.      Configure a route on R2 to direct the traffic to LAN 1 to the GRE tunnel.

Notes: The IP network segments of LAN 1 and LAN 2 that access each other must not overlap.

IV. Configuration Steps

1.      Configure routers R1 and R2 so that both can access the Internet and can ping each other.

R1

interface FastEthernet 0/0

ip ref

ip address 222.100.100.1 255.255.255.252

ip route 0.0.0.0 0.0.0.0 222.100.100.2

R2

interface FastEthernet 0/0

ip ref

ip address 222.200.200.1 255.255.255.252

ip route 0.0.0.0 0.0.0.0 222.200.200.2

2.      Configure a GRE tunnel on R1.

Ruijie>enable                        //Enters the privileged mode.

Ruijie#configure terminal               //Enters the global configuration mode.

Ruijie(config)#interface tunnel 1

Ruijie(config-if-Tunnel 1)#ip address 172.16.100.1 255.255.255.0    //Configures the IP address of the GRE tunnel.

Ruijie(config-if-Tunnel 1)#tunnel source 222.100.100.1              //Configures the source IP address of the GRE tunnel (the IP address of the outbound interface of R1).

Ruijie(config-if-Tunnel 1)#tunnel destination 222.200.200.1         //Configures the destination IP address of the GRE tunnel (the IP address of the outbound interface of R2).

Ruijie(config-if-Tunnel 1)#exit

3.      Configure a route on R1 to direct the LAN 2 network segment to the GRE tunnel.

Ruijie(config)#ip route 192.168.2.0 255.255.255.0 Tunnel 1 172.16.100.2  //Reaches 192.168.2.0/24 by sending the packet through tunnel 1 to 172.16.100.2 (the IP address of the peer GRE tunnel).

4.      Configure a GRE tunnel on R2.

Ruijie>enable                        //Enters the privileged mode.

Ruijie#configure terminal               //Enters the global configuration mode.

Ruijie(config)#interface tunnel 1

Ruijie(config-if-Tunnel 1)#ip address 172.16.100.2 255.255.255.0    //Configures the IP address of the GRE tunnel.

Ruijie(config-if-Tunnel 1)#tunnel source 222.200.200.1              //Configures the source IP address of the GRE tunnel (the IP address of the outbound interface of R2).

Ruijie(config-if-Tunnel 1)#tunnel destination 222.100.100.1         //Configures the destination IP address of the GRE tunnel (the IP address of the outbound interface of R1).

5.      Configure a route on R2 to direct the LAN 1 network segment to the GRE tunnel.

Ruijie(config)#ip route 192.168.1.0 255.255.255.0 Tunnel 1 172.16.100.1   //Reaches 192.168.1.0/24 by sending the packet through tunnel 1 to 172.16.100.1 (the IP address of the peer GRE tunnel).

 

V. Verification

1.      Ping an address in LAN 2 from a PC in LAN 1.

C:\Users\Administrator>ping 192.168.2.1

Pinging 32-byte data in 192.168.2.1:

Reply from 192.168.2.1: byte=32 time=2ms TTL=248

Reply from 192.168.2.1: byte=32 time=1ms TTL=248

Reply from 192.168.2.1: byte=32 time=1ms TTL=248

Reply from 192.168.2.1: byte=32 time=2ms TTL=248

 

Ping statistics information of 192.168.2.1:

Data packet: sent = 4, received = 4, lost = 0 (0% lost),

Estimated round-trip time (in milliseconds):

Shortest = 1ms, longest = 2ms, average = 1ms

2.      Show the GRE tunnel status on the router.

Ruijie#show interfaces tunnel 1

Index(dec):11 (hex):b

Tunnel 1 is UP, line protocol is UP

Hardware is Tunnel

Interface address is: 172.16.100.2/24

  MTU 1480 bytes, BW 9 Kbit

  Encapsulation protocol is Tunnel, loopback not set

Keepalive interval is no set

  Carrier delay is 0 sec

  RXload is 1, Txload is 1

  Tunnel source 222.200.200.1 (FastEthernet 0/0), destination 222.100.100.1

  Tunnel TTL 255

  Tunnel protocol/transport IPIP

  Queueing strategy: FIFO

  Output queue 0/40, 0 drops;

   Input queue 0/75, 0 drops

  5 minutes input rate 0 bits/sec, 0 packets/sec

  5 minutes output rate 0 bits/sec, 0 packets/sec

5 packets input, 500 bytes, 0 no buffer, 0 dropped         //Indicates that data packets have been received through the GRE tunnel.

   Received 0 broadcasts, 0 runts, 0 giants

    0 input errors, 0 CRC, 0 frame, 0 overrun, 0 abort

5 packets output, 600 bytes, 0 no buffer, 0 dropped         //Indicates that data packets have been sent through the GRE tunnel.

0 output errors, 0 collisions, 0 interface resets

1.4.5    L2TP VPN

 

Features

In the voluntary tunnel mode: A remote access client runs the L2TP software and functions as anLAC in the L2TP connection model. The remote client/LAC (called as "LACcustomer" in RFC 2661) is connected to LNS, and PPP frames are directlyforwarded through the L2TP tunnel between the customer and LNS. It is generallyused for mutual connection between the headquarters and branches of a company.

 

Scenarios

The headquarters of a company and itsbranches need to mutually share data through their inside networks, the datasecurity is not highly emphasized, and the headquarters uses local user namesand passwords to verify routers of branches. For this purpose, you can forciblyenable L2TP VPN on the network devices of the headquarters and branches andconfigure the PPP authentication mode as local authentication.

 

I.Networking Requirements

Due to business development, a companycreates multiple branches all over the country. The egress router of theheadquarters is connected to the Internet through a dedicated line of a Telecomoperator, while the branches are connected to the Internet through a dedicatedline or ADSL. The branches need to access the business server in theheadquarters, and communication data between the branches and the headquartersneeds to be encrypted to ensure business security.

For this purpose, you can create an L2TP VPNbetween egress routers of the headquarters and the branches, so as to realizemutual access between them.

II. Network Topology

Simulated topology:

III. Configuration Tips

The major difference between configurationsof L2TP VPN 2.0 and 1.0 lies in the configuration of LNS: 1. A virtual-vpdn 2.0interface must be created firstly; 2. The vpdn-group of LNS must be specifiedas source-ip 3, and the virtual-vpdn interface must be configured with a staticIP address; 4. A new command must be used to configure and call the addresspool. Notes: The virtual-vpdninterface automatically adjusts MSS (the length of header encapsulated by LETPis deducted). However, when the interface is used together with other VPNs, theMSS must be modified manually.

The configuration steps are as follows:

1.      Configure LNS VPDN.

2.      Configure the LNS address pool and user information.

3.      Configure the LNS virtual-vpdn interface.

4.      Configure the PPP dial-up of the branch router.

5.      Configure the L2TP Class of the branch router.

6.      Configure the L2TP pseudowire-class interface of the branch router.

7.      Configure the Virtual-ppp interface of the branch router.

IV. Configuration Steps

1.      Configure LNS VPDN.

vpdnenable

interfacevirtual-vpdn 1    //Creates avirtual-vpdn interface first. The interface must be created in advance.

vpdn-group1

   accept-dialin

source-ip12.1.1.2    //It must be configured.The IP address is the destination address of the LAC dial-in request packet,and is generally the egress address of the dedicated line.

       protocol l2tp        

virtual-vpdn1         //It requires that theprotocol is set to L2TP; otherwise, this command is not displayed duringconfiguration.

l2tp tunnelauthentication                     //EnablesL2TP tunnel authentication based on demands.

l2tptunnel password ruijie                    //Configures the L2TP tunnel authentication password as"ruijie" based on demands.

Notes:

(1)    After enabling tunnel authentication andconfiguring the password on LNS, you must enable tunnel authentication andconfigure the same password on the L2TP client; otherwise, L2TP negotiationwill fail.

(2)    If the destination IP address of the LAC dial-inrequest packet is the loopback address of LNS, the source-ip command isineffective and must be replaced with the bind slot-id command. The"slot-id" indicates the card slot number of the dedicated lineegress. The command is supported in the 10.4(3b31)p1 version or latterversions.

2.      Configure the LNS address pool and user information.

vpdn pool test 100.1.1.1 100.1.1.100     //Configures the address pool of the L2TP user. The command differs from the one used in L2TP VPN 1.0.

username test password test            //Adds the account and password of the L2TP client that needs local authentication.

3.      Configure the LNS virtual-vpdn interface.

interface Virtual-vpdn 1

 ppp authentication chap

 ip address 10.1.1.1 255.255.255.0    //The virtual-vpdn interface must be configured with a static IP address.

 vpdn intf_pool test              //Calls the address pool configured for VPDN on the interface. The command differs from the one used in L2TP VPN 1.0.

 

====== The configuration of the branch router (client/LAC) remains unchanged, and is exactly the same as the configuration of the L2TP VPN 1.0 client in voluntary tunnel mode. ======

 

4.      Configure the PPP dial-up of the branch router.

Ensure that the branch router has been correctly connected to the Internet and can communicate with the LNS.

For ADSL dial-up, refer to "Typical Configuration" > "WAN Interface Configuration" > "ADSL Dial-up".

5.      Configure the L2TP Class of the branch router.

l2tp-class l2x

 hostname site1           //Optional.

 authentication          //Enables L2TP tunnel authentication.

 password ruijie          //Sets the L2TP tunnel authentication password to "ruijie".

Notes: The tunnel authentication password configured on the L2TP client must be the same as that on the LNS; otherwise, L2TP negotiation will fail.

6.      Configure the L2TP pseudowire-class interface of the branch router.

pseudowire-class pw

 encapsulation l2tpv2        //Specifies L2TPv2 for encapsulation.

 protocol l2tpv2 l2x           //Specifies L2TPv2 as the tunnel protocol and "l2x" as the L2TP class.

 ip local interface gi 0/0    //Specifies the source IP address for L2TP tunnel negotiation. It is the address of the external network interface.

7.      Configure the Virtual-ppp interface of the branch router.

interface Virtual-ppp 1

 ip ref

 ppp chap hostname test              //Configures the CHAP hostname (user name) "test".

 ppp chap password test               //Configures the CHAP password "test".

 ip address negotiate                      //Configures the IP address to be automatically allocated.

 pseudowire 12.1.1.2 1 pw-class pw    //Specifies the LNS address and the pseudowire-class "pw".

 

V. Verification

1.      Show the status information of the L2TP client.

(1)    After configuration, the branch router automatically initiates L2TP dial-up. If the dial-up is successful, run the show ip interface brief command on the branch router; the result shows that the status of the interface is "UP" and the correct IP address has been obtained.

(2)    The routing table already contains a host route to the virtual-vpdn interface address of the LNS, directly connected through the virtual-ppp interface.

(3)    The L2TP client can ping the virtual-vpdn interface address of the LNS.

2.      Show the status information on the LNS.

(1)    Run the show vpdn command on the LNS to show the users that have successfully dialed in:

Two users have dialed in.

(2)    Show the corresponding VPDN interface on the LNS.

Only one virtual-vpdn interface is generated.

(3)    Confirm the routing table of the corresponding clients.

The host routes of the two dialed-in clients are generated.

 

1.4.6    VPDN 2.0

L2TP 2.0 Compulsory Tunnel Mode – Local User Authentication

Features

In L2TP compulsory tunnel mode, the L2TP Access Concentrator (LAC) terminates calls from remote access clients, and then extends the PPP sessions to the L2TP Network Server (LNS) through a tunnel across an intermediate network. In this mode, the remote access clients are not required to know L2TP and only have to dial in to the LAC via PPP. 3G solutions adopt this mode.

 

Scenario

A company rents a 3G network from an Internet service provider (ISP). Its branch routers need to dial in to the intranet of the headquarters via the 3G network. The headquarters authenticates branch routers by local user names and passwords. For this purpose, you can set up compulsory L2TP tunnel mode between the ISP network and the headquarters intranet, and configure local authentication for PPP authentication.

 

I. Networking Requirements

Take a 3G scenario as an example: RSR series routers are used as the LNS and converge the L2TP sessions of all clients. CHAP authentication and IP address assignment for all users are performed locally on the LNS.

II. Network Topology

 

Analog Topology:

 

III. Configuration Tips

The major difference between the configurations of L2TP VPN 2.0 and 1.0 is the LNS configuration: 1. A virtual-vpdn 2.0 interface must be created first; 2. The source IP address of the vpdn-group of the LNS must be specified; 3. The virtual-vpdn interface must be configured with a static IP address; 4. A new command must be used to configure and call the address pool. Note: The virtual-vpdn interface automatically adjusts the MSS (the length of the header encapsulated by L2TP is deducted). However, when the interface is used together with other VPNs, the MSS must be modified manually.

Configuration Steps:

1.      Configure the LNS VPDN.

2.      Configure the LNS address pool and user information.

3.      Configure the LNS virtual-vpdn interface.

4.      Configure PPP dial-up for branch routers.

IV. Configuration Steps

1.      Configure the LNS VPDN.

vpdn enable

interface virtual-vpdn 1   //Creates a virtual-vpdn 2.0 interface first. The interface must be created in advance.

vpdn-group 1

 accept-dialin

 source-ip 172.18.10.201    //(Mandatory) It indicates the destination address of the LAC dial-in request packet and is generally the egress address of the dedicated line.

  protocol l2tp

  virtual-vpdn 1              //Requires that the protocol is set to L2TP. Otherwise, this command is not displayed during configuration.

 l2tp tunnel authentication                       //Enables L2TP tunnel authentication as required.

 l2tp tunnel password ruijie                 //Sets the L2TP tunnel authentication password to ruijie.

 

Note:

1)     After configuring tunnel authentication and the password on the LNS, configure the same on the L2TP client. Otherwise, L2TP negotiation fails.

2)     If the destination address of the LAC dial-in request packet is the loopback address of the LNS, the source-ip command will not take effect and must be replaced with the bind slot-id command. The slot-id indicates the line card slot number of the dedicated line egress. This command is supported in version 10.4(3b31)p1 or later.

2.      Configure the LNS address pool and user information.

vpdn pool test 100.1.1.1 100.1.1.100      //Configures the address pool for the L2TP user. The command differs from the one used in L2TP VPN 1.0.

username ruijie@ruijie.com.cn password ruijie

username test@ruijie.com.cn password test              //Adds the account and password of the L2TP client for local authentication.

 

3.      Configure the LNS virtual-vpdn interface.

interface Virtual-vpdn 1

 ppp authentication chap

 ip address 10.1.1.1 255.255.255.0     //The virtual-vpdn interface must be configured with a static IP address.

 vpdn intf_pool test                 //Calls the address pool configured for the VPDN on the interface. The command differs from the one used in L2TP VPN 1.0.

 

4.      Configure the LNS compatibility command. (Optional)

In the 3G scenario, the 3G client dial-up may fail after configuration because the LNS is incompatible with the LAC. Test the following compatibility commands separately.

Run the following commands to make the LNS ignore the PPP authentication message from the LAC and force the LNS to perform another CHAP authentication on the client.

Ruijie(config)#vpdn-group 1

Ruijie(config-vpdn)#force-local-chap

 

Run the following commands to make the LNS ignore the PPP negotiation message from the LAC and force the LNS to renegotiate LCP with the client.

Ruijie(config)#vpdn-group 1

Ruijie(config-vpdn)#force-local-lcp

 

Run the following commands to ignore errors reported by control packets.

Ruijie(config)#vpdn-group 1

Ruijie(config-vpdn)#lcp renegotiation always

 

5.      Configure PPP dial-up for remote clients.

(1)    In the 3G scenario, see Typical Configuration > WAN Interface Configuration > 3G Interface Dial-up > 3G VPDN.

(2)    In case of ADSL dial-up, see Typical Configuration > WAN Interface Configuration > ADSL Dial-up.

(3)    Dial up through common serial ports.

interface Serial0/0

 ip address negotiated                   //Obtains an address from the LNS through negotiation.

 encapsulation ppp

 ppp chap hostname test@ruijie.com.cn

 ppp chap password test

 

V. Verification

After configuration, dial-up is triggered on the L2TP client (or 3G client). If dial-up is successful, run the show vpdn command on the LNS to view the users that have successfully dialed in.

1.      Run the show vpdn command to view tunnels established on the LNS.

As shown in the above figure, one tunnel has been established and two clients have been connected to the LNS.

View information on the virtual-vpdn interface.

Two clients have dialed in. There is only one virtual-vpdn interface as the logical interface.

2.      After the tunnel is established, view the PPP negotiation result on the clients.

3.      The clients obtain IP addresses through successful PPP negotiation. View the host routes learned by both clients.

4.      Test network connectivity.

L2TP 2.0 Compulsory Tunnel Mode – AAA Authentication

Features

In L2TP compulsory tunnel mode, the LAC terminates calls from remote access clients, and then extends the PPP sessions to the LNS through a tunnel across an intermediate network. In this mode, the remote access clients are not required to know L2TP and only have to dial in to the LAC via PPP. 3G solutions adopt this mode.

Scenario

A company rents a 3G network from an ISP. Its branch routers need to dial in to the intranet of the headquarters via the 3G network. The headquarters authenticates branch routers by AAA. For this purpose, you can set up compulsory L2TP tunnel mode between the ISP network and the headquarters intranet, and configure AAA authentication for PPP authentication.

I. Networking Requirements

Take a 3G scenario as an example: RSR series routers are used as the LNS and converge the L2TP sessions of all clients. Authentication and IP address assignment for all users are performed on the RADIUS server.

II. Network Topology

 

Analog Topology:

III. Configuration Tips

The major difference between the configurations of L2TP VPN 2.0 and 1.0 is the LNS configuration: 1. A virtual-vpdn 2.0 interface must be created first; 2. The source IP address of the vpdn-group of the LNS must be specified; 3. The virtual-vpdn interface must be configured with a static IP address; 4. A new command must be used to configure and call the address pool. Note: The virtual-vpdn interface automatically adjusts the MSS (the length of the header encapsulated by L2TP is deducted). However, when the interface is used together with other VPNs, the MSS must be modified manually.

Configuration Steps:

1.      Configure the LNS VPDN.

2.      Configure the LNS address pool.

3.      Configure the LNS virtual-vpdn interface.

4.      Configure the LNS AAA authentication.

5.      Configure the LNS AAA accounting.

6.      Configure the LNS compatibility command. (Optional)

7.      Configure PPP dial-up for remote clients.

IV. Configuration Steps

1.      Configure the LNS VPDN.

vpdn enable

interface virtual-vpdn 1  //Creates a virtual-vpdn interface first. The interface must be created in advance.

vpdn-group 1

 accept-dialin

 source-ip 172.18.10.201    //(Mandatory) It indicates the destination address of the LAC dial-in request packet and is generally the egress address of the dedicated line.

  protocol l2tp

  virtual-vpdn 1            //Requires that the protocol is set to L2TP. Otherwise, this command is not displayed during configuration.

 l2tp tunnel authentication                       //Enables L2TP tunnel authentication as required.

 l2tp tunnel password ruijie          //Sets the L2TP tunnel authentication password to ruijie.

 

Note:

1)     After configuring tunnel authentication and the password on the LNS, configure the same on the L2TP client. Otherwise, L2TP negotiation fails.

2)     If the destination address of the LAC dial-in request packet is the loopback address of the LNS, the source-ip command will not take effect and must be replaced with the bind slot-id command. The slot-id indicates the line card slot number of the dedicated line egress. This command is supported in version 10.4(3b31)p1 or later.

2.      Configure the LNS address pool.

vpdn pool test 100.1.1.1 100.1.1.100               //Configures the address pool for the L2TP user. The command differs from the one used in L2TP VPN 1.0.

 

3.      Configure the LNS virtual-vpdn interface.

  

interface Virtual-vpdn 1

 ppp authentication chap

 ip address 10.1.1.1 255.255.255.0   //The virtual-vpdn interface must be configured with a static IP address.

 vpdn intf_pool test               //Calls the address pool configured for the VPDN on the interface. The command differs from the one used in L2TP VPN 1.0.

 

4.      Configure the LNS AAA authentication.

aaa new-model

radius-server host 192.168.57.222 key ruijie   //Specifies the RADIUS server and the key.

aaa authentication ppp default group radius  //Specifies RADIUS for PPP authentication.

 

5.      Configure the LNS AAA accounting.

aaa new-model

aaa accounting update periodic 1        //Sets the accounting update interval to 1 minute. The default is 5 minutes and the minimum is 1 minute.

aaa accounting update                      //Enables accounting update.

aaa accounting network default start-stop group radius  //Specifies RADIUS for the start-accounting and stop-accounting requests of network users.

 

Note:

Enable AAA accounting only when the RADIUS server assigns IP addresses to users from its address pool, because the AAA address pool assigns and releases IP addresses through the user accounting function. If AAA assigns static IP addresses to AAA users, do not enable AAA accounting.

6.      Configure the LNS compatibility command. (Optional)

In the 3G scenario, the 3G client dial-up may fail after configuration because the LNS is incompatible with the LAC. Test the following compatibility commands separately.

Run the following commands to make the LNS ignore the PPP authentication message from the LAC and force the LNS to perform another CHAP authentication on the client.

Ruijie(config)#vpdn-group 1

Ruijie(config-vpdn)#force-local-chap

 

Run the following commands to make the LNS ignore the PPP negotiation message from the LAC and force the LNS to renegotiate LCP with the client.

Ruijie(config)#vpdn-group 1

Ruijie(config-vpdn)#force-local-lcp

 

Run the following commands to ignore errors reported by control packets.

Ruijie(config)#vpdn-group 1

Ruijie(config-vpdn)#lcp renegotiation always

 

7.      Configure PPP dial-up for remote clients.

(1)    In the 3G scenario, see Typical Configuration > WAN Interface Configuration > 3G Interface Dial-up > 3G VPDN.

(2)    In case of ADSL dial-up, see Typical Configuration > WAN Interface Configuration > ADSL Dial-up.

(3)    Dial up through common serial ports.

interface Serial0/0

 ip address negotiated                       //Obtains an address from the LNS through negotiation.

 encapsulation ppp

 ppp chap hostname test@ruijie.com.cn

 ppp chap password test

 

V. Verification

1.      View VPDN tunnels established on the LNS.

After configuration, dial-up is triggered on the L2TP client (or 3G client). If dial-up is successful, run the show vpdn command on the LNS to view the users that have successfully dialed in.

View information on the virtual-vpdn interface.

Two clients have dialed in. There is only one virtual-vpdn interface as the logical interface.

2.      After the tunnel is established, view the PPP negotiation result on the client.

3.      The clients obtain IP addresses through successful PPP negotiation. View the host routes learned by both clients.

4.      Test network connectivity.

 

L2TP 2.0 Voluntary Tunnel Mode – Local User Authentication

Features

In voluntary tunnel mode, a remote client runs the L2TP software and functions as an LAC in the L2TP connection model. The remote client/LAC ("LAC Client" in RFC 2661) is connected to the LNS. PPP frames are forwarded directly through the L2TP tunnel between the client and the LNS. It is generally used for mutual access between the headquarters and branches of a company.

Scenario

If the headquarters of a company and its branches need to share data through their intranets and data security is not highly emphasized, the headquarters verifies branch routers by local user names and passwords. For this purpose, you can enable L2TP VPN in compulsory mode on the network devices of the headquarters and branches, and configure local authentication for PPP authentication.

I. Networking Requirements

Due to business development, a company sets up multiple branches all over the country. The egress router in the headquarters is connected to the Internet through a dedicated line of an ISP, while the branches are connected to the Internet through a dedicated line or ADSL. The branches need to access the service server in the headquarters, and communication data between the branches and the headquarters needs to be encrypted to ensure service security.

For this purpose, you can create an L2TP VPN between the egress routers of the headquarters and the branches to realize mutual access.

II. Network Topology

Analog Topology:

III. Configuration Tips

The major difference between the configurations of L2TP VPN 2.0 and 1.0 is the LNS configuration: 1. A virtual-vpdn 2.0 interface must be created first; 2. The source IP address of the vpdn-group of the LNS must be specified; 3. The virtual-vpdn interface must be configured with a static IP address; 4. A new command must be used to configure and call the address pool. Note: The virtual-vpdn interface automatically adjusts the MSS (the length of the header encapsulated by L2TP is deducted). However, when the interface is used together with other VPNs, the MSS must be modified manually.

Configuration Steps:

1.      Configure the LNS VPDN.

2.      Configure the LNS address pool and user information.

3.      Configure the LNS virtual-vpdn interface.

4.      Configure PPP dial-up for branch routers.

5.      Configure an L2TP CLASS for branch routers.

6.      Configure an L2TP pseudowire-class interface for branch routers.

7.      Configure a virtual-ppp interface for branch routers.

IV. Configuration Steps

1.      Configure the LNS VPDN.

vpdn enable

interface virtual-vpdn 1  //Creates a virtual-vpdn 2.0 interface first. The interface must be created in advance.

vpdn-group 1

 accept-dialin

 source-ip 12.1.1.2    //(Mandatory) It indicates the destination address of the LAC dial-in request packet and is generally the egress address of the dedicated line.

  protocol l2tp

  virtual-vpdn 1              //Requires that the protocol is set to L2TP. Otherwise, this command is not displayed during configuration.

 l2tp tunnel authentication           //Enables L2TP tunnel authentication as required.

 l2tp tunnel password ruijie         //Sets the L2TP tunnel authentication password to ruijie.

 

Note:

1)     After configuring tunnel authentication and the password on the LNS, configure the same on the L2TP client. Otherwise, L2TP negotiation fails.

2)     If the destination address of the LAC dial-in request packet is the loopback address of the LNS, the source-ip command will not take effect and must be replaced with the bind slot-id command. The slot-id indicates the line card slot number of the dedicated line egress. This command is supported in version 10.4(3b31)p1 or later.

2.      Configure the LNS address pool and user information.

vpdn pool test 100.1.1.1 100.1.1.100   //Configures the address pool for the L2TP user. The command differs from the one used in L2TP VPN 1.0.

username test password test            //Adds the account and password of the L2TP client for local authentication.

 

3.      Configure the LNS virtual-vpdn interface.

interface Virtual-vpdn 1

 ppp authentication chap

 ip address 10.1.1.1 255.255.255.0  //The virtual-vpdn interface must be configured with a static IP address.

 vpdn intf_pool test              //Calls the address pool configured for the VPDN on the interface. The command differs from the one used in L2TP VPN 1.0.

 

The configuration of branch routers (client/LAC) is the same as that of L2TP VPN 1.0 clients in voluntary tunnel mode.

4.      Configure PPP dial-up for branch routers.

Ensure that branch routers have been connected to the Internet and can communicate with the LNS.

In case of ADSL dial-up, see Typical Configuration > WAN Interface Configuration > ADSL Dial-up.

5.      Configure an L2TP CLASS for branch routers.

l2tp-class l2x

 hostname site1 //Optional.

 authentication          //Enables L2TP tunnel authentication.

 password ruijie            //Sets the L2TP tunnel authentication password to ruijie.

 

Note: Configure the same tunnel authentication and password on the L2TP client as on the LNS. Otherwise, L2TP negotiation fails.

6.      Configure an L2TP pseudowire-class interface for branch routers.

pseudowire-class pw

 encapsulation l2tpv2   //Specifies L2TPv2 for encapsulation.

 protocol l2tpv2 l2x   //Specifies L2TPv2 as the tunneling protocol and "l2x" as the L2TP class.

 ip local interface gi 0/0       //Specifies the source IP address for L2TP tunnel negotiation. It is the address of the external network interface.

 

7.      Configure a virtual-ppp interface for branch routers.

interface Virtual-ppp 1

 ip ref

 ppp chap hostname test    //Configures the user name for CHAP authentication.

 ppp chap password test                          //Configures the password for CHAP authentication.

 ip address negotiate                          //Configures IP addresses to be automatically assigned.

 pseudowire 12.1.1.2 1 pw-class pw           //Specifies the LNS address and "pw" as the pseudowire-class.

 

V. Verification

1. View the status on the L2TP client.

1)     After configuration, the branch router automatically initiates L2TP dial-up. If dial-up is successful, run the show ip interface brief command to confirm that the interface is UP and a correct IP address has been obtained.

2)     View the routing table and confirm that there is a host route to the IP address of the LNS virtual-vpdn interface, directly connected through the virtual-ppp interface.

3)     The L2TP client can ping the IP address of the virtual-vpdn interface of the LNS.

2. View the status on the LNS.

(1)    Run the show vpdn command to view users that have dialed in.

Two users have dialed in.

(2)    View the VPDN interface generated on the LNS.

Only one virtual-vpdn interface is generated.

(3)    Check routing tables generated for the two clients.

Two host routes are generated for the two clients.

 

L2TP 2.0 Voluntary Tunnel Mode – AAA Authentication

Features

In voluntary tunnel mode, a remote client runs the L2TP software and functions as an LAC in the L2TP connection model. The remote client/LAC ("LAC Client" in RFC 2661) is connected to the LNS, and PPP frames are forwarded directly through the L2TP tunnel between the client and the LNS. It is generally used for mutual access between the headquarters and branches of a company.

Scenario

If the headquarters of a company and its branches need to share data through their intranets and data security is not highly emphasized, the headquarters verifies branch routers by local user names and passwords. For this purpose, you can enable L2TP VPN in compulsory mode on the network devices of the headquarters and branches, and configure local authentication for PPP authentication.

I. Networking Requirements

Due to business development, a company sets up multiple branches all over the country. The egress router in the headquarters is connected to the Internet through a dedicated line of an ISP, while the branches are connected to the Internet through a dedicated line or ADSL. The branches need to access the service server in the headquarters, and communication data between the branches and the headquarters needs to be encrypted to ensure service security.

For this purpose, you can create an L2TP VPN between the egress routers of the headquarters and the branches to realize mutual access.

II. Network Topology

Analog Topology:

III. Configuration Tips

The major difference between the configurations of L2TP VPN 2.0 and 1.0 is the LNS configuration: 1. A virtual-vpdn 2.0 interface must be created first; 2. The source IP address of the vpdn-group of the LNS must be specified; 3. The virtual-vpdn interface must be configured with a static IP address; 4. A new command must be used to configure and call the address pool. Note: The virtual-vpdn interface automatically adjusts the MSS (the length of the header encapsulated by L2TP is deducted). However, when the interface is used together with other VPNs, the MSS must be modified manually.

Configuration Steps:

1.      Configure the LNS VPDN.

2.      Configure the LNS address pool.

3.      Configure the LNS virtual-vpdn interface.

4.      Configure the LNS AAA authentication.

5.      Configure the LNS AAA accounting.

6.      Configure PPP dial-up for branch routers.

7.      Configure an L2TP CLASS for branch routers.

8.      Configure an L2TP pseudowire-class interface for branch routers.

9.      Configure a virtual-ppp interface for branch routers.

IV. Configuration Steps

1.      Configure the LNS VPDN.

vpdn enable

interface virtual-vpdn 1   //Creates a virtual-vpdn interface first. The interface must be created in advance.

vpdn-group 1

 accept-dialin

 source-ip 172.18.10.201     //(Mandatory) It indicates the destination address of the LAC dial-in request packet and is generally the egress address of the dedicated line.

  protocol l2tp

  virtual-vpdn 1            //Requires that the protocol is set to L2TP. Otherwise, this command will not be displayed during configuration.

 l2tp tunnel authentication                       //Enables L2TP tunnel authentication as required.

 l2tp tunnel password ruijie                     //Sets the L2TP tunnel authentication password to ruijie.

 

Note:

1)     After configuring tunnel authentication and the password on the LNS, configure the same on the L2TP client. Otherwise, L2TP negotiation fails.

2)     If the destination address of the LAC dial-in request packet is the loopback address of the LNS, the source-ip command will not take effect and must be replaced with the bind slot-id command. The slot-id indicates the line card slot number of the dedicated line egress. This command is supported in version 10.4(3b31)p1 or later.

2.      Configure the LNS address pool.

vpdn pool test 100.1.1.1 100.1.1.100               //Configures the address pool of the L2TP user. The command differs from the one used in L2TP VPN 1.0.

 

3.      Configure the LNS virtual-vpdn interface.

interface Virtual-vpdn 1

 ppp authentication chap

 ip address 10.1.1.1 255.255.255.0     //The virtual-vpdn interface must be configured with a static IP address.

 vpdn intf_pool test               //Calls the address pool configured for the VPDN on the interface. The command differs from the one used in L2TP VPN 1.0.

 

4.      Configure the LNS AAA authentication.

aaa new-model

radius-server host 192.168.57.222 key ruijie   //Specifies the RADIUS server and the key.

aaa authentication ppp default group radius         //Specifies RADIUS for PPP authentication.

 

5.      Configure the LNS AAA accounting.

aaa new-model

aaa accounting update periodic 1      //Sets the accounting update interval to 1 minute. The default is 5 minutes and the minimum is 1 minute.

aaa accounting update                      //Enables accounting update.

aaa accounting network default start-stop group radius //Specifies RADIUS for the start-accounting and stop-accounting requests of network users.

 

Note:

Enable AAA accounting only when the RADIUS server assigns IP addresses to users from its address pool, because the AAA address pool assigns and releases IP addresses through the user accounting function. If AAA assigns static IP addresses to AAA users, do not enable AAA accounting.

The configuration of branch routers (client/LAC) is the same as that of L2TP VPN 1.0 clients in voluntary tunnel mode.

6.      Configure PPP dial-up for branch routers.

Ensure that branch routers have been connected to the Internet and can communicate with the LNS.

In case of ADSL dial-up, see Typical Configuration > WAN Interface Configuration > ADSL Dial-up.

7.      Configure an L2TP CLASS for branch routers.

l2tp-class l2x

 hostname site1

 authentication  //Enables L2TP tunnel authentication.

 password ruijie            //Sets the L2TP tunnel authentication password to ruijie.

 

Note: Configure the same tunnel authentication password on the L2TP client as on the server. Otherwise, L2TP negotiation fails.

8.      Configure an L2TP pseudowire-class interface for branch routers.

pseudowire-class pw

 encapsulation l2tpv2 //Specifies L2TPv2 for encapsulation.

 protocol l2tpv2 l2x         //Specifies L2TPv2 as the tunneling protocol and "l2x" as the L2TP class.

 ip local interface gi 0/0        //Specifies the source IP address for L2TP tunnel negotiation. It is the address of the external network interface.

 

9.      Configure a virtual-ppp interface for branch routers.

interface Virtual-ppp 1

 ip ref

 ppp chap hostname test               //Configures the user name for CHAP authentication.

 ppp chap password test                             //Configures the password for CHAP authentication.

 ip address negotiate                                    //Configures IP addresses to be automatically assigned.

 pseudowire 172.18.10.201 1 pw-class pw           //Specifies the LNS address and "pw" as the pseudowire-class.

 

V. Verification

1.      Run the show vpdn command to check whether an L2TP tunnel is established.

(1)    LAC/Client

(2)    LNS

2.      Confirm that a tunnel has been established. Check whether the IP address of the virtual-ppp interface on the LAC/client has been obtained.

The IP address assigned by the LNS has been obtained.

3.      Check whether there is a host route to the peer end.

(1)    LAC/Client

(2)    LNS

4.      Verification

(1)    LAC/client

(2)    LNS

 

1.4.7    Local Attack Protection

 

Features:

Working Principle:

The local attack protection feature is a packet rate limiting technology. It limits the rate of the various packets sent to the CPU for processing, so as to prevent high CPU usage from affecting data forwarding of the whole device when a great number of packets are sent to the CPU for processing.

Applying Rules:

Since this feature limits rates based on packet type, it may also limit the rates of normal packets and thus affect their forwarding (for example, normal fragmented packets need to be sent to the CPU for processing). Therefore, this feature is not recommended in a clean network environment. (This feature is disabled by default on devices other than the RSR77.)

Command Interpretation:

control-plane

!

control-plane protocol

 no acpp        //acpp globally limits the rate of the protocol plane (shown here in its disabled, no form).

!

control-plane manage

 no port-filter  //port-filter filters TCP and UDP ports that are not enabled locally (shown here in its disabled, no form).

 no arp-car    //arp-car limits the rate of ARP packets (shown here in its disabled, no form).

 no acpp        //acpp globally limits the rate of the management plane (shown here in its disabled, no form).

!

control-plane data

 no glean-car   //glean-car limits the rate of packets that match a directly connected route but whose IP address is not yet resolved (shown here in its disabled, no form).

 no acpp        //acpp globally limits the rate of the data plane (shown here in its disabled, no form).

Scenario:

1.      CPU usage is high because a large number of abnormal packets are sent to the CPU for processing. Typical causes and the corresponding limiter:

(1)    Many fragmented packets need to be reassembled by the CPU: use ACPP on the data plane to limit the rate.

(2)    Packets arrive whose destination is unreachable, so the CPU has to process them and reply that the route is unreachable: use glean-car on the data plane to limit the rate.

(3)    Attacks aimed at the local IP addresses of the device: use ACPP on the data plane to limit the rate.

Others.

2.      If the normal rate of a given packet type on the network can be predicted, configure a threshold at that level so that anything above it is treated as abnormal. For example, if about 10 legitimate ARP packets per second are expected, configure:

control-plane manage

 port-filter

 arp-car 10

 no acpp

Recommended Configuration:

Unless otherwise required, it is recommended to enable local attack protection with the following configuration:

control-plane

!

control-plane protocol

 acpp bw-rate 300 bw-burst-rate 600

!

control-plane manage

 port-filter

 arp-car 10

 acpp bw-rate 300 bw-burst-rate 600

!

control-plane data

 glean-car 5

 acpp bw-rate 300 bw-burst-rate 600
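The following Python model is added here as an illustration and is not part of the Ruijie cookbook. It shows what a per-type limiter such as arp-car 10 does to a constructed packet timeline: 10 legitimate ARP packets per second plus a 500-packet ARP burst aimed at the CPU. The router's actual algorithm and its burst depth are not described on this page, so the limiter is modelled as a token bucket whose depth equals one second of the configured rate; both are assumptions. The result shows the trade-off the Applying Rules paragraph warns about: the flood is cut to a handful of packets reaching the CPU, but legitimate ARP packets that arrive while the bucket is empty are dropped as well.

```python
"""Token-bucket model of a control-plane packet rate limit such as `arp-car 10`.

Added example, not Ruijie code. The page gives the rate (10 ARP packets per
second to the CPU) but not the algorithm or burst size, so both are assumed
here: a token bucket whose depth is one second's worth of the rate.
"""
from collections import defaultdict


class TokenBucket:
    """Tokens are kept in thousandths of a packet so that the refill arithmetic
    (rate_pps * elapsed_ms) stays in exact integers."""

    def __init__(self, rate_pps: int, burst_pkts: int):
        self.rate = rate_pps
        self.cap = burst_pkts * 1000
        self.tokens = self.cap            # bucket starts full
        self.last_ms = 0

    def admit(self, now_ms: int) -> bool:
        """True if a packet arriving at now_ms may be punted to the CPU."""
        self.tokens = min(self.cap, self.tokens + (now_ms - self.last_ms) * self.rate)
        self.last_ms = now_ms
        if self.tokens >= 1000:
            self.tokens -= 1000
            return True
        return False


def run_control_plane(policy: dict, packets: list) -> dict:
    """Apply per-class limiters to a timeline of (timestamp_ms, class, label).

    Classes with no limiter in `policy` reach the CPU unconditionally. Returns
    {label: {"admitted": n, "dropped": m}} so legitimate and attack traffic
    can be compared. Packets with equal timestamps are ordered by label, so the
    constructed flood below is processed before the legitimate ARP at a tie.
    """
    stats = defaultdict(lambda: {"admitted": 0, "dropped": 0})
    for ts, cls, label in sorted(packets, key=lambda p: (p[0], p[2])):
        bucket = policy.get(cls)
        ok = bucket.admit(ts) if bucket else True
        stats[label]["admitted" if ok else "dropped"] += 1
    return dict(stats)


def constructed_traffic() -> list:
    """Constructed sample: normal ARP at 10 packets/s for 5 s, plus a flood of
    500 ARP packets (one per millisecond) starting at t = 2 s."""
    legit = [(t, "arp", "legit") for t in range(0, 5000, 100)]
    flood = [(2000 + i, "arp", "attack") for i in range(500)]
    return legit + flood


def arp_car_demo() -> dict:
    """`arp-car 10` from the cookbook; the 10-packet burst depth is an assumption."""
    return run_control_plane({"arp": TokenBucket(10, 10)}, constructed_traffic())


if __name__ == "__main__":
    unlimited = run_control_plane({}, constructed_traffic())
    limited = arp_car_demo()
    for label in ("legit", "attack"):
        print(f"{label:6s} without arp-car: {unlimited[label]['admitted']:3d} to CPU; "
              f"with arp-car 10: {limited[label]['admitted']:3d} to CPU, "
              f"{limited[label]['dropped']:3d} dropped")
```

Without the limiter all 550 packets are punted; with arp-car 10 the CPU sees only the sustained rate plus the burst depth, and the four legitimate ARP packets that coincide with the flood are lost. If the normal rate is underestimated, that collateral loss becomes permanent rather than transient, which is why the page asks you to size the threshold from the predicted normal rate.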

1.5     Network Management and Monitoring

1.5.1    IPFIX

1.5.1.1    IPv4

 

Features

IP Flow Information Export (IPFIX) is a standard protocol for flow information measurement published by the Internet Engineering Task Force (IETF). Its advantages are:

1.      It is vendor-neutral: it can be applied to network devices and management systems of any manufacturer and exports traffic statistics collected by the network device itself, which makes it easy for administrators to extract and display the statistics that matter.

2.      The export format is highly extensible. If the traffic-monitoring requirements change, the administrator only needs to modify the configuration instead of upgrading software or management tools.

IPFIX is based on the "flow". A network device identifies traffic by seven key fields: source IP address, destination IP address, source port, destination port, Layer-3 protocol type, type of service, and input logical interface. IP packets in which all seven fields match are regarded as one flow. Recording the characteristics of each flow (for example, its duration and average packet length) makes it possible to understand the applications on the network and perform optimization, security detection and traffic-based billing.

IPFIX involves three roles: Exporter, Collector and Analyzer. Their relationship is as follows:

1.      The Exporter analyzes the network traffic, extracts the qualifying traffic statistics and exports them to the Collector. The Exporter is usually a network device with IPFIX enabled, for example a router or a switch.

2.      The Collector parses the packets from the Exporter and stores the statistics in a database for the Analyzer.

3.      The Analyzer extracts the statistics from the Collector and processes them into a basis for services; the data is displayed on a graphical interface.

NOTE: In the current application scenario the Collector and the Analyzer are usually integrated into a single server, for example a NetFlow server.

 

Scenario

An enterprise network administrator who needs to monitor network traffic deploys a NetFlow server to collect traffic data from the router (interface traffic and traffic forwarded by the device). IPFIX is enabled on the router to send the traffic data to the network management software.

 

I.Networking Requirements:

The RSR50 router serves as the egress. A NetFlow server is deployed in the inside network to process the traffic data that travels through the egress.

II. Network Topology:

 

III. Configuration:

1.      Configure IPFIX for the router.

2.      Configure the NetFlow server.

 

IV. Steps

1.      Configure IPFIX for the router.

(1)     Configure the IP address and port of the target NetFlow server. The default port is 9996.

ip flow-export destination 10.0.0.2 9996

(2)    Configure the source IP address of the exported flow records. By default, the address of the outbound interface is used.

ip flow-export source gigabitEthernet 0/1

(3)    Configure the flow template export frequency.

ip flow-export template timeout-rate 5

ip flow-export template refresh-rate 30

NOTE: With the values in Step 3, flow templates are retransmitted every 30 export packets or every five minutes, whichever comes first. By default they are retransmitted every 20 packets or every five minutes. A collector that starts listening after the last template was sent cannot decode data records until the next template arrives, so do not set these values too high.

(4)    Configure the packet format for flow record export.

ip flow-export version 9  //Exports flow records in Version 9 format.

NOTE: Ruijie routers support both the IPFIX format and the Version 9 format. Because some analysis software does not support Version 9, the IPFIX format is recommended unless the collector requires Version 9.

(5)    Configure aging of flow records in the cache.

ip flow-cache timeout active 1             //Sets the aging time for active flows to 1 minute.

ip flow-cache timeout inactive 10          //Sets the aging time for inactive flows to 10 seconds.

IPFIX counts traffic per data flow forwarded by the router. Only when a flow ages is its information and traffic converted into flow records, encapsulated in User Datagram Protocol (UDP) packets and sent to the server. A flow ages in either of two cases:

(1)     No packets of the flow are seen for a period of time (the inactive time): the flow ages and its information is exported.

(2)     A flow that lasts a long time cannot be recorded without limit; instead, a time limit (the active time) is set. When the limit is exceeded, the flow is aged and exported, and subsequent packets start a new record.

The suitable aging time depends on the application. Hypertext Transfer Protocol (HTTP) flows are short and bursty: each flow ages quickly, so IPFIX reports its state to the NetFlow server almost in real time. File Transfer Protocol (FTP) and Xunlei download flows, by contrast, may not age until the download finishes. If an FTP download takes one hour and the default active aging time of 30 minutes is used, the state of the FTP flow is updated and sent to the NetFlow server only every 30 minutes; the graph on the server then shows large, unexpected spikes instead of the steady line rate.

 Therefore, the aging time configured for flow records in the cache is critical.

NOTE: The flow record aging parameters are very important. Improper values lead to faults such as inaccurate traffic figures, so the values above are recommended (aging time of 1 minute for active flows and 10 seconds for inactive flows).
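As an added illustration (not code from the cookbook or from Ruijie), the Python flow cache below implements the seven-field flow key and the two aging timers described above and runs them over constructed traffic: a short HTTP burst and a 150-second FTP-data transfer at one packet per second. With timeout active 1 and timeout inactive 10 the transfer is exported once per minute; with the 30-minute default active timeout the same transfer surfaces as a single record only after it goes idle, which is the spiky graph the paragraph describes. Addresses, packet sizes and timings are constructed sample data.

```python
"""Flow cache with active/inactive aging, as configured by ip flow-cache timeout.

Added example, not Ruijie code: it models the seven key fields the page lists
and the two aging timers. All traffic below is constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class FlowKey:
    """The seven fields that identify a flow: matching packets share one entry."""
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: int
    tos: int
    in_if: str


@dataclass
class FlowEntry:
    key: FlowKey
    first_seen: float
    last_seen: float
    packets: int = 0
    octets: int = 0


class FlowCache:
    def __init__(self, active_s: float, inactive_s: float):
        self.active = active_s        # timeout active (page: 1 minute = 60 s)
        self.inactive = inactive_s    # timeout inactive (page: 10 s)
        self.table = {}
        self.exported = []            # (reason, FlowEntry) handed to the exporter

    def _age(self, now: float) -> None:
        """Export and remove every entry whose timer has run out."""
        for key, e in list(self.table.items()):
            if now - e.last_seen >= self.inactive:
                reason = "inactive"               # no packets for inactive_s
            elif now - e.first_seen >= self.active:
                reason = "active"                 # long-lived flow: export a slice
            else:
                continue
            self.exported.append((reason, e))
            del self.table[key]

    def observe(self, now: float, key: FlowKey, octets: int) -> None:
        self._age(now)
        e = self.table.get(key)
        if e is None:                             # a flow aged by the active timer restarts here
            e = self.table[key] = FlowEntry(key, now, now)
        e.last_seen = now
        e.packets += 1
        e.octets += octets

    def flush(self, now: float) -> None:
        self._age(now)


def constructed_packets() -> list:
    """(timestamp_s, key, octets): a 5-packet HTTP burst and a 150 s FTP-data
    transfer at one 1400-byte packet per second, both ingress on Gi0/0."""
    http = FlowKey("192.168.1.10", "10.0.0.5", 40000, 80, 6, 0, "Gi0/0")
    ftp = FlowKey("192.168.1.20", "10.0.0.6", 50000, 20, 6, 0, "Gi0/0")
    pkts = [(i * 0.2, http, 200) for i in range(5)]
    pkts += [(float(t), ftp, 1400) for t in range(150)]
    return sorted(pkts, key=lambda p: p[0])


def export_records(active_s: float, inactive_s: float) -> list:
    """Run the sample traffic through a cache and return
    (reason, dst_port, packets, octets) for every exported record."""
    cache = FlowCache(active_s, inactive_s)
    pkts = constructed_packets()
    for ts, key, octets in pkts:
        cache.observe(ts, key, octets)
    cache.flush(pkts[-1][0] + inactive_s)         # idle period after the last packet
    return [(reason, e.key.dst_port, e.packets, e.octets) for reason, e in cache.exported]


if __name__ == "__main__":
    print("active 60 s / inactive 10 s:", export_records(60, 10))
    print("active 30 min / inactive 10 s:", export_records(1800, 10))
```

With the recommended timers the FTP transfer produces three records (two active-timeout slices of 60 packets and a final inactive-timeout slice), so the collector can plot a steady rate; with a 30-minute active timeout it produces one 150-packet record after the transfer ends, which the collector plots as a single spike.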

(6)    Enable traffic counting.

ip access-list standard 1

 10 permit any              //Configures the Access Control List (ACL) that defines the traffic to be counted.

interface gigabitEthernet 0/0

 ip flow egress             //Enables traffic counting in the egress direction.

 ip flow ingress            //Enables traffic counting in the ingress direction.

 flow-sample 255 filter 1   //Configures the flow sampling rate and associates the ACL with the traffic to be counted.

NOTE: On RSR77 routers running a version later than 3B21, configure the sampling rate with the ip flow-sample fix xx filter y command instead.

Command interpretation:

The sampling rate cannot be adjusted with the "flow-sample 255 filter 1" command. Even if "255" is configured, the sampling rate remains 1:1.

The sampling rate can be adjusted with the "ip flow-sample fix xx filter y" command. For example, "ip flow-sample fix 2 filter 1" sets the sampling rate to 1:2.

Notes:

1. Because IPFIX on RSR routers is implemented in software, the sampling rate cannot be configured on versions earlier than 3B21. You can, however, filter the data flows that are analyzed through standard or extended ACLs.

2. After running ip flow egress or ip flow ingress on the interface, you must also run the flow-sample command to configure flow filtering; otherwise, port traffic is not converted into IPFIX traffic.

2.      Configure the NetFlow server.

Check that the port the server listens on matches the export destination port configured on the RSR router. If the two do not match, the server cannot analyze the traffic.

NOTE: For detailed configuration, see the NetFlow Analyzer Operation Manual.pdf.

 

V. Verification

1.       Display the interfaces on which NetFlow is enabled.

Ruijie#show ip flow interface

GigabitEthernet0/0

  ip flow ingress

  ip flow egress

2.       Display flow information in the cache.

Ruijie#show ip flow cache

ip flow switching cache, 60000 entries

    38 active, 59962 inactive

    active flows timeout in 1 minutes

    inactive flows timeout in 10 seconds

 

Protocol      Total Flows    Total packets  Total bytes    Active time   

tcp-http      14             71             14296          294           

udp-ntp       1              1              76             62            

udp-http      2              2              60             123           

udp-dns       6              10             896            296           

udp-other     1425           2081           122699         82620         

udp           1434           2094           123731         83101

tcp           14             71             14296          294           

Total:        1448           2165           138027         83395         

 

Display entries in main cache :

SrcIf  SrcIPAddress      DstIf   DstIPAddress      Pr   Tos  SrcPort DstPort Pkts    ActiveTime

1      84.229.249.50     2   192.168.33.187    17   0    4671    23887   0       37

2      192.168.33.187    1   83.149.116.231    17   0    15005   4254    1       54

2      192.168.33.187    1   193.138.230.251   17   0    15005   4254    1       9

2      192.168.33.187    1   190.51.222.59     17   0    23887   11331   1       41

2      192.168.33.187    1   88.191.40.237     17   0    15005   3310    1       24

2      192.168.51.34     65535 192.168.51.255    17   0    137     137     0      7

2      192.168.33.62     1   192.168.33.255    17   0    137     137     1        13

NOTE: Flows in the cache are active. After a flow ages, the device sends its statistics to the NetFlow server.

3.       Display exported flow information.

Ruijie#show ip flow export

cache for main metering process:

      flow export is enabled

       Exporting flows to 10.0.0.2 (2055)

       Exporting using source interface GigabitEthernet 0/1

       Template export information:

          Template timeout = 5 minutes

          Template refresh rate = 30 packets

       total 2070 packets metering

       total 0 packets dropped for no memory

       total 1366 flows exported in 180 udp datagrams

        0 ipfix message export failed

NOTE: When the NetFlow server does not see any traffic, check the output of show ip flow export first. Confirm the export destination address and port (here 10.0.0.2 and 2055; the port must be the one the collector listens on, which in the configuration above was 9996), and check that the packet and datagram counters are increasing and that no export failures are reported.

4.       Display the monitored data on the NetFlow server.

(1)     Display interface traffic and rates.

(2)     Display real-time traffic on an interface.
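When the collector shows nothing although show ip flow export reports datagrams leaving the router (see also FAQ item 1 below), decoding the captured UDP payload is the quickest way to tell a firewall problem from a template problem. The following Python decoder is an added example, not Ruijie or NetFlow Analyzer code. It parses the NetFlow Version 9 export format (RFC 3954: a 20-byte header, template FlowSets with ID 0, and data FlowSets identified by their template ID) and also builds constructed export packets so that it runs offline; the field numbers, addresses and counters in those packets are sample data. It demonstrates why the template timeout-rate and refresh-rate settings matter: a data FlowSet that arrives before its template cannot be decoded, so a collector started mid-stream stays blind until the next template refresh.

```python
"""Minimal NetFlow Version 9 (RFC 3954) decoder for checking what a router exports.

Added example, not Ruijie or NetFlow Analyzer code. Only the field types used by
the constructed template are named; others come back as field_<type>. Packets
from build_template_packet()/build_data_packet() are constructed sample data.
"""
import socket
import struct

# RFC 3954 field type numbers used by the constructed template below
FIELD_NAMES = {
    1: "IN_BYTES", 2: "IN_PKTS", 4: "PROTOCOL", 5: "SRC_TOS", 7: "L4_SRC_PORT",
    8: "IPV4_SRC_ADDR", 10: "INPUT_SNMP", 11: "L4_DST_PORT", 12: "IPV4_DST_ADDR",
}
# (field type, length in bytes); 24 bytes per data record
TEMPLATE_256 = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (5, 1), (10, 2), (2, 4), (1, 4)]


class V9Decoder:
    """Keeps templates per (source_id, template_id), as a collector must."""

    def __init__(self):
        self.templates = {}

    def decode(self, pkt: bytes) -> dict:
        version, _count, _uptime, _secs, seq, source_id = struct.unpack("!HHIIII", pkt[:20])
        if version != 9:
            raise ValueError(f"not a NetFlow v9 packet (version {version})")
        records, undecodable, off = [], 0, 20
        while off + 4 <= len(pkt):
            set_id, length = struct.unpack("!HH", pkt[off:off + 4])
            if length < 4:
                raise ValueError("malformed FlowSet length")
            body = pkt[off + 4:off + length]
            if set_id == 0:                       # template FlowSet
                self._parse_templates(source_id, body)
            elif set_id >= 256:                   # data FlowSet
                tmpl = self.templates.get((source_id, set_id))
                if tmpl is None:
                    undecodable += 1              # template not seen yet
                else:
                    records.extend(self._parse_data(tmpl, body))
            off += length
        return {"sequence": seq, "source_id": source_id,
                "records": records, "undecodable_flowsets": undecodable}

    def _parse_templates(self, source_id: int, body: bytes) -> None:
        off = 0
        while off + 4 <= len(body):
            tid, nfields = struct.unpack("!HH", body[off:off + 4])
            off += 4
            if nfields == 0:                      # zero padding at the end
                break
            fields = [struct.unpack("!HH", body[off + 4 * i:off + 4 * i + 4]) for i in range(nfields)]
            off += 4 * nfields
            self.templates[(source_id, tid)] = fields

    @staticmethod
    def _parse_data(tmpl: list, body: bytes) -> list:
        rec_len = sum(flen for _, flen in tmpl)
        out, off = [], 0
        while off + rec_len <= len(body):         # trailing bytes are padding
            rec = {}
            for ftype, flen in tmpl:
                raw = body[off:off + flen]
                off += flen
                name = FIELD_NAMES.get(ftype, f"field_{ftype}")
                rec[name] = socket.inet_ntoa(raw) if ftype in (8, 12) and flen == 4 else int.from_bytes(raw, "big")
            out.append(rec)
        return out


def _header(count: int, seq: int, source_id: int) -> bytes:
    return struct.pack("!HHIIII", 9, count, 123456, 1600000000, seq, source_id)


def build_template_packet(seq: int, tid: int = 256, fields=TEMPLATE_256, source_id: int = 1) -> bytes:
    body = struct.pack("!HH", tid, len(fields)) + b"".join(struct.pack("!HH", t, ln) for t, ln in fields)
    return _header(1, seq, source_id) + struct.pack("!HH", 0, 4 + len(body)) + body


def build_data_packet(seq: int, flows: list, tid: int = 256, source_id: int = 1) -> bytes:
    body = b"".join(
        socket.inet_aton(f["src"]) + socket.inet_aton(f["dst"])
        + struct.pack("!HHBBHII", f["sport"], f["dport"], f["proto"], 0, f["in_if"], f["pkts"], f["bytes"])
        for f in flows)
    body += b"\x00" * (-len(body) % 4)            # pad the FlowSet to a 4-byte boundary
    return _header(len(flows), seq, source_id) + struct.pack("!HH", tid, 4 + len(body)) + body


def collector_demo() -> dict:
    """Constructed stream: a data packet arrives before its template (collector
    started mid-stream), then the template refresh, then the data again."""
    flows = [
        {"src": "192.168.33.187", "dst": "83.149.116.231", "sport": 15005, "dport": 4254,
         "proto": 17, "in_if": 2, "pkts": 1, "bytes": 76},
        {"src": "84.229.249.50", "dst": "192.168.33.187", "sport": 4671, "dport": 23887,
         "proto": 17, "in_if": 1, "pkts": 3, "bytes": 300},
    ]
    dec = V9Decoder()
    before = dec.decode(build_data_packet(100, flows))
    dec.decode(build_template_packet(101))
    after = dec.decode(build_data_packet(102, flows))
    return {"before_template": before, "after_template": after}


if __name__ == "__main__":
    result = collector_demo()
    print("undecodable FlowSets before the template:", result["before_template"]["undecodable_flowsets"])
    for rec in result["after_template"]["records"]:
        print(rec)
```

To use it on a real capture, feed the UDP payload of each packet to V9Decoder.decode() in arrival order and watch undecodable_flowsets: a non-zero value that never clears means the template is not reaching the collector; a sequence number that jumps means datagrams are being lost between the router and the server. The decoder keys templates by source ID as well as template ID, because two exporters can legitimately use the same template number.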

 

Appendix: FAQ

1.      The IPFIX UDP packets can be captured on the NetFlow server, but no data is obtained.

Check the firewall and antivirus software configuration on the server's operating system (OS): a host firewall or antivirus that blocks the export port prevents the collector from reading the packets.

2.      The real-time traffic graph on the NetFlow server is inaccurate and fluctuates wildly.

Set the flow aging parameters to low values:

ip flow-cache timeout active 1

ip flow-cache timeout inactive 10

The shorter the aging time, the closer the reported real-time traffic is to the actual value.

3.      The IPFIX sampling rate cannot be configured on RSR routers.

Because IPFIX on RSR routers is implemented in software, sampling does not take effect even though the flow-sample packet-number filter acl-name command is accepted. The purpose of this command is to filter, through an ACL, the traffic passed to the IPFIX module (the traffic generated by ip flow ingress and ip flow egress on the port), so that only traffic matching the ACL is analyzed and exported to the NetFlow server. The packet-num parameter has no effect; the resulting sampling rate is always 1:1.

Because IPFIX on switches is implemented in hardware, the sampling rate can be modified there.

4.      The NetFlow server does not display interface names.

By default, the NetFlow server shows only the interface index number, not the interface name. To have names displayed, configure Simple Network Management Protocol (SNMP) parameters on the router and add the router as an SNMP-managed device on the NetFlow server.

Add an SNMP management device to the NetFlow server:

 

 

1.5.1.2    IPv6

 

Scenario

An enterprise network administrator who needs to monitor network traffic deploys a NetFlow server to collect traffic data from the router (interface traffic and traffic forwarded by the device). IPFIX is enabled on the router to send the traffic data to the network management software.

Currently, only RSR77 routers running versions later than Release 3B21 support IPv6 IPFIX.

I.Networking Requirements:

The RSR7708 router serves as the egress. A NetFlow server is deployed in the inside network to process the traffic data that travels through the egress.

II. Network Topology:

III. Configuration Tips

1.      Configure IPFIX for the router.

2.      Configure the NetFlow server.

IV. Configuration Steps

1.      Configure IPFIX for the router.

(1)    Configure the IP address and port ID of the target NetFlow server.

ipv6 flow-export destination 140.1.1.66 2055         //The exported flow records are sent to the collector's IP address and the port the collector listens on. The port must match the server configuration.

(2)   Configure the source IP address of the exported flow records. By default, the address of the outbound interface is used.

ipv6 flow-export source GigabitEthernet 1/2/0  //Uses the IPv6 address of this interface as the source address of exported packets.

(3)    Configure the flow template export frequency.

ipv6 flow-export template timeout-rate 5   //Retransmits the data and option templates every 5 minutes.

ipv6 flow-export template refresh-rate 10  //Retransmits the data and option templates every 10 export packets.

(4)    Configure the packet format for flow record export.

ipv6 flow-export version 9  //Specifies the export format version.

NOTE: Ruijie routers support both the IPFIX format and the Version 9 format. Because some analysis software does not support Version 9, the IPFIX format is recommended unless the collector requires Version 9.

(5)     Configure aging of flow records in the cache.

ipv6 flow-cache timeout active 1   //Sets the aging time for active flows: a long-lived flow is exported every minute.

ipv6 flow-cache timeout inactive 10            //Sets the aging time for inactive flows: a flow with no packets for 10 seconds is exported.

NOTE: The flow record aging parameters are very important. Improper values lead to faults such as inaccurate traffic figures, so the values above are recommended (aging time of 1 minute for active flows and 10 seconds for inactive flows).

For information on active and inactive flows, see the "IPv4" section.

(6)     Enable traffic counting.

ipv6 access-list v6

 10 permit ipv6 any any     //Analyzes all traffic on the interface.

interface GigabitEthernet 1/2/0

 ipv6 flow egress            //Enables sampling in the egress direction.

 ipv6 flow ingress           //Enables sampling in the ingress direction.

 ipv6 flow-sample fix 1 filter v6   //Samples the flows matched by ACL v6 at a rate of 1:1.

2.     Configure the NetFlow server.

See the "IPv4" section.

 

V. Verification

1.      Display the interfaces on which NetFlow isenabled.

Ruijie#show ipv6 flow interface

2.      Display flow information in the cache.

Ruijie#show ipv6 flow cache

As no traffic was generated in this test, the result is 0.

3.      Display exported flow information.

Ruijie#show ipv6 flow export

4.      Display the monitored data on the NetFlowserver.

See the "IPv4" section.

 

1.5.1.3    MPLS

 

Scenario

An enterprise network administrator who needs to monitor Multiprotocol Label Switching (MPLS) traffic deploys a NetFlow server to collect traffic data from the router (interface traffic and traffic forwarded by the device). IPFIX is enabled on the router to send the traffic data to the network management software.

Currently, only RSR77 routers running versions later than Release 3B21 support MPLS IPFIX.

I.Networking Requirements:

Two RSR7708 routers serve as Provider Edge (PE) devices of an MPLS Virtual Private Network (VPN). A NetFlow server is deployed in the inside network to process the traffic data that travels through the egress.

II. Network Topology:

III. Configuration Tips

1.      Configure IPFIX for the router.

2.      Configure the NetFlow server.

IV. Configuration Steps

Release 3B21 and later versions support MPLS IPFIX, and the Real-time Intelligent Infrastructure Library (RIIL) supports MPLS IPFIX-based presentation. The IPFIX configuration on an MPLS VPN does not depend on the VPN type: L2 VPN and L3 VPN use the same commands and method.

1.      Configure IPFIX for the router.

(1)    Enable IPFIX sampling for MPLS.

ip flow-cache mpls label-positions            //Enables MPLS sampling.

ip flow-cache mpls label-positions 1 2 3  //Configures the label positions to sample. No label position is sampled by default.

(2)    Configure the IP address and port of the target NetFlow server.

ip flow-export destination 10.1.1.2 9996        //The exported flow records are sent to the collector's IP address and the port the collector listens on. The port must match the server configuration.

(3)    Configure the source IP address of the exported flow records. By default, the address of the outbound interface is used.

ip flow-export source GigabitEthernet 3/0/1    //Uses the IP address of this interface as the source address of exported packets.

(4)    Configure the flow template export frequency.

ip flow-export template timeout-rate 5   //Retransmits the data and option templates every 5 minutes.

ip flow-export template refresh-rate 10  //Retransmits the data and option templates every 10 export packets.

(5)    Configure the packet format for flow record export.

ip flow-export version 9    //Specifies the export format version.

NOTE: Ruijie routers support both the IPFIX format and the Version 9 format. Because some analysis software does not support Version 9, the IPFIX format is recommended unless the collector requires Version 9.

(6)    Configure aging of flow records in the cache.

ip flow-cache timeout active 1   //Sets the aging time for active flows: a long-lived flow is exported every minute.

ip flow-cache timeout inactive 10           //Sets the aging time for inactive flows: a flow with no packets for 10 seconds is exported.

NOTE: The flow record aging parameters are very important. Improper values lead to faults such as inaccurate traffic figures, so the values above are recommended (aging time of 1 minute for active flows and 10 seconds for inactive flows).

For information on active and inactive flows, see the "IPv4" section.

(7)   Enable traffic counting.

ip access-list standard 1

 10 permit any     //Analyzes all traffic on the interface.

interface GigabitEthernet 3/0/1

 ip flow egress    //Enables sampling in the egress direction.

 ip flow ingress   //Enables sampling in the ingress direction.

 ip flow-sample fix 1 filter 1       //Samples the flows matched by ACL 1 at a rate of 1:1.

2.    Configure the NetFlow server.

See the "IPv4" section.

V. Verification

1.      Display the interfaces on which NetFlow is enabled.

Ruijie#show ip flow interface

2.      Display flow information in the cache.

Ruijie#show ip flow cache

3.      Display exported flow information.

Ruijie#show ip flow export

4.      Display the monitored data on the NetFlow server.

See the "IPv4"section.

 

1.6     Reliability

1.6.1    BFD

1.6.1.1    Multihop BFD

 

Scenario

An enterprise rents a Multi-Service Transmission Platform (MSTP) line from an Internet Service Provider (ISP) and uses static recursive routing over it. Because the local egress router cannot detect an interruption of an intermediate link, or whether the next hop of the recursive static route is still reachable, the routes do not converge and the network fails. In this case you can associate the static routes with multihop Bidirectional Forwarding Detection (BFD) on the router to detect an interruption inside the ISP's network and switch to the backup line in time.

 

I.Networking Requirements

RSR-A is the router of a financial service office. Two MSTP links are connected and floating static routes are used: ISP-A carries the active link, and when ISP-A is unavailable the device switches to ISP-B. Without a detection mechanism an Ethernet link is considered available as long as the interface is UP, so BFD is used as the link detection protocol. Unlike "direct BFD association", where the peer is directly connected, here the ISP's router sits between the two ends, so the connectivity of the entire path (two hops away) must be detected before the route is switched.

 

II. Network Topology

 

III. Configuration Tips

Access port:

1.      Configure floating static routing.

2.      Associate BFD with static routing.

3.      Configure static Address Resolution Protocol (ARP)-based binding.

Aggregation port:

1.      Configure floating static routing.

2.      Associate BFD with static routing.

3.      Configure static ARP-based binding.

 

IV. Configuration Steps

Access port:

1.      Configure floating static routing.

RSR-A(config)#interface gigabitEthernet 0/0

RSR-A(config-GigabitEthernet 0/0)#ip address 1.1.1.2 255.255.255.0

RSR-A(config)#interface gigabitEthernet 0/1

RSR-A(config-GigabitEthernet 0/1)#ip address 2.2.2.2 255.255.255.0

RSR-A(config)#ip route 0.0.0.0 0.0.0.0 gigabitEthernet 0/0 4.4.4.1

//NOTE: The next hop is set to 4.4.4.1 (the address of RSR-B, two hops away) so that the connectivity of the entire path is detected.

RSR-A(config)#ip route 0.0.0.0 0.0.0.0 2.2.2.1 200     //Configures the floating static route (administrative distance 200).

2.     Associate BFD with static routing.

RSR-A(config)#interface gigabitEthernet 0/0

RSR-A(config-GigabitEthernet 0/0)#bfd interval 500 min_rx 500 multiplier 3

//Configures the BFD timers. This command is required because it also enables BFD on the interface.

500/500/3 is recommended: a detection packet is sent every 500 ms and the link is declared down if 3 consecutive packets go unanswered (a detection time of 1.5 s).

RSR-A(config-GigabitEthernet 0/0)#no bfd echo

//Control (Ctrl) mode is recommended; the default mode is BFD echo mode.

Ctrl mode is recommended when connecting to other vendors' devices; otherwise the BFD session might fail to come up.

RSR-A(config)#ip route static bfd GigabitEthernet 0/0 4.4.4.1 source 1.1.1.2          //Associates BFD with the static route.

3.      Configure static ARP-based binding.

RSR-A(config)#arp 4.4.4.1 0011.1111.1111 arpa

//The next-hop address must be bound to a MAC address statically, because 4.4.4.1 is not on the connected subnet and cannot be resolved by ARP. 0011.1111.1111 is the Media Access Control (MAC) address of port GI0/0 on ISP-A.

Aggregation port:

1.      Configure floating static routing.

RSR-B(config)#interface gigabitEthernet 0/0

RSR-B(config-GigabitEthernet 0/0)#ip address 4.4.4.1 255.255.255.0

RSR-B(config)#interface gigabitEthernet 0/1

RSR-B(config-GigabitEthernet 0/1)#ip address 3.3.3.1 255.255.255.0

RSR-B(config)#ip route 192.168.1.0 255.255.255.0 gigabitEthernet 0/0 1.1.1.2

RSR-B(config)#ip route 192.168.1.0 255.255.255.0 3.3.3.2 200

2.      Associate BFD with static routing.

RSR-B(config)#interface gigabitEthernet 0/0

RSR-B(config-GigabitEthernet 0/0)#bfd interval 500 min_rx 500 multiplier 3

RSR-B(config-GigabitEthernet 0/0)#no bfd echo

RSR-B(config)#ip route static bfd GigabitEthernet 0/0 1.1.1.2 source 4.4.4.1

3.      Configure static ARP-based binding.

RSR-B(config)#arp 1.1.1.2 0022.2222.2222 arpa

//The next-hop address must be bound to a MAC address statically. 0022.2222.2222 is the MAC address of port GI0/1 on ISP-A.

 

V. Verification

1.      Run the show bfd neighbors command toconfirm the state of BFD neighbors.

R1#show bfd neighbors

OurAddr  NeighAddr  LD/RD RH/RS  Holdown(mult)  State  Int

1.1.1.2  4.4.4.1       2/1  Up       0(5   )        Up     GigabitEthernet 0/0

2.      Run the show ip route command to display the routing table.

3.       If the configuration and the link are correct, run the tracert command on RSR-A to the inside network address behind the aggregation router and confirm that the path goes through ISP-A.

4.      Shut down port GI0/0 on RSR-B to simulate an ISP-A failure. Then run the tracert command on RSR-A again and confirm that the path has switched to ISP-B.

 

1.6.1.2    BFD for RIP

 

Scenario

An enterprise rents a Multi-Service Transmission Platform (MSTP) line from an Internet Service Provider (ISP) and runs Routing Information Protocol (RIP) over it. Because the local egress router cannot detect an interruption of an intermediate link, routes do not converge quickly and the device cannot switch to the backup line in time. In this case you can associate RIP with Bidirectional Forwarding Detection (BFD) on the router to detect an interruption inside the ISP's network quickly and switch to the backup line in time, improving the user experience.

 

I.Networking Requirements

Router A and Router B are connected through a Layer-2 switch and exchange routes with RIP. RIP is associated with BFD on the interfaces of both routers, so that BFD quickly detects a fault on the link between Router B and the Layer-2 switch and notifies RIP to trigger fast convergence.

 

II. Network Topology

 

III. Configuration Tips

1.      Configure RIP routing.

2.     Associate RIP with BFD.

(1)    Enable BFD on the interface.

(2)    Select BFD mode.

(3)    Associate RIP with BFD.

 

IV. Configuration Steps

Router A configuration:

1.      Configure RIP routing.

RSR-A(config)#interface gigabitEthernet 2/1

RSR-A(config-GigabitEthernet 2/1)#ip ref

RSR-A(config-GigabitEthernet 2/1)#ip address 192.168.3.1 255.255.255.0

RSR-A(config)#interface gigabitEthernet 1/1

RSR-A(config-GigabitEthernet 1/1)#ip ref

RSR-A(config-GigabitEthernet 1/1)#ip address 192.168.1.1 255.255.255.0

RSR-A(config)#router rip

RSR-A(config-router)#version 2

RSR-A(config-router)#network 192.168.3.0

RSR-A(config-router)#network 192.168.1.0

2.     Associate RIP with BFD.

RSR-A(config)#interface gigabitEthernet 2/1

RSR-A(config-GigabitEthernet 2/1)#bfd interval 500 min_rx 500 multiplier 3

//Configures the BFD timers. This command is required because it also enables BFD on the interface.

500/500/3 is recommended: a detection packet is sent every 500 ms and the link is declared down if 3 consecutive packets go unanswered.

RSR-A(config-GigabitEthernet 2/1)#no bfd echo

//Control (Ctrl) mode is recommended; the default mode is BFD echo mode.

Ctrl mode is recommended when connecting to other vendors' devices; otherwise the BFD session might fail to come up.

RSR-A(config-GigabitEthernet 2/1)#ip rip bfd //Associates RIP with BFD on the interface facing the peer.

Router B configuration:

1.      Configure RIP routing.

RSR-B(config)#interface gigabitEthernet 2/1

RSR-B(config-GigabitEthernet 2/1)#ip ref

RSR-B(config-GigabitEthernet 2/1)#ip address 192.168.3.2 255.255.255.0

RSR-B(config)#interface gigabitEthernet 1/1

RSR-B(config-GigabitEthernet 1/1)#ip ref

RSR-B(config-GigabitEthernet 1/1)#ip address 192.168.2.1 255.255.255.0

RSR-B(config)#router rip

RSR-B(config-router)#version 2

RSR-B(config-router)#network 192.168.3.0

RSR-B(config-router)#network 192.168.2.0

2.      Associate RIP with BFD.

RSR-B(config)#interface gigabitEthernet 2/1

RSR-B(config-GigabitEthernet 2/1)#bfd interval 500 min_rx 500 multiplier 3

RSR-B(config-GigabitEthernet 2/1)#no bfd echo

RSR-B(config-GigabitEthernet 2/1)#ip rip bfd

 

V. Verification

1. Run the show bfd neighbors commandto confirm the state of BFD neighbors.

 

1.6.1.3    BFD for OSPF

 

Scenario

An enterprise rents a Multi-Service Transmission Platform (MSTP) line from an Internet Service Provider (ISP) and runs Open Shortest Path First (OSPF) over it. Because the local egress router cannot detect an interruption of an intermediate link, routes do not converge quickly and the device cannot switch to the backup line in time. In this case you can associate OSPF with Bidirectional Forwarding Detection (BFD) on the router to detect an interruption inside the ISP's network quickly and switch to the backup line in time, improving the user experience.

 

I.Networking Requirements

Router A and Router B are connected through a Layer-2 switch and exchange routes with OSPF. OSPF is associated with BFD on the interfaces of both routers, so that BFD quickly detects a fault on the link between Router B and the Layer-2 switch and notifies OSPF to trigger fast convergence.

 

II. Network Topology

 

III. Configuration Tips

1.      Configure OSPF routing.

2.      Associate OSPF with BFD.

(1)    Enable BFD on the interface.

(2)    Select BFD mode.

(3)    Associate OSPF with BFD.

 

IV. Configuration Steps

Router A configuration:

1.      Configure OSPF routing.

RSR-A(config)#interface gigabitEthernet 2/1

RSR-A(config-GigabitEthernet 2/1)#ip ref

RSR-A(config-GigabitEthernet 2/1)#ip address 192.168.3.1 255.255.255.0

RSR-A(config)#interface gigabitEthernet 1/1

RSR-A(config-GigabitEthernet 1/1)#ip ref

RSR-A(config-GigabitEthernet 1/1)#ip address 192.168.1.1 255.255.255.0

RSR-A(config)#router ospf 123

RSR-A(config-router)#network 192.168.3.0 0.0.0.255 area 0

RSR-A(config-router)#network 192.168.1.0 0.0.0.255 area 0

2.     Associate OSPF with BFD.

RSR-A(config)#interface gigabitEthernet 2/1

RSR-A(config-GigabitEthernet 2/1)#bfd interval 500 min_rx 500 multiplier 3

//Configures the BFD timers. This command is required because it also enables BFD on the interface.

500/500/3 is recommended: a detection packet is sent every 500 ms and the link is declared down if 3 consecutive packets go unanswered.

RSR-A(config-GigabitEthernet 2/1)#no bfd echo

//Control (Ctrl) mode is recommended; the default mode is BFD echo mode.

Ctrl mode is recommended when connecting to other vendors' devices; otherwise the BFD session might fail to come up.

RSR-A(config-GigabitEthernet 2/1)#ip ospf bfd   //Associates OSPF with BFD on the interface facing the peer.

Router B configuration:

1.      Configure OSPF routing.

RSR-B(config)#interface gigabitEthernet 2/1

RSR-B(config-GigabitEthernet 2/1)#ip ref

RSR-B(config-GigabitEthernet 2/1)#ip address 192.168.3.2 255.255.255.0

RSR-B(config)#interface gigabitEthernet 1/1

RSR-B(config-GigabitEthernet 1/1)#ip ref

RSR-B(config-GigabitEthernet 1/1)#ip address 192.168.2.1 255.255.255.0

RSR-B(config)#router ospf 123

RSR-B(config-router)#network 192.168.3.0 0.0.0.255 area 0

RSR-B(config-router)#network 192.168.2.0 0.0.0.255 area 0

2.      Associate OSPF with BFD.

RSR-B(config)#interface gigabitEthernet 2/1

RSR-B(config-GigabitEthernet 2/1)#bfd interval 500 min_rx 500 multiplier 3

RSR-B(config-GigabitEthernet 2/1)#no bfd echo

RSR-B(config-GigabitEthernet 2/1)#ip ospf bfd

 

V. Verification

1.      Run the show bfd neighbors command to confirm the state of the BFD neighbors; the session must show Up on both routers.

 

1.6.1.4    BFD for BGP

 

Scenario

An enterprise rents a Multi-Service Transport Platform (MSTP) line from an Internet Service Provider (ISP) and runs Border Gateway Protocol (BGP) over it. Because the local egress router cannot detect an interruption on the ISP's intermediate link (the local interface stays UP), routes converge slowly and the device cannot switch to a backup line in time. In this case, associate BGP with Bidirectional Forwarding Detection (BFD) on the router: BFD detects the interruption of the ISP's network quickly, BGP switches to the backup line promptly, and user experience improves.

 

I.Networking Requirements

Connect Router A to Router B through a Layer-2 switch. Generate routes by running BGP between them and associate BGP with BFD on the routers' interfaces. BFD quickly detects a fault on the link between Router B and the Layer-2 switch and notifies BGP to trigger fast convergence.

 

II. Network Topology

 

III. Configuration Tips

1.      Configure BGP routing.

2.     Associate BGP with BFD.

(1)     Enable BFD on the interface.

(2)     Select BFD mode.

(3)     Associate BGP with BFD.

 

IV. Configuration Steps

Router A configuration:

1.      Configure BGP routing.

RSR-A(config)#interface gigabitEthernet 2/1

RSR-A(config-GigabitEthernet 2/1)#ip ref

RSR-A(config-GigabitEthernet 2/1)#ip address 172.16.11.1 255.255.255.0

RSR-A(config)#interface gigabitEthernet 1/1

RSR-A(config-GigabitEthernet 1/1)#ip ref

RSR-A(config-GigabitEthernet 1/1)#ip address 172.19.0.1 255.255.255.0

RSR-A(config)#router bgp 45000

RSR-A(config-router)#bgp log-neighbor-changes

RSR-A(config-router)#neighbor 172.16.11.2 remote-as 40000

RSR-A(config-router)#address-family ipv4

RSR-A(config-router-af)#neighbor 172.16.11.2 activate

RSR-A(config-router-af)#no auto-summary

RSR-A(config-router-af)#no synchronization

RSR-A(config-router-af)#network 172.19.0.0 mask 255.255.255.0

2.      Associate BGP with BFD.

RSR-A(config)#interface gigabitEthernet 2/1

RSR-A(config-GigabitEthernet 2/1)#bfd interval 500 min_rx 500 multiplier 3

//Configures the BFD timers. This command is required: it is what enables BFD on the interface.

500/500/3 is the recommended setting: send a control packet every 500 ms, accept packets from the peer no faster than every 500 ms, and declare the link down when three consecutive packets go unanswered, which gives a detection time of 1.5 s, far below the BGP hold time.

RSR-A(config-GigabitEthernet 2/1)#no bfd echo

//Selects control (asynchronous) mode; the default is BFD echo mode.

Control mode is recommended when the peer is another vendor's device; in echo mode the session might fail to come up.

RSR-A(config)#router bgp 45000

RSR-A(config-router)#neighbor 172.16.11.2 fall-over bfd     //Associates the BGP neighbor with BFD. The BFD session runs between the neighbor addresses, so the timers must be configured on the interface that carries the peering (GigabitEthernet 2/1 here).

Router B configuration:

1.      Configure BGP routing.

RSR-B(config)#interface gigabitEthernet 2/1

RSR-B(config-GigabitEthernet 2/1)#ip ref

RSR-B(config-GigabitEthernet 2/1)#ip address 172.16.11.2 255.255.255.0

RSR-B(config)#interface gigabitEthernet 1/1

RSR-B(config-GigabitEthernet 1/1)#ip ref

RSR-B(config-GigabitEthernet 1/1)#ip address 172.20.0.1 255.255.255.0

RSR-B(config)#router bgp 40000

RSR-B(config-router)#bgp log-neighbor-changes

RSR-B(config-router)#neighbor 172.16.11.1 remote-as 45000

RSR-B(config-router)#address-family ipv4

RSR-B(config-router-af)#neighbor 172.16.11.1 activate

RSR-B(config-router-af)#no auto-summary

RSR-B(config-router-af)#no synchronization

RSR-B(config-router-af)#network 172.20.0.0 mask 255.255.255.0

2.      Associate BGP with BFD.

RSR-B(config)#interface gigabitEthernet 2/1

RSR-B(config-GigabitEthernet 2/1)#bfd interval 500 min_rx 500 multiplier 3

RSR-B(config-GigabitEthernet 2/1)#no bfd echo

RSR-B(config)#router bgp 40000

RSR-B(config-router)#neighbor 172.16.11.1 fall-over bfd

 

V. Verification

1.      Run the show bfd neighbors command to confirm the state of the BFD neighbors; the session must show Up on both routers. Then disconnect the link between Router B and the Layer-2 switch and confirm that the BGP neighbor goes down within the BFD detection time rather than after the BGP hold timer expires.
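The two BFD associations above (OSPF and BGP) rely on the same timer rules, so the following added example, which is not part of the Ruijie cookbook, models what `bfd interval 500 min_rx 500 multiplier 3` means for both sessions: the interval a peer really transmits at is negotiated from both sides' values, and the detection time is the peer's multiplier times that interval (RFC 5880, section 6.8.4). The packet timeline fed to `session_down_at` is constructed for the example.

```python
"""BFD (asynchronous/control mode) timer negotiation and failure detection.

Added example, not from the Ruijie cookbook: it models what the
`bfd interval <tx> min_rx <rx> multiplier <n>` values mean for the two
sessions configured above, following RFC 5880 section 6.8.4.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class BfdTimers:
    """Values from `bfd interval <tx> min_rx <rx> multiplier <n>` (ms, ms, count)."""
    desired_min_tx: int   # interval
    required_min_rx: int  # min_rx
    multiplier: int       # multiplier


def negotiated_tx_interval(sender: BfdTimers, receiver: BfdTimers) -> int:
    """Interval at which `sender` really transmits control packets to `receiver`:
    the larger of its own desired TX interval and the receiver's required RX
    interval, so a slowly configured peer slows the session down for both sides."""
    return max(sender.desired_min_tx, receiver.required_min_rx)


def detection_time(local: BfdTimers, remote: BfdTimers) -> int:
    """Milliseconds without any control packet from the peer after which the
    local system declares the session Down: the peer's multiplier times the
    interval at which the peer actually transmits."""
    return remote.multiplier * negotiated_tx_interval(remote, local)


def session_down_at(rx_times_ms, now_ms, local, remote):
    """Given the arrival times (ms) of control packets from the peer and the
    current time, return the time at which the detection timer expired, or
    None if the session is still Up at `now_ms`."""
    dt = detection_time(local, remote)
    times = sorted(rx_times_ms) + [now_ms]
    for prev, cur in zip(times, times[1:]):
        if cur - prev > dt:
            return prev + dt
    return None


if __name__ == "__main__":
    recommended = BfdTimers(500, 500, 3)
    slow_peer = BfdTimers(1000, 1000, 3)
    print("both sides 500/500/3:", detection_time(recommended, recommended), "ms")
    print("peer at 1000/1000/3:", detection_time(recommended, slow_peer), "ms")
    # Constructed timeline: a packet every 500 ms, then the link is cut after 1500 ms.
    print("session down at", session_down_at([0, 500, 1000, 1500], 5000, recommended, recommended), "ms")
```

The second case is the practical caveat: with the recommended 500/500/3 on the local router but 1000/1000/3 on the peer, the local detection time becomes 3 s, not 1.5 s, because the peer only sends every 1000 ms. Check both ends with show bfd neighbors rather than assuming the local timers apply.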

 

1.6.2    VRRP

 

Features:

Virtual Router Redundancy Protocol (VRRP) uses a master/backup model: when the master router fails, a backup router takes over without affecting communication between the inside network and the outside and without changing any parameters on the inside network. Several routers running VRRP are grouped into one virtual router, and only one of them, the master, forwards packets on behalf of it. Hosts send packets to the virtual router's address; whichever router is elected master handles them, and if it fails one of the backup routers replaces it. To a host on the LAN there is only one gateway, and that gateway keeps working even when the first-hop router fails.

 

Scenario

An enterprise has two gateway routers, one master and one backup, and requires redundancy between them. Normally the master router is used; when it fails, the system switches to the backup router automatically. Enable VRRP on both routers to obtain this redundancy.

 

I.Networking Requirements

1. Two routers on the inside network connect to the egress devices.

2. Both routers back up the gateway; the inside network has only one gateway address.

3. When the uplink interface or line of either router goes down, a master/backup switchover is triggered automatically to keep the network connected.

II. Network Topology

 

III. Configuration Tips

1.      Perform basic Internet access configuration (deploy according to the network design).

2.      Configure VRRP on the inside network port.

3.      Configure a virtual gateway address on the client.

 

 

IV. Configuration Steps

R1 configuration:

Ruijie>enable

Ruijie#configure terminal

Ruijie(config)#interface fastEthernet 0/0

Ruijie(config-if-FastEthernet 0/0)#ip address 192.168.1.1 255.255.255.0      //Configures the real interface IP address.

Ruijie(config-if-FastEthernet 0/0)#vrrp 1 ip 192.168.1.254           //Specifies the virtual address of VRRP group 1.

Ruijie(config-if-FastEthernet 0/0)#vrrp 1 priority 120               //Specifies the VRRP priority of this interface. The higher the value, the higher the priority; the default is 100.

Ruijie(config-if-FastEthernet 0/0)#vrrp 1 track FastEthernet 1/0 30    //Tracks the uplink port f1/0. When it goes down, the priority is lowered by 30 (from 120 to 90), which is below the backup's default priority of 100, so the backup router becomes the master.

Ruijie(config-if-FastEthernet 0/0)#end

Ruijie#write           //Saves the configuration.

R2 configuration:

Ruijie#configure terminal

Ruijie(config)#interface fastEthernet 0/0

Ruijie(config-if-FastEthernet 0/0)#ip address 192.168.1.2 255.255.255.0

Ruijie(config-if-FastEthernet 0/0)#vrrp 1 ip 192.168.1.254     //Same group number and virtual address as on R1. The priority keeps the default of 100, so R2 is the backup.

Ruijie(config-if-FastEthernet 0/0)#end

Ruijie#write          //Saves the configuration.

 

 

V. Verification

1.      Run the show vrrp brief command to display the VRRP negotiation state:

Ruijie#show vrrp brief

Interface         Grp  Pri  timer  Own  Pre  State   Master addr   Group addr

FastEthernet 0/0  1    120  3      -    P    Master  192.168.1.1   192.168.1.254

Column meanings: Interface; Grp: VRRP group number; Pri: priority; timer: master down interval in seconds; Own: whether the interface's real address is the virtual address ("-" means no: the gateway address is the separate VRRP group address); Pre: P means preemption is enabled; State: the VRRP state of this router; Master addr: the real address of the current master; Group addr: the virtual gateway address.

Ruijie#show vrrp 1

FastEthernet 0/0 - Group 1

State is Master                                    //This router is the current master of the group.

Virtual IP address is 192.168.1.254 configured           //Indicates the VRRP group (virtual gateway) IP address.

Virtual MAC address is 0000.5e00.0101             //Indicates the VRRP virtual MAC address; the last octet is the group number.

Advertisement interval is 1 sec                          //Indicates the interval of VRRP advertisements.

Preemption is enabled                              //Indicates that VRRP preemption is enabled: a router with a higher priority takes the master role back.

min delay is 0 sec                                //Preemption delay.

Priority is 120       //Indicates the VRRP priority of this router.

Master Router is 192.168.1.1 (local), priority is 120       //Indicates the address and priority of the current master.

Master Advertisement interval is 1 sec             //Indicates the interval at which the master sends advertisements.

Master Down interval is 3 sec                 //If no advertisement from the master is received within 3 seconds, the master is considered down and a backup takes over.
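The election behind the show output above (priority, interface tracking, preemption, the 0000.5e00.01xx virtual MAC and the master down interval) is reproduced in the following added example, which is not part of the Ruijie cookbook. It replays the R1/R2 scenario: R1 at priority 120 with `vrrp 1 track FastEthernet 1/0 30` against R2 at the default 100, using the RFC 3768 election rules. Clamping a decremented priority at 1 is an assumption of the model (priority 0 is reserved by VRRP for "master releasing the group"); the router objects and the scenario() function are the example's own.

```python
"""VRRP master election, interface tracking and preemption.

Added example, not from the cookbook. It reproduces the R1/R2 scenario above
(priority 120 with `vrrp 1 track FastEthernet 1/0 30` against a default
priority of 100) using the RFC 3768 election rules. The floor of 1 applied to
a decremented priority is an assumption; priority 0 is reserved by VRRP for
"master is releasing the group".
"""
from dataclasses import dataclass, field
import ipaddress


def virtual_mac(vrid: int) -> str:
    """IANA-assigned VRRP virtual MAC 00-00-5E-00-01-{VRID}."""
    return f"0000.5e00.01{vrid:02x}"


def master_down_interval(adv_interval_s: float, priority: int) -> float:
    """RFC 3768: 3 x Advertisement_Interval + Skew_Time, Skew_Time = (256 - priority) / 256 s."""
    return 3 * adv_interval_s + (256 - priority) / 256


@dataclass
class VrrpRouter:
    name: str
    address: str                                   # real interface address
    priority: int = 100                            # configured priority (default 100)
    preempt: bool = True                           # preemption is enabled by default
    tracked: dict = field(default_factory=dict)    # interface -> priority decrement
    iface_up: dict = field(default_factory=dict)   # interface -> link state

    def effective_priority(self) -> int:
        p = self.priority
        for iface, dec in self.tracked.items():
            if not self.iface_up.get(iface, True):
                p -= dec
        return max(p, 1)   # assumption: never drop to the reserved value 0


def elect(routers):
    """Highest effective priority wins; ties go to the higher primary IP address."""
    return max(routers, key=lambda r: (r.effective_priority(), int(ipaddress.IPv4Address(r.address))))


def next_master(current, alive):
    """One election round. If the current master is still alive, a backup takes
    over only when it has a higher effective priority AND preemption enabled;
    when the master is gone, the best remaining router takes over."""
    if current not in alive:
        return elect(alive)
    best = elect(alive)
    return best if best is not current and best.preempt else current


def scenario():
    """The cookbook's R1/R2 pair through an uplink failure and recovery."""
    r1 = VrrpRouter("R1", "192.168.1.1", priority=120, tracked={"FastEthernet 1/0": 30})
    r2 = VrrpRouter("R2", "192.168.1.2")
    routers = [r1, r2]
    log = []
    master = next_master(None, routers)          # initial election: 120 beats 100
    log.append(("start", master.name))
    r1.iface_up["FastEthernet 1/0"] = False      # uplink fails: 120 - 30 = 90 < 100
    master = next_master(master, routers)
    log.append(("uplink down", master.name))
    r1.iface_up["FastEthernet 1/0"] = True       # uplink back: R1 preempts with 120
    master = next_master(master, routers)
    log.append(("uplink up", master.name))
    return log


if __name__ == "__main__":
    print(scenario())
    print("virtual MAC of group 1:", virtual_mac(1))
    print("master down interval at priority 120:", master_down_interval(1, 120), "s")
```

The decrement must be chosen against the backup's priority: with track decrement 30 the master falls to 90, below the backup's 100, so the switchover happens; a decrement of 10 would leave R1 at 110 and the failed uplink would go unnoticed by VRRP.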

 

1.6.3    Link-Based Interface Backup

 

Features

Link-based interface backup:

(1)     While the active link is up, the standby interface is kept down.

(2)     If the active link goes down and the routes to the destination addresses through it are lost, the system brings the standby link up after the configured backup delay.

(3)     When the active link comes back, the system shuts the standby interface down again and switches back to the active link after the backup delay.

 

Scenario

An enterprise rents two egress lines. A wired dedicated line is the active line and normally carries all traffic; a 3G line is the standby line. Because the 3G line is billed by traffic volume, it normally stays in standby and is brought up only when the wired dedicated line is disconnected. Configure the 3G interface as the standby interface of the dedicated-line interface to obtain this redundancy.

 

I.Networking Requirements

1.      All users transmit data through the dedicated line; the 3G line serves as the standby line.

2.      To save 3G traffic, the system prohibits 3G dialing while the active link is connected.

3.      When the dedicated line fails, the system switches to the 3G line.

II. Network Topology

 

III. Configuration Tips

1.      Configure the standby interface for the active interface.

2.      Configure the active/standby switchover delay.

3.      Configure routing through both the active and the standby interface.

 

 

IV. Configuration Steps

Router configuration:

interface dialer 0         //The active link: the ADSL (Asymmetric Digital Subscriber Line) dialer interface.

standby delay 0 0      //Configures the delays, in seconds, before the standby interface is enabled after the active link fails and disabled after it recovers. 0 means immediate switchover; a short delay avoids dialing the 3G line for a momentary outage.

standby interface async 1   //Configures the standby interface (the 3G dialer interface).

ip route 0.0.0.0 0.0.0.0 dialer 0    //Configures a default route through each interface. Only the route whose interface is up is installed, so traffic uses dialer 0 while it is up and async 1 only after the switchover.

ip route 0.0.0.0 0.0.0.0 async 1

//For detailed ADSL and 3G dialing configuration, see the corresponding sections.

 

 

V. Verification

1.      Run the show interface command to display the state of the standby interface.

Ruijie#show interface async 1

async 1 is standby mode, line protocol is DOWN

//The interface is in standby mode and down while the active link is up. Then disconnect the dedicated line and confirm that async 1 dials and that the default route switches to it.

 

 

1.6.4    GR

 

Features

Technical Background:

1.      A distributed-architecture device that supports uninterrupted forwarding separates the control plane from the data plane.

2.      The control plane calculates routes and generates forwarding entries; the data plane forwards packets according to these entries.

3.      During an active/standby engine switchover, the standby engine already holds the data-plane information and can take over forwarding quickly. It has no control-plane state, however (no dynamic routing database or neighbor relationships), so adjacent devices see the dynamic protocol go down and re-converge, and black holes or detour routes appear across the network.

4.      Dynamic route convergence takes time measured in minutes, which is not acceptable for uninterrupted forwarding.

Principle:

Graceful Restart (GR) keeps data forwarding uninterrupted while a routing protocol restarts. During an active/standby switchover of the supervisor modules, the forwarding entries learned from dynamic routing neighbors are retained, and they are refreshed only after the new neighbor relationships have completed negotiation and convergence. The network topology thus stays stable, the forwarding table is preserved, and service is not interrupted.

Roles of GR:

Restarter: the device that restarts with GR enabled.

Helper: a device adjacent to the Restarter that keeps the Restarter's routes and adjacency alive while it recovers.

 

Scenario

The router of an enterprise has dual control engines. When the active engine fails, the device switches to the standby engine and the dynamic routing protocol re-converges, which interrupts the network. To solve this problem, enable GR on the router: it keeps the forwarding entries and data forwarding during the active/standby engine switchover and refreshes the entries after the routing protocol re-converges, which shortens the interruption and improves user experience.

 

GR Configuration

RIP-GR configuration: Configure the Restarter on the local end only. No configuration is needed on the adjacent device, since Routing Information Protocol (RIP) devices act as the Helper by default.

RSR7708(config)#router rip

RSR7708(config-router)#graceful-restart

OSPF-GR configuration: Configure the Restarter on the local end and the Helper on the adjacent device. (The Helper is enabled by default on Ruijie devices and, in most cases, on partners' devices.)

RSR7708(config)#router ospf 1

RSR7708(config-router)#graceful-restart

BGP-GR configuration: Configure the Restarter on both ends. //The GR capability is exchanged when the session is opened, so the Border Gateway Protocol (BGP) neighbors must be re-established after this command for it to take effect.

RSR7708(config)#router bgp 1

RSR7708(config-router)#bgp graceful-restart

Notes:

1.       Routers with a single control engine do not support the GR Restarter; configure GR only on routers with dual control engines, such as the RSR77, RSR77-X and RSR50E-40.

2.       The GR Helper is enabled by default on Ruijie devices.

 

1.6.5    DLDP

Basic Configuration for DLDP

Functions and Principles

Ethernet has no link keepalive protocol. When an MSTP dedicated line is connected through an Ethernet WAN interface, the ISP's intermediate link can fail while the local interface and its line protocol stay UP, so routes converge slowly and faults are hard to locate. Device Link Detection Protocol (DLDP) sends ICMP packets to check whether the peer end is reachable, that is, whether the MSTP dedicated line is actually passing traffic. If the peer is unreachable, DLDP sets the interface protocol status to DOWN, so that the routes that depend on the interface converge quickly.

Configuration Description

In interface configuration mode, use the following command syntax:

dldp ip-address [ next-hop-ip ] interval x retry y resume z

ip-address: the destination address to probe; DLDP checks whether ICMP echo requests to this address are answered.

next-hop-ip: if the destination address is not on the same network segment as the interface, add the next-hop IP address reachable through the interface.

interval: the interval between ICMP echo requests, in ticks (1 tick ≈ 10 ms). The default is 10 ticks, that is, 10 ICMP echoes per second; change it as needed. 100 is recommended, that is, one ICM echo per second.

retry: the number of retransmissions attempted when a probe gets no reply; after they all fail, the link is declared DOWN. The default is 3. With interval 100 and retry 3, a failure is detected in about 3 seconds.

resume: the recovery threshold, that is, the number of consecutive answered probes required before the link status returns from DOWN to UP. Link recovery time = resume × interval. The default is 1.

Scenario

DLDP is generally used when a company rents an MSTP dedicated line from an ISP. The company's egress router cannot detect a communication interruption in the intermediate link, which results in slow route convergence or even convergence failure and loss of Internet access. To solve this problem, enable DLDP on the outbound interface: it detects the interruption of the ISP's network and lets the router switch promptly to a backup link so that users keep Internet access.

I.Networking Requirements

RSR-A is the access router of a financial services office. It is connected to two MSTP links and uses floating static routes, with ISP-A as the active link and ISP-B as the backup. Because an Ethernet link has no detection mechanism of its own, a link is considered available as long as the interface is UP, so DLDP is used as the link detection protocol.

The device at the aggregation side has the same link detection problem, so DLDP is also enabled on the aggregation port.

II. Network Topology

III. Configuration Tips

Access Port:

1.      Configure a floating static route.

2.      Configure DLDP.

Aggregation Port:

1.      Configure a floating static route.

2.      Configure DLDP.

 

IV. Configuration Steps

Access Port:

1.      Configure a floating static route.

RSR-A(config)#interface gigabitEthernet 0/0

RSR-A(config-GigabitEthernet 0/0)#ip address 1.1.1.2 255.255.255.0

RSR-A(config)#interface gigabitEthernet 0/1

RSR-A(config-GigabitEthernet 0/1)#ip address 2.2.2.2 255.255.255.0

RSR-A(config)#ip route 0.0.0.0 0.0.0.0 1.1.1.1

RSR-A(config)#ip route 0.0.0.0 0.0.0.0 2.2.2.1 200       //Floating static route: the administrative distance of 200 keeps it out of the routing table while the route through ISP-A is valid.

 

2.      Configure DLDP.

RSR-A(config)#interface gigabitEthernet 0/0

RSR-A(config-GigabitEthernet 0/0)#dldp 1.1.1.1 interval 100       //Configures the peer address for DLDP detection. A detection interval of at least one second is recommended to limit the load on the aggregation device; 100 ticks × 10 ms = 1 s.

//To probe an address beyond the directly connected peer, for example 3.3.3.3, add the next-hop IP address: dldp 3.3.3.3 1.1.1.1 interval 100

//If the peer device is not from Ruijie, note that some vendors rate-limit ICMP echo replies by default, which can make DLDP on the access device declare the link down spuriously. H3C and Huawei devices rate-limit ping by default; disable that limit on them.

RSR-A(config)#interface gigabitEthernet 0/1

RSR-A(config-GigabitEthernet 0/1)#dldp 2.2.2.1 interval 100

 

Aggregation Port:

1.      Configure a floating static route.

RSR-B(config)#interface gigabitEthernet 0/0

RSR-B(config-GigabitEthernet 0/0)#ip address 1.1.1.1 255.255.255.0

RSR-B(config)#interface gigabitEthernet 0/1

RSR-B(config-GigabitEthernet 0/1)#ip address 2.2.2.1 255.255.255.0

RSR-B(config)#ip route 192.168.1.0 255.255.255.0 1.1.1.2

RSR-B(config)#ip route 192.168.1.0 255.255.255.0 2.2.2.2 200

 

2.      Configure DLDP.

RSR-B(config)#interface gigabitEthernet 0/0

RSR-B(config-GigabitEthernet 0/0)#dldp 1.1.1.2 interval 100

RSR-B(config-GigabitEthernet 0/0)#dldp passive

//Passive mode is recommended on the aggregation port to reduce its load: it answers the access device's probes without originating its own. The detection interval must be the same on the aggregation port and on the access port.

RSR-B(config)#interface gigabitEthernet 0/1

RSR-B(config-GigabitEthernet 0/1)#dldp 2.2.2.2 interval 100

RSR-B(config-GigabitEthernet 0/1)#dldp passive

 

V. Verification

1.      Run the show dldp interface command to check the DLDP status.

2.      If the configuration and the link status are correct, run a traceroute from RSR-A to an intranet address behind the aggregation router and confirm that the path goes through ISP-A.

3.      Shut down the GigabitEthernet 0/0 interface on RSR-B to simulate an ISP-A fault. Run the traceroute again from RSR-A and confirm that the path has switched to ISP-B.
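The following added example, which is not part of the cookbook, models the DLDP timing described above (1 tick = 10 ms; the interface goes DOWN after `retry` consecutive unanswered echoes and UP again after `resume` consecutive answered ones) and the effect on RSR-A's two default routes (distance 1 via 1.1.1.1, floating distance 200 via 2.2.2.1). Treating a probe as failed when no reply arrives before the next probe is sent, and starting the replay in the UP state, are assumptions of the model; the probe result lists are constructed.

```python
"""DLDP probe timing and floating static route failover.

Added example, not from the cookbook. It models the `dldp <ip> interval <x>
retry <y> resume <z>` semantics described above (1 tick = 10 ms; the link is
declared DOWN after `retry` consecutive unanswered ICMP echoes and UP again
after `resume` consecutive answered ones) and the route selection of the
RSR-A configuration (default route via 1.1.1.1, floating route via 2.2.2.1
with distance 200). Counting a probe as failed when no reply arrives before
the next probe is sent is an assumption of this model.
"""
TICK_MS = 10


def detection_time_ms(interval_ticks: int, retry: int) -> int:
    """Worst-case time from link failure to protocol DOWN: interval x retry."""
    return interval_ticks * TICK_MS * retry


def recovery_time_ms(interval_ticks: int, resume: int) -> int:
    """Link recovery time = resume x interval, as stated in the cookbook."""
    return interval_ticks * TICK_MS * resume


def dldp_run(probe_results, interval_ticks, retry, resume):
    """Replay probe outcomes (True = echo reply received) and return the list of
    (time_ms, state) transitions. The interface starts UP."""
    state, fails, oks, transitions = "UP", 0, 0, []
    for n, ok in enumerate(probe_results, start=1):
        t = n * interval_ticks * TICK_MS
        if state == "UP":
            fails = 0 if ok else fails + 1
            if fails >= retry:
                state, oks = "DOWN", 0
                transitions.append((t, state))
        else:
            oks = oks + 1 if ok else 0
            if oks >= resume:
                state, fails = "UP", 0
                transitions.append((t, state))
    return transitions


# Static routes of RSR-A: (administrative distance, next hop, outgoing interface).
RSR_A_DEFAULT_ROUTES = [
    (1, "1.1.1.1", "GigabitEthernet 0/0"),     # ISP-A, active
    (200, "2.2.2.1", "GigabitEthernet 0/1"),   # ISP-B, floating backup
]


def active_next_hop(link_state, routes=RSR_A_DEFAULT_ROUTES):
    """The lowest-distance route whose interface protocol is UP is installed;
    with DLDP, an interface whose peer stopped answering counts as DOWN."""
    usable = [r for r in routes if link_state.get(r[2]) == "UP"]
    return min(usable)[1] if usable else None


if __name__ == "__main__":
    # Constructed: two good probes, four lost ones, then replies resume (interval 100, retry 3).
    replies = [True, True, False, False, False, False, True, True]
    print("resume 1:", dldp_run(replies, 100, 3, 1))
    print("resume 3:", dldp_run(replies, 100, 3, 3))
    print("next hop with ISP-A down:",
          active_next_hop({"GigabitEthernet 0/0": "DOWN", "GigabitEthernet 0/1": "UP"}))
```

A resume value above 1 trades a slower recovery (resume × interval) for protection against a link that answers once and then fails again, which would otherwise flap the default route between the two ISPs.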

 

1.6.6    RNS+Track

Features

RNS (Reliable Network Service) monitors an end-to-end connection by checking whether a response to a probe comes back from the peer. RNS can send ICMP echo or DNS requests as probes. Combined with a track object, it lets other features react to whether an IP address is reachable or an interface is up.

Scenario

An enterprise has several egress lines from ISPs and requires that its services switch over to another egress when one of the Internet lines goes down.

Configuration Steps

1.      Create an RNS profile.

Ruijie>enable

Ruijie#configure terminal

Ruijie(config)#ip rns 1  --->Creates RNS profile number 1.

Ruijie(config-ip-rns)#icmp-echo 12.12.12.1 out-interface gigabitEthernet 0/0 source-ipaddr 12.12.12.2 --->Uses ICMP echo to probe destination 12.12.12.1 through output interface gigabitEthernet 0/0 with source IP address 12.12.12.2.

Note: to specify the next hop in the RNS profile, add the next-hop x.x.x.x parameter.

Ruijie(config-ip-rns-icmp-echo)#timeout 5000 --->Detection timeout threshold, 5000 ms.

Ruijie(config-ip-rns-icmp-echo)#frequency 5000 --->Detection interval, 5000 ms.

Ruijie(config-ip-rns-icmp-echo)#exit

Ruijie(config)#

2.      Create a track object.

Ruijie(config)#track 1 rns 1 --->Creates track object 1 and binds it to RNS profile 1.

Ruijie(config-track)#delay up 10 down 10   --->Delay, in seconds, before a track status change takes effect; it suppresses short flaps.

Ruijie(config-track)#exit

3.      Bind the track object to a static route.

Ruijie(config)#ip route 10.1.1.0 255.255.255.0 gigabitEthernet 0/0 1.1.1.1 track 1 --->Binds the static route to track 1. If the track status is Down, this route is removed from the routing table.

4.      Bind the track object to policy-based routing (partial command).

Ruijie(config-route-map)#set ip next-hop verify-availability 12.12.12.1 track 1  --->Binds the policy route to track 1. If the track status is Down, this set clause is ignored and packets follow the normal routing table.

Verification

Verify the track status (show track):

Ruijie#show track 1

Track 1

  Reliable Network Service 1

  The state is Down   --->Track status

  1 change, current state last: 648 secs

  Delay up 10 secs, down 10 secs

Verify the RNS status (show ip rns statistics):

Ruijie#show ip rns statistics

IP rns index    1

Number of successes: 2 --->Number of successful probes

Number of failures: 16  --->Number of failed probes

Round-trip min/avg/max = 10/12/15 ms
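The following added example, not part of the cookbook, models how the track object above follows the RNS result with `delay up 10 down 10`, and what that does to the tracked static route and the PBR next hop. RNS results are represented as samples taken every frequency interval (5 s in the profile above); that the delay is counted from the first sample in the new state is an assumption of the model, and the sample lists are constructed.

```python
"""Track object with `delay up/down` driven by RNS probe results, and its effect
on a tracked static route and a PBR next hop.

Added example, not from the cookbook. RNS results are modelled as samples taken
every `frequency` (5 s in the profile above); the track object follows the RNS
state only after it has stayed in the new state for the configured delay
(10 s up / 10 s down above), so short flaps do not move traffic. Counting the
delay from the first sample in the new state is an assumption.
"""


def track_timeline(rns_samples, delay_up_s, delay_down_s, start_up=True):
    """rns_samples: list of (time_s, reachable) in time order.
    Returns the list of (time_s, "Up"/"Down") transitions of the track object."""
    track_up = start_up
    pending_since = None          # time at which RNS first disagreed with the track
    transitions = []
    for t, reachable in rns_samples:
        if reachable == track_up:
            pending_since = None  # RNS agrees with the track again: flap suppressed
            continue
        if pending_since is None:
            pending_since = t
        delay = delay_up_s if reachable else delay_down_s
        if t - pending_since >= delay:
            track_up, pending_since = reachable, None
            transitions.append((t, "Up" if track_up else "Down"))
    return transitions


def tracked_static_route(track_up):
    """`ip route 10.1.1.0 255.255.255.0 gigabitEthernet 0/0 1.1.1.1 track 1`:
    the route is installed only while track 1 is Up."""
    return ("10.1.1.0/24", "1.1.1.1") if track_up else None


def pbr_next_hop(track_up):
    """`set ip next-hop verify-availability 12.12.12.1 track 1`: with the track
    Down the set clause is skipped and the packet follows the routing table."""
    return "12.12.12.1" if track_up else "routing-table"


if __name__ == "__main__":
    # Constructed RNS samples every 5 s: reachable, three failures, then reachable again.
    samples = [(0, True), (5, True), (10, False), (15, False), (20, False),
               (25, True), (30, True), (35, True)]
    for t, state in track_timeline(samples, 10, 10):
        up = state == "Up"
        print(f"t={t:2d}s track {state}: route {tracked_static_route(up)}, PBR next hop {pbr_next_hop(up)}")
    print("short flap:", track_timeline([(0, True), (5, False), (10, True)], 10, 10))
```

With frequency 5 s and delay down 10 s, a real outage moves traffic only after the second failed sample beyond the first, so the worst-case failover is roughly timeout + frequency + delay; shorten the delay if that is too slow for the service, but keep it above one probe interval so a single lost echo cannot flip the route.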

1.7     QOS

1.7.1    Traffic Classification and Marking

I. Definition

Traffic classification sorts traffic into different priorities or service types. For example, the first three bits of the Type of Service (ToS) field in the IP header (the IP precedence) or the six-bit Differentiated Services Code Point (DSCP) field is used to mark a packet. Once packets are classified, other QoS features can be applied per class to provide congestion management and traffic shaping on a per-class basis.

Packet classification is the simple classification based on Layer-2 or Layer-3 information; it is the collection of mechanisms that sort packets into classes.

Packet marking is the function by which network devices record a packet's class in the packet itself.

 

II. Purpose

The main purpose of marking is to let other systems or devices recognize a packet's class and process it as agreed.

Packet classification and marking are the basis for QoS implementation.

Technologies for packet classification: ACLs and IP precedence.

Based on the classification result, packets are either handed to other QoS modules or marked (colored) so that the core network can treat them differently.

 

III. Methods

Three methods are available:

Class-map

CAR

PBR

 

IV. Method Selection

Class-map is the recommended method. It combines with CBWFQ/LLQ and offers uniform, clear commands. Note that the class-map method has a limitation when applied to an interface in the input direction:

The input direction with the class-map method is not supported by baseline v10.3; it is supported by baseline v10.4.

The CAR method is the second choice.

The PBR method works only in the input direction.

 

1.7.1.1    IP Priority and DSCP Priority

 

Features:

IP priority and DSCP priority:

As shown in the figure above, the ToS field in the IP packet header is 8 bits long; its first three bits carry the IP precedence, ranging from 0 to 7. RFC 2474 redefines the ToS field as the DS (Differentiated Services) field, in which the first six bits (bits 0 to 5) carry the DSCP, ranging from 0 to 63, and the last two bits (6 and 7) are reserved (RFC 3168 later assigned them to Explicit Congestion Notification). Because the DSCP occupies the same leading bits, IP precedence n corresponds to DSCP 8n (class selector CSn), and the top three bits of any DSCP equal the IP precedence.

 

EXP priority:

EXP priority is indicated in an MPLS labelfor marking MPLS QoS.

Encapsulation structure of an MPLS label

 

In the figure above, the Exp field is the EXPpriority with 3 bits, ranging from 0 to 7.

 

IP priority/DSCP/EXP mapping comparisontable:

 

IP priority binary value/decimalvalue/keyword comparison table:

DSCP priority binary value/decimalvalue/keyword comparison table:
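The comparison tables referenced above are not reproduced in this extract, so the following added example, which is not part of the cookbook, derives them from the bit layout just described: the ToS/DS byte is built from an IP precedence or a DSCP, the standard PHB keyword (default, csN, afXY, ef) is decoded from the DSCP value, and the EXP value is obtained with the common default of copying the precedence bits. It also shows what marking physically does to a packet: `remark` rewrites byte 1 of an IPv4 header and recomputes the header checksum. SAMPLE_HEADER is a constructed 20-byte IPv4 header, not captured traffic, and the function names are the example's own.

```python
"""ToS/DS byte layout, DSCP keywords and re-marking an IPv4 header.

Added example, not from the cookbook. `tos_byte`/`dscp_keyword` implement the
RFC 2474/2597/3246 layout the section describes (IP precedence = top 3 bits,
DSCP = top 6 bits, the remaining 2 bits are ECN per RFC 3168), `exp_for`
applies the common default of copying the precedence bits into the MPLS EXP
field, and `remark` shows what "marking" physically does to a packet: rewrite
byte 1 of the header and recompute the header checksum. SAMPLE_HEADER is a
constructed 20-byte IPv4 header, not captured traffic.
"""
import struct


def tos_byte(precedence=None, dscp=None, ecn=0):
    """Build the byte from either an IP precedence (0-7) or a DSCP (0-63)."""
    if (precedence is None) == (dscp is None):
        raise ValueError("give exactly one of precedence or dscp")
    if precedence is not None:
        dscp = precedence << 3           # precedence 5 == DSCP 40 (CS5)
    return ((dscp & 0x3F) << 2) | (ecn & 0x3)


def precedence_of(tos: int) -> int:
    return tos >> 5


def dscp_of(tos: int) -> int:
    return tos >> 2


def exp_for(dscp: int) -> int:
    """Default DSCP -> MPLS EXP mapping: the three precedence bits."""
    return dscp >> 3


def dscp_keyword(dscp: int) -> str:
    """Standard PHB keyword: default, csN, afXY (8X + 2Y) or ef (46)."""
    if dscp == 46:
        return "ef"
    if dscp & 0x7 == 0:
        return "default" if dscp == 0 else f"cs{dscp >> 3}"
    cls, drop = dscp >> 3, (dscp >> 1) & 0x3
    if 1 <= cls <= 4 and 1 <= drop <= 3 and dscp & 1 == 0:
        return f"af{cls}{drop}"
    return str(dscp)                     # non-standard code point


def ipv4_checksum(header: bytes) -> int:
    """Ones'-complement sum of 16-bit words; returns 0 for a header whose checksum is valid."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def remark(header: bytes, dscp: int) -> bytes:
    """Return a copy of an IPv4 header with the DSCP rewritten (ECN bits kept)
    and the header checksum recomputed; a router that marks does exactly this."""
    h = bytearray(header)
    h[1] = ((dscp & 0x3F) << 2) | (h[1] & 0x3)
    h[10:12] = b"\x00\x00"
    h[10:12] = struct.pack("!H", ipv4_checksum(bytes(h)))
    return bytes(h)


def _build_sample_header() -> bytes:
    # Constructed: IPv4, IHL 5, ToS 0, total length 40, id 0x1234, DF, TTL 64,
    # UDP, 172.16.1.10 -> 10.0.0.1; the checksum is filled in afterwards.
    h = struct.pack("!BBHHHBBH4s4s", 0x45, 0x00, 40, 0x1234, 0x4000, 64, 17, 0,
                    bytes([172, 16, 1, 10]), bytes([10, 0, 0, 1]))
    return h[:10] + struct.pack("!H", ipv4_checksum(h)) + h[12:]


SAMPLE_HEADER = _build_sample_header()

if __name__ == "__main__":
    for d in (0, 10, 18, 20, 30, 40, 46):
        print(f"DSCP {d:2d} = {dscp_keyword(d):7s} precedence {d >> 3} EXP {exp_for(d)} ToS byte 0x{tos_byte(dscp=d):02x}")
    marked = remark(SAMPLE_HEADER, 46)
    print("re-marked ToS byte 0x%02x, checksum valid:" % marked[1], ipv4_checksum(marked) == 0)
```

The DSCP values used in the CAR and PBR sections below (10, 20, 30) decode to af11, af22 and af33, and the class-map section's precedence 5 is the same byte as DSCP 40 (cs5). Because marking is just a byte rewrite that any upstream host can also perform, a border router should re-mark or police traffic entering from untrusted interfaces rather than trust the values it receives.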

 

 

1.7.1.2    Class Map

 

Features:

A class map defines a traffic class: the network traffic you are interested in. A policy map defines the series of actions to apply to each class, and is attached to an interface in the input or output direction.

 

I.Networking Requirements

For RSR-A routers, the following traffic is marked:

1.       For VOIP traffic, IP priority is 5

2.       For telnet traffic, IP priority is 4

3.       For traffic from 172.16.1.0, IP priority is 2

 

II. Network Topology

 

III. Configuration Tips

1.       Classify traffic by ACL.

2.       Define a class map and associate it with an ACL.

Router(config)#class-map ?

 WORD       class-map name

 match-all  Logical-AND all matching statements under this classmap     //The match condition is logical AND: every match statement must be true.

 match-any  Logical-OR all matching statements under this classmap     //The match condition is logical OR: any one match statement suffices.

Router(config)#class-map ruijie     //If only the name is given, without match-all or match-any, match-all is used by default.

3.       Define a policy map, associate it with the class maps, and mark each class.

4.       Apply the policy map to the target interface.

 

IV. Configuration Steps

1.       Classify traffic by ACL.

RSR-A(config)#access-list 100 permit udp any any range 16384 32767     //VoIP (RTP) traffic

RSR-A(config)#access-list 101 permit tcp any any eq 23     //telnet

RSR-A(config)#access-list 102 permit ip 172.16.1.0 0.0.0.255 any     //traffic from 172.16.1.0/24

2.       Define class maps and associate each with an ACL.

RSR-A(config)#class-map VOIP             //Note that class-map names are case-sensitive.

RSR-A(config-cmap)#match access-group 100

RSR-A(config-cmap)#class-map TELNET

RSR-A(config-cmap)#match access-group 101

RSR-A(config-cmap)#class-map NETWORK

RSR-A(config-cmap)#match access-group 102

3.       Define a policy map, associate it with the class maps, and mark each class.

RSR-A(config)#policy-map ruijie

RSR-A(config-pmap)#class VOIP

RSR-A(config-pmap-c)#set ip precedence 5

RSR-A(config-pmap-c)#class TELNET

RSR-A(config-pmap-c)#set ip precedence 4

RSR-A(config-pmap-c)#class NETWORK

RSR-A(config-pmap-c)#set ip precedence 2

//A packet is handled by the first class it matches, so a telnet session from 172.16.1.0/24 gets precedence 4, not 2. Order the classes from the most specific to the least specific.

4.       Apply the policy map to the target interface.

RSR-A(config)#interface gigabitEthernet 0/0

RSR-A(config-if-GigabitEthernet 0/0)#service-policy output ruijie       //Specifies the direction in which the traffic policy is applied: input (packets entering the interface) or output (packets leaving it). The input direction with the class-map method is not supported by baseline v10.3; it is supported by baseline v10.4.

 

V. Verification

1.     Run the show policy-map interface gigabitEthernet 0/0 command to display the policy applied to the target interface and the per-class packet counters; send test traffic of each type and confirm that the counter of the expected class increases.
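The following added example, which is not part of the cookbook, encodes the three ACLs and the policy map `ruijie` configured above and answers "which IP precedence does this packet leave with?" It shows the match-all/match-any combination rule and the first-match semantics of a policy map, including the overlap case: a telnet session from 172.16.1.0/24 matches both TELNET and NETWORK and receives precedence 4 because TELNET is listed first. The Packet and Ace types and the wildcard encoding are the example's own; the ACL numbers, class names and precedence values are the page's.

```python
"""ACL classification, class-map match-all/match-any and policy-map ordering.

Added example, not from the cookbook. It encodes the three ACLs and the
policy-map `ruijie` configured above and evaluates them with first-match
semantics: a packet is handled by the first class in the policy map that it
matches, so class order matters when classes overlap.
"""
from dataclasses import dataclass
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")   # `any` as network/wildcard


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp", "udp", "icmp", ...
    sport: int = 0
    dport: int = 0


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """ACL wildcard semantics: bits set in the wildcard are 'don't care'."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(network)) & care)


@dataclass(frozen=True)
class Ace:
    """One `permit` entry of an extended ACL."""
    proto: str                     # "ip" matches every protocol
    src: tuple = ANY
    dst: tuple = ANY
    dport: tuple = (0, 65535)      # `eq 23` -> (23, 23); `range a b` -> (a, b)

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and p.proto != self.proto:
            return False
        return (wildcard_match(p.src, *self.src) and wildcard_match(p.dst, *self.dst)
                and self.dport[0] <= p.dport <= self.dport[1])


ACLS = {
    100: [Ace("udp", dport=(16384, 32767))],            # access-list 100 permit udp any any range 16384 32767
    101: [Ace("tcp", dport=(23, 23))],                  # access-list 101 permit tcp any any eq 23
    102: [Ace("ip", src=("172.16.1.0", "0.0.0.255"))],  # access-list 102 permit ip 172.16.1.0 0.0.0.255 any
}

# class-map <name>: (match-all | match-any, ACLs referenced by `match access-group`)
CLASS_MAPS = {
    "VOIP": ("match-all", [100]),
    "TELNET": ("match-all", [101]),
    "NETWORK": ("match-all", [102]),
}

# policy-map ruijie: classes in configured order with their `set ip precedence`
POLICY_RUIJIE = [("VOIP", 5), ("TELNET", 4), ("NETWORK", 2)]


def acl_permits(acl: int, p: Packet) -> bool:
    return any(ace.matches(p) for ace in ACLS[acl])


def class_matches(name: str, p: Packet) -> bool:
    mode, acls = CLASS_MAPS[name]
    combine = all if mode == "match-all" else any
    return combine(acl_permits(a, p) for a in acls)


def precedence_for(p: Packet, policy=POLICY_RUIJIE):
    """IP precedence set by the policy, or None if only class-default applies."""
    for cls, prec in policy:
        if class_matches(cls, p):
            return prec
    return None


if __name__ == "__main__":
    # Constructed packets: RTP, telnet from the LAN, web from the LAN, web from elsewhere.
    for p in (Packet("10.9.9.9", "10.0.0.1", "udp", 5000, 20000),
              Packet("172.16.1.5", "10.0.0.1", "tcp", 40000, 23),
              Packet("172.16.1.5", "10.0.0.1", "tcp", 1234, 80),
              Packet("172.16.2.5", "10.0.0.1", "tcp", 1234, 80)):
        print(p, "-> precedence", precedence_for(p))
```

Putting NETWORK before TELNET in the policy map would silently change the telnet result to 2; the same first-match rule applies to the ACL entries inside each access group, so order matters at both levels.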

 

1.7.1.3    CAR

 

Features:

CAR (Committed Access Rate) has two functions: rate limiting and priority marking. A CAR statement always carries both a rate limit and an action, which can set the IP precedence or DSCP.

CAR classifies packets by their ToS or CoS value (IP precedence or DSCP for IP packets) or by the five-tuple (source and destination addresses, protocol, and source and destination ports), marks them, and polices their rate.

 

I.Networking Requirements

For RSR-A routers, the following traffic is marked:

1.      For VOIP traffic, DSCP priority is 10.

2.      For telnet traffic, DSCP priority is 20.

3.      For traffic from 172.16.1.0, DSCP priority is30.

 

II. Network Topology

 

III. Configuration Tips

1.      Classify traffic by ACL.

2.      Configure rate-limit to mark traffic classes.

 

 

IV. Configuration Steps

1.      Classify traffic by ACL.

RSR-A(config)#access-list 100 permit udp any any range 16384 32767

RSR-A(config)#access-list 101 permit tcp any any eq 23

RSR-A(config)#access-list 102 permit ip 172.16.1.0 0.0.0.255 any

2.      Configure rate-limit to mark the traffic classes.

RSR-A(config)#interface gigabitEthernet 0/1        //Enters the interface that requires the marking policy.

RSR-A(config-if-GigabitEthernet 0/1)#rate-limit input access-group 100 20000000 2000000 4000000 conform-action set-dscp-transmit 10 exceed-action transmit

RSR-A(config-if-GigabitEthernet 0/1)#rate-limit input access-group 101 20000000 2000000 4000000 conform-action set-dscp-transmit 20 exceed-action transmit

RSR-A(config-if-GigabitEthernet 0/1)#rate-limit input access-group 102 20000000 2000000 4000000 conform-action set-dscp-transmit 30 exceed-action transmit

//Each traffic class is defined with its own rate-limit command. With exceed-action transmit, packets above the rate are forwarded unmarked rather than dropped, so these statements mark without actually limiting.

Notes:

1.      When used for marking, apply the rate-limit command in the input direction.

2.      The rate-limit command always requires a rate value. If the interface bandwidth is 2 Mbps and the rate limit is set to 20 Mbps, the limit is never reached, which is equivalent to no rate limit.

3.      Use the following empirical values for the burst sizes, where A is the rate in bps and B and C are burst-normal and burst-max in bytes (20000000 / 2000000 / 4000000 in the example above):

B = A/10

C = A/5

Command interpretation:

Ruijie(config-if)#rate-limit { input | output } bps burst-normal burst-max conform-action action exceed-action action

input | output: applies the limit to incoming or outgoing traffic.

bps: the rate limit (unit: bps).

burst-normal burst-max: the normal and maximum (extended) burst sizes of the token bucket (unit: bytes).

conform-action: the action for traffic within the rate limit.

exceed-action: the action for traffic exceeding the rate limit.

action: one of the following.

l continue: matches the next rate-limit statement

l drop: drops the packet

l set-dscp-continue: sets the DSCP field of the packet and matches the next statement

l set-dscp-transmit: sets the DSCP field of the packet and transmits it

l set-prec-continue: sets the IP precedence field of the packet and matches the next statement

l set-prec-transmit: sets the IP precedence field of the packet and transmits it

l transmit: transmits the packet

 

V. Verification

1.      Run the show rate-limit interface gigabitEthernet 0/1 command to display the policy applied to the target interface together with its conformed and exceeded counters.
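The conform/exceed decision behind `rate-limit` is a token bucket, and the following added example, which is not part of the cookbook, implements a single-rate token bucket with the committed burst (burst-normal, in bytes) and applies the page's actions to a constructed packet stream. It reproduces note 2 above (a 20 Mbps limit on a 12 Mbps stream never fires) and shows what happens at 1 Mbps with burst-normal = rate/10. The extended burst (burst-max) behaviour is vendor specific and is not modelled; times are integer milliseconds and exact rational arithmetic is used so that the results are deterministic.

```python
"""Token-bucket policing as performed by `rate-limit` (CAR).

Added example, not from the cookbook. It implements a single-rate token bucket
with the committed burst (burst-normal, in bytes) and classifies each packet
as conform or exceed; the extended burst (burst-max) behaviour is vendor
specific and is not modelled here. Times are integer milliseconds and the
bucket uses exact rational arithmetic so the decisions are deterministic.
The packet stream is constructed, not captured.
"""
from fractions import Fraction


class TokenBucket:
    def __init__(self, rate_bps: int, burst_bytes: int):
        self.rate_bps = rate_bps
        self.burst = burst_bytes
        self.tokens = Fraction(burst_bytes)   # the bucket starts full
        self.last_ms = 0

    def offer(self, t_ms: int, size: int) -> str:
        """Refill for the elapsed time (capped at the burst), then either consume
        tokens for a conforming packet or report exceed without consuming any."""
        refill = Fraction((t_ms - self.last_ms) * self.rate_bps, 8000)   # bit/s -> bytes/ms
        self.tokens = min(Fraction(self.burst), self.tokens + refill)
        self.last_ms = t_ms
        if size <= self.tokens:
            self.tokens -= size
            return "conform"
        return "exceed"


def police(packets, rate_bps, burst_bytes, conform_action=("set-dscp-transmit", 10),
           exceed_action=("transmit", None)):
    """packets: iterable of (time_ms, size_bytes) in time order.
    Returns (stats, out): counters per verdict and, per packet,
    (size, dscp-or-None, forwarded) after applying the rate-limit actions
    transmit / set-dscp-transmit <n> / drop."""
    bucket = TokenBucket(rate_bps, burst_bytes)
    out = []
    stats = {"conform": 0, "exceed": 0, "conform_bytes": 0, "exceed_bytes": 0}
    for t, size in packets:
        verdict = bucket.offer(t, size)
        action, dscp = conform_action if verdict == "conform" else exceed_action
        stats[verdict] += 1
        stats[verdict + "_bytes"] += size
        out.append((size, dscp if action.startswith("set-dscp") else None, action != "drop"))
    return stats, out


def constant_stream(n_packets=1000, size=1500, gap_ms=1):
    """Constructed input: n packets of `size` bytes, one every gap_ms (12 Mbit/s by default)."""
    return [(i * gap_ms, size) for i in range(n_packets)]


if __name__ == "__main__":
    # The cookbook's values: 20 Mbit/s with burst-normal = rate/10 bytes; nothing exceeds.
    print(police(constant_stream(), 20_000_000, 2_000_000)[0])
    # A 1 Mbit/s limit with the same rule: the burst absorbs the start, then 1 in 12 conforms.
    print(police(constant_stream(), 1_000_000, 100_000)[0])
    print(police(constant_stream(), 1_000_000, 100_000, exceed_action=("drop", None))[0])
```

After the initial burst of 100,000 bytes is spent, the bucket refills 125 bytes per millisecond, so one 1500-byte packet conforms every 12 ms: exactly the committed rate. Whether the exceeding packets are forwarded unmarked or dropped is decided only by exceed-action, which is why the cookbook's marking statements use transmit.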

 

1.7.1.4    PBR

 

Features:

Policy-based routing (PBR) is a packet forwarding mechanism that is more flexible than routing by destination network: the device decides how to handle each packet according to a route map, evaluated before the routing table.

 

I.Networking Requirements

For RSR-A routers, the following traffic is marked:

1.      For VOIP traffic, DSCP priority is 10.

2.      For telnet traffic, DSCP priority is 20.

3.      For traffic from 172.16.1.0, DSCP priority is30.

 

II. Network Topology

 

III. Configuration Tips

1.      Classify traffic by ACL.

2.      Define a route-map policy, and mark trafficclasses.

3.      Apply the route-map policy onthe targetinterface.

 

IV. Configuration Steps

1.      Classify traffic by ACL.

RSR-A(config)#access-list 100 permit udp any any range 16384 32767

RSR-A(config)#access-list 101 permit tcp any any eq 23

RSR-A(config)#access-list 102 permit ip 172.16.1.0 0.0.0.255 any

2.      Define a route-map policy and mark the traffic classes.

RSR-A(config)#route-map ruijie permit 10

RSR-A(config-route-map)#match ip address 100

RSR-A(config-route-map)#set ip dscp 10           //Uses the set command to set the DSCP or IP precedence.

RSR-A(config)#route-map ruijie permit 20

RSR-A(config-route-map)#match ip address 101

RSR-A(config-route-map)#set ip dscp 20

RSR-A(config)#route-map ruijie permit 30

RSR-A(config-route-map)#match ip address 102

RSR-A(config-route-map)#set ip dscp 30

//Each class needs its own route-map sequence. If the three match and set statements are placed in one sequence, the match statements are combined and each set ip dscp overwrites the previous one, so every matching packet would be marked with DSCP 30.

3.      Apply the route-map policy to the target interface.

RSR-A(config)#interface gigabitEthernet 0/1        //Enters the target interface and applies the route-map policy in the input direction (PBR is applied to incoming packets only).

RSR-A(config-if-GigabitEthernet 0/1)#ip policy route-map ruijie

 


V. Verification

1.      Run the show ip policy command to display the policy appliedon the target interface.

 

1.7.2    Congestion Avoidance

1.7.2.1    PQ

 

Features:

In Priority Queuing (PQ), packets with highercommunication priorities can be transmitted prior to packets with lowerpriorities, so as to ensure timely transmission of packets with higherpriorities.

PQ assigns strict priorities to important traffic. Classification can be based on network protocol (e.g. IP), the input interface, packet length, or source/destination address, so that the most important traffic is always served first on each network node.

 

I.Networking Requirements

For RSR-A routers, the following data isprocessed based on priorities in the order of VOIP, telnet, 172.16.1.0 segment,and other traffic.

1.       VOIP traffic is provided with the highest priority to ensure lowlatency.

2.       Telnet traffic is provided with a medium priority.

3.       Traffic from 172.16.1.0 is provided with a low priority.

 

II. Network Topology

 

III. Configuration Tips

1.       Classify traffic by ACL.

2.       Define a PQ policy.

3.       Apply the PQ policy on the target interface.

 

IV. Configuration Steps

1.       Classify traffic by ACL.

RSR-A(config)#access-list 100 permit udp any any range 16384 32767

RSR-A(config)#access-list 101 permit tcp any any eq 23

RSR-A(config)#access-list 102 permit ip 172.16.1.0 0.0.0.255 any

2.       Define a PQ policy.

RSR-A(config)#priority-list 1 protocol ip high list 100

RSR-A(config)#priority-list 1 protocol ip medium list 101

RSR-A(config)#priority-list 1 protocol ip normal list 102

//NOTE:

1. PQ has four queues, served in the order high > medium > normal > low.

2. Traffic can also be classified by input interface, for example priority-list 1 interface gigabitEthernet 0/0 low.

3.       Apply the PQ policy on the target interface.

RSR-A(config)#interface gigabitEthernet 0/1

RSR-A(config-if-GigabitEthernet 0/1)#priority-group 1

 

V. Verification

1.      Run the show queue interface gigabitEthernet 0/1 commandto display the PQ policy applied on the target interface.

 

1.7.2.2    CBWFQ

 

Features:

Class Based WeightedFair Queuing (CBWFQ) extends functions of standard Weighted Fair Queuing (WFQ) and supports custom data flow classes. Data flow classes canbe defined based on multiple conditions (protocol/ACL/input interface).

CBWFQ can specify the minimum bandwidthguarantee value or proportion for each class based on the policy.

Differences between CBWFQ and LLQ:

(1)     CBWFQ is weighted fair, which guarantees the minimum bandwidth butcannot ensure low latency;

(2)     Low Latency Queuing (LLQ) is an additional PQ based on CBWFQ,namely, LLQ=CBWFQ+PQ. Latency-sensitive data, such asVOIP, can be placed in PQ to ensure low latency.

NOTE: Ruijie queuing mechanism has a defaultqueue. All undefined data flows are subject to the default queue. In case ofnetwork congestion, the default queue is processed with a low priority bydefault and occupies the unallocated bandwidth. This is similar to Ciscodefault queue. However, Cisco default queue needs configuration while Ruijiedefault queue needs no configuration.

I.Networking Requirements

On router RSR-A, Serial 2/1 is the outbound interface and its bandwidth is 2 Mbps. The following traffic classes need a bandwidth guarantee:

1.      Production network traffic is provided with800Kbps bandwidth guarantee.

2.      Office network traffic is provided with1,000Kbps bandwidth guarantee.

 

II. Network Topology

 

III. Configuration Tips

1.      Configure a bandwidth proportion for the targetinterface.

2.      Classify traffic by ACL.

3.      Define a class mapping list, and associateclass-map with ACL.

Router(config)#class-map ?

  WORD       class-map name

  match-all  Logical-AND all matching statements under this classmap      //The match condition is logical AND

  match-any  Logical-OR all matching statements under this classmap       //The match condition is logical OR

Router(config)#class-map ruijie          //If only the name is given, without match-all or match-any, match-all is used by default

4.      Define a policy mapping list, associate withclass-map, and provide class-map with bandwidth guarantee.

5.      Apply policy-map on the target interface.

 

IV. Configuration Steps

1.      Configure a bandwidth proportion for the targetinterface.

RSR-A(config)#interface Serial 2/1

RSR-A(config-if-Serial 2/1)#max-reserved-bandwidth 95

//By default the classes may reserve at most 75% of the interface's available bandwidth; the remaining 25% is kept for control traffic such as routing protocol packets. A value of 95%-99% is recommended: it lets the link be used fully while still reserving enough for routing and negotiation packets.

2.      Classify traffic by ACL.

RSR-A(config)#access-list 100 permit ip 192.168.1.0 0.0.0.255 any     //Defines the production network data flow

RSR-A(config)#access-list 101 permit ip 172.16.1.0 0.0.0.255 any       //Defines the office network data flow

3.      Define a class mapping list, and associateclass-map with ACL.

RSR-A(config)#class-map SC             //Defines the production traffic class. Note that class names are case-sensitive

RSR-A(config-cmap)#match access-group 100

RSR-A(config-cmap)#class-map BG      //Defines the office traffic class

RSR-A(config-cmap)#match access-group 101

4.      Define a policy map, associate it with the class-maps, and give each class its bandwidth guarantee.

RSR-A(config)#policy-map ruijie

RSR-A(config-pmap)#class SC

RSR-A(config-pmap-c)#bandwidth 800     //The production traffic class is guaranteed 800 Kbps. bandwidth is the CBWFQ bandwidth guarantee keyword (unit: Kbps)

RSR-A(config-pmap-c)#class BG

RSR-A(config-pmap-c)#bandwidth 1000    //A proportion may be configured instead, e.g. bandwidth percent 50

5.      Apply policy-map on the target interface.

RSR-A(config)#interface Serial 2/1

RSR-A(config-if-Serial 2/1)#service-policy output ruijie       //Queue scheduling, which can only be applied in the output direction

 

 


V. Verification

1.      Run the show policy-map interface Serial 2/1 command to display the CBWFQ policy applied on the target interface.

 

 

1.7.2.3    LLQ

 

Features:

Low Latency Queuing (LLQ) is a feature tobring strict PQ to CBWFQ. LLQ allows traffic with a strict priority to be givenpreferential treatment and get the bandwidth before services for other CBWFQqueues.

LLQ applies strict priority queuing to CBWFQ, which reduces voice jitter. Strict priority queuing suits latency-sensitive data such as voice and video: this feature lets such data be sent first.

Though various real-time data flows can beadded to PQ, we recommend that the most demanding data such as voice and videobe added.

Differences between CBWFQ and LLQ:

(1)     CBWFQ is weighted fair, which guarantees the minimum bandwidth butcannot ensure low latency;

(2)    LLQ is an additional PQ based on CBWFQ, namely,LLQ = CBWFQ + PQ. Latency-sensitive data, such as VOIP, can be placed in PQ toensure low latency.

NOTE: Ruijie queuing mechanism has a defaultqueue. All undefined data flows are subject to the default queue. In case ofnetwork congestion, the default queue is processed with a low priority bydefault and occupies the unallocated bandwidth. This is similar to Ciscodefault queue. However, Cisco default queue needs configuration while Ruijiedefault queue needs no configuration.

I.Networking Requirements

On router RSR-A, Serial 2/1 is the outbound interface and its bandwidth is 2 Mbps. The following traffic classes need a bandwidth guarantee:

1.      Video monitoring needs low latency and 500Kbpsbandwidth guarantee.

2.      Production network traffic needs a 600Kbps bandwidth guarantee.

3.      Office network traffic needs 800Kbps bandwidthguarantee.

 

II. Network Topology

 

III. Configuration Tips

1.      Configure a bandwidth proportion for the targetinterface.

2.      Classify traffic by ACL.

3.      Define a class mapping list, and associateclass-map with ACL.

Router(config)#class-map ?

  WORD       class-map name

  match-all  Logical-AND all matching statements under this classmap      //The match condition is logical AND

  match-any  Logical-OR all matching statements under this classmap       //The match condition is logical OR

Router(config)#class-map ruijie          //If only the name is given, without match-all or match-any, match-all is used by default

4.      Define a policy mapping list, associate withclass-map, and provide class-map with bandwidth guarantee.

5.      Apply policy-map on the target interface

 

IV. Configuration Steps

1.      Configure a bandwidth proportion for the targetinterface.

RSR-A(config)#interface Serial 2/1

RSR-A(config-if-Serial 2/1)#max-reserved-bandwidth 95

//By default the classes may reserve at most 75% of the interface's available bandwidth; the remaining 25% is kept for control traffic such as routing protocol packets. A value of 95%-99% is recommended: it lets the link be used fully while still reserving enough for routing and negotiation packets.

2.      Classify traffic by ACL.

RSR-A(config)#access-list 100 permit ip 192.168.1.0 0.0.0.255 any     //Defines the video network data flow

RSR-A(config)#access-list 101 permit ip 172.16.1.0 0.0.0.255 any       //Defines the production network data flow

RSR-A(config)#access-list 102 permit ip 172.16.1.0 0.0.0.255 any       //Defines the office network data flow. As printed, ACL 102 repeats the production subnet, so class BG would never match; substitute the real office prefix here

3.      Define a class mapping list, and associateclass-map with ACL.

RSR-A(config)#class-map SP             //Defines the video traffic class. Note that class names are case-sensitive

RSR-A(config-cmap)#match access-group 100

RSR-A(config-cmap)#class-map SC      //Defines the production traffic class

RSR-A(config-cmap)#match access-group 101

RSR-A(config-cmap)#class-map BG      //Defines the office traffic class

RSR-A(config-cmap)#match access-group 102

4.      Define a policy map, associate it with the class-maps, and give each class its bandwidth guarantee.

RSR-A(config)#policy-map ruijie

RSR-A(config-pmap)#class SP

RSR-A(config-pmap-c)#priority 500          //The video traffic class is guaranteed 500 Kbps with low latency. priority is the LLQ bandwidth guarantee keyword (unit: Kbps)

RSR-A(config-pmap-c)#class SC

RSR-A(config-pmap-c)#bandwidth 600     //The production traffic class is guaranteed 600 Kbps. bandwidth is the CBWFQ bandwidth guarantee keyword (unit: Kbps)

RSR-A(config-pmap-c)#class BG

RSR-A(config-pmap-c)#bandwidth 800    //A proportion may be configured instead, e.g. bandwidth percent 50

5.      Apply policy-map on the target interface

RSR-A(config)#interface Serial 2/1

RSR-A(config-if-Serial 2/1)#service-policy output ruijie       //Queue scheduling, which can be applied only in the output direction

 

 

V. Verification

1.      Run the show policy-map interface Serial 2/1 command to display the LLQ policy applied on the target interface.

 

 

1.7.3    Traffic Control

 

I. Differences between rate-control andrate-limit:

1.       Rate-control limits the bandwidth and session count of each individual user matched by an ACL, whereas rate-limit limits the aggregate bandwidth of an ACL or an interface as a whole. They differ in control object and granularity.

2.      Rate-limit can be applied in either the input or the output direction, whereas rate-control is generally applied at the egress and covers both the upload and the download direction.

II. Differences between GTS and rate-limit:

1.      Generic Traffic Shaping (GTS) has a cache mechanism by which packetsexceeding the preset traffic are cached and the traffic is made smooth. As rate-limithas no cache mechanism, such packets are dropped directly.

2.      GTS acts after the interface queuing mechanism, whereas rate-limit acts before packets enter the queues. With rate-limit alone the queuing mechanism therefore never takes effect, while GTS can be combined with queuing to form a complete QoS guarantee mechanism.

 

1.7.3.1    Rate-Limit

 

Features:

Committed Access Rate (CAR) has two functions: rate limiting and priority marking. Every CAR statement carries a rate limit; its actions may additionally set IP Precedence or DSCP.

CAR classifies packets by their ToS or CoS value (IP Precedence or DSCP for IP packets) and by the 5-tuple (source and destination address, protocol, source and destination port), then marks them and polices the traffic.

CAR is used in traffic policing, usually forrate limit. Note the difference between rate limit and bandwidth guarantee inthe queuing mechanism.

Rate limit means that a traffic class cannotexceed the defined bandwidth value, no matter whether the link has idlebandwidth.

Bandwidth guarantee means that a trafficclass can occupy the idle bandwidth or get certain bandwidth guarantee based onpolicy in case of link congestion.

 

Scenario

A user needs tolimit the traffic rate for an interface. Once the interface traffic exceeds thethreshold, the excessive traffic is droppedwhile the traffic within the threshold is transferred. In this case, therate-limit feature may be configured.

 

I.Networking Requirements

RSR-A, a network access router, is connected to headquarters through a 10 Mbps MSTP leased line. It has three sub-interfaces, serving video, intranet data and Internet data respectively. Each service is allocated its own bandwidth, which the other services must not borrow:

1.      Video connection sub-interface is GI0/0.1 withthe rate limit of 2Mbps

2.      Intranet connection sub-interface is GI0/0.2with the rate limit of 3Mbps

3.      Internet connection sub-interface is GI0/0.3with the rate limit of 5Mbps

 

II. Network Topology

 

III. Configuration Tips

1.      Classify traffic by ACL.

2.      Configure rate-limit.

 

 

IV. Configuration Steps

1.      Classify traffic by ACL.

RSR-A(config)#access-list 100 permit ip 192.168.1.0 0.0.0.255 any     //Defines the video network data flow

2.      Configure rate-limit

RSR-A(config)#interface gigabitEthernet 0/0.1        //Enters the video sub-interface

RSR-A(config-if-GigabitEthernet 0/0.1)#rate-limit output 2000000 200000 400000 conform-action transmit exceed-action drop

RSR-A(config)#interface gigabitEthernet 0/0.2        //Enters the intranet sub-interface

RSR-A(config-if-GigabitEthernet 0/0.2)#rate-limit output 3000000 300000 600000 conform-action transmit exceed-action drop

RSR-A(config)#interface gigabitEthernet 0/0.3        //Enters the Internet sub-interface

RSR-A(config-if-GigabitEthernet 0/0.3)#rate-limit output 5000000 500000 1000000 conform-action transmit exceed-action drop

//NOTE:

1.      This is an interface-based rate limit, so no ACL is needed; the ACL defined in step 1 is not referenced by the rate-limit commands.

2.      The rate-limit command sets the limited rate (A), the token bucket size (B) and the extended burst size (C). Use the following empirical values for B and C:

B = A/10

C = A/5

Command interpretation:

Ruijie(config-if)#rate-limit { input | output } bps burst-normal burst-max conform-action action exceed-action action

input | output: direction in which the limit applies.

bps: upper limit of the traffic rate (unit: bps).

burst-normal burst-max: size of the token bucket and of the extended burst (unit: bytes).

conform-action: action for traffic within the rate limit.

exceed-action: action for traffic exceeding the rate limit.

action: one of the following.

l continue: Matches the next rate-limit statement

l drop: Drops the packet

l set-dscp-continue: Sets the DSCP field of the packet, and continues to match the next statement

l set-dscp-transmit: Sets the DSCP field of the packet, and transmits it

l set-prec-continue: Sets the IP Precedence field of the packet, and continues to match the next statement

l set-prec-transmit: Sets the IP Precedence field of the packet, and transmits it

l transmit: Transmits the packet

 

V. Verification

1.      Run the show rate-limit interface gigabitEthernet 0/0.1 command to display the rate limit applied on the target interface.

 

1.7.3.2    Rate-Control

 

Features:

Rate control prevents a single user or application from consuming too many resources (such as bandwidth). An ACL selects the controlled users; for each user in that group the permitted bandwidth, the maximum number of concurrent connections and the rate of new connections can be limited. Uplink and downlink bandwidth are controlled separately; if both are configured with the same value, the system rewrites the keyword to both. The concurrent-connection and new-connection limits are optional.

Differences betweenrate-control and rate-limit:

1.       Rate-control limits the bandwidth and session count of each individual user matched by an ACL, whereas rate-limit limits the aggregate bandwidth of an ACL or an interface as a whole. They differ in control object and granularity.

2.       Rate-limit can be applied in either the input or the output direction, whereas rate-control is generally applied at the egress and covers both the upload and the download direction.

 

Scenario

An enterprise needs to limit the traffic ofintranet users and the maximum traffic threshold of each user is the same. Oncethe traffic of a user exceeds the threshold, the excessive traffic is droppedwhile the traffic within the threshold is transferred. All users have the sametraffic behavior. In this case, the rate-control feature may be configured.

 

I.Networking Requirements

RSR-A is the egress router of a campus network. Because rates were previously unlimited, many students download with BT, Thunder or other P2P software, which congests the network and leaves insufficient bandwidth at peak hours. The network management center wants to limit downloading on the router: web browsing must stay responsive, and BT is not to be blocked outright but must not take up a large share of the bandwidth.

Two methods can be used to meet the requirements:

Method 1: Limit the bandwidth per user.

This method is direct and easy.

Method 2: Limit the number of concurrent UDP sessions per user.

Characteristics of P2P applications:

P2P clients mostly download over UDP and open connections to hundreds of peers at once. Controlling UDP on its own does not touch TCP, which web browsing uses, so limiting the number of concurrent UDP sessions per user is an effective way to throttle P2P without hurting web access.

For the second method, the bandwidth per user is set to 2 Mb/s, new UDP connections are limited to 5 per second per user, and concurrent UDP connections to 100 per user.

 

II. Network Topology

 

III. Configuration Tips

1.       Use an ACL to define the user group and protocol requiring ratelimit.

2.       Configure rate-control to control sessions per user.

 

 

IV. Configuration Steps

1.       Use an ACL to define the user group and protocol requiring ratelimit.

RSR-A(config)#ip access-list extended 199

RSR-A(config-ext-nacl)#5 deny udp any any eq domain     //Domain name resolution (DNS) is a prerequisite for opening web pages, so DNS packets must not be limited

RSR-A(config-ext-nacl)#20 deny ip any any   //Other packets, apart from DNS, are not limited either

2.       Configure rate-control to control sessions per user.

RSR-A(config)#interface GigabitEthernet 0/0        //At the egress this is generally applied on the outside interface in a NAT environment

RSR-A(config-if-GigabitEthernet 0/0)#ip rate-control 199 bandwidth both 256

//Each IP address matched by the ACL is limited to 256 Kbps in both the upload and the download direction (the both keyword); raise the value to match the per-user bandwidth you intend to allow

 

A session limit can be added as well, for example ip rate-control 199 bandwidth both 256 session total 100 rate 5       //Each IP address matched by the ACL is limited to 256 Kbps in both directions, at most 100 concurrent UDP connections, and at most 5 new UDP connections per second (the session limits are not recommended for general deployment)

 

V. Verification

1.       Run the show ip rate-control command to display the ratecontrol policy applied on the target interface.
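To show what the session part of ip rate-control ... session total 100 rate 5 enforces per user, here is a small Python model, added as an example and not Ruijie code. It counts concurrent UDP sessions and new UDP sessions per second for each inside IP address, leaves TCP and DNS (udp/53, the reason for line 5 of ACL 199) untouched, and does not model the bandwidth part. The host, peer addresses and ports are constructed for the example.

```python
"""Per-user UDP session control, as 'ip rate-control 199 ... session total 100 rate 5' does.

Added example, not Ruijie code. It models only the session part of the feature
(concurrent sessions and new sessions per second, counted per inside IP); the
per-user bandwidth part is not modelled. DNS (udp/53) is exempt, which is what
the 'deny udp any any eq domain' line of ACL 199 is for. Hosts, ports and
peers below are constructed for the example.
"""
from collections import defaultdict, deque

MAX_TOTAL = 100       # session total 100: concurrent UDP sessions allowed per user
MAX_NEW_PER_SEC = 5   # rate 5: new UDP sessions per second allowed per user
DNS_PORT = 53

class RateControl:
    def __init__(self, max_total=MAX_TOTAL, max_new_per_sec=MAX_NEW_PER_SEC):
        self.max_total = max_total
        self.max_new = max_new_per_sec
        self.sessions = defaultdict(set)     # user IP -> set of live 4-tuples
        self.new_times = defaultdict(deque)  # user IP -> start times of recent new sessions

    @staticmethod
    def exempt(flow):
        # ACL 199 line 5 'deny udp any any eq domain': DNS is never rate-controlled
        return flow["proto"] == "udp" and flow["dport"] == DNS_PORT

    def admit(self, flow, now):
        """True if the packet is forwarded, False if the session limiter drops it."""
        if flow["proto"] != "udp" or self.exempt(flow):
            return True                      # only UDP is controlled here; TCP (web) is untouched
        user = flow["src"]
        key = (flow["src"], flow["sport"], flow["dst"], flow["dport"])
        if key in self.sessions[user]:
            return True                      # a packet of an existing session costs nothing
        recent = self.new_times[user]
        while recent and now - recent[0] >= 1.0:
            recent.popleft()                 # one-second sliding window for the 'rate' limit
        if len(self.sessions[user]) >= self.max_total or len(recent) >= self.max_new:
            return False
        self.sessions[user].add(key)
        recent.append(now)
        return True

    def close(self, flow):
        """Session teardown (timeout or equivalent) frees a slot for the user."""
        self.sessions[flow["src"]].discard(
            (flow["src"], flow["sport"], flow["dst"], flow["dport"]))

def simulate_p2p_burst(n_flows=8, rc=None):
    """Hypothetical host 172.16.1.10 opens n_flows UDP peer connections 100 ms apart,
    then does a DNS lookup. Returns (peer sessions admitted, DNS admitted)."""
    rc = rc or RateControl()
    admitted = 0
    for i in range(n_flows):
        peer = {"proto": "udp", "src": "172.16.1.10", "sport": 40000 + i,
                "dst": f"203.0.113.{i + 1}", "dport": 6881}
        if rc.admit(peer, now=0.1 * i):
            admitted += 1
    dns = {"proto": "udp", "src": "172.16.1.10", "sport": 53001,
           "dst": "192.0.2.53", "dport": DNS_PORT}
    return admitted, rc.admit(dns, now=0.9)

if __name__ == "__main__":
    print(simulate_p2p_burst())            # 5 of 8 peer sessions admitted, DNS still works
```

The point of the model is the two separate counters: the rate limit throttles how fast a client can fan out to new peers, the total limit caps how many peers it can talk to at once, and neither touches web traffic. A real implementation also needs session ageing, which is what close() stands in for.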

 

1.7.4    Generic Traffic Shaping (GTS)

 

Features:

Ruijie Generic Traffic Shaping (GTS) can beused for shaping of irregular packet flows or packet flows not conforming tothe preset traffic characteristics, so as to facilitate bandwidth matchingbetween upstream and downstream.

GTS is achieved through the packet bufferzone and token bucket. When packet flows are transmitted at a high rate, thepacket flows are cached in the buffer zone and then uniformly transmitted underthe control of the token bucket.

Differences betweenGTS and rate-limit:

1.       GTS has a buffer: packets exceeding the configured rate are queued and the traffic is smoothed. Rate-limit has no buffer, so such packets are dropped directly.

2.       GTS acts after the interface queuing mechanism, whereas rate-limit acts before packets enter the queues. With rate-limit alone the queuing mechanism therefore never takes effect, while GTS can be combined with queuing to form a complete QoS guarantee mechanism.

 

Scenario

When an enterprise rents a leased line from a telecom operator, the available bandwidth may be far less than the physical bandwidth of the interface (for example on an MSTP leased line), so the operator drops the excess and user experience suffers. The remedy is to shape the outbound interface to the bandwidth the operator actually provides: excess traffic is buffered and sent on at the lower rate.

 

I.Networking Requirements

RSR-A serves as a network access router with a 2 Mbps MSTP leased line as its egress.

 

II. Network Topology

 

III. Configuration Tips

1.      Run the traffic-shape rate command on the target interface for traffic shaping.

 

 

IV. Configuration Steps

1.      Run the traffic-shape rate command on the target interface for traffic shaping.

RSR-A(config)#interface GigabitEthernet 0/0

RSR-A(config-if-GigabitEthernet 0/0)#traffic-shape rate 1900000

//NOTE:

(1)    The configuration value is 1.9Mbps (unit: bps).

(2)    Token bucket and burst parameters are optionalwhich will be automatically generated by the system, so manual configuration isnot recommended.

RSR-A(config-if-GigabitEthernet 0/0)#traffic-shape rate 2000000 ?

<0-100000000> Bits per interval,sustained

<cr>

Tips:

The operator provides a 2Mbps MSTP link, but the configured value is 1.9Mbps, because 2Mbps is the design value and the usable rate in practice may be lower. Any gap between the design value and the actual value degrades QoS. For example, if the actual rate is 1.9Mbps but GTS is configured for 2Mbps, then at 1.99Mbps of traffic the queuing mechanism does not engage, while 0.09Mbps is already being dropped by the operator, and high-priority packets are dropped in the same proportion as everything else. QoS cannot be guaranteed in that case.

2.       Empirical values:

Ethernet link: 95% of the bandwidth provided by the operator.

ATM link: 80% of the bandwidth provided by the operator. NOTE: QoS is an IP-layer function; once the data enters the ATM interface and is segmented into cells, extra overhead is added. With 10Mbps of ATM bandwidth and a GTS rate of 8Mbps, the IP traffic plus ATM cell overhead comes to approximately 10Mbps.

 

V. Verification

1.      Run the show queue interface gigabitEthernet 0/0 command to display the policy applied on the target interface.
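The difference between rate-limit (section 1.7.3.1) and GTS (this section) is easiest to see by pushing the same burst through both. The Python below is an added example, not Ruijie code: one token bucket filled at the configured rate serves as a CAR policer (exceed-action drop) and as a shaper (excess waits and leaves as tokens accrue), with the bucket sized by the page's rule of thumb B = A/10. Units follow the page (rate in bps, bucket in bytes); only burst-normal is modelled, not the burst-max extended burst; the 300-packet burst is constructed.

```python
"""Token-bucket policer (rate-limit/CAR) versus shaper (GTS) on the same burst.

Added example, not Ruijie code. Both use one token bucket filled at the
configured rate; the policer drops packets that find too few tokens
(exceed-action drop), the shaper holds them and releases them as tokens
accrue, which is the difference between rate-limit and GTS described above.
Units follow the page: rate in bps, bucket size in bytes. Only burst-normal
is modelled; the burst-max extended burst is not. The burst below is constructed.
"""

def car_params(rate_bps):
    """Page's rule of thumb for the CAR bucket: burst-normal = A/10, burst-max = A/5
    (A is the rate in bps; the results are used as byte values)."""
    return rate_bps // 10, rate_bps // 5

class TokenBucket:
    """Tokens are bytes; the bucket fills at rate_bps/8 bytes per second up to depth_bytes."""
    def __init__(self, rate_bps, depth_bytes):
        self.rate_bytes_per_s = rate_bps / 8.0
        self.depth = float(depth_bytes)
        self.tokens = float(depth_bytes)    # starts full, so an initial burst of 'depth' bytes passes
        self.last = 0.0

    def refill(self, now):
        self.tokens = min(self.depth, self.tokens + (now - self.last) * self.rate_bytes_per_s)
        self.last = now

    def take(self, nbytes, now):
        self.refill(now)
        if self.tokens >= nbytes:
            self.tokens -= nbytes
            return True
        return False

def police(packets, rate_bps, burst_bytes):
    """rate-limit ... conform-action transmit exceed-action drop.
    packets: list of (arrival_time_s, size_bytes). Returns (transmitted, dropped)."""
    tb = TokenBucket(rate_bps, burst_bytes)
    sent, dropped = [], []
    for t, size in packets:
        (sent if tb.take(size, t) else dropped).append((t, size))
    return sent, dropped

def shape(packets, rate_bps, burst_bytes):
    """traffic-shape rate: nothing is dropped; a packet that finds too few tokens waits
    in the shaping queue until the bucket has refilled. Returns (arrival, departure, size).
    A packet larger than the bucket could never be sent, so it is rejected up front."""
    tb = TokenBucket(rate_bps, burst_bytes)
    departures = []
    clock = 0.0                              # time the previous packet left the queue
    for t, size in packets:
        if size > tb.depth:
            raise ValueError("packet larger than bucket depth")
        clock = max(clock, t)                # FIFO: a packet cannot leave before its predecessor
        tb.refill(clock)
        if tb.tokens < size:
            clock += (size - tb.tokens) / tb.rate_bytes_per_s
            tb.refill(clock)
            tb.tokens = max(tb.tokens, float(size))   # guard float rounding at the boundary
        tb.tokens -= size
        departures.append((t, clock, size))
    return departures

def burst(n_packets, size=1500, at=0.0):
    """Constructed input: n_packets of 'size' bytes all arriving at time 'at'."""
    return [(at, size) for _ in range(n_packets)]

def compare(rate_bps=2_000_000, n_packets=300):
    """Run the same burst (300 x 1500 bytes = 450 kB) through policer and shaper at rate_bps."""
    burst_normal, _burst_max = car_params(rate_bps)
    pkts = burst(n_packets)
    sent, dropped = police(pkts, rate_bps, burst_normal)
    shaped = shape(pkts, rate_bps, burst_normal)
    return {"policer_sent": len(sent), "policer_dropped": len(dropped),
            "shaper_sent": len(shaped), "shaper_last_departure_s": round(shaped[-1][1], 6)}

if __name__ == "__main__":
    print(compare())
```

At 2 Mbps with a 200,000-byte bucket, the policer passes the first 133 packets of the burst and drops the other 167 outright, while the shaper delivers all 300, the last of them one second later: 250,000 bytes had to be earned at 250,000 bytes per second. That delay is the buffer the page refers to, and it is what lets the queuing mechanism act on the backlog instead of losing it.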

 

1.7.5    QoS Implementation Guide

 

Features:

The implementation of QoS is an integrationof "traffic classification and marking", "congestion management(queuing mechanism)" and "traffic shaping" rather than merelythe applying of queuing mechanism.

CBWFQ and LLQ must be combined with GTS whenever the outbound interface is faster than the leased line behind it; otherwise the interface never congests and the queues never engage.

NOTE: Ruijie queuing mechanism has a defaultqueue. All undefined data streams are subject to the default queue. In case ofnetwork congestion, the default queue is processed with a low priority bydefault and occupies the unallocated bandwidth. This is similar to Ciscodefault queue. However, Cisco default queue needs configuration while Ruijiedefault queue needs no configuration.

 

I.Networking Requirements

RSR-A is a financial access router whose outbound interface GI0/0 connects to a leased 2 Mbps MSTP line. The following traffic classes must receive bandwidth guarantees through LLQ, and each must be marked so that it can be controlled downstream:

1.      Video monitoring needs low latency and 500Kbpsbandwidth guarantee, and IP precedence is set to 5

2.      Production network traffic needs 600Kbpsbandwidth guarantee, and IP precedence is set to 4

3.      Office network traffic needs 800Kbps bandwidthguarantee, and IP precedence is set to 2

 

II. Network Topology

 

III. Configuration Tips

1.      Traffic class marking

2.      LLQ queuing policy configuration

(1)    Configure a bandwidth proportion.

(2)    Classify traffic by ACL.

(3)    Define a class mapping list, and associateclass-map with ACL.

(4)    Define a policy mapping list, associate withclass-map, mark class-map classes and apply a QoS policy.

(5)    Apply policy-map on the target interface.

3.      GTS configuration

 

IV. Configuration Steps

a)      Traffic class marking

Trafficclasses can be marked either in input direction or output direction with the class-map, CAR or PBR method.

In the LLQ or CBWFQ scenario the class-map method is recommended for marking: the marking is configured in the same policy-map as the LLQ or CBWFQ guarantees, which keeps the configuration compact.

Thefollowing procedure marks traffic classes with the class-map method. If other marking methodsare needed, refer to the section "Traffic Classification and Marking"(Typical Configuration--->QoS--->Traffic Classification and Marking).

2.      LLQ queuing policy configuration

(1)    Configure a bandwidth proportion.

RSR-A(config)#interface GigabitEthernet 0/0

RSR-A(config-if-GigabitEthernet 0/0)#max-reserved-bandwidth 95

//By default the classes may reserve at most 75% of the interface's available bandwidth; the remaining 25% is kept for control traffic such as routing protocol packets. A value of 95%-99% is recommended: it lets the link be used fully while still reserving enough for routing and negotiation packets.

(2)    Classify traffic by ACL.

RSR-A(config)#access-list 100 permit ip 192.168.1.0 0.0.0.255 any     //Defines the video network data flow

RSR-A(config)#access-list 101 permit ip 172.16.1.0 0.0.0.255 any       //Defines the production network data flow

RSR-A(config)#access-list 102 permit ip 172.16.1.0 0.0.0.255 any       //Defines the office network data flow. As printed, ACL 102 repeats the production subnet, so class BG would never match; substitute the real office prefix here

(3)    Define a class mapping list, and associateclass-map with ACL.

RSR-A(config)#class-map SP             //Defines the video traffic class. Note that class names are case-sensitive

RSR-A(config-cmap)#match access-group 100

RSR-A(config-cmap)#class-map SC      //Defines the production traffic class

RSR-A(config-cmap)#match access-group 101

RSR-A(config-cmap)#class-map BG      //Defines the office traffic class

RSR-A(config-cmap)#match access-group 102

(4)    Define a policy mapping list, associate withclass-map, mark class-map classes and apply a QoS policy.

RSR-A(config)#policy-map ruijie

RSR-A(config-pmap)#class SP

RSR-A(config-pmap-c)#priority 500    //The video traffic class is guaranteed 500 Kbps with low latency. priority is the LLQ bandwidth guarantee keyword (unit: Kbps)

RSR-A(config-pmap-c)#set ip precedence 5 //Marks IP Precedence in the same class that carries the bandwidth guarantee

RSR-A(config-pmap-c)#class SC

RSR-A(config-pmap-c)#bandwidth 600     //The production traffic class is guaranteed 600 Kbps. bandwidth is the CBWFQ bandwidth guarantee keyword (unit: Kbps)

RSR-A(config-pmap-c)#set ip precedence 4 //Marks IP Precedence in the same class that carries the bandwidth guarantee

RSR-A(config-pmap-c)#class BG

RSR-A(config-pmap-c)#bandwidth 800    //A proportion may be configured instead, e.g. bandwidth percent 50

RSR-A(config-pmap-c)#set ip precedence 2   //Marks IP Precedence in the same class that carries the bandwidth guarantee

(5)    Apply policy-map on the target interface.

RSR-A(config)#interface GigabitEthernet 0/0

RSR-A(config-if-GigabitEthernet 0/0)#service-policy output ruijie       //Queue scheduling, which can only be applied in the output direction

3.      GTS configuration

RSR-A(config-if-GigabitEthernet 0/0)#traffic-shape rate 1900000

//Tips:

(1)    Purpose: GI0/0 is a Gigabit full-duplex interface connected to the MSTP line.

The queuing mechanism only acts when the interface is congested. A Gigabit interface in front of a 2Mbps line never congests locally; packets are dropped at the operator end instead. GTS shapes the traffic and gives the QoS module a reference bandwidth, so that the link counts as congested once the traffic exceeds the shaped rate and the queuing mechanism is scheduled on demand.

(2)    The operator provides a 2Mbps MSTP link, but the configured value is 1.9Mbps, because 2Mbps is the design value and the usable rate in practice may be lower. Any gap between the design value and the actual value degrades QoS. For example, if the actual rate is 1.9Mbps but GTS is configured for 2Mbps, then at 1.99Mbps of traffic the queuing mechanism does not engage, while 0.09Mbps is already being dropped by the operator, and high-priority packets are dropped in the same proportion as everything else. QoS cannot be guaranteed in that case.

(3)    Empirical values:

Ethernet link: 95% of the bandwidth provided by the operator.

ATM link: 80% of the bandwidth provided by the operator. NOTE: QoS is an IP-layer function; once the data enters the ATM interface and is segmented into cells, extra overhead is added. With 10Mbps of ATM bandwidth and a GTS rate of 8Mbps, the IP traffic plus ATM cell overhead comes to approximately 10Mbps.

 

//Remarks:

bandwidth: a guarantee taken from the remaining available interface bandwidth (unit: Kbps)

percent: a guarantee expressed as a share of all available interface bandwidth

All available bandwidth is 75% of the interface bandwidth by default; the proportion can be adjusted with the max-reserved-bandwidth command. If GTS traffic shaping is configured on the interface, the available bandwidth is that proportion of the shaped rate, not of the physical interface rate.

 

V. Verification

1.      Run the show policy-map interface command to display LLQpolicy on the target interface.

2.      Run the show queue interface gigabitEthernet 0/0 command to display GTS and queue scheduling on the target interface.
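The bandwidth rules scattered through the CBWFQ, LLQ and implementation-guide sections (at most max-reserved-bandwidth percent of the available bandwidth may be reserved, the available bandwidth is the shaped rate once GTS is configured, bandwidth percent is a share of that, and the default queue gets what is left) are easy to violate by hand. The following Python check, added here as an example and not Ruijie code, encodes those rules and runs the page's own three scenarios through them; the shaping_rate_bps helper applies the page's 95%/80% empirical values. The class lists and rates are the ones printed above; nothing else is assumed.

```python
"""Bandwidth budget check for a CBWFQ/LLQ policy-map, with GTS taken into account.

Added example, not Ruijie code. It encodes the rules the page states: the classes
of a policy-map may reserve at most max-reserved-bandwidth percent (75 by default)
of the interface's available bandwidth; when traffic-shape is configured the
available bandwidth is the shaped rate, not the physical interface rate;
'bandwidth percent' is a share of that available bandwidth; the default queue
gets whatever is left unallocated. Class lists below are the page's examples.
"""

EMPIRIC_SHAPE_FACTOR = {"ethernet": 0.95, "atm": 0.80}   # page's empirical GTS values

def shaping_rate_bps(operator_kbps, link_type="ethernet"):
    """traffic-shape rate (bps) to configure for a leased line of operator_kbps."""
    return int(round(operator_kbps * 1000 * EMPIRIC_SHAPE_FACTOR[link_type]))

def check_policy(classes, interface_kbps, max_reserved_pct=75, shape_rate_bps=None):
    """classes: list of {'name', 'kind': 'priority'|'bandwidth'|'percent', 'value'}
    ('priority'/'bandwidth' values in kbps, 'percent' in percent of available bandwidth)."""
    available = shape_rate_bps / 1000.0 if shape_rate_bps else float(interface_kbps)
    reservable = available * max_reserved_pct / 100.0
    committed = 0.0
    for c in classes:
        if c["kind"] == "percent":
            committed += available * c["value"] / 100.0
        else:
            committed += float(c["value"])
    problems = []
    if committed > reservable:
        problems.append(f"classes reserve {committed:.0f} kbps but only {reservable:.0f} kbps "
                        f"({max_reserved_pct}% of {available:.0f} kbps) can be reserved")
    elif committed == reservable:
        problems.append("nothing left unallocated: the default queue only gets bandwidth a class leaves idle")
    return {"ok": committed <= reservable,
            "available_kbps": available, "reservable_kbps": reservable,
            "committed_kbps": committed, "default_queue_kbps": max(0.0, reservable - committed),
            "problems": problems}

# The page's scenarios: CBWFQ on Serial 2/1, LLQ on Serial 2/1, LLQ on a shaped GI0/0.
CBWFQ_CLASSES = [{"name": "SC", "kind": "bandwidth", "value": 800},
                 {"name": "BG", "kind": "bandwidth", "value": 1000}]
LLQ_CLASSES = [{"name": "SP", "kind": "priority", "value": 500},
               {"name": "SC", "kind": "bandwidth", "value": 600},
               {"name": "BG", "kind": "bandwidth", "value": 800}]

def page_scenarios():
    """Evaluate each configuration on the page, with and without max-reserved-bandwidth 95."""
    return {
        "cbwfq_serial_default_75": check_policy(CBWFQ_CLASSES, 2000),
        "cbwfq_serial_95": check_policy(CBWFQ_CLASSES, 2000, max_reserved_pct=95),
        "llq_serial_95": check_policy(LLQ_CLASSES, 2000, max_reserved_pct=95),
        "llq_gi0_0_shaped_1900000": check_policy(LLQ_CLASSES, 1_000_000, max_reserved_pct=95,
                                                 shape_rate_bps=shaping_rate_bps(2000)),
    }

if __name__ == "__main__":
    for name, result in page_scenarios().items():
        print(name, "OK" if result["ok"] else "OVER", result["problems"])
```

Two results are worth noting. The CBWFQ configuration (800 + 1000 kbps) only fits because step 1 raised max-reserved-bandwidth to 95%: with the 75% default it is over budget on a 2 Mbps line. And by the page's own remark that available bandwidth becomes the shaped rate, the implementation-guide policy (500 + 600 + 800 = 1900 kbps) exceeds the 1805 kbps reservable at 95% of the 1.9 Mbps shaped GI0/0, so on a platform that enforces the remark one of the three reservations has to shrink, or the policy has to be re-expressed with bandwidth percent.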

      Solution Configuration Guide

1.1     4G Solutions

1.1.1    4G Products and Common Commands

Ruijie 4G Routers


Ruijie 4G routers fall into two types: boxrouters and SIC-4G line cards connected to devices. The following is anintroduction to the two types of devices.

1.      Box Routers

A box router is commonly known as a 4G mobile router: it has a built-in 4G module and can be used on its own. Box routers include the RSR820-T and RSR10-01G-T series. They are divided into specific models according to ISP standard and function, which can be told apart by the model name (the specific model and hardware version are printed on the label on the base of the router).

The following is the naming rule of Ruijiebox routers.

T indicates 4G.

W indicates that WiFi function is supported.

M indicates application in the car scenario.

A indicates that all 7 communication modes for 2G, 3G and 4G are supported.

For example, RSR820-TW (MA) indicates thatthis model has 4G and WiFi functions, is applicable to the car scenario, andsupports 7 modes.

2.      SIC-4G-LTE Line Cards

A SIC-4G-LTE line card supports all 7 communication modes for 2G, 3G and 4G. A line card cannot be used on its own; it must be installed in an access router host of a supported model. The supported hosts are RSR1002E/RSR2004E/RSR20-14E and RSR20-14F, with the following version requirements:

RSR1002E/RSR2004E: 10.4(3b35), Release(183253) and later versions; the latest version is recommended. The host hardware version is not restricted.

RSR20-14E/F: 10.4(3b34), Release(183259) and later versions; the latest version is recommended. The host hardware version is restricted: only hosts with hardware version V1.2 or later are supported; hardware V1.1 is not supported.

 

Common Commands

1.      4G Interface Type

All 4G interfaces on 4G devices are Cellular interfaces. On box routers such as the RSR820-T and RSR10-01G-T series the interface is Cellular 0/0 by default. On SIC-4G-LTE line cards the interface is Cellular x/0 (x indicates the slot number of the module).

2.      Command Interpretation

1)     Configuring the APN number

Ruijie(config-if-Cellular0/0)#profile create master apn apn-string        //(Optional) The apn-string is the APN string assigned by the ISP. For public network dial-up, the APN is generated automatically.

 

2)     Configuring the user name and password

Ruijie(config-if-Cellular0/0)#profile create master username uname password 0 pw      //(Optional) Sets the dial-up user name and password to uname and pw.

 

3)     Selecting the 4G network access mode

Ruijie(config-if-Cellular0/0)#plmn mode { auto | manual } { cdma-1x | cdma2000 | fdd-lte | gsm | lte | td-lte | td-scdma }     //Configures the ISP access mode. auto selects the access mode automatically; manual forces the specified mode. Manual selection is generally not needed, and 4G is the primary choice.

 

4)     Configuring authentication mode switch

profile authtype pap_protocol | chap_protocol | papchap_protocol

 

5)     Configuring communication link detection

Ruijie(config)#ip rns 1
Ruijie(config-ip-rns)#icmp-echo 10.1.1.1 out-interface cellular 0/0
Ruijie(config-ip-rns-icmp-echo)#timeout 1000
Ruijie(config-ip-rns-icmp-echo)#frequency 1000
Ruijie(config)#track 1 rns 1
Ruijie(config-track)#delay down 2
Ruijie(config-track)#delay up 2
Ruijie(config-if-Cellular0/0)#profile create master track track_id

//(Recommended) Configuring TRACK enables real-time detection of the communication status of the link and re-dials after an interruption, so that the link recovers promptly.

Explanation of the traffic consumed by the TRACK configuration:

Note: Configuring TRACK support for link detection may incur extra traffic charges. The calculation formula is as follows.

Size of one ICMP request/reply packet = 100 (ICMP header + payload) + 20 (IP header) = 120 bytes

Traffic generated in one detection cycle = 120 (ICMP request) + 120 (ICMP reply) = 240 bytes

If one detection cycle is 10 seconds, traffic generated in one day = 240*6*60*24 = 2073600 bytes = 2.07 MB.

If one detection cycle is 10 seconds, traffic generated in one month = 2.07*30 = 62.1 MB.
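The TRACK behaviour described above (the track object changing state only after the probes have disagreed with it for the whole delay window, and the per-cycle traffic cost) can be checked offline with the following Python model. It is an added example written for this page, not Ruijie code: the RNS/TRACK semantics are simplified from the manual's description, the probe histories are constructed, and the traffic function generalises the manual's 10-second formula to other cycle lengths, such as the 3-second cycle used in the VPN scenarios later in this guide.

```python
"""Model of the RNS probe / TRACK object behaviour described in the manual.

Added example, not Ruijie code. Semantics modelled: one ICMP probe every
`frequency_s` seconds; the track object goes DOWN only after probes have failed
continuously for `delay_down` seconds and back UP after `delay_up` seconds of
continuous success. Packet sizes reuse the manual's figures (100 bytes ICMP
header + payload, 20 bytes IP header).
"""

ICMP_PACKET_BYTES = 100 + 20   # ICMP header + payload, plus IP header (manual's figures)


def probe_traffic_bytes(cycle_s, days=1, packet_bytes=ICMP_PACKET_BYTES):
    """Bytes consumed by the request/reply pair of every detection cycle over `days` days."""
    per_cycle = 2 * packet_bytes              # one ICMP request + one ICMP reply
    cycles = days * 24 * 60 * 60 / cycle_s    # number of detection cycles in the period
    return int(per_cycle * cycles)


def run_track(probe_results, frequency_s, delay_up, delay_down, initial="UP"):
    """Replay a sequence of probe outcomes through the track delay logic.

    probe_results: list of bool, True when the echo reply arrived, sampled at
    t = 0, frequency_s, 2*frequency_s, ...
    Returns the list of (time_s, new_state) transitions the track object makes.
    """
    state = initial
    contrary_since = None   # time at which the probes started disagreeing with `state`
    transitions = []
    for i, reply_received in enumerate(probe_results):
        t = i * frequency_s
        rns_state = "UP" if reply_received else "DOWN"
        if rns_state == state:
            contrary_since = None           # any agreeing probe resets the delay timer
            continue
        if contrary_since is None:
            contrary_since = t
        delay = delay_down if rns_state == "DOWN" else delay_up
        if t - contrary_since >= delay:     # probes disagreed for the whole delay window
            state = rns_state
            transitions.append((t, state))
            contrary_since = None
    return transitions


if __name__ == "__main__":
    # Constructed probe histories with the manual's recommended settings:
    # frequency 10 s, delay up 30 down 30. One isolated timeout (a blip) must
    # not cause a redial; five consecutive timeouts must.
    blip = [True, False, True, True]
    outage = [True, True, False, False, False, False, False,
              True, True, True, True, True]
    print("blip:", run_track(blip, 10, 30, 30))        # []
    print("outage:", run_track(outage, 10, 30, 30))    # [(50, 'DOWN'), (100, 'UP')]
    print("bytes/day at 10 s:", probe_traffic_bytes(10))            # 2073600
    print("bytes/month at 10 s:", probe_traffic_bytes(10, days=30))  # 62208000
    # The 3 s cycle used in the VPN scenarios costs more than three times as much.
    print("bytes/month at 3 s:", probe_traffic_bytes(3, days=30))    # 207360000
```

A single lost probe never triggers a redial, because any successful reply resets the delay timer; only a run of failures spanning the whole delay window does. Lowering the frequency or the delay speeds up switchover, but the monthly traffic grows in inverse proportion to the cycle length.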

6)     Configuring the interesting traffic to trigger dial-up

Ruijie(config)#access-list 100 permit ip any host 7.7.7.7
Ruijie(config)#interface cellular 0/0
Ruijie(config-if-Cellular0/0)#apply detect dial-list 100
Ruijie(config-if-Cellular0/0)#apply dial-on-demand

//Configures the interesting traffic that triggers dial-up. ACL 100 is used as the condition for triggering 4G dial-up, that is, an IP packet with any source IP address and the destination IP address 7.7.7.7 triggers 4G dial-up.

 

7)      Configuring a backup wired link on the 4G interface

Ruijie(config)#interface cellular 0/0
Ruijie(config-if-Cellular0/0)#apply detect interface vlan 10 track 10
Ruijie(config-if-Cellular0/0)#apply dial-on-demand

//Enables disaster recovery detection on the 4G interface. When the returned status of track object 10 is DOWN, the 4G interface automatically dials up. When the returned status of track object 10 is UP, the 4G interface stops dialing.

 

1.1.2    4G Typical Scenario Configuration Guide

4G-based Internet Access Scenario

4G Router as Internet NAT Egress

Features

A 4G router dials in to the 4G network of an ISP to provide Internet services for the clients connected to the router.

 

Scenario

1. New communities or remote areas that the ISP's ADSL/PON lines cannot reach can access Internet resources via the 4G network.

2. Internet services are needed in mobile scenarios (such as mobile office and on-board WiFi).

I.Networking Requirements

Several intranet users are connected to the 4G router. The 4G router dials in to the Internet via 4G to provide Internet access for the intranet users.

II. Network Topology

III. Configuration Tips

1.      Configure the 4G interface of the router to dial in 4G Internet.

2.      Configure a default route.

3.      Configure TRACK support for the 4G interface. (Recommended)

4.      Configure intranet services (intranet gateway and DHCP).

5.      Configure a NAT policy.

IV. Configuration Steps

1.      Configure the 4G interface of the router to dialin 4G Internet.

The 4G router dials in to the Internet on its 4G interface without manual configuration. After a 4G card is inserted, the device automatically detects the 4G network type and performs 4G dial-up with the default APN account (APN: cmnet; password: blank).

Run the show ip interface and show cellular info commands to check whether dial-up is successful.

2.      Configure a default route.

ip route 0.0.0.0 0.0.0.0 cellular 0/0

 

3.      Configure TRACK support for the 4G interface.(Recommended)

ip rns 1
 icmp-echo 8.8.8.8 out-interface cellular 0/0  //It is recommended to change the detection address 8.8.8.8 to the local Internet DNS address so as to reduce delay and packet loss and ensure accurate link detection.
 frequency 10000      //The detection frequency is 10 seconds. It can be lowered to speed up switchover in case of faults.
 timeout 10000      //The per-packet timeout is 10 seconds. It can be lowered to speed up switchover in case of faults.
track 1 rns 1
 delay up 30 down 30 //If all detection packets fail to reach the peer end within 30 seconds, the track status is changed to DOWN and dial-up is triggered again. If all detection packets reach the peer end within 30 seconds, the track status is changed to UP.
exit
interface cellular 0/0
 profile create master track 1

 

Note: Configuring TRACK support for link detection may incur extra traffic charges. The calculation formula is as follows.

Size of one ICMP request/reply packet = 100 (ICMP header + payload) + 20 (IP header) = 120 bytes

Traffic generated in one detection cycle = 120 (ICMP request) + 120 (ICMP reply) = 240 bytes

If one detection cycle is 10 seconds, traffic generated in one day = 240*6*60*24 = 2073600 bytes = 2.07 MB.

If one detection cycle is 10 seconds, traffic generated in one month = 2.07*30 = 62.1 MB.

In actual application, it is recommended to set the detection cycle to 10 seconds.

4.      Configure intranet services (intranet gatewayand DHCP).

a)      Configure the intranet gateway.

interface vlan 1
 ip address 192.168.1.1 255.255.255.0       //Sets the IP address of the intranet gateway to 192.168.1.1.

 

b)      Configure DHCP services (as required).

service dhcp
ip dhcp pool ruijie
 network 192.168.1.0 255.255.255.0
 dns-server 8.8.8.8 6.6.6.6           //Configures the primary/secondary DNS servers, which differ by ISP and province. It is recommended to configure the local DNS servers after confirming them with the ISP, to ensure fast DNS resolution.
 default-router 192.168.1.1
ip dhcp excluded-address 192.168.1.1

 

5.      Configure a NAT policy.

interface vlan 1
 ip nat inside
interface cellular 0/0
 ip nat outside
ip access-list standard 10
 10 permit 192.168.1.0 0.0.0.255
ip nat inside source list 10 interface cellular 0/0 overload
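The NAT egress configured in steps 4 and 5, together with the interesting-traffic ACL from the command reference (access-list 100) and the camera flow ACL from the video scenario later in this guide (ACL 101), can be modelled offline to see why an inside host can initiate traffic through the overload NAT but cannot be reached from outside first. The following Python is an added example written for this page, not Ruijie code: it parses the ACL syntax used on this page and applies port address translation the way the ip nat inside source list 10 interface cellular 0/0 overload statement does. The outside address 10.230.7.181 is the one the manual's show ip interface brief output shows the Cellular interface obtaining; the sequential outside port range starting at 1024 and the sample flows are this example's assumptions.

```python
"""Added example, not Ruijie code: ACL matching plus overload NAT (PAT) model."""
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")


def wildcard_match(addr, network, wildcard):
    """IOS-style wildcard mask: a 0 bit must match, a 1 bit is 'don't care'."""
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(network)) & care)


def _is_ipv4(token):
    try:
        ipaddress.IPv4Address(token)
        return True
    except ipaddress.AddressValueError:
        return False


def _parse_addr(toks):
    """Consume one address spec (`any`, `host X`, `X W`, or bare `X`) from toks."""
    if toks[0] == "any":
        return ANY, toks[1:]
    if toks[0] == "host":
        return (toks[1], "0.0.0.0"), toks[2:]
    if len(toks) > 1 and _is_ipv4(toks[1]):
        return (toks[0], toks[1]), toks[2:]
    return (toks[0], "0.0.0.0"), toks[1:]


def parse_ace(line):
    """Return (action, protocol, src, dst) for one access-list entry as written on the page."""
    toks = line.split("//")[0].split()
    if toks[0] == "access-list":
        toks = toks[2:]                    # global form: drop keyword and list number
    if toks[0].isdigit():
        toks = toks[1:]                    # drop sequence number
    action, toks = toks[0], toks[1:]
    proto = None                           # standard ACL: no protocol field
    if toks[0] in ("ip", "tcp", "udp", "icmp"):
        proto, toks = toks[0], toks[1:]
    src, toks = _parse_addr(toks)
    dst = _parse_addr(toks)[0] if toks else ANY
    return action, proto, src, dst


def acl_permits(entries, src_ip, dst_ip, proto="tcp"):
    """First matching entry wins; no match is the implicit deny."""
    for action, ace_proto, src, dst in entries:
        if ace_proto not in (None, "ip", proto):
            continue
        if wildcard_match(src_ip, *src) and wildcard_match(dst_ip, *dst):
            return action == "permit"
    return False


class PatTable:
    """Port address translation for inside hosts matched by `acl` (the `overload` keyword)."""

    def __init__(self, outside_ip, acl, first_port=1024):
        self.outside_ip = outside_ip
        self.acl = acl
        self.next_port = first_port        # assumption: sequential allocation from 1024
        self.outbound_map = {}             # (in_ip, in_port, dst_ip, dst_port) -> outside port
        self.inbound_map = {}              # outside port -> (in_ip, in_port)

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Translate an inside-to-outside packet; None means it is not subject to NAT."""
        if not acl_permits(self.acl, src_ip, dst_ip):
            return None
        key = (src_ip, src_port, dst_ip, dst_port)
        if key not in self.outbound_map:   # new flow: allocate an outside port
            self.outbound_map[key] = self.next_port
            self.inbound_map[self.next_port] = (src_ip, src_port)
            self.next_port += 1
        return (self.outside_ip, self.outbound_map[key], dst_ip, dst_port)

    def inbound(self, dst_port):
        """Look up a packet arriving at the outside address; None means no mapping, so it is dropped."""
        return self.inbound_map.get(dst_port)


# ACL entries as written on this page.
NAT_ACL = [parse_ace("10 permit 192.168.1.0 0.0.0.255")]
DIAL_LIST_100 = [parse_ace("access-list 100 permit ip any host 7.7.7.7")]
VIDEO_ACL_101 = [parse_ace("10 permit ip host 192.168.1.2 66.1.1.0 0.0.0.255")]


def demo():
    """Camera registers upstream (translated); the server's reply maps back; an unsolicited
    connection from the server to the camera finds no mapping. Ports are constructed."""
    pat = PatTable("10.230.7.181", NAT_ACL)
    camera_out = pat.outbound("192.168.1.2", 40000, "66.1.1.10", 554)
    reply = pat.inbound(camera_out[1])
    unsolicited = pat.inbound(554)
    return camera_out, reply, unsolicited


if __name__ == "__main__":
    print(demo())   # (('10.230.7.181', 1024, '66.1.1.10', 554), ('192.168.1.2', 40000), None)
```

The last value of demo() is the double-NAT disadvantage described in the next section in miniature: with no existing mapping, a packet that the server sends first is dropped at the outside address, and the ISP's own NAT in front of the 10.x.x.x cellular address adds a second such barrier.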

 

V. Verification

1.       On the 4G client router, run the show ip interface brief command to confirm that the Cellular interface has obtained an IP address and both "status" and "protocol" are UP.

Ruijie#show ip interface brief
Interface      IP-Address(Pri)         IP-Address(Sec)      Status        Protocol
Cellular0/0     10.230.7.181/32      no address             up             up                       //The Cellular interface has obtained an IP address, indicating successful 4G dial-up.

 

2.      The router can ping the address of the public network.

Ruijie#ping 8.8.8.8
Sending 5, 100-byte ICMP Echoes to 192.168.0.111, timeout is 2 seconds:
  <press Ctrl+C to break >
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

 

3.      The PC connected to the intranet interface automatically obtains an IP address and can access the Internet.

 

 

4G-based Internal Private Network Data Intercommunication

Internet-based Networking

Internet-based Video and Data Transmission Solution

I. Internet-based 4G Router Solution for Video and Data Transmission

The 4G SIM card carried by a 4G router is a public network card of an ISP, namely a common network card. The IP address automatically obtained by the 4G interface is assigned by the ISP. The 4G router uses this public network address to communicate directly with the egress devices at the aggregation end via the Internet.

For Internet-based networking, two solutions are available for communication between the 4G router and the aggregation center: the NAT solution and the VPN solution.

NAT Solution:

(The access end can actively reach the aggregation end, while the aggregation end cannot actively reach the access end.)

 

Advantages: The 4G router only provides the basic NAT function, and deployment is simple. The camera can actively register with the upper server through NAT, so that it is managed by the upper end and returns video.

Disadvantages: Managing the intranet camera is complicated. The camera passes through double NAT: the NAT configured on the 4G router and the NAT at the ISP egress (the 4G interface of the 4G router first obtains an internal private network address of the ISP, which is then translated again to access the ISP's Internet), so the upper server cannot access or manage the camera directly by IP address. Video surveillance device manufacturers have all released their own solutions for this, so confirm the specific solution with the DVR vendor.

Networking Requirements:

1.      The 4G SIM card is a common SIM card with the Internet function enabled (it obtains a dynamic IP address).

2.      The headquarters has an Internet egress with a fixed IP address (if the address is dynamic, a dynamic domain name should be deployed and the lower camera should support registration by domain name).

3.      The headquarters is equipped with a video server which is mapped to the Internet on the egress device.

VPN Solution:

(The 4G router and the central aggregation router can reach each other.)

Advantages: As the 4G router and the upper aggregation router establish a VPN connection, the camera and the upper video server are in the same intranet and the IP address of the camera is fixed, which facilitates management.

Disadvantages: The VPN function must be deployed on both the 4G router and the central aggregation router, and (static or dynamic) routes on both ends must be set up, making deployment and maintenance of the network devices more difficult.

Networking Requirements:

1.      If L2TP or IPSec VPN is deployed, the 4G SIM card can be a common SIM card with the Internet function enabled (it obtains a dynamic IP address).

2.      If GRE VPN is deployed, the 4G SIM card must obtain a static public network IP address.

3.      The headquarters has an Internet egress with a fixed IP address (if the address is dynamic, a dynamic domain name should be deployed).

4.      Egress devices on both ends support VPN (L2TP/IPSec/GRE VPN).

1.1.2.1    NAT Networking Solution (for Video or Data Transmission)

Features

A 4G router dials in to the 4G network of an ISP to provide Internet services for the cameras connected to the router.

Scenario

Video needs to be returned via the 4G network (the camera actively transmits data to the central server).

I.Networking Requirements

1.      The camera can actively register with the upper server through NAT, and the upper server can manage it and retrieve video from it. Note that:

1)       After a common 4G SIM card is used to dial in to the Internet, the 4G router first obtains a private network address, so traffic from the camera to the public network passes through double NAT. (The IP address obtained is a private network address in 10.x.x.x. Even after the camera is mapped on the 4G router, it still cannot be reached from the Internet.)

2)       As different manufacturers have surveillance devices of different models, confirm with the manufacturer whether a device is applicable in this scenario.

2.      The 4G SIM card is a common SIM card with the Internet function enabled (it obtains a dynamic IP address).

3.      The headquarters has an egress with a fixed IP address.

For Internet-based networking, an egress with a fixed IP address is required (if the address is dynamic, a dynamic domain name should be deployed and the lower camera should support registration by domain name).

4.      The headquarters is equipped with a video server which is mapped to the Internet on the egress device.

II. Network Topology

III. Configuration Tips

1.      Configure the router to dial in the 4G Internet.

2.      Configure a default route.

3.      Configure TRACK support for the 4G interface. (Recommended)

4.      Configure intranet services (intranet gateway and DHCP).

5.      Configure a NAT policy.

6.      Enable video transmission optimization.

IV. Configuration Steps

1.      Configure the router to dial in the 4G Internet.

The 4G router dials in to the Internet on its 4G interface without manual configuration. After a 4G card is inserted, the device automatically detects the 4G network type and performs 4G dial-up with the default APN account (APN: cmnet; password: blank).

Run the show ip interface and show cellular info commands to check whether dial-up is successful.

2.      Configure a default route.

ip route 0.0.0.0 0.0.0.0 cellular 0/0

 

3.      Configure TRACK support for the 4G interface.(Recommended)

     

ip rns 1
 icmp-echo 8.8.8.8 out-interface cellular 0/0        //It is recommended to change the detection address 8.8.8.8 to the local Internet DNS address or another address directly reachable in the APN network so as to reduce delay and packet loss and ensure accurate link detection.
 frequency 10000           //The detection frequency is 10 seconds. It can be lowered to speed up switchover in case of faults.
 timeout 10000       //The per-packet timeout is 10 seconds. It can be lowered to speed up switchover in case of faults.
track 1 rns 1
 delay up 30 down 30     //If all link detection packets time out within 30 seconds, the track status is changed to DOWN and dial-up is triggered again. If all link detection packets are received from the peer within 30 seconds, the track status is changed to UP.
exit
interface cellular 0/0
 profile create master track 1

 

Note: Configuring TRACK support for link detection may incur extra traffic charges. The calculation formula is as follows.

Size of one ICMP request/reply packet = 100 (ICMP header + payload) + 20 (IP header) = 120 bytes

Traffic generated in one detection cycle = 120 (ICMP request) + 120 (ICMP reply) = 240 bytes

If one detection cycle is 10 seconds, traffic generated in one day = 240*6*60*24 = 2073600 bytes = 2.07 MB.

In actual application, it is recommended to set the detection cycle to 10 seconds.

4.      Configure intranet services (intranet gatewayand DHCP).

(1)    Configure the intranet gateway.

interface vlan 1
 ip address 192.168.1.1 255.255.255.0           //Sets the IP address of the intranet gateway to 192.168.1.1.

 

(2)    Configure DHCP services (as required).

service dhcp
ip dhcp pool ruijie
 network 192.168.1.0 255.255.255.0
 dns-server 8.8.8.8 6.6.6.6        //Configures the primary/secondary DNS servers, which differ by ISP.
 default-router 192.168.1.1
ip dhcp excluded-address 192.168.1.1

 

5.      Configure a NAT policy.

interface vlan 1
 ip nat inside
interface cellular 0/0
 ip nat outside
ip access-list standard 10
 10 permit 192.168.1.0 0.0.0.255
ip nat inside source list 10 interface cellular 0/0 overload

 

6.      Enable video transmission optimization.

1)     Enable video transmission optimization on the 4G router.

wan-ta enable    //Enables the video transmission optimization function.
ip access-list extended 101    //Defines the video data flow to be optimized, from the camera 192.168.1.2 to the server segment 66.1.1.0.
 10 permit ip host 192.168.1.2 66.1.1.0 0.0.0.255
wan-ta policy video    //Configures the video transmission optimization policy. The TCP acceleration feature is used by default.
 match-port all
interface Cellular 0/0    //Enables the video transmission optimization function on the interface.
 wan-ta-policy video list 101

 

2)     Enable the video transmission optimization (WAN-TA + RTP shaping) function on the aggregation router. (Optional for aggregation routers of other vendors)

wan-ta enable    //Enables the video transmission optimization function.
ip access-list extended 101    //Defines the video data flow to be optimized.
 10 permit ip any any
wan-ta policy video
traffic classifier rtp or    //Enables the video shaping function.
 if-match acl 101
traffic behavior rtp
 rtp-shaping delay 2000 clock-rate 90000
traffic policy rtp
 classifier rtp behavior rtp precedence 1
interface GigabitEthernet 1/1/0
 wan-ta-policy video list 101
 traffic-policy rtp inbound

 

Note: For the detailed video transmission optimization configuration, see Video Transmission Optimization in the Ruijie Router Implementation Manual.

 

V. Verification

1.      On the 4G client router, run the show ip interface brief command to confirm that the Cellular interface has obtained an IP address and both "status" and "protocol" are UP.

Ruijie#show ip interface brief
Interface         IP-Address(Pri)                 IP-Address(Sec)      Status      Protocol
Cellular0/0   10.230.7.181/32                      no address          up               up                   //The Cellular interface has obtained an IP address, indicating successful 4G dial-up.

 

2.      The camera can access the public network.

Ruijie#ping 8.8.8.8
Sending 5, 100-byte ICMP Echoes to 192.168.0.111, timeout is 2 seconds:
  <press Ctrl+C to break >
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

 

3.      The camera can register with the video server, and the video server can manage it and retrieve video from it.

1.1.2.2    [Recommended] L2TP VPN Networking Solution (for Video or Data Transmission)

Features

The branch 4G router dials in to the 4G public network and establishes an L2TP VPN connection with the central end, so that the branch intranet segment 192.168.1.0 and the headquarters intranet 192.168.2.0 can communicate.

Scenario

Branches and the headquarters of a company need to access each other, for example:

1.      The branches and headquarters access each other's data via the internal private network.

2.      Communication between the advertising service system and the central point is established, so that the headquarters can push advertisements and other information to the service system.

3.      Data communication between a financial branch and the headquarters is established (if no production service is involved, a 4G VPDN private network + L2TP + IPSec rather than the 4G Internet is recommended as transport).

I.Networking Requirements

1.      The 4G SIM card can be a common card which obtains a dynamic IP address.

2.      The headquarters has an Internet egress with a fixed IP address.

3.      If the address is dynamic, a dynamic domain name should be deployed.

4.      The egress router of the headquarters supports L2TP VPN.

II. Network Topology

III. Configuration Steps

Part I Basic Configuration for the Branch 4G Router

1.      Configure the router to dial in to the 4G Internet/APN private network.

After the 4G SIM card is inserted, the device dials in to the Internet automatically upon startup, without manual configuration.

2.      Configure the intranet gateway and DHCP.

interface vlan 1
 ip address 192.168.1.1 255.255.255.0       //Sets the IP address of the intranet gateway to 192.168.1.1.
service dhcp
ip dhcp pool ruijie
 network 192.168.1.0 255.255.255.0
 dns-server 8.8.8.8 114.114.114.114     //Configures the primary DNS (8.8.8.8) and secondary DNS (114.114.114.114) based on the actual condition.
 default-router 192.168.1.1
ip dhcp excluded-address 192.168.1.1

 

3.      Configure routes for the 4G router.

ip route 0.0.0.0 0.0.0.0 cellular 0/0            //Configures a route to the external network interface of the central end.
ip route 192.168.2.0 255.255.255.0 virtual-ppp 0 //Configures a route to the intranet interface of the central end.

 

4.      Configure L2TP VPN for branch routers and central aggregationrouters.

l2tp-class l2x
 authentication
 password ruijie       //Note: Configure the same tunnel authentication password on the L2TP client as on the server. Otherwise, L2TP negotiation fails.
pseudowire-class pw
 encapsulation l2tpv2
 protocol l2tpv2 l2x
interface Virtual-ppp 1
 ppp pap sent-username test password test
 ip address 100.0.0.2 255.255.255.    //If there are multiple branches, the IP addresses of the other branches may be assigned in order. If the second solution is adopted, run the ip address negotiate command instead.
 pseudowire 10.0.0.1 12 pw-class pw   //10.0.0.1 indicates the public address of the central aggregation router. If the central end uses a domain name, replace the IP address with the domain name and configure the DNS on the device, that is, configure ip name-server x.x.x.x (where x.x.x.x is the IP address of the domain name server).

 

5.      Configure TRACK support for the 4G interface. (Recommended)

ip rns 1
 icmp-echo 10.0.0.1 out-interface cellular 0/0         //It is recommended to use the public address of the central aggregation router as the detection address so as to reduce delay and packet loss and ensure accurate link detection.
 frequency 3000 //The detection frequency is 3 seconds. It can be lowered to speed up switchover in case of faults.
 timeout 3000  //The per-packet timeout is 3 seconds. It can be lowered to speed up switchover in case of faults.
track 1 rns 1
 delay up 5 down 5 //If all detection packets time out within 5 seconds, the track status is changed to DOWN and dial-up is triggered again. If all detection packets are received from the peer within 5 seconds, the track status is changed to UP.
exit
interface cellular 0/0
 profile create master track 1

 

Note: Configuring TRACK support for link detection may incur extra traffic charges. The calculation formula is as follows.

Size of one ICMP request/reply packet = 100 (ICMP header + payload) + 20 (IP header) = 120 bytes

Traffic generated in one detection cycle = 120 (ICMP request) + 120 (ICMP reply) = 240 bytes

If one detection cycle is 10 seconds, traffic generated in one day = 240*6*60*24 = 2073600 bytes = 2.07 MB.

In actual application, it is recommended to set the detection cycle to 10 seconds.

6.      Enable the video transmission optimization function on the 4G router(required for video data transmission).

wan-ta enable    //Enables the video transmission optimization function.
ip access-list extended 101    //Defines the video data flow to be optimized, from the camera 192.168.1.2 to the server.
 10 permit ip host 192.168.1.2 192.168.2.0 0.0.0.255
wan-ta policy video    //Configures the video transmission optimization policy with the TCP acceleration feature.
 match-port all
interface Cellular 0/0    //Enables the video transmission optimization function on the interface.
 wan-ta-policy video list 101

 

Part II Configuring the Central Aggregation Router (a Ruijie RSR router is taken as the example; for other vendors' devices, see their configuration guides)

1.      Configure the central aggregation router toaccess the Internet egress via the dedicated line.

interface gi0/0    //Configures the public network interface.
 ip address 10.0.0.1 255.255.255.0
interface gi0/1    //Configures the intranet interface.
 ip address 192.168.2.1 255.255.255.0

 

2.      Configure routes for the central aggregation router.

ip route 0.0.0.0 0.0.0.0 gi0/0 10.0.0.2        //Configures a default route for public network access.
ip route 192.168.1.0 255.255.255.0 100.0.0.2  //Configures a static route to the intranet of branch 1.

 

3.      Configure L2TP VPN for the central aggregation router (taking VPN 1.0 and local authentication as an example).

1)     (Optional) Configure the tunnel authentication user name, password and address pool for the 4G router.

ip local pool p1 100.0.0.2 100.0.0.100   //(Optional) If the virtual-ppp interface of the 4G router is set to a fixed IP address, the p1 address pool is not needed.
username test password test //Configures the user name and password with which the 4G router dials in to the VPDN, matching the user name and password configured on the virtual-ppp interface of the 4G router.

 

2)     VPDN tunnel configuration

interface loopback 1
 ip address 100.0.0.1 255.255.255.255
interface Virtual-Template 1
 ppp authentication pap chap
 ip unnumbered Loopback 1
 peer default ip address pool p1      //(Optional) Configured only when the second solution is adopted and the IP address of the virtual-ppp interface of the 4G router is assigned dynamically. If the virtual-ppp interface has a fixed IP address, the p1 address pool is not needed.
vpdn enable
vpdn-group 1
 accept-dialin
 protocol l2tp
 virtual-template 1
 l2tp tunnel authentication
 l2tp tunnel password ruijie

 

4.      Enable the video transmission optimization (WAN-TA + RTP shaping) function on the aggregation router. (Optional for aggregation routers of other vendors)

wan-ta enable    //Enables the video transmission optimization function.
ip access-list extended 101    //Defines the video data flow to be optimized.
 10 permit ip any any
wan-ta policy video
traffic classifier rtp or    //Enables the video shaping function.
 if-match acl 101
traffic behavior rtp
 rtp-shaping delay 2000 clock-rate 90000
traffic policy rtp
 classifier rtp behavior rtp precedence 1
interface GigabitEthernet 1/1/0
 wan-ta-policy video list 101
 traffic-policy rtp inbound

 

Note: For the detailed video transmission optimization configuration, see Video Transmission Optimization in Typical Configuration.

V. Verification

1.      View the L2TP status on the branch 4G router.

1)     After configuration, the branch router automatically initiates L2TP dial-up. If dial-up is successful, run the show ip interface brief command to confirm that the interface is UP and a correct IP address has been obtained.

2)     View the routing table and confirm that the IP address of the LNS virtual-template interface is directly connected to the virtual-ppp interface.

3)     The L2TP client can ping the IP address of the virtual-template interface of the LNS.

2.      View the status of the central aggregation router.

Run the show vpdn command to view the users that have dialed in.

Supplemental Note:

In the foregoing example, interconnection between the intranets of both ends is implemented through static routes. A dynamic routing protocol can also be used. The following is an example:

Solution 2: Dynamic Routing Protocol (taking OSPF as an example)

//When the IP address of the virtual-ppp interface of the 4G router is assigned by the central router, dynamic routing is applicable and easy to configure.

 

1)     Configure the OSPF routing protocol for the central aggregation router.

router ospf 1
 network 192.168.2.1 0.0.0.0 area 0
 network 100.0.0.1 0.0.0.0 area 0    //100.0.0.1 indicates the IP address of the virtual-template interface, namely the IP address of the loopback interface referenced by ip unnumbered in interface configuration mode. Based on the actual requirement, redistribute the central service segment into the OSPF domain via the network command or static route redistribution, so that the branch can learn the route to the central service segment.

2)     Configure the OSPF routing protocol for the branch 4G router.

router ospf 1
 network 100.0.0.0 0.0.0.255 area 0 //The address segment of the virtual-ppp interface.
 redistribute connected subnets    //Advertises the intranet segment 192.168.1.0 255.255.255.0 of the 4G router as a connected route.

 

1.1.2.3    IPSec VPN Networking Solution (for Video or Data Transmission)

Features

The branch 4G router dials in to the 4G public network and establishes an IPSec VPN connection with the central end to provide encrypted data transmission between the branch and the central end.

Scenario

Branches and the headquarters need to access each other. For example:

1.      The branches and headquarters access each other's data via the internal private network.

2.      Communication between the advertising service system and the central point is established, so that the headquarters can push advertisements and other information to the service system.

3.      Data communication between a financial branch and the headquarters is established (if no production service is involved, a 4G VPDN private network + L2TP + IPSec rather than the 4G Internet is recommended to carry it).

I.Networking Requirements

1.      The 4G SIM card can obtain a public IP address.

2.      The headquarters has an Internet egress with a fixed IP address.

3.      If the address is dynamic, the egress should support the dynamic domain name function.

4.      The egress router of the headquarters supports IPSec VPN.

II. Network Topology

Network Planning

IV. Configuration Steps

Part I Basic Configuration for the Branch4G Router

1.      Configure the router to dial in to the 4G Internet/APN private network.

After the 4G SIM card is inserted, the device dials in to the Internet automatically upon startup, without manual configuration.

2.      Configure the intranet gateway and DHCP.

interface vlan 1
 ip address 192.168.1.1 255.255.255.0        //Sets the IP address of the intranet gateway to 192.168.1.1.
service dhcp
ip dhcp pool ruijie
 network 192.168.1.0 255.255.255.0
 dns-server 8.8.8.8 114.114.114.114   //Configures the primary DNS (8.8.8.8) and secondary DNS (114.114.114.114) based on the actual condition.
 default-router 192.168.1.1
ip dhcp excluded-address 192.168.1.1

 

3.      Configure routes for the 4G router.

ip route 0.0.0.0 0.0.0.0 cellular 0/0       //Configures a route to the external network interface of the central end.

 

4.      Configure IPSec VPN for a branch.

1)      Set the IPSec interesting traffic to the traffic from the branch 192.168.1.0/24 to the headquarters 192.168.0.0/24.

access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255

 

2)      Configure the ISAKMP policy.

crypto isakmp keepalive 5 periodic
crypto isakmp policy 1
 authentication pre-share
 encryption 3des

 

3)      Configure the pre-shared key.

crypto isakmp key 0 ruijie address 10.0.0.1      //10.0.0.1 indicates the public address of the egress of the central aggregation router. If the central end uses a domain name, replace the IP address with the domain name and configure the DNS on the device, that is, configure ip name-server x.x.x.x (where x.x.x.x is the IP address of the domain name server).

 

 

4)      Configure the IPSec encryption transform set.

crypto ipsec transform-set myset esp-des esp-md5-hmac

 

5)      Configure the IPSec crypto map.

crypto map mymap 5 ipsec-isakmp
 set peer 10.0.0.1     //Specifies the IP address of the IPSec center. 10.0.0.1 indicates the public address of the egress of the central aggregation router. If the central end uses a domain name, replace the IP address with the domain name and configure the DNS on the device, that is, configure ip name-server x.x.x.x (where x.x.x.x is the IP address of the domain name server).
 set transform-set myset
 match address 101
 set autoup

 

6)      Apply the crypto map to the interface.

interface cellular 0/0

 crypto map mymap

 

5.      Configure TRACK support for the 4G interface. (Recommended)

ip rns 1

 icmp-echo 10.0.0.1 out-interface cellular 0/0           //It is recommended to use the public address of the central aggregation router as the detection address, so as to reduce delay and packet loss and ensure accurate link detection.

 frequency 3000     //The detection frequency is 3 seconds. It can be lowered to increase the switchover speed in case of faults.

 timeout 3000  //The packet timeout is 3 seconds. It can be lowered to increase the switchover speed in case of faults.

track 1 rns 1

 delay up 5 down 5   //If all detection packets fail to reach the peer end within 5 seconds, the track status is changed to DOWN and dial-up is triggered again. If all detection packets reach the peer end within 5 seconds, the track status is changed to UP.

exit

interface cellular 0/0

 profile create master track 1

 

Note: Configuring TRACK support for link detection may incur extra traffic expenses. The following is the calculation formula.

Size of one ICMP request/reply packet = 100 (ICMP header + payload) + 20 (IP header) = 120 bytes

Traffic generated in one detection cycle = 120 (ICMP request) + 120 (ICMP reply) = 240 bytes

If one detection cycle is 10 seconds, the traffic generated in one day = 240*6*60*24 = 2073600 bytes = 2.07 MB.

In actual applications, it is recommended to set the detection cycle to 10 seconds.

6.      Enable the video transmission optimization function on the 4G router (required for video data transmission).

wan-ta enable    //Enables the video transmission optimization function.

ip access-list extended 101    //Defines the video data flow to be optimized, from the camera 192.168.1.2 to the server network.

 10 permit ip host 192.168.1.2 192.168.2.0 0.0.0.255  //Only traffic matching this ACL is optimized.

wan-ta policy video    //Enters the system-defined video transmission optimization policy (TCP acceleration).

 match-port all

interface Cellular 0/0  //Enables the video transmission optimization function on the interface.

 wan-ta-policy video list 101

 

Part II Configuring the Central Aggregation Router (Ruijie RSR routers are taken as an example; see the configuration guides for other vendors' devices)

1.      Configure the central aggregation router to access the Internet egress via the dedicated line.

interface gi0/0      //Configures the public network interface.

 ip address 10.0.0.1 255.255.255.0

interface gi0/1       //Configures the intranet interface.

 ip address 192.168.2.1 255.255.255.0

 

2.      Configure routes for the central aggregation router.

ip route 0.0.0.0 0.0.0.0 gi0/0 10.0.0.2      //Configures a default route for public network access.

 

3.      Configure IPSec VPN for the central aggregation router.

1)     Configure the ISAKMP policy.

crypto isakmp policy 1

 encryption 3des

 authentication pre-share

2)    Configure the pre-shared key.

crypto isakmp key 0 ruijie address 0.0.0.0 0.0.0.0

 

3)    Configure the IPSec encryption transform set.

crypto ipsec transform-set myset esp-des esp-md5-hmac

 

4)    Configure the IPSec crypto map.

crypto dynamic-map dymymap 5

 set transform-set myset

 reverse-route      //Configures the reverse route injection (RRI) function. If this function is not configured (or is not supported by devices of other vendors), deploy a static or dynamic routing protocol on both ends of the IPSec tunnel.

 

5)   Map the dynamic IPSec crypto map to the static IPSec crypto map.

crypto map mymap 10 ipsec-isakmp dynamic dymymap

 

6)   Apply the crypto map to the interface (for example, the dedicated line interface G0/0).

interface GigabitEthernet 0/0

 crypto map mymap
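The branch and hub IPSec steps above use DES/3DES, MD5 and a pre-shared key that the hub accepts from any address (0.0.0.0 0.0.0.0), which means one secret is valid for every peer. The following review helper is an added example, not part of this cookbook or of Ruijie's software: it scans RGOS-style configuration text (the hub steps above, copied into a string) and reports these settings so that a reviewer can decide, together with the platform's supported algorithm set, what to change.

```python
"""Configuration review helper for the IPSec settings in this section.

Added example, not part of the cookbook or of Ruijie's software. It scans
RGOS-style configuration text and reports settings a security reviewer would
flag: DES/3DES encryption, MD5 integrity, a pre-shared key entered as type 0
(cleartext) and a hub key bound to the wildcard address 0.0.0.0, which makes
one shared secret valid for every peer. SAMPLE_HUB_CONFIG is constructed from
the aggregation-router steps above (comments stripped).
"""
import re

WEAK_CIPHERS = {"des", "3des"}
WEAK_HASHES = {"md5"}

SAMPLE_HUB_CONFIG = """
crypto isakmp policy 1
 encryption 3des
 authentication pre-share
crypto isakmp key 0 ruijie address 0.0.0.0 0.0.0.0
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dymymap 5
 set transform-set myset
 reverse-route
crypto map mymap 10 ipsec-isakmp dynamic dymymap
"""


def _algorithm(token):
    """esp-des -> des, esp-md5-hmac -> md5, esp-aes -> aes."""
    return re.sub(r"^(esp|ah)-|-hmac$", "", token)


def lint_ipsec_config(config):
    """Return a list of human-readable findings; an empty list means nothing was flagged."""
    findings = []
    for raw in config.splitlines():
        line = raw.split("//", 1)[0].strip()   # drop trailing // comments
        if not line:
            continue
        tok = line.lower().split()
        # ISAKMP (phase 1) cipher
        if tok[0] == "encryption" and len(tok) > 1 and tok[1] in WEAK_CIPHERS:
            findings.append("weak ISAKMP cipher %s: %s" % (tok[1], line))
        # IPSec (phase 2) transform set: 'crypto ipsec transform-set NAME esp-des esp-md5-hmac'
        if tok[:3] == ["crypto", "ipsec", "transform-set"]:
            for t in tok[4:]:
                alg = _algorithm(t)
                if alg in WEAK_CIPHERS:
                    findings.append("weak ESP cipher %s: %s" % (t, line))
                if alg in WEAK_HASHES:
                    findings.append("weak ESP integrity %s: %s" % (t, line))
        # Pre-shared key definition: 'crypto isakmp key 0 SECRET address PEER [MASK]'
        if tok[:3] == ["crypto", "isakmp", "key"] and len(tok) > 4:
            if tok[3] == "0":
                findings.append("pre-shared key entered as type 0 (cleartext): " + line)
            if "address" in tok:
                peer = tok[tok.index("address") + 1]
                if peer == "0.0.0.0":
                    findings.append("pre-shared key bound to wildcard address, one secret for all peers: " + line)
    return findings


if __name__ == "__main__":
    for finding in lint_ipsec_config(SAMPLE_HUB_CONFIG):
        print(finding)
```

The checker only reads configuration text, so it can be run against a saved `show running-config` without touching the router; the branch configuration earlier in this section produces the same cipher and integrity findings, minus the wildcard address.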

 

4.      Enable the video transmission optimization function. (Recommended. Aggregation routers of other vendors do not have this function.)

wan-ta enable     //Enables the video transmission optimization function.

ip access-list extended 101     //Defines the video data flow to be optimized.

 10 permit ip any any

wan-ta policy video

traffic classifier rtp or       //Enables the video shaping function.

  if-match acl 101

traffic behavior rtp

 rtp-shaping delay 2000 clock-rate 90000

traffic policy rtp

 classifier rtp behavior rtp precedence 1

interface GigabitEthernet 1/1/0

 wan-ta-policy video list 101

 traffic-policy rtp inbound

 

V. Verification

1.      On the 4G client router, run the show ip interface brief command to confirm that the Cellular interface has obtained an IP address and that both "Status" and "Protocol" are UP.

Ruijie#show ip interface brief

Interface       IP-Address(Pri)         IP-Address(Sec)      Status      Protocol

Cellular0/0     10.230.7.181/32         no address           up          up     //The Cellular interface has obtained an IP address, indicating successful 4G dial-up.

 

2.      Use the source address 192.168.1.1 on the router to ping the headquarters 192.168.2.1.

Ruijie#ping 192.168.2.1 source 192.168.1.1

Sending 5, 100-byte ICMP Echoes to 192.168.2.1, timeout is 2 seconds:

  < press Ctrl+C to break >

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

 

3.      Confirm that the IPSec SA has been established on the router.

Successful IPSec tunnel negotiation goes through two stages: ISAKMP SA negotiation followed by IPSec SA negotiation.

Ruijie#show crypto isakmp sa

 destination      source              state        conn-id               lifetime(second)

 10.0.0.1        10.230.7.181       IKE_IDLE        0                          84129   //ISAKMP negotiation is successful, and the state is IKE_IDLE.

Ruijie#show crypto ipsec sa

......

#pkts encaps: 4, #pkts encrypt: 4, #pkts digest 4 //Indicates the number of packets successfully encapsulated, encrypted and digested.

#pkts decaps: 4, #pkts decrypt: 4, #pkts verify 4  //Indicates the number of packets successfully decapsulated, decrypted and verified. While data is being sent through the IPSec tunnel, run the show command repeatedly and confirm that the counters increase.

      Inbound esp sas:

spi:0x2ecca8e(49072782)      //When both inbound esp sas and outbound esp sas are displayed, the IPSec SA negotiation is successful.

        Outbound esp sas:

spi:0x5730dd4b(1462820171)
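The three checks above (interface up/up with an address, ISAKMP SA in IKE_IDLE, inbound and outbound ESP SAs with advancing counters) can be automated against captured show output. The checker below is an added example, not part of the cookbook: the show-command text is constructed from the samples in this section, and the second ipsec sample is a constructed later reading in which the encaps counter has advanced.

```python
"""Automated check of the verification outputs in this section.

Added example, not Ruijie's code. The SHOW_* strings are constructed from the
sample outputs above; check_tunnel() returns the list of problems found, so
the same functions can be run over real 'show' output captured from a console
log. SHOW_IPSEC_SA_AFTER is a constructed second reading with advanced counters.
"""
import re

SHOW_IP_INT_BRIEF = """\
Interface       IP-Address(Pri)         IP-Address(Sec)      Status      Protocol
Cellular0/0     10.230.7.181/32         no address           up          up
"""

SHOW_ISAKMP_SA = """\
 destination      source              state        conn-id               lifetime(second)
 10.0.0.1        10.230.7.181       IKE_IDLE        0                          84129
"""

SHOW_IPSEC_SA_BEFORE = """\
#pkts encaps: 4, #pkts encrypt: 4, #pkts digest 4
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify 4
      Inbound esp sas:
spi:0x2ecca8e(49072782)
        Outbound esp sas:
spi:0x5730dd4b(1462820171)
"""

# Constructed later reading: five more packets were encapsulated in the meantime.
SHOW_IPSEC_SA_AFTER = SHOW_IPSEC_SA_BEFORE.replace(
    "encaps: 4, #pkts encrypt: 4, #pkts digest 4",
    "encaps: 9, #pkts encrypt: 9, #pkts digest 9")


def interface_up(output, name="Cellular0/0"):
    """True when the interface row has a primary address and Status/Protocol are both up."""
    for line in output.splitlines():
        cols = line.split()
        if cols and cols[0] == name:
            has_ip = "/" in cols[1]          # 'no address' would split into two words
            return has_ip and cols[-2] == "up" and cols[-1] == "up"
    return False


def isakmp_state(output, peer):
    """State column of the ISAKMP SA whose destination is the peer, or None."""
    for line in output.splitlines():
        cols = line.split()
        if cols and cols[0] == peer:
            return cols[2]
    return None


def ipsec_counters(output):
    """(encaps, decaps) packet counters from 'show crypto ipsec sa'."""
    enc = re.search(r"#pkts encaps:\s*(\d+)", output)
    dec = re.search(r"#pkts decaps:\s*(\d+)", output)
    return (int(enc.group(1)) if enc else 0, int(dec.group(1)) if dec else 0)


def ipsec_spis(output):
    """(inbound SPIs, outbound SPIs) as hex strings."""
    inbound, outbound, current = [], [], None
    for line in output.splitlines():
        s = line.strip()
        if s.startswith("Inbound esp sas"):
            current = inbound
        elif s.startswith("Outbound esp sas"):
            current = outbound
        elif s.startswith("spi:") and current is not None:
            current.append(s[4:].split("(")[0])
    return inbound, outbound


def check_tunnel(int_brief, isakmp, ipsec_first, ipsec_second, peer="10.0.0.1"):
    """Run all three verification steps; returns a list of problems (empty when healthy)."""
    problems = []
    if not interface_up(int_brief):
        problems.append("Cellular0/0 has no address or is not up/up: 4G dial-up failed")
    if isakmp_state(isakmp, peer) != "IKE_IDLE":
        problems.append("no IKE_IDLE ISAKMP SA with %s: phase 1 did not complete" % peer)
    inb, outb = ipsec_spis(ipsec_second)
    if not inb or not outb:
        problems.append("missing inbound or outbound ESP SA: phase 2 did not complete")
    enc1, dec1 = ipsec_counters(ipsec_first)
    enc2, dec2 = ipsec_counters(ipsec_second)
    if enc2 <= enc1 and dec2 <= dec1:
        problems.append("encaps/decaps counters did not advance: SA present but no traffic")
    return problems


if __name__ == "__main__":
    print(check_tunnel(SHOW_IP_INT_BRIEF, SHOW_ISAKMP_SA, SHOW_IPSEC_SA_BEFORE, SHOW_IPSEC_SA_AFTER))
```

Taking two readings of `show crypto ipsec sa` is what makes the last check meaningful: a tunnel whose SAs exist but whose counters never move usually points at a routing or interesting-traffic (ACL 101) mismatch rather than at the negotiation itself.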

 

1.1.2.4    4G Router-based Multi Links in Backup Mode

4G link as the backup for the wired dedicated line

Features

The 4G link serves as the backup for a wired line. When the wired line is abnormal, the router promptly switches to the 4G link and resumes services.

Scenario

Financial branches, chain hotels, and branches of other SMEs have requirements for backup lines.

I. Networking Requirements

The 4G router uses a wired link and 4G dual links for Internet access. The wired link serves as the active link and is connected to the wired network via the GE0 interface, which belongs to VLAN 2. The 4G dual links serve as the backup link. Generally, all traffic is forwarded via the wired link. When the wired link is abnormal, services are automatically switched to the 4G dual links; when the wired link recovers, services are automatically switched back to the wired link.

II. Network Topology

 

III. Configuration Tips

1.      Configure the central aggregation router as the VPN server.

2.      Configure the branch 4G router as the VPN client.

3.      Enable wired link connectivity detection on the 4G router.

4.      Configure the active/standby routing protocol switch solution.

IV. Configuration Steps

1.      Configure the central aggregation router as the VPN server.

Based on the VPN technology chosen, see the 4G Typical Scenario Configuration Guide.

2.      Configure the branch 4G router as the VPN client.

Based on the VPN technology chosen, see the 4G Typical Scenario Configuration Guide.

3.      Configure the active/standby routing protocol switch solution.

1)     Routing Protocol Switch Solution for the 4G Router

a.       Configure an RNS test.

ip rns 10

 icmp-echo 50.7.154.1 out-interface VLAN 2 next-hop 50.7.154.1   //Sends detection packets from the wired interface to check the availability of the wired line. When an RNS test is bound to an Ethernet interface, it detects the reachability of the next-hop address.

 timeout 3000                 //If no ICMP reply is received within 3 seconds, the packet is treated as timed out.*

 frequency 3000              //Detection packets are sent at intervals of 3s.

 ntime 3             //Three consecutive timeouts indicate that the RNS test fails.*

track 10 rns 10

 delay down 3 up 3         //Associates TRACK with an RNS policy. If the RNS test fails, the TRACK status is changed to DOWN with a 3-second delay. If no delay time is configured, the TRACK status is changed to DOWN immediately.*

ip rns 20

 icmp-echo 8.8.8.8 out-interface cellular 0/0         //Sends detection packets from the 4G interface to check the availability of the 4G link.

 timeout 3000                 //If no ICMP reply is received within 3 seconds, the packet is treated as timed out.*

 frequency 3000             //Detection packets are sent at intervals of 3s.

 ntime 3             //Three consecutive timeouts indicate that the RNS test fails.*

track 20 rns 20

 delay down 3 up 3  //Associates TRACK with an RNS policy. If the RNS test fails, the TRACK status is changed to DOWN with a 3-second delay. If no delay time is configured, the TRACK status is changed to DOWN immediately.*

 

b.       Configure a floating default route on the 4G router to control data traffic switching between the wired link and the 4G link.

ip route 0.0.0.0 0.0.0.0 VLAN 2 50.7.154.1 track 10            //Configures a default route to direct traffic to the active link interface.

ip route 0.0.0.0 0.0.0.0 Cellular 0/0 100    //Configures a floating default route to direct traffic to the 4G interface. Due to its lower priority, traffic is not sent over this link while the wired link is available.

 

c.       Enable correlation between the wired interface and the 4G interface.

interface Cellular 0/0

 apply detect interface vlan 2 track 10   //Enables disaster recovery detection on the 4G interface. When the returned status of track object 10 is DOWN, the 4G interface automatically dials up. When the returned status of track object 10 is UP, the 4G interface stops dial-up. Multiple detection statements can be configured. In this case, the 4G interface dials up only when the track objects correlated to all statements are DOWN; if the track object correlated to any statement is UP, the 4G interface stops dial-up.

 apply dial-on-demand    //Enables dial-on-demand, that is, the correlation between the wired interface and the 4G interface.

 profile create master track 20    //Correlates the interface status with track object 20, which is similar to the keepalive function. When it is enabled and track object 20 is DOWN, the interface dials up again.

 

d.      If an IPSec tunnel is configured on the 4G interface, run the following command to forcibly disconnect it when the wired link recovers.

crypto isakmp link-redundency backup Cellular 0/0 track 10     //When the returned status of track object 10 is UP, the IPSec tunnel on the 4G interface is forcibly disconnected.

 

e.      If the SVI interface is used for wired link detection on the external network interface, it is recommended to run the following command to ensure that the status of the SVI interface changes to DOWN when the status of the layer-2 port is DOWN.*

ruijie(config)#svi-interface detecting
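To make the interaction of frequency, timeout, ntime and the TRACK delay in steps a and b concrete, the simulation below replays a constructed sequence of probe results and shows when the track changes state and which default route is active. It is an added example, not Ruijie's code; it models the semantics stated in the command comments above (a single lost probe does not fail over, three consecutive timeouts plus the 3-second delay do, and recovery is likewise delayed).

```python
"""Simulation of the RNS test, TRACK object and floating route in steps a and b.

Added example, not Ruijie's code. It reproduces the semantics stated in the
command comments: a probe is sent every 'frequency' ms, the RNS test fails
after 'ntime' consecutive timeouts and recovers on the first reply, the TRACK
object follows the RNS result only after its 'delay down'/'delay up' interval,
and the default route via VLAN 2 (track 10) is used while the track is UP,
otherwise the floating route via Cellular 0/0 (distance 100). The sequence of
probe results is constructed input; time advances one probe per step.
"""

WIRED_ROUTE = "0.0.0.0/0 via VLAN 2 50.7.154.1 (track 10 UP)"
CELLULAR_ROUTE = "0.0.0.0/0 via Cellular 0/0 (floating, distance 100)"


def simulate_failover(probe_ok, frequency_ms=3000, ntime=3, delay_down_s=3, delay_up_s=3):
    """probe_ok: list of booleans, True when the ICMP echo got a reply in time.
    Returns a list of (time_s, rns_ok, track_up, active_route), one entry per probe."""
    period_s = frequency_ms / 1000.0
    consecutive_fail = 0
    track_up = True           # the track starts UP: the wired link is assumed healthy
    pending_since = None      # time at which the RNS result started to disagree with the track
    timeline = []
    for i, ok in enumerate(probe_ok):
        t = i * period_s
        consecutive_fail = 0 if ok else consecutive_fail + 1
        rns_ok = consecutive_fail < ntime          # 'ntime 3': fail after 3 timeouts in a row
        if rns_ok != track_up:
            if pending_since is None:
                pending_since = t
            delay = delay_up_s if rns_ok else delay_down_s   # 'delay down 3 up 3'
            if t - pending_since >= delay:
                track_up = rns_ok
                pending_since = None
        else:
            pending_since = None                   # the disagreement ended before the delay expired
        route = WIRED_ROUTE if track_up else CELLULAR_ROUTE
        timeline.append((t, rns_ok, track_up, route))
    return timeline


def track_transitions(timeline):
    """Times at which the TRACK object changed state, i.e. when the route switched."""
    return [cur[0] for prev, cur in zip(timeline, timeline[1:]) if prev[2] != cur[2]]


# Constructed probe history: one isolated loss, an outage of six lost probes, then recovery.
SAMPLE_PROBES = [True, True, False, True, False, False, False, False, False, False, True, True, True]

if __name__ == "__main__":
    for t, rns_ok, track_up, route in simulate_failover(SAMPLE_PROBES):
        print("t=%5.1fs rns=%-5s track=%-4s %s" % (t, rns_ok, "UP" if track_up else "DOWN", route))
```

With the values used in this section, the wired route is withdrawn 21 s after the first lost probe of the outage (three 3-second probes, then the 3-second delay) and restored 3 s after the first successful probe; shortening frequency or ntime speeds up switchover at the cost of more false failovers on a lossy wired link.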

 

2)     Route Switch Solution for the Headquarters Intranet

Switch the routes from the headquarters intranet to the branch intranet, so that traffic is sent to the wired dedicated line when the wired link is available, or to the aggregation router with the 4G backup link when the wired link is abnormal. Multiple solutions are available. The following is a brief description of the configuration.

a.      IPSec RRI Solution

The aggregation router with the 4G backup link and the lower-end device establish an IPSec VPN and use the RRI function to inject branch routes into the aggregation router. The aggregation router and the intranet run a dynamic routing protocol to advertise branch routes to the headquarters intranet. The priority of a redistributed route should be lower than that of a route from the headquarters intranet to a branch. Priorities can be controlled through the weight of a route.

b.      Dynamic Routing Protocol for the Whole Network

The aggregation router with the 4G backup link and the 4G router establish an L2TP/GRE VPN and run a dynamic routing protocol. The aggregation router and the intranet also run the dynamic routing protocol to advertise branch routes to the headquarters intranet. The priority of a redistributed route should be lower than that of a route from the headquarters intranet to a branch. Priorities can be controlled through the weight of a route.

V. Verification

1.      Generally, all services are forwarded via the wired link.

2.      Shut down the wired interface or disconnect the wired link. Services are automatically switched to the 4G link.

3.      When the wired link recovers, services are automatically switched back to the wired link.

4G Dual Link Dial-up in Backup Mode

Features

One 4G link serves as the backup for the other 4G link. When the active 4G link is abnormal, the router promptly switches to the standby 4G link and resumes services.

Scenario

Financial branches, chain hotels, and branches of other SMEs have requirements for backup 4G links.

I. Networking Requirements

The 4G router is connected to the financial aggregation network using dual 4G SIM cards. The active Unicom 4G SIM card is used to access the network while the standby Mobile 4G SIM card is in backup mode. When the active Unicom link is abnormal, data is switched to the backup Mobile 4G link; when the Unicom link recovers, services are switched back.

II. Network Topology

III. Configuration Tips

1.      Configure dual-card dial-up for the 4G router.

2.      Configure the access mode switch solution for the 4G router.

3.      Configure the central aggregation router as the VPN server.

IV. Configuration Steps

1.      Configure dual-card dial-up for the 4G router.

ip rns 1      //Detection of the active Unicom card.

 icmp-echo 100.0.0.1 out-interface Cellular 2/0    //100.0.0.1 indicates the IP address of the virtual-template interface on the LNS.

 timeout 3000         //The detection timeout interval is 3 seconds.

 frequency 3000          //The detection frequency is 3 seconds.

 ntime 3              //After three consecutive results of the same kind, the RNS status is synchronized to the track status.

ip rns 2       //Detection of the standby Mobile link.

 icmp-echo 2.2.2.2 out-interface Cellular 3/0    //2.2.2.2 indicates the IP address of the virtual-template interface on the LNS.

 timeout 3000

 frequency 3000

 ntime 3

track 1 rns 1        //Correlates track object 1 with the status of RNS 1.

track 2 rns 2         //Correlates track object 2 with the status of RNS 2.

interface Cellular 2/0      //Configures the active card. The Cellular interface number is identical with the slot number shown by show slot.

 plmn mode manual lte-pref    //Enables 4G priority mode.

 profile create master track 1  //Interface traffic keepalive. When the track status is DOWN, dial-up is performed.

 profile create master apn liantong  //Sets the APN to liantong. The APN is provided by the customer and the ISP.

 profile create master username ruijie@liantong password 0 123  //Configures the user name and password.

interface Cellular 3/0       //Configures the standby card. The Cellular interface number is identical with the slot number shown by show slot.

 plmn mode manual lte-pref    //Enables 4G priority mode.

 profile create master track 2  //Interface traffic keepalive. When the track status is DOWN, dial-up is performed.

 profile create master apn yidong //Sets the APN to yidong. The APN is provided by the customer and the ISP.

 profile create master username ruijie2@yidong password 0 123  //Configures the user name and password.

 

2.      Configure the access mode switch solution for the 4G router.

interface Cellular 3/0      //Configures the standby card. The Cellular interface number is identical with the slot number shown by show slot.

 apply detect interface cellular 2/0 track 1    //Correlates the status of the active interface. When track object 1 of the active interface is DOWN, the standby interface dials up. When track object 1 is UP, the standby interface returns to standby status.

 apply dial-on-demand       //Enables dial-on-demand, that is, the correlation between the active and standby 4G interfaces.

ip route 0.0.0.0 0.0.0.0 Cellular 2/0 track 1     //Correlates the default route of the active link with the status of track object 1. When the status of track object 1 is DOWN, the route does not take effect.

ip route 0.0.0.0 0.0.0.0 Cellular 3/0 100     //Sets the route priority of the backup link to 100.

crypto isakmp link-redundency backup Cellular 3/0 track 1    //When the active link recovers, the status of track object 1 changes from DOWN to UP. The IPSec SA on the standby Cellular interface is deleted so that the IPSec reverse route on the aggregation end does not affect the selection of the return route.

 

3.      Configure the central aggregation router as the VPN server (taking Unicom as an example).

1)     Configure the tunnel authentication user name, password and address pool for the 4G router. (Optional)

ip local pool p1 100.0.0.2 100.0.0.100  //(Optional) If the virtual-ppp interface of the 4G router is configured with a fixed IP address, it is not necessary to configure the p1 address pool.

username test password test       //Configures the user name and password for the 4G router to dial in to the VPDN, corresponding to the user name and password of the virtual-ppp interface on the 4G router.

 

2)     Configure the VPDN tunnel.

interface loopback 1

 ip address 100.0.0.1 255.255.255.255

interface Virtual-Template 1

 ppp authentication pap chap

 ip unnumbered Loopback 1

 peer default ip address pool p1     //(Optional) If the intranet AAA server is used to assign IP addresses, the address pool configuration is optional.

 crypto map mymap          //Applies the IPSec map.

vpdn enable

vpdn-group 1

 accept-dialin

  protocol l2tp

  virtual-template 1

 l2tp tunnel authentication

 l2tp tunnel password ruijie

 

1.1.3    Other Function Configuration for a 4G Router

Video Transmission Optimization Function

Video Transmission Optimization Principle

Features of Video Streams:

Video data carries a large volume of information, and its traffic is irregular.

These features pose challenges to transmission over WiFi. As is well known, a WiFi connection is poor, featuring unstable bandwidth, high delay, jitter and packet loss. A video server at the sending end sends video frames at regular intervals (one video frame may consist of one or more packets). After transmission through an unstable network, the video packets reach the receiving end with irregular, sometimes long and sometimes short, delays, causing pauses or stutter in the decoded video and even reconnection after playback is interrupted.

Problems and Solutions:

Each row below lists the Problem (Phenomenon, Cause) and the Solution (Technology, Principle, Application).

Phenomenon: Pixilation, pause, or disconnection

  Cause: The standard TCP implementation is restricted by the maximum window size (MWS) of 64 or 256 KB, so a network with high bandwidth and high delay cannot make full use of the bandwidth.
  Technology: TCP window extension (use the default maximum segment size (MSS) of 1460).
  Principle: It uses a TCP proxy and extends the MWS. The MSS is 1460.
  Application: Access device (sending end)

  Cause: In case of packet loss, the standard TCP implementation is forced to retransmit the whole window in which packets were lost, causing low efficiency.
  Technology: Selective acknowledgment (SACK) extension (sack enable is enabled by default).
  Principle: It retransmits only the lost TCP segments so as to efficiently recover the lost data.
  Application: Access device (sending end)

  Cause: TCP has a built-in recovery mechanism for handling congestion. In case of congestion, the connection throughput is immediately lowered by 50%.
  Technology: Delay-based congestion control (low-bandwidth-delay is enabled by default).
  Principle: It uses a TCP proxy and optimizes the congestion control algorithm. Five algorithms are currently available.
  Application: Access device (sending end)

Phenomenon: Video retrieval is slow to start, or times out occasionally

  Cause: Many applications use very short-lived TCP connections. Due to TCP slow start, new TCP connections may be throttled.
  Technology: Large initial window (use the default init-cwnd 10).
  Principle: It enlarges the initial congestion window of the TCP connection and maximizes use of the WAN throughput. The initial value of the congestion window is 10 by default.
  Application: Access device (sending end)

Phenomenon: Video stutter and disorder

  Cause: After transmission through an ISP's link, the arrival intervals of data packets may be inconsistent and packets may even arrive out of order.
  Technology: RTP shaping and caching
  Principle: RTP shaping uses delay to ensure that RTP service packets reach the monitoring end at regular intervals.
  Application: Aggregation device (receiving end)

The complete video transmission optimization solution consists of two parts:

Access port: WAN-TA

Enable WAN-TA on the access router at the sending end to improve the quality of video transmission.

Receiving end: WAN-TA+RTP

Enable WAN-TA+RTP shaping at the receiving end to eliminate video pause and stutter caused by network jitter.

This solution enables transmitted video to be played more smoothly without pause or stutter, improving the video experience.

WAN-TA

WAN Transmission Accelerate (WAN-TA) is a general term for technologies used to improve the efficiency of TCP transmission over a WAN link. To improve TCP transmission efficiency in the video transmission environment (video packets are encapsulated in TCP in the online video surveillance system), Ruijie routers introduce some new TCP features based on WAN-TA and apply them to the forwarded data flow so as to improve the performance of TCP transmission over the WAN link. WAN-TA splits a TCP connection passing through a Ruijie router into two connections, so that the Ruijie router acts as a terminal device participating in the TCP session, and the TCP data flow is controlled through the WAN-TA optimization policy configured on the Ruijie router. WAN-TA can eliminate almost all TCP performance bottlenecks without changing the client, the server or the network.

RTP Shaping

Using a delay technique, RTP shaping is applied at the aggregation (receiving) end to ensure that RTP service packets reach the video client at regular intervals. Building on the WAN-TA function, RTP shaping retrieves packets from the WAN-TA incoming queue, caches video frames in the RTP queue, and sends them one by one in the original timing sequence at regular intervals after a delay (from hundreds of milliseconds to several seconds), so that the video client receives a stable video stream.
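The RTP shaping behaviour just described (hold every packet for a fixed delay, then release in timestamp order at the sender's pace) can be modelled in a few lines. The following is an added example, not Ruijie's implementation: it uses the clock rate and delay configured later in this section (clock-rate 90000, delay 2000 ms) and a constructed list of packet arrivals that includes jitter, one reordered packet and one packet that arrives later than the shaping delay allows.

```python
"""Model of the RTP shaping (de-jitter) behaviour described above.

Added example, not Ruijie's code. Each packet is held for the configured
delay and released at the time its RTP timestamp dictates relative to the
first packet, using the 90 kHz clock of 'clock-rate 90000', so that jitter
and reordering introduced by the ISP link are removed as long as a packet is
no later than the 2000 ms of 'rtp-shaping delay 2000'. Packets that arrive
after their release slot are reported as late. SAMPLE_PACKETS is constructed
input (RTP timestamp step 3600 = one 40 ms frame interval at 90 kHz).
"""

CLOCK_RATE_HZ = 90000
SHAPING_DELAY_MS = 2000

# (sequence number, RTP timestamp, arrival time in seconds), as seen at the receiver.
SAMPLE_PACKETS = [
    (1, 0,     0.000),
    (2, 3600,  0.090),   # delayed by 50 ms on the link
    (4, 10800, 0.100),   # overtook packet 3 on the link
    (3, 7200,  0.130),
    (5, 14400, 0.160),
    (6, 18000, 2.500),   # 2.3 s late: beyond what the shaping delay can absorb
]


def shape_rtp(packets, delay_ms=SHAPING_DELAY_MS, clock_rate=CLOCK_RATE_HZ):
    """Return (released, late): released is a list of (seq, release_time_s) in
    release order; late lists the sequence numbers that missed their slot."""
    if not packets:
        return [], []
    first = min(packets, key=lambda p: p[2])      # the first packet to arrive anchors the timeline
    base_ts, base_arrival = first[1], first[2]
    released, late = [], []
    for seq, ts, arrival in packets:
        # Release time follows the sender's clock, offset by the shaping delay.
        release = round(base_arrival + delay_ms / 1000.0 + (ts - base_ts) / clock_rate, 6)
        if arrival > release:
            late.append(seq)                       # its slot has already passed; the decoder would stall
        else:
            released.append((seq, release))
    released.sort(key=lambda r: r[1])              # timestamp order, regardless of arrival order
    return released, late


def release_intervals(released):
    """Gaps between consecutive releases; constant when shaping has removed the jitter."""
    return [round(b[1] - a[1], 6) for a, b in zip(released, released[1:])]


if __name__ == "__main__":
    released, late = shape_rtp(SAMPLE_PACKETS)
    for seq, t in released:
        print("release seq %d at %.3f s" % (seq, t))
    print("late (dropped):", late)
```

The example also shows the limit stated in the note that follows: a packet delayed beyond the configured shaping delay cannot be recovered by the queue, and no amount of buffering helps when the link simply lacks the bandwidth for the stream.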

Note:

Both WAN-TA and RTP shaping are used to improve transmission efficiency rather than to increase the link bandwidth. Therefore, neither function can solve unsmooth video transmission caused by insufficient bandwidth (for example, a 6 Mbps HD video transmitted over a bandwidth of 4 Mbps).

Configuration for Video Transmission Optimization

Features:

The video transmission optimization solution is mainly used in the online video surveillance scenario.

The complete video transmission optimization solution consists of two parts. First, enable WAN-TA on the access router at the sending end to improve the quality of video transmission. Second, enable WAN-TA+RTP at the receiving end to eliminate video pause and stutter caused by network jitter. This solution enables transmitted video to be played more smoothly without pause or stutter, improving the video experience.

I. Networking Requirements

1)      As shown in the following figure, in the wireless video surveillance scenario, the access router is connected to the digital video recorder (DVR) in the branch, and the aggregation router is connected to the video client in the headquarters.

2)      The access router is connected to the headquarters via a 3G/4G line.

3)      The video surveillance client is connected to the branch and headquarters via TCP.

II. Network Topology

III. Configuration Tips

1.      Enable WAN-TA on the access port.

2.      The video optimization policy is built into the system. Choose wan-ta policy video without changing any parameter.

3.      Enable WAN-TA+HQOS_RTP on the aggregation port.

IV. Configuration Steps

1.      Configuration for the access port (WAN-TA): (basic configuration for 3G dial-up is omitted)

1)      Enable video transmission optimization in global configuration mode.

wan-ta enable

 

2)      Define the video data flow to be optimized.

ip access-list extended 101

 10 permit ip host 124.1.1.2 66.1.1.0 0.0.0.255      //Video transmission optimization is performed only for traffic matching the ACL. Do not set the ACL range to any any; define the video stream precisely.

 

3)      Enable the video transmission optimization policy.

wan-ta policy video  //Enables the system-defined policy named "video", which is a default policy that needs no detailed configuration.

 match-port xx yy zz.....  //xx yy zz...... indicates the port numbers used by the manufacturer's device for video transmission. If the port number is unknown, run the match-port all command, which however affects device performance because all data connections (both video and non-video) are accelerated.

 

4)      Apply the video transmission optimization policy on the interface.

interface Async 1

 wan-ta-policy video list 101

 

5)      Create an empty port-queue rule. (Optional)

port-queue 1

 

6)      Apply the port-queue rule on the interface. (Optional)

interface Async 1

 port-queue 1    //Deploys the HQOS port queue, which prevents service interruption during video on demand (VOD) and enables video transmission optimization.

2.      Configuration for the aggregation port (WAN-TA+RTP): (L2TP configuration is omitted)

1)     Enable WAN-TA.

wan-ta enable      //Enables WAN-TA (video transmission optimization).

ip access-list extended 101 //Defines the video stream to be optimized using the ACL.

 10 permit ip host 124.1.1.2 66.1.1.0 0.0.0.255

wan-ta policy video              //Creates a video transmission optimization policy.

 

2)     Define the classifier policy and correlate it with the ACL.

traffic classifier rtp or

  if-match acl 101       //Use the same ACL as that used by WAN-TA.

 

3)     Define the behavior and configure an RTP shaping policy.

traffic behavior rtp

 rtp-shaping delay 2000 clock-rate 90000      //Sets the cache time of the RTP video stream to 2 seconds and the clock frequency to 90000.

 

4)     Correlate the classifier and behavior and configure an HQOS policy.

traffic policy rtp

 classifier rtp behavior rtp precedence 1

 

5)     Apply the RTP policy for WAN-TA and HQOS to the interface.

interface GigabitEthernet 1/1/0

  wan-ta-policy video list 101

  traffic-policy rtp inbound

 

Note: RTP shaping takes effect only after WAN-TA is enabled, that is, enabling WAN-TA is a prerequisite for RTP shaping.

V. Verification

1.      Call the real-time video to compare video quality before and after transmission optimization.

2.      Check the configuration of the WAN-TA policy.

Ruijie#show wan-ta policy video

wan-ta policy: video

   Congestion Control : low-bandwidth-delay

    SACK Support: TRUE

   Initial Congest Window: 10 MSS

   Maxitum Segment Size: 1460

   Keepalvie Interval(retry): 120(9)

 

apply on interfaces:

interface name                                list

GigabitEthernet 2/1/0                     101

 

3.      Check the current session.

Ruijie#sh wan-ta policy session vtty 2/1

session_id pair     flow                                tcp_state          uptime     service

391        392      [124.1.1.2:554->66.1.1.55:1776]     TCP_ESTABLISHED    0:00:06    RTSP

392        391      [66.1.1.55:1776->124.1.1.2:554]     TCP_ESTABLISHED    0:00:06    RTSP   //Session 392 acts as the proxy for the LAN side of the connection, and session 391 acts as the proxy for the WAN side between the branch and the headquarters.


1.1.4    Configuring WiFi for the 4G Router

The 4G router supports the 2.4 GHz WLAN frequency band only. WiFi access terminals belong to an independent VLAN by default.

The configuration is as follows:

1)      Create VLAN 100 for WiFi.

vlan 100

 

2)      Configure the WLAN ID and SSID.

dot11 wlan 1

 wlan-type ap // Sets the AP configuration mode.

 ssid ruijie      //Sets the SSID to ruijie.

 vlan 100        //Correlates the WLAN with VLAN 100.

 no l2_isolate      //Allows users connected to WiFi to access each other.

 

3)      Configure the gateway for the WiFi network segment.

interface Dot11radio 2/0.1

 encapsulation dot1Q 100

 ip address 192.168.2.1 255.255.255.0

 

4)      Configure the wireless interface and correlate it with the WLAN ID.

interface Dot11radio 2/0

 wlan-id 1

 

5)      Set the WiFi password to 12345678 (using WPA2 encryption).

wlansec 1

 security rsn enable

 security rsn akm psk set-key ascii 12345678

 security rsn akm psk enable

 security rsn ciphers aes enable

 

6)      Configure the DHCP server for the WiFi network.

ip dhcp pool AP1_NET_POOL

 network 192.168.2.0 255.255.255.0

 dns-server 8.8.8.8

 default-router 192.168.2.1

ip dhcp excluded-address 192.168.2.255

ip dhcp excluded-address 192.168.2.1

 

Note:

For the RSR10-01G-T (W) series, if WLAN users and LAN users need to be in the same subnet, upgrade the router to RGOS 10.4 (3b64) p1, Release (202782) or a later version and change the configuration as follows. The WLAN configuration stays the same.

interface VLAN 2

 ip address 10.7.250.209 255.255.255.240    //Sets the shared IP address of the wired and wireless interfaces.

 transparent

transparent manage-interface VLAN 2   //Sets VLAN 2 as the active (management) interface.

interface Dot11radio 2/0.1

 encapsulation dot1Q 2

 transparent

 

1.1.5    4G FAQs and Faults

FAQs

4G FAQs

For the RSR10-01G-T series, how do I restore factory settings?

As the series has no console port, log in through the Web or Telnet. The following are the methods for restoring factory settings.

1.      Restore factory settings through the Web page.

2.      If Web login fails, use the FUNC button on the panel to restore factory settings in the following steps:

After the device is powered on, immediately press the FUNC button and release it 10 seconds later. When the device restarts (the system indicator on the panel is steadily on in yellow for two to three seconds), the configuration is cleared. Log in to 192.168.1.1 through the Web and enter the password admin. On the pop-up page, choose Clear Configuration to completely clear the configuration of the device.

Note: RGOS 10.4 (3b47), Release (193205) and later versions support this method. For earlier versions, use the FUNC button to upgrade the device to the required version.


      Device Status Detection

1.1     Check Clock

 

I. Basic Check

A correct time ensures correct log timestamps and facilitates fault location. CA certificates and other applications also require a correct time.

Run the show clock command to check the time:

Ruijie#show clock

02:24:23 UTC Thu, Jan 17, 2013

 

II. Check Criteria

Check the router time against Beijing time. In case of inconsistency, configure an NTP server or correct the time.

 

1.2     Check Log

 

I. Basic Check

1)     Save logs in the flash

Logs are saved in memory by default. Because the memory cache is small and logs are lost after a device restart, save logs in the flash instead, so that historical logs are easy to find in case of a fault.

Ruijie(config)#logging file flash:log 2000000 7 //Saves logs in the flash with a 2 MB file at level 7 (all logs, including debug messages).

2)     Run the show logging command in privileged EXEC mode to display logs:

Ruijie#show logging

Syslog logging: enabled

Console logging: level debugging, 71 messages logged

Monitor logging: level debugging, 0 messages logged

  Buffer logging: level debugging, 71 messages logged

  Standard format: false

  Timestamp debug messages: datetime

  Timestamp log messages: datetime

  Sequence-number log messages: disable

  Sysname log messages: disable

  Count log messages: disable

  Trap logging: level informational, 71 message lines logged, 0 fail

Log Buffer (Total 262144 Bytes): have written 6507,

3)     Run the more flash:xxx command to display the logs saved in the flash.

 

II. Check Criteria

Check for exceptions in the logs, such as frequent interface UP/DOWN, dynamic protocol DOWN and other high-level alarms or tips. If you have any problems, call 4008-111-000.

 

1.3     Check Hardware Status

I. Basic Check

Run the show environment command to check the working status of the hardware:

RSR77 routers are taken as an example below. This process is also applicable to other mid-range and high-end devices.

RSR7708#show environment
 Environmental status update at 23:4:53 2013-01-16.
  Data is 5 second old, refresh in 30 second(s).
  Power Supplies:                             //working status of power supplies: "on" indicates normal.
       Power supply 1 is present. Unit is on.
       Power supply 2 is present. Unit is on.
       Power supply 3 is not present. Unit is off.
  Fans working status: OK.              //working status of fans: "OK" indicates normal.
 Temperature readings:              //temperature inside the chassis: Pay attention if the temperature is above 45°C.
        measured at 23
 Hardware:
       CPU name : Freescale MPC85xx.
       CPU Speed: 1320M

II. Check Criteria

1)      If the power modules displayed differ from the inserted power modules, check whether there are any exceptions.

2)      If any exceptions occur in the operating environment (for example, temperature), an alarm is displayed. If you have any problems, call 4008-111-000.

 

1.4     Check CPU Utilization

I. Basic Check

Run the show cpu command to check CPU utilization.

Ruijie#show cpu
=======================================
     CPU Using Rate Information
CPU utilization in five seconds: 12.12%
CPU utilization in one minute  : 12.07%
CPU utilization in five minutes: 12.07%

II. Check Criteria

1)      In the normal state, “CPU utilization in five minutes” must remain below 30%. Pay attention if the CPU utilization is above 60%.

2)      Extensive configurations, display of extensive information or debugging may result in high CPU utilization. You can stop such operations or disable debugging.

3)      Heavy network traffic or network attacks may also result in high CPU utilization. Traffic exceptions may result from network attacks.

 

1.5     Check Memory Utilization

I. Basic Check

Run the show memory command to check memory utilization.

Ruijie#show memory
System Memory Statistic:
  Free pages: 54998
   watermarks : min 2140, lower 4025, low 5910, high 7795
  System Total Memory : 512MB, Current Free Memory : 225428KB
Used Rate : 57%

II. Check Criteria

In the normal state, memory utilization must remain below 60%. Memory utilization rises with an increase in the service load. Pay attention if the memory utilization is above 80%.

NOTE: Due to the small memory of RSR10-01G and RSR10-02 routers, the memory utilization may reach 80%-90% under service load. But if the memory utilization remains stable, the device runs normally.

 

1.6     Check Flow Table Status

I. Basic Check

Note:

The RSR77 router is a distributed system with an independent flow table capacity for every line card. Enter every line card to check flow table statistics.

Run the show ip fpm statistics command to check the flow table capacity:

Ruijie#show ip fpm statistics
Flow table capacity: 262143      //Indicates the flow table capacity
Flow number: 0                   //Indicates the number of flow entries
Nat-flow number: 0               //Indicates the number of entries in the NAT flow table
User number: 0                   //Indicates the number of users
Defragment context number:0      //Indicates the number of reassembly contexts (fragmented IP packets being reassembled)
Defragment packet number: 0      //Indicates the number of fragments held for reassembly
Event count: 57

II. Check Criteria

1)      Flow table information may indicate the load state of a device.

2)      If the number of entries in the flow table is close to the flow table capacity, traffic or session attacks may exist in the network. Attack sources must be found.

3)      If there are too many fragmented packets in a flow table, fragmented packet attacks may exist in the network. Attack sources must be found.

 

1.7     Check Interface Status

I. Basic Check

Run the show interfaces command to display the interface status:

Ruijie#show interfaces gigabitEthernet 0/0
Index(dec):1 (hex):1
GigabitEthernet 0/0 is UP  , line protocol is UP  //Indicates the physical status and protocol status of the interface
Hardware is PQ3 TSEC GIGABIT ETHERNET CONTROLLER GigabitEthernet, address is 001a.a93c.c9f6 (bia 001a.a93c.c9f6)
Interface address is: 10.0.0.3/24
ARP type: ARPA, ARP Timeout: 3600 seconds
  MTU 1500 bytes, BW 100000 Kbit
 Encapsulation protocol is Ethernet-II, loopback not set
 Keepalive interval is 10 sec , set
  Carrier delay is 2 sec
  Rxload is 1/255, Txload is 1/255
  Queueing strategy: FIFO
Output queue 0/40, 0 drops; //Indicates packets dropped in the output direction
Input queue 0/75, 0 drops;  //Indicates packets dropped in the input direction
Link Mode: 100M/Full-Duplex, media-type is twisted-pair.    //Indicates the rate, duplex mode, and media type of the interface
  Output flowcontrol is off; Input flowcontrol is off.
5 minutes input rate 79 bits/sec, 0 packets/sec    //Indicates the average traffic in the input direction over 5 minutes
5 minutes output rate 107 bits/sec, 0 packets/sec    //Indicates the average traffic in the output direction over 5 minutes
31 packets input, 1860 bytes, 0 no buffer, 0 dropped   //Indicates the traffic and the number of packets dropped in the inbound direction
   Received 31 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 abort //Indicates error packets in the inbound direction
54 packets output, 2652 bytes, 0 no buffer, 0 dropped   //Indicates the traffic and the number of packets dropped in the outbound direction
0 output errors, 0 collisions, 5 interface resets   //Indicates error packets in the outbound direction

II. Check Criteria

1)      Check whether the traffic on the interface is normal. If the traffic is close to or completely occupies the bandwidth, check whether the bandwidth can meet the existing applications or whether an attack has used up the bandwidth.

2)      Check whether the number of CRC errors and the number of dropped packets are large and continuously increasing. This may result from poor cable contact, cable aging, or a rate/duplex mode mismatch.
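The check criteria in 1.4 to 1.7 can be applied automatically to captured CLI output. As an added example, not code from the cookbook or from Ruijie, the Python script below parses sample show cpu, show memory, show ip fpm statistics and show interfaces output (constructed here after the samples above) and grades each against the criteria given; the 90% flow table and 80% bandwidth thresholds are assumptions, since the text only says "close to".

```python
import re

# Constructed sample outputs, shaped after the show-command samples in 1.4 to 1.7.
SHOW_CPU = """CPU utilization in five seconds: 12.12%
CPU utilization in one minute  : 12.07%
CPU utilization in five minutes: 12.07%"""
SHOW_MEMORY = """  System Total Memory : 512MB, Current Free Memory : 225428KB
Used Rate : 57%"""
SHOW_FPM = """Flow table capacity: 262143
Flow number: 0
Nat-flow number: 0
Defragment packet number: 0"""
SHOW_IF = """GigabitEthernet 0/0 is UP  , line protocol is UP
  MTU 1500 bytes, BW 100000 Kbit
5 minutes input rate 79 bits/sec, 0 packets/sec
5 minutes output rate 107 bits/sec, 0 packets/sec
31 packets input, 1860 bytes, 0 no buffer, 0 dropped
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 abort
54 packets output, 2652 bytes, 0 no buffer, 0 dropped
0 output errors, 0 collisions, 5 interface resets"""

def _num(pattern, text):
    # First capture group as a float; a missing field is an error, not a silent zero.
    m = re.search(pattern, text, re.MULTILINE)
    if not m:
        raise ValueError("field not found: " + pattern)
    return float(m.group(1))

def level(value, attention, alert):
    # The cookbook's scale: normal below the first bound, alarm above the second.
    if value > alert:
        return "alert"
    return "attention" if value >= attention else "ok"

def check_cpu(text):
    # Criteria: 5-minute utilization must stay below 30%; above 60% needs attention.
    five = _num(r"five minutes:\s*([\d.]+)%", text)
    return {"cpu_5min_pct": five, "status": level(five, 30, 60)}

def check_memory(text):
    # Criteria: must stay below 60%; above 80% needs attention.
    used = _num(r"Used Rate\s*:\s*(\d+)%", text)
    return {"mem_used_pct": used, "status": level(used, 60, 80)}

def check_flow_table(text, near_full_pct=90.0):
    # Criteria: a flow count close to capacity suggests traffic or session attacks.
    # The cookbook gives no number for "close", so 90% is an assumed threshold.
    cap = _num(r"^Flow table capacity:\s*(\d+)", text)
    flows = _num(r"^Flow number:\s*(\d+)", text)
    frags = int(_num(r"^Defragment packet number:\s*(\d+)", text))
    used = round(100.0 * flows / cap, 2)
    return {"flow_used_pct": used, "defrag_packets": frags,
            "status": "attention" if used >= near_full_pct else "ok"}

def check_interface(text, saturation_pct=80.0):
    # Criteria: link and protocol UP, no CRC errors or drops (cable or duplex faults),
    # and load below bandwidth; the 80% saturation bound is assumed ("close to").
    up = re.search(r"is UP\s*,\s*line protocol is UP", text) is not None
    bw_bps = _num(r"BW\s+(\d+)\s+Kbit", text) * 1000
    in_bps = _num(r"input rate\s+(\d+)\s+bits/sec", text)
    out_bps = _num(r"output rate\s+(\d+)\s+bits/sec", text)
    crc = int(_num(r"(\d+) CRC", text))
    drops = sum(int(d) for d in re.findall(r"(\d+) dropped", text))
    util = round(100.0 * max(in_bps, out_bps) / bw_bps, 4)
    ok = up and crc == 0 and drops == 0 and util < saturation_pct
    return {"up": up, "crc_errors": crc, "dropped": drops, "util_pct": util,
            "status": "ok" if ok else "attention"}

def run_all():
    return {"cpu": check_cpu(SHOW_CPU), "memory": check_memory(SHOW_MEMORY),
            "flow": check_flow_table(SHOW_FPM), "gi0/0": check_interface(SHOW_IF)}
```

Feed the script the text captured from the commands in 1.8 (run three times, 5 seconds apart) to see whether CRC errors, drops or the flow count are growing between samples.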

 

1.8     Basic Fault Information Collection

If a fault cannot be located, you are advised to collect the following basic information and then call 4008-111-000 for technical support:

show version
show run
show clock
show cpu (Run this command once every 5 seconds for 3 times.)
show memory (Run this command once every 5 seconds for 3 times.)
show memory protocols (Run this command once every 5 seconds for 3 times.)
show logging
show slot
show version slot
show arp (Run this command once every 5 seconds for 3 times.)
show interface (Run this command once every 5 seconds for 3 times.)
show ip route count (Run this command once every 5 seconds for 3 times.)
show ip fpm counters (Run this command once every 5 seconds for 3 times.)
show ip fpm statistics (Run this command once every 5 seconds for 3 times.)
show ip ref adj (Run this command once every 5 seconds for 3 times.)

Run the debug support command in privileged EXEC mode to enter the support mode.

Ruijie#debug support
Ruijie(support)#show exception (Run this command once every 5 seconds for 3 times.)
Ruijie(support)#exit  (NOTE: Exit after running the show exception command.)

 

      Detailed Case Study

1.1     Detailed Configuration for Internet Access

1.1.1    Internet Access Configuration Guide

RG-RSR10 Router Configuration

RSR10-02E Internet Access Configuration

RSR10-02E Device Appearance

Internet Access via a Fixed IP Address Provided by an ISP

Common Networking Scenario:

With a Ruijie router as the egress, the internal PCs access the Internet via a fixed public IP address provided by an ISP.

Network Topology Example:

Configuration Example:

Information provided by the ISP:

The public IP address is 211.11.83.2. The subnet mask is 255.255.255.224. The IP address of the gateway is 211.11.83.1.

The IP address of the primary DNS is 111.11.1.1. The IP address of the secondary DNS is 8.8.8.8.

IP address segment planning for intranet PCs:

1)     IP address segment planning for PCs connected to the GE0/0 interface

The address segment is 192.168.10.0/24. The IP address of the gateway is 192.168.10.1.

The IP address of an intranet PC is automatically obtained via the intranet, with the range from 192.168.10.2 to 192.168.10.254.

2)     IP address segment planning for PCs connected to the eight switching interfaces

The address segment is 192.168.20.0/24. The IP address of the gateway is 192.168.20.1.

The IP address of an intranet PC is automatically obtained via the intranet, with the range from 192.168.20.2 to 192.168.20.254.

Configuration Steps

Log in to the device through the console port (see Device Login Method).

1)          Configure the external network interface and intranet interface of the router. (Mandatory)

interface gi0/1
 ip address 211.11.83.2 255.255.255.224
 ip nat outside
interface gi0/0
 ip nat inside
 ip address 192.168.10.1 255.255.255.0
interface vlan 1
 ip nat inside
 ip address 192.168.20.1 255.255.255.0

2)          Configure NAT. (Mandatory)

access-list 100 permit ip any any
ip nat inside source list 100 interface gi0/1 overload

3)          Configure a default route. (Mandatory)

ip route 0.0.0.0 0.0.0.0 211.11.83.1

4)          Configure DHCP-based automatic IP address assignment. (Optional)

service dhcp
ip dhcp pool g0
 network 192.168.10.0 255.255.255.0
 dns-server 114.114.114.114 8.8.8.8
 default-router 192.168.10.1
ip dhcp pool vlan1
 network 192.168.20.0 255.255.255.0
 dns-server 114.114.114.114 8.8.8.8
 default-router 192.168.20.1

5)          Configure the Telnet login password. (Optional)

enable password ruijie
line vty 0 4
 password ruijie

6)          Save the configuration. (Optional)

end
wr
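Steps 1 to 4 above are a template whose addresses change per site. As an added example (not from the cookbook or from Ruijie), the Python script below renders those steps from the ISP-provided values and the LAN plan, and first checks that the gateway lies inside the WAN subnet, that each default-router lies inside its pool's network, and that no two segments overlap; the parameter layout and the validate, render and build functions are this example's own.

```python
import ipaddress

# Parameters from the fixed-IP scenario above: ISP-provided WAN values and the LAN plan.
ISP = {"wan_ip": "211.11.83.2", "wan_mask": "255.255.255.224", "gateway": "211.11.83.1"}
LANS = [  # (interface, DHCP pool name, network, gateway address)
    ("gi0/0", "g0", "192.168.10.0/24", "192.168.10.1"),
    ("vlan 1", "vlan1", "192.168.20.0/24", "192.168.20.1"),
]
DNS = ("114.114.114.114", "8.8.8.8")

def validate(isp, lans):
    """Return a list of addressing problems; an empty list means the plan is consistent."""
    problems = []
    wan = ipaddress.ip_interface(f"{isp['wan_ip']}/{isp['wan_mask']}")
    gw = ipaddress.ip_address(isp["gateway"])
    if gw not in wan.network:
        problems.append(f"gateway {gw} is outside the WAN subnet {wan.network}")
    elif gw == wan.ip:
        problems.append("gateway equals the router's own WAN address")
    if wan.ip in (wan.network.network_address, wan.network.broadcast_address):
        problems.append(f"WAN address {wan.ip} is the network or broadcast address")
    seen = [wan.network]  # the WAN subnet must not overlap any LAN segment either
    for iface, _pool, net, lan_gw in lans:
        network = ipaddress.ip_network(net)
        if ipaddress.ip_address(lan_gw) not in network:
            problems.append(f"{iface}: default-router {lan_gw} is not in {net}")
        if any(network.overlaps(other) for other in seen):
            problems.append(f"{iface}: {net} overlaps another segment")
        seen.append(network)
    return problems

def render(isp, lans, dns):
    """Render the fixed-IP NAT configuration (steps 1 to 4) as CLI lines."""
    wan = ipaddress.ip_interface(f"{isp['wan_ip']}/{isp['wan_mask']}")
    lines = ["interface gi0/1", f" ip address {wan.ip} {wan.netmask}", " ip nat outside"]
    for iface, _pool, net, lan_gw in lans:
        mask = ipaddress.ip_network(net).netmask
        lines += [f"interface {iface}", f" ip address {lan_gw} {mask}", " ip nat inside"]
    lines += ["access-list 100 permit ip any any",
              "ip nat inside source list 100 interface gi0/1 overload",
              f"ip route 0.0.0.0 0.0.0.0 {isp['gateway']}", "service dhcp"]
    for _iface, pool, net, lan_gw in lans:
        network = ipaddress.ip_network(net)
        lines += [f"ip dhcp pool {pool}",
                  f" network {network.network_address} {network.netmask}",
                  f" dns-server {dns[0]} {dns[1]}", f" default-router {lan_gw}"]
    return "\n".join(lines)

def build(isp=ISP, lans=LANS, dns=DNS):
    """Validate first; refuse to emit a configuration with inconsistent addressing."""
    problems = validate(isp, lans)
    if problems:
        raise ValueError("; ".join(problems))
    return render(isp, lans, dns)
```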

 

To copy the configuration steps, modify the part in red based on the actual condition and paste them in ruijie> mode.

en
conf t

interface gi0/1
 ip address 211.11.83.2 255.255.255.224
 ip nat outside

interface gi0/0
 ip nat inside
 ip address 192.168.10.1 255.255.255.0

interface vlan 1
 ip nat inside
 ip address 192.168.20.1 255.255.255.0

access-list 100 permit ip any any
ip nat inside source list 100 interface gi0/1 overload

ip route 0.0.0.0 0.0.0.0 211.11.83.1

service dhcp
ip dhcp pool g0
 network 192.168.10.0 255.255.255.0
 dns-server 114.114.114.114 8.8.8.8
 default-router 192.168.10.1
ip dhcp pool vlan1
 network 192.168.20.0 255.255.255.0
 dns-server 114.114.114.114 8.8.8.8
 default-router 192.168.20.1

enable password ruijie
line vty 0 4
 password ruijie

end
wr

Internet Access via User Name and Password in PPPoE Mode Provided by an ISP

Common Networking Scenario:

With a Ruijie router as the egress, the internal PCs access the Internet via a fixed account and password in PPPoE mode provided by an ISP.

Network Topology Example:

Configuration Example:

Information provided by the ISP:

The PPPoE account name is abcd. The password is 1234567.

The IP address of the primary DNS is 111.11.1.1. The IP address of the secondary DNS is 8.8.8.8.

IP address segment planning for intranet PCs:

1)     IP address segment planning for PCs connected to the GE0/0 interface

The address segment is 192.168.10.0/24. The IP address of the gateway is 192.168.10.1.

The IP address of an intranet PC is automatically obtained via the intranet, with the range from 192.168.10.2 to 192.168.10.254.

2)      IP address segment planning for PCs connected to the eight switching interfaces

The address segment is 192.168.20.0/24. The IP address of the gateway is 192.168.20.1.

The IP address of an intranet PC is automatically obtained via the intranet, with the range from 192.168.20.2 to 192.168.20.254.

Configuration Steps

Log in to the device through the console port (see Device Login Method).

1.      Configure the external network interface and intranet interface of the router. (Mandatory)

interface gi0/0
 ip address 192.168.10.1 255.255.255.0
 ip nat inside

interface vlan 1
 ip nat inside
 ip address 192.168.20.1 255.255.255.0

interface dialer 0
 encapsulation ppp
 ppp chap hostname abcd
 ppp chap password 1234567
 ppp pap sent-username abcd password 1234567
 ip address negotiate
 dialer pool 5
 ip nat outside
 mtu 1492

interface gi0/1
 pppoe enable
 pppoe-client dial-pool-number 5 no-ddr

2.      Configure NAT. (Mandatory)

access-list 100 permit ip any any
ip nat inside source list 100 interface dialer 0 overload

3.      Configure a default route. (Mandatory)

ip route 0.0.0.0 0.0.0.0 dialer 0

4.      Configure DHCP-based automatic IP address assignment. (Optional)

service dhcp
ip dhcp pool g0
 network 192.168.10.0 255.255.255.0
 dns-server 114.114.114.114 8.8.8.8
 default-router 192.168.10.1
ip dhcp pool vlan1
 network 192.168.20.0 255.255.255.0
 dns-server 114.114.114.114 8.8.8.8
 default-router 192.168.20.1

5.      Configure the Telnet login password. (Optional)

enable password ruijie
line vty 0 4
 password ruijie

6.      Save the configuration. (Mandatory)

end
wr


To copy the configuration steps, modify the part in red based on the actual condition and paste them in ruijie> mode.

en
conf t

interface gi0/0
 ip address 192.168.10.1 255.255.255.0
 ip nat inside

interface vlan 1
 ip nat inside
 ip address 192.168.20.1 255.255.255.0

interface dialer 0
 encapsulation ppp
 ppp chap hostname abcd
 ppp chap password 1234567
 ppp pap sent-username abcd password 1234567
 ip address negotiate
 dialer pool 5
 ip nat outside
 mtu 1492

interface gi0/1
 pppoe enable
 pppoe-client dial-pool-number 5 no-ddr

access-list 100 permit ip any any
ip nat inside source list 100 interface dialer 0 overload

ip route 0.0.0.0 0.0.0.0 dialer 0

service dhcp
ip dhcp pool g0
 network 192.168.10.0 255.255.255.0
 dns-server 114.114.114.114 8.8.8.8
 default-router 192.168.10.1
ip dhcp pool vlan1
 network 192.168.20.0 255.255.255.0
 dns-server 114.114.114.114 8.8.8.8
 default-router 192.168.20.1

enable password ruijie
line vty 0 4
 password ruijie

end
wr

Internet Access via DHCP-based Automatic IP Address Assignment

Common Networking Scenario:

Scenario 1: A Ruijie router as the egress is connected to a device of an ISP (which automatically assigns the IP address for the router). Intranet PCs access the Internet via a fixed account and password in PPPoE mode provided by the ISP.

Scenario 2: A Ruijie router as the secondary router is connected to the switch interface of the primary router (which automatically assigns the IP address for the router). Intranet PCs access the Internet via a fixed account and password in PPPoE mode provided by the ISP.

Note: Configuration steps for Scenario 1 and Scenario 2 are the same. Insert the uplink line directly into a PC whose network card is configured to obtain an IP address automatically, and check whether the PC can access the Internet.

 

Network Topology Example:

Configuration Example:

An ISP provides a device that can access the Internet (a downlink PC that is configured to obtain an IP address automatically can directly access the Internet).

Alternatively,

A shopping mall has a router that can access the Internet, and a store in the mall needs to use a Ruijie router for Internet access.

IP address segment planning for intranet PCs:

The address segment is 192.168.10.0/24. The IP address of the gateway is 192.168.10.1.

The IP address of an intranet PC is automatically obtained via the intranet, with the range from 192.168.10.2 to 192.168.10.254.

Configuration Steps

Log in to the device through the console port (see Device Login Method).

1)       Configure the external network interface and intranet interface of the router. (Mandatory)

interface gi0/0
 ip address 192.168.10.1 255.255.255.0
 ip nat inside

interface vlan 1
 ip address 192.168.20.1 255.255.255.0
 ip nat inside

interface gi0/1
 ip address dhcp
 ip nat outside

2)       Configure NAT. (Mandatory)

access-list 100 permit ip any any
ip nat inside source list 100 interface gi0/1 overload

3)       Configure DHCP-based automatic IP address assignment. (Optional)

service dhcp
ip dhcp pool g0
 network 192.168.10.0 255.255.255.0
 dns-server 114.114.114.114 8.8.8.8
 default-router 192.168.10.1
ip dhcp pool vlan1
 network 192.168.20.0 255.255.255.0
 dns-server 114.114.114.114 8.8.8.8
 default-router 192.168.20.1

4)       Configure the Telnet login password. (Optional)

enable password ruijie
line vty 0 4
 password ruijie

5)       Save the configuration. (Optional)

end
wr


To copy the configuration steps, modify the part in red based on the actual condition and paste them in ruijie> mode.

en
conf t

interface gi0/0
 ip address 192.168.10.1 255.255.255.0
 ip nat inside

interface vlan 1
 ip address 192.168.20.1 255.255.255.0
 ip nat inside

interface gi0/1
 ip address dhcp
 ip nat outside

access-list 100 permit ip any any
ip nat inside source list 100 interface gi0/1 overload

service dhcp
ip dhcp pool g0
 network 192.168.10.0 255.255.255.0
 dns-server 114.114.114.114 8.8.8.8
 default-router 192.168.10.1
ip dhcp pool vlan1
 network 192.168.20.0 255.255.255.0
 dns-server 114.114.114.114 8.8.8.8
 default-router 192.168.20.1

enable password ruijie
line vty 0 4
 password ruijie

end
wr
